Re: [BEHAVE] [OPSAWG] Out of port errors, resource errors in NAT MIB
JF Tremblay <jean-francois.tremblay@viagenie.ca> Tue, 28 October 2014 20:34 UTC
Return-Path: <jean-francois.tremblay@viagenie.ca>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40D4A1ACE15; Tue, 28 Oct 2014 13:34:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.604
X-Spam-Level:
X-Spam-Status: No, score=-0.604 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, TRACKER_ID=1.306, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A1RVd2ZYrSuL; Tue, 28 Oct 2014 13:34:39 -0700 (PDT)
Received: from jazz.viagenie.ca (jazz.viagenie.ca [IPv6:2620:0:230:8000::2]) by ietfa.amsl.com (Postfix) with ESMTP id BDF0F1ACDEC; Tue, 28 Oct 2014 13:34:38 -0700 (PDT)
Received: from h200.viagenie.ca (h200.viagenie.ca [206.123.31.200]) by jazz.viagenie.ca (Postfix) with ESMTPSA id D9A16400A5; Tue, 28 Oct 2014 16:34:37 -0400 (EDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_13E9AC79-E623-4BC1-B3F9-81E672023DFC"
Mime-Version: 1.0 (Mac OS X Mail 8.0 \(1990.1\))
From: JF Tremblay <jean-francois.tremblay@viagenie.ca>
In-Reply-To: <544FF421.60801@gmail.com>
Date: Tue, 28 Oct 2014 16:34:37 -0400
Message-Id: <BC969EED-3D7B-4994-B354-4875FFF6B110@viagenie.ca>
References: <544D772F.6060009@gmail.com> <CANO7kWCNnXN-+nzaygANpiXFcHxCepUiG3V9NLVaPDRoPjkHzw@mail.gmail.com> <544EEFEA.5040801@gmail.com> <ABF57D17-B040-4142-8369-E62B4F263A2A@viagenie.ca> <544FF421.60801@gmail.com>
To: Tom Taylor <tom.taylor.stds@gmail.com>
X-Mailer: Apple Mail (2.1990.1)
Archived-At: http://mailarchive.ietf.org/arch/msg/behave/inLYsmBpfhOH9cyjh79H32Zwzbk
Cc: "opsawg@ietf.org" <opsawg@ietf.org>, "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] [OPSAWG] Out of port errors, resource errors in NAT MIB
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 20:34:40 -0000
> On Oct 28, 2014, at 3:53 PM, Tom Taylor <tom.taylor.stds@gmail.com> wrote: > At the end with [PTT]. > > On 28/10/2014 12:00 PM, JF Tremblay wrote: >> >> >> Let’s take a few examples of real-life CGN error cases (they are fairly common in my experience, but your-experience-may-vary-of-course): >> 1. Out-of-ports because an administrative limit of port-per-user is reached. >> 2. Out-of-ports because a single address doesn’t have enough available ports and address “pairing” is enforced. >> 3. Out-of-ports/addresses because all addresses in all configured pools do not have enough available ports. >> 4. Out-of-addresses because an administrative limit of users per address is reached on all addresses of all configured pools. >> (in the above, “user” is loosely used as meaning a single inside source address) >> >> MIB behaviour (in my opinion): >> 1. natQuotaDrops incremented >> 2. Is natQuotaDrops or natOutOfPortErrors incremented? The MIB prohibits incrementing both. natOutOfPortsError would probably be preferable. >> 3. natOutOfAddressPortErrors incremented >> 4. natQuotaDrops incremented (probably) >> >> Suggestion: >> natQuotaDrops could be split in natAddressQuotaDrops and natPortsQuotaDrops. It would make it somewhat clearer that a "per port” or a “per address” policy is involved. >> > [PTT] Looks to me like the solution might be to have a counter per administrative limit, plus one each for can't allocate an address mapping, can't allocate an address-port mapping. Is that 4 counters? {admin | !admin} x { addresses | addresses-ports } For example: natAdminOutOfAddressesDrops natAdminOutOfAddressesPortsDrops natOutOfPortsDrops natOutOfAddressesPortsDrops Not sure natAdminOutOfAddressesPortsDrops above makes any sense. An administrative policy will be on ports only. No implementation will specify a limit in address-ports (even if this is what it is, actually). Suggestion: natAdminOutOfAddressesDrops natAdminOutOfPortsDrops natOutOfPortsDrops natOutOfAddressesPortsDrops natResourceErrors Then the MIB behavior according to the scenarios above become: 1. natAdminOutOfPortsDrops++ 2. natOutOfPortsDrops++ 3. natOutOfAddressesPortsDrops++ 4. natAdminOutOfAddressesDrops++ Makes sense? > Then a general "other resources" counter. Ok. (added above) > That's not distinguishing your cases 2 and 3, but based on what Simon was saying this seems less tied to implementation than trying to make that distinction. Case 3 should make itself evident in other ways (resource pool utilization). Agreed, “utilization” information would provide an indication of a problem, but it will not provide an indication of how severe the problem is or has been. By looking at a counter, an operator can get additional information (how many drops actually happened). JF
- [BEHAVE] Major NAT MIB Issue: Notifications and p… Tom Taylor
- Re: [BEHAVE] [OPSAWG] Major NAT MIB Issue: Notifi… Simon Perreault
- [BEHAVE] Out of port errors, resource errors in N… Tom Taylor
- Re: [BEHAVE] Out of port errors, resource errors … Simon Perreault
- Re: [BEHAVE] Out of port errors, resource errors … JF Tremblay
- Re: [BEHAVE] [OPSAWG] Out of port errors, resourc… Tom Taylor
- Re: [BEHAVE] [OPSAWG] Out of port errors, resourc… JF Tremblay
- Re: [BEHAVE] [OPSAWG] Out of port errors, resourc… Tom Taylor
- Re: [BEHAVE] [OPSAWG] Major NAT MIB Issue: Notifi… Randy Presuhn
- Re: [BEHAVE] [OPSAWG] Major NAT MIB Issue: Notifi… Tom Taylor