Re: [v6ops] Operational Consensus on deployment
Tore Anderson <tore@fud.no> Wed, 06 August 2014 06:06 UTC
Return-Path: <tore@fud.no>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55B751B28E0 for <v6ops@ietfa.amsl.com>; Tue, 5 Aug 2014 23:06:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.901
X-Spam-Level:
X-Spam-Status: No, score=-0.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_AFFORDABLE=1, RP_MATCHES_RCVD=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UxFbz3nhBtMl for <v6ops@ietfa.amsl.com>; Tue, 5 Aug 2014 23:06:19 -0700 (PDT)
Received: from greed.fud.no (greed.fud.no [IPv6:2a02:c0:1001:100::145]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08B4A1B2C7D for <v6ops@ietf.org>; Tue, 5 Aug 2014 23:06:18 -0700 (PDT)
Received: from [2a02:c0:2:1:1194:17:0:1000] (port=37642 helo=echo.ms.redpill-linpro.com) by greed.fud.no with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <tore@fud.no>) id 1XEuMa-0005Bt-G1; Wed, 06 Aug 2014 08:06:16 +0200
Message-ID: <53E1C587.4000506@fud.no>
Date: Wed, 06 Aug 2014 08:04:55 +0200
From: Tore Anderson <tore@fud.no>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0
MIME-Version: 1.0
To: Ross Chandler <ross@eircom.net>, IPv6 Ops WG <v6ops@ietf.org>
References: <256EAE0B-5C11-42C7-BCA1-CEC7EE6713A7@cisco.com> <53DFD634.4020304@fud.no> <53E0C548.9050706@fud.no> <5C9FC57A-0DA5-4D36-84AE-CF1D6D17FB44@eircom.net>
In-Reply-To: <5C9FC57A-0DA5-4D36-84AE-CF1D6D17FB44@eircom.net>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/gK0UZN6sbOETtGELz8EKJGQB4QM
Subject: Re: [v6ops] Operational Consensus on deployment
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Aug 2014 06:06:22 -0000
* Ross Chandler > What’s your position on NAPT44 being put in front of an IP service > address pool that used RFC1918 space? Not advocating for that but it > would inevitably be tried. I find this undesirable for several reasons. From the top of my head: 1) The NAPT44 device needs to maintain per-flow state for each flow. This creates some new undesirable scaling properties, in particular limitations on concurrent flow count and and flow initiation rate which generally are reached long before the available interface bandwidth is exhausted. This in turn typically makes such boxes be the first thing to stop working under DDoS attacks, as the flow table gets filled up with junk flow entries, and/or that new flow entries cannot be added to the table fast enough. 2) Related to #1, NAPT44 devices tends to be much more expensive than stateless devices, because they are much harder to implement and scale. A normal IP router that can forward, say, 50 Gbps of mostly HTTP traffic is quite affordable. A NAPT44 device/blade that can do the same gets much more expensive (and that extra expense would probably come in addition to the router that you're likely to need anyway). 3) All packets in a single flow must pass bi-directionally across a single NAPT44 instance. This causes a new set of challenges: 3a) You cannot scale the solution horizontally by adding more NAPT44 boxes and using e.g. ECMP to balance across them. If you've reached the limit of what your NAPT44 device can do, you'll have to buy a bigger one. 3b) The device might rewrite the source address of the end users to a pool assigned to the NAPT44 device itself. This ensures return traffic is routed back to the NAPT44 device, but also means that the source address of the end user is lost, and that the application has no way of doing stuff like Geo-Location or otherwise track users based on IP. 3c) If the device does not rewrite the source address, then you must point your default route at it, which means that all the traffic in your network must pass through it (even traffic that did not need to undergo NAT!) making it an even more attractive DDoS target. (Or, you could avoid this at the expense of added complexity, by having a separate VRF for NAPT44-bound traffic). 3d) You cannot do closest exit/hot potato routing, you must backhaul the return traffic to the NAT instance that handled the initial inbound packet. This can be avoided by buying NAPT44 devices for each location, which in turn will add to your CapEx and OpEx. 3e) Failure events are highly disruptive. If your primary NAPT44 box goes down and traffic is redirected onto the backup, every single flow is reset. Or, you could have an implementation that did some form of continuous replication of the state table from the primary to the backup, which complicates the implementation even more and probably makes it more expensive. 