Network Working Group                                            E. Abdo
Internet-Draft                                              M. Boucadair
Intended status: Informational                                J. Queiroz
Expires: January 17, 2013                                 France Telecom
                                                           July 16, 2012

     HOST_ID TCP Options: Implementation & Preliminary Test Results
              draft-abdo-hostid-tcpopt-implementation-03

Abstract

   This memo documents the implementation of the HOST_ID TCP Options.
   It also discusses the preliminary results of the tests that have been
   conducted to assess the technical feasibility of the approach as well
   as its scalability.  Several HOST_ID TCP options have been
   implemented and tested.
Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 17, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Objectives
   3.  NAT Reveal TCP Options: Overview
     3.1.  HOST_ID_WING TCP Option
     3.2.  HOST_ID_BOUCADAIR TCP Option
       3.2.1.  SYN Mode
       3.2.2.  ACK Mode
   4.  Overview of the Linux Kernel Modifications
   5.  Testbed Setup & Configuration
     5.1.  Automated TCP Traffic Generator
     5.2.  Testing Methodology and Procedure
     5.3.  Check HOST_ID TCP Options are Correctly Injected
     5.4.  Top Site List
   6.  Experimentation Results
     6.1.  HTTP Experimentation Results
       6.1.1.  Configuration 1: Connected to an enterprise network
         6.1.1.1.  Results
         6.1.1.2.  Analysis
       6.1.2.  Configuration 2: In a lab behind a firewall
       6.1.3.  Configuration 3: Connected to two commercial ISP networks
       6.1.4.  Additional Results
       6.1.5.  Analysis
     6.2.  FTP
     6.3.  SSH
     6.4.  Telnet
   7.  AFTR Module Modifications
     7.1.  Specification
     7.2.  Verification
     7.3.  CGN Performance Testing
       7.3.1.  Configuration
       7.3.2.  HTTP Testing
         7.3.2.1.  Analysis of results
         7.3.2.2.  Conclusion
       7.3.3.  FTP
   8.  IPTABLES: Modifications to Enforce Policies at the Server Side
     8.1.  Overview
     8.2.  Validation
     8.3.  Stripping HOST_ID Options
     8.4.  Logging a Specific HOST_ID Option Value
     8.5.  Dropping a specific HOST_ID Option Value
   9.  IANA Considerations
   10.  Security Considerations
   11.  Acknowledgments
   12.  References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses

1.  Introduction

   To ensure IPv4 service continuity, service providers will need to
   deploy IPv4 address sharing techniques.  Several issues are likely to
   be encountered (refer to [RFC6269] for a detailed survey of the
   issues), and they may affect the delivery of services that depend on
   the enforcement of policies based upon the source IPv4 address.

   Some of these issues may be mitigated by activating advanced
   features.  Among the solutions analyzed in
   [I-D.boucadair-intarea-nat-reveal-analysis], the use of a new TCP
   option to convey a HOST_ID seems to be a promising solution.

   This memo documents some implementation and experimentation efforts
   that have been conducted to assess the viability of using HOST_ID TCP
   options at large scale.  In particular, this document provides
   experimentation results related to the support of the HOST_ID TCP
   options and the behavior of legacy TCP servers when receiving them.
   This draft also discusses the impact of using HOST_ID TCP options on
   the time it takes to establish a connection; it also tries to
   evaluate the impact of the new TCP options on the performance of the
   CGN.  Finally, it presents the enforcement policies that could be
   applied by remote servers based upon the HOST_ID option contents.

2.  Objectives

   The implementation of several HOST_ID TCP options is primarily meant
   to:

   o  Assess the validity of the HOST_ID TCP option approach
   o  Evaluate the impact on the TCP stack of supporting the HOST_ID TCP
      options
   o  Improve filtering and logging capabilities based upon the contents
      of the HOST_ID TCP option.  This means the enforcement of various
      policies based upon the content of the HOST_ID TCP option at the
      server side: Log, Deny, Accept, etc.
   o  Assess the behavior of legacy TCP servers when receiving a HOST_ID
      TCP option
   o  Assess the success ratio of TCP communications when a HOST_ID TCP
      option is received
   o  Assess the impact of injecting a HOST_ID TCP option on the time it
      takes to establish a connection
   o  Assess the performance impact on the CGN device that has been
      configured to inject the HOST_ID option

3.  NAT Reveal TCP Options: Overview

   The original idea of defining a TCP option is documented in
   [I-D.wing-nat-reveal-option] and denoted as HOST_ID_WING.

   An additional TCP option is also considered and denoted as
   HOST_ID_BOUCADAIR.  The main motivation is to also cover the load-
   balancer use case and to provide richer functionality, comparable to
   the Forwarded-For HTTP header, than HOST_ID_WING can provide.

   The following sub-sections provide an overview of these HOST_ID TCP
   options.

3.1.  HOST_ID_WING TCP Option

   HOST_ID_WING is defined in [I-D.wing-nat-reveal-option].  Figure 1
   shows the format of this option.
        +--------+--------+-----------------------+
        |Kind=TBD|Length=4|      HOST_ID Data     |
        +--------+--------+-----------------------+

               Figure 1: Format of HOST_ID_WING TCP Option

   This option must be sent only upon the initial connection request,
   i.e., in SYN packets, as shown in Figure 2.

     +------------+          +------------+          +------------+
     | TCP CLIENT |          |    CGN     |          | TCP SERVER |
     +------------+          +------------+          +------------+
           |                       |                       |
           |---TCP SYN------------>|                       |
           |                       |---TCP SYN, HOST_ID=12345---->|
           |                       |                       |

           Figure 2: HOST_ID_WING TCP Option: Flow example

3.2.  HOST_ID_BOUCADAIR TCP Option

   As mentioned above, the HOST_ID_BOUCADAIR TCP Option is inspired by
   HOST_ID_WING and XFF.

   The HOST_ID_BOUCADAIR option is a 10-byte long TCP option, where the
   Kind, Length, Lifetime and Origin fields fill one byte each, and the
   HOST_ID data is 7 bytes long, as shown in Figure 3.

        +--------+---------+---+---+--------..-------+
        |Kind=TBD|Length=10| L | O |   HOST_ID_data  |   HOST_ID
        +--------+---------+---+---+--------..-------+

          Figure 3: Format of HOST_ID_BOUCADAIR TCP option

   o  L: Indicates the validity lifetime of the enclosed data (in the
      spirit of [RFC6250]).  The following values are supported:
         0: Permanent;
         >0: Dynamic; this value indicates the validity time.
   o  Origin: Indicates the origin of the data conveyed in the data
      field.  The following values are supported:
         0: Internal Port
         1: Internal IPv4 address
         2: Internal Port: Internal IPv4 address
         3: IPv6 Prefix
         >3: No particular semantic
   o  HOST_ID_data depends on the content of the Origin field; padding
      is required.

   Two modes are described below: the SYN mode (Section 3.2.1) and the
   ACK mode (Section 3.2.2).

   If the ACK mode is used (Section 3.2.2), Figure 4 shows the
   HOST_ID_ENABLED option (2 bytes long) to be included in the SYN.
        +--------+---------+
        |Kind=TBD|Length=2 |   HOST_ID_ENABLED
        +--------+---------+

                 Figure 4: Format of HOST_ID_ENABLED

3.2.1.  SYN Mode

   This mode is similar to the mode described in Section 3.1.  In this
   mode, HOST_ID_BOUCADAIR is sent in SYN packets.

     +------------+          +------------+          +------------+
     | TCP CLIENT |          |    CGN     |          | TCP SERVER |
     +------------+          +------------+          +------------+
           |                       |                       |
           |---TCP SYN------------>|                       |
           |                       |--TCP SYN, HOST_ID=2001:db8::/5482->|
           |                       |                       |

                  Figure 5: HOST_ID_BOUCADAIR: SYN Mode

3.2.2.  ACK Mode

   The ACK Mode is as follows (see Figure 6):
   o  Send HOST_ID_ENABLED (Figure 4) in the SYN
   o  If the remote TCP server supports that option, it must return it
      in the SYN/ACK
   o  Then the TCP client sends an ACK in which the CGN injects
      HOST_ID_BOUCADAIR (Figure 3)

     +------------+          +------------+          +------------+
     | TCP CLIENT |          |    CGN     |          | TCP SERVER |
     +------------+          +------------+          +------------+
           |                       |                       |
           |---TCP SYN------------>|                       |
           |                       |--TCP SYN, HOSTID_ENABLED=OK-->|
           |                       |<-TCP SYNACK,HOSTID_ENABLED=OK-|
           |<--TCP SYNACK----------|                       |
           |---TCP ACK------------>|                       |
           |                       |--TCP ACK, HOST_ID=2001:db8::->|
           |                       |                       |

                  Figure 6: HOST_ID_BOUCADAIR: ACK Mode

4.  Overview of the Linux Kernel Modifications

   The objective of this phase is to support HOST_ID_WING,
   HOST_ID_BOUCADAIR and HOST_ID_ENABLED in the SYN mode.

   In order to support the injection of the HOST_ID TCP options
   presented in Section 3, some modifications were applied to the Linux
   kernel (more precisely to the TCP stack part of the kernel).  The
   header file tcp.h, where the TCP variables and functions are defined,
   is updated to define the new HOST_ID options' Kinds (option numbers)
   and Lengths.

   Major modifications have been made in the "tcp_output.c" file.  This
   file is responsible for building and transmitting all TCP packets.
   For each HOST_ID TCP option, the required modifications to increase
   the header size and to inject the Kind, Length and the corresponding
   HOST_ID data are implemented for TCP SYN packets.

   As there are three different HOST_ID options, and as
   HOST_ID_BOUCADAIR can convey different information, the configuration
   of the HOST_ID options has to be simple, with minimal complexity.
   Since the manipulation of HOST_ID options impacts the kernel TCP
   drivers, a suitable solution is to define new sysctl variables
   (system control variables), which allow kernel parameters to be
   modified at runtime, without having to reboot the machine for a new
   configuration to be taken into account.

   Once the modifications have been made, the kernel must be recompiled
   so that the new TCP options are taken into account.

   Kernel modifications and recompilation have been done and tested
   successfully on Fedora and Debian Linux distributions, on different
   kernel versions.

   The following configuration options are supported:
   o  Enable/Disable injecting the TCP option
   o  Support HOST_ID_WING, HOST_ID_BOUCADAIR and HOST_ID_ENABLED
   o  When the HOST_ID TCP option is supported, the information to be
      injected is configurable:
      *  Source IPv6 address or the first 56 bits of the address
      *  Source IPv4 address
      *  Source port number
      *  Source IPv4 address and source port
      *  IPv6 address or the first 56 bits of the B4 when DS-Lite is
         activated

5.  Testbed Setup & Configuration

   Three testbed configurations have been considered:
   1.  The HOST_ID TCP option is injected by the host itself.  No CGN is
       present in the forwarding path (Figure 7).
   2.  The HOST_ID TCP option is injected by hosts deployed behind an
       HTTP proxy.  No CGN is present in the forwarding path (Figure 8).
   3.  The HOST_ID TCP option is injected by the DS-Lite AFTR element
       (Figure 9).
   +-----------+
   | HOST_1    |----+
   | NO-Option |    |
   +-----------+    |    +--------------------+        +------------+
                    |    |                    |--------| server 1   |
   +-----------+    |    |                    |        +------------+
   | HOST_2    |----|----|      INTERNET      |             :::
   | (HOST_ID) |    |    |                    |        +------------+
   +-----------+    |    |                    |--------| server n   |
                    |    +--------------------+        +------------+
   +-----------+    |
   | Local     |----+
   | Server    |
   +-----------+

              Figure 7: Testbed setup: No Proxy and no CGN

   +-----------+
   | HOST_1    |-------------+
   | NO-Option |             |
   +-----------+             |   +--------------------+      +------------+
                             |   |                    |------| server 1   |
   +-----------+  +-----+    |   |                    |      +------------+
   | HOST_2    |--|PROXY|----|---|      INTERNET      |           ::
   | (HOST_ID) |  +-----+    |   |                    |      +------------+
   +-----------+             |   |                    |------| server n   |
                             |   +--------------------+      +------------+
   +-----------+             |
   | Local     |-------------+
   | Server    |
   +-----------+

                   Figure 8: Testbed setup: HTTP Proxy

                      +----...----+
   +----+             |           |    +----------+      +----------+
   |HOST|---|  +----+ |  +------+ |    |          |------| server 1 |
   +----+   |--| B4 |-|--| AFTR |-|----| INTERNET |      +----------+
            |  +----+ |  +------+ |    |          |           ::
                      |           |    |          |      +----------+
                      +----...----+    |          |------| server n |
                                       +----------+      +----------+

                   Figure 9: DS-Lite CGN Environment

   Figure 7 and Figure 8 are used to assess the behavior of the top
   100,000 sites when a HOST_ID option is enabled and to evaluate the
   impact of the option on both the session establishment delay and the
   success ratio.

   On the other hand, the configuration shown in Figure 9 is used to
   evaluate the impact on the CGN performance when the HOST_ID TCP
   option is injected by the CGN.

5.1.  Automated TCP Traffic Generator

   A Python robot has been used as the traffic generator.  The robot
   automates the retrieval of HTTP pages identified by URLs, and returns
   different connection information.  The retrieval of pages is based
   upon Pycurl, a Python interface to libcurl.
   Libcurl is a URL transfer library that supports different protocols
   (e.g., HTTP, FTP).

   The robot consists of two programs:

   1.  The first one takes a URL as an input parameter, performs the DNS
       lookup and then tries to connect to the corresponding machine.
       It returns either different time values and the connection
       status, or an error message with the source of the error in case
       of connection failure (e.g., DNS error).  The TCP connection
       establishment time is calculated as the difference between
       CONNECT_TIME and NAMELOOKUP_TIME, where:
       *  NAMELOOKUP_TIME is the time it took from the start until the
          name resolution was completed.
       *  CONNECT_TIME is the time it took from the start until the
          connection to the remote host (or proxy) was completed.
   2.  The second program aims to increase the efficiency and speed of
       the testing by using multiple threads.  It takes the number of
       threads and an input file listing URLs as parameters.  This
       program prints the URLs to an output file with the corresponding
       connection time.  If something went wrong so that the connection
       failed, the program returns an error message with the
       corresponding error type.

5.2.  Testing Methodology and Procedure

   The testing is done using two machines, one that supports the HOST_ID
   TCP options and one that does not.  The second machine is used as a
   reference for the measurements.  Testing is performed in parallel on
   the two machines, which are directly connected to the Internet.  For
   each HOST_ID TCP option, the test is repeated many times.  The cycle
   is repeated on different days.  Results are then grouped into tables
   where averages are calculated.  The comparison between the results
   for the different HOST_ID options is made by using the no-option
   testing results as a reference.
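   The two-program robot of Section 5.1 and the reference-versus-HOST_ID
   comparison of Section 5.2, as an added example that is not the authors'
   Pycurl robot: a standard-library probe that records NAMELOOKUP_TIME and
   CONNECT_TIME, derives the establishment delay as their difference,
   classifies failures by error type, runs a URL list on a thread pool and
   summarizes the success ratio.  The loopback listener and the URLs it
   uses are constructed here for offline self-testing.

```python
"""Connection-time probe in the spirit of the robot of Section 5.1.

Added example, not the authors' Pycurl robot: it uses only the Python
standard library but reports the same quantities (NAMELOOKUP_TIME,
CONNECT_TIME and their difference as the TCP establishment time) or the
error class that a failed URL is tallied under."""
import concurrent.futures
import socket
import time
from urllib.parse import urlsplit


def probe(url, timeout=5.0):
    """Resolve the URL's host, open a TCP connection to it and time both.

    On success "status" is "ok" and the three times are seconds since the
    start of the probe; on failure "status" names the error class
    (dns_error, connection_timeout, connection_refused, connection_reset
    or connect_error) and the unmeasured times stay None."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    result = {"url": url, "status": "ok", "namelookup": None,
              "connect": None, "tcp_establish": None}
    start = time.monotonic()
    try:
        addrs = socket.getaddrinfo(parts.hostname, port,
                                   type=socket.SOCK_STREAM)
    except socket.gaierror:
        result["status"] = "dns_error"
        return result
    result["namelookup"] = time.monotonic() - start
    family, socktype, proto, _, sockaddr = addrs[0]
    try:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            sock.connect(sockaddr)          # completes the 3-way handshake
    except socket.timeout:
        result["status"] = "connection_timeout"
    except ConnectionRefusedError:
        result["status"] = "connection_refused"
    except ConnectionResetError:
        result["status"] = "connection_reset"
    except OSError:
        result["status"] = "connect_error"
    else:
        result["connect"] = time.monotonic() - start
        # CONNECT_TIME - NAMELOOKUP_TIME: the draft's establishment delay
        result["tcp_establish"] = result["connect"] - result["namelookup"]
    return result


def probe_many(urls, threads=8, timeout=5.0):
    """The multi-threaded second program: probe a URL list with a thread
    pool and keep the input order, so the output of the HOST_ID machine
    and of the reference machine line up row by row."""
    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as pool:
        return list(pool.map(lambda u: probe(u, timeout), urls))


def summarize(results):
    """Success ratio and average establishment delay, the two figures the
    result tables of Section 6 report per block of sites."""
    ok = [r for r in results if r["status"] == "ok"]
    avg = sum(r["tcp_establish"] for r in ok) / len(ok) if ok else None
    ratio = 100.0 * len(ok) / len(results) if results else 0.0
    return {"total": len(results), "success": len(ok),
            "success_ratio": ratio, "avg_tcp_establish": avg}


def local_test_server():
    """Constructed loopback listener so the probe can run offline; returns
    the listening socket and a URL pointing at it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, "http://127.0.0.1:%d/" % srv.getsockname()[1]


if __name__ == "__main__":
    srv, url = local_test_server()
    for row in probe_many([url, "http://127.0.0.1:1/"]):
        print(row)
    srv.close()
```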
   Testing was also performed behind a proxy (Figure 8) to evaluate the
   impact of embedding the HOST_ID TCP options on the connection
   establishment time when a proxy is in the path.  When a proxy is
   present, the connection delay is affected (the delay is calculated
   for the connection between the host and the proxy).

   Tests have been conducted from hosts:
   1.  Connected to an enterprise network
   2.  In a lab behind a firewall
   3.  Connected to two (2) commercial ISP networks

5.3.  Check HOST_ID TCP Options are Correctly Injected

   To check whether the HOST_ID TCP options are correctly injected, the
   local server in Figure 7 is configured to be reachable from the
   Internet.  Packets conveying the HOST_ID TCP options are sent from a
   host supporting the options.  These packets are received unaltered by
   the local server.

   This configuration confirms that the packets sent to remote servers
   convey the HOST_ID TCP options.

5.4.  Top Site List

   The Alexa top sites list has been used to conduct the HTTP tests.

   The anonymous FTP sites list from ftp-sites.org has been used to
   conduct the FTP tests.

6.  Experimentation Results

   Various combinations of the HOST_ID TCP options have been tested:
   1.  HOST_ID_WING
   2.  HOST_ID_WING has also been adapted to include 32-bit and 64-bit
       values.  No particular impact on session establishment has been
       observed.
   3.  HOST_ID_BOUCADAIR (source port)
   4.  HOST_ID_BOUCADAIR (IPv4 address)
   5.  HOST_ID_BOUCADAIR (source port:IPv4 address)
   6.  HOST_ID_BOUCADAIR (IPv6 Prefix)
   7.  HOST_ID_ENABLED

   Both the success ratio and the average time to establish the TCP
   session are reported below.

6.1.  HTTP Experimentation Results

   Tests have been conducted from hosts:

   1.  Connected to an enterprise network
   2.  Connected to two commercial ISP networks
   3.  In a lab behind a firewall

6.1.1.  Configuration 1: Connected to an enterprise network

   The results show that the success ratio for establishing TCP
   connections with legacy servers is almost the same for all the
   HOST_ID options, as shown in Figure 10, Figure 11 and Figure 12.

6.1.1.1.  Results

              +--------------+--------------+--------------+
              |  NO-OPTION   |    O-WING    | Failure Ratio|
   -----------+--------------+--------------+--------------+
   Top10      |  100,00000%  |  100,00000%  |   0,00000%   |
   Top100     |  100,00000%  |  100,00000%  |   0,00000%   |
   Top200     |  100,00000%  |  100,00000%  |   0,00000%   |
   Top300     |   99,66667%  |   99,66667%  |   0,00000%   |
   Top400     |   99,50000%  |   99,50000%  |   0,00000%   |
   Top500     |   99,40000%  |   99,40000%  |   0,00000%   |
   Top600     |   99,50000%  |   99,50000%  |   0,00000%   |
   Top700     |   99,57143%  |   99,57143%  |   0,00000%   |
   Top800     |   99,50000%  |   99,50000%  |   0,00000%   |
   Top900     |   99,44444%  |   99,44444%  |   0,00000%   |
   Top1000    |   99,50000%  |   99,50000%  |   0,00000%   |
   Top2000    |   99,35000%  |   99,30000%  |   0,05000%   |
   Top3000    |   99,10000%  |   99,06667%  |   0,03333%   |
   Top4000    |   99,10000%  |   99,05000%  |   0,05000%   |
   Top5000    |   99,14000%  |   99,10000%  |   0,04000%   |
   Top6000    |   99,21667%  |   99,18333%  |   0,03333%   |
   Top7000    |   99,25714%  |   99,21429%  |   0,04286%   |
   Top8000    |   99,15000%  |   99,10000%  |   0,05000%   |
   Top9000    |   99,16667%  |   99,12222%  |   0,04444%   |
   Top10000   |   99,16000%  |   99,12000%  |   0,04000%   |
   Top20000   |   98,50500%  |   98,44000%  |   0,06500%   |
   Top30000   |   98,21667%  |   98,11667%  |   0,10000%   |
   Top40000   |   98,10750%  |   98,00750%  |   0,10000%   |
   Top50000   |   98,00000%  |   97,89800%  |   0,10200%   |
   Top60000   |   97,95167%  |   97,85000%  |   0,10167%   |
   Top70000   |   97,88857%  |   97,78857%  |   0,10000%   |
   Top80000   |   97,84500%  |   97,74875%  |   0,09625%   |
   Top90000   |   97,79444%  |   97,69889%  |   0,09556%   |
   Top100000  |   97,75100%  |   97,64800%  |   0,10300%   |
   -----------+--------------+--------------+--------------+

           Figure 10: Cumulated Success ratio (HOST_ID_WING)
                +-----------+-----------+--------------+
                | NO-OPTION |  O-WING   | Failure Ratio|
   -------------+-----------+-----------+--------------+
   1-100        |  100,00%  |  100,00%  |    0,00%     |
   101-200      |  100,00%  |  100,00%  |    0,00%     |
   201-300      |   99,00%  |   99,00%  |    0,00%     |
   301-400      |   99,00%  |   99,00%  |    0,00%     |
   401-500      |   99,00%  |   99,00%  |    0,00%     |
   501-600      |  100,00%  |  100,00%  |    0,00%     |
   601-700      |  100,00%  |  100,00%  |    0,00%     |
   701-800      |   99,00%  |   99,00%  |    0,00%     |
   801-900      |   99,00%  |   99,00%  |    0,00%     |
   901-1000     |  100,00%  |  100,00%  |    0,00%     |
   1-1000       |   99,50%  |   99,50%  |    0,00%     |
   1001-2000    |   99,20%  |   99,10%  |    0,10%     |
   2001-3000    |   98,60%  |   98,60%  |    0,00%     |
   3001-4000    |   99,10%  |   99,00%  |    0,10%     |
   4001-5000    |   99,30%  |   99,30%  |    0,00%     |
   5001-6000    |   99,60%  |   99,60%  |    0,00%     |
   6001-7000    |   99,50%  |   99,40%  |    0,10%     |
   7001-8000    |   98,40%  |   98,30%  |    0,10%     |
   8001-9000    |   99,30%  |   99,30%  |    0,00%     |
   9001-10000   |   99,10%  |   99,10%  |    0,00%     |
   10001-20000  |   97,85%  |   97,76%  |    0,90%     |
   20001-30000  |   97,64%  |   97,47%  |    1,70%     |
   30001-40000  |   97,78%  |   97,68%  |    1,00%     |
   40001-50000  |   97,57%  |   97,46%  |    1,10%     |
   50001-60000  |   97,71%  |   97,61%  |    1,00%     |
   60001-70000  |   97,61%  |   97,52%  |    0,90%     |
   70001-80000  |   97,44%  |   97,37%  |    0,70%     |
   80001-90000  |   97,39%  |   97,30%  |    0,90%     |
   90001-100000 |   97,36%  |   97,19%  |    1,70%     |
   -------------+-----------+-----------+--------------+

            Figure 11: TopX000 Success Ratio (HOST_ID_WING)

                +-----------+-----------+--------------+
                | NO-OPTION |O-BOUCADAIR| Failure Ratio|
   -------------+-----------+-----------+--------------+
   1-100        |  100,00%  |  100,00%  |    0,00%     |
   101-200      |  100,00%  |  100,00%  |    0,00%     |
   201-300      |   99,00%  |   99,00%  |    0,00%     |
   301-400      |   99,00%  |   99,00%  |    0,00%     |
   401-500      |   99,00%  |   99,00%  |    0,00%     |
   501-600      |  100,00%  |  100,00%  |    0,00%     |
   601-700      |  100,00%  |  100,00%  |    0,00%     |
   701-800      |   99,00%  |   99,00%  |    0,00%     |
   801-900      |   99,00%  |   99,00%  |    0,00%     |
   901-1000     |  100,00%  |  100,00%  |    0,00%     |
   0-1000       |   99,50%  |   99,50%  |    0,00%     |
   1001-2000    |   99,20%  |   99,10%  |    0,10%     |
   2001-3000    |   98,60%  |   98,60%  |    0,00%     |
   3001-4000    |   99,30%  |   99,30%  |    0,00%     |
   5001-6000    |   99,60%  |   99,60%  |    0,00%     |
   6001-7000    |   99,50%  |   99,40%  |    0,10%     |
   7001-8000    |   98,40%  |   98,30%  |    0,10%     |
   8001-9000    |   99,30%  |   99,20%  |    0,10%     |
   9001-10000   |   99,10%  |   99,10%  |    0,00%     |
   10001-20000  |   97,85%  |   97,76%  |    0,90%     |
   20001-30000  |   97,64%  |   97,46%  |    1,80%     |
   30001-40000  |   97,78%  |   97,66%  |    1,20%     |
   40001-50000  |   97,57%  |   97,46%  |    1,10%     |
   50001-60000  |   97,71%  |   97,61%  |    1,00%     |
   60001-70000  |   97,61%  |   97,51%  |    1,00%     |
   70001-80000  |   97,44%  |   97,36%  |    0,80%     |
   80001-90000  |   97,39%  |   97,30%  |    0,90%     |
   90001-100000 |   97,36%  |   97,19%  |    1,70%     |
   -------------+-----------+-----------+--------------+

          Figure 12: TopX000 Success Ratio (HOST_ID_BOUCADAIR)

6.1.1.2.  Analysis

   o  For the top 100,000 sites, connection failures occur for 2249 HTTP
      sites.  These failures were reported as being caused by DNS issues
      (servers not mounted), connection timeouts (servers down...),
      connection resets by peers, connection problems and empty replies
      from servers.  The 2249 failures occur whether HOST_ID options are
      injected or not.
   o  When any HOST_ID TCP option is conveyed, 103 servers did not
      respond; however, when no option is injected, all these servers
      responded normally.
   o  The same results were obtained for HOST_ID_WING and
      HOST_ID_ENABLED.
   o  The same results were obtained for all the HOST_ID_BOUCADAIR
      options (source port, IPv6 prefix, etc.).

   When HOST_ID_BOUCADAIR is enabled, six (6) additional servers did not
   respond:
   o  Three (3) servers (www.teufel.de, www.1001fonts.com,
      www.sigur-ros.co.uk) did not respond to the SYN packets sent by
      the host.
   o  Three (3) servers (www.lawyers.com, www.lexis.com, www.nexis.com)
      responded with "strange" SYN/ACK packets of the same TCP options
      length, which included a part of the HOST_ID option that had been
      sent.  This fragment of the HOST_ID option made the SYN/ACK
      received by the host erroneous: the second byte of the fragment is
      taken as its Length, and that value does not match the real length
      of the fragment.  So the machine does not respond to the server
      with an ACK packet, which is why there is no response for these
      servers.

   When HOST_ID_WING or HOST_ID_ENABLED is enabled, strange SYN/ACKs
   were also received by the host, but with no errors in these packets
   (a long series of NOP options).  This explains the connection success
   for these 2 options.

   The results show that including a HOST_ID TCP option does not
   systematically imply an extra delay for the establishment of the TCP
   session.  Based on the average session establishment time with the
   top 100 000 sites, the following results have been obtained:
   o  delay(HOST_ID_WING) < delay(NO_OPTION): 42,55 %
   o  delay(HOST_ID_BOUCADAIR) < delay(NO_OPTION): 48,16 %
   o  delay(HOST_ID_ENABLED) < delay(NO_OPTION): 51,28 %

6.1.2.  Configuration 2: In a lab behind a firewall

   When an HTTP proxy is in the path, the injection of the HOST_ID TCP
   option does not impact the success ratio.  This is because the HTTP
   proxy strips the HOST_ID TCP options; these options are not leaked to
   remote Internet servers.  The testing has been done by observing the
   packets received by a server installed with a public IP address (no
   HOST_ID options were seen in the received SYN packets).

6.1.3.  Configuration 3: Connected to two commercial ISP networks

   The results obtained when testing was performed by connecting to two
   ISP networks confirmed the results obtained in the testing described
   in Section 6.1.1.

6.1.4.  Additional Results

   In one of our tests for the top 1000 sites, when padding was badly
   implemented for HOST_ID_BOUCADAIR (padding was implemented as a
   prefix, so the option's Length did not correspond to the real length
   because the padding was not counted), we got, for configuration (1)
   in the lab and for one of the ISPs, the following results:

           +-------------+-------------+--------------+
           |  No-Option  | O-BOUCADAIR | Failure Ratio|
   --------+-------------+-------------+--------------+
   Top10   |  100,00000% |  100,00000% |   0,00000%   |
   Top100  |  100,00000% |  100,00000% |   0,00000%   |
   Top200  |  100,00000% |  100,00000% |   0,00000%   |
   Top300  |  100,00000% |   99,66667% |   0,33333%   |
   Top400  |   99,75000% |   99,00000% |   0,75000%   |
   Top500  |   99,80000% |   99,00000% |   0,80000%   |
   Top600  |   99,83333% |   98,66667% |   1,16667%   |
   Top700  |   99,85714% |   98,14286% |   1,71429%   |
   Top800  |   99,75000% |   98,00000% |   1,75000%   |
   Top900  |   99,66667% |   97,33333% |   2,33333%   |
   Top1000 |   99,70000% |   97,10000% |   2,60000%   |
   --------+-------------+-------------+--------------+

      Cumulated Success ratio (HOST_ID_BOUCADAIR with wrong padding)

   The results for HOST_ID_WING for all three configurations are the
   same as in Section 6 (this option was correctly coded).  The results
   obtained for HOST_ID_BOUCADAIR are not the same.

   For configuration (2) behind a firewall, we did not face any
   rejection because of the parsing of the TCP options (the HOST_ID
   options were removed from the packet).

6.1.5.  Analysis

   Configuration (1) in the lab and one of the two CPEs lead to these
   results because 2.6% of these 1000 servers perform parsing validation
   of the received options, so when the bad HOST_ID_BOUCADAIR option is
   sent, 2.6% of the servers treat the received SYN packets as erroneous
   packets and discard them.

   For the connection behind the second ISP, we didn't get a response
   from any of the servers.
   After investigation, the reason was that the box validates the
   received packets before sending them to the Internet.  The erroneous
   SYN packets holding badly encoded options (HOST_ID_BOUCADAIR in this
   case) were dropped and no connection was established.  On the other
   hand, the other box did not validate the option lengths of received
   packets before sending them to the Internet.

6.2.  FTP

   Various combinations of the HOST_ID TCP options have been tested:

   1.  HOST_ID_WING
   2.  HOST_ID_BOUCADAIR (source port)
   3.  HOST_ID_BOUCADAIR (source port:IPv4 address)

   A list of 5591 FTP servers has been used to conduct these tests.
   Among this list, only 2045 were reachable:
   o  Failure to reach 942 FTP servers due to connection timeout
   o  Failure to reach 1286 FTP servers due to DNS errors
   o  Failure to reach 717 FTP servers because access was denied
   o  Could not connect to 500 FTP servers
   o  Response reading failed for 81 servers
   o  Bad response from server for 20 servers

   When HOST_ID TCP options are injected, 9 errors are observed
   (connection timeout).

   Figure 13 and Figure 14 provide more data about the error
   distribution.
             +-----------+-----------+--------------+
             | NOB       | HOST_ID   | Failure Ratio|
   ----------+-----------+-----------+--------------+
   1-100     | 100%      | 100%      | 0,000%       |
   101-200   | 100%      | 99%       | 1,000%       |
   201-300   | 100%      | 99%       | 1,000%       |
   301-400   | 100%      | 100%      | 0,000%       |
   401-500   | 100%      | 100%      | 0,000%       |
   501-600   | 100%      | 100%      | 0,000%       |
   601-700   | 100%      | 100%      | 0,000%       |
   701-800   | 100%      | 100%      | 0,000%       |
   801-900   | 100%      | 99%       | 1,000%       |
   901-1000  | 100%      | 99%       | 1,000%       |
   1001-2000 | 100%      | 99,5%     | 0,500%       |
   2000-2045 | 100%      | 100%      | 0,000%       |
   ----------+-----------+-----------+--------------+

               Figure 13: Cumulated Success Ratio (FTP)

              +-----------+-----------+--------------+
              | NOB       | HOST_ID   | Failure Ratio|
   -----------+-----------+-----------+--------------+
   first 10   | 100,000%  | 100,000%  | 0,000%       |
   first 100  | 100,000%  | 100,000%  | 0,000%       |
   first 200  | 100,000%  | 99,500%   | 0,500%       |
   first 300  | 100,000%  | 99,333%   | 0,667%       |
   first 400  | 100,000%  | 99,500%   | 0,500%       |
   first 500  | 100,000%  | 99,600%   | 0,400%       |
   first 600  | 100,000%  | 99,667%   | 0,333%       |
   first 700  | 100,000%  | 99,714%   | 0,286%       |
   first 800  | 100,000%  | 99,750%   | 0,250%       |
   first 900  | 100,000%  | 99,667%   | 0,333%       |
   first 1000 | 100,000%  | 99,600%   | 0,400%       |
   first 2000 | 100,000%  | 99,550%   | 0,450%       |
   first 2045 | 100,000%  | 99,560%   | 0,440%       |
   -----------+-----------+-----------+--------------+

                   Figure 14: FirstXXX FTP Servers

   The results show that including a HOST_ID TCP option does not
   systematically imply an extra delay for the establishment of the TCP
   session with remote FTP servers.
   Based upon the average session establishment delay measured with the
   2045 FTP sites, the following results have been obtained:

   o  delay(HOST_ID_WING) < delay(NO_OPTION): 49,36585 %
   o  delay(HOST_ID_BOUCADAIR (source port:IPv4 address)) <
      delay(NO_OPTION): 48,41076 %
   o  delay(HOST_ID_BOUCADAIR (source port)) < delay(NO_OPTION):
      48,43902 %

6.3.  SSH

   The secure shell service has been tested between a host and an SSH
   server connected to the same network.

   SSH connections have been successfully established with the server
   for all the HOST_ID TCP options.  The same results were obtained
   using configuration (1) and configuration (2).

6.4.  Telnet

   Telnet sessions have been successfully initiated for all HOST_ID TCP
   options with a server (the CGN used in Figure 9).

7.  AFTR Module Modifications

   This section highlights the support of the HOST_ID functionalities
   in the AFTR element of the DS-Lite model (Figure 9) and presents the
   testing results, in order to conclude about the impact of the
   HOST_ID TCP options on the performance of the CGN.

   We used the ISC AFTR implementation.

7.1.  Specification

   All privately-addressed IPv4 packets sent from DS-Lite serviced hosts
   go through an AFTR device where an isc_aftr daemon program is
   responsible for establishing the tunnel, configuring the network
   interfaces and processing the received packets.

   The aftr.c source code controls all the functionalities to be
   included in or applied to packets received by the CGN, e.g.,
   patching TCP MSS values, fixing the MTU, etc.

   In order to activate/deactivate such functionalities, the
   corresponding parameters can be set in a specific configuration file
   called "aftr.conf".  Other parameters are configured in this file,
   e.g., the IPv6 addresses assigned to the tunnel endpoint and the
   global IPv4 address pool maintained by the CGN.
   To support the injection of HOST_ID TCP options, "aftr.c" must be
   updated to inject, retrieve or verify the HOST_ID options depending
   on the HOST_ID parameters defined in the "aftr.conf" file.  Four
   HOST_ID parameters are defined in the configuration file:

   1.  hostid: to enable the injection, retrieval, matching... of
       HOST_ID options
   2.  hostid_wing: to enable injection/verification of HOST_ID_WING -
       to disable injection or to remove HOST_ID_WING
   3.  hostid_boucadair: to enable injection/verification of
       HOST_ID_BOUCADAIR - to disable injection or to remove
       HOST_ID_BOUCADAIR
   4.  hostid_enabled: to enable or disable HOST_ID_ENABLED injection

   hostid, hostid_wing and hostid_enabled can simply be enabled or
   disabled.  hostid_boucadair can be disabled, or enabled with the
   corresponding Origin, as the HOST_ID data can be:

   o  Source Port Number
   o  Source IPv4 Address
   o  Source IPv4 Address + Source Port Number
   o  56 bits of the Tunnel Softwire IPv6 Source Address.

   Based on the different HOST_ID parameters, the "aftr.c" code has
   been modified to control the HOST_ID options; the AFTR is able to:

   o  Inject the enabled HOST_ID TCP option if it is not already present
      in the packet
   o  Retrieve an existing HOST_ID TCP option if this option is not
      enabled
   o  Check the content of an existing HOST_ID option if it is enabled;
      if the content verification fails, the AFTR replaces the HOST_ID
      contents with the suitable information

   The implementation takes into consideration the SYN mode for all the
   HOST_ID options (even for HOST_ID_ENABLED).  The support of
   HOST_ID_BOUCADAIR in the ACK mode needs an implementation on the
   server's side; since both the Enabled and Boucadair's options have
   been tested and no impact was observed, the ACK mode should not
   imply any complication in the implementation or any impact on the
   performance.
7.2.  Verification

   The verification of the HOST_ID implementation in the CGN has taken
   place using the testbed setup shown in Figure 9.  The host used in
   this testing is a modified Linux machine that can inject HOST_ID
   options.  The objective of the testing is to verify the different
   functionalities implemented in the AFTR.  Verification has occurred
   using a local server where all the received packets were observed to
   make sure that the content of the HOST_ID fields is consistent with
   the enabled option.

   The testing consists in observing the SYN packets (as the SYN mode
   is supported) sent by the host and in comparing these packets to
   those received by the server.  Different combinations of HOST_ID
   options sent by the host and HOST_ID options configured at the CGN
   level have been used.

   The results show that when the host sends packets without any
   HOST_ID option injected, the SYN packets received by the server
   contain the correct option enabled by the CGN (if any).  When the
   host injects HOST_ID_WING or HOST_ID_BOUCADAIR and the hostid
   parameter in aftr.conf is enabled, the HOST_ID option enabled in
   "aftr.conf" is injected if not already present, or else its content
   is verified and corrected (if wrong); the other, disabled option is
   discarded if the host has already sent it.

   One additional case has been tested: when both Wing's and
   Boucadair's HOST_ID options are sent by the host, the contents of
   the enabled option are checked and corrected (if wrong), and the
   other option is retrieved from the packet.  The two options are
   dropped from the packet if they are both disabled.

   The testing has been repeated for all the HOST_ID options sent by
   the host and enabled by the CGN.  Verification also occurred for the
   HOST_ID_ENABLED option.

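   The option-length check that made the validating CPE and the 2.6% of
   servers in Section 6.1.5 discard the badly padded SYNs, together
   with the inject/verify/retrieve behaviour of the AFTR described in
   Sections 7.1 and 7.2, as an added C example (not the authors' aftr.c
   or kernel code).  The HOST_ID Kind numbers, the content of the
   Lifetime+Origin byte and the sample option bytes are assumptions
   constructed for the example; only the option sizes (4 and 10 bytes)
   come from the draft.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TCPOPT_EOL       0
#define TCPOPT_NOP       1
#define TCPOPT_MAXLEN    40   /* a TCP header carries at most 40 option bytes */
#define KIND_HOSTID_WING 30   /* placeholder Kinds, assumed for this example */
#define KIND_HOSTID_BOUC 31
#define LEN_HOSTID_WING  4    /* Kind, Length, 2 data bytes (Section 8.3) */
#define LEN_HOSTID_BOUC  10   /* Kind, Length, Lifetime+Origin, 7 data bytes (8.1) */

/* The check a validating server or CPE applies (Section 6.1.5): each option
 * other than NOP/EOL needs Length >= 2 and must fit in the block. */
int tcp_opts_valid(const uint8_t *o, size_t len)
{
    for (size_t i = 0; i < len; ) {
        if (o[i] == TCPOPT_EOL) return 1;
        if (o[i] == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= len || o[i + 1] < 2 || i + o[i + 1] > len) return 0;
        i += o[i + 1];
    }
    return 1;
}

/* Offset of the first option of `kind`, or -1 (block must be valid). */
long tcp_opt_find(const uint8_t *o, size_t len, uint8_t kind)
{
    for (size_t i = 0; i < len && o[i] != TCPOPT_EOL; ) {
        if (o[i] == TCPOPT_NOP) { i++; continue; }
        if (o[i] == kind) return (long)i;
        i += o[i + 1];
    }
    return -1;
}

enum { HOSTID_DROP = -1, HOSTID_UNCHANGED, HOSTID_INJECTED, HOSTID_CORRECTED };

/* AFTR policy of Section 7.1 on one SYN: drop a malformed block; inject the
 * Kind `enabled` in aftr.conf if absent, else verify its content against
 * `data` (the CGN's view) and correct it; retrieve the disabled Kind by
 * overwriting it with NOPs (what TCPOPTSTRIP does in Section 8.3).  If the
 * 40-byte limit leaves no room, the packet is left as is (not in the draft). */
int aftr_hostid_policy(uint8_t *o, size_t *len, uint8_t enabled, const uint8_t *data)
{
    static const uint8_t kinds[2] = { KIND_HOSTID_WING, KIND_HOSTID_BOUC };
    static const uint8_t lens[2]  = { LEN_HOSTID_WING,  LEN_HOSTID_BOUC  };
    int result = HOSTID_UNCHANGED;
    if (!tcp_opts_valid(o, *len)) return HOSTID_DROP;
    for (int k = 0; k < 2; k++) {
        long off = tcp_opt_find(o, *len, kinds[k]);
        size_t dlen = lens[k] - 2;
        if (kinds[k] != enabled) {
            if (off >= 0) memset(o + off, TCPOPT_NOP, o[off + 1]);
        } else if (off < 0) {
            if (*len + lens[k] > TCPOPT_MAXLEN) continue;
            o[*len] = kinds[k]; o[*len + 1] = lens[k];
            memcpy(o + *len + 2, data, dlen); *len += lens[k];
            result = HOSTID_INJECTED;
        } else if (o[off + 1] != lens[k]) {
            return HOSTID_DROP;              /* HOST_ID option with a bogus Length */
        } else if (memcmp(o + off + 2, data, dlen) != 0) {
            memcpy(o + off + 2, data, dlen); result = HOSTID_CORRECTED;
        }
    }
    return result;
}

/* Constructed SYN option block: MSS, HOST_ID_BOUCADAIR with 8 content bytes
 * `b`, NOP padding.  bad_padding reproduces the bug of Section 6.1.4: two
 * padding bytes written in front of the content but not counted in Length. */
size_t build_syn_opts(uint8_t *o, const uint8_t *b, int bad_padding)
{
    size_t n = 0;
    o[n++] = 2; o[n++] = 4; o[n++] = 0x05; o[n++] = 0xB4;   /* MSS 1460 */
    o[n++] = KIND_HOSTID_BOUC; o[n++] = LEN_HOSTID_BOUC;
    if (bad_padding) { o[n++] = 0; o[n++] = 0; }
    memcpy(o + n, b, 8); n += 8;
    while (n % 4) o[n++] = TCPOPT_NOP;
    return n;
}

/* End-to-end case: the host sends the block above, the AFTR applies its policy.
 * Returns the policy result, or -2 when the block on the wire is not as
 * expected (enabled option present with `data`, the other one gone). */
int run_case(int bad_padding, uint8_t enabled, int host_sends_wrong_data)
{
    static const uint8_t bouc[8] = { 0x02, 0xC0,0xA8,0x00,0x2A, 0x1F,0x90, 0x00 }; /* constructed */
    static const uint8_t alt[8]  = { 0x02, 0xC0,0xA8,0x00,0x2B, 0x1F,0x90, 0x00 };
    const uint8_t *data = enabled == KIND_HOSTID_WING ? bouc + 3 : bouc; /* WING: low 16 bits of IPv4 */
    uint8_t o[TCPOPT_MAXLEN]; size_t n = build_syn_opts(o, host_sends_wrong_data ? alt : bouc, bad_padding);
    int r = aftr_hostid_policy(o, &n, enabled, data);
    if (r == HOSTID_DROP) return r;
    long off = tcp_opt_find(o, n, enabled);
    long other = tcp_opt_find(o, n, enabled == KIND_HOSTID_WING ? KIND_HOSTID_BOUC : KIND_HOSTID_WING);
    if (off < 0 || other >= 0 || memcmp(o + off + 2, data, o[off + 1] - 2) != 0) return -2;
    return r;
}
```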
7.3.  CGN Performance Testing

   To conclude about the impact of using HOST_ID, a commercial testing
   product has been used.  This tool supports multiple application
   protocols such as HTTP and FTP for both IPv4 and IPv6 (including
   encapsulation).  The DS-Lite model can be built directly from a port
   of this product: IPv4 packets are directly encapsulated in an IPv6
   tunnel; the client's port emulates hosts and B4 elements at the same
   time.  This port is directly connected to the AFTR tunnel endpoint.
   The AFTR's IPv4 interface is connected to the testing product's
   server side where servers are assigned IPv4 addresses.

   The testbed setup of this testing is shown in Figure 15:

   clients' port     +------------------+     servers' side
   +------------------+   Testing Tool   +------------------+
   |                  +------------------+                  |
   |                                                        |
   |                                                        |
   |IPv4-in-IPv6 tunnel                                     |
   |                                                        |
   |                                                        |
   |                  +------------------+                  |
   +------------------+       AFTR       +------------------+
                      +------------------+

                      Figure 15: Platform Testbed

7.3.1.  Configuration

   At the IP level, the testing client port was configured with IPv6
   addresses representing the B4.  The testing tool also supports the
   DS-Lite "level" where the number of clients connected to each B4 and
   their addresses are configured.  The AFTR address is defined at this
   level.

   In the current testing, the total number of B4 elements is 5000; one
   client is connected to each B4 (in total, 5000 clients are
   configured).  However, the number of active users varies from 10 to
   100, 500, 1000 and 10,000 during each testing simulation.

   From the server standpoint, five servers have been assigned IPv4
   addresses.  These servers support HTTP and FTP traffic.  For each
   HOST_ID TCP option, the testing was repeated for a different number
   of active users (N=10, 100, 500, 1000 and 10,000) and for HTTP and
   FTP traffic.

   The HOST_ID options are injected by the CGN.

7.3.2.  HTTP Testing

   The testing duration was about 50 seconds, during which the number of
   active users varies as a function of time: during the first 10s, the
   number of active users reaches the maximum and remains the same for
   the next 20s.  Then it decreases to zero during the next 20s.

   Hereafter are some testing statistics giving details about the
   connection success ratio, the latency and other information that can
   be useful to evaluate the impact of HOST_ID on the CGN.

                                +-------+-------+------------+---------+
                                |No-Opt |O-WING |O-BOUCADAIR3|O-ENABLED|
   -----------------------------+-------+-------+------------+---------+
   TCP connection established   | 1378  | 1267  | 1363       | 1369    |
   TCP SYN SENT                 | 1378  | 1267  | 1363       | 1369    |
   Success Ratio                | 100   | 100   | 100        | 100     |
   TCP Retries                  | 193   | 193   | 197        | 177     |
   TCP timeouts                 | 140   | 136   | 152        | 111     |
   HTTP connect' latencies t=20s| 0,11  | 0,21  | 0,20       | 0,1     |
                           t=40s| 0,40  | 0,50  | 0,50       | 0,45    |
                           t=60s| 0,60  | 0,60  | 0,50       | 0,6     |
   HTTP throughput received     | 46,47 | 45,31 | 45,88      | 46,12   |
   TCP Connections Established/s| 20,29 | 19,88 | 20,06      | 20,18   |
   -----------------------------+-------+-------+------------+---------+

                       Figure 16: Results HTTP (N=10)

                                +-------+-------+------------+---------+
                                |No-Opt |O-WING |O-BOUCADAIR3|O-ENABLED|
   -----------------------------+-------+-------+------------+---------+
   TCP connection established   | 1662  | 1739  | 1813       | 1679    |
   TCP SYN SENT                 | 1718  | 1770  | 1819       | 1729    |
   Success Ratio                | 96    | 98    | 99         | 97      |
   TCP Retries                  | 1577  | 1569  | 1783       | 1576    |
   TCP timeouts                 | 798   | 806   | 934        | 808     |
   HTTP connect' latencies t=20s| 1,70  | 2,00  | 1,90       | 1,80    |
                           t=30s| 3,30  | 2,40  | 2,25       | 3,30    |
                           t=40s| 4,20  | 3,70  | 3,75       | 4,00    |
                           t=50s| 5,00  | 4,80  | 4,50       | 5,00    |
   HTTP throughput received     | 47,56 | 46,65 | 48,59      | 48,06   |
   TCP Connections Established/s| 20,94 | 20,53 | 21,35      | 21,19   |
   -----------------------------+-------+-------+------------+---------+

                       Figure 17: Results HTTP (N=100)

                                +-------+-------+------------+---------+
                                |No-Opt |O-WING |O-BOUCADAIR3|O-ENABLED|
   -----------------------------+-------+-------+------------+---------+
   TCP connection established   | 1956  | 1923  | 1944       | 1873    |
   TCP SYN SENT                 | 2088  | 2095  | 2137       | 1986    |
   Success Ratio                | 93    | 91    | 90         | 94      |
   TCP Retries                  | 2734  | 2576  | 2453       | 2773    |
   TCP timeouts                 | 1261  | 1110  | 995        | 1213    |
   HTTP connect' latencies t=20s| 2,00  | 1,80  | 1,50       | 2,30    |
                           t=40s| 4,00  | 3,30  | 2,80       | 4,30    |
                           t=50s| 6,50  | 6,90  | 6,00       | 8,00    |
   HTTP throughput received     | 70,19 | 65,00 | 69,81      | 67,13   |
   TCP Connections Established/s| 30,69 | 28,41 | 30,50      | 29,38   |
   -----------------------------+-------+-------+------------+---------+

                      Figure 18: Results HTTP (N=1000)

                                +-------+-------+------------+---------+
                                |No-Opt |O-WING |O-BOUCADAIR4|O-ENABLED|
   -----------------------------+-------+-------+------------+---------+
   TCP connection established   | 1576  | 2000  | 1796       | 1998    |
   TCP SYN SENT                 | 2088  | 2304  | 2009       | 2262    |
   Success Ratio                | 87    | 86    | 89         | 88      |
   TCP Retries                  | 3018  | 3101  | 3013       | 3148    |
   TCP timeouts                 | 1167  | 1298  | 1213       | 1417    |
   HTTP connect' latencies t=20s| 2,20  | 3,00  | 2,20       | 2,50    |
                           t=40s| 3,70  | 3,00  | 3,30       | 3,00    |
                           t=60s| 7,80  | 5,00  | 7,00       | 5,60    |
                           t=70s| 9,60  | 6,00  | 8,70       | 7,00    |
   HTTP throughput received     | 45,00 | 54,52 | 51,45      | 57,20   |
   TCP Connections Established/s| 19,98 | 24,05 | 22,45      | 25,04   |
   -----------------------------+-------+-------+------------+---------+

                     Figure 19: Results HTTP (N=10000)

7.3.2.1.  Analysis of results

   The results clearly show that no HOST_ID option has an impact on the
   session establishment success ratio, which is quite similar to the
   success ratio observed when packets do not hold options or when
   HOST_ID options are not used.  Also, the number of established
   connections does not decrease when any HOST_ID option is injected,
   so the CGN performance is not impacted by the addition of the
   HOST_ID options.

   Another important factor to study is the latency that can be caused
   by HOST_ID injection.  As the results show, the HTTP connection
   latency does not increase when HOST_ID is present, if we compare the
   latency measured at different times for the different options.

   As a result, we clearly see that the average throughput measured at
   the servers is identical whether HOST_ID options are used or not
   (given that the number of established sessions is about the same).

   Another consequence is that the TCP connection establishment rate at
   the servers does not decrease when a HOST_ID option is taken into
   account.

7.3.2.2.  Conclusion

   The results that have been obtained show that the performance of the
   CGN is not impacted by HOST_ID option injection, even when the number
   of active users is high (10,000 is not negligible for a CGN run on
   an ordinary Linux machine): neither the session success ratio nor
   the connection latency are impacted by the presence of HOST_ID in
   SYN packets.

7.3.3.  FTP

   The same testing was also run for FTP traffic.  No particular impact
   on the performance of the CGN has been observed.

8.  IPTABLES: Modifications to Enforce Policies at the Server Side

8.1.  Overview

   The iptables module has been updated to:

   o  Log the content of the TCP header with HOST_ID
   o  Drop packets holding a HOST_ID option
   o  Match any HOST_ID value
   o  Drop packets holding a specific HOST_ID value
   o  Strip any existing HOST_ID option

   To support the above functionalities, the modifications must take
   into consideration the stripping and matching of options, as
   described below:

   1.  To strip the content of any existing HOST_ID option, the shared
       library "libxt_TCPOPTSTRIP.so" is modified: the HOST_ID_WING and
       HOST_ID_BOUCADAIR Kind numbers were defined in the corresponding
       source file (libxt_TCPOPTSTRIP.c) with the corresponding names,
       so that the iptables stripping rule can be enforced.  After
       applying these changes, the shared library must be rebuilt to
       replace the existing one and allow the stripping rule for the
       HOST_ID options to be applied.  Once the modifications are in
       place, the following command should be used to strip the HOST_ID
       options:

       iptables -t mangle -A INPUT -j TCPOPTSTRIP -p tcp --strip-options
       hostid_wing,hostid_boucadair

   2.  In order to allow blocking, logging or applying any rule based
       upon the HOST_ID_WING or HOST_ID_BOUCADAIR values or range of
       values, a HOST_ID shared library must be created to:

       *  Match the HOST_ID option values entered in the corresponding
          iptables rules,
       *  Print the HOST_ID rules on screen,
       *  Save values,
       *  Check that the values (or range of values) entered by the
          user respect the limit values of these options.

       In addition to the shared library, a specific kernel module must
       be built to apply the HOST_ID matching rules to the packets
       passing through the network interfaces.
       This module compares the HOST_ID option values held by packets
       with the HOST_ID values specified in the iptables rule table:
       when a packet matches the HOST_ID range, the corresponding rule
       is applied to this packet.

       The HOST_ID_WING matching value is 2 bytes long, corresponding to
       the HOST_ID_WING data.

       The HOST_ID_BOUCADAIR matching value is 8 bytes long,
       corresponding to the Lifetime + Origin field (1 byte) and the
       HOST_ID_WING data (7 bytes).

8.2.  Validation

   After having updated the iptables package with the suitable HOST_ID
   libraries and module, different HOST_ID policies should be applied
   and tested on the server side.  The testing has been done using the
   simple configuration shown below (Figure 20).

   +--------+     +--------+     +--------+     +--------------+
   |  HOST  |-----|   B4   |-----|  AFTR  |-----| local server |
   +--------+     +--------+     +--------+     +--------------+

       Figure 20: Platform configuration: HOST_ID enforcing policies

   In the current testing, the AFTR supports HOST_ID option injection
   and iptables is modified at the local server.  The logging
   recommendations consist of logging the IPv4 address and the HOST_ID
   option for each connection.  Because HOST_ID is sent only in SYN
   packets (in the current implementation), only SYN packets are logged,
   to a specific file called iptables.log: rsyslog.d must be updated
   with the corresponding directive to log iptables messages into that
   file.  Then rsyslog must be reloaded to apply the changes.

8.3.  Stripping HOST_ID Options

   To strip a certain HOST_ID option, the TCPOPTSTRIP rule must be
   called.
   Verification consists in logging and then checking the SYN packets,
   and more precisely the corresponding TCP options; e.g., the
   following rules must be applied to strip HOST_ID_WING:

   iptables -t mangle -A INPUT -j TCPOPTSTRIP -p tcp --strip-options
   hostid_wing
   iptables -A INPUT -j LOG --log-tcp-options -p tcp --syn

   The first rule applies to the mangle table; it strips HOST_ID_WING,
   i.e., the fields of Wing's option are removed and replaced by NOP
   options (NOP = No Operation = 0x01).  The second rule enables the
   logging of SYN packets with the corresponding TCP options.

   After applying these rules (to strip and log HOST_ID_WING) on the
   local server, we tried to access the server's HTTP pages from the
   host.  The test is repeated several times, and a different HOST_ID
   option is enabled by the AFTR each time.

   Then the "iptables.log" file is checked: only one SYN packet is
   logged, with 4 bytes stripped out of the TCP option part.  All IPv4
   packets going through the AFTR are also logged, to be compared with
   the stripped packets logged by the server.

   The comparison of the SYN packets logged by the server with the SYN
   packets sent by the AFTR clearly shows that the stripped option is
   HOST_ID_WING (all the header fields have been verified to ensure
   that the packets match): the 4 bytes corresponding to the
   HOST_ID_WING option are replaced with NOP options (each one of the 4
   bytes is equal to '1' = NOP).

   The same testing was repeated with HOST_ID_BOUCADAIR.  The testing
   shows that the 10 bytes corresponding to this option were
   successfully stripped.

8.4.  Logging a Specific HOST_ID Option Value

   The remote server should be able to track connections coming from
   different clients; it should log the packet headers including the
   HOST_ID TCP option information.
   This can be enforced using the following command:

   iptables -t mangle -A INPUT -j TCPOPTSTRIP -p tcp --strip-options
   hostid_wing

   Now, to log packets matching a certain HOST_ID value or range of
   values, the following rule must be applied:

   iptables -A INPUT -p tcp --syn -m hostid --hostid_wing value[:value]
   -j LOG --log-tcp-options

   This command matches the HOST_ID_WING values held by SYN packets
   against the specific value (or the specific range of values) given
   in the rule.

   The testing configuration in Figure 20 was used.  The HOST_ID_WING
   data are implemented as the last 16 bits of the private IPv4 source
   address.  When the HOST_ID_WING option is injected by the CGN, if
   the data field value corresponds to the iptables value (or range of
   values), the packet header is logged.  Otherwise, if the
   HOST_ID_WING data is out of range or the packet does not hold the
   HOST_ID_WING option, the packet is not logged.

   The same testing was repeated to match the HOST_ID_BOUCADAIR data:

   iptables -A INPUT -p tcp --syn -m hostid --hostid_boucadair value
   [:value] -j LOG --log-tcp-options

   To verify the logging of a specific Boucadair's value, the
   Boucadair's options holding the source IP address (Origin=2) or the
   IPv6 prefix (Origin=4) were tested successfully; these data values
   are fixed since they depend on the host's address.  The two other
   options, which include source port numbers (variable), cannot be
   tested by value because the port number varies for each connection.

   The iptables rules to log HOST_ID_BOUCADAIR range values have been
   verified successfully for all four HOST_ID_BOUCADAIR options.

8.5.  Dropping a specific HOST_ID Option Value

   The same testing methodology described in the previous section was
   repeated to drop packets matching a HOST_ID value (or a range of
   values); e.g.,
   to drop SYN packets matching a particular HOST_ID_WING value:

   iptables -A INPUT -p tcp --syn -m hostid --hostid_wing value[:value]
   -j DROP

   In this testing, the HOST_ID_WING option is enabled at the CGN
   level.  After applying the previous rule, where Wing's specified
   value corresponds to the HOST_ID_WING data value (last 16 bits of
   the host's IPv4 source address), the host tries to access HTTP pages
   of the local server.  It sends SYN packets but the server does not
   respond.  Because these packets match the iptables matching value,
   the corresponding rule is applied to the SYN packets: each SYN
   packet is dropped, so the host does not receive any packet in
   return.

   While the host is still trying to retrieve pages by sending SYN
   packets, the command 'iptables -F' flushes all iptables rules.  Once
   applied, this command lets the host retrieve the required pages, and
   the connection is therefore established successfully.

   The same testing was repeated for the HOST_ID_BOUCADAIR options.
   SYN packets matching the corresponding rule value or range of values
   were dropped.  Once the iptables rules are flushed, the connection
   is established normally.

9.  IANA Considerations

   This document makes no request of IANA.

10.  Security Considerations

   Security considerations discussed in [I-D.wing-nat-reveal-option]
   should be taken into account.

11.  Acknowledgments

   Many thanks to M. Meulle, P. Ng Tung and L. Valeyre for their help
   and review.  Special thanks to C. Jacquenet for his careful review.

12.  References

12.1.  Normative References

   [I-D.wing-nat-reveal-option]
              Yourtchenko, A. and D. Wing, "Revealing hosts sharing an
              IP address using TCP option",
              draft-wing-nat-reveal-option-03 (work in progress),
              December 2011.

   [RFC6250]  Thaler, D., "Evolution of the IP Model", RFC 6250,
              May 2011.

12.2.  Informative References

   [I-D.boucadair-intarea-nat-reveal-analysis]
              Boucadair, M., Touch, J., Levis, P., and R. Penno,
              "Analysis of Solution Candidates to Reveal a Host
              Identifier in Shared Address Deployments",
              draft-boucadair-intarea-nat-reveal-analysis-04 (work in
              progress), September 2011.

   [RFC6269]  Ford, M., Boucadair, M., Durand, A., Levis, P., and P.
              Roberts, "Issues with IP Address Sharing", RFC 6269,
              June 2011.

Authors' Addresses

   Elie Abdo
   France Telecom
   Issy-les-Moulineaux

   Email: elie.abdo@orange.com


   Mohamed Boucadair
   France Telecom

   Email: mohamed.boucadair@orange.com


   Jaqueline Queiroz
   France Telecom
   Issy-les-Moulineaux

   Email: jaqueline.queiroz@orange.com