summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7899.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc7899.txt')
-rw-r--r--doc/rfc/rfc7899.txt1011
1 files changed, 1011 insertions, 0 deletions
diff --git a/doc/rfc/rfc7899.txt b/doc/rfc/rfc7899.txt
new file mode 100644
index 0000000..8bff1d3
--- /dev/null
+++ b/doc/rfc/rfc7899.txt
@@ -0,0 +1,1011 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) T. Morin, Ed.
+Request for Comments: 7899 S. Litkowski
+Updates: 6514 Orange
+Category: Standards Track K. Patel
+ISSN: 2070-1721 Cisco Systems
+ Z. Zhang
+ R. Kebler
+ J. Haas
+ Juniper Networks
+ June 2016
+
+
+ Multicast VPN State Damping
+
+Abstract
+
+ This document describes procedures to damp Multicast VPN (MVPN)
+ routing state changes and control the effect of the churn due to the
+ multicast dynamicity in customer sites. The procedures described in
+ this document are applicable to BGP-based multicast VPN and help
+ avoid uncontrolled control-plane load increase in the core routing
+ infrastructure. The new procedures proposed were inspired by BGP
+ unicast route damping principles that have been adapted to multicast.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7899.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Morin, et al. Standards Track [Page 1]
+
+RFC 7899 MVPN Damping June 2016
+
+
+Copyright Notice
+
+ Copyright (c) 2016 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 4. Existing Mechanisms . . . . . . . . . . . . . . . . . . . . . 5
+ 4.1. Rate-Limiting Multicast Control Traffic . . . . . . . . . 5
+ 4.2. Existing PIM, IGMP, and MLD Timers . . . . . . . . . . . 6
+ 4.3. BGP Route Damping . . . . . . . . . . . . . . . . . . . . 6
+ 5. Procedures for Multicast State Damping . . . . . . . . . . . 7
+ 5.1. PIM Procedures . . . . . . . . . . . . . . . . . . . . . 7
+ 5.2. Procedures for Multicast VPN State Damping . . . . . . . 10
+ 6. Procedures for P-Tunnel State Damping . . . . . . . . . . . . 12
+ 6.1. Damping MVPN P-Tunnel Change Events . . . . . . . . . . . 12
+ 6.2. Procedures for Ethernet VPNs . . . . . . . . . . . . . . 13
+ 7. Operational Considerations . . . . . . . . . . . . . . . . . 13
+ 7.1. Enabling Multicast Damping . . . . . . . . . . . . . . . 13
+ 7.2. Troubleshooting and Monitoring . . . . . . . . . . . . . 13
+ 7.3. Default and Maximum Values . . . . . . . . . . . . . . . 13
+ 8. Security Considerations . . . . . . . . . . . . . . . . . . . 15
+ 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
+ 9.1. Normative References . . . . . . . . . . . . . . . . . . 16
+ 9.2. Informative References . . . . . . . . . . . . . . . . . 17
+ Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 17
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
+
+
+
+
+
+
+
+
+
+
+
+Morin, et al. Standards Track [Page 2]
+
+RFC 7899 MVPN Damping June 2016
+
+
+1. Introduction
+
+ In a multicast VPN [RFC6513] deployed with BGP-based procedures
+ [RFC6514], when receivers in VPN sites join and leave a given
+ multicast group or channel through multicast membership control
+ protocols (Internet Group Management Protocol (IGMP) [RFC3376] and
+ Multicast Listener Discovery (MLD) [RFC3810]), multicast routing
+ protocols accordingly adjust multicast routing states and P-multicast
+ tree states to forward or prune multicast traffic to these receivers.
+ Similar challenges arise in the context of the multicast
+ specification for Virtual Private LAN Service (VPLS) [RFC7117].
+
+ In VPN contexts, providing isolation between customers of a shared
+ infrastructure is a core requirement resulting in stringent
+ expectations with regard to risks of denial-of-service attacks.
+
+ By nature, multicast memberships change based on the behavior of
+ multicast applications running on end hosts. Hence, the frequency of
+ membership changes can legitimately be much higher than the typical
+ churn of unicast routing states.
+
+ Therefore, mechanisms need to be put in place to ensure that the load
+ put on the BGP control plane, and on the P-tunnel setup control
+ plane, remains under control regardless of the frequency at which
+ multicast membership changes are made by end hosts.
