summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc3479.txt
blob: b5ef5eeb4f1a709dab0914a5424ba8db2ad6f9ac (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
Network Working Group                                     A. Farrel, Ed.
Request for Comments: 3479                          Movaz Networks, Inc.
Category: Standards Track                                  February 2003


       Fault Tolerance for the Label Distribution Protocol (LDP)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

IESG Note

   This specification includes procedures for failure detection and
   failover for a TCP connection carrying MPLS LDP control traffic, so
   that it can be switched to a new TCP connection.  It does not provide
   a general approach to using multiple TCP connections to provide this
   kind of fault tolerance.  The specification lacks adequate guidance
   for the timer and retry value choices related to the TCP connection
   fault tolerance procedures.  The specification should not serve as a
   model for TCP connection fault tolerance design for any future
   document, and users are advised to test configurations based on this
   specification very carefully for problems such as premature
   failovers.

Abstract

   Multiprotocol Label Switching (MPLS) systems will be used in core
   networks where system downtime must be kept to an absolute minimum.
   Many MPLS Label Switching Routers (LSRs) may, therefore, exploit
   Fault Tolerant (FT) hardware or software to provide high availability
   of the core networks.

   The details of how FT is achieved for the various components of an FT
   LSR, including Label Distribution Protocol (LDP), the switching
   hardware and TCP, are implementation specific.  This document
   identifies issues in the LDP specification in RFC 3036, "LDP
   Specification", that make it difficult to implement an FT LSR using
   the current LDP protocols, and defines enhancements to the LDP
   specification to ease such FT LSR implementations.



Farrel                      Standards Track                     [Page 1]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   The issues and extensions described here are equally applicable to
   RFC 3212, "Constraint-Based LSP Setup Using LDP" (CR-LDP).

Table of Contents

   1. Conventions and Terminology used in this document..........3
   2. Contributing Authors.......................................4
   3. Introduction...............................................4
      3.1. Fault Tolerance for MPLS..............................4
      3.2. Issues with LDP.......................................5
   4. Overview of LDP FT Enhancements............................7
      4.1. Establishing an FT LDP Session........................8
           4.1.1 Interoperation with Non-FT LSRs.................8
      4.2. TCP Connection Failure................................9
           4.2.1 Detecting TCP Connection Failures...............9
           4.2.2 LDP Processing after Connection Failure.........9
      4.3. Data Forwarding During TCP Connection Failure........10
      4.4. FT LDP Session Reconnection..........................10
      4.5. Operations on FT Labels..............................11
      4.6. Check-Pointing.......................................11
           4.6.1 Graceful Termination...........................12
      4.7. Label Space Depletion and Replenishment..............13
      4.8. Tunneled LSPs........................................13
   5. FT Operations.............................................14
      5.1. FT LDP Messages......................................14
           5.1.1 Sequence Numbered FT Label Messages............14
           5.1.2 FT Address Messages............................15
           5.1.3 Label Resources Available Notifications........15
      5.2. FT Operation ACKs....................................17
      5.3. Preservation of FT State.............................17
      5.4. FT Procedure After TCP Failure.......................19
           5.4.1 FT LDP Operations During TCP Failure...........20
      5.5. FT Procedure After TCP Re-connection.................21
           5.5.1 Re-Issuing FT Messages.........................22
   6. Check-Pointing Procedures.................................22
      6.1 Check-Pointing with the Keepalive Message.............23
      6.2 Quiesce and Keepalive.................................23
   7. Changes to Existing Messages..............................24
      7.1. LDP Initialization Message...........................24
      7.2. LDP Keepalive Messages...............................25
      7.3. All Other LDP Session Messages.......................25
   8. New Fields and Values.....................................26
      8.1. Status Codes.........................................26
      8.2. FT Session TLV.......................................27
      8.3. FT Protection TLV....................................29
      8.4. FT ACK TLV...........................................32
      8.5. FT Cork TLV..........................................33
   9. Example Use...............................................34



Farrel                      Standards Track                     [Page 2]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


      9.1. Session Failure and Recovery - FT Procedures.........34
      9.2. Use of Check-Pointing With FT Procedures.............37
      9.3. Temporary Shutdown With FT Procedures................38
      9.4. Temporary Shutdown With FT Procedures
           and Check-Pointing...................................40
      9.5. Check-Pointing Without FT Procedures.................42
      9.6. Graceful Shutdown With Check-Pointing
           But No FT Procedures.................................44
   10. Security Considerations..................................45
   11. Implementation Notes.....................................47
      11.1. FT Recovery Support on Non-FT LSRs..................47
      11.2. ACK generation logic................................47
            11.2.1 Ack Generation Logic When Using
                   Check-Pointing...............................47
      11.3 Interactions With Other Label Distribution
           Mechanisms...........................................48
   12. Acknowledgments..........................................48
   13. Intellectual Property Consideration......................49
   14. References...............................................49
      14.1. Normative References................................49
      14.2. Informative References..............................50
   15. Authors' Addresses.......................................50
   16. Full Copyright Statement.................................52

1. Conventions and Terminology used in this document

   Definitions of key words and terms applicable to LDP and CR-LDP are
   inherited from [RFC3212] and [RFC3036].

   The term "FT Label" is introduced in this document to indicate a
   label for which some fault tolerant operation is used.  A "non-FT
   Label" is not fault tolerant and is handled as specified in
   [RFC3036].

   The term "Sequence Numbered FT Label" is used to indicate an FT label
   which is secured using the sequence number in the FT Protection TLV
   described in this document.

   The term "Check-Pointable FT Label" is used to indicate an FT label
   which is secured by using the check-pointing techniques described in
   this document.

   The extensions to LDP specified in this document are collectively
   referred to as the "LDP FT enhancements".

   Within the context of this document, "Check-Pointing" refers to a
   process of message exchanges that confirm receipt and processing (or
   secure storage) of specific protocol messages.



Farrel                      Standards Track                     [Page 3]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   When talking about the individual bits in the 16-bit FT Flag Field,
   the words "bit" and "flag" are used interchangeably.

   In the examples quoted, the following notation is used:  Ln : An LSP.
   For example L1.  Pn : An LDP peer.  For example P1.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14, RFC 2119
   [RFC2119].

2. Contributing Authors

   This document was the collective work of several individuals over a
   period of several years.  The text and content of this document was
   contributed by the editor and the co-authors listed in section 15,
   "Authors' Addresses".

3. Introduction

   High Availability (HA) is typically claimed by equipment vendors when
   their hardware achieves availability levels of at least 99.999% (five
   9s).  To implement this, the equipment must be capable of recovering
   from local hardware and software failures through a process known as
   fault tolerance (FT).

   The usual approach to FT involves provisioning backup copies of
   hardware and/or software.  When a primary copy fails, processing is
   switched to the backup copy.  This process, called failover, should
   result in minimal disruption to the Data Plane.

   In an FT system, backup resources are sometimes provisioned on a
   one-to-one basis (1:1), sometimes as one-to-many (1:n), and
   occasionally as many-to-many (m:n).  Whatever backup provisioning is
   made, the system must switch to the backup automatically on failure
   of the primary, and the software and hardware state in the backup
   must be set to replicate the state in the primary at the point of
   failure.

3.1.  Fault Tolerance for MPLS

   MPLS is a technology that will be used in core networks where system
   downtime must be kept to an absolute minimum.  Many MPLS LSRs may,
   therefore, exploit FT hardware or software to provide high
   availability of core networks.






Farrel                      Standards Track                     [Page 4]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   In order to provide HA, an MPLS system needs to be able to survive a
   variety of faults with minimal disruption to the Data Plane,
   including the following fault types:

   -  failure/hot-swap of a physical connection between LSRs.

   -  failure/hot-swap of the switching fabric in an LSR.

   -  failure of the TCP or LDP stack in an LSR.

   -  software upgrade to the TCP or LDP stacks in an LSR.

   The first two examples of faults listed above are confined to the
   Data Plane.  Such faults can be handled by providing redundancy in
   the Data Plane which is transparent to LDP operating in the Control
   Plane.  The last two example types of fault require action in the
   Control Plane to recover from the fault without disrupting traffic in
   the Data Plane.  This is possible because many recent router
   architectures separate the Control and Data Planes such that
   forwarding can continue unaffected by recovery action in the Control
   Plane.

3.2.  Issues with LDP

   LDP uses TCP to provide reliable connections between LSRs over which
   they exchange protocol messages to distribute labels and set up LSPs.
   A pair of LSRs that have such a connection are referred to as LDP
   peers.

   TCP enables LDP to assume reliable transfer of protocol messages.
   This means that some of the messages do not need to be acknowledged
   (for example, Label Release).

   LDP is defined such that if the TCP connection fails, the LSR should
   immediately tear down the LSPs associated with the session between
   the LDP peers, and release any labels and resources assigned to those
   LSPs.

   It is notoriously hard to provide a Fault Tolerant implementation of
   TCP.  To do so might involve making copies of all data sent and
   received.  This is an issue familiar to implementers of other TCP
   applications such as BGP.

   During failover affecting the TCP or LDP stacks, the TCP connection
   may be lost.  Recovery from this position is made worse by the fact
   that LDP control messages may have been lost during the connection
   failure.  Since these messages are unconfirmed, it is possible that
   LSP or label state information will be lost.



Farrel                      Standards Track                     [Page 5]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   This document describes a solution which involves:

   -  negotiation between LDP peers of the intent to support extensions
      to LDP that facilitate recovery from failover without loss of
      LSPs.

   -  selection of FT survival on a per LSP/label basis.

   -  acknowledgement of LDP messages to ensure that a full handshake is
      performed on those messages either frequently (such as per
      message) or less frequently as in check-pointing.

   -  solicitation of up-to-date acknowledgement (check-pointing) of
      previous LDP messages to ensure the current state is flushed to
      disk/NVRAM, with an additional option that allows an LDP partner
      to request that state is flushed in both directions if graceful
      shutdown is required.

   -  re-issuing lost messages after failover to ensure that LSP/label
      state is correctly recovered after reconnection of the LDP
      session.

   The issues and objectives described above are equally applicable to
   CR-LDP.

   Other objectives of this document are to:

   -  offer backward-compatibility with LSRs that do not implement these
      extensions to LDP.

   -  preserve existing protocol rules described in [RFC3036] for
      handling unexpected duplicate messages and for processing
      unexpected messages referring to unknown LSPs/labels.

   -  avoid full state refresh solutions (such as those present in RSVP:
      see [RFC2205], [RFC2961], [RFC3209] and [RFC3478]) whether they be
      continual, or limited to post-failover recovery.

   Note that this document concentrates on the preservation of label
   state for labels exchanged between a pair of adjacent LSRs when the
   TCP connection between those LSRs is lost.  This is a requirement for
   Fault Tolerant operation of LSPs, but a full implementation of end-
   to-end protection for LSPs requires that this be combined with other
   techniques that are outside the scope of this document.

