Re: [vpp-dev] ALG
Denis, > PPTP connection working well via Hairpin NAT 1:1. Good to hear! Now if I could ask you for one favour to settle if we need an ALG or not. Could you analyse all your PPTP sessions (or all sessions that aren't TCP/UDP for that matter) and determine the total number of concurrent sessions using the same external DA and IP protocol. That number will be the total number of IP addresses you need in the external pool. Also interesting to see other statistics about those flows of course. Number of packets in flow, length in time of flow, number of total sessions, max concurrent sessions and so on. Cheers, Ole signature.asc Description: Message signed with OpenPGP ___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
Hi, Ole!PPTP connection working well via Hairpin NAT 1:1.Thanks! -- Yours sincerely, Denis Lotarev On Tuesday, June 20, 2017, 5:07:48 PM GMT+5, Ole Troan wrote: Denis, Matus found the issue with hairpinning. Merged fix in https://gerrit.fd.io/r/#/c/7200/ Please let me know if that also fixes this issue. We'll do some better handling of fall-back to 3-tuple keys for normal NAPT mode, so we can support PPTP without configuring 1:1. Hold tight. https://jira.fd.io/browse/VPP-884 Best regards, Ole > On 20 Jun 2017, at 10:31, Denis Lotarev wrote: > > Ole, so sorry, we are explored network problem in our infrastructure due > testing with parallel connection to PPTP server B and PPTP server C. > So 2nd scheme works well :) Sorry for my mismatch. > But hairpining not working in 3rd scheme. I dumped traffic from Machine A, > when Machine B trying to connect. > Machine A 1.1.10.20 (private ip) > Machine B 2.2.2.2 (public ip) > > IP (tos 0x0, ttl 127, id 31202, offset 0, flags [DF], proto TCP (6), length > 52) > 2.2.2.2.44681 > 1.1.10.20.1723: Flags [S], cksum 0x1ef8 (correct), seq >1560475197, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 > IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) > 1.1.10.20.1723 > 2.2.2.2.44681: Flags [S.], cksum 0x27ba (incorrect -> >0x66f3), seq 3141773982, ack 1560475198, win 29200, options [mss >1460,nop,nop,sackOK,nop,wscale 9], length 0 > IP (tos 0x0, ttl 127, id 31203, offset 0, flags [DF], proto TCP (6), length > 40) > 2.2.2.2.44681 > 1.1.10.20.1723: Flags [.], cksum 0x18d8 (correct), seq 1, >ack 1, win 256, length 0 > IP (tos 0x0, ttl 127, id 31204, offset 0, flags [DF], proto TCP (6), length > 196) > 2.2.2.2.44681 > 1.1.10.20.1723: Flags [P.], cksum 0xbc65 (correct), seq >1:157, ack 1, win 256, length 156: pptp Length=156 CTRL-MSG >Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) >BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(0) HOSTNAME() VENDOR(Microsoft) > IP (tos 0x0, ttl 64, id 40126, offset 0, flags [DF], proto TCP (6), length 40) > 1.1.10.20.1723 > 2.2.2.2.44681: Flags [.], cksum 0x27ae (incorrect -> >0x1900), seq 1, ack 157, win 60, length 0 > IP (tos 0x0, ttl 64, id 40127, offset 0, flags [DF], proto TCP (6), length > 196) > 1.1.10.20.1723 > 2.2.2.2.44681: Flags [P.], cksum 0x284a (incorrect -> >0x3092), seq 1:157, ack 157, win 60, length 156: pptp Length=156 CTRL-MSG >Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) >RESULT_CODE(1:Successful channel establishment) ERR_CODE(0:None) FRAME_CAP() >BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) HOSTNAME(local) VENDOR(linux) > IP (tos 0x0, ttl 127, id 31205, offset 0, flags [DF], proto TCP (6), length > 208) > 2.2.2.2.44681 > 1.1.10.20.1723: Flags [P.], cksum 0x621c (correct), seq >157:325, ack 157, win 256, length 168: pptp Length=168 CTRL-MSG >Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRQ CALL_ID(2) CALL_SER_NUM(20) >MIN_BPS(300) MAX_BPS(1) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) >PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR() > IP (tos 0x0, ttl 64, id 40128, offset 0, flags [DF], proto TCP (6), length 72) > 1.1.10.20.1723 > 2.2.2.2.44681: Flags [P.], cksum 0x27ce (incorrect -> >0x568b), seq 157:189, ack 325, win 62, length 32: pptp Length=32 CTRL-MSG >Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRP CALL_ID(3328) PEER_CALL_ID(2) >RESULT_CODE(1:Connected) ERR_CODE(0:None) CAUSE_CODE(0) CONN_SPEED(1) >RECV_WIN(64) PROC_DELAY(0) PHY_CHAN_ID(0) > IP (tos 0x0, ttl 127, id 31206, offset 