Re: [BEHAVE] New Version Notification for draft-nishizuka-cgn-deployment-considerations-00.txt
Dan Wing <dwing@cisco.com> Thu, 04 April 2013 16:04 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9AE921F95DB for <behave@ietfa.amsl.com>; Thu, 4 Apr 2013 09:04:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gYXuvBmBRohO for <behave@ietfa.amsl.com>; Thu, 4 Apr 2013 09:04:45 -0700 (PDT)
Received: from mtv-iport-4.cisco.com (mtv-iport-4.cisco.com [173.36.130.15]) by ietfa.amsl.com (Postfix) with ESMTP id 6909821F958A for <behave@ietf.org>; Thu, 4 Apr 2013 09:04:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10771; q=dns/txt; s=iport; t=1365091485; x=1366301085; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=ky3SKnrKnKEKcZmb9tFj91In+0uHPK74EUGNEkSdutk=; b=jCX4D1pP+jP7XC71WAlJuwhWt7ryuP0kf/oCCZ6KnDbNEwDhEOlIkdDz WPFDd4jJ4rlupVm8O0SQw2HqIf29xrBoIQYuYASjeTvK1sC3KupUvnOYe sxaFbDF7G3ivQu0JI9KVgbRUb2W0C1vgsap2mpIuraKCNwAWVXW6P1JKg M=;
X-IronPort-AV: E=Sophos;i="4.87,410,1363132800"; d="scan'208";a="77760420"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by mtv-iport-4.cisco.com with ESMTP; 04 Apr 2013 16:04:45 +0000
Received: from [10.21.74.54] ([10.21.74.54]) by mtv-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id r34G4hAT017455; Thu, 4 Apr 2013 16:04:44 GMT
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Dan Wing <dwing@cisco.com>
In-Reply-To: <515CE7C7.2040605@nttv6.jp>
Date: Thu, 04 Apr 2013 09:04:44 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <ED5A90B6-5398-469F-8B6E-B5AAAF7067DA@cisco.com>
References: <CB1B483277FEC94E9B58357040EE5D0232430EAE@xmb-rcd-x15.cisco.com> <515CE7C7.2040605@nttv6.jp>
To: kaname nishizuka <kaname@nttv6.jp>
X-Mailer: Apple Mail (2.1503)
Cc: Shin Miyakawa <miyakawa@nttv6.jp>, "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] New Version Notification for draft-nishizuka-cgn-deployment-considerations-00.txt
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2013 16:04:46 -0000
On Apr 3, 2013, at 7:39 PM, kaname nishizuka <kaname@nttv6.jp> wrote: > Thank you for your comments, > >> [Senthil] Most of the NATs use the entire port space from 1024-65536, did you find differently? >> >> If you had used the entire port space, you would only require 1526 addresses instead of 3051. >> >> I think not using the 1024-32768 is not practical and inefficient. > What you pointed out is reasonable enough, but our concern is that there are de-facto well-known port in 1024-32768 like 1433/tcp. > Especially in the static assignment, the subscriber who has a "dirty" range would be attacked more frequently than others. No more so than every subscriber is being attacked on those ports today, when subscribers are getting the entire port range. -d > We know that most of the NATs use the entire port space from 1024-65536, but we described it in the most safe side. > As you mentioned, the ratio of dynamic:static is the same. > > >> [Senthil] I think it should be mentioned that with binary format for the above logging information, you need 26 bytes. >> >> Transport Protocol - 1 byte >> >> Source IP address:port – 6 bytes >> Source IP address:port after translation – 6 bytes >> Timestamp – 8 bytes >> >> Add/Delete – 1 byte >> >> Subscriber ID/VRF ID – 4 bytes >> > I agree with that. It's useful and it supports the logic. > > Thanks, > kaname > > (2013/04/03 7:03), Senthil Sivakumar (ssenthil) wrote: >> Hi Kaname, >> It is a pretty interesting study. I have a few comments on the sections on your IP address requirements calculations.In the dynamic assignment, the ports of pool address are allocated >> >> >> >> >> >> " # of pool address (P) = # of Subscriber (S) * a * N / (65536 - R) >> >> Here, (R) is reserved TCP/UDP port list referred in >> [I-D.donley-behave-deterministic-cgn<http://tools.ietf.org/html/draft-nishizuka-cgn-deployment-considerations-00#ref-I-D.donley-behave-deterministic-cgn>]. CGN should eliminate the >> wellknown ports (0-1023 for TCP and UDP) to avoid the bad >> interpretation from destination servers. It is natural to translate >> source port of outgoing packet to ephemeral ports. The ports after >> 32768 is considered to be used without any problems because ephemeral >> ports are 32768-61000 for Linux and 49152-65535 in the IANA >> recommendations. As the result, 3,051 pool addresses are sufficient >> for 1,000,000 subscribers. The feasibility of