   In particular, this document does not attempt to describe how to
   modify the routing of an LSP or the resources allocated to a label or
   LSP, which is covered by [RFC3214].  This document also does not



Farrel                      Standards Track                     [Page 6]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   address how to provide automatic layer 2 or layer 3 protection
   switching for a label or LSP, which is a separate area for study.

   This specification does not preclude an implementation from
   attempting (or require it to attempt) to use the FT behavior
   described here to recover from a preemptive failure of a connection
   on a non-FT system due to, for example, a partial system crash.
   Note, however, that there are potential issues too numerous to list
   here - not least the likelihood that the same crash will immediately
   occur when processing the restored data.

4. Overview of LDP FT Enhancements

   The LDP FT enhancements consist of the following main elements, which
   are described in more detail in the sections that follow.

   -  The presence of an FT Session TLV on the LDP Initialization
      message indicates that an LSR supports some form of protection or
      recovery from session failure.  A flag bit within this TLV (the S
      bit) indicates that the LSR supports the LDP FT enhancements on
      this session.  Another flag (the C bit) indicates that the check-
      pointing procedures are to be used.

   -  An FT Reconnect Flag in the FT Session TLV (the R bit) indicates
      whether an LSR has preserved FT Label state across a failure of
      the TCP connection.

   -  An FT Reconnection Timeout, exchanged on the LDP Initialization
      message, that indicates the maximum time peer LSRs will preserve
      FT Label state after a failure of the TCP connection.

   -  An FT Protection TLV used to identify operations that affect LDP
      labels.  All LDP messages carrying the FT Protection TLV need to
      be secured (e.g. to NVRAM) and ACKed to the sending LDP peer so
      that the state for Sequence Numbered FT Labels can be correctly
      recovered after LDP session reconnection.

      Note that the implementation within an FT system is left open by
      this document.  An implementation could choose to secure entire
      messages relating to Sequence Numbered FT Labels, or it could
      secure only the relevant state information.

   -  Address advertisement may also be secured by use of the FT
      Protection TLV.  This enables recovery after LDP session
      reconnection without the need to re-advertise what may be a very
      large number of addresses.





Farrel                      Standards Track                     [Page 7]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   -  The FT Protection TLV may also be used on the Keepalive message to
      flush acknowledgement of all previous FT operations.  This enables
      a check-point for future recovery, either in mid-session or prior
      to graceful shutdown of an LDP session.  This procedure may also
      be used to check-point all (that is both FT and non-FT) operations
      for future recovery.

4.1.  Establishing an FT LDP Session

   In order that the extensions to LDP [RFC3036] described in this
   document can be used successfully on an LDP session between a pair of
   LDP peers, they MUST negotiate that the LDP FT enhancements are to be
   used on the LDP session.

   This is done on the LDP Initialization message exchange using a new
   FT Session TLV.  Presence of this TLV indicates that the peer wants
   to support some form of protection or recovery processing.  The S bit
   within this TLV indicates that the peer wants to support the LDP FT
   enhancements on this LDP session.  The C bit indicates that the peer
   wants to support the check-pointing functions described in this
   document.  The S and C bits may be set independently.

   The relevant LDP FT enhancements MUST be supported on an LDP session
   if both LDP peers include an FT Session TLV on the LDP Initialization
   message and have the same setting of the S or C bit.

   If either LDP Peer does not include the FT Session TLV LDP
   Initialization message, or if there is no match of S and C bits
   between the peers, the LDP FT enhancements MUST NOT be used during
   this LDP session.  Use of LDP FT enhancements by a sending LDP peer
   in these cases MUST be interpreted by the receiving LDP peer as a
   serious protocol error causing the session to be terminated.

   An LSR MAY present different FT/non-FT behavior on different TCP
   connections, even if those connections are successive instantiations
   of the LDP session between the same LDP peers.

4.1.1 Interoperation with Non-FT LSRs

   The FT Session TLV on the LDP Initialization message carries the U-
   bit.  If an LSR does not support any protection or recovery
   mechanisms, it will ignore this TLV.  Since such partners also do not
   include the FT Session TLV, all LDP sessions to such LSRs will not
   use the LDP FT enhancements.

   The rest of this document assumes that the LDP sessions under
   discussion are between LSRs that support the LDP FT enhancements,
   except where explicitly stated otherwise.



Farrel                      Standards Track                     [Page 8]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


4.2.  TCP Connection Failure

4.2.1 Detecting TCP Connection Failures

   TCP connection failures may be detected and reported to the LDP
   component in a variety of ways.  These should all be treated in the
   same way by the LDP component.

   -  Indication from the management component that a TCP connection or
      underlying resource is no longer active.

   -  Notification from a hardware management component of an interface
      failure.

   -  Sockets keepalive timeout.

   -  Sockets send failure.

   -  New (incoming) Socket opened.

   -  LDP protocol timeout.

4.2.2 LDP Processing after Connection Failure

   If the LDP FT enhancements are not in use on an LDP session, the
   action of the LDP peers on failure of the TCP connection is as
   specified in [RFC3036].

   All state information and resources associated with non-FT Labels
   MUST be released on the failure of the TCP connection, including
   deprogramming the non-FT Label from the switching hardware.  This is
   equivalent to the behavior specified in [RFC3036].

   If the LDP FT enhancements are in use on an LDP session, both LDP
   peers SHOULD preserve state information and resources associated with
   FT Labels exchanged on the LDP session.  Both LDP peers SHOULD use a
   timer to release the preserved state information and resources
   associated with FT-labels if the TCP connection is not restored
   within a reasonable period.  The behavior when this timer expires is
   equivalent to the LDP session failure behavior described in
   [RFC3036].

   The FT Reconnection Timeout each LDP peer intends to apply to the LDP
   session is carried in the FT Session TLV on the LDP Initialization
   messages.  Both LDP peers MUST use the value that corresponds to the
   lesser timeout interval of the two proposed timeout values from the
   LDP Initialization exchange, where a value of zero is treated as
   positive infinity.



Farrel                      Standards Track                     [Page 9]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


4.3.  Data Forwarding During TCP Connection Failure

   An LSR that implements the LDP FT enhancements SHOULD preserve the
   programming of the switching hardware across a failover.  This
   ensures that data forwarding is unaffected by the state of the TCP
   connection between LSRs.

   It is an integral part of FT failover processing in some hardware
   configurations that some data packets might be lost.  If data loss is
   not acceptable to the applications using the MPLS network, the LDP FT
   enhancements described in this document SHOULD NOT be used.

4.4.  FT LDP Session Reconnection

   When a new TCP connection is established, the LDP peers MUST exchange
   LDP Initialization messages.  When a new TCP connection is
   established after failure, the LDP peers MUST re-exchange LDP
   Initialization messages.

   If an LDP peer includes the FT Session TLV with the S bit set in the
   LDP Initialization message for the new instantiation of the LDP
   session, it MUST also set the FT Reconnect Flag according to whether
   it has been able to preserve label state.  The FT Reconnect Flag is
   carried in the FT Session TLV.

   If an LDP peer has preserved all state information for previous
   instantiations of the LDP session, then it SHOULD set the FT
   Reconnect Flag to 1 in the FT Session TLV.  Otherwise, it MUST set
   the FT Reconnect Flag to 0.

   If either LDP peer sets the FT Reconnect Flag to 0, or omits the FT
   Session TLV, both LDP peers MUST release any state information and
   resources associated with the previous instantiation of the LDP
   session between the same LDP peers, including FT Label state and
   Addresses.  This ensures that network resources are not permanently
   lost by one LSR if its LDP peer is forced to undergo a cold start.

   If an LDP peer changes any session parameters (for example, the label
   space bounds) from the previous instantiation, the nature of any
   preserved labels may have changed.  In particular, previously
   allocated labels may now be out of range.  For this reason, session
   reconnection MUST use the same parameters as were in use on the
   session before the failure.  If an LDP peer notices that the
   parameters have been changed by the other peer, it SHOULD send a
   Notification message with the 'FT Session parameters changed' status
   code.





Farrel                      Standards Track                    [Page 10]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   If both LDP peers set the FT Reconnect Flag to 1, both LDP peers MUST
   use the procedures indicated in this document to complete any label
   operations on Sequence Numbered FT Labels that were interrupted by
   the LDP session failure.

   If an LDP peer receives an LDP Initialization message with the FT
   Reconnect Flag set before it sends its own Initialization message,
   but has retained no information about the previous version of the
   session, it MUST respond with an Initialization message with the FT
   Reconnect Flag clear.  If an LDP peer receives an LDP Initialization
   message with the FT Reconnect Flag set in response to an
   Initialization message that it has sent with the FT Reconnect Flag
   clear, it MUST act as if no state was retained by either peer on the
   session.

4.5.  Operations on FT Labels

   Label operations on Sequence Numbered FT Labels are made Fault
   Tolerant by providing acknowledgement of all LDP messages that affect
   Sequence Numbered FT Labels.  Acknowledgements are achieved by means
   of sequence numbers on these LDP messages.

   The message exchanges used to achieve acknowledgement of label
   operations and the procedures used to complete interrupted label
   operations are detailed in section 5, "FT Operations".

   Using these acknowledgements and procedures, it is not necessary for
   LDP peers to perform a complete re-synchronization of state for all
   Sequence Numbered FT Labels, either on re-connection of the LDP
   session between the LDP peers or on a timed basis.

4.6.  Check-Pointing

   Check-pointing is a useful feature that allows nodes to reduce the
   amount of processing that they need to do to acknowledge LDP
   messages.  The C bit in the FT Session TLV is used to indicate that
   check-pointing is supported.

   Under the normal operation on Sequence Numbered FT Labels,
   acknowledgments may be deferred during normal processing and only
   sent periodically.  Check-pointing may be used to flush
   acknowledgement from a peer by including a sequence number on a
   Keepalive message requesting acknowledgement of that message and all
   previous messages.  In this case, all Sequence Numbered FT Labels are
   Check-Pointable FT Labels.






Farrel                      Standards Track                    [Page 11]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   If the S bit is not agreed upon, check-pointing may still be used.
   In this case it is used to acknowledge all messages exchanged between
   the peers, and all labels are Check-Pointable FT Labels.

   This offers an approach where acknowledgements need not be sent to
   every message or even frequently, but are only sent as check-points
   in response to requests carried on Keepalive messages.  Such an
   approach may be considered optimal in systems that do not show a high
   degree of change over time (such as targeted LDP sessions) and that
   are prepared to risk loss of state for the most recent LDP exchanges.
   More dynamic systems (such as LDP discovery sessions) are more likely
   to want to acknowledge state changes more frequently so that the
   maximum amount of state can be preserved over a failure.

   Note that an important consideration of this document is that nodes
   acknowledging messages on a one-for-one basis, nodes deferring
   acknowledgements, and nodes relying on check-pointing, should all
   interoperate seamlessly and without protocol negotiation beyond
   session initialization.

