Re: [vpp-dev] Sanity check re: NAT for same-service mapping

2019-01-30 Thread JB
Hello everyone,   I've just come back from vacation and picked this up again. I've not yet found a pretty solution to the issues that are present when using NAT on a large scale and communicating with sources that require clients to communicate from the same external IP. I had hoped we wouldn't n

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

2018-12-20 Thread JB
e Troan Cc: vpp-dev@lists.fd.io Subject: RE: [vpp-dev] Sanity check re: NAT for same-service mapping Hi, NAT address and port allocation is pluggable, you can write your own algorithm and use it instead of default (currently we support two additional port restricted algorithms map-e and port ran

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

2018-12-19 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco) via Lists.Fd.Io
Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Sanity check re: NAT for same-service mapping I've noted a potential modification as to how we do dynamic NAT that would alleviate issues seen by for example banks (they depend on this a lo

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

2018-12-19 Thread JB
4 PM To: Ole Troan; Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Sanity check re: NAT for same-service mapping Hi Matus, Thanks, that's how I figured that it works, and was the root of my concern and the idea of reserv

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

2018-12-18 Thread JB
EON TECHNOLOGIES at Cisco) Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Sanity check re: NAT for same-service mapping Hi Matus, Brilliant, thanks! However, then isn't it possible for a client to end up exposing two different external IPs to an endpoint if the client opens two separate sess

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

2018-12-18 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco) via Lists.Fd.Io
: Tuesday, December 18, 2018 2:23 PM To: Ole Troan ; Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Sanity check re: NAT for same-service mapping Hi Matus, Brilliant, thanks! However, then isn't it possible for a client to end up exposin

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

2018-12-18 Thread JB
: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Sanity check re: NAT for same-service mapping Hi Matus, That is... Interesting. Is the behaviour dependent on the presence of STUN packets? Sincerely, John Sent from my phone On Tue, Dec 18, 2018 at 10:08 AM +0100, "Matus Fabian -X (matfabia - PANTH

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

2018-12-18 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco) via Lists.Fd.Io
=3ce83ea26022fac43045fc88bfb37466c78c98dd;hb=HEAD#l58 Matus From: John Biscevic Sent: Tuesday, December 18, 2018 10:53 AM To: Ole Troan ; Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Sanity check re: NAT for same-service mapping Hi Matus, That is... Interesting. Is

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

2018-12-18 Thread JB
oint independent mapping is default behaviour Matus From: John Biscevic Sent: Tuesday, December 18, 2018 10:03 AM To: Ole Troan ; Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Sanity check re: NAT for same-service mapping Hi Matus, Th

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

2018-12-18 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco) via Lists.Fd.Io
Endpoint independent mapping is default behaviour Matus From: John Biscevic Sent: Tuesday, December 18, 2018 10:03 AM To: Ole Troan ; Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Sanity check re: NAT for same-service mapping Hi

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

2018-12-18 Thread JB
wiki.fd.io/view/VPP/NAT#NAT44 Matus -Original Message- From: vpp-dev@lists.fd.io On Behalf Of JB Sent: Tuesday, December 18, 2018 12:02 AM To: Ole Troan Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Sanity check re: NAT for same-service mapping Hi Ole, Absolutely, Endpoint independent mapping i

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

2018-12-17 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco) via Lists.Fd.Io
: Ole Troan Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Sanity check re: NAT for same-service mapping Hi Ole, Absolutely, Endpoint independent mapping is the safest bet, which is why it is recommended. It is unfortunate that we cannot rely on services being IP source agnostic or that STUN will

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

2018-12-17 Thread JB
nd regards, John From: Ole Troan Sent: Monday, December 17, 2018 10:26 PM To: John Biscevic Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Sanity check re: NAT for same-service mapping > This might be best answered by Matus since it regards NAT, but

Re: [vpp-dev] Sanity check re: NAT for same-service mapping

2018-12-17 Thread Ole Troan
> This might be best answered by Matus since it regards NAT, but I'll throw it > out there for the whole group. > > The endpoint-dependent feature of the NAT plugin – Endpoint address AND port > dependent I presume from the 6-tuple description of it – allows us to map the > same internal source

[vpp-dev] Sanity check re: NAT for same-service mapping

2018-12-17 Thread JB
Hello group, This might be best answered by Matus since it regards NAT, but I'll throw it out there for the whole group. The endpoint-dependent feature of the NAT plugin – Endpoint address AND port dependent I presume from the 6-tuple description of it – allows us to map the same internal sour