Internet DRAFT - draft-mrugalski-dhc-dhcpv6-failover-design
draft-mrugalski-dhc-dhcpv6-failover-design
Dynamic Host Configuration (DHC) T. Mrugalski
Internet-Draft ISC
Intended status: Standards Track K. Kinnear
Expires: September 13, 2012 Cisco
March 12, 2012
DHCPv6 Failover Design
draft-mrugalski-dhc-dhcpv6-failover-design-01
Abstract
DHCPv6 defined in [RFC3315] does not offer server redundancy. This
document defines a design for DHCPv6 failover, a mechanism for
running two servers on the same network with capability for either
server to take over clients' leases in case of server failure or
network partition. This is a DHCPv6 Failover design document, it is
not protocol specification document. It is a second document in a
planned series of three documents. DHCPv6 failover requirements are
specified in [requirements]. A protocol specification document is
planned to follow this document.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 13, 2012.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Mrugalski & Kinnear Expires September 13, 2012 [Page 1]
�
Internet-Draft DHCPv6 Failover Design March 2012
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Requirements Language . . . . . . . . . . . . . . . . . . . . 4
2. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Additional Requirements . . . . . . . . . . . . . . . . . 5
3.2. Features out of Scope: Load Balancing . . . . . . . . . . 6
4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 6
4.1. Failover Machine Sate Overview . . . . . . . . . . . . . . 7
5. Connection Management . . . . . . . . . . . . . . . . . . . . 9
5.1. Creating Connections . . . . . . . . . . . . . . . . . . . 9
5.2. Endpoint Identification . . . . . . . . . . . . . . . . . 10
6. Resource Allocation . . . . . . . . . . . . . . . . . . . . . 11
6.1. Proportional Allocation . . . . . . . . . . . . . . . . . 12
6.2. Independent Allocation . . . . . . . . . . . . . . . . . . 13
6.3. Determining Allocation Approach . . . . . . . . . . . . . 13
6.3.1. IPv6 Addresses . . . . . . . . . . . . . . . . . . . . 13
6.3.2. IPv6 Prefixes . . . . . . . . . . . . . . . . . . . . 13
7. Failover Mechanisms . . . . . . . . . . . . . . . . . . . . . 13
7.1. Time Skew . . . . . . . . . . . . . . . . . . . . . . . . 14
7.2. Time expression . . . . . . . . . . . . . . . . . . . . . 14
7.3. Lazy updates . . . . . . . . . . . . . . . . . . . . . . . 14
7.4. MCLT concept . . . . . . . . . . . . . . . . . . . . . . . 15
7.4.1. MCLT example . . . . . . . . . . . . . . . . . . . . . 16
7.5. Unreachability detection . . . . . . . . . . . . . . . . . 17
7.6. Re-allocating Leases . . . . . . . . . . . . . . . . . . . 17
7.7. Sending Data . . . . . . . . . . . . . . . . . . . . . . . 18
7.7.1. Required Data . . . . . . . . . . . . . . . . . . . . 18
7.7.2. Optional Data . . . . . . . . . . . . . . . . . . . . 18
7.8. Receiving Data . . . . . . . . . . . . . . . . . . . . . . 18
7.8.1. Conflict Resolution . . . . . . . . . . . . . . . . . 18
7.8.2. Acknowledging Reception . . . . . . . . . . . . . . . 19
8. Endpoint States . . . . . . . . . . . . . . . . . . . . . . . 19
8.1. State Machine Operation . . . . . . . . . . . . . . . . . 19
8.2. State Machine Initialization . . . . . . . . . . . . . . . 22
8.3. STARTUP State . . . . . . . . . . . . . . . . . . . . . . 22
8.3.1. Operation in STARTUP State . . . . . . . . . . . . . . 22
8.3.2. Transition Out of STARTUP State . . . . . . . . . . . 22
8.4. PARTNER-DOWN State . . . . . . . . . . . . . . . . . . . . 24
8.4.1. Operation in PARTNER-DOWN State . . . . . . . . . . . 24
8.4.2. Transition Out of PARTNER-DOWN State . . . . . . . . . 24
Mrugalski & Kinnear Expires September 13, 2012 [Page 2]
�
Internet-Draft DHCPv6 Failover Design March 2012
8.5. RECOVER State . . . . . . . . . . . . . . . . . . . . . . 25
8.5.1. Operation in RECOVER State . . . . . . . . . . . . . . 25
8.5.2. Transition Out of RECOVER State . . . . . . . . . . . 25
8.6. RECOVER-WAIT State . . . . . . . . . . . . . . . . . . . . 27
8.6.1. Operation in RECOVER-WAIT State . . . . . . . . . . . 28
8.6.2. Transition Out of RECOVER-WAIT State . . . . . . . . . 28
8.7. RECOVER-DONE State . . . . . . . . . . . . . . . . . . . . 28
8.7.1. Operation in RECOVER-DONE State . . . . . . . . . . . 29
8.7.2. Transition Out of RECOVER-DONE State . . . . . . . . . 29
8.8. NORMAL State . . . . . . . . . . . . . . . . . . . . . . . 29
8.8.1. Operation in NORMAL State . . . . . . . . . . . . . . 29
8.8.2. Transition Out of NORMAL State . . . . . . . . . . . . 30
8.9. COMMUNICATIONS-INTERRUPTED State . . . . . . . . . . . . . 31
8.9.1. Operation in COMMUNICATIONS-INTERRUPTED State . . . . 31
8.9.2. Transition Out of COMMUNICATIONS-INTERRUPTED State . . 32
8.10. POTENTIAL-CONFLICT State . . . . . . . . . . . . . . . . . 33
8.10.1. Operation in POTENTIAL-CONFLICT State . . . . . . . . 34
8.10.2. Transition Out of POTENTIAL-CONFLICT State . . . . . . 34
8.11. RESOLUTION-INTERRUPTED State . . . . . . . . . . . . . . . 35
8.11.1. Operation in RESOLUTION-INTERRUPTED State . . . . . . 36
8.11.2. Transition Out of RESOLUTION-INTERRUPTED State . . . . 36
8.12. CONFLICT-DONE State . . . . . . . . . . . . . . . . . . . 36
8.12.1. Operation in CONFLICT-DONE State . . . . . . . . . . . 37
8.12.2. Transition Out of CONFLICT-DONE State . . . . . . . . 37
8.13. PAUSED State . . . . . . . . . . . . . . . . . . . . . . . 37
8.13.1. Operation in PAUSED State . . . . . . . . . . . . . . 37
8.13.2. Transition Out of PAUSED State . . . . . . . . . . . . 38
8.14. SHUTDOWN State . . . . . . . . . . . . . . . . . . . . . . 38
8.14.1. Operation in SHUTDOWN State . . . . . . . . . . . . . 38
8.14.2. Transition Out of SHUTDOWN State . . . . . . . . . . . 38
9. Proposed extensions . . . . . . . . . . . . . . . . . . . . . 38
9.1. Active-active mode . . . . . . . . . . . . . . . . . . . . 39
10. Dynamic DNS Considerations . . . . . . . . . . . . . . . . . . 39
11. Reservations and failover . . . . . . . . . . . . . . . . . . 39
12. Protocol entities . . . . . . . . . . . . . . . . . . . . . . 39
12.1. Failover Protocol . . . . . . . . . . . . . . . . . . . . 40
12.2. Protocol constants . . . . . . . . . . . . . . . . . . . . 40
13. Open questions . . . . . . . . . . . . . . . . . . . . . . . . 40
14. Security Considerations . . . . . . . . . . . . . . . . . . . 40
15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40
16. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 41
17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 41
17.1. Normative References . . . . . . . . . . . . . . . . . . . 41
17.2. Informative References . . . . . . . . . . . . . . . . . . 41
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 42
Mrugalski & Kinnear Expires September 13, 2012 [Page 3]
�
Internet-Draft DHCPv6 Failover Design March 2012
1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Glossary
This is a supplemental glossary that should be combined with
definitions in Section 3 of [requirements].
o Failover endpoint - The failover protocol allows for there to be a
unique failover 'endpoint' per partner per role per relationship
(where role is primary or secondary and the relationship is
defined by the relationship-name). This failover endpoint can
take actions and hold unique states. Typically, there is a one
failover endpoint per partner (server), although there may be
more. 'Server' and 'failover endpoint' are synonymous only if the
server participates in only one failover relationship. However,
for the sake of simplicity 'Server' is used throughout the
document to refer to a failover endpoint unless to do so would be
confusing.
o Failover transmission - all messages exchanged between partners.
o Independent Allocation - a prefix allocation algorithm to split
the available pool of resources between the primary and secondary
servers that is particularly well suited for vast pools (i.e. when
available resources are not expected to deplete). See Section 6.2
for details.
o Primary Server
o Proportional Allocation - a prefix allocation algorithm to split
the available free leases between the primary and secondary
servers that is particularly well suited for more limited
resources. See Section 6.1 for details.
o Resource - an IPv6 address or a IPv6 prefix.
o Responsive - A server that is responsive, will respond to DHCPv6
client requests.
o Secondary Server
o Server - A DHCPv6 server that implements DHCPv6 failover.
'Server' and 'failover endpoint' as synonymous only if server
Mrugalski & Kinnear Expires September 13, 2012 [Page 4]
�
Internet-Draft DHCPv6 Failover Design March 2012
participates in only one failover relationship.
o Unresponsive - A server that is unresponsive will not respond to
DHCPv6 client requests.