   Further discussion of this feature is provided in section 5, "FT
   Operations".

4.6.1 Graceful Termination

   A feature that builds on check-pointing is graceful termination.

   In some cases, such as controlled failover or software upgrade, it is
   possible for a node to know in advance that it is going to terminate
   its session with a peer.

   In these cases the node that intends terminating the session can
   flush acknowledgement using a check-point request as described above.
   The sender SHOULD not send further label or address-related messages
   after requesting shutdown check-pointing in order to preserve the
   integrity of its saved state.

   This, however, only provides for acknowledgement in one direction,
   and the node that is being terminated also requires verification that
   it has secured all state sent by its peer.  This is achieved by a
   three-way hand shake of the check-point which is requested by an
   additional TLV (the Cork TLV) in the Keepalive message.

   Further discussion of this feature is provided in section 5, "FT
   Operations".






Farrel                      Standards Track                    [Page 12]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


4.7.  Label Space Depletion and Replenishment

   When an LDP peer is unable to satisfy a Label Request message because
   it has no more available labels, it sends a Notification message
   carrying the status code 'No label resources'.  This warns the
   requesting LDP peer that subsequent Label Request messages are also
   likely to fail for the same reason.  This message does not need to be
   acknowledged for FT purposes since Label Request messages sent after
   session recovery will receive the same response.  However, the LDP
   peer that receives a 'No label resources' Notification stops sending
   Label Request messages until it receives a 'Label resources
   available' Notification message.  Since this unsolicited Notification
   might get lost during session failure, it may be protected using the
   procedures described in this document.

   An alternative approach allows that an implementation may always
   assume that labels are available when a session is re-established.
   In this case, it is possible that it may throw away the 'No label
   resources' information from the previous incarnation of the session
   and may send a batch of LDP messages on session re-establishment that
   will fail and that it could have known would fail.

   Note that the sender of a 'Label resources available' Notification
   message may choose whether to add a sequence number requesting
   acknowledgement.  Conversely, the receiver of 'Label resources
   available' Notification message may choose to acknowledge the message
   without actually saving any state.

   This is an implementation choice made possible by making the FT
   parameters on the Notification message optional.  Implementations
   will interoperate fully if they take opposite approaches, but
   additional LDP messages may be sent unnecessarily on session
   recovery.

4.8.  Tunneled LSPs

   The procedures described in this document can be applied to LSPs that
   are tunnels and to LSPs that are carried by tunnels.  Recall that
   tunneled LSPs are managed by a single LDP session that runs end to
   end, while the tunnel is managed by a different LDP session for each
   hop along the path.  Nevertheless, a break in one of the sessions
   that manages the tunnel is likely to correspond with a break in the
   session that manages the tunneled LSP.  This is certainly the case
   when the LDP exchanges share a failed link, but need not be the case
   if the LDP messages have been routed along a path that is different
   from that of the tunnel, or if the failure in the tunnel is caused by
   an LDP software failure at a transit LSR.




Farrel                      Standards Track                    [Page 13]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   In order that the forwarding path of a tunneled LSP be preserved, the
   forwarding path of the tunnel itself must be preserved.  This means
   that the tunnel must not be torn down if there is any session failure
   along its path.  To achieve this, the label exchanges between each
   pair of LDP peers along the path of the tunnel must use one of the
   procedures in this document or in [RFC3478].

   It is perfectly acceptable to mix the restart procedures used for the
   tunnel and the tunneled LSP.  For example, the tunnel could be set up
   using just check-pointing because it is a stable LSP, but the
   tunneled LSPs might use full FT procedures so that they can recover
   active state.

   Lastly, it is permissible to carry tunneled LSPs that do not have FT
   protection in an LSP that has FT protection.

5. FT Operations

   Once an FT LDP session has been established, using the S bit in the
   FT Session TLV on the Session Initialization message as described in
   section 4.1, "Establishing an FT LDP Session", both LDP peers MUST
   apply the procedures described in this section for FT LDP message
   exchanges.

   If the LDP session has been negotiated to not use the LDP FT
   enhancements, these procedures MUST NOT be used.

5.1.  FT LDP Messages

5.1.1 Sequence Numbered FT Label Messages

   A label is identified as being a Sequence Numbered FT Label if the
   initial Label Request or Label Mapping message relating to that label
   carries the FT Protection TLV.

   It is a valid implementation option to flag all labels as Sequence
   Numbered FT Labels.  Indeed this may be a preferred option for
   implementations wishing to use Keepalive messages carrying the FT
   Protection TLV to achieve periodic saves of the complete label
   forwarding state.

   If a label is a Sequence Numbered FT Label, all LDP messages
   affecting that label MUST carry the FT Protection TLV so that the
   state of the label can be recovered after a failure of the LDP
   session.






Farrel                      Standards Track                    [Page 14]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   A further valid option is for no labels to be Sequence Numbered FT
   Labels.  In this case, check-pointing using the Keepalive message
   applies to all messages exchanged on the session.

5.1.1.1  Scope of FT Labels

   The scope of the FT/non-FT status of a label is limited to the LDP
   message exchanges between a pair of LDP peers.

   In Ordered Control, when the message is forwarded downstream or
   upstream, the TLV may be present or absent according to the
   requirements of the LSR sending the message.

   If a platform-wide label space is used for FT Labels, an FT Label
   value MUST NOT be reused until all LDP FT peers to which the label
   was passed have acknowledged the withdrawal of the FT Label, either
   by an explicit LABEL WITHDRAW/LABEL RELEASE, exchange or implicitly
   if the LDP session is reconnected after failure but without the FT
   Reconnect Flag set.  In the event that a session is not re-
   established within the Reconnection Timeout, a label MAY become
   available for re-use if it is not still in use on some other session.

5.1.2 FT Address Messages

   If an LDP session uses the LDP FT enhancements, both LDP peers MUST
   secure Address and Address Withdraw messages using FT Operation ACKs,
   as described below.  This avoids any ambiguity over whether an
   Address is still valid after the LDP session is reconnected.

   If an LSR determines that an Address message it sent on a previous
   instantiation of a recovered LDP session is no longer valid, it MUST
   explicitly issue an Address Withdraw for that address when the
   session is reconnected.

   If the FT Reconnect Flag is not set by both LDP peers upon
   reconnection of an LDP session (i.e. state has not been preserved),
   both LDP peers MUST consider all Addresses to have been withdrawn.
   The LDP peers SHOULD issue new Address messages for all their valid
   addresses, as specified in [RFC3036].

5.1.3 Label Resources Available Notifications

   In LDP, it is possible that a downstream LSR may not have labels
   available to respond to a Label Request.  In this case, as specified
   in RFC 3036, the downstream LSR must respond with a Notification - No
   Label Resources message.  The upstream LSR then suspends asking for
   new labels until it receives a Notification - Label Resources
   Available message from the downstream LSR.



Farrel                      Standards Track                    [Page 15]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   When the FT extensions are used on a session, implementations may
   choose whether or not to secure the label resource state of their
   peer.  This choice impacts the number of LDP messages that will be
   incorrectly routed to a peer with depleted resources on session re-
   establishment, but does not otherwise impact interoperability.

   For full preservation of state:

   -  The downstream LSR must preserve the label availability state
      across a failover so that it remembers to send Notification -
      Label Resources Available when the resources become available.

   -  The upstream LSR must recall the label availability state across
      failover so that it can optimize not sending Label Requests when
      it recovers.

   -  The downstream LSR must use sequence numbers on Notification -
      Label Resources Available so that it can check that LSR A has
      received the message and clear its secured state, or resend the
      message if LSR A recovers without having received it.

   However, the following options also exist:

   -  The downstream LSR may choose to not include a sequence number on
      Notification - Label Resources Available.  This means that on
      session re-establishment it does not know what its peer thinks the
      LSR's resource state is, because the Notification may or may not
      have been delivered.  Such an implementation MUST begin recovered
      sessions by sending an additional Notification - Label Resources
      Available to reset its peer.

   -  The upstream node may choose not to secure information about its
      peer's resource state.  It would acknowledge a Notification -
      Label Resources Available, but would not save the information.
      Such an implementation MUST assume that its peer's resource state
      has been reset to Label Resources Available when the session is
      re-established.

   If the FT Reconnect Flag is not set by both LDP peers upon
   reconnection of an LDP session (i.e. state has not been preserved),
   both LDP peers MUST consider the label availability state to have
   been reset as if the session had been set up for the first time.









Farrel                      Standards Track                    [Page 16]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


5.2.  FT Operation ACKs

   Handshaking of FT LDP messages is achieved by use of ACKs.
   Correlation between the original message and the ACK is by means of
   the FT Sequence Number contained in the FT Protection TLV, and passed
   back in the FT ACK TLV.  The FT ACK TLV may be carried on any LDP
   message that is sent on the TCP connection between LDP peers.

   An LDP peer maintains a separate FT sequence number for each LDP
   session in which it participates.  The FT Sequence number is
   incremented by one for each FT LDP message (i.e. containing the FT
   Protection TLV) issued by this LSR on the FT LDP session with which
   the FT sequence number is associated.

   When an LDP peer receives a message containing the FT Protection TLV,
   it MUST take steps to secure this message (or the state information
   derived from processing the message).  Once the message is secured,
   it MUST be ACKed.  However, there is no requirement on the LSR to
   send this ACK immediately.

   ACKs may be accumulated to reduce the message flow between LDP peers.
   For example, if an LSR received FT LDP messages with sequence numbers
   1, 2, 3, 4, it could send a single ACK with sequence number 4 to ACK
   receipt, securing of all these messages.  There is no protocol reason
   why the number of ACKs accumulated, or the time for which an ACK is
   deferred, should not be allowed to become relatively large.

   ACKs MUST NOT be sent out of sequence, as this is incompatible with
   the use of accumulated ACKs.  Duplicate ACKs (that is two successive
   messages that acknowledge the same sequence number) are acceptable.

   If an LDP peer discovers that its sequence number space for a
   specific session is full of un-acknowledged sequence numbers (because
   its partner on the session has not acknowledged them in a timely
   way), it cannot allocate a new sequence number for any further FT LPD
   message.  It SHOULD send a Notification message with the status code
   'FT Seq Numbers Exhausted'.

5.3.  Preservation of FT State

   If the LDP FT enhancements are in use on an LDP session, each LDP
   peer SHOULD NOT release the state information and resources
   associated with FT Labels exchanged on that LDP session when the TCP
   connection fails.  This is contrary to [RFC3036], but allows label
   operations on FT Labels to be completed after re-connection of the
   TCP connection.





Farrel                      Standards Track                    [Page 17]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   Both LDP peers on an LDP session that is using the LDP FT
   enhancements SHOULD preserve the state information and resources they
   hold for that LDP session as described below.

