Network Address Translation IPv4 to IPv4
----------------------------------------

NAT44 prefix bindings should be representative of target applications,
where a number of private IPv4 addresses from the range defined by
:rfc:`1918` is mapped to a smaller set of public IPv4 addresses from the

The following quantities are used to describe inside-to-outside IP address
and port binding scenarios:

- Inside-addresses, number of inside source addresses
  (representing inside hosts).
- Ports-per-inside-address, number of TCP/UDP source
  ports per inside source address.
- Outside-addresses, number of outside (public) source addresses
- Ports-per-outside-address, number of TCP/UDP source
  ports per outside source address. The maximal number of
  ports-per-outside-address usable for NAT is 64 512
  (in non-reserved port range 1024-65535, :rfc:`4787`).
- Sharing-ratio, equal to inside-addresses / outside-addresses.

CSIT NAT44 tests are designed to take into account the maximum number of
ports (sessions) required per inside host (inside-address) and at the
same time to maximize the use of outside-address range by using all
available outside ports. With this in mind, the following scheme of
NAT44 sharing ratios has been devised for use in CSIT:

+--------------------------+---------------+
| ports-per-inside-address | sharing-ratio |
+==========================+===============+
+--------------------------+---------------+
+--------------------------+---------------+
+--------------------------+---------------+
+--------------------------+---------------+

Initial CSIT NAT44 tests, including associated TG/TRex traffic profiles,
are based on ports-per-inside-address set to 63 and the sharing ratio of
1024. This approach is currently used for all NAT44 tests including
NAT44det (NAT44 deterministic used for Carrier Grade NAT applications)
and NAT44ed (Endpoint Dependent).

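
The sharing scheme above (63 ports per inside host, sharing ratio 1024), worked through as a deterministic binding layout; this is an added example, not CSIT or VPP code. The contiguous per-host port blocks, the function names and the outside base 198.51.100.0 are assumptions made for illustration. Because the mapping is pure arithmetic, an outside address and port can be traced back to the inside host without per-session logs.

```python
import ipaddress

PORT_LO, PORT_HI = 1024, 65535          # non-reserved port range
USABLE_PORTS = PORT_HI - PORT_LO + 1    # 64 512 ports per outside address


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def det_binding(inside_ip, inside_base, outside_base, ports_per_host=63):
    """Map an inside host to (outside_ip, first_port, last_port).

    Assumed layout: hosts are numbered by offset from inside_base, each
    outside address serves `ratio` consecutive hosts, and every host owns
    one contiguous block of ports_per_host ports.
    """
    ratio = USABLE_PORTS // ports_per_host          # sharing-ratio
    offset = _to_int(inside_ip) - _to_int(inside_base)
    if offset < 0:
        raise ValueError("inside address is below the inside base")
    outside_ip = ipaddress.IPv4Address(_to_int(outside_base) + offset // ratio)
    first = PORT_LO + (offset % ratio) * ports_per_host
    return str(outside_ip), first, first + ports_per_host - 1


def det_reverse(outside_ip, outside_port, inside_base, outside_base,
                ports_per_host=63):
    """Recover the inside host that owns an outside address and port."""
    if not PORT_LO <= outside_port <= PORT_HI:
        raise ValueError("port is outside the NAT port range")
    ratio = USABLE_PORTS // ports_per_host
    slot = (outside_port - PORT_LO) // ports_per_host
    if slot >= ratio:       # leftover ports when P does not divide 64 512
        raise ValueError("port is not assigned to any host")
    index = _to_int(outside_ip) - _to_int(outside_base)
    if index < 0:
        raise ValueError("outside address is below the outside base")
    return str(ipaddress.IPv4Address(_to_int(inside_base) + index * ratio + slot))


if __name__ == "__main__":
    # Constructed sample: 198.51.100.0 is a documentation address chosen
    # for this example, not an address used by CSIT.
    inside, outside = "192.168.0.0", "198.51.100.0"
    for host in ("192.168.0.0", "192.168.3.255", "192.168.4.0"):
        print(host, "->", det_binding(host, inside, outside))
```
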
Private address ranges to be used in tests:

- 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

  - Total of 2^16 (65 536) usable IPv4 addresses.
  - Used in tests for up to 65 536 inside addresses (inside hosts).

- 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

  - Total of 2^20 (1 048 576) usable IPv4 addresses.
  - Used in tests for up to 1 048 576 inside addresses (inside hosts).

NAT44 session scale tested is governed by the following logic:

- Number of inside-addresses (hosts) H[i] = (H[i-1] x 2^2) with H[0] = 1 024,

  - H[i] = 1 024, 4 096, 16 384, 65 536, 262 144, ...

- Number of sessions S[i] = H[i] * ports-per-inside-address

  - ports-per-inside-address = 63

+---+---------+------------+
| i | hosts   | sessions   |
+===+=========+============+
| 0 | 1 024   | 64 512     |
+---+---------+------------+
| 1 | 4 096   | 258 048    |
+---+---------+------------+
| 2 | 16 384  | 1 032 192  |
+---+---------+------------+
| 3 | 65 536  | 4 128 768  |
+---+---------+------------+
| 4 | 262 144 | 16 515 072 |
+---+---------+------------+

NAT44det throughput tests use TRex STL (Stateless) API and traffic
profiles, similar to all other stateless packet forwarding tests like
ip4, ip6 and l2, sending UDP packets in both directions
inside-to-outside and outside-to-inside. See
:ref:`data_plane_throughput` for more detail.

The inside-to-outside traffic uses single destination address (20.0.0.0)
The inside-to-outside traffic covers whole inside address and port range,
the outside-to-inside traffic covers whole outside address and port range.

NAT44det translation entries are created during the ramp-up phase
preceding the throughput test, followed by verification that all entries
are present, before proceeding to the throughput test. This ensures
session setup does not impact the forwarding performance test.

Associated CSIT test cases use the following naming scheme to indicate
NAT44det scenario tested:

- ethip4udp-nat44det-h{H}-p{P}-s{S}-[mrr|ndrpdr|soak]

  - {H}, number of inside hosts, H = 1024, 4096, 16384, 65536, 262144.
  - {P}, number of ports per inside host, P = 63.
  - {S}, number of sessions, S = 64512, 258048, 1032192, 4128768,
  - [mrr|ndrpdr|soak], MRR, NDRPDR or SOAK test.

TODO: The -s{S} part is redundant,
we can save space by removing it.

TODO: Make traffic profile names resemble suite names more closely.

NAT44 Endpoint-Dependent
^^^^^^^^^^^^^^^^^^^^^^^^

TODO: Is it possible to test a NAT44ed scenario where the outside source
address and port is limited to just one value?
In theory, as long as every inside source address&port traffic
uses a different destination address&port, there will be no conflicts,
and we could use bidirectional stateless profiles.
Possibly, VPP requires some amount of outside source address&port
to remain unused for security reasons. But we can try to see what happens.

In order to exercise the NAT44ed ability to translate based on both
source and destination address and port, the inside-to-outside traffic
also varies the destination address and port. Destination port is the same
as source port, destination address has the same offset as the source address,
but applied to a different subnet (starting with 20.0.0.0).

As the mapping is not deterministic (for security reasons),
we cannot easily use stateless bidirectional traffic profiles.
Outside address and port range is fully covered,
but we do not know which outside-to-inside source address and port to use
to hit an open session of a particular outside address and port.

Therefore, NAT44ed is benchmarked using the following methodologies:

- Unidirectional throughput using *stateless* traffic profile.
- Connections-per-second using *stateful* traffic profile.
- Bidirectional PPS (see below) using *stateful* traffic profile.

Unidirectional NAT44ed throughput tests use TRex STL (Stateless)
APIs and traffic profiles, but with packets sent only in
inside-to-outside direction.
Similarly to NAT44det, NAT44ed unidirectional throughput tests include
a ramp-up phase to establish and verify the presence of required NAT44ed

Stateful NAT44ed tests use TRex ASTF (Advanced Stateful) APIs and
traffic profiles, with packets sent in both directions. Tests are run
with both UDP and TCP/IP sessions.
As both NAT44ed CPS (connections-per-second) and PPS (packets-per-second)
stateful tests measure (also) session opening performance,
they use state reset instead of ramp-up trial.
That is also the reason why PPS tests are not called throughput tests.

Associated CSIT test cases use the following naming scheme to indicate
NAT44ed case tested:

- Stateless: ethip4udp-nat44ed-h{H}-p{P}-s{S}-udir-[mrr|ndrpdr|soak]

  - {H}, number of inside hosts, H = 1024, 4096, 16384, 65536, 262144.
  - {P}, number of ports per inside host, P = 63.
  - {S}, number of sessions, S = 64512, 258048, 1032192, 4128768,
  - udir-[mrr|ndrpdr|soak], unidirectional stateless tests MRR, NDRPDR

- Stateful: ethip4[udp|tcp]-nat44ed-h{H}-p{P}-s{S}-[cps|pps]-[mrr|ndrpdr]

  - [udp|tcp], UDP or TCP/IP sessions
  - {H}, number of inside hosts, H = 1024, 4096, 16384, 65536, 262144.
  - {P}, number of ports per inside host, P = 63.
  - {S}, number of sessions, S = 64512, 258048, 1032192, 4128768,
  - [cps|pps], connections-per-second session establishment rate or
    packets-per-second throughput rate.
  - [mrr|ndrpdr], bidirectional stateful tests MRR, NDRPDR.

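
A parser for the NAT44det and NAT44ed test names described above that checks each name against the session scale rules (H[i] progression, S = H * P, private range size); this is an added example, not part of CSIT. The function name, the returned field names and the choice to reject inconsistent names are assumptions of this sketch.

```python
import re

USABLE_PORTS = 64512                      # ports 1024-65535 per outside address
PRIVATE_RANGES = (("192.168.0.0/16", 2 ** 16), ("172.16.0.0/12", 2 ** 20))

NAME_RE = re.compile(
    r"^ethip4(?P<proto>udp|tcp)-(?P<nat>nat44det|nat44ed)"
    r"-h(?P<h>\d+)-p(?P<p>\d+)-s(?P<s>\d+)"
    r"-(?P<kind>udir-(?:mrr|ndrpdr|soak)|(?:cps|pps)-(?:mrr|ndrpdr)"
    r"|mrr|ndrpdr|soak)$"
)


def parse_test_name(name):
    """Parse a NAT44 test name and check it against the scale rules."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a NAT44 test name: {name!r}")
    proto, nat, kind = m["proto"], m["nat"], m["kind"]
    hosts, ports, sessions = int(m["h"]), int(m["p"]), int(m["s"])

    stateful = kind.startswith(("cps-", "pps-"))
    if nat == "nat44det" and (proto != "udp" or "-" in kind):
        raise ValueError("nat44det names are ethip4udp-...-[mrr|ndrpdr|soak]")
    if nat == "nat44ed" and "-" not in kind:
        raise ValueError("nat44ed names need udir- or [cps|pps]-")
    if proto == "tcp" and not stateful:
        raise ValueError("tcp is only used by stateful tests")
    # H[i] = 1024 * 4**i: a power of two with an even exponent >= 10.
    if hosts < 1024 or hosts & (hosts - 1) or (hosts.bit_length() - 11) % 2:
        raise ValueError(f"h{hosts} is not in the 1024 * 4**i progression")
    if not 0 < ports <= USABLE_PORTS:
        raise ValueError("ports per host exceed the outside port range")
    if sessions != hosts * ports:
        raise ValueError(f"s{sessions} != h{hosts} * p{ports}")
    prefix = next((p for p, size in PRIVATE_RANGES if hosts <= size), None)
    if prefix is None:
        raise ValueError("more inside hosts than the private ranges hold")
    return {
        "nat": nat, "proto": proto, "kind": kind, "hosts": hosts,
        "ports": ports, "sessions": sessions, "inside_prefix": prefix,
        "scale_index": (hosts.bit_length() - 11) // 2,
        # Outside addresses needed when every outside port is used.
        "outside_addresses": -(-sessions // USABLE_PORTS),
    }
```
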
Stateful traffic profiles
^^^^^^^^^^^^^^^^^^^^^^^^^

Contrary to stateless traffic profiles, we do not have a simple limit
that would guarantee TRex is able to send traffic at specified load.
For that reason, we have added tests where "nat44ed" is replaced by "ip4base".
Instead of NAT44ed processing, the tests set minimalistic IPv4 routes,
so that packets are forwarded in both inside-to-outside and outside-to-inside

The packets arrive at the server end of TRex with a different source address&port
than in NAT44ed tests (no translation to outside values is done with ip4base),
but those are not specified in the stateful traffic profiles.
The server end uses the received address&port as destination
for outside-to-inside traffic. Therefore the same stateful traffic profile
works for both NAT44ed and ip4base tests (of the same scale).

The NAT44ed results are displayed together with corresponding ip4base results.
If they are similar, TRex is probably the bottleneck.
If the NAT44ed result is visibly smaller, it describes the real VPP performance.