Difference between revisions of "VPP/NAT"
From fd.io
< VPP
(Created page with "= S-NAT = == Introduction == What are we building? A general purpose stateful NAT44 that can be used as IPv4 CPE NAT, CGN or as an 1:1 NAT in a data centre environment. It c...") |
|||
| Line 1: | Line 1: | ||
| − | = | + | = VPP NAT implementation = |
== Introduction == | == Introduction == | ||
| Line 13: | Line 13: | ||
Logging, initially with Netflow and telemetry. | Logging, initially with Netflow and telemetry. | ||
Integration with MAP-E, MAP-T, LW46 to build MAP CEs. | Integration with MAP-E, MAP-T, LW46 to build MAP CEs. | ||
| + | |||
| + | == Requirements == | ||
| + | * Scale to millions of bindings | ||
| + | * User quotas | ||
| + | * Thread safe | ||
| + | * Efficient port utilisation. Endpoint independent for applications requiring it, address and port filtering otherwise | ||
| + | * No ALGs | ||
| + | * Configurable IP address pooling behavour | ||
| + | * Plugable with MAP-E/T to create MAP-E/T CE, 464XLAT | ||
| + | * Stateful NAT64 | ||
| + | * Support for NAT on a stick (single inside / outside interface) | ||
== Work list == | == Work list == | ||
| Line 33: | Line 44: | ||
| 0 | | 0 | ||
| Committed | | Committed | ||
| − | | https://jira.fd.io/browse/VPP-339 VPP-339] | + | | [https://jira.fd.io/browse/VPP-339 VPP-339] |
|- | |- | ||
| 1:1 NAT with disabled dynamic translation | | 1:1 NAT with disabled dynamic translation | ||
| Line 39: | Line 50: | ||
| 0 | | 0 | ||
| Committed | | Committed | ||
| − | | https://jira.fd.io/browse/VPP-339 VPP-339] add "static mapping only [connection tracking]" to snat startup config. | + | | [https://jira.fd.io/browse/VPP-339 VPP-339] add "static mapping only [connection tracking]" to snat startup config. |
|- | |- | ||
| VRF awareness | | VRF awareness | ||
| Line 112: | Line 123: | ||
| | | | ||
|} | |} | ||
| + | |||
| + | == API == | ||
| + | |||
| + | == CLI == | ||
| + | |||
| + | == YANG model == | ||
| + | |||
| + | == References == | ||
| + | * [http://tools.ietf.org/html/rfc2663 RFC2663] - NAT terminology and considerations | ||
| + | * [http://tools.ietf.org/html/rfc4787 RFC4787] - NAT requirements for UDP | ||
| + | * [http://tools.ietf.org/html/rfc5382 RFC5382] - NAT requirements for TCP | ||
| + | * [http://tools.ietf.org/html/rfc5508 RFC5508] - NAT requirements for ICMP | ||
| + | * [http://tools.ietf.org/html/rfc6888 RFC6888] - CGN requirements - qualify and plan dev sequence: | ||
| + | * [http://tools.ietf.org/html/rfc7422 RFC7422] - Deterministic address mapping | ||
| + | * [http://tools.ietf.org/html/draft-ietf-behave-ipfix-nat-logging draft-ietf-behave-ipfix-nat-logging] - IPFIX Information Elements for logging NAT Events | ||
Revision as of 10:57, 27 September 2016
Contents
VPP NAT implementation
Introduction
What are we building? A general purpose stateful NAT44 that can be used as IPv4 CPE NAT, CGN or as an 1:1 NAT in a data centre environment. It can also be combined with other features to build e.g. 464XLAT or a MAP-E CE. General features: Stateful NAT44, stateful NAT64. We do not intend to support any ALGs. Support for millions of static and dynamic sessions. Wth the goal of 10Mpps /core. Ability to enforce per-user (aka inside address) session limitations. Configurable address and port selection algorithm. Dynamically choose between endpoint dependent and endpoint independent behaviour. Logging, initially with Netflow and telemetry. Integration with MAP-E, MAP-T, LW46 to build MAP CEs.
Requirements
- Scale to millions of bindings
- User quotas
- Thread safe
- Efficient port utilisation. Endpoint independent for applications requiring it, address and port filtering otherwise
- No ALGs
- Configurable IP address pooling behavour
- Plugable with MAP-E/T to create MAP-E/T CE, 464XLAT
- Stateful NAT64
- Support for NAT on a stick (single inside / outside interface)
Work list
| Task | Owner | Priority | Status | Description |
|---|---|---|---|---|
| 1:1 NAT | Matus | 0 | Committed | VPP-339 |
| 1:1 NAT with ports | Matus | 0 | Committed | VPP-339 |
| 1:1 NAT with disabled dynamic translation | Matus | 0 | Committed | VPP-339 add "static mapping only [connection tracking]" to snat startup config. |
| VRF awareness | Matus | 0 | WIP | |
| Multiple inside interface - Multiple subnets | 0 | Multiple inside interfaces for the same "tenant" with non-overlapping address space. | ||
| Inside overlapping interfaces | 0 | Tenants on separate interfaces, separate VRFs with overlapping address space. | ||
| Thread safe | 0 | |||
| Hairpinning | 1 | Hosts communicating behind the same NAT using the external representation of their address. | ||
| Logging | 1 | Netflow - IPFix | ||
| API (Java and Python) | ||||
| Input ACL support before NAT | ||||
| Multiple outside interfaces | ||||
| ICMP error packet translation | ||||
| DS-lite | ||||
| NAT64 |
API
CLI
YANG model
References
- RFC2663 - NAT terminology and considerations
- RFC4787 - NAT requirements for UDP
- RFC5382 - NAT requirements for TCP
- RFC5508 - NAT requirements for ICMP
- RFC6888 - CGN requirements - qualify and plan dev sequence:
- RFC7422 - Deterministic address mapping
- draft-ietf-behave-ipfix-nat-logging - IPFIX Information Elements for logging NAT Events
