NAT44-ED: NAT44 Endpoint Dependent

Introduction

NAT44-ED is the IPv4 endpoint dependent network address translation plugin. The component implements an address and port-dependent mapping and address and port-dependent filtering NAT as described in RFC4787.

The outside address and port (X1’:x1’) is reused for internal hosts (X:x) for different values of Y:y. A flow is matched by {source address, destination address, protocol, transport source port, transport destination port, fib index}. As long as all these are unique the mapping is valid. While a single outside address in theory allows for 2^16 source ports * 2^32 destination IP addresses * 2^16 destination ports = 2^64 sessions, this number is much smaller in practice. Few destination ports are generally used (80, 443) and a fraction of the IP address space is available. The limitation is 2^16 bindings per outside IP address to a single destination address and port (Y:y).

The implementation is split, a control-plane / slow-path and a data-plane / fast-path. Essentially acting as a flow router. The data-plane does a 6-tuple flow lookup (SA, DA, P, SP, DP, FIB) and on a match runs the per-flow packet handling instructions on the packet. On a flow lookup miss, the packet is punted to the slow-path, where depending on policy new sessions are created.

The support set of packet handling instructions is ever-increasing. Currently, the implementation supports rewrite of SA, DA, SP, DP and TCP MSS. The fast-path also does connection tracking and expiry of older sessions.

NAT44-ED uses 6 tuple(src address, src port, dst address, dst port, protocol and fib)for matching communication.

Structure

  1. Dynamic NAT

  • also called PAT (Port Address Translation)

  • supports port overloading

  1. Static NAT

  • types of Static NAT:

    1. identity mapping

    • exceptions to translations

    1. static mapping

    • supported features:

      1. address only mapping

      • one to one translation without ports

      1. twice-nat

      • double-nat, translation of source and destination

      1. self-twice-nat

      • double nat, translation of source and destination, where external host address is the same as local host address

      1. out2in-only mapping

      • session is created only from outside interface (out2in feature)

    1. load balanced static mapping

    • translates one frontend (addr:port) to multiple backends (addr:port)

  1. Interfaces

  1. inside interface (in2out feature) - local to external network translation - feature is before ip4-lookup

  2. outside interface (out2in feature) - external to local network translation - feature is before ip4-lookup

  3. inside & outside interface (classify feature) - local or external network translation - correct type of translation is determined per communication - feature is before ip4-lookup

  4. output interface (output feature) - used for post routing translation - feature is after ip4-lookup

  1. Addresses

  1. interface address - automatically managed external address - first address of VPP interface

  2. pool address - range of external addresses

  1. Logging and Accounting

  1. ipfix logging

  2. syslog

  1. Miscellaneous Features

  1. inter-vrf translation control 1. basic

    • nat44 plugin enable inside-vrf / outside-vrf

    • inside/outside interface vrf’s

      1. advanced

    • vrf table routing feature

  2. udp/tcp/icmp timeouts - configurable timeouts for these protocols

  3. session limiting 1. basic (plugin enable [sessions ] 2. advanced (per vrf table / global limiting)

  4. mss-clamping - MSS (maximum segment size) is by default determined by egress interface MTU (maximum transmission unit) size - used to lower MSS value in VPN tunnel scenarios where additional headers can enlarge the packet beyond MTU causing drops

  5. hairpinning - hosts on the same lan segment communicating via external address

  6. forwarding - if enabled translation only occurs if active session or static configuration exist, rest of the traffic is passed without being translated

Session Table

Session table exists per thread and contains pool of sessions that can be either expired or not expired. NAT44-ED plugin doesn’t use scavenging for clearing expired sessions. Rather then using scavenging plugin uses LRU doubly-linked list. LRU contains ordered list of sessions indices. Head of the list contains last updated session. Each session holds record of the LRU head (tcp transitory, tcp established, udp, icmp or unknown lru head). Because of this plugin can reach maximum number of sessions without requirement to clear old sessions. During session creation if a maximum number of sessions was reached LRU head is checked. Expired head record gets deleted and a new session gets created. For better performance LRU head records exist. Each time a new packet is received session index gets moved to the tail of LRU list.