4) NAPT44 does absolutely nothing to help me deploy IPv6. Quite the contrary, such an undertaking actually be quite damaging to IPv6 deployment - my time and budgets are finite, and any time and budget that go into deploying and maintaining a NAPT44 solution is time and budget that won't get spent on deploying IPv6. However, the NAPT44 does not give me a pass on deploying IPv6, which means that I have that ordeal to look forward to anyway. I would much rather have to do only 1 painful migration project rather than 2 (or 3, if you count the eventual removal of IPv4 from throughout your infrastructure). For me, deploying NAPT44 seems like a terribly shortsighted effort that comes with a number of undesirable technical limitations. At best it would be akin to treading water; I'd much rather be swimming for shore. All of that said, YMMV; if you or anyone else use NAPT44 in your data centres, and are happy with it, then that's great, I have no philosophical/"religious" objections to that. I just need an alternative for myself, and preferably make it into one that others could use too, if they are in a situation similar to mine. Tore
- [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment Brian E Carpenter
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment Mark Andrews
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Brian E Carpenter
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Gert Doering
- Re: [v6ops] Operational Consensus on deployment Czerwonka Michał 1 - Hurt
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment William F. Maton Sotomayor
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Ted Lemon
- Re: [v6ops] Operational Consensus on deployment Heatley, Nick
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Czerwonka Michał 1 - Hurt
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Ted Lemon
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roaming… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Gert Doering
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Brian E Carpenter
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Ted Lemon
- Re: [v6ops] Operational Consensus on deployment Brian E Carpenter
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Mikael Abrahamsson
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roaming… Tore Anderson
- Re: [v6ops] IPv4v6 roaming Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Gert Doering
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Vízdal Aleš
- Re: [v6ops] Operational Consensus on deployment Gert Doering
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] Operational Consensus on deployment Vízdal Aleš
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Tore Anderson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Tore Anderson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… holger.metschulat
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Lee Howard
- Re: [v6ops] Operational Consensus on deployment Philip Homburg
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ca By
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] Operational Consensus on deployment Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Dave Michaud
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ca By
- Re: [v6ops] Operational Consensus on deployment Gert Doering
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] Operational Consensus on deployment Ca By
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… GangChen
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Jouni
- Re: [v6ops] Operational Consensus on deployment Eric Vyncke (evyncke)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Dave Michaud
- Re: [v6ops] Operational Consensus on deployment Lorenzo Colitti
- Re: [v6ops] Operational Consensus on deployment Kossut Tomasz - Hurt
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Ross Chandler
- Re: [v6ops] Operational Consensus on deployment Tore Anderson
- Re: [v6ops] Operational Consensus on deployment Ross Chandler
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-roa… Geir Egeland
- Re: [v6ops] Operational Consensus on deployment Ray Hunter
- Re: [v6ops] Operational Consensus on deployment Heatley, Nick
- Re: [v6ops] Operational Consensus on deployment Mark Andrews
- Re: [v6ops] Operational Consensus on deployment George Michaelson
- Re: [v6ops] Operational Consensus on deployment Heatley, Nick
- Re: [v6ops] Operational Consensus on deployment Kossut Tomasz - Hurt
- Re: [v6ops] Operational Consensus on deployment Eric Vyncke (evyncke)
- Re: [v6ops] Operational Consensus on deployment Owen DeLong
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment James Woodyatt
- Re: [v6ops] Operational Consensus on deployment Fred Baker (fred)
- Re: [v6ops] Operational Consensus on deployment James Woodyatt
- Re: [v6ops] Operational Consensus on deployment Mark Andrews