aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/nat44-ed
diff options
context:
space:
mode:
authorFilip Varga <fivarga@cisco.com>2022-05-26 13:49:22 +0200
committerDave Wallace <dwallacelf@gmail.com>2022-09-20 23:10:35 +0000
commitc119e796f535046c33430a92949addcf11dbf684 (patch)
tree633d1b7b279d953bdc834c9aab64353a823b6576 /src/plugins/nat/nat44-ed
parented9b67429e6c8e0b37c98ba37e876565f1d8e13e (diff)
nat: adding docs for nat44-ed sub plugin
Type: docs Change-Id: Icfa2bdc9367f8438b53da7c89caec263ed6ab056 Signed-off-by: Filip Varga <fivarga@cisco.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Diffstat (limited to 'src/plugins/nat/nat44-ed')
-rw-r--r--src/plugins/nat/nat44-ed/nat44_ed_doc.rst729
1 files changed, 729 insertions, 0 deletions
diff --git a/src/plugins/nat/nat44-ed/nat44_ed_doc.rst b/src/plugins/nat/nat44-ed/nat44_ed_doc.rst
new file mode 100644
index 00000000000..a54531c688c
--- /dev/null
+++ b/src/plugins/nat/nat44-ed/nat44_ed_doc.rst
@@ -0,0 +1,729 @@
+.. _NAT44_Endpoint_Dependent:
+
+.. toctree::
+
+NAT44-ED: NAT44 Endpoint Dependent
+==================================
+
+Introduction
+------------
+
+NAT44-ED is the IPv4 endpoint dependent network address translation
+plugin. The component implements an address and port-dependent mapping
+and address and port-dependent filtering NAT as described in
+`RFC4787 <https://tools.ietf.org/html/rfc4787>`__.
+
+The outside address and port (X1’:x1’) is reused for internal hosts
+(X:x) for different values of Y:y. A flow is matched by {source address,
+destination address, protocol, transport source port, transport
+destination port, fib index}. As long as all these are unique the
+mapping is valid. While a single outside address in theory allows for
+2^16 source ports \* 2^32 destination IP addresses \* 2^16 destination
+ports = 2^64 sessions, this number is much smaller in practice. Few
+destination ports are generally used (80, 443) and a fraction of the IP
+address space is available. The limitation is 2^16 bindings per outside
+IP address to a single destination address and port (Y:y).
+
+The implementation is split, a control-plane / slow-path and a
+data-plane / fast-path. Essentially acting as a flow router. The
+data-plane does a 6-tuple flow lookup (SA, DA, P, SP, DP, FIB) and on a
+match runs the per-flow packet handling instructions on the packet. On a
+flow lookup miss, the packet is punted to the slow-path, where depending
+on policy new sessions are created.
+
+The support set of packet handling instructions is ever-increasing.
+Currently, the implementation supports rewrite of SA, DA, SP, DP and TCP
+MSS. The fast-path also does connection tracking and expiry of older
+sessions.
+
+NAT44-ED uses 6
+tuple\ ``(src address, src port, dst address, dst port, protocol and fib)``\ for
+matching communication.
