IETF Logo Mail Archive

Re: [BEHAVE] Port Management To Reduce Logging In Large-Scale NATs

<mohamed.boucadair@orange-ftgroup.com> Fri, 03 September 2010 12:09 UTC

Return-Path: <mohamed.boucadair@orange-ftgroup.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 916403A685B for <behave@core3.amsl.com>; Fri, 3 Sep 2010 05:09:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.05
X-Spam-Level:
X-Spam-Status: No, score=-2.05 tagged_above=-999 required=5 tests=[AWL=0.198, BAYES_00=-2.599, HELO_EQ_FR=0.35, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FALJuN-v3d77 for <behave@core3.amsl.com>; Fri, 3 Sep 2010 05:09:33 -0700 (PDT)
Received: from relais-inet.francetelecom.com (relais-ias243.francetelecom.com [80.12.204.243]) by core3.amsl.com (Postfix) with ESMTP id 3E03E3A687C for <behave@ietf.org>; Fri, 3 Sep 2010 05:09:33 -0700 (PDT)
Received: from omfeda07.si.francetelecom.fr (unknown [xx.xx.xx.200]) by omfeda09.si.francetelecom.fr (ESMTP service) with ESMTP id 1A858C0311; Fri, 3 Sep 2010 14:10:02 +0200 (CEST)
Received: from puexch91.nanterre.francetelecom.fr (unknown [10.101.44.48]) by omfeda07.si.francetelecom.fr (ESMTP service) with ESMTP id E49A6158061; Fri, 3 Sep 2010 14:10:00 +0200 (CEST)
Received: from PUEXCB1B.nanterre.francetelecom.fr ([10.101.44.13]) by puexch91.nanterre.francetelecom.fr ([10.101.44.48]) with mapi; Fri, 3 Sep 2010 14:10:01 +0200
From: mohamed.boucadair@orange-ftgroup.com
To: Lars Eggert <lars.eggert@nokia.com>, Tina TSOU <tena@huawei.com>
Date: Fri, 03 Sep 2010 14:09:58 +0200
Thread-Topic: [BEHAVE] Port Management To Reduce Logging In Large-Scale NATs
Thread-Index: ActLRRuOPcDQ+t+KRYSAf2+qsVhrWwAGLg6A
Message-ID: <17006_1283515801_4C80E599_17006_1679467_1_94C682931C08B048B7A8645303FDC9F31C501E6E33@PUEXCB1B.nanterre.francetelecom.fr>
References: <979A43C06A7B488B93D6FFBA8395A033@china.huawei.com> <9245BF3C-D02C-4C91-8690-C6261758701A@nokia.com>
In-Reply-To: <9245BF3C-D02C-4C91-8690-C6261758701A@nokia.com>
Accept-Language: fr-FR
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: fr-FR
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-PMX-Version: 5.5.9.395186, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2010.9.3.115114
Cc: "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] Port Management To Reduce Logging In Large-Scale NATs
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Sep 2010 12:09:34 -0000

Dear Lars, all,

The use of port ranges instead of assigning individual port in CGNs has several effects, not only optimising the logs:

(1) The performance of the device are not impacted due to the writing operation (of each individual binding). For some implementations, we have seen a severe degradation when the device (in our case, it is a CGN DS-Lite) must log each individual entry. Note that, we have seen some implementations which loss packets when the port range bindings are not yet in place. But, I guess this is implementation-specific. 

(2) The amount of new sessions to be handled per second are drastically enhanced when a port range scheme is used instead of individual port assignment.
 
(3) As an aside effect, when port ranges are used the size of the log file is optimised (FWIW, see http://tools.ietf.org/html/draft-boucadair-port-range-02#section-15.2 for a simplified exercise). Of course this optimisation depends on length of the port range.

(4) The drawback of assigning port ranges in the CGN is that the destination address is not kept by the device. This may not be convenient in early stages of deployment of shared IP mechanisms in SPs domains. Indeed: 

(a) If a high address sharing ratio (e.g., 1:1000) is used, to avoid revealing the identity of all subscribers sharing the same address to answer to an abuse complaint by the authorities, we may rely on the destination address as an indicator to identify a/the concerned customer. In the meantime, we need to encourage servers to log the source port number in addition to the destination IP address. 
(b) If a small address sharing ratio (e.g., 1:5) is used, storing the destination address in the CGN may not be useful. 


Cheers,
Med 

-----Message d'origine-----
De : behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] De la part de Lars Eggert
Envoyé : vendredi 3 septembre 2010 10:49
À : Tina TSOU
Cc : behave@ietf.org
Objet : Re: [BEHAVE] Port Management To Reduce Logging In Large-Scale NATs

Hi,

On 2010-8-28, at 12:18, Tina TSOU wrote:
> http://tools.ietf.org/html/draft-tsou-behave-natx4-log-reduction-01
> 
> It is a short, straight forward I-D. I would like to hear your opinion and more comments. What's the next step for it?

I'm struggling a bit to understand the motivation for this draft. In the introduction, it says:

>   Some high performance NAT devices may need to create a large amount
>   of new sessions per second.  If logs are generated for each mapping
>   entry, the log traffic could reach tens of megabytes per second or
>   more, which would be a problem for log generation, transmission and
>   storage.

Let's run some numbers. How large is a log entry? Let's assume two IPv4 addresses plus two ports numbers, which is 12 bytes, plus a timestamp, which is maybe 4 bytes, plus some random bytes of stuff. Say, in total 32 bytes.

At a rate of     1,000 bindings/sec, that causes  32 KB/sec of log traffic.
At a rate of    10,000 bindings/sec, that causes 320 KB/sec of log traffic.
At a rate of   100,000 bindings/sec, that causes   3 MB/sec of log traffic.
At a rate of 1,000,000 bindings/sec, that causes  32 MB/sec of log traffic.

So we're really only going to his the "tens of megabytes per second" range for CGNs that see a million bindings per second. You'd need an awfully big box to handle this, and a significant amount of IPv4 space to number it.

As for storage, with a million bindings per second and 32 MB/sec of log traffic, you need about 2GB/min, i.e., 2.7 TB/day. And this is without compression - these logs should be highly compressable.

All in all, I'm not fully convinced we have a problem here. Or maybe I'm missing something?

Lars
*********************************
This message and any attachments (the "message") are confidential and intended solely for the addressees. 
Any unauthorised use or dissemination is prohibited.
Messages are susceptible to alteration. 
France Telecom Group shall not be liable for the message if altered, changed or falsified.
If you are not the intended addressee of this message, please cancel it immediately and inform the sender.
********************************

v2.23.0 | Report a Bug | By Email