3. Introduction
The failover protocol design provides a means for cooperating DHCPv6
servers to work together to provide a DHCPv6 service with
availability that is increased beyond that which could be provided by
a single DHCPv6 server operating alone. It is designed to protect
DHCPv6 clients against server unreachability, including server
failure and network partition. It is possible to deploy exactly two
servers that are able to continue providing a lease on an IPv6
address or on an IPv6 prefix without the DHCPv6 client experiencing
lease expiration or a reassignment of a lease to a different IPv6
address in the event of failure by one or the other of the two
servers.
This protocol defines active-passive mode, sometimes also called hot
standby model. This means that during normal operation one server is
active (i.e. actively responds to clients' requests) while the second
is passive (i.e. it does receive clients' requests, but does not
respond to them and only maintains a copy of lease database and is
ready to take over incoming queries in case of primary server
failure). Active-active mode (i.e. both servers actively handling
clients' requests) is currently not supported for the sake of
simplicity. Such mode may be defined as an exension at a later time.
The failover protocol is designed to provide lease stability for
leases with lease times beyond a short period. Due to the additional
overhead required, failover is not suitable for leases shorter than
30 seconds. The DHCPv6 Failover protocol MUST NOT be used for leases
shorter than 30 seconds.
This design attempts to fulfill all DHCPv6 failover requirements
defined in [requirements].
3.1. Additional Requirements
The following requirements are not related to failover mechanism in
general, but rather to this particular design.
1. Minimize Asymmetry - while there are two distinct roles in
failover (primary and secondary server), the differences between
those two roles should be as small as possible. This will yield
a simpler design as well as a simpler implementation of that
Mrugalski & Kinnear Expires September 13, 2012 [Page 5]
�
Internet-Draft DHCPv6 Failover Design March 2012
design.
3.2. Features out of Scope: Load Balancing
It may be tempting to extend DHCPv6 failover mechanism to also offer
load balancing, as DHCPv4 failover did. Here is the reasoning for
this decision. In general case (not related to failover) load
balancing solutions are used when each server is not able to handle
total incoming traffic. However, by the very definition, DHCPv6
failover is supposed to assume service availability despite failure
of one server. That leads to conclusion that each server must be
able to handle whole traffic. Therefore in properly provisioned
setup, load balancing is not needed.
4. Protocol Overview
The DHCPv6 Failover Protocol is defined as a communication between
failover partners with all associated algorithms and mechanisms.
Failover communication is conducted over a TCP connection established
between the partners. The protocol reuses the framing format
specified in Section 5.1 of DHCPv6 Bulk Leasequery [RFC5460], but
uses different message types. Additional failover-specific message
types will be defined. All information is sent over the connection
as typical DHCPv6 Options, following format defined in Section 22.1
of [RFC3315].
After initialization, the primary server establishes a TCP connection
with its partner. The primary server sends a CONNECT message with
initial parameters. Secondary server responds with CONNECTACK.
Depending on the failover state of each partner, they MUST initiate
one of the binding update procedures. Each server MAY send an UPDREQ
message to request its partner to send all updates that have not been
sent yet (this case applies when partner has an existing database and
wants to update it). Alternatively, a server MAY choose to send an
UPDREQALL message to request a full lease database transmission
including all leases (this case applies in case of booting up new
server after installation, corruption or complete loss of database,
or other catastrophic failure).
Servers exchange lease information by using BNDUPD messages.
Depending on local and remote state of a lease, a server may either
accept or reject the update. Reception of lease update information
is confirmed by responding with BNDACK message with appropriate
status. The majority of the messages sent over a failover TCP
connection consists of BNDUPD and BNDACK messages.
Mrugalski & Kinnear Expires September 13, 2012 [Page 6]
�
Internet-Draft DHCPv6 Failover Design March 2012
A subset of available resources (addresses or prefixes) is reserved
for secondary server use. This is required for handling a case where
both servers are able to communicate with clients, but unable to
communicate with each other. After initial connection is
established, the secondary server requests a pool of available
addresses by sending a POOLREQ message. The primary server assigns a
pool to the secondary by transmitting a POOLRESP message and then
sending a series of BNDUPD messages. The secondary server may
initiate such pool request at any time when maintaining communication
with primary server.
Failover servers use a lazy update mechanism to update their failover
partner about changes to their lease state database. After a server
performs any modifications to its lease state database (assign a new
lease, extend an existing one, release or expire a lease), it sends
its response to the client's request first (performing the "regular"
DHCPv6 operation) and then informs its failover partner using a
BNDUPD message. This BNDUPD message SHOULD be sent soon after the
response is sent to the DHCPv6 client, but there is no specific
requirement of a minimum time in which to do so.
The major problem with lazy update mechanism is the case when the
server crashes after sending response to client, but before sending
the lazy update to its partner (or when communication between
partners is interrupted). To solve this problem, concept known as
the Maximum Client Lead Time (MCLT) (initially designed for DHCPv4
failover) is used. The MCLT is the maximum amount of time that one
server can extend a lease for a client's binding beyond the time
known by its failover partner. See Section 7.4 for detailed
desciption how MCLT affects assigned lease times.
Servers verify each others availability by periodically exchanging
CONTACT messages. See Section 7.5 for discussion about detecting
partner's unreachability.
A server that is being shut down transmits a DISCONNECT message,
closes the connection with its failover partner and stops operation.
A Server SHOULD transmit any pending lease updates before
transmitting DISCONNECT message.
4.1. Failover Machine Sate Overview
The following section provides simplified description of all states.
For the sake of clarity and simplicity, it omits important details.
For complete description, see Section 8. In case of a disagreement
between simplified and complete description, please follow Section 8.
Each server may be in one of the well defines states. In each state
Mrugalski & Kinnear Expires September 13, 2012 [Page 7]
�
Internet-Draft DHCPv6 Failover Design March 2012
a server may be either responsive (responds to clients' queries) or
unresponsive (clients' queries are ignored).
A server starts its operation in short-lived STARTUP state. A server
determines its partner reachibility and state and usually returns
back to the state it was in before shutdown.
During typical operation when servers maintain communication, both
are in NORMAL state. In that state only primary responds to clients'
requests. A secondary server in unresponsive.
If a server discovers that its partner is no longer reachable, it
goes to COMMUNICATIONS-INTERRUPTED state. Server must be extra
cautious as it can't distingush if its partner is down or just
communication between servers is interrupted. Since communication
between partners is not possible, a server must act on the assumtion
that if its partner is up, it follows defined procedure. In
particular, not extend any lease beyond its partner knowledge by at
most MCLT. That imposes additional burden on the server. Therefore
it is not recommended to operate for prolonged periods in this state.
Once communication is reestablished, server may go into NORMAL,
POTENTIAL-CONFLICT or PARTNER-DOWN state. It may also stay in
COMMUNICATIONS-INTERRUPTED if certain conditions are met.
Once a server is switched into PARTNER-DOWN (when auto-partner-down
is used or as a result of administrative action), it can extend
leases, regardless of the original server that initially granted the
lease. In that state server handles leases from its own pool, but is
albo able to serve pool from its downed partner. MCLT restrictions
no longer apply. Operation in this mode is less demanding for the
server that remains operational, than in COMMUNICATIONS-INTERRUPTED
state, but PARTNER-DOWN does not offer any kind of redundancy.
When server loses its database (e.g. due to first time run or
catastrophic failure) or detects that is partner is in PARTNER-DOWN
state and additional conditions are met, it switches to RECOVER
state. In that state server acknowledges that content of its
database is doubtful and needs to refresh its database from its
partner. Once this operation is done, it switches to RECOVER-WAIT
and later to RECOVER-DONE.
Once servers reestablish connection, they discover each others'
state. Depending on the conditions, they may return to NORMAL or
move to POTENTINAL-CONFLICT in case of unexpected partner's state.
It is a goal of this protocol to minimize the possibility that
POTENTIAL-CONFLICT state is ever entered. Servers running in
POTENTIAL-CONFLICT do not respond to clients' requests and work on
resolving potential conflicts. Once outstanding lease updates are
Mrugalski & Kinnear Expires September 13, 2012 [Page 8]
�
Internet-Draft DHCPv6 Failover Design March 2012
exchanged, servers move to CONFLICT-DONE or NORMAL states.
Servers that are recovering from potential conflict and loose
communication, switch to RESOLUTION-INTERRUPTED.
Server that is being shut down, switches briefly to SHUTDOWN state
and communicates its state to its partner before actual termination.
5. Connection Management
5.1. Creating Connections
Every server implementing the failover protocol SHOULD attempt to
connect to all of its partners periodically, where the period is
implementation dependent and SHOULD be configurable. In the event
that a connection has been rejected by a CONNECTACK message with a
reject-reason option contained in it or a DISCONNECT message, a
server SHOULD reduce the frequency with which it attempts to connect
to that server but it SHOULD continue to attempt to connect
periodically.
When a connection attempt succeeds, if the server generating the
connection attempt is a primary server for that relationship, then it
MUST send a CONNECT message down the connection. If it is not a
primary server for the relationship, then it MUST just drop the
connection and wait for the primary server to connect to it.
When a connection attempt is received, the only information that the
receiving server has is the IP address of the partner initiating a
connection. It also knows whether it has the primary role for any
failover relationships with the connecting server. If it has any
relationships for which it is a primary server, it should initiate a
connection of its own to the partner server, one for each primary
relationship it has with that server.
If it has any relationships with the connecting server for which it
is a seconary server, it should just await the CONNECT message to
determine which relationship this connection is to serve.
