Hi!
> Certainly cool if you could find a use for VPP this way.
Yes, we will be glad to use VPP as a high-performance NAT server in our
infrastructure, if it works stably :)
Nowadays we are using six servers, each with dual 10G NICs and 12 CPU cores.
This works on the simple SNAT iptables module (only one rule in iptables) for
NAT with pooled subscribers and the NETMAP module for 1:1 NAT. But this scheme is
hard to scale. And it would be cool to use only two NAT servers (in VRRP mode,
one active and one backup) with 12 cores and a single-port 40G NIC (Intel XL710BM1),
using tagged VLANs.
Speed shaping and subscriber access are realized by a Cisco SCE8000.
Our network topology consists of about ten hardware routers in different regions,
and these routers have a default route to the NAT servers (this is a static route). In
other words, every region router depends on the NAT server. We want to keep this
topology, because it works well.
> So you already run double NAT?
No, we don't do this scheme; VPP is only for testing purposes in our office,
not for all subscribers yet.
> Any idea of how many PPTP users you have? E.g. if you are restricting to one
> PPTP session per subscriber, you may be able to create transport independent
> sessions for those. That is, only use IP src, dst and protocol.
Yes, I'm running tcpdump on every NAT server and calculating how many subscribers
are using PPTP sessions, but this statistic is only for 3 hours. It's about 1000
subscribers; I'm thinking this number is bigger at other times. We can assume
that 3000 subscribers can be using PPTP. But it will be difficult to support
transport independent sessions for those.
> Does iptables have a PPTP ALG?
Yes, iptables supports a PPTP ALG (in Linux kernel 3.10, CentOS 7).
> For the other IPv4 sunsetting mechanisms (MAP-E, MAP-T, LW46, ...), we (as in
> the IETF) decided to not support those protocols.
Not sure that we need these mechanisms.
> Just move people to IPv6. ;-)
This is planned for after... sometime ;-) But seriously, this is very
expensive; IPv6 addressing is much more expensive than IPv4.
> Another approach would be to do ALGs as plugins into the SNAT code. Need to
> think some more about that.
It's not critical how to integrate this into VPP, statically or as a plugin. If this
is done, we can integrate VPP into our production network. The SIP protocol is
needed too. So, I don't know about SNMP; as I understand it, this is not working
via the SNAT plugin either. But I'm thinking that SNMP is not used by many subscribers,
and if it is used, we can recommend those to use SNMP over some tunnel transport.
Thanks!
--
Yours sincerely,
Denis Lotarev
On Wednesday, June 14, 2017, 1:31:28 AM GMT+5, otr...@employees.org
<otr...@employees.org> wrote:
Denis,
[off-list]
> I agree with you as the end user that these protocols are insecure and
> deprecated, but on the other hand, as a service provider we should
> transmit all client traffic to another point :)
> A service provider shouldn't tell the client what protocols to use or not use.
> And if an ISP has about 10000 clients with PPTP or SIP protocols (only for
> forwarding this traffic to another point), what should the service provider do
> without supporting ALG?
Certainly cool if you could find a use for VPP this way.
So you already run double NAT?
Any idea of how many PPTP users you have? E.g. if you are restricting to one
PPTP session per subscriber, you may be able to create transport independent
sessions for those. That is, only use IP src, dst and protocol.
For SIP that approach might be trickier.
Does iptables have a PPTP ALG?
For the other IPv4 sunsetting mechanisms (MAP-E, MAP-T, LW46, ...), we (as in
the IETF) decided to not support those protocols.
Just move people to IPv6. ;-)
Another approach would be to do ALGs as plugins into the SNAT code. Need to
think some more about that.
Cheers,
Ole
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
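The "transport independent sessions" idea from the thread above, as an added illustration that is not code from VPP or from either correspondent: a toy SNAT session table that keys TCP/UDP flows on the usual 5-tuple but keys GRE (IP protocol 47, which carries PPTP data) on (protocol, source, destination) only. Because return GRE traffic can only be matched on (protocol, peer, public address), each public address can serve one inside host per PPTP peer; the example makes that limit explicit by refusing a session it could not disambiguate on the way back, instead of rewriting GRE call IDs as a full PPTP ALG would. All addresses, the pool size and the scenario are constructed for the example.

```python
"""Toy NAT44 session table showing port-based (5-tuple) sessions beside
transport-independent (3-tuple) sessions for port-less protocols such as GRE.
Constructed example; not VPP's SNAT plugin and not iptables."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for port-less protocols such as GRE
    dport: Optional[int] = None


class NatTable:
    """Minimal SNAT state: one entry per flow, keyed per protocol family."""

    def __init__(self, public_ips: List[str], port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ips = list(public_ips)
        self.port_lo, self.port_hi = port_range
        self.next_port = {ip: self.port_lo for ip in self.public_ips}
        self.out: Dict[tuple, Tuple[str, Optional[int]]] = {}  # inside key -> public side
        self.inb: Dict[tuple, Tuple[str, Optional[int]]] = {}  # outside key -> inside side

    def translate_out(self, p: Packet) -> Optional[Packet]:
        """Rewrite an inside->outside packet; None means the NAT cannot carry this flow."""
        if p.proto == PROTO_GRE:
            key = (PROTO_GRE, p.src, p.dst)
            if key not in self.out:
                # Transport-independent session: the return path can only be matched on
                # (proto, peer, public ip), so each public ip may serve one inside host per
                # GRE peer.  Pick a public ip not yet paired with this peer.
                free = [ip for ip in self.public_ips if (PROTO_GRE, p.dst, ip) not in self.inb]
                if not free:
                    return None  # a second session would be ambiguous on the return path
                self.out[key] = (free[0], None)
                self.inb[(PROTO_GRE, p.dst, free[0])] = (p.src, None)
            pub, _ = self.out[key]
            return Packet(PROTO_GRE, pub, p.dst)

        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.out:
            for ip in self.public_ips:  # first public ip with a free port
                if self.next_port[ip] <= self.port_hi:
                    port = self.next_port[ip]
                    self.next_port[ip] += 1
                    break
            else:
                return None  # port pool exhausted
            self.out[key] = (ip, port)
            self.inb[(p.proto, p.dst, p.dport, ip, port)] = (p.src, p.sport)
        pub, pport = self.out[key]
        return Packet(p.proto, pub, p.dst, pport, p.dport)

    def translate_in(self, p: Packet) -> Optional[Packet]:
        """Rewrite an outside->inside packet; None means no session exists, so drop it."""
        if p.proto == PROTO_GRE:
            hit = self.inb.get((PROTO_GRE, p.src, p.dst))
            return Packet(PROTO_GRE, p.src, hit[0]) if hit else None
        hit = self.inb.get((p.proto, p.src, p.sport, p.dst, p.dport))
        if not hit:
            return None
        return Packet(p.proto, p.src, hit[0], p.sport, hit[1])


def demo() -> dict:
    """Constructed scenario: two public ips, three subscribers reaching one PPTP server."""
    nat = NatTable(["203.0.113.1", "203.0.113.2"])
    server = "198.51.100.7"  # constructed PPTP server address
    # PPTP control channel is plain TCP/1723: ordinary 5-tuple sessions, no special limit.
    ctl = [nat.translate_out(Packet(PROTO_TCP, f"10.0.0.{i}", server, 40000, 1723)) for i in (1, 2, 3)]
    # PPTP data is GRE: at most one concurrent session per (public ip, peer) pair.
    gre = [nat.translate_out(Packet(PROTO_GRE, f"10.0.0.{i}", server)) for i in (1, 2, 3)]
    # Return GRE from the server to the second public ip lands on subscriber 2.
    back = nat.translate_in(Packet(PROTO_GRE, server, "203.0.113.2"))
    # Unsolicited GRE from a peer with no session is dropped.
    stray = nat.translate_in(Packet(PROTO_GRE, "198.51.100.9", "203.0.113.1"))
    return {"ctl": ctl, "gre": gre, "back": back, "stray": stray}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With two public addresses the third subscriber's GRE session is refused (the control channel on TCP/1723 still translates), which is the capacity trade-off behind the "one PPTP session per subscriber" restriction discussed in the thread: the pool of public addresses, not the port space, bounds concurrent PPTP users per peer.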