rfc9693.original   rfc9693.txt 
Benchmarking Methodology Working Group G. Lencse Internet Engineering Task Force (IETF) G. Lencse
Internet-Draft Széchenyi István University Request for Comments: 9693 Széchenyi István University
Intended status: Informational K. Shima Category: Informational K. Shima
Expires: 18 December 2024 SoftBank Corp. ISSN: 2070-1721 SoftBank Corp.
16 June 2024 January 2025
Benchmarking Methodology for Stateful NATxy Gateways using RFC 4814 Benchmarking Methodology for Stateful NATxy Gateways
Pseudorandom Port Numbers
draft-ietf-bmwg-benchmarking-stateful-09
Abstract Abstract
RFC 2544 has defined a benchmarking methodology for network RFC 2544 defines a benchmarking methodology for network interconnect
interconnect devices. RFC 5180 addressed IPv6 specificities and it devices. RFC 5180 addresses IPv6 specificities, and it also provides
also provided a technology update but excluded IPv6 transition a technology update but excludes IPv6 transition technologies. RFC
technologies. RFC 8219 addressed IPv6 transition technologies, 8219 addresses IPv6 transition technologies, including stateful
including stateful NAT64. However, none of them discussed how to NAT64. However, none of them discuss how to apply pseudorandom port
apply RFC 4814 pseudorandom port numbers to any stateful NATxy numbers from RFC 4814 to any stateful NATxy (such as NAT44, NAT64,
(NAT44, NAT64, NAT66) technologies. This document discusses why and NAT66) technologies. This document discusses why using
using pseudorandom port numbers with stateful NATxy gateways is a pseudorandom port numbers with stateful NATxy gateways is a difficult
difficult problem. It recommends a solution limiting the port number problem. It recommends a solution that limits the port number ranges
ranges and using two test phases (phase 1 and phase 2). It is shown and uses two test phases (phase 1 and phase 2). This document shows
how the classic performance measurement procedures (e.g. throughput, how the classic performance measurement procedures (e.g., throughput,
frame loss rate, latency, etc.) can be carried out. New performance frame loss rate, latency, etc.) can be carried out. New performance
metrics and measurement procedures are also defined for measuring metrics and measurement procedures are also defined for measuring the
maximum connection establishment rate, connection tear-down rate, and maximum connection establishment rate, connection tear-down rate, and
connection tracking table capacity. connection tracking table capacity.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are candidates for any level of Internet
Standard; see Section 2 of RFC 7841.
This Internet-Draft will expire on 18 December 2024. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9693.
Copyright Notice Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language
2. Pseudorandom Port Numbers and Stateful Translation . . . . . 4 2. Pseudorandom Port Numbers and Stateful Translation
3. Test Setup and Terminology . . . . . . . . . . . . . . . . . 4 3. Test Setup and Terminology
3.1. When Testing with a Single IP Address Pair . . . . . . . 5 3.1. When Testing with a Single IP Address Pair
3.2. When Testing with Multiple IP Addresses . . . . . . . . . 7 3.2. When Testing with Multiple IP Addresses
4. Recommended Benchmarking Method . . . . . . . . . . . . . . . 9 4. Recommended Benchmarking Method
4.1. Restricted Number of Network Flows . . . . . . . . . . . 9 4.1. Restricted Number of Network Flows
4.2. Test Phase 1 . . . . . . . . . . . . . . . . . . . . . . 10 4.2. Test Phase 1
4.3. Consideration of the Cases of Stateful Operation . . . . 10 4.3. Consideration of the Cases of Stateful Operation
4.4. Control of the Connection Tracking Table Entries . . . . 11 4.4. Control of the Connection Tracking Table Entries
4.5. Measurement of the Maximum Connection Establishment 4.5. Measurement of the Maximum Connection Establishment Rate
Rate . . . . . . . . . . . . . . . . . . . . . . . . . . 13 4.6. Validation of Connection Establishment
4.6. Validation of Connection Establishment . . . . . . . . . 13 4.7. Test Phase 2
4.7. Test Phase 2 . . . . . . . . . . . . . . . . . . . . . . 14 4.8. Measurement of the Connection Tear-Down Rate
4.8. Measurement of the Connection Tear-down Rate . . . . . . 15 4.9. Measurement of the Connection Tracking Table Capacity
4.9. Measurement of the Connection Tracking Table Capacity . . 15 4.10. Writing and Reading Order of the State Table
4.10. Writing and Reading Order of the State Table . . . . . . 21 5. Scalability Measurements
5. Scalability Measurements . . . . . . . . . . . . . . . . . . 21 5.1. Scalability Against the Number of Network Flows
5.1. Scalability Against the Number of Network Flows . . . . . 21 5.2. Scalability Against the Number of CPU Cores
5.2. Scalability Against the Number of CPU Cores . . . . . . . 22 6. Reporting Format
6. Reporting Format . . . . . . . . . . . . . . . . . . . . . . 22 7. Implementation and Experience
7. Implementation and Experience . . . . . . . . . . . . . . . . 24 8. Limitations of Using UDP as a Transport Layer Protocol
8. Limitations of using UDP as Transport Layer Protocol . . . . 24 9. IANA Considerations
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 25 10. Security Considerations
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 11. References
11. Security Considerations . . . . . . . . . . . . . . . . . . . 25 11.1. Normative References
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 26 11.2. Informative References
12.1. Normative References . . . . . . . . . . . . . . . . . . 26 Acknowledgements
12.2. Informative References . . . . . . . . . . . . . . . . . 27 Authors' Addresses
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 29
A.1. 00 . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
A.2. 01 . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
A.3. 02 . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
A.4. 03 . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
A.5. 04 . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
A.6. 00 - WG item . . . . . . . . . . . . . . . . . . . . . . 29
A.7. 01 . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
A.8. 02 . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
A.9. 03 . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
A.10. 04 . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
A.11. 05 . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
A.12. 06 . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
A.13. 07 . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction 1. Introduction
[RFC2544] has defined a comprehensive benchmarking methodology for [RFC2544] defines a comprehensive benchmarking methodology for
network interconnect devices, which is still in use. It was mainly network interconnect devices that is still in use. It is mainly
IP version independent, but it used IPv4 in its examples. [RFC5180] independent of IP version, but it uses IPv4 in its examples.
addressed IPv6 specificities and also added technology updates, but [RFC5180] addresses IPv6 specificities and also adds technology
declared IPv6 transition technologies out of its scope. [RFC8219] updates but declares IPv6 transition technologies are out of its
addressed the IPv6 transition technologies, including stateful NAT64. scope. [RFC8219] addresses the IPv6 transition technologies,
It has reused several benchmarking procedures from [RFC2544] (e.g. including stateful NAT64. It reuses several benchmarking procedures
throughput, frame loss rate), it has redefined the latency from [RFC2544] (e.g., throughput, frame loss rate), and it redefines
measurement and added further ones, e.g. the PDV (packet delay the latency measurement and adds further ones (e.g., the Packet Delay
variation) measurement. Variation (PDV) measurement).
However, none of them discussed, how to apply [RFC4814] pseudorandom
port numbers, when benchmarking stateful NATxy (NAT44 (also called
NAPT) [RFC3022], NAT64 [RFC6146], and NAT66) gateways. (It should be
noted that stateful NAT66 is not an IETF specification but refers to
an IPv6 version of the stateful NAT44 specification.) The authors
are not aware of any other RFCs that address this question.
First, it is discussed why using pseudorandom port numbers with However, none of them discuss how to apply pseudorandom port numbers
stateful NATxy gateways is a difficult problem. from [RFC4814] when benchmarking stateful NATxy gateways (such as
NAT44 [RFC3022], NAT64 [RFC6146], and NAT66). (It should be noted
that stateful NAT66 is not an IETF specification but refers to an
IPv6 version of the stateful NAT44 specification.) The authors are
not aware of any other RFCs that address this question.
Then a solution is recommended. First, this document discusses why using pseudorandom port numbers
with stateful NATxy gateways is a difficult problem. Then, a
solution is recommended.
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. Pseudorandom Port Numbers and Stateful Translation 2. Pseudorandom Port Numbers and Stateful Translation
In its appendix, [RFC2544] has defined a frame format for test frames In its appendix, [RFC2544] defines a frame format for test frames,
including specific source and destination port numbers. [RFC4814] including specific source and destination port numbers. [RFC4814]
recommends using pseudorandom and uniformly distributed values for recommends using pseudorandom and uniformly distributed values for
both source and destination port numbers. However, stateful NATxy both source and destination port numbers. However, stateful NATxy
(NAT44, NAT64, NAT66) solutions use the port numbers to identify (such as NAT44, NAT64, and NAT66) solutions use the port numbers to
connections. The usage of pseudorandom port numbers causes different identify connections. The usage of pseudorandom port numbers causes
problems depending on the direction. different problems depending on the direction:
* As for the client-to-server direction, pseudorandom source and * For the client-to-server direction, pseudorandom source and
destination port numbers could be used, however, this approach destination port numbers could be used; however, this approach
would be a denial of service attack against the stateful NATxy would be a denial-of-service attack against the stateful NATxy
gateway, because it would exhaust its connection tracking table gateway, because it would exhaust its connection tracking table
capacity. To that end, let us see some calculations using the capacity. To that end, let us see some calculations using the
recommendations of RFC 4814: recommendations of [RFC4814]:
- The recommended source port range is: 1024-65535, thus its size - The recommended source port range is 1024-65535; thus, its size
is: 64512. is 64512.
- The recommended destination port range is: 1-49151, thus its - The recommended destination port range is 1-49151; thus, its
size is: 49151. size is 49151.
- The number of source and destination port number combinations - The number of source and destination port number combinations
is: 3,170,829,312. is 3,170,829,312.
It should be noted that the usage of different source and It should be noted that the usage of different source and
destination IP addresses further increases the number of destination IP addresses further increases the number of
connection tracking table entries. connection tracking table entries.
* As for the server-to-client direction, the stateful DUT (Device * For the server-to-client direction, the stateful Device Under Test
Under Test) would drop any packets that do not belong to an (DUT) would drop any packets that do not belong to an existing
existing connection, therefore, the direct usage of pseudorandom connection; therefore, the direct usage of pseudorandom port
port numbers from the above-mentioned ranges is not feasible. numbers from the ranges mentioned above is not feasible.
3. Test Setup and Terminology 3. Test Setup and Terminology
Section 12 of [RFC2544] requires testing first using a single Section 12 of [RFC2544] requires testing using a single protocol
protocol source and destination address pair an then also using source and destination address pair first and then also using
multiple protocol addresses. The same approach is followed: first, a multiple protocol addresses. The same approach is followed: first, a
single source and destination IP address pair is used, and then it is single source and destination IP address pair is used, and then it is
explained how to use multiple IP addresses. explained how to use multiple IP addresses.
3.1. When Testing with a Single IP Address Pair 3.1. When Testing with a Single IP Address Pair
The methodology works with any IP versions to benchmark stateful The methodology works with any IP version to benchmark stateful NATxy
NATxy gateways, where x and y are in {4, 6}. To facilitate an easy gateways, where x and y are in {4, 6}. To facilitate an easy
understanding, two typical examples are used: stateful NAT44 and understanding, two typical examples are used: stateful NAT44 and
stateful NAT64. stateful NAT64.