If it has no secondary relationships with the connecting server, it
SHOULD drop the connection.
To summarize -- a primary server MUST use a connection that it has
initiated in order to send a CONNECT message. Every server that is a
secondary server in a relationship attempts to create a connection to
the server which is primary in the relationship, but that connection
is only used to stimulate the primary server into recognizing that
Mrugalski & Kinnear Expires September 13, 2012 [Page 9]
�
Internet-Draft DHCPv6 Failover Design March 2012
the secondary server is ready for operation. The reason behind this
is that the secondary server has no way to communicate to the primary
server which relationship a connection is designed to serve.
A server which has multiple secondary relationships with a primary
server SHOULD only send one stimulus connection attempt to the
primary server.
Once a connection is established, the primary server MUST send a
CONNECT message across the connection. A secondary server MUST wait
for the CONNECT message from a primary server. If the secondary
server doesn't receive a CONNECT message from the primary server in
an installation dependent amount of time, it MAY drop the connection
and send another stimulus connection attempt to the primary server.
Every CONNECT message includes a TLS-request option, and if the
CONNECTACK message does not reject the CONNECT message and the TLS-
reply option says TLS MUST be used, then the servers will immediately
enter into TLS negotiation.
Once TLS negotiation is complete, the primary server MUST resend the
CONNECT message on the newly secured TLS connection and then wait for
the CONNECTACK message in response. The TLS-request and TLS-reply
options MUST NOT appear in either this second CONNECT or its
associated CONNECTACK message as they had in the first messages.
The second message sent over a new connection (either a bare TCP
connection or a connection utilizing TLS) is a STATE message. Upon
the receipt of this message, the receiver can consider communications
up.
A secondary server MUST NOT respond to the closing of a TCP
connection with a blind attempt to reconnect -- there may be another
TCP connection to the same failover partner already in use.
5.2. Endpoint Identification
The proper operation of the failover protocol requires more than the
transmission of messages between one server and the other. Each
endpoint might seem to be a single DHCPv6 server, but in fact there
are situations where additional flexibility in configuration is
useful. A failover endpoint is always associated with a set of
DHCPv6 prefixes that are configured on the DHCPv6 server where the
endpoint appears. A DHCPv6 prefix MUST NOT be associated with more
than one failover endpoint.
The failover protocol SHOULD be configured with one failover
relationship between each pair of failover servers. In this case
Mrugalski & Kinnear Expires September 13, 2012 [Page 10]
�
Internet-Draft DHCPv6 Failover Design March 2012
there is one failover endpoint for that relationship on each failover
partner. This failover relationship MUST have a unique name.
There is typically little need for addtional relationships between
any two servers but there MAY be more than one failover relationship
between two servers -- however each MUST have a unique relationship
name.
Any failover endpoint can take actions and hold unique states.
This document frequently describes the behavior of the protocol in
terms of primary and secondary servers, not primary and secondary
failover endpoints. However, it is important to remember that every
'server' described in this document is in reality a failover endpoint
that resides in a particular process, and that several failover end-
points may reside in the same server process.
It is not the case that there is a unique failover endpoint for each
prefix that participates in a failover relationship. On one server,
there is (typically) one failover endpoint per partner, regardless of
how many prefixes are managed by that combination of partner and
role. Conversely, on a particular server, any given prefix will be
associated with exactly one failover endpoint.
When a connection is received from the partner, the unique failover
endpoint to which the message is directed is determined solely by the
IP address of the partner, the relationship-name, and the role of the
receiving server.
6. Resource Allocation
Currently there are two allocation algorithms defined for resources
(addresses or prefixes). Additional allocation schemes may be
defined as future extensions.
1. Proportional Allocation - This allocation algorithm is a direct
application of algorithm defined in [dhcpv4-failover] to DHCPv6.
Available resources are split between primary and secondary
server. Released resources are always returned to primary
server. Primary and secondary servers may initiate a rebalancing
procedure, when disparity between resources available to each
server reaches a preconfigured threshold. Only resources that
are not leased to any clients are "owned" by one of the servers.
This algorithm is particularly well suited for scenarios where
amount of available resources is limited, as may be the case for
prefix delegation. See Section 6.1 for details.
Mrugalski & Kinnear Expires September 13, 2012 [Page 11]
�
Internet-Draft DHCPv6 Failover Design March 2012
2. Independent Allocation - This allocation algorithm assumes that
available resources are split between primary and secondary
servers as well. In this case, however, resources are assigned
to a specific server for all time, regardless if they are
available or currently used. This algorithm is much simpler than
proportional allocation, because resource imbalance doesn't have
to be checked and there is no rebalancing for independent
allocation. This algorithm is particularly well suited for
scenarios where the there is an abundance of available resources
which is typically the case for DHCPv6 address allocation. See
Section 6.2 for details.
6.1. Proportional Allocation
In this allocation scheme, each server has its own pool of available
resources. Note that a resource is not "owned" by a particular
server throughout its entire lifetime. Only a resource which is
available is "owned" by a particular server -- once it has been
leased to a client, it is not owned by either failover partner. When
it finally becomes available again, it will be owned initially by the
primary server, and it may or may not be allocated to the secondary
server by the primary server.
So, the flow of a resource is as follows: initially a resource is
owned by the primary server. It may be allocated to the secondary
server if it is available, and then it is owned by the secondary
server. Either server can allocate available resources which they
own to clients, in which case they cease to own them. When the
client releases the resource or the lease on it expires, it will
again become available and will be owned by the primary.
A resource will not become owned by the server which allocated it
initially when it is released or the lease expires because, in
general, that server will have had to replenish its pool of available
resources well in advance of any likely lease expirations. Thus,
having a particular resource cycle back to the secondary might well
put the secondary more out of balance with respect to the primary
instead of enhancing the balance of available addresses or prefixes
between them.
TODO: Need to rework this v4-specific vocabulary to v6, once we
decide how things will look like in v6.
When they are used, these proportional pools are used for allocation
when in every state but PARTNER-DOWN state. In PARTNER-DOWN state a
failover server can allocate from either pool. This allocation and
maintenance of these address pools is an area of some sensitivity,
since the goal is to maintain a more or less constant ratio of
Mrugalski & Kinnear Expires September 13, 2012 [Page 12]
�
Internet-Draft DHCPv6 Failover Design March 2012
available addresses between the two servers.
TODO: Reuse rest of the description from section 5.4 from
[dhcpv4-failover] here.
6.2. Independent Allocation
In this allocation scheme, available resources are split between
servers. Available resources are split between the primary and
secondary servers as part of initial connection establishment. Once
resources are allocated to each server, there is no need to reassign
them. This algorithm is simpler than proportional allocation since
it requires no less initial communicagtion and does not require a
rebalancing mechanism, but it assumes that the pool assigned to each
server will never deplete. That is often a reasonable assumption for
IPv6 addresses (e.g. servers are often assigned a /64 pool that
contains many more addresses than existing electronic devices on
Earth). This allocation mechanism SHOULD be used for IPv6 addresses,
unless configured address pool is small or is otherwise
administratively limited.
Once each server is assigned a resource pool during initial
connection establishment, it may allocate assigned resources to
clients. Once a client release a resource or its lease is expired,
the returned resource returns to pool for the same server. Resources
never changes servers.
During COMMUNICATION-INTERRUPTED events, a partner MAY continue
extending existing leases when requested by clients. A healthy
partner MUST NOT lease resources that were assigned to its downed
partner and later released by a client unless it is in PARTNER-DOWN
state.
6.3. Determining Allocation Approach
6.3.1. IPv6 Addresses
6.3.2. IPv6 Prefixes
7. Failover Mechanisms
This section lays out an overview of the communication between
partners and other mechanisms required for failover operation. As
this is a design document, not a protocol specification, high level
ideas are presented without implementation specific details (e.g.
lack of on-wire formats). Implementation details will be specified
in a separate draft.
Mrugalski & Kinnear Expires September 13, 2012 [Page 13]
�
Internet-Draft DHCPv6 Failover Design March 2012
7.1. Time Skew
Partners exchange information about known lease states. To reliably
compare a known lease state with an update received from a partner,
servers must be able to reliably compare the times stored in the
known lease state with the times received in the update. Although a
simple approach would be to require both partners to use synchronized
time, e.g. by using NTP, such a service may become unavailable in
some scenarios that failover expects to cover, e.g. network
partition. Therefore a mechanism to measure and track relative time
differences between servers is necessary. To do so, each message
MUST contain FO_TIMESTAMP option that contains the timestamp of the
transmission in the time context of the transmitter. The
transmitting server MUST set this as close to the actual transmission
as possible. The receiving partner MUST store its own timestamp of
reception event as close to the actual reception as possible. The
received timestamp information is then compared with local timestamp.
To account for packet delay variation (jitter), the measured
difference is not used directly, but rather the moving average of
last TIME_SKEW_PKTS_AVG packets time difference is calculated. This
averaged value is referred to as the time skew. Note that the time
skew algorithm allows cooperation between clients with completely
desynchronized clocks as well as those whose desynchronization itself
is not constant.
7.2. Time expression
Timestamps are expressed as number of seconds since midnight (UTC),
January 1, 2000, modulo 2^32. Note: that is the same approach as
used in creation of DUID-LLT (see Section 9.2 of [RFC3315]).
Time differences are expressed in seconds and are signed.
