IETF Logo Mail Archive

Re: [v6ops] Disadvantages of MAP protocols -- Re: Is 464XLAT really inferior to all other IPv6 transition technologies? -- Re: updating RFC8026 to support 464XLAT in draft-ietf-v6ops-transition-ipv4aas

Ole Troan <otroan@employees.org> Wed, 13 June 2018 19:37 UTC

Return-Path: <otroan@employees.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A03BD130E87 for <v6ops@ietfa.amsl.com>; Wed, 13 Jun 2018 12:37:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ae4-xi7EmK1F for <v6ops@ietfa.amsl.com>; Wed, 13 Jun 2018 12:37:28 -0700 (PDT)
Received: from accordion.employees.org (accordion.employees.org [IPv6:2607:7c80:54:3::74]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CCDB12426A for <v6ops@ietf.org>; Wed, 13 Jun 2018 12:37:28 -0700 (PDT)
Received: from h.hanazo.no (145.51-175-104.customer.lyse.net [51.175.104.145]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by accordion.employees.org (Postfix) with ESMTPSA id B461C2D51D4; Wed, 13 Jun 2018 19:37:26 +0000 (UTC)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by h.hanazo.no (Postfix) with ESMTP id 669992031EA72D; Wed, 13 Jun 2018 21:37:24 +0200 (CEST)
From: Ole Troan <otroan@employees.org>
Message-Id: <671083EC-62E4-44ED-91AD-EBD0DFB086F6@employees.org>
Content-Type: multipart/signed; boundary="Apple-Mail=_01520383-DD8E-486E-9FA9-E667687306DE"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Wed, 13 Jun 2018 21:37:23 +0200
In-Reply-To: <7eb46aa1-699a-7397-d0d9-51d1160b4148@hit.bme.hu>
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
To: Lencse Gábor <lencse@hit.bme.hu>
References: <FEACFE5A-F2E6-4533-8602-C05F8A1FB59A@consulintel.es> <28C9E7B4-1D2F-4C65-A121-90E9AFB470AD@gmail.com> <CAHL_VyDc1iF7T4k3J1uQvDYUpxaRg7_eOqK6poV_cZ-NAFAEDQ@mail.gmail.com> <7B87AAA7-E5C5-498E-A41E-8927BC554F29@consulintel.es> <CAKD1Yr2HpJFvW3=CQQV6HVr6tOGSW=Kj5mpO-rLLrEEuPZ4vmg@mail.gmail.com> <966D347E-0A4F-4F51-90AB-03D178EF4CEB@consulintel.es> <CAKD1Yr3uSr-KJCOhTJvaf1xh4g7hOqwzxZSv7TNH5fB5Z1VigQ@mail.gmail.com> <C48F6BAD-84CE-4121-B862-218004A417D3@consulintel.es> <CAKD1Yr1_NeLyAmdAJitd=jUKeY0kW8qxV_9FWGCbNf1__ppecw@mail.gmail.com> <018DD24B-DD2F-4B31-A939-328173891F3E@consulintel.es> <CAKD1Yr1ohmb9BUV+KO2Ff+LJ1+pNwQ+-UJ6t7MmwY6PV3MLhyA@mail.gmail.com> <0F82C180-CE02-4DC1-88EE-5BB6CEC46F3C@consulintel.es> <CAKD1Yr1FVdWt446zq9mDec4fsCmN6K=M1MkK4FUWv=RBMQMrbQ@mail.gmail.com> <da095b32-3bb9-d2ec-dd41-e6e526cff83f@hit.bme.hu> <CAKD1Yr3ZbOLbsXFmZqa78ZJ9aaiFnCxAPUVOX26=VoqChA1g-A@mail.gmail.com> <7eb46aa1-699a-7397-d0d9-51d1160b4148@hit.bme.hu>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/9kuxbjofIujSwKzLPgQPqnBb-LA>
Subject: Re: [v6ops] Disadvantages of MAP protocols -- Re: Is 464XLAT really inferior to all other IPv6 transition technologies? -- Re: updating RFC8026 to support 464XLAT in draft-ietf-v6ops-transition-ipv4aas
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jun 2018 19:37:31 -0000