The Test Setup for the well-known stateful NAT44 (also called NAPT: The test setup for the well-known stateful NAT44 (also called Network
Network Address and Port Translation) solution is shown in Figure 1. Address and Port Translation (NAPT)) solution is shown in Figure 1.
Note that the [RFC1918] private IP addresses are used to facilitate Note that the private IP addresses from [RFC1918] are used to
an easy understanding of the example. And the usage of the IP facilitate an easy understanding of the example, and the usage of the
addresses reserved for benchmarking is absolutely legitimate. IP addresses reserved for benchmarking is absolutely legitimate.
+--------------------------------------+ +--------------------------------------+
10.0.0.2 |Initiator Responder| 198.19.0.2 10.0.0.2 |Initiator Responder| 198.19.0.2
+-------------| Tester |<------------+ +-------------| Tester |<------------+
| private IPv4| [state table]| public IPv4 | | private IPv4| [state table]| public IPv4 |
| +--------------------------------------+ | | +--------------------------------------+ |
| | | |
| +--------------------------------------+ | | +--------------------------------------+ |
| 10.0.0.1 | DUT: | 198.19.0.1 | | 10.0.0.1 | DUT: | 198.19.0.1 |
+------------>| Stateful NAT44 gateway |-------------+ +------------>| Stateful NAT44 gateway |-------------+
private IPv4| [connection tracking table] | public IPv4 private IPv4| [connection tracking table] | public IPv4
+--------------------------------------+ +--------------------------------------+
Figure 1: Test setup for benchmarking stateful NAT44 gateways Figure 1: Test Setup for Benchmarking Stateful NAT44 Gateways
The Test Setup for the also widely used stateful NAT64 [RFC6146] The test setup for the stateful NAT64 solution [RFC6146], which is
solution is shown in Figure 2. also widely used, is shown in Figure 2.
+--------------------------------------+ +--------------------------------------+
2001:2::2 |Initiator Responder| 198.19.0.2 2001:2::2 |Initiator Responder| 198.19.0.2
+-------------| Tester |<------------+ +-------------| Tester |<------------+
| IPv6 address| [state table]| IPv4 address| | IPv6 address| [state table]| IPv4 address|
| +--------------------------------------+ | | +--------------------------------------+ |
| | | |
| +--------------------------------------+ | | +--------------------------------------+ |
| 2001:2::1 | DUT: | 198.19.0.1 | | 2001:2::1 | DUT: | 198.19.0.1 |
+------------>| Stateful NAT64 gateway |-------------+ +------------>| Stateful NAT64 gateway |-------------+
IPv6 address| [connection tracking table] | IPv4 address IPv6 address| [connection tracking table] | IPv4 address
+--------------------------------------+ +--------------------------------------+
Figure 2: Test setup for benchmarking stateful NAT64 gateways Figure 2: Test Setup for Benchmarking Stateful NAT64 Gateways
As for transport layer protocol, [RFC2544] recommended testing with As for the transport layer protocol, [RFC2544] recommended testing
UDP, and it was kept also in [RFC8219]. For the general with UDP, and it was also kept in [RFC8219]. UDP is also kept for a
recommendation, UDP is also kept, thus the port numbers in the general recommendation; thus, the port numbers in the following text
following text are to be understood as UDP port numbers. The are to be understood as UDP port numbers. The rationale and
rationale and limitations of this approach are discussed in limitations of this approach are discussed in Section 8.
Section 8.
The most important elements of the proposed benchmarking system are The most important elements of the proposed benchmarking system are
defined as follows. defined as follows:
* Connection: Although UDP itself is a connection-less protocol, Connection: Although UDP itself is a connectionless protocol,
stateful NATxy gateways keep track of their translation mappings stateful NATxy gateways keep track of their translation mappings
in the form of a "connection" also in the case of UDP using the in the form of a "connection" as well as in the case of UDP using
same kind of entries as in the case of TCP. the same kind of entries as in TCP.
* Connection tracking table: The stateful NATxy gateway uses a Connection tracking table: The stateful NATxy gateway uses a
connection tracking table to be able to perform the stateful connection tracking table to be able to perform the stateful
translation in the server to client direction. Its size, policy, translation in the server-to-client direction. Its size, policy,
and content are unknown to the Tester. and content are unknown to the Tester.
* Four tuple: The four numbers that identify a connection are source Four tuple: The four numbers that identify a connection are source
IP address, source port number, destination IP address, IP address, source port number, destination IP address, and
destination port number. destination port number.
* State table: The Responder of the Tester extracts the four tuple State table: The Responder of the Tester extracts the four tuple
from each received test frame and stores it in its state table. from each received test frame and stores it in its state table. A
Recommendation is given for writing and reading order of the state recommendation is given for the writing and reading order of the
table in Section 4.10. state table in Section 4.10.
* Initiator: The port of the Tester that may initiate a connection Initiator: The port of the Tester that may initiate a connection
through the stateful DUT in the client-to-server direction. through the stateful DUT in the client-to-server direction.
Theoretically, it can use any source and destination port numbers Theoretically, it can use any source and destination port numbers
from the ranges recommended by [RFC4814]: if the used four tuple from the ranges recommended by [RFC4814]: if the used four tuple
does not belong to an existing connection, the DUT will register a does not belong to an existing connection, the DUT will register a
new connection into its connection tracking table. new connection into its connection tracking table.
* Responder: The port of the Tester that may not initiate a Responder: The port of the Tester that may not initiate a connection
connection through the stateful DUT in the server-to-client through the stateful DUT in the server-to-client direction. It
direction. It may send only frames that belong to an existing may only send frames that belong to an existing connection. To
connection. To that end, it uses four tuples that have been that end, it uses four tuples that have been previously extracted
previously extracted from the received test frames and stored in from the received test frames and stores in its state table.
its state table.
* Test phase 1: Test frames are sent only by the Initiator to the Test phase 1: The test frames are sent only by the Initiator to the
Responder through the DUT to fill both the connection tracking Responder through the DUT to fill both the connection tracking
table of the DUT and the state table of the Responder. This is a table of the DUT and the state table of the Responder. This is a
newly introduced operation phase for stateful NATxy benchmarking. newly introduced operation phase for stateful NATxy benchmarking.
The necessity of this test phase is explained in Section 4.2. The necessity of this test phase is explained in Section 4.2.
* Test phase 2: The measurement procedures defined by [RFC8219] Test phase 2: The measurement procedures defined by [RFC8219] (e.g.,
(e.g. throughput, latency, etc.) are performed in this test phase throughput, latency, etc.) are performed in this test phase after
after the completion of test phase 1. Test frames are sent as the completion of test phase 1. Test frames are sent as required
required (e.g. bidirectional test or unidirectional test in any of (e.g., a bidirectional test or a unidirectional test in any of the
the two directions). two directions).
One further definition is used in the text of this document: One further definition is used in the text of this document:
* Black box testing: It is a testing approach when the Tester is not Black box testing: A testing approach when the Tester is not aware
aware of the details of the internal structure and operation of of the details of the internal structure and operation of the DUT.
the DUT. It can send input to the DUT and observe the output of It can send input to the DUT and observe the output of the DUT.
the DUT.
3.2. When Testing with Multiple IP Addresses 3.2. When Testing with Multiple IP Addresses
The number of the necessary and available IP addresses are This section considers the number of the necessary and available IP
considered. addresses.
In Figure 1, the single 198.19.0.1 IPv4 address is used on the WAN In Figure 1, the single 198.19.0.1 IPv4 address is used on the WAN
side port of the stateful NAT44 gateway. However, in practice, not a side port of the stateful NAT44 gateway. However, in practice, it is
single IP address, but an IP address range is assigned to the WAN not a single IP address, but rather an IP address range that is
side port of the stateful NAT44 gateways. Its required size depends assigned to the WAN side port of the stateful NAT44 gateways. Its
on the number of client nodes and on the type of the stateful NAT44 required size depends on the number of client nodes and on the type
algorithm. (The traditional algorithm always replaces the source of the stateful NAT44 algorithm. (The traditional algorithm always
port number, when a new connection is established. Thus it requires replaces the source port number when a new connection is established.
a larger range than the extended algorithm, which replaces the source Thus, it requires a larger range than the extended algorithm, which
port number only when it is necessary. Please refer to Table 1 and replaces the source port number only when it is necessary. Please
Table 2 of [LEN2015].) refer to Tables 1 and 2 of [LEN2015].)
When router testing is done, section 12 of [RFC2544] requires testing When router testing is done, Section 12 of [RFC2544] requires testing
first using a single source and destination IP address pair, and then using a single source and destination IP address pair first and then
using destination IP addresses from 256 different networks. The using destination IP addresses from 256 different networks. The
16-23 bits of the 198.18.0.0/24 and 198.19.0.0/24 addresses can be 16-23 bits of the 198.18.0.0/24 and 198.19.0.0/24 addresses can be
used to express the 256 networks. As this document does not deal used to express the 256 networks. As this document does not deal
with router testing, no multiple destination networks are needed, with router testing, no multiple destination networks are needed;
therefore, these bits are available for expressing multiple IP therefore, these bits are available for expressing multiple IP
addresses that belong to the same "/16" network. Moreover, both the addresses that belong to the same "/16" network. Moreover, both the
198.18.0.0/16 and the 198.19.0.0/16 networks can be used on the right 198.18.0.0/16 and the 198.19.0.0/16 networks can be used on the right
side of the test setup as private IP addresses from the 10.0.0.0/16 side of the test setup, as private IP addresses from the 10.0.0.0/16
network are used on its left side. network are used on its left side.
10.0.0.2/16 10.0.255.254/16 198.19.0.0/15 - 198.19.255.254/15 10.0.0.2/16 - 10.0.255.254/16 198.19.0.0/15 - 198.19.255.254/15
\ +--------------------------------------+ / \ +--------------------------------------+ /
\ |Initiator Responder| / \ |Initiator Responder| /
+-------------| Tester |<------------+ +-------------| Tester |<------------+
| private IPv4| [state table]| public IPv4 | | private IPv4| [state table]| public IPv4 |
| +--------------------------------------+ | | +--------------------------------------+ |
| | | |
| +--------------------------------------+ | | +--------------------------------------+ |
| 10.0.0.1/16 | DUT: | public IPv4 | | 10.0.0.1/16 | DUT: | public IPv4 |
+------------>| Stateful NAT44 gateway |-------------+ +------------>| Stateful NAT44 gateway |-------------+
private IPv4| [connection tracking table] | \ private IPv4| [connection tracking table] | \
+--------------------------------------+ \ +--------------------------------------+ \
198.18.0.1/15 - 198.18.255.255/15 198.18.0.1/15 - 198.18.255.255/15
Figure 3: Test setup for benchmarking stateful NAT44 gateways Figure 3: Test Setup for Benchmarking Stateful NAT44 Gateways
using multiple IPv4 addresses Using Multiple IPv4 Addresses
A possible solution for assigning multiple IPv4 addresses is shown in A possible solution for assigning multiple IPv4 addresses is shown in
Figure 3. On the left side, the private IP address range is Figure 3. On the left side, the private IP address range is
abundantly large. (The 16-31 bits were used for generating nearly abundantly large. (The 16-31 bits were used for generating nearly
64k potential different source addresses, but the 8-15 bits are also 64k potential different source addresses, but the 8-15 bits are also
available if needed.) On the right side, the 198.18.0.0./15 network available if needed.) On the right side, the 198.18.0.0./15 network
is used, and it was cut into two equal parts. (Asymmetric division is used, and it was cut into two equal parts. (Asymmetric division
is also possible, if needed.) is also possible, if needed.)