+
+Structure
+~~~~~~~~~
+
+1) Dynamic NAT
+
+- also called PAT (Port Address Translation)
+- supports port overloading
+
+2) Static NAT
+
+- types of Static NAT:
+
+ a) identity mapping
+
+ - exceptions to translations
+
+ b) static mapping
+
+ - supported features:
+
+ 1. address only mapping
+
+ - one to one translation without ports
+
+ 2. twice-nat
+
+ - double-nat, translation of source and destination
+
+ 3. self-twice-nat
+
+ - double nat, translation of source and destination, where
+ external host address is the same as local host address
+
+ 4. out2in-only mapping
+
+ - session is created only from outside interface (out2in feature)
+
+ c) load balanced static mapping
+
+ - translates one frontend (``addr``:``port``) to multiple backends
+ (``addr``:``port``)
+
+3) Interfaces
+
+a) inside interface (in2out feature) - local to external network
+ translation - feature is before ip4-lookup
+b) outside interface (out2in feature) - external to local network
+ translation - feature is before ip4-lookup
+c) inside & outside interface (classify feature) - local or external
+ network translation - correct type of translation is determined per
+ communication - feature is before ip4-lookup
+d) output interface (output feature) - used for post routing translation
+ - feature is after ip4-lookup
+
+4) Addresses
+
+a) interface address - automatically managed external address - first
+ address of VPP interface
+b) pool address - range of external addresses
+
+5) Logging and Accounting
+
+a) ipfix logging
+b) syslog
+
+6) Miscellaneous Features
+
+a) inter-vrf translation control 1. basic
+
+ - nat44 plugin enable inside-vrf / outside-vrf
+ - inside/outside interface vrf’s
+
+ 2. advanced
+
+ - vrf table routing feature
+
+b) udp/tcp/icmp timeouts - configurable timeouts for these protocols
+c) session limiting 1. basic (plugin enable [sessions ] 2. advanced
+ (per vrf table / global limiting)
+d) mss-clamping - MSS (maximum segment size) is by default determined by
+ egress interface MTU (maximum transmission unit) size - used to lower
+ MSS value in VPN tunnel scenarios where additional headers can
+ enlarge the packet beyond MTU causing drops
+e) hairpinning - hosts on the same lan segment communicating via
+ external address
+f) forwarding - if enabled translation only occurs if active session or
+ static configuration exist, rest of the traffic is passed without
+ being translated
+
+Session Table
+-------------
+
+Session table exists per thread and contains pool of sessions that can
+be either expired or not expired. NAT44-ED plugin doesn’t use scavenging
+for clearing expired sessions. Rather then using scavenging plugin uses
+LRU doubly-linked list. LRU contains ordered list of sessions indices.
+Head of the list contains last updated session. Each session holds
+record of the LRU head (tcp transitory, tcp established, udp, icmp or
+unknown lru head). Because of this plugin can reach maximum number of
+sessions without requirement to clear old sessions. During session
+creation if a maximum number of sessions was reached LRU head is
+checked. Expired head record gets deleted and a new session gets
+created. For better performance LRU head records exist. Each time a new
+packet is received session index gets moved to the tail of LRU list.
+
+Terminology
+-----------
+
+IN2OUT (inside to outside translation) OUT2IN (outside to inside
+translation)
+
+NAT (network address translation) PAT (port address translation) MSS
+(maximum segment size) MTU (maximum transmission unit) VRF (virtual
+routing and forwarding)
+
+HAIRPINNING
+
+Dynamic NAT (Minimal Required Configuration)
+--------------------------------------------
+
+::
+
+ +-------------+
+ | 10.0.0.0/24 |
+ +-------------+
+ |
+ +----------------------+
+ | GigabitEthernet0/8/0 |
+ +----------------------+
+ +----------------------+
+ | GigabitEthernet0/a/0 |
+ +----------------------+
+ |
+ +-------------+
+ | 10.0.1.0/24 |
+ +-------------+
+
+1) enable nat plugin
+
+..
+
+ nat44 enable sessions 10000
+
+2) configure NAT interfaces, two options:
+
+a) add inside NAT interface on local VPP interface, add outside NAT
+ interface on external VPP interface
+
+..
+
+ set interface nat44 in GigabitEthernet0/8/0 out GigabitEthernet0/a/0
+
+b) add output NAT interface on external VPP interface
+
+..
+
+ set interface nat44 in GigabitEthernet0/a/0 output-feature
+
+3) configure NAT address
+
+a) add external address range
+
+..
+
+ nat44 add address 10.0.1.1
+
+b) add external VPP interface address
+
+..
