Re: [Tsvwg] NATs (etc.) (was Re: WGLC for Port Randomization starts now (April 1st))

Fernando Gont <fernando@gont.com.ar> Wed, 27 May 2009 17:08 UTC

Sender: Fernando Gont <fernando.gont.netbook.win@gmail.com>
Message-ID: <4A1D7364.5040708@gont.com.ar>
Date: Wed, 27 May 2009 14:07:48 -0300
From: Fernando Gont <fernando@gont.com.ar>
To: mallman@icir.org
References: <20090527032316.0F0E3293746@lawyers.icir.org>
In-Reply-To: <20090527032316.0F0E3293746@lawyers.icir.org>
Cc: Alfred Hönes <ah@tr-sys.de>, "James M. Polk" <jmpolk@cisco.com>, tsvwg <tsvwg@ietf.org>
Subject: Re: [Tsvwg] NATs (etc.) (was Re: WGLC for Port Randomization starts now (April 1st))

Mark Allman wrote:

>>>   - Further in 3.3.1 you note that web proxies and NATs are examples of
>>>     systems that "create many connections from a single local IP address
>>>     to a single service".  I think that's pretty dubious.  You might say
>>>     that they make more connections to popular services than end hosts
>>>     do (because of the aggregation) and thus increase the population of
>>>     used ephemeral ports and hence the chance of collision using Alg. 1
>>>     or 2.  But, I think it's sort of dubious to just leave it hanging as
>>>     these things hit the problematic case as a matter of course, which
>>>     is not generally true, I bet.
>> This is the scenario that led users of FreeBSD and OpenBSD to hit
>> the aforementioned problem, and what led FreeBSD to disable port
>> randomization when the connection-establishment rate is "high".
[....]
> I am not familiar enough with the FreeBSD/OpenBSD experience.  But,
> your formulation is pretty tightly scoped.  If there is some box
> making a bajillion connections to some service then sure... the port
> space is going to be used and it is going to be more difficult to choose
> additional ports.  But, I don't see that as the norm.  I think the
> formulation I sketch that NATs (proxies, etc.) create more contention by
> aggregating multiple peers into one port space is a reasonable point to
> make.  And, in fact, is shown in the data.

I agree with this.


> But, the data also shows
> that even in this case the collision rate is very low.

This is the one I'm not sure about. Yes, I believe in the result of your
research. However, can we really assume that the network scenario in
which you measure connections really represents most network scenarios,
and that therefore we can broadly claim that "collision rates resulting
from NATs are very low"?

I'm not saying that this is not the case. I'm just wondering whether it
would be appropriate to assume that the data we have represent most
network scenarios.

E.g., it is not unusual to have a large number of clients behind a NAT
connecting every few seconds to a mail server on the public side of the
NAT. This may be a dumb thing to do... but it does happen.

Thoughts?

Thanks,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
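The scenario sketched in the message above (many clients behind one NAT, all reconnecting every few seconds to the same mail server, with the NAT picking source ports at random and retrying on collision, i.e. the simple random selection the quoted review calls Alg. 1) can be put into numbers with a small simulation. This is an added illustration, not code from the thread, the draft, or any BSD implementation; the client count, connection interval and a 60 s TIME_WAIT hold time are constructed assumptions.

```python
import heapq
import random

# Constructed scenario (assumption, not measured data): many clients behind
# one NAT, all reaching the same mail server, so every connection shares the
# same (public IP, server IP, server port) and differs only by NAT source port.
EPHEMERAL_RANGE = range(1024, 65536)        # 64512 candidate source ports
TIME_WAIT_MS = 60_000                        # assumed 2*MSL: port held after close


def expected_in_use(clients, interval_ms, time_wait_ms=TIME_WAIT_MS):
    """Steady-state ports tied up in TIME_WAIT (Little's law): rate x hold time."""
    return clients * time_wait_ms / interval_ms


def simulate(clients, interval_ms, rounds, retries=10, seed=1):
    """Random port selection in the style of Alg. 1: pick, test the tuple, retry.

    Every client opens one short-lived connection per interval; the NAT sees
    the clients evenly spread over the interval (interval_ms must be a
    multiple of clients). Returns the first-try collision rate, attempts that
    exhausted all retries, and ports still held when the run ends.
    """
    rng = random.Random(seed)
    step = interval_ms // clients                # ms between successive attempts
    in_use, expiry = set(), []                   # ports held; heap of (expiry, port)
    attempts = collisions = failures = 0
    for j in range(clients * rounds):
        now = j * step
        while expiry and expiry[0][0] <= now:    # release ports whose TIME_WAIT ended
            in_use.discard(heapq.heappop(expiry)[1])
        attempts += 1
        for attempt in range(retries):
            port = rng.choice(EPHEMERAL_RANGE)
            if port not in in_use:
                in_use.add(port)
                heapq.heappush(expiry, (now + TIME_WAIT_MS, port))
                break
            if attempt == 0:
                collisions += 1                  # first pick landed on a busy port
        else:
            failures += 1                        # gave up after all retries
    return {"attempts": attempts, "first_try_collisions": collisions,
            "collision_rate": collisions / attempts,
            "failures": failures, "in_use_at_end": len(in_use)}
```

With 1000 clients each reconnecting every 10 s, about 6000 of the 64512 ports are permanently tied up in TIME_WAIT, so roughly one random pick in eleven collides and must be retried; the rate scales linearly with client count and inversely with the reconnection interval.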