IETF Logo Mail Archive

Re: [BEHAVE] proprietary implementation v.s standardised protocols //re: draft-xu-behave-nat-state-sync-00

<mohamed.boucadair@orange-ftgroup.com> Tue, 01 December 2009 07:18 UTC

Return-Path: <mohamed.boucadair@orange-ftgroup.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 40F203A6B08 for <behave@core3.amsl.com>; Mon, 30 Nov 2009 23:18:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.83
X-Spam-Level:
X-Spam-Status: No, score=-1.83 tagged_above=-999 required=5 tests=[AWL=0.419, BAYES_00=-2.599, HELO_EQ_FR=0.35, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wl0ZwLARKpCO for <behave@core3.amsl.com>; Mon, 30 Nov 2009 23:18:39 -0800 (PST)
Received: from relais-inet.francetelecom.com (relais-ias244.francetelecom.com [80.12.204.244]) by core3.amsl.com (Postfix) with ESMTP id 37E723A6948 for <behave@ietf.org>; Mon, 30 Nov 2009 23:18:38 -0800 (PST)
Received: from omfeda06.si.francetelecom.fr (unknown [xx.xx.xx.199]) by omfeda11.si.francetelecom.fr (ESMTP service) with ESMTP id 3D74B1B81D1; Tue, 1 Dec 2009 08:18:30 +0100 (CET)
Received: from PUEXCH11.nanterre.francetelecom.fr (unknown [10.101.44.27]) by omfeda06.si.francetelecom.fr (ESMTP service) with ESMTP id 24559C8056; Tue, 1 Dec 2009 08:18:30 +0100 (CET)
Received: from PUEXCB1B.nanterre.francetelecom.fr ([10.101.44.14]) by PUEXCH11.nanterre.francetelecom.fr ([10.101.44.27]) with mapi; Tue, 1 Dec 2009 08:18:29 +0100
From: mohamed.boucadair@orange-ftgroup.com
To: Cameron Byrne <cb.list6@gmail.com>
Date: Tue, 01 Dec 2009 08:18:29 +0100
Thread-Topic: [BEHAVE] proprietary implementation v.s standardised protocols //re: draft-xu-behave-nat-state-sync-00
Thread-Index: Acpx4UCfhzbdlnD4Q/6tRND1vjAbqAAcBtQQ
Message-ID: <2931_1259651910_4B14C346_2931_18116_1_94C682931C08B048B7A8645303FDC9F30EF2773DE5@PUEXCB1B.nanterre.francetelecom.fr>
References: <21422_1258094445_4AFCFF6D_21422_40641_1_94C682931C08B048B7A8645303FDC9F307914E625D@PUEXCB1B.nanterre.francetelecom.fr> <003401ca6db6$c2f6cc70$d40c6f0a@china.huawei.com> <bcff0fba0911250950k32af6c90pcc9de022d485d068@mail.gmail.com> <1001_1259222661_4B0E3685_1001_588_1_94C682931C08B048B7A8645303FDC9F307919CD022@PUEXCB1B.nanterre.francetelecom.fr> <bcff0fba0911260943q5a30a94fwe4b7ba67c8303bda@mail.gmail.com> <29016_1259585670_4B13C086_29016_21104_1_94C682931C08B048B7A8645303FDC9F30EF2773AF9@PUEXCB1B.nanterre.francetelecom.fr> <bcff0fba0911300919h7192f2eev64528c864a300cb1@mail.gmail.com>
In-Reply-To: <bcff0fba0911300919h7192f2eev64528c864a300cb1@mail.gmail.com>
Accept-Language: fr-FR
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: fr-FR
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-PMX-Version: 5.5.7.378829, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2009.12.1.61222
Cc: "behave@ietf.org" <behave@ietf.org>, Xu Xiaohu <xuxh@huawei.com>
Subject: Re: [BEHAVE] proprietary implementation v.s standardised protocols //re: draft-xu-behave-nat-state-sync-00
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2009 07:18:40 -0000

Dear Cameron, 

Please see inline.

Cheers,
Med 

-----Message d'origine-----
De : Cameron Byrne [mailto:cb.list6@gmail.com] 
Envoyé : lundi 30 novembre 2009 18:19
À : BOUCADAIR Mohamed NCPI/NAD/TIP
Cc : Xu Xiaohu; Brian E Carpenter; behave@ietf.org
Objet : Re: [BEHAVE] proprietary implementation v.s standardised protocols //re: draft-xu-behave-nat-state-sync-00

On Mon, Nov 30, 2009 at 4:54 AM,  <mohamed.boucadair@orange-ftgroup.com> wrote:
>
> Dear Cameron,
>
> The issue you are describing is more about load distribution rather than NAT state sync.

