Hi Xuo,

That is a fair point, but I don't think it should be NAT's responsibility to implement DoS prevention mechanisms. This would require having some sort of list of IP addresses for all dynamic clients, and that would greatly decrease the performance of NAT. This kind of protection could be achieved through some other plugin preceding NAT, making it more modular.

Best regards,
Filip

From: Xuo Guoto <xuogu...@protonmail.com>
Sent: Tuesday, March 30, 2021 10:26 AM
To: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: RE: [vpp-dev] nat-ed and max translations per user
Importance: High

Thanks Filip!

It's clear that ED does not support per-IP session limiting, but one question remains: what if one private IP generates so many sessions that all the sessions of that thread are taken by sessions from that IP? This can happen in the case of a virus- or worm-infected machine in the LAN. How can VPP defend itself in this case?

X.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, March 29, 2021 9:27 PM, Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com> wrote:

Hello,

Max translations per user is a NAT44 EI (endpoint independent) plugin concept. The EI plugin was previously a mode of NAT: NAT would run either EI or ED (endpoint dependent). If you are interested in running EI mode, please use the plugin configuration as follows:

    nat44 ei enable
    nat44 ei add interface
    nat44 ei add static interface
    ...

All nat44 ei plugin commands are prefixed with ei.

In the NAT44 ed plugin you are not able to specify session limiting based on internal IP address, in other words per user. You can only specify a per-VRF limit if you like, with:

    set nat44 session limit

P.S. nat44 ed commands will also be prefixed with ed in the near future.

Best regards,
Filip Varga

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Xuo Guoto via lists.fd.io
Sent: Monday, March 29, 2021 5:48 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] nat-ed and max translations per user
Importance: High

Hello,

While going through the NAT configuration of the latest VPP, I find that max translations per user is missing and is kind of replaced by "nat44 enable sessions 400000 endpoint-dependent", which limits max translations per thread. Is there any equivalent config of max translations per user in the latest VPP? If not, how to prevent one user (possibly infected) from using up all the sessions of a thread and creating a DoS situation?

X.
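The exhaustion scenario discussed in this thread, as an added model that is not VPP code: a constructed per-thread session table with only a thread-wide cap (the role of the ED "sessions" limit) beside the same table with a per-internal-IP quota checked ahead of the shared table (the kind of protection a plugin preceding NAT could provide). The limits, addresses and flow counts are constructed for illustration.

```python
from collections import defaultdict

# Constructed model, not VPP code. A NAT worker thread holds at most
# THREAD_LIMIT sessions, standing in for "nat44 enable sessions N endpoint-dependent".
THREAD_LIMIT = 1000


class SessionTable:
    """Per-thread ED-style session table with an optional per-internal-IP quota."""

    def __init__(self, thread_limit, per_user_limit=None):
        self.thread_limit = thread_limit
        self.per_user_limit = per_user_limit  # None = behave like plain ED mode
        self.sessions = set()                 # (in_ip, in_port, out_ip, out_port)
        self.per_user = defaultdict(int)      # sessions currently held by each internal IP

    def open_session(self, in_ip, in_port, out_ip, out_port):
        """Return True if a new translation is admitted, False if it is refused."""
        key = (in_ip, in_port, out_ip, out_port)
        if key in self.sessions:
            return True  # existing flow, nothing new to allocate
        # The per-user check runs before the shared table is touched, so a host
        # over its quota never consumes a slot that other hosts need.
        if self.per_user_limit is not None and self.per_user[in_ip] >= self.per_user_limit:
            return False
        if len(self.sessions) >= self.thread_limit:
            return False
        self.sessions.add(key)
        self.per_user[in_ip] += 1
        return True


def simulate(per_user_limit=None):
    """One infected LAN host opens 2000 outbound flows; then a normal host tries one."""
    table = SessionTable(THREAD_LIMIT, per_user_limit)
    infected, victim = "10.0.0.66", "10.0.0.7"   # constructed RFC 1918 addresses
    for port in range(1024, 3024):               # 2000 distinct outbound flows
        table.open_session(infected, port, "203.0.113.9", 80)
    victim_admitted = table.open_session(victim, 40000, "198.51.100.1", 443)
    return {
        "infected_sessions": table.per_user[infected],
        "table_used": len(table.sessions),
        "victim_admitted": victim_admitted,
    }


if __name__ == "__main__":
    print("plain ED (thread limit only):", simulate())
    print("with per-user quota of 200:  ", simulate(per_user_limit=200))
```

Without the quota the infected host fills the whole thread table and the second host is refused; with it, the infected host is capped and the second host's flow is still admitted.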
Links: View/Reply Online (#19057): https://lists.fd.io/g/vpp-dev/message/19057