Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Stateful Connection Tracking & Stateful NAT Justin Pettit VMware Thomas Graf Noiro Networks, Cisco
Agenda ● Connection Tracking ● NAT ● Integration of other stateful services
We had a performance problem ● With some traffic patterns, performance of OVS could be quite bad ● Last week, we added ...
Implementing a Firewall ● OVS has traditionally only supported stateless matches ● As an example, currently, two ways to...
Connection Tracking ● We are adding the ability to use the conntrack module from Linux – Stateful tracking of flows – S...
Netfilter Conntrack Integration Userspace Netlink API Recirculation 1 4
Conntrack Example Conntrack example that only allows port 2 to respond to TCP traffic initiated from port 1: Match Acti...
Connection Tracking Zones
Flow Caching Works Open vSwitch Bridge 3 2.5 2 1.5 1 0.5 0 Pure Forwarding 1 FW Rule 100 FW Rules 1000 FW Rule...
Design Goals ● Performance implications must be thought through ● Thought needs to be put into API, since OVS and OpenFl...
Release Plan ● Will ship with OVS 2.4 ● Will include: – connmark – IP fragment reassembly – Hide break in pipeline fr...
Stateful NAT Overview ● SNAT and DNAT ● Based on connection tracking work ● Leverages stateful NAT mechanism of Netfilt...
Stateful NAT Flow
NAT Example SNAT all TCP packets on port 1 to the IP range 10.0.0.1/24 with reverse SNAT on port 2: Match Action in_po...
Stateful services integration: NFQUEUE action
NFQUEUE action ● Can reuse existing Netfilter queueing mechanism and libnfnetlink + libctnetlink ● Operational Modes: ...
Q&A ● More Information: – http://openvswitch.org/ ● Code: – Conntrack (WIP): ● https://github.com/justinpettit/ovs/tr...
Upcoming SlideShare
Loading in …5
×

Open vSwitch - Stateful Connection Tracking & Stateful NAT

3,469 views

Published on

Update on status of connection tracking and stateful NAT addition to the Linux kernel datapath. Followed by a discussion on the topic to collect ideas and come up with next steps.

Published in: Technology
no profile picture user

  • Be the first to comment

Show More

Open vSwitch - Stateful Connection Tracking & Stateful NAT

  1. 1. Stateful Connection Tracking & Stateful NAT Justin Pettit VMware Thomas Graf Noiro Networks, Cisco
  2. 2. Agenda ● Connection Tracking ● NAT ● Integration of other stateful services
  3. 3. We had a performance problem ● With some traffic patterns, performance of OVS could be quite bad ● Last week, we added a post to Network Heresy describing the changes we made to improve performance and the results ● Focus of past two years was on performance. Now that we feel good about the performance, we're back to looking at features ● Any addition to OVS must consider its implication on performance
  4. 4. Implementing a Firewall ● OVS has traditionally only supported stateless matches ● As an example, currently, two ways to implement a firewall in OVS – Match on TCP flags (Enforce policy on SYN, allow ACK|RST) ● Pro: Fast ● Con: Allows non-established flow through with ACK or RST set, only TCP – Use “learn” action to setup new flow in reverse direction ● Pro: More “correct” ● Con: Forces every new flow to OVS userspace, reducing flow setup by orders of magnitude – Neither approach supports “related” flows or TCP window enforcement
  5. 5. Connection Tracking ● We are adding the ability to use the conntrack module from Linux – Stateful tracking of flows – Supports ALGs to punch holes for related “data” channels ● FTP, TFTP, SIP ● Implement a distributed firewall with enforcement at the edge – Better performance – Better visibility ● Introduce new OpenFlow extensions: – Action to send to conntrack – Match fields on state of connection
  6. 6. Netfilter Conntrack Integration Userspace Netlink API Recirculation 1 4
  7. 7. Conntrack Example Conntrack example that only allows port 2 to respond to TCP traffic initiated from port 1: Match Action in_port(1),tcp,conn_state=-tracked conntrack(zone=10),normal in_port(2),tcp,conn_state=-tracked conntrack(zone=10,flags=recirc) in_port(2),tcp,conn_state=+established output:1 in_port(2),tcp,conn_state=+new drop
  8. 8. Connection Tracking Zones
  9. 9. Flow Caching Works Open vSwitch Bridge 3 2.5 2 1.5 1 0.5 0 Pure Forwarding 1 FW Rule 100 FW Rules 1000 FW Rules ● Preliminary results are quite promising – OVS+conntrack uses a nearly consistent rate regardless of number of rules – Bridge+iptables uses more CPU as rule count increases Number of gigacycles per second required to saturate a 10Gbps link with netperf TCP_STREAM. (Lower is better)
  10. 10. Design Goals ● Performance implications must be thought through ● Thought needs to be put into API, since OVS and OpenFlow have traditionally been flow-based and stateless ● While this will only be supported on Linux initially, the API shouldn’t be Linux-specific ● New stateful features being discussed and leveraging kernel: – NAT – Load-balancing through IPVS – DPI
  11. 11. Release Plan ● Will ship with OVS 2.4 ● Will include: – connmark – IP fragment reassembly – Hide break in pipeline from userspace ● Available to try now: – https://github.com/justinpettit/ovs/tree/conntrack
  12. 12. Stateful NAT Overview ● SNAT and DNAT ● Based on connection tracking work ● Leverages stateful NAT mechanism of Netfilter ● Able to do port range and address range mappings to masquerade multiple IPs ● Mapping Modes – Persistent (across reboots) – Hash based – Fully random
  13. 13. Stateful NAT Flow
  14. 14. NAT Example SNAT all TCP packets on port 1 to the IP range 10.0.0.1/24 with reverse SNAT on port 2: Match Action in_port(1),tcp conntrack(zone=10), nat(type=src, min=10.0.0.1, max=10.0.0.255, type=hash) in_port(2),tcp,conn_state=-tracked conntrack(zone=10,flags=recirc) in_port(2),tcp,conn_state=+established nat(reverse) in_port(2),tcp,conn_state=+new drop
  15. 15. Stateful services integration: NFQUEUE action
  16. 16. NFQUEUE action ● Can reuse existing Netfilter queueing mechanism and libnfnetlink + libctnetlink ● Operational Modes: 1. Steal/Drop – Async verdict via CT template 2. Reinjection – Sync verdict via NFQA_MARK ● Needed netfilter modifications: – Reinjection routine for NFPROTO_BRIDGE back into netif_rx() ● OVS modifications – New nfqueue action
  17. 17. Q&A ● More Information: – http://openvswitch.org/ ● Code: – Conntrack (WIP): ● https://github.com/justinpettit/ovs/tree/conntrack – Stateful NAT (WIP): ● https://github.com/tgraf/ovs/tree/nat

×