+
+ nat44 add interface address GigabitEthernet0/a/0
+
+Static NAT
+----------
+
+Identity Mapping
+~~~~~~~~~~~~~~~~
+
+ nat44 add identity mapping ``ip4-addr``\ \|external ``interface``
+ [``protocol`` ``port``] [vrf ``table-id``] [del]
+
+Static Mapping
+~~~~~~~~~~~~~~
+
+ nat44 add static mapping tcp|udp|icmp local ``addr``
+ [``port|icmp-echo-id``] external ``addr`` [``port|icmp-echo-id``]
+ [vrf ``table-id``] [twice-nat|self-twice-nat] [out2in-only] [exact
+ ``pool-addr``] [del]
+
+Load Balanced Static Mapping
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ nat44 add load-balancing back-end protocol tcp|udp external
+ ``addr``:``port`` local ``addr``:``port`` [vrf ``table-id``]
+ probability ``n`` [del]
+
+..
+
+ nat44 add load-balancing static mapping protocol tcp|udp external
+ ``addr``:``port`` local ``addr``:``port`` [vrf ``table-id``]
+ probability ``n`` [twice-nat|self-twice-nat] [out2in-only] [affinity
+ ``timeout-seconds``] [del]
+
+Interfaces
+----------
+
+Inside Interface
+~~~~~~~~~~~~~~~~
+
+::
+
+ NAT INSIDE IF
+ +----------------------+
+ | GigabitEthernet0/8/0 |
+ +----------------------+
+
+..
+
+ set interface nat44 in GigabitEthernet0/8/0 [del]
+
+NAT inside interface is used for translating local to external
+communication. Translates Dynamic and Static NAT traffic. If no matching
+session is found a new session is created for both Dynamic NAT and
+Static NAT. Dynamic NAT sessions can get created only on inside
+interface.
+
+Outside Interface
+~~~~~~~~~~~~~~~~~
+
+::
+
+ NAT OUTSIDE IF
+ +----------------------+
+ | GigabitEthernet0/a/0 |
+ +----------------------+
+
+..
+
+ set interface nat44 out GigabitEthernet0/a/0 [del]
+
+NAT outside interface is used for translating external to local
+communication. Translates Dynamic and Static NAT traffic. New session
+gets created only if no matching session is found and matching Static
+NAT configuration exists.
+
+Inside & Outside Interface
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+ NAT IN AND OUT IF
+ +----------------------+
+ | GigabitEthernet0/8/0 |
+ +----------------------+
+ NAT IN AND OUT IF
+ +----------------------+
+ | GigabitEthernet0/a/0 |
+ +----------------------+
+
+..
+
+ set interface nat44 in GigabitEthernet0/8/0 out GigabitEthernet0/8/0
+ [del]
+
+ set interface nat44 in GigabitEthernet0/a/0 out GigabitEthernet0/a/0
+ [del]
+
+If one VPP interface is configured both as inside and outside NAT
+interface then classification feature is used. By default NAT inside
+interface uses in2out feature and NAT outside uses out2in feature.
+Classification feature determines if the communication should be passed
+to in2out feature or to out2in feature. Traffic will get passed to
+out2in feature if destination address is one of NAT addresses or a
+static mapping in out2in direction flow matches this communication. By
+default all traffic is passed to in2out feature.
+
+Output Interface
+~~~~~~~~~~~~~~~~
+
+::
+
+ +-------------+ +-------------+
+ | 10.0.2.0/24 | | 10.0.3.0/24 |
+ +-------------+ +-------------+
+ | |
+ +----------------------+ +----------------------+
+ | GigabitEthernet0/7/0 | | GigabitEthernet0/8/0 |
+ +----------------------+ +----------------------+
+ NAT OUTPUT IF
+ +----------------------+
+ | GigabitEthernet0/a/0 |
+ +----------------------+
+ +----------+
+ | 10.0.1.1 |
+ +----------+
+ |
+ +-------------+
+ | 10.0.1.0/24 |
+ +-------------+
+
+..
