BGP BFD Strict-Mode

Introduction Bidirectional Forwarding Detection BFD enables routers to monitor data plane connectivity and to detect faults in the bidirectional forwarding path between them. This capability is leveraged by routing protocols such as BGP to rapidly react to topology changes in the face of path failures. The BFD interaction with BGP is specified in Section 10.2 of . When BFD is enabled for a BGP neighbor, faults in the bidirectional forwarding detected by BFD result in session termination. It is possible in some failure scenarios for the network to be in a state such that a BGP session may be established but a BFD session cannot be established. In some other scenarios, it may be possible to establish a BGP session, but a degraded or poor-quality link may result in the corresponding BFD session going up and down frequently. To avoid situations which result in routing churn and to minimize the impact of network interruptions, it will be beneficial to disallow BGP to establish a session until BFD session is successfully established and has stabilized. We refer to this mode of operation as BGP BFD "strict-mode". However, always using "strict-mode" would preclude BGP operation in an environment where not all routers support BFD strict-mode or have BFD enabled. This document defines BGP "strict-mode" operation as preventing BGP session establishment until both the local and remove speakers have a stable BFD session. The document also specifies the BGP protocol extensions for BGP capability for announcing BFD parameters including a BGP speaker's support for "strict-mode", i.e., requiring a BFD session for BGP session establishment.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

BFD Strict-Mode Capability The BGP Strict-Mode Capability will allow a BGP speaker's to advertise this capability. The capability is defined as follows: Capability code: 74 Capability length: 0 octets

Operation A BGP speaker which supports capabilities advertisement and has BFD strict-mode enabled MUST include the BFD strict-mode capability. A BGP speaker which supports the BFD Strict-Mode capability, examines the list of capabilities present in the capabilities that the speaker receives from its peer. If both the local and remote BGP speakers include the BFD strict-mode capability, the BGP finite state machine does not transition to the Established state from OpenSent or OpenConfirm state until the BFD session is in the Up state (see below for AdminDown state). This means that a KEEPALIVE message is not sent nor is the KeepaliveTimer set. If the BFD session does not transition to the Up state, and the HoldTimer has been negotiated to a non-zero value, the BGP FSM will close the session appropriately. If the HoldTimer has been negotiated to a zero value, the session should be closed after a time of X. This time X is referred as "BGP BFD Hold time". The proposed default BGP BFD Hold time value is 30 seconds. The BGP BFD Hold time value is configurable. If BFD session is in the AdminDown state, then the BGP finite state machine will proceed normally without input from BFD. This means that BFD session "AdminDown" state WILL NOT prevent the BGP state transition to Established state from OpenConfirm. Once the BFD session has transitioned to the Up state, the BGP FSM may proceed to transition to the Established state from the OpenSent or OpenConfirm state appropriately. I.e. a KEEPALIVE message is sent, and the KeepaliveTimer is started. If either BGP peer has not advertised the BFD Strict-Mode Capability, then a BFD session WILL NOT be required for the BGP session to reach Established state. This does not preclude usage of BFD after BGP session establishment . If BFD is disabled for a BGP peer and the BGP session state is being held in OpenSent or OpenConfirm state, then the BGP will close session, and start a new TCP connect.

Manageability Considerations Auto-configuration is possible for the enabling BGP BFD Strict-Mode. However, the configuration automation is out of the scope of this document. A BGP NOTIFICATION message Subcode indicating BFD Hold timer expiration may be required for network management. (To be discussed in the next revision of this document.)

Security Considerations The mechanism defined in this document interacts with the BGP finite state machine when so configured. The security considerations of BFD thus, become considerations for BGP-4 so used. Given that a BFD session is required for a BGP session, a Denial-of-Service (DoS) attack on BGP can now be mounted by preventing a BFD session between the BGP peers from being established or interrupting an existing BFD session. The use of the BFD Authentication mechanism defined in is thus RECOMMENDED when used to protect BGP-4 .

IANA Considerations This document defines the BGP BFD capability. The Capability Code 74 has been assigned from the First-Come-First-Served range (64-238) of the Capability Codes registry.

Acknowledgement The authors would like to acknowledge the review and inputs from Shyam Sethuram, Mohammed Mirza, Bruno Decraene, Carlos Pignataro, and Enke Chen.