BFD StabilityAalyria Technologiesashesh@aalyria.comArrcus, Inc.USAmjethanandani@gmail.comCiena Corporation3939 North 1st StreetSan JoseCA95134USAankurpsaxena@gmail.comwww.ciena.comZscalerBangaloreKarnataka560103Indiasantosh.pallagatti@gmail.comHuaweimach.chen@huawei.com
This document describes extensions to the Bidirectional
Forwarding Detection (BFD) protocol to measure BFD
stability. Specifically, it describes a mechanism for
the detection of BFD packet loss.The Bidirectional Forwarding Detection (BFD) protocol operates by transmitting and
receiving BFD control packets, generally at high frequency, over the
datapath being monitored. In order to prevent significant data loss due
to a datapath failure, BFD session detection time as defined in BFD is set to the smallest feasible value.
A BFD session will remain in the
Up state as long as it receives at least one BFD packet within the
Detection Time interval. However, additional packet loss
within that time interval is not noted by the BFD state
machinery. Noting the other missed packets provides a valuable
indicator of systemic issues or a deteriorating network that
may warrant preventive action.
This document proposes an experimental mechanism to detect
lost packets in a BFD session in addition to the datapath
fault detection mechanisms of BFD. Such a mechanism, combined
with 'received-packet-count' defined in the YANG Data Model for Bidrectional Forward
Detection (BFD) permits operators to measure the
stability of BFD sessions. The details of the motivation for
experimental status can be found in . Implementations may also do
additional analysis of the packet loss over a time
interval. Such an analysis is outside the scope of this
document.
This document does not propose any BFD extension to measure
data traffic loss or delay on a link or tunnel, and the scope
is limited to BFD packets.
This document uses several placeholder values throughout the
document. Please replace them as follows and remove this
section before publication.
RFC XXXX, where XXXX is the number assigned to this document
at the time of publication.
2025-10-30, with the actual date of the publication of this
document.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC 2119 and RFC
8174.
The reader is expected to be familiar with the BFD. In particular, the term
'meticulous' specified in Meticulous Keyed
ISAAC for BFD Optimized Authentication means that the
Sequence number is incremented on every new packet that is
sent.
Bidirectional Forwarding Detection, as defined in BFD cannot detect any BFD packet loss
if the loss does not last for the Detection Time. This
document proposes a method to detect dropped packets on the
receiver. For example, if the receiver receives BFD control
packet k at time t but receives packet k+3 at time t+10ms, and
never receives packet k+1 and/or k+2, then it has experienced
a packet loss.
This proposal enables BFD implementations to generate
diagnostic information on the health of each BFD session that
could be used to preempt probability of a failure on a
datapath that BFD was monitoring by allowing time for a
corrective action to be taken.
In a faulty datapath scenario, an operator can use BFD health
information to trigger the delay and loss measurement OAM
protocol Connectivity Fault Management
(CFM) or Packet Loss and Delay
Measurement for MPLS Networks to further isolate the
issue.
BFD stability measurement requires that a BFD Meticulous Authentication
type is configured.
The ietf-bfd-stability YANG model, defined in this document, provides
the ability to configure BFD stability measurement for BFD sessions by
configuring the 'stability' flag. The 'lost-packet-count' leaf permits
monitoring of stability issues as defined in this document for BFD
sessions that have the stability flag enabled.
The configuration of BFD stability measurement and monitoring using
other methods than the attached YANG model is out of scope from this
document.
The NULL Authentication Type, defined in this document, can be
used to provide a meticulously increasing sequence number
BFD for stability measurement.
It provides none of the protections desired for authentication
and is used only to provide BFD stability services to BFD
sessions that otherwise have no authentication in use.If the Authentication Present (A) bit is set in the header
as defined in BFD,
and the Authentication Type field contains TBD, the
Authentication section has the following format:
where:
Auth Type (8 bits): The Authentication Type, which in this
case is TBD (NULL, to be assigned by IANA, with a suggested
value of 6).
