IETF Logo Mail Archive

Re: [lisp] LISP NAT Traversal [Was: Virtual meeting]

Dino Farinacci <farinacci@gmail.com> Wed, 01 April 2020 00:21 UTC

Return-Path: <farinacci@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 564243A0E0F for <lisp@ietfa.amsl.com>; Tue, 31 Mar 2020 17:21:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level:
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1LvSCfaoKLEA for <lisp@ietfa.amsl.com>; Tue, 31 Mar 2020 17:21:10 -0700 (PDT)
Received: from mail-pf1-x436.google.com (mail-pf1-x436.google.com [IPv6:2607:f8b0:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 600A83A0E0B for <lisp@ietf.org>; Tue, 31 Mar 2020 17:21:10 -0700 (PDT)
Received: by mail-pf1-x436.google.com with SMTP id a24so4348105pfc.8 for <lisp@ietf.org>; Tue, 31 Mar 2020 17:21:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=o15PZyvbdsmJ8MBbJOM/ml13Ya3uZntbUZr0laKyvl4=; b=Pm0fo2cNJdWRT8KAiab0LJaOlVGwbiIb8wchTIAEf/zPcEW8SHJwtpF5qHkhdJugqQ WJggEg0Nv5M3eRmUzRKyRDDHJ9Soet/7akUSQj/gy31Cu1uTFkbuWKzlCZk8tRTjoaEO 79G71hkDx2mYDe0w+qnFUn7iXaULwVtCV3Wb7LrC58DzZO6PRr4MBz3QO4BgjLBhrVYC Kwz3cME49LW/5TDN8QaLFJ5LuRih2Fs+HABjpUS0arV707qSzxS2kLYTrc8GrKxkoDZD AC87x78yj4j2ub8UyPRjZIgOhVij6q5GddSCTKTstp+IvkstyGjrShumCKM9LUVF8nl0 rD4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=o15PZyvbdsmJ8MBbJOM/ml13Ya3uZntbUZr0laKyvl4=; b=O1Wql+h8ECtxHa+qA32Vgb7t5wruIgZCEEco1UsIVYT8ifQ/PDsUHK5/2u7QPUYaLJ yF+hICarsl0aLmLWWG28AGpB3Yj1MQSwo0v79Kn7MMsajBH/VBg36x7EnjpttLvT9fiV wLdEiB3ynAMHvaNHdci5vYjoPV0CylvM97A84XWdc9lucOhvgFvfqT0Y/pNp7AteOUc/ 3N/ECQEpAwJdMX91zgzob/uvY5CAXP1D7Avp2XMuel+yzk9oYy72PhcTUg+8FpbHSfLx txCK54M7+tNt9FHNMV5va8AEkCkWTVvKgUzQzgUNftOdSSYdTwWuRtuBm2VgT4VkrHGo buww==
X-Gm-Message-State: AGi0PuY+ZBtnqRwb3ZJICbv5GnVt4Fn34oxfWXj6+vt3ru/u8lTgp7GY nc5xO3iiHgT2xFDa8yxEVyTDMAjp9kc=
X-Google-Smtp-Source: APiQypLUVWwJW1+XQBWwULdTFKTBDc5NRsqzBzY5HpJst5+sZChc+jBtqhWTtM8YNmCzcK6XiLrmyg==
X-Received: by 2002:a63:a34d:: with SMTP id v13mr6506793pgn.10.1585700468987; Tue, 31 Mar 2020 17:21:08 -0700 (PDT)
Received: from ?IPv6:2601:646:9600:af10:1896:ffbf:722e:92d5? ([2601:646:9600:af10:1896:ffbf:722e:92d5]) by smtp.gmail.com with ESMTPSA id a75sm196535pje.31.2020.03.31.17.20.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 31 Mar 2020 17:21:05 -0700 (PDT)
From: Dino Farinacci <farinacci@gmail.com>
Message-Id: <9FD16389-6CA4-49B9-BC47-8DA13BF377E2@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5D3A8BC6-F5DF-4A67-8129-8B370852D2CE"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
Date: Tue, 31 Mar 2020 17:20:56 -0700
In-Reply-To: <14dbe527-85db-5cc3-e2de-039b6216e89f@ac.upc.edu>
Cc: lisp@ietf.org
To: Albert Lopez <alopez@ac.upc.edu>
References: <55b348e3-66c3-0e5c-8028-446a3afa4249@ac.upc.edu> <8C01E061-9B4A-4C99-8BE6-1151B1BCB155@gmail.com> <14dbe527-85db-5cc3-e2de-039b6216e89f@ac.upc.edu>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/ULTOgDdXRTJwm59RJJMaR-cwxTI>
Subject: Re: [lisp] LISP NAT Traversal [Was: Virtual meeting]
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2020 00:21:17 -0000

> Thanks Dino for your reply. Answers inline

No prob.