+
+ This document describes procedures inspired by existing BGP route
+ damping [RFC2439] that are aimed at offering means to set an upper
+ bound to the amount of processing for the MVPN control-plane
+ protocols: more precisely, the BGP control plane in [RFC6514], the
+ P-tunnel control-plane protocol in the contexts of [RFC6514], and the
+ multicast specification for VPLS [RFC7117]. The goal of setting this
+ upper bound is pursued simultaneous with the goal of preserving the
+ service provided (delivering the multicast stream as requested by
+ Customer Edge devices), although at the expense of a minimal increase
+ of average bandwidth use in the provider network). The upper bound
+ to the control-plane load due to the processing of a given multicast
+ state is controlled indirectly via configurable parameters.
+
+ Section 16 of [RFC6514] specifically spells out the need for damping
+ the activity of C-multicast and Leaf Auto-discovery routes and
+ outlines how to do it by "delaying the advertisement of withdrawals
+ of C-multicast routes". This specification provides appropriate
+ detail on how to implement this approach and how to provide control
+ to the operator; for this reason, it is an update to [RFC6514].
+
+
+
+
+
+
+Morin, et al. Standards Track [Page 3]
+
+RFC 7899 MVPN Damping June 2016
+
+
+ The base principle of this specification is described in Section 3.
+ Existing mechanisms that could be relied upon are discussed in
+ Section 4. Section 5 details the procedures introduced by this
+ specification.
+
+ Section 6 provides specific details related to the damping of
+ multicast VPNs P-tunnel state.
+
+ Finally, Section 7 discusses operational considerations related to
+ the proposed mechanism.
+
+2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+ This document reuses terminology from [RFC7761] and [RFC6514].
+
+ In this specification, damping of a multicast state will be said to
+ be "active" or "inactive". Note that in [RFC2439], the term used for
+ a unicast route that is dampened is "suppressed", but we will avoid
+ this term in this specification given that the proposed solution
+ consists in holding active a damped multicast state.
+
+3. Overview
+
+ The procedures described in this document allow the network operator
+ to configure multicast VPN PEs (Provider Edge routers) so that they
+ can delay the propagation of multicast state prune messages between
+ PEs when faced with a rate of multicast state dynamicity exceeding a
+ certain configurable threshold. Assuming that the number of
+ multicast states that can be created by a receiver is bounded,
+ delaying the propagation of multicast state pruning results in
+ setting up an upper bound to the average frequency at which the
+ router will send state updates to an upstream router.
+
+ From the point of view of a downstream router, such as a CE (Customer
+ Edge router), this approach has no impact: the multicast routing
+ state changes that it solicits to its PE will be honored without any
+ additional delay. Indeed, the propagation of Joins is not impacted
+ by the procedures specified here, and having the upstream router
+ delay state prune propagation to its own upstream router does not
+ affect what traffic is sent to the downstream router. In particular,
+ the amount of bandwidth used on the PE-CE link downstream to a PE
+ applying this damping technique is not increased.
+
+
+
+
+
+Morin, et al. Standards Track [Page 4]
+
+RFC 7899 MVPN Damping June 2016
+
+
+ This approach increases the average bandwidth utilization on a link
+ upstream to a PE applying this technique, such as a PE-PE link:
+ indeed, a given multicast flow will be forwarded for a longer time
+ than if no damping was applied. That said, it is expected that this
+ technique will meet the goals of protecting the multicast routing
+ infrastructure control plane without a significant average increase
+ of bandwidth; for instance, damping events happening at a frequency
+ higher than one event per X seconds can be done without increasing by
+ more than X seconds the time during which a multicast flow is present
+ on a link.
+
+ That said, simulation of the exponential decay algorithm shows that
+ the multicast state churn can be drastically reduced without
+ significantly increasing the duration for which multicast traffic is
+ forwarded. Hence, using this technique will efficiently protect the
+ multicast routing infrastructure control plane against the issues
+ described here without a significant average increase of bandwidth.
+ The exception will be a scenario with strict constraints on multicast
+ bandwidth, where extending the time a multicast flow is forwarded
+ would result in congestion.
+
+ To be practical, such a mechanism requires configurability. In
+ particular, means are required to control when damping is triggered
+ and to allow delaying the pruning of a multicast state for a time
+ increasing with the churn of this multicast state. This will let the
+ operator control the trade-off made between minimizing the dynamicity
+ and reducing bandwidth consumption.
+
+4. Existing Mechanisms
+
+ This section describes mechanisms that could be considered to address
+ the issue but that end up appearing as not suitable or not efficient
+ enough.
