IETF Logo Mail Archive

[nvo3] draft-ietf-nvo3-encap-00 should add considerations of traversing NAPT

Linda Dunbar <linda.dunbar@huawei.com> Wed, 12 July 2017 19:37 UTC

Return-Path: <linda.dunbar@huawei.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AF7512EC17; Wed, 12 Jul 2017 12:37:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bv1FJKZUr-UA; Wed, 12 Jul 2017 12:37:16 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5061012EA74; Wed, 12 Jul 2017 12:37:15 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml704-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DKG40477; Wed, 12 Jul 2017 19:37:13 +0000 (GMT)
Received: from SJCEML701-CHM.china.huawei.com (10.208.112.40) by lhreml704-cah.china.huawei.com (10.201.108.45) with Microsoft SMTP Server (TLS) id 14.3.301.0; Wed, 12 Jul 2017 20:37:13 +0100
Received: from SJCEML702-CHM.china.huawei.com ([169.254.4.142]) by SJCEML701-CHM.china.huawei.com ([169.254.3.186]) with mapi id 14.03.0301.000; Wed, 12 Jul 2017 12:37:10 -0700
From: Linda Dunbar <linda.dunbar@huawei.com>
To: NVO3 <nvo3@ietf.org>, "draft-ietf-nvo3-encap@ietf.org" <draft-ietf-nvo3-encap@ietf.org>
Thread-Topic: draft-ietf-nvo3-encap-00 should add considerations of traversing NAPT
Thread-Index: AdL7Q+/ZfEDwvo9TRzm5LoTlMhYAfA==
Date: Wed, 12 Jul 2017 19:37:09 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F6593FAA91@SJCEML702-CHM.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.192.11.171]
Content-Type: multipart/alternative; boundary="_000_4A95BA014132FF49AE685FAB4B9F17F6593FAA91SJCEML702CHMchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020205.59667A69.0240, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.4.142, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 9211c2cbe5ea57fd0df1cb800cc5ac59
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/JSwiMLwxNsTjtChR-uRIIQIwlJ4>
Subject: [nvo3] draft-ietf-nvo3-encap-00 should add considerations of traversing NAPT
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jul 2017 19:37:18 -0000

Sami, et al,

The draft-ietf-nvo3-encap-00 is written very clear.

However, the Section 6 (Common Encapsulation Considerations) should add a sub-section on the consideration of traversing NAPT.  Encapsulated traffic could go to different data centers or WAN, which could go through Network Address Port Translation devices

Using VxLAN as an example: VxLAN specification [RFC 7348] uses a set of Port numbers to achieve better traffic distribution among multiple paths, which is fine within one data center, but causing trouble when traversing NAPT. NAPT use Port number to map back the source address. With a set of port numbers, NAPT can't easily figure out the reverse direction traffic's final IP addresses.

In addition, since the IP of packets change through NAPT device, it can mess up the learning of the peer NVE used in encapsulation.

STUN can be used to get changed IP and port from NAPT device, but it requires NAPT device support STUN. That's not available in some scenarios. Furthermore, it can't solve the aforementioned five-tuple issue.

VXLAN over IPSec may be used to deal with the above problems, but IPSec brings up to 88 bytes of overhead plus the key distribution management, which can lower the efficiency.


Suggestion: Add Section 6.10 Traversing NAPT consideration.
I can help to provide the text if you all think the suggestion is acceptable.

We can discuss more in Prague.

Thanks, Linda Dunbar

Huawei USA IP Technology Lab
5340 Legacy Drive,
Plano, TX 75024
Tel: +1 469-277 - 5840
Fax: +1 469 -277 - 5900

v2.23.0 | Report a Bug | By Email