configuration was >> confirmed in the verification." >> >> [Senthil] Most of the NATs use the entire port space from 1024-65536, did you find differently? >> >> If you had used the entire port space, you would only require 1526 addresses instead of 3051. >> >> I think not using the 1024-32768 is not practical and inefficient. >> >> >> >> On the other hand, in static assignment, the ports are allocated a >> priori for every users. The pool addresses and ports are reserved to >> every users, so most of them could be a dead stock because there are >> light users and heavy users in aspect of port consumption. The max >> number of port consumption in all subscribers is the key value for >> static assignment. The true peak number of the session by a heavy >> user could be over 10,000 sessions. However it is assumed that such >> a severe consumption of ports to be an abuse, so the number of >> statically assigned port (M) is controllable parameter by each >> providers. In the static assignment, the required number of the pool >> address is as follows: >> >> # of pool address (P) = # of Subscriber (S) * M / (65536 - R) >> >> Taking account into the investigation of number of sessions of >> applications, the desirable value of (M) is over 1,000. As the >> result, no less than 30,517 pool addresses are needed for 1,000,000 >> subscribers. The compression ratio is one tenth of the case of >> dynamic assignment." >> >> >> [Senthil] Going by the same standards of using the entire available port range, you should require 15259 addresses. >> But the point is the cost of static allocation to dynamic allocation is 10:1, which is huge and given the fact there is only so little >> address space that is available, it should be used efficiently. Just by looking at that calculation, it seems amply clear that dynamic is preferred over static, >> as you have noted. >> That leads us to the next topic on logging. >> >> >> >> " In addition, the indicator of the allocation and deallocation are >> needed because it assures that the identified subscriber certainly >> had been using the translated IP address and port. Plus, including >> the index of the CGN host, the average size of NAT log is about 120 >> byte in ASCII format. Every active subscriber generate 400 sessions >> in average for a certain amount of time. It is assumed that the >> event happens every 5 minute in the most severe condition. The size >> of the log (L) for time frame (T) can be estimated as follows: >> >> The size of log (L) = # of Subscriber (S) * a * N * 120byte * 2 * ( >> Time frame(T) / 5 min. ) >> >> >> >> It should be noted that the log is generated at the timing of NAT >> table creation and freeing. As the result, for 1,000,000 users, the >> size of log is piled up to 6.4 terabytes per day. The verification >> result confirm the existing estimation referred in >> [I-D.donley-behave-deterministic-cgn<http://tools.ietf.org/html/draft-nishizuka-cgn-deployment-considerations-00#ref-I-D.donley-behave-deterministic-cgn>]." >> >> [Senthil] I think it should be mentioned that with binary format for the above logging information, you need 26 bytes. >> >> Transport Protocol - 1 byte >> >> Source IP address:port – 6 bytes >> Source IP address:port after translation – 6 bytes >> Timestamp – 8 bytes >> >> Add/Delete – 1 byte >> >> Subscriber ID/VRF ID – 4 bytes >> >> >> I would help a lot to add the binary logging calculation in addition to the ascii format to help people choose the right method for them. >> >> Going by the same formula you need 1.36 TB/day with binary logging. Assuming that the compression ratio is the same >> >> For both ascii and binary data, you have 1/4-1/5th of advantage with binary logging. >> >> You spread the cost of 1.36TB across a 1,000,000 subscribers assuming cost of 1TB is US$80, >> >> we come to 0.00008 cents/subscriber/day or 0.024 cents/subscriber/month. Even with ASCII logging requirements this doesn’t sound like a mammoth cost. >> >> Sure, there are other operating expenses involved but comparing that with the efficiency of a dynamic port allocation mechanism and requiring 10 times less >> >> public addresses seems to be a compelling winning argument than changing every CGN implementation to save for logging costs. >> >> >> Thanks >> >> Senthil >> >> >> >> >> >> >> >> >> From: kaname nishizuka <kaname@nttv6.jp<mailto:kaname@nttv6.jp>> >> Date: