IETF Logo Mail Archive

Re: [pcp] PCP Extensions for Footprint Discovery

"Bertz, Lyle T [CTO]" <Lyle.T.Bertz@sprint.com> Wed, 03 September 2014 21:55 UTC

Return-Path: <Lyle.T.Bertz@sprint.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 018D21A06CE for <pcp@ietfa.amsl.com>; Wed, 3 Sep 2014 14:55:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.602
X-Spam-Level:
X-Spam-Status: No, score=-1.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mJ-kluzoSuC6 for <pcp@ietfa.amsl.com>; Wed, 3 Sep 2014 14:55:54 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0184.outbound.protection.outlook.com [207.46.163.184]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE44B1A0655 for <pcp@ietf.org>; Wed, 3 Sep 2014 14:55:53 -0700 (PDT)
Received: from BN1AFFO11FD020.protection.gbl (10.58.52.31) by BN1AFFO11HUB017.protection.gbl (10.58.52.127) with Microsoft SMTP Server (TLS) id 15.0.1010.11; Wed, 3 Sep 2014 21:55:51 +0000
Received: from pdaasdm2.corp.sprint.com (144.229.32.57) by BN1AFFO11FD020.mail.protection.outlook.com (10.58.52.80) with Microsoft SMTP Server (TLS) id 15.0.1010.11 via Frontend Transport; Wed, 3 Sep 2014 21:55:52 +0000
Received: from plsasen1.corp.sprint.com (default-server.local [144.226.201.28]) by pdaasdm2.corp.sprint.com (Sentrion-MTA-4.3.0/Sentrion-MTA-4.3.0) with ESMTP id s83Lto7t018800 (version=TLSv1/SSLv3 cipher=ADH-AES256-SHA bits=256 verify=NO); Wed, 3 Sep 2014 16:55:50 -0500
Received: from PLSWE13M08.ad.sprint.com (plswe13m08.corp.sprint.com [144.229.214.27]) by plsasen1.corp.sprint.com (Sentrion-MTA-4.3.0/Sentrion-MTA-4.3.0) with ESMTP id s83LtnQp010867 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 3 Sep 2014 16:55:49 -0500
Received: from PLSWE13M07.ad.sprint.com (2002:90e5:d61a::90e5:d61a) by PLSWE13M08.ad.sprint.com (2002:90e5:d61b::90e5:d61b) with Microsoft SMTP Server (TLS) id 15.0.847.32; Wed, 3 Sep 2014 16:55:48 -0500
Received: from PLSWE13M07.ad.sprint.com ([fe80::b8a7:9769:a6fe:384c]) by PLSWE13M07.ad.sprint.com ([fe80::b8a7:9769:a6fe:384c%15]) with mapi id 15.00.0847.030; Wed, 3 Sep 2014 16:55:48 -0500
From: "Bertz, Lyle T [CTO]" <Lyle.T.Bertz@sprint.com>
To: 🔓Dan Wing <dwing@cisco.com>
Thread-Topic: [pcp] PCP Extensions for Footprint Discovery
Thread-Index: Ac/AaYdrVXOXqx/CQKe7j0y7BgTs0gALL6IwAANNS7ABUcVtAAAU4XgRAET1IoAAC0tCoAAPpBuAAABMEQA=
Date: Wed, 03 Sep 2014 21:55:47 +0000
Message-ID: <577b4b2c5456467baf834bbdf45122f6@PLSWE13M07.ad.sprint.com>
References: <f95d1f3132c74c86940b0607676761ce@PREWE13M19.ad.sprint.com> <44c75e331be64d05b19bd8e02d918308@PLSWE13M07.ad.sprint.com>, <6EC41307-6173-48B2-8487-3C8682EF8BC4@yegin.org> <d7e09a3b252b4f448ca2b4ee9aa94186@PLSWE13M07.ad.sprint.com> <C5ED1659-24A9-4D22-8B0A-3E624309037A@cisco.com> <97a1b0ea69da4a05a073e970c18be3ee@PLSWE13M07.ad.sprint.com> <41924ED3-A56C-4765-A321-129B070A41F6@cisco.com>
In-Reply-To: <41924ED3-A56C-4765-A321-129B070A41F6@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.214.116.30]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:144.229.32.57; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(6009001)(438002)(377454003)(41574002)(51704005)(189002)(199003)(15404003)(24454002)(13464003)(2656002)(79102001)(4396001)(92566001)(20776003)(47776003)(64706001)(86362001)(6806004)(19580405001)(87936001)(83322001)(19580395003)(44976005)(83072002)(85852003)(90102001)(74502001)(31966008)(74662001)(80022001)(50466002)(21056001)(76482001)(77982001)(15975445006)(93886004)(85306004)(46102001)(23676002)(81542001)(108616004)(81342001)(110136001)(95666004)(106466001)(107046002)(77096002)(33646002)(26826002)(76176999)(50986999)(561944003)(54356999)(99396002)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BN1AFFO11HUB017; H:pdaasdm2.corp.sprint.com; FPR:; MLV:ovrnspm; PTR:smtpda2.sprint.com; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;UriScan:;
X-Forefront-PRVS: 032334F434
Received-SPF: Pass (protection.outlook.com: domain of sprint.com designates 144.229.32.57 as permitted sender) receiver=protection.outlook.com; client-ip=144.229.32.57; helo=pdaasdm2.corp.sprint.com;
Authentication-Results: spf=pass (sender IP is 144.229.32.57) smtp.mailfrom=Lyle.T.Bertz@sprint.com;
X-OriginatorOrg: sprint.com
Archived-At: http://mailarchive.ietf.org/arch/msg/pcp/L_gP-dX_COq3Vg4yXivQn-jg7U4
Cc: "pcp@ietf.org" <pcp@ietf.org>
Subject: Re: [pcp] PCP Extensions for Footprint Discovery
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp/>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2014 21:55:57 -0000

