BGP BFD Strict-Mode

Introduction Bidirectional Forwarding Detection BFD enables routers to monitor data plane connectivity and to detect faults in the bidirectional forwarding path between them. This functionality is leveraged by routing protocols such as BGP to rapidly react to topology changes in the face of path failures. The BFD interaction with BGP is specified in Section 10.2 of . When BFD is enabled for a BGP neighbor, faults in the bidirectional forwarding detected by BFD result in BGP session termination. It is possible in some failure scenarios for the network to be in a state such that a BGP session may be established but a BFD session cannot be established. In some other scenarios, it may be possible to establish a BGP session, but a degraded or poor-quality link may result in the corresponding BFD session going up and down frequently. To avoid situations that result in routing churn and to minimize the impact of network interruptions, it will be beneficial to disallow BGP to establish a session until BFD session is successfully established and has stabilized. We refer to this mode of operation as BFD "strict-mode". However, always using "strict-mode" would preclude BGP operation in an environment where not all routers support BFD strict-mode or have BFD enabled. This document defines BFD "strict-mode" operation as preventing BGP session establishment until both the local and remote speakers have an established BFD session. The document also specifies a BGP capability for announcing BFD parameters including a BGP speaker's support for "strict-mode"; i.e., requiring a BFD session for BGP session establishment.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

BGP Session Attributes for BFD Strict-Mode Defined in this document:

TBD-X) BfdEnabled:: A boolean value that is TRUE when BFD is configured and enabled for this BGP session.
TBD-X) BfdStrictEnabled:: A boolean value that is TRUE when BGP BFD Strict-Mode procedures are to be used when BFD is enabled for this BGP session. If BfdEnabled is not TRUE for this BGP session, this attribute has no impact.
TBD-X) BfdHoldTime:: Hold time value used for the BfdHoldTimer. The default value for this attribute is 30 seconds and is user configurable.
TBD-X) BfdHoldTimer:: Hold timer used when the BGP HoldTime has been negotiated to zero to ensure the BGP session terminates if the associated BFD session does not enter the Up state.
TBD-X) BfdStrictNegotiated:: A boolean value that is TRUE when the BFD strict-mode feature capability has been successfully negotiated for this BGP session. (See .)

Defined in RFC 5880:

bfd.SessionState:: The BFD session state associated with this BGP session when BFD is configured and enabled for the session. (See .)

BGP FSM Events for BFD Strict-Mode

Event TBD-X: BfdAdminDown

Definition:: The BFD session associated with this BGP session has transitioned to the AdminDown state.
Status:: Optional
Optional Attribute Status:: The BfdEnabled attribute for this BGP session SHOULD be set to TRUE.

Event TBD-X: BfdDown

Definition:: The BFD session associated with this BGP session has transitioned to the Down state.
Status:: Optional
Optional Attribute Status:

Event TBD-X: BfdUp

Definition:: The BFD session associated with this BGP session has transitioned to the Up state.
Status:: Optional
Optional Attribute Status:: The BfdEnabled attribute for this BGP session SHOULD be set to TRUE.

Event TBD-X: Bfd_Disabled

Definition:: The BfdEnabled session attribute has been changed to FALSE.
Status:: Optional
Optional Attribute Status:

Event TBD-X: BfdHoldTimer_Expires

Definition:

The BFD holdtimer, which is set when the negotiated BGP hold time is zero, has expired.

Status:

Optional

Optional Attribute Status:

The HoldTimer SHOULD NOT be running.
The negotiated HoldTime SHOULD be zero.
The BGP session state SHOULD be in Connect, Active, or OpenSent.

Event TBD-X: BfdStrict_ConfigChanged

Definition:: The configuration for the BFD strict configuration for the BGP session has been changed.
Status:: Optional
Optional Attribute Status:: If BfdEnabled is FALSE, this event MUST NOT occur. When BFD has been disabled, the local system will trigger a BfdAdminDown event instead.

