IETF Logo Mail Archive

Re: [nvo3] draft-ietf-nvo3-encap-00 should add considerations of traversing NAPT

Dan Wing <dwing@vmware.com> Wed, 12 July 2017 23:08 UTC

Return-Path: <dwing@vmware.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E81AD12F26D; Wed, 12 Jul 2017 16:08:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.922
X-Spam-Level:
X-Spam-Status: No, score=-1.922 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=onevmw.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JCsbz-pRpNVz; Wed, 12 Jul 2017 16:08:37 -0700 (PDT)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0056.outbound.protection.outlook.com [104.47.32.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9FA4127735; Wed, 12 Jul 2017 16:08:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=onevmw.onmicrosoft.com; s=selector1-vmware-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=a9JNiAoHSnz3iidiUzIvqudaYalLgKBxouoNoHEus8M=; b=ncY5qmSmrRjxhqQqN+IaeVOXXOBhTI9PujL3Kk5fIG+VuaCxrbBRhveUmCX8AwHF/ZS+Sxf/BokWEStfQr9WlGBgsxmgtDj9SWHXAx/eu1zPNaptlgfoQRRsI1twfvNiTEQ/OZSecFDTRHoY0tXgbkeyEwn0Owpq1HhT8VsYUT8=
Received: from CO2PR05MB2648.namprd05.prod.outlook.com (10.166.95.12) by CO2PR05MB795.namprd05.prod.outlook.com (10.141.226.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1261.4; Wed, 12 Jul 2017 23:08:33 +0000
Received: from CO2PR05MB2648.namprd05.prod.outlook.com ([10.166.95.12]) by CO2PR05MB2648.namprd05.prod.outlook.com ([10.166.95.12]) with mapi id 15.01.1261.007; Wed, 12 Jul 2017 23:08:33 +0000
From: Dan Wing <dwing@vmware.com>
To: Linda Dunbar <linda.dunbar@huawei.com>
CC: NVO3 <nvo3@ietf.org>, "draft-ietf-nvo3-encap@ietf.org" <draft-ietf-nvo3-encap@ietf.org>
Thread-Topic: [nvo3] draft-ietf-nvo3-encap-00 should add considerations of traversing NAPT
Thread-Index: AdL7Q+/ZfEDwvo9TRzm5LoTlMhYAfAAH9f4A
Date: Wed, 12 Jul 2017 23:08:32 +0000
Message-ID: <F254185B-6142-479D-BBDA-983A1189580D@vmware.com>
References: <4A95BA014132FF49AE685FAB4B9F17F6593FAA91@SJCEML702-CHM.china.huawei.com>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F6593FAA91@SJCEML702-CHM.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: huawei.com; dkim=none (message not signed) header.d=none;huawei.com; dmarc=none action=none header.from=vmware.com;
x-originating-ip: [208.91.1.34]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CO2PR05MB795; 20:c5hNxRLIvz6b4DOe051jEe6CrlZVFKUfJh8S2wIii56rUpCzNZBNb8Z4WJB9Y/axGekB6PBjoWVs7QwspurTrqRRjI9mbbsvgzoal/Os4SC/sPkG+dZ7+tlb4M5xB5edfD3XpcyhVzU4j5/UB7GH8CpShS7NulxqppfJPm3ScqA=
x-ms-office365-filtering-correlation-id: 24ed37ba-7282-4fbb-e7f1-08d4c97aeb00
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:CO2PR05MB795;
x-ms-traffictypediagnostic: CO2PR05MB795:
x-exchange-antispam-report-test: UriScan:(158342451672863)(133145235818549)(10436049006162)(236129657087228)(50582790962513)(247924648384137);
x-microsoft-antispam-prvs: <CO2PR05MB79578D1AF637177E9DE3490DCAF0@CO2PR05MB795.namprd05.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(2017060910075)(5005006)(8121501046)(3002001)(100000703101)(100105400095)(10201501046)(93006095)(93001095)(6041248)(20161123558100)(20161123555025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123562025)(20161123560025)(20161123564025)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CO2PR05MB795; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CO2PR05MB795;
x-forefront-prvs: 036614DD9C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(39860400002)(39840400002)(39410400002)(39850400002)(39450400003)(39400400002)(377454003)(24454002)(54906002)(36756003)(478600001)(14454004)(99286003)(3280700002)(33656002)(77096006)(3660700001)(6486002)(230783001)(966005)(6436002)(2900100001)(6512007)(83716003)(229853002)(6246003)(5660300001)(38730400002)(53936002)(6506006)(82746002)(110136004)(305945005)(6306002)(81166006)(189998001)(6916009)(53546010)(76176999)(2906002)(6116002)(575784001)(50986999)(8676002)(86362001)(102836003)(3846002)(7736002)(8936002)(25786009)(66066001)(2950100002)(4326008)(54356999); DIR:OUT; SFP:1101; SCL:1; SRVR:CO2PR05MB795; H:CO2PR05MB2648.namprd05.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <66C50967C2F3C34998B5367404201698@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: vmware.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jul 2017 23:08:32.9728 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: b39138ca-3cee-4b4a-a4d6-cd83d9dd62f0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO2PR05MB795
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/U7AkDadmsyPlVFRm1O-BkFo09r4>
Subject: Re: [nvo3] draft-ietf-nvo3-encap-00 should add considerations of traversing NAPT
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jul 2017 23:08:40 -0000

