IETF Logo Mail Archive

Re: [Int-area] I-D Action: draft-shen-traceroute-ping-ext-03.txt

Jared Mauch <jared@puck.nether.net> Sun, 08 January 2012 21:34 UTC

Return-Path: <jared@puck.nether.net>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD4DF21F84E6 for <int-area@ietfa.amsl.com>; Sun, 8 Jan 2012 13:34:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.746
X-Spam-Level:
X-Spam-Status: No, score=-1.746 tagged_above=-999 required=5 tests=[AWL=-0.543, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jIXE4waFL9to for <int-area@ietfa.amsl.com>; Sun, 8 Jan 2012 13:34:34 -0800 (PST)
Received: from puck.nether.net (puck.nether.net [IPv6:2001:418:3f4::5]) by ietfa.amsl.com (Postfix) with ESMTP id 1C61F21F8472 for <int-area@ietf.org>; Sun, 8 Jan 2012 13:34:34 -0800 (PST)
Received: from [10.0.0.163] (173-167-0-106-michigan.hfc.comcastbusiness.net [173.167.0.106]) (authenticated bits=0) by puck.nether.net (8.14.4/8.14.4) with ESMTP id q08LXjoh031187 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Sun, 8 Jan 2012 16:33:46 -0500
References: <13205C286662DE4387D9AF3AC30EF456D74ED699B3@EMBX01-WF.jnpr.net> <4F04B6B8.6030208@cisco.com> <201201042243.q04Mhpk8014959@cichlid.raleigh.ibm.com> <7E187243-EAB3-4814-A78C-56DCEAE2C67C@cisco.com> <B5B3DB49-80B1-4C44-B561-7DD9B65C8523@kumari.net> <6.2.5.6.2.20120108022206.0c765c58@resistor.net> <ADF42693-AFA5-4F57-BEDE-369D583841C8@cisco.com>
In-Reply-To: <ADF42693-AFA5-4F57-BEDE-369D583841C8@cisco.com>
Mime-Version: 1.0 (1.0)
Content-Type: text/plain; charset="us-ascii"
Message-Id: <6B28E728-96FF-4948-AE3A-A90BF6D88899@puck.nether.net>
Content-Transfer-Encoding: quoted-printable
X-Mailer: iPhone Mail (9A405)
From: Jared Mauch <jared@puck.nether.net>
Date: Sun, 08 Jan 2012 16:34:30 -0500
To: Naiming Shen <naiming@cisco.com>
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.6 (puck.nether.net [204.42.254.5]); Sun, 08 Jan 2012 16:33:47 -0500 (EST)
Cc: "int-area@ietf.org" <int-area@ietf.org>
Subject: Re: [Int-area] I-D Action: draft-shen-traceroute-ping-ext-03.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/int-area>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Jan 2012 21:34:34 -0000

If your goal is to replace snmp since it doesn't do what you want, it seems like that is another I-d

Jared Mauch

On Jan 8, 2012, at 3:54 PM, Naiming Shen <naiming@cisco.com> wrote:

> 
> I have seen several comments regarding this extension having scaling issue on the Internet
> and this probably is due to confusion on how this extension will be used or how the
> traceroute/ping application is processed today. Let's do some analysis here.
> 
> Traceroute packets if they are not TTL expired you don't process them on the router;
> or Ping packets not destination to your address, you don't process them on your router.
> This extension does not change those behavior. You only check those extension while
> you are normally processing those packets anyway. So if you don't normally filter those
> packets (which is a good thing you are doing), you will have no need to filter them just
> because the router support this extension later. I hope this point is clear.
> 
> Now let's see what will be the percentage of processing which is actually related to this
> Traceroute/ping extension. For normal Traceroute for example, you need to check UDP
> header information, you need to verify things such as checksum, you need to fetch information
> to format packet to send back through your ICMP socket, information can be many, such as
> interface IP address, Nexthop information, interface names (all defined in RFCs now), copy the
> original payload (even you don't understand the format) and finally format the ICMP packet
> to send it back. Now with this extension, you just check (in a well known location of the packet)
> if it exists this extension by the magic#, if not there is nothing more to do. Or you can
> have a policy to check only if the probe source address is from network x.x.x.x/y,
> otherwise don't even bother with the extension. For those checks, I would say may be 2-5%
> of the original processing you have already needed to do. So, does this actually cause a
> concern of scaling on the Internet?
> 
> For every Traceroute/ping router implementation, they do rate-limiting. Some do flow
> based, some just do a flat time based rate-limiting, e.g. they only allow 100 such packets
> per minute. Let's forget about the Moor's Law, forget about the hardware/cpu capability
> these days, let's forget about multi-core cpu development anymore; let's only concentrate
> on the legacy stuff of the past. Say take a 15 years old router, let's upgrade the software
> to this extension for the Traceroute/ping. Let's assume also this extension actually consume
> 10% more cpu. So instead of default punting 100 such a packet per minute, now this
> router is programmed only punting 90 such packets to process. Nothing wrong with that.
> This 100 per minute was some vendor's arbitrary decision 15 years back, who can say
> 50 is not perfect or 200 is not the right thing for now. There is no place you actually need to do
> special filtering just due to this extension. The point here is that, if the implementation does
> want to take this overhead into account, they can adjust that easily with also in consideration
> of today's hardware/cpu capabilities.
> 
> Then if you think about this extension can actually ask for a subset of information, instead
> of just dumping everything the ICMP RFCs have defined, one may save some cpu and bandwidth
> in that sense.
> 
> On the other hand if one has an implementation using this extension, for example an
> OpenFlow ID trace which actually trace through the real path on the programed OpenFlow
> based switches. this operation let's say cost 100% of the normal Traceroute processing,
> but here we hope it does not do this for every Traceroute packet, and it actually checks to see
> if this is from an authorized network or station for using this feature. And this is a new feature
> you want so you are willing to spend more cpu on that.
> 
> thanks.
> - Naiming
> 
> 
> On Jan 8, 2012, at 2:49 AM, SM wrote:
> 
>> At 12:44 07-01-2012, Warren Kumari wrote:
>>> If ping processing goes from being a negligible use of resources to something noticeable, the only reasonable solution I have is "deny icmp any any echo" on edge.
>>> This is not good for me, this is not good for my customers, this is not good for the Internet at large.
>> 
>> Agreed.
>> 
>> If the authors really want to see draft-shen-traceroute-ping-ext-03 published, they could add an Applicability Statement saying that the domain of use is not the Internet.  Not giving due consideration to input from operators can only discourage them from providing input in future.
>> 
>> Regards,
>> -sm 
>> _______________________________________________
>> Int-area mailing list
>> Int-area@ietf.org
>> https://www.ietf.org/mailman/listinfo/int-area
> 
> _______________________________________________
> Int-area mailing list
> Int-area@ietf.org
> https://www.ietf.org/mailman/listinfo/int-area

v2.23.0 | Report a Bug | By Email