7.3. Lazy updates
Lazy update refers to the requirement placed on a server implementing
a failover protocol to update its failover partner whenever the
binding database changes. A failover protocol which didn't support
lazy update would require the failover partner update to complete
before a DHCPv6 server could respond to a DHCPv6 client request. The
lazy update mechanism allows a server to allocate a new or extend an
existing lease and then update its failover partner as time permits.
Although the lazy update mechanism does not introduce additional
delays in server response times, it introduces other difficulties.
The key problem with lazy update is that when a server fails after
updating a client with a particular lease time and before updating
Mrugalski & Kinnear Expires September 13, 2012 [Page 14]
�
Internet-Draft DHCPv6 Failover Design March 2012
its partner, the partner will believe that a lease has expired even
though the client still retains a valid lease on that address or
prefix.
7.4. MCLT concept
In order to handle problem introduced by lazy updates (see
Section 7.3), a period of time known as the "Maximum Client Lead
Time" (MCLT) is defined and must be known to both the primary and
secondary servers. Proper use of this time interval places an upper
bound on the difference allowed between the lease time provided to a
DHCPv6 client by a server and the lease time known by that server's
failover partner.
The MCLT is typically much less than the lease time that a server has
been configured to offer a client, and so some strategy must exist to
allow a server to offer the configured lease time to a client.
During a lazy update the updating server typically updates its
partner with a potential expiration time which is longer than the
lease time previously given to the client and which is longer than
the lease time that the server has been configured to give a client.
This allows that server to give a longer lease time to the client the
next time the client renews its lease, since the time that it will
give to the client will not exceed the MCLT beyond the potential
expiration time acknowledged by its partner.
The fundamental relationship on which much of The correctness of this
protocol depends is that the lease expiration time known to a DHCPv6
client MUST NOT under any circumstances be more than the maximum
client lead time (MCLT) greater than the potential expiration time
known to a server's partner.
The remainder of this section makes the above fundamental
relationship more explicit.
This protocol requires a DHCPv6 server to deal with several different
lease intervals and places specific restrictions on their
relationships. The purpose of these restrictions is to allow the
other server in the pair to be able to make certain assumptions in
the absence of an ability to communicate between servers.
The different times are:
desired valid lifetime:
The desired valid lifetime is the lease interval that a DHCPv6
server would like to give to a DHCPv6 client in the absence of any
restrictions imposed by the failover protocol. Its determination
is outside of the scope of this protocol. Typically this is the
Mrugalski & Kinnear Expires September 13, 2012 [Page 15]
�
Internet-Draft DHCPv6 Failover Design March 2012
result of external configuration of a DHCPv6 server.
actual valid lifetime:
The actual valid lifetime is the lease interval that a DHCPv6
server gives out to a DHCPv6 client. It may be shorter than the
desired valid lifetime (as explained below).
potential valid lifetime:
The potential valid lifetime is the potential lease expiration
interval the local server tells to its partner in a BNDUPD
message.
acknowledged potential valid lifetime:
The acknowledged potential valid lifetime is the potential lease
interval the partner server has most recently acknowledged in a
BNDACK message.
7.4.1. MCLT example
The following example demonstrates the MCLT concept in practice. The
values used are arbitrarily chosen are and not a recommendation for
actual values. The MCLT in this case is 1 hour. The desired valid
lifetime is 3 days, and its renewal time is half the valid lifetime.
When a server makes an offer for a new lease on an IP address to a
DHCPv6 client, it determines the desired valid lifetime (in this
case, 3 days). It then examines the acknowledged potential valid
lifetime (which in this case is zero) and determines the remainder of
the time left to run, which is also zero. To this it adds the MCLT.
Since the actual valid lifetime cannot be allowed to exceed the
remainder of the current acknowledged potential valid lifetime plus
the MCLT, the offer made to the client is for the remainder of the
current acknowledged potential valid lifetime (i.e., zero) plus the
MCLT. Thus, the actual valid lifetime is 1 hour.
Once the server has sent the REPLY to the DHCPv6 client, it will
update its failover partner with the lease information. However, the
desired potential valid lifetime will be composed of one half of the
current actual valid lifetime added to the desired valid lifetime.
Thus, the failover partner is updated with a BNDUPD with a potential
valid lifetime of 3 days + 1/2 hour.
When the primary server receives a BNDACK to its update of the
secondary server's (partner's) potential valid lifetime, it records
that as the acknowledged potential valid lifetime. A server MUST NOT
send a BNDACK in response to a BNDUPD message until it is sure that
the information in the BNDUPD message has been updated in its lease
database. Thus, the primary server in this case can be sure that the
Mrugalski & Kinnear Expires September 13, 2012 [Page 16]
�
Internet-Draft DHCPv6 Failover Design March 2012
secondary server has recorded the potential lease interval in its
stable storage when the primary server receives a BNDACK message from
the secondary server.
When the DHCPv6 client attempts to renew at T1 (approximately one
half an hour from the start of the lease), the primary server again
determines the desired valid lifetime, which is still 3 days. It
then compares this with the remaining acknowledged potential valid
lifetime (3 days + 1/2 hour) and adjusts for the time passed since
the secondary was last updated (1/2 hour). Thus the time remaining
of the acknowledged potential valid interval is 3 days. Adding the
MCLT to this yields 3 days plus 1 hour, which is more than the
desired valid lifetime of 3 days. So the client is renewed for the
desired valid lifetime -- 3 days.
When the primary DHCPv6 server updates the secondary DHCPv6 server
after the DHCPv6 client's renewal REPLY is complete, it will
calculate the desired potential valid lifetime as the T1 fraction of
the actual client valid lifetime (1/2 of 3 days this time = 1.5
days). To this it will add the desired client valid lifetime of 3
days, yielding a total desired potential valid lifetime of 4.5 days.
In this way, the primary attempts to have the secondary always "lead"
the client in its understanding of the client's valid lifetime so as
to be able to always offer the client the desired client valid
lifetime.
Once the initial actual client valid lifetime of the MCLT is past,
the protocol operates effectively like the DHCPv6 protocol does today
in its behavior concerning valid lifetimes. However, the guarantee
that the actual client valid lifetime will never exceed the remaining
acknowledged partner server potential valid lifetime by more than the
MCLT allows full recovery from a variety of failures.
7.5. Unreachability detection
Each partner maintains an FO_SEND timer for each partner connection.
The FO_SEND timer is reset every time any message is transmitted. If
the timer reaches the FO_SEND_MAX value, a CONTACT message is
transmitted and timer is reset. The CONTACT message may be
transmitted at any time.
Discussion: Perhaps it would be more reasonable to use echo-reply
approach, rather than periodic transmissions?
7.6. Re-allocating Leases
TODO: Describe controlled re-allocation of released/expired leases to
different clients.
Mrugalski & Kinnear Expires September 13, 2012 [Page 17]
�
Internet-Draft DHCPv6 Failover Design March 2012
7.7. Sending Data
Each server updates its failover partner about recent changes in
lease states. Each update must include following information:
1. resource type - non-temporary address or a prefix
2. resource information - actual address or prefix
3. valid life time requested by client
4. IAID - Identity Association used by client, while obtaining this
lease. (Note1: one client may use many IAID simulatenously.
Note2: IAID for IA, TA and PD are orthogonal number spaces.)
5. valid life time sent to client
6. potential valid life time
7. preferred life time sent to client
8. CLTT - Client Last Transaction Time, a timestamp of the last
received transmission from a client
9. assigned FQDN names, if any (optional)
Discussion: Do we need T1 as well? Something like next expected
client transmission?
Q: Maybe we could reuse IA_NA and IA_PD options here? Yes.
Q: Do we care about preferred lifetime? (presumably no). Certainly
not what was requested by the client.
Q: Do we care about IAID? (presumably yes) Yes.
7.7.1. Required Data
7.7.2. Optional Data
7.8. Receiving Data
7.8.1. Conflict Resolution
TODO: This is just a loose collection of notes. This section will
probably need to be rewritten as a a flowchart of some kind.
The server receiving a lease update from its partner must evaluate
Mrugalski & Kinnear Expires September 13, 2012 [Page 18]
�
Internet-Draft DHCPv6 Failover Design March 2012
the received lease information to see if it is consistent with
already known state and decide which information - previously known
or just received - is "better". The server should take into
consideration the following aspects: if the lease is already assigned
to specific client, who had contact with client recently, start time
of the lease, etc.
The lease update may be accepted or rejected. Rejection SHOULD NOT
change the flag in a lease that says that it should be transmitted to
the failover partner. If this flag is set, then it should be
transmitted, but if it is not already set, the rejection of a lease
state update SHOULD NOT trigger an automatic update of the failover
partner sending the rejected update. The potential for update storms
is too great, and in the unusual case where the servers simply can't
agree, that disagreement is better than an update storm.
Discussion: There will definitely be different types of update
rejections. For example, this will allow a server to treat
differently a case when receiving a new lease that it previously
haven't seen than a case when partner sents old version of a lease
for which a newer state is known.
7.8.2. Acknowledging Reception
8. Endpoint States
8.1. State Machine Operation
Each server (or, more accurately, failover endpoint) can take on a
variety of failover states. These states play a crucial role in
determining the actions that a server will perform when processing a
request from a DHCPv6 client as well as dealing with changing
external conditions (e.g., loss of connection to a failover partner).
The failover state in which a server is running controls the
following behaviors:
o Responsiveness -- the server is either responsive to DHCPv6 client
requests or it is not.
o Allocation Pool -- which pool of addresses (or prefixes) can be
used for allocation on receipt of a SOLICIT message.
o MCLT -- ensure that valid lifetimes are not beyond what the
partner has acked plus the MCLT (or not).
