Re: [BEHAVE] review of draft-penno-behave-rfc4787-5382-5508-bis

ivan c <ivan@cacaoweb.org> Tue, 18 June 2013 16:50 UTC

Return-Path: <ivan@cacaoweb.org>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F2E621F9A5F for <behave@ietfa.amsl.com>; Tue, 18 Jun 2013 09:50:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.25
X-Spam-Level:
X-Spam-Status: No, score=-2.25 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, J_CHICKENPOX_25=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kn-jaAtfrgM9 for <behave@ietfa.amsl.com>; Tue, 18 Jun 2013 09:49:58 -0700 (PDT)
Received: from mail.cacaoweb.org (mail.cacaoweb.org [46.105.102.78]) by ietfa.amsl.com (Postfix) with ESMTP id 47E8221F9A34 for <behave@ietf.org>; Tue, 18 Jun 2013 09:49:58 -0700 (PDT)
Received: from www-data by mail.cacaoweb.org with local (Exim 4.72) (envelope-from <ivan@cacaoweb.org>) id 1Uoz7I-000526-NC for behave@ietf.org; Tue, 18 Jun 2013 18:50:48 +0200
To: Behave <behave@ietf.org>
X-PHP-Originating-Script: 0:func.inc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Date: Tue, 18 Jun 2013 18:50:48 +0200
From: ivan c <ivan@cacaoweb.org>
Organization: cacaoweb
In-Reply-To: <51BFE896.2000006@lab.ntt.co.jp>
References: <3a724be2431cf7249b3d46cf378f85bf@cacaoweb.org> <51BFE896.2000006@lab.ntt.co.jp>
Message-ID: <1d235e99689e55aba94258ff65895f75@cacaoweb.org>
X-Sender: ivan@cacaoweb.org
User-Agent: RoundCube Webmail/0.3.1
Subject: Re: [BEHAVE] review of draft-penno-behave-rfc4787-5382-5508-bis
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ivan@cacaoweb.org
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jun 2013 16:50:03 -0000

Hi Kengo, 

See my answers interleaved below.

On Tue, 18 Jun 2013 13:56:54 +0900, Kengo Naito  wrote:   

>  Then, how about using 3.1.2.2 ? This alternative do not rewrite
> timestamps nor ISNs.
>  Also, I do not intend to make 3.1.2.1 "must", this is only one of
> alternatives. 

3.1.2.1 will be most definitely frowned upon. Before suggesting such
alternative, the benefits need to be quantified in terms of CGN resources
usage. Is the TIME_WAIT state really that much of an issue for CGN resource
utilization? It looks to me as a micro-optimization. Of course, this can
still be suggested as a MAY in the document (as it's an interesting idea).

3.1.2.2 I was unable to fully grasp the idea and its relationship with the
TIME_WAIT state, it would be nice if you could elaborate on this.

3.1.2.3 you're mangling with the TCP protocol itself, which is arguably
even more intrusive than mangling with so fields in the TCP header like in
3.1.2.1

3.1.2.4 I don't think that RFC6191 is widely deployed, do you have any
reference for this?


> In
> the draft, I meant that Port overlapping behavior can only be used when
the
> 5-tupple of connections are different.
> So I think it is a bit different from overlapping behavior you wrote.
> Does this behavior cause any bad effect?


There are a few issues with the section 4. of the draft.

Quoting: "This document clarifies that this port
   overlapping behavior can be extended to connections originating from
   different interal source IP:ports as long as their destinations are
   different.  This known as EDM (Endpoint Dependent Mapping)."

No, EDM, EIM, always refer to sessions originating from the *same local
endpoint*.
Here you are describing a "port overlapping" behavior for sessions
originating from distinct endpoints. This is known as "port overloading".
EDM refers to the case where we can sometimes "break" the EIM requirement,
for example when we know it doesn't adversely affect the application (such
as with HTTP).

In your second paragraph, you clearly describe the "port overloading"
behavior. Thus, I think you should drop the "port overlapping" terminology,
replace it with "port overloading", and don't mention EDM
(Endpoint-Dependent Mapping), which is not directly related to the topic.

Port overloading does not have any bad effects. Of course, as long as the
5-tuple uniqueness is preserved by the NAT, which is a MUST in any case.
However, doing aggressive port overloading generates opportunities for
collisions, which must be dealt with by dropping a session or breaking the
EIM requirement, which is a serious problem for UDP, but not so much for
TCP. Such collision events remain rare, and it is OK to break EIM sometimes
for TCP, as the application can make a retry (using a new ephemeral local
port), that will most certainly work the second time.


I can help you develop and improve the section 4. of the draft with you if
you'd like.



Regards,
Ivan