   -  An upstream LDP peer SHOULD release the resources (in particular
      bandwidth) associated with a Sequence Numbered FT Label when it
      initiates a Label Release or Label Abort message for the label.
      The upstream LDP peer MUST preserve state information for the
      Sequence Numbered FT Label, even if it releases the resources
      associated with the label, as it may need to reissue the label
      operation if the TCP connection is interrupted.

   -  An upstream LDP peer MUST release the state information and
      resources associated with a Sequence Numbered FT Label when it
      receives an acknowledgement to a Label Release or Label Abort
      message that it sent for the label, or when it sends a Label
      Release message in response to a Label Withdraw message received
      from the downstream LDP peer.

   -  A downstream LDP peer SHOULD NOT release the resources associated
      with a Sequence Numbered FT Label when it sends a Label Withdraw
      message for the label as it has not yet received confirmation that
      the upstream LDP peer has ceased to send data using the label.
      The downstream LDP peer MUST NOT release the state information it
      holds for the label as it may yet have to reissue the label
      operation if the TCP connection is interrupted.

   -  A downstream LDP peer MUST release the resources and state
      information associated with a Sequence Numbered FT Label when it
      receives an acknowledgement to a Label Withdraw message for the
      label.

   -  When the FT Reconnection Timeout expires, an LSR SHOULD release
      all state information and resources from previous instantiations
      of the (permanently) failed LDP session.

   -  Either LDP peer MAY elect to release state information based on
      its internal knowledge of the loss of integrity of the state
      information or an inability to pend (or queue) LDP operations (as
      described in section 5.4.1, "LDP Operations During TCP Failure")
      during a TCP failure.  That is, the peer is not required to wait
      for the duration of the FT Reconnection Timeout before releasing
      state; the timeout provides an upper limit on the persistence of
      state.  However, in the event that a peer releases state before
      the expiration of the Reconnection Timeout, it MUST NOT re-use any
      label that was in use on the session until the Reconnection
      Timeout has expired.




Farrel                      Standards Track                    [Page 18]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   -  When an LSR receives a Status TLV with the E-bit set in the status
      code, which causes it to close the TCP connection, the LSR MUST
      release all state information and resources associated with the
      session.  This behavior is mandated because it is impossible for
      the LSR to predict the precise state and future behavior of the
      partner LSR that set the E-bit without knowledge of the
      implementation of that partner LSR.

      Note that the 'Temporary Shutdown' status code does not have the
      E-bit set, and MAY be used during maintenance or upgrade
      operations to indicate that the LSR intends to preserve state
      across a closure and re-establishment of the TCP session.

   -  If an LSR determines that it must release state for any single FT
      Label during a failure of the TCP connection on which that label
      was exchanged, it MUST release all state for all labels on the LDP
      session.

   The release of state information and resources associated with non-FT
   labels is as described in [RFC3036].

   Note that a Label Release and the acknowledgement to a Label Withdraw
   may be received by a downstream LSR in any order.  The downstream LSR
   MAY release its resources upon receipt of the first message and MUST
   release its resources upon receipt of the second message.

5.4.  FT Procedure After TCP Failure

   When an LSR discovers or is notified of a TCP connection failure it
   SHOULD start an FT Reconnection Timer to allow a period for re-
   connection of the TCP connection between the LDP peers.

   The RECOMMENDED default value for this timer is 5 seconds.  During
   this time, failure must be detected and reported, new hardware may
   need to be activated, software state must be audited, and a new TCP
   session must be set up.

   Once the TCP connection between LDP peers has failed, the active LSR
   SHOULD attempt to re-establish the TCP connection.  The mechanisms,
   timers and retry counts to re-establish the TCP connection are an
   implementation choice.  It is RECOMMENDED that any attempt to re-
   establish the connection should take into account the failover
   processing necessary on the peer LSR, the nature of the network
   between the LDP peers, and the FT Reconnection Timeout chosen on the
   previous instantiation of the TCP connection (if any).






Farrel                      Standards Track                    [Page 19]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   If the TCP connection cannot be re-established within the FT
   Reconnection Timeout period, the LSR detecting this timeout SHOULD
   release all state preserved for the failed LDP session.  If the TCP
   connection is subsequently re-established (for example, after a
   further Hello exchange to set up a new LDP session), the LSR MUST set
   the FT Reconnect Flag to 0 if it released the preserved state
   information on this timeout event.

   If the TCP connection is successfully re-established within the FT
   Reconnection Timeout, both peers MUST re-issue LDP operations that
   were interrupted by (that is, un-acknowledged as a result of) the TCP
   connection failure.  This procedure is described in section 5.5, "FT
   Procedure After TCP Re-connection".

   The Hold Timer for an FT LDP Session (see [RFC3036] section 2.5.5)
   SHOULD be ignored while the FT Reconnection Timer is running.  The
   hold timer SHOULD be restarted when the TCP connection is re-
   established.

5.4.1 FT LDP Operations During TCP Failure

   When the LDP FT enhancements are in use for an LDP session, it is
   possible for an LSR to determine that it needs to send an LDP message
   to an LDP peer, but that the TCP connection to that peer is currently
   down.  These label operations affect the state of FT Labels preserved
   for the failed TCP connection, so it is important that the state
   changes are passed to the LDP peer when the TCP connection is
   restored.

   If an LSR determines that it needs to issue a new FT LDP operation to
   an LDP peer to which the TCP connection is currently failed, it MUST
   pend the operation (e.g. on a queue) and complete that operation with
   the LDP peer when the TCP connection is restored, unless the label
   operation is overridden by a subsequent additional operation during
   the TCP connection failure (see section 5.5, "FT Procedure After TCP
   Re-connection").

   If, during TCP Failure, an LSR determines that it cannot pend an
   operation which it cannot simply fail (for example, a Label Withdraw,
   Release or Abort operation), it MUST NOT attempt to re-establish the
   previous LDP session.  The LSR MUST behave as if the Reconnection
   Timer expired and release all state information with respect to the
   LDP peer.  An LSR may be unable (or unwilling) to pend operations;
   for instance, if a major routing transition occurred while TCP was
   inoperable between LDP peers, it might result in excessively large
   numbers of FT LDP Operations.  An LSR that releases state before the
   expiration of the Reconnection Timeout MUST NOT re-use any label that
   was in use on the session until the Reconnection Timeout has expired.



Farrel                      Standards Track                    [Page 20]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   In ordered operation, received FT LDP operations that cannot be
   correctly forwarded because of a TCP connection failure MAY be
   processed immediately (provided sufficient state is kept to forward
   the label operation) or pended for processing when the onward TCP
   connection is restored and the operation can be correctly forwarded
   upstream or downstream.  Operations on existing FT Labels SHOULD NOT
   be failed during TCP session failure.

   It is RECOMMENDED that Label Request operations for new FT Labels not
   be pended awaiting the re-establishment of TCP connection that is
   awaiting recovery at the time the LSR determines that it needs to
   issue the Label Request message.  Instead, such Label Request
   operations SHOULD be failed and, if necessary, a notification message
   containing the 'No LDP Session' status code sent upstream.

   Label Requests for new non-FT Labels MUST be rejected during TCP
   connection failure, as specified in [RFC3036].

5.5.  FT Procedure After TCP Re-connection

   The FT operation handshaking described above means that all state
   changes for Sequence Numbered FT Labels and Address messages are
   confirmed or reproducible at each LSR.

   If the TCP connection between LDP peers fails but is re-connected
   within the FT Reconnection Timeout, and both LSRs have indicated they
   will be re-establishing the previous LDP session, both LDP peers on
   the connection MUST complete any label operations for Sequence
   Numbered FT Labels that were interrupted by the failure and re-
   connection of the TCP connection.

   The procedures for FT Reconnection Timeout MAY have been invoked as a
   result of either LDP peer being unable (or unwilling) to pend
   operations which occurred during the TCP Failure (as described in
   section 5.4.1, "LDP Operations During TCP Failure").

   If, for any reason, an LSR has been unable to pend operations with
   respect to an LDP peer, as described in section 5.4.1, "LDP
   Operations During TCP Failure", the LSR MUST set the FT Reconnect
   Flag to 0 on re-connection to that LDP peer indicating that no FT
   state has been preserved.

   Label operations are completed using the following procedure.








Farrel                      Standards Track                    [Page 21]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


5.5.1 Re-Issuing FT Messages

   Upon restoration of the TCP connection between LDP peers, any LDP
   messages for Sequence Numbered FT Labels that were lost because of
   the TCP connection failure are re-issued.  The LDP peer that receives
   a re-issued message processes the message as if received for the
   first time.

   "Net-zero" combinations of messages need not be re-issued after re-
   establishment of the TCP connection between LDP peers.  This leads to
   the following rules for re-issuing messages that are not ACKed by the
   LDP peer on the LDP Initialization message exchange after re-
   connection of the TCP session.

   -  A Label Request message MUST be re-issued unless a Label Abort
      would be re-issued for the same Sequence Numbered FT Label.

   -  A Label Mapping message MUST be re-issued unless a Label Withdraw
      message would be re-issued for the same Sequence Numbered FT
      Label.

   -  All other messages on the LDP session that were sent and carried
      the FT Protection TLV MUST be re-issued if an acknowledgement was
      not previously been received.

   Any FT Label operations that were pended (see section 5.4.1, "LDP
   Operations During TCP Failure") during the TCP connection failure
   MUST also be issued upon re-establishment of the LDP session, except
   where they form part of a "net-zero" combination of messages
   according to the above rules.

   The determination of "net-zero" FT Label operations according to the
   above rules MAY be performed on pended messages prior to the re-
   establishment of the TCP connection in order to optimize the use of
   queue resources.  Messages that were sent to the LDP peer before the
   TCP connection failure, or pended messages that were paired with
   them, MUST NOT be subject to such optimization until an FT ACK TLV is
   received from the LDP peer.  This ACK allows the LSR to identify
   which messages were received by the LDP peer prior to the TCP
   connection failure.

6. Check-Pointing Procedures

   Check-Pointing can be selected independently from the FT procedures
   described above by using the C bit in the FT Session TLV on the
   Session Initialization message.  Note, however, that check-pointing
   is an integral part of the FT procedures.  Setting the S and the C
   bit will achieve the same function as setting just the S bit.



Farrel                      Standards Track                    [Page 22]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   If the C bit is set, but the S bit is not set, no label is a Sequence
   Numbered FT Label.  Instead, all labels are Check-Pointable FT
   Labels.  Check-Pointing is used to synchronize all label exchanges.
   No message, apart from the check-point request and acknowledgement,
   carries an active sequence number.  (Note that the Session
   Initialization message may carry a sequence number to confirm that
   the check-point is still in place).

   It is an implementation matter to decide the ordering of received
   messages and check-point requests to ensure that check-point
   acknowledgements are secured.

   If the S and C bits are both set, or only the S bit is set, check-
   pointing applies only to Sequence Numbered FT Labels and to address
   messages.

   The set of all messages check-pointed in this way is called the
   Check-Pointable Messages.