A server will transition from one failover state to another based on
Mrugalski & Kinnear Expires September 13, 2012 [Page 19]
�
Internet-Draft DHCPv6 Failover Design March 2012
the specific values held by the following state variables:
o Current failover state.
o Communications status (OK or not OK).
o Partner's failover state (if known).
Whenever the either of the last two of the above state variables
changes state, the state machine is invoked, which may then trigger a
change in the current failove state. Thus, whenever the
communications status changes, the state machine is processing is
invoked. This may or may not result in a change in the current
failover state.
Whenever a server transitions to a new failover state, the new state
MUST be communicated to its failover partner in a STATE message if
the communications status is OK. In addition, whenever a server
makes a transition into a new state, it MUST record the new state,
its current understanding of its partner's state, and the time at
which it entered the new state in stable storage.
The following state transition diagram gives a condensed view of the
state machine. If there is a difference between the words describing
a particular state and the diagram below, the words should be
considered authoritative.
A transition into SHUTDOWN or PAUSED state is not represented in the
following figure, since other than sending that state to its partner,
the remaining actions involved look just like the server halting in
its otherwise current state, which then becomes the previous state
upon server restart.
Mrugalski & Kinnear Expires September 13, 2012 [Page 20]
�
Internet-Draft DHCPv6 Failover Design March 2012
+---------------+ V +--------------+
| RECOVER -|+| | | STARTUP - |
|(unresponsive) | +->+(unresponsive)|
+------+--------+ +--------------+
+-Comm. OK +-----------------+
| Other State: | PARTNER DOWN - +<----------------------+
| RESOLUTION-INTER. | (responsive) | ^
All POTENTIAL- +----+------------+ |
Others CONFLICT------------ | --------+ |
| CONFLICT-DONE Comm. OK | +--------------+ |
UPDREQ or Other State: | +--+ RESOLUTION - | |
UPDREQALL | | | | | INTERRUPTED | |
Rcv UPDDONE RECOVER All | | | (responsive) | |
| +---------------+ | Others | | +------------+-+ |
+->+RECOVER-WAIT +-| RECOVER | | | ^ | |
|(unresponsive) | WAIT or | | Comm. | Ext. |
+-----------+---+ DONE | | OK Comm. Cmd----->+
Comm.---+ Wait MCLT | V V V Failed |
Changed | V +---+ +---+-----+--+-+ | |
| +---+----------++ | | POTENTIAL + +-------+ |
| |RECOVER-DONE +-| Wait | CONFLICT +------+ |
+->+(unresponsive) | for |(unresponsive)| Primary |
+------+--------+ Other +>+----+--------++ resolve Comm. |
Comm. OK State: | | ^ conflict Changed |
+---Other State:-+ RECOVER | Secondary | V V | |
| | | DONE | resolve | ++----------+---++ |
| All Others: POTENT. | | conflict | |CONFLICT-DONE-|+| |
| Wait for CONFLICT- | ----+ see (9.10) | | (responsive) | |
| Other State: V V | +------+---------+ |
| NORMAL or RECOVER ++------------+---+ Other State: NORMAL |
| | DONE | NORMAL + +<--------------+ |
| +--+----------+-->+ (balanced) +-------External Command--->+
| ^ ^ +--------+--------+ or Other State: |
| | | | | SHUTDOWN |
| Wait for Comm. OK Comm. Failed or | |
| Other Other Other State: PAUSED | External
| State: State: | | Command
| RECOVER-DONE NORMAL Start Safe Comm. OK or
| | COMM. INT. Period Timer Other State: Safe
| Comm. OK. | V All Others Period
| Other State: | +---------+--------+ | expiration
| RECOVER +--+ COMMUNICATIONS - +----+ |
| +-------------+ INTERRUPTED | |
RECOVER | (responsive) +-------------------------->+
RECOVER-WAIT--------->+------------------+
Figure 1: Failover Endpoint State Machine
Mrugalski & Kinnear Expires September 13, 2012 [Page 21]
�
Internet-Draft DHCPv6 Failover Design March 2012
8.2. State Machine Initialization
TODO
8.3. STARTUP State
The STARTUP state affords an opportunity for a server to probe its
partner server, before starting to service DHCP clients. When in the
STARTUP state, a server attempts to learn its partner's state and
determine (using that information if it is available) what state it
should enter.
The STARTUP state is not shown with any specific state transitions in
the state machine diagram (Figure 1) because the processing during
the STARTUP state can cause the server to transition to any of the
other states, so that specific state transition arcs would only
obscure other information.
8.3.1. Operation in STARTUP State
The server MUST NOT be responsive in STARTUP state.
Whenever a STATE message is sent to the partner while in STARTUP
state the STARTUP flag MUST be set the message and the previously
recorded failover state MUST be placed in the server-state option.
8.3.2. Transition Out of STARTUP State
The following algorithm is followed every time the server initializes
itself, and enters STARTUP state.
Step 1:
If there is any record in stable storage of a previous failover state
for this server, set PREVIOUS-STATE to the last recorded value in
stable storage, and go to Step 2.
If there is no record of any previous failover state in stable
storage for this server, then set the PREVIOUS-STATE to RECOVER and
set the TIME-OF-FAILURE to 0. This will allow two servers which
already have lease information to synchronize themselves prior to
operating.
In some cases, an existing server will be commissioned as a failover
server and brought back into operation where its partner is not yet
available. In this case, the newly commissioned failover server will
not operate until its partner comes online -- but it has operational
responsibilities as a DHCP server nonetheless. To properly handle
Mrugalski & Kinnear Expires September 13, 2012 [Page 22]
�
Internet-Draft DHCPv6 Failover Design March 2012
this situation, a server SHOULD be configurable in such a way as to
move directly into PARTNER-DOWN state after the startup period
expires if it has been unable to contact its partner during the
startup period.
Step 2:
If the previous state is one where communications was "OK", then set
the previous state to the state that is the result of the
communications failed state transition (if such transition exists --
some states don't have a communications failed state transition,
since they allow both commun- ications OK and failed).
Step 3:
Start the STARTUP state timer. The time that a server remains in the
STARTUP state (absent any communications with its partner) is
implementation dependent but SHOULD be short. It SHOULD be long
enough for a TCP connection to be created to a heavily loaded partner
across a slow network.
Step 4:
Attempt to create a TCP connection to the failover partner.
Step 5:
Wait for "communications OK".
When and if communications become "okay", clear the STARTUP flag, and
set the current state to the PREVIOUS-STATE.
If the partner is in PARTNER-DOWN state, and if the time at which it
entered PARTNER-DOWN state (as received in the start-time-of-state
option in the STATE message) is later than the last recorded time of
operation of this server, then set CURRENT-STATE to RECOVER. If the
time at which it entered PARTNER-DOWN state is earlier than the last
recorded time of operation of this server, then set CURRENT-STATE to
POTENTIAL-CONFLICT.
Then, transition to the current state and take the "communications
OK" state transition based on the current state of this server and
the partner.
Step 6:
If the startup time expires the server SHOULD go transition to the
PREVIOUS-STATE.
Mrugalski & Kinnear Expires September 13, 2012 [Page 23]
�
Internet-Draft DHCPv6 Failover Design March 2012
8.4. PARTNER-DOWN State
PARTNER-DOWN state is a state either server can enter. When in this
state, the server assumes that it is the only server operating and
serving the client base. If one server is in PARTNER-DOWN state, the
other server MUST NOT be operating.
8.4.1. Operation in PARTNER-DOWN State
The server MUST be responsive in PARTNER-DOWN state.
It will allow renewal of all outstanding leases on IP addresses. For
those IP addresses for which the server is using proportional
allocation, it will allocate IP addresses from its own pool, and
after a fixed period of time (the MCLT interval) has elapsed from
entry into PARTNER-DOWN state, it will allocate IP addresses from the
set of all available IP addresses.
Any IP address tagged as available for allocation by the other server
(at entry to PARTNER-DOWN state) MUST NOT be allocated to a new
client until the maximum-client-lead-time beyond the entry into
PARTNER-DOWN state has elapsed.
A server in PARTNER-DOWN state MUST NOT allocate an IP address to a
DHCP client different from that to which it was allocated at the
entrance to PARTNER-DOWN state until the maximum-client-lead-time
beyond the maximum of the following times: client expiration time,
most recently transmitted potential-expiration-time, most recently
received ack of potential-expiration-time from the partner, and most
recently acked potential-expiration-time to the partner. See section
7.1.5 for details. If this time would be earlier than the current
time plus the maximum-client-lead-time, then the time the server
entered PARTNER-DOWN state plus the maximum-client-lead-time is used.
The server is not restricted by the MCLT when offering lease tmes
while in PARTNER-DOWN state.
8.4.2. Transition Out of PARTNER-DOWN State
When a server in PARTNER-DOWN state succeeds in establishing a con-
nection to its partner, its actions are conditional on the state and
flags received in the STATE message from the other server as part of
the process of establishing the connection.