BFD Strict-Mode Capability Definition The BFD Strict-Mode Capability is a BGP Capability defined as follows: Capability code: 74 Capability length: 0 octets

BFD Strict-Mode Capability Negotiation A BGP speaker which supports capabilities advertisement and has BFD strict-mode enabled MUST include the BFD Strict-Mode Capability in its OPEN message. A BGP speaker which supports the BFD Strict-Mode Capability examines the list of capabilities received from its peer. If both the local and remote BGP speakers include the BFD Strict-Mode Capability, the BfdStrictNegotiated session attribute ( below) is set to TRUE.

Starting and Stopping BFD Sessions Associated BGP BFD Strict-Mode Implementations SHOULD start the BFD session associated with the BGP BFD strict-mode session prior to the BGP FSM starting. The motivation is to avoid delaying BGP FSM transitions while waiting for the BFD session reach the Up state. Similarly, to support BFD hold-down requirements for detecting BFD session stability (see ), implementations SHOULD NOT immediately destroy BFD sessions when associated BGP connections transition to Idle.

BGP FSM State Changes

Overview of BFD Strict FSM Changes When BFD is enabled, and BFD strict-mode is enabled and negotiated, the BGP finite state machine is prevented from send a KEEPALIVE to the remote BGP speaker and advancing to the OpenConfirm state until the associated BFD session has reached the Up state. In the FSM defined in , sending of a KEEPALIVE to the remote BGP speaker and advancement to the OpenConfirm state happens:

In the Connect state upon receiving an OPEN message and the DelayOpenTimer is running.
In the Active state upon receiving an OPEN message and the DelayOpenTimer is running.
In the OpenSent upon receiving an OPEN message.

For each of these scenarios, when BFD is enabled, and BFD strict-mode is negotiated, a sub-state is introduced to track the pending BFD Up event:

ConnectDelayOpenBfdUpPending
ActiveDelayOpenBfdUpPending
OpenSentBfdUpPending

If BFD strict-mode configuration is changed once the BGP FSM has started executing, but has not reached the Established state, the session is reset to the Idle state to ensure consistent behavior. I.e., no unexpected timers are running, and the BGP session's transition to Established is not lingering on a pending event. Once the BGP session has reached the Established state, changes to BFD strict-mode are irrelevant since the work of this feature has been completed. The following changes are made to the BGP FSM defined in :

Changes to the Idle State In the "Idle State", the BfdAdminDown, BfdDown, BfdUp, Bfd_Disabled, BfdStrict_ConfigChanged events are ignored. In the "Idle State", the BfdHoldTimer_Expires event is ignored, but only would occur as an error in the FSM implementation.

Changes to the Connect State The BfdHoldTimer is reset to zero and stopped on any transition to the Idle state.

Handling BfdAdminDown / Bfd_Disabled / BfdUp In response to the BfdAdminDown event (Event TBD-X), the Bfd_Disabled event (Event TBD-X), or the BfdUp event (Event TBD-X) the the local system checks to see if it is in the ConnectDelayOpenBfdUpPending sub-state. If the FSM is in the ConnectDelayOpenBfdUpPending sub-state, the local system:

sends a KEEPALIVE message,
if the HoldTimer initial value is non-zero,
- starts the KeepaliveTimer with the initial value and
- resets the BfdHoldTimer value to zero,
and changes its state to OpenConfirm (leaves ConnectDelayOpenBfdUpPending).

If the FSM is not in the ConnectDelayOpenBfdUpPending sub-state, the local system:

stays in the Connect state.

Handling BfdDown The BfdDown event (Event TBD-X) is ignored while in the Connect state. A BFD session can transition to Down from the Init state, indicating the session has failed to come Up, or transition to Down from the AdminDown as part of starting the BFD state machine.

