AFTR setup
Francis Dupont
fdupont at isc.org
Thu Mar 15 14:20:41 UTC 2012
For the B4 setup Paul has some docs, there are some too in the AFTR
distrib with some samples in conf/b4-openwrt and conf/b4-ubuntu
(and of course the conf/testbeds).

For the SD part in SD-B4 I have only the messages (in French)
exchanged with Alain Durand. But the principle is simple:
change the script where the NAT is configured: add a --to-ports
(it is a MASQUERADE, for a SNAT it should be a --to-sources
to change) for tcp, udp and icmp with the given port range.

Now about the AFTR.

To build the binary is easy, the only issue is with RedHat/CentOS
which needs a USE_TUN_PI define (or IPv6 doesn't go through tun0).

Address setup is usually the problem: the box needs an IPv6 and
an IPv4 address for itself, the IPv6 on the interface facing CPE(s),
the IPv4 on the interface facing the Internet.

The AFTR function needs a *different* IPv6 address to be used as
its tunnel end point address, and a non-empty set of mapped addresses.
The rule is simple but often misunderstood: these addresses must
be routed (vs. assigned) through the tun0 interface. So if you
give one to the tun0 interface you are bad, if you ping the IPv6
address and it answers you are bad (there is a ticket about adding
an echo responder but not the code, BTW IMHO it is not a good idea).

For the IPv6 address side (in fact usually the problems begin there),
there are 3 cases:
- CGEs and the AFTR share a link: the AFTR box address and CGEs'
addresses are in the same /64 global prefix, it is enough to add
a route to at least the AFTR service address, via the AFTR box on CGEs,
through the tun0 interface on the AFTR (cf aftr-script)
- there is at least a router under your control in the middle: route
the AFTR service address via the AFTR box
- there is at least a router not under your control in the middle:
add a proxy NDP entry (the VM AFTR is in this case, BTW proxy ARP
is a total mess in Linux :-)

About the config, there are a lot of examples so I go to the better one,
conf/testbeds/vm/aftr-sdaftr1.conf (better == the only one for a SD-AFTR):
- there are two mandatory global tuning parameters:
* a "default pcpd stateless" saying no dynamic NAT entry will be
created and an ICMPv4 admin prohib is returned when the code
reaches the point where a dynamic NAT entry should be created.
This is needed for the port range check of a SD-AFTR on packets
from a SD-B4 to the Internet.
* a "default private" adding the global mapped address to the
address lists expected from a SD-B4.
- there are some required parameters:
* the IPv6 ACL (aftr doesn't start without it, BTW as it is a positive
list, i.e., with an implicit deny all at the end, it is really needed :-)
* the AFTR service end point address
* the IPv4 source address for generated ICMPs (note there are some silly
constraints on Linux about it, it is safe and natural to use the
mapped address here)
* a pool declaration per protocol giving the port ranges to be used
for dynamic NAT entries (which will be in fact never used so the
only constraint is to avoid conflicts).
- the reloadable parameters (reloadable means you can add / remove
some from the config file and do a reload, of course it makes
more sense with dynamic NAT entries as a reboot flushes them).
There are three possibilities:
* the algorithm is none, i.e., ports are not translated: there is
a short cut named "prr" for a+p entries (a+p doesn't work well
for C variable names, prr (for port range router) is an alias of
a+p (for address + port))
* the algorithm is direct, i.e., ports are just shifted by a
per B4 constant. No real interest...
* the algorithm is p310, an instance of the MAP / GMA algo.
There is a Python script building the needed static NAT config
named sdgen.py.

IMHO only the last algo makes sense in the real world, but it seems
it was not in the plan of SD-NAT authors to do more than none.
Anyway the VM tests were done with one SD-B4, no client, and the
none algo.

Regards

Francis Dupont <fdupont at isc.org>
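The SD-B4 NAT change described at the top of the message (a port-restricted MASQUERADE or SNAT for tcp, udp and icmp), written out as an added shell example. This is not code from the message or from the AFTR distribution; the interface name `ds0`, the address `192.0.2.1` and the port range are constructed placeholders. The functions validate the range and emit the iptables commands rather than running them, so the script can be inspected before being applied as root.

```shell
#!/bin/sh
# Added example: generate the SD-B4 NAT rules that restrict translated
# source ports (and ICMP query ids) to the port range assigned to this B4.
# Interface, address and range below are placeholders, not real values.

# check_port_range LOW-HIGH: both numeric, 1 <= LOW <= HIGH <= 65535.
check_port_range() {
    range=$1
    case "$range" in
        *-*) ;;
        *) return 1 ;;
    esac
    low=${range%-*}
    high=${range#*-}
    case "$low$high" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# sdb4_masquerade_rules WAN_IF LOW-HIGH: the MASQUERADE case from the
# message; --to-ports pins the source port range for every protocol.
sdb4_masquerade_rules() {
    wan_if=$1
    range=$2
    check_port_range "$range" || { echo "bad port range: $range" >&2; return 1; }
    for proto in tcp udp icmp; do
        echo "iptables -t nat -A POSTROUTING -o $wan_if -p $proto -j MASQUERADE --to-ports $range"
    done
}

# sdb4_snat_rules WAN_IF ADDR LOW-HIGH: the static SNAT variant, where the
# range is carried on --to-source as ADDR:LOW-HIGH.
sdb4_snat_rules() {
    wan_if=$1
    addr=$2
    range=$3
    check_port_range "$range" || { echo "bad port range: $range" >&2; return 1; }
    for proto in tcp udp icmp; do
        echo "iptables -t nat -A POSTROUTING -o $wan_if -p $proto -j SNAT --to-source $addr:$range"
    done
}

# Usage (placeholder values): review the output, then pipe it to sh as root.
# sdb4_masquerade_rules ds0 10000-10999
# sdb4_snat_rules ds0 192.0.2.1 10000-10999
```

Note that a packet whose translated port falls outside the range the SD-AFTR expects for this B4 is exactly what the "default pcpd stateless" setting on the AFTR side rejects with an ICMPv4 admin prohibited, so the range here must match the a+p / prr entry configured for the B4 on the AFTR.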