0, flags [DF], proto TCP (6), length > 64) > 2.2.2.2.44681 > 1.1.10.20.1723: Flags [P.], cksum 0xb318 (correct), seq >325:349, ack 189, win 255, length 24: pptp Length=24 CTRL-MSG >Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SLI PEER_CALL_ID(3328) >SEND_ACCM(0x) RECV_ACCM(0x) > IP (tos 0x0, ttl 64, id 61692, offset 0, flags [DF], proto GRE (47), length > 61) > 1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call >2, seq 0, length 41 > LCP, Conf-Request (0x01), id 1, length 27 > encoded length 25 (=Option(s) length 21) > 0x: c021 0101 0019 > ACCM Option (0x02), length 6: 0x > 0x: > Auth-Prot Option (0x03), length 5: CHAP, MD5 > 0x: c223 05 > Magic-Num Option (0x05), length 6: 0x2afe416c > 0x: 2afe 416c > PFC Option (0x07), length 2 > ACFC Option (0x08), length 2 > IP (tos 0x0, ttl 64, id 40129, offset 0, flags [DF], proto TCP (6), length 40) > 1.1.10.20.1723 > 2.2.2.2.44681: Flags [.], cksum 0x27ae (incorrect -> >0x1782), seq 189, ack 349, win 62, length 0 > IP (tos 0x0, ttl 64, id 61817, offset 0, flags [DF], proto GRE (47), length > 61) > 1.1.10.20 > 2.2.2.2: GREv1, Flags [key present, sequence# present], call >2, seq 1, length 41 > LCP, Conf-Request (0x01), id 1, length 27 > encoded length 25 (=Option(s) length 21) > 0x: c021 0101 0019 > ACCM
Re: [vpp-dev] ALG
Hi, Oleg! Today we had issue with one more subscriber under iptables NAT on linux 4.4.35-1-lts. More than one subscriber cannot connecting to any PPTP servers. We must to loaded two modules nf_nat_pptp and nf_conntrack_pptp. After this subscribers connect to their servers successfully. FIY, Linux begin to clean deprecated protocols. This message only for info, sorry. -- Yours sincerely, Denis Lotarev___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
Hi Denis, > Today we are testing SNAT plugin and PPTP connection by public ip and this is > not working. > Both machines have a static mapping, we are testing pptp by snat hairpin. > Even if one machine (in outside VPP netwrok) can trying to connect to machine > in inside VPP network (with static mapping by public ip) - connection lost. > To be sure, we are testing this connection by local ips and this works. > Also, we are testing another two protocols - RTSP and L2TP and this works > fine... And you do have a static mapping on SNAT as well? https://wiki.fd.io/view/VPP/SNAT#1:1_NAT_example Cause if you used NAPT, then this wouldn't work, given that PPTP is GRE(-ish). Cheers, Ole signature.asc Description: Message signed with OpenPGP ___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
15.06.2017, 08:18, "Denis Lotarev via vpp-dev" : > Hi, Ole! > Today we are testing SNAT plugin and PPTP connection by public ip and this is > not working. > Both machines have a static mapping, we are testing pptp by snat hairpin. > Even if one machine (in outside VPP netwrok) can trying to connect to machine > in inside VPP network (with static mapping by public ip) - connection lost. > To be sure, we are testing this connection by local ips and this works. > Also, we are testing another two protocols - RTSP and L2TP and this works > fine... PPTP is using GRE (IP protocol number 47) to transport data traffic and TCP for control connection. NAT of PPTP connection works fine in Netfilter even without any kind of helpers (unless you have (for example) NAT overload with one outside address and two inside users connecting to the same outside server). Maybe the problem is because of SNAT plugin is not supporting GRE? If I understood the code correctly this is the case. -- wbr, Oleg. "Anarchy is about taking complete responsibility for yourself." Alan Moore. ___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
