T160: nat64: prototype

[vfreex]

Use tayga to do NAT64 translation.

Example usage:

# Stateful NAT64
set interfaces nat64 nat64eth0 ipv4-address '192.168.64.1'
set interfaces nat64 nat64eth0 ipv6-address '2001:db8::1'
set interfaces nat64 nat64eth0 stateful ipv4-pool '192.168.64.0/24'
set interfaces nat64 nat64eth0 stateful prefix '2001:db8:64::/96'
commit
set protocols static route 192.168.64.0/24 interface nat64eth0
set protocols static route6 2001:db8:64::/96 interface nat64eth0
commit

ping6 2001:db8:64::8.8.8.8
PING 2001:db8:64::8.8.8.8(2001:db8:64::808:808) 56 data bytes
64 bytes from 2001:db8:64::808:808: icmp_seq=1 ttl=113 time=46.5 ms
64 bytes from 2001:db8:64::808:808: icmp_seq=2 ttl=113 time=47.1 ms
64 bytes from 2001:db8:64::808:808: icmp_seq=3 ttl=113 time=46.7 ms
64 bytes from 2001:db8:64::808:808: icmp_seq=4 ttl=113 time=47.0 ms
^C
--- 2001:db8:64::8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 8ms
rtt min/avg/max/mdev = 46.518/46.836/47.138/0.290 ms


# static 1-1 mappings
set interfaces nat64 nat64eth0 host-mapping ipv6 2001:db8:1000::100 ipv4 192.168.64.100
set interfaces nat64 nat64eth0 host-mapping ipv6 2001:db8:1000::101 ipv4 192.168.64.101

Change Summary

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe):

Related Task(s)

• https://phabricator.vyos.net/T160

Component(s) name

Proposed changes

How to test

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[vfreex]

This is just a prototype to explore how to integrate tayga into VyOS.

[c-po]

please use vyos_defined

[c-po]

Can be 2022 ;)

[c-po]

I see no use of a VRF - I guess its a copy/paste issue ...

[vfreex]

Besides VRF, I also copy-pasted other common config options like netns, mtu, mirror, redirect. I assume those options will be honored by the base class method Interface.update. However I didn't test them. If my assumption is wrong, I can remove them.

[c-po]

Well we should start low and not asume VRF works out of the box. It needs to be tested and could be added later on. In general I like the idea of a per VRF nat64 gateway - but we need to check if the daemon supports it. Please drop:

• netns
• mirror
• redirect

[vfreex]

Fixed MTU check.

[jack9603301]

Are you going to implement NAT64? This is a nice feature!

[vfreex]

@jack9603301 Hi, this is just a prototype PR to show how to implement NAT64 with tayga. I just tested the basic functionalities of NAT64 for this PR. It would be nice if someone can take over this work and get it into vyos.

Also as I posted in https://phabricator.vyos.net/T160, I know a lot of people want Jool because of its performance. However it would require a much larger effort to integrate and I am not sure how to get the firewall integrated correctly with Jool either. Another concern is that an out-of-tree kernel module could be hard to maintenance in the long term, unless it gets merged into upstream kernel.

So my take is:

• If someone can get NAT64 implemented with Jool, go for it.
• Otherwise, tayga sounds like something we can have NOW.

Another high performance option is using VPP. I don't know if vyos has a plan to integrate VPP, but I do have some thoughts and a working demo to show how to integrate it.

[c-po]

Well we should start low and not asume VRF works out of the box. It needs to be tested and could be added later on. In general I like the idea of a per VRF nat64 gateway - but we need to check if the daemon supports it. Please drop:

• netns
• mirror
• redirect

[c-po]

Please use reload-or-restart instead. Even it reload is yet not supported we should stick to a pattern if possible.

[c-po]

Please use #include <include/generic-disable-node.xml.i> instead

[c-po]

Please use #include <include/generic-description.xml.i>

[jack9603301]

@jack9603301 Hi, this is just a prototype PR to show how to implement NAT64 with tayga. I just tested the basic functionalities of NAT64 for this PR. It would be nice if someone can take over this work and get it into vyos.

Also as I posted in https://phabricator.vyos.net/T160, I know a lot of people want Jool because of its performance. However it would require a much larger effort to integrate and I am not sure how to get the firewall integrated correctly with Jool either. Another concern is that an out-of-tree kernel module could be hard to maintenance in the long term, unless it gets merged into upstream kernel.

So my take is:

* If someone can get NAT64 implemented with Jool, go for it.

* Otherwise, tayga sounds like something we can have NOW.

Another high performance option is using VPP. I don't know if vyos has a plan to integrate VPP, but I do have some thoughts and a working demo to show how to integrate it.

I think now may be an opportunity. I found the following link:

• https://packages.debian.org/stable/jool-dkms (source package)
• https://packages.debian.org/stable/jool-tools
• https://packages.debian.org/stable/unbound
• https://packages.debian.org/stable/dnsutils

Now there is no difficulty in maintaining its kernel module, it seems that debian has helped us maintain it

Maybe we need a little experimentation to make sure it works

But that means vyos needs to maintain each version of jool-dkms by itself

Also about VPP, I don't think vyos should and won't use VPP because VPP depends on DPDK

[c-po]

This is not required as the base class handles it all.

[vfreex]

Thanks for the review and suggestions. I have updated the PR to address all the issues.

@jack9603301 Re JOOL, I would like to see a prototype in a separate PR. I may have a look at it as well if I have enough time.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[sever-sever]

@vfreex could you resolve conflicts?

[vfreex]

@sever-sever This PR means to be a demo and I don't think it is going to be merged as is. I will probably won't keep this PR up to date unless I see people are agreed to implement it this way.

[dmbaturin]

TAYGA hasn't been updated since 2011 and since it's a userspace implementation, it's going to be a huge performance concern. We will look into adding nftables support to Jool instead.