It should be noted that these are the potential address ranges. The It should be noted that these are the potential address ranges. The
actual address ranges to be used are discussed in Section 4.1. actual address ranges to be used are discussed in Section 4.1.
In the case of stateful NAT64, a single "/64" IPv6 prefix contains a In the case of stateful NAT64, a single "/64" IPv6 prefix contains a
high number of bits to express different IPv6 addresses. Figure 4 high number of bits to express different IPv6 addresses. Figure 4
shows an example, where bits 96-111 are used for that purpose. shows an example where bits 96-111 are used for that purpose.
2001:2::[0000-ffff]:0002/64 198.19.0.0/15 - 198.19.255.254/15 2001:2::[0000-ffff]:0002/64 198.19.0.0/15 - 198.19.255.254/15
\ +--------------------------------------+ / \ +--------------------------------------+ /
IPv6 \ |Initiator Responder| / IPv6 \ |Initiator Responder| /
+-------------| Tester |<------------+ +-------------| Tester |<------------+
| addresses | [state table]| public IPv4 | | addresses | [state table]| public IPv4 |
| +--------------------------------------+ | | +--------------------------------------+ |
| | | |
| +--------------------------------------+ | | +--------------------------------------+ |
| 2001:2::1/64| DUT: | public IPv4 | | 2001:2::1/64| DUT: | public IPv4 |
+------------>| Stateful NAT64 gateway |-------------+ +------------>| Stateful NAT64 gateway |-------------+
IPv6 address | [connection tracking table] | \ IPv6 address | [connection tracking table] | \
+--------------------------------------+ \ +--------------------------------------+ \
198.18.0.1/15 - 198.18.255.255/15 198.18.0.1/15 - 198.18.255.255/15
Figure 4: Test Setup for benchmarking stateful NAT64 gateways Figure 4: Test Setup for Benchmarking Stateful NAT64 Gateways
using multiple IPv6 and IPv4 addresses Using Multiple IPv6 and IPv4 Addresses
4. Recommended Benchmarking Method 4. Recommended Benchmarking Method
4.1. Restricted Number of Network Flows 4.1. Restricted Number of Network Flows
When a single IP address pair is used for testing then the number of When a single IP address pair is used for testing, then the number of
network flows is determined by the number of source port number network flows is determined by the number of source and destination
destination port number combinations. port number combinations.
The Initiator SHOULD use restricted ranges for source and destination The Initiator SHOULD use restricted ranges for source and destination
port numbers to avoid the exhaustion of the connection tracking table port numbers to avoid the exhaustion of the connection tracking table
capacity of the DUT as described in Section 2. If it is possible, capacity of the DUT as described in Section 2. If it is possible,
the size of the source port number range SHOULD be larger (e.g. in the size of the source port number range SHOULD be larger (e.g., in
the order of a few times ten thousand), whereas the size of the the order of a few tens of thousands), whereas the size of the
destination port number range SHOULD be smaller (may vary from a few destination port number range SHOULD be smaller (e.g., it may vary
to several hundreds or thousands as needed). The rationale is that from a few to several hundreds or thousands as needed). The
source and destination port numbers that can be observed in the rationale is that source and destination port numbers that can be
Internet traffic are not symmetrical. Whereas source port numbers observed in Internet traffic are not symmetrical. Whereas source
may be random, there are a few very popular destination port numbers port numbers may be random, there are a few very popular destination
(e.g. 443, 80, etc., see [IIR2020]), and others hardly occur. And it port numbers (e.g., 443 or 80; see [IIR2020]), and others hardly
was found that their role is also asymmetric in the Linux kernel occur. Additionally, it was found that their role is also asymmetric
routing hash function [LEN2020]. in the Linux kernel routing hash function [LEN2020].
However, in some special cases, the size of the source port range is However, in some special cases, the size of the source port range is
limited. E.g. when benchmarking the CE and BR of a MAP-T [RFC7599] limited. For example, when benchmarking the Customer Edge (CE) and
system together (as a compound system performing stateful NAT44), Border Relay (BR) of a Mapping of Address and Port using Translation
then the source port range is limited to the number of source port (MAP-T) system [RFC7599] together (as a compound system performing
numbers assigned to each subscriber. (It could be as low as 2048 stateful NAT44), the source port range is limited to the number of
ports.) source port numbers assigned to each subscriber. (It could be as low
as 2048 ports.)
When multiple IP addresses are used, then the port number ranges When multiple IP addresses are used, then the port number ranges
should be even more restricted, as the number of potential network should be even more restricted, as the number of potential network
flows is the product of the size of the source IP address range, the flows is the product of the size of:
size of the source port number range, the size of the destination IP
address range, and the size of the destination port number range. * the source IP address range,
And the recommended method requires the enumeration of all their
possible combinations in test phase 1 as described in Section 4.4. * the source port number range,
* the destination IP address range, and
* the destination port number range.
In addition, the recommended method requires the enumeration of all
their possible combinations in test phase 1 as described in
Section 4.4.
The number of network flows can be used as a parameter. The The number of network flows can be used as a parameter. The
performance of the stateful NATxy gateway MAY be examined as a performance of the stateful NATxy gateway MAY be examined as a
function of this parameter as described in Section 5.1. function of this parameter as described in Section 5.1.
4.2. Test Phase 1 4.2. Test Phase 1
Test phase 1 serves two purposes: Test phase 1 serves two purposes:
1. The connection tracking table of the DUT is filled. It is 1. The connection tracking table of the DUT is filled. This is
important, because its maximum connection establishment rate may important because its maximum connection establishment rate may
be lower than its maximum frame forwarding rate (that is be lower than its maximum frame forwarding rate (that is, its
throughput). throughput).
2. The state table of the Responder is filled with valid four 2. The state table of the Responder is filled with valid four
tuples. It is a precondition for the Responder to be able to tuples. It is a precondition for the Responder to be able to
transmit frames that belong to connections that exist in the transmit frames that belong to connections that exist in the
connection tracking table of the DUT. connection tracking table of the DUT.
Whereas the above two things are always necessary before test phase Whereas the above two things are always necessary before test phase
2, test phase 1 can be used without test phase 2. It is done so when 2, test phase 1 can be used without test phase 2. This is done when
the maximum connection establishment rate is measured (as described the maximum connection establishment rate is measured (as described
in Section 4.5). in Section 4.5).
Test phase 1 MUST be performed before all tests performed in test Test phase 1 MUST be performed before all tests are performed in test
phase 2. The following things happen in test phase 1: phase 2. The following things happen in test phase 1:
1. The Initiator sends test frames to the Responder through the DUT 1. The Initiator sends test frames to the Responder through the DUT
at a specific frame rate. at a specific frame rate.
2. The DUT performs the stateful translation of the test frames and 2. The DUT performs the stateful translation of the test frames, and
it also stores the new connections in its connection tracking it also stores the new connections in its connection tracking
table. table.
3. The Responder receives the translated test frames and updates its 3. The Responder receives the translated test frames and updates its
state table with the received four tuples. The responder state table with the received four tuples. The Responder
transmits no test frames during test phase 1. transmits no test frames during test phase 1.
When test phase 1 is performed in preparation for test phase 2, the When test phase 1 is performed in preparation for test phase 2, the
applied frame rate SHOULD be safely lower than the maximum connection applied frame rate SHOULD be safely lower than the maximum connection
establishment rate. (It implies that maximum connection establishment rate. (It implies that maximum connection
establishment rate measurement MUST be performed first.) Please establishment rate measurement MUST be performed first.) Please
refer to Section 4.4 for further conditions regarding timeout and the refer to Section 4.4 for further conditions regarding timeout and the
enumeration of all possible four tuples. enumeration of all possible four tuples.
4.3. Consideration of the Cases of Stateful Operation 4.3. Consideration of the Cases of Stateful Operation
The authors consider the most important events that may happen during The authors consider the most important events that may happen during
the operation of a stateful NATxy gateway, and the Actions of the the operation of a stateful NATxy gateway and the Actions of the
gateway as follows. gateway as follows.
1. EVENT: A packet not belonging to an existing connection arrives 1. EVENT: A packet not belonging to an existing connection arrives
in the client-to-server direction. ACTION: A new connection is in the client-to-server direction.
registered into the connection tracking table and the packet is
translated and forwarded. ACTION: A new connection is registered into the connection
tracking table, and the packet is translated and forwarded.
2. EVENT: A packet not belonging to an existing connection arrives 2. EVENT: A packet not belonging to an existing connection arrives
in the server-to-client direction. ACTION: The packet is in the server-to-client direction.
discarded.
ACTION: The packet is discarded.
3. EVENT: A packet belonging to an existing connection arrives (in 3. EVENT: A packet belonging to an existing connection arrives (in
any direction). ACTION: The packet is translated and forwarded any direction).
and the timeout counter of the corresponding connection tracking
table entry is reset.
4. EVENT: A connection tracking table entry times out. ACTION: The ACTION: The packet is translated and forwarded, and the timeout
entry is deleted from the connection tracking table. counter of the corresponding connection tracking table entry is
reset.
4. EVENT: A connection tracking table entry times out.
ACTION: The entry is deleted from the connection tracking table.
Due to "black box" testing, the Tester is not able to directly Due to "black box" testing, the Tester is not able to directly
examine (or delete) the entries of the connection tracking table. examine (or delete) the entries of the connection tracking table.
But the entries can be and MUST be controlled by setting an However, the entries can and MUST be controlled by setting an
appropriate timeout value and carefully selecting the port numbers of appropriate timeout value and carefully selecting the port numbers of
the packets (as described in Section 4.4) to be able to produce the packets (as described in Section 4.4) to be able to produce
meaningful and repeatable measurement results. meaningful and repeatable measurement results.
This document aims to support the measurement of the following This document aims to support the measurement of the following
performance characteristics of a stateful NATxy gateway: performance characteristics of a stateful NATxy gateway:
1. maximum connection establishment rate * maximum connection establishment rate
2. all "classic" performance metrics like throughput, frame loss * all "classic" performance metrics like throughput, frame loss
rate, latency, etc. rate, latency, etc.