Handling BfdHoldTimer_Expires In response to the BfdHoldTimer_Expires event (Event TBD-X), the local system:

sends a NOTIFICATION message with the error code Cease (6) and error subcode BFD Down (10),
drops the TCP connection,
releases all BGP resources,
increments the ConnectRetryCounter,
(optionally) performs peer oscillation damping if the DampPeerOscillations attribute is set to TRUE, and
changes its state to Idle.

Handling BfdStrict_ConfigChanged In response to the BfdStrict_ConfigChanged event (Event TBD-X) the local system:

drops the TCP connection,
releases all BGP resources,
sets ConnectRetryCounter to zero,
stops the ConnectRetryTimer and sets ConnectRetryTimer to zero, and
changes its state to Idle.

Handling Event 20, BGPOpen with DelayOpenTimer running. In the "Connect State", the handling of Event 20, an OPEN message is received while the DelayOpenTimer is running, is revised as follows: Old Text:

stops the ConnectRetryTimer (if running) and sets the ConnectRetryTimer to zero,
completes the BGP initialization,
stops and clears the DelayOpenTimer (sets the value to zero),
sends an OPEN message,
sends a KEEPALIVE message,
if the HoldTimer initial value is non-zero,
- starts the KeepaliveTimer with the initial value and
- resets the HoldTimer to the negotiated value,
else, if the HoldTimer initial value is zero,
- resets the KeepaliveTimer and
- resets the HoldTimer value to zero,
and changes its state to OpenConfirm.

If the value of the autonomous system field is the same as the local Autonomous System number, set the connection status to an internal connection; otherwise it will be "external". New Text:

stops the ConnectRetryTimer (if running) and sets the ConnectRetryTimer to zero,
completes the BGP initialization,
stops and clears the DelayOpenTimer (sets the value to zero),
sends an OPEN message,
If BfdEnabled is TRUE, and BfdStrictNegotiated is TRUE, and bfd.SessionState is neither Up nor AdminDown,
- DOES NOT send a KEEPALIVE message,
- if the HoldTimer initial value is non-zero,
  - DOES NOT start the KeepaliveTimer
  - resets the HoldTimer to the negotiated value,
- else, if the HoldTimer initial value is zero,
  - resets the KeepaliveTimer and
  - resets the HoldTimer value to zero,
  - starts the BfdHoldTimer with the value BfdHoldTime,
- stays in the Connect state (enters ConnectDelayOpenBfdUpPending).
else,
- sends a KEEPALIVE message,
- if the HoldTimer initial value is non-zero,
  - starts the KeepaliveTimer with the initial value and
  - resets the HoldTimer to the negotiated value,
- else, if the HoldTimer initial value is zero,
  - resets the KeepaliveTimer and
  - resets the HoldTimer value to zero,
- and changes its state to OpenConfirm.

If the value of the autonomous system field is the same as the local Autonomous System number, set the connection status to an internal connection; otherwise it will be "external".

Changes to the Active State The BfdHoldTimer is reset to zero and stopped for any transition to the Idle state.

Handling BfdAdminDown / Bfd_Disabled / BfdUp In response to the BfdAdminDown event (Event TBD-X), the Bfd_Disabled event (Event TBD-X), or the BfdUp event (Event TBD-X), the local system checks to see if it is in the ActiveDelayOpenBfdUpPending sub-state. If the FSM is in the ActiveDelayOpenBfdUpPending sub-state, the local system:

sends a KEEPALIVE message,
if the HoldTimer initial value is non-zero,
- starts the KeepaliveTimer with the initial value and
- resets the BfdHoldTimer value to zero,
and changes its state to OpenConfirm (leaves ActiveDelayOpenBfdUpPending).

If the FSM is not in the ActiveDelayOpenBfdUpPending sub-state, the local system:

stays in the Active state.

Handling BfdDown The BfdDown event (Event TBD-X) is ignored while in the Active state. A BFD session can transition to Down from the Init state, indicating the session has failed to come Up, or transition to Down from the AdminDown as part of starting the BFD state machine.

