Network Working Group                                            E. Abdo
Internet-Draft                                              M. Boucadair
Intended status: Informational                                J. Queiroz
Expires: May 3, 2012                                      France Telecom
                                                        October 31, 2011


     HOST_ID TCP Options: Implementation & Preliminary Test Results
               draft-abdo-hostid-tcpopt-implementation-01

Abstract

   This memo documents the implementation of the HOST_ID TCP Options.
   It also discusses the preliminary results of the tests that have been
   conducted to assess the technical feasibility of the approach as well
   as its scalability.  Several HOST_ID TCP options have been
   implemented and tested.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 3, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as



Abdo, et al.               Expires May 3, 2012                  [Page 1]


Internet-Draft      Report of NAT Reveal TCP Options        October 2011


   described in the Simplified BSD License.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Objectives . . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  NAT Reveal TCP Options: Overview . . . . . . . . . . . . . . .  3
     3.1.  HOST_ID_WING TCP Option  . . . . . . . . . . . . . . . . .  4
     3.2.  HOST_ID_BOUCADAIR TCP Option . . . . . . . . . . . . . . .  4
       3.2.1.  SYN Mode . . . . . . . . . . . . . . . . . . . . . . .  5
       3.2.2.  ACK Mode . . . . . . . . . . . . . . . . . . . . . . .  5
   4.  Overview of the Linux Kernel Modifications . . . . . . . . . .  6
   5.  Testbed Setup & Configuration  . . . . . . . . . . . . . . . .  7
     5.1.  Automated TCP Traffic Generator  . . . . . . . . . . . . .  8
     5.2.  Testing Methodology and Procedure  . . . . . . . . . . . .  9
     5.3.  Check HOST_ID TCP Options are Correctly Injected   . . . .  9
     5.4.  Top Site List  . . . . . . . . . . . . . . . . . . . . . . 10
   6.  Experimentation Results  . . . . . . . . . . . . . . . . . . . 10
     6.1.  HTTP Experimentation Results . . . . . . . . . . . . . . . 10
       6.1.1.  Proxy  . . . . . . . . . . . . . . . . . . . . . . . . 14
       6.1.2.  Anomalies  . . . . . . . . . . . . . . . . . . . . . . 14
       6.1.3.  CPEs Behaviour . . . . . . . . . . . . . . . . . . . . 16
     6.2.  FTP  . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
     6.3.  SSH  . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
     6.4.  Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . 18
   7.  Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . 18
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 18
   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 18
   10. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 18
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
     11.1. Normative References . . . . . . . . . . . . . . . . . . . 19
     11.2. Informative References . . . . . . . . . . . . . . . . . . 19
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19


1.  Introduction

   To ensure IPv4 service continuity, service providers will need to
   deploy IPv4 address sharing techniques.  Several issues are likely to
   be encountered (refer to [RFC6269] for a detailed survey of the
   issues), and they may affect the delivery of services that depend on
   the enforcement of policies based upon the source IPv4 address.

   Some of these issues may be mitigated owing to the activation of
   advanced features.  Among the solutions analyzed in
   [I-D.boucadair-intarea-nat-reveal-analysis], the use of a new TCP
   option to convey a HOST_ID seems to be a promising solution.

   This memo documents some implementation and experimentation efforts
   that have been conducted to assess the viability of using HOST_ID TCP
   options at large scale.  In particular, this document provides
   experimentation results related to the support of the HOST_ID TCP
   options and to the behavior of legacy TCP servers when receiving a
   HOST_ID TCP option.  This draft also discusses the impact of using a
   HOST_ID TCP option on the time it takes to establish a connection.


2.  Objectives

   The implementation of several HOST_ID TCP options is primarily meant
   to:

   o  Assess the validity of the HOST_ID TCP option approach
   o  Evaluate the impact on a TCP stack to support the HOST_ID TCP
      options
   o  Improve filtering and logging capabilities based upon the contents
      of the HOST_ID TCP option.  This means the enforcement of various
      policies based upon the content of the HOST_ID TCP option at the
      server side: Log, Deny, Accept, etc.
   o  Assess the behavior of legacy TCP servers when receiving a HOST_ID
      TCP option
   o  Assess the success ratio of TCP communications when a HOST_ID TCP
      option is received
   o  Assess the impact of injecting a HOST_ID TCP option on the time it
      takes to establish a connection
   o  Assess the performance impact on the CGN device that has been
      configured to inject the HOST_ID option


3.  NAT Reveal TCP Options: Overview

   The original idea of defining a TCP option is documented in
   [I-D.wing-nat-reveal-option] (denoted as HOST_ID_WING).

   An additional TCP option format to convey a HOST_ID has also been
   considered (denoted as HOST_ID_BOUCADAIR).  The main motivation is to
   also cover the load-balancer use case and to provide functionality as
   rich as the Forwarded-For HTTP header [I-D.petersson-forwarded-for].

   The following sub-sections provide an overview of these HOST_ID TCP
   options.

3.1.  HOST_ID_WING TCP Option

   HOST_ID_WING is defined in [I-D.wing-nat-reveal-option].  Figure 1
   shows the format of this option.

                +--------+--------+-----------------------+
                |Kind=TBD|Length=4|    USER_ID Data       |
                +--------+--------+-----------------------+

                Figure 1: Format of HOST_ID_WING TCP Option

   Figure 2 shows an example of using HOST_ID_WING TCP option.

    +------------+        +------------+                 +------------+
    | TCP CLIENT |        |     CGN    |                 | TCP SERVER |
    +------------+        +------------+                 +------------+
          |                     |                              |
          |---TCP SYN---------->|                              |
          |                     |---TCP SYN, HOST_ID=12345---->|
          |                     |                              |

              Figure 2: HOST_ID_WING TCP Option: Flow example

3.2.  HOST_ID_BOUCADAIR TCP Option

   As mentioned above, the HOST_ID_BOUCADAIR TCP Option is inspired by
   HOST_ID_WING and XFF.  Figure 3 shows the format of the
   HOST_ID_BOUCADAIR TCP Option.

           +--------+---------+---+---+--------..-------+
           |Kind=TBD|Length=10| L | O |HOST_ID data     | HOST_ID
           +--------+---------+---+---+--------..-------+

             Figure 3: Format of HOST_ID_BOUCADAIR TCP option

   o  L: Indicates the validity lifetime of the enclosed data (in the
      spirit of [RFC6250]).  The following values are supported:
         0: Permanent;
         >0: Dynamic; this value indicates the validity time.
   o  Origin: Indicates the origin of the data conveyed in the data
      field.  The following values are supported:
         0: Internal Port
         1: Internal IPv4 address
         2: Internal Port: Internal IPv4 address
         3: IPv6 Prefix
         >3: No particular semantic
   o  HOST_ID: depends on the content of the Origin field; padding is
      required.

   Two modes are described below: the SYN mode (Section 3.2.1) and the
   ACK mode (Section 3.2.2).

   If the ACK mode is used (Section 3.2.2), Figure 4 shows the
   HOST_ID_ENABLED option to be included in the SYN.

                   +--------+---------+
                   |Kind=TBD|Length=2 |   HOST_ID_ENABLED
                   +--------+---------+


                    Figure 4: Format of HOST_ID_ENABLED
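   The option layouts above are given only as diagrams.  As an added
   example (not code from this draft or from the authors' kernel patch),
   the following Python encodes and decodes the two HOST_ID options of
   Figures 1 and 3 and walks a TCP options area the way a receiver would,
   which is also the check the local server of Section 5.3 performs on a
   captured SYN.  The Kind values (the drafts leave them TBD), the 8-byte
   data field assumed for the IPv6 prefix origin, the constructed SYN
   header and all function names are assumptions of this example.  The
   padding placement is a parameter because Section 6.1.2 reports
   failures only when the padding is encoded as a prefix; the decoder
   shows what a receiver using the other convention makes of such an
   option.

```python
import ipaddress
import struct

# The drafts leave the option Kind values "TBD"; the two values below are
# placeholders chosen for this example only, not assigned code points.
KIND_HOST_ID_WING = 253
KIND_HOST_ID_BOUCADAIR = 254

# Origin field values of HOST_ID_BOUCADAIR (Section 3.2) and their value sizes.
ORIGIN_PORT, ORIGIN_IPV4, ORIGIN_PORT_IPV4, ORIGIN_IPV6_PREFIX = 0, 1, 2, 3
_ORIGIN_SIZES = {ORIGIN_PORT: 2, ORIGIN_IPV4: 4, ORIGIN_PORT_IPV4: 6, ORIGIN_IPV6_PREFIX: 8}


def encode_host_id_wing(user_id):
    """Kind | Length=4 | 16-bit USER_ID data (Figure 1)."""
    return struct.pack("!BBH", KIND_HOST_ID_WING, 4, user_id)


def _boucadair_payload(origin, value):
    """HOST_ID data bytes before padding, according to the Origin field."""
    if origin == ORIGIN_PORT:
        return struct.pack("!H", value)
    if origin == ORIGIN_IPV4:
        return ipaddress.IPv4Address(value).packed
    if origin == ORIGIN_PORT_IPV4:
        return struct.pack("!H", value[0]) + ipaddress.IPv4Address(value[1]).packed
    if origin == ORIGIN_IPV6_PREFIX:
        return ipaddress.IPv6Address(value).packed[:8]     # first 64 bits
    raise ValueError("origin %d has no defined encoding" % origin)


def encode_host_id_boucadair(origin, value, lifetime=0, padding="suffix"):
    """Kind | Length | L | O | HOST_ID data (Figure 3).  The data field is the
    6 bytes (Length=10) drawn in Figure 3; for the IPv6 prefix origin an 8-byte
    field (Length=12) is assumed here because 64 bits do not fit in 6.
    `padding` puts the zero padding after ("suffix") or before ("prefix") the
    value; Section 6.1.2 reports failures only with the latter."""
    payload = _boucadair_payload(origin, value)
    size = 8 if origin == ORIGIN_IPV6_PREFIX else 6
    pad = b"\x00" * (size - len(payload))
    data = pad + payload if padding == "prefix" else payload + pad
    return struct.pack("!BBBB", KIND_HOST_ID_BOUCADAIR, 4 + size, lifetime, origin) + data


def decode_host_id_boucadair(data, padding="suffix"):
    """Inverse of the above for the bytes after Kind/Length; a receiver that
    assumes the other padding convention decodes a different value."""
    lifetime, origin, field = data[0], data[1], data[2:]
    n = _ORIGIN_SIZES.get(origin)
    if n is None:                                   # Origin > 3: no semantic
        return lifetime, origin, field
    payload = field[-n:] if padding == "prefix" else field[:n]
    if origin == ORIGIN_PORT:
        value = struct.unpack("!H", payload)[0]
    elif origin == ORIGIN_IPV4:
        value = str(ipaddress.IPv4Address(payload))
    elif origin == ORIGIN_PORT_IPV4:
        value = (struct.unpack("!H", payload[:2])[0], str(ipaddress.IPv4Address(payload[2:])))
    else:
        value = str(ipaddress.IPv6Network((payload + b"\x00" * 8, 64)))
    return lifetime, origin, value


def parse_tcp_options(raw):
    """Walk a TCP options area into [(kind, data)], handling EOL and NOP.  A
    malformed length raises: the parsing validation a strict receiver performs."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                # End of Option List
            break
        if kind == 1:                                # No-Operation, one byte
            i += 1
            continue
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2 or i + length > len(raw):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        out.append((kind, bytes(raw[i + 2:i + length])))
        i += length
    return out


def build_syn_header(src_port, dst_port, options):
    """Constructed 20-byte TCP SYN header plus options padded with EOL to a
    32-bit boundary; the checksum stays zero since this only feeds the parser."""
    options += b"\x00" * (-len(options) % 4)
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0,
                        ((20 + len(options)) // 4) << 4, 0x02, 65535, 0, 0)
    return fixed + options


def host_ids_in_syn(header, padding="suffix"):
    """The check of Section 5.3 on a captured SYN: HOST_ID options found, decoded."""
    data_offset = (header[12] >> 4) * 4
    if not 20 <= data_offset <= len(header):
        raise ValueError("bad data offset %d" % data_offset)
    found = {}
    for kind, data in parse_tcp_options(header[20:data_offset]):
        if kind == KIND_HOST_ID_WING and len(data) == 2:
            found["HOST_ID_WING"] = struct.unpack("!H", data)[0]
        elif kind == KIND_HOST_ID_BOUCADAIR and len(data) >= 2:
            found["HOST_ID_BOUCADAIR"] = decode_host_id_boucadair(data, padding)
    return found
```

   Encoding the same IPv4 address with `padding="prefix"` and with
   `padding="suffix"` yields two different 6-byte data fields; decoding
   the prefix-padded one with the suffix convention returns an address
   that is not the one injected, which is why the two sides of the
   exchange must agree on the convention.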

3.2.1.  SYN Mode

   This mode is similar to Section 3.1.  In this mode, HOST_ID_BOUCADAIR
   is sent in SYN packets.

   +------------+      +------------+                     +------------+
   | TCP CLIENT |      |     CGN    |                     | TCP SERVER |
   +------------+      +------------+                     +------------+
         |                   |                                    |
         |---TCP SYN-------->|                                    |
         |                   |--TCP SYN, HOST_ID=2001:db8::/5482->|
         |                   |                                    |


                   Figure 5: HOST_ID_BOUCADAIR: SYN Mode

3.2.2.  ACK Mode

   The ACK Mode is as follows (see Figure 6):
   o  Send HOST_ID_ENABLED (Figure 4) in SYN
   o  If the remote TCP server supports that option, it must return it
      in SYNACK
   o  Then the TCP Client sends HOST_ID_BOUCADAIR (Figure 3) in ACK

    +------------+        +------------+                 +------------+
    | TCP CLIENT |        |     CGN    |                 | TCP SERVER |
    +------------+        +------------+                 +------------+
          |                     |                               |
          |---TCP SYN---------->|                               |
          |                     |--TCP SYN, HOSTID_ENABLED=OK-->|
          |                     |<-TCP SYNACK,HOSTID_ENABLED=OK-|
          |<--TCP SYNACK--------|                               |
          |---TCP ACK---------->|                               |
          |                     |--TCP ACK, USER_ID=2001:db8::->|
          |                     |                               |


                                 Figure 6


4.  Overview of the Linux Kernel Modifications

   At this stage, only the SYN mode has been implemented for both
   HOST_ID_WING and HOST_ID_BOUCADAIR TCP options.

   In order to support the injection of the HOST_ID TCP options
   presented in Section 3, some modifications were applied to the Linux
   Kernel (more precisely to the TCP stack).  Major modifications have
   been made in the tcp_output.c file (file responsible for building and
   transmitting all TCP packets).  New variables have been defined and
   functions manipulating the TCP options in SYN packets have been
   modified to inject the configured TCP option in the corresponding SYN
   packet.

   Since different options can be injected, they have to be easily
   configurable.  System control variables (a.k.a., sysctl variables)
   are defined for this purpose.

   The Kernel must be recompiled so that the new TCP options are taken
   into account.

   Kernel modifications and recompilation have been done and tested
   successfully on Fedora and Debian Linux distributions, on different
   kernel versions.

   The following configuration options are supported:
   o  Enable/Disable injecting the TCP Option
   o  Support HOST_ID WING and HOST_ID BOUCADAIR
   o  When the HOST_ID TCP option is supported, the information to be
      injected is configurable:
      *  Source IPv6 address or the first 64 bits of the address
      *  Source IPv4 address
      *  Source port number
      *  Source IPv4 address and Source port
      *  IPv6 address or the first 64 bits of the B4 when DS-Lite is
         activated
   o  When the HOST_ID TCP option is enabled, stripping any existing
      HOST_ID TCP option is enabled by default.


5.  Testbed Setup & Configuration

   Three testbed configurations have been considered:
   1.  HOST_ID TCP option is injected by the host itself.  No CGN is
       present in the communication path (Figure 7).
   2.  HOST_ID TCP option is injected by hosts deployed behind an HTTP
       proxy.  No CGN is present in the communication path (Figure 8).
   3.  HOST_ID TCP option is injected by the DS-Lite AFTR element
       (Figure 9).

    +-----------+
    |  HOST_1   |----+
    | NO-Option |    |
    +-----------+    |      +--------------------+        +------------+
                     |      |                    |--------|  server 1  |
    +-----------+    |      |                    |        +------------+
    |  HOST_2   |----|------|        INTERNET    |               ::
    | (HOST_ID) |    |      |                    |        +------------+
    +-----------+    |      |                    |--------|   server n |
                     |      +--------------------+        +------------+
    +-----------+    |
    |  Local    |----+
    |  Server   |
    +-----------+

               Figure 7: Testbed setup: No Proxy and no CGN

    +-----------+
    |  HOST_1   |----+
    | NO-Option |    |
    +-----------+    |        +--------------------+      +------------+
                     |        |                    |------|  server 1  |
    +-----------+  +-----+    |                    |      +------------+
    |  HOST_2   |--|PROXY|----|      INTERNET      |            ::
    | (HOST_ID) |  +-----+  | |                    |      +------------+
    +-----------+           | |                    |------|   server n |
                            | +--------------------+      +------------+
    +-----------+           |
    |  Local    |-----------+
    |  Server   |
    +-----------+

                    Figure 8: Testbed setup: HTTP Proxy

                                            +----...----+   +----------+
    +----+   |           |                  |           |---| server 1 |
    |HOST|---|  +----+   |   +------+   |   |           |   +----------+
    +----+   |--| B4 |---|---| AFTR |---|---| INTERNET  |        ::
                +----+   |   +------+   |   |           |   +----------+
                         |                  |           |---| server n |
                                            +----...----+   +----------+

                     Figure 9: DS-Lite CGN Environment

   Figure 7 and Figure 8 are used to assess the behavior of the top 1000
   sites when a HOST_ID option is enabled and to evaluate the impact of
   the option on both the session establishment delay and the success
   ratio.

   On the other hand, the configuration shown in Figure 9 will be used
   to evaluate the impact on the CGN performance when the HOST_ID TCP
   option is injected by the CGN.

5.1.  Automated TCP Traffic Generator

   A Python-coded robot has been used as the traffic generator.  The
   robot automates the retrieval of HTTP pages identified by URLs, and
   returns different connection information.  The web page retrieval is
   based on Pycurl, a Python interface to libcurl.  Libcurl is a URL
   transfer library that supports different protocols (e.g., HTTP, FTP).

   The robot consists of two programs:

   1.  The first one takes a URL as an input parameter, performs the DNS
       lookup and then tries to connect to the corresponding machine.
       It returns either the different time values and the connection
       status, or an error message giving the source of the error in
       case of connection failure (e.g., DNS error).  The TCP connection
       establishment time is calculated as the difference between
       CONNECT_TIME and NAMELOOKUP_TIME, where:
       *  NAMELOOKUP_TIME is the time it took from the start until the
          name resolution was completed.
       *  CONNECT_TIME is the time it took from the start until the
          connection to the remote host (or proxy) was completed.
   2.  The second program aims to increase the efficiency and speed of
       the testing by using a multi-thread technique.  It takes the
       number of threads and an input file listing URLs as parameters.
       This program prints the URLs to an output file with the
       corresponding connection time.  If the connection failed, the
       program returns an error message with the corresponding error
       type.

5.2.  Testing Methodology and Procedure

   The testing is done using two machines, one that supports the HOST_ID
   TCP options and one that does not.  The second machine is used as a
   reference for the measurements.  Testing is performed in parallel on
   the two machines, which are directly connected to the Internet.  For
   each HOST_ID TCP option, the test is performed 10 times.  The cycle
   is repeated on different days.  The results are then grouped into
   tables where averages are calculated.  The results obtained with the
   different HOST_ID options are compared using the no-option results as
   a reference.

   Testing was also performed behind a proxy (Figure 8) to evaluate the
   impact of embedding the HOST_ID TCP options on the connection
   establishment time when a proxy is in the path.  When a proxy is
   present, the connection delay is impacted.

   Tests have been conducted from hosts:
   1.  Connected to two (2) commercial ISP networks
   2.  Connected to an enterprise network
   3.  In a lab behind a firewall

5.3.  Check HOST_ID TCP Options are Correctly Injected

   To check whether the HOST_ID TCP options are correctly injected, the
   local server in Figure 7 is configured to be reachable from the
   Internet.  Packets conveying the HOST_ID TCP options are sent from a
   host supporting the options.  These packets are received by the
   local server without alteration.

   This configuration confirms that the packets sent to remote servers
   convey the HOST_ID TCP options.

5.4.  Top Site List

   The Alexa top sites list has been used to conduct the HTTP tests.

   Anonymous FTP sites list from ftp-sites.org has been used to conduct
   the FTP tests.


6.  Experimentation Results

6.1.  HTTP Experimentation Results

   Various combinations of the HOST_ID TCP options have been tested:

   1.  HOST_ID_WING
          HOST_ID_WING has also been adapted to include 32 bits and 64
          bits values.  No particular impact on session establishment
          has been observed.
   2.  HOST_ID_BOUCADAIR (source port)
   3.  HOST_ID_BOUCADAIR (IPv4 address)
   4.  HOST_ID_BOUCADAIR (source port:IPv4 address)
   5.  HOST_ID_BOUCADAIR (IPv6 Prefix)

   Both the success ratio and the average time to establish the TCP
   session are reported below.

   The results show that the success ratio for establishing TCP
   connections with legacy servers is almost the same for all the
   HOST_ID options (Figure 10, Figure 11 and Figure 12).

                      +-----------+-----------+--------------+
                      | NO_OPTION |   WING    | Failure Ratio|
             ---------+-----------+-----------+--------------+
             Top10    |100,00000% |100,00000% |   0,00000%   |
             Top100   |100,00000% |100,00000% |   0,00000%   |
             Top200   |100,00000% |100,00000% |   0,00000%   |
             Top300   | 99,66667% | 99,66667% |   0,00000%   |
             Top400   | 99,50000% | 99,50000% |   0,00000%   |
             Top500   | 99,40000% | 99,40000% |   0,00000%   |
             Top600   | 99,33333% | 99,33333% |   0,00000%   |
             Top700   | 99,42857% | 99,42857% |   0,00000%   |
             Top800   | 99,37500% | 99,37500% |   0,00000%   |
             Top900   | 99,33333% | 99,33333% |   0,00000%   |
             Top1000  | 99,40000% | 99,40000% |   0,00000%   |
             Top2000  | 99,25000% | 99,20000% |   0,05000%   |
             Top3000  | 99,13333% | 99,10000% |   0,03333%   |
             Top4000  | 99,10000% | 99,05000% |   0,05000%   |
             Top5000  | 99,08000% | 99,04000% |   0,04000%   |
             Top6000  | 99,18333% | 99,15000% |   0,03333%   |
             Top7000  | 99,21429% | 99,15714% |   0,05714%   |
             Top8000  | 99,11250% | 99,05000% |   0,06250%   |
             Top9000  | 99,11111% | 99,05556% |   0,05556%   |
             Top10000 | 99,12000% | 99,07000% |   0,05000%   |
             ---------+-----------+-----------+--------------+


             Figure 10: Cumulated Success Ratio (HOST_ID_WING)

                           +------+-------+--------------+
                           | NOP  |  WING | Failure Ratio|
                 ----------+------+-------+--------------+
                 1-100     | 100% | 100%  |    0,00%     |
                 101-200   | 100% | 100%  |    0,00%     |
                 201-300   | 100% | 100%  |    0,00%     |
                 301-400   | 99%  | 99%   |    0,00%     |
                 401-500   | 100% | 100%  |    0,00%     |
                 501-600   | 100% | 100%  |    0,00%     |
                 601-700   | 100% | 100%  |    0,00%     |
                 701-800   | 99%  | 99%   |    0,00%     |
                 801-900   | 99%  | 99%   |    0,00%     |
                 901-1000  | 100% | 100%  |    0,00%     |
                 0-1000    |99,4% | 99,4% |    0,00%     |
                 1001-2000 |99,1% | 99,0% |    0,10%     |
                 2001-3000 |98,9% | 98,9% |    0,00%     |
                 3001-4000 |99,0% | 98,9% |    0,10%     |
                 4001-5000 |99,0% | 99,0% |    0,00%     |
                 5001-6000 |99,7% | 99,7% |    0,00%     |
                 6001-7000 |99,4% | 99,2% |    0,20%     |
                 7001-8000 |98,4% | 98,3% |    0,10%     |
                 8001-9000 |99,1% | 99,1% |    0,00%     |
                 9001-10000|99,3% | 99,3% |    0,00%     |
                 ----------+------+-------+--------------+


              Figure 11: TopX000 Success Ratio (HOST_ID_WING)

                           +------+-------+--------------+
                           | NOP  |  OB   | Failure Ratio|
                 ----------+------+-------+--------------+
                 1-100     | 100% | 100%  |    0,00%     |
                 101-200   | 100% | 100%  |    0,00%     |
                 201-300   | 100% | 100%  |    0,00%     |
                 301-400   | 99%  | 99%   |    0,00%     |
                 401-500   | 100% | 100%  |    0,00%     |
                 501-600   | 100% | 100%  |    0,00%     |
                 601-700   | 100% | 100%  |    0,00%     |
                 701-800   | 99%  | 99%   |    0,00%     |
                 801-900   | 99%  | 99%   |    0,00%     |
                 901-1000  | 100% | 100%  |    0,00%     |
                 0-1000    |99,4% | 99,4% |    0,00%     |
                 1001-2000 |99,1% | 99,0% |    0,10%     |
                 2001-3000 |98,9% | 98,9% |    0,00%     |
                 3001-4000 |99,0% | 98,9% |    0,10%     |
                 4001-5000 |99,0% | 99,0% |    0,00%     |
                 5001-6000 |99,7% | 99,7% |    0,00%     |
                 6001-7000 |99,4% | 99,2% |    0,20%     |
                 7001-8000 |98,4% | 98,3% |    0,10%     |
                 8001-9000 |99,1% | 99,0% |    0,10%     |
                 9001-10000|99,3% | 99,3% |    0,00%     |
                 ----------+------+-------+--------------+


           Figure 12: TopX000 Success Ratio (HOST_ID_BOUCADAIR)

                          +------+-----------+---------------+
                          | NOP  |  OPT_WING | OPT_BOUCADAIR |
              ------------+------+-----------+---------------+
              Timeout     |  44  |    48     |     49        |
              ------------+------+-----------+---------------+
              DNS Failure |  26  |    26     |     26        |
              ------------+------+-----------+---------------+

                      Figure 13: Failure Distribution

   The above tables (Figure 10, Figure 11 and Figure 12) show that only
   very few servers are impacted by the injection of the HOST_ID option.

   For the top10000, the main cause of failure is DNS (see Figure 13).

   For the Top10000 websites, 5 servers do not reply when a HOST_ID TCP
   option is included:
      www.barclays.co.uk
      www.carrefour.fr
      www.morguefile.com
      www.gamespress.com
      www.mymovies.it

   When HOST_ID_BOUCADAIR is used, an additional server does not reply:
      www.lawyers.com

   These results show that including a HOST_ID TCP option does not
   systematically imply an extra delay for the establishment of the TCP
   session.  Based upon the average of the session establishment with
   the top10000 sites, the following results have been obtained:
   o  delay(HOST_ID_WING) < delay(NO_OPTION): 47,85 %
   o  delay(HOST_ID_BOUCADAIR (source port:IPv4 address)) <
      delay(NO_OPTION): 47,06 %
   o  delay(HOST_ID_BOUCADAIR (source port)) < delay(NO_OPTION): 54,9 %
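   The tables of this section are computed from the robot's averaged
   output.  The following added example (not the authors' tooling)
   shows that arithmetic on constructed outcomes for ten ranked sites:
   the cumulated success ratio per TopN with the failure ratio as the
   difference (Figure 10 layout), the ratio per slice of consecutive
   ranks (Figure 11), the failure distribution by cause (Figure 13), the
   list of servers that answer only when no option is present, and the
   share of sites whose establishment delay is lower with the option
   than without, as in the delay(...) < delay(NO_OPTION) figures above.
   The data, the site names and the function names are constructed for
   this example.

```python
from collections import Counter

CONFIGS = ("NO_OPTION", "WING", "BOUCADAIR")


def make_constructed_results():
    """Constructed outcomes for 10 ranked sites (not measured data): per
    configuration, (status, mean TCP connect time in seconds over the repeated
    runs), with None as the time when the connection failed."""
    ok = lambda t: ("ok", t)
    dns, tmo = ("DNS error", None), ("Timeout", None)
    rows = [  # rank, url,           NO_OPTION,  WING,       BOUCADAIR
        (1, "site1.example", ok(0.020), ok(0.019), ok(0.021)),
        (2, "site2.example", ok(0.030), ok(0.031), ok(0.029)),
        (3, "site3.example", ok(0.025), ok(0.024), ok(0.026)),
        (4, "site4.example", dns, dns, dns),
        (5, "site5.example", ok(0.040), ok(0.039), ok(0.041)),
        (6, "site6.example", ok(0.015), ok(0.016), ok(0.014)),
        (7, "site7.example", ok(0.050), tmo, tmo),           # replies only without option
        (8, "site8.example", ok(0.035), ok(0.034), ok(0.036)),
        (9, "site9.example", tmo, tmo, tmo),
        (10, "site10.example", ok(0.022), ok(0.023), tmo),   # fails only with BOUCADAIR
    ]
    return [{"rank": r, "url": u, "results": dict(zip(CONFIGS, outcomes))}
            for r, u, *outcomes in rows]


def _ok(rec, cfg):
    return rec["results"][cfg][0] == "ok"


def _ratios(sites, option):
    """(success % without option, success % with option, failure ratio)."""
    base = 100.0 * sum(_ok(r, "NO_OPTION") for r in sites) / len(sites)
    opt = 100.0 * sum(_ok(r, option) for r in sites) / len(sites)
    return base, opt, base - opt


def cumulated_success_ratio(records, tops, option):
    """Figure 10 layout: ratios over ranks 1..N for each N in `tops`."""
    ranked = sorted(records, key=lambda r: r["rank"])
    return {"Top%d" % n: _ratios(ranked[:n], option) for n in tops}


def bucket_success_ratio(records, option, size=100):
    """Figure 11 layout: ratios per slice of `size` consecutive ranks."""
    ranked = sorted(records, key=lambda r: r["rank"])
    return {"%d-%d" % (s + 1, min(s + size, len(ranked))): _ratios(ranked[s:s + size], option)
            for s in range(0, len(ranked), size)}


def failure_distribution(records):
    """Figure 13 layout: count of failures per cause, per configuration."""
    return {cfg: Counter(r["results"][cfg][0] for r in records if not _ok(r, cfg))
            for cfg in CONFIGS}


def failing_only_with_option(records, option):
    """Servers that reply without the option but not with it (the kind of list
    given for the Top10000 above), in rank order."""
    return [r["url"] for r in sorted(records, key=lambda r: r["rank"])
            if _ok(r, "NO_OPTION") and not _ok(r, option)]


def share_faster_with_option(records, option):
    """Percentage of sites reachable both ways whose mean establishment delay is
    lower with the option than without: delay(option) < delay(NO_OPTION)."""
    both = [r for r in records if _ok(r, "NO_OPTION") and _ok(r, option)]
    faster = sum(r["results"][option][1] < r["results"]["NO_OPTION"][1] for r in both)
    return 100.0 * faster / len(both) if both else float("nan")


if __name__ == "__main__":
    recs = make_constructed_results()
    for name, (base, opt, fail) in cumulated_success_ratio(recs, (5, 10), "WING").items():
        print("%-6s |%10.5f%% |%10.5f%% |%10.5f%% |" % (name, base, opt, fail))
    print(dict(failure_distribution(recs)["WING"]))
    print(failing_only_with_option(recs, "BOUCADAIR"))
    print("%.2f %%" % share_faster_with_option(recs, "WING"))
```

   With the constructed data, the failure ratio column grows from 0 to
   10 % for WING between Top5 and Top10 because site 7 stops replying
   when the option is present, and site 10 adds a further failure for
   BOUCADAIR only, mirroring the one extra server reported above.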

6.1.1.  Proxy

   When an HTTP proxy is in the path, the injection of the HOST_ID TCP
   option does not impact the success ratio.  This is because the HTTP
   proxy strips the HOST_ID TCP options; these options are not leaked to
   remote Internet servers.

6.1.2.  Anomalies

   Tests have been conducted from hosts:
   1.  Connected to two commercial ISP networks (using two CPEs each
       connected to an ISP network)
   2.  Connected to an enterprise network
   3.  In a lab behind a firewall

   The results for HOST_ID_WING for all three configurations are the
   same as in Section 6.  Surprisingly, the results obtained for
   HOST_ID_BOUCADAIR are not the same.  Indeed, configurations (1) and
   (2) lead to the results documented in Section 6, but failures have
   been observed for configuration (3).  Figure 14 and Figure 15 show
   the observed results.  Note that failures are encountered for the
   same set of servers.

                      +-----------+-----------+--------------+
                      | NOB       | OB        | Failure Ratio|
              --------+-----------+-----------+--------------+
              Top10   |100,00000% |100,00000% |   0,00000%   |
              Top100  |100,00000% |100,00000% |   0,00000%   |
              Top200  |100,00000% |100,00000% |   0,00000%   |
              Top300  |100,00000% | 99,66667% |   0,33333%   |
              Top400  | 99,75000% | 99,00000% |   0,75000%   |
              Top500  | 99,80000% | 99,00000% |   0,80000%   |
              Top600  | 99,83333% | 98,66667% |   1,16667%   |
              Top700  | 99,85714% | 98,14286% |   1,71429%   |
              Top800  | 99,75000% | 98,00000% |   1,75000%   |
              Top900  | 99,66667% | 97,33333% |   2,33333%   |
              Top1000 | 99,70000% | 97,10000% |   2,60000%   |
              --------+-----------+-----------+--------------+

                    Figure 14: Cumulated success ratio

                          +------+-------+--------------+
                          | NOB  |HOST_ID| Failure Ratio|
                  --------+------+-------+--------------+
                  1-100   | 100% | 100%  |    0,00%     |
                  101-200 | 100% | 100%  |    0,00%     |
                  201-300 | 100% |  99%  |    1,00%     |
                  301-400 | 99%  |  97%  |    2,00%     |
                  401-500 | 100% |  99%  |    1,00%     |
                  501-600 | 100% |  97%  |    3,00%     |
                  601-700 | 100% |  95%  |    5,00%     |
                  701-800 | 99%  |  97%  |    2,00%     |
                  801-900 | 99%  |  92%  |    7,00%     |
                  901-1000| 100% |  95%  |    5,00%     |
                  --------+------+-------+--------------+
                   Total  | 997  | 971   |    2,60%     |
                  --------+------+-------+--------------+

                      Figure 15: TopX00 Success Ratio

   After investigation, it has been concluded that the failures are
   caused by the padding bits (Section 3.2).  Indeed, if the padding is
   encoded as a prefix, failures are observed.  These failures are not
   observed when the padding bits are encoded as a suffix.  The main
   conclusion of this testing is that:

      2,6% of the servers which do not support the HOST_ID TCP option
      proceed to some parsing validation.

6.1.3.  CPEs Behaviour

   Tests have also been conducted behind two branded CPEs connected to
   distinct ISP networks.  The main conclusions of these tests are:

   1.  One commercial CPE discards all connections when the
       HOST_ID_BOUCADAIR option is conveyed.  This CPE proceeds to some
       parsing function before relaying TCP packets to the Internet.

   2.  For the second CPE, the same results (for the first top1000) as
       Section 6.1 have been obtained even with the padding encoded as a
       suffix.

   3.  After modifying the implementation (Section 4), the same results
       (for the first top1000) as Section 6.1 have been obtained for
       both branded CPEs.

6.2.  FTP

   Various combinations of the HOST_ID TCP options have been tested:

   1.  HOST_ID_WING

   2.  HOST_ID_BOUCADAIR (source port)

   3.  HOST_ID_BOUCADAIR (source port:IPv4 address)

   A list of 5591 FTP servers has been used to conduct these tests.
   Among this list, only 2050 were reachable:

   o  937 FTP servers could not be reached because of a connection
      timeout.

   o  1286 FTP servers could not be reached because of DNS errors.

   o  717 FTP servers could not be reached because access was denied.

   o  500 FTP servers could not be connected to.

   o  Etc.

   5 connection errors (connection timeout) are experienced when
   reaching the 2050 FTP servers, both with and without HOST_ID TCP
   options.  When HOST_ID TCP options are injected, 9 additional errors
   (connection timeout) are observed.

   Figure 16 and Figure 17 provide more data about the error
   distribution.

             ---------+-----------+-----------+--------------+
             Rank     |    NOB    |  HOST_ID  | Failure Ratio|
             ---------+-----------+-----------+--------------+
             1-100    |    100%   |    100%   |   0,00000%   |
             101-200  |    100%   |    99%    |   1,00000%   |
             201-300  |    100%   |    99%    |   1,00000%   |
             301-400  |    99%    |    99%    |   0,00000%   |
             401-500  |    100%   |    100%   |   0,00000%   |
             501-600  |    100%   |    100%   |   0,00000%   |
             601-700  |    99%    |    99%    |   0,00000%   |
             701-800  |    100%   |    100%   |   0,00000%   |
             801-900  |    100%   |    99%    |   1,00000%   |
             901-1000 |    100%   |    99%    |   1,00000%   |
             1001-2000|    99,7%  |    99,2%  |   0,50000%   |
             2001-2050|    100%   |    100%   |   0,00000%   |
             ---------+-----------+-----------+--------------+

                Figure 16: Success Ratio per Rank Range (FTP)

             ----------+-----------+-----------+--------------+
             Servers   |    NOB    |  HOST_ID  | Failure Ratio|
             ----------+-----------+-----------+--------------+
             first 10  | 100,0000% | 100,00000%|  0,00000%    |
             first 100 | 100,0000% | 100,00000%|  0,00000%    |
             first 200 | 100,0000% | 99,50000% |  0,50000%    |
             first 300 | 100,0000% | 99,33333% |  0,66667%    |
             first 400 | 99,75000% | 99,25000% |  0,50000%    |
             first 500 | 99,80000% | 99,40000% |  0,40000%    |
             first 600 | 99,83333% | 99,50000% |  0,33333%    |
             first 700 | 99,71429% | 99,42857% |  0,28571%    |
             first 800 | 99,75000% | 99,50000% |  0,25000%    |
             first 900 | 99,77778% | 99,44444% |  0,33333%    |
             first 1000| 99,80000% | 99,40000% |  0,40000%    |
             first 2000| 99,75000% | 99,30000% |  0,45000%    |
             first 2050| 99,75610% | 99,31707% |  0,43902%    |
             ----------+-----------+-----------+--------------+

       Figure 17: Cumulated Success Ratio for the First XXX FTP Servers

   The results also show that including a HOST_ID TCP option does not
   systematically imply an extra delay for the establishment of the TCP
   session with remote FTP servers.  Comparing the average session
   establishment delay measured with and without the option for the
   2050 reachable FTP servers, the session was established faster with
   the option than without it for the following proportion of servers:

   o  delay(HOST_ID_WING) < delay(NO_OPTION): 48,43902 %

   o  delay(HOST_ID_BOUCADAIR (source port:IPv4 address)) <
      delay(NO_OPTION): 47,41463 %

   o  delay(HOST_ID_BOUCADAIR (source port)) < delay(NO_OPTION):
      48,43902 %

6.3.  SSH

   The secure shell service has been tested between a host and an SSH
   server located in the same network.

   SSH connections have been successfully established with the server
   for all the HOST_ID TCP options.

6.4.  Telnet

   Telnet sessions have been successfully initiated for all HOST_ID TCP
   options with a server (the CGN used in Figure 9).


7.  Next Steps

   o  Support HOST_ID injection in ACK mode.

   o  Support TCP option injection by the CGN and carry out the
      appropriate testing to assess the impact of using these options on
      CGN performance.

   o  Update the iptables module to enforce policies based upon the
      content of the HOST_ID TCP option.

   o  Test against the top 1 million websites.


8.  IANA Considerations

   This document makes no request of IANA.


9.  Security Considerations

   Security considerations discussed in [I-D.wing-nat-reveal-option]
   should be taken into account.


10.  Acknowledgments

   Many thanks to M. Meulle, P. Ng Tung and L. Valeyre for their help
   and review.  Special thanks to C. Jacquenet for his careful review
   and to D. Wing for providing a pointer to the FTP server list.


11.  References

11.1.  Normative References

   [I-D.wing-nat-reveal-option]
              Yourtchenko, A. and D. Wing, "Revealing hosts sharing an
              IP address using TCP option",
              draft-wing-nat-reveal-option-02 (work in progress),
              June 2011.

   [RFC6250]  Thaler, D., "Evolution of the IP Model", RFC 6250,
              May 2011.

11.2.  Informative References

   [I-D.boucadair-intarea-nat-reveal-analysis]
              Boucadair, M., Touch, J., Levis, P., and R. Penno,
              "Analysis of Solution Candidates to Reveal a Host
              Identifier in Shared Address Deployments",
              draft-boucadair-intarea-nat-reveal-analysis-04 (work in
              progress), September 2011.

   [I-D.petersson-forwarded-for]
              Petersson, A. and M. Nilsson, "Forwarded HTTP Extension",
              draft-petersson-forwarded-for-01 (work in progress),
              October 2011.

   [RFC6269]  Ford, M., Boucadair, M., Durand, A., Levis, P., and P.
              Roberts, "Issues with IP Address Sharing", RFC 6269,
              June 2011.


Authors' Addresses

   Elie Abdo
   France Telecom
   Issy Les Moulineaux

   Email: elie.abdo@orange.com


   Mohamed Boucadair
   France Telecom

   Email: mohamed.boucadair@orange.com


   Jaqueline Queiroz
   France Telecom
   Issy Les Moulineaux


   Email: jaqueline.queiroz@orange.com