VPP/NAT
From fd.io
Contents
- 1 VPP NAT implementation
- 1.1 Introduction
- 1.2 Requirements
- 1.3 Work list
- 1.4 API
- 1.5 CLI
- 1.5.1 Enable S-NAT feature example
- 1.5.2 NAPT - add pool address example
- 1.5.3 1:1 NAT example
- 1.5.4 1:1 NAT with ports example
- 1.5.5 Set S-NAT workers example
- 1.5.6 Enable S-NAT IPFIX logging example
- 1.5.7 Add S-NAT pool address from specific (DHCP addressed) interfce example
- 1.5.8 1:1 NAT for DHCP addressed interface example
- 1.6 Startup config
- 1.7 NAT IPFIX logging
- 1.8 YANG model
- 1.9 References
VPP NAT implementation
Introduction
The VPP SNAT is an implementation of NAT44. It is a plugin and is meant to replace the VCGN component. The target use case is a general IPv4 CPE NAT, a CGN and to act as a NAT44 in a Openstack deployment.
It is intended to be pluggable, in the sense that it should be possible to plug the NAT44 function together with the MAP-E IPv4 to IPv6 translator to create a MAP-E CE, likewise one can plug the NAT44 together with MAP-T to create a MAP-T CE or 464XLAT.
Features are tracked as they are developed in the following VPP-441.
Until code is upstreamed it is developed on gitub.
Requirements
- Scale to millions of bindings
- Performance goal of 10Mpps/core.
- Configurable address and port selection algorithm.
- User quotas for sessions.
- Thread safe
- Efficient port utilisation. Endpoint independent for applications requiring it, address and port filtering otherwise
- No ALGs
- Configurable IP address pooling behavour
- Plugable with MAP-E/T to create MAP-E/T CE, 464XLAT
- Stateful NAT64
- Support for NAT on a stick (single inside / outside interface)
Work list
| Task | Owner | Planned Release | Status | Description |
|---|---|---|---|---|
| 1:1 NAT | Matus | 0 | Committed | VPP-339 |
| 1:1 NAT with ports | Matus | 0 | Committed | VPP-339 |
| 1:1 NAT with disabled dynamic translation | Matus | 0 | Committed | VPP-339 add "static mapping only [connection tracking]" to snat startup config. |
| VRF awareness | Matus | 0 | Committed | VPP-339 One tenant == One VRF. One VRF == multiple interfaces / multiple subnets, add vrf to static mapping API/CLI. |
| 1:1 NAT delete and dump API | Matus | 0 | Committed | VPP-339 |
| SNAT: Delete and dump addresses | Matus | 0 | Committed | VPP-453 |
| Multiple inside interface - Multiple subnets | Matus | 0 | DONE | VPP-447 Multiple inside interfaces for the same "tenant" with non-overlapping address space. |
| Inside overlapping interfaces | Matus | 0 | Committed | VPP-446 Tenants on separate interfaces, separate VRFs with overlapping address space. |
| Thread safe | Matus | 0 | Committed | VPP-443 All traffic corresponding to a specific session to be handled by a CPU core. |
| SNAT: Dump API for in and out interfaces | Matus | 0 | Committed | VPP-459 |
| SNAT: Address range overlapping | Matus | 0 | Committed | VPP-478 |
| API (Java and Python) | 0 | Done | HONEYCOMB-135 SNAT - Honeycomb | |
| SNAT: make test | Matus | DONE | ||
| Hairpinning | Matus | 1 | DONE | VPP-444 Hosts communicating behind the same NAT using the external representation of their address. hairpinning |
| Logging | Matus | 17.04 | DONE | VPP-445 Netflow - IPFix |
| Configurable Port Allocation Algorithms | Matus | 17.04 | WIP | CGN. High efficiency port utilisation. Dynamic endpoint-independent filtering versus address-dependent filtering. VPP-623 |
| Configurable IP address pooling behaviour | 17.04 | CGN. | ||
| Port allocation per protocol | Matus | 17.04 | DONE | CGN VPP-622 |
| SNAT: static mappings for dhcp addressed interfaces | Matus | 17.04 | DONE | home gateway VPP-590 |
| SNAT: Add outside addresses to FIB | Matus | 17.04 | DONE | FDS VPP-613 |
| Performance | 10Mpps/core. Linear scaling with number of cores. | |||
| Scale | 10 million sessions. | |||
| Input ACL support before NAT | ||||
| Multiple outside interfaces | ||||
| ICMP error packet translation | Juraj | 17.04 | DONE | VPP-629 |
| MAP-E CE | 1 | |||
| DS-lite | ||||
| NAT64 | ||||
| IP fragmentation | ||||
| PCP | No plan. |
API
add S-NAT plugin external address range:
define snat_add_address_range {
u32 client_index;
u32 context;
u8 is_ip4;
u8 first_ip_address[16];
u8 last_ip_address[16];
u8 is_add;
};
dump S-NAT plugin external addresses:
define snat_address_dump {
u32 client_index;
u32 context;
};
define snat_address_details {
u32 context;
u8 is_ip4;
u8 ip_address[16];
};
enable/disable S-NAT feature on the interface:
define snat_interface_add_del_feature {
u32 client_index;
u32 context;
u8 is_add;
u8 is_inside;
u32 sw_if_index;
};
dump interfaces with S-NAT feature:
define snat_interface_dump {
u32 client_index;
u32 context;
};
define snat_interface_details {
u32 context;
u8 is_inside;
u32 sw_if_index;
};
add/del 1:1 NAT:
define snat_add_static_mapping {
u32 client_index;
u32 context;
u8 is_add;
u8 is_ip4;
u8 addr_only;
u8 local_ip_address[16];
