Re: [BEHAVE] proprietary implementation v.s standardisedprotocols//re: draft-xu-behave-nat-state-sync-00

Reinaldo Penno <rpenno@juniper.net> Sat, 05 December 2009 08:34 UTC

Return-Path: <rpenno@juniper.net>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0CA923A681F for <behave@core3.amsl.com>; Sat, 5 Dec 2009 00:34:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rVwod37nP9N6 for <behave@core3.amsl.com>; Sat, 5 Dec 2009 00:34:00 -0800 (PST)
Received: from exprod7og108.obsmtp.com (exprod7og108.obsmtp.com [64.18.2.169]) by core3.amsl.com (Postfix) with ESMTP id 4363A3A6774 for <behave@ietf.org>; Sat, 5 Dec 2009 00:33:57 -0800 (PST)
Received: from source ([66.129.224.36]) (using TLSv1) by exprod7ob108.postini.com ([64.18.6.12]) with SMTP ID DSNKSxoa5uEsM0mj/jj5T6rI65SH2RhuVMdB@postini.com; Sat, 05 Dec 2009 00:33:51 PST
Received: from p-emfe02-wf.jnpr.net (172.28.145.25) by P-EMHUB03-HQ.jnpr.net (172.24.192.37) with Microsoft SMTP Server (TLS) id 8.1.393.1; Sat, 5 Dec 2009 00:27:38 -0800
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe02-wf.jnpr.net ([fe80::c126:c633:d2dc:8090%11]) with mapi; Sat, 5 Dec 2009 03:27:38 -0500
From: Reinaldo Penno <rpenno@juniper.net>
To: Simon Perreault <simon.perreault@viagenie.ca>
Date: Sat, 5 Dec 2009 03:27:33 -0500
Thread-Topic: [BEHAVE] proprietary implementation v.s standardisedprotocols//re: draft-xu-behave-nat-state-sync-00
Thread-Index: Acp0ZAZpBaJ+ST6SRVG/t5m2buoIgwBIMREP
Message-ID: <C73F5975.B918%rpenno@juniper.net>
In-Reply-To: <4B1834F8.3020903@viagenie.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-Entourage/13.0.0.090609
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: 'Xu, Cameron Byrne <cb.list6@gmail.com>, "behave@ietf.org" <behave@ietf.org>, Xiaohu' <xuxh@huawei.com>, Dan Wing <dwing@cisco.com>
Subject: Re: [BEHAVE] proprietary implementation v.s standardisedprotocols//re: draft-xu-behave-nat-state-sync-00
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Dec 2009 08:34:01 -0000

A few comments inline...


On 12/3/09 2:00 PM, "Simon Perreault" <simon.perreault@viagenie.ca> wrote:
> 
>> I re-read a _single_ section of NAT64 (3.2.4.  ICMP Query Session Handling).
>> I found that developers have the following choices (and this does not go
>> into implementation details):
>> 
>> * Local Security Policy can drop ICMPv6 packets (yes/no)
>> * Local Security Policy can drop ICMPv6 packets configurable per
>>   interface/rule/etc (yes/no for each one)> * ICMPv4 message will be sent
>> back to sender (yes/no/configurable)
>> * ICMPv4 message will be sent back to sender per configuration
>>   interface/nat rule/etc (yes/no each one)
>> * ICMPv4 message will be sent back to sender in case of filtering
>>   (yes/no/configurable)
>> * ICMPv4 message will be sent back to sender per configuration
>>   (interface/rule/etc)
> 
> These do not affect state.

Why not? If a certain mapping on NAT64-A does not send ICMPv4 packets back
for unsolicited sessions and another mapping does, this behavior must remain
the same on the fail-over box.

NAT state is the mapping state + ICMP behavior (discussed above) + filtering
behavior + timer settings (discussed below for ICMP) + log behavior
(yes/no/format) + others not discussed. Each of these can be different for
different NAT entries.

> 
>> * ICMPv6 lifetime can be configurable (yes/no)
>> * ICMPv6 lifetime can be configurable within a certain range (yes/no)
>> * ICMPv6 lifetime can be configurable with a granularity of ms/seconds/etc
>>   (yes/no)
>> * ICMPv4 lifetime can be configurable (yes/no)
>> * ICMPv4 lifetime can be configurable within a certain range (yes/no)
>> * ICMPv4 lifetime can be configurable with a granularity of ms/seconds/etc
>>   (yes/no)
> 
> 
> 
>> Can you elaborate on which tests need to be done in order to guarantee that
>> this scenario will work between two different vendors?
> 
> So you mean that because vendor A and vendor B will not swear that each
> other's This 
> statement
> has nothing to do with NATs and applies in many other cases you know...
> 

Some people made the opposite case and it brings to some of the basics. NAT
operational complexity is high and therefore brings special requirements to
the table. Based on your statement it seems you think there are similar
cases. 

Can you give an example that has the same characteristics as hot-standby for
NATs based on the few things that were discussed? If there are we should
look into how hot-standy across different devices & vendors was achieved in
that case.


>> Finally, If you pin down all specific behavior you need within all possible
>> permutations of different vendors, weigh the operational cost of a
>> multi-dimensional testing to find two boxes that can provide the High
>> Availability with the NAT behavior you need, I think you will find out that
>> NAT64-A and NAT64-B are made by the same vendor.
> 
> That could very well be true. It is also often the case for e.g. BGP speakers.
> But some people like to run stuff from multiple vendors. And it works, and it
> has advantages and disadvantages. Tradeoffs, etc.
> 
> Thanks,
> Simon