Handling BfdHoldTimer_Expires In response to the BfdHoldTimer_Expires event (Event TBD-X), the local system:

sends a NOTIFICATION message with the error code Cease (6) and error subcode BFD Down (10),
drops the TCP connection,
releases all BGP resources,
increments the ConnectRetryCounter,
(optionally) performs peer oscillation damping if the DampPeerOscillations attribute is set to TRUE, and
changes its state to Idle.

Handling BfdStrict_ConfigChanged In response to the BfdStrict_ConfigChanged event (Event TBD-X), the local system:

drops the TCP connection,
releases all BGP resources,
sets ConnectRetryCounter to zero,
stops the ConnectRetryTimer and sets ConnectRetryTimer to zero, and
changes its state to Idle.

Handling Event 20, BGPOpen with DelayOpenTimer running. In the "Active State", the handling of Event 20, an OPEN message is received while the DelayOpenTimer is running, is revised as follows: Old Text:

stops the ConnectRetryTimer (if running) and sets the ConnectRetryTimer to zero,
completes the BGP initialization,
stops and clears the DelayOpenTimer (sets the value to zero),
sends an OPEN message,
sends a KEEPALIVE message,
if the HoldTimer initial value is non-zero,
- starts the KeepaliveTimer with the initial value and
- resets the HoldTimer to the negotiated value,
else, if the HoldTimer initial value is zero,
- resets the KeepaliveTimer and
- resets the HoldTimer value to zero,
and changes its state to OpenConfirm.

If the value of the autonomous system field is the same as the local Autonomous System number, set the connection status to an internal connection; otherwise it will be "external". New Text:

stops the ConnectRetryTimer (if running) and sets the ConnectRetryTimer to zero,
completes the BGP initialization,
stops and clears the DelayOpenTimer (sets the value to zero),
sends an OPEN message,
If BfdEnabled is TRUE, and BfdStrictNegotiated is TRUE, and bfd.SessionState is neither Up nor AdminDown,
- DOES NOT send a KEEPALIVE message,
- if the HoldTimer initial value is non-zero,
  - DOES NOT start the KeepaliveTimer
  - resets the HoldTimer to the negotiated value,
- else, if the HoldTimer initial value is zero,
  - resets the KeepaliveTimer and
  - resets the HoldTimer value to zero,
  - starts the BfdHoldTimer with the value BfdHoldTime,
- stays in the Active state (enters ActiveDelayOpenBfdUpPending).
else,
- sends a KEEPALIVE message,
- if the HoldTimer initial value is non-zero,
  - starts the KeepaliveTimer with the initial value and
  - resets the HoldTimer to the negotiated value,
- else, if the HoldTimer initial value is zero,
  - resets the KeepaliveTimer and
  - resets the HoldTimer value to zero,
- and changes its state to OpenConfirm.

If the value of the autonomous system field is the same as the local Autonomous System number, set the connection status to an internal connection; otherwise it will be "external".

Changes to the OpenSent State The BfdHoldTimer is reset to zero and stopped for any transition to the Idle state.

Handling BfdAdminDown / Bfd_Disabled / BfdUp In response to the the BfdAdminDown event (Event TBD-X), the Bfd_Disabled event (Event TBD-X), or the BfdUp event (Event TBD-X), and the FSM is in the OpenSentBfdUpPending sub-state, the local system:

sends a KEEPALIVE message, and
sets a KeepaliveTimer (via the text below)
resets the BfdHoldTimer value to zero,
changes its state to OpenConfirm (leaves OpenSentBfdUpPending).

If the FSM is not in the OpenSentBfdUpPending sub-state, the local system:

stays in the OpenSent state.