> For a balanced view, I think it is useful to point out that the MAP protocols have their disadvantages, too.
> 
> 1. Port numbers
> 
> As Jordi has already pointed it out, one needs to dedicate a fix number of ports per CPE. Some advice that a few hundred will do for this value, but I think that it is not so simple:
> - The lack of port situation may cause serious problems in the operation of certain programs, for more information see [1].
> - The port number consumption of different applications is highly varying and e.g. in the case of web browsing it depends on several factors [2].
> - There may be several users behind a CPE, especially in the wired case (e.g. Internet is used by different members of a family simultaneously), thus sometimes even a few thousands may not be enough.
> 
> Stateful NAT64 (used by 464XLAT) can use port numbers (and thus public IP addresses) much more economically.

While that is correct, you can build endpoint dependent NATs that are extremely efficient when it comes to port utilisation.
(Reusing the same port for communication to different end systems).

> 2. Complexity and security
> 
> The operation of the MAP solution is rather complex, now I give only some highlights. Let us consider MAP-T. (MAP-E works similarly, but it uses encapsulation.) "First, the MAP-T CE (Customer Edge) device performs a NAT44 operation to restrict the available TCP/UDP port numbers for the user.  Then the CE device performs a special stateless translation from IPv4 to IPv6, where the source IPv4 address and the selected port bits are encoded into the source IPv6 address according to the MAP-T rules. The IPv6 packets can be destined to other users, where similar CEs perform the necessary transformations, or to the outside IPv4 Internet, in which case the MAP-T Border Relay performs the necessary transformations." [3]
> 
> This complexity has performance and security implications:
> - Whereas the IPv6 backbone traffic of 464XLAT is normal IPv6 traffic, which can be inspected e.g. by firewalls, the IPv6 backbone traffic of MAP-T (as well as that of MAP-E) needs to be first "decoded", which causes further costs (both CAPEX and OPEX).

This is incorrect. MAP-T IPv6 traffic is just as 'normal' as 464XLAT IPv6 packets.

> -  Complex code may contain more bugs and thus also security holes. (In the simplest model, the number of bugs is proportional to the number of code lines.)

On the PE side, stateful NAT64 is a lot more complex than any of the MAPs. While MAP-T is somewhat more complex (in number of lines of code) than MAP-E.
You have logging considerations as well as much more complex scaling. Scaling a MAP system is trivial. Scaling a stateful NAT system quickly requires state synchronisation between systems.

On the CPE side complexity is similar. NAT44 -> NAT46 or NAT44 -> tunnel. (Actually the 464XLAT case where even the second NAT is stateful is worse.

> 3. MAP-T and MAP-E are different
> 
> On the one hand, if double translation may cause the loss of some IPv4 fields (BTW: What exactly did you mean?), then it is also applies for MAP-T.
> On the other hand, MAP-E uses encapsulation, which results in an overhead. An IPv6 header is at least 40 bytes, which may be a significant overhead in the case of small packets, e.g. TCP acknowledgments.

Yes. At the benefit of transparency and simplicity. 464XLAT/MAP-T adds 20 bytes, encap another 20.
> 
> 4. What other IPv6 transition solutions did you also consider?
> 
> As you have now mentioned only MAP,  I wonder what other solutions you could consider better than 464XLAT?

Please don't call these IPv6 transition solutions.
These solutions are about keeping IPv4 alive a little longer.

The main "benefit" of 464XLAT is two-fold. It was lighter on provisioning than e.g. MAP-E or MAP-T and it could reuse a stateful NAT64, which could serve IPv6 only hosts reaching the IPv4 Internet.
How easy it is to provision 464XLAT or NAT64 to a CE device has in hindsight been shown to be arguable.

Cheers,
Ole

v2.23.0 | Report a Bug | By Email