Re: [vpp-dev] nat with multiple in single out

2018-01-17 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

Please use "set interface nat44 in loop0 in loop1 in loop2 in loop3 out 
BondEthernet0" (you should set your one outside NAT interface only once).

Regards,
Matus

-Original Message-
From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Carlito Nueno
Sent: Wednesday, January 17, 2018 10:08 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] nat with multiple in single out

Hi,

I have 4 VLANs each with loopback interface and a tap interface. I want each of 
the tap interfaces to have access to the WAN (internet) via BondEthernet0 
interface. I am using ubuntu.

snat config:

nat44 add interface address BondEthernet0
set interface nat44 in loop0 out BondEthernet0   // gw addr 10.0.0.1 (ltap0)
set interface nat44 in loop1 out BondEthernet0   // gw 10.1.0.1 (ltap1)
set interface nat44 in loop2 out BondEthernet0   // gw 10.2.0.1 (ltap2)
set interface nat44 in loop3 out BondEthernet0   // gw 10.3.0.1 (ltap3)

I am setting route as:
sudo route add default gw 10.3.0.1 dev ltap3

I am not able to ping. (ping -I ltap3 google.com)

But when I change the order, move loop3 to second position or first position, I 
can ping via ltap3

nat44 add interface address BondEthernet0
set interface nat44 in loop0 out BondEthernet0   // gw addr 10.0.0.1 (ltap0)
set interface nat44 in loop3 out BondEthernet0   // gw 10.3.0.1 (ltap3)
set interface nat44 in loop1 out BondEthernet0   // gw 10.1.0.1 (ltap1)
set interface nat44 in loop2 out BondEthernet0   // gw 10.2.0.1 (ltap2)

I can only ping via whatever interfaces are set in first and second position.

Also when I have more than one set interface nat44, I see an error in the logs:
set interface nat44: add BondEthernet0 failed

when loop3 is in second position:

vpp# sh nat44 detail
NAT plugin mode: dynamic translations enabled
loop0 in
BondEthernet0 out
loop3 in
NAT44 pool addresses interfaces:
BondEthernet0
10.1.0.71
  tenant VRF independent
  0 busy udp ports
  0 busy tcp ports
  0 busy icmp ports
0 users, 1 outside addresses, 0 active sessions, 0 static mappings
Hash table in2out-ed
0 active elements
0 free lists
0 linear search buckets
0 cache hits, 0 cache misses
Hash table out2in-ed
0 active elements
0 free lists
0 linear search buckets
0 cache hits, 0 cache misses

Thanks
___
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev


Re: [vpp-dev] nat64 local ping problem

2018-01-11 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
It goes to ip4-lookup because it is translated from IPv6 to IPv4. There is 
currently one workaround: you need to set nat64 inside interface on loopback 
interface, add route for NAT64 prefix and use “nat64 add prefix 1:2:3::/96 
interface loop0”. We have a plan to change this behaviour.

Regards,
Matus


From: Juan Salmon [mailto:salmonju...@gmail.com]
Sent: Thursday, January 11, 2018 10:08 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] nat64 local ping problem

I run with following configuration:

set int state GigabitEthernet0/4/0 up
set int state GigabitEthernet0/5/0 up
set int ip address GigabitEthernet0/4/0 2002::2/64
set int ip address GigabitEthernet0/5/0 192.168.5.2/24
ip route add ::/0 via 2002::1
set int nat64 in GigabitEthernet0/4/0
set int nat64 out GigabitEthernet0/5/0
nat64 add prefix 1:2:3::/96
nat64 add pool address 192.168.50.1 - 192.168.50.19
trace add dpdk-input 100


When nat64 is enabled and I run ping6 2002::2%3 in the inside node, the traffic 
goes to nat64-in2out and the packets are dropped.
sample trace:


00:00:34:663182: dpdk-input
  GigabitEthernet0/4/0 rx queue 0
  buffer 0x4839: current data 14, length 104, free-list 0, clone-count 0, 
totlen-nifb 0, trace 0x4
  PKT MBUF: port 0, nb_segs 1, pkt_len 118
buf_len 2176, data_len 118, ol_flags 0x0, data_off 128, phys_addr 0x6a220e80
packet_type 0x0
  IP6: 52:54:00:93:37:e8 -> 52:54:00:94:26:53
  ICMP6: 2002::1 -> 2002::2
tos 0x00, flow label 0xead44, hop limit 64, payload length 64
  ICMP echo_request checksum 0x71c9
00:00:34:663198: ip6-input
  ICMP6: 2002::1 -> 2002::2
tos 0x00, flow label 0xead44, hop limit 64, payload length 64
  ICMP echo_request checksum 0x71c9
00:00:34:663201: nat64-in2out
  NAT64-in2out: sw_if_index 1, next index 0
00:00:34:663203: ip4-lookup
  fib 0 dpo-idx 0 flow hash: 0x
  ICMP: 192.168.50.1 -> 0.0.0.2
tos 0x00, ttl 64, length 84, checksum 0x87fe
fragment id 0x
  ICMP echo_request checksum 0x54dd
00:00:34:663203: ip4-drop
ICMP: 192.168.50.1 -> 0.0.0.2
  tos 0x00, ttl 64, length 84, checksum 0x87fe
  fragment id 0x
ICMP echo_request checksum 0x54dd
00:00:34:663204: error-drop
  ip4-input: ip4 adjacency drop


I think it should go to ip6-lookup not ip4-lookup.



Best Regards,
Juan Salmon.

On Thu, Jan 11, 2018 at 12:17 PM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Hi Juan,

What do you mean by that? Do you have packet trace?

Regards,
Matus


From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Juan Salmon
Sent: Thursday, January 11, 2018 8:45 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] nat64 local ping problem

Hi,
Does nat64 support local ping? It's failed in my test.

Best Regards,
Juan Salmon.
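
The trace above shows destination 2002::2 leaving nat64-in2out as 0.0.0.2, which is what the /96 address mapping of RFC 6052 yields: the IPv4 address is the last 32 bits of the IPv6 address. The following is an added example (not VPP code and not part of the original thread) that carries the mapping out and generalizes it to the other RFC 6052 prefix lengths; the function names are assumptions.

```python
import ipaddress

# RFC 6052 section 2.2: byte positions of the four IPv4 octets inside the
# IPv6 address for each allowed prefix length. Byte 8 (bits 64-71) is
# reserved and is skipped by every layout.
V4_OFFSETS = {
    32: (4, 5, 6, 7),
    40: (5, 6, 7, 9),
    48: (6, 7, 9, 10),
    56: (7, 9, 10, 11),
    64: (9, 10, 11, 12),
    96: (12, 13, 14, 15),
}


def embed(v4, prefix):
    """Build the IPv4-embedded IPv6 address for v4 under a NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytearray(net.network_address.packed)
    octets = ipaddress.IPv4Address(v4).packed
    for offset, octet in zip(V4_OFFSETS[net.prefixlen], octets):
        raw[offset] = octet
    return ipaddress.IPv6Address(bytes(raw))


def extract(v6, prefix_len=96):
    """Read the IPv4 octets out of an IPv6 address, ignoring the prefix bits."""
    raw = ipaddress.IPv6Address(v6).packed
    return ipaddress.IPv4Address(bytes(raw[o] for o in V4_OFFSETS[prefix_len]))


def translate_dst(v6, prefix):
    """Return (ipv4, covered): the extracted IPv4 destination and whether the
    IPv6 destination actually lies inside the configured NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    return extract(v6, net.prefixlen), ipaddress.IPv6Address(v6) in net


if __name__ == "__main__":
    # Values from the thread: interface address 2002::2, prefix 1:2:3::/96.
    v4, covered = translate_dst("2002::2", "1:2:3::/96")
    print(f"2002::2 -> {v4} (inside NAT64 prefix: {covered})")
    # Constructed sample: a destination that is inside the prefix.
    inside = embed("192.168.5.1", "1:2:3::/96")
    print(f"{inside} -> {translate_dst(str(inside), '1:2:3::/96')}")
```

The local interface address is outside 1:2:3::/96, so its low 32 bits are not an embedded IPv4 address, and the resulting 0.0.0.2 has no route in ip4-lookup.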


Re: [vpp-dev] nat64 local ping problem

2018-01-11 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi Juan,

What do you mean by that? Do you have packet trace?

Regards,
Matus


From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Juan Salmon
Sent: Thursday, January 11, 2018 8:45 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] nat64 local ping problem

Hi,
Does nat64 support local ping? It's failed in my test.

Best Regards,
Juan Salmon.

Re: [vpp-dev] problem in enabling nat44 and nat64 simultaneously

2018-01-09 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

NAT plugin currently doesn’t support same output interface for NAT44 and NAT64.

Matus


From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Juan Salmon
Sent: Tuesday, January 9, 2018 9:07 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] problem in enabling nat44 and nat64 simultaneously

Hi,
For testing nat64 and nat44 with following configuration, I have problem in 
output traffic of nat44. The output traffic goes to nat64-out2in node.
I checked the graph path, how can fix this problem? Anyway is it common to have 
nat44 and nat64 in one interface at the same time?



set interface ip address GigabitEthernet0/4/0 11.11.11.100/24
set int nat44 in GigabitEthernet0/4/0
set int nat44 out GigabitEthernet0/5/0
nat44 add address 192.168.40.20 - 192.168.40.30
set int state GigabitEthernet0/4/0 up
set int state GigabitEthernet0/5/0 up

set int ip address GigabitEthernet0/4/0 2002::2/64
set int ip address GigabitEthernet0/5/0 192.168.5.2/24
ip route add ::/0 via 2002::1
set int nat64 in GigabitEthernet0/4/0
set int nat64 out GigabitEthernet0/5/0
nat64 add prefix 1:2:3::/96
nat64 add pool address 192.168.50.1 - 192.168.50.19


Best Regards,
Juan Salmon.
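
Two constraints are stated in these threads: the reply above says the NAT plugin does not support the same output interface for NAT44 and NAT64, and the 2018-01-17 reply in "nat with multiple in single out" says the outside NAT interface should be set only once. The following is an added example (not VPP code and not part of the original posts) that checks a CLI config for both; the function and rule names are assumptions, and the sample configs are constructed from the commands quoted in the two threads.

```python
import re
from collections import defaultdict

# Constructed samples, copied from the configs quoted in the two threads.
MULTI_IN = """\
nat44 add interface address BondEthernet0
set interface nat44 in loop0 out BondEthernet0   // gw addr 10.0.0.1 (ltap0)
set interface nat44 in loop1 out BondEthernet0   // gw 10.1.0.1 (ltap1)
set interface nat44 in loop2 out BondEthernet0   // gw 10.2.0.1 (ltap2)
set interface nat44 in loop3 out BondEthernet0   // gw 10.3.0.1 (ltap3)
"""
SHARED_OUT = """\
set int nat44 in GigabitEthernet0/4/0
set int nat44 out GigabitEthernet0/5/0
nat44 add address 192.168.40.20 - 192.168.40.30
set int nat64 in GigabitEthernet0/4/0
set int nat64 out GigabitEthernet0/5/0
nat64 add prefix 1:2:3::/96
"""

# "set int[erface] nat44|nat64 <in|out ifname>...", with optional vppctl prefix.
CMD = re.compile(r"^(?:vppctl\s+)?set\s+int(?:erface)?\s+(nat44|nat64)\s+(.+)$")


def parse(config):
    """Return [(family, [(direction, ifname), ...])], one entry per command."""
    commands = []
    for raw in config.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop the trailing // notes
        match = CMD.match(line)
        if not match:
            continue
        tokens = match.group(2).split()
        pairs, i = [], 0
        while i < len(tokens) - 1:
            if tokens[i] in ("in", "out"):
                pairs.append((tokens[i], tokens[i + 1]))
                i += 2
            else:
                i += 1
        commands.append((match.group(1), pairs))
    return commands


def lint(config):
    """Return sorted findings as (rule, interface, detail) tuples."""
    out_commands = defaultdict(int)  # (family, ifname) -> commands naming it "out"
    out_families = defaultdict(set)  # ifname -> families using it as "out"
    for family, pairs in parse(config):
        for name in {n for d, n in pairs if d == "out"}:
            out_commands[(family, name)] += 1
            out_families[name].add(family)
    findings = []
    for (family, name), count in out_commands.items():
        if count > 1:
            findings.append(("outside-set-more-than-once", name,
                             f"{family} out in {count} commands"))
    for name, families in out_families.items():
        if {"nat44", "nat64"} <= families:
            findings.append(("nat44-nat64-share-outside", name,
                             "out for both nat44 and nat64"))
    return sorted(findings)


def merged_nat44(config):
    """Build one nat44 command naming every inside and outside interface once."""
    inside, outside = [], []
    for family, pairs in parse(config):
        if family != "nat44":
            continue
        for direction, name in pairs:
            bucket = inside if direction == "in" else outside
            if name not in bucket:
                bucket.append(name)
    parts = [f"in {n}" for n in inside] + [f"out {n}" for n in outside]
    return "set interface nat44 " + " ".join(parts)


if __name__ == "__main__":
    for sample in (MULTI_IN, SHARED_OUT):
        for finding in lint(sample):
            print(finding)
    print(merged_nat44(MULTI_IN))
```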

Re: [vpp-dev] The performance problem of NAT plugin

2018-01-04 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
I tested ARP with stable/1801 and it works fine
23:20:10.885539 ARP, Request who-has 3.3.3.5 tell 3.3.3.1, length 28
23:20:10.885769 ARP, Reply 3.3.3.5 is-at 08:00:27:c9:ea:36 (oui Unknown), 
length 46

Matus

From: 李洪亮 [mailto:lihongli...@360.cn]
Sent: Friday, December 22, 2017 4:36 PM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: The performance problem of NAT plugin

I find that when I use NAT, the ARP is abnormal;

AS, I use the 3.3.3.5 as the NAT pool address: nat44 add address  3.3.3.5

On target NIC(3.3.3.1), the tcpdump can capture the ARP request without reply:

23:21:57.783994 ARP, Request who-has 3.3.3.5 tell 3.3.3.1, length 28






Re: [vpp-dev] The performance problem of NAT plugin

2018-01-01 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

Could you please provide your full startup config? I will try to reproduce the 
issue and fix it.

Regards,
Matus


From: 李洪亮 [mailto:lihongli...@360.cn]
Sent: Thursday, December 28, 2017 5:09 PM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: The performance problem of NAT plugin

In my case, using 2 workers configured in startup.conf:

when using “set nat worker 0”, it works well;
when using “set nat worker 1”, the problem appeared just like when using the 
default nat workers config;





From: <lihongli...@360.cn>
Date: Sunday, December 24, 2017 10:40 PM
To: "Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)" 
<matfa...@cisco.com>
Cc: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: Re: The performance problem of NAT plugin

I found that if I use one working thread, the problem is resolved;
I think this is caused by multi-threading; the response packets pass to other 
threads;


On December 21, 2017, at 9:23 PM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Hi,

Some packets are processed in both NAT directions (in2out and out2in), so 
some packets pass the NAT plugin. Do you see some packets on the interfaces?

Matus



Re: [vpp-dev] The performance problem of NAT plugin

2017-12-21 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

Some packets are processed in both NAT directions (in2out and out2in), so 
some packets pass the NAT plugin. Do you see some packets on the interfaces?

Matus


From: 李洪亮 [mailto:lihongli...@360.cn]
Sent: Thursday, December 21, 2017 2:17 PM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: The performance problem of NAT plugin

VPP version is 17.10;  And the performance using deterministic NAT is well


The “show node counters” result:

[root@h101 hugepages]# vppctl show node counters
     Count  Node                   Reason
       134  nat44-out2in           Good out2in packets processed
        88  nat44-in2out-slowpath  Good in2out packets processed
       289  nat44-in2out           Good in2out packets processed
       108  ip4-glean              address overflow drops
      1071  ip4-glean              ARP requests sent
        31  arp-input              ARP replies sent
      4179  arp-input              ARP request IP4 source address learned
        86  nat44-out2in           Good out2in packets processed
        43  nat44-in2out-slowpath  Good in2out packets processed
       172  nat44-in2out           Good in2out packets processed
       199  ip4-glean              address overflow drops
      1110  ip4-glean              ARP requests sent
       104  nat44-out2in           Good out2in packets processed
        76  nat44-in2out-slowpath  Good in2out packets processed
       226  nat44-in2out           Good in2out packets processed
       186  ip4-glean              address overflow drops
      1126  ip4-glean              ARP requests sent
        33  nat44-in2out-slowpath  Good in2out packets processed
        33  nat44-in2out           Good in2out packets processed
       204  ip4-glean              address overflow drops
      1007  ip4-glean              ARP requests sent


[root@h101 hugepages]# vppctl show nat44 detail
NAT plugin mode: dynamic translations enabled
TenGigabitEthernet81/0/1 out
TenGigabitEthernet81/0/0 in
218.30.116.2
  tenant VRF independent
  0 busy udp ports
  239 busy tcp ports
  0 busy icmp ports
4 workers
  vpp_wk_0
  vpp_wk_1
  vpp_wk_2
  vpp_wk_3
209 users, 1 outside addresses, 240 active sessions, 0 static mappings
Hash table in2out-ed
0 active elements
0 free lists
0 linear search buckets
0 cache hits, 0 cache misses
Hash table out2in-ed
0 active elements
0 free lists
0 linear search buckets
0 cache hits, 0 cache misses
Thread 1 (vpp_wk_0 at lcore 7):
  Hash table in2out
88 active elements
1 free lists
0 linear search buckets
0 cache hits, 0 cache misses
  Hash table out2in
88 active elements
1 free lists
0 linear search buckets
0 cache hits, 0 cache misses
  158 list pool elements
  10.16.82.84: 1 dynamic translations, 0 static translations
  10.16.80.146: 2 dynamic translations, 0 static translations
  10.16.83.67: 2 dynamic translations, 0 static translations
  10.16.81.113: 2 dynamic translations, 0 static translations
  10.16.83.107: 1 dynamic translations, 0 static translations
  10.16.82.188: 1 dynamic translations, 0 static translations
  10.16.80.130: 1 dynamic translations, 0 static translations
  10.16.83.27: 1 dynamic translations, 0 static translations
  10.16.81.61: 1 dynamic translations, 0 static translations
  10.16.81.205: 1 dynamic translations, 0 static translations
  10.16.83.191: 2 dynamic translations, 0 static translations





From: "Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)" 
<matfa...@cisco.com>
Date: Thursday, December 21, 2017 1:40 PM
To: 李洪亮 <lihongli...@360.cn>
Cc: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: RE: The performance problem of NAT plugin

Hi,

What is your VPP version? From output you provided I see some NAT sessions. 
Could you please provide “show node counters” output and interface counters? I 
tested NAT plugin with 10K sessions and packet rate was over 10Mpps (2 
interfaces and 2 worker threads).

Regards,
Matus


From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of ???
Sent: Wednesday, December 20, 2017 4:33 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] The performance problem of NAT plugin

Hi All:

I want to use VPP NAT plugin as a typical SNAT .


(1.1.1.0/24)pkt_gen(2.2.2.1)|| (2.2.2.2)VPP(3.3.3.2)||(3.3.3.1)target|


the configuration of VPP is below:

v

Re: [vpp-dev] The performance problem of NAT plugin

2017-12-20 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

What is your VPP version? From output you provided I see some NAT sessions. 
Could you please provide “show node counters” output and interface counters? I 
tested NAT plugin with 10K sessions and packet rate was over 10Mpps (2 
interfaces and 2 worker threads).

Regards,
Matus


From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of ???
Sent: Wednesday, December 20, 2017 4:33 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] The performance problem of NAT plugin

Hi All:

I want to use VPP NAT plugin as a typical SNAT .


(1.1.1.0/24)pkt_gen(2.2.2.1)|| (2.2.2.2)VPP(3.3.3.2)||(3.3.3.1)target|


the configuration of VPP is below:

vppctl set interface state TenGigabitEthernet81/0/0 up
vppctl set interface state TenGigabitEthernet81/0/1 up
vppctl set interface ip addr TenGigabitEthernet81/0/0  2.2.2.2/24
vppctl set interface ip addr TenGigabitEthernet81/0/1 3.3.3.2/24
vppctl set interface nat44 in TenGigabitEthernet81/0/0 out TenGigabitEthernet81/0/1
vppctl ip route add 0.0.0.0/0 via 3.3.3.1
vppctl ip route add 1.1.1.0/24 via 2.2.2.1
vppctl nat44 add address  3.3.3.5
vppctl nat44 add address  3.3.3.4
vppctl nat44 add address  3.3.3.3


it works well when I use one test-server with IP 1.1.1.10 to ping 3.3.3.1;
[@node2 ~]$ ping 3.3.3.1
PING 3.3.3.1 (3.3.3.1) 56(84) bytes of data.
64 bytes from 3.3.3.1: icmp_seq=1 ttl=252 time=1.22 ms
64 bytes from 3.3.3.1: icmp_seq=2 ttl=252 time=0.693 ms
64 bytes from 3.3.3.1: icmp_seq=3 ttl=252 time=0.949 ms
64 bytes from 3.3.3.1: icmp_seq=4 ttl=252 time=1.46 ms
64 bytes from 3.3.3.1: icmp_seq=5 ttl=252 time=1.21 ms
64 bytes from 3.3.3.1: icmp_seq=6 ttl=252 time=0.578 ms
64 bytes from 3.3.3.1: icmp_seq=7 ttl=252 time=0.701 ms

but if use pkt_gen to generate some packet with a low rate(100pps); the NAT 
does not work, AND I even can not ping the IP on VPP interface;
the show nat44 detail result;
vpp# show nat44 detail
NAT plugin mode: dynamic translations enabled
TenGigabitEthernet81/0/0 in
TenGigabitEthernet81/0/1 out
3.3.3.5
  tenant VRF independent
  0 busy udp ports
  315 busy tcp ports
  1 busy icmp ports
3.3.3.6
  tenant VRF independent
  0 busy udp ports
  0 busy tcp ports
  0 busy icmp ports
3.3.3.7
  tenant VRF independent
  0 busy udp ports
  0 busy tcp ports
 0 busy icmp ports
3.3.3.8
  tenant VRF independent
  0 busy udp ports
  0 busy tcp ports
  0 busy icmp ports
3.3.3.9
  tenant VRF independent
  0 busy udp ports
  0 busy tcp ports
  0 busy icmp ports
4 workers
  vpp_wk_0
  vpp_wk_1
  vpp_wk_2
  vpp_wk_3
245 users, 5 outside addresses, 328 active sessions, 0 static mappings
Hash table in2out-ed
0 active elements
0 free lists
0 linear search buckets
0 cache hits, 0 cache misses
Hash table out2in-ed
0 active elements
0 free lists
0 linear search buckets
0 cache hits, 0 cache misses
Thread 1 (vpp_wk_0 at lcore 7):
  Hash table in2out
64 active elements
1 free lists
0 linear search buckets
0 cache hits, 0 cache misses
  Hash table out2in
64 active elements
1 free lists
0 linear search buckets
0 cache hits, 0 cache misses
  125 list pool elements
  1.1.1.33: 2 dynamic translations, 0 static translations
  1.1.1.29: 2 dynamic translations, 0 static translations
  1.1.1.37: 2 dynamic translations, 0 static translations
  1.1.1.57: 1 dynamic translations, 0 static translations
  1.1.1.61: 1 dynamic translations, 0 static translations
  1.1.1.65: 1 dynamic translations, 0 static translations
  1.1.1.73: 1 dynamic translations, 0 static translations
  1.1.1.77: 1 dynamic translations, 0 static translations
  1.1.1.85: 1 dynamic translations, 0 static translations
  1.1.1.41: 1 dynamic translations, 0 static translations
  1.1.1.45: 1 dynamic translations, 0 static translations
  1.1.1.49: 1 dynamic translations, 0 static translations
  1.1.1.53: 1 dynamic translations, 0 static translations
  1.1.1.69: 1 dynamic translations, 0 static translations
  1.1.1.89: 1 dynamic translations, 0 static translations
  1.1.1.81: 1 dynamic translations, 0 static translations
  1.1.1.145: 1 dynamic translations, 0 static translations
  1.1.1.161: 1 dynamic translations, 0 static translations
  1.1.1.169: 1 dynamic translations, 0 static translations
  1.1.1.157: 1 dynamic translations, 0 static translations
  1.1.1.165: 1 dynamic translations, 0 static translations
  ……


If I use the deterministic NAT, it seems working well;

I want to know what’s wrong with the dynamic NAT;




Re: [vpp-dev] IKE & IPsec configuration example

2017-11-26 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi Yang

Here is example configuration 
https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#Example_configuration_2

Regards,
Matus

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Yang, Xiaowen 1. (NSB - CN/Hangzhou)
Sent: Wednesday, November 22, 2017 10:35 AM
To: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] IKE & IPsec configuration example

Hi
VPP experts
I am trying to test VPP IPsec, but I get AUTHENTICATION_FAILED. Below is my 
configuration for VPP; can you help to check this? Any ideas what I am doing 
wrong? Thank you in advance.

set int state GigabitEthernet0/5/0 up
set int ip address GigabitEthernet0/5/0 25.12.61.7/8
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string ipsec
ikev2 profile set pr1 id local fqdn vpp.home
ikev2 profile set pr1 id remote fqdn any
ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0

below is the vpp log:
DBGvpp# 1: ikev2_process_sa_init_req:567: ispi 9c9f23a5c4509a22 rspi 0 
nextpayload 21 version 20 exchange 22 flags 8 msgid 0 length 466
1: ikev2_parse_sa_payload:364: proposal num 1 len 44 last_or_more 0 id 1 
spi_size 0 num_transforms 4
1: ikev2_parse_sa_payload:406: transform num 0 len 12 last_or_more 3 type 
encr:aes-cbc-128 id 12 attrs 800e0080
1: ikev2_parse_sa_payload:406: transform num 1 len 8 last_or_more 3 type 
integ:sha1-96 id 2
1: ikev2_parse_sa_payload:406: transform num 2 len 8 last_or_more 3 type 
prf:hmac-sha1 id 2
1: ikev2_parse_sa_payload:406: transform num 3 len 8 last_or_more 0 type 
dh-group:modp-2048 id 14
1: ikev2_parse_notify_payload:464: msg_type NAT_DETECTION_SOURCE_IP len 28 data 
8bebafe7d09c78eb028a13006911c1fa250d6ced
1: ikev2_parse_notify_payload:464: msg_type NAT_DETECTION_DESTINATION_IP len 28 
data c54d55ccc132e9b47e7b2a652ef0423314b133a6
1: ikev2_parse_notify_payload:464: msg_type IKEV2_FRAGMENTATION_SUPPORTED len 8
1: ikev2_parse_notify_payload:464: msg_type SIGNATURE_HASH_ALGORITHMS len 18 
data 00010002000300040005
1: ikev2_parse_notify_payload:464: msg_type REDIRECT_SUPPORTED len 8
1: ikev2_process_sa_init_req:625: sa state changed to IKEV2_STATE_SA_INIT
1: ikev2_select_proposal:168: bitmap is 1e mandatory is 1e optional is 1e
1: ikev2_payload_add_sa:194: proposal num 1 protocol_id 1 last_or_more 0 
spi_size 0
1: ikev2_payload_add_sa:215: transform type encr transform_id 12 last_or_more 3 
attr_size 4 attrs 800e0080
1: ikev2_payload_add_sa:215: transform type integ transform_id 2 last_or_more 3 
attr_size 0
1: ikev2_payload_add_sa:215: transform type prf transform_id 2 last_or_more 3 
attr_size 0
1: ikev2_payload_add_sa:215: transform type dh-group transform_id 14 
last_or_more 0 attr_size 0
1: ikev2_process_auth_req:830: ispi 9c9f23a5c4509a22 rspi 701e2963eaf8d4aa 
nextpayload 2e version 20 exchange 23 flags 8 msgid 1 length 220
1: ikev2_decrypt_sk_payload:732: received IKEv2 payload SK, len 188
1: ikev2_process_auth_req:888: received payload IDi, len 4 id_type 1
1: ikev2_process_auth_req:919: received payload AUTH, len 20 auth_type 2
1: ikev2_process_auth_req:867: received payload SA, len 40
1: ikev2_parse_sa_payload:364: proposal num 1 len 40 last_or_more 0 id 3 
spi_size 4 num_transforms 3
1: ikev2_parse_sa_payload:406: transform num 0 len 12 last_or_more 3 type 
encr:aes-cbc-128 id 12 attrs 800e0080
1: ikev2_parse_sa_payload:406: transform num 1 len 8 last_or_more 3 type 
integ:sha1-96 id 2
1: ikev2_parse_sa_payload:406: transform num 2 len 8 last_or_more 0 type esn:no 
id 0
1: ikev2_process_auth_req:937: received payload TSi, len 20
1: ikev2_process_auth_req:945: received payload TSr, len 20
1: ikev2_parse_notify_payload:464: msg_type EAP_ONLY_AUTHENTICATION len 8
1: ikev2_parse_notify_payload:464: msg_type IKEV2_MESSAGE_ID_SYNC_SUPPORTED len 
8
1: ikev2_sa_auth:1422: sa state changed to IKEV2_STATE_AUTH_FAILED
1: ikev2_generate_message:1726: sa state changed to 
IKEV2_STATE_NOTIFY_AND_DELETE


strongswan:
conn %default
    auto=route
    keyexchange=ikev2
    reauth=no
conn ext0~ext0
    rekeymargin=3600
    rekeyfuzz=100%
    keyexchange=ikev2
    left=25.12.61.14
    right=25.12.61.7
    leftsubnet=192.168.125.0/24
    rightsubnet=192.168.124.0/24
    authby=secret
    #leftid=25.12.61.14
    rightid=%any
    ike=aes128-sha1-modp2048!
    esp=aes128-sha1-noesn!
    type=tunnel
    ikelifetime=36000s
    keylife=36000s
    lifepackets=4294967295
    marginpackets=1073741824
    mobike=no
    auto=route
    replay_window=0
    nopmtudisc=yes

~
~

Brs,
Yang xiaowen

Re: [vpp-dev] nat44 address pool not fully used

2017-10-31 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

You need to change “translation hash buckets” in startup configuration of the 
NAT plugin https://wiki.fd.io/view/VPP/NAT#Startup_config, we added session 
number limitation to avoid running out of memory crash in runtime (maximum 
sessions = 10 x “translation hash buckets”).

Regards,
Matus


From: Yuliang Li [mailto:yuliang...@yale.edu]
Sent: Monday, October 30, 2017 8:21 PM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] nat44 address pool not fully used

Here are the results:
     Count  Node                   Reason
     10240  nat44-in2out-slowpath  Good in2out packets processed
   7847236  nat44-in2out-slowpath  Maximum sessions exceeded
  23864696  nat44-in2out           Good in2out packets processed
     10240  nat44-in2out-slowpath  Good in2out packets processed
   7846673  nat44-in2out-slowpath  Maximum sessions exceeded
  23864371  nat44-in2out           Good in2out packets processed

It seems the number of maximum sessions limits. I just updated from an older 
version to the latest by pulling from https://gerrit.fd.io/r/vpp 3 days ago. I 
did not change the configuration file that I used before. Is there any default 
parameter value change?

On Mon, Oct 30, 2017 at 1:29 AM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Hi,

Are you on latest?
Could you please provide “show node counters” output.

Regards,
Matus


From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Yuliang Li
Sent: Saturday, October 28, 2017 8:48 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] nat44 address pool not fully used

Hi,

I use "nat44 add addr 10.1.1.2-10.1.1.254", in the hope that in2out traffic can 
use any of the source IP in the range.

However, when I generate in2out traffic composing 65536 different internal 
source IP (with the same source port), only 10.1.1.2 is used for external 
source IP, and allocated 20162 port number. That means only 20162 internal IP 
get translated, while the rest are dropped. I am wondering why it does not 
allocate other addresses in the pool (e.g., 10.1.1.3)?

Here are the output of show nat44 detail:
10.1.1.2
  tenant VRF independent
  0 busy udp ports
  20162 busy tcp ports
  0 busy icmp ports
10.1.1.3
  tenant VRF independent
  0 busy udp ports
  0 busy tcp ports
  0 busy icmp ports
 (all following shows 0 busy ports).

Thanks,
--
Yuliang Li
PhD student
Department of Computer Science
Yale University



--
Yuliang Li
PhD student
Department of Computer Science
Yale University

Re: [vpp-dev] nat44 address pool not fully used

2017-10-29 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

Are you on latest?
Could you please provide “show node counters” output.

Regards,
Matus


From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Yuliang Li
Sent: Saturday, October 28, 2017 8:48 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] nat44 address pool not fully used

Hi,

I use "nat44 add addr 10.1.1.2-10.1.1.254", in the hope that in2out traffic can 
use any of the source IP in the range.

However, when I generate in2out traffic composing 65536 different internal 
source IP (with the same source port), only 10.1.1.2 is used for external 
source IP, and allocated 20162 port number. That means only 20162 internal IP 
get translated, while the rest are dropped. I am wondering why it does not 
allocate other addresses in the pool (e.g., 10.1.1.3)?

Here are the output of show nat44 detail:
10.1.1.2
  tenant VRF independent
  0 busy udp ports
  20162 busy tcp ports
  0 busy icmp ports
10.1.1.3
  tenant VRF independent
  0 busy udp ports
  0 busy tcp ports
  0 busy icmp ports
 (all following shows 0 busy ports).

Thanks,
--
Yuliang Li
PhD student
Department of Computer Science
Yale University

Re: [vpp-dev] syslog in snat

2017-10-12 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Syslog in NAT plugin is not a part of 17.10 release.

Matus


From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Matt Paska
Sent: Friday, October 13, 2017 2:48 AM
To: Ole Troan <otr...@employees.org>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] syslog in snat

Hi all,

Is Syslog in SNAT planned for the upcoming 17.10 release?

Thanks!

On Thu, Jun 22, 2017 at 6:48 PM, Matt Paska <mattjpa...@gmail.com> wrote:
We just don't have ipfix collectors setup right now. We have a system for 
syslog and I was hoping to integrate vpp snat into that as well.

Thanks for the quick response.

On Thu, Jun 22, 2017 at 2:50 PM, Ole Troan <otr...@employees.org> wrote:
Tell me more.

Ole

On 22 Jun 2017, at 23:37, Matt Paska <mattjpa...@gmail.com> wrote:
Yes, we do need it. What's the current plan?

On Thu, Jun 22, 2017 at 1:05 PM, Ole Troan <otr...@employees.org> wrote:
Matt,

It will not have it for 17.07.
We have ipfix support now as well as deterministic.

Do you need it?

Cheers
Ole

On 22 Jun 2017, at 21:33, Matt Paska <mattjpa...@gmail.com> wrote:
Hi,

Is Snat syslog based logging support still planned for 17.07? I see it 
mentioned on the release plan 
wiki(https://wiki.fd.io/view/Projects/vpp/Release_Plans/Release_Plan_17.07) but 
not on the snat work list(https://wiki.fd.io/view/VPP/SNAT).

Thanks

On Tue, May 23, 2017 at 10:45 PM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Hi,

Snat plugin doesn’t support syslog logging; it currently supports only IPFIX.

Regards,
Matus

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Matt Paska
Sent: Tuesday, May 23, 2017 8:23 PM
To: vpp-dev@lists.fd.io; Jim Thompson <j...@netgate.com>
Cc: Andrew Taylor <andrew2016tay...@gmail.com>
Subject: Re: [vpp-dev] syslog in snat

Is there further info/docs on using syslog for snat on the wiki? I searched 
through but couldn't find anything.

Thanks.

On Sat, May 13, 2017 at 10:32 PM, Jim Thompson <j...@netgate.com> wrote:

On May 13, 2017, at 11:58 PM, Andrew Taylor <andrew2016tay...@gmail.com> wrote:

Hi,
Could you please explain what is "Syslog based SNAT login" in Release Plan 17.07

Added here, so you could ask
https://wiki.fd.io/index.php?title=Projects%2Fvpp%2FRelease_Plans%2FRelease_Plan_17.07<https://wiki.fd.io/index.php?title=Projects/vpp/Release_Plans/Release_Plan_17.07>iff=5072=5071<https://wiki.fd.io/index.php?title=Projects/vpp/Release_Plans/Release_Plan_17.07=5072=5071>


Is it an alternative option for logging session like IPFIX ?

I suspect this was intended to be “syslog-based SNAT logging”, and that only 
the final ‘g’ is missing.




Re: [vpp-dev] Invalid NAT addresses with 17.10rc

2017-10-03 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

17.10 has new CLI syntax after plugin was renamed 
https://wiki.fd.io/view/VPP/NAT#CLI

From your show command output I see same external address for both ICMP 
translations (172.56.0.2)

Regards,
Matus


-Original Message-
From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Fabien THOMAS
Sent: Tuesday, October 3, 2017 10:30 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] Invalid NAT addresses with 17.10rc

Hi,

I’ve the following configuration in 17.07 which works correctly:

eth1:
172.56.0.2

…
snat add static mapping local 172.56.0.2 external 172.56.0.2
snat add interface address host-eth1
set interface snat in gre0 out host-eth1
…

In 17.10rc (from today) ICMP seems broken as packets are translated with random 
addresses (TCP/UDP works):

ping 8.8.8.8 :

15.113.89.211: 1 dynamic translations, 0 static translations
  i2o 15.113.89.211 proto icmp port 12851 fib 0
  o2i 172.56.0.2 proto icmp port 32376 fib 0
  external host 68.231.0.11
  last heard 17.55
  total pkts 2, total bytes 168
  dynamic translation

15.114.89.211: 1 dynamic translations, 0 static translations
  i2o 15.114.89.211 proto icmp port 12851 fib 0
  o2i 172.56.0.2 proto icmp port 51383 fib 0
  external host 68.232.0.11
  last heard 18.55
  total pkts 2, total bytes 168
  dynamic translation

Is it a known issue ?

Fabien

Re: [vpp-dev] snat and fragmented packet

2017-09-03 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

NAT plugin currently doesn't support fragmented packet translation, but it is 
currently under development (https://gerrit.fd.io/r/#/c/8056/).

Regards,
Matus


From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of yug...@telincn.com
Sent: Monday, September 4, 2017 2:49 AM
To: vpp-dev 
Subject: [vpp-dev] snat and fragmented packet

Hi all,
Does node snat support fragmented packet? My vpp version is 17.07.

Regards,
Ewan

yug...@telincn.com

Re: [vpp-dev] VPP S-NAT rename

2017-08-23 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
I’ve fixed link in jira.

Matus

From: Jim Thompson [mailto:j...@netgate.com]
Sent: Wednesday, August 23, 2017 11:40 PM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] VPP S-NAT rename


there is also some impact in jira
https://jira.fd.io/browse/VPP-441
https://jira.fd.io/browse/VPP-707

I don't think I have access to that level, or I'd attempt to fix it.

Jim


On Wed, Aug 23, 2017 at 9:02 AM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Hi,

I’ve updated NAT plugin wiki page https://wiki.fd.io/view/VPP/NAT after 
renaming.

Regards,
Matus


From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Ed Warnicke
Sent: Monday, August 21, 2017 6:03 PM
To: Marek Gradzki -X (mgradzki - PANTHEON TECHNOLOGIES at Cisco) 
<mgrad...@cisco.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] VPP S-NAT rename

Overall, I think the rename is a good idea.  The Linux guys are used to 
thinking of SNAT as source NAT and DNAT as destination NAT.

Ed

On Mon, Aug 21, 2017 at 12:53 AM, Marek Gradzki -X (mgradzki - PANTHEON 
TECHNOLOGIES at Cisco) <mgrad...@cisco.com> wrote:
Hi,

Hc2vpp uses SNAT API. The rename you suggest is very simple (I guess 
snat->nat44),
so we will not mind if there will be no parallel API.

Regards,
Marek

-Original Message-
From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Ole Troan
Sent: 21 August 2017 09:40
To: vpp-dev <vpp-dev@lists.fd.io>
Subject: [vpp-dev] VPP S-NAT rename

Hi,

The 'S' in VPP's S-NAT plugin name has often been confused with Linux' "Source 
NAT". The 'S' originally stood for "Simple", implying that it was a less 
complex implementation of NAT than the previous VCGN implementation.

Because of this confusion (and possibly valid arguments that it isn't so simple 
anymore) we'd like to rename it.
The feature supports all flavours of NAT44 and NAT64.

The suggested new name is simply NAT. I.e. "VPP NAT".

The proposal is to change the name in the wiki, documentation, folder/files and 
CLI.
I am unsure if it is possible to change the API at this point. We might have to 
put in the new message names and allow those to live in parallel with the old 
ones for a release or two. Does anyone use the SNAT API?

Opinions?

Best regards,
Ole

Re: [vpp-dev] VPP S-NAT rename

2017-08-23 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

I’ve updated NAT plugin wiki page https://wiki.fd.io/view/VPP/NAT after 
renaming.

Regards,
Matus


From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Ed Warnicke
Sent: Monday, August 21, 2017 6:03 PM
To: Marek Gradzki -X (mgradzki - PANTHEON TECHNOLOGIES at Cisco) 

Cc: vpp-dev 
Subject: Re: [vpp-dev] VPP S-NAT rename

Overall, I think the rename is a good idea.  The Linux guys are used to 
thinking of SNAT as source NAT and DNAT as destination NAT.

Ed

On Mon, Aug 21, 2017 at 12:53 AM, Marek Gradzki -X (mgradzki - PANTHEON 
TECHNOLOGIES at Cisco) wrote:
Hi,

Hc2vpp uses SNAT API. The rename you suggest is very simple (I guess 
snat->nat44),
so we will not mind if there will be no parallel API.

Regards,
Marek

-Original Message-
From: vpp-dev-boun...@lists.fd.io 
[mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Ole Troan
Sent: 21 August 2017 09:40
To: vpp-dev
Subject: [vpp-dev] VPP S-NAT rename

Hi,

The 'S' in VPP's S-NAT plugin name has often been confused with Linux' "Source 
NAT". The 'S' originally stood for "Simple", implying that it was a less 
complex implementation of NAT than the previous VCGN implementation.

Because of this confusion (and possibly valid arguments that it isn't so simple 
anymore) we'd like to rename it.
The feature supports all flavours of NAT44 and NAT64.

The suggested new name is simply NAT. I.e. "VPP NAT".

The proposal is to change the name in the wiki, documentation, folder/files and 
CLI.
I am unsure if it is possible to change the API at this point. We might have to 
put in the new message names and allow those to live in parallel with the old 
ones for a release or two. Does anyone use the SNAT API?

Opinions?

Best regards,
Ole

Re: [vpp-dev] Workers for SNAT may compete for the same outside address and port?

2017-08-03 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
https://gerrit.fd.io/r/#/c/7893/

Regards,
Matus


From: yug...@telincn.com [mailto:yug...@telincn.com]
Sent: Thursday, August 3, 2017 1:27 PM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>; chupenghong <javin...@163.com>; vpp-dev 
<vpp-dev@lists.fd.io>
Subject: Re: Re: [vpp-dev] Workers for SNAT may compete for the same outside 
address and port?

Hi,
Please let us know about it then, thanks.

Regards,
Ewan


yug...@telincn.com

From: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
Date: 2017-08-03 13:32
To: chupenghong <javin...@163.com>; vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] Workers for SNAT may compete for the same outside 
address and port?
Hi,

You are right, there is a chance to allocate same outside address and port pair 
for different users. I will fix it (assign a block of port numbers to each 
worker).

Regards,
Matus


From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of chupenghong
Sent: Wednesday, August 2, 2017 5:15 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] Workers for SNAT may compete for the same outside address 
and port?

Hi all,
I read the SNAT plugin code and found that 2 or more worker threads may 
call the function "snat_alloc_outside_address_and_port" to allocate outside 
address and port at the same time. Because the address and port are allocated 
from global variable snat_main.addresses, there is a chance to allocate the 
same outside address and port for different users. It would be not good for 
SNAT.
I'm not sure I understand the code exactly. Please help me to check out 
it. Thanks!!

Regards
chu.penghong







Re: [vpp-dev] Workers for SNAT may compete for the same outside address and port?

2017-08-02 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

You are right, there is a chance to allocate same outside address and port pair 
for different users. I will fix it (assign a block of port numbers to each 
worker).

Regards,
Matus


From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of chupenghong
Sent: Wednesday, August 2, 2017 5:15 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] Workers for SNAT may compete for the same outside address 
and port?

Hi all,
I read the SNAT plugin code and found that 2 or more worker threads may 
call the function "snat_alloc_outside_address_and_port" to allocate outside 
address and port at the same time. Because the address and port are allocated 
from global variable snat_main.addresses, there is a chance to allocate the 
same outside address and port for different users. It would be not good for 
SNAT.
I'm not sure I understand the code exactly. Please help me to check out 
it. Thanks!!

Regards
chu.penghong







Re: [vpp-dev] stop handoff in SNAT

2017-07-20 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
right and handoff is faster than locking

Matus


From: Yuliang Li [mailto:yuliang...@yale.edu]
Sent: Friday, July 21, 2017 12:48 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] stop handoff in SNAT

I think I get the reason. If the flow space split is dynamic, each thread has 
to propagate the state across all threads when new flows come, which requires 
locking. Using static flow space split can avoid this, at the cost of handoff 
for both directions.

On Thu, Jul 20, 2017 at 9:44 AM, Yuliang Li <yuliang...@yale.edu> wrote:
Thanks. That's a good point. But can I just use handoff on out2in? Because the 
in2out traffic is already split by RSS.

On Wed, Jul 19, 2017 at 10:15 PM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Hi,

You need handoff when running multithread because traffic for specific inside 
network user must be processed always on same thread in both directions.

Regards,
Matus

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Yuliang Li
Sent: Thursday, July 20, 2017 5:58 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] stop handoff in SNAT

Hi,

Is there a way to stop handoff (move packet from one thread to another) in 
SNAT? I already use RSS to split packets across threads at the input, so I do 
not need it to spread traffic across threads again.

Thanks,
--
Yuliang Li
PhD student
Department of Computer Science
Yale University



--
Yuliang Li
PhD student
Department of Computer Science
Yale University



--
Yuliang Li
PhD student
Department of Computer Science
Yale University

Re: [vpp-dev] stop handoff in SNAT

2017-07-19 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

You need handoff when running multithread because traffic for specific inside 
network user must be processed always on same thread in both directions.

Regards,
Matus

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Yuliang Li
Sent: Thursday, July 20, 2017 5:58 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] stop handoff in SNAT

Hi,

Is there a way to stop handoff (move packet from one thread to another) in 
SNAT? I already use RSS to split packets across threads at the input, so I do 
not need it to spread traffic across threads again.

Thanks,
--
Yuliang Li
PhD student
Department of Computer Science
Yale University
___
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
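
Added example (not part of any list message, and not VPP source): a small C model of two points from the threads above, the allocation race on a shared port pool next to the per-worker port-block fix, and why a reply has to reach the worker that owns the session. NUM_WORKERS, PORT_BASE, the hash and all function names are assumptions made for the illustration.

```c
/* Added illustration, not VPP source. Names and constants are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_WORKERS      4        /* assumed worker-thread count */
#define PORT_BASE        1024     /* assumed first port used for translations */
#define PORTS_PER_WORKER ((65536 - PORT_BASE) / NUM_WORKERS)

/* Shared pool: "find a free port" and "mark it used" are separate steps. */
static uint8_t shared_busy[65536];

static uint16_t shared_find_free(void) {
    for (uint32_t p = PORT_BASE; p < 65536; p++)
        if (!shared_busy[p]) return (uint16_t)p;
    return 0;
}

/* Deterministic model of the race: worker 1 searches before worker 0 marks. */
int shared_race_collides(void) {
    memset(shared_busy, 0, sizeof shared_busy);
    uint16_t a = shared_find_free();   /* worker 0 picks a port             */
    uint16_t b = shared_find_free();   /* worker 1 picks, sees same state   */
    shared_busy[a] = shared_busy[b] = 1;
    return a == b;                     /* 1: two users share address:port   */
}

/* Per-worker blocks: each worker owns a disjoint port range, so no lock. */
typedef struct {
    uint8_t  busy[PORTS_PER_WORKER];
    uint32_t next;                     /* where the next search starts */
    uint32_t used;
} worker_ports_t;

static worker_ports_t pool[NUM_WORKERS];

/* Returns a port from worker w's block, or 0 when the block is exhausted. */
uint16_t alloc_port(uint32_t w) {
    worker_ports_t *p = &pool[w];
    if (p->used == PORTS_PER_WORKER) return 0;
    for (uint32_t i = 0; i < PORTS_PER_WORKER; i++) {
        uint32_t slot = (p->next + i) % PORTS_PER_WORKER;
        if (p->busy[slot]) continue;
        p->busy[slot] = 1;
        p->used++;
        p->next = (slot + 1) % PORTS_PER_WORKER;
        return (uint16_t)(PORT_BASE + w * PORTS_PER_WORKER + slot);
    }
    return 0;
}

/* out2in: the destination port of a reply identifies the owning worker. */
int worker_for_outside_port(uint16_t port) {
    if (port < PORT_BASE) return -1;   /* never handed out by alloc_port */
    uint32_t w = (uint32_t)(port - PORT_BASE) / PORTS_PER_WORKER;
    return w < NUM_WORKERS ? (int)w : -1;
}

/* Release a port back to the block it came from. */
void free_port(uint16_t port) {
    int w = worker_for_outside_port(port);
    if (w < 0) return;
    uint32_t slot = (uint32_t)(port - PORT_BASE) % PORTS_PER_WORKER;
    if (pool[w].busy[slot]) { pool[w].busy[slot] = 0; pool[w].used--; }
}

/* in2out: one inside address always hashes to the same worker. */
uint32_t worker_for_inside(uint32_t inside_ip) {
    return ((inside_ip * 2654435761u) >> 16) % NUM_WORKERS;
}

/* Interleave allocations from all workers; count ports handed out twice. */
int count_collisions(uint32_t rounds) {
    static uint8_t seen[65536];
    memset(seen, 0, sizeof seen);
    memset(pool, 0, sizeof pool);      /* start from empty blocks */
    int collisions = 0;
    for (uint32_t r = 0; r < rounds; r++)
        for (uint32_t w = 0; w < NUM_WORKERS; w++) {
            uint16_t port = alloc_port(w);
            if (port == 0) continue;   /* this worker's block is full */
            if (seen[port]) collisions++;
            seen[port] = 1;
        }
    return collisions;
}

/* 1 if a reply to this inside host's translation lands on the session's worker. */
int reply_reaches_owner(uint32_t inside_ip) {
    uint32_t w = worker_for_inside(inside_ip);
    uint16_t port = alloc_port(w);
    return port != 0 && worker_for_outside_port(port) == (int)w;
}

int main(void) {
    printf("shared pool collides:  %d\n", shared_race_collides());
    printf("per-worker collisions: %d\n", count_collisions(1000));
    printf("reply reaches owner:   %d\n", reply_reaches_owner(0x0a000001u)); /* 10.0.0.1 */
    return 0;
}
```

With a static split the out2in worker is computed from the packet alone, which is why no state has to be shared or locked between threads; the cost is that each worker can only use its own share of the port range.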

Re: [vpp-dev] det nat expire

2017-06-15 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

Life time (expire time) is updated when packet is translated, session expire 
only when no packets are processed.

Regards,
Matus

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of yug...@telincn.com
Sent: Thursday, June 15, 2017 10:07 AM
To: vpp-dev 
Subject: [vpp-dev] det nat expire

Hi all,
Every nat session has its life time, if only beyond that time, it will be 
deleted.
So what if one user is downloading huge file and the downloading time is beyond 
the session life time.
I haven't seen any code on this, have I missed something?

Regards,
Ewan



yug...@telincn.com

Re: [vpp-dev] IPSEC IPV6

2017-05-26 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

IPSec AH (authentication only) is not supported.

Regards,
Matus

From: 薛欣颖 [mailto:xy...@fiberhome.com]
Sent: Friday, May 26, 2017 7:51 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>; vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: RE: [vpp-dev] IPSEC IPV6

Hi Matus,

In https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#Enable_SPD_on_an_interface I can 
only find the configuration about IPSEC ESP. What should I do to configure 
IPSec AH in tunnel or transport mode?


Thanks,
xyxue

From: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
Sent: 2017-05-22 14:17
To: 薛欣颖 <xy...@fiberhome.com>; vpp-dev <vpp-dev@lists.fd.io>
Subject: RE: RE: [vpp-dev] IPSEC IPV6
Hi,

Ipsec tunnel interface support only IPv4, IPv6 works only when you create SA 
and SPD entry and enable IPSec feature on interface 
(https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#Enable_SPD_on_an_interface). 
Supported is only AH+ESP in tunnel or transport mode.

Regards,
Matus

From: 薛欣颖 [mailto:xy...@fiberhome.com]
Sent: Monday, May 22, 2017 8:09 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>; vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: RE: [vpp-dev] IPSEC IPV6


Hi Matus,

There is only ip4 address in create_ipsec_tunnel_command_fn and 
ipsec_add_del_tunnel_args_t

  if (unformat
      (line_input, "local-ip %U", unformat_ip4_address, _ip))
    num_m_args++;
  else
    if (unformat
        (line_input, "remote-ip %U", unformat_ip4_address, _ip))
      num_m_args++;

ip4_address_t local_ip, remote_ip;

When I add ipv6 addr and input, then I configure ipsec ipv6, will IPSec IPv6 
work?



By the way, does vpp support IPSEC AH? What about IPSEC AH + ESP?



Thanks,
xyxue




From: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
Sent: 2017-05-22 12:50
To: 薛欣颖 <xy...@fiberhome.com>; vpp-dev@lists.fd.io
Subject: RE: [vpp-dev] IPSEC IPV6
Hi,

IPSec has IPv6 support, see examples here 
https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#IPSec and use IPv6 addresses instead 
of IPv4.

Regards,
Matus

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of ???
Sent: Saturday, May 20, 2017 8:05 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] IPSEC IPV6


Hi guys,

Is it possible to configure IPSEC IPV6 now? And how can I configure it?

Thanks,
xyxue

Re: [vpp-dev] syslog in snat

2017-05-23 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

Configuration looks good. Did you trigger some event (supported events 
https://wiki.fd.io/view/VPP/SNAT#NAT_IPFIX_logging)?

Regards,
Matus

From: Andrew Taylor [mailto:andrew2016tay...@gmail.com]
Sent: Wednesday, May 24, 2017 7:48 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: Matt Paska <mattjpa...@gmail.com>; vpp-dev@lists.fd.io; Jim Thompson 
<j...@netgate.com>
Subject: Re: [vpp-dev] syslog in snat

Hi,
I tested IPFIX in snat plugin, but it only creates a template packet.

my configuration is:

set ipfix exporter collector 192.168.30.231 src 192.168.30.235
snat ipfix logging src-port 2020
Thanks,

On Wed, May 24, 2017 at 10:15 AM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Hi,

Snat plugin doesn’t support syslog logging; it currently supports only IPFIX.

Regards,
Matus

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Matt Paska
Sent: Tuesday, May 23, 2017 8:23 PM
To: vpp-dev@lists.fd.io; Jim Thompson <j...@netgate.com>
Cc: Andrew Taylor <andrew2016tay...@gmail.com>
Subject: Re: [vpp-dev] syslog in snat

Is there further info/docs on using syslog for snat on the wiki? I searched 
through but couldn't find anything.

Thanks.

On Sat, May 13, 2017 at 10:32 PM, Jim Thompson <j...@netgate.com> wrote:

On May 13, 2017, at 11:58 PM, Andrew Taylor <andrew2016tay...@gmail.com> wrote:

Hi,
Could you please explain what is "Syslog based SNAT login" in Release Plan 17.07

Added here, so you could ask
https://wiki.fd.io/index.php?title=Projects%2Fvpp%2FRelease_Plans%2FRelease_Plan_17.07iff=5072=5071


Is it an alternative option for logging session like IPFIX ?

I suspect this was intended to be “syslog-based SNAT logging”, and that only 
the final ‘g’ is missing.




Re: [vpp-dev] syslog in snat

2017-05-23 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

Snat plugin doesn’t support syslog logging; it currently supports only IPFIX.

Regards,
Matus

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Matt Paska
Sent: Tuesday, May 23, 2017 8:23 PM
To: vpp-dev@lists.fd.io; Jim Thompson 
Cc: Andrew Taylor 
Subject: Re: [vpp-dev] syslog in snat

Is there further info/docs on using syslog for snat on the wiki? I searched 
through but couldn't find anything.

Thanks.

On Sat, May 13, 2017 at 10:32 PM, Jim Thompson wrote:

On May 13, 2017, at 11:58 PM, Andrew Taylor wrote:

Hi,
Could you please explain what is "Syslog based SNAT login" in Release Plan 17.07

Added here, so you could ask
https://wiki.fd.io/index.php?title=Projects%2Fvpp%2FRelease_Plans%2FRelease_Plan_17.07iff=5072=5071



Is it an alternative option for logging session like IPFIX ?

I suspect this was intended to be “syslog-based SNAT logging”, and that only 
the final ‘g’ is missing.




Re: [vpp-dev] five tuple nat

2017-05-21 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

You probably use older VPP version, ICMP support for deterministic NAT was 
added later on Apr 11 (https://gerrit.fd.io/r/#/c/6031/).

Regards,
Matus

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of yug...@telincn.com
Sent: Sunday, May 21, 2017 5:32 AM
To: otroan 
Cc: vpp-dev 
Subject: Re: [vpp-dev] five tuple nat

Hi,
There is no code to process ICMP in func "snat_det_in2out_node_fn", so it 
treats ICMP packet as UDP packet, then we get the wrong output packet.

Regards,
Ewan

yug...@telincn.com

From: otroan
Date: 2017-05-20 20:00
To: yug...@telincn.com
CC: vpp-dev
Subject: Re: [vpp-dev] five tuple nat
Hi,

> Thanks, it seems that there is no icmp procedure in det nat, why is it like 
> this?

Yes, there should be ICMP support.

E.g. through:

commit b33f413af46ec8dff7f222dbd5bc3bcec1502d3d
Author: Juraj Sloboda >
Date:   Wed Feb 8 23:54:21 2017 -0800

Add handling of ICMP error packets in SNAT (VPP-629)

Change-Id: I8d2022b7cb3ef3da736c085bccbb5b9c057a8d76
Signed-off-by: Juraj Sloboda 
>
> Regards,
> Ewan
> ewan
>
> From: otroan
> Date: 2017-04-25 16:06
> To: yugang
> CC: vpp-dev
> Subject: Re: [vpp-dev] five tuple nat
> Ewan,
>
> > Do we have any plan to support five tuple nat like linux kernel?
>
> That should already be supported in the SNAT plugin.
> https://wiki.fd.io/view/VPP/SNAT
>
> Best regards,
> Ole


Re: [vpp-dev] IPSEC IPV6

2017-05-21 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

IPSec has IPv6 support, see examples here 
https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#IPSec and use IPv6 addresses instead 
of IPv4.

Regards,
Matus

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of ???
Sent: Saturday, May 20, 2017 8:05 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] IPSEC IPV6


Hi guys,

Is it possible to configure IPSEC IPV6 now? And how can I configure it?

Thanks,
xyxue

Re: [vpp-dev] An issue about SNAT when using different in and out interfaces

2017-04-24 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

It looks like there is some bug when snat interface doesn't have address (if 
snat interfaces have address it works fine). I will fix issue.

Regards,
Matus

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Ni, Hongjun
Sent: Tuesday, April 25, 2017 6:05 AM
To: vpp-dev@lists.fd.io
Cc: nsh_sfc-...@lists.fd.io
Subject: [vpp-dev] An issue about SNAT when using different in and out 
interfaces

Hey,

When I applied SNAT in different in and out interfaces, I run into an issue:

My configuration:
set interface snat in TenGigabitEthernet5/0/0 out TenGigabitEthernet5/0/1
snat add static mapping local 192.168.50.76 external 10.10.23.45

I sent packets from TenGigabitEthernet5/0/0.
In previous code about a month ago, the packets are sent to  
TenGigabitEthernet5/0/1 as expected.

But in current 17.04 code, packets are sent to TenGigabitEthernet5/0/0, which 
is not expected.
Could you give some advice on how to fix this issue?

Below is the interface and snat detail:
DBGvpp# sh int
              Name               Idx       State          Counter          Count
TenGigabitEthernet5/0/0           1         up       rx packets                 1
                                                     rx bytes                  60
                                                     tx packets                 1
                                                     tx bytes                  60
                                                     ip4                        1
TenGigabitEthernet5/0/1           2         up
local0                            0        down
DBGvpp#
DBGvpp# sh snat detail
SNAT mode: dynamic translations enabled
TenGigabitEthernet5/0/0 in
TenGigabitEthernet5/0/1 out
0 users, 0 outside addresses, 0 active sessions, 1 static mappings
Hash table in2out
0 active elements
0 free lists
0 linear search buckets
Hash table out2in
0 active elements
0 free lists
0 linear search buckets
Hash table worker-by-in
0 active elements
0 free lists
0 linear search buckets
Hash table worker-by-out
0 active elements
0 free lists
0 linear search buckets
static mappings:
local 192.168.50.76 external 10.10.23.45 vrf 0


Below is the packet trace:

00:02:16:415613: dpdk-input
  TenGigabitEthernet5/0/0 rx queue 0
  buffer 0xbf9c22: current data 14, length 46, free-list 0, clone-count 0, 
totlen-nifb 0, trace 0x0
  PKT MBUF: port 0, nb_segs 1, pkt_len 60
buf_len 2176, data_len 60, ol_flags 0x180, data_off 128, phys_addr 
0x28e6c780
packet_type 0x0
Packet Offload Flags
  PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
  PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
  IP4: 08:00:27:61:07:05 -> 90:e2:ba:48:7a:80
  UDP: 192.168.50.76 -> 10.10.23.46
tos 0x00, ttl 64, length 46, checksum 0x6693
fragment id 0x
  UDP: 63 -> 63
length 26, checksum 0xa2be
00:02:16:415653: ip4-input-no-checksum
  UDP: 192.168.50.76 -> 10.10.23.46
tos 0x00, ttl 64, length 46, checksum 0x6693
fragment id 0x
  UDP: 63 -> 63
length 26, checksum 0xa2be
00:02:16:415668: snat-in2out
  SNAT_IN2OUT_FAST_PATH: sw_if_index 1, next index 2, session -1
00:02:16:415685: snat-in2out-slowpath
  SNAT_IN2OUT_SLOW_PATH: sw_if_index 1, next index 0, session -1
00:02:16:415695: ip4-lookup
  fib 0 dpo-idx 3 flow hash: 0x
  UDP: 192.168.50.76 -> 10.10.23.46
tos 0x00, ttl 64, length 46, checksum 0x6693
fragment id 0x
  UDP: 63 -> 63
length 26, checksum 0xa2be
00:02:16:415703: ip4-rewrite
  tx_sw_if_index 1 dpo-idx 3 : ipv4 via 10.10.23.46 TenGigabitEthernet5/0/0: 
90e2ba48234590e2ba487a800800 flow hash: 0x
  : 90e2ba48234590e2ba487a800800452e3f116793c0a8324c0a0a
  0020: 172e003f003f001aa2be000102030405060708090a0b0c0d0e0f1011
00:02:16:415709: TenGigabitEthernet5/0/0-output
  TenGigabitEthernet5/0/0
  IP4: 90:e2:ba:48:7a:80 -> 90:e2:ba:48:23:45
  UDP: 192.168.50.76 -> 10.10.23.46
tos 0x00, ttl 63, length 46, checksum 0x6793
fragment id 0x
  UDP: 63 -> 63
length 26, checksum 0xa2be
00:02:16:415718: TenGigabitEthernet5/0/0-tx
  TenGigabitEthernet5/0/0 tx queue 0
  buffer 0xbf9c22: current data 0, length 60, free-list 0, clone-count 0, 
totlen-nifb 0, trace 0x0
  IP4: 90:e2:ba:48:7a:80 -> 90:e2:ba:48:23:45
  UDP: 192.168.50.76 -> 10.10.23.46
tos 0x00, ttl 63, length 46, checksum 0x6793
fragment id 0x
  UDP: 63 -> 63
length 26, checksum 0xa2be

Thanks,
Hongjun

Re: [vpp-dev] what's wrong with my ipsec tunnel mode test?

2017-04-17 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

Probably missing following config in vpp
ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
ipsec policy add spd 1 priority 100 outbound action bypass protocol 50
If it does not help, please provide HOST A (ubuntu) config too.

Regards,
Matus

Re: [vpp-dev] api to get swIdx.

2017-04-12 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

sw_interface_dump has name filter and reply sw_interface_details contains 
sw_if_index

Matus

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Sharath
Sent: Thursday, April 13, 2017 7:15 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] api to get swIdx.

HI,

is there an api to find the swIdx of an interface given its name.

Thanks
Sharath

Re: [vpp-dev] snat -- multiple outside interfaces

2017-03-09 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

You can configure multiple outside interface with SNAT plugin feature (you can 
specify only outside interface and you can enter out/in multiple times in CLI 
command)

set interface snat out GigabitEthernet0/8/0 out GigabitEthernet0/9/0
or

set interface snat out GigabitEthernet0/8/0

set interface snat out GigabitEthernet0/9/0


Regards,
Matus

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of John Pearson
Sent: Friday, March 10, 2017 3:35 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] snat -- multiple outside interfaces

Hi, I was looking through the SNAT plugin to figure out how to configure 
multiple outside interfaces. I'd like to setup redundancy/failover so that 
there is a backup route going outside.

Searching through the docs and wiki, I see it mentioned on the SNAT 
wiki (https://wiki.fd.io/view/VPP/SNAT) work list. Does anyone have any pointers 
on its implementation?

Thanks!


Re: [vpp-dev] SNAT Future API Questions

2017-02-22 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

There is currently work on dump API  for SNAT runtime data (users and 
sessions). It will be finished in next few days.

Matus

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Jon Loeliger
Sent: Wednesday, February 22, 2017 9:42 PM
To: vpp-dev 
Subject: [vpp-dev] SNAT Future API Questions

Dudes and Dudettes,

As you may have guessed by now, I am working my way through
the SNAT Realm these days.  And now I have a question about
some possible, future API messages for obtaining some running
state information, notably for some form of "show snat" command.

In VAT's current implementation, there is an API call to obtain the
config data established from VPP's config file at startup time.
One can do a series of *_DUMP-style API calls to regurgitate the
configurations fed to SNAT.  That's all good.

However, there is no way to determine any of the runtime state.
In VAT today, there is a "show" command that inspects the internal
data structures directly; there is no API call to obtain any of that
same information.  Naturally that won't work for an external UI Agent.

So:  Is there a plan to add such API calls in the future?  Is it on
someone's plate already?   If not, would we entertain suggestions
or even patches to add that support?

Thanks,
jdl


Re: [vpp-dev] SNAT API Question

2017-02-20 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi Jon,

comments inline,


Matus

From: Jon Loeliger [mailto:j...@netgate.com]
Sent: Monday, February 20, 2017 9:14 PM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] SNAT API Question

Hi Matus,

Thanks for your answers here.

On Sat, Feb 18, 2017 at 12:36 AM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
If external_sw_if_index value is ~0 (-1) external_ip_address is used from API 
(snat.c line 363).

OK, I see that in the code, but it is nowhere described in the API itself.
That is my issue here.  Magic values like this *are* part of the API as they
will affect changes on the VPP-side of the API interface.

snat_add_address_range – add address range to SNAT address pool
snat_add_del_interface_addr – add address of the interface to SNAT address pool 
(address is added/removed automatically when interface address is changed by 
configuration or DHCP)

So one could use either or both, as they wish?
[mf:] yes you could use both

I guess I'm having a bit of hard time trying to figure out what the
canonical API call sequence would be to set up various useful
and standard NAT situations.  Yes, I've read the Wiki page; No it
isn't clear on the proper, expected sequence of the API calls.
[mf:] I can add something like this to wiki, please provide some example NAT 
situations

How do those API sequences change for the different values of the config
variables "static_mapping_only" and "static_mapping_connection_tracking"?
[mf:] in both cases only static mappings (1:1 NAT) are enabled, 
static_mapping_only does not create dynamic state data (no session data, so 
packets for a specific user can be processed on each worker thread; otherwise 
a user’s traffic is always processed by the same worker), it just translates 
packets based on configured static mappings; the second mode creates session data

And on that note -- How do you change the value of those config variables
at run time?  I know how to alter the config file and re-read them in VAT.
I'm not using VAT.  I'm writing a totally different system.  Can those values
be changed at run-time?  There is no API to do so, so at this point in time
the answer must be "no."  Is it expected that the sequence to change these
configuration values at run time is to: 1) Stop VPP, 2) write a new config file
with the new desired values, 3) restart VPP?  That seems bad to me.
[mf:] You can’t switch between SNAT modes at run-time. I think this is not 
something you need to change at runtime and at the moment there is no plan to 
do it at runtime using API.


I think 1024 is not significant, it's just a warning that you add a lot of 
addresses to SNAT address pool, it was here before I started work on SNAT 
plugin.

Well, 1024 is arbitrary.  Who is to say that I don't need 2048 and don't care
about the warning in my environment?   To be clear, I'm not blaming you (Matus),
or anyone for that matter.  I'm merely pointing out that it is an arbitrary and
undocumented limit in the current system.

Matus

Thanks,
jdl


Re: [vpp-dev] Verify job failures due to external IP address lookup

2017-01-31 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

same issue https://gerrit.fd.io/r/#/c/4966/

Regards,




Matus Fabian
Engineer - Software
matfa...@cisco.com
Cisco Systems, Inc.
Slovakia
cisco.com

This email may contain confidential and privileged material for the sole use of 
the intended recipient. Any review, use, distribution or disclosure by others 
is strictly prohibited. If you are not the intended recipient (or authorized to 
receive for the recipient), please contact the sender by reply email and delete 
all copies of this message.



From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Dave Wallace
Sent: Wednesday, February 1, 2017 4:25 AM
To: helpd...@fd.io
Cc: vpp-dev@lists.fd.io
Subject: [vpp-dev] Verify job failures due to external IP address lookup

The following verify jobs are failing for https://gerrit.fd.io/r/#/c/4897:

https://jenkins.fd.io/job/vpp-verify-master-ubuntu1604/3568
https://jenkins.fd.io/job/vpp-csit-verify-virl-master/3572

Both have the same error signature ("make install-dep" fails):

01:36:21 Err:1 http://ubuntu.mirror.vexxhost.com/ubuntu xenial-security/main amd64 libssl-dev amd64 1.0.2g-1ubuntu4.6
01:36:21   404  Not Found [IP: 162.253.53.24 80]
01:36:21 Err:2 http://ubuntu.mirror.vexxhost.com/ubuntu xenial-security/main amd64 libssl1.0.0 amd64 1.0.2g-1ubuntu4.6
01:36:21   404  Not Found [IP: 162.253.53.24 80]
01:36:21 Get:3 http://ubuntu.mirror.vexxhost.com/ubuntu xenial/universe amd64 chrpath amd64 0.16-1 [12.9 kB]
01:36:21 Get:4 http://ubuntu.mirror.vexxhost.com/ubuntu xenial/main amd64 default-jre-headless amd64 2:1.8-56ubuntu2 [4,380 B]
01:36:21 Get:5 http://ubuntu.mirror.vexxhost.com/ubuntu xenial/main amd64 default-jdk-headless amd64 2:1.8-56ubuntu2 [986 B]
01:36:21 Get:6 http://ubuntu.mirror.vexxhost.com/ubuntu xenial/main amd64 pkg-config amd64 0.29.1-0ubuntu1 [45.0 kB]
01:36:21 Fetched 63.3 kB in 0s (314 kB/s)
01:36:21 W: --force-yes is deprecated, use one of the options starting with --allow instead.
01:36:21 E: Failed to fetch http://ubuntu.mirror.vexxhost.com/ubuntu/pool/main/o/openssl/libssl-dev_1.0.2g-1ubuntu4.6_amd64.deb  404  Not Found [IP: 162.253.53.24 80]
01:36:21
01:36:21 E: Failed to fetch http://ubuntu.mirror.vexxhost.com/ubuntu/pool/main/o/openssl/libssl1.0.0_1.0.2g-1ubuntu4.6_amd64.deb  404  Not Found [IP: 162.253.53.24 80]
01:36:21
01:36:21 E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
01:36:21 Makefile:166: recipe for target 'install-dep' failed
01:36:21 make: *** [install-dep] Error 100

"make verify" works fine with this patch set on a bare-metal Ubuntu 16.10 
desktop machine in my home network.

Thanks,
-daw-

Re: [vpp-dev] SNAT Plugin Use

2017-01-25 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
You should use SNAT plugin like all other plugins. Documentation for SNAT 
plugin is here https://wiki.fd.io/view/VPP/SNAT

Regards,







From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Jon Loeliger
Sent: Wednesday, January 25, 2017 12:46 AM
To: vpp-dev 
Subject: [vpp-dev] SNAT Plugin Use

Folks,

What is the expected method to use the SNAT plugin within the
framework of the rest of a VPP system?

Specifically, what is the expected use of VL_MSG_FIRST_AVAILABLE?
It is in several (4) enum include files, and they conflict if two or more are
used in the same source file.  Here is a terse example.

Did I miss some documentation that shows how to use the SNAT plugin?
I don't think I need to use the "plugin-ness" of SNAT, as we will always
need to have it present in our app.

Thanks,
jdl


CC interface.c
In file included from interface.c:13:0:
/usr/include/vpp_plugins/snat/snat_msg_enum.h:27:5: error: redeclaration of enumerator ‘VL_MSG_FIRST_AVAILABLE’
 VL_MSG_FIRST_AVAILABLE,
 ^
In file included from interface.c:12:0:
/usr/include/vpp/api/vpe_msg_enum.h:25:3: note: previous definition of ‘VL_MSG_FIRST_AVAILABLE’ was here
   VL_MSG_FIRST_AVAILABLE,
   ^
In file included from interface.c:13:0:
/usr/include/vpp_plugins/snat/snat_msg_enum.h:28:3: error: conflicting types for ‘vl_msg_id_t’
 } vl_msg_id_t;
   ^
In file included from interface.c:12:0:
/usr/include/vpp/api/vpe_msg_enum.h:26:3: note: previous declaration of ‘vl_msg_id_t’ was here
 } vl_msg_id_t;
   ^
make: *** [interface.o] Error 1


Re: [vpp-dev] SNAT and tap for SSH problem

2017-01-24 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

please try latest VPP code, https://gerrit.fd.io/r/#/c/4751/ should fix your 
problem.

Regards,



From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Denis Lotarev via vpp-dev
Sent: Tuesday, January 24, 2017 1:02 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] SNAT and tap for SSH problem

Hi all!

I have a problem when SNAT is enabled on the VPP side.

"Machine A" 1.1.2.10/24 with default route 10.2.1.1
"VPP host" (linux machine) 1.1.1.10/24 with static route 1.1.2.0/24 via 1.1.1.1
On VPP side GigabitEthernet2/0/0 with ip 1.1.2.1/24 looking to Machine "A", 
tap-0 with ip 1.1.1.1/24 looking to "VPP host", and GigabitEthernet2/0/1.871 
with 2.2.2.2/24 looking to Internet

# cat /etc/vpp/startup.conf
unix {
  nodaemon
  log /tmp/vpp.log
  full-coredump
  cli-listen localhost:5002
  exec /etc/vpp/111
}

dpdk {
  dev :02:00.0
  dev :02:00.1
}
snat {
  translation hash buckets 20971520
  translation hash memory 1073741824
  user hash buckets 12288
  user hash memory 20971520
  max translations per user 5
}
api-trace {
  on
}

api-segment {
  gid vpp
}


# cat /etc/vpp/111
create sub-interfaces GigabitEthernet2/0/1 871
set int state GigabitEthernet2/0/1 up
set int state GigabitEthernet2/0/0 up
set int state GigabitEthernet2/0/1.871 up
set int ip address GigabitEthernet2/0/1.871 2.2.2.2/24
set int ip address GigabitEthernet2/0/0 1.1.2.1/24
set int snat out GigabitEthernet2/0/1.871
ip route add 0.0.0.0/0 via 2.2.2.1 GigabitEthernet2/0/1.871
set int snat in GigabitEthernet2/0/0 out GigabitEthernet2/0/1.871
snat add address 2.2.2.3
tap connect vppctl
set int state tap-0 up
set int ip address tap-0 1.1.1.1/24





With this configuration SNAT works very well from Machine A, but I cannot 
ping from Machine A (1.1.2.10) to VPP host (1.1.1.10).
When I delete only one rule, set int snat in GigabitEthernet2/0/0 out 
GigabitEthernet2/0/1.871, then I can ping the VPP host, but SNAT is lost.


How can I get both SNAT and SSH via the tap device working?
I can send additional information if needed.





Thank you for your help!






--
Yours sincerely,
Denis Lotarev

Re: [vpp-dev] snat multi-thread support problem

2016-12-20 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

SNAT plugin cli config (there is only snat startup config)?

Regards,



From: Juan Salmon [mailto:salmonju...@gmail.com]
Sent: Tuesday, December 20, 2016 12:46 PM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] snat multi-thread support problem

Hi,

Test Env:

I used trex as packet generator in client-server mode using two ports, sending 
delay_10_https_0.pcap with 1.5 mpps.

the vpp/snat config:

dpdk {
  socket-mem 1024
  dev default {
    num-rx-queues 2
  }
  num-mbufs 131072
  no-multi-seg
}

cpu {
  workers 2
}

heapsize 3096M

snat {
  translation hash buckets 20971520
  translation hash memory 1073741824
  user hash buckets 12288
  user hash memory 20971520
  max translations per user 10
}

And the multi-queue config:

vpp# sh dpdk interface placement
Thread 1 (vpp_wk_0 at lcore 1):
  TenGigabitEthernet5/0/0 queue 0
  TenGigabitEthernet5/0/1 queue 0
Thread 2 (vpp_wk_1 at lcore 2):
  TenGigabitEthernet5/0/0 queue 1
  TenGigabitEthernet5/0/1 queue 1


Best Regards,
Juan Salmon.

On Tue, Dec 20, 2016 at 1:27 PM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Hi,

Fix for port allocation was merged to master yesterday.
Could you please provide SNAT plugin configuration and some information about 
traffic, I didn’t see worker thread deadlock before when testing SNAT plugin.

Regards,



From: Juan Salmon [mailto:salmonju...@gmail.com]
Sent: Tuesday, December 20, 2016 8:59 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>; vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] snat multi-thread support problem

Hi,
Thanks for your response Matus.
I've changed the code as you said, but after a few minutes VPP halts
and by entering any command, the following message is returned:

vlib_worker_thread_barrier_sync: worker thread deadlock
Failed to save post-mortem API trace to /tmp/api_post_mortem.15825
Best Regards,
Juan Salmon.


Re: [vpp-dev] snat multi-thread support problem

2016-12-14 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,


You can use same configuration and snat will use all workers or you can specify 
worker by “set snat workers ” 
https://wiki.fd.io/view/VPP/SNAT#Set_S-NAT_workers_example.

Could you please provide more details?



Regards,



From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Juan Salmon
Sent: Wednesday, December 14, 2016 3:36 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] snat multi-thread support problem

Hello guys,
I ran the new commit of snat that supports multi-thread, but it failed at the ip 
and port allocation function in multi-thread mode.
I don't know if I missed some configuration or there is another problem?!
Best Regards,
Juan Salmon

Re: [vpp-dev] VPP || Limiting interface rate

2016-11-28 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Hi,

There is no documentation for policer.

Simple example
To configure policer (you can set conform/exceed/violate action 
transmit/mark-and-transmit/drop) use:
configure policer name policy2 cir 102 eir 2345 cb 12 eb 67 rate pps round up type 2r3c-4115 conform-action transmit exceed-action mark-and-transmit AF43 violate-action drop
To set policer classifier (you can precolor traffic with 
conform-color/exceed-color) use:
classify table mask l3 ip4 src
classify session policer-hit-next policy1 exceed-color table-index 0 match l3 ip4 src 16.0.0.1
set policer classify interface GigabitEthernet0/8/0 ip4-table 0

Regards,



From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On 
Behalf Of Mohammed Sayed
Sent: Monday, November 28, 2016 10:29 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] VPP || Limiting interface rate

Hello VPP Developers,

I am trying to implement a simple topology, where I would like to limit the 
rate of a physical Sub-interface inside VPP.

According to the VPP Wiki features page, this is not applicable. However, I 
found some commands in the VPP CLI such as those below, but they are not clear at all.
For example

  *   vppctl classify
  *   vppctl set policer
Is there any sort of documentation or help or examples for such scenario?

Thanks
Best Regards

Mohammed Sayed Abdel Aziz
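
The conform/exceed/violate outcomes in the policer command above come from a two-bucket marker; the following is an added example, not part of the thread and not VPP's implementation, that models a two-rate three-colour marker in the style of RFC 4115 with the cir/eir/cb/eb values from that command. Counting burst sizes in packets, the `>=` boundary test, and all type and function names are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#define PKT 1000000ULL /* one packet = 1e6 micro-tokens, keeps the math integral */
typedef enum { GREEN, YELLOW, RED } color_t; /* conform / exceed / violate */
typedef struct {
    uint64_t cir, eir; /* refill rates, packets per second */
    uint64_t cb, eb;   /* bucket depths, micro-tokens */
    uint64_t tc, te;   /* current fill of committed / excess bucket */
    uint64_t last_us;  /* time of the previous refill */
} policer_t;

/* Assumption: burst sizes are given in packets. Both buckets start full. */
void policer_init(policer_t *p, uint64_t cir, uint64_t eir,
                  uint64_t cb_pkts, uint64_t eb_pkts)
{
    p->cir = cir; p->eir = eir; p->last_us = 0;
    p->cb = p->tc = cb_pkts * PKT;
    p->eb = p->te = eb_pkts * PKT;
}

/* rate [pkt/s] * dt [us] is in micro-tokens; saturate at depth, never overflow. */
static uint64_t refill(uint64_t fill, uint64_t depth, uint64_t rate, uint64_t dt_us)
{
    if (rate == 0) return fill;
    if (dt_us > (depth - fill) / rate) return depth;
    return fill + rate * dt_us;
}

/* pre = colour the packet arrived with; YELLOW may only use the excess bucket. */
color_t policer_mark(policer_t *p, uint64_t now_us, color_t pre)
{
    if (now_us > p->last_us) { /* a clock stepping backwards adds no tokens */
        uint64_t dt = now_us - p->last_us;
        p->tc = refill(p->tc, p->cb, p->cir, dt);
        p->te = refill(p->te, p->eb, p->eir, dt);
        p->last_us = now_us;
    }
    if (pre == GREEN && p->tc >= PKT) { p->tc -= PKT; return GREEN; }
    if (pre != RED && p->te >= PKT) { p->te -= PKT; return YELLOW; }
    return RED;
}

/* Offer n packets gap_us apart starting at start_us; tally the colours. */
void policer_offer(policer_t *p, uint64_t start_us, uint64_t gap_us,
                   int n, color_t pre, int counts[3])
{
    counts[GREEN] = counts[YELLOW] = counts[RED] = 0;
    for (int i = 0; i < n; i++)
        counts[policer_mark(p, start_us + (uint64_t)i * gap_us, pre)]++;
}

int main(void)
{
    policer_t p; int c[3];
    policer_init(&p, 102, 2345, 12, 67);        /* values from the CLI example */
    policer_offer(&p, 0, 1000, 1000, GREEN, c); /* 1000 pps for one second */
    printf("green=%d yellow=%d red=%d\n", c[GREEN], c[YELLOW], c[RED]);
}
```

In this model an instantaneous burst is what reaches the violate action: once both buckets are empty every further packet is red until time passes and tokens return.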
