IETF Logo Mail Archive

Re: [v6ops] Please review draft-donley-behave-deterministic-cgn

Chris Donley <C.Donley@cablelabs.com> Tue, 10 January 2012 18:16 UTC

Return-Path: <C.Donley@cablelabs.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A73421F87CF for <v6ops@ietfa.amsl.com>; Tue, 10 Jan 2012 10:16:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.137
X-Spam-Level:
X-Spam-Status: No, score=0.137 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XwhG9+JicubT for <v6ops@ietfa.amsl.com>; Tue, 10 Jan 2012 10:16:03 -0800 (PST)
Received: from ondar.cablelabs.com (ondar.cablelabs.com [192.160.73.61]) by ietfa.amsl.com (Postfix) with ESMTP id 560FC21F862D for <v6ops@ietf.org>; Tue, 10 Jan 2012 10:15:59 -0800 (PST)
Received: from kyzyl.cablelabs.com (kyzyl [10.253.0.7]) by ondar.cablelabs.com (8.14.5/8.14.5) with ESMTP id q0AI7BWR002655; Tue, 10 Jan 2012 11:15:53 -0700
Received: from srvxchg.cablelabs.com (10.5.0.15) by kyzyl.cablelabs.com (F-Secure/fsigk_smtp/303/kyzyl.cablelabs.com); Tue, 10 Jan 2012 11:07:11 -0700 (MST)
X-Virus-Status: clean(F-Secure/fsigk_smtp/303/kyzyl.cablelabs.com)
Received: from srvxchg.cablelabs.com ([10.5.0.15]) by srvxchg ([10.5.0.15]) with mapi; Tue, 10 Jan 2012 11:13:58 -0700
From: Chris Donley <C.Donley@cablelabs.com>
To: Fred Baker <fred@cisco.com>, "Joel M. Halpern" <jmh@joelhalpern.com>
Date: Tue, 10 Jan 2012 11:13:55 -0700
Thread-Topic: [v6ops] Please review draft-donley-behave-deterministic-cgn
Thread-Index: AczPw57BrPFU+hVVTiabSatHl9fObg==
Message-ID: <CB30CA3D.38617%c.donley@cablelabs.com>
In-Reply-To: <B591E95C-7713-49BE-900D-36AD2EAF47D7@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.13.0.110805
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Approved: ondar
Cc: v6ops v6ops WG <v6ops@ietf.org>, Dave Thaler <dthaler@microsoft.com>, Behave Chairs <behave-chairs@tools.ietf.org>, "draft-donley-behave-deterministic-cgn@tools.ietf.org" <draft-donley-behave-deterministic-cgn@tools.ietf.org>
Subject: Re: [v6ops] Please review draft-donley-behave-deterministic-cgn
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jan 2012 18:16:04 -0000

This comes down to compression density.  You're right that most
subscribers use few ports, but a few subs do use a very large number (see
the WAND data).  If you pack a lot of subscribers (let's say 1,000) behind
a single IP address, each gets only a handful of ports, and this proposal
almost turns into bulk port logging since many subscribers will be
requesting additional allocations (we're not suggesting per-connection
logging on the overflow).  However, if you pack fewer subs behind a single
public IP (let's say 60), each sub gets ~1000 ports, and 99% or so will
never request another block. Then, using bulk port logging for the
remainder makes for a very small quantity of log messages.  In the example
I presented in Taipei, we can get 100,000x-1,000,000x reduction in log
messages, depending on the size of the port blocks offered for subsequent
allocation.

You're correct that there is a tradeoff between compression density
(per-connection logging wins) and minimizing logging volume (Juniper's
SD-NAT wins). On that continuum, we believe our proposal provides a
balance that keeps log sizes small, but allows a reasonable compression
density while allowing some flexibility to accommodate the 1% of users who
consume significant numbers of ports.


Chris




On 1/4/12 4:18 PM, "Fred Baker" <fred@cisco.com> wrote:

>
>On Jan 4, 2012, at 2:32 PM, Joel M. Halpern wrote:
>
>> When I asked on operator about the port distribution, their answer was
>>somewhat different.
>> What they said was that when the users are idle, they don't use many
>>ports.  But when the user is busy, they use a lot of ports.
>> This makes repeated, largeish, block allocation sensible, but makes
>>pre-allocation of a small number, and then individual allocation
>>thereafter, a bad strategy, as it will basically log as much as current.
>> 
>> I do not have access to any research results to disambiguate these two
>>reports.
>
>Chris should step in here.
>
>https://www.ietf.org/proceedings/82/slides/behave-5.pdf, quoting
>http://www.wand.net.nz/~salcock/someisp/flow_counting/result_page.html
>also referenced by RFC 6269
>
>In the wand.net.nz HTML, look specifically for "mean number of peak
>sessions for active subscribers only for each 30 minute period"; the HTML
>doesn't have tags that would allow me to simply get you there.
>
>I suspect that Chris/WAND and your service provider might be defining
>"user" and "a lot" differently. The Waikato numbers are very likely
>typical of a residential network behind a NAT - in a home, even if
>several computers are in use, it's unlikely that everyone in the home is
>web surfing during the same minute. Common browsers usually limit the
>number of TCPs they open in parallel to something like 2 or 4, and those
>sessions usually stay open single digit numbers of seconds; this says
>that in a typical residential network, they see 2-4 computers
>simultaneously doing that, for a peak of 4-8 TCP sessions simultaneously
>active. That would be very surprising in a corporate network, but makes
>sense for residential network.
>
>Is the service provider you asked talking about corporate subscribers?
>
>> Yours,
>> Joel
>> 
>> On 1/4/2012 5:27 PM, Dave Thaler wrote:
>>> Yes operational commentary would be very welcome.
>>> 
>>> Also FYI, the author of the draft has declared IPR on it:
>>> https://datatracker.ietf.org/ipr/1617/
>>> 
>>> -Dave
>>> 
>>> -----Original Message-----
>>> From: Fred Baker [mailto:fred@cisco.com]
>>> Sent: Tuesday, October 11, 2011 6:52 AM
>>> To: v6ops v6ops WG
>>> Cc: Behave Chairs; draft-donley-behave-deterministic-cgn@tools.ietf.org
>>> Subject: Please review draft-donley-behave-deterministic-cgn
>>> 
>>> Operators subject to law enforcement subpoenas and using Carrier Grade
>>>NAT are having difficulties with the syslog rate for per-connection
>>>logging. Chris Donley has proposed a simplification; the provider
>>>allocates a deterministic set of source ports to his subscribers, and
>>>only needs to log exceptions. Research in the area suggests that usage
>>>of source ports is pareto distributed; a typical user has a requirement
>>>on the order of 4 port numbers in simultaneous use (median), but port
>>>scans and other large volume uses drive the average quite a bit higher.
>>> 
>>> They haven't asked for it, but I suspect the behave chairs would
>>>appreciate operational commentary on the draft.
>>> 
>>> http://tools.ietf.org/html/draft-donley-behave-deterministic-cgn
>>>   "Deterministic Address Mapping to Reduce Logging in Carrier Grade
>>>NATs",
>>>   Chris Donley, Chris Grundemann, Vikas Sarawat, Karthik Sundaresan,
>>>   26-Sep-11
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>>> 
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>
>_______________________________________________
>v6ops mailing list
>v6ops@ietf.org
>https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email