Handling BfdDown In response to the BfdDown event (Event TBD-X):

if BfdEnabled is TRUE, and BfdStrictNegotiated is TRUE, the local system:
- sends a NOTIFICATION message with the error code Cease (6) and error subcode BFD Down (10),
- drops the TCP connection,
- releases all BGP resources,
- sets ConnectRetryCounter to zero,
- stops the ConnectRetryTimer and sets ConnectRetryTimer to zero, and
- changes its state to Idle.
else,
- stays in the OpenSent State

Handling BfdHoldTimer_Expires In response to the BfdHoldTimer_Expires event (Event TBD-X), the local system:

sends a NOTIFICATION message with the error code Cease (6) and error subcode BFD Down (10),
drops the TCP connection,
releases all BGP resources,
increments the ConnectRetryCounter,
(optionally) performs peer oscillation damping if the DampPeerOscillations attribute is set to TRUE, and
changes its state to Idle.

Handling BfdStrict_ConfigChanged In response to the BfdStrict_ConfigChanged event (Event TBD-X), the local system:

sends the NOTIFICATION with an error code Cease (6), error subcode Other Configuration Change (6),
drops the TCP connection,
releases all BGP resources,
sets ConnectRetryCounter to zero,
stops the ConnectRetryTimer and sets ConnectRetryTimer to zero, and
changes its state to Idle.

Handling Event 19, BGPOpen Old Text: When an OPEN message is received, all fields are checked for correctness. If there are no errors in the OPEN message (Event 19), the local system:

resets the DelayOpenTimer to zero,
sets the BGP ConnectRetryTimer to zero,
sends a KEEPALIVE message, and
sets a KeepaliveTimer (via the text below)
sets the HoldTimer according to the negotiated value (see Section 4.2), - changes its state to OpenConfirm.

If the negotiated hold time value is zero, then the HoldTimer and KeepaliveTimer are not started. If the value of the Autonomous System field is the same as the local Autonomous System number, then the connection is an "internal" connection; otherwise, it is an "external" connection. New Text: When an OPEN message is received, all fields are checked for correctness. If there are no errors in the OPEN message (Event 19), the local system:

resets the DelayOpenTimer to zero,
sets the BGP ConnectRetryTimer to zero,
sets the HoldTimer according to the negotiated value (see Section 4.2),
If BfdEnabled is TRUE, and BfdStrictNegotiated is TRUE, and bfd.SessionState is neither Up nor AdminDown,
- DOES NOT send a KEEPALIVE message, and
- DOES NOT start the KeepaliveTimer
- if the HoldTimer negotiated value is zero,
  - starts the BfdHoldTimer with the value BfdHoldTime,
- stays in OpenSent state (OpenSentBfdUpPending)
else,
- sends a KEEPALIVE message, and
- sets a KeepaliveTimer (via the text below)
- changes its state to OpenConfirm.

Changes to the OpenConfirm State

Handling BfdAdminDown / Bfd_Disabled / BfdUp The BfdAdminDown, Bfd_Disabled, and BfdUp events are ignored in the OpenConfirm state.

Handling BfdDown In response to the BfdDown event (Event TBD-X):

if BfdEnabled is TRUE, and BfdStrictNegotiated is TRUE, the local system:
- sends a NOTIFICATION message with the error code Cease (6) and error subcode BFD Down (10),
- drops the TCP connection,
- releases all BGP resources,
- sets ConnectRetryCounter to zero,
- stops the ConnectRetryTimer and sets ConnectRetryTimer to zero, and
- changes its state to Idle.
else,
- stays in the OpenConfirm State

Handling BfdStrict_ConfigChanged In response to the BfdStrict_ConfigChanged event (Event TBD-X), the local system:

sends a NOTIFICATION message with the error code Cease (6) and error subcode Other Configuration Change (6),
drops the TCP connection,
releases all BGP resources,
sets ConnectRetryCounter to zero,
stops the ConnectRetryTimer and sets ConnectRetryTimer to zero, and
changes its state to Idle.

Changes to the Established State

Handling BfdAdminDown / Bfd_Disabled / BfdUp The BfdAdminDown, Bfd_Disabled, and BfdUp events are ignored in the Established state.