> On Jul 12, 2017, at 12:37 PM, Linda Dunbar <linda.dunbar@huawei.com> wrote:
> 
> Sami, et al,
> 
>  
> 
> The draft-ietf-nvo3-encap-00 is written very clear.
> 
>  
> 
> However, the Section 6 (Common Encapsulation Considerations) should add a sub-section on the consideration of traversing NAPT.  Encapsulated traffic could go to different data centers or WAN, which could go through Network Address Port Translation devices
> 
>  
> 
> Using VxLAN as an example: VxLAN specification [RFC 7348] uses a set of Port numbers to achieve better traffic distribution among multiple paths, which is fine within one data center, but causing trouble when traversing NAPT.

You're describing a problem with Geneve, which mimics VXLAN in that both of them suggest using a wide range of UDP ports to help underlay ECMP and to help receiver CPU load balancing, specifically this text of https://tools.ietf.org/html/draft-ietf-nvo3-geneve:

   Source port:  A source port selected by the originating tunnel
      endpoint.  This source port SHOULD be the same for all packets
      belonging to a single encapsulated flow to prevent reordering due
      to the use of different paths.  To encourage an even distribution
      of flows across multiple links, the source port SHOULD be
      calculated using a hash of the encapsulated packet headers using,
      for example, a traditional 5-tuple.  Since the port represents a
      flow identifier rather than a true UDP connection, the entire
      16-bit range MAY be used to maximize entropy.

If a reduced set of source ports is used instead, as you propose, the ECMP and CPU load balancing benefits are lost.  That seems problematic.

> NAPT use Port number to map back the source address. With a set of port numbers, NAPT can’t easily figure out the reverse direction traffic’s final IP addresses.

The reverse traffic doesn't use the inverted 5-tuple.  The reverse traffic is sent to the Geneve destination port (6081), and a firewall or NAT or NAPT mapping is necessary for UDP/6081 traffic -- on both datacenters, which both probably have their own underlay NAPTs.  Those firewalls (or NATs or NAPTs) need to have appropriate pinholes for UDP/6081.

> In addition, since the IP of packets change through NAPT device, it can mess up the learning of the peer NVE used in encapsulation.

The underlay did the NAPT, so I don't see a problem with the NVE overlay getting confused.  Could you explain in more detail?

> STUN can be used to get changed IP and port from NAPT device, but it requires NAPT device support STUN.

NAPT devices are not expected to implement STUN.  STUN is expected to be implemented in the hosts behind the NAT and on a server on the other side of the NAT (usually on a server on the Internet).  See Figure 1 on page 6 of https://tools.ietf.org/html/rfc5389#page-6.

> That’s not available in some scenarios. Furthermore, it can’t solve the aforementioned five-tuple issue.
> 
>  
> 
> VXLAN over IPSec may be used to deal with the above problems,

Both Geneve and VXLAN run over UDP, and both use a fixed destination port (rather than inverted 5-tuple) for return traffic.  Not sure how VXLAN succeeds at dealing with the above problems, but I would love to learn.

> but IPSec brings up to 88 bytes of overhead plus the key distribution management, which can lower the efficiency.

Should be able to use IPsec transport mode, which is more around 40 bytes overhead.

-d


>  
> 
>  
> 
> Suggestion: Add Section 6.10 Traversing NAPT consideration.
> 
> I can help to provide the text if you all think the suggestion is acceptable.
> 
>  
> 
> We can discuss more in Prague.
> 
>  
> 
> Thanks, Linda Dunbar
> 
>  
> 
> Huawei USA IP Technology Lab
> 
> 5340 Legacy Drive,
> 
> Plano, TX 75024
> 
> Tel: +1 469-277 - 5840
> 
> Fax: +1 469 -277 - 5900
> 
>  
> 
> _______________________________________________
> nvo3 mailing list
> nvo3@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_nvo3&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=IMDU0f3LtPMQf5XkZ06fNg&m=60T3yKN2I7oCxe8OH9mfZix-2ykSSjL-P-RoXCkZGdg&s=q7A_LzZuDp-yZnlA7Xw_N7yuLk4HO7K07jgl3Z78Ixg&e=

v2.23.0 | Report a Bug | By Email