Network Working Group                                            E. Abdo
Internet-Draft                                              M. Boucadair
Intended status: Informational                                J. Queiroz
Expires: May 3, 2012                                      France Telecom
                                                        October 31, 2011

     HOST_ID TCP Options: Implementation & Preliminary Test Results
               draft-abdo-hostid-tcpopt-implementation-01

Abstract

   This memo documents the implementation of the HOST_ID TCP Options.
   It also discusses the preliminary results of the tests that have been
   conducted to assess the technical feasibility of the approach as well
   as its scalability.  Several HOST_ID TCP options have been
   implemented and tested.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 3, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Abdo, et al.             Expires May 3, 2012                    [Page 1]
Internet-Draft      Report of NAT Reveal TCP Options        October 2011
Table of Contents

   1.  Introduction
   2.  Objectives
   3.  NAT Reveal TCP Options: Overview
     3.1.  HOST_ID_WING TCP Option
     3.2.  HOST_ID_BOUCADAIR TCP Option
       3.2.1.  SYN Mode
       3.2.2.  ACK Mode
   4.  Overview of the Linux Kernel Modifications
   5.  Testbed Setup & Configuration
     5.1.  Automated TCP Traffic Generator
     5.2.  Testing Methodology and Procedure
     5.3.  Check HOST_ID TCP Options are Correctly Injected
     5.4.  Top Site List
   6.  Experimentation Results
     6.1.  HTTP Experimentation Results
       6.1.1.  Proxy
       6.1.2.  Anomalies
       6.1.3.  CPEs Behaviour
     6.2.  FTP
     6.3.  SSH
     6.4.  Telnet
   7.  Next Steps
   8.  IANA Considerations
   9.  Security Considerations
   10.  Acknowledgments
   11.  References
     11.1.  Normative References
     11.2.  Informative References
   Authors' Addresses
1.  Introduction

   To ensure IPv4 service continuity, service providers will need to
   deploy IPv4 address sharing techniques.  Several issues are likely to
   be encountered (refer to [RFC6269] for a detailed survey of the
   issues) and they may affect the delivery of services that depend on
   the enforcement of policies based upon the source IPv4 address.  Some
   of these issues may be mitigated by activating advanced features.

   Among the solutions analyzed in
   [I-D.boucadair-intarea-nat-reveal-analysis], the use of a new TCP
   option to convey a HOST_ID seems to be a promising solution.

   This memo documents some implementation and experimentation efforts
   that have been conducted to assess the viability of using HOST_ID
   TCP options at large scale.  In particular, this document provides
   experimentation results related to the support of the HOST_ID TCP
   Options and the behavior of legacy TCP servers when receiving the
   HOST_ID TCP option.  This draft also discusses the impact of using a
   HOST_ID TCP option on the time it takes to establish a connection.

2.  Objectives

   The implementation of several HOST_ID TCP options is primarily meant
   to:

   o  Assess the validity of the HOST_ID TCP option approach

   o  Evaluate the impact on a TCP stack of supporting the HOST_ID TCP
      options

   o  Improve filtering and logging capabilities based upon the contents
      of the HOST_ID TCP option.  This means the enforcement of various
      policies based upon the content of the HOST_ID TCP option at the
      server side: Log, Deny, Accept, etc.

   o  Assess the behavior of legacy TCP servers when receiving a HOST_ID
      TCP option

   o  Assess the success ratio of TCP communications when a HOST_ID TCP
      option is received

   o  Assess the impact of injecting a HOST_ID TCP option on the time it
      takes to establish a connection

   o  Assess the performance impact on the CGN device that has been
      configured to inject the HOST_ID option

3.  NAT Reveal TCP Options: Overview

   The original idea of defining a TCP option is documented in
   [I-D.wing-nat-reveal-option] (denoted as HOST_ID_WING).

   An additional TCP option format to convey a HOST_ID has also been
   considered (denoted as HOST_ID_BOUCADAIR).  The main motivation is to
   also cover the load-balancer use case and to provide functionality as
   rich as the Forwarded-For HTTP header [I-D.petersson-forwarded-for].

   The following sub-sections provide an overview of these HOST_ID TCP
   options.

3.1.  HOST_ID_WING TCP Option

   HOST_ID_WING is defined in [I-D.wing-nat-reveal-option].  Figure 1
   shows the format of this option.

            +--------+--------+-----------------------+
            |Kind=TBD|Length=4|     USER_ID Data      |
            +--------+--------+-----------------------+

               Figure 1: Format of HOST_ID_WING TCP Option

   Figure 2 shows an example of using the HOST_ID_WING TCP option.

   +------------+          +------------+          +------------+
   | TCP CLIENT |          |    CGN     |          | TCP SERVER |
   +------------+          +------------+          +------------+
         |                       |                       |
         |---TCP SYN------------>|                       |
         |                       |---TCP SYN, HOST_ID=12345---->|
         |                       |                       |

              Figure 2: HOST_ID_WING TCP Option: Flow example

3.2.  HOST_ID_BOUCADAIR TCP Option

   As mentioned above, the HOST_ID_BOUCADAIR TCP Option is inspired
   from HOST_ID_WING and XFF.  Figure 3 shows the format of the
   HOST_ID_BOUCADAIR TCP Option.

         +--------+---------+---+---+--------..-------+
         |Kind=TBD|Length=10| L | O |  HOST_ID data   |  HOST_ID
         +--------+---------+---+---+--------..-------+

             Figure 3: Format of HOST_ID_BOUCADAIR TCP option

   o  L: Indicates the validity lifetime of the enclosed data (in the
      spirit of [RFC6250]).  The following values are supported:

         0: Permanent;

         >0: Dynamic; this value indicates the validity time.

   o  Origin: Indicates the origin of the data conveyed in the data
      field.  The following values are supported:

         0: Internal Port

         1: Internal IPv4 address

         2: Internal Port: Internal IPv4 address

         3: IPv6 Prefix

         >3: No particular semantic

   o  HOST_ID: depends on the content of the Origin field; padding is
      required.

   Two modes are described below: the SYN mode (Section 3.2.1) and the
   ACK mode (Section 3.2.2).  If the ACK mode is used (Section 3.2.2),
   Figure 4 shows the HOST_ID_ENABLED option to be included in the SYN.

                  +--------+---------+
                  |Kind=TBD|Length=2 |  HOST_ID_ENABLED
                  +--------+---------+

                  Figure 4: Format of HOST_ID_ENABLED

3.2.1.  SYN Mode

   This mode is similar to Section 3.1.  In this mode, HOST_ID_BOUCADAIR
   is sent in SYN packets.

   +------------+        +------------+          +------------+
   | TCP CLIENT |        |    CGN     |          | TCP SERVER |
   +------------+        +------------+          +------------+
         |                     |                       |
         |---TCP SYN---------->|                       |
         |                     |--TCP SYN, HOST_ID=2001:db8::/5482->|
         |                     |                       |

                 Figure 5: HOST_ID_BOUCADAIR: SYN Mode

3.2.2.  ACK Mode

   The ACK Mode is as follows (see Figure 6):

   o  Send HOST_ID_ENABLED (Figure 4) in the SYN

   o  If the remote TCP server supports that option, it must return it
      in the SYNACK

   o  Then the TCP Client sends HOST_ID_BOUCADAIR (Figure 3) in the ACK

   +------------+        +------------+          +------------+
   | TCP CLIENT |        |    CGN     |          | TCP SERVER |
   +------------+        +------------+          +------------+
         |                     |                       |
         |---TCP SYN---------->|                       |
         |                     |--TCP SYN, HOSTID_ENABLED=OK-->|
         |                     |<-TCP SYNACK,HOSTID_ENABLED=OK-|
         |<--TCP SYNACK--------|                       |
         |---TCP ACK---------->|                       |
         |                     |--TCP ACK, USER_ID=2001:db8::->|
         |                     |                       |

                                 Figure 6

4.  Overview of the Linux Kernel Modifications

   At this stage, only the SYN mode has been implemented for both the
   HOST_ID_WING and HOST_ID_BOUCADAIR TCP options.

   In order to support the injection of the HOST_ID TCP options
   presented in Section 3, some modifications were applied to the Linux
   Kernel (more precisely to the TCP stack).
   Major modifications have been made in the tcp_output.c file (the file
   responsible for building and transmitting all TCP packets).  New
   variables have been defined, and the functions manipulating the TCP
   options in SYN packets have been modified to inject the configured
   TCP option in the corresponding SYN packet.

   Since different options can be injected, they have to be easily
   configurable.  System control variables (a.k.a., sysctl variables)
   are defined for this purpose.

   The Kernel must be recompiled so that the new TCP options are taken
   into account.  Kernel modifications and recompilation have been done
   and tested successfully on Fedora and Debian Linux distributions, on
   different kernel versions.

   The following configuration options are supported:

   o  Enable/Disable injecting the TCP Option

   o  Support HOST_ID_WING and HOST_ID_BOUCADAIR

   o  When the HOST_ID TCP option is supported, the information to be
      injected is configurable:

      *  Source IPv6 address or the first 64 bits of the address

      *  Source IPv4 address

      *  Source port number

      *  Source IPv4 address and Source port

      *  IPv6 address or the first 64 bits of the B4 when DS-Lite is
         activated

   o  When the HOST_ID TCP option is enabled, stripping any existing
      HOST_ID TCP option is enabled by default.

5.  Testbed Setup & Configuration

   Three testbed configurations have been considered:

   1.  The HOST_ID TCP option is injected by the host itself.  No CGN is
       present in the communication path (Figure 7).

   2.  The HOST_ID TCP option is injected by hosts deployed behind an
       HTTP proxy.  No CGN is present in the communication path
       (Figure 8).

   3.  The HOST_ID TCP option is injected by the DS-Lite AFTR element
       (Figure 9).
   +-----------+
   |  HOST_1   |----+
   | NO-Option |    |
   +-----------+    |    +--------------------+      +------------+
                    |    |                    |------|  server 1  |
   +-----------+    |    |                    |      +------------+
   |  HOST_2   |----|----|      INTERNET      |            ::
   | (HOST_ID) |    |    |                    |      +------------+
   +-----------+    |    |                    |------|  server n  |
                    |    +--------------------+      +------------+
   +-----------+    |
   |   Local   |----+
   |   Server  |
   +-----------+

             Figure 7: Testbed setup: No Proxy and no CGN

   +-----------+
   |  HOST_1   |-------------+
   | NO-Option |             |
   +-----------+             |  +--------------------+      +------------+
                             |  |                    |------|  server 1  |
   +-----------+  +-----+    |  |                    |      +------------+
   |  HOST_2   |--|PROXY|----|--|      INTERNET      |            ::
   | (HOST_ID) |  +-----+    |  |                    |      +------------+
   +-----------+             |  |                    |------|  server n  |
                             |  +--------------------+      +------------+
   +-----------+             |
   |   Local   |-------------+
   |   Server  |
   +-----------+

                   Figure 8: Testbed setup: HTTP Proxy

                                              +----...----+      +----------+
   +----+                                     |           |------| server 1 |
   |HOST|---|     +----+     |     +------+   |           |      +----------+
   +----+   |-----| B4 |-----|-----| AFTR |---|  INTERNET |           ::
            |     +----+     |     +------+   |           |      +----------+
                                              |           |------| server n |
                                              +----...----+      +----------+

                     Figure 9: DS-Lite CGN Environment

   Figure 7 and Figure 8 are used to assess the behavior of the top
   1000 sites when a HOST_ID option is enabled and to evaluate the
   impact of the option on both the session establishment delay and the
   success ratio.  On the other hand, the configuration shown in
   Figure 9 will be used to evaluate the impact on the CGN performance
   when the HOST_ID TCP option is injected by the CGN.

5.1.  Automated TCP Traffic Generator

   A Python-coded robot has been used as the traffic generator.  The
   robot automates the retrieval of HTTP pages identified by URLs and
   returns different connection information.  The web page retrieval is
   based on Pycurl, a Python interface to libcurl.  Libcurl is a URL
   transfer library that supports different protocols (e.g., HTTP,
   FTP).
   The robot consists of two programs:

   1.  The first one takes a URL as an input parameter, performs the DNS
       lookup and then tries to connect to the corresponding machine.
       It returns either the different time values and the connection
       status, or an error message with the source of the error in case
       of connection failure (e.g., DNS error).  The TCP connection
       establishment time is calculated as the difference between
       CONNECT_TIME and NAMELOOKUP_TIME, where:

       *  NAMELOOKUP_TIME is the time it took from the start until the
          name resolution was completed.

       *  CONNECT_TIME is the time it took from the start until the
          connection to the remote host (or proxy) was completed.

   2.  The second program aims to increase the efficiency and speed of
       the testing by using a multi-thread technique.  It takes the
       number of threads and an input file listing URLs as parameters.
       This program prints the URLs to an output file with the
       corresponding connection time.  If something went wrong so that
       the connection failed, the program returns an error message with
       the corresponding error type.

5.2.  Testing Methodology and Procedure

   The testing is done using two machines, one that supports the HOST_ID
   TCP options and one that does not.  The second machine is used as a
   reference for the measurements.  Testing is performed in parallel on
   the two machines, which are directly connected to the Internet.

   For each HOST_ID TCP option, the test is performed 10 times.  The
   cycle is repeated on different days.  Then the results are grouped
   into tables where averages are calculated.  The comparison between
   the results of the different HOST_ID options is made by using the
   no-option testing results as a reference.

   Testing was also performed behind a proxy (Figure 8) to evaluate the
   impact of embedding the HOST_ID TCP options on the connection
   establishment time when a proxy is in the path.
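   As an added example (not the authors' robot, which uses Pycurl), the
   following socket-based Python equivalent shows the two programs of
   Section 5.1 and the reference-versus-option comparison of Section
   5.2: measure() separates name lookup from connect time the way the
   two libcurl timers do, run_list() parallelises it with a thread pool,
   and compare() yields the success ratios and the "delay(OPTION) <
   delay(NO_OPTION)" share reported in Section 6.  The offline_* stand-
   ins and the addresses they return are constructed for dry runs
   without network access.

```python
import concurrent.futures
import socket
import time
from urllib.parse import urlsplit


def _tcp_connect(addr, timeout):
    """Real connector: open and immediately close a TCP connection."""
    with socket.create_connection(addr[:2], timeout=timeout):
        pass


def offline_resolve(host, port):
    """Constructed stand-in for getaddrinfo, for dry runs without network."""
    if host.endswith(".invalid"):
        raise OSError("constructed DNS failure for %s" % host)
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.1", port))]


def offline_connect(addr, timeout):
    """Constructed stand-in for the connector: port 443 simulates a timeout."""
    if addr[1] == 443:
        raise OSError("constructed connection timeout")


def measure(url, resolve=socket.getaddrinfo, connect=_tcp_connect, timeout=10.0):
    """First robot program: DNS lookup, then TCP connect to the host.

    NAMELOOKUP_TIME and CONNECT_TIME are measured from the start, as in
    libcurl; tcp_connect is their difference.  On failure an error string
    naming the failing step is returned instead of the timings.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    start = time.monotonic()
    try:
        addr = resolve(parts.hostname, port)[0][4]
    except (OSError, IndexError) as exc:       # socket.gaierror is an OSError
        return {"url": url, "error": "DNS error: %s" % exc}
    namelookup = time.monotonic() - start
    try:
        connect(addr, timeout)
    except OSError as exc:
        return {"url": url, "error": "connect error: %s" % exc}
    connect_time = time.monotonic() - start
    return {"url": url, "NAMELOOKUP_TIME": namelookup,
            "CONNECT_TIME": connect_time,
            "tcp_connect": connect_time - namelookup}


def run_list(urls, threads=20, **kw):
    """Second robot program: measure a whole URL list with a thread pool."""
    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as pool:
        return list(pool.map(lambda u: measure(u, **kw), urls))


def compare(reference, option):
    """Summarise one run pair: success ratio of the reference (no option)
    and option-bearing hosts, their difference as the failure ratio, and
    the share of sites for which the option host connected faster."""
    ref = {r["url"]: r for r in reference}
    ok_ref = sum("error" not in r for r in reference)
    ok_opt = sum("error" not in r for r in option)
    faster = both = 0
    for r in option:
        base = ref.get(r["url"])
        if base and "error" not in base and "error" not in r:
            both += 1
            faster += r["tcp_connect"] < base["tcp_connect"]
    return {"success_ratio_reference": ok_ref / len(reference),
            "success_ratio_option": ok_opt / len(option),
            "failure_ratio": (ok_ref - ok_opt) / len(reference),
            "option_faster_share": faster / both if both else 0.0}
```

   Run the same URL list once from each machine and feed both result
   lists to compare(); averaging the 10 repetitions of Section 5.2 is
   left to the caller.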
   When a proxy is present, the connection delay is impacted.

   Tests have been conducted from hosts:

   1.  Connected to two (2) commercial ISP networks

   2.  Connected to an enterprise network

   3.  In a lab behind a firewall

5.3.  Check HOST_ID TCP Options are Correctly Injected

   To check whether the HOST_ID TCP options are correctly injected, the
   local server in Figure 7 is configured to be reachable from the
   Internet.  Packets conveying the HOST_ID TCP options are sent from a
   host supporting the options.  These packets are received without
   alteration by the local server.

   This configuration confirms that the packets sent to remote servers
   convey the HOST_ID TCP options.

5.4.  Top Site List

   The Alexa top sites list has been used to conduct the HTTP tests.
   The anonymous FTP sites list from ftp-sites.org has been used to
   conduct the FTP tests.

6.  Experimentation Results

6.1.  HTTP Experimentation Results

   Various combinations of the HOST_ID TCP options have been tested:

   1.  HOST_ID_WING

       HOST_ID_WING has also been adapted to include 32-bit and 64-bit
       values.  No particular impact on session establishment has been
       observed.

   2.  HOST_ID_BOUCADAIR (source port)

   3.  HOST_ID_BOUCADAIR (IPv4 address)

   4.  HOST_ID_BOUCADAIR (source port:IPv4 address)

   5.  HOST_ID_BOUCADAIR (IPv6 Prefix)

   Both the success ratio and the average time to establish the TCP
   session are reported below.

   The results show that the success ratio for establishing a TCP
   connection with legacy servers is almost the same for all the HOST_ID
   options (Figure 10, Figure 11 and Figure 12).
            +-----------+-----------+--------------+
            | NO_OPTION |   WING    | Failure Ratio|
   ---------+-----------+-----------+--------------+
   Top10    |100,00000% |100,00000% |   0,00000%   |
   Top100   |100,00000% |100,00000% |   0,00000%   |
   Top200   |100,00000% |100,00000% |   0,00000%   |
   Top300   | 99,66667% | 99,66667% |   0,00000%   |
   Top400   | 99,50000% | 99,50000% |   0,00000%   |
   Top500   | 99,40000% | 99,40000% |   0,00000%   |
   Top600   | 99,33333% | 99,33333% |   0,00000%   |
   Top700   | 99,42857% | 99,42857% |   0,00000%   |
   Top800   | 99,37500% | 99,37500% |   0,00000%   |
   Top900   | 99,33333% | 99,33333% |   0,00000%   |
   Top1000  | 99,40000% | 99,40000% |   0,00000%   |
   Top2000  | 99,25000% | 99,20000% |   0,05000%   |
   Top3000  | 99,13333% | 99,10000% |   0,03333%   |
   Top4000  | 99,10000% | 99,05000% |   0,05000%   |
   Top5000  | 99,08000% | 99,04000% |   0,04000%   |
   Top6000  | 99,18333% | 99,15000% |   0,03333%   |
   Top7000  | 99,21429% | 99,15714% |   0,05714%   |
   Top8000  | 99,11250% | 99,05000% |   0,06250%   |
   Top9000  | 99,11111% | 99,05556% |   0,05556%   |
   Top10000 | 99,12000% | 99,07000% |   0,05000%   |
   ---------+-----------+-----------+--------------+

           Figure 10: Cumulated Success Ratio (HOST_ID_WING)

             +------+-------+--------------+
             | NOP  | WING  | Failure Ratio|
   ----------+------+-------+--------------+
   1-100     | 100% | 100%  |    0,00%     |
   101-200   | 100% | 100%  |    0,00%     |
   201-300   | 100% | 100%  |    0,00%     |
   301-400   |  99% |  99%  |    0,00%     |
   401-500   | 100% | 100%  |    0,00%     |
   501-600   | 100% | 100%  |    0,00%     |
   601-700   | 100% | 100%  |    0,00%     |
   701-800   |  99% |  99%  |    0,00%     |
   801-900   |  99% |  99%  |    0,00%     |
   901-1000  | 100% | 100%  |    0,00%     |
   0-1000    |99,4% | 99,4% |    0,00%     |
   1001-2000 |99,1% | 99,0% |    0,10%     |
   2001-3000 |98,9% | 98,9% |    0,00%     |
   3001-4000 |99,0% | 98,9% |    0,10%     |
   4001-5000 |99,0% | 99,0% |    0,00%     |
   5001-6000 |99,7% | 99,7% |    0,00%     |
   6001-7000 |99,4% | 99,2% |    0,20%     |
   7001-8000 |98,4% | 98,3% |    0,10%     |
   8001-9000 |99,1% | 99,1% |    0,00%     |
   9001-10000|99,3% | 99,3% |    0,00%     |
   ----------+------+-------+--------------+

            Figure 11: TopX000 Success Ratio (HOST_ID_WING)

             +------+-------+--------------+
             | NOP  |  OB   | Failure Ratio|
   ----------+------+-------+--------------+
   1-100     | 100% | 100%  |    0,00%     |
   101-200   | 100% | 100%  |    0,00%     |
   201-300   | 100% | 100%  |    0,00%     |
   301-400   |  99% |  99%  |    0,00%     |
   401-500   | 100% | 100%  |    0,00%     |
   501-600   | 100% | 100%  |    0,00%     |
   601-700   | 100% | 100%  |    0,00%     |
   701-800   |  99% |  99%  |    0,00%     |
   801-900   |  99% |  99%  |    0,00%     |
   901-1000  | 100% | 100%  |    0,00%     |
   0-1000    |99,4% | 99,4% |    0,00%     |
   1001-2000 |99,1% | 99,0% |    0,10%     |
   2001-3000 |98,9% | 98,9% |    0,00%     |
   3001-4000 |99,0% | 98,9% |    0,10%     |
   4001-5000 |99,0% | 99,0% |    0,00%     |
   5001-6000 |99,7% | 99,7% |    0,00%     |
   6001-7000 |99,4% | 99,2% |    0,20%     |
   7001-8000 |98,4% | 98,3% |    0,10%     |
   8001-9000 |99,1% | 99,0% |    0,10%     |
   9001-10000|99,3% | 99,3% |    0,00%     |
   ----------+------+-------+--------------+

         Figure 12: TopX000 Success Ratio (HOST_ID_BOUCADAIR)

               +------+-----------+---------------+
               | NOP  | OPT_WING  | OPT_BOUCADAIR |
   ------------+------+-----------+---------------+
   Timeout     |  44  |    48     |      49       |
   ------------+------+-----------+---------------+
   DNS Failure |  26  |    26     |      26       |
   ------------+------+-----------+---------------+

                    Figure 13: Failure Distribution

   The above tables (Figure 10, Figure 11 and Figure 12) show that only
   very few servers are impacted by the injection of the HOST_ID option.
   For the top10000, the main cause of failure is DNS (see Figure 13).

   For the Top10000 websites, 5 servers do not reply when a HOST_ID TCP
   option is included:

      www.barclays.co.uk
      www.carrefour.fr
      www.morguefile.com
      www.gamespress.com
      www.mymovies.it

   When HOST_ID_BOUCADAIR is used, an additional server does not reply:

      www.lawyers.com

   These results show that including a HOST_ID TCP option does not
   systematically imply an extra delay for the establishment of the TCP
   session.  Based upon the average of the session establishment with
   the top10000 sites, the following results have been obtained:

   o  delay(HOST_ID_WING) < delay(NO_OPTION): 47,85 %

   o  delay(HOST_ID_BOUCADAIR (source port:IPv4 address)) <
      delay(NO_OPTION): 47,06 %

   o  delay(HOST_ID_BOUCADAIR (source port)) < delay(NO_OPTION): 54,9 %

6.1.1.  Proxy

   When an HTTP proxy is in the path, the injection of the HOST_ID TCP
   option does not impact the success ratio.  This is because the HTTP
   proxy strips the HOST_ID TCP options; these options are not leaked to
   remote Internet servers.

6.1.2.  Anomalies

   Tests have been conducted from hosts:

   1.  Connected to two commercial ISP networks (using two CPEs, each
       connected to an ISP network)

   2.  Connected to an enterprise network

   3.  In a lab behind a firewall

   The results for HOST_ID_WING for all three configurations are the
   same as in Section 6.  Surprisingly, the results obtained for
   HOST_ID_BOUCADAIR are not the same.  Indeed, configurations (1) and
   (2) lead to the results documented in Section 6, but failures have
   been observed for configuration (3).  Figure 14 and Figure 15 show
   the observed results.  Note that failures are encountered for the
   same set of servers.

           +-----------+-----------+--------------+
           |    NOB    |    OB     | Failure Ratio|
   --------+-----------+-----------+--------------+
   Top10   |100,00000% |100,00000% |   0,00000%   |
   Top100  |100,00000% |100,00000% |   0,00000%   |
   Top200  |100,00000% |100,00000% |   0,00000%   |
   Top300  |100,00000% | 99,66667% |   0,33333%   |
   Top400  | 99,75000% | 99,00000% |   0,75000%   |
   Top500  | 99,80000% | 99,00000% |   0,80000%   |
   Top600  | 99,83333% | 98,66667% |   1,16667%   |
   Top700  | 99,85714% | 98,14286% |   1,71429%   |
   Top800  | 99,75000% | 98,00000% |   1,75000%   |
   Top900  | 99,66667% | 97,33333% |   2,33333%   |
   Top1000 | 99,70000% | 97,10000% |   2,60000%   |
   --------+-----------+-----------+--------------+

                  Figure 14: Cumulated success ratio

           +------+-------+--------------+
           | NOB  |HOST_ID| Failure Ratio|
   --------+------+-------+--------------+
   1-100   | 100% | 100%  |    0,00%     |
   101-200 | 100% | 100%  |    0,00%     |
   201-300 | 100% |  99%  |    1,00%     |
   301-400 |  99% |  97%  |    2,00%     |
   401-500 | 100% |  99%  |    1,00%     |
   501-600 | 100% |  97%  |    3,00%     |
   601-700 | 100% |  95%  |    5,00%     |
   701-800 |  99% |  97%  |    2,00%     |
   801-900 |  99% |  92%  |    7,00%     |
   901-1000| 100% |  95%  |    5,00%     |
   --------+------+-------+--------------+
   Total   | 997  |  971  |    2,60%     |
   --------+------+-------+--------------+

                   Figure 15: TopX00 Success Ratio

   After investigation, it has been concluded that the failure cause is
   the padding bits (Section 3.2).  Indeed, if the padding is encoded as
   a prefix, failures are observed.  These failures are not observed
   when the padding bits are encoded as a suffix.

   The main conclusion of this testing is that 2,6% of the servers which
   do not support the HOST_ID TCP option proceed to some parsing
   validation.
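   As an added example (not the authors' kernel code), the following
   user-space Python encoder and decoder covers the option formats of
   Section 3.2 (Figures 1, 3 and 4) and reproduces the padding placement
   behind the failures above: HOST_ID data zero-padded as a suffix
   decodes correctly, while the same data padded as a prefix is misread
   by a receiver that parses the field from its start.  The option kind
   values, the 8-byte field assumed for the IPv6 prefix (Figure 3 only
   shows Length=10), and the sample addresses and ports are assumptions
   constructed for the example.

```python
import socket
import struct

# Kinds are "TBD" in the draft; these placeholders are constructed for the
# example only.  Origin values are those of Section 3.2.
KIND_WING, KIND_BOUCADAIR, KIND_ENABLED = 0xFD, 0xFE, 0xFC
ORIGIN_PORT, ORIGIN_IPV4, ORIGIN_PORT_IPV4, ORIGIN_IPV6_PREFIX = 0, 1, 2, 3


def encode_host_id_wing(user_id):
    """Figure 1: Kind, Length=4, 16-bit USER_ID data."""
    return struct.pack("!BBH", KIND_WING, 4, user_id)


def encode_host_id_enabled():
    """Figure 4: Kind, Length=2; carried in the SYN of the ACK mode."""
    return struct.pack("!BB", KIND_ENABLED, 2)


def _host_id_data(origin, port=None, ipv4=None, ipv6=None):
    """Raw HOST_ID bytes plus the data-field size for an Origin value."""
    if origin == ORIGIN_PORT:
        return struct.pack("!H", port), 6
    if origin == ORIGIN_IPV4:
        return socket.inet_pton(socket.AF_INET, ipv4), 6
    if origin == ORIGIN_PORT_IPV4:
        return struct.pack("!H", port) + socket.inet_pton(socket.AF_INET, ipv4), 6
    if origin == ORIGIN_IPV6_PREFIX:  # first 64 bits (Section 4); 8-byte field assumed
        return socket.inet_pton(socket.AF_INET6, ipv6)[:8], 8
    raise ValueError("unsupported Origin %r" % origin)


def encode_host_id_boucadair(lifetime, origin, pad_prefix=False, **src):
    """Figure 3: Kind, Length, L, O, then HOST_ID data zero-padded to the field.
    A 6-byte field gives Figure 3's Length=10 for Origin 0..2; pad_prefix=True
    places the padding before the data, the variant that failed in 6.1.2."""
    data, field_len = _host_id_data(origin, **src)
    pad = b"\x00" * (field_len - len(data))
    body = pad + data if pad_prefix else data + pad
    return struct.pack("!BBBB", KIND_BOUCADAIR, 4 + len(body), lifetime, origin) + body


def parse_tcp_options(opts):
    """Walk a TCP options block: EOL (0), NOP (1), otherwise kind/length/value."""
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of Option List
            break
        if kind == 1:  # No-Operation
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        length = opts[i + 1]
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found


def decode_host_id_boucadair(value):
    """Read L, O and the HOST_ID from the start of the data field.
    Correct with suffix padding; with prefix padding the zero pad is read as
    data, so a receiver checking the field sees a wrong value (Section 6.1.2)."""
    lifetime, origin, data = value[0], value[1], value[2:]
    if origin == ORIGIN_PORT:
        host_id = struct.unpack("!H", data[:2])[0]
    elif origin == ORIGIN_IPV4:
        host_id = socket.inet_ntop(socket.AF_INET, data[:4])
    elif origin == ORIGIN_PORT_IPV4:
        host_id = (struct.unpack("!H", data[:2])[0],
                   socket.inet_ntop(socket.AF_INET, data[2:6]))
    elif origin == ORIGIN_IPV6_PREFIX:
        host_id = socket.inet_ntop(socket.AF_INET6, data[:8] + b"\x00" * 8)
    else:
        host_id = data  # Origin > 3: no particular semantic
    return lifetime, origin, host_id


def host_ids_in(opts):
    """Decode every HOST_ID option found in a SYN's option block."""
    out = {}
    for kind, value in parse_tcp_options(opts):
        if kind == KIND_WING:
            out["wing"] = struct.unpack("!H", value)[0]
        elif kind == KIND_BOUCADAIR:
            out["boucadair"] = decode_host_id_boucadair(value)
        elif kind == KIND_ENABLED:
            out["enabled"] = True
    return out
```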
6.1.3.  CPEs Behaviour

   Tests have also been conducted behind two branded CPEs connected to
   distinct ISP networks.  The main conclusions of these tests are:

   1.  One commercial CPE discards all connections when the
       HOST_ID_BOUCADAIR option is conveyed.  This CPE proceeds to some
       parsing function before relaying TCP packets to the Internet.

   2.  For the second CPE, the same results (for the first top1000) as
       in Section 6.1 have been obtained even with the padding encoded
       as a suffix.

   3.  After modifying the implementation (Section 4), the same results
       (for the first top1000) as in Section 6.1 have been obtained for
       both branded CPEs.

6.2.  FTP

   Various combinations of the HOST_ID TCP options have been tested:

   1.  HOST_ID_WING

   2.  HOST_ID_BOUCADAIR (source port)

   3.  HOST_ID_BOUCADAIR (source port:IPv4 address)

   A list of 5591 FTP servers has been used to conduct these tests.
   Among this list, only 2050 were reachable:

   o  Failure to reach 937 FTP servers due to connection timeout.

   o  Failure to reach 1286 FTP servers due to DNS errors.

   o  Failure to reach 717 FTP servers because access was denied.

   o  Could not connect to 500 FTP servers.

   o  Etc.

   5 errors (connection timeout) are experienced when reaching these
   2050 FTP servers, both with and without HOST_ID TCP options.  When
   HOST_ID TCP options are injected, 9 additional errors (connection
   timeout) are observed.  Figure 16 and Figure 17 provide more data
   about the error distribution.

            +-----------+-----------+--------------+
            |    NOB    |  HOST_ID  | Failure Ratio|
   ---------+-----------+-----------+--------------+
   1-100    |   100%    |   100%    |   0,00000%   |
   101-200  |   100%    |    99%    |   1,00000%   |
   201-300  |   100%    |    99%    |   1,00000%   |
   301-400  |    99%    |    99%    |   0,00000%   |
   401-500  |   100%    |   100%    |   0,00000%   |
   501-600  |   100%    |   100%    |   0,00000%   |
   601-700  |    99%    |    99%    |   0,00000%   |
   701-800  |   100%    |   100%    |   0,00000%   |
   801-900  |   100%    |    99%    |   1,00000%   |
   901-1000 |   100%    |    99%    |   1,00000%   |
   1001-2000|   99,7%   |   99,2%   |   0,50000%   |
   2000-2050|   100%    |   100%    |   0,00000%   |
   ---------+-----------+-----------+--------------+

               Figure 16: Cumulated Success Ratio (FTP)

             +-----------+-----------+--------------+
             |    NOB    |  HOST_ID  | Failure Ratio|
   ----------+-----------+-----------+--------------+
   first 10  | 100,0000% |100,00000% |   0,00000%   |
   first 100 | 100,0000% |100,00000% |   0,00000%   |
   first 200 | 100,0000% | 99,50000% |   0,50000%   |
   first 300 | 100,0000% | 99,33333% |   0,66667%   |
   first 400 | 99,75000% | 99,25000% |   0,50000%   |
   first 500 | 99,80000% | 99,40000% |   0,40000%   |
   first 600 | 99,83333% | 99,50000% |   0,33333%   |
   first 700 | 99,71429% | 99,42857% |   0,28571%   |
   first 800 | 99,75000% | 99,50000% |   0,25000%   |
   first 900 | 99,77778% | 99,44444% |   0,33333%   |
   first 1000| 99,80000% | 99,40000% |   0,40000%   |
   first 2000| 99,75000% | 99,30000% |   0,45000%   |
   first 2050| 99,75610% | 99,31707% |   0,43902%   |
   ----------+-----------+-----------+--------------+

                   Figure 17: FirstXXX FTP Servers

   The results show that including a HOST_ID TCP option does not
   systematically imply an extra delay for the establishment of the TCP
   session with remote FTP servers.  Based upon the average of the
   session establishment with the top10000 sites, the following results
   have been obtained:

   o  delay(HOST_ID_WING) < delay(NO_OPTION): 48,43902 %

   o  delay(HOST_ID_BOUCADAIR (source port:IPv4 address)) <
      delay(NO_OPTION): 47,41463 %

   o  delay(HOST_ID_BOUCADAIR (source port)) < delay(NO_OPTION):
      48,43902 %

6.3.  SSH

   The secure shell service has been tested between a host and an SSH
   server located in the same network.  SSH connections have been
   successfully established with the server for all the HOST_ID TCP
   options.

6.4.  Telnet

   Telnet sessions have been successfully initiated for all HOST_ID TCP
   options with a server (the CGN used in Figure 9).

7.  Next Steps

   o  Support the HOST_ID injection in ACK mode

   o  Support TCP option injection by the CGN and drive the appropriate
      testing to conclude about the impact of using these options on
      the CGN performance

   o  Update the iptables module to enforce policies based upon the
      content of the HOST_ID TCP option

   o  Test for the top 1 million websites

8.  IANA Considerations

   This document makes no request of IANA.

9.  Security Considerations

   The security considerations discussed in [I-D.wing-nat-reveal-option]
   should be taken into account.

10.  Acknowledgments

   Many thanks to M. Meulle, P. Ng Tung and L. Valeyre for their help
   and review.  Special thanks to C. Jacquenet for his careful review
   and to D. Wing for providing a pointer to the FTP sites list.

11.  References

11.1.  Normative References

   [I-D.wing-nat-reveal-option]
              Yourtchenko, A. and D. Wing, "Revealing hosts sharing an
              IP address using TCP option",
              draft-wing-nat-reveal-option-02 (work in progress),
              June 2011.

   [RFC6250]  Thaler, D., "Evolution of the IP Model", RFC 6250,
              May 2011.

11.2.  Informative References

   [I-D.boucadair-intarea-nat-reveal-analysis]
              Boucadair, M., Touch, J., Levis, P., and R. Penno,
              "Analysis of Solution Candidates to Reveal a Host
              Identifier in Shared Address Deployments",
              draft-boucadair-intarea-nat-reveal-analysis-04 (work in
              progress), September 2011.

   [I-D.petersson-forwarded-for]
              Petersson, A. and M. Nilsson, "Forwarded HTTP Extension",
              draft-petersson-forwarded-for-01 (work in progress),
              October 2011.

   [RFC6269]  Ford, M., Boucadair, M., Durand, A., Levis, P., and
              P. Roberts, "Issues with IP Address Sharing", RFC 6269,
              June 2011.

Authors' Addresses

   Elie Abdo
   France Telecom
   Issy Les Moulineaux

   Email: elie.abdo@orange.com


   Mohamed Boucadair
   France Telecom

   Email: mohamed.boucadair@orange.com


   Jaqueline Queiroz
   France Telecom
   Issy Les Moulineaux

   Email: jaqueline.queiroz@orange.com