Hi, Ole!Today we are testing SNAT plugin and PPTP connection by public ip and this is not working.Both machines have a static mapping, we are testing pptp by snat hairpin.Even if one machine (in outside VPP netwrok) can trying to connect to machine in inside VPP network (with static mapping by public ip) - connection lost.To be sure, we are testing this connection by local ips and this works. Also, we are testing another two protocols - RTSP and L2TP and this works fine... -- Yours sincerely, Denis Lotarev On Wednesday, June 14, 2017, 5:24:03 PM GMT+5, wrote: Hi Denis, > We are trying to test SIP to asterisk (which outside VPP network) port 5060 > UDP and its work normaly via SNAT plugin (static and dynamic nat working > well).Also we are trying to test SIP to yate (minimal sip server) inside VPP > network with SNAT hairpin and its work correctly too. And also we are > connected to yate from outside VPP network, this simply works! :-) > > Also we are testing FTP client from Internet Explorer Windows 10 and IRC > client they are works well too. That's cool! > After that testing we need only PPTP protocol via S-NAT plugin, which not > work today. I guess I need to read up on PPTP (sigh). Does the protocol work through a 1:1 NAT today? If so... what's the size of your external IPv4 pool? Are you able to perform some measurements of the number of PPTP sessions? Or rather the number of sessions you have which are not UDP, TCP. And sort them IP src, dst and protocol? The question I want to answer is. How big must the external IPv4 pool be, for a transport layer independent NAT to function. E.g. if all your PPTP sessions goes to _different_ destination addresses, a single IPv4 address works fine. But if a larger number than the number of source addresses PPTP sessions go to the _same_ destination address we would be in trouble. Best regards, Ole___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
> I guess I need to read up on PPTP (sigh). > Does the protocol work through a 1:1 NAT today? We need a little time to check this inside VPP network (install any pptp server inside VPP network and connect via public IPs inside VPP network between server and client). Or if you are talking about current _iptables_ scheme? In our current iptables scheme pptp traffic going through a dynamic NAT and 1:1 NAT too. > If so... what's the size of your external IPv4 pool? We have four servers for NAT pooling, each server have one network block /24 public addressing (summary four network block by /24 using).Another two servers have four network blocks /24 public addressing for 1:1 NAT (one server active, second backup). > Are you able to perform some measurements of the number of PPTP sessions? So, are you talking about totally pps for this PPTP sessions? > E.g. if all your PPTP sessions goes to _different_ destination addresses, a > single IPv4 address works fine. > But if a larger number than the number of source addresses PPTP sessions go > to the _same_ destination address we would be in trouble. Each inside suscriber (src_ips is different) connected to outside network (dst_ips is different), going throught pool NAT (dynamic NAT) (nat_public_ips is differnet, because every suscriber is hashing by iptables, as i know) and 1:1 NAT (if suscriber has this option). Thanks! -- Yours sincerely, Denis Lotarev On Wednesday, June 14, 2017, 5:24:03 PM GMT+5, wrote: Hi Denis, > We are trying to test SIP to asterisk (which outside VPP network) port 5060 > UDP and its work normaly via SNAT plugin (static and dynamic nat working > well).Also we are trying to test SIP to yate (minimal sip server) inside VPP > network with SNAT hairpin and its work correctly too. And also we are > connected to yate from outside VPP network, this simply works! :-) > > Also we are testing FTP client from Internet Explorer Windows 10 and IRC > client they are works well too. That's cool! > After that testing we need only PPTP protocol via S-NAT plugin, which not > work today. I guess I need to read up on PPTP (sigh). Does the protocol work through a 1:1 NAT today? If so... what's the size of your external IPv4 pool? Are you able to perform some measurements of the number of PPTP sessions? Or rather the number of sessions you have which are not UDP, TCP. And sort them IP src, dst and protocol? The question I want to answer is. How big must the external IPv4 pool be, for a transport layer independent NAT to function. E.g. if all your PPTP sessions goes to _different_ destination addresses, a single IPv4 address works fine. But if a larger number than the number of source addresses PPTP sessions go to the _same_ destination address we would be in trouble. Best regards, Ole___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
