Internet Engineering Task Force                       A. S. Maunder
Internet Draft                                        Cisco Systems
Expires in August, 2001
draft-ietf-ospf-scalability-00.txt                    G. Choudhury
                                                      AT&T Labs
                                                      March, 2001


Explicit Marking and Prioritized Treatment of Specific IGP Packets
for Faster IGP Convergence and Improved Network Scalability and
Stability

<draft-ietf-ospf-scalability-00.txt>

Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six
months
and may be updated, replaced, or obsoleted by other documents at
any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft
Shadow
Directories can be accessed at www.ietf.org/shadow.html.
Distribution of
this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

There has been a lot of interest in the networking community to
allow for fast failure detection followed by the fast restoration
and recovery. It may be possible to provide fast recovery using
special mechanisms; however, there is a strong interest in
addressing this issue at a more fundamental level i.e. at IGP
convergence because it addresses the problem at a much broader
scale.  Faster IGP convergence inevitably requires faster detection
by using smaller hello interval timers (unless one relies on link
level detection which is not always possible), fast flooding and
more frequent SPF calculations. However, we provide analytic and
simulation results*  to show that this compromises the scalability
and stability of the network, mainly because Hello packets received
at a router are indistinguishable from other packets and may
experience long queueing delays during a sudden burst of many LSA
updates. In this draft we suggest a need for Hello and potentially
some other IGP packets to be marked explicitly so that efficient

Maunder, et. al.         Expires: August, 2001           [page  1]








implementations can detect and act upon these messages in a priority
fashion thus allowing significant reduction in convergence time for
IGP while maintaining network stability.

The figures and graphs are missing from the ASCII version of the
draft. The pdf versions of this draft can be found in the Internet-
Drafts repository.

 Motivation

The motivation of this draft is to address two key issues:
(1) Fast restoration under failure conditions
(2) Increased network scalability and stability

The motivation for allowing fast restoration under failure
conditions is similar to the one provided in [1]draft-alaettinoglu-
isis-convergence-00.txt. The theoretical limit for link-state
routing protocols to re-route is in link propagation time scales,
i.e., in tens of milliseconds.  However, in practice it takes
seconds to tens of seconds to detect the link failure and
disseminate this information to the network followed by the
convergence on the new set of paths. This is an inordinately long
period of transient time for mission critical traffic destined to
the non-reachable nodes of the network. One component of the long
re-route time is the link failure detection time of between 20 and
 seconds through three missed Hello packets with the typical hello
interval of 10 seconds (between 30 and 40 seconds if missed hello
threshold is 4).  This component would be much shorter in the
presence of link level detection, but as pointed out in [1]draft-
alaettinoglu-isis-convergence-00.txt it does not work in some cases.
For example, a device driver may detect the link level failure but
fail to notify it to the IGP level.  Also, if a router fails behind
a switch in a switched environment then even though the switch gets
the link level notification it cannot communicate that to other
routers. Therefore for faster reliable detection at the IGP level,
one has to reduce the hello interval.  Reference [1]draft-
alaettinoglu-isis-convergence-00.txt suggests that this be reduced
to below a second, perhaps even to tens of milliseconds.  A second
component of the long re-route time is delayed SPF (shortest-path-
first) computation.  The typical delay value is 5 seconds but needs
to be reduced significantly to have sub-second rerouting.

The second issue we address is the ability of a network to withstand
the simultaneous or near-simultaneous update of a large number of
link-state- advertisement messages, or LSAs.  We call this event, an
LSA storm.  An LSA storm may be generated due to many reasons.  Here
are some examples:  (a) one or more link failures due to fiber cuts,
(b) one or more node failures for some reason, e.g., failed power
supply in an office, (c) requirement of taking down and later
bringing back many nodes during a software/hardware upgrade, (d)
near-synchronization of the once-in-30-minutes refresh instants of
some types of LSAs, (e) refresh of all LSAs in the system during a
change in software version. The LSA storm tends to drive the node
CPU utilization to 100% for a period of time and the duration of
this period increases with the size of the storm and the node
adjacency, i.e., the number of trunks connected to it. During this
period the Hello packets received at the node would see high delays
and if this delay exceeds typically three or four hello intervals