Terminology

IN2OUT (inside to outside translation) OUT2IN (outside to inside translation)

NAT (network address translation) PAT (port address translation) MSS (maximum segment size) MTU (maximum transmission unit) VRF (virtual routing and forwarding)

HAIRPINNING

Dynamic NAT (Minimal Required Configuration)

    +-------------+
    | 10.0.0.0/24 |
    +-------------+
           |
+----------------------+
| GigabitEthernet0/8/0 |
+----------------------+
+----------------------+
| GigabitEthernet0/a/0 |
+----------------------+
           |
    +-------------+
    | 10.0.1.0/24 |
    +-------------+
  1. enable nat plugin

nat44 enable sessions 10000

  1. configure NAT interfaces, two options:

  1. add inside NAT interface on local VPP interface, add outside NAT interface on external VPP interface

set interface nat44 in GigabitEthernet0/8/0 out GigabitEthernet0/a/0

  1. add output NAT interface on external VPP interface

set interface nat44 in GigabitEthernet0/a/0 output-feature

  1. configure NAT address

  1. add external address range

nat44 add address 10.0.1.1

  1. add external VPP interface address

nat44 add interface address GigabitEthernet0/a/0

Static NAT

Identity Mapping

nat44 add identity mapping ip4-addr|external interface [protocol port] [vrf table-id] [del]

Static Mapping

nat44 add static mapping tcp|udp|icmp local addr [port|icmp-echo-id] external addr [port|icmp-echo-id] [vrf table-id] [twice-nat|self-twice-nat] [out2in-only] [exact pool-addr] [del]

Load Balanced Static Mapping

nat44 add load-balancing back-end protocol tcp|udp external addr:port local addr:port [vrf table-id] probability n [del]

nat44 add load-balancing static mapping protocol tcp|udp external addr:port local addr:port [vrf table-id] probability n [twice-nat|self-twice-nat] [out2in-only] [affinity timeout-seconds] [del]

Interfaces

Inside Interface

     NAT INSIDE IF
+----------------------+
| GigabitEthernet0/8/0 |
+----------------------+

set interface nat44 in GigabitEthernet0/8/0 [del]

NAT inside interface is used for translating local to external communication. Translates Dynamic and Static NAT traffic. If no matching session is found a new session is created for both Dynamic NAT and Static NAT. Dynamic NAT sessions can get created only on inside interface.

Outside Interface

     NAT OUTSIDE IF
+----------------------+
| GigabitEthernet0/a/0 |
+----------------------+

set interface nat44 out GigabitEthernet0/a/0 [del]

NAT outside interface is used for translating external to local communication. Translates Dynamic and Static NAT traffic. New session gets created only if no matching session is found and matching Static NAT configuration exists.

Inside & Outside Interface

    NAT IN AND OUT IF
+----------------------+
| GigabitEthernet0/8/0 |
+----------------------+
    NAT IN AND OUT IF
+----------------------+
| GigabitEthernet0/a/0 |
+----------------------+

set interface nat44 in GigabitEthernet0/8/0 out GigabitEthernet0/8/0 [del]

set interface nat44 in GigabitEthernet0/a/0 out GigabitEthernet0/a/0 [del]

If one VPP interface is configured both as inside and outside NAT interface then classification feature is used. By default NAT inside interface uses in2out feature and NAT outside uses out2in feature. Classification feature determines if the communication should be passed to in2out feature or to out2in feature. Traffic will get passed to out2in feature if destination address is one of NAT addresses or a static mapping in out2in direction flow matches this communication. By default all traffic is passed to in2out feature.

Output Interface

    +-------------+          +-------------+
    | 10.0.2.0/24 |          | 10.0.3.0/24 |
    +-------------+          +-------------+
           |                        |
+----------------------+ +----------------------+
| GigabitEthernet0/7/0 | | GigabitEthernet0/8/0 |
+----------------------+ +----------------------+
                  NAT OUTPUT IF
            +----------------------+
            | GigabitEthernet0/a/0 |
            +----------------------+
                   +----------+
                   | 10.0.1.1 |
                   +----------+
                        |
                  +-------------+
                  | 10.0.1.0/24 |
                  +-------------+

set interface nat44 in GigabitEthernet0/a/0 output-feature [del]

NAT output interface acts as both inside and outside interfaces. Inside rules apply for all egress communication on VPP interface and outside rules apply for all ingress communication. Compared to inside/outside NAT configuration method non of the local interfaces require to be configured as inside NAT interfaces. Translation only occurs after routing decision has been made and just before leaving NAT output interface. In above example all traffic destined for 10.0.1.0/24 from 10.0.2.0/24 or 10.0.3.0/24 will get translated. NAT output interface acts as post-routing feature.

