Difference between revisions of "VPP/NAT"
From fd.io
< VPP
m (→Work list) |
(→API) |
||
| Line 133: | Line 133: | ||
== API == | == API == | ||
| + | add/del 1:1 NAT: | ||
define snat_add_static_mapping { | define snat_add_static_mapping { | ||
u32 client_index; | u32 client_index; | ||
| Line 143: | Line 144: | ||
u16 local_port; | u16 local_port; | ||
u16 external_port; | u16 external_port; | ||
| + | u32 vrf_id; | ||
}; | }; | ||
| + | |||
| + | dump 1:1 NAT: | ||
| + | define snat_static_mapping_dump { | ||
| + | u32 client_index; | ||
| + | u32 context; | ||
| + | }; | ||
| + | |||
| + | define snat_static_mapping_details { | ||
| + | u32 context; | ||
| + | u8 is_ip4; | ||
| + | u8 addr_only; | ||
| + | u8 local_ip_address[16]; | ||
| + | u8 external_ip_address[16]; | ||
| + | u16 local_port; | ||
| + | u16 external_port; | ||
| + | u32 vrf_id; | ||
| + | }; | ||
| + | |||
| + | dump S-NAT plugin config: | ||
| + | define snat_show_config { | ||
| + | u32 client_index; | ||
| + | u32 context; | ||
| + | }; | ||
| + | |||
| + | define snat_show_config_reply { | ||
| + | u32 context; | ||
| + | i32 retval; | ||
| + | u8 static_mapping_only; | ||
| + | u8 static_mapping_connection_tracking; | ||
| + | u32 translation_buckets; | ||
| + | u32 translation_memory_size; | ||
| + | u32 user_buckets; | ||
| + | u32 user_memory_size; | ||
| + | u32 max_translations_per_user; | ||
| + | u32 outside_vrf_id; | ||
| + | u32 inside_vrf_id; | ||
| + | }; | ||
== CLI == | == CLI == | ||
Revision as of 12:06, 29 September 2016
Contents
VPP NAT implementation
Introduction
The VPP SNAT is an implementation of NAT44. It is a plugin and is meant to replace the VCGN component. The target use case is a general IPv4 CPE NAT, a CGN and to act as a NAT44 in a Openstack deployment.
It is intended to be pluggable, in the sense that it should be possible to plug the NAT44 function together with the MAP-E IPv4 to IPv6 translator to create a MAP-E CE, likewise one can plug the NAT44 together with MAP-T to create a MAP-T CE or 464XLAT.
Features are tracked as they are developed in the following VPP-441.
Until code is upstreamed it is developed on gitub.
Requirements
- Scale to millions of bindings
- Performance goal of 10Mpps/core.
- Configurable address and port selection algorithm.
- User quotas for sessions.
- Thread safe
- Efficient port utilisation. Endpoint independent for applications requiring it, address and port filtering otherwise
- No ALGs
- Configurable IP address pooling behavour
- Plugable with MAP-E/T to create MAP-E/T CE, 464XLAT
- Stateful NAT64
- Support for NAT on a stick (single inside / outside interface)
Work list
| Task | Owner | Priority | Status | Description | |
|---|---|---|---|---|---|
| 1:1 NAT | Matus | 0 | Committed | VPP-339 | |
| 1:1 NAT with ports | Matus | 0 | Committed | VPP-339 | |
| 1:1 NAT with disabled dynamic translation | Matus | 0 | Committed | VPP-339 add "static mapping only [connection tracking]" to snat startup config. | |
| VRF awareness | Matus | 0 | Committed | VPP-339 One tenant == One VRF. One VRF == multiple interfaces / multiple subnets, add vrf to static mapping API/CLI. | |
| 1:1 NAT delete and dump API | Matus | 0 | Committed | VPP-339 | |
| Multiple inside interface - Multiple subnets | 0 | VPP-447 Multiple inside interfaces for the same "tenant" with non-overlapping address space. | |||
| Inside overlapping interfaces | 0 | VPP-446 Tenants on separate interfaces, separate VRFs with overlapping address space. | |||
| Thread safe | 0 | VPP-443 | |||
| Hairpinning | 1 | VPP-444 Hosts communicating behind the same NAT using the external representation of their address. | |||
| Logging | 1 | VPP-445 | Netflow - IPFix | ||
| API (Java and Python) | |||||
| Input ACL support before NAT | |||||
| Multiple outside interfaces | |||||
| ICMP error packet translation | |||||
| DS-lite | |||||
| NAT64 |
API
add/del 1:1 NAT:
define snat_add_static_mapping {
u32 client_index;
u32 context;
u8 is_add;
u8 is_ip4;
u8 addr_only;
u8 local_ip_address[16];
u8 external_ip_address[16];
u16 local_port;
u16 external_port;
u32 vrf_id;
};
dump 1:1 NAT: define snat_static_mapping_dump {
u32 client_index; u32 context;
};
define snat_static_mapping_details {
u32 context; u8 is_ip4; u8 addr_only; u8 local_ip_address[16]; u8 external_ip_address[16]; u16 local_port; u16 external_port; u32 vrf_id;
};
dump S-NAT plugin config: define snat_show_config {
u32 client_index; u32 context;
};
define snat_show_config_reply {
u32 context; i32 retval; u8 static_mapping_only; u8 static_mapping_connection_tracking; u32 translation_buckets; u32 translation_memory_size; u32 user_buckets; u32 user_memory_size; u32 max_translations_per_user; u32 outside_vrf_id; u32 inside_vrf_id;
};
CLI
snat add static mapping local <ip4-addr> [<port>] external <ip4-addr> [<port>]
YANG model
References
- RFC2663 - NAT terminology and considerations
- RFC4787 - NAT requirements for UDP
- RFC5382 - NAT requirements for TCP
- RFC5508 - NAT requirements for ICMP
- RFC6888 - CGN requirements - qualify and plan dev sequence:
- RFC7422 - Deterministic address mapping
- draft-ietf-behave-ipfix-nat-logging - IPFIX Information Elements for logging NAT Events