Hi Denis, > We are trying to test SIP to asterisk (which outside VPP network) port 5060 > UDP and its work normaly via SNAT plugin (static and dynamic nat working > well).Also we are trying to test SIP to yate (minimal sip server) inside VPP > network with SNAT hairpin and its work correctly too. And also we are > connected to yate from outside VPP network, this simply works! :-) > > Also we are testing FTP client from Internet Explorer Windows 10 and IRC > client they are works well too. That's cool! > After that testing we need only PPTP protocol via S-NAT plugin, which not > work today. I guess I need to read up on PPTP (sigh). Does the protocol work through a 1:1 NAT today? If so... what's the size of your external IPv4 pool? Are you able to perform some measurements of the number of PPTP sessions? Or rather the number of sessions you have which are not UDP, TCP. And sort them IP src, dst and protocol? The question I want to answer is. How big must the external IPv4 pool be, for a transport layer independent NAT to function. E.g. if all your PPTP sessions goes to _different_ destination addresses, a single IPv4 address works fine. But if a larger number than the number of source addresses PPTP sessions go to the _same_ destination address we would be in trouble. Best regards, Ole signature.asc Description: Message signed with OpenPGP ___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
Hi, Ole. We are trying to test SIP to asterisk (which outside VPP network) port 5060 UDP and its work normaly via SNAT plugin (static and dynamic nat working well).Also we are trying to test SIP to yate (minimal sip server) inside VPP network with SNAT hairpin and its work correctly too. And also we are connected to yate from outside VPP network, this simply works! :-) Also we are testing FTP client from Internet Explorer Windows 10 and IRC client they are works well too. After that testing we need only PPTP protocol via S-NAT plugin, which not work today. -- Yours sincerely, Denis Lotarev On Tuesday, June 13, 2017, 6:23:14 PM GMT+5, wrote: Denis, > Hi! Im working on Internet service provider, and ALG require for clients > which connected to their offices via pptp, sip, etc. > But current SNAT plugin in master (build #2482) doesnt support pptp proto > inside (maybe sip also). Yeah, don't use PPTP. Insecure and broken. SIP applications must use ICE. I'm sure whomever is using PPTP is looking for an excuse to move away from that protocol. ;-) Best regards, Ole ___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
Hi! > Certainly cool if you could find a use for VPP this way. Yes, we will be glad to use VPP as hight perfomance NAT server in our infrastructure, if this will work stability :) Nowaday we are using six servers with double 10G NIC with 12 cpu cores every.This works on simple SNAT iptables module (only one rule in iptables) for NAT with pooling subscribers and NETMAP module for 1:1 NAT. But this scheme is hard to scale.And it will be cool to use only two NAT servers (in VRRP mode, one active and one backup) with 12 cores and 40G NIC one port (Intel XL710BM1), using tagged VLANs. Speed shaper and subscriber access realizing by CISCO SCE8000. Our network topology consist of about ten hardware routers on different regions and this routers have a default route to NAT servers (this is static route). In other words every region router depended on NAT server. We want to keep this topology, because this works good. > So you already run double NAT? No, we doesnt do this scheme, VPP only for testing purpose in our office only, not for all subscribers yet. > Any idea of how many PPTP users you have? E.g if you are restricting to one > PPTP session per subscriber, you may be able to create transport independent > sessions for those. That is only use IP src, dst and protocol. Yes, im running tcpdump on every NAT servers and calculate how much subscribers using PPTP sessions, but this statistic only for 3 hours. Its about 1000 subscribers, im thinking this number is bigger at another time. We can thinking that 3000 subscribers can using PPTP. But this will be difficultly to support transport independent sessions for those. > Does iptables have a PPTP ALG? Yes, iptables support PPTP ALG (in Linux kernel 3.10, CentOS 7). > For the other IPv4 sunsetting