+
+4.1. Rate-Limiting Multicast Control Traffic
+
+ The Protocol Independent Multicast - Sparse Mode (PIM-SM)
+ specification [RFC7761] examines multicast security threats and,
+ among other things, the risk of denial-of-service attacks described
+ in Section 1. A mechanism relying on rate-limiting PIM messages is
+ proposed in Section 5.3.3 of [RFC4609] but has the identified
+ drawbacks of impacting the service delivered and having side-effects
+ on legitimate users.
+
+
+
+
+
+
+
+
+Morin, et al. Standards Track [Page 5]
+
+RFC 7899 MVPN Damping June 2016
+
+
+4.2. Existing PIM, IGMP, and MLD Timers
+
+ In the context of PIM multicast routing protocols [RFC7761], a
+ mechanism exists that may offer a form of de facto damping of
+ multicast states, under some conditions. Indeed, when active, the
+ prune override mechanism consists in having a PIM upstream router
+ introduce a delay ("prune override interval") before taking into
+ account a PIM Prune message sent by a downstream neighbor.
+
+ This mechanism has not been designed specifically for the purpose of
+ damping multicast state, but as a means to allow PIM to operate on
+ multi-access networks. See Section 4.3.3 of [RFC7761]. However,
+ when active, this mechanism will prevent a downstream router from
+ producing multicast routing protocol messages that would cause, for a
+ given multicast state, the upstream router to send to its own
+ upstream router multicast routing protocol messages at a rate higher
+ than 1/[JP_Override_Interval]. This provides a form of de facto
+ damping.
+
+ Similarly, the IGMP and MLD multicast membership control protocols
+ can provide a similar behavior under the right conditions.
+
+ These mechanisms are not considered suitable to meet the goals
+ spelled out in Section 1, the main reasons being that:
+
+ o when enabled, these mechanisms require additional bandwidth on the
+ local link on which the effect of a prune is delayed (in our case,
+ the PE-CE link);
+
+ o when enabled, these mechanisms require disabling explicit tracking
+ (see Section 4.3.3 of [RFC7761]), even though enabling this
+ feature may otherwise be desired;
+
+ o on certain implementations, these mechanisms are incompatible with
+ behaviors that cannot be turned off (e.g., implementation applying
+ a fast-leave behavior on interfaces with only two neighbors);
+
+ o they do not provide a suitable level of configurability; and
+
+ o they do not provide a way to discriminate between multicast flows
+ based on estimation of their dynamicity.
+
+4.3. BGP Route Damping
+
+ The procedures defined in [RFC2439] and [RFC7196] for BGP route flap
+ damping are useful for operators who want to control the impact of
+ unicast route churn on the routing infrastructure and offer a
+ standardized set of parameters to control damping.
+
+
+
+Morin, et al. Standards Track [Page 6]
+
+RFC 7899 MVPN Damping June 2016
+
+
+ These procedures are not directly relevant in a multicast context for
+ the following reasons:
+
+ o they are not specified for multicast routing protocol in general,
+ and
+
+ o even in contexts where BGP routes are used to carry multicast
+ routing states (e.g., [RFC6514]), these procedures do not allow
+ the implementation of the principle described in this document;
+ the main reason being that a damped route becomes suppressed while
+ the target behavior would be to keep advertising when damping is
+ triggered on a multicast route.
+
+ However, the set of parameters standardized to control the thresholds
+ of the exponential decay mechanism can be relevantly reused. This is
+ the approach proposed for the procedures described in this document
+ (Section 5). Motivations for doing so are to help the network
+ operator deploy this feature based on consistent configuration
+ parameters and to obtain predictable results without the drawbacks of
+ relying on rate-limiting multicast control protocol exchanges (as is
+ exposed in Section 4.1) or on the use of existing PIM/IGMP timers (as
+ is exposed in Section 4.2).
+
+5. Procedures for Multicast State Damping
+
+5.1. PIM Procedures
+
+ This section describes procedures for multicast state damping
+ satisfying the goals spelled out in Section 1. This section
+ describes procedures for (S,G) states in the PIM-SM protocol
+ [RFC7761]; they apply unchanged for such states created based on
+ multicast group management protocols (IGMP [RFC3376], MLD [RFC3810])
+ on downstream interfaces. The same procedures are applied to (*,G)
+ states in the context of PIM-SM Any-Source Multicast (ASM) groups
+ (damping is not applied to (S,G,Rpt) Prune state).
+
+ The following notions of [RFC2439] are reused in these procedures:
+
+ figure-of-merit: A number reflecting the current estimation of
+ recent past activity of an (S,G) multicast routing state, which
+ increases based on routing events related to this state and
+ decreases between these events following an exponential decay
+ function (see below); the activation or inactivation of damping on
+ the state is based on this number. This number is associated with
+ the upstream state machine for (S,G) and is initialized to a value
+ of zero on state creation.
