Re: [bmwg] WG Adoption Call: Stateful NATxy Gateways using RFC 4814
Gábor LENCSE <lencse@hit.bme.hu> Thu, 16 June 2022 19:11 UTC
Return-Path: <lencse@hit.bme.hu>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6CE8C157B43 for <bmwg@ietfa.amsl.com>; Thu, 16 Jun 2022 12:11:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.785
X-Spam-Level:
X-Spam-Status: No, score=-8.785 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.876, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K_HeLc-UB7_b for <bmwg@ietfa.amsl.com>; Thu, 16 Jun 2022 12:11:45 -0700 (PDT)
Received: from frogstar.hit.bme.hu (frogstar.hit.bme.hu [IPv6:2001:738:2001:4020::2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD15EC14F5E1 for <bmwg@ietf.org>; Thu, 16 Jun 2022 12:11:44 -0700 (PDT)
Received: from [192.168.1.145] (host-79-121-41-47.kabelnet.hu [79.121.41.47]) (authenticated bits=0) by frogstar.hit.bme.hu (8.15.2/8.15.2) with ESMTPSA id 25GJBR23004350 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <bmwg@ietf.org>; Thu, 16 Jun 2022 21:11:33 +0200 (CEST) (envelope-from lencse@hit.bme.hu)
X-Authentication-Warning: frogstar.hit.bme.hu: Host host-79-121-41-47.kabelnet.hu [79.121.41.47] claimed to be [192.168.1.145]
Content-Type: multipart/alternative; boundary="------------Mf8I3uxA5IvGFmxju6vWzb2j"
Message-ID: <cc1ddc52-6e3b-585a-711c-1f7c7aef05f5@hit.bme.hu>
Date: Thu, 16 Jun 2022 21:11:23 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: bmwg@ietf.org
References: <CH0PR02MB798001E3E9D0D9977474DFF3D3CF9@CH0PR02MB7980.namprd02.prod.outlook.com> <147F6665B1980A4496AE5D06F45C002A025698F66C@hold.ahol.co.hu>
From: Gábor LENCSE <lencse@hit.bme.hu>
In-Reply-To: <147F6665B1980A4496AE5D06F45C002A025698F66C@hold.ahol.co.hu>
X-Virus-Scanned: clamav-milter 0.103.2 at frogstar.hit.bme.hu
X-Virus-Status: Clean
Received-SPF: pass (frogstar.hit.bme.hu: authenticated connection) receiver=frogstar.hit.bme.hu; client-ip=79.121.41.47; helo=[192.168.1.145]; envelope-from=lencse@hit.bme.hu; x-software=spfmilter 2.001 http://www.acme.com/software/spfmilter/ with libspf2-1.2.10;
X-DCC--Metrics: frogstar.hit.bme.hu; whitelist
X-Scanned-By: MIMEDefang 2.79 on 152.66.248.44
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/NxpdHv7bcUN6tHVtM3m7WVTHgeU>
Subject: Re: [bmwg] WG Adoption Call: Stateful NATxy Gateways using RFC 4814
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2022 19:11:48 -0000
Dear Sandor, Thank you very much for your review and comments. Please see my answers inline. 2022.06.13. 18:07 keltezéssel, Sandor R. Repas Dr. írta: > Dear All, > > In my opinion, a standard method for measuring the performance of NAT gateways is very important. So thank Lencse and Shima for the hard work. However, I found some potential problems with the proposal: > There are three assumptions in In section 4.4 (https://datatracker.ietf.org/doc/html/draft-lencse-bmwg-benchmarking-stateful-03#section-4.4), and the second one is: > " 2. The connection tracking table of the stateful NATxy is large enough to store all connections defined by the different source port number destination port number combinations." > It seems to be a rather strong assumption. How can one guarantee it? > Should one test it before the below described measurement methods can be used? Yes, your questions are completely valid. The hardship is that we need this assumption for the maximum connection establishment rate measurement to guarantee that loss of the test frames was caused by using too high rate and not because the capacity of the connection tracking table has been exhausted. As recommended by Al Morton earlier, now we are working on the connection tracking table capacity measurement. In theory, it is ready, but we haven't tested it yet. We plan to test it soon with iptables. If it will work, then we will be able to guarantee the condition. > In section 4.5 (https://datatracker.ietf.org/doc/html/draft-lencse-bmwg-benchmarking-stateful-03#section-4.5) the measurement procedure only counts the number of test frames arrived to the Responder, however, it is not checked, whether every single test frame resulted in adding a new connection to the connection tracking table of the DUT. (Can it happen in an overloaded situation that a frame is forwarded but the connection is not registered into the connection to the connection tracking table of the DUT?) Yes, it can surely happen. We have met this case, when the combination of tayga (stateless NAT64) and iptables (stateless NAT44) was used to provide a stateful NAT64 gateway (the PLAT part of 464XLAT) using virtual machines. At a high enough overload, some of the source IPv4 addresses were not replaced, as you can see it in Fig. 5 of this paper: A. Al-Azzawi and G. Lencse, "Identification of the Possible Security Issues of the 464XLAT IPv6 Transition Technology", /Infocommunications Journal/, vol. 13, no. 4, pp. 10-18, December 2021, DOI: 10.36244/ICJ.2021.4.2 Full paper in PDF <http://www.hit.bme.hu/~lencse/publications/InfocomJ_2021_4_2_Al-Azzawi.pdf> This is why we wrote the below statement our draft: > In Note 2: "2. As for the successful translation, the Responder MAY (or SHOULD?) check that the source IP address is different