Auth Len (8 bits): The length of the NULL Auth Type, in bytes;
i.e., 8 bytes
Auth Key ID (8 bits): The authentication key ID in use for this
packet. MUST be set to zero and MUST be ignored on receipt.
Reserved (8 bits): This byte MUST be set to zero on transmit
and MUST be ignored on receipt.
Sequence Number (32 bits): The sequence number for this
packet. This value is incremented for each successive packet
transmitted for a session. Implementations will use sequence
numbers (bfd.XmitAuthSeq) as defined in BFD.
If bfd.AuthSeqKnown is 1, and the received Sequence Number
field is not equal to bfd.RcvAuthSeq + 1 (in a circular number
space), then the loss count is incremented by the difference
between the received Sequence Number and bfd.RcvAuthSeq and
bfd.RcvAuthSeq is set to the received Sequence Number.
Otherwise (bfd.AuthSeqKnown is 0), bfd.AuthSeqKnown MUST be
set to 1, and bfd.RcvAuthSeq MUST be set to the value of the
received Sequence Number field as defined in BFD, and the packet MUST
be accepted.
According to BFD a receiver MUST discard a received
packet that lies outside the range of bfd.RcvAuthSeq and
bfd.RcvAuthSeq + (3 * Detect Multi). If it is within that
range, but is missing a packet, it can be used to detect a
loss. In case of NULL authentication where packets containing
sequence numbers are accepted on receipt, an attacker with
unauthenticated sequence number could move the Sequence Number
forward. Meanwhile, the actual BFD neighbor that continues to
send packets will find them discarded and the session would
drop. To prevent such an attack, the received Sequence Number
MUST NOT be compared with bfd.RcvAuthSeq for purposes of
discarding the BFD packets.
This mechanism allows operators to measure the loss of BFD control
packets. A BFD authentication type carrying a meticulously increasing
sequence number is required to support this loss measurement.
Authentication types that provide for meticulously increasing sequence
numbers include:
Meticulously Keyed MD5 and SHA1, defined in
.
Meticulously Keyed ISAAC, defined in
.
The NULL authentication mechanism, which does not provide for
authentication but carries a meticulously increasing sequence number,
defined in this document.
Other authentication types that provide for meticulously increasing
sequence numbers appropriate for this mechanism may be defined in future
specifications.
Loss measurement counts the number of BFD control packets
missed at the receiver during any Detection Time BFD period. The loss is detected
by comparing the Sequence Number field in successive BFD
control packets. The Sequence Number in each successive
control packet generated on a BFD session by the transmitter
is incremented by one. This loss count can then be exposed
using the YANG module defined in the subsequent section. See
discussion on Out of
Order Packets later in the document.
The first BFD authentication section with a non-zero
sequence number, in a valid BFD control packet, processed by
the receiver, is used for bootstrapping the logic.
Some transmission mechanisms - for example, Link Aggregate Groups
(LAG), or Equal Cost Multipath (ECMP) - can result in out of order
packet delivery. In circumstances where BFD packets are not lost, but
are delivered out of order, strict comparison of increasing sequence
numbers may result in classifying the out of order packets as packet
loss.
Implementations MAY provide mechanisms wherein all expected
packets received across an expected interval, but delivered
out of order are not considered lost packets.
This YANG module augments the base BFD YANG module to add
attributes such as the flag 'stability' related
to the experiment of BFD Stability. The feature statement
'stability' needs to be enabled to indicate that BFD
Stability is supported by the implementation. In addition, a
loss count per-session or lsp for BFD packets that are lost
has also been added in this model.