+
+
+
+
+
+Morin, et al. Standards Track [Page 7]
+
+RFC 7899 MVPN Damping June 2016
+
+
+ exponential decay function: A mathematical function as defined in
+ Section 2.3 of [RFC2439] (ignoring the first paragraph of the
+ section, as it does not apply here).
+
+ decay-half-life: The duration used to control how fast the
+ exponential decay of the *figure-of-merit* is; this parameter of
+ the exponential decay function is the time duration during which
+ the *figure-of-merit* will be reduced by half when in the absence
+ of a routing event (configurable parameter).
+
+ cutoff-threshold: The value of the *figure-of-merit* over which
+ damping is applied (configurable parameter).
+
+ reuse-threshold: The value of the *figure-of-merit* under which
+ damping stops being applied (configurable parameter).
+
+ In addition to these values, a configurable *increment-factor*
+ parameter is introduced that controls by how much the *figure-of-
+ merit* is incremented on multicast state update events.
+
+ Section 7.3 proposes default and maximum values for the configurable
+ parameters.
+
+ On reception of updated multicast membership or routing information
+ on a downstream interface I for a given (S,G) state, which results in
+ a change of the state of the PIM downstream state machine (see
+ Section 4.5.3 of [RFC7761]), a router implementing these procedures
+ MUST:
+
+ o apply procedures of [RFC7761] unchanged, for everything relating
+ to what multicast traffic ends up being sent on downstream
+ interfaces, including interface I
+
+ o update the *figure-of-merit* following the exponential decay
+ algorithm
+
+ o increase the *figure-of-merit* for the (S,G) by the *increment-
+ factor*
+
+ o update the damping state for the (S,G) state: damping becomes
+ active on the state if the recomputed *figure-of-merit* is
+ strictly above the configured *cutoff-threshold*:
+
+ * if damping remains inactive on (S,G) state, update the upstream
+ state machine as usual (as per Section 4.5.7 of [RFC7761]).
+
+
+
+
+
+
+Morin, et al. Standards Track [Page 8]
+
+RFC 7899 MVPN Damping June 2016
+
+
+ * if damping becomes active for the (S,G) state:
+
+ + if the received message has caused the upstream state
+ machine to transition to Joined state, update the upstream
+ state machine for (S,G) applying usual PIM procedures in
+ Section 4.5.7 of [RFC7761] and including sending a PIM Join
+ to the upstream neighbor
+
+ + if the received message has caused the upstream state
+ machine to transition to NotJoined state, do not update the
+ upstream state machine for (S,G)
+
+ + hold the upstream state machine in Joined state until the
+ reuse threshold is reached: for the purpose of updating this
+ state machine, events that may result in updating the state
+ based on [RFC7761] SHOULD be ignored until the *reuse-
+ threshold* is reached. The effect is that in the meantime,
+ while PIM Join messages may be sent as refreshes to the
+ upstream neighbor, no PIM Prune message will be sent.
+
+ * if damping was already active, do not update the upstream state
+ machine for (S,G); the upstream state machine was frozen after
+ processing the previous message.
+
+ Once the *figure-of-merit* for (S,G) damping state decays to a value
+ strictly below the configured *reuse-threshold*, the upstream state
+ machine for (S,G) is recomputed based on states of downstream state
+ machines, eventually leading to a PIM Join or Prune message to be
+ sent to the upstream neighbor.
+
+ Given the specificity of multicast applications, it is REQUIRED for
+ the implementation to let the operator configure the *decay-half-
+ life* in seconds, rather than in minutes.
+
+ This specification does not impose the use of a particular technique
+ to update the *figure-of-merit* following the exponential decay
+ controlled by the configured *decay-half-life*. For instance, the
+ same techniques as the ones described in [RFC2439] can be applied.
+ The only requirement is that the *figure-of-merit* has to be updated
+ prior to increasing it and that its decay below the *reuse-threshold*
+ has to be reacted upon in a timely manner: in particular, if the
+ recomputation is done with a fixed time granularity, this granularity
+ should be low enough to not significantly delay the inactivation of
+ damping on a multicast state beyond what the operator wanted to
+ configure (e.g., for a *decay-half-life* of 10s, recomputing the
+ *figure-of-merit* each minute would result in a multicast state
+ remaining damped for a much longer time than specified).
+
+
+
+
+Morin, et al. Standards Track [Page 9]
+
+RFC 7899 MVPN Damping June 2016
+
+
+ PIM implementations typically follow the suggestion from Section 4.1
+ of [RFC7761] that:
+
+ implementations will only maintain state when it is relevant to
+ forwarding operations - for example, the 'NoInfo' state might be
+ assumed from the lack of other state information, rather than
+ being held explicitly.