Addresses

Interface Address

nat44 add interface address interface twice-nat [del]

NAT interface address is a standard external pool address that gets auto added upon resolving first VPP interface address. Supports both standard address and twice-nat address. Twice-nat address is used in conjunction with static mapping twice-nat and self-twice-nat feature.

Pool Address

nat44 add address ip4-range-start [- ip4-range-end] [tenant-vrf vrf-id] twice-nat [del]

Statically configured address or range of addresses that supports both standard and twice-nat address. Specifying vrf-id lets user assign address/addresses to specific NAT inside interfaces that belong to the same vrf table.

Logging

nat set logging level level

Configuration of logging level is used only for internal VPP logging.

nat ipfix logging [domain domain-id] [src-port port] [disable]

Both syslog and ipfix support connection tracking capabilities. Session creation, session deletion, maximum sessions exceeded among other things are logged by syslog and ipfix.

Miscellaneous

VRFs

         VRF 0                    VRF 1
    +-------------+          +-------------+
    | 10.0.2.0/24 |          | 10.0.3.0/24 |
    +-------------+          +-------------+
           |                        |
     NAT INSIDE IF            NAT INSIDE IF
+----------------------+  +----------------------+
| GigabitEthernet0/7/0 |  | GigabitEthernet0/8/0 |
+----------------------+  +----------------------+
     NAT OUTSIDE IF           NAT OUTSIDE IF
+----------------------+  +----------------------+
| GigabitEthernet0/a/0 |  | GigabitEthernet0/b/0 |
+----------------------+  +----------------------+
         VRF 2                      VRF 3
           |                          |
           +--------------------------+
                        |
     +------------+------------+------------+
     |            |            |            |
+----------+ +----------+ +----------+ +----------+
| 10.0.0.1 | | 10.0.0.2 | | 10.0.1.1 | | 10.0.1.2 |
+----------+ +----------+ +----------+ +----------+
 VRF 0 POOL   VRF 1 POOL   VRF 0 POOL   VRF 1 POOL

nat44 add address ip4-addr [tenant-vrf vrf-id] [del]

nat44 plugin enable inside-vrf vrf-id outside-vrf vrf-id [disable]”,

Default behavior

By design NAT supports passing communication between VRFs. Passing communication between multiple different VRFs is also supported (GE0/7/0 -> GE0/b/0, GE0/8/0 -> GE0/a/0).

NAT pool address tenant-vrf configuration parameter is used to constrain pool address to specific inside VRF. Example communication (in the above diagram): 1) from GE0/7/0 -> GE0/b/0 would choose 10.0.1.1 pool address 2) from GE0/8/0 -> GE0/b/0 would choose 10.0.1.2 pool address

Plugin enable parameters inside-vrf and outside-vrf are used as follows:

Both inside-vrf and outside-vrf configuration parameters are used in conjunction with Static NAT, inside-vrf is only used for Static NAT.

inside VRF: - used only in conjunction with static mappings - default inside VRF parameter is used in in2out feature to lookup static mapping if mapping can’t be found by inside interface VRF - used as default when adding static mappings as in2out vrf

outside VRF: - used in conjunction with static mappings - secondary option for looking up static mappings in in2out feature based on outside VRF - used as default destination vrf in in2out feature during session creation if non of outside interfaces can resolve destination IP address

Session creation default behavior (in2out only): - ingress interface fib is used as inside fib - Outside fib is chosen based on ability to resolve destination address in one of the outside interface networks. if there is no such network that is able to resolve destination a default outside fib (outside vrf index) is used.

Default behavior enables use of multiple outside and inside fibs with some limitations. The limitation in the default behavior is that if each interface belonging to different fib contains default gateway every time first interface network fib gets used as outside fib index during session creation.

VRF tables

nat44 vrf table [add|del] vrf-id

nat44 vrf route [add|del] table vrf-id vrf-id

VRF tables change the default behavior of working with inter-vrf communication. Adding empty VRF table disables passing communication between VRFs. Adding additional routes to the table makes destination VRF decision making algorithm do lookups into these tables. During session creation destination VRF in in2out feature is resolved by traversing VRF routes in the matching VRF table. If VRF route resolves destination IPv4 address then this VRF gets used. If non VRF route can resolve destination IPv4 address If VRF route can’t be found source VRF will be used. Priority of VRF routes is based on order of configuration.