> 
> On 31/3/20 1:27, Dino Farinacci wrote:
>>> I would also like to add the NAT Traversal draft discussion into the agenda.
>>> 
>> I agree it should on the agenda and an over-due work item we need to get working.
>> 
>> 
>>> We have experience implementing the NAT traversal functionality in our LISP open source implementation (OOR) which have support for Android and IOS devices. We believe that NAT traversal is a critical point for LISP-MN and we would like to share our experience on that. .
>>> 
>>> Our implementation is based on the draft-ermagan-lisp-nat-traversal and during its study some questions have emerged that could be interesting to discus:
>>> 
>> I have an implementation of NAT-traversal in the lispers.net
>>  implementation which is a subset and simpler version of the draft-ermagan-lisp-nat-traversal. I think that NAT-traversal is so important as a core functionality for LISP because many people use it today just to traverse NATs.
>> 
>> I would suggest we make this a working group document. It is in the charter and is long over-due to move from individual submission.
>> 
>> 
>>> 	• What happens when a device handovers between NAT and not NAT interfaces? The xTR has to notify the remote ITRs, however an xTR behind NAT usually only has a default map cache entry with the RTR as a default gateway. Therefore, the xTR cannot notify directly ITRs of the change of the mapping.
>>> 
>> If the remote ITR subscribes for 0.0.0.0/0 then any more specific mappings which are registered and Map-Notified by the Map-Server to the subscribers. That is one way the problem can be solved. 
> So here, you are suggesting to use the publish/subscribe draft isn’t it? Yes this could be a good solution. Is there any study of scalability regarding this option?

Yes, that is what I’m suggesting.

>> Another way is now that the xTR is not behind a NAT, it can SMR currently RLOCs it is talking to. Which also may be an RTR that the remote ITRs can be using (when they are behind NATs). That causes the non-NAT ITR and the remote RTR to do mapping lookup to get the global/non-translated RLOC of this xTR.
> When the xTR is only using the RTR (I believe is the usual case), xTR doesn’t know who are its remote ITRs to send and SMR so it depends on how the RTR react to SMR.

When the remote ETR isn’t behind NAT, the RTR can reach it directly but so can the ITR. 

>>> 	• What happens in the previous case if the not NAT interface is IPv6? IPv6 is a ­special case. We want to maintain the connectivity with established connections (keep using the same RTR, which has the map-cache). For that to work, the RTR needs to have an IPv6 to receive an SMR from the xTR after the handover (from the new xTR’s IPv6 RLOC). Therefore RTRs announced by the Map Server should have both IPv4 and IPv6. As we don't know which RTR IPv6 addresses map to which IPv4 addresses, all RTRs should be notified.
>>> 
>> It can be a local decision if an ITR uses an RTR for IPv6 traffic or just encapsulate directly to the ETRs that register the EID. Most customers are going to want the shortest path so I have seen the latter be deployed.
>> 
>> I would suggest you only use RTRs for IPv6 when you are either doing (1) signal-free IPv6 multicast or (2) have a traffic-engineering requirement. Both in general, specify that IPv4 and IPv6 can and should run ships-in-the-night.
>> 
> What I was referring with this question is , If we are behind NAT using an RTR as a default gateway and then we handover to an IPv6 connection (at that point we are not considering the publish/subscribe solution), If we don't want to lose established connections, xTR has to notify the RTR (SMR) of the change of the mapping. To notify it,

Yes. But now I’m not clear if you the “IPv6 connection” is referring to an IPv6 EID or RLOC. Please clarify.

> the RTR should have an IPv6 RLOC that should be included in the list of RTRs of the Info Reply message.  Depending on what the RTR does with the SMR,  remote ITRs could move stablished connections to direct path or continue using the RTR.

If IPv6 is an RLOC, it is assumed anyone can reach it and a site xTR need not encap packets to an RTR. RTRs for NAT-traversal are used only for IPv4 RLOCs, regardless if the EID is IPv4 or IPv6.

>>> 	• Which should be the procedure of an RTR in front of receiving an SMR from the xTR that just handover from NAT to not NAT? Probably the answer is that the xTR sends an SMR to the RTR which then has two options 1) the 
>>> 
>>> RTR can do an SMR to the appropriates ITRs based on the map-cache entries (but then how to know which of the map-cache entries were used by the xTR) or 2) it can act as a PxTR for the xTR that performed the handover. In that case, until when? Until the expiration of the TTL? Furthermore, what happens when an xTR roams again before the previous TTL expires.
>>> 
>> This is no different than any other type of RLOC change. And we have many mechanisms documented for this. They are:
>> TTL-expiry, SMRs, pubsub Map-Notify from mappingn system.
>> 
> TTL-expiry is not realistic for mobility scenarios where handovers can be frequent and you don’t know when will happen

Well you will find with experience that link-layer assocaition estalishment takes seconds. So having the map-cache TTL around 3-5 seconds is reasonable. Follow the numbered flows.

> The behaviour of an RTR receiving an SMR is what I would like to clarify with this question
> 
> 
> pubsub is a good option but at this point I would like to clarify what happens when an RTR receive an SMR.

