
6WINDGate White Paper Multicore-based Large Scale NATs

Last Update: June 2011

6WINDGate Multicore-based Large Scale NATs


White Paper

What is a Large Scale NAT?

Large Scale NATs


Although NAT (Network Address Translation) introduces complexity to IP architectures, it has been used for more than 15 years to hide large private networks behind a limited number of public IP addresses. In the long term, IPv6 will provide a quasi-unlimited address space and could lead to a flat IP architecture that would obsolete NATs. However, the introduction of IPv6 is a long process and there are some needs for ISPs to deploy large scale NAT-based architectures to manage the depletion of IP addresses. Referring to Figure 1, Large Scale NAT (LSN) extends the traditional NAT concept by adding another layer of translation at the provider edge.

Figure 1: Large Scale NAT Architecture

This architecture is named NAT444 because there are two stages of address translation. From the deployment point of view, this architecture is attractive as it does not change the CPE NATs: CPE NATs do not care whether their outside address is public or private. The NAT444 concept is simple, but it also has some drawbacks:

1. The first one is the scalability of the LSN, as it has to manage a large number of CPE NATs, each hiding an increasing number of connected devices and each one able to open several applications at the same time. Moreover, this equipment represents a single point of failure for the network architecture, so High Availability features are required to maintain NAT sessions in case of a failure.

2. There are also some possible overlaps of addresses between the customers' networks and the private addresses used by the service provider.

3. Finally, when traffic flows between two CPEs connected to the same LSN, filtering policies in firewalls and router ACLs often block packets from outside the network that have private source addresses. As a consequence, these flows must go through the LSN to have their private address translated to a public address and then be translated again through the LSN to go back to their destination. This imposes a significant additional processing load on the LSN. Hairpinning techniques have been proposed to solve this issue.

The main requirements for an LSN can be summarized as follows:

- Support the behavioral requirements described in RFC 4787 (UDP), RFC 5382 (TCP) and RFC 5508 (ICMP)
- Provide fairness by limiting the number of sessions per CPE
- Provide tracking by logging address and port assignment and by logging CPE assignment and departure
- Be able to assign a single public IP address and port range to each CPE
- Control the number of TCP sessions per second as well as the total number of sessions
- Provide reserved ports for always-on services
- Preserve port parity
- Support full cone and hairpin modes
- Provide High Availability capabilities
- Limit power consumption, since the LSN represents additional equipment in the network
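The following toy allocator, added here as an illustration and not taken from 6WINDGate, shows how several of these requirements interact on the control-plane side: each CPE receives a single public IP and a deterministic port block (which is what makes per-CPE logging useful for tracking), a few ports of each block are reserved for always-on services, the number of concurrent sessions per CPE is capped, mappings are endpoint-independent as RFC 4787 requires, and port parity is preserved. The public address, block size, reserved count and cap are constructed values.

```python
"""Toy model of per-CPE address/port assignment in an LSN (added example, not 6WINDGate code).
Constructed assumptions: one public IP, a fixed port block per CPE, a few reserved ports at
the start of each block for always-on services, and a per-CPE cap on concurrent sessions."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # RFC 5737 documentation address, constructed
BLOCK_SIZE = 64              # ports per CPE block, constructed
RESERVED = 4                 # first ports of each block kept for always-on services
SESSION_CAP = 40             # fairness: max concurrent sessions per CPE, constructed

@dataclass
class Cpe:
    base: int                                     # first port of this CPE's block
    mappings: dict = field(default_factory=dict)  # src_port -> public port (endpoint-independent)
    sessions: set = field(default_factory=set)    # (src_port, dst_ip, dst_port)

class LsnAllocator:
    def __init__(self):
        self.cpes, self.free, self.log = {}, [], []  # log = the tracking records an LSN must keep

    def attach(self, cpe_ip):
        # Assign a single public IP and a fixed port range; reuse a freed block before taking a new one
        base = self.free.pop() if self.free else 1024 + len(self.cpes) * BLOCK_SIZE
        self.cpes[cpe_ip] = Cpe(base)
        self.log.append(f"ATTACH cpe={cpe_ip} public={PUBLIC_IP} ports={base}-{base + BLOCK_SIZE - 1}")
        return base

    def detach(self, cpe_ip):
        # Log CPE departure and return its block to the free list
        self.free.append(self.cpes.pop(cpe_ip).base)
        self.log.append(f"DETACH cpe={cpe_ip}")

    def open_session(self, cpe_ip, src_port, dst_ip, dst_port):
        # Return the public port for a session, or None when policy denies it
        cpe = self.cpes[cpe_ip]
        if len(cpe.sessions) >= SESSION_CAP:
            self.log.append(f"DENY cpe={cpe_ip} reason=session-cap")
            return None
        pub = cpe.mappings.get(src_port)          # RFC 4787 endpoint-independent mapping: reuse it
        if pub is None:
            used = set(cpe.mappings.values())
            lo, hi = cpe.base + RESERVED, cpe.base + BLOCK_SIZE
            first = lo if lo % 2 == src_port % 2 else lo + 1    # preserve port parity
            pub = next((p for p in range(first, hi, 2) if p not in used), None)
            if pub is None:
                self.log.append(f"DENY cpe={cpe_ip} reason=block-exhausted")
                return None
            cpe.mappings[src_port] = pub
            self.log.append(f"MAP cpe={cpe_ip} src_port={src_port} public={PUBLIC_IP}:{pub}")
        cpe.sessions.add((src_port, dst_ip, dst_port))
        return pub
```

With these constants a block offers 30 even and 30 odd ports, so a CPE that opens many sessions from distinct source ports exhausts its block before hitting the session cap, while a CPE reusing one source port towards many destinations hits the cap first; both denials are logged.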

Large Scale NATs

Packet Processing Requirements


Multicore processor technology is a very good candidate for LSN as it addresses its two major requirements: high packet processing capabilities and limited power consumption. Multicore technology is inherently scalable, and an architecture based on two multicore boards is very convenient for providing redundancy. A multicore processor has to be equipped with high-performance packet processing software able to sustain the large number of sessions behind an LSN as well as a large amount of aggregated traffic. Due to Non Stop Forwarding (NSF) constraints, it also has to provide the necessary High Availability synchronization mechanisms to maintain a coherent view of the system (established NAT sessions) between several instances of packet processing software running on different multicore processors.


6WINDGate Solution

Software Architecture
The 6WINDGate software architecture for LSN is described in Figure 2. It reuses the basic concepts of the 6WINDGate architecture. For more information on these, please read the 6WINDGate Architecture Overview document, available for download from 6WIND.

Figure 2: LSN Software Architecture


The NAT function is split into two parts. The fast path is only able to manage established NAT sessions, and all the information it needs is available in the shared memory. When a session is not established, the first packets of a NAT session are processed as exceptions and are forwarded to the networking stack. The session is established if it matches the defined NAT rules and if the LSN accepts it according to the policy defined for the CPE (limitation of sessions per CPE, etc.). The fast path has to keep the networking stack informed about the status of the sessions, as the networking stack does not see the traffic any more once the session is established; that's the role of the periodic refresh notification function.


The databases for the NAT sessions are duplicated at the networking stack level and in the fast path. The networking stack's database is larger as it has to store more information: timers, session states, etc. When an event occurs at the networking stack level, such as the addition or deletion of a NAT rule or a flush of rules, the Cache Manager listens to the netlink messages and translates them into commands for the Fast Path Manager, which updates the shared memory accordingly. For High Availability purposes, a userland daemon synchronizes the tables of the Linux kernel stack (refer to the next section).
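The split between the fast path and the networking stack described in the two paragraphs above, as an added example that is not 6WINDGate code: the fast path only consults the shared session table, a miss becomes an exception handed to the stack, the stack applies the NAT rule and the per-CPE policy before installing the session in shared memory, and a periodic refresh reports which sessions carried traffic so the stack's timers only expire sessions that really went idle. The public address, inside prefix, per-CPE cap and timeout are constructed values.

```python
"""Toy model of the fast path / networking stack split (added example, not 6WINDGate code).
Constructed assumptions: one public IP, one NAT rule (an inside prefix), a per-CPE session
cap and an idle timeout; the CPE is identified by the source address the LSN sees."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.10"          # RFC 5737 documentation address
INSIDE = ip_network("10.0.0.0/8")   # NAT rule: only translate sources in this prefix
CPE_LIMIT = 2                       # per-CPE concurrent session cap
TIMEOUT = 300                       # stack-side idle timeout in seconds

class FastPath:
    def __init__(self, shm, stack):
        self.shm, self.stack = shm, stack   # shm: flow -> [public_port, hits_since_refresh]

    def process(self, flow, now):
        entry = self.shm.get(flow)
        if entry is None:                    # not established: raise an exception to the stack
            return self.stack.exception(flow, now)
        entry[1] += 1                        # remember traffic for the next refresh
        return ("fwd", (PUBLIC_IP, entry[0], flow[2], flow[3]))

    def refresh(self, now):
        # Periodic refresh notification: report sessions that carried traffic since the last one
        for flow, entry in self.shm.items():
            if entry[1]:
                self.stack.last_seen[flow] = now
                entry[1] = 0

class NetworkingStack:
    def __init__(self, shm):
        self.shm, self.last_seen, self.next_port = shm, {}, 1024
        self.per_cpe = defaultdict(int)

    def exception(self, flow, now):
        if ip_address(flow[0]) not in INSIDE:
            return ("drop", "no NAT rule")
        if self.per_cpe[flow[0]] >= CPE_LIMIT:
            return ("drop", "CPE session limit")
        self.per_cpe[flow[0]] += 1
        pub, self.next_port = self.next_port, self.next_port + 1
        self.shm[flow] = [pub, 0]            # install the established session in shared memory
        self.last_seen[flow] = now
        return ("established", pub)

    def expire(self, now):
        # Stack-side timers: tear down sessions idle longer than TIMEOUT in both databases
        dead = [f for f, t in self.last_seen.items() if now - t > TIMEOUT]
        for f in dead:
            del self.shm[f]
            del self.last_seen[f]
            self.per_cpe[f[0]] -= 1
        return dead
```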

6WINDGate Solution

High Availability
An LSN is a single point of failure in the network architecture. It is unacceptable to interrupt a large number of sessions as this would lead to a very long service interruption, so High Availability features are required.

A typical networking equipment architecture that provides HA capabilities is based on the N+M architecture, which brings a certain level of redundancy to the system. This architecture is based on active elements providing the expected service, plus some inactive elements that are not in operational use. The goal of the system is to replace a failing active element by an inactive one to restore the expected level of service within the shortest period of time. Several strategies can be implemented according to the requirements for service interruption. Once a failure has been detected, an inactive element is configured to replace the failing one. This means that the whole configuration has to be restored and complete information has to be learnt from the system by the new element to provide the service again. If we take LSN as an example, the configuration of the NAT sessions has to be performed on the new element and the NAT sessions that have suffered an outage have to be re-established. This could take a long time that is not compatible with some High Availability requirements.

To avoid such long interruptions of service, a more sophisticated architecture can be implemented based on continuous synchronization. A pair of elements is used: one active and one inactive. A process is defined to maintain a coherent view of the system in both elements; it synchronizes the required information between them. In case of a failure of the active element, the inactive one has all the information ready to provide the expected level of service again within a very short period.

Figure 3 shows how this architecture can be implemented for the LSN. Two complete instances of 6WINDGate are required. Each instance is called a blade. There is one active control plane and one inactive control plane. Both fast paths can be used. The fast path that belongs to the blade with the active control plane is called the primary fast path. The fast path that belongs to the blade with the inactive control plane is called the secondary fast path.


The active control plane maintains a complete and coherent database of established NAT sessions. It updates the sessions of the inactive control plane to ensure that it also has a complete view of the system. The inactive control plane adds or removes sessions only on request from the active control plane. This synchronization is done by the NAT synchronization daemon within 6WINDGate. The remote fast path is updated by the Cache Manager after notification of the change by the local NAT synchronization daemon (cf. Figure 2). Both fast paths are active and all the exceptions are forwarded to the active control plane. The secondary fast path also informs the primary fast path about the status of its NAT sessions, which is reported to the active control plane.

Figure 3: High Availability for LSN


6WINDGate Large Scale NAT Performance

Performance
As a first example, consider an LSN configuration using a 16-core Cavium OCTEON 5860 processor running at 700 MHz and configured with the 6WINDGate packet processing software. Two identical boards provide High Availability features. This configuration is able to:

- Manage 10 Gbps wire-speed traffic of 512-byte NATed packets using only 10 cores. The remaining cores are used for the control plane.
- Manage 18 million NAT sessions in a fully-redundant architecture; these sessions use 8 Gbytes of memory (6 for the control plane and 2 for the fast path) on each board.
- Sustain a session establishment rate of 100,000 sessions per second.

A second LSN example is based on a 6-core Intel Westmere processor running at 2.4 GHz for the control plane and a 32-core NetLogic XLR732 running at 1.2 GHz for the data plane. The system is configured with the 6WINDGate packet processing software. Two identical sets of the two boards provide High Availability features. This configuration is able to:

- Manage 10 Gbps wire-speed traffic of 512-byte NATed packets on the data plane.
- Manage 40 million NAT sessions in a fully-redundant architecture; these sessions use 24 Gbytes of memory for the control plane and 8 Gbytes for the data plane.
- Sustain a session establishment rate of 250,000 sessions per second.

Conclusion
LSN is a perfect illustration of the benefits of combining multicore processor technology with efficient packet processing software such as 6WINDGate. 6WINDGate provides a production-ready solution including full XML-based management (as well as a CLI that has not been described in this White Paper). 6WINDGate can also provide additional networking features such as VLAN to better integrate the LSN function into the ISP's complete network architecture. Its modular architecture allows further evolutions such as the DS-Lite option, which introduces IPv6 instead of using a private address space for the ISP.


About 6WIND

6WIND provides high-performance packet processing software solutions used by leading suppliers of networking equipment, telecommunications infrastructure and security. The company's 6WINDGate solution eliminates up to twelve months from clients' product development cycles, while maximizing the performance of their multi-core platforms. To ensure the availability of a complete system-level ecosystem, 6WIND partners with industry-leading suppliers of board-level products, operating systems and embedded software products worldwide. 6WIND is a privately owned company based near Paris, France, with a US subsidiary in California, a sales and support office in Asia, and an R&D center in Beijing, China. For more information, visit www.6wind.com.

More Information on 6WIND

For more information, visit www.6wind.com. For further reading, several documents are available from 6WIND, including the 6WINDGate Architecture Overview. 6WINDGate supports market-leading multicore processors (Cavium, Freescale, Intel, NetLogic and Tilera) and is validated on boards (ATCA / AMC / PCIe / PCI-X boards, 1U appliance servers, mono and dual multicore appliances) from major manufacturers. A list of partners and a list of the RFCs supported by 6WINDGate are also available from 6WIND. 6WINDGate presentations, performance results and evaluation software are available upon request; please contact 6WIND.

Copyright 2011. All rights reserved. 6WINDGate, Powered by 6WIND, 6WIND and the 6WIND logo are registered trademarks. All other trademarks, brands and copyrights remain the property of their respective owners and are acknowledged as such. 6WIND reserves the right to change the information given within this document without prior notice. No part of this document may be reproduced in any form or for any means without prior written consent of 6WIND.
