Re: [BEHAVE] [OPSAWG] Out of port errors, resource errors in NAT MIB
Tom Taylor <tom.taylor.stds@gmail.com> Tue, 28 October 2014 20:47 UTC
Return-Path: <tom.taylor.stds@gmail.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D66B01A8AEC; Tue, 28 Oct 2014 13:47:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rNTA1B8JiDnJ; Tue, 28 Oct 2014 13:47:44 -0700 (PDT)
Received: from mail-ie0-x22b.google.com (mail-ie0-x22b.google.com [IPv6:2607:f8b0:4001:c03::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62D391A8AE7; Tue, 28 Oct 2014 13:47:44 -0700 (PDT)
Received: by mail-ie0-f171.google.com with SMTP id x19so1617709ier.30 for <multiple recipients>; Tue, 28 Oct 2014 13:47:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=Lw2LDByxG6C39dIboJ+tBZJUmaFO3kO1w9JG8n6jzKA=; b=F1iH736UJ+mqRTjRfQKeD1rRZFkKZSGprGC2bnSS+VemTJktzls07A7bqV5s3YwH+4 UEj95ao0rvMHd5sYTqNAB6iTnyrgWhejJfLZrnGDHsHxcW9C+rRi4JfuUG71LV6aEbFl 6otWI99M0CS2siK3MFyZe5rAV99hEH2zJO4iMq+QmbUMPf870dpEYIORXICKcK0pJRw+ V4filOU58lx6drD2YKZNy4VgiKOpTr9STIze/ktwD3/HHmK28U3XUYia27REq4AybmAy ArvaBN0Eki4odl4UN17+tViSeyf/UDLCEcR7oR3e18TKZj0uICKhTZBJYHIoyfu97v7C 5NqQ==
X-Received: by 10.42.24.10 with SMTP id u10mr6362783icb.58.1414529263688; Tue, 28 Oct 2014 13:47:43 -0700 (PDT)
Received: from [192.168.0.102] (dsl-173-206-78-153.tor.primus.ca. [173.206.78.153]) by mx.google.com with ESMTPSA id 40sm1118126iom.43.2014.10.28.13.47.43 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 28 Oct 2014 13:47:43 -0700 (PDT)
Message-ID: <545000E7.50901@gmail.com>
Date: Tue, 28 Oct 2014 16:47:35 -0400
From: Tom Taylor <tom.taylor.stds@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: JF Tremblay <jean-francois.tremblay@viagenie.ca>
References: <544D772F.6060009@gmail.com> <CANO7kWCNnXN-+nzaygANpiXFcHxCepUiG3V9NLVaPDRoPjkHzw@mail.gmail.com> <544EEFEA.5040801@gmail.com> <ABF57D17-B040-4142-8369-E62B4F263A2A@viagenie.ca> <544FF421.60801@gmail.com> <BC969EED-3D7B-4994-B354-4875FFF6B110@viagenie.ca>
In-Reply-To: <BC969EED-3D7B-4994-B354-4875FFF6B110@viagenie.ca>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/behave/NPjp4A3nCbMRGw7TG6h3l86E640
Cc: "opsawg@ietf.org" <opsawg@ietf.org>, "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] [OPSAWG] Out of port errors, resource errors in NAT MIB
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 20:47:48 -0000
Response with [PTT2]. On 28/10/2014 4:34 PM, JF Tremblay wrote: > >> On Oct 28, 2014, at 3:53 PM, Tom Taylor <tom.taylor.stds@gmail.com> wrote: >> At the end with [PTT]. >> >> On 28/10/2014 12:00 PM, JF Tremblay wrote: >>> >>> >>> Let’s take a few examples of real-life CGN error cases (they are fairly common in my experience, but your-experience-may-vary-of-course): >>> 1. Out-of-ports because an administrative limit of port-per-user is reached. >>> 2. Out-of-ports because a single address doesn’t have enough available ports and address “pairing” is enforced. >>> 3. Out-of-ports/addresses because all addresses in all configured pools do not have enough available ports. >>> 4. Out-of-addresses because an administrative limit of users per address is reached on all addresses of all configured pools. >>> (in the above, “user” is loosely used as meaning a single inside source address) >>> ...>>> >> [PTT] Looks to me like the solution might be to have a counter per administrative limit, plus one each for can't allocate an address mapping, can't allocate an address-port mapping. > > Is that 4 counters? {admin | !admin} x { addresses | addresses-ports } > > For example: > natAdminOutOfAddressesDrops > natAdminOutOfAddressesPortsDrops > natOutOfPortsDrops > natOutOfAddressesPortsDrops > > Not sure natAdminOutOfAddressesPortsDrops above makes any sense. An administrative policy will be on ports only. No implementation will specify a limit in address-ports (even if this is what it is, actually). > > Suggestion: > natAdminOutOfAddressesDrops > natAdminOutOfPortsDrops > natOutOfPortsDrops > natOutOfAddressesPortsDrops > natResourceErrors > > Then the MIB behavior according to the scenarios above become: > > 1. natAdminOutOfPortsDrops++ > 2. natOutOfPortsDrops++ > 3. natOutOfAddressesPortsDrops++ > 4. natAdminOutOfAddressesDrops++ > > Makes sense? > [PTT2] It works. If we keep to the MIB in its current form, we need two more administrative counters because we have two more limits: on fragments, and on number of subscribers with active mappings. >> Then a general "other resources" counter. > > Ok. (added above) > >> That's not distinguishing your cases 2 and 3, but based on what Simon was saying this seems less tied to implementation than trying to make that distinction. Case 3 should make itself evident in other ways (resource pool utilization). > > Agreed, “utilization” information would provide an indication of a problem, but it will not provide an indication of how severe the problem is or has been. By looking at a counter, an operator can get additional information (how many drops actually happened). > > JF > > >
- [BEHAVE] Major NAT MIB Issue: Notifications and p… Tom Taylor
- Re: [BEHAVE] [OPSAWG] Major NAT MIB Issue: Notifi… Simon Perreault
- [BEHAVE] Out of port errors, resource errors in N… Tom Taylor
- Re: [BEHAVE] Out of port errors, resource errors … Simon Perreault
- Re: [BEHAVE] Out of port errors, resource errors … JF Tremblay
- Re: [BEHAVE] [OPSAWG] Out of port errors, resourc… Tom Taylor
- Re: [BEHAVE] [OPSAWG] Out of port errors, resourc… JF Tremblay
- Re: [BEHAVE] [OPSAWG] Out of port errors, resourc… Tom Taylor
- Re: [BEHAVE] [OPSAWG] Major NAT MIB Issue: Notifi… Randy Presuhn
- Re: [BEHAVE] [OPSAWG] Major NAT MIB Issue: Notifi… Tom Taylor