
Telechat Review of draft-ietf-forces-ceha-09
review-ietf-forces-ceha-09-opsdir-telechat-dunbar-2013-12-12-00

Request Review of draft-ietf-forces-ceha
Requested revision No specific revision (document currently at 10)
Type Telechat Review
Team Ops Directorate (opsdir)
Deadline 2013-12-03
Requested 2013-11-28
Authors Kentaro Ogawa, Weiming Wang, Evangelos Haleplidis, Jamal Hadi Salim
I-D last updated 2013-12-12
Completed reviews Genart Early review of -08 by Francis Dupont (diff)
Genart Telechat review of -09 by Francis Dupont (diff)
Opsdir Telechat review of -09 by Linda Dunbar (diff)
Assignment Reviewer Linda Dunbar
State Completed
Request Telechat review on draft-ietf-forces-ceha by Ops Directorate Assigned
Reviewed revision 09 (document currently at 10)
Result Has issues
Completed 2013-12-12

Resend of historical review for tool tracking purposes





From: Linda Dunbar
Sent: Monday, November 11, 2013 3:54 PM
To: Operations Directorate; 'draft-ietf-forces-ceha.all at tools.ietf.org'
Cc: ops-ads at tools.ietf.org; Gunter Velde Van de
Subject: Operations Directorate Review of draft-ietf-forces-ceha-08 by 2013-11-06



Hi!,



As a member of the Operations Directorate, I have reviewed the
draft-ietf-forces-ceha-08 for its operational impact.



This document proposes using multiple Control Elements as a way to achieve High
Availability within a ForCES Network Element.



I can’t find any specification in the draft of the conditions under which to
declare CE failure.



Bullet 1 in 2.2 states that the extreme scenario is the operator acting as the
monitoring entity to detect faulty CEs. Therefore, the detection time could be
hours or days. If the FE can sustain faulty CEs for hours or days, why not
simply have the operator reboot the CEs, instead of having this sophisticated
mechanism? A CE is software, which can be rebooted or restarted.



IMHO, should use CE-FE interface status (Fp link in figure 1) as a criterion
to determine CE failure, even though a CE could malfunction with its interface
to the FE still on. Having a CE protection mechanism without the failure
condition clearly defined is only half a solution.







Bullet 4 in 2.2 states that FE recovery time depends on the FE states. I am
just curious about what kind of states the FE could have.



Section 6, Security Considerations, should specify that only the FE can
initiate a connection with a CE, not the other way around. So at least the FE
can be configured with a list of legitimate CEs that will control the FE.





Linda Dunbar