If the STARTUP bit is set in the server-flags option of a received
STATE message, a server in PARTNER-DOWN state MUST NOT take any state
transitions based on reestablishing communications. Essentially, if
a server is in PARTNER-DOWN state, it ignores all STATE messages from
Mrugalski & Kinnear Expires September 13, 2012 [Page 24]
�
Internet-Draft DHCPv6 Failover Design March 2012
its partner that have the STARTUP bit set in the server-flags option
of the STATE message. THIS NEEDS TO BE MOVED
If the STARTUP bit is not set in the server-flags option of a STATE
message received from its partner, then a server in PARTNER-DOWN
state takes the following actions based on the state of the partner
as received in a STATE message (either immediately after establishing
communications or at any time later when a new state is received)
If the partner is in:
NORMAL, COMMUNICATIONS-INTERRUPTED, PARTNER-DOWN, POTENTIAL-CONFLICT,
RESOLUTION-INTERRUPTED, or CONFLICT-DONE state
transition to POTENTIAL-CONFLICT state
If the partner is in:
RECOVER, RECOVER-WAIT, SHUTDOWN, PAUSED state
stay in PARTNER-DOWN state
If the partner is in:
RECOVER-DONE state
transition into NORMAL state
8.5. RECOVER State
This state indicates that the server has no information in its stable
storage or that it is re-integrating with a server in PARTNER-DOWN
state after it has been down. A server in this state MUST attempt to
refresh its stable storage from the other server.
8.5.1. Operation in RECOVER State
The server MUST NOT be responsive in RECOVER state.
A server in RECOVER state will attempt to reestablish communications
with the other server.
8.5.2. Transition Out of RECOVER State
If the other server is in POTENTIAL-CONFLICT, RESOLUTION-INTERRUPTED,
or CONFLICT-DONE state when communications are reestablished, then
the server in RECOVER state will move to POTENTIAL-CONFLICT state
itself.
Mrugalski & Kinnear Expires September 13, 2012 [Page 25]
�
Internet-Draft DHCPv6 Failover Design March 2012
If the other server is in any other state, then the server in RECOVER
state will request an update of missing binding information by
sending an UPDREQ message. If the server has determined that it has
lost its stable storage because it has no record of ever having
talked to its partner, while its partner does have a record of
communicating with it, it MUST send an UPDREQALL message, otherwise
it MUST send an UPDREQ message.
It will wait for an UPDDONE message, and upon receipt of that message
it will transition to RECOVER-WAIT state.
If communications fails during the reception of the results of the
UPDREQ or UPDREQALL message, the server will remain in RECOVER state,
and will re-issue the UPDREQ or UPDREQALL when communications are re-
established.
If an UPDDONE message isn't received within an implementation
dependent amount of time, and no BNDUPD messages are being received,
the connection SHOULD be dropped.
Mrugalski & Kinnear Expires September 13, 2012 [Page 26]
�
Internet-Draft DHCPv6 Failover Design March 2012
A B
Server Server
| |
RECOVER PARTNER-DOWN
| |
| >--UPDREQ--------------------> |
| |
| <---------------------BNDUPD--< |
| >--BNDACK--------------------> |
... ...
| |
| <---------------------BNDUPD--< |
| >--BNDACK--------------------> |
| |
| <--------------------UPDDONE--< |
| |
RECOVER-WAIT |
| |
| >--STATE-(RECOVER-WAIT)------> |
| |
| |
Wait MCLT from last known |
time of failover operation |
| |
RECOVER-DONE |
| |
| >--STATE-(RECOVER-DONE)------> |
| NORMAL
| <-------------(NORMAL)-STATE--< |
NORMAL |
| >---- State-(NORMAL)---------------> |
| |
| |
Figure 2: Transition out of RECOVER state
If, at any time while a server is in RECOVER state communications
fails, the server will stay in RECOVER state. When communications
are restored, it will restart the process of transitioning out of
RECOVER state.
8.6. RECOVER-WAIT State
This state indicates that the server has done an UPDREQ or UPDREQALL
and has received the UPDDONE message indicating that it has received
all outstanding binding update information. In the RECOVER-WAIT
state the server will wait for the MCLT in order to ensure that any
Mrugalski & Kinnear Expires September 13, 2012 [Page 27]
�
Internet-Draft DHCPv6 Failover Design March 2012
processing that this server might have done prior to losing its
stable storage will not cause future difficulties.
8.6.1. Operation in RECOVER-WAIT State
The server MUST NOT be responsive in RECOVER-WAIT state.
8.6.2. Transition Out of RECOVER-WAIT State
Upon entry to RECOVER-WAIT state the server MUST start a timer whose
expiration is set to a time equal to the time the server went down
(if known) or the time the server started (if the down-time is
unknown) plus the maximum-client-lead-time. When this timer expires,
the server will transition into RECOVER-DONE state.
This is to allow any IP addresses that were allocated by this server
prior to loss of its client binding information in stable storage to
contact the other server or to time out.
If this is the first time this server has run failover -- as
determined by the information received from the partner, not
necessarily only as determined by this server's stable storage (as
that may have been lost), then the waiting time discussed above may
be skipped, and the server may transition immediately to RECOVER-DONE
state.
If the server has never before run failover, then there is no need to
wait in this state -- but, again, to determine if this server has run
failover it is vital that the information provided by the partner be
utilized, since the stable storage of this server may have been lost.
If communications fails while a server is in RECOVER-WAIT state, it
has no effect on the operation of this state. The server SHOULD
continue to operate its timer, and the timer expires during the
period where communications with the other server have failed, then
the server SHOULD transition to RECOVER-DONE state. This is rare --
failover state transitions are not usually made while communications
are interrupted, but in this case there is no reason to inhibit the
timer.
8.7. RECOVER-DONE State
This state exists to allow an interlocked transition for one server
from RECOVER state and another server from PARTNER-DOWN or
COMMUNICATIONS-INTERRUPTED state into NORMAL state.
Mrugalski & Kinnear Expires September 13, 2012 [Page 28]
�
Internet-Draft DHCPv6 Failover Design March 2012
8.7.1. Operation in RECOVER-DONE State
A server in RECOVER-DONE state MUST respond only to DHCPREQUEST/
RENEWAL and DHCPREQUEST/REBINDING DHCP messages.
8.7.2. Transition Out of RECOVER-DONE State
When a server in RECOVER-DONE state determines that its partner
server has entered NORMAL or RECOVER-DONE state, then it will
transition into NORMAL state.
If communications fails while in RECOVER-DONE state, a server will
stay in RECOVER-DONE state.
8.8. NORMAL State
NORMAL state is the state used by a server when it is communicating
with the other server, and any required resynchronization has been
performed. While some bindings database synchronization is performed
in NORMAL state, potential conflicts are resolved prior to entry into
NORMAL state as is binding database data loss.
When entering NORMAL state, a server will send to the other server
all currently unacknowledged binding updates as BNDUPD messages.
When the above process is complete, if the server entering NORMAL
state is a secondary server, then it will request IP addresses for
allocation using the POOLREQ message.
8.8.1. Operation in NORMAL State
When in NORMAL state a server will operate in the following manner:
Lease time calculations
As discussed in Section 7.4, the lease interval given to a DHCP
client can never be more than the MCLT greater than the most
recently received potential- expiration-time from the failover
partner or the current time, whichever is later.
As long as a server adheres to this constraint, the specifics of
the lease interval that it gives to a DHCP client or the value of
the potential-expiration-time sent to its failover partner are
implementation dependent.
Lazy update of partner server
After sending an REPLY that includes lease update to a client, the
server servicing a DHCP client request attempts to update its
partner with the new binding information. Server transmits both
Mrugalski & Kinnear Expires September 13, 2012 [Page 29]
�
Internet-Draft DHCPv6 Failover Design March 2012
desired valid lifetime and actual valid lifetime.
Reallocation of IP addresses between clients
Whenever a client binding is released or expires, a BNDUPD mes-
sage must be sent to the partner, setting the binding state to
RELEASED or EXPIRED. However, until a BNDACK is received for this
message, the IP address cannot be allocated to another client. It
cannot be allocated to the same client again if a BNDUPD was sent,
otherwise it can. See Section 7.6.
In normal state, each server receives binding updates from its
partner server in BNDUPD messages. It records these in its client
binding database in stable storage and then sends a corresponding
BNDACK message to its partner server.
8.8.2. Transition Out of NORMAL State
If an external command is received by a server in NORMAL state
informing it that its partner is down, then transition into PARTNER-
DOWN state. Generally, this would be an unusual situation, where
some external agency knew the partner server was down. Using the
command in this case would be appropriate if the polling interval and
timeout were long.
If a server in NORMAL state fails to receive acks to messages sent to
its partner for an implementation dependent period of time, it MAY
move into COMMUNICATIONS-INTERRUPTED state. This situation might
occur if the partner server was capable of maintaining the TCP con-
nection between the server and also capable of sending a CONTACT mes-
sage every tSend seconds, but was (for some reason) incapable of pro-
cessing BNDUPD messages.
If the communications is determined to not be "ok" (as defined in
Section 7.5), then transition into COMMUNICATIONS-INTERRUPTED state.
If a server in NORMAL state receives any messages from its partner
where the partner has changed state from that expected by the server
in NORMAL state, then the server should transition into
COMMUNICATIONS-INTERRUPTED state and take the appropriate state tran-
sition from there. For example, it would be expected for the partner
to transition from POTENTIAL-CONFLICT into NORMAL state, but not for
the partner to transition from NORMAL into POTENTIAL-CONFLICT state.
If a server in NORMAL state receives any messages from its partner
where the PARTNER has changed into SHUTDOWN state, the server should
transition into PARTNER-DOWN state.
