Hi Ian,

Agree and understand why the CE is not always managed by the provider. I suggested 
this as I have heard that there is a provider out there that was using MAP-T 
for public WiFi and who had full management access to the CE. Without managing 
the CE there is no way to differentiate devices (other than attempting to fingerprint, 
which is not likely to result in the desired source IP/port) behind a NAPT 
device without some additional layer on a per-client-device basis.

Quick answers to your questions:
Would the pre-BR device still identify flows, just at a different offset within 
the header?
Yes, the pre-BR device(s)' Netflow data will have the applicable src/dst port information 
and src/dst IPv4 information embedded within the IPv6 addresses. You are just 
using plain old IPv6 Netflow data and extracting the IPv4 addresses from the MAP-T 
bit offsets within the IPv6 address.

Would the metadata conversion take place on the same device?
This should occur as an augment to the SP's existing Netflow collection 
infrastructure. I see no reason to add these use cases to generic SP routing 
infrastructure.

I would like to clarify a couple of items regarding my Netflow suggestion.  
First, I am suggesting Netflow as it is typically already in use in most 
service provider networks and could be leveraged without significant 
investment.  Netflow records are processed off the device as the provider is 
probably already doing this with their existing Netflow collector.

Another approach would be to take the Netflow records north of the BR in pure 
IPv4 form. There is no conversion required here to obtain the source IPv4/port 
and destination IPv4/port. Tying it to the subscriber requires a little 
more work, using the mapping rules to derive the originating subscriber by their 
IPv6 prefix allocations. The drawback to this approach is that you could 
possibly miss some peer-to-peer traffic in the case where the BR is hairpinning 
all traffic (no FMRs). The benefit of this approach is that it supports a MAP-E 
implementation, whereas the pre-BR approach does not.

Both approaches will get you all the source/destination address and port 
metadata as well as the IPv6 unique identifier for the subscriber.  What you 
don’t get is any visibility to the addressing/port utilization for each 
subscriber device residing behind their gateway.

A while back I hacked together (not the prettiest Python) some tools in Python3 
that can do all the described bit manipulations 
(https://github.com/ejordangottlieb/pyswmap). I have examples that demonstrate 
some of what I have described for extracting and doing some of the MAP 
calculations.

Thanks,

Jordan
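The two extractions Jordan describes (IPv4 source and PSID from the MAP bit offsets, IPv4 destination from the DMR) as an added Python example; this is not part of the thread and is not code from pyswmap. The BMR and CE address are the RFC 7597 Appendix A values, the DMR prefixes and destination are constructed for the example, and the interface-ID consistency check is an added sanity check for malformed flow records.

```python
# Derive MAP-T/MAP-E IPv4 metadata from IPv6 flow-record addresses (RFC 7597 address
# format and PSID port set; RFC 6052 IPv4 embedding for the DMR). Added example, not pyswmap.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class BMR:
    ipv6_prefix: str  # Rule IPv6 prefix, e.g. "2001:db8::/40"
    ipv4_prefix: str  # Rule IPv4 prefix, e.g. "192.0.2.0/24"
    ea_len: int       # EA-bits length (o)

def decode_bmr(src_v6: str, rule: BMR) -> dict:
    """IPv4 address, PSID and PSID length from a MAP IPv6 source address."""
    v6 = int(ipaddress.IPv6Address(src_v6))
    p6 = ipaddress.IPv6Network(rule.ipv6_prefix)
    p4 = ipaddress.IPv4Network(rule.ipv4_prefix)
    n, p = p6.prefixlen, 32 - p4.prefixlen   # EA-bits offset, IPv4 suffix bits
    k = rule.ea_len - p                       # PSID length (q)
    if not 0 <= k <= 16 or ipaddress.IPv6Address(v6) not in p6:
        raise ValueError("address not covered by this rule")
    ea = (v6 >> (128 - n - rule.ea_len)) & ((1 << rule.ea_len) - 1)
    ipv4 = int(p4.network_address) | (ea >> k)
    psid = ea & ((1 << k) - 1)
    # RFC 7597 s6: interface ID = 16 zero bits | IPv4 | PSID (16 bits); the two
    # copies must agree, otherwise the record carries a malformed/forged address.
    if ((v6 >> 16) & 0xFFFFFFFF, v6 & 0xFFFF) != (ipv4, psid):
        raise ValueError("interface ID disagrees with EA bits")
    return {"ipv4": str(ipaddress.IPv4Address(ipv4)), "psid": psid, "psid_len": k}

def port_in_psid(port: int, psid: int, k: int, a: int = 6) -> bool:
    """True if a TCP/UDP port lies in the PSID's port set (RFC 7597 s5.1)."""
    if a and (port >> (16 - a)) == 0:   # A bits == 0 (ports 0-1023 for a=6) are excluded
        return False
    return ((port >> (16 - a - k)) & ((1 << k) - 1)) == psid

def decode_dmr(dst_v6: str, dmr_prefix: str) -> str:
    """IPv4 destination embedded after the DMR prefix (RFC 6052 layout)."""
    net = ipaddress.IPv6Network(dmr_prefix)
    if net.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("not an RFC 6052 prefix length")
    raw, picked, i = ipaddress.IPv6Address(dst_v6).packed, [], net.prefixlen // 8
    while len(picked) < 4:
        if i != 8:                      # bits 64-71 are the reserved 'u' octet
            picked.append(raw[i])
        i += 1
    return str(ipaddress.IPv4Address(bytes(picked)))

if __name__ == "__main__":
    rule = BMR("2001:db8::/40", "192.0.2.0/24", 16)   # RFC 7597 Appendix A values
    print(decode_bmr("2001:db8:12:3400:0:c000:212:34", rule), decode_dmr("64:ff9b::c633:6407", "64:ff9b::/96"))
```

With the Appendix A rule the CE address decodes to 192.0.2.18 / PSID 0x34, whose port set begins 1232-1235, 2256-2259, so a flow record showing that source with port 1236 fails the port check.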

From: [email protected] [mailto:[email protected]]
Sent: Friday, May 11, 2018 2:28 AM
To: Gottlieb, Jordan J
Cc: [email protected]; Rajiv Asati (rajiva); 
[email protected]; [email protected]; [email protected]; 
[email protected]
Subject: Re: [Softwires] ISP CGN logging inc. Destination ??

Hi Jordan,

Please see inline below.

Thanks,
Ian


On 9. May 2018, at 21:38, Gottlieb, Jordan J <[email protected]> wrote:

If I understand this correctly it appears that requirement #1 would dictate the 
capability must be deployed on the CE.  The way I read it you are attempting to 
retain the pre-NAPT client address and port.  For the particular use case, is 
the CPE managed by the service provider?  If so, why not originate the logging 
from the CPE as it has the necessary visibility and state maintenance to meet 
all the requirements?

[if – This is a possibility in some networks, but in many countries (most of 
Europe AFAIK), SPs must allow customers to attach their own equipment so this 
can't be considered a secure device for meeting data retention regulations.]

There was also a comment in this thread regarding UDP and session completion.  
I don’t think this is practical on the BR as support for asymmetrical routing 
could result in incomplete session information on a particular BR (you would 
have to piece it together) as exit transit BR could be different from the 
return transit BR.  The only device with a complete view of the flow is the CE 
in this case as well.

[if – I agree that the collection is complicated if you have multiple BRs, but 
as stated above, I don’t see the CE being a viable solution for many 
deployments.]

Assuming CPE is not an option, MAP-T, and that requirement #1 is not the 
privately addressed customer endpoint (laptop, tablet, smartphone, etc.), one 
could use Netflow pre-BR (IPv6) and some simple program to convert to the 
required metadata. Destination address is trivial as it is a fixed set of bits 
within the DMR(s). Source address is not hard as long as the conversion 
program has an accurate list of active mapping rules. Obviously sampling rate 
comes into play, but I believe we have the same issue with IPFIX.

[if - I’m not sure I follow this proposal. Would the pre-BR device still 
identify flows, just at a different offset within the header? Would the 
metadata conversion take place on the same device?]
Cheers,

Jordan

From: Softwires [mailto:[email protected]] On Behalf Of [email protected]
Sent: Wednesday, May 09, 2018 1:31 AM
To: Rajiv Asati (rajiva); [email protected]; [email protected]
Cc: [email protected]; [email protected]
Subject: Re: [Softwires] ISP CGN logging inc. Destination ??

Hi Rajiv,

What concerns me with this requirement is that it nullifies one of the 
motivations for stateless address sharing:
https://tools.ietf.org/html/draft-ietf-softwire-stateless-4v6-motivation-05#section-3.1.3 
(Logging - No Need for Dynamic Binding Notifications)

especially, this part:

   Some Service Providers have a requirement to use only existing
   logging systems and to avoid introducing new ones (mainly because of
   Capital Expenditure (CAPEX) considerations).  This requirement is
   easily met with stateless solutions.

Cheers,
Med

From: Softwires [mailto:[email protected]] On Behalf Of Rajiv Asati (rajiva)
Sent: Tuesday, May 8, 2018 23:43
To: [email protected]; [email protected]
Cc: [email protected]; [email protected]
Subject: Re: [Softwires] [EXTERNAL] Re: ISP CGN logging inc. Destination ??

Agree with Ramesh. DHCP(v6) helps with logging source IP assignment, but that’s 
it.

The requirement here is about keeping track of not only source IP+port, but 
also destination IP+port per connection. DHCP(v6) doesn’t apply here.

--
Cheers,
Rajiv

From: "[email protected]" <[email protected]>
Date: Tuesday, May 8, 2018 at 1:15 AM
To: "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>, Rajiv Asati <[email protected]>, 
Softwires-wg list <[email protected]>, "[email protected]" <[email protected]>
Subject: RE: [EXTERNAL] Re: [Softwires] ISP CGN logging inc. Destination ??

Not really. Need IPv4 because the destination IP is on IPv4.

Regds
ramesh chandra
M#: +91 90829 61303
O#: +91 22 7965 9762

-----Original Message-----
From: Lee, Yiu [mailto:[email protected]]
Sent: 07 May 2018 16:46
To: Ramesh R Chandra
Cc: [email protected]; [email protected]; [email protected]; [email protected]
Subject: Re: [EXTERNAL] Re: [Softwires] ISP CGN logging inc. Destination ??

Just a quick thought. Will the dhcpv6 logs help?

Sent from mobile device, pardon possible typo.

On May 7, 2018, at 7:06 AM, "[email protected]" <[email protected]> wrote:

Dear Ian, thanks for clarifications.
The regulator in India mandated preserving the following details for each flow:
1. Source IP + Port (private for end subscriber device)
2. Destination IP + Port (public)
3. Translated IP + port (public)
4. Date and time
This is a no-brainer and all this is available in NAT44. MAP being stateless, no 
such data is available from the MAP-BR. We are exploring an alternate option on the BR to 
create this data in MAP.
Pls advise.
Regds
ramesh
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: 04 May 2018 17:28
To: Rajiv Asati (rajiva)
Cc: Softwires-wg list; [email protected]; Ramesh R Chandra
Subject: Re: [Softwires] ISP CGN logging inc. Destination ??
Hi Rajiv,
Please see inline.
Cheers,
Ian
On 4. May 2018, at 12:01, Rajiv Asati (rajiva) <[email protected]> wrote:
Ian,
Thanks for sharing the URL. While not explicit, “all metadata” would include 
both source and destination A+P. Is that the right interpretation?
[if - My understanding is that per-flow logging is necessary to meet
the requirement, but I’m not familiar enough with the legislation to
know what exactly needs to be stored.]
If an ISP were to use "binding" mode on the BR, then without using 
Netflow/IPFIX, how could the compliance be achieved?
[if - If there’s address sharing and the requirement is to provide an exact 
match to a data retention request (in some countries, a list of e.g. 16 users 
is OK), then AFAICS, you have to use IPFIX.
The implementation problem for this is compounded by the lack of state
table on most BR implementations (e.g. how do you know when a UDP
session has completed without state for that flow?)]
_______________________________________________
Softwires mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/softwires

