Hello Klement,

Thanks for the reply.
Looks like I should craft this idea by myself ;-)

The main problem for me is that I've been a network engineer for the past few years and 
haven't programmed much in C in that time, but I'll try to craft a new patch.

Thanks in advance.

________________________________
From: Klement Sekera -X (ksekera - PANTHEON TECH SRO at Cisco) <ksek...@cisco.com>
Sent: 16 February 2021 19:03
To: Юрий Иванов <format_...@outlook.com>
Cc: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
<fiva...@cisco.com>; vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] NAT44 how to control external address assignment from pool?

I see, so you’re not using deterministic NAT. Which NAT flavour are you using?

I think what you are requesting is not provided by VPP at this moment, but 
looking at the allocation algorithm, it might be possible to implement such 
behaviour. It should be relatively straightforward in EI NAT and a little bit 
more complicated in ED NAT, requiring an extra hash table for user-outside 
address mappings as ED NAT has no “user” tracking.

Another possibility would be to make it completely random - so for every 
connection there would be a random address picked, so e.g. user1 might get 
1.0.0.7 for google.com, but 1.0.0.117 for duckduckgo.com. This would be even 
easier to implement.

Would you like to give it a try and submit a patch? I can provide guidance…

Regards,
Klement

> On 16 Feb 2021, at 15:22, Юрий Иванов <format_...@outlook.com> wrote:
>
> Thanks Klement,
>
> I want to use option #1 and will think about #2 with DUT only as a workaround.
>
> The simple random allocation (option #1) looks acceptable for me but I have 
> several issues with it now.
>
> I have a big external pool (our network has a /24 mask) and I want to use all 
> addresses more evenly.
> Now I set the pool with vpp# nat44 add address 1.0.0.3-1.0.0.100
>
> But with such a configuration all clients behind NAT will have external address 
> 1.0.0.100 until all ports are used up, the next will get 1.0.0.99 until all ports 
> are used up, etc.
> As a result all users get Google reCAPTCHA on most resources (e.g. 
> google.com search) because too many users are hiding behind the 
> same IP while other addresses in the pool are not used at all.
>
> Since a standard Linux box can use the option "persistent", which gives a client a 
> random address from the snat pool (on first translation) and preserves it until 
> the end of the user session, I'm interested in how to achieve this behavior with 
> VPP.
>
> Can I somehow set up pool 1.0.0.3-1.0.0.200 so that the first client 10.0.0.1 gets 
> a random external address, e.g. 1.0.0.7 (I mean a random address from the 
> pool), and preserves it for all new connections until the end of the session, the 
> second client 10.0.0.5 -> the next random address, etc.?
>
> Thanks in advance.
> From: Klement Sekera -X (ksekera - PANTHEON TECH SRO at Cisco) 
> <ksek...@cisco.com>
> Sent: 16 February 2021 14:01
> To: Юрий Иванов <format_...@outlook.com>
> Cc: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
> <fiva...@cisco.com>; vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
> Subject: Re: [vpp-dev] NAT44 how to control external address assignment from 
> pool?
>
> Hi, let me chime in and explain a bit more.
>
> DET NAT, also known as CGNAT (as in carrier-grade NAT), is designed to conform 
> to LI (lawful intercept) requirements.
>
> So, if you, as an internet provider are required by law to be able to provide 
> a user identification based on outside address + port made by that user, you 
> have two options:
>
> 1.) log every connection and keep the logs
> 2.) make it deterministic, so you can always calculate inside address from 
> outside address + port
>
> DET NAT is #2 and thus it cannot be random.
>
> For random allocation, you can use either EI or ED NAT. But these of course 
> don’t provide any way to calculate user address from outside address.
>
> What is your use case?
>
> Thanks,
> Klement
>
> > On 10 Feb 2021, at 19:14, Юрий Иванов <format_...@outlook.com> wrote:
> >
> > Hi Filip,
> >
> > Thanks, I understand: the det44 plugin works separately, but we have to 
> > manually manage the mapping of local networks to external IPs.
> >
> > But in case we try to use the standard nat configuration with pools:
> > vpp# nat44 forwarding enable
> > vpp# set int nat44 in GigabitEthernet0/5/0 out GigabitEthernet0/4/0
> > vpp# nat44 add address 1.0.0.3-1.0.0.100
> >
> > All clients will have external address 1.0.0.100 until all ports are used 
> > up, the next will get 1.0.0.99 until all ports are used up, etc.
> > This behaviour leads to Google reCAPTCHA being shown on most resources (e.g. 
> > google.com search) because too many users are hiding behind the 
> > same IP while other addresses in the pool are not used at all.
> > I can afford to use a pool with 255 addresses (/24 network), but in this case 
> > most of the addresses will not be used at all :(
> >
> > I'm interested in how to tune vpp to select a random address for every new 
> > client and keep this same source-/destination-address for each new 
> > connection. This should help to use the address pool more evenly.
> > The same behavior as nftables does with "ip saddr 10.0.0.0/8 oif "vlan10" 
> > snat to 1.0.0.3-1.0.0.100 persistent".
> >
> > Thanks in advance.
> > From: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
> > <fiva...@cisco.com>
> > Sent: 10 February 2021 14:25
> > To: Юрий Иванов <format_...@outlook.com>; vpp-dev@lists.fd.io 
> > <vpp-dev@lists.fd.io>
> > Subject: RE: [vpp-dev] NAT44 how to control external address assignment from 
> > pool?
> >
> > Hello,
> >
> > For clarification I will explain how the NAT is divided.
> >
> > At this point NAT functionality is divided into multiple sub-plugins because 
> > of its previous complexity and issues with it.
> > We have det44 and nat44 plugins that are completely separate. The whole 
> > separation is still in progress. So changes in nat44 like picking up pool 
> > allocation algorithm or anything else will not affect det44 plugin. These 
> > two plugins operate completely independently and share just some NAT 
> > library for common stuff.
> >
> > Regarding the det44 allocation algorithm: no, at this point it is not 
> > supported to pick a new randomly selected address as you are asking. 
> > Det44 is / should act in a predetermined way so logging is not required.
> >
> > I will look further in the code and plugins if i can help you find some 
> > solution.
> >
> > Best regards,
> > Filip
> >
> > From: Юрий Иванов <format_...@outlook.com>
> > Sent: Wednesday, February 10, 2021 8:47 AM
> > To: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
> > <fiva...@cisco.com>; vpp-dev@lists.fd.io
> > Subject: RE: [vpp-dev] NAT44 how to control external address assignment 
> > from pool?
> > Importance: High
> >
> > Hi Filip, thanks for the reply.
> >
> > This is only for host mapping and looks like it can be done with the det44 
> > plugin - very strange btw that it operates separately from standard nat44 
> > (meaning that I don't need to configure nat at all to use it).
> >
> > My problem is different: when I set a pool, e.g. 1.0.0.1-1.0.0.100, all clients 
> > always get the last address from the pool (.100) until that external IP runs out 
> > of ports, and only after that will clients get the .99 IP until this IP runs 
> > out of ports, etc.
> >
> > Is there a way to select a new random address from the pool for a new client and 
> > after that use this randomly selected same source-/destination-address for 
> > each of the client's connections?
> >
> > Now it leads to problems with the Google 'Unusual Traffic' Block/Captcha, 
> > because it utilizes several IP addresses while most IPs from the pool are left 
> > unused.
> >
> > From: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
> > <fiva...@cisco.com>
> > Sent: 9 February 2021 13:54
> > To: Юрий Иванов <format_...@outlook.com>; vpp-dev@lists.fd.io 
> > <vpp-dev@lists.fd.io>
> > Subject: RE: [vpp-dev] NAT44 how to control external address assignment from 
> > pool?
> >
> > Hi,
> >
> > If you are looking for an option to specify the exact outside translation address 
> > from a specific pool, you should try:
> >
> > nat44 add static mapping ... exact <pool-addr>
> >
> > Also supported by API.
> > This will give you exact address picked from pool.
> >
> > Best regards,
> > Filip Varga
> >
> > From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Юрий Иванов
> > Sent: Monday, February 8, 2021 11:04 AM
> > To: vpp-dev@lists.fd.io
> > Subject: Re: [vpp-dev] NAT44 how to control external address assignment 
> > from pool?
> > Importance: High
> >
> > Just an update, to perform manual translation we should do:
> >
> > det44 plugin enable
> > det44 add in 10.0.1.0/29 out 1.0.0.7/32
> > det44 add in 10.0.1.16/29 out 1.0.0.5/32
> > ...
> > set interface det44 inside GigabitEthernet0/5/0 outside GigabitEthernet0/4/0
> >
> > Ignoring the specific nat configuration.
> >
> > Nevertheless, maybe there is some option to select a different IP address from 
> > the pool?
> > From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Юрий Иванов 
> > <format_...@outlook.com>
> > Sent: 7 February 2021 12:10
> > To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
> > Subject: [vpp-dev] NAT44 how to control external address assignment from pool?
> >
> > Hi,
> >
> > I've got a basic nat setup in a lab which works as expected except for external 
> > IP address allocation.
> >
> > My clients, behind NAT, have addresses:
> > vpp# show ip neighbors
> >     Time          IP          Flags   Ethernet            Interface
> >    1421.5929    10.0.1.30      D      00:50:79:66:68:00   GigabitEthernet0/5/0
> >    1424.3609    10.0.1.55      D      00:50:79:66:68:02   GigabitEthernet0/5/0
> >    1423.1650    10.0.1.41      D      00:50:79:66:68:01   GigabitEthernet0/5/0
> >    1389.2929    10.0.1.20      D      00:50:79:66:68:04   GigabitEthernet0/5/0
> >    1377.1449    10.0.1.2       D      00:50:79:66:68:03   GigabitEthernet0/5/0
> >
> > All can reach the external 1.0.0.2 IP, which looks good, but for all clients the 
> > external address is 1.0.0.100 (the last IP in the range).
> > I think it would be much better to randomly select a different address in the 
> > range, like nftables does with this configuration stanza:
> > "ip saddr 10.0.0.0/8 oif "vlan2" snat to 1.0.0.2-1.0.0.100 persistent"
> >
> > After changing
> > vpp# nat addr-port-assignment-alg map-e psid 10 psid-offset 6 psid-len 6
> > the only difference is that the external address becomes 1.0.0.1 for all clients.
> >
> > I can of course map a host to an external address with:
> > vpp# nat44 add static mapping  local 10.0.1.2 external 1.0.0.10
> > But with 30 thousand clients it would be a very strange idea to map every host 
> > manually.
> >

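The two allocation policies argued over in this thread, reduced to plain C as an added example (this is not VPP code, not from the det44 or nat44 plugins, and not from anyone on the thread). Part 1 takes the det44 configuration quoted above, "det44 add in 10.0.1.0/29 out 1.0.0.7/32", and shows why Klement says a deterministic mapping needs no per-connection log: every inside host owns a fixed block of outside ports, so (outside address, port) -> inside address is a pure calculation, which is also the check an LI request has to survive. Part 2 is the persistent per-user allocation being asked for, over the pool 1.0.0.3-1.0.0.100 from the thread: the first session from an inside address draws a random pool address, every later session from that address reuses it. Assumptions made here and not stated on the page: ports below 1024 are never handed out and the remaining range is split into equal blocks with no sharing between hosts (VPP's own det44 arithmetic is not reproduced); the per-user table is a fixed 4096-slot open-addressing table (VPP would use a bihash, as Klement's "extra hash table" suggests); and the random source is a small LCG so the run is reproducible.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not VPP code: deterministic port-block NAT and persistent
 * per-user pool selection, side by side. Block sizing, table shape and RNG are
 * assumptions for illustration. */

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* ---- 1. deterministic mapping, e.g. "det44 add in 10.0.1.0/29 out 1.0.0.7/32" ---- */
#define DET_PORT_LO 1024u   /* assumption: ports below 1024 are never allocated */
#define DET_PORT_HI 65535u

typedef struct {
    uint32_t in_net, in_plen, out_addr, ports_per_host;
} det_map_t;

static det_map_t det_map_create(uint32_t in_net, uint32_t in_plen, uint32_t out_addr)
{
    det_map_t m = { in_net, in_plen, out_addr, 0 };
    uint32_t hosts = 1u << (32 - in_plen);
    m.ports_per_host = (DET_PORT_HI - DET_PORT_LO + 1) / hosts; /* equal blocks, no sharing */
    return m;
}

/* inside host -> (outside address, port block); -1 if the host is not in the prefix */
static int det_forward(const det_map_t *m, uint32_t in_addr,
                       uint32_t *out_addr, uint16_t *port_lo, uint16_t *port_hi)
{
    uint32_t mask = m->in_plen ? ~0u << (32 - m->in_plen) : 0;
    if ((in_addr & mask) != m->in_net)
        return -1;
    uint32_t idx = in_addr - m->in_net;
    *out_addr = m->out_addr;
    *port_lo = (uint16_t)(DET_PORT_LO + idx * m->ports_per_host);
    *port_hi = (uint16_t)(*port_lo + m->ports_per_host - 1);
    return 0;
}

/* (outside address, port) -> inside host: the lawful-intercept property, no session log */
static int det_reverse(const det_map_t *m, uint32_t out_addr, uint16_t port, uint32_t *in_addr)
{
    if (out_addr != m->out_addr || port < DET_PORT_LO)
        return -1;
    uint32_t idx = (port - DET_PORT_LO) / m->ports_per_host;
    if (idx >= (1u << (32 - m->in_plen)))
        return -1;            /* ports left over by the integer division map to nobody */
    *in_addr = m->in_net + idx;
    return 0;
}

/* ---- 2. persistent per-user selection from a pool such as 1.0.0.3-1.0.0.100 ------ */
#define USER_TABLE_SIZE 4096u   /* assumption: fixed open-addressing table */

typedef struct { uint32_t in_addr, out_addr; int used; } user_slot_t;

typedef struct {
    uint32_t pool_lo, pool_hi;
    uint32_t rng;                       /* LCG state, stands in for a real RNG */
    user_slot_t users[USER_TABLE_SIZE];
} persistent_nat_t;

static void persistent_init(persistent_nat_t *n, uint32_t pool_lo, uint32_t pool_hi, uint32_t seed)
{
    n->pool_lo = pool_lo; n->pool_hi = pool_hi; n->rng = seed;
    for (uint32_t i = 0; i < USER_TABLE_SIZE; i++) n->users[i].used = 0;
}

static uint32_t lcg_next(uint32_t *s) { *s = *s * 1103515245u + 12345u; return (*s >> 16) & 0x7fffu; }

/* outside address for in_addr: drawn once at random, then fixed; 0 if the table is full */
static uint32_t persistent_pick(persistent_nat_t *n, uint32_t in_addr)
{
    uint32_t h = (in_addr * 2654435761u) % USER_TABLE_SIZE;
    for (uint32_t i = 0; i < USER_TABLE_SIZE; i++) {
        user_slot_t *s = &n->users[(h + i) % USER_TABLE_SIZE];
        if (s->used && s->in_addr == in_addr)
            return s->out_addr;                       /* known user: same address again */
        if (!s->used) {
            s->used = 1;
            s->in_addr = in_addr;
            s->out_addr = n->pool_lo + lcg_next(&n->rng) % (n->pool_hi - n->pool_lo + 1);
            return s->out_addr;
        }
    }
    return 0;   /* table exhausted: a real implementation must fall back or fail closed */
}

/* how many distinct pool addresses nusers consecutive inside hosts land on (nusers <= table size) */
static uint32_t persistent_spread(uint32_t nusers)
{
    static persistent_nat_t nat;
    persistent_init(&nat, ip4(1,0,0,3), ip4(1,0,0,100), 42u);
    uint32_t seen[256] = {0}, distinct = 0;
    for (uint32_t u = 0; u < nusers; u++) {
        uint32_t out = persistent_pick(&nat, ip4(10,0,1,0) + u);
        if (!seen[out & 0xff]++) distinct++;
    }
    return distinct;
}

int main(void)
{
    det_map_t m = det_map_create(ip4(10,0,1,0), 29, ip4(1,0,0,7));
    uint32_t out = 0, in = 0; uint16_t lo = 0, hi = 0;
    det_forward(&m, ip4(10,0,1,2), &out, &lo, &hi);
    printf("10.0.1.2 -> 1.0.0.7 ports %u-%u\n", (unsigned)lo, (unsigned)hi);
    det_reverse(&m, ip4(1,0,0,7), 20000, &in);
    printf("1.0.0.7:20000 -> 10.0.%u.%u\n", (in >> 8) & 0xff, in & 0xff);
    printf("1000 users spread over %u pool addresses\n", persistent_spread(1000));
    return 0;
}
```

Two things worth noticing when turning part 2 into a patch. The user table is exactly the "extra hash table for user-outside address mappings" Klement mentions for ED NAT, and it is new state that any inside host can create just by sending one packet, so it needs to be sized for the subscriber count and to have a defined behaviour when full (here it returns 0, i.e. the caller must fall back). Linux's "persistent" SNAT avoids that state entirely by hashing the source address with a random seed chosen at initialisation, which gives the same stickiness, survives a restart, and cannot be filled up; the price is that a given inside address always lands on the same pool address, so there is nothing to age out when a "session" ends.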
View/Reply Online (#18778): https://lists.fd.io/g/vpp-dev/message/18778