IETF Logo Mail Archive

Re: [Int-area] I-D Action: draft-shen-traceroute-ping-ext-03.txt

Naiming Shen <naiming@cisco.com> Sun, 08 January 2012 20:54 UTC

Return-Path: <naiming@cisco.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A78D21F852D for <int-area@ietfa.amsl.com>; Sun, 8 Jan 2012 12:54:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.564
X-Spam-Level:
X-Spam-Status: No, score=-6.564 tagged_above=-999 required=5 tests=[AWL=0.035, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RKqbbZWyB+qd for <int-area@ietfa.amsl.com>; Sun, 8 Jan 2012 12:54:13 -0800 (PST)
Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id 776C221F852C for <int-area@ietf.org>; Sun, 8 Jan 2012 12:54:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=naiming@cisco.com; l=4687; q=dns/txt; s=iport; t=1326056053; x=1327265653; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=0gQuo2+GknsqTQC9t7xt/83Rnyk4pc9AQ9DFwVsdkas=; b=HKV24i82R8OGWeQQABvYDIGBiQS9pwJh1UoDTIExxlzuj72wFrYLbMsM H8Ji3/bEeVppIb0mRyEVvUbq27g1EKsRCp7NNPcst+Mvf9ZRQSLGsBSrC HwRalmS2Yt4hWaRzqsrjj8oJhwLBZzQBAhUOA5obnazo/7/XrGofF87oP g=;
X-IronPort-AV: E=Sophos;i="4.71,476,1320624000"; d="scan'208";a="24375452"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by mtv-iport-2.cisco.com with ESMTP; 08 Jan 2012 20:54:12 +0000
Received: from sjc-vpn3-507.cisco.com (sjc-vpn3-507.cisco.com [10.21.65.251]) by mtv-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id q08KsCrg009946; Sun, 8 Jan 2012 20:54:12 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Naiming Shen <naiming@cisco.com>
In-Reply-To: <6.2.5.6.2.20120108022206.0c765c58@resistor.net>
Date: Sun, 08 Jan 2012 12:54:11 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <ADF42693-AFA5-4F57-BEDE-369D583841C8@cisco.com>
References: <13205C286662DE4387D9AF3AC30EF456D74ED699B3@EMBX01-WF.jnpr.net> <4F04B6B8.6030208@cisco.com> <201201042243.q04Mhpk8014959@cichlid.raleigh.ibm.com> <7E187243-EAB3-4814-A78C-56DCEAE2C67C@cisco.com> <B5B3DB49-80B1-4C44-B561-7DD9B65C8523@kumari.net> <6.2.5.6.2.20120108022206.0c765c58@resistor.net>
To: SM <sm@resistor.net>
X-Mailer: Apple Mail (2.1084)
Cc: int-area@ietf.org
Subject: Re: [Int-area] I-D Action: draft-shen-traceroute-ping-ext-03.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/int-area>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Jan 2012 20:54:14 -0000

I have seen several comments regarding this extension having scaling issue on the Internet
and this probably is due to confusion on how this extension will be used or how the
traceroute/ping application is processed today. Let's do some analysis here.

Traceroute packets if they are not TTL expired you don't process them on the router;
or Ping packets not destination to your address, you don't process them on your router.
This extension does not change those behavior. You only check those extension while
you are normally processing those packets anyway. So if you don't normally filter those
packets (which is a good thing you are doing), you will have no need to filter them just
because the router support this extension later. I hope this point is clear.

Now let's see what will be the percentage of processing which is actually related to this
Traceroute/ping extension. For normal Traceroute for example, you need to check UDP
header information, you need to verify things such as checksum, you need to fetch information
to format packet to send back through your ICMP socket, information can be many, such as
interface IP address, Nexthop information, interface names (all defined in RFCs now), copy the
original payload (even you don't understand the format) and finally format the ICMP packet
to send it back. Now with this extension, you just check (in a well known location of the packet)
if it exists this extension by the magic#, if not there is nothing more to do. Or you can
have a policy to check only if the probe source address is from network x.x.x.x/y,
otherwise don't even bother with the extension. For those checks, I would say may be 2-5%
of the original processing you have already needed to do. So, does this actually cause a
concern of scaling on the Internet?

For every Traceroute/ping router implementation, they do rate-limiting. Some do flow
based, some just do a flat time based rate-limiting, e.g. they only allow 100 such packets
per minute. Let's forget about the Moor's Law, forget about the hardware/cpu capability
these days, let's forget about multi-core cpu development anymore; let's only concentrate
on the legacy stuff of the past. Say take a 15 years old router, let's upgrade the software
to this extension for the Traceroute/ping. Let's assume also this extension actually consume
10% more cpu. So instead of default punting 100 such a packet per minute, now this
router is programmed only punting 90 such packets to process. Nothing wrong with that.
This 100 per minute was some vendor's arbitrary decision 15 years back, who can say
50 is not perfect or 200 is not the right thing for now. There is no place you actually need to do
special filtering just due to this extension. The point here is that, if the implementation does
want to take this overhead into account, they can adjust that easily with also in consideration
of today's hardware/cpu capabilities.

Then if you think about this extension can actually ask for a subset of information, instead
of just dumping everything the ICMP RFCs have defined, one may save some cpu and bandwidth
in that sense.

On the other hand if one has an implementation using this extension, for example an
OpenFlow ID trace which actually trace through the real path on the programed OpenFlow
based switches. this operation let's say cost 100% of the normal Traceroute processing,
but here we hope it does not do this for every Traceroute packet, and it actually checks to see
if this is from an authorized network or station for using this feature. And this is a new feature
you want so you are willing to spend more cpu on that.

thanks.
- Naiming


On Jan 8, 2012, at 2:49 AM, SM wrote:

> At 12:44 07-01-2012, Warren Kumari wrote:
>> If ping processing goes from being a negligible use of resources to something noticeable, the only reasonable solution I have is "deny icmp any any echo" on edge.
>> This is not good for me, this is not good for my customers, this is not good for the Internet at large.
> 
> Agreed.
> 
> If the authors really want to see draft-shen-traceroute-ping-ext-03 published, they could add an Applicability Statement saying that the domain of use is not the Internet.  Not giving due consideration to input from operators can only discourage them from providing input in future.
> 
> Regards,
> -sm 
> _______________________________________________
> Int-area mailing list
> Int-area@ietf.org
> https://www.ietf.org/mailman/listinfo/int-area

v2.23.0 | Report a Bug | By Email