mechanisms (MAP-E, MAP-T, LW46, ...), we (as in > the IETF) decided to not support those protocols. Not sure, that we are needed this mechanisms. > Just move people to IPv6. ;-) This will planned after... sometimes ;-) But if seriously this is very expensive, ipv6 addressing much more expensive, then ipv4. > Another approach would be to do ALGs as plugins into the SNAT code. Need to > think some more about that. Its not critical how to integrate this to VPP staticaly or pluggable. If this will be doing, we can integrate VPP to our production network. SIP proto is needed too.So, i dont khow about SNMP, as im understand this is not working to via SNAT plugin too. But im thinking that SNMP not using much subscribers, but if using, we can recommend those to use SNMP in any tunnel transport. Thanks! -- Yours sincerely, Denis Lotarev On Wednesday, June 14, 2017, 1:31:28 AM GMT+5, otr...@employees.org wrote: Denis, [off-list] > Im agree with you as the end user, that this protocols are insecure and > deprecated, but so on the other hand, as service provider we are should > transmit all client traffic to another point :) > Service provider shouldnt tell the client what protocols to use or not use. > And if ISP have about 1 clients with pptp or sip protocols (only for > forward this traffic to another point), what should do service provider > without supporting ALG? Certainly cool if you could find a use for VPP this way. So you already run double NAT? Any idea of how many PPTP users you have? E.g if you are restricting to one PPTP session per subscriber, you may be able to create transport independent sessions for those. That is only use IP src, dst and protocol. For SIP that approach might be trickier. Does iptables have a PPTP ALG? For the other IPv4 sunsetting mechanisms (MAP-E, MAP-T, LW46, ...), we (as in the IETF) decided to not support those protocols. Just move people to IPv6. ;-) Another approach would be to do ALGs as plugins into the SNAT code. Need to think some more about that. Cheers, Ole___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
And so for a "joke", we would like to replace six servers with double 10G NICs running on Linux Iptables by VPP (dpdk) solution, because linux netfilter is so old, and deprecated (but this supported ALG). -- Yours sincerely, Denis Lotarev On Tuesday, June 13, 2017, 6:23:14 PM GMT+5, wrote: Denis, > Hi! Im working on Internet service provider, and ALG require for clients > which connected to their offices via pptp, sip, etc. > But current SNAT plugin in master (build #2482) doesnt support pptp proto > inside (maybe sip also). Yeah, don't use PPTP. Insecure and broken. SIP applications must use ICE. I'm sure whomever is using PPTP is looking for an excuse to move away from that protocol. ;-) Best regards, Ole ___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
Im agree with you as the end user, that this protocols are insecure and deprecated, but so on the other hand, as service provider we are should transmit all client traffic to another point :)Service provider shouldnt tell the client what protocols to use or not use.And if ISP have about 1 clients with pptp or sip protocols (only for forward this traffic to another point), what should do service provider without supporting ALG? -- Yours sincerely, Denis Lotarev On Tuesday, June 13, 2017, 6:23:14 PM GMT+5, wrote: Denis, > Hi! Im working on Internet service provider, and ALG require for clients > which connected to their offices via pptp, sip, etc. > But current SNAT plugin in master (build #2482) doesnt support pptp proto > inside (maybe sip also). Yeah, don't use PPTP. Insecure and broken. SIP applications must use ICE. I'm sure whomever is using PPTP is looking for an excuse to move away from that protocol. ;-) Best regards, Ole ___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
Denis, > Hi! Im working on Internet service provider, and ALG require for clients > which connected to their offices via pptp, sip, etc. > But current SNAT plugin in master (build #2482) doesnt support pptp proto > inside (maybe sip also). Yeah, don't use PPTP. Insecure and broken. SIP applications must use ICE. I'm sure whomever is using PPTP is looking for an excuse to move away from that protocol. ;-) Best regards, Ole signature.asc Description: Message signed with OpenPGP ___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