This YANG module imports modules defined in Common YANG Types, A YANG Data Model for Routing, and
YANG Data Model for Bidirectional
Forwading Detection (BFD).
file "ietf-bfd-stability@2025-10-30.yang"
module ietf-bfd-stability {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-bfd-stability";
prefix "bfd-s";
import ietf-yang-types {
prefix "yang";
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-routing {
prefix "rt";
reference
"RFC 8349: A YANG Data Model for Routing Management
(NMDA version)";
}
import ietf-bfd {
prefix bfd;
reference
"RFC 9314: YANG Data Model for Bidirectional
Forwarding Detection.";
}
import ietf-bfd-ip-sh {
prefix bfd-ip-sh;
reference
"RFC 9314: YANG Data Model for Bidirectional
Forwarding Detection.";
}
import ietf-bfd-ip-mh {
prefix bfd-ip-mh;
reference
"RFC 9314: YANG Data Model for Bidirectional
Forwarding Detection.";
}
import ietf-bfd-lag {
prefix bfd-lag;
reference
"RFC 9314: YANG Data Model for Bidirectional
Forwarding Detection.";
}
import ietf-bfd-mpls {
prefix bfd-mpls;
reference
"RFC 9314: YANG Data Model for Bidirectional
Forwarding Detection.";
}
import ietf-key-chain {
prefix key-chain;
reference
"RFC 8177: YANG Key Chain.";
}
organization
"IETF BFD Working Group";
contact
"WG Web:
WG List:
Authors: Mahesh Jethanandani (mjethanandani@gmail.com)
Ashesh Mishra (mishra.ashesh@gmail.com)
Ankur Saxena (ankurpsaxena@gmail.com)
Santosh Pallagatti (santosh.pallagati@gmail.com)
Mach Chen (mach.chen@huawei.com).";
description
"This YANG module augments the base BFD YANG model to add
experimental attributes related to BFD Stability.
In particular, it adds a per-session count for BFD packets
that are lost.
Copyright (c) 2025 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in the Revised BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here.";
revision "2025-10-30" {
description
"Initial Version.";
reference
"RFC XXXX: BFD Stability.";
}
feature stability {
description
"This feature enables BFD sessions to be monitored for lost
packets.";
}
identity null-auth {
base key-chain:crypto-algorithm;
description
"BFD Null Auth type defined in this draft.";
reference
"RFC XXXX: BFD Stability.";
}
grouping lost-packet-count {
leaf lost-packet-count {
if-feature "stability";
type yang:counter64;
description
"Number of BFD packets that were lost, where loss is
determined by the fact that the sequence number is
not consecutive. This counter should be present only if
stability is configured.";
}
description
"Grouping of statistics related to BFD stability.";
}
augment "/rt:routing/rt:control-plane-protocols/" +
"rt:control-plane-protocol/bfd:bfd/bfd-ip-sh:ip-sh/" +
"bfd-ip-sh:sessions/bfd-ip-sh:session" {
leaf stability {
if-feature "stability";
type boolean;
must "../bfd-ip-sh:authentication/bfd-ip-sh:meticulous = " +
"'true'";
default false;
description
"If set to true, this enables the BFD session to monitor
for stability, i.e., to watch how many packets are getting
dropped.";
}
description
"Augment the 'bfd' container to add attributes related to BFD
stability for IP Single Hop Sessions.";
}
augment "/rt:routing/rt:control-plane-protocols/" +
"rt:control-plane-protocol/bfd:bfd/bfd-ip-mh:ip-mh/" +
"bfd-ip-mh:session-groups/bfd-ip-mh:session-group" {
leaf stability {
if-feature "stability";
type boolean;
must "../bfd-ip-mh:authentication/bfd-ip-mh:meticulous = " +
"'true'";
default false;
description
"If set to true, this enables the BFD session to monitor
for stability, i.e., to watch how many packets are getting
dropped.";
}
description
"Augment the 'bfd' container to add attributes related to BFD
stability for Multi Hop Sessions.";
}
augment "/rt:routing/rt:control-plane-protocols/" +
"rt:control-plane-protocol/bfd:bfd/bfd-lag:lag/" +