Correct, i believe we can best provide service availability in the
macro network with DNS64 controlled load distribution.  NAT sync in
the macro network faces too many challenges to be useful

>
> I agree with the requirement you have (BTW, similar solutions exist for the selection of the outbound proxy SIP) but this may be easy to implement with stateless NATxy rather than stateful one since the path MUST be symmetric (the same NAT device must be crossed) and appropriate routing actions should be undertaken to redirect the traffic to the appropriate NATxy device. If you have a fully distributed NATxy and all advertise the same IPv4 net, then the symmetry requirement is difficult to meet. Not to mention that the load should be controlled in both sides of the NAT.
>

Unfortunately, i have yet to find an useful application for stateless
NATxy in my network.  The NAT44 i have deployed today require
multiplexing many users behind a small pool public IP address.
Changing the source from IPv4 to IPv6 will face the same limitation
that requires multiplexing many users behind a few IPv4 addresses and
consequently requires a stateful multiplexed solution.

Med: Good point. I fully agree that 1:1 mapping can be used only if we have sufficient IPv4 addresses. Otherwise, shared IPv4 address (e.g., stateful NAT64, stateless a+p, etc.) should be used instead. 

Regarding symmetrical flows, I don't really understand your comment.

Med: The comment is that for stateful mode, the same NAT device should be used for both flow directions otherwise communications will fail.
This requirement is difficult to implement if all NAT devices "represent" the same IPv4 address pool and a distributed mode is adopted (not located in the same zone/cluster).

I don't support the idea of macro network state sync, and i do see
that people who try to deploy that will have a symmetry issue.

My expectation is that each stateful NAT64 (local 1+1) with a unique
PREF64 will advertise a unique IPv4 prefix, so the flows are always
symmetric.

Med: With these conditions, the symmetry requirement is met.

The entire network has many stateful NAT64 (local 1+1) and
the translation load and resiliency is solved by distributing these
autonomous building blocks of capacity and availability throughout the
network.

Med: This leads to 2*N model and not N+1. N+1 model can easily be deployed owing to 
(1) appropriate setting of routing weights
(2) all static mapping will be backuped
(3) states with short duration are not backuped. Only states with "long" lifetime will be secured.  

Does this model make sense?


