[BEHAVE] Out of port errors, resource errors in NAT MIB
Tom Taylor <tom.taylor.stds@gmail.com> Tue, 28 October 2014 01:23 UTC
Return-Path: <tom.taylor.stds@gmail.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4294F1A882C; Mon, 27 Oct 2014 18:23:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fBYgggGVUwhF; Mon, 27 Oct 2014 18:23:01 -0700 (PDT)
Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C37E61A8829; Mon, 27 Oct 2014 18:23:00 -0700 (PDT)
Received: by mail-ig0-f170.google.com with SMTP id hn18so7014582igb.5 for <multiple recipients>; Mon, 27 Oct 2014 18:23:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=KvFfxG+4wKTNQ/6vUSPu/ZM2wzh4dxzVf/Ns+egny5Q=; b=uhqfesqe9LCnBmFGzdiwz3lbYVhNM4iLGvPwEWqvlU6yvZ3NgPgxeU5RZ+oSMqY8fD mGDQn0LrDkkx7gBPmiM4EvOY/ZSIcrwwr2PQS7kHG1G/P4P0xy8FKOZ+RD3m9ikJY8hw aehwi/v+RvKV5nPWijhSVnD9EL1l9qo/c4j1zcqc1xda2CRew9N1nyaYrAHH1CqpUSpK OTWKju40gTvELYTyY+LrYKvlrg78L6tXssS/9wvySIyjXtIz/4vTcevmolUnvTmU+TKd wlVJrmcx6zA8p+tsD3bi+sGKU91e/AASVcCVw6jlRs5Wq+8n0OXBSB9PNWqfSj9gnTdr +uoA==
X-Received: by 10.107.172.210 with SMTP id v201mr123690ioe.19.1414459380167; Mon, 27 Oct 2014 18:23:00 -0700 (PDT)
Received: from [192.168.0.102] (dsl-207-112-123-240.tor.primus.ca. [207.112.123.240]) by mx.google.com with ESMTPSA id a10sm241278igo.22.2014.10.27.18.22.59 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 27 Oct 2014 18:22:59 -0700 (PDT)
Message-ID: <544EEFEA.5040801@gmail.com>
Date: Mon, 27 Oct 2014 21:22:50 -0400
From: Tom Taylor <tom.taylor.stds@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Simon Perreault <sperreault@jive.com>
References: <544D772F.6060009@gmail.com> <CANO7kWCNnXN-+nzaygANpiXFcHxCepUiG3V9NLVaPDRoPjkHzw@mail.gmail.com>
In-Reply-To: <CANO7kWCNnXN-+nzaygANpiXFcHxCepUiG3V9NLVaPDRoPjkHzw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/behave/7W9O5KsrMhMjUkMYDPGH7Y602I4
Cc: "opsawg@ietf.org" <opsawg@ietf.org>, "behave@ietf.org" <behave@ietf.org>
Subject: [BEHAVE] Out of port errors, resource errors in NAT MIB
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 01:23:03 -0000
Leaving aside the notification question for research, the discussion below suggests that the boundary between port exhaustion and address exhaustion is somewhat indeterminate. The MIB currently has two counters (showing up in various tables, another issue), OutOfPortErrors and ResourceErrors, with the latter supposedly picking up address exhaustion. I'd suggest we make the first one OutOfAddressPortErrors and thereby eliminate the ambiguity. I'd also call these Drops rather than Errors to make the consequences clearer. Tom Taylor On 27/10/2014 9:35 AM, Simon Perreault wrote: > On Sun, Oct 26, 2014 at 6:35 PM, Tom Taylor <tom.taylor.stds@gmail.com> > wrote: ... > > The problem with NAT pool monitoring is that the pool actually contains two >> resources, addresses and ports, and how they get used up depends on RFC >> 4787 pooling behaviour. >> > > Well, yes, but I don't see how this is a problem. > > Keep in mind that some NATs don't bother with ports and allocate full > addresses. That is supported with the current pool and mapping models. > > For the RECOMMENDED pooling behaviour of 'paired', port exhaustion occurs >> when all the ports for the desired protocol available to the subscriber on >> a mapped external address are used up, the NAT cannot (for reasons of >> policy or availability) assign additional ports to that subscriber on that >> same address, and the NAT cannot assign an additional address containing >> free ports to that subscriber. (This last condition is subject to >> discussion: is it port exhaustion or address exhaustion?) >> > > It depends on what you mean by "cannot". A "paired" NAT may decide to > allocate a mapping from any other available address and not even consider > this an exhaustion condition. It may decide to replace the current address > mapping with this new address. Or it may consider this a "temporary address > mapping" to be reverted eventually. Or it may not record this new mapping > at all, and just allocate mappings from any random address as long as the > primary address is exhausted. Or it may refuse to create a new mapping, as > you seem to imply. > > We should not "think" too much about NAT implementation... What matters is > observable behaviour, and in particular observable behaviour that is > general enough that it can be usefully modelled in a MIB. Whatever triggers > an exhaustion event is not absolutely important. We just need to be able to > report it. It will be up to the NAT administrator to determine, based on > the particular NAT implementation, what exactly exhaustion means. Some NATs > are very configurable in this matter. > > For a pooling behaviour of 'arbitrary', port exhaustion occurs when there >> is no available port for the desired protocol at any of the addresses in >> the pool. Clearly port exhaustion will be a rarer event in the 'arbitrary' >> case. >> > ...
- [BEHAVE] Major NAT MIB Issue: Notifications and p… Tom Taylor
- Re: [BEHAVE] [OPSAWG] Major NAT MIB Issue: Notifi… Simon Perreault
- [BEHAVE] Out of port errors, resource errors in N… Tom Taylor
- Re: [BEHAVE] Out of port errors, resource errors … Simon Perreault
- Re: [BEHAVE] Out of port errors, resource errors … JF Tremblay
- Re: [BEHAVE] [OPSAWG] Out of port errors, resourc… Tom Taylor
- Re: [BEHAVE] [OPSAWG] Out of port errors, resourc… JF Tremblay
- Re: [BEHAVE] [OPSAWG] Out of port errors, resourc… Tom Taylor
- Re: [BEHAVE] [OPSAWG] Major NAT MIB Issue: Notifi… Randy Presuhn
- Re: [BEHAVE] [OPSAWG] Major NAT MIB Issue: Notifi… Tom Taylor