+
+ set interface nat44 in GigabitEthernet0/a/0 output-feature [del]
+
+NAT output interface acts as both inside and outside interfaces. Inside
+rules apply for all egress communication on VPP interface and outside
+rules apply for all ingress communication. Compared to inside/outside
+NAT configuration method non of the local interfaces require to be
+configured as inside NAT interfaces. Translation only occurs after
+routing decision has been made and just before leaving NAT output
+interface. In above example all traffic destined for 10.0.1.0/24 from
+10.0.2.0/24 or 10.0.3.0/24 will get translated. NAT output interface
+acts as post-routing feature.
+
+Addresses
+---------
+
+Interface Address
+~~~~~~~~~~~~~~~~~
+
+ nat44 add interface address ``interface`` `twice-nat <#twice-nat>`__
+ [del]
+
+NAT interface address is a standard external pool address that gets auto
+added upon resolving first VPP interface address. Supports both standard
+address and twice-nat address. Twice-nat address is used in conjunction
+with static mapping twice-nat and self-twice-nat feature.
+
+Pool Address
+~~~~~~~~~~~~
+
+ nat44 add address ``ip4-range-start`` [- ``ip4-range-end``]
+ [tenant-vrf ``vrf-id``] `twice-nat <#twice-nat>`__ [del]
+
+Statically configured address or range of addresses that supports both
+standard and twice-nat address. Specifying vrf-id lets user assign
+address/addresses to specific NAT inside interfaces that belong to the
+same vrf table.
+
+Logging
+-------
+
+ nat set logging level ``level``
+
+Configuration of logging level is used only for internal VPP logging.
+
+ nat ipfix logging [domain ``domain-id``] [src-port ``port``]
+ [disable]
+
+Both syslog and ipfix support connection tracking capabilities. Session
+creation, session deletion, maximum sessions exceeded among other things
+are logged by syslog and ipfix.
+
+Miscellaneous
+-------------
+
+VRFs
+~~~~
+
+::
+
+ VRF 0 VRF 1
+ +-------------+ +-------------+
+ | 10.0.2.0/24 | | 10.0.3.0/24 |
+ +-------------+ +-------------+
+ | |
+ NAT INSIDE IF NAT INSIDE IF
+ +----------------------+ +----------------------+
+ | GigabitEthernet0/7/0 | | GigabitEthernet0/8/0 |
+ +----------------------+ +----------------------+
+ NAT OUTSIDE IF NAT OUTSIDE IF
+ +----------------------+ +----------------------+
+ | GigabitEthernet0/a/0 | | GigabitEthernet0/b/0 |
+ +----------------------+ +----------------------+
+ VRF 2 VRF 3
+ | |
+ +--------------------------+
+ |
+ +------------+------------+------------+
+ | | | |
+ +----------+ +----------+ +----------+ +----------+
+ | 10.0.0.1 | | 10.0.0.2 | | 10.0.1.1 | | 10.0.1.2 |
+ +----------+ +----------+ +----------+ +----------+
+ VRF 0 POOL VRF 1 POOL VRF 0 POOL VRF 1 POOL
+
+..
+
+ nat44 add address ``ip4-addr`` [tenant-vrf ``vrf-id``] [del]
+
+ nat44 plugin enable inside-vrf ``vrf-id`` outside-vrf ``vrf-id``
+ [disable]",
+
+Default behavior
+^^^^^^^^^^^^^^^^
+
+By design NAT supports passing communication between VRFs. Passing
+communication between multiple different VRFs is also supported (GE0/7/0
+-> GE0/b/0, GE0/8/0 -> GE0/a/0).
+
+NAT pool address tenant-vrf configuration parameter is used to constrain
+pool address to specific inside VRF. Example communication (in the above
+diagram): 1) from GE0/7/0 -> GE0/b/0 would choose 10.0.1.1 pool address
+2) from GE0/8/0 -> GE0/b/0 would choose 10.0.1.2 pool address
+
+Plugin enable parameters inside-vrf and outside-vrf are used as follows:
+
+Both ``inside-vrf`` and ``outside-vrf`` configuration parameters are
+used in conjunction with Static NAT, inside-vrf is only used for Static
+NAT.