"bfd-lag:sessions/bfd-lag:session" {
leaf stability {
if-feature "stability";
type boolean;
must "../bfd-lag:authentication/bfd-lag:meticulous = " +
"'true'";
default false;
description
"If set to true, this enables the BFD session to monitor
for stability, i.e., to watch how many packets are getting
dropped.";
}
description
"Augment the 'bfd' container to add attributes related to BFD
stability for LAG session.";
}
augment "/rt:routing/rt:control-plane-protocols/" +
"rt:control-plane-protocol/bfd:bfd/bfd-mpls:mpls/" +
"bfd-mpls:session-groups/bfd-mpls:session-group" {
leaf stability {
if-feature "stability";
type boolean;
must "../bfd-mpls:authentication/bfd-mpls:meticulous = " +
"'true'";
default false;
description
"If set to true, this enables the BFD session to monitor
for stability, i.e., to watch how many packets are getting
dropped.";
}
description
"Augment the 'bfd' container to add attributes related to BFD
stability for MPLS.";
}
augment "/rt:routing/rt:control-plane-protocols/" +
"rt:control-plane-protocol/bfd:bfd/bfd-ip-sh:ip-sh/" +
"bfd-ip-sh:sessions/bfd-ip-sh:session/" +
"bfd-ip-sh:session-statistics" {
uses lost-packet-count;
description
"Augment the 'bfd' container to add statistics related to BFD
stability for IP Single Hop Sessions.";
}
augment "/rt:routing/rt:control-plane-protocols/" +
"rt:control-plane-protocol/bfd:bfd/bfd-ip-mh:ip-mh/" +
"bfd-ip-mh:session-groups/bfd-ip-mh:session-group/" +
"bfd-ip-mh:sessions/bfd-ip-mh:session-statistics" {
uses lost-packet-count;
description
"Augment the 'bfd' container to add statistics related to BFD
stability for IP Multi Hop Sessions.";
}
augment "/rt:routing/rt:control-plane-protocols/" +
"rt:control-plane-protocol/bfd:bfd/bfd-lag:lag/" +
"bfd-lag:sessions/bfd-lag:session/bfd-lag:member-links/" +
"bfd-lag:micro-bfd-ipv4/bfd-lag:session-statistics" {
uses lost-packet-count;
description
"Augment the 'bfd' container to add statistics related to BFD
stability for Micro BFD sessions for IPv4.";
}
augment "/rt:routing/rt:control-plane-protocols/" +
"rt:control-plane-protocol/bfd:bfd/bfd-lag:lag/" +
"bfd-lag:sessions/bfd-lag:session/bfd-lag:member-links/" +
"bfd-lag:micro-bfd-ipv6/bfd-lag:session-statistics" {
uses lost-packet-count;
description
"Augment the 'bfd' container to add statistics related to BFD
stability for Micro BFD sessions for IPv6.";
}
augment "/rt:routing/rt:control-plane-protocols/" +
"rt:control-plane-protocol/bfd:bfd/bfd-mpls:mpls/" +
"bfd-mpls:session-groups/bfd-mpls:session-group/" +
"bfd-mpls:sessions/bfd-mpls:session-statistics" {
uses lost-packet-count;
description
"Augment the 'bfd' container to add statistics related to BFD
stability for MPLS sessions.";
}
}
]]>
This document requests one new authentication type and
registers one URIs in the "ns" subregistry of the "IETF XML"
registry .
This document requests an update to the registry titled "BFD
Authentication Types". IANA is requested to assign a new
BFD AuthType:
NULL Auth Type, with a suggested value of 6.
Following the format in , the following
registrations are requested:
This document registers one YANG module in the "YANG Module
Names" registry . Following the
format in , the following
registrations are requested:
The use of a BFD authentication mechanism that protects the
BFD packets is RECOMMENDED.
The Security Considerations of for
unauthenticated BFD all apply to the new NULL authentication
type. The NULL Authentication type, defined in this
document, provides none of the properties desired for
authenticating BFD packets. It is intended to provide BFD
sessions that otherwise would not use authentication, a
sequence number that can be used for purposes of detecting
lost packets.