than the original source IP address set by the Initiator." The above statement aimed to provide some kind of mitigation for the problem. But we plan to remove it from the next version, because: - it does not guarantee that the connection is really established - it can be rather inconvenient and inefficient to check it (at least I do not have an idea for an efficient implementation in siitperf) - and, mainly, because we have found a better method (see below). :-) > However, even if the translation was successful, it is not an ultimate guarantee that the connection was established in the DUT. We recommend a method for the validation of the connections. Its basic idea is that all four tuples extracted from the test frames by the Responder MUST be tested by sending test frames with all of them in the real test phase at a "low enough" frame rate. Some tests have already been performed, and we found that validation works well. We planned to submit a new version after the end of the adoption call (to avoid the situation that some people are reading the current text and we just replace it). I think this new part is already quite stable, so let me copy it here as a preliminary version of the text: 4.6. Validation of Connection Establishment Due to "black box" testing, the entries of the connection tracking table of the DUT may not be directly examined, but the presence of the connections can be checked easily by sending frames from the Responder to the Initiator in the Real Test Phase using all four tuples stored in the state table of the Tester (at a low enough frame rate). The arrival of all test frames indicates that the connections are really present. Procedure: When all the desired N number of test frames were sent by the Initiator to the Receiver at frame rate R in the Preliminary Phase for the maximum connection establishment rate measurement, and the Receiver has successfully received all the N frames, the establishment of the connections is checked in the Real Test Phase as follows: o The Responder sends test frames to the Initiator at frame rate: r=R*alpha, for the duration of N/r using a different four tuple from its state table for each test frame. o The Initiator counts the received frames, and if all N frames are arrived then the frame rate of the maximum connection establishment rate is raised, otherwise lowered (as well as in the case if test frames were missing in the preliminary phase). Notes: o The alpha is a kind of "safety factor", its aim is to make sure that the frame rate used for the validation is not too high, and test may fail only in the case if at least one connection is not present in the connection tracking table of the DUT. (So alpha should be typically less than 1, e.g. 0.8 or 0.5.) o The duration of N/r and the frame rate of r means that N frame are sent. o The order of four tuple selection is arbitrary provided that all four tuples MUST be used. o Please refer to Section 4.9 for a short analysis of the operation of the measurement and what problems may occur. We did some tests with Jool using different values for alpha. E.g. using 0.25 and 0.5, the validated connection establishment rate was the same as measured without validation. However, 0.6 and 0.8 proved to be too high. What do you think about the above method? Please let us know if you have any concerns or suggestions. And also, if you are satisfied with my answer. :-) Best regards, Gábor > Best regards, > Sandor > > -----Original Message----- > From: bmwg<bmwg-bounces@ietf.org> On Behalf Of MORTON JR., AL > Sent: 2022. május 16., hétfő 19:06 > To:bmwg@ietf.org > Cc:bmwg-chairs@ietf.org > Subject: [bmwg] WG Adoption Call: Stateful NATxy Gateways using RFC 4814 > > BMWG, > > This message begins a WG Adoption call for > > Benchmarking Methodology for Stateful NATxy Gateways using RFC 4814 > Pseudorandom Port Numbers > https://datatracker.ietf.org/doc/html/draft-lencse-bmwg-benchmarking-stateful-03 > > The WG Adoption will run from May 16 to June 20, 2022. > > BMWG has discussed this draft at several meetings and on the list. There has been a moderate level of interest. > > Please review the latest draft and send comments and/or indications of support to the bmwg-list (bmwg@ietf.org) and/or to me (acmorton(at)att.com). > > Thanks and best regards, > Al > bmwg co-chair > > _______________________________________________ > bmwg mailing list > bmwg@ietf.org > https://www.ietf.org/mailman/listinfo/bmwg > > _______________________________________________ > bmwg mailing list > bmwg@ietf.org > https://www.ietf.org/mailman/listinfo/bmwg >
- [bmwg] WG Adoption Call: Stateful NATxy Gateways … MORTON JR., AL
- Re: [bmwg] WG Adoption Call: Stateful NATxy Gatew… Sandor R. Repas Dr.
- Re: [bmwg] WG Adoption Call: Stateful NATxy Gatew… Gábor LENCSE
- Re: [bmwg] WG Adoption Call: Stateful NATxy Gatew… MORTON JR., AL
- Re: [bmwg] WG Adoption Call: Stateful NATxy Gatew… Vasilenko Eduard
- [bmwg] the potential falsifying effect of storing… Gabor LENCSE
- Re: [bmwg] WG Adoption Call: Stateful NATxy Gatew… Gabor LENCSE
- Re: [bmwg] WG Adoption Call: Stateful NATxy Gatew… Gabor LENCSE
- Re: [bmwg] WG Adoption Call: Stateful NATxy Gatew… Vasilenko Eduard