Note, that SMRs will cause a flurry of messages depending on how aggressive the ETR wants the ITRs sending to it to be updated. And requires queuing demands on the ETR for reliable delivery. Hence why data-driven SMRs were introduced in implementations. But that only happens for EID-mobility (EID is not co-located with RLOC) and not in LISP-MN (where EID and RLOC are co-located).

>>> 	• Which is the mechanism to change the RTR used by and xTR?
>>> 
>> Note the xTR gets periodic Info-Replies back from the map-server. The list of RTRs can change. So when the list of RTRs is changed, it is configured in the map-server and the next Info-Request that the NAT-assisted xTR sends is returned with the new list. The lispers.net implementation updates RTRs when the list changes and RLOC-probes each one to make sure they have reachability before using.
> I believe this answer is replying  next question. With this question, my intention was to make constance that the draft doesn’t specify (may be it is not needed to go into this detail level) a mechanism, from the xTR point of view, to use a different RTR from the list of the info reply (for example, due to a better latency time)

We should fix that in the spec then. Thanks for finding it.

>>> 	• Is there any procedure from MS point of view to notify associated xTRs to change the RTR they are using?
>>> 
>> Yes, in the Info-Reply messages the map-sever send, that is in draft-ermagan-lisp-nat-traversal.
>> 
>> 
>>> 	• If a NATed device wants to manage their map request and map replies, which ITR RLOCS should use to fill the Map Request?
>>> 
>> It needs to be reachable RLOCs. And in the lispers.net implementation, an xTR behind a NAT registers it’s translated RLOC and the RTR RLOCs. That is so the remote RTR can use the translated RLOC (and the translated port it learns from Info-Requests) and remote ITRs to use the RTR’s RLOC (since that RTR is the only node that can get packets through the NAT).
> I don’t have the full details of the lispers implementation of NAT-Traversal solution. Is any document describing it?.

I don’t have something written up but I do have slides that show protocol flow. See at the end of this email. It can all be explained in one slide. ;-)

> My concern here is regarding section 5.1.2 of the draft (Map-Request and Map-Reply handling). When we sent an Encap Map-Request to get a mapping, we add a list of iTR addresses to receive the Map-Reply. We can add here the global address of the xTR but if the NAT has not been previously punched, we will not receive never a Map-Reply, at least for symetrics NATs.

You MUST put public-RLOCs in the mapping and the only node that can do that is the ETR. And it discovers its public-RLOC but receiving a Info-Reply from the MS that echos the outer source address and source UDP port from the Info-Request message. The message that the NAT translated the source address and source port.

> 
>> Another topic but related to NAT-traversal.
>> 
>> Note there is a problem I came across during deployment of an IoT use-case. This is a description of the problem with an example. Say I am xTR1 and learn from the Map-Server RTRs A, B, and C. and I want to encapsulate packets for an EID behind xTR2. The encapsulation algorithms indicate that xTR1 use a 5-tuple hash to load-split packets across A, B, and C. And xTR1 knows that A, B, and C are reachable via RLOC-probing. However, xTR1 has no idea if any of A, B, or C, can reach xTR2. So xTR1 can choose an RTR that would drop packets if it couldn’t reach xTR2.
>> 
>> I solved this in the 
>> lispers.net
>>  implementation to have the ETRs only register the RLOC addresses of RTRs if they are currently reachable via RLOC-probing. This is how it works using the example from above:
>> 
>> (1) xTR2 learns of RTRs A, B, and C from the map-server.
>> (2) It uses those RTRs as the RLOCs for the map-cache entry 0.0.0.0/0.
>> (3) It RLOC-probes A, B, and C.
>> (4) It registers its translated RLOC and RTRs A, B, and C in 4 RLOC-records of the Map-Register.
>> (5) That means any remote ITR (xTR1) would encap to either A, B, or C.
>> (6) If xTR2 lost reachability to A, then what is registered is only B and C (and the translated RLOC).
>> (7) Then xTR1 only has a choice of B and C to encapsulate to for the EID behind xTR2.
>> 
>> What limits the solution is asymmetry. Meaning if the path from xTR2 to RTR A is down but the path from RTR A to xTR2 is up, xTR1 would not use RTR A. So bidirectional connectivity is required (for the pair of RLOCs that are part of the RLOC-probe).
>> 
> In the scenario you are proposing, both xTR are behind NAT using the same MS or at least the same RTRs isn’t it?

Well as a LISP-MN roams, it uses the same Map-Server no matter where it attaches to the network. Thereby using the same RTR-list for what the Map-Server is configured with. The Map-Server with policy COULD return a different RTR-list based on the LISP-MN RLOC address or GPS coordinates it registers with.

> What would happen if the xTR 2 is not behind NAT  or it is behind NAT but using different RTRs?

I don’t have it implemented for a multiple sets of RTR-lists. 

NAT-traversal, doing it dynamically and seamless to the user and network administrator is one of the toughest problems I had to solve in my career. It is so messy and has too many combinations that need to work.

Also note, there is a requirement for an xTR to have two interfaces, each connected to different NATs. And load-splitting is required across the two intefaces (inbound)

Dino

> Regards,
> 
> Albert L.
>

v2.23.0 | Report a Bug | By Email