Re: [BEHAVE] proprietary implementation vs. standardised protocols // re: draft-xu-behave-nat-state-sync-00

"Joel M. Halpern" <jmh@joelhalpern.com> Wed, 02 December 2009 04:45 UTC

Message-ID: <4B15F0FC.5000509@joelhalpern.com>
Date: Tue, 01 Dec 2009 23:45:48 -0500
From: "Joel M. Halpern" <jmh@joelhalpern.com>
To: Cameron Byrne <cb.list6@gmail.com>
References: <4B156B5C.7060800@viagenie.ca> <003401ca72f1$7d0d0310$d40c6f0a@china.huawei.com> <000001ca72f4$1e1a30a0$c3f0200a@cisco.com> <bcff0fba0912012037m3c24bbccyf6d9dde59299362d@mail.gmail.com>
In-Reply-To: <bcff0fba0912012037m3c24bbccyf6d9dde59299362d@mail.gmail.com>
Cc: behave@ietf.org, Xu Xiaohu <xuxh@huawei.com>, Dan Wing <dwing@cisco.com>

I believe we have agreed that we want to support the configuration of 
multiple stateful NAT64s in a cluster sharing state (using the same 
prefix, backing each other up / sharing load / ... ).

While it is true that one can deploy that with solutions from a single 
vendor, it seems natural and consistent with the rest of what we do here 
that we want to allow folks to build such a cluster using devices from 
different vendors.  Arguing about why an operator might or might not do 
that is a waste of time.  Some will want multiple vendors.  Some will 
want a single vendor.  Some will want the ability to migrate to a new 
vendor.

For the IETF therefore, the protocol for the state sharing seems a 
sensible thing to standardize.

Yours,
Joel

Cameron Byrne wrote:
> On Tue, Dec 1, 2009 at 6:06 PM, Dan Wing <dwing@cisco.com> wrote:
>> ...
>>>> * Cluster = A set of synchronized NAT64 boxes sharing a
>>>> single Pref64::/n.
>>> Does that mean a set of NAT64 boxes within a cluster should
>>> be from a single vendor? If so, how to deal with the case that some
>>> abnormal packets cause NAT boxes (using the same OS) within a cluster
>>> to crash simultaneously due to a bug with that OS?
>> The vendor fixes the bug.
>>
> 
> 100% agree.  The counter to Xu Xiaohu's point is what happens when
> vendor X sends a buggy sync update to vendor Y, and now vendor Y
> crashes.... ok.  We traded one unlikely (but real) bad situation for
> another unlikely but bad situation.
> 
> 
>> The operational complexity of running two NATs, from two different vendors, is
>> very high:  different CLIs, different alarming/alerting (e.g., SYSLOG, SNMP,
>> per-session NAT logging), different features (e.g., IPsec Passthru, SCTP),
>> different implementation of features (e.g., TCP MSS adjustment, fragmentation
>> [timeouts?  how much memory dedicated to reassembly?  out-of-order packets
>> supported?]), bandwidth and throughput (Mbps, pps),  make it too hard to
>> operate both NATs.
> 
> 100% agree.
> 
>> To my knowledge, sites do not run two different implementations of DNS servers
>> (e.g., ISC BIND and InfoBlox, or Microsoft and Unbound) where both DNSs back
>> up each other.  Like NAT, DNS needs to be rock-solid reliable, and a single
>> packet could take out a DNS server.
>>
>> -d
>>
>> _______________________________________________
>> Behave mailing list
>> Behave@ietf.org
>> https://www.ietf.org/mailman/listinfo/behave
>>