Timeouts

set nat timeout [udp sec | tcp-established sec tcp-transitory sec | icmp sec | reset]

Session Limiting

nat44 enable sessions max-number

Maximum number of sessions value is used on per-thread (per-worker) basis.

set nat44 session limit limit [vrf table-id]

Per-vrf session limiting makes it possible to split maximum number of sessions between different VRFs.

MSS Clamping

nat mss-clamping mss-value|disable

Forwarding

nat44 forwarding enable|disable

Additional Configuration Commands

set nat frame-queue-nelts number
set nat workers workers-list
nat44 del session in|out addr:port tcp|udp|icmp [vrf id] [external-host addr:port]

Show commands

show nat workers
show nat timeouts
show nat44 summary
show nat44 sessions
show nat44 addresses
show nat mss-clamping
show nat44 interfaces
show nat44 vrf tables
show nat44 hash tables
nat44 show static mappings
show nat44 interface address

Configuration Examples

TWICE-NAT

Twice NAT lets you translate both the source and destination address in a single rule. Currently, twice NAT44 is supported only for local network service session initiated from outside network. Twice NAT static mappings can only get initiated (create sessions) from outside network.

Topology

+--------------------------+
| 10.0.0.2/24 (local host) |
+--------------------------+
            |
+---------------------------------+
| 10.0.0.1/24 (eth0) (nat inside) |
| 20.0.0.1/24 (eth1) (nat outside)|
+---------------------------------+
            |
+---------------------------+
| 20.0.0.2/24 (remote host) |
+---------------------------+

In this example traffic will be initiated from remote host. Remote host will be accessing local host via twice-nat mapping.

Translation will occur as follows:

outside to inside translation:

src address: 20.0.0.2 -> 192.168.160.101
dst address: 20.0.0.1 -> 10.0.0.2

inside to outside translation:

src address: 10.0.0.2 -> 20.0.0.1
dst address: 192.168.160.101 -> 20.0.0.2

Configuration

Enable nat44-ed plugin:

nat44 enable sessions 1000

Configure inside interface:

set int state eth0 up
set int ip address eth0 10.0.0.1/24
set int nat44 in eth0

Configure outside interface:

set int state eth1 up
set int ip address eth1 20.0.0.1/24
set int nat44 out eth1

Configure nat address pools:

nat44 add address 20.0.0.1
nat44 add address 192.168.160.101 twice-nat
  • alternatively we could use nat44 add interface address eth1

  • both pools are required

  • pool 20.0.0.1 is used for out2in incoming traffic

  • special twice-nat pool 192.168.160.101 is used for secondary translation

Finally, add twice-nat mapping:

nat44 add static mapping tcp local 10.0.0.2 5201 external 20.0.0.1 5201 twice-nat

SELF TWICE-NAT

Self twice NAT works similar to twice NAT with few exceptions. Self twice NAT is a feature that lets client and service running on the same host to communicate via NAT device. This means that external address is the same address as local address. Self twice NAT static mappings can only get initiated (create sessions) from outside network.

Topology

+--------------------------+
| 10.0.0.2/24 (local host) |
+--------------------------+
            |
+-------------------------------------------+
| 10.0.0.1/24 (eth0) (nat inside & outside) |
+-------------------------------------------+

In this example traffic will be initiated from local host. Local host will be accessing itself via self-twice-nat mapping.

Translation will occur as follows:

outside to inside translation:

src address: 10.0.0.2 -> 192.168.160.101
dst address: 10.0.0.1 -> 10.0.0.2

inside to outside translation:

src address: 10.0.0.2 -> 10.0.0.1
dst address: 192.168.160.101 -> 10.0.0.2

Configuration

Enable nat44-ed plugin:

nat44 enable sessions 1000

Configure NAT interface:

set int state eth0 up
set int ip address eth0 10.0.0.1/24
set int nat44 in eth0
set int nat44 out eth0

Configure nat address pools:

nat44 add address 10.0.0.1
nat44 add address 192.168.160.101 twice-nat

Finally, add self-twice-nat mapping:

nat44 add static mapping tcp local 10.0.0.2 5201 external 10.0.0.1 5201 self-twice-nat