By Yann Rapaport, 6WIND Customer Support and Service Manager
This is the sixth post of this series about High Availability capabilities for packet processing software. It illustrates the architecture concepts described in the five previous posts with a real-world example using 6WINDGate packet processing software. This post describes the requirements and the packet processing software architecture. Extensions for high availability will be described in the next post.
The example we chose is a Large Scale NAT (LSN).
Although NAT (Network Address Translation) adds complexity to IP architectures, it has been used for more than 15 years to hide large private networks behind a limited number of public IP addresses. In the long term, IPv6 will provide a quasi-unlimited address space and could lead to a flat IP architecture that makes NAT obsolete. However, IPv6 introduction is a long process, and ISPs have an immediate need to deploy large-scale NAT architectures to cope with the depletion of IPv4 addresses. Referring to the figure below, Large Scale NAT (LSN) extends the traditional NAT concept by adding another layer of translation at the provider edge. This architecture is named NAT444 because IPv4 packets cross two stages of IPv4-to-IPv4 address translation (customer private, provider private, public).
From a deployment point of view, the architecture is attractive because it does not change the CPE (Customer Premises Equipment) NATs: a CPE NAT does not care whether its outside address is public or private. The NAT444 concept is simple, but it also has some drawbacks:
- The first is obviously LSN scalability: it has to manage a large number of CPE NATs, each hiding an increasing number of connected devices, each of which can run several applications at the same time.
- Moreover, the LSN is a single point of failure of the architecture, and high availability features are required to maintain NAT sessions in case of a failure.
- It is an additional system that increases power consumption. Addresses may also overlap between the customer's network and the private addresses used by the service provider.
- Finally, when traffic flows between two CPEs connected to the same LSN, filtering policies in firewalls and routers often block packets coming from outside the network with private source addresses. As a consequence, these flows must go through the LSN to have their private source address translated to a public address, and then through the LSN again to be translated back on the way to the destination. This puts a significant additional processing load on the LSN. "Hairpinning" techniques have been proposed to solve this issue.
The packet processing software architecture for the LSN is described below.
The NAT function is split into two parts. The Fast Path only handles established NAT sessions, for which all the information it needs is available in shared memory. When a session is not yet established, the first packets of the flow are processed as exceptions and forwarded to the Slow Path (the Linux stack). The session is established if it matches the defined NAT rules and if the LSN accepts it (per-CPE session limits, etc.).
The Fast Path has to keep the Slow Path informed about the status of the sessions, since the Slow Path no longer sees the traffic once a session is established; that is the role of the "periodic refresh notification" function. The NAT session databases are duplicated in the Slow Path and the Fast Path; the Slow Path database is larger, as it has to store more information per session.
When an event occurs at the Slow Path level, such as the addition or deletion of a NAT rule or a flush of the rules, the event has to be notified to the Fast Path. That is the role of the synchronization software (Cache Manager). It listens to the netlink messages that notify these events and translates them into commands for the Fast Path Manager, which updates the shared memory to synchronize the Fast Path.
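The following toy model, added here as an illustration and not taken from 6WINDGate, walks through the whole split described above: the first packet of a flow is an exception handled by the Slow Path, which checks the NAT rules and a per-CPE session limit before programming the Fast Path table; later packets are translated by the Fast Path, which sends periodic refresh notifications so the Slow Path can age idle sessions; and a rule deletion or flush (the netlink event the Cache Manager would see) removes the affected sessions from the Fast Path table. The address ranges, the per-CPE limit, the refresh interval and the idle timeout are assumptions chosen for the example; the Slow Path here also stands in for the Cache Manager and Fast Path Manager roles.

```python
# Constructed toy model of the LSN Fast Path / Slow Path split (added example,
# not 6WINDGate code). Addresses, limits and timers are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Flow key as seen on the CPE-facing side: (proto, cpe_ip, cpe_port, dst_ip, dst_port).
Key = Tuple[str, str, int, str, int]


@dataclass
class NatRule:
    inside: ipaddress.IPv4Network  # provider-private range used as CPE outside addresses
    public_ip: str                 # public address flows from that range are mapped to
    ports: Tuple[int, int]         # inclusive port pool on public_ip


@dataclass
class Session:
    key: Key
    public_ip: str
    public_port: int
    last_seen: int  # updated only through Fast Path refresh notifications


class FastPath:
    """Handles established sessions only; anything else is an exception."""
    REFRESH_INTERVAL = 10  # seconds between refresh notifications per session (assumption)

    def __init__(self, slow_path: "SlowPath") -> None:
        self.slow_path = slow_path
        self.table: Dict[Key, Tuple[str, int]] = {}  # stands in for the shared-memory table
        self.last_refresh: Dict[Key, int] = {}

    def install(self, key: Key, mapping: Tuple[str, int], now: int) -> None:
        self.table[key] = mapping
        self.last_refresh[key] = now

    def remove(self, key: Key) -> None:
        self.table.pop(key, None)
        self.last_refresh.pop(key, None)

    def process(self, key: Key, now: int) -> str:
        mapping = self.table.get(key)
        if mapping is None:
            # Not established: the first packets go to the Slow Path as exceptions.
            return "exception:established" if self.slow_path.on_exception(key, now) else "exception:dropped"
        if now - self.last_refresh[key] >= self.REFRESH_INTERVAL:
            # The Slow Path no longer sees this traffic; keep it informed periodically.
            self.slow_path.refresh(key, now)
            self.last_refresh[key] = now
        return f"fast:{mapping[0]}:{mapping[1]}"


class SlowPath:
    """Linux-stack side: full session database, NAT rules and admission control."""

    def __init__(self, rules: List[NatRule], max_sessions_per_cpe: int, idle_timeout: int) -> None:
        self.rules = list(rules)
        self.max_per_cpe = max_sessions_per_cpe
        self.idle_timeout = idle_timeout
        self.sessions: Dict[Key, Session] = {}
        self.fast_path = FastPath(self)

    def _rule_for(self, ip: str) -> Optional[NatRule]:
        addr = ipaddress.ip_address(ip)
        return next((r for r in self.rules if addr in r.inside), None)

    def on_exception(self, key: Key, now: int) -> Optional[Session]:
        cpe_ip = key[1]
        rule = self._rule_for(cpe_ip)
        if rule is None:
            return None  # no matching NAT rule: drop
        # Per-CPE limit: one customer cannot exhaust the public port pool shared by all CPEs.
        if sum(1 for s in self.sessions.values() if s.key[1] == cpe_ip) >= self.max_per_cpe:
            return None
        used = {s.public_port for s in self.sessions.values() if s.public_ip == rule.public_ip}
        port = next((p for p in range(rule.ports[0], rule.ports[1] + 1) if p not in used), None)
        if port is None:
            return None  # public pool exhausted
        session = Session(key, rule.public_ip, port, last_seen=now)
        self.sessions[key] = session
        # Fast Path Manager step: program the shared table so later packets bypass us.
        self.fast_path.install(key, (rule.public_ip, port), now)
        return session

    def refresh(self, key: Key, now: int) -> None:
        self.sessions[key].last_seen = now

    def expire(self, now: int) -> List[Key]:
        stale = [k for k, s in self.sessions.items() if now - s.last_seen > self.idle_timeout]
        for k in stale:
            self._remove(k)
        return stale

    def _remove(self, key: Key) -> None:
        del self.sessions[key]
        self.fast_path.remove(key)

    def netlink_event(self, action: str, rule: Optional[NatRule] = None) -> int:
        """Cache Manager role: turn a rule add/del/flush into Fast Path table updates."""
        if action == "add":
            self.rules.append(rule)
            return 0
        if action == "del":
            self.rules.remove(rule)
            victims = [k for k in self.sessions if ipaddress.ip_address(k[1]) in rule.inside]
        elif action == "flush":
            self.rules.clear()
            victims = list(self.sessions)
        else:
            raise ValueError(action)
        for k in victims:
            self._remove(k)  # stale translations must not survive a rule change
        return len(victims)


def demo() -> Dict[str, object]:
    """Constructed traffic: one CPE at 100.64.1.10 (provider-private), limit of 2 sessions."""
    rule = NatRule(ipaddress.ip_network("100.64.0.0/10"), "203.0.113.1", (1024, 1027))
    lsn = SlowPath([rule], max_sessions_per_cpe=2, idle_timeout=60)
    fp = lsn.fast_path
    flow_a = ("tcp", "100.64.1.10", 40000, "198.51.100.7", 443)
    flow_b = ("tcp", "100.64.1.10", 40001, "198.51.100.7", 443)
    flow_c = ("tcp", "100.64.1.10", 40002, "198.51.100.7", 443)
    flow_x = ("udp", "10.9.9.9", 5000, "198.51.100.7", 53)  # not covered by any rule
    out: Dict[str, object] = {}
    out["first"] = fp.process(flow_a, now=0)        # exception, session established
    out["second"] = fp.process(flow_a, now=1)       # translated in the Fast Path
    fp.process(flow_b, now=1)
    out["over_limit"] = fp.process(flow_c, now=2)   # third session for the same CPE: refused
    out["no_rule"] = fp.process(flow_x, now=2)      # no NAT rule matches: dropped
    fp.process(flow_a, now=12)                      # triggers a refresh notification
    out["last_seen_a"] = lsn.sessions[flow_a].last_seen
    out["expired"] = lsn.expire(now=70)             # flow_b idle for 69 s is aged out, flow_a kept
    out["flushed"] = lsn.netlink_event("flush")     # rule flush removes the remaining session
    out["after_flush"] = fp.process(flow_a, now=71)  # back to an exception, now refused
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the toy makes concrete: the per-CPE limit is the admission control that keeps one customer from exhausting a public address's port pool, and a rule deletion or flush must tear down the matching Fast Path entries, otherwise the Fast Path would keep translating flows the Slow Path no longer authorizes.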
The next post will describe high availability extensions.
More information about 6WINDGate architecture can be found here.
6WINDGate High Availability Architecture Overview is available here.
You can check 6WINDGate FAQ here.