Comments below.


-----Original Message-----
From: 🔓Dan Wing [mailto:dwing@cisco.com]
Sent: Wednesday, September 03, 2014 11:26 AM
To: Bertz, Lyle T [CTO]
Cc: Alper Yegin; pcp@ietf.org
Subject: Re: [pcp] PCP Extensions for Footprint Discovery


On Sep 3, 2014, at 7:56 AM, Bertz, Lyle T [CTO] <Lyle.T.Bertz@sprint.com> wrote:

> Dan,
>
> This is pulled from nroff so hopefully it stays intact :)
>
> The following Figure shows a common deployment scenario.  For illustrative purpose we will use IPv4 Mobility Home Agents.
>
> +------------+
> | Home Agent |
> +------------+
>   | A/24  |
>   |       | C
>   |   +----------+    +----------+
>   |   | Service  |    | Services |
>   |   | Node     |--->| Firewall |
>   |   | (Server) |    +----------+
>   |   +----------+
>   |
>   |
> +-------------------+
> |      Hosts        |
> |     Firewall      |
> |                   |
> |   R1         R2   |
> | A/25      A.128/25|
> | Forward     NAPT  |
> | (No NAT)   (B/27) |
> +-------------------+
>          |
>       Internet
>
> Here the Home Subnet of A/24 when forwarded to the Hosts Firewall has two distinct rules applied.  Rule 1 (R1) merely forwards the traffic from the first half of subnet A without any form of address translation.  Rule 2 (R2) affects the upper half of subnet A (addresses ending with 128-255) sent through a NAPT function which externally maps them to the subnet B/27. In this case the Service Node will serve a site footprint of A/25 and B/27 for any requests received by corresponding nodes on the Internet (past the firewall).  This is referred to as the public or external footprint of the Node.   Any node at the site would view the internal footprint of the Service Node as A/24.  The endpoint of the Service is the Host address C.


So the problem is determining if packets, sent by a handset to a certain IP address, are routed directly or go through a NAT?

>>>> 3 issues.  A. What subnets are hosted at the site?  B. Are they going through a NAT if destined to a uCDN?  C. If so (yes to Answer B), what are the addresses used in the NAT?

> In the case of an ALTO based service, e.g. CDNI which notes ALTO is one option of accomplishing the Endpoint determination, any request sent from the site to an upstream CDN (uCDN) that resides on the Internet would ultimately need to be identified with the downstream CDN (dCDN) that the Service Node is a part of.   The Endpoint must then resolve to C for correct routing in this example.
>
> ALTO provides the structure of the network map and cost map for a network.  How the footprint, i.e. a collection of CIDRs in IPv4, is acquired through what the protocol [draft-ietf-alto-protocol] describes as "Dynamic Network Information" (see Figure 1 of [draft-ietf-alto-protocol]). "Routing Protocols" are also described as an option to determine topology but the internal rules of the Firewall are not discoverable via routing protocols nor is it obvious from routing protocols that a firewall is present in the network.  Such detection would require routing protocol participation on both sides of the firewall which often involves participation in multiple types of routing protocols.
>
> The footprint for the Service Node can only be determined through two steps.
> 1. The acquisition of the addresses allocated to local hosts at the site.  In the case of IP Mobility these are the Home Networks at the site.
> 2. The determine of the application of any address translation that may occur by downstream elements, e.g. carrier NATs / firewalls.
>
> The internal routing of the site further complicates the discovery of the correct egress firewall to the Internet.  In the example distinct firewalls exist and no direct route between the Service Node and the Hosts Firewall is present.  This separation of concerns provides more security and is common in operator networks.
>
> PCP [ref] has resolved how to determine if some form of translation occurs along a path from a Host regardless of a site's internal routing configuration. If PCP is to be used a some matters must be resolved:
>
> 1. As a third party, the Service Node cannot use PCP as a traditional client - a Host that has been assigned an address that is part of the subnet it needs to learn more about.  This is especially true in IP Mobility where the Service Node is likely to not support IP Mobility and, therefore, could not be assigned an address from the subnet by the Home Agent.  A proposal for 3rd Party Authorization [ref] can provide security if the Service Node can act as an PCP Client to a PCP Server in an indirect manner.