The lack of a computed AuthKey/Digest over the BFD packet,
but the presence of a Sequence Number makes this
authentication type susceptible to injection attacks. BFD
without authentication is vulnerable to session resets; the
NULL Auth type does not change this.
When the NULL Authentication type is used for BFD Stability
purposes, maliciously injected packets that do not reset the
BFD session can resemble high packet loss. Sessions such as
multi-hop routed paths, tunnels without authentication, or
MPLS LSP, therefore, have security guarantees that are
identical to situations where BFD is run without
authentication.
The YANG module specified in this document defines a schema
for data that is designed to be accessed via network
management protocols such as NETCONF or RESTCONF. These YANG-based
management protocols have to use a secure transport layer
(e.g., SSH, TLS, and QUIC) and have to use mutual
authentication.
The NETCONF Access Control Model
(NACM) provides the means to restrict access for
particular NETCONF or RESTCONF users to a preconfigured
subset of all available NETCONF or RESTCONF protocol
operations and content.
The YANG module does not define any
writeable/creatable/deletable data nodes that can have an
adverse impact on a BFD session.
The only readable data nodes in YANG module may be considered
sensitive or vulnerable in some network environments. It is
thus important to control read access (e.g., via get,
get-config, or notification) to these data nodes.
The model defines a read-only node to indicate the number of
packets that were lost. Access to this information may allow
a malicious user information on which links are experiencing
issues. In addition, and as stated in Out of Order Packets,
on links such as LAG or ECMP, there is a possibility of
packets being delivered out-of-order. A strict comparison of
increasing sequence numbers may result in classifying those
out of order packets as packet loss.
The YANG module does not define any RPC operations.
The authors of this document would like to acknowledge Jeff
Haas as a contributor to this document. His contribution lead
to a significant improvement of the document. In addition,
Manav Bhatia contributed to this document.
Authors would like to thank Nobo Akiya, Dileep Singh, Basil
Saji, Sagar Soni, Albert Fu, Peng Fang, and Mallik Mudigonda
who contributed to this document. Thanks to Christian Huitema
for the SECDIR and Ebben Aries for the YANG Doctors review.
Thanks to Reshad Rehman for being the shepherd of the
document.
OAM Functions and Mechanisms for Ethernet-based Networks
ITU-T
This document describes an experiment that will present a
candidate solution to predict whether a given BFD session will continue to be
stable. The experiment will use the packet lost count and the
'received-packet-count' defined in the YANG Data Model for Bidirectional Forward
Detection (BFD) to determine how stable is the
session. The reason why this document is on an
Experimental track is because there are no known
implementations or proof-of-concept. As a result, the authors
are not clear whether a simple lost count is enough to predict
the stability or there will be a need to have a more granular
count.
This document is classified as Experimental and is not part of
the IETF Standards Track.
This section tries to show some examples in how the model can
be configured for stability.
This example demonstrates how a Single Hop BFD session can
be configured to enable monitoring of a session for
stability.
bfd-stability-config"An example for BFD Stabalized configuration."
552025-01-01T00:00:00Z2025-02-01T00:00:00Z2024-12-31T23:59:55Z2025-02-01T00:00:05Zkc:sha-1eth0if-type:ethernetCsmacdbfd-types:bfdv1name:BFDeth02001:db8:0:113::10110000
10000
truebfd-stability-configtrue
]]>
This example demonstrates how to configure NULL Auth
to enable monitoring of a session for stability.
bfd-stability-config"An example for BFD Stability configuration."
552025-01-01T00:00:00Z2025-02-01T00:00:00Z2024-12-31T23:59:55Z2025-02-01T00:00:05Zstability:null-autheth0if-type:ethernetCsmacdbfd-types:bfdv1name:BFDeth02001:db8:0:113::10110000
10000
truebfd-stability-configtrue
]]>