IETF Logo Mail Archive

Re: [BEHAVE] [OPSAWG] Out of port errors, resource errors in NAT MIB

Tom Taylor <tom.taylor.stds@gmail.com> Tue, 28 October 2014 19:53 UTC

Return-Path: <tom.taylor.stds@gmail.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B0701ACDAF; Tue, 28 Oct 2014 12:53:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LyuldtGWLH1C; Tue, 28 Oct 2014 12:53:23 -0700 (PDT)
Received: from mail-ie0-x22f.google.com (mail-ie0-x22f.google.com [IPv6:2607:f8b0:4001:c03::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDA361ACD6E; Tue, 28 Oct 2014 12:53:05 -0700 (PDT)
Received: by mail-ie0-f175.google.com with SMTP id at20so1457261iec.6 for <multiple recipients>; Tue, 28 Oct 2014 12:53:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=56WtRhAiU9QGVu1zXBStHqllyFbZ/GWST21BR1iPWFM=; b=wEHGEglyCA0erVKagljtz3YqHaMTj4OsVFzFLaj//X8120FIjcKTaAA8Xj9tUJ/Gbf pbWB7EpGCZbXdSm425pACgx1/vElGN/3cp2r+HLua+9skCuUJYIU16yvqUM3rUNkvu3f 6UfNe8oIEv7/4mTw3ickNthupFjKw7h5bw8MkBUavZRd2yZ8OR2/dkwcpPdxr8c3Jb2b eDnOsHsHG8Wg65Wzoz0Iwx1GzGjNaPRwrIbnKBRNB0275clg+AbI+r1dYDGZDO4iYS9p 18IrDAp8bvu4zhFwWcc5c5umGtjvtwdmg0B4SHwaiGfRhx1yemaY6uidVzwOSUuaJfA5 ewDw==
X-Received: by 10.107.15.8 with SMTP id x8mr6491549ioi.13.1414525985011; Tue, 28 Oct 2014 12:53:05 -0700 (PDT)
Received: from [192.168.0.102] (dsl-173-206-78-153.tor.primus.ca. [173.206.78.153]) by mx.google.com with ESMTPSA id a192sm1057651ioa.34.2014.10.28.12.53.04 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 28 Oct 2014 12:53:04 -0700 (PDT)
Message-ID: <544FF421.60801@gmail.com>
Date: Tue, 28 Oct 2014 15:53:05 -0400
From: Tom Taylor <tom.taylor.stds@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: JF Tremblay <jean-francois.tremblay@viagenie.ca>, "behave@ietf.org" <behave@ietf.org>
References: <544D772F.6060009@gmail.com> <CANO7kWCNnXN-+nzaygANpiXFcHxCepUiG3V9NLVaPDRoPjkHzw@mail.gmail.com> <544EEFEA.5040801@gmail.com> <ABF57D17-B040-4142-8369-E62B4F263A2A@viagenie.ca>
In-Reply-To: <ABF57D17-B040-4142-8369-E62B4F263A2A@viagenie.ca>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/behave/GWFzlrQtKra7woD5RoOaUa7pIOA
Cc: "opsawg@ietf.org" <opsawg@ietf.org>
Subject: Re: [BEHAVE] [OPSAWG] Out of port errors, resource errors in NAT MIB
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 19:53:25 -0000

At the end with [PTT].

On 28/10/2014 12:00 PM, JF Tremblay wrote:
>
>> On Oct 27, 2014, at 9:22 PM, Tom Taylor <tom.taylor.stds@gmail.com> wrote:
>>
>> Leaving aside the notification question for research, the discussion below suggests that the boundary between port exhaustion and address exhaustion is somewhat indeterminate. The MIB currently has two counters (showing up in various tables, another issue), OutOfPortErrors and ResourceErrors, with the latter supposedly picking up address exhaustion. I'd suggest we make the first one OutOfAddressPortErrors and thereby eliminate the ambiguity. I'd also call these Drops rather than Errors to make the consequences clearer.
>
> +1
> I believe it’s useful for a NAT operator to differentiate between these types of errors.
>
> As Tom mentioned, we shouldn’t dwelve* in implementation-specific details, but the MIB should provide enough flexibility to express real-life error conditions in a meaningful way. Where meaningful == clear enough for an operation person not to have to dig the MIB definition at 2:00 in the morning to figure out which problem needs fixing.
>
> This begs the question: are these objects sufficient and aptly named in the MIB to reach the goal above?
>
> Let’s take a few examples of real-life CGN error cases (they are fairly common in my experience, but your-experience-may-vary-of-course):
> 1. Out-of-ports because an administrative limit of port-per-user is reached.
> 2. Out-of-ports because a single address doesn’t have enough available ports and address “pairing” is enforced.
> 3. Out-of-ports/addresses because all addresses in all configured pools do not have enough available ports.
> 4. Out-of-addresses because an administrative limit of users per address is reached on all addresses of all configured pools.
> (in the above, “user” is loosely used as meaning a single inside source address)
>
> MIB behaviour (in my opinion):
> 1. natQuotaDrops incremented
> 2. Is natQuotaDrops or natOutOfPortErrors incremented? The MIB prohibits incrementing both. natOutOfPortsError would probably be preferable.
> 3. natOutOfAddressPortErrors incremented
> 4. natQuotaDrops incremented (probably)
>
> Note that natResourceErrors isn’t used above, but it’s probably useful to keep it as it is now.
>
> Possible corrective actions:
> a) Add addresses to currently configured pools: cases 3 and 4
> b) Review the administrative boundaries policies (long term action): cases 2 and 4
>
> In this light, Tom’s suggestion of adding natOutOfAddressesPortErrors is definitely useful, as it covers case 3 well and provides a way to differentiate it from case 1. However the current fields might not be sufficient to cover all cases, like differentiating cases 1 and 4 above. This might be left to implementation-dependant enterprise MIBs, but it would have been nice to have enough coverage in the standard MIB for most common cases.
>
> Suggestion:
> natQuotaDrops could be split in natAddressQuotaDrops and natPortsQuotaDrops. It would make it somewhat clearer that a "per port” or a “per address” policy is involved.
>
> My 2.302 cents (the exchange rate isn’t what it used to be)
>
> /JF
>
[PTT] Looks to me like the solution might be to have a counter per 
administrative limit, plus one each for can't allocate an address 
mapping, can't allocate an address-port mapping. Then a general "other 
resources" counter. That's not distinguishing your cases 2 and 3, but 
based on what Simon was saying this seems less tied to implementation 
than trying to make that distinction. Case 3 should make itself evident 
in other ways (resource pool utilization).
>
> * I just learned that “dwelve” isn’t a real word after all. Interesting, I’ll go to sleep a little less idiot tonight (loose translation of a local expression).
>
[PTT] You've mingled two applicable words. You could have said "dwell on 
implementation details" or "delve into implementation details".
>
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg
>

v2.23.0 | Report a Bug | By Email