3. connection tear-down rate * connection tear-down rate
4. connection tracking table capacity * connection tracking table capacity
4.4. Control of the Connection Tracking Table Entries 4.4. Control of the Connection Tracking Table Entries
It is necessary to control the connection tracking table entries of It is necessary to control the connection tracking table entries of
the DUT to achieve clear conditions for the measurements. One can the DUT to achieve clear conditions for the measurements. One can
simply achieve the following two extreme situations: simply achieve the following two extreme situations:
1. All frames create a new entry in the connection tracking table of 1. All frames create a new entry in the connection tracking table of
the DUT and no old entries are deleted during the test. This is the DUT, and no old entries are deleted during the test. This is
required for measuring the maximum connection establishment rate. required for measuring the maximum connection establishment rate.
2. No new entries are created in the connection tracking table of 2. No new entries are created in the connection tracking table of
the DUT and no old ones are deleted during the test. This is the DUT, and no old ones are deleted during the test. This is
ideal for the measurements to be executed in phase 2, like ideal for the measurements to be executed in phase 2, like
throughput, latency, etc. throughput, latency, etc.
From this point, the following two assumptions are used: From this point, the following two assumptions are used:
1. The connection tracking table of the stateful NATxy is large 1. The connection tracking table of the stateful NATxy is large
enough to store all connections defined by the different four enough to store all connections defined by the different four
tuples. tuples.
2. Each experiment is started with an empty connection tracking 2. Each experiment is started with an empty connection tracking
table. (It can be ensured by deleting its content before the table. (This can be ensured by deleting its content before the
experiment.) experiment.)
The first extreme situation can be achieved by The first extreme situation can be achieved by:
* using different four tuples for every single test frame in test * using different four tuples for every single test frame in test
phase 1 and phase 1 and
* setting the UDP timeout of the NATxy gateway to a value higher * setting the UDP timeout of the NATxy gateway to a value higher
than the length of test phase 1. than the length of test phase 1.
The second extreme situation can be achieved by The second extreme situation can be achieved by:
* enumerating all possible four tuples in test phase 1 and * enumerating all possible four tuples in test phase 1 and
* setting the UDP timeout of the NATxy gateway to a value higher * setting the UDP timeout of the NATxy gateway to a value higher
than the length of test phase 1 plus the gap between the two than the length of test phase 1 plus the gap between the two
phases plus the length of test phase 2. phases plus the length of test phase 2.
[RFC4814] REQUIRES pseudorandom port numbers, which the authors As described in [RFC4814], pseudorandom port numbers are REQUIRED,
believe is a good approximation of the distribution of the source which the authors believe is a good approximation of the distribution
port numbers a NATxy gateway on the Internet may face with. of the source port numbers a NATxy gateway on the Internet may be
faced with.
It should be noted that although the enumeration of all possible four Although the enumeration of all possible four tuples is not a
tuples is not a requirement for the first extreme situation and the requirement for the first extreme situation and the usage of
usage of different four tuples in test phase 1 is not a requirement different four tuples in test phase 1 is not a requirement for the
for the second extreme situation, pseudorandom enumeration of all second extreme situation, pseudorandom enumeration of all possible
possible four tuples in test phase 1 is a good solution in both four tuples in test phase 1 is a good solution in both cases.
cases. It may be computing efficiently generated by preparing a Pseudorandom enumeration of all possible four tuples may be generated
random permutation of the previously enumerated all possible four in a computationally efficient way by using Durstenfeld's random
tuples using Dustenfeld's random shuffle algorithm [DUST1964]. shuffle algorithm [DUST1964] to prepare a random permutation of the
previously enumerated all possible four tuples.
The enumeration of the four tuples in increasing or decreasing order The enumeration of the four tuples in increasing or decreasing order
(or in any other specific order) MAY be used as an additional (or in any other specific order) MAY be used as an additional
measurement. measurement.
4.5. Measurement of the Maximum Connection Establishment Rate 4.5. Measurement of the Maximum Connection Establishment Rate
The maximum connection establishment rate is an important The maximum connection establishment rate is an important
characteristic of the stateful NATxy gateway and its determination is characteristic of the stateful NATxy gateway, and its determination
necessary for the safe execution of test phase 1 (without frame loss) is necessary for the safe execution of test phase 1 (without frame
before test phase 2. loss) before test phase 2.
The measurement procedure of the maximum connection establishment The measurement procedure of the maximum connection establishment
rate is very similar to the throughput measurement procedure defined rate is very similar to the throughput measurement procedure defined
in [RFC2544]. in [RFC2544].
Procedure: The Initiator sends a specific number of test frames using The procedure is as follows:
all different four tuples at a specific rate through the DUT. The
Responder counts the frames that are successfully translated by the * The Initiator sends a specific number of test frames using all
DUT. If the count of offered frames is equal to the count of different four tuples at a specific rate through the DUT.
received frames, the rate of the offered stream is raised and the
test is rerun. If fewer frames are received than were transmitted, * The Responder counts the frames that are successfully translated
the rate of the offered stream is reduced and the test is rerun. by the DUT.
* If the count of offered frames is equal to the count of received
frames, the rate of the offered stream is raised and the test is
rerun.
* If fewer frames are received than were transmitted, the rate of
the offered stream is reduced and the test is rerun.
The maximum connection establishment rate is the fastest rate at The maximum connection establishment rate is the fastest rate at
which the count of test frames successfully translated by the DUT is which the count of test frames successfully translated by the DUT is
equal to the number of test frames sent to it by the Initiator. equal to the number of test frames sent to it by the Initiator.
Note: In practice, the usage of binary search is RECOMMENDED. Note: In practice, the usage of binary search is RECOMMENDED.
4.6. Validation of Connection Establishment 4.6. Validation of Connection Establishment
Due to "black box" testing, the entries of the connection tracking Due to "black box" testing, the entries of the connection tracking
table of the DUT may not be directly examined, but the presence of table of the DUT may not be directly examined. However, the presence
the connections can be checked easily by sending frames from the of the connections can be checked easily by sending frames from the
Responder to the Initiator in test phase 2 using all four tuples Responder to the Initiator in test phase 2 using all four tuples
stored in the state table of the Tester (at a low enough frame rate). stored in the state table of the Tester (at a low enough frame rate).
The arrival of all test frames indicates that the connections are The arrival of all test frames indicates that the connections are
indeed present. indeed present.
Procedure: When all the desired N number of test frames were sent by The procedure is as follows:
the Initiator to the Receiver at frame rate R in test phase 1 for the
maximum connection establishment rate measurement, and the Receiver When all the desired N number of test frames are sent by the
Initiator to the Receiver at frame rate R in test phase 1 for the
maximum connection establishment rate measurement and the Receiver
has successfully received all the N frames, the establishment of the has successfully received all the N frames, the establishment of the
connections is checked in test phase 2 as follows: connections is checked in test phase 2 as follows:
* The Responder sends test frames to the Initiator at frame rate * The Responder sends test frames to the Initiator at frame rate
r=R*alpha, for the duration of N/r using a different four tuple r=R*alpha for the duration of N/r, using a different four tuple
from its state table for each test frame. from its state table for each test frame.
* The Initiator counts the received frames, and if all N frames are * The Initiator counts the received frames, and if all N frames have
arrived then the R frame rate of the maximum connection arrived, then the R frame rate of the maximum connection
establishment rate measurement (performed in test phase 1) is establishment rate measurement (performed in test phase 1) is
raised for the next iteration, otherwise lowered (as well as in raised for the next iteration; otherwise, it is lowered (as well
the case if test frames were missing in the preliminary test as in the case that test frames were missing in the preliminary
phase). test phase, as well).
Notes: Notes:
* The alpha is a kind of "safety factor", it aims to make sure that * The alpha is a kind of "safety factor"; it aims to make sure that
the frame rate used for the validation is not too high, and test the frame rate used for the validation is not too high, and the
may fail only in the case if at least one connection is not test may fail only in the case of if at least one connection is
present in the connection tracking table of the DUT. (So alpha not present in the connection tracking table of the DUT.
should be typically less than 1, e.g. 0.8 or 0.5.) (Therefore, alpha should be typically less than 1, e.g., 0.8 or
0.5.)
* The duration of N/r and the frame rate of r means that N frames * The duration of N/r and the frame rate of r means that N frames
are sent for validation. are sent for validation.
* The order of four tuple selection is arbitrary provided that all * The order of four tuple selection is arbitrary, provided that all
four tuples MUST be used. four tuples MUST be used.
* Please refer to Section 4.9 for a short analysis of the operation * Please refer to Section 4.9 for a short analysis of the operation
of the measurement and what problems may occur. of the measurement and what problems may occur.
4.7. Test Phase 2 4.7. Test Phase 2
As for the traffic direction, there are three possible cases during As for the traffic direction, there are three possible cases during
test phase 2: test phase 2:
* bidirectional traffic: The Initiator sends test frames to the 1. Bidirectional traffic: The Initiator sends test frames to the
Responder and the Responder sends test frames to the Initiator. Responder, and the Responder sends test frames to the Initiator.
* unidirectional traffic from the Initiator to the Responder: The 2. Unidirectional traffic from the Initiator to the Responder: The
Initiator sends test frames to the Responder but the Responder Initiator sends test frames to the Responder, but the Responder
does not send test frames to the Initiator. does not send test frames to the Initiator.
* unidirectional traffic from the Responder to the Initiator: The 3. Unidirectional traffic from the Responder to the Initiator: The
Responder sends test frames to the Initiator but the Initiator Responder sends test frames to the Initiator, but the Initiator
does not send test frames to the Responder. does not send test frames to the Responder.
If the Initiator sends test frames, then it uses pseudorandom source If the Initiator sends test frames, then it uses pseudorandom source
port numbers and destination port numbers from the restricted port port numbers and destination port numbers from the restricted port
number ranges. (If it uses multiple source and/or destination IP number ranges. (If it uses multiple source and/or destination IP
addresses, then their ranges are also limited.) The responder addresses, then their ranges are also limited.) The Responder
receives the test frames, updates its state table, and processes the receives the test frames, updates its state table, and processes the
test frames as required by the given measurement procedure (e.g. only test frames as required by the given measurement procedure (e.g.,
counts them for the throughput test, handles timestamps for latency only counts them for the throughput test, handles timestamps for
or PDV tests, etc.). latency or PDV tests, etc.).
If the Responder sends test frames, then it uses the four tuples from If the Responder sends test frames, then it uses the four tuples from
its state table. The reading order of the state table may follow its state table. The reading order of the state table may follow
different policies (discussed in Section 4.10). The Initiator different policies (discussed in Section 4.10). The Initiator
receives the test frames and processes them as required by the given receives the test frames and processes them as required by the given
measurement procedure. measurement procedure.
As for the actual measurement procedures, the usage of the updated As for the actual measurement procedures, the usage of the updated
ones from Section 7 of [RFC8219] is RECOMMENDED. ones from Section 7 of [RFC8219] is RECOMMENDED.