Mrugalski & Kinnear Expires September 13, 2012 [Page 30]
�
Internet-Draft DHCPv6 Failover Design March 2012
8.9. COMMUNICATIONS-INTERRUPTED State
A server goes into COMMUNICATIONS-INTERRUPTED state whenever it is
unable to communicate with its partner. Primary and secondary
servers cycle automatically (without administrative intervention)
between NORMAL and COMMUNICATIONS-INTERRUPTED state as the network
connection between them fails and recovers, or as the partner server
cycles between operational and non-operational. No duplicate IP
address allocation can occur while the servers cycle between these
states.
When a server enters COMMUNICATIONS-INTERRUPTED state, if it has been
configured to support an automatic transition out of COMMUNICATIONS-
INTERRUPTED state and into PARTNER-DOWN state (i.e., a "safe period"
has been configured, see section 10), then a timer MUST be started
for the length of the configured safe period.
A server transitioning into the COMMUNICATIONS-INTERRUPTED state from
the NORMAL state SHOULD raise some alarm condition to alert
administrative staff to a potential problem in the DHCP subsystem.
8.9.1. Operation in COMMUNICATIONS-INTERRUPTED State
In this state a server MUST respond to all DHCP client requests.
When allocating new lease, each server allocates from its own pool,
where the primary MUST allocate only FREE resources (addresses or
prefixes), and the secondary MUST allocate only BACKUP resources
(addresses or prefixes). When responding to RENEW messages, each
server will allow continued renewal of a DHCP client's current lease
on an IP address or prefix irrespective of whether that lease was
given out by the receiving server or not, although the renewal period
MUST NOT exceed the maximum client lead time (MCLT) beyond the latest
of: 1) the potential valid lifetime already acknowledged by the other
server, or 2) the lease- expiration-time , or 3) the potential valid
lifetime received from the partner server.
However, since the server cannot communicate with its partner in this
state, the acknowledged potential valid lifetime will not be updated
in any new bindings. This is likely to eventually cause the actual
valid lifetimes to be the current time plus the MCLT (unless this is
greater than the desired-client-lease- time).
The server should continue to try to establish a connection with its
partner.
Mrugalski & Kinnear Expires September 13, 2012 [Page 31]
�
Internet-Draft DHCPv6 Failover Design March 2012
8.9.2. Transition Out of COMMUNICATIONS-INTERRUPTED State
If the safe period timer expires while a server is in the
COMMUNICATIONS-INTERRUPTED state, it will transition immediately into
PARTNER-DOWN state.
If an external command is received by a server in COMMUNICATIONS-
INTERRUPTED state informing it that its partner is down, it will
transition immediately into PARTNER-DOWN state.
If communications is restored with the other server, then the server
in COMMUNICATIONS-INTERRUPTED state will transition into another
state based on the state of the partner:
o NORMAL or COMMUNICATIONS-INTERRUPTED: Transition into the NORMAL
state.
o RECOVER: Stay in COMMUNICATIONS-INTERRUPTED state.
o RECOVER-DONE: Transition into NORMAL state.
o PARTNER-DOWN, POTENTIAL-CONFLICT, CONFLICT-DONE, or RESOLUTION-
INTERRUPTED: Transition into POTENTIAL-CONFLICT state.
o SHUTDOWN: Transition into PARTNER-DOWN state.
The following figure illustrates the transition from NORMAL to
COMMUNICATIONS-INTERRUPTED state and then back to NORMAL state again.
Mrugalski & Kinnear Expires September 13, 2012 [Page 32]
�
Internet-Draft DHCPv6 Failover Design March 2012
Primary Secondary
Server Server
NORMAL NORMAL
| >--CONTACT-------------------> |
| <--------------------CONTACT--< |
| [TCP connection broken] |
COMMUNICATIONS : COMMUNICATIONS
INTERRUPTED : INTERRUPTED
| [attempt new TCP connection] |
| [connection succeeds] |
| |
| >--CONNECT-------------------> |
| <-----------------CONNECTACK--< |
| NORMAL
| <-------------------STATE-----< |
NORMAL |
| >--STATE---------------------> |
|
| >--BNDUPD--------------------> |
| <---------------------BNDACK--< |
| |
| <---------------------BNDUPD--< |
| >------BNDACK----------------> |
... ...
| |
| <--------------------POOLREQ--< |
| >--POOLRESP-(2)--------------> |
t> | |
| >--BNDUPD-(#1)---------------> |
| <---------------------BNDACK--< |
| |
| <--------------------POOLREQ--< |
| >--POOLRESP-(0)--------------> |
| |
| >--BNDUPD-(#2)---------------> |
| <---------------------BNDACK--< |
| |
Figure 3: Transition from NORMAL to COMMUNICATIONS-INTERRUPTED and
back (example with 2 addresses allocated to secondary)
8.10. POTENTIAL-CONFLICT State
This state indicates that the two servers are attempting to
reintegrate with each other, but at least one of them was running in
a state that did not guarantee automatic reintegration would be
possible. In POTENTIAL-CONFLICT state the servers may determine that
Mrugalski & Kinnear Expires September 13, 2012 [Page 33]
�
Internet-Draft DHCPv6 Failover Design March 2012
the same resource has been offered and accepted by two different
clients.
It is a goal of this protocol to minimize the possibility that
POTENTIAL-CONFLICT state is ever entered.
When a primary server enters POTENTIAL-CONFLICT state it should
request that the secondary send it all updates of which it is
currently unaware by sending an UPDREQ message to the secondary
server.
A secondary server entering POTENTIAL-CONFLICT state will wait for
the primary to send it an UPDREQ message.
8.10.1. Operation in POTENTIAL-CONFLICT State
Any server in POTENTIAL-CONFLICT state MUST NOT process any incoming
DHCP requests.
8.10.2. Transition Out of POTENTIAL-CONFLICT State
If communications fails with the partner while in POTENTIAL-CONFLICT
state, then the server will transition to RESOLUTION-INTERRUPTED
state.
Whenever either server receives an UPDDONE message from its partner
while in POTENTIAL-CONFLICT state, it MUST transition to a new state.
The primary MUST transition to CONFLICT-DONE state, and the secondary
MUST transition to NORMAL state. This will cause the primary server
to leave POTENTIAL-CONFLICT state prior to the secondary, since the
primary sends an UPDREQ message and receives an UPDDONE before the
secondary sends an UPDREQ message and receives its UPDDONE message.
When a secondary server receives an indication that the primary
server has made a transition from POTENTIAL-CONFLICT to CONFLICT-DONE
state, it SHOULD send an UPDREQ message to the primary server.
Mrugalski & Kinnear Expires September 13, 2012 [Page 34]
�
Internet-Draft DHCPv6 Failover Design March 2012
Primary Secondary
Server Server
| |
POTENTIAL-CONFLICT POTENTIAL-CONFLICT
| |
| >--UPDREQ--------------------> |
| |
| <---------------------BNDUPD--< |
| >--BNDACK--------------------> |
... ...
| |
| <---------------------BNDUPD--< |
| >--BNDACK--------------------> |
| |
| <--------------------UPDDONE--< |
CONFLICT-DONE |
| >--STATE--(CONFLICT-DONE)----> |
| <---------------------UPDREQ--< |
| |
| >--BNDUPD--------------------> |
| <---------------------BNDACK--< |
... ...
| >--BNDUPD--------------------> |
| <---------------------BNDACK--< |
| |
| >--UPDDONE-------------------> |
| NORMAL
| <------------STATE--(NORMAL)--< |
NORMAL |
| >--STATE--(NORMAL)-----------> |
| |
| <--------------------POOLREQ--< |
| >------POOLRESP-(n)----------> |
| addresses |
Figure 4: Transition out of POTENTIAL-CONFLICT
8.11. RESOLUTION-INTERRUPTED State
This state indicates that the two servers were attempting to
reintegrate with each other in POTENTIAL-CONFLICT state, but
communications failed prior to completion of re-integration.
If the servers remained in POTENTIAL-CONFLICT while communications
was interrupted, neither server would be responsive to DHCP client
requests, and if one server had crashed, then there might be no
server able to process DHCP requests.
Mrugalski & Kinnear Expires September 13, 2012 [Page 35]
�
Internet-Draft DHCPv6 Failover Design March 2012
When a server enters RESOLUTION-INTERRUPTED state it SHOULD raise an
alarm condition to alert administrative staff of a problem in the
DHCP subsystem.
8.11.1. Operation in RESOLUTION-INTERRUPTED State
In this state a server MUST respond to all DHCP client requests.
When allocating new resources (addresses or prefixes), each server
SHOULD allocate from its own pool (if that can be determined), where
the primary SHOULD allocate only FREE resources, and the secondary
SHOULD allocate only BACKUP resources. When responding to renewal
requests, each server will allow continued renewal of a DHCP client's
current lease irrespective of whether that lease was given out by the
receiving server or not, although the renewal period MUST not exceed
the maximum client lead time (MCLT) beyond the latest of: 1) the
potential valid lifetime already acknowledged by the other server or
2) the lease-expiration-time or 3) potential valid lifetime received
from the partner server.
However, since the server cannot communicate with its partner in this
state, the acknowledged potential valid lifetime will not be updated
in any new bindings.
8.11.2. Transition Out of RESOLUTION-INTERRUPTED State
If an external command is received by a server in RESOLUTION-
INTERRUPTED state informing it that its partner is down, it will
transition immediately into PARTNER-DOWN state.
If communications is restored with the other server, then the server
in RESOLUTION-INTERRUPTED state will transition into POTENTIAL-
CONFLICT state.
8.12. CONFLICT-DONE State
This state indicates that during the process where the two servers
are attempting to re-integrate with each other, the primary server
has received all of the updates from the secondary server. It make a
transition into CONFLICT-DONE state in order that it may be totally
responsive to the client load, as opposed to NORMAL state where it
would be in a "balanced" responsive state, running the load balancing
algorithm.