Maunder, et. al.         Expires: August, 2001           [page  2]






(typically 30 or 40 seconds) then the associated trunk would be
declared down.  Depending on the implementation, there may be other
impacts of a long CPU busy period as well.  For example, in a
reliable node architecture with an active and a standby processor, a
processor-switch may result during an extended CPU-busy period which
may mean that all the adjacencies would be lost and need to be re-
established.  Both of the above events would cause more database
synchronization with neighbors and network-wide LSA flooding which
in turn might cause extended CPU-busy periods at other nodes.  This
may cause unstable behavior in the network for an extended period of
time and potentially a meltdown in the extreme case.  Due to world-
wide increased traffic demand, data networks are ever increasing in
size. As the network size grows, a bigger LSA storm and a higher
adjacency at certain nodes would be more likely and so would
increase the probability of unstable behavior.  One way to address
the scalability issue is to divide the network hierarchically into
different areas so that flooding of LSAs remains localized within
areas.  However, this approach increases the network management and
design complexity and less optimal routing between areas. Also area
 may see the flooding of a large number of summary LSAs and some of
the new protocols may not work well under the hierarchical system.
Thus it is important to allow the network to grow towards as large a
size as possible under a single area. The undesirable impact of
large LSA storms is understood in the networking community and it is
well known that large scale flooding of control messages (either
naturally or due to a bug) has been responsible for several network
events in the past causing a meltdown or a near-meltdown.  Recently,
proposals have been submitted to avoid synchronization of LSA
refreshes [2]draft-ietf-ospf-refresh-guide-01.txt and reduce
flooding overhead in case more than one interface goes to the same
neighbor [3] draft-ietf-ospf-isis-flood-opt-00.txt, and [4]draft-
ietf-ospf-ppp-flood-00.txt.

In this proposal we would like to make the point that reducing hello
intervals and more frequent SPF computation would in fact reduce
network scalability and stability. We will use a simple and
approximate but easy-to-understand analytic model for this purpose.
We will also use a more involved simulation model.  Next, we would
like to make the point that many of the underlying causes of network
scalability could be avoided if certain IGP messages could be
specially marked and provided prioritized treatment.

 Analytic Model for Delay seen By a Received Hello Packet During a
LSA Storm

For every trunk interface, a node has to send and receive a Hello
packet once every hello interval.  Sending of a Hello packet can be
triggered by a timer and it is possible to give higher priority to
timer-driven jobs and thereby ensure that it is not excessively
delayed even during extended CPU-busy periods.  However, a received
Hello packet cannot be easily distinguished from other IGP or IP
packets and therefore is typically served in a first-come-first-
served fashion.  We do a simple and approximate analysis of the
delay experienced by this packet during an LSA storm at a node with
highest adjacency.  LetÆs assume:
? S = Size of LSA storm (i.e., number of LSAs in it).  Also, it
is assumed that each LSA is carried in one LSU packet.
? L = Link adjacency of the node under consideration.  This is

Maunder, et. al.         Expires: August, 2001           [page  3]







assumed to be the maximum in the network.
? t1 = Time to send or receive one IGP packet over an interface
(the same time is assumed for Hello, LSA, duplicate LSA and LSA
acknowledgement even though in general there may be some
differences.  However, this would be a good approximation if
majority of the time is in the act of receiving or sending and a
relatively small part for packet-type-specific work.  In the
numerical examples we assume t1 = 1 ms.
? t2 = Time to do one SPF calculation. For large network, this
time is usually in hundreds of ms and in the numerical examples
we assume t2 = 200 ms.
? Hi = Hello interval.
? Si = minimum interval between successive SPF calculations.
? ro = Rate at which non-IGP work comes to the node (e.g.,
forwarding of data packets).  For the numerical examples we
assume ro = 0.2.
? T = Total work brought in to the node during the LSA storm.
For each LSA update generated elsewhere, the node will receive
one new LSA packet over one interface, send an acknowledgement
packet over that interface, and send copies of the LSA packet
over the remaining L-1 interfaces. Also, assuming that the
implicit acknowledgement mechanism is in use, the node will
subsequently receive either an acknowledgement or a duplicate LSA
over the remaining L-1 interfaces.  So over each interface one
packet is sent and one is received.  It can be seen that the same
would be true for self-generated LSAs.   So the total work per
LSA update is 2*L*t1.  Since there are S LSAs in the storm, we
get