Tuesday, April 2, 2013 4:37 AM >> To: "behave@ietf.org<mailto:behave@ietf.org>" <behave@ietf.org<mailto:behave@ietf.org>> >> Cc: Shin Miyakawa <miyakawa@nttv6.jp<mailto:miyakawa@nttv6.jp>> >> Subject: [BEHAVE] Fwd: New Version Notification for draft-nishizuka-cgn-deployment-considerations-00.txt >> >> >> Dear all, >> >> I'm kaname from NTT communications in Japan. >> We are testing CGN under the support of Japanese Government. >> Now, we've uploaded a new draft based on the result of our verification. >> The useful information about the average consumption of the ports are available on the document. >> Please look through it, and all kind of feedback are welcome. >> >> By conducting realistic experiment, this draft is answering to "draft-ietf-behave-lsn-requirements-10" which will be the newest RFC very soon. >> >> The document is *NOT* intended to be Standards Track. It's for Informational. >> The wrong description is just mere mistake, so we'll soon correct it in the next revision. >> >> The full report of our work will be available soon on the Web in English. >> I'll also announce it when it's available to this mailing-list. >> >> Best regards, >> >> kaname >> >> >> >> >> >> -------- Original Message -------- >> Subject: New Version Notification for draft-nishizuka-cgn-deployment-considerations-00.txt >> Date: Thu, 28 Mar 2013 07:12:25 -0700 >> From: internet-drafts@ietf.org<mailto:internet-drafts@ietf.org> >> To: kaname@nttv6.jp<mailto:kaname@nttv6.jp> >> >> >> >> A new version of I-D, draft-nishizuka-cgn-deployment-considerations-00.txt >> has been successfully submitted by Kaname Nishizuka and posted to the >> IETF repository. >> >> Filename: draft-nishizuka-cgn-deployment-considerations >> Revision: 00 >> Title: Carrier-Grade-NAT (CGN) Deployment Considerations. >> Creation date: 2013-03-29 >> Group: Individual Submission >> Number of pages: 16 >> URL: http://www.ietf.org/internet-drafts/draft-nishizuka-cgn-deployment-considerations-00.txt >> Status: http://datatracker.ietf.org/doc/draft-nishizuka-cgn-deployment-considerations >> Htmlized: http://tools.ietf.org/html/draft-nishizuka-cgn-deployment-considerations-00 >> >> >> Abstract: >> This document provides deployment considerations for Carrier-Grade- >> NAT (CGN) based on the verification result include the investigation >> of the number of sessions of applications. The verification was >> conducted in StarBED which is one of the largest scale network >> experiment environment in Japan. A million of subscribers was >> emulated and it revealed the realistic behavior of CGN. >> >> >> >> >> The IETF Secretariat >> >> >> >> >> >> >> >> -- >> ---- >> Kaname Nishizuka >> Innovative Architecture Center >> NTT Communications Corporation >> +81-50-3812-4704 >> > > > -- > ---- > Kaname Nishizuka > Innovative Architecture Center > NTT Communications Corporation > +81-50-3812-4704 > > _______________________________________________ > Behave mailing list > Behave@ietf.org > https://www.ietf.org/mailman/listinfo/behave
- [BEHAVE] Fwd: New Version Notification for draft-… kaname nishizuka
- Re: [BEHAVE] New Version Notification for draft-n… Dan Wing
- Re: [BEHAVE] New Version Notification for draft-n… Rajiv Asati (rajiva)
- Re: [BEHAVE] Fwd: New Version Notification for dr… Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] New Version Notification for draft-n… Simon Perreault
- Re: [BEHAVE] Fwd: New Version Notification for dr… Simon Perreault
- Re: [BEHAVE] Fwd: New Version Notification for dr… Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] Fwd: New Version Notification for dr… Simon Perreault
- Re: [BEHAVE] Fwd: New Version Notification for dr… Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] Fwd: New Version Notification for dr… Howard, Lee
- Re: [BEHAVE] New Version Notification for draft-n… kaname nishizuka
- Re: [BEHAVE] New Version Notification for draft-n… Dan Wing
- Re: [BEHAVE] Fwd: New Version Notification for dr… kaname nishizuka
- Re: [BEHAVE] Fwd: New Version Notification for dr… Simon Perreault
- Re: [BEHAVE] New Version Notification for draft-n… Dan Wing
- Re: [BEHAVE] Fwd: New Version Notification for dr… Rajiv Asati (rajiva)
- Re: [BEHAVE] Fwd: New Version Notification for dr… Simon Perreault
- Re: [BEHAVE] Fwd: New Version Notification for dr… kaname nishizuka
- Re: [BEHAVE] Fwd: New Version Notification for dr… Rajiv Asati (rajiva)