Yeah, PCP isn't intended to be used as a network configuration protocol between network elements; PCP is designed and deployed as an end-host (PC, tablet, smartphone) to firewall/NAT protocol.

>>>> Understood.  That is why we mentioned this is not ideal.

But SNMP is pretty ideal for an SDN function.  Does the NAT MIB (draft-ietf-behave-nat-mib) provide the mapping information you need?  Afterall, you're trying to see what the mapping rules are, not information about a dynamic connection itself.  If draft-ietf-behave-nat-mib doesn't provide the information you need, perhaps it can be changed to provide that information.

>>>> This isn't SDN.  The MIB has what looks to be ideal data but SNMP is not considered a viable protocol to form call control decisions (like routes and route table updates).  Any update to the MIB would require the 'discovery element' to rescan the entire MIB, parse for changes and then inject ALTO updates.   Constant SNMP polling would be required.   Forget about using Informs for updates.   Regardless of this the discovery of the allocated pool, discovery of the SNMP agent, surety that the routing occurs between the gateway and the pool and participation in the internal routing protocol for any updates along with SNMP to read the MIB with constant polling are all still challenges.    For example, using OSPF as the internal routing protocol the 'discovery service' would need at least SNMP, OSPF, some way of discovering the pools on the gateways and constant polling to figure out if a rout changed.  That only works if a routing protocol is in the LAN.  If these are hard coded links in the switches then we would require SNMP access to all elements, assuming the support it, at the site to reverse the network map to get a subnet and a NAT pool.

> 2. For IP Mobility, the anchor gateways can be augmented to become PCP servers and support new Allocation opcodes to note the subnets allocated on the Server.
>
> 3. For DHCP allocated subnets there is a possibility to query the DHCP server but how to determine downstream firewalls and routing for a specific subnet becomes quite problematic.

Could you elaborate on the concern around firewalls, which you have brought up several times in this email?  I don't understand how they could get in the way of solving the problem.  One thing mentioned earlier is a firewall is between separate routing domains, but of course separate routing domains often exist without a firewall between them, too -- the problem (in that case) isn't the presence of the firewall but rather the presence of separate routing domains, likely because of separate administrative domains.

>>>> Sure.  At the boundary of a network the firewall may participate in different routing protocols on the interior (trusted/semi-trusted) vs. exterior (untrusted).  To get both sides you need some way to participate in the routing on both sides of the firewall.  From a security perspective that is problematic (read 'not permitted' to have another server span 2 different zones of trust by security policy).  On the inside of the site just because a firewall has a mapping for an IP address group it does not imply the packets for a particular subnet use only that firewall - it could be part of a load balanced group, a backup, etc.   You really can't get that information from a single MIB or listening to just the interior routing protocol - you would need to constantly listen, poll and scan more MIBs in hopes you can construct a decent site wide picture.

> 4. A gateway can use PCP server discovery process(es) to determine PCP Servers.

I don't know where the 'gateway' (router?) is located in the network topology.

>>>> IP Mobility anchor from the example - a Home Agent or in LTE a P-GW.

> Alternatively it could allocate itself an address on a specific subnet and act as a traditional client.   Otherwise, Server (firewall) discovery will need to be rethought in terms of broadcasts and how a PCP server may respond when the requesting PCP client is not from the subnet it is querying about - this can be mitigated by use of locally broadcast and 3rd party authorization.  Alternatively placing a PCP server in a routing element and sending this new kind of discovery to a subnet broadcast address may provide a method by which 'discovery' of the PCP server (allocating gateway) may take place.