6.1 Check-Pointing with the Keepalive Message

   If an LSR receives a FT Protection TLV on a Keepalive message, this
   is a request to flush the acknowledgements for all previously
   received Check-Pointable Messages on the session.

   As soon as the LSR has completed securing the Check-Pointable
   Messages (or state changes consequent on those messages) received
   before the Keepalive, it MUST send an acknowledgement to the sequence
   number of the Keepalive message.

   In the case where the FT procedures are in use and acknowledgements
   have been stored up, this may occur immediately upon receipt of the
   Keepalive.

   An example message flow showing this use of the Keepalive message to
   perform a periodic check-point of state is shown in section 9.2, "Use
   of Check-Pointing With FT Procedures".

   An example message flow showing the use of check-pointing without the
   FT procedures is shown in section 9.5, "Check-Pointing Without FT
   Procedures".

6.2 Quiesce and Keepalive

   If the Keepalive Message also contains the FT Cork TLV, this
   indicates that the peer LSR wishes to quiesce the session prior to a
   graceful restart.




Farrel                      Standards Track                    [Page 23]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   It is RECOMMENDED that upon receiving a Keepalive with the FT CORK
   TLV, an LSR should cease to send any further label or address related
   messages on the session until it has been disconnected and
   reconnected, other than messages generated while processing and
   securing previously unacknowledged messages received from the peer
   requesting the quiesce.  It should also attempt to complete this
   processing and return a Keepalive with the FT ACK TLV as soon as
   possible in order to allow the session to be quiesced.

   An example message flow showing this use of the FT Cork TLV to
   achieve a three-way handshake of state synchronization between two
   LDP peers is given in section 9.4, "Temporary Shutdown With FT
   Procedures and Check-Pointing".

7. Changes to Existing Messages

7.1.  LDP Initialization Message

   The LDP FT enhancements add the following optional parameters to a
   LDP Initialization message:

      Optional Parameter    Length     Value

      FT Session TLV        4          See Below
      FT ACK TLV            4          See Below

   The encoding for these TLVs is found in Section 8, "New Fields and
   Values".

   FT Session TLV
      If present, specifies the FT behavior of the LDP session.

   FT ACK TLV
      If present, specifies the last FT message that the sending LDP
      peer was able to secure prior to the failure of the previous
      instantiation of the LDP session.  This TLV is only present if the
      FT Reconnect flag is set in the FT Session TLV, in which case this
      TLV MUST be present.













Farrel                      Standards Track                    [Page 24]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


7.2.  LDP Keepalive Messages

   The LDP FT enhancements add the following optional parameters to a
   LDP Keepalive message:

      Optional Parameter     Length     Value

      FT Protection TLV      4          See below
      FT Cork TLV            0          See below
      FT ACK TLV             4          See below

   The encoding for these TLVs is found in Section 8, "New Fields and
   Values".

   FT Protection TLV
      If present, specifies the FT Sequence Number for the LDP message.
      When present on a Keepalive message, this indicates a solicited
      flush of the acknowledgements to all previous LDP messages
      containing sequence numbers and issued by the sender of the
      Keepalive on the same session.

   FT Cork TLV
      Indicates that the remote LSR wishes to quiesce the LDP session.
      See section 5, "FT Operations", for the recommended action in such
      cases.

   FT ACK TLV
      If present, specifies the most recent FT message that the sending
      LDP peer has been able to secure.

7.3.  All Other LDP Session Messages

   The LDP FT enhancements add the following optional parameters to all
   other message types that flow on an LDP session after the LDP
   Initialization message

      Optional Parameter    Length     Value

      FT Protection TLV      4          See below
      FT ACK TLV             4          See below

   The encoding for these TLVs is found in section 8, "New Fields and
   Values".

   FT Protection TLV
      If present, specifies the FT Sequence Number for the LDP message.





Farrel                      Standards Track                    [Page 25]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   FT ACK TLV
      If present, identifies the most recent FT LDP message ACKed by the
      sending LDP peer.

8. New Fields and Values

8.1.  Status Codes

   The following new status codes are defined to indicate various
   conditions specific to the LDP FT enhancements.  These status codes
   are carried in the Status TLV of a Notification message.

   The "E" column is the required setting of the Status Code E-bit; the
   "Status Data" column is the value of the 30-bit Status Data field in
   the Status Code TLV.

   Note that the setting of the Status Code F-bit is at the discretion
   of the LSR originating the Status TLV.  However, it is RECOMMENDED
   that the F-bit is not set on Notification messages containing status
   codes except 'No LDP Session' because the duplication of messages
   SHOULD be restricted to being a per-hop behavior.

   Status Code                 E   Status Data

   No LDP Session              0   0x0000001A
   Zero FT seqnum              1   0x0000001B
   Unexpected TLV /            1   0x0000001C
      Session Not FT
   Unexpected TLV /            1   0x0000001D
      Label Not FT
   Missing FT Protection TLV   1   0x0000001E
   FT ACK sequence error       1   0x0000001F
   Temporary Shutdown          0   0x00000020

   FT Seq Numbers Exhausted    1   0x00000021
   FT Session parameters /     1   0x00000022
      changed
   Unexpected FT Cork TLV      1   0x00000023

   The 'Temporary Shutdown' status code SHOULD be used in place of the
   'Shutdown' status code (which has the E-bit set) if the LSR that is
   shutting down wishes to inform its LDP peer that it expects to be
   able to preserve FT Label state and return to service before the FT
   Reconnection Timer expires.







Farrel                      Standards Track                    [Page 26]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


8.2.  FT Session TLV

   LDP peers can negotiate whether the LDP session between them supports
   FT extensions by using a new OPTIONAL parameter, the FT Session TLV,
   on LDP Initialization Messages.

   The FT Session TLV is encoded as follows.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |1|0| FT Session TLV (0x0503)   |      Length (= 12)            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     FT Flags                  |      Reserved                 |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                FT Reconnect Timeout (in milliseconds)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                Recovery Time (in milliseconds)                |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   FT Flags
      FT Flags: A 16 bit field that indicates various attributes the FT
      support on this LDP session.  This field is formatted as follows:

      0                   1
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |R|         Reserved    |S|A|C|L|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   R: FT Reconnect Flag.
      Set to 1 if the sending LSR has preserved state and resources for
      all FT-labels since the previous LDP session between the same LDP
      peers, and is otherwise set to 0.  See section 5.4, "FT Procedures
      After TCP Failure", for details of how this flag is used.

      If the FT Reconnect Flag is set, the sending LSR MUST include an
      FT ACK TLV on the LDP Initialization message.

   S: Save State Flag.
      Set to 1 if the use of the FT Protection TLV is supported on
      messages other than the KeepAlive message used for check-pointing
      (see the C bit).  I.e., the S bit indicates that some label on the
      session may be a Sequence Numbered FT Label.

   A: All-Label Protection Required
      Set to 1 if all labels on the session MUST be treated as Sequence
      Numbered FT Labels.  This removes from a node the option of



Farrel                      Standards Track                    [Page 27]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


      treating some labels as FT Labels and some labels as non-FT
      Labels.

      Passing this information may be considered helpful to a peer since
      it may allow it to make optimizations in its processing.

      The A bit only has meaning if the S bit is set.

   C: Check-Pointing Flag.
      Set to 1 to indicate that the check-Pointing procedures in this
      document are in use.

      If the S bit is also set to 1 then the C bit indicates that
      check-pointing is applied only to Sequence Numbered FT Labels.

      If the S bit is set to 0 (zero) then the C bit indicates that
      check-pointing applies to all labels - all labels are Check-
      Pointable FT Labels.

   L: Learn From Network Flag.
      Set to 1 if the Fault Recovery procedures of [RFC3478] are to be
      used to re-learn state from the network.

      It is not valid for all of the S, C and L bits to be zero.

      It is not valid for both the L and either the S or C bits to be
      set to 1.

      All other bits in this field are currently reserved and SHOULD be
      set to zero on transmission and ignored upon receipt.

      The following table summarizes the settings of these bits.

      S   A   C   L    Comments
      =========================
      0   x   0   0    Invalid
      0   0   0   1    See [RFC3478]
      0   1   0   1    Invalid
      0   x   1   0    Check-Pointing of all labels
      0   x   1   1    Invalid
      1   0   0   0    Full FT on selected labels
      1   1   0   0    Full FT on all labels
      1   x   0   1    Invalid
      1   x   1   0    Same as (S=1,A=x,C=0,L=0)
      1   x   1   1    Invalid.






Farrel                      Standards Track                    [Page 28]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   FT Reconnection Timeout
      If the S bit or C bit in the FT Flags field is set, this indicates
      the period of time the sending LSR will preserve state and
      resources for FT Labels exchanged on the previous instantiation of
      an FT LDP session that has recently failed.  The timeout is
      encoded as a 32-bit unsigned integer number of milliseconds.

      A value of zero in this field means that the sending LSR will
      preserve state and resources indefinitely.

      See section 4.4 for details of how this field is used.

      If the L bit is set to 1 in the FT Flags field, the meaning of
      this field is defined in [RFC3478].

   Recovery Time
      The Recovery Time only has meaning if the L bit is set in the FT
      Flags.  The meaning is defined in [RFC3478].

8.3.  FT Protection TLV

   LDP peers use the FT Protection TLV to indicate that an LDP message
   contains an FT label operation.

   The FT Protection TLV MUST NOT be used in messages flowing on an LDP
   session that does not support the LDP FT enhancements.  Its presence
   in such messages SHALL be treated as a protocol error by the
   receiving LDP peer which SHOULD send a Notification message with the
   'Unexpected TLV Session Not FT' status code.  LSRs that do not
   recognize this TLV SHOULD respond with a Notification message with
   the 'Unknown TLV' status code.

   The FT Protection TLV MAY be carried on an LDP message transported on
   the LDP session after the initial exchange of LDP Initialization
   messages.  In particular, this TLV MAY optionally be present on the
   following messages:

   -  Label Request Messages in downstream on-demand distribution mode.

   -  Label Mapping messages in downstream unsolicited mode.

   -  Keepalive messages used to request flushing of acknowledgement of
      all previous messages that contained this TLV.








Farrel                      Standards Track                    [Page 29]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   If a label is to be a Sequence Numbered FT Label, then the Protection
   TLV MUST be present:

   -  on the Label Request message in downstream on-demand distribution
      mode.

   -  on the Label Mapping message in in downstream unsolicited
      distribution mode.

   -  on all subsequent messages concerning this label.

   Here 'subsequent messages concerning this label' means any message
   whose Label TLV specifies this label or whose Label Request Message
   ID TLV specifies the initial Label Request message.

   If a label is not to be a Sequence Numbered FT Label, then the
   Protection TLV MUST NOT be present on any of these messages that
   relate to the label.  The presence of the FT TLV on a message
   relating to a non-FT Label SHALL be treated as a protocol error by
   the receiving LDP peer which SHOULD send a notification message with
   the 'Unexpected TLV Label Not FT' status code.

