Re: failure detection

[marcelo bagnulo braun <marcelo@it.uc3m.es>]

El 18/08/2005, a las 17:06, Paul Jakma escribió:

>
...
> > Suppose you have a multihomed site with ISPA and ISPB and that they 
> > have assigned PrefA and PrefB respectivelly
> >
> > Suppose you have Host1 in the multihomed host and that it is 
> > communicating with Host2 outside the multihomed site. For that 
> > communication, Host1 is using address PrefA:host1 both as locator and 
> > as ULID. I assume that host2 has a single address host1
>
> Is host2 shim-aware?

yes

> It must be for scenario in next sentence to work. Particularly given 
> RPF filtering at ISPs on "PA" customers.
>
> > Now, suppose that an outage in the link between the multihomed site 
> > and ISPA occurs.
>
> Ok.
>
> > Host1 detects and needs to do something about it, how can he try with 
> > an alternative path?
>
> Why must host1 detect this? Host2 could also ;).

not in a unidirectional connectivity scenario

consider the case where the failure implies that:
PrefA:Host1 -> Host2 is not working
PrefB:Host1 -> Host2 is working
Host2 -> PrefA:Host1 is working
Host2 -> PrefB:Host1 is not working

How would you cope with this case?

> If, as part of shim6 control, host1 had, /in advance/, informed host2 
> that prefB:host1 was /also/ a valid locator, then:
>
> - if host2 was first to detect the problem, it could simply switch to
>   using the prefB:host1 locator
>
> - if host1 notices there is a problem with bidirectional
>   communication, it can simply start using the PrefB based locator
>   (which host2 already knows about and should accept)

this last point is influencing SAS and trying with alternative source 
locators, which is basically what we are considering here and that you 
are opposing right?

> This presumes host1 is actively managing its source address according 
> to state specific to shim6. However, there is a *better* way:
>
> - dont have shim6 pick the ISP dependent part of the locator
> - let the OS's existing SAS mechanisms pick the source address
>   according to routing policy, as per normal, for each and every
>   packet
> - let some external mechanism detect the local failure
>
> Some (non-exhaustive) examples of such mechanisms:
>
> - link status information
>
> (eg PPP has its own heartbeat mechanism. PPP is often used for DSL 
> connections, which will be a common case for the scenario described 
> above for host1, today at least)
>
> - Routing information
>
> (eg, host1 /could/ get routing information from either or both of ISP1 
> and ISP2. Be it just a RIP default announced regularly on up to full 
> *read-only* BGP feeds)

we have already discussed this point (in multi6) and imho it is not 
such a good idea to have the hosts to receive a full BGP feed.. i think 
there was ssome kind of concensous on this point, but maybe now has 
changed...

> - Link probing / dead-gateway detection software
>
> (At least one OS provides software to actively probe gateways and 
> adjust routes as/when required)
>
> - Well-known remote host probing software
>
> And so on.
>
> So, I'm not sure shim6 is at all the best place to take on detection 
> of /local/ failures.

The idea is that shim performs e2e failure detection (as i already 
mentioned earlier) so that the fate of the communicating parties i.e. 
the apps is shared with the fault tolerance mechanism and that the shim 
can detect all the potential outages and recover from them. Having 
different mechanisms deal with different types of failures would result 
in a reduced protection i guess

> Ie, in your scenario above, what I'm saying is:
>
> - Shim6 on host1 doesnt and shouldn't be involved in detecting local
>   failures

but you are assuming that host1 detects local failures through other 
means and this other means are likely to be injecting a full BGP feed 
into end hosts, right?

> - Only host2 needs to know and detect whether it must use PrefA or
>   PrefB based locator for host1.
>
> Ie, this should all be about reachability of the *remote* locator. 
> Which local locator to use should simply *not* be in scope for shim6 - 
> then things get easier, and you can avail of one or more existing 
> mechanisms for detecting local failures.

as i mention above, i am not sure if this supports the unidirectional 
case that i mention above.