-d


>
>
>
> -----Original Message-----
> From: 🔓Dan Wing [mailto:dwing@cisco.com]
> Sent: Tuesday, September 02, 2014 10:35 PM
> To: Bertz, Lyle T [CTO]
> Cc: Alper Yegin; pcp@ietf.org
> Subject: Re: [pcp] PCP Extensions for Footprint Discovery
>
>
> On Sep 1, 2014, at 4:59 PM, Bertz, Lyle T [CTO] <Lyle.T.Bertz@sprint.com> wrote:
>
>> Not for IP Mobility.  In that case the pools are allocated by the mobility (anchor) points, or Diameter/Radius protocols and there is one option for DHCP but it is not used often in production for other reasons.  Diameter is also used for LTE but I would not worry too much about this matter if it were only a 3GPP issue.
>>
>> In both cases (IP Mobility/LTE) as well as DHCP you get gratuitous ARPs in some implementations - that helps some but then participation in the interior routing protocol is required to be sure about pool size used in a footprint.  There is still one more step though.
>>
>> The next step is to interrogate any NAT functions regarding how the pools are translated.  For instance, an IPv4 /24 subnet/pool could have the lower half ran through a NAT and the upper sent through a firewall without translation.  It is not always obvious how the pools are exposed to another network.
>>
>> Manual provisioning is out of the question for large operators.
>>
>> Rather than trying to determine the route between a mobility gateway and the NAT / firewall via internal routing participation (which can be a number of protocols or worst case a series of statically defined routes in which case I have no immediate idea of how to solve it) it seems more realistic to ask the gateway about the allocations (pools) it owns and let it forward requests regarding how peer mappings occur to carrier grade NATs in the network.  The pools that have no NAT function assigned to them are public if they are known public publics, e.g. not a 10.x.x.x..  Otherwise they are translated and the public pools are what should be advertised as footprints.
>>
>> A typical operator is looking at several /8 networks that are divided over tens to hundreds of sites that may have multiple functions that could use ALTO.  In that case they also contain firewalls and probably have a NAT function in place as well.
>>
>> I hope that clarifies the challenge a bit more.
>
> I asked one of our CDNI experts and I admit that after reading your draft, talking with him, and reading your email, that I do not understand the 'footprint' problem well enough so I can't evaluate if PCP is the best solution.  Is there an explanation of the CDN footprint problem?  That is, where is the pain, and what needs to be known to which endpoint (client, server, some Javascript running in the browser to choose a certain server, or whatever -- I honestly don't know).
>
> -d
>
>
>
>>
>> From: Alper Yegin <alper.yegin@yegin.org>
>> Sent: Monday, September 1, 2014 3:42 AM
>> To: Bertz, Lyle T [CTO]
>> Cc: pcp-chairs@tools.ietf.org; pcp@ietf.org
>> Subject: Re: [pcp] PCP Extensions for Footprint Discovery
>>
>> Hello Lyle,
>>
>>
>> Couldn't DHCP be used for that purpose?
>>
>>
>> Alper
>>
>>
>>
>> On Aug 25, 2014, at 11:32 PM, Bertz, Lyle T [CTO] wrote:
>>
>>> I wanted to forward this on Brent’s behalf. It is on the agenda tomorrow.
>>>
>>> Thanks!
>>>
>>> Lyle
>>>
>>> From: Hirschman, Brent B [CTO]
>>> Sent: Monday, August 25, 2014 8:36 AM
>>> To: 'pcp@ietf.org'; 'pcp-chairs@tools.ietf.org'
>>> Subject: PCP Extensions for Footprint Discovery
>>>
>>> Here are the slides for a quick discussion on how we feel PCP can be easily extended to aid footprint discovery, e.g., internal network CDNI endpoints.  This is meant as an introductory discussion to hopefully generate more interest in this idea.
>>>
>>> Brent Hirschman
>>> Tech Dev Strategist III
>>> Sprint Corporation
>>> 6220 Sprint Parkway
>>> Overland Park, KS 66251
>>> Office – 913-762-6736
>>> Mobile – 913-593-6221
>>>
>>>
>>>
>>> This e-mail may contain Sprint proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.
>>> <IETF 90 - PCP Extensions For Footprint Discovery.pptx>_______________________________________________
>>> pcp mailing list
>>> pcp@ietf.org
>>> https://www.ietf.org/mailman/listinfo/pcp
>>
>>
>>
>> This e-mail may contain Sprint proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.
>> _______________________________________________
>> pcp mailing list
>> pcp@ietf.org
>> https://www.ietf.org/mailman/listinfo/pcp
>
>
> ________________________________
>
> This e-mail may contain Sprint proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.


________________________________

This e-mail may contain Sprint proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.

v2.23.0 | Report a Bug | By Email