   Where a Label Withdraw or Label Release message contains only an FEC
   TLV and does not identify a single specific label, the FT TLV should
   be included in the message if any label affected by the message is a
   Sequence Numbered FT Label.  If there is any doubt as to whether an
   FT TLV should be present, it is RECOMMENDED that the sender add the
   TLV.

   When an LDP peer receives a Label Withdraw Message or Label Release
   message that contains only a FEC, it SHALL accept the FT TLV if it is
   present regardless of the FT status of the labels that it affects.

   If an LDP session is an FT session as determined by the presence of
   the FT Session TLV, with the S bit set on the LDP Initialization
   messages, the FT Protection TLV MUST be present on all Address
   messages on the session.

   If the session is an FT session, the FT Protection TLV may also
   optionally be present:

   -  on Notification messages on the session that have the status code
      'Label Resources Available'.

   -  on Keepalive messages.






Farrel                      Standards Track                    [Page 30]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   The FT Protection TLV is encoded as follows.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0|0| FT Protection (0x0203)    |      Length (= 4)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      FT Sequence Number                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   FT Sequence Number
      The sequence number for this Sequence Numbered FT Label operation.
      The sequence number is encoded as a 32-bit unsigned integer.  The
      initial value for this field on a new LDP session is 0x00000001
      and is incremented by one for each FT LDP message issued by the
      sending LSR on this LDP session.  This field may wrap from
      0xFFFFFFFF to 0x00000001.

      This field MUST be reset to 0x00000001 if either LDP peer does not
      set the FT Reconnect Flag upon re-establishment of the TCP
      connection.

      See section 5.2, "FT Operation Acks" for details of how this field
      is used.

      The special use of 0x00000000 is discussed in the section 8.4, "FT
      ACK TLV" below.

   If an LSR receives an FT Protection TLV on a session that does not
   support the FT LDP enhancements, it SHOULD send a Notification
   message to its LDP peer containing the 'Unexpected TLV, Session Not
   FT' status code.  LSRs that do not recognize this TLV SHOULD respond
   with a Notification message with the 'Unknown TLV' status code.

   If an LSR receives an FT Protection TLV on an operation affecting a
   label that it believes is a non-FT Label, it SHOULD send a
   Notification message to its LDP peer containing the 'Unexpected TLV,
   Label Not FT' status code.

   If an LSR receives a message without the FT Protection TLV affecting
   a label that it believes is a Sequence Numbered FT Label, it SHOULD
   send a Notification message to its LDP peer containing the 'Missing
   FT Protection TLV' status code.

   If an LSR receives an FT Protection TLV containing a zero FT Sequence
   Number, it SHOULD send a Notification message to its LDP peer
   containing the 'Zero FT Seqnum' status code.




Farrel                      Standards Track                    [Page 31]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


8.4.  FT ACK TLV

   LDP peers use the FT ACK TLV to acknowledge FT Label operations.

   The FT ACK TLV MUST NOT be used in messages flowing on an LDP session
   that does not support the LDP FT enhancements.  Its presence on such
   messages SHALL be treated as a protocol error by the receiving LDP
   peer.

   The FT ACK TLV MAY be present on any LDP message exchanged on an LDP
   session after the initial LDP Initialization messages.  It is
   RECOMMENDED that the FT ACK TLV be included in all FT Keepalive
   messages in order to ensure that the LDP peers do not build up a
   large backlog of unacknowledged state information.

   The FT ACK TLV is encoded as follows.

    0                   1                   2                  3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0|0|   FT ACK (0x0504)         |      Length (= 4)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      FT ACK Sequence Number                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   FT ACK Sequence Number
      The sequence number for the most recent FT label message that the
      sending LDP peer has received from the receiving LDP peer and
      secured against failure of the LDP session.  It is not necessary
      for the sending peer to have fully processed the message before
      ACKing it.  For example, an LSR MAY ACK a Label Request message as
      soon as it has securely recorded the message, without waiting
      until it can send the Label Mapping message in response.

      ACKs are cumulative.  Receipt of an LDP message containing an FT
      ACK TLV with an FT ACK Sequence Number of 12 is treated as the
      acknowledgement of all messages from 1 to 12 inclusive (assuming
      the LDP session started with a sequence number of 1).

      This field MUST be set to 0 if the LSR sending the FT ACK TLV has
      not received any FT label operations on this LDP session.  This
      applies to LDP sessions, to new LDP peers or after an LSR
      determines that it must drop all state for a failed TCP
      connection.

      See section 5.2, "FT Operation Acks" for details of how this field
      is used.




Farrel                      Standards Track                    [Page 32]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   If an LSR receives an FT ACK TLV that contains an FT ACK Sequence
   Number that is less than the previously received FT ACK Sequence
   Number (remembering to take account of wrapping), it SHOULD send a
   Notification message to its LDP peer containing the 'FT ACK Sequence
   Error' status code.

8.5.  FT Cork TLV

   LDP peers use the FT Cork TLV on FT Keepalive messages to indicate
   that they wish to quiesce the LDP session prior to a controlled
   shutdown and restart, for example during control-plane software
   upgrade.

   The FT Cork TLV is encoded as follows.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0|0|   FT Cork (0x0505)        |      Length (= 0)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Upon receipt of a Keepalive message with the FT Cork TLV and the FT
   Protection TLV, an LSR SHOULD perform the following actions:

   -  Process and secure any messages from the peer LSR that have
      sequence numbers less than (accounting for wrap) that contained in
      the FT Protection TLV on the Keepalive message.

   -  Send a Keepalive message back to the peer containing the FT Cork
      TLV and the FT ACK TLV specifying the FT ACK sequence number
      equal to that in the original Keepalive message (i.e. ACKing all
      messages up to that point).

   -  If this LSR has not yet received an FT ACK to all the messages it
      has sent containing the FT Protection TLV, then also include an FT
      Protection TLV on the Keepalive sent to the peer LSR.  This tells
      the remote peer that the local LSR has saved state prior to
      quiesce but is still awaiting confirmation that the remote peer
      has saved state.

   -  Cease sending any further state changing messages on this LDP
      session until it has been disconnected and recovered.

   On receipt of a Keepalive message with the FT Cork TLV and an FT ACK
   TLV that acknowledges the previously sent Keepalive that carried the
   FT Cork TLV, an LSR knows that quiesce is complete.  If the received
   Keepalive also carries the FT Protection TLV, the LSR must respond
   with a further Keepalive to complete the 3-way handshake.  It SHOULD



Farrel                      Standards Track                    [Page 33]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   now send a "Temporary Shutdown" Notification message, disconnect the
   TCP session and perform whatever control plane actions required this
   session shutdown.

   An example of such a 3-way handshake for controlled shutdown is given
   in section section 9.4, "Temporary Shutdown With FT Procedures and
   Check-Pointing".

   If an LSR receives a message that should not carry the FT Cork TLV,
   or if the FT Cork TLV is used on a Keepalive message without one of
   the FT Protection or FT ACK TLVs present, it SHOULD send a
   Notification message to its LDP peer containing the 'Unexpected FT
   Cork TLV' status code.

9. Example Use

   Consider two LDP peers, P1 and P2, implementing LDP over a TCP
   connection that connects them, and the message flow shown below.

   The parameters shown on each message below are as follows:

      message (label, senders FT sequence number, FT ACK number)

      A "-" for FT ACK number means that the FT ACK TLV is not included
      on that message.  "n/a" means that the parameter in question is
      not applicable to that type of message.

   In the diagrams below, time flows from top to bottom.  The relative
   position of each message shows when it is transmitted.  See the notes
   for a description of when each message is received, secured for FT or
   processed.

9.1.  Session Failure and Recovery - FT Procedures

   notes         P1                         P2
   =====         ==                         ==
   (1)           Label Request(L1,27,-)
                 --------------------------->
                 Label Request(L2,28,-)
                 --------------------------->
   (2)                Label Request(L3,93,27)
                 <---------------------------
   (3)                                      Label Request(L1,123,-)
                                            -------------------------->
                                            Label Request(L2,124,-)
                                            -------------------------->





Farrel                      Standards Track                    [Page 34]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   (4)                                           Label Mapping(L1,57,-)
                                            <--------------------------
                      Label Mapping(L1,94,28)
                 <---------------------------
   (5)                                           Label Mapping(L2,58,-)
                                            <--------------------------
                       Label Mapping(L2,95,-)
                 <---------------------------
   (6)           Address(n/a,29,-)
                 --------------------------->
   (7)           Label Request(L4,30,-)
                 --------------------------->
   (8)           Keepalive(n/a,-,94)
                 --------------------------->
   (9)                   Label Abort(L3,96,-)
                 <---------------------------
   (10)          ===== TCP Session lost =====
                   :
   (11)            :                            Label Withdraw(L1,59,-)
                   :                        <--------------------------
                   :
   (12)          === TCP Session restored ===

                 LDP Init(n/a,n/a,94)
                 --------------------------->
                         LDP Init(n/a,n/a,29)
                 <---------------------------
   (13)          Label Request(L4,30,-)
                 --------------------------->
   (14)                Label Mapping(L2,95,-)
                 <---------------------------
                        Label Abort(L3,96,30)
                 <---------------------------
   (15)               Label Withdraw(L1,97,-)
                 <---------------------------

   Notes:
   ======

   (1)  Assume that the LDP session has already been initialized.  P1
        issues 2 new Label Requests using the next sequence numbers.

   (2)  P2 issues a Label Request to P1.  At the time of sending this
        request, P2 has secured the receipt of the label request for L1
        from P1, so it includes an ACK for that message.






Farrel                      Standards Track                    [Page 35]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   (3)  P2 processes the Label Requests for L1 and L2 and forwards them
        downstream.  Details of downstream processing are not shown in
        the diagram above.

   (4)  P2 receives a Label Mapping from downstream for L1, which it
        forwards to P1.  It includes an ACK to the Label Request for L2,
        as that message has now been secured and processed.

   (5)  P2 receives the Label Mapping for L2, which it forwards to P1.
        This time it does not include an ACK as it has not received any
        further messages from P1.

   (6)  Meanwhile, P1 sends a new Address Message to P2.

   (7)  P1 also sends a fourth Label Request to P2

   (8)  P1 sends a Keepalive message to P2, on which it includes an ACK
        for the Label Mapping for L1, which is the latest message P1 has
        received and secured at the time the Keepalive is sent.

   (9)  P2 issues a Label Abort for L3.

   (10) At this point, the TCP session goes down.

   (11) While the TCP session is down, P2 receives a Label Withdraw
        Message for L1, which it queues.

   (12) The TCP session is reconnected and P1 and P2 exchange LDP
        Initialization messages on the recovered session, which include
        ACKS for the last message each peer received and secured prior
        to the failure.

   (13) From the LDP Init exchange, P1 determines that it needs to re-
        issue the Label request for L4.