Handling BfdDown In response to the BfdDown event (Event TBD-X), the local system:

sends a NOTIFICATION message with the error code Cease (6) and error subcode BFD Down (10),
drops the TCP connection,
deletes all routes associated with this connection,
releases all BGP resources,
increments the ConnectRetryCounter by 1,
(optionally) performs peer oscillation damping if the DampPeerOscillations attribute is set to TRUE, and
changes its state to Idle.

Handling BfdStrict_ConfigChanged / BfdHoldTimer_Expires The BfdStrict_ConfigChange event is ignored in the Established state. The BfdHoldTimer_Expires event in the Established state is a FSM error, and is ignored.

Closing BGP Sessions When BGP sessions are closed according to the procedures in this document, the session SHOULD be terminated with a NOTIFICATION message with the Cease Code (6) and the "BFD Down" Subcode (10); see . This informs the operator that interaction with BFD is the root cause of the BGP session being unable to move to the Established state.

Stability Considerations The use of BFD strict-mode along with mechanisms such as hold-down (a delay in the initial BGP Establishment state following BFD session establishment) and/or dampening (a delay in the BGP Establishment state following failure detected by BFD) may help reduce the frequency of BGP session flaps and therefore reduce the associated routing churn. To avoid deadlock when utilizing both BFD hold-down and BFD strict-mode, when strict-mode is enabled for a peer, the BGP FSM MUST be enabled. That is, BFD hold-down procedures MUST NOT prevent BGP from establishing a connection with the remote BGP speaker. If both the local and remote BGP speakers include the BFD Strict-Mode Capability, the BGP state machine is permitted to transition to the Established state from the OpenConfirm state after the locally configured BFD hold-down interval is observed. That is, the BFD session has been Up for the desired amount of time. It is RECOMMENDED that the BFD hold-down intervals used with BFD strict-mode, when configured, use similar values. Similarly, the negotiated BGP holdtime SHOULD be long enough to account for the time between the BGP FSM reaching the OpenConfirm state, the BFD hold-down interval, and any delay for the BFD session being initiated. Failure to do so can result in the BGP speaker that has transitioned to the Established state expiring its BGP holdtime and closing the connection. This is because the remote BGP speaker hasn't transitioned to Established and begun sending KEEPALIVE messages. A BGP speaker SHOULD log a message if it closes its session due to hold timer expiration while waiting for the BFD hold-down interval. The behavior of BGP speakers implementing BFD hold-down without negotiating the BFD strict-mode feature is out of scope of this document. However, the authors are aware that inconsistent behaviors in BGP implementations for BFD hold-down without BFD strict-mode may result in BGP session deadlock.

Manageability Considerations Auto-configuration is possible for enabling BFD strict-mode. However, the configuration automation is out of the scope of this document. To simplify troubleshooting and avoid inconsistencies, it is RECOMMENDED that BFD strict-mode configuration be consistent for both BGP peers. This draft introduces sub-states in the existing BGP finite state machine for tracking BFD session status inputs for strict mode operation. Implementations SHOULD provide visibility for these sub-states in its display of the BGP finite state machine.

Security Considerations The mechanism defined in this document interacts with the BGP finite state machine when so configured. The security considerations for BFD thus, become BGP-4 considerations when so used. Given that a BFD session is required for a BGP session, a Denial-of-Service (DoS) attack on BGP can now be mounted by preventing a BFD session between the BGP peers from reaching the Up state, or interrupting an existing BFD session. The use of a BFD Authentication mechanism, some of which are defined in , is thus RECOMMENDED when used to protect BGP-4 .

IANA Considerations This document defines the BFD Strict-Mode Capability. The Capability Code 74 has been assigned from the First-Come-First-Served range (64-238) of the Capability Codes registry.

Acknowledgement The authors would like to acknowledge the review and inputs from Shyam Sethuram, Mohammed Mirza, Bruno Decraene, Carlos Pignataro, Enke Chen, Anup Kumar, and Ketan Talalukar.