+
+ To properly implement damping procedures, an implementation MUST keep
+ an explicit (S,G) state as long as damping is active on an (S,G).
+ Once an (S,G) state expires, and damping becomes inactive on this
+ state, its associated *figure-of-merit* and damping state are removed
+ as well.
+
+ Note that these procedures:
+
+ o do not impact PIM procedures related to refreshes or expiration of
+ multicast routing states: PIM Prune messages triggered by the
+ expiration of the (S,G) keep-alive timer are not suppressed or
+ delayed, and the reception of Join messages not causing transition
+ of state on the downstream interface does not lead to incrementing
+ the *figure-of-merit*;
+
+ o do not impact the PIM Assert mechanism: in particular, PIM Prune
+ messages triggered by a change of the PIM Assert winner on the
+ upstream interface are not suppressed or delayed;
+
+ o do not impact PIM Prune messages that are sent when the RPF
+ neighbor is updated for a given multicast flow; and
+
+ o do not impact PIM Prune messages that are sent in the context of
+ switching between a Rendezvous Point Tree and a Shortest Path
+ Tree.
+
+ Note also that no action is triggered based on the reception of PIM
+ Prune messages (or corresponding IGMP/MLD messages) that relate to
+ non-existing (S,G) state: in particular, no *figure-of-merit* or
+ damping state is created in this case.
+
+5.2. Procedures for Multicast VPN State Damping
+
+ The procedures described in Section 5.1 can be applied in the Virtual
+ Routing and Forwarding (VRF) PIM-SM implementation (in the "C-PIM
+ instance"), with the corresponding action to suppressing the emission
+ of a Prune(S,G) message being to not withdraw the C-multicast Source
+ Tree Join (C-S,C-G) BGP route. An implementation of [RFC6513]
+ relying on the use of PIM to carry C-multicast routing information
+ MUST support this technique to be compliant with this specification.
+
+
+
+Morin, et al. Standards Track [Page 10]
+
+RFC 7899 MVPN Damping June 2016
+
+
+ In the context of [RFC6514], where BGP is used to distribute
+ C-multicast routing information, the following procedure is proposed
+ as an alternative to the procedures in Section 5.1 and consists in
+ applying damping in the BGP implementation based on existing BGP
+ damping mechanisms applied to C-multicast Source Tree Join routes and
+ Shared Tree Join routes (and as well to Leaf A-D routes - see
+ Section 6) and modified to implement the behavior described in
+ Section 3 along the following guidelines:
+
+ o not withdrawing (instead of not advertising) damped routes;
+
+ o providing means to configure the *decay-half-life* in seconds if
+ that option is not already available; and
+
+ o using parameters for the exponential decay that are specific to
+ multicast based on default values and multicast-specific
+ configuration.
+
+ While these procedures would typically be implemented on PE routers,
+ in a context where BGP Route Reflectors (RRs) [RFC4456] are used it
+ can be considered useful to also be able to apply damping on RRs as
+ well to provide additional protection against activity created behind
+ multiple PEs. Additionally, for MVPN Inter-AS deployments, it can be
+ needed to protect one Autonomous System (AS) from the dynamicity of
+ multicast VPN routing events from other ASes.
+
+ The choice to implement damping based on BGP routes or the procedures
+ described in Section 5.1 is up to the implementor, but at least one
+ of the two MUST be implemented. In the perspective of allowing
+ damping to be done on RRs and Autonomous System Border Routers
+ (ASBRs), implementing the BGP approach is recommended.
+
+ When not all routers in a deployment have the capability to drop
+ traffic coming from the wrong PE (as spelled out in Section 9.1.1 of
+ [RFC6513]), then the withdrawal of a C-multicast route resulting from
+ a change in the Upstream Multicast Hop or Upstream Multicast PE
+ SHOULD NOT be damped. An implementation of this specification MUST
+ do at least one of the two following things:
+
+ o not damp these withdrawals by default, and/or
+
+ o provide a tuning knob to disable the damping of these withdrawals.
+
+ Additionally, in such a deployment context, it is RECOMMENDED not to
+ enable any multicast VPN route damping on RRs and ASBRs since these
+ types of equipment cannot distinguish the event having caused a
+ C-multicast to be withdrawn.
+
+
+
+
+Morin, et al. Standards Track [Page 11]
+
+RFC 7899 MVPN Damping June 2016
+
+
+ Note well that it is out of scope of this section to consider the
+ application of these damping techniques on MVPN BGP routes other than
+ C-multicast routes.