T = 2*S*L*t1      (1)

In Equation (1) we ignore retransmissions of LSAs in case
acknowledgements are not received or processed within 5 seconds.
This impact and other details are taken into account in the
simulation model to be presented later.
? T2 = Time period over which the work comes. Due to differences
in propagation times and congestion at other nodes, it is
possible for the work arrival time to be spread out over a long
interval.  However, since we are considering the node with
highest adjacency, i.e., one with highest congestion, (this is
assuming that all nodes have the same processing power and about
the same non-IGP workload) most of the work will come in one
chunk.  We verified this to be usually true using simulations.
One part of T2 will be of the order of link propagation delay and
we assume that there is a second part which is proportional to T.
Therefore we get,

T2 = A + B*T    (2)

   Where A and B are constants.  For the numerical examples we
assume
   A = 10 ms and B = 0.1.

? D = Maximum delay experienced by a Hello packet during the LSA
storm.  We assume first-come-first-served service and hence the
delay seen by the Hello packet would be the total outstanding
work at the node at the arrival instant plus its own processing
time.  We assume that outstanding work steadily increases over

Maunder, et. al.         Expires: August, 2001           [page  4]







the interval T2 and so the maximum delay is seen by a Hello
packet that comes near the end of this interval.  We write down
an approximate expression for D and then explain the various
terms on the right hand side:

D = T û T2 + max(1,2*T2/Hi)*t1 + max(1,T2/Si)*t2 + ro*T2 (3)

The first term is the total work brought in due to the LSA storm.
The second term is the work the node was able to finish since we are
assuming that it was continuously busy during the period T2.  The
third term is the total work due to the sending and receiving of
Hello packets during the period T2.  Note that it is assumed that at
least one Hello packet is processed, i.e., itself.  The fourth term
is due to SPF processing during the period T2 and we assume that at
least one SPF processing is done.  The last term is the total non-
IGP work coming to the node over the interval T2

? Dmax = maximum allowed value of D, i.e., if D exceeds this
value then the associated link would be declared down. In the
numerical examples below we assume

Dmax = 3*Hi     (4)

   If we assume that the previous Hello packet was minimally
delayed then exceeding Dmax really means four missed hellos since
the Hello packet under study itself came after a period Hi.  In
the numerical examples below, both D and Dmax change with choice
of system parameters and we are mainly interested in identifying
if D exceeds Dmax.  For this purpose we define the following
ratio variable

Delay Ratio = D/Dmax      (5)

and identify if Delay Ratio exceeds 1.

In Figures 1-3 we plot the Delay Ratio as a function of LSA Storm
size with node adjacencies 10, 20 and 50 respectively.  All
parameters except for the ones noted explicitly on the figures are
as stated earlier.  Figure 1 assumes Hello packets every 10 seconds
and SPF calculation every 5 seconds which are typical default values
today.  With a node adjacency of 10, the Delay Ratio is below 1 even
with an LSA storm of size 1000.  However, with a node adjacency of
20, the Delay Ratio exceeds 1 at around a storm of size 800 and with
a node adjacency of 50, the Delay Ratio exceeds 1 at around a storm
of size 325.

Figure 1: Delay Ratio with Hello Every 10 Seconds, SPF Every 5
Seconds, Dmax = 30 seconds

In a large network it is not unusual to have LSA storms of size
several hundreds since the LSA database size may be several
thousands. This is particularly true if there are many type 5 LSAs
and there are special LSAs for carrying information about available
bandwidth at trunks as is common in ATM networks and might be used
in MPLS-based networks as well.
Figure 2 decreases the hello interval to 2 seconds and SPF
calculation is done once a second.  LSA storm thresholds are
significantly reduced.  Specifically, with a node adjacency of 10,

Maunder, et. al.         Expires: August, 2001           [page  5]






the Delay Ratio exceeds 1 at around a storm of size 310; with a node
adjacency of 20, the Delay Ratio exceeds 1 at around a storm of size
160; and with a node adjacency of 50, the Delay Ratio exceeds 1 at
around a storm of size only 65.