4.8. Measurement of the Connection Tear-down Rate 4.8. Measurement of the Connection Tear-Down Rate
Connection tear-down can cause significant load for the NATxy Connection tear-down can cause significant load for the NATxy
gateway. The connection tear-down performance can be measured as gateway. The connection tear-down performance can be measured as
follows: follows:
1. Load a certain number of connections (N) into the connection 1. Load a certain number of connections (N) into the connection
tracking table of the DUT (in the same way as done to measure the tracking table of the DUT (in the same way as done to measure the
maximum connection establishment rate). maximum connection establishment rate).
2. Record TimestampA. 2. Record TimestampA.
3. Delete the content of the connection tracking table of the DUT. 3. Delete the content of the connection tracking table of the DUT.
4. Record TimestampB. 4. Record TimestampB.
The connection tear-down rate can be computed as: The connection tear-down rate can be computed as:
connection tear-down rate = N / ( TimestampB - TimestampA) connection tear-down rate = N / ( TimestampB - TimestampA)
The connection tear-down rate SHOULD be measured for various values The connection tear-down rate SHOULD be measured for various values
of N. of N.
It is assumed that the content of the connection tracking table may It is assumed that the content of the connection tracking table may
be deleted by an out-of-band control mechanism specific to the given be deleted by an out-of-band control mechanism specific to the given
NATxy gateway implementation. (E.g. by removing the appropriate NATxy gateway implementation (e.g., by removing the appropriate
kernel module under Linux.) kernel module under Linux).
It is noted that the performance of removing the entire content of It is noted that the performance of removing the entire content of
the connection tracking table at one time may be different from the connection tracking table at one time may be different from
removing all the entries one by one. removing all the entries one by one.
4.9. Measurement of the Connection Tracking Table Capacity 4.9. Measurement of the Connection Tracking Table Capacity
The connection tracking table capacity is an important metric of The connection tracking table capacity is an important metric of
stateful NATxy gateways. Its measurement is not easy, because an stateful NATxy gateways. Its measurement is not easy, because an
elementary step of a validated maximum connection establishment rate elementary step of a validated maximum connection establishment rate
measurement (defined in Section 4.6) may have only a few distinct measurement (defined in Section 4.6) may have only a few distinct
observable outcomes, but some of them may have different root causes: observable outcomes, but some of them may have different root causes:
1. During test phase 1, the number of test frames received by the * During test phase 1, the number of test frames received by the
Responder is less than the number of test frames sent by the Responder is less than the number of test frames sent by the
Initiator. It may have different root causes, including: Initiator. It may have different root causes, including:
1. The R frame sending rate was higher than the maximum - The R frame sending rate was higher than the maximum connection
connection establishment rate. (Note that now the maximum establishment rate. (Note that now the maximum connection
connection establishment rate is considered unknown because establishment rate is considered unknown because one cannot
one can not measure the maximum connection establishment measure the maximum connection establishment without assumption
without assumption 1 in Section 4.4!) This root cause may be 1 in Section 4.4.) This root cause may be eliminated by
eliminated by lowering the R rate and re-executing the test. lowering the R rate and re-executing the test. (This step may
(This step may be performed multiple times, while R>0.) be performed multiple times while R>0.)
2. The capacity of the connection tracking table of the DUT has - The capacity of the connection tracking table of the DUT has
been exhausted. (And either the DUT does not want to delete been exhausted (and either the DUT does not want to delete
connections or the deletion of the connections makes it connections or the deletion of the connections makes it slower;
slower. This case is not investigated further in test phase this case is not investigated further in test phase 1).
1.)
2. During test phase 1, the number of test frames received by the * During test phase 1, the number of test frames received by the
Responder equals the number of test frames sent by the Initiator. Responder equals the number of test frames sent by the Initiator.
In this case, the connections are validated in test phase 1. The In this case, the connections are validated in test phase 2. The
validation may have two kinds of observable results: validation may have two kinds of observable results:
1. The number of validation frames received by the Initiator 1. The number of validation frames received by the Initiator
equals the number of validation frames sent by the Responder. equals the number of validation frames sent by the Responder.
(It proves that the capacity of the connection tracking table (It proves that the capacity of the connection tracking table
of the DUT is enough and both R and r were chosen properly.) of the DUT is enough and both R and r were chosen properly.)
2. The number of validation frames received by the Initiator is 2. The number of validation frames received by the Initiator is
less than the number of validation frames sent by the less than the number of validation frames sent by the
Responder. This phenomenon may have various root causes: Responder. This phenomenon may have various root causes:
1. The capacity of the connection tracking table of the DUT - The capacity of the connection tracking table of the DUT
has been exhausted. (It does not matter, whether some has been exhausted. (It does not matter whether some
existing connections are discarded and new ones are existing connections are discarded and new ones are stored
stored, or the new connections are discarded. Some or if the new connections are discarded. Some connections
connections are lost anyway, and it makes validation are lost anyway, and it makes validation fail.)
fail.)
2. The R frame sending rate used by the Initiator was too - The R frame sending rate used by the Initiator was too high
high in test phase 1 and thus some connections were not in test phase 1; thus, some connections were not
established, even though all test frames arrived at the established even though all test frames arrived at the
Responder. This root cause may be eliminated by lowering Responder. This root cause may be eliminated by lowering
the R rate and re-executing the test. (This step may be the R rate and re-executing the test. (This step may be
performed multiple times, while R>0.) performed multiple times while R>0.)
3. The r frame sending rate used by the Responder was too - The r frame sending rate used by the Responder was too high
high in test phase 2 and thus some test frames did not in test phase 2; thus, some test frames did not arrive at
arrive at the Initiator, even though all connections were the Initiator even though all connections were present in
present in the connection tracking table of the DUT. the connection tracking table of the DUT. This root cause
This root cause may be eliminated by lowering the r rate may be eliminated by lowering the r rate and re-executing
and re-executing the test. (This step may be performed the test. (This step may be performed multiple times while
multiple times, while r>0.) r>0.)
And here is the problem: as the above three root causes are This is the problem: As the above three root causes are
indistinguishable, it is not easy to decide, whether R or r indistinguishable, it is not easy to decide whether R or r
should be decreased. should be decreased.
Experience shows that the DUT may collapse if its memory is Experience shows that the DUT may collapse if its memory is
exhausted. Such a situation may make the connection tracking table exhausted. Such a situation may make the connection tracking table
capacity measurements rather inconvenient. This possibility is capacity measurements rather inconvenient. This possibility is
included in the recommended measurement procedure, but the detection included in the recommended measurement procedure, but the detection
and elimination of such a situation is not addressed. (E.g. how the and elimination of such a situation is not addressed (e.g., how the
algorithm can reset the DUT.) algorithm can reset the DUT).
For the connection tracking table size measurement, first one needs a For the connection tracking table size measurement, first, one needs
safe number: C0. It is a precondition, that C0 number of connections a safe number: C0. It is a precondition that C0 number of
can surely be stored in the connection tracking table of the DUT. connections can surely be stored in the connection tracking table of
Using C0, one can determine the maximum connection establishment rate the DUT. Using C0, one can determine the maximum connection
using C0 number of connections. It is done with a binary search establishment rate using C0 number of connections. It is done with a
using validation. The result is R0. The values C0 and R0 will serve binary search using validation. The result is R0. The values C0 and
as "safe" starting values for the following two searches. R0 will serve as "safe" starting values for the following two
searches.
First, an exponential search is performed to find the order of First, an exponential search is performed to find the order of
magnitude of the connection tracking table capacity. The search magnitude of the connection tracking table capacity. The search
stops if the DUT collapses OR the maximum connection establishment stops if the DUT collapses OR the maximum connection establishment
rate severely drops (e.g. to its one tenth) due to doubling the rate severely drops (e.g., to its one tenth) due to doubling the
number of connections. number of connections.
Then, the result of the exponential search gives the order of Then, the result of the exponential search gives the order of
magnitude of the size of the connection tracking table. Before magnitude of the size of the connection tracking table. Before
disclosing the possible algorithms to determine the exact size of the disclosing the possible algorithms to determine the exact size of the
connection tracking table, three possible replacement policies for connection tracking table, three possible replacement policies for
the NATxy gateway are considered: the NATxy gateway are considered:
1. The gateway does not delete any live connections until their 1. The gateway does not delete any live connections until their
timeout expires. timeout expires.
2. The gateway replaces the live connections according to LRU (least 2. The gateway replaces the live connections according to the Least
recently used) policy. Recently Used (LRU) policy.
3. The gateway does a garbage collection when its connection 3. The gateway does a garbage collection when its connection
tracking table is full and a frame with a new four tuple arrives. tracking table is full and a frame with a new four tuple arrives.
During the garbage collection, it deletes the K least recently During the garbage collection, it deletes the K LRU connections,
used connections, where K is greater than 1. where K is greater than 1.
Now, it is examined what happens and how many validation frames Now, it is examined what happens and how many validation frames
arrive in the there cases. Let the size of the connection tracking arrive in the three cases. Let the size of the connection tracking
table be S, and the number of preliminary frames be N, where S is table be S and the number of preliminary frames be N, where S is less
less than N. than N.
1. The connections defined by the first S test frames are registered 1. The connections defined by the first S test frames are registered
into the connection tracking table of the DUT, and the last N-S into the connection tracking table of the DUT, and the last N-S
connections are lost. (It is another question if the last N-S connections are lost. (It is another question if the last N-S
test frames are translated and forwarded in test phase 1 or test frames are translated and forwarded in test phase 1 or
simply dropped.) During validation, the validation frames with simply dropped.) During validation, the validation frames with
four tuples corresponding to the first S test frames will arrive four tuples corresponding to the first S test frames will arrive
at the Initiator and the other N-S validation frames will be at the Initiator and the other N-S validation frames will be
lost. lost.
2. All connections are registered into the connection tracking table 2. All connections are registered into the connection tracking table
of the DUT, but the first N-S connections are replaced (and thus of the DUT, but the first N-S connections are replaced (and thus
lost). During validation, the validation frames with four tuples lost). During validation, the validation frames with four tuples
corresponding to the last S test frames will arrive to the corresponding to the last S test frames will arrive to the
Initiator, and the other N-S validation frames will be lost. Initiator, and the other N-S validation frames will be lost.
3. Depending on the values of K, S, and N, maybe less than S 3. Depending on the values of K, S, and N, maybe less than S
connections will survive. In the worst case, only S-K+1 connections will survive. In the worst case, only S-K+1
validation frames arrive, even though, the size of the connection validation frames arrive, even though the size of the connection
tracking table is S. tracking table is S.
If one knows that the stateful NATxy gateway uses the first or second If one knows that the stateful NATxy gateway uses the first or second
replacement policy and one also knows that both R and r rates are low replacement policy and one also knows that both R and r rates are low
enough, then the final step of determining the size of the connection enough, then the final step of determining the size of the connection
tracking table is simple. If the Responder sent N validation frames tracking table is simple. If the Responder sent N validation frames
and the Initiator received N' of them, then the size of the and the Initiator received N' of them, then the size of the
connection tracking table is N'. connection tracking table is N'.
