Figure 1: Large Scale NAT Architecture

This architecture is named NAT444 because there are two stages of address translation. From the deployment point of view, it is attractive because it does not change the CPE NATs: a CPE NAT does not care whether its outside address is public or private. The NAT444 concept is simple, but it also has some drawbacks:

1. The first is scalability of the LSN, as it has to manage a large number of CPE NATs, each hiding an increasing number of connected devices and each able to open several applications at the same time. Moreover, this equipment represents a single point of failure for the network architecture, so High Availability features are required to maintain NAT sessions in case of a failure.

2. There are also some possible overlaps between the addresses used in the customers' networks and the private addresses used by the service provider.

3. Finally, when traffic flows between two CPEs connected to the same LSN, filtering policies in firewalls and router ACLs often block packets from outside the network that have private source addresses. As a consequence, these flows must go through the LSN to have their private address translated to a public address and then translated again through the LSN to go back to their destination. This imposes a significant additional processing load on the LSN. Hairpinning techniques have been proposed to solve this issue.
The main requirements for an LSN can be summarized as follows:

- Support the behavioral requirements described in RFC 4787 (UDP), RFC 5382 (TCP) and RFC 5508 (ICMP)
- Provide fairness by limiting the number of sessions per CPE
- Provide tracking by logging address and port assignment, and by logging CPE assignment and departure
- Be able to assign a single public IP address and port range to each CPE
- Control the number of TCP sessions per second as well as the total number of sessions
- Provide reserved ports for always-on services
- Preserve port parity
- Support full cone and hairpin modes
- Provide High Availability capabilities
- Limit power consumption, since the LSN is additional equipment in the network
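As an added illustration of the per-CPE requirements above (a single public IP and port range per CPE, session and rate limits, port parity, assignment and departure logging) together with the hairpin case described under the NAT444 drawbacks, here is a small Python model of an LSN mapping table. It is example code written for this page, not 6WINDGate's implementation, and all addresses, block sizes and limits are constructed sample values.

```python
from collections import defaultdict

PUBLIC_IP = "203.0.113.10"   # constructed sample values (RFC 5737 address)
FIRST_PORT = 1024            # lower ports stay reserved for always-on services
BLOCK_SIZE = 64              # contiguous public ports per CPE
MAX_SESSIONS_PER_CPE = 32    # fairness: sessions one CPE may hold at once
MAX_NEW_PER_SECOND = 8       # fairness: session establishment rate per CPE


class LSN:
    def __init__(self):
        self.blocks = {}               # cpe_ip -> first public port of its range
        self.sessions = {}             # (cpe_ip, inside_port) -> public port
        self.reverse = {}              # public port -> (cpe_ip, inside_port)
        self.rate = defaultdict(int)   # (cpe_ip, second) -> sessions opened
        self.log = []                  # tracking: assignment and departure events

    def _block(self, cpe):
        # Assign a single public IP and a fixed port range on first use
        if cpe not in self.blocks:
            start = FIRST_PORT + BLOCK_SIZE * len(self.blocks)
            self.blocks[cpe] = start
            self.log.append(f"CPE {cpe} -> {PUBLIC_IP}:{start}-{start + BLOCK_SIZE - 1}")
        return self.blocks[cpe]

    def open(self, cpe, inside_port, now):
        key = (cpe, inside_port)
        if key in self.sessions:       # full cone: one mapping per inside endpoint
            return self.sessions[key]
        held = sum(1 for c, _ in self.sessions if c == cpe)
        if held >= MAX_SESSIONS_PER_CPE or self.rate[(cpe, now)] >= MAX_NEW_PER_SECOND:
            return None
        start = self._block(cpe)
        # Port parity preservation: even inside port gets an even public port
        for port in range(start + (inside_port - start) % 2, start + BLOCK_SIZE, 2):
            if port not in self.reverse:
                self.sessions[key], self.reverse[port] = port, key
                self.rate[(cpe, now)] += 1
                self.log.append(f"open {cpe}:{inside_port} -> {PUBLIC_IP}:{port}")
                return port
        return None                    # the CPE's port range is full

    def close(self, cpe, inside_port):
        port = self.sessions.pop((cpe, inside_port), None)
        if port is not None:
            del self.reverse[port]
            self.log.append(f"close {cpe}:{inside_port} -> {PUBLIC_IP}:{port}")
        return port

    def inbound(self, dst_port):  # packet to PUBLIC_IP:dst_port; CPE-to-CPE = hairpin
        return self.reverse.get(dst_port)
```

A packet from one CPE addressed to PUBLIC_IP resolves through `inbound()` to the other CPE's inside endpoint without leaving the LSN, which is the hairpin case.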
6WINDGate Solution
Software Architecture
The 6WINDGate software architecture for LSN is described in Figure 2. It reuses the basic concepts of the 6WINDGate architecture. For more information on this, please read the 6WINDGate Architecture Overview document available for download here.
The databases for the NAT sessions are duplicated at the networking stack level and in the fast path. The networking stack's database is larger, as it has to store more information: timers, session states, etc. When an event occurs at the networking stack level, such as the addition or deletion of a NAT rule or a flush of rules, the Cache Manager listens to the netlink messages and translates them into commands for the Fast Path Manager, which updates the shared memory accordingly. For High Availability purposes, a userland daemon synchronizes the tables of the Linux kernel stack (refer to the next section).
High Availability
An LSN is a single point of failure in the network architecture. It is unacceptable to interrupt a large number of sessions, as this would lead to a very long service interruption, so High Availability features are required.

A typical networking equipment architecture that provides HA capabilities is based on the N+M architecture, which brings a certain level of redundancy to the system. This architecture is based on active elements providing the expected service, plus some inactive elements that are not in operational use. The goal of the system is to replace a failing active element by an inactive one and restore the expected level of service within the shortest possible time. Several strategies can be implemented according to the requirements for service interruption. Once a failure has been detected, an inactive element is configured to replace the failing one. This means that the whole configuration has to be restored and the complete state has to be learnt from the system by the new element before it can provide the service again. Taking the LSN as an example, the NAT session configuration has to be performed on the new element and the NAT sessions that have suffered an outage have to be re-established. This can take a long time, which is not compatible with some High Availability requirements.

To avoid such long interruptions of service, a more sophisticated architecture can be implemented based on continuous synchronization. A pair of elements is used: one active and one inactive. A process is defined to maintain a coherent view of the system in both elements; it synchronizes the required information between them. In case of a failure of the active element, the inactive one already has all the information needed to provide the expected level of service again within a very short period.

Figure 3 shows how this architecture can be implemented for the LSN. Two complete instances of 6WINDGate are required. Each instance is called a blade. There is one active control plane and one inactive control plane. Both fast paths can be used. The fast path that belongs to the blade with the active control plane is called the primary fast path. The fast path that belongs to the blade with the inactive control plane is called the secondary fast path.

The active control plane maintains a complete and coherent database of established NAT sessions. It pushes session updates to the inactive control plane to ensure that it also has a complete view of the system. The inactive control plane adds or removes sessions only on request from the active control plane. This synchronization is done by the NAT synchronization daemon within 6WINDGate. The remote fast path is updated by the Cache Manager after notification of the change by the local NAT synchronization daemon (cf. Figure 2). Both fast paths are active and all exceptions are forwarded to the active control plane. The secondary fast path also informs the primary fast path about the status of NAT sessions that are reported to the active control plane.
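The continuous-synchronization scheme described above (an active control plane that pushes every session change to the inactive one, an inactive plane that changes its table only on request, and a failover that needs no relearning) as an added Python model; this is example code written for this page, not the 6WINDGate NAT synchronization daemon, and the message format, sequence numbers and the lost-message hook are assumptions made for the illustration.

```python
class ControlPlane:
    def __init__(self, name, active):
        self.name = name
        self.active = active
        self.sessions = {}      # (inside_ip, inside_port) -> public port
        self.next_seq = 0       # sequence number of the next sync message
        self.peer = None        # the other blade's control plane
        self.drop_next = 0      # constructed fault hook: lose N sync messages

    def _apply(self, op, key, port):
        if op == "add":
            self.sessions[key] = port
        else:
            self.sessions.pop(key, None)

    # Active side: the only place where sessions are created or removed
    def update(self, op, key, port=None):
        if not self.active:
            raise RuntimeError(f"{self.name}: inactive plane changes only on request")
        self._apply(op, key, port)
        msg = (self.next_seq, op, key, port)
        self.next_seq += 1
        if self.drop_next:               # message lost on the sync link
            self.drop_next -= 1
        elif self.peer is not None:
            self.peer.receive(msg)

    # Inactive side: applies the active plane's updates strictly in order
    def receive(self, msg):
        seq, op, key, port = msg
        if seq != self.next_seq:         # gap: pull the complete table again
            self.resync()
            return
        self._apply(op, key, port)
        self.next_seq = seq + 1

    def resync(self):
        self.sessions = dict(self.peer.sessions)
        self.next_seq = self.peer.next_seq

    def promote(self):
        # Failover: take over with the synchronized table, nothing to relearn
        self.active, self.peer = True, None
        return len(self.sessions)


def pair(active, standby):
    active.peer, standby.peer = standby, active
    return active, standby
```

Contrast this with the N+M scheme, where the replacement element would start from an empty table and every session would have to be re-established.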
Performance
As a first example, consider an LSN configuration using a 16-core Cavium OCTEON 5860 processor running at 700 MHz and configured with the 6WINDGate packet processing software. Two identical boards provide High Availability features. This configuration is able to:

- Manage 10 Gbps wire-speed traffic of 512-byte NATed packets using only 10 cores; the remaining cores are used for the control plane.
- Manage 18 million NAT sessions in a fully-redundant architecture; these sessions use 8 Gbytes of memory (6 for the control plane and 2 for the fast path) on each board.
- Sustain a session establishment rate of 100,000 sessions per second.

A second LSN example is based on a 6-core Intel Westmere processor running at 2.4 GHz for the control plane and a 32-core NetLogic XLR732 running at 1.2 GHz for the data plane. The system is configured with the 6WINDGate packet processing software. Two identical sets of the two boards provide High Availability features. This configuration is able to:

- Manage 10 Gbps wire-speed traffic of 512-byte NATed packets in the data plane.
- Manage 40 million NAT sessions in a fully-redundant architecture; these sessions use 24 Gbytes of memory for the control plane and 8 Gbytes for the data plane.
- Sustain a session establishment rate of 250,000 sessions per second.
Conclusion
LSN is a perfect illustration of the benefits of combining multicore processor technology with efficient packet processing software such as 6WINDGate. 6WINDGate provides a production-ready solution including full XML-based management (as well as a CLI that has not been described in this White Paper). 6WINDGate can also provide additional networking features such as VLAN to better integrate the LSN function into the ISP's complete network architecture. Its modular architecture allows further evolutions such as the DS-Lite option, which introduces IPv6 instead of using a private address space for the ISP.
About 6WIND
6WIND provides high-performance packet processing software solutions used by leading suppliers of networking equipment, telecommunications infrastructure and security. The company's 6WINDGate solution eliminates up to twelve months from clients' product development cycles, while maximizing the performance of their multi-core platforms. To ensure the availability of a complete system-level ecosystem, 6WIND partners with industry-leading suppliers of board-level products, operating systems and embedded software products worldwide. 6WIND is a privately owned company based near Paris, France, with a US subsidiary in California, a sales and support office in Asia, and an R&D center in Beijing, China. For more information, visit www.6wind.com.
For further reading, several documents are available here, including the 6WINDGate Architecture Overview. 6WINDGate supports market-leading multicore processors (Cavium, Freescale, Intel, NetLogic and Tilera) and is validated on boards (ATCA / AMC / PCIe / PCI-X boards, 1U appliance servers, mono and dual multicore appliances) from major manufacturers. Click here to review our list of partners. Click here for a list of RFCs supported by 6WINDGate. 6WINDGate presentations, performance results and evaluation software are available upon request. Click here to contact us.
Copyright 2011. All rights reserved. 6WINDGate, Powered by 6WIND, 6WIND and the 6WIND logo are registered trademarks. All other trademarks, brands and copyrights remain the property of their respective owners and are acknowledged as such. 6WIND reserves the right to change the information given within this document without prior notice. No part of this document may be reproduced in any form or for any means without prior written consent of 6WIND.