Figure 2: Delay Ratio with Hello Every 2 Seconds, SPF Every 1
Second, Dmax = 6 seconds

Figure 3 decreases the hello interval even further to 300 ms and SPF
calculation is done once every 500 ms. LSA storm thresholds are
really small now.  Specifically, with a node adjacency of 10, the
Delay Ratio exceeds 1 at around a storm of size 40, with a node
adjacency of 20, the Delay Ratio exceeds 1 at around a storm of size
20, and with a node adjacency of 50, the Delay Ratio is already over
 even with a storm of size 10.

Figure 3: Delay Ratio with Hello Every 300 ms, SPF Every 500 ms,
Dmax = 900 ms

Whenever Delay Ratio exceeds 1, the associated link is declared down
even if it is actually up and eventually other undesirable events
start (e.g., trunk flapping and cascading of extended CPU overload
periods to other nodes).  Therefore, the LSA storm threshold at
which the Delay Ratio exceeds 1 may also roughly be considered as
the network stability threshold.  Figures 1-3 show that the
stability threshold rapidly decreases as the hello interval and SPF
computation interval decreases.  One reason for this is the
increased CPU work due to more frequent hello and SPF computations,
but the dominant reason is that Dmax itself decreases and so a
smaller CPU busy interval is needed to exceed it.  Specifically,
Dmax is 30 seconds in Figure 1, 6 Seconds in Figure 2 and only 900
ms in Figure 3. It is clear from the above examples that in order to
maintain network stability as the hello interval decreases, it is
necessary to provide faster prioritized treatment to received Hello
packets which can of course be only done if those packets can be
distinguished from other IGP or IP packets.


 Simulation Study

We have also developed a simulation model to capture more accurately
the impact of an LSA storm on all the nodes of the network.  It
captures the actual congestion seen at various nodes, propagation
delay between nodes and retransmissions in case an LSA is not
acknowledged. It also tries to approximate a real network
implementation and uses processing times that are roughly in the
same order of magnitude as measured in the real network (of the
order of milliseconds).  There are two categories of IGP messages.
Category one messages are triggered by a timer and include the Hello
refresh, LSA refresh and retransmission packets. Category 2 messages
are not triggered by a timer and include received Hello, received
LSA and received acknowledgements. Timer-triggered messages are
given non-preemptive priority over the other type. A beneficial
effect of this strategy is that Hello packets are sent out with
little delay even under intense CPU overload.  However, the received
Hello packets and the received acknowledgement packets may see long
queueing delays under intense CPU overload. Figures 4 and 5 below
show sample results of the simulation study when applied to a

Maunder, et. al.         Expires: August, 2001           [page  6]






network with about 300 nodes and 800 trunks.  The hello interval is
assumed to be 5 seconds, the minimum interval between successive SPF
calculations is 1 second, and a trunk is declared down if no Hello
packet is received for three successive hello intervals, i.e., 15
seconds.   During the study, an LSA storm of size 300 and 600
(Figures 4 and 5 respectively) are created at instant of time 100
seconds.  Three LSAs are packed within one LSU packet and it is
assumed that they remain packed the same way during the flooding
process.  Besides the storm, there are also the normal once-in-
thirty-minutes LSA refreshes and those LSAs are packed one per LSU
packet. We define a quantity ôdispersionö which is the number of LSU
packets generated in the network but not received and processed in
at least one node.  Figures 4 and 5 plot dispersion as a function of
time.  Before the LSA storm, the dispersion due to normal LSA
refreshes remains small.  As expected, right after the storm the
dispersion jumps and then comes down again to the pre-storm level
after some period of time.  In Figure 4 with an LSA storm size 300,
the ôheavy dispersion periodö lasted about 11 seconds and no trunk
losses were observed.  In Figure 5 with an LSA storm of size 600,
the ôheavy dispersion periodö lasted about 40 seconds.  Some trunk
losses were observed a little after 15 seconds within the ôheavy
dispersion periodö but eventually all trunks recovered and the
dispersion came down to the pre-storm level.