In the general case, a binary search is performed to find the exact In the general case, a binary search is performed to find the exact
value of the connection tracking table capacity within E error. The value of the connection tracking table capacity within E error. The
search chooses the lower half of the interval if the DUT collapses OR search chooses the lower half of the interval if the DUT collapses OR
the maximum connection establishment rate severely drops (e.g. to its the maximum connection establishment rate severely drops (e.g., to
half) otherwise it chooses the higher half. The search stops if the its half); otherwise, it chooses the higher half. The search stops
size of the interval is less than the E error. if the size of the interval is less than the E error.
The algorithms for the general case are defined using C like The algorithms for the general case are defined using C-like
pseudocode in Figure 5. In practice, this algorithm may be made more pseudocode in Figure 5. In practice, this algorithm may be made more
efficient in a way that the binary search for the maximum connection efficient in the way that the binary search for the maximum
establishment rate stops, if an elementary test fails at a rate under connection establishment rate stops if an elementary test fails at a
RS*beta or RS*gamma during the external search or during the final rate under RS*beta or RS*gamma during the external search or during
binary search for the capacity of the connection tracking table, the final binary search for the capacity of the connection tracking
respectively. (This saves a high amount of execution time by table, respectively. (This saves a high amount of execution time by
eliminating the long-lasting tests at low rates.) eliminating the long-lasting tests at low rates.)
// The binarySearchForMaximumConnectionCstablishmentRate(c,r) // The binarySearchForMaximumConnectionCstablishmentRate(c,r)
// function performs a binary search for the maximum connection // function performs a binary search for the maximum connection
// establishment rate in the [0, r] interval using c number of // establishment rate in the [0, r] interval using c number of
// connections. // connections.
// This is an exponential search for finding the order of magnitude // This is an exponential search for finding the order of magnitude
// of the connection tracking table capacity // of the connection tracking table capacity
// Variables: // Variables:
// C0 and R0 are beginning safe values for the connection // C0 and R0 are beginning safe values for the connection
// tracking table size and connection establishment rate, // tracking table size and connection establishment rate,
// respectively // respectively
// CS and RS are their currently used safe values // CS and RS are their currently used safe values
// CT and RT are their values for the current examination // CT and RT are their values for the current examination
// beta is a factor expressing an unacceptable drop in R (e.g. // beta is a factor expressing an unacceptable drop in R (e.g.,
// beta=0.1) // beta=0.1)
// maxrate is the maximum frame rate for the media // maxrate is the maximum frame rate for the media
R0=binarySearchForMaximumConnectionCstablishmentRate(C0,maxrate); R0=binarySearchForMaximumConnectionCstablishmentRate(C0,maxrate);
for ( CS=C0, RS=R0; 1; CS=CT, RS=RT ) for ( CS=C0, RS=R0; 1; CS=CT, RS=RT )
{ {
CT=2*CS; CT=2*CS;
RT=binarySearchForMaximumConnectionCstablishmentRate(CT,RS); RT=binarySearchForMaximumConnectionCstablishmentRate(CT,RS);
if ( DUT_collapsed || RT < RS*beta ) if ( DUT_collapsed || RT < RS*beta )
break; break;
} }
// At this point, the size of the connection tracking table is // At this point, the size of the connection tracking table is
// between CS and CT. // between CS and CT.
// This is the final binary search for finding the connection // This is the final binary search for finding the connection
// tracking table capacity within E error // tracking table capacity within E error
// Variables: // Variables:
// CS and RS are the safe values for connection tracking table size // CS and RS are the safe values for connection tracking table size
// and connection establishment rate, respectively // and connection establishment rate, respectively
// C and R are the values for the current examination // C and R are the values for the current examination
// gamma is a factor expressing an unacceptable drop in R // gamma is a factor expressing an unacceptable drop in R
// (e.g. gamma=0.5) // (e.g., gamma=0.5)
for ( D=CT-CS; D>E; D=CT-CS ) for ( D=CT-CS; D>E; D=CT-CS )
{ {
C=(CS+CT)/2; C=(CS+CT)/2;
R=binarySearchForMaximumConnectionCstablishmentRate(C,RS); R=binarySearchForMaximumConnectionCstablishmentRate(C,RS);
if ( DUT_collapsed || R < RS*gamma ) if ( DUT_collapsed || R < RS*gamma )
CT=C; // take the lower half of the interval CT=C; // take the lower half of the interval
else else
CS=C,RS=R; // take the upper half of the interval CS=C,RS=R; // take the upper half of the interval
} }
// At this point, the size of the connection tracking table is // At this point, the size of the connection tracking table is
skipping to change at page 21, line 17 skipping to change at line 902
As for the writing policy of the state table of the Responder, round As for the writing policy of the state table of the Responder, round
robin is RECOMMENDED, because it ensures that its entries are robin is RECOMMENDED, because it ensures that its entries are
automatically kept fresh and consistent with that of the connection automatically kept fresh and consistent with that of the connection
tracking table of the DUT. tracking table of the DUT.
The Responder can read its state table in various orders, for The Responder can read its state table in various orders, for
example: example:
* pseudorandom * pseudorandom
* round-robin * round robin
Pseudorandom is RECOMMENDED to follow the approach of [RFC4814]. Pseudorandom is RECOMMENDED to follow the approach of [RFC4814].
Round-robin may be used as a computationally cheaper alternative. Round robin may be used as a computationally cheaper alternative.
5. Scalability Measurements 5. Scalability Measurements
As for scalability measurements, no new types of performance metrics As for scalability measurements, no new types of performance metrics
are defined, but it is RECOMMENDED to perform measurement series are defined, but it is RECOMMENDED to perform measurement series
through which the value of one or more parameter(s) is/are changed to through which the value of one or more parameter(s) are changed to
discover how the various values of the given parameter(s) influence discover how the various values of the given parameter(s) influence
the performance of the DUT. the performance of the DUT.
5.1. Scalability Against the Number of Network Flows 5.1. Scalability Against the Number of Network Flows
The scalability measurements aim to quantify how the performance of The scalability measurements aim to quantify how the performance of
the stateful NATxy gateways degrades with the increase of the number the stateful NATxy gateways degrades with the increase of the number
of network flows. of network flows.
As for the actual values for the number of network flows to be used As for the actual values for the number of network flows to be used
during the measurement series, it is RECOMMENDED to use some during the measurement series, it is RECOMMENDED to use some
representative values from the range of the potential number of representative values from the range of the potential number of
network flows the DUT may be faced with during its intended usage. network flows the DUT may be faced with during its intended usage.
It is important, how the given number of network flows are generated. It is important how the given number of network flows are generated.
The sizes of the ranges of the source and destination IP addresses The sizes of the ranges of the source and destination IP addresses
and port numbers are essential parameters to be reported together and port numbers are essential parameters to be reported together
with the results. Please see also Section 6 about the reporting with the results. Please also see Section 6 about the reporting
format. format.
If a single IP address pair is used, then it is RECOMMENDED to use If a single IP address pair is used, then it is RECOMMENDED to use:
* a fixed, larger source port number range (e.g., a few times * a fixed, larger source port number range (e.g., a few times
10,000) 10,000) and
* a variable size destination port number range (e.g. 10; 100; * a variable-size destination port number range (e.g., 10, 100,
1,000; etc.), where its expedient granularity depends on the 1,000, etc.), where its expedient granularity depends on the
purpose. purpose.
5.2. Scalability Against the Number of CPU Cores 5.2. Scalability Against the Number of CPU Cores
Stateful NATxy gateways are often implemented in software that are Stateful NATxy gateways are often implemented in software that is not
not bound to a specific hardware but can be executed by commodity bound to a specific hardware but can be executed by commodity
servers. To facilitate the comparison of their performance, it can servers. To facilitate the comparison of their performance, it can
be useful to determine be useful to determine:
* the performance of the various implementations using a single core * the performance of the various implementations using a single core
of a well-known CPU of a well-known CPU and
* the scale-up of the performance of the various implementations * the scale-up of the performance of the various implementations
with the number of CPU cores. with the number of CPU cores.
If the number of the available CPU cores is a power of two, then it If the number of the available CPU cores is a power of two, then it
is RECOMMENDED to perform the tests with 1, 2, 4, 8, 16, etc. number is RECOMMENDED to perform the tests with 1, 2, 4, 8, 16, etc. number
of active CPU cores of the DUT. of active CPU cores of the DUT.
6. Reporting Format 6. Reporting Format
Measurements MUST be executed multiple times. The necessary number Measurements MUST be executed multiple times. The necessary number
of repetitions to achieve statistically reliable results may depend of repetitions to achieve statistically reliable results may depend
on the consistent or scattered nature of the results. The report of on the consistent or scattered nature of the results. The report of
the results MUST contain the number of repetitions of the the results MUST contain the number of repetitions of the
measurements. Median is RECOMMENDED as the summarizing function of measurements. The median is RECOMMENDED as the summarizing function
the results complemented with the first percentile and the 99th of the results complemented with the first percentile and the 99th
percentile as indices of the dispersion of the results. Average and percentile as indices of the dispersion of the results. The average
standard deviation MAY also be reported. and standard deviation MAY also be reported.
All parameters and settings that may influence the performance of the All parameters and settings that may influence the performance of the
DUT MUST be reported. Some of them may be specific to the given DUT MUST be reported. Some of them may be specific to the given
NATxy gateway implementation, like the "hashsize" (hash table size) NATxy gateway implementation, like the "hashsize" (hash table size)
and "nf_conntrack_max" (number of connection tracking table entries) and "nf_conntrack_max" (number of connection tracking table entries)
values for iptables or the limit of the number of states for OpenBSD values for iptables or the limit of the number of states for OpenBSD
PF (set by the "set limit states number" command in the pf.conf PF (set by the "set limit states number" command in the pf.conf
file). file).