+
+inside VRF: - used only in conjunction with static mappings - default
+inside VRF parameter is used in in2out feature to lookup static mapping
+if mapping can’t be found by inside interface VRF - used as default when
+adding static mappings as in2out vrf
+
+outside VRF: - used in conjunction with static mappings - secondary
+option for looking up static mappings in in2out feature based on outside
+VRF - used as default destination vrf in in2out feature during session
+creation if non of outside interfaces can resolve destination IP address
+
+Session creation default behavior (in2out only): - ingress interface fib
+is used as inside fib - Outside fib is chosen based on ability to
+resolve destination address in one of the outside interface networks. if
+there is no such network that is able to resolve destination a default
+outside fib (outside vrf index) is used.
+
+Default behavior enables use of multiple outside and inside fibs with
+some limitations. The limitation in the default behavior is that if each
+interface belonging to different fib contains default gateway every time
+first interface network fib gets used as outside fib index during
+session creation.
+
+VRF tables
+^^^^^^^^^^
+
+ nat44 vrf table [add|del] ``vrf-id``
+
+..
+
+ nat44 vrf route [add|del] table ``vrf-id`` ``vrf-id``
+
+VRF tables change the default behavior of working with inter-vrf
+communication. Adding empty VRF table disables passing communication
+between VRFs. Adding additional routes to the table makes destination
+VRF decision making algorithm do lookups into these tables. During
+session creation destination VRF in in2out feature is resolved by
+traversing VRF routes in the matching VRF table. If VRF route resolves
+destination IPv4 address then this VRF gets used. If non VRF route can
+resolve destination IPv4 address If VRF route can’t be found source VRF
+will be used. Priority of VRF routes is based on order of configuration.
+
+Timeouts
+~~~~~~~~
+
+ set nat timeout [udp ``sec`` \| tcp-established ``sec``
+ tcp-transitory ``sec`` \| icmp ``sec`` \| reset]
+
+Session Limiting
+~~~~~~~~~~~~~~~~
+
+ nat44 enable sessions ``max-number``
+
+Maximum number of sessions value is used on per-thread (per-worker)
+basis.
+
+ set nat44 session limit ``limit`` [vrf ``table-id``]
+
+Per-vrf session limiting makes it possible to split maximum number of
+sessions between different VRFs.
+
+MSS Clamping
+~~~~~~~~~~~~
+
+ nat mss-clamping ``mss-value``\ \|disable
+
+Forwarding
+~~~~~~~~~~
+
+ nat44 forwarding enable|disable
+
+Additional Configuration Commands
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ | set nat frame-queue-nelts ``number``
+ | set nat workers ``workers-list``
+ | nat44 del session in|out ``addr``:``port`` tcp|udp|icmp [vrf
+ ``id``] [external-host ``addr``:``port``]
+
+Show commands
+^^^^^^^^^^^^^
+
+::
+
+ show nat workers
+ show nat timeouts
+ show nat44 summary
+ show nat44 sessions
+ show nat44 addresses
+ show nat mss-clamping
+ show nat44 interfaces
+ show nat44 vrf tables
+ show nat44 hash tables
+ nat44 show static mappings
+ show nat44 interface address
+
+Configuration Examples
+----------------------
+
+TWICE-NAT
+~~~~~~~~~
+
+Twice NAT lets you translate both the source and destination address in
+a single rule. Currently, twice NAT44 is supported only for local
+network service session initiated from outside network. Twice NAT static
+mappings can only get initiated (create sessions) from outside network.
+
+Topology
+^^^^^^^^
+
+::
+
+ +--------------------------+
+ | 10.0.0.2/24 (local host) |
+ +--------------------------+
+ |
+ +---------------------------------+
+ | 10.0.0.1/24 (eth0) (nat inside) |
+ | 20.0.0.1/24 (eth1) (nat outside)|
+ +---------------------------------+
+ |
+ +---------------------------+
+ | 20.0.0.2/24 (remote host) |
+ +---------------------------+
+
+In this example traffic will be initiated from remote host. Remote host
+will be accessing local host via twice-nat mapping.