   (14) Similarly, P2 determines that it needs to re-issue the Label
        Mapping for L2 and the Label Abort.

   (15) P2 issues the queued Label Withdraw to P1.












Farrel                      Standards Track                    [Page 36]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


9.2.  Use of Check-Pointing With FT Procedures

   notes         P1                         P2
   =====         ==                         ==
   (1)           Label Request(L1,27,-)
                 --------------------------->
                 Label Request(L2,28,-)
                 --------------------------->
   (2)                Label Request(L3,93,-)
                 <---------------------------
   (3)                                      Label Request(L1,123,-)
                                            -------------------------->
                                            Label Request(L2,124,-)
                                            -------------------------->
   (4)                                           Label Mapping(L1,57,-)
                                            <--------------------------
                      Label Mapping(L1,94,-)
                 <---------------------------
   (5)                                           Label Mapping(L2,58,-)
                                            <--------------------------
                       Label Mapping(L2,95,-)
                 <---------------------------
   (6)           Address(n/a,29,-)
                 --------------------------->
   (7)           Label Request(L4,30,-)
                 --------------------------->
   (8)           Keepalive(n/a,31,-)
                 --------------------------->
   (9)                   Keepalive(n/a,-,31)
                 <---------------------------
   (10)                                          Keepalive(n/a,59,124)
                                            <---------------------------
   (11)                                     Keepalive(n/a,-,59)
                                            --------------------------->
   Notes:
   ======

   Notes (1) through (7) are as in the previous example except note that
   no acknowledgements are piggy-backed on reverse direction messages.
   This means that at note (8) there are deferred acknowledgements in
   both directions on both links.

   (8)  P1 wishes to synchronize state with P2.  It sends a Keepalive
        message containing an FT Protection TLV with sequence number 31.
        Since it is not interested in P2's perception of the state that
        it has stored, it does not include an FT ACK TLV.





Farrel                      Standards Track                    [Page 37]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   (9)  P2 responds at once with a Keepalive acknowledging the sequence
        number on the received Keepalive.  This tells P1 that P2 has
        preserved all state/messages previously received on this
        session.

   (10) The downstream node wishes to synchronize state with P2.  It
        sends a Keepalive message containing an FT Protection TLV with
        sequence number 59.  P3 also takes this opportunity to get up to
        date with its acknowledgements to P2 by including an FT ACK TLV
        acknowledging up to sequence number 124.

   (11) P2 responds at once with a Keepalive acknowledging the sequence
        number on the received Keepalive.

9.3.  Temporary Shutdown With FT Procedures

   notes         P1                         P2
   =====         ==                         ==
   (1)           Label Request(L1,27,-)
                 --------------------------->
                 Label Request(L2,28,-)
                 --------------------------->
   (2)                Label Request(L3,93,27)
                 <---------------------------
   (3)                                      Label Request(L1,123,-)
                                            -------------------------->
                                            Label Request(L2,124,-)
                                            -------------------------->
   (4)                                           Label Mapping(L1,57,-)
                                            <--------------------------
                      Label Mapping(L1,94,28)
                 <---------------------------
   (5)                                           Label Mapping(L2,58,-)
                                            <--------------------------
                       Label Mapping(L2,95,-)
                 <---------------------------
   (6)           Address(n/a,29,-)
                 --------------------------->
   (7)           Label Request(L4,30,-)
                 --------------------------->
   (8)           Keepalive(n/a,-,94)
                 --------------------------->
   (9)                   Label Abort(L3,96,-)
                 <---------------------------







Farrel                      Standards Track                    [Page 38]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   (10)          Notification(Temporary shutdown)
                 --------------------------->
                 ===== TCP Session shutdown =====
                   :
   (11)            :                            Label Withdraw(L1,59,-)
                   :                        <--------------------------
                   :
                 ===== TCP Session restored =====
   (12)          LDP Init(n/a,n/a,94)
                 --------------------------->
                         LDP Init(n/a,n/a,29)
                 <---------------------------
   (13)          Label Request(L4,30,-)
                 --------------------------->
   (14)                Label Mapping(L2,95,-)
                 <---------------------------
                        Label Abort(L3,96,30)
                 <---------------------------
   (15)               Label Withdraw(L1,97,-)
                 <---------------------------

   Notes:
   ======

   Notes are as in the previous example except as follows.

   (10) P1 needs to upgrade the software or hardware that it is running.
        It issues a Notification message to terminate the LDP session,
        but sets the status code as 'Temporary shutdown' to inform P2
        that this is not a fatal error, and P2 should maintain FT state.
        The TCP connection may also fail during the period that the LDP
        session is down (in which case it will need to be re-
        established), but it is also possible that the TCP connection
        will be preserved.

















Farrel                      Standards Track                    [Page 39]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


9.4.  Temporary Shutdown With FT Procedures and Check-Pointing

   notes         P1                         P2
   =====         ==                         ==
   (1)           Label Request(L1,27,-)
                 --------------------------->
                 Label Request(L2,28,-)
                 --------------------------->
   (2)                Label Request(L3,93,-)
                 <---------------------------
                                            Label Request(L1,123,-)
                                            -------------------------->
                                            Label Request(L2,124,-)
                                            -------------------------->
                                                 Label Mapping(L1,57,-)
                                            <--------------------------
   (3)                 Label Mapping(L1,94,-)
                 <---------------------------
                                                 Label Mapping(L2,58,-)
                                            <--------------------------
                       Label Mapping(L2,95,-)
                 <---------------------------
   (4)           Address(n/a,29,-)
                 --------------------------->
   (5)           Label Request(L4,30,-)
                 --------------------------->
   (6)           Keepalive(n/a,31,95) * with FT Cork TLV *
                 --------------------------->
   (7)                   Label Abort(L3,96,-)
                 <---------------------------
   (8)                    Keepalive(n/a,97,31) * with FT Cork TLV *
                 <---------------------------
   (9)           Keepalive(n/a,-,97) * with FT Cork TLV *
                 --------------------------->
   (10)          Notification(Temporary shutdown)
                 --------------------------->
                 ===== TCP Session shutdown =====
                   :
                   :                            Label Withdraw(L1,59,-)
                   :                        <--------------------------
                   :
                 ===== TCP Session restored =====
   (11)          LDP Init(n/a,n/a,96)
                 --------------------------->
                         LDP Init(n/a,n/a,31)
                 <---------------------------
                      Label Withdraw(L1,97,-)
                 <---------------------------



Farrel                      Standards Track                    [Page 40]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   Notes:
   ======

   This example operates much as the previous one.  However, at (1),
   (2), (3), (4) and (5), no acknowledgements are made.

   At (6), P1 determines that graceful shutdown is required and sends a
   Keepalive acknowledging all previously received messages and itself
   containing an FT Protection TLV number and the FT Cork TLV.

   The Label abort at (7) crosses with this Keepalive, so at (8) P2
   sends a Keepalive that acknowledges all messages received so far, but
   also includes the FT Protection and FT Cork TLVs to indicate that
   there are still messages outstanding to be acknowledged.

   P1 is then able to complete the 3-way handshake at (9) and close the
   TCP session at (10).

   Upon recovery at (11), there are no messages to be re-sent because
   the KeepAlives flushed the acknowledgements.  The only messages sent
   after recovery is the Label Withdraw that was pended during the TCP
   session failure.





























Farrel                      Standards Track                    [Page 41]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


9.5.  Check-Pointing Without FT Procedures

   notes         P1                         P2
   =====         ==                         ==
   (1)           Label Request(L1)
                 --------------------------->
   (2)                Label Request(L2)
                 <---------------------------
                                            Label Request(L1)
                                            -------------------------->
                                                 Label Mapping(L1)
                                            <--------------------------
   (3)                 Label Mapping(L1)
                 <---------------------------
   (4)           Keepalive(n/a,12,-)
                 --------------------------->
   (5)           Label Request(L3)
                 --------------------------->
   (6)                    Keepalive(n/a,-,12)
                 <---------------------------
                                            Label Request(L3)
                                            -------------------------->
                                                 Label Mapping(L3)
                                            <--------------------------
   (7)                 Label Mapping(L3)
                 <---------------------------
                 ===== TCP Session failure =====
                   :
                   :
                   :
                 ===== TCP Session restored =====
   (8)          LDP Init(n/a,n/a,23)
                 --------------------------->
                         LDP Init(n/a,n/a,12)
                 <---------------------------
   (9)           Label Request(L3)
                 --------------------------->
                                            Label Request(L3)
                                            -------------------------->
                                                 Label Mapping(L3)
                                            <--------------------------
   (10)                Label Mapping(L3)
                 <---------------------------
   (11)                Label Request(L2)
                 <---------------------------






Farrel                      Standards Track                    [Page 42]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   Notes:
   ======

   (1), (2) and (3) show label distribution without FT sequence numbers.

   (4)  A check-Point request from P1.  It carries the sequence number
        of the check-point request.

   (5)  P1 immediately starts a new label distribution request.

   (6)  P2 confirms that it has secured all previous transactions.

   (7)  The subsequent (un-acknowledged) label distribution completes.

   (8)  The session fails and is restarted.  Initialization messages
        confirm the sequence numbers of the secured check-points.

   (9)  P1 recommences the unacknowledged label distribution request.

   (10) P2 recommences an unacknowledged label distribution request.































Farrel                      Standards Track                    [Page 43]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


9.6.  Graceful Shutdown With Check-Pointing But No FT Procedures

   notes         P1                         P2
   =====         ==                         ==
   (1)           Label Request(L1)
                 --------------------------->
   (2)                Label Request(L2)
                 <---------------------------
                                            Label Request(L1)
                                            -------------------------->
                                                 Label Mapping(L1)
                                            <--------------------------
   (3)                 Label Mapping(L1)
                 <---------------------------
   (4)           Keepalive(n/a,12,23) * With Cork TLV *
                 --------------------------->
   (5)             :
                   :
                   :
   (6)                    Keepalive(n/a,24,12) * With Cork TLV *
                 <---------------------------
   (7)           Keepalive(n/a,-,24) * With Cork TLV *
                 --------------------------->
   (8)           Notification(Temporary shutdown)
                 --------------------------->
                 ===== TCP Session failure =====
                   :
                   :
                   :
                 ===== TCP Session restored =====
   (9)          LDP Init(n/a,n/a,24)
                 --------------------------->
                         LDP Init(n/a,n/a,12)
                 <---------------------------
   (10)          Label Request(L3)
                 --------------------------->
                                            Label Request(L3)
                                            -------------------------->
                                                 Label Mapping(L3)
                                            <--------------------------
   (11)                Label Mapping(L3)
                 <---------------------------
   (12)                Label Mapping(L2)
                 --------------------------->







Farrel                      Standards Track                    [Page 44]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   Notes:
   ======

   (1), (2) and (3) show label distribution without FT sequence numbers.

   (4)  A check-point request from P1.  It carries the sequence number
        of the check-point request and a Cork TLV.