number of sessions (req.) 0.4M 4M 40M 400M +----------------------------+--------+--------+--------+--------+
source port numbers (req.) 40,000 40,000 40,000 40,000 | number of sessions (req.) | 0.4M | 4M | 40M | 400M |
destination port numbers (req.) 10 100 1,000 10,000 +----------------------------+--------+--------+--------+--------+
"hashsize" (i.s.) 2^17 2^20 2^23 2^27 | source port numbers (req.) | 40,000 | 40,000 | 40,000 | 40,000 |
"nf_conntrack_max" (i.s.) 2^20 2^23 2^26 2^30 +----------------------------+--------+--------+--------+--------+
num. sessions / "hashsize" (i.s.) 3.05 3.81 4.77 2.98 | destination port numbers | 10 | 100 | 1,000 | 10,000 |
number of experiments (req.) 10 10 10 10 | (req.) | | | | |
error of binary search (req.) 1,000 1,000 1,000 1,000 +----------------------------+--------+--------+--------+--------+
connections/s median (req.) | "hashsize" (i.s.) | 2^17 | 2^20 | 2^23 | 2^27 |
connections/s 1st perc. (req.) +----------------------------+--------+--------+--------+--------+
connections/s 99th perc. (req.) | "nf_conntrack_max" (i.s.) | 2^20 | 2^23 | 2^26 | 2^30 |
+----------------------------+--------+--------+--------+--------+
| num. sessions / "hashsize" | 3.05 | 3.81 | 4.77 | 2.98 |
| (i.s.) | | | | |
+----------------------------+--------+--------+--------+--------+
| number of experiments | 10 | 10 | 10 | 10 |
| (req.) | | | | |
+----------------------------+--------+--------+--------+--------+
| error of binary search | 1,000 | 1,000 | 1,000 | 1,000 |
| (req.) | | | | |
+----------------------------+--------+--------+--------+--------+
| connections/s median | | | | |
| (req.) | | | | |
+----------------------------+--------+--------+--------+--------+
| connections/s 1st perc. | | | | |
| (req.) | | | | |
+----------------------------+--------+--------+--------+--------+
| connections/s 99th perc. | | | | |
| (req.) | | | | |
+----------------------------+--------+--------+--------+--------+
Figure 6: Example table: Maximum connection establishment rate of Table 1: Example Table of the Maximum Connection Establishment
iptables against the number of sessions Rate of Iptables Against the Number of Sessions
Figure 6 shows an example of table headings for reporting the Table 1 shows an example of table headings for reporting the
measurement results for the scalability of the iptables stateful measurement results regarding the scalability of the iptables
NAT44 implementation against the number of sessions. The table stateful NAT44 implementation against the number of sessions. The
indicates the always required fields (req.) and the implementation- table indicates the required fields (req.) and the implementation-
specific ones (i.s.). A computed value was also added in row 6; it specific ones (i.s.). A computed value was also added in row 6; it
is the number of sessions per hashsize ratio, which helps the reader is the number of sessions per hashsize ratio, which helps the reader
to interpret the achieved maximum connection establishment rate. (A to interpret the achieved maximum connection establishment rate. (A
lower value results in shorter linked lists hanging on the entries of lower value results in shorter linked lists hanging on the entries of
the hash table thus facilitating higher performance. The ratio is the hash table, thus facilitating higher performance. The ratio is
varying, because the number of sessions is always a power of 10, varying, because the number of sessions is always a power of 10,
whereas the hash table size is a power of 2.) To reflect the whereas the hash table size is a power of 2.) To reflect the
accuracy of the results, the table contains the value of the "error" accuracy of the results, the table contains the value of the "error"
of the binary search, which expresses the stopping criterion for the of the binary search, which expresses the stopping criterion for the
binary search. The binary search stops, when the difference between binary search. The binary search stops when the difference between
the "higher limit" and "lower limit" of the binary search is less the "higher limit" and "lower limit" of the binary search is less
than or equal to "error". than or equal to the "error".
The table MUST be complemented with reporting the relevant parameters The table MUST be complemented with reporting the relevant parameters
of the DUT. If the DUT is a general-purpose computer and some of the DUT. If the DUT is a general-purpose computer and some
software NATxy gateway implementation is tested, then the hardware software NATxy gateway implementation is tested, then the hardware
description SHOULD include: computer type, CPU type, and number of description SHOULD include the following:
active CPU cores, memory type, size and speed, network interface card
type (reflecting also the speed), the fact that direct cable * computer type
connections were used or the type of the switch used for
interconnecting the Tester and the DUT. Operating system type and * CPU type
version, kernel version, and the version of the NATxy gateway
implementation (including last commit date and number if applicable) * number of active CPU cores
SHOULD also be given.
* memory type, size, and speed
* network interface card type (also reflecting the speed)
* the fact that direct cable connections were use or the type of
switch used for interconnecting the Tester and the DUT
The operating system type and version, kernel version, and version of
the NATxy gateway implementation (including the last commit date and
number if applicable) SHOULD also be given.
7. Implementation and Experience 7. Implementation and Experience
The stateful extension of siitperf [SIITPERF] is an implementation of The stateful extension of siitperf [SIITPERF] is an implementation of
this concept. Its first version only supporting multiple port this concept. Its first version that only supports multiple port
numbers is documented in this (open access) paper [LEN2022]. Its numbers is documented in this (open access) paper: [LEN2022]. Its
extended version also supporting multiple IP addresses is documented extended version that also supports multiple IP addresses is
in this (open access) paper [LEN2024b]. documented in this (open access) paper: [LEN2024b].
The proposed benchmarking methodology has been validated by The proposed benchmarking methodology has been validated by
performing benchmarking measurements with three radically different performing benchmarking measurements with three radically different
stateful NAT64 implementations (Jool, tayga+iptables, OpenBSD PF) in stateful NAT64 implementations (Jool, tayga+iptables, and OpenBSD PF)
(open access) paper [LEN2023]. in this (open access) paper: [LEN2023].
Further experience with this methodology using siitperf for measuring Further experience with this methodology of using siitperf for
the scalability of the iptables stateful NAT44 and Jool stateful measuring the scalability of the iptables stateful NAT44 and Jool
NAT64 implementations are described in stateful NAT64 implementations are described in [SCALABILITY].
[I-D.lencse-v6ops-transition-scalability].
This methodology was successfully applied for the benchmarking of This methodology was successfully applied for the benchmarking of
various IPv4aas (IPv4-as-a-Service) technologies without the usage of various IPv4-as-a-Service (IPv4aas) technologies without the usage of
technology-specific Testers by reducing the aggregate of their CE technology-specific Testers by reducing the aggregate of their
(Customer Edge) and PE (Provider Edge) devices to a stateful NAT44 Customer Edge (CE) and Provider Edge (PE) devices to a stateful NAT44
gateway documented in (open access) paper [LEN2024a]. gateway documented in this (open access) paper: [LEN2024a].
8. Limitations of using UDP as Transport Layer Protocol 8. Limitations of Using UDP as a Transport Layer Protocol
The test frame format defined in RFC 2544 exclusively uses UDP (and The test frame format defined in [RFC2544] exclusively uses UDP (and
not TCP) as a transport layer protocol. Testing with UDP was kept in not TCP) as a transport layer protocol. Testing with UDP was kept in
both RFC 5180 and RFC 8219 regarding the standard benchmarking both [RFC5180] and [RFC8219] regarding the standard benchmarking
procedures (throughput, latency, frame loss rate, etc.). The procedures (throughput, latency, frame loss rate, etc.). The
benchmarking methodology proposed in this document follows this long benchmarking methodology proposed in this document follows this long-
established benchmarking tradition using UDP as a transport layer established benchmarking tradition using UDP as a transport layer
protocol, too. The rationale for this is that the standard protocol, too. The rationale for this is that the standard
benchmarking procedures require sending frames at arbitrary constant benchmarking procedures require sending frames at arbitrary constant
frame rates, which would violate the flow control and congestion frame rates, which would violate the flow control and congestion
control algorithms of the TCP protocol. TCP connection setup (using control algorithms of the TCP protocol. TCP connection setup (using
the three-way handshake) would further complicate testing. the three-way handshake) would further complicate testing.
Further potential transport layer protocols e.g., DCCP [RFC4340] and Further potential transport layer protocols, e.g., the Datagram
SCTP [RFC9260] are outside of the scope of this document, as the Congestion Control Protocol (DCCP) [RFC4340] and the Stream Control
widely-used stateful NAT44 and stateful NAT64 implementations do not Transmission Protocol (SCTP) [RFC9260], are outside of the scope of
support them. Although QUIC [RFC9000] is also considered a transport this document, as the widely used stateful NAT44 and stateful NAT64
layer protocol, but QUIC packets are carried in UDP datagrams thus implementations do not support them. Although QUIC [RFC9000] is also
QUIC does not need a special handling. considered a transport layer protocol, QUIC packets are carried in
UDP datagrams; thus, QUIC does not need a special handling.
Some stateful NATxy solutions handle TCP and UDP differently, e.g. Some stateful NATxy solutions handle TCP and UDP differently, e.g.,
iptables uses 30s timeout for UDP and 60s timeout for TCP. Thus iptables use a 30s timeout for UDP and a 60s timeout for TCP. Thus,
benchmarking results produced using UDP do not necessarily benchmarking results produced using UDP do not necessarily
characterize the performance of a NATxy gateway well enough when they characterize the performance of a NATxy gateway well enough when they
are used for forwarding Internet traffic. As for the given example, are used for forwarding Internet traffic. As for the given example,
timeout values of the DUT may be adjusted, but it requires extra timeout values of the DUT may be adjusted, but it requires extra
consideration. consideration.
Other differences in handling UDP or TCP are also possible. Thus, Other differences in handling UDP or TCP are also possible. Thus,
the authors recommend that further investigations should be performed the authors recommend that further investigations should be performed
in this field. in this field.
As a mitigation of this problem, this document recommends that As a mitigation of this problem, this document recommends that
testing with protocols using TCP (like HTTP and HTTPS up to version testing with protocols using TCP (like HTTP and HTTPS up to version
2) can be performed as described in [RFC9411]. This approach also 2) can be performed as described in [RFC9411]. This approach also
solves the potential problem of protocol helpers may be present in solves the potential problem of protocol helpers that may be present
the stateful DUT. in the stateful DUT.
As for HTTP/3, it uses QUIC, which uses UDP as stated above. It As for HTTP/3, it uses QUIC, which uses UDP as stated above. It
should be noted that QUIC is treated as any other UDP payload. The should be noted that QUIC is treated as any other UDP payload. The
proposed measurement method does not aim to measure the performance proposed measurement method does not aim to measure the performance
of QUIC, rather it aims to measure the performance of the stateful of QUIC, rather, it aims to measure the performance of the stateful
NATxy gateway. NATxy gateway.
9. Acknowledgements 9. IANA Considerations
The authors would like to thank Al Morton, Sarah Banks, Edwin
Cordeiro, Lukasz Bromirski, Sándor Répás, Tamás Hetényi, Timothy
Winters, Eduard Vasilenko, Minh Ngoc Tran, Paolo Volpato, Zeqi Lai,
and Bertalan Kovács for their comments.
The authors thank Warren Kumari, Michael Scharf, Alexey Melnikov,
Robert Sparks, David Dong, Roman Danyliw, Erik Kline, Murray
Kucherawy, Zaheduzzaman Sarker, and Éric Vyncke for their reviews and
comments.
This work was supported by the Japan Trust International Research
Cooperation Program of the National Institute of Information and
Communications Technology (NICT), Japan.
10. IANA Considerations
This document does not make any request to IANA. This document has no IANA actions.
11. Security Considerations 10. Security Considerations
This document has no further security considerations beyond that of This document has no further security considerations beyond that of
[RFC8219]. They should be cited here so that they be applied not [RFC8219]. They should be cited here so that they can be applied not
only for the benchmarking of IPv6 transition technologies but also only for the benchmarking of IPv6 transition technologies but also
for the benchmarking of any stateful NATxy gateways (allowing for for the benchmarking of any stateful NATxy gateways (allowing for
x=y, too). x=y, too).
12. References 11. References
12.1. Normative References 11.1. Normative References
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.