> Cheers,
> Med
>
>
> -----Message d'origine-----
> De : Cameron Byrne [mailto:cb.list6@gmail.com]
> Envoyé : jeudi 26 novembre 2009 18:43
> À : BOUCADAIR Mohamed NCPI/NAD/TIP
> Cc : Xu Xiaohu; Brian E Carpenter; behave@ietf.org
> Objet : Re: [BEHAVE] proprietary implementation v.s standardised protocols //re: draft-xu-behave-nat-state-sync-00
>
> On Thu, Nov 26, 2009 at 12:04 AM,  <mohamed.boucadair@orange-ftgroup.com> wrote:
>>
>> Dear Cameron,
>>
>> This may be true for 1+1 redundancy schemes, but what about N+1 ones?
>
> In other threads i have proposed using multiple  NAT64 / PREF64 pairs
> handed out by the DNS64, and having feedback from the NAT64 to the
> DNS64 to communicate health of NAT64 box such that the PREF64 can be
> taken out of rotation if needed by the DNS64.  This is how global site
> load balancing works today for web sites and CDNs.  I do expect this
> type of implementation to have NAT64 in 1+1 for local instant fault
> tolerance and the DNS64 to be a more macro level recovery and load
> sharing technique
>
> If can't get it into the standard, i can get a vendor to do it.  And,
> if i can't get a vendor to do it i can probably rig it myself with a
> perl script to SNMP poll the NAT64 for health and load and reset the
> DNS64 config automatically to redirect traffic from bad PREF64 /
> NAT64s to good PREF64 NAT64s
>
> I know the tricks that global site load balancing does are not pure,
> but my perpective is that this is the reality of the internet, it is
> the only way google, facebook, yahoo can scale.  It is the only way
> NAT64 can scale linearly as a system of hardware building blocks and
> survive at a macro level.
>
> Cameron
>
>>
>> Cheers
>> Med
>>
>>
>> -----Message d'origine-----
>> De : Cameron Byrne [mailto:cb.list6@gmail.com]
>> Envoyé : mercredi 25 novembre 2009 18:50
>> À : Xu Xiaohu
>> Cc : BOUCADAIR Mohamed NCPI/NAD/TIP; Brian E Carpenter; behave@ietf.org
>> Objet : Re: [BEHAVE] proprietary implementation v.s standardised protocols //re: draft-xu-behave-nat-state-sync-00
>>
>> On Wed, Nov 25, 2009 at 2:05 AM, Xu Xiaohu <xuxh@huawei.com> wrote:
>>>
>>>> -----邮件原件-----
>>>> 发件人: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] 代表
>>>> mohamed.boucadair@orange-ftgroup.com
>>>> 发送时间: 2009年11月13日 14:41
>>>> 收件人: Brian E Carpenter; behave@ietf.org
>>>> 主题: Re: [BEHAVE] draft-xu-behave-nat-state-sync-00
>>>>
>>>>
>>>> Dear all,
>>>>
>>>> I guess that the question should be asked priori to yours:
>>>>
>>>> Do we let vendors define their proprietary solutions or does the IETF define
>>>> a solution based on standardised protocols to achieve reliable state
>>>> synchronisation?
>>>
>>> For a small enterprise network, maybe it's acceptable to deploy two or more NAT boxes purchased from the same vendor for redundancy. However, for a large ISP network or large enterprise network, it is not reliable enough. For example, an abnormal packet will cause the router OS to crash, it is not absolutely acceptable. Hence I believe the standardization of NAT redundancy is necessary.
>>>
>>
>> In the large scale NAT44 we run today, all vendors have 1+1
>> proprietary state sync.  They also sync configuration and other OAM
>> elements over this sync channel.  I do not think it is at all required
>> for vendors to have a standard state sync.  If I deploy multiple
>> vendors for NAT, i will keep the 1+1 pairs of the same vendor and use
>> different vendor 1+1 pairs for higher level network topology driven
>> redundancy, not local state synchronization.
>>
>> Cameron Byrne
>> Principal Engineer
>> T-Mobile USA
>>
>>> Xiaohu
>>>
>>>
>>>> From a service provider perspective, I'd like to see a solution with IETF stamp
>>>> so as to be included in our RFPs/analysis. Vendors are then free to propose
>>>> more reliable solutions, if any, compared to the one standardised by IETF.
>>>>
>>>> Cheers,
>>>> Med
>>>>
>>>>
>>>> -----Message d'origine-----
>>>> De : behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] De la part de
>>>> Brian E Carpenter
>>>> Envoyé : vendredi 13 novembre 2009 02:55
>>>> À : behave@ietf.org
>>>> Objet : [BEHAVE] draft-xu-behave-nat-state-sync-00
>>>>
>>>> My question about this draft is whether there is available code and
>>>> implementation experience with SCSP, which was defined in 1998.
>>>>
>>>> If there isn't code and experience, since it is a quite complex design, I would
>>>> be a bit worried.
>>>>
>>>> On the other hand, I believe that something of the complexity of SCSP is
>>>> absolutely required to provide reliable synchronisation.
>>>> There is no simple, lightweight way to do this reliably.
>>>>
>>>>     Brian
>>>>
>>>> _______________________________________________
>>>> Behave mailing list
>>>> Behave@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/behave
>>>>
>>>> *********************************
>>>> This message and any attachments (the "message") are confidential and intended
>>>> solely for the addressees.
>>>> Any unauthorised use or dissemination is prohibited.
>>>> Messages are susceptible to alteration.
>>>> France Telecom Group shall not be liable for the message if altered, changed
>>>> or falsified.
>>>> If you are not the intended addressee of this message, please cancel it
>>>> immediately and inform the sender.
>>>> ********************************
>>>>
>>>> _______________________________________________
>>>> Behave mailing list
>>>> Behave@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/behave
>>>
>>> _______________________________________________
>>> Behave mailing list
>>> Behave@ietf.org
>>> https://www.ietf.org/mailman/listinfo/behave
>>>
>>
>> *********************************
>> This message and any attachments (the "message") are confidential and intended solely for the addressees.
>> Any unauthorised use or dissemination is prohibited.
>> Messages are susceptible to alteration.
>> France Telecom Group shall not be liable for the message if altered, changed or falsified.
>> If you are not the intended addressee of this message, please cancel it immediately and inform the sender.
>> ********************************
>>
>>
>
> *********************************
> This message and any attachments (the "message") are confidential and intended solely for the addressees.
> Any unauthorised use or dissemination is prohibited.
> Messages are susceptible to alteration.
> France Telecom Group shall not be liable for the message if altered, changed or falsified.
> If you are not the intended addressee of this message, please cancel it immediately and inform the sender.
> ********************************
>
>

*********************************
This message and any attachments (the "message") are confidential and intended solely for the addressees. 
Any unauthorised use or dissemination is prohibited.
Messages are susceptible to alteration. 
France Telecom Group shall not be liable for the message if altered, changed or falsified.
If you are not the intended addressee of this message, please cancel it immediately and inform the sender.
********************************

v2.23.0 | Report a Bug | By Email