+
+6. Procedures for P-Tunnel State Damping
+
+6.1. Damping MVPN P-Tunnel Change Events
+
+ When selective P-tunnels are used (see Section 7 of [RFC6513]), the
+ effect of updating the upstream state machine for a given (C-S,C-G)
+ state on a PE connected to multicast receivers is not only to
+ generate activity to propagate C-multicast routing information to the
+ source connected PE, but also to possibly trigger changes related to
+ the P-tunnels carrying (C-S,C-G) traffic. Protecting the provider
+ network from an excessive amount of change in the state of P-tunnels
+ is required, and this section details how this can be done.
+
+ A PE implementing these procedures for MVPN MUST damp Leaf A-D routes
+ in the same manner as it would for C-multicast routes (see
+ Section 5.2).
+
+ A PE implementing these procedures for MVPN MUST damp the activity
+ related to removing itself from a P-tunnel. Possible ways to do so
+ depend on the type of P-tunnel, and local implementation details are
+ left up to the implementor.
+
+ The following is proposed as an example of how the above can be
+ achieved:
+
+ o For P-tunnels implemented with the PIM protocol, this consists in
+ applying multicast state damping techniques described in
+ Section 5.1 to the P-PIM instance, at least for (S,G) states
+ corresponding to P-tunnels.
+
+ o For P-tunnels implemented with multipoint LDP (mLDP), this
+ consists in applying damping techniques completely similar to the
+ one described in Section 5 but generalized to apply to mLDP
+ states.
+
+ o For root-initiated P-tunnels (P-tunnels implemented with the
+ Point-to-Multipoint (P2MP) RSVP-TE, or relying on ingress
+ replication), no particular action needs to be implemented to damp
+ P-tunnels membership, if the activity of Leaf A-D route themselves
+ is damped.
+
+
+
+
+
+
+
+Morin, et al. Standards Track [Page 12]
+
+RFC 7899 MVPN Damping June 2016
+
+
+ o Another possibility is to base the decision to join or not join
+ the P-tunnel to which a given (C-S,C-G) is bound and to advertise
+ or not advertise a Leaf A-D route related to (C-S,C-G) based on
+ whether or not a C-multicast Source Tree Join route is being
+ advertised for (C-S,C-G) rather than by relying on the state of
+ the C-PIM Upstream state machine for (C-S,C-G).
+
+6.2. Procedures for Ethernet VPNs
+
+ Specifications exist to support or optimize multicast and broadcast
+ in the context of Ethernet VPNs [RFC7117] relying on the use of
+ Selective P-Multicast Service Interface (S-PMSI) and P-tunnels. For
+ the same reasons as for IP multicast VPNs, an implementation of
+ [RFC7117] MUST follow the procedures described in Section 6.1 to be
+ compliant with this specification.
+
+7. Operational Considerations
+
+7.1. Enabling Multicast Damping
+
+ In the context of multicast VPNs, these procedures would be enabled
+ on PE routers. Additionally, in the case of C-multicast routing
+ based on BGP extensions ([RFC6514]), these procedures can be enabled
+ on ASBRs and RRs.
+
+7.2. Troubleshooting and Monitoring
+
+ Implementing the damping mechanisms described in this document should
+ be complemented by appropriate tools to observe and troubleshoot
+ damping activity.
+
+ Complementing the existing interface providing information on
+ multicast states with information on eventual damping of
+ corresponding states (e.g., Multicast Routing Information Base (MRIB)
+ states) is RECOMMENDED for C-multicast routing states and P-tunnel
+ states.
+
+7.3. Default and Maximum Values
+
+ Considering that, by design, multicast streams will be delivered
+ unchanged to the end user independent of the value chosen for the
+ configurable parameters, and that the only trade-off being made is an
+ increase of bandwidth use, the default and maximum values do not have
+ to be perfectly tuned.
+
+ This section proposes default and maximum values that are
+ conservative, so as to not significantly impact network dimensioning
+ but still prevent multicast state churn going beyond what can be
+
+
+
+Morin, et al. Standards Track [Page 13]
+
+RFC 7899 MVPN Damping June 2016
+
+
+ considered a reasonably low churn for a multicast state (see below
+ for illustrations in order of magnitude of the effect of these
+ values).