TODO: We do not support load balancing, so CONFLICT-DONE is actually
equal to NORMAL. Need to remove CONFLICT-DONE and replace all its
references to NORMAL.
Mrugalski & Kinnear Expires September 13, 2012 [Page 36]
�
Internet-Draft DHCPv6 Failover Design March 2012
8.12.1. Operation in CONFLICT-DONE State
A primary server in CONFLICT-DONE state is fully responsive to all
DHCP clients (similar to the situation in COMMUNICATIONS-INTERRUPTED
state).
If communications fails, remain in CONFLICT-DONE state. If
communications becomes OK, remain in CONFLICT-DONE state until the
conditions for transition out become satisfied.
8.12.2. Transition Out of CONFLICT-DONE State
If communications fails with the partner while in CONFLICT-DONE
state, then the server will remain in CONFLICT-DONE state.
When a primary server determines that the secondary server has made a
transition into NORMAL state, the primary server will also transition
into NORMAL state.
8.13. PAUSED State
TODO: Remove PAUSED state completely
This state exists to allow one server to inform another that it will
be out of service for what is predicted to be a relatively short
time, and to allow the other server to transition to COMMUNICATIONS-
INTERRUPTED state immediately and to begin servicing all DHCP clients
with no interruption in service to new DHCP clients.
A server which is aware that it is shutting down temporarily SHOULD
send a STATE message with the server-state option containing PAUSED
state and close the TCP connection.
While a server may or may not transition internally into PAUSED
state, the 'previous' state determined when it is restarted MUST be
the state the server was in prior to receiving the command to shut-
down and restart and which precedes its entry into the PAUSED state.
See Section 8.3.2 concerning the use of the previous state upon
server restart.
When entering PAUSED state, the server MUST store the previous state
in stable storage, and use that state as the previous state when it
is restarted.
8.13.1. Operation in PAUSED State
Server MUST NOT perform any operation while in PAUSED state.
Mrugalski & Kinnear Expires September 13, 2012 [Page 37]
�
Internet-Draft DHCPv6 Failover Design March 2012
8.13.2. Transition Out of PAUSED State
A server makes a transition out of PAUSED state by being restarted.
At that time, the previous state MUST be the state the server was in
prior to entering the PAUSED state.
8.14. SHUTDOWN State
This state exists to allow one server to inform another that it will
be out of service for what is predicted to be a relatively long time,
and to allow the other server to transition immediately to PARTNER-
DOWN state, and take over completely for the server going down.
When entering SHUTDOWN state, the server MUST record the previous
state in stable storage for use when the server is restarted. It
also MUST record the current time as the last time operational.
A server which is aware that it is shutting down SHOULD send a STATE
message with the server-state field containing SHUTDOWN.
8.14.1. Operation in SHUTDOWN State
A server in SHUTDOWN state MUST NOT respond to any DHCP client input.
If a server receives any message indicating that the partner has
moved to PARTNER-DOWN state while it is in SHUTDOWN state then it
MUST record RECOVER state as the previous state to be used when it is
restarted.
A server SHOULD wait for a few seconds after informing the partner of
entry into SHUTDOWN state (if communications are okay) to determine
if the partner entered PARTNER-DOWN state.
8.14.2. Transition Out of SHUTDOWN State
A server makes a transition out of SHUTDOWN state by being restarted.
9. Proposed extensions
The following section discusses possible extensions to the proposed
failover mechanism. Listed extensions must be sufficiently simple to
not further complicate failover protocol. Any proposals that are
considered complex will be defined as stand-alone extensions in
separate documents.
Mrugalski & Kinnear Expires September 13, 2012 [Page 38]
�
Internet-Draft DHCPv6 Failover Design March 2012
9.1. Active-active mode
A very simple way to achieve active-active mode is to remove the
restriction that seconary server MUST NOT respond to SOLICIT and
REQUEST messages. Instead it could respond, but MUST have lower
preference than primary server. Clients discovering available
servers will receive ADVERTISE messages from both servers, but are
expected to select the primary server as it has higher preference
value configured. The following REQUEST message will be directed to
primary server.
Discussion: Do DHCPv6 clients actually do this? DHCPv4 clients were
rumored to wait for a "while" to accept the best offer, but to a
first approximation, they all take the first offer they receive that
is even acceptable.
The benefit of this approach, compared to the "basic" active--passive
solution is that there is no delay between primary failure and the
moment when secondary starts serving requests.
Discussion: The possibility of setting both servers preference to an
equal value could theoretically work as a crude attempt to provide
load balancing. It wouldn't do much good on its own, as one (faster)
server could be chosen more frequently (assuming that with equal
preference sets clients will pick first responding server, which is
not mandated by DHCPv6). We could design a simple mechanism of
dynamically updating preference depending on usage of available
resources. This concept hasn't been investigated in detail yet.
10. Dynamic DNS Considerations
TODO: Descibe DNS Updates challenges in failover environment. It is
nicely described in Section 5.12 of [dhcpv4-failover].
11. Reservations and failover
TODO: Describe how lease reservation works with failover. See
Section 5.13 in [dhcpv4-failover].
12. Protocol entities
Discussion: It is unclear if following sections belong to design or
protocol draft. It is currently kept here as a scratchbook with list
of things that will have to be defined eventually. Whether or not it
will stay in this document or will be moved to the protocol spec
Mrugalski & Kinnear Expires September 13, 2012 [Page 39]
�
Internet-Draft DHCPv6 Failover Design March 2012
document is TBD.
12.1. Failover Protocol
This section enumerates list of options that will be defined in
failover protocol specification. Rough description of purpose and
content for each option is specified. Exact on wire format will be
defined in protocol specification.
1. OPTION_FO_TIMESTAMP - convey information about timestamp. It is
used by time skew measurement algorithm (see Section 7.1).
12.2. Protocol constants
This section enumerates various constants that have to be defined in
actual protocol specification.
1. TIME_SKEW_PKTS_AVG - number of packets that are used to calculate
average time skew between partners. See (see Section 7.1).
13. Open questions
This is scratchbook. This section will be removed once questions are
answered.
Q: Do we want to support temporary addresses? I think not. They are
short-lived by definition, so clients should not mind getting new
temporary addresses.
Q: Do we want to support CGA-registered addresses? There is
currently work in DHC WG about this, but I haven't looked at it yet.
If that is complicated, we may not define it here, but rather as an
extension. [If it moves forward, we need to support it.]
14. Security Considerations
TODO: Security considerations section will contain loose notes and
will be transformed into consistent text once the core design
solidifies.
15. IANA Considerations
IANA is not requested to perform any actions at this time.
Mrugalski & Kinnear Expires September 13, 2012 [Page 40]
�
Internet-Draft DHCPv6 Failover Design March 2012
16. Acknowledgements
This document extensively uses concepts, definitions and other parts
of [dhcpv4-failover] document. Authors would like to thank Shawn
Routher, Greg Rabil, and Bernie Volz for their significant
involvement and contributions.
This work has been partially supported by Department of Computer
Communications (a division of Gdansk University of Technology) and
the Polish Ministry of Science and Higher Education under the
European Regional Development Fund, Grant No. POIG.01.01.02-00-045/
09-00 (Future Internet Engineering Project).
17. References
17.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol",
RFC 2131, March 1997.
[RFC3074] Volz, B., Gonczi, S., Lemon, T., and R. Stevens, "DHC Load
Balancing Algorithm", RFC 3074, February 2001.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic
Host Configuration Protocol (DHCP) version 6", RFC 3633,
December 2003.
[RFC4704] Volz, B., "The Dynamic Host Configuration Protocol for
IPv6 (DHCPv6) Client Fully Qualified Domain Name (FQDN)
Option", RFC 4704, October 2006.
[RFC5460] Stapp, M., "DHCPv6 Bulk Leasequery", RFC 5460,
February 2009.
17.2. Informative References
[I-D.ietf-dhc-dhcpv6-redundancy-consider]
Tremblay, J., Brzozowski, J., Chen, J., and T. Mrugalski,
"DHCPv6 Redundancy Deployment Considerations",
draft-ietf-dhc-dhcpv6-redundancy-consider-02 (work in
Mrugalski & Kinnear Expires September 13, 2012 [Page 41]
�
Internet-Draft DHCPv6 Failover Design March 2012
progress), October 2011.
[RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, April 1997.
[dhcpv4-failover]
Droms, R., Kinnear, K., Stapp, M., Volz, B., Gonczi, S.,
Rabil, G., Dooley, M., and A. Kapur, "DHCP Failover
Protocol", draft-ietf-dhc-failover-12 (work in progress),
March 2003.
[requirements]
Mrugalski, T. and K. Kinnear, "DHCPv6 Failover
Requirements",
draft-ietf-dhc-dhcpv6-failover-requirements-00 (work in
progress), October 2011.
Authors' Addresses
Tomasz Mrugalski
Internet Systems Consortium, Inc.
950 Charter Street
Redwood City, CA 94063
USA
Phone: +1 650 423 1345
Email: tomasz.mrugalski@gmail.com
Kim Kinnear
Cisco Systems, Inc.
1414 Massachusetts Ave.
Boxborough, Massachusetts 01719
USA
Phone: +1 (978) 936-0000
Email: kkinnear@cisco.com
Mrugalski & Kinnear Expires September 13, 2012 [Page 42]
�
