T160: nat64: prototype

Open vfreex opened this issue 2 years ago • 6 comments

Use tayga to do NAT64 translation.

Example usage:

# Stateful NAT64
set interfaces nat64 nat64eth0 ipv4-address '192.168.64.1'
set interfaces nat64 nat64eth0 ipv6-address '2001:db8::1'
set interfaces nat64 nat64eth0 stateful ipv4-pool '192.168.64.0/24'
set interfaces nat64 nat64eth0 stateful prefix '2001:db8:64::/96'
commit
set protocols static route 192.168.64.0/24 interface nat64eth0
set protocols static route6 2001:db8:64::/96 interface nat64eth0
commit

ping6 2001:db8:64::8.8.8.8
PING 2001:db8:64::8.8.8.8(2001:db8:64::808:808) 56 data bytes
64 bytes from 2001:db8:64::808:808: icmp_seq=1 ttl=113 time=46.5 ms
64 bytes from 2001:db8:64::808:808: icmp_seq=2 ttl=113 time=47.1 ms
64 bytes from 2001:db8:64::808:808: icmp_seq=3 ttl=113 time=46.7 ms
64 bytes from 2001:db8:64::808:808: icmp_seq=4 ttl=113 time=47.0 ms
^C
--- 2001:db8:64::8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 8ms
rtt min/avg/max/mdev = 46.518/46.836/47.138/0.290 ms


# static 1-1 mappings
set interfaces nat64 nat64eth0 host-mapping ipv6 2001:db8:1000::100 ipv4 192.168.64.100
set interfaces nat64 nat64eth0 host-mapping ipv6 2001:db8:1000::101 ipv4 192.168.64.101

Change Summary

Types of changes

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Code style update (formatting, renaming)
  • [ ] Refactoring (no functional changes)
  • [ ] Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • [ ] Other (please describe):

Related Task(s)

  • https://phabricator.vyos.net/T160

Component(s) name

Proposed changes

How to test

Checklist:

  • [x] I have read the CONTRIBUTING document
  • [x] I have linked this PR to one or more Phabricator Task(s)
  • [ ] I have run the components SMOKETESTS if applicable
  • [x] My commit headlines contain a valid Task id
  • [ ] My change requires a change to the documentation
  • [ ] I have updated the documentation accordingly

vfreex, Jul 11 '22 18:07

This is just a prototype to explore how to integrate tayga into VyOS.

vfreex, Jul 11 '22 18:07

Fixed MTU check.

vfreex, Jul 22 '22 04:07

Are you going to implement NAT64? This is a nice feature!

jack9603301, Aug 03 '22 12:08

@jack9603301 Hi, this is just a prototype PR to show how to implement NAT64 with tayga. I just tested the basic functionalities of NAT64 for this PR. It would be nice if someone can take over this work and get it into vyos.

Also, as I posted in https://phabricator.vyos.net/T160, I know a lot of people want Jool because of its performance. However, it would require a much larger effort to integrate, and I am not sure how to get the firewall integrated correctly with Jool either. Another concern is that an out-of-tree kernel module could be hard to maintain in the long term, unless it gets merged into the upstream kernel.

So my take is:

  • If someone can get NAT64 implemented with Jool, go for it.
  • Otherwise, tayga sounds like something we can have NOW.

Another high performance option is using VPP. I don't know if vyos has a plan to integrate VPP, but I do have some thoughts and a working demo to show how to integrate it.

vfreex, Aug 09 '22 22:08

I think now may be an opportunity. I found the following links:

  • https://packages.debian.org/stable/jool-dkms (source package)
  • https://packages.debian.org/stable/jool-tools
  • https://packages.debian.org/stable/unbound
  • https://packages.debian.org/stable/dnsutils

Now there is no difficulty in maintaining its kernel module; it seems that Debian has helped us maintain it.

Maybe we need a little experimentation to make sure it works.

But that means vyos needs to maintain each version of jool-dkms by itself.

Also about VPP, I don't think vyos should and won't use VPP because VPP depends on DPDK

jack9603301, Aug 31 '22 17:08

Thanks for the review and suggestions. I have updated the PR to address all the issues.

@jack9603301 Re JOOL, I would like to see a prototype in a separate PR. I may have a look at it as well if I have enough time.

vfreex, Sep 17 '22 09:09

This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions[bot], Dec 12 '22 15:12

@vfreex could you resolve conflicts?

sever-sever, Mar 29 '23 12:03

@sever-sever This PR is meant to be a demo and I don't think it is going to be merged as is. I probably won't keep this PR up to date unless I see that people agree to implement it this way.

vfreex, Jun 29 '23 17:06

TAYGA hasn't been updated since 2011 and since it's a userspace implementation, it's going to be a huge performance concern. We will look into adding nftables support to Jool instead.

dmbaturin, Aug 31 '23 15:08