+
+ The following values are RECOMMENDED to be adopted as default values:
+
+ o *increment-factor*: 1000
+
+ o *cutoff-threshold*: 3000
+
+ o *decay-half-life*: 10s
+
+ o *reuse-threshold*: 1500
+
+ For unicast damping, it is common to set an upper bound to the time
+ during which a route is suppressed. In the case of multicast state
+ damping, which relies on not withdrawing a damped route, it may be
+ desirable to avoid a situation where a multicast flow would keep
+ flowing in a portion of the network for a very long time in the
+ absence of receivers.
+
+ The proposed default maximum value for the *figure-of-merit* is
+ 20x*increment-factor*, i.e., 20000 with the proposed default
+ *increment-factor* of 1000.
+
+ As illustrations, with these values:
+
+ o a multicast state updated less frequently than once every 6 s will
+ not be damped at all;
+
+ o a multicast state changing once per second for 3 s, and then not
+ changing, will not be damped;
+
+ o a multicast state changing once per second for 4 s, and then not
+ changing, will be damped after the fourth change for approximately
+ 13 s;
+
+ o a multicast state changing twice per second for 15 s, and then not
+ changing, will be damped after the fourth change for approximately
+ 50 s; and
+
+ o a multicast state changing at a fast pace for a long time will
+ reach the maximum of *figure-of-merit*; once the activity on this
+ state stops, corresponding traffic may still flow in the network
+ for approximately 37 s before dampening stops being active.
+
+
+
+
+
+
+Morin, et al. Standards Track [Page 14]
+
+RFC 7899 MVPN Damping June 2016
+
+
+ The following values are proposed as maximums:
+
+ o *decay-half-life*: 60 s
+
+ o *cutoff-threshold*: 50000
+
+ More aggressive protection against the risk of denial of service can
+ be achieved by increasing the *increment-factor* or the
+ *decay-half-life*, or by reducing the *cutoff-threshold* and/or
+ *reuse-threshold*.
+
+8. Security Considerations
+
+ The procedures defined in this document do not introduce additional
+ security issues not already present in the contexts addressed and
+ actually aim at addressing some of the identified risks without
+ introducing as much denial-of-service risk as some of the mechanisms
+ already defined.
+
+ The protection provided relates to the control plane of the multicast
+ routing protocols, including the components implementing the routing
+ protocols and the components responsible for updating the multicast
+ forwarding plane.
+
+ The procedures described are meant to provide some level of
+ protection for the router on which they are enabled by reducing the
+ amount of routing state updates that it needs to send to its upstream
+ neighbor or peers but do not provide any reduction of the control-
+ plane load related to processing routing information from downstream
+ neighbors. Protecting routers from an increase in control-plane load
+ due to activity on downstream interfaces toward core routers (or in
+ the context of BGP-based MVPN C-multicast routing, BGP peers) relies
+ on the activation of damping on corresponding downstream neighbors
+ (or BGP peers) and/or at the edge of the network. Protecting routers
+ from an increase in control-plane load due to activity on customer-
+ facing downstream interfaces or downstream interfaces to routers in
+ another administrative domain is out of the scope of this document
+ and should use already defined mechanisms (see [RFC4609]).
+
+ To be effective, the procedures described here must be complemented
+ by configuration limiting the number of multicast states that can be
+ created on a multicast router through protocol interactions with
+ multicast receivers, neighbor routers in adjacent ASes, or in
+ multicast VPN contexts with multicast CEs. Note well that the two
+ mechanisms may interact: the state for which Prune has been requested
+ may still remain taken into account for some time if damping has been
+ triggered and hence result in an otherwise acceptable new state from
+ being successfully created.
+
+
+
+Morin, et al. Standards Track [Page 15]
+
+RFC 7899 MVPN Damping June 2016
+
+
+ Additionally, it is worth noting that these procedures are not meant
+ to protect against peaks of control-plane load but only address
+ averaged load. For instance, assuming a set of multicast states are
+ submitted to the same Join/Prune events, damping can prevent more
+ than a certain number of Join/Prune messages to be sent upstream in
+ the period of time that elapses between the reception of Join/Prune
+ messages triggering the activation of damping on these states and
+ when damping becomes inactive after decay.
+
+9. References
+
+9.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC2439] Villamizar, C., Chandra, R., and R. Govindan, "BGP Route
+ Flap Damping", RFC 2439, DOI 10.17487/RFC2439, November
+ 1998, <http://www.rfc-editor.org/info/rfc2439>.
+
+ [RFC3376] Cain, B., Deering, S., Kouvelas, I., Fenner, B., and A.
+ Thyagarajan, "Internet Group Management Protocol, Version
+ 3", RFC 3376, DOI 10.17487/RFC3376, October 2002,
+ <http://www.rfc-editor.org/info/rfc3376>.