J., and E. Lear, "Address Allocation for Private J., and E. Lear, "Address Allocation for Private
Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918,
February 1996, <https://www.rfc-editor.org/info/rfc1918>. February 1996, <https://www.rfc-editor.org/info/rfc1918>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
skipping to change at page 27, line 28 skipping to change at line 1203
[RFC9260] Stewart, R., Tüxen, M., and K. Nielsen, "Stream Control [RFC9260] Stewart, R., Tüxen, M., and K. Nielsen, "Stream Control
Transmission Protocol", RFC 9260, DOI 10.17487/RFC9260, Transmission Protocol", RFC 9260, DOI 10.17487/RFC9260,
June 2022, <https://www.rfc-editor.org/info/rfc9260>. June 2022, <https://www.rfc-editor.org/info/rfc9260>.
[RFC9411] Balarajah, B., Rossenhoevel, C., and B. Monkman, [RFC9411] Balarajah, B., Rossenhoevel, C., and B. Monkman,
"Benchmarking Methodology for Network Security Device "Benchmarking Methodology for Network Security Device
Performance", RFC 9411, DOI 10.17487/RFC9411, March 2023, Performance", RFC 9411, DOI 10.17487/RFC9411, March 2023,
<https://www.rfc-editor.org/info/rfc9411>. <https://www.rfc-editor.org/info/rfc9411>.
12.2. Informative References 11.2. Informative References
[DUST1964] Durstenfeld, R., "Algorithm 235: Random
permutation", Communications of the ACM, vol. 7, no. 7,
p.420., DOI 10.1145/364520.364540, July 1964,
<https://dl.acm.org/doi/10.1145/364520.364540>.
[I-D.lencse-v6ops-transition-scalability] [DUST1964] Durstenfeld, R., "Algorithm 235: Random permutation",
Lencse, G., "Scalability of IPv6 Transition Technologies Communications of the ACM, vol. 7, no. 7, p. 420,
for IPv4aaS", Work in Progress, Internet-Draft, draft- DOI 10.1145/364520.364540, July 1964,
lencse-v6ops-transition-scalability-05, 14 October 2023, <https://dl.acm.org/doi/pdf/10.1145/364520.364540>.
<https://datatracker.ietf.org/doc/html/draft-lencse-v6ops-
transition-scalability-05>.
[IIR2020] Kurahashi, T., Matsuzaki, Y., Sasaki, T., Saito, T., and [IIR2020] Kurahashi, T., Matsuzaki, Y., Sasaki, T., Saito, T., and
F. Tsutsuji, "Periodic observation report: Internet trends F. Tsutsuji, "Periodic Observation Report: Internet Trends
as seen from IIJ infrastructure - 2020", Internet as Seen from IIJ Infrastructure - 2020", Internet
Infrastructure Review, vol. 49, December 2020, Initiative Japan Inc., Internet Infrastructure Review,
vol. 49, December 2020,
<https://www.iij.ad.jp/en/dev/iir/pdf/ <https://www.iij.ad.jp/en/dev/iir/pdf/
iir_vol49_report_EN.pdf>. iir_vol49_report_EN.pdf>.
[LEN2015] Lencse, G., "Estimation of the Port Number Consumption of [LEN2015] Lencse, G., "Estimation of the Port Number Consumption of
Web Browsing", IEICE Transactions on Communications, vol. Web Browsing", IEICE Transactions on Communications, vol.
E98-B, no. 8. pp. 1580-1588, DOI DOI: E98-B, no. 8. pp. 1580-1588,
10.1587/transcom.E98.B.1580, 1 August 2015, DOI 10.1587/transcom.E98.B.1580, August 2015,
<http://www.hit.bme.hu/~lencse/publications/ <https://www.hit.bme.hu/~lencse/publications/
e98-b_8_1580.pdf>. e98-b_8_1580.pdf>.
[LEN2020] Lencse, G., "Adding RFC 4814 Random Port Feature to [LEN2020] Lencse, G., "Adding RFC 4814 Random Port Feature to
Siitperf: Design, Implementation and Performance Siitperf: Design, Implementation and Performance
Estimation", International Journal of Advances in Estimation", International Journal of Advances in
Telecommunications, Electrotechnics, Signals and Systems, Telecommunications, Electrotechnics, Signals and Systems,
vol 9, no 3, pp. 18-26., DOI 10.11601/ijates.v9i3.291, vol 9, no 3, pp. 18-26., DOI 10.11601/ijates.v9i3.291,
2020, November 2020,
<http://ijates.org/index.php/ijates/article/view/291>. <http://ijates.org/index.php/ijates/article/view/291>.
[LEN2022] Lencse, G., "Design and Implementation of a Software [LEN2022] Lencse, G., "Design and Implementation of a Software
Tester for Benchmarking Stateful NAT64xy Gateways: Theory Tester for Benchmarking Stateful NAT64xy Gateways: Theory
and Practice of Extending Siitperf for Stateful and Practice of Extending Siitperf for Stateful Tests",
Tests", Computer Communications, vol. 172, no. 1, pp. Computer Communications, vol. 192, pp. 75-88,
75-88, DOI 10.1016/j.comcom.2022.05.028, 1 August 2022, DOI 10.1016/j.comcom.2022.05.028, August 2022,
<https://www.sciencedirect.com/science/article/pii/ <https://www.sciencedirect.com/science/article/pii/
S0140366422001803>. S0140366422001803>.
[LEN2023] Lencse, G., Shima, K., and K. Cho, "Benchmarking [LEN2023] Lencse, G., Shima, K., and K. Cho, "Benchmarking
methodology for stateful NAT64 gateways", Computer methodology for stateful NAT64 gateways", Computer
Communications, vol. 210, no. 1, pp. 256-272, Communications, vol. 210, pp. 256-272,
DOI 10.1016/j.comcom.2023.08.009, 1 October 2023, DOI 10.1016/j.comcom.2023.08.009, October 2023,
<https://www.sciencedirect.com/science/article/pii/ <https://www.sciencedirect.com/science/article/pii/
S0140366423002931>. S0140366423002931>.
[LEN2024a] Lencse, G. and Á. Bazsó, "Benchmarking methodology for [LEN2024a] Lencse, G. and Á. Bazsó, "Benchmarking methodology for
IPv4aaS technologies: Comparison of the scalability of the IPv4aaS technologies: Comparison of the scalability of the
Jool implementation of 464XLAT and MAP-T", Computer Jool implementation of 464XLAT and MAP-T", Computer
Communications, vol. 219, no. 1, pp. 243-258, Communications, vol. 219, pp. 243-258,
DOI 10.1016/j.comcom.2024.03.007, 1 April 2024, DOI 10.1016/j.comcom.2024.03.007, April 2024,
<https://www.sciencedirect.com/science/article/pii/ <https://www.sciencedirect.com/science/article/pii/
S0140366424000999>. S0140366424000999>.
[LEN2024b] Lencse, G., "Making stateless and stateful network [LEN2024b] Lencse, G., "Making stateless and stateful network
performance measurements unbiased", Computer performance measurements unbiased", Computer
Communications, DOI 10.1016/j.comcom.2024.05.018, Communications, vol. 225, pp. 141-155,
DOI 10.1016/j.comcom.2024.05.018, September 2024,
<https://www.sciencedirect.com/science/article/abs/pii/ <https://www.sciencedirect.com/science/article/abs/pii/
S0140366424001993>. S0140366424001993>.
[SIITPERF] Lencse, G., "Siitperf: An RFC 8219 compliant SIIT and [SCALABILITY]
stateful NAT64/NAT44 tester written in C++ using Lencse, G., "Scalability of IPv6 Transition Technologies
DPDK", source code, available from GitHub, 2019-2023, for IPv4aaS", Work in Progress, Internet-Draft, draft-
<https://github.com/lencsegabor/siitperf>. lencse-v6ops-transition-scalability-05, 14 October 2023,
<https://datatracker.ietf.org/doc/html/draft-lencse-v6ops-
Appendix A. Change Log transition-scalability-05>.
A.1. 00
Initial version.
A.2. 01
Updates based on the comments received on the BMWG mailing list and
minor corrections.
A.3. 02
Section 4.4 was completely re-written. As a consequence, the
occurrences of the now undefined "mostly different" source port
number destination port number combinations were deleted from
Section 4.5, too.
A.4. 03
Added Section 4.3 about the consideration of the cases of stateful
operation.
Consistency checking. Removal of some parts obsoleted by the
previous re-writing of Section 4.4.
Added Section 4.8 about the method for measuring connection tear-down
rate.
Updates for Section 7 about the implementation and experience.
A.5. 04
Update of the abstract.
Added Section 4.6 about validation of connection establishment.
Added Section 4.9 about the method for measuring connection tracking
table capacity.
Consistency checking and corrections.
A.6. 00 - WG item
Added measurement setup for Stateful NAT64 gateways.
Consistency checking and corrections.
A.7. 01
Added Section 4.5.1 about typical types of measurement series and
reporting format.
A.8. 02
Added the usage of multiple IP addresses.
Section 4.5.1 was removed and split into two Sections: Section 5
about scalability measurements and Section 6 about reporting format.
A.9. 03
Updated the usage of multiple IP addresses.
Test phases were renamed as follows:
* preliminary test phase --> test phase 1
* real test phase --> test phase 2.
A.10. 04
Minor updates to Section 3.2 and Section 7.
A.11. 05
Minor updates addressing WGLC nits (adding the definition of "black [SIITPERF] "Siitperf: An RFC 8219 compliant SIIT and stateful NAT64/
box", and performing a high amount of grammatical corrections). NAT44 tester", commit 165cb7f, September 2023,
<https://github.com/lencsegabor/siitperf>.
A.12. 06 Acknowledgements
Language editing addressing preliminary AD review comments by The authors would like to thank Al Morton, Sarah Banks, Edwin
eliminating the occurrences of first person singular ("we", "our"). Cordeiro, Lukasz Bromirski, Sándor Répás, Tamás Hetényi, Timothy
Winters, Eduard Vasilenko, Minh Ngoc Tran, Paolo Volpato, Zeqi Lai,
and Bertalan Kovács for their comments.
A.13. 07 The authors thank Warren Kumari, Michael Scharf, Alexey Melnikov,
Robert Sparks, David Dong, Roman Danyliw, Erik Kline, Murray
Kucherawy, Zaheduzzaman Sarker, and Éric Vyncke for their reviews and
comments.
Updates addressing IESG Last Call comments. This work was supported by the Japan Trust International Research
Cooperation Program of the National Institute of Information and
Communications Technology (NICT), Japan.
Authors' Addresses Authors' Addresses
Gábor Lencse Gábor Lencse
Széchenyi István University Széchenyi István University
Győr Győr
Egyetem tér 1. Egyetem tér 1.
H-9026 H-9026
Hungary Hungary
Email: lencse@sze.hu Email: lencse@sze.hu
Keiichi Shima Keiichi Shima
SoftBank Corp. SoftBank Corp.
1-7-1 Kaigan, Tokyo 1-7-1 Kaigan, Minato-ku, Tokyo
105-7529 105-7529
Japan Japan
Email: shima@wide.ad.jp Email: shima@wide.ad.jp
URI: https://softbank.co.jp/ URI: https://softbank.co.jp/
 End of changes. 170 change blocks. 
590 lines changed or deleted 537 lines changed or added

This html diff was produced by rfcdiff 1.48.