   (5)  P1 has sent a Cork TLV so quieces.

   (6)  P2 confirms the check-point and continues the three-way
        handshake by including a Cork TLV itself.

   (7)  P1 completes the three-way handshake.  All operations have now
        been check-pointed and the session is quiesced.

   (8)  The session is gracefully shut down.

   (9)  The session recovers and the peers exchange the sequence numbers
        of the last secured check-points.

   (10) P1 starts a new label distribution request.

   (11) P1 continues processing a previously received label distribution
        request.

10.   Security Considerations

   The LDP FT enhancements inherit similar security considerations to
   those discussed in [RFC3036].

   The LDP FT enhancements allow the re-establishment of a TCP
   connection between LDP peers without a full re-exchange of the
   attributes of established labels, which renders LSRs that implement
   the extensions specified in this document vulnerable to additional
   denial-of-service attacks as follows:

   -  An intruder may impersonate an LDP peer in order to force a
      failure and reconnection of the TCP connection, but where the
      intruder does not set the FT Reconnect Flag upon re-connection.
      This forces all FT labels to be released.

   -  Similarly, an intruder could set the FT Reconnect Flag on re-
      establishment of the TCP session without preserving the state and
      resources for FT labels.






Farrel                      Standards Track                    [Page 45]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   -  An intruder could intercept the traffic between LDP peers and
      override the setting of the FT Label Flag to be set to 0 for all
      labels.

   All of these attacks may be countered by use of an authentication
   scheme between LDP peers, such as the MD5-based scheme outlined in
   [RFC3036].

   Alternative authentication schemes for LDP peers are outside the
   scope of this document, but could be deployed to provide enhanced
   security to implementations of LDP and the LDP FT enhancements.

   As with LDP, a security issue may exist if an LDP implementation
   continues to use labels after expiration of the session that first
   caused them to be used.  This may arise if the upstream LSR detects
   the session failure after the downstream LSR has released and re-used
   the label.  The problem is most obvious with the platform-wide label
   space and could result in mis-forwarding of data to other than
   intended destinations and it is conceivable that these behaviors may
   be deliberately exploited to either obtain services without
   authorization or to deny services to others.

   In this document, the validity of the session may be extended by the
   FT Reconnection Timeout, and the session may be re-established in
   this period.  After the expiry of the Reconnection Timeout, the
   session must be considered to have failed and the same security issue
   applies as described above.

   However, the downstream LSR may declare the session as failed before
   the expiration of its Reconnection Timeout.  This increases the
   period during which the downstream LSR might reallocate the label
   while the upstream LSR continues to transmit data using the old usage
   of the label.  To reduce this issue, this document requires that
   labels not be re-used until the Reconnection Timeout has expired.

   A further issue might apply if labels were re-used prior to the
   expiration of the FT Reconnection Timeout, but this is forbidden by
   this document.

   The issue of re-use of labels extends to labels managed through other
   mechanisms including direct configuration through management
   applications and distribution through other label distribution
   protocols.  Avoiding this problem may be construed as an
   implementation issue (see below), but failure to acknowledge it could
   result in the mis-forwarding of data between LSPs established using
   some other mechanism and those recovered using the methods described
   in this document.




Farrel                      Standards Track                    [Page 46]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


11.   Implementation Notes

11.1. FT Recovery Support on Non-FT LSRs

   In order to take full advantage of the FT capabilities of LSRs in the
   network, it may be that an LSR that does not itself contain the
   ability to recover from local hardware or software faults still needs
   to support the LDP FT enhancements described in this document.

   Consider an LSR, P1, that is an LDP peer of a fully Fault Tolerant
   LSR, P2.  If P2 experiences a fault in the hardware or software that
   serves an LDP session between P1 and P2, it may fail the TCP
   connection between the peers.  When the connection is recovered, the
   LSPs/labels between P1 and P2 can only be recovered if both LSRs were
   applying the FT recovery procedures to the LDP session.

11.2. ACK generation logic

   FT ACKs SHOULD be returned to the sending LSR as soon as is
   practicable in order to avoid building up a large quantity of
   unacknowledged state changes at the LSR.  However, immediate one-
   for-one acknowledgements would waste bandwidth unnecessarily.

   A possible implementation strategy for sending ACKs to FT LDP
   messages is as follows:

   -  An LSR secures received messages in order and tracks the sequence
      number of the most recently secured message, Sr.

   -  On each LDP KeepAlive that the LSR sends, it attaches an FT ACK
      TLV listing Sr.

   -  Optionally, the LSR may attach an FT ACK TLV to any other LDP
      message sent between Keepalive messages if, for example, Sr has
      increased by more than a threshold value since the last ACK sent.

   This implementation combines the bandwidth benefits of accumulating
   ACKs while still providing timely ACKs.

11.2.1 Ack Generation Logic When Using Check-Pointing

   If check-pointing is in use, the LSRs need not be concerned with
   sending ACKs in such a timely manner.

   Check-points are solicitations for acknowledgements conveyed as a
   sequence number in an FT Protection TLV on a Keepalive message.  Such
   check-point requests could be issued on a timer, after a significant
   amount of change, or before controlled shutdown of a session.



Farrel                      Standards Track                    [Page 47]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   The use of check-pointing may considerably simplify an implementation
   since it does not need to track the sequence numbers of all received
   LDP messages.  It must, however, still ensure that all received
   messages (or the consequent state changes) are secured before
   acknowledging the sequence number on the Keepalive.

   This approach may be considered optimal in systems that do not show a
   high degree of change over time (such as targeted LDP sessions) and
   that are prepared to risk loss of state for the most recent LDP
   exchanges.  More dynamic systems (such as LDP discovery sessions) are
   more likely to want to acknowledge state changes more frequently so
   that the maximum amount of state can be preserved over a failure.

11.3 Interactions With Other Label Distribution Mechanisms

   Many LDP LSRs also run other label distribution mechanisms.  These
   include management interfaces for configuration of static label
   mappings, other distinct instances of LDP, and other label
   distribution protocols.  The last example includes the traffic
   engineering label distribution protocol that is used to construct
   tunnels through which LDP LSPs are established.

   As with re-use of individual labels by LDP within a restarting LDP
   system, care must be taken to prevent labels that need to be retained
   by a restarting LDP session or protocol component from being used by
   another label distribution mechanism since that might compromise data
   security amongst other things.

   It is a matter for implementations to avoid this issue through the
   use of techniques such as a common label management component or
   segmented label spaces.

12.   Acknowledgments

   The work in this document is based on the LDP ideas expressed by the
   authors of [RFC3036].

   The ACK scheme used in this document was inspired by the proposal by
   David Ward and John Scudder for restarting BGP sessions now included
   in [BGP-RESTART].

   The authors would also like to acknowledge the careful review and
   comments of Nick Weeds, Piers Finlayson, Tim Harrison, Duncan Archer,
   Peter Ashwood-Smith, Bob Thomas, S. Manikantan, Adam Sheppard,
   Alan Davey, Iftekhar Hussain and Loa Andersson.






Farrel                      Standards Track                    [Page 48]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


13.   Intellectual Property Consideration

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.  Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.

   The IETF has been notified of intellectual property rights claimed in
   regard to some or all of the specification contained in this
   document.  For more information, consult the online list of claimed
   rights.

14.  References

14.1. Normative References

   [RFC2026]      Bradner, S., "The Internet Standards Process --
                  Revision 3", BCP 9, RFC 2026, October 1996.

   [RFC2119]      Bradner, S., "Key words for use in RFCs to Indicate
                  Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3036]      Andersson, L., Doolan, P., Feldman, N., Fredette, A.
                  and B. Thomas, "LDP Specification, RFC 3036, January
                  2001.

   [RFC3478]      Leelanivas, M., Rekhter, Y. and R. Aggrawal, "Graceful
                  Restart Mechanism for Label Distribution Protocol",
                  RFC 3478, February 2003.







Farrel                      Standards Track                    [Page 49]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


14.2. Informative References

   [RFC2205]      Braden, R., Zhang, L., Berson, S., Herzog, S. and S.
                  Jamin, "Resource ReSerVation Protocol (RSVP) --
                  Version 1, Functional Specification", RFC 2205,
                  September 1997.

   [RFC2961]      Berger, L., Gan, D., Swallow, G., Pan, P., Tomassi, F.
                  and S. Molendini, "RSVP Refresh Reduction Extensions",
                  RFC 2961, April 2001.

   [RFC3209]      Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan,
                  V. and G. Swallow, "Extensions to RSVP for LSP
                  Tunnels", RFC 3209, December 2001.

   [RFC3212]      Jamoussi, B., Andersson, L., Callon, R., Dantu, R.,
                  Wu, L., Doolan, P., Worster, T., Feldman, N.,
                  Fredette, A., Girish, M., Gray, E., Heinanen, J.,
                  Kilty, T. and A. Malis, "Constraint-Based LSP Setup
                  using LDP", RFC 3212, January 2002.

   [RFC3214]      Ash, G., Lee, Y., Ashwood-Smith, P., Jamoussi, B.,
                  Fedyk, D., Skalecki, D. and L. Li, "LSP Modification
                  Using CR-LDP", RFC 3214, January 2001.

   [BGP-RESTART]  Sangli, S., et al., Graceful Restart Mechanism for
                  BGP, Work in Progress.

15.  Authors' Addresses

   Adrian Farrel (editor)
   Movaz Networks, Inc.
   7926 Jones Branch Drive, Suite 615
   McLean, VA 22102

   Phone:  +1 703-847-1867
   EMail:  afarrel@movaz.com

   Paul Brittain
   Data Connection Ltd.
   Windsor House, Pepper Street,
   Chester, Cheshire
   CH1 1DF, UK

   Phone:   +44-(0)20-8366-1177
   EMail:   pjb@dataconnection.com





Farrel                      Standards Track                    [Page 50]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


   Philip Matthews
   Hyperchip
   1800 Rene-Levesque Blvd W
   Montreal, Quebec H3H 2H2
   Canada

   Phone:  +1 514-906-4965
   EMail: pmatthews@hyperchip.com

   Eric Gray

   EMail: ewgray@GraIyMage.com

   Jack Shaio
   Vivace Networks
   2730 Orchard Parkway
   San Jose, CA 95134

   Phone: +1 408 432 7623
   EMail: jack.shaio@vivacenetworks.com

   Toby Smith
   Laurel Networks, Inc.
   1300 Omega Drive
   Pittsburgh, PA 15205

   EMail: tob@laurelnetworks.com

   Andrew G. Malis
   Vivace Networks
   2730 Orchard Parkway
   San Jose, CA 95134

   Phone: +1 408 383 7223
   EMail: andy.malis@vivacenetworks.com
















Farrel                      Standards Track                    [Page 51]
^L
RFC 3479              Fault Tolerance for the LDP          February 2003


16.  Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Farrel                      Standards Track                    [Page 52]
^L