Support Host-Based Edge Translation #177

Closed
ydahhrk opened this Issue Sep 30, 2015 · 4 comments

ydahhrk commented Sep 30, 2015

Branched off #140.

"Host-Based Edge Translation" is when a machine translates its own IP traffic.

This is due 3.4.0 because network namespace support was already achieved (14a233d), and therefore there's now a theoretical (I haven't tested it) way to achieve HBET even though we haven't migrated frameworks.

(This can be proven false by the testing, of course.)

toreanderson commented Oct 1, 2015

I just tested this by setting up local CLAT termination to trex.fi's public NAT64 instance. It works!

```
### 1: Create private Jool namespace and veth pair connecting it to global netns
$ ip netns add jool
$ ip link add name to_jool type veth peer name to_world
$ ip link set up dev to_jool
$ ip link set dev to_world netns jool
$ ip netns exec jool ip link set up dev to_world

### 2: Determine link-local addresses of veth pair (used as nexthops later)
$ ip -6 address show scope link dev to_jool
4: to_jool: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::2ca5:c7ff:feb5:4f07/64 scope link
       valid_lft forever preferred_lft forever
$ ip netns exec jool ip -6 address show scope link dev to_world
3: to_world: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::e8d1:81ff:fee5:2406/64 scope link
       valid_lft forever preferred_lft forever

### 3: Set up IP addressing and routing inside Jool namespace
$ ip netns exec jool ip -6 route add default via fe80::2ca5:c7ff:feb5:4f07 dev to_world
$ ip netns exec jool ip -4 address add 192.0.0.2/29 dev to_world

### 4: Set up IP addressing and routing in global namespace
# The IPv6 CLAT address is stolen from the /64 on eth0, so we'll need proxy-nd
$ echo 1 > /proc/sys/net/ipv6/conf/eth0/proxy_ndp
$ ip -6 neigh add proxy 2a02:c0:400:104::4646 dev eth0
$ ip -6 route add 2a02:c0:400:104::4646 via fe80::e8d1:81ff:fee5:2406 dev to_jool
$ ip -4 address add 192.0.0.1/29 dev to_jool
$ ip -4 route add default via 192.0.0.2 dev to_jool
$ echo 1 | tee /proc/sys/net/ipv6/conf/*/forwarding

### 5: Fire up Jool inside network namespace
$ ip netns exec jool modprobe jool_siit
$ ip netns exec jool jool_siit --pool6 --add 2001:67c:2b0:db32:0:1::/96
$ ip netns exec jool jool_siit --eamt --add 192.0.0.1 2a02:c0:400:104::4646

### 6: Confirm that it works:
$ ping -c1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=47 time=26.5 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 26.520/26.520/26.520/0.000 ms
$ mtr -r -c 10 8.8.8.8
Start: Thu Oct  1 09:50:23 2015
HOST: kvmtest.i.bitbit.net        Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.0.2                  0.0%    10    0.1   0.2   0.1   0.4   0.0
  2.|-- 192.0.0.2                  0.0%    10    0.2   0.3   0.2   0.3   0.0
  3.|-- 192.0.0.2                  0.0%    10    0.7   0.6   0.5   1.0   0.0
  4.|-- 192.0.0.2                  0.0%    10    1.6   1.6   1.4   1.8   0.0
  5.|-- 192.0.0.2                  0.0%    10    0.8   0.7   0.6   1.0   0.0
  6.|-- 192.0.0.2                  0.0%    10    0.8   0.8   0.7   1.1   0.0
  7.|-- 192.0.0.2                  0.0%    10    7.6   7.7   7.5   7.9   0.0
  8.|-- 192.0.0.2                  0.0%    10   13.4  13.6  13.4  13.9   0.0
  9.|-- 192.0.0.2                  0.0%    10   16.9  17.0  16.8  17.7   0.0
 10.|-- 192.0.0.2                  0.0%    10   16.7  16.9  16.6  17.4   0.0
 11.|-- 192.0.0.2                  0.0%    10   16.9  16.9  16.9  17.1   0.0
 12.|-- 192.0.0.2                  0.0%    10   16.8  17.0  16.8  17.5   0.0
 13.|-- hanna.bb.trex.fi           0.0%    10   17.5  17.5  17.4  18.0   0.0
 14.|-- eunetip1.unicast.trex.fi   0.0%    10   20.6  20.6  20.4  20.9   0.0
 15.|-- 213.192.184.74             0.0%    10   26.2  26.7  26.2  27.8   0.0
 16.|-- 74.125.50.145              0.0%    10   33.2  27.3  26.0  33.2   2.2
 17.|-- 216.239.54.181             0.0%    10   26.6  26.9  26.6  27.7   0.0
 18.|-- 209.85.251.227             0.0%    10   26.6  26.6  26.4  26.9   0.0
 19.|-- google-public-dns-a.googl  0.0%    10   26.2  26.4  26.2  26.8   0.0
```
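The six manual steps above as one script, an added example that is not part of the thread or of Jool itself: it reads the veth link-local nexthops with a small parser instead of copying them from `ip` output by hand, and only performs the setup (which needs root) when invoked with `run`. The interface `eth0`, the namespace name `jool` and all addresses are assumptions copied from the comment.

```shell
#!/bin/sh
# Added example, not from the issue or Jool: scripts toreanderson's six steps.
# Interface, netns name and addresses are assumptions copied from the thread.
set -eu
NS=jool                           # namespace that hosts jool_siit
UPLINK=eth0                       # host's real IPv6 interface (assumed)
CLAT6=2a02:c0:400:104::4646       # IPv6 mapping of the host's IPv4 address
POOL6=2001:67c:2b0:db32:0:1::/96  # pool6 of the remote NAT64 (trex.fi)
HOST4=192.0.0.1                   # host end of the veth /29
JOOL4=192.0.0.2                   # Jool end of the veth /29

# Text filter: first fe80:: address in `ip -6 address show` output, prefix length removed.
parse_link_local() {
    awk '$1 == "inet6" && $2 ~ /^fe80:/ { sub(/\/.*/, "", $2); print $2; exit }'
}

# Link-local address of interface $2 inside netns $1 ("" = global namespace).
link_local() {
    if [ -n "$1" ]; then ip netns exec "$1" ip -6 address show scope link dev "$2"
    else ip -6 address show scope link dev "$2"; fi | parse_link_local
}

setup_hbet() {
    # 1: private namespace and the veth pair that joins it to the global netns
    ip netns add "$NS"
    ip link add name to_jool type veth peer name to_world
    ip link set up dev to_jool
    ip link set dev to_world netns "$NS"
    ip netns exec "$NS" ip link set up dev to_world
    # 2: nexthops, read from the interfaces instead of copied by hand
    ll_host=$(link_local "" to_jool)
    ll_jool=$(link_local "$NS" to_world)
    # 3: addressing and default route inside the Jool namespace
    ip netns exec "$NS" ip -6 route add default via "$ll_host" dev to_world
    ip netns exec "$NS" ip -4 address add "$JOOL4/29" dev to_world
    # 4: global namespace: proxy-ND for the borrowed CLAT address, IPv4 default via Jool
    echo 1 > "/proc/sys/net/ipv6/conf/$UPLINK/proxy_ndp"
    ip -6 neigh add proxy "$CLAT6" dev "$UPLINK"
    ip -6 route add "$CLAT6" via "$ll_jool" dev to_jool
    ip -4 address add "$HOST4/29" dev to_jool
    ip -4 route add default via "$JOOL4" dev to_jool
    for f in /proc/sys/net/ipv6/conf/*/forwarding; do echo 1 > "$f"; done
    # 5: SIIT Jool: pool6 of the remote NAT64 plus an EAMT entry for the host itself
    ip netns exec "$NS" modprobe jool_siit
    ip netns exec "$NS" jool_siit --pool6 --add "$POOL6"
    ip netns exec "$NS" jool_siit --eamt --add "$HOST4" "$CLAT6"
    # 6: an IPv4 ping now leaves the host as IPv6 via the NAT64
    ping -c1 8.8.8.8
}
# Needs root, so only run when asked; the file can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then setup_hbet; fi
```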

toreanderson commented Oct 1, 2015

This functionality can also be used to make the same node run both SIIT Jool and NAT64 Jool (in their own namespaces). However, one thing that's missing is multiple instances of the same Jool flavour, for example:

```
$ ip netns add jool1
$ ip netns exec jool1 insmod /lib/modules/3.13.0-63-generic/updates/dkms/jool.ko
$ ip netns add jool2
$ ip netns exec jool2 insmod /lib/modules/3.13.0-63-generic/updates/dkms/jool.ko
insmod: ERROR: could not insert module /lib/modules/3.13.0-63-generic/updates/dkms/jool.ko: File exists
$ ip netns exec jool2 jool
Could not send the request to Jool (is it really up?).
Netlink error message: Unspecific failure (Code -1)
```

Being able to do this would have been truly wonderful - and perfect for integration of SIIT-DC into OpenStack Neutron. If in addition it would be possible to run NAT64 and SIIT Jool simultaneously, inside the same network namespace, then you have achieved perfection. :-)

ydahhrk commented Oct 1, 2015

> I just tested this by setting up local CLAT termination to trex.fi's public NAT64 instance. It works!

W00t!

ydahhrk commented Nov 10, 2015

OK, Node-Based Translation is possible now.

I'm going to branch the multiple Jools problem into a new issue, so I pruned a bunch of text off my previous comment.