+
+ [RFC3810] Vida, R., Ed. and L. Costa, Ed., "Multicast Listener
+ Discovery Version 2 (MLDv2) for IPv6", RFC 3810,
+ DOI 10.17487/RFC3810, June 2004,
+ <http://www.rfc-editor.org/info/rfc3810>.
+
+ [RFC6513] Rosen, E., Ed. and R. Aggarwal, Ed., "Multicast in MPLS/
+ BGP IP VPNs", RFC 6513, DOI 10.17487/RFC6513, February
+ 2012, <http://www.rfc-editor.org/info/rfc6513>.
+
+ [RFC6514] Aggarwal, R., Rosen, E., Morin, T., and Y. Rekhter, "BGP
+ Encodings and Procedures for Multicast in MPLS/BGP IP
+ VPNs", RFC 6514, DOI 10.17487/RFC6514, February 2012,
+ <http://www.rfc-editor.org/info/rfc6514>.
+
+ [RFC7117] Aggarwal, R., Ed., Kamite, Y., Fang, L., Rekhter, Y., and
+ C. Kodeboniya, "Multicast in Virtual Private LAN Service
+ (VPLS)", RFC 7117, DOI 10.17487/RFC7117, February 2014,
+ <http://www.rfc-editor.org/info/rfc7117>.
+
+
+
+
+
+
+Morin, et al. Standards Track [Page 16]
+
+RFC 7899 MVPN Damping June 2016
+
+
+ [RFC7196] Pelsser, C., Bush, R., Patel, K., Mohapatra, P., and O.
+ Maennel, "Making Route Flap Damping Usable", RFC 7196,
+ DOI 10.17487/RFC7196, May 2014,
+ <http://www.rfc-editor.org/info/rfc7196>.
+
+ [RFC7761] Fenner, B., Handley, M., Holbrook, H., Kouvelas, I.,
+ Parekh, R., Zhang, Z., and L. Zheng, "Protocol Independent
+ Multicast - Sparse Mode (PIM-SM): Protocol Specification
+ (Revised)", STD 83, RFC 7761, DOI 10.17487/RFC7761, March
+ 2016, <http://www.rfc-editor.org/info/rfc7761>.
+
+9.2. Informative References
+
+ [RFC4456] Bates, T., Chen, E., and R. Chandra, "BGP Route
+ Reflection: An Alternative to Full Mesh Internal BGP
+ (IBGP)", RFC 4456, DOI 10.17487/RFC4456, April 2006,
+ <http://www.rfc-editor.org/info/rfc4456>.
+
+ [RFC4609] Savola, P., Lehtonen, R., and D. Meyer, "Protocol
+ Independent Multicast - Sparse Mode (PIM-SM) Multicast
+ Routing Security Issues and Enhancements", RFC 4609,
+ DOI 10.17487/RFC4609, October 2006,
+ <http://www.rfc-editor.org/info/rfc4609>.
+
+Acknowledgements
+
+ We would like to thank Bruno Decraene and Lenny Giuliano for
+ discussions that helped shape this proposal. We would also like to
+ thank Yakov Rekhter and Eric Rosen for their reviews and helpful
+ comments. Thanks to Wim Henderickx for his comments and support of
+ this proposal. Additionally, Martin Vigoureux, Gunter Van De Velde,
+ and Alvaro Retana provided useful comments to finalize the document.
+
+Authors' Addresses
+
+ Thomas Morin (editor)
+ Orange
+ 2, avenue Pierre Marzin
+ Lannion 22307
+ France
+
+ Email: thomas.morin@orange.com
+
+
+
+
+
+
+
+
+
+Morin, et al. Standards Track [Page 17]
+
+RFC 7899 MVPN Damping June 2016
+
+
+ Stephane Litkowski
+ Orange
+ France
+
+ Email: stephane.litkowski@orange.com
+
+
+ Keyur Patel
+ Cisco Systems
+ 170 W. Tasman Drive
+ San Jose, CA 95134
+ United States of America
+
+ Email: keyupate@cisco.com
+
+
+ Zhaohui Zhang
+ Juniper Networks Inc.
+ 10 Technology Park Drive
+ Westford, MA 01886
+ United States of America
+
+ Email: zzhang@juniper.net
+
+
+ Robert Kebler
+ Juniper Networks Inc.
+ 10 Technology Park Drive
+ Westford, MA 01886
+ United States of America
+
+ Email: rkebler@juniper.net
+
+
+ Jeffrey Haas
+ Juniper Networks
+
+ Email: jhaas@juniper.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+Morin, et al. Standards Track [Page 18]
+