Resend of historical review for tool tracking purposes

From: Linda Dunbar
Sent: Monday, November 11, 2013 3:54 PM
To: Operations Directorate; 'draft-ietf-forces-ceha.all at tools.ietf.org'
Cc: ops-ads at tools.ietf.org; Gunter Van de Velde
Subject: Operations Directorate Review of draft-ietf-forces-ceha-08 by 2013-11-06

Hi!

As a member of the Operations Directorate, I have reviewed draft-ietf-forces-ceha-08 for its operational impact.

This document proposes using multiple Control Elements as a way to achieve High Availability within a ForCES Network Element.

I can't find any specification in the draft of the condition under which a CE failure is declared.

Bullet 1 in 2.2 states that the extreme scenario is the operator acting as the monitoring entity to detect faulty CEs. Therefore, the detection time could be hours or days. If the FE can sustain faulty CEs for hours or days, why not simply have the operator reboot the CEs, instead of having these sophisticated mechanisms? A CE is software, which can be rebooted or restarted.

IMHO, it should use the CE-FE interface status (the Fp link in figure 1) as a criterion to determine CE failure, even though a CE could malfunction with its interface to the FE still up. Having a CE protection mechanism without the failure condition clearly defined is only half a solution.

Bullet 4 in 2.2 states that FE recovery time depends on the FE states. I am just curious what kind of states the FE could have.

Section 6, Security Considerations, should specify that only the FE can initiate a connection with the CE, not the other way around. So at least the FE can be configured with a list of legitimate CEs that will control the FE.

Linda Dunbar