Hi! Im working on Internet service provider, and ALG require for clients which connected to their offices via pptp, sip, etc.But current SNAT plugin in master (build #2482) doesnt support pptp proto inside (maybe sip also). -- Yours sincerely, Denis Lotarev___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
Hi there, New applications can do this themselves, but what about old applications such as TFTP? Regards, Ewan yug...@telincn.com From: otroan Date: 2017-05-26 16:52 To: yugang CC: vpp-dev Subject: Re: [vpp-dev] ALG Hi there, > Many applications have two channels, one is data channel, the other is > control channel, both have different ports, > so we need ALG to help these protocols to cut through FW, i think it is a > pretty important feature and > it has been surpported by almost every manufacturer on their NAT devices. It has been supported with varying success. Take RFC5389 and the XOR-MAPPED-ADDRESS, where the STUN protocol where forced to hide IP addresses in the payload because misguided ALGs rewrote them. ALGs are often more of a hinderance to application developers than not. ALGs are hard to get right, and they lead to ossification. It is easier to write application if you have a predictable network. Any application on todays network either uses port 443 or it has to deal with NAT traversal. The IPv4 Internet wth address exhaustion is evolving. Address sharing is a fundamental part of the architecture now. Take mechanisms like MAP-E (RFC7597) where ALGs will not be included. If you have a specific request for a particular application we can talk about it. But in general my stance is "not the network's problem to solve". Best regards, Ole ___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
Hi there, > Many applications have two channels, one is data channel, the other is > control channel, both have different ports, > so we need ALG to help these protocols to cut through FW, i think it is a > pretty important feature and > it has been surpported by almost every manufacturer on their NAT devices. It has been supported with varying success. Take RFC5389 and the XOR-MAPPED-ADDRESS, where the STUN protocol where forced to hide IP addresses in the payload because misguided ALGs rewrote them. ALGs are often more of a hinderance to application developers than not. ALGs are hard to get right, and they lead to ossification. It is easier to write application if you have a predictable network. Any application on todays network either uses port 443 or it has to deal with NAT traversal. The IPv4 Internet wth address exhaustion is evolving. Address sharing is a fundamental part of the architecture now. Take mechanisms like MAP-E (RFC7597) where ALGs will not be included. If you have a specific request for a particular application we can talk about it. But in general my stance is "not the network's problem to solve". Best regards, Ole signature.asc Description: Message signed with OpenPGP ___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
Hi Ole, Many applications have two channels, one is data channel, the other is control channel, both have different ports, so we need ALG to help these protocols to cut through FW, i think it is a pretty important feature and it has been surpported by almost every manufacturer on their NAT devices. Regards, Ewan yug...@telincn.com From: otroan Date: 2017-05-23 18:42 To: yugang CC: vpp-dev Subject: Re: [vpp-dev] ALG Hi Ewan, > Is there any plan to surpport ALG? I am quite the non-believer with regards to ALGs. But you can always make a proposal. What ALGs do you need and why? Best regards, Ole ___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
Re: [vpp-dev] ALG
Hi Ewan, > Is there any plan to surpport ALG? I am quite the non-believer with regards to ALGs. But you can always make a proposal. What ALGs do you need and why? Best regards, Ole signature.asc Description: Message signed with OpenPGP ___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
[vpp-dev] ALG
Hi all, Is there any plan to surpport ALG? Regards, Ewan ewan ___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