u8 external_ip_address[16];
u8 protocol;
u16 local_port;
u16 external_port;
u32 external_sw_if_index;
u32 vrf_id;
};
dump 1:1 NAT:
define snat_static_mapping_dump {
u32 client_index;
u32 context;
};
define snat_static_mapping_details {
u32 context;
u8 is_ip4;
u8 addr_only;
u8 local_ip_address[16];
u8 external_ip_address[16];
u8 protocol;
u16 local_port;
u16 external_port;
u32 vrf_id;
};
show S-NAT plugin config:
define snat_show_config {
u32 client_index;
u32 context;
};
define snat_show_config_reply {
u32 context;
i32 retval;
u8 static_mapping_only;
u8 static_mapping_connection_tracking;
u32 translation_buckets;
u32 translation_memory_size;
u32 user_buckets;
u32 user_memory_size;
u32 max_translations_per_user;
u32 outside_vrf_id;
u32 inside_vrf_id;
};
set S-NAT plugin workers:
define snat_set_workers {
u32 client_index;
u32 context;
u64 worker_mask;
};
dump S-NAT plugin workers:
define snat_worker_dump {
u32 client_index;
u32 context;
};
define snat_worker_details {
u32 context;
u32 worker_index;
u32 lcore_id;
u8 name[64];
};
add/del S-NAT pool address from specific interfce:
define snat_add_del_interface_addr {
u32 client_index;
u32 context;
u8 is_add;
u8 is_inside;
u32 sw_if_index;
};
dump S-NAT pool addresses interfaces:
define snat_interface_addr_dump {
u32 client_index;
u32 context;
};
define snat_interface_addr_details {
u32 context;
u32 sw_if_index;
};
enable/disable S-NAT IPFIX logging:
define snat_ipfix_enable_disable {
u32 client_index;
u32 context;
u32 domain_id;
u16 src_port;
u8 enable;
};
CLI
set interface snat in <intfc> out <intfc> [del] snat add addresses <ip4-range-start> [- <ip4-range-end>] snat add static mapping tcp|udp|icmp local <ip4-addr> [<port>] external (<ip4-addr>|<intfc>) [<port>] [vrf <table-id>] [del] set snat workers <workers-list> snat ipfix logging [domain <domain-id>] [src-port <port>] [disable] snat add interface address <interface> [del] show snat [detail|verbose]
Enable S-NAT feature example
To enable NAT feature with local network interface GigabitEthernet0/8/0 and external network interface GigabitEthernet0/a/0 use:
vpp# set interface snat in GigabitEthernet0/8/0 out GigabitEthernet0/a/0
NAPT - add pool address example
To add NAT pool address use:
vpp# snat add address 172.16.1.3 vpp# snat add address 172.16.2.2 - 172.16.2.24
1:1 NAT example
To create static mapping between local address 10.0.0.3 and external address 4.4.4.4 use:
vpp# snat add static mapping local 10.0.0.3 external 4.4.4.4
1:1 NAT with ports example
If not runnig "static mapping only" S-NAT plugin mode first use:
vpp# snat add address 4.4.4.4
To create static mapping between local host address 10.0.0.3 port 6303 and external address 4.4.4.4 port 3606 for TCP protocol use:
vpp# snat add static mapping tcp local 10.0.0.3 6303 external 4.4.4.4 3606
Set S-NAT workers example
To set S-NAT workers (2 or more workers available, by default S-NAT use all available worker threads) use:
vpp# set snat workers 0-1
Enable S-NAT IPFIX logging example
To set IPFIX exporter use:
vpp# set ipfix exporter collector 10.10.10.3 src 10.10.10.1
To enable SNAT IPFIX logging use:
vpp# snat ipfix logging
Add S-NAT pool address from specific (DHCP addressed) interfce example
To add S-NAT pool address from specific interfce use:
vpp# snat add interface address GigabitEthernet0/8/0
1:1 NAT for DHCP addressed interface example
To add static mapping for DHCP addressed interface use:
vpp# snat add static mapping tcp local 10.0.0.3 6303 external GigabitEthernet0/a/0 3606
Startup config
translation hash buckets <n> - default 1024 translation hash memory <n> - default 128<<20 user hash buckets <n> - default 128 user hash memory <n> - default 64<<20 max translations per user <n> - default 100 outside VRF id <table-id> - default 0 inside VRF id <table-id> - default 0 static mapping only [connection tracking] - default dynamic traslations enabled
NAT IPFIX logging
Supported NAT events:
| Event Name | Value |
|---|---|
| NAT Addresses exhausted | 3 |
| NAT44 Session create | 4 |
| NAT44 Session delete | 5 |
Address Exhausted event template:
| Field Name | Size (bits) |
|---|---|
| observationTimeMilliseconds | 64 |
| natEvent | 8 |
| natPoolId | 32 |
NAT44 Session delete/create template:
| Field Name | Size (bits) |
|---|---|
| observationTimeMilliseconds | 64 |
| natEvent | 8 |
| sourceIPv4Address | 32 |
| postNATSourceIPv4Address | 32 |
| protocolIdentifier | 8 |
| sourceTransportPort | 16 |
| postNAPTSourceTransportPort | 16 |
| ingressVRFID | 32 |
YANG model
References
- RFC2663 - NAT terminology and considerations
- RFC4787 - NAT requirements for UDP
- RFC5382 - NAT requirements for TCP
- RFC5508 - NAT requirements for ICMP
- RFC6888 - CGN requirements - qualify and plan dev sequence:
- RFC7422 - Deterministic address mapping
- draft-ietf-behave-ipfix-nat-logging - IPFIX Information Elements for logging NAT Events