+
+Translation will occur as follows:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+outside to inside translation:
+
+
+ | src address: 20.0.0.2 -> 192.168.160.101
+ | dst address: 20.0.0.1 -> 10.0.0.2
+
+inside to outside translation:
+
+
+ | src address: 10.0.0.2 -> 20.0.0.1
+ | dst address: 192.168.160.101 -> 20.0.0.2
+
+Configuration
+^^^^^^^^^^^^^
+
+Enable nat44-ed plugin:
+
+
+::
+
+ nat44 enable sessions 1000
+
+Configure inside interface:
+
+
+::
+
+ set int state eth0 up
+ set int ip address eth0 10.0.0.1/24
+ set int nat44 in eth0
+
+Configure outside interface:
+
+
+::
+
+ set int state eth1 up
+ set int ip address eth1 20.0.0.1/24
+ set int nat44 out eth1
+
+Configure nat address pools:
+
+
+::
+
+ nat44 add address 20.0.0.1
+ nat44 add address 192.168.160.101 twice-nat
+
+- alternatively we could use ``nat44 add interface address eth1``
+- both pools are required
+- pool ``20.0.0.1`` is used for out2in incoming traffic
+- special twice-nat pool ``192.168.160.101`` is used for secondary
+ translation
+
+Finally, add twice-nat mapping:
+
+
+ nat44 add static mapping tcp local 10.0.0.2 5201 external 20.0.0.1
+ 5201 twice-nat
+
+SELF TWICE-NAT
+~~~~~~~~~~~~~~
+
+Self twice NAT works similar to twice NAT with few exceptions. Self
+twice NAT is a feature that lets client and service running on the same
+host to communicate via NAT device. This means that external address is
+the same address as local address. Self twice NAT static mappings can
+only get initiated (create sessions) from outside network.
+
+.. _topology-self-twice-nat:
+
+Topology
+^^^^^^^^
+
+::
+
+ +--------------------------+
+ | 10.0.0.2/24 (local host) |
+ +--------------------------+
+ |
+ +-------------------------------------------+
+ | 10.0.0.1/24 (eth0) (nat inside & outside) |
+ +-------------------------------------------+
+
+In this example traffic will be initiated from local host. Local host
+will be accessing itself via self-twice-nat mapping.
+
+.. _translation-will-occur-as-follows-1:
+
+Translation will occur as follows:
+''''''''''''''''''''''''''''''''''
+
+.. _outside-to-inside-translation-1:
+
+outside to inside translation:
+
+
+ | src address: 10.0.0.2 -> 192.168.160.101
+ | dst address: 10.0.0.1 -> 10.0.0.2
+
+.. _inside-to-outside-translation-1:
+
+inside to outside translation:
+
+
+ | src address: 10.0.0.2 -> 10.0.0.1
+ | dst address: 192.168.160.101 -> 10.0.0.2
+
+.. _configuration-1:
+
+Configuration
+^^^^^^^^^^^^^
+
+.. _enable-nat44-ed-plugin-1:
+
+Enable nat44-ed plugin:
+
+
+::
+
+ nat44 enable sessions 1000
+
+Configure NAT interface:
+
+
+::
+
+ set int state eth0 up
+ set int ip address eth0 10.0.0.1/24
+ set int nat44 in eth0
+ set int nat44 out eth0
+
+.. _configure-nat-address-pools-1:
+
+Configure nat address pools:
+
+
+::
+
+ nat44 add address 10.0.0.1
+ nat44 add address 192.168.160.101 twice-nat
+
+Finally, add self-twice-nat mapping:
+
+
+ nat44 add static mapping tcp local 10.0.0.2 5201 external 10.0.0.1
+ 5201 self-twice-nat