...
> > This implies that in order to explore all the possible paths, we need 
> > to make n^2 probes.
>
> Yes, if you refuse to consider the option of leaving SAS to something 
> else (a wealth of mechanisms exist /already/), then you'll become 
> convinced you need n^2 probes. :)
>
> > Now, it is important to realize that n^2 is just an upper bound, and 
> > that n^2 probes will only be performed when all paths have failed 
> > except one and this is the last one you have tried with
>
> Even better is to realise that local address selection simply does not 
> need to be something shim6 has to concern itself with. Then the number 
> of probes, in the worst case, goes down to n, where n is the number of 
> locators you have to hand for the remote shim6.
>
> Don't forget, n^2 is per side. Each side will have to have to do it.
> So you're looking at, worst case, for host1 with n locators and host2 
> with y locators, by my potentially incorrect algebra:
>
> shim6 doing SAS and probing each side:
>
> 	y^2 + n^2
>
> In the worse case, both y and n tend to infinity, so generally n = y, 
> so the worst case therefore is:
>
> 	2*n^2
>
> as n and y -> infinity.

Your math is correct
now let me ask: how many unidirectional address pairs are available 
between two hosts having y and n addresses each one?

i guess that we agree that there are y^2+n^2 different unidirectional 
address pairs, right?

So the point is: if you want to provide full fault tolerance you need 
to explore them all, if you don't, there may exists available paths 
that you are discarding, hence there are communications that could be 
preserved but you are not finding the available path to use.

Of course, you may have optimizations, like testing two unidirectional 
paths (one in each directions) with a single packet exchange (2 packets 
instead of 4), using local information for discarding some addresses 
and so on, but again these are only optimizations.

...

> If you figure out that the local source to use is better left to 
> other, existing, mechanisms, and only probe the remote side,
> That's great, but you have 0 idea whether its the right address.
>
> Determining the right address involves:
>
> - route lookup on the destination to find the local output
> - lookup source for this output
>
> Shim6 /could/ do this, but on the other hand it could just leave the 
> local address in packets sent down the stack as unspecified, and the 
> OS will just do it for shim6.

how? i guess that you are asuming a BGP feed on hosts right?

I mean, a hosts with a single deafult route, wouldn't really know which 
of the n addresses available in its single interface to use for a given 
destiantion address... i mean DAS would not result in any particular 
address and the source address would be selected randomly...

> What is the benefit for shim6 to do this, that it MUST? (It doesn't 
> need to. Any such optimisations are purely implementation specific).
>
> Ergo: No need for SAS in shim6.
>
> > No, shim will try to honor the policy table (or any other tool to 
> > express policy we need to define) Obviously, if the path preffered by 
> > the policy is not available, then shim will have to use others of 
> > course
>
> See, there's an existing way to send a packet to a remote host and 
> have the source be set appropriately for the preferred path - don't 
> specify the source address...
>
> No complications needed.
>
> > > That's entirely scaleable and well within reason for deployment at 
> > > 'enterprise' shim6 sites.
> >
> > agree, but this is not enough to preserve established communications
>
> Why exactly?
>
> > Are you considering the case that full BGP feed is injected to the 
> > hosts, so that the hosts can find out which path is available towards 
> > its final destination?
>
> Well, in a BGP fed and shimmed network, I would imagine the shimming 
> would be done just on one or two hosts (or routers) at the edge of the 
> shimmed network. The BGP feed would be confined to those.

well, this seems a bit far from what is currently being considered imho

So far, we are assuming that the shim is a host based approach and that 
each host performs all the functions of the shim

the case of the proxy that you are mentioning have been considered and 
it is attractive but it presents some difficulties, especially w.r.t 
security... perhaps you could try to consider the security implications 
of that split that you are considering...

> As far as I know, the ULID and shimming host need not be same machine, 
> is my understanding correct?

not sure what you mean here... ULID is upper layer identifier, right?
so the ULID belongs to the shim host, so i guess they are in the same 
machine

regards, marcelo