Re: [vpp-dev] Not able to ping host from VPP2

2021-02-14 Thread Milan Lenco
Hi Rohan,


We have found the same issue and keep track of it here: 
https://jira.fd.io/browse/VPP-1970

My colleague is working on the fix and it should be ready soon. Watch the Jira 
for updates...


Regards,

Milan



From: vpp-dev@lists.fd.io on behalf of Rohan Shethia
Sent: Sunday, 14 February 2021 12:32
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] Not able to ping host from VPP2

While I understand this is a very rudimentary question, I've looked around a 
bit, and a bit in the vpp code too, albeit not extensively.
I'm going through the vpp progressive tutorial here: 
https://fd.io/docs/vpp/master/gettingstarted/progressivevpp/routing.html and 
while I'm able to ping vpp2 from the host, I can't seem to ping the host from 
vpp2 (i.e. ping 10.10.1.1 on vpp2 does not work). It fails with the following 
message:

vpp# ping 10.10.1.1 repeat 2
Failed: no source address for egress interface
Failed: no source address for egress interface

While looking through the code a bit I understand that it's not able to set the 
source address for the packet, but I don't understand why.
Even the routing table looks fine.

Would like to get some pointers as to what directions to look in to understand 
this. Attaching the topology for reference.

View/Reply Online (#18749): https://lists.fd.io/g/vpp-dev/message/18749



Re: [vpp-dev] Endpoint-Independent Mapping on Determinate NAT

2020-09-30 Thread Milan Lenco
Hi Joshua,


This is currently not supported by the deterministic NAT in VPP. Not sure 
if/when this will be added, so in the meantime you might want to consider 
customizing the plugin for yourself.

Start from the snat_det_find_ses_by_in() function, where the session entry 
matching is done and the endpoint IP+port is also compared:

https://gerrit.fd.io/r/gitweb?p=vpp.git;a=blob;f=src/plugins/nat/det44/det44.h;h=3ddba6d140596aa6db875aa13a4dd414d6f6b49e;hb=refs/heads/master#l376


Please note however that the implementation of the det44 plugin is rather limited. 
As you will notice, the session entry matching is done with for loops, which 
gives it linear complexity. Also it is not possible to customize the 
(external IP, ports) distribution across internal IPs; it is always done 
evenly (i.e. no per-subscriber limits). Also a dynamic port range (for when 
the static port range runs out) is not supported, etc.


Regards,

Milan



From: vpp-dev@lists.fd.io on behalf of Joshua Moore
Sent: Wednesday, 30 September 2020 3:33
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] Endpoint-Independent Mapping on Determinate NAT

Hello,

I have a need to relax the session lookup criteria on out2in packet processing 
with NAT44 determinate mode. The behavior I am looking for is so that as long 
as there is an initial session for a given destination IP:port then any return 
packet to the translated port should be allowed regardless of the source IP. 
Essentially, if I open a session from 100.65.0.2 to 
2.2.2.2:3074 and VPP creates a translation entry then the 
out2in processing should allow any n:3074 source IP and not restrict the 
translation to return packets only allowed from 2.2.2.2.

It looks like this may have been possible with the below feature but it's not 
available in determinate mode:
https://wiki.fd.io/view/VPP/NAT#Enable_or_disable_forwarding

Are there any thoughts on this? Any suggestions on where I could perhaps 
compile my own version that allows endpoint-independent mapping?



Thanks!


--Josh

View/Reply Online (#17601): https://lists.fd.io/g/vpp-dev/message/17601
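The difference between the two behaviours discussed in this thread, as an added example that is not part of the thread and not code from the VPP det44 plugin: an out2in session lookup with a linear scan (the shape of matching Milan points at), switchable between endpoint-dependent filtering (the return packet must come from the exact external IP:port the session was opened to) and endpoint-independent filtering (any external source may hit the translated port). The scenario uses the addresses from Josh's mail; the translated address 203.0.113.1 and the internal port 40000 are assumptions, since the mail only gives "n:3074".

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Which fields the out2in lookup has to match (RFC 4787 filtering terms).
 * ENDPOINT_DEPENDENT: the return packet must come from the exact external
 * IP:port recorded when the session was created (what the mail describes).
 * ENDPOINT_INDEPENDENT: any external source may reach the translated port
 * once a session exists (what the question asks for). */
typedef enum {
  NAT_FILTER_ENDPOINT_DEPENDENT = 0,
  NAT_FILTER_ENDPOINT_INDEPENDENT = 1
} nat_filter_mode_t;

typedef struct {
  bool     in_use;
  uint32_t in_addr;  uint16_t in_port;   /* internal host */
  uint32_t out_addr; uint16_t out_port;  /* translated address:port on the NAT */
  uint32_t ext_addr; uint16_t ext_port;  /* remote endpoint at session creation */
} nat_session_t;

#define NAT_MAX_SESSIONS 64

typedef struct {
  nat_filter_mode_t mode;
  nat_session_t sessions[NAT_MAX_SESSIONS];
} nat_table_t;

static inline uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
  return ((uint32_t) a << 24) | ((uint32_t) b << 16) | ((uint32_t) c << 8) | d;
}

void nat_init(nat_table_t *t, nat_filter_mode_t mode)
{
  memset(t, 0, sizeof *t);
  t->mode = mode;
}

/* in2out: record a new session. Returns its index, or -1 if the table is full. */
int nat_add_session(nat_table_t *t, const nat_session_t *s)
{
  for (size_t i = 0; i < NAT_MAX_SESSIONS; i++) {
    if (t->sessions[i].in_use) continue;
    t->sessions[i] = *s;
    t->sessions[i].in_use = true;
    return (int) i;
  }
  return -1;
}

/* out2in: find the session for a packet arriving on the external side.
 * Linear scan on purpose, mirroring the for-loop matching the mail mentions;
 * what matters here is which fields take part in the comparison. */
int nat_out2in_lookup(const nat_table_t *t, uint32_t src_addr, uint16_t src_port,
                      uint32_t dst_addr, uint16_t dst_port)
{
  for (size_t i = 0; i < NAT_MAX_SESSIONS; i++) {
    const nat_session_t *s = &t->sessions[i];
    if (!s->in_use) continue;
    if (s->out_addr != dst_addr || s->out_port != dst_port) continue;
    if (t->mode == NAT_FILTER_ENDPOINT_DEPENDENT &&
        (s->ext_addr != src_addr || s->ext_port != src_port))
      continue;                       /* wrong remote endpoint: drop */
    return (int) i;
  }
  return -1;
}

/* Constructed scenario from the question: 100.65.0.2 opens a session to
 * 2.2.2.2:3074 and the NAT maps it to 203.0.113.1:3074 (translated address
 * and internal port 40000 are assumptions). Returns the out2in lookup result
 * for a return packet from src_addr:src_port to the translated port. */
int nat_demo_lookup(nat_filter_mode_t mode, uint32_t src_addr, uint16_t src_port)
{
  nat_table_t t;
  nat_init(&t, mode);
  nat_session_t s = {
    .in_addr  = ip4(100, 65, 0, 2),  .in_port  = 40000,
    .out_addr = ip4(203, 0, 113, 1), .out_port = 3074,
    .ext_addr = ip4(2, 2, 2, 2),     .ext_port = 3074,
  };
  nat_add_session(&t, &s);
  return nat_out2in_lookup(&t, src_addr, src_port, ip4(203, 0, 113, 1), 3074);
}

int main(void)
{
  printf("dependent,   from 2.2.2.2:3074 -> %d\n",
         nat_demo_lookup(NAT_FILTER_ENDPOINT_DEPENDENT, ip4(2, 2, 2, 2), 3074));
  printf("dependent,   from 3.3.3.3:3074 -> %d\n",
         nat_demo_lookup(NAT_FILTER_ENDPOINT_DEPENDENT, ip4(3, 3, 3, 3), 3074));
  printf("independent, from 3.3.3.3:3074 -> %d\n",
         nat_demo_lookup(NAT_FILTER_ENDPOINT_INDEPENDENT, ip4(3, 3, 3, 3), 3074));
  return 0;
}
```

The relaxed mode is exactly the trade-off to keep in mind when patching a plugin this way: once a session exists, the translated port on the external address accepts packets from any host and any source port for the lifetime of the session, so it becomes reachable by port scans and by unsolicited traffic that the endpoint-dependent check would have dropped.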



[vpp-dev] Invalid ESP padding

2020-08-19 Thread Milan Lenco
Hello VPP developers,


In src/plugins/dpdk/ipsec/ipsec.h the ESP padding is statically defined up to 
the maximum needed size (I suppose that padding larger than that is not needed 
for the algorithms supported by VPP):


static const u8 pad_data[] =
  { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 0 };


I believe that the last byte should be 16 instead of 0, but I'm not an expert 
on ESP so I need to confirm that with you first.


I have observed that both the Windows 10 built-in IPsec client and this 
client for Android drop packets encrypted by VPP (with a DPDK interface and 
AES alg.) where the full pad_data are used (i.e. including that zero).

For example, in the Android client this is the code that checks the padding 
and determines that the packet is incorrectly encrypted if zero is on the 
16th byte.

FYI, even though the RFC requires this check, Linux xfrm apparently doesn't 
care about the padding, and so the issue cannot be reproduced with IPsec 
clients/GWs based on Linux kernel encryption/decryption. Also, sadly, Wireshark 
doesn't check the padding.


Thank you,

Milan
View/Reply Online (#17262): https://lists.fd.io/g/vpp-dev/message/17262
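To make the interoperability point of this mail concrete, an added example that is not part of the mail and not VPP's code: the default RFC 4303 padding scheme (pad byte i carries the value i) on the sender side, and the strict receiver-side check that a client like the Android one described above performs. The sender here always adds between 1 and block_size bytes of padding; that is an assumption made so that the 16th table entry gets exercised, not a claim about how VPP computes its pad length. With the table as quoted (0 in the 16th slot), a packet that needs a full block of padding fails the check; with 16 in that slot it passes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ESP_MAX_BLOCK 16   /* largest cipher block size handled here (AES) */

/* Default padding scheme of RFC 4303 section 2.4: pad byte i (1-based)
 * carries the value i, so 16 bytes of padding end with 0x10. */
static const uint8_t esp_pad_rfc4303[ESP_MAX_BLOCK] = {
  1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

/* The table quoted in the mail, with 0 in the 16th slot. */
static const uint8_t esp_pad_trailing_zero[ESP_MAX_BLOCK] = {
  1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 0
};

/* Sender side: append padding, Pad Length and Next Header after the
 * payload_len bytes already in buf, so that payload + padding + 2 is a
 * multiple of block_size. This variant always adds 1..block_size bytes of
 * padding (assumption made here; RFC 4303 permits more than the minimum).
 * Returns the new total length, or 0 on error. */
size_t esp_add_trailer(uint8_t *buf, size_t buf_cap, size_t payload_len,
                       size_t block_size, uint8_t next_header,
                       const uint8_t *pad_table)
{
  if (block_size == 0 || block_size > ESP_MAX_BLOCK) return 0;
  size_t pad_len = block_size - ((payload_len + 2) % block_size);
  size_t total = payload_len + pad_len + 2;
  if (total > buf_cap) return 0;
  memcpy(buf + payload_len, pad_table, pad_len);
  buf[payload_len + pad_len] = (uint8_t) pad_len;       /* Pad Length */
  buf[payload_len + pad_len + 1] = next_header;         /* Next Header */
  return total;
}

/* Receiver side, after decryption and ICV verification: strict check of the
 * default padding. Returns the payload length, or -1 if Pad Length does not
 * fit the packet or any padding byte differs from the 1, 2, 3, ... sequence. */
long esp_check_trailer(const uint8_t *buf, size_t len, uint8_t *next_header)
{
  if (len < 2) return -1;
  uint8_t pad_len = buf[len - 2];
  if ((size_t) pad_len + 2 > len) return -1;            /* Pad Length overruns */
  const uint8_t *pad = buf + len - 2 - pad_len;
  for (size_t i = 0; i < pad_len; i++)
    if (pad[i] != (uint8_t) (i + 1)) return -1;         /* not 1, 2, 3, ... */
  if (next_header) *next_header = buf[len - 1];
  return (long) (len - 2 - pad_len);
}

/* Pad a constructed dummy payload of payload_len bytes with the given table
 * for a 16-byte block cipher, then run the receiver check. Returns the verdict. */
long esp_roundtrip(const uint8_t *pad_table, size_t payload_len)
{
  uint8_t buf[256];
  memset(buf, 0xAB, sizeof buf);                        /* dummy plaintext */
  size_t total = esp_add_trailer(buf, sizeof buf, payload_len, 16,
                                 4 /* Next Header: IPv4 (tunnel mode) */,
                                 pad_table);
  if (total == 0) return -1;
  return esp_check_trailer(buf, total, NULL);
}

int main(void)
{
  /* 30 + 2 = 32 is already block-aligned, so the always-pad rule adds a full
   * 16 bytes and the 16th table entry is used; 20 + 2 needs only 10 bytes. */
  printf("RFC table,  30-byte payload: %ld\n", esp_roundtrip(esp_pad_rfc4303, 30));
  printf("zero table, 30-byte payload: %ld\n", esp_roundtrip(esp_pad_trailing_zero, 30));
  printf("zero table, 20-byte payload: %ld\n", esp_roundtrip(esp_pad_trailing_zero, 20));
  return 0;
}
```

The practical consequence of the mail's last paragraph is visible in the check function: a receiver that skips the padding comparison (as Linux xfrm reportedly does) accepts both tables, so a test bed built only from Linux peers will never show the drops that strict implementations produce.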


Re: [vpp-dev] Q) Service function chaining

2019-05-23 Thread Milan Lenco
Hi Chul-Woong,


Both projects are actually based on ligato/vpp-agent 
(https://github.com/ligato/vpp-agent), which is a control plane for VPP.

The sfc controller from ligato however is most likely outdated and probably 
will be deprecated. The NSM project, albeit a bit younger and very much 
in-progress, is much more active at the moment, so perhaps check that one first.


Additionally, there is a CNI plugin for Kubernetes, also based on 
ligato/vpp-agent, called Contiv/VPP (https://github.com/contiv/vpp). Up until 
now the project was focused on implementing all the features a K8s network 
plugin must/should have (connectivity between pods, nodes, K8s policies, 
K8s services, and also IPv6 support).

But now the focus is to add the sfc-like features into Contiv. For example, 
as a first step, support for multiple interfaces was added:

https://github.com/contiv/vpp/blob/master/docs/operation/CUSTOM_POD_INTERFACES.md

So in addition to the tap (eth0 in the pod), you can have memifs connected to 
the pod, etc. The service chaining is still to be done. But what is cool about 
Contiv is that the network configuration can be further extended and customized 
(https://github.com/contiv/vpp/blob/master/docs/dev-guide/EXTERNAL_CONFIG.md). 
So you could implement the chaining yourself by requesting further config 
objects (such as bridge domains, L2 x-connects between pods, etc.) and 
Contiv will ensure this configuration is applied and kept in sync between 
restarts, etc. Also, this configuration is given to Contiv in a declarative 
higher-level format (like YANG, but using protobuf and simpler; here are the 
models: https://github.com/ligato/vpp-agent/tree/master/api/models), so it is 
much easier to work with than programming these things directly into VPP through 
a complicated set of binary APIs.



Regards,

Milan



From: Chul-Woong Yang
Sent: Wednesday, 22 May 2019 3:52
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] Q) Service function chaining

Hi, all.

I'm looking for ways to do service function chaining in container-native 
environments.
My use case is security VNFs. I've developed on-premise boxes for several years 
and want to make VNFs using vpp now.

As far as I surveyed, the ligato/sfc project and nsm (network service mesh) are 
the only two viable solutions.

What sfc way do you suggest, in terms of active development, maturity, and user 
community?

Now I'm trying the ligato/sfc quick start 
(https://github.com/ligato/sfc-controller) but the docker image is missing and 
I have trouble finding the ligato community.

Can you share your experience on doing sfc?

Best regards,
Chul-Woong
View/Reply Online (#13134): https://lists.fd.io/g/vpp-dev/message/13134


Re: [vpp-dev] containers interconnect via memif

2018-05-27 Thread Milan Lenco
Hi Sara,


Please forward your original question to Jakub Grajciar: jgraj...@cisco.com

He is the author of the library, who has also prepared the docker containers 
for the demonstration.

Originally it was possible to connect two instances of libmemif directly (i.e. 
without VPP), but recently there have been some upgrades that may have omitted 
this scenario. The container contains the old version of the library.


Regards,

Milan


From: Edward Warnicke
Sent: Sunday, 27 May 2018 17:23:28
To: Sara Gittlin
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] containers interconnect via memif

OK, just to be clear, memif lets you pass L2 or L3 packets... but it does not 
provide a TCP stack (if you need a TCP stack, we have one of those too :) ).

Ed

On Sun, May 27, 2018 at 2:02 AM Sara Gittlin <sara.gitt...@gmail.com> wrote:
Ed,
there are some use-cases , for example:
- 2 work loads under same tenant - need to exchange info
- CNF's implementing SFC
Thank you
-Sara


On Thu, May 24, 2018 at 7:12 PM, Ed Warnicke <hagb...@gmail.com> wrote:
Sara,

A couple of questions:

What are you wanting to connect via memif in your containers?  Is it a CNF 
(Cloud-native Network Function... ie something meant to process packets) or a 
traditional app (think webserver, database, etc.)?

Ed

On Thu, May 24, 2018 at 3:37 AM Sara Gittlin <sara.gitt...@gmail.com> wrote:
Hello All,
I've followed the example as per https://docs.fd.io/vpp/17.10/libmemif_doc.html 
and everything works fine.
My question is how to connect 2 containers where the container image is a 
common image [not necessarily libmemif-sample-service]?
What to install? How to create the memif interface? Connect?
In the vpp example we create the interface in vpp and connect in the 
container daemon with the specific image 'conn' command.
I understand that memif is a feature under VPP although VPP is not required 
for containers to interconnect.

Thank you
-Sara