Figure 4: Dispersion Versus Time (LSA Storm Size = 300)



Figure 5: Dispersion Versus Time (LSA Storm Size = 600)


 Need for Special Marking and Prioritized Treatment of Specific IGP
packets

The analytic and simulation models show that a major cause for
unstable behavior in networks is received Hello packets at a node
getting queued behind other work brought in to the node during an
LSA storm and missing the deadline of typically three or four hello
intervals.  This need not happen to outgoing Hello packets that are
triggered by a timer since the node CPU can give it prioritized
treatment.  Clearly, if the received Hello packet can be specially
marked to distinguish it from other IGP and IP packets then they can
also be given prioritized treatment and they would not miss the
deadline even during a large LSA storm.  Some specific field of IP
packets may be used for this purpose.  Besides the Hello packets
there may be other IGP packets that could also benefit from special
marking and prioritized marking. We give two examples but clearly
others are possible.
? One example is the LSA acknowledgement packet.  This packet
disables retransmission and if a large queueing delay to this
packet expires the retransmission timer (typical default value is
 seconds) then a needless retransmission will happen causing
extra traffic load.  Retransmission event is usually rare due to
the reliable nature of transmission links, but during the 600 LSA
storm simulation in Figure 5 many retransmission events were
noted.  Usually, retransmission events happen more with a longer
CPU busy period.  Clearly, a special marking and prioritization

Maunder, et. al.         Expires: August, 2001           [page  7]







of the LSA acknowledgement packet would eliminate many needless
retransmissions.
? A second example is an LSA carrying a bad news, i.e., a failure
of a trunk or a node. It is preferable to transmit this
information faster than other LSAs in the network that either
carry good news or are just once-in-30-minutes refreshes. The
explicit identification can also be used to trigger the SPF
calculation after processing LSAes carrying bad information. This
will obviate the need of lowering the SPF calculation interval
under all circumstances and thus reducing the processing
overhead.

The example in this draft focussed explicitly on the control domain.
However, it can easily be seen that having an explicit
identification for certain æchosenÆ packets will help minimize their
drop probability in the traffic plane also. The explicit
identification allows these control packets to be easily
distinguished from the data packets in the line card and hence their
processing (forwarding) can be expedited even under large traffic
conditions.

 Summary

In this proposal we point out that if a large LSA storm is generated
as a result of some type of failure/recovery of nodes/trunks or
synchronization among refreshes then the Hello packets received at a
node may see large queueing delays and miss the deadline of
typically three or four hello intervals.  This causes the trunk to
be down and is potentially the beginning of unstable behavior in the
network.  This is already a concern in todayÆs network but would be
a much bigger concern if the hello interval and minimum interval
between SPF calculations are substantially reduced (below or perhaps
well below a second) in order to allow faster rerouting, as proposed
in [1]draft-alaettinoglu-isis-convergence-00.txt.  To avoid the
above, we propose the use of a special marking for Hello packets
(perhaps using a special field in IP packets) so that they may be
distinguished from other IGP and IP packets and provided a
prioritized treatment during intense CPU overload periods caused by
LSA storms.  We also point out that other IGP packets could benefit
from special markings as well.  Two examples are LSA acknowledgement
packets and LSA packets carrying bad news.


 Acknowledgments

The authors would like to thank members of the High-Speed Packet
Switching division of AT&T for their help during the study.

 References

[] draft-alaettinoglu-isis-convergence-00.txt   November, 2000

[] draft-ietf-ospf-refresh-guide-01.txt     July, 2000

[] draft-ietf-ospf-isis-flood-opt-00.txt    October, 2000

[] draft-ietf-ospf-ppp-flood-00.txt         November, 2000


Maunder, et. al.         Expires: August, 2001           [page  8]








 Authors' Addresses

Anurag S. Maunder
Cisco Systems
email: amaunder@cisco.com

Gagan Choudhury
AT&T Labs, Middletown, NJ, USA
email: gchoudhury@att.com





*The study was done when Anurag S. Maunder was a Sr. Member of
Techical Staff at AT&T.