David Caplan
2008-Apr-30 15:56 UTC
[crossbow-discuss] Use of virtual IP addresses (and NAT) to cross containers
IHAC asking if a virtual IP address created in a given Solaris container can be NAT'ed to a "real IP address" in another container? Traffic destined for the virtual IP address (and presumably TCP port) would then be shuttled into the destination container after having been NAT'ed, where it terminates on the real IP address and port? Each container maintains its own private routing space.

The situation, as described above, was the basis for virtualization in the Nauticus Load Balancer. Customers liked it because traffic can be directed across virtual routing domains based on the establishment of an awaiting virtual service (IP address and port). Only traffic classified as a match to the virtual IP and port is NAT'ed to fit within the routing domain of the destination container, and then it is delivered. The destination container must maintain state about the nature of the arriving packets so that responses can be NAT'ed in the return path.

The principal advantage of this capability (beyond the context of load balancing) is that it eliminates the need for ACLs to restrict traffic between routing domains. Only intended traffic (IP and port) will pass.

Thanks

David
Erik Nordmark
2008-May-01 00:55 UTC
[crossbow-discuss] Use of virtual IP addresses (and NAT) to cross containers
David Caplan wrote:
> IHAC asking if a virtual IP address created in a given Solaris container
> can be NAT'ed to a "real IP address" in another container? Traffic
> destined for the virtual IP address (and presumably TCP port) would then
> be shuttled into the destination container after having been NAT'ed, where
> it terminates on the real IP address and port? Each container maintains
> its own private routing space.

Yes, you can have one container (an exclusive-IP zone) that has IP Filter NAT configured and give that container connectivity to other containers using VNICs over Ethernet stub interfaces.

    Erik

> The situation, as described above, was the basis for virtualization in
> the Nauticus Load Balancer. Customers liked it because traffic can be
> directed across virtual routing domains based on the establishment of an
> awaiting virtual service (IP address and port). Only traffic classified
> as a match to the virtual IP and port is NAT'ed to fit within the
> routing domain of the destination container, and then it is delivered.
> The destination container must maintain state about the nature of the
> arriving packets so that responses can be NAT'ed in the return path.
>
> The principal advantage of this capability (beyond the context of load
> balancing) is that it eliminates the need for ACLs to restrict traffic
> between routing domains. Only intended traffic (IP and port) will pass.
>
> Thanks
>
> David
> _______________________________________________
> crossbow-discuss mailing list
> crossbow-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/crossbow-discuss
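The arrangement Erik describes (one exclusive-IP zone running IP Filter NAT, reaching a backend zone over VNICs on an etherstub), sketched as an added shell example that is not from the thread or from the Crossbow project. Every zone, VNIC, etherstub and address name is a constructed placeholder, both zones are assumed to exist already, and the script only prints the commands for review rather than executing them.

```shell
# Added illustration: exclusive-IP NAT zone + backend zone over an etherstub.
# All names/addresses are constructed placeholders; both zones already exist.
set -eu
PHYS=e1000g0            # physical NIC in the global zone (assumed)
EXT_VNIC=ext0           # NAT zone's uplink VNIC over PHYS (assumed)
STUB=stub0              # etherstub joining NAT zone and backend zone (assumed)
NAT_VNIC=vnic0          # NAT zone's VNIC on the etherstub (assumed)
BACKEND_VNIC=vnic1      # backend zone's VNIC on the etherstub (assumed)
VIP=10.0.0.10           # "virtual" address, assumed plumbed on EXT_VNIC (constructed)
BACKEND_IP=192.168.1.20 # "real" address inside the backend zone (constructed)
PORT=80
# Global zone: build the virtual wiring with dladm(1M).
wiring_commands() {
    printf 'dladm create-vnic -l %s %s\n' "$PHYS" "$EXT_VNIC"
    printf 'dladm create-etherstub %s\n' "$STUB"
    printf 'dladm create-vnic -l %s %s\n' "$STUB" "$NAT_VNIC"
    printf 'dladm create-vnic -l %s %s\n' "$STUB" "$BACKEND_VNIC"
}
# Global zone: make a zone exclusive-IP and hand it its VNICs.
zone_net_config() {  # $1 = zone name, remaining args = VNICs
    zone=$1; shift
    printf 'zonecfg -z %s "set ip-type=exclusive' "$zone"
    for v in "$@"; do printf '; add net; set physical=%s; end' "$v"; done
    printf '; commit"\n'
}
# NAT zone: the single ipnat(4) rdr rule. Only TCP to VIP:PORT arriving on
# the uplink is rewritten to BACKEND_IP:PORT; IP Filter keeps the translation
# state so replies are un-NAT'ed on the return path.
rdr_rule() {
    printf 'rdr %s %s/32 port %s -> %s port %s tcp\n' \
        "$EXT_VNIC" "$VIP" "$PORT" "$BACKEND_IP" "$PORT"
}
# NAT zone: forward between its two VNICs and load the rule.
nat_zone_commands() {
    printf 'routeadm -u -e ipv4-forwarding\n'
    printf 'svcadm enable network/ipfilter\n'
    printf 'ipnat -CF -f /etc/ipf/ipnat.conf\n'
}
echo '# run in the global zone:'
wiring_commands
zone_net_config natzone "$EXT_VNIC" "$NAT_VNIC"
zone_net_config backend "$BACKEND_VNIC"
echo '# then, inside natzone, put this line in /etc/ipf/ipnat.conf:'
rdr_rule
echo '# and run:'
nat_zone_commands
```

Traffic to any other address or port on the uplink is not matched by the rdr rule, so nothing else is translated into the backend zone's routing domain.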
Sunay Tripathi
2008-May-03 23:52 UTC
[crossbow-discuss] Use of virtual IP addresses (and NAT) to cross containers
Erik Nordmark wrote:
> David Caplan wrote:
>> IHAC asking if a virtual IP address created in a given Solaris container
>> can be NAT'ed to a "real IP address" in another container? Traffic
>> destined for the virtual IP address (and presumably TCP port) would then
>> be shuttled into the destination container after having been NAT'ed, where
>> it terminates on the real IP address and port? Each container maintains
>> its own private routing space.
>
> Yes, you can have one container (an exclusive-IP zone) that has IP
> Filter NAT configured and give that container connectivity to other
> containers using VNICs over Ethernet stub interfaces.

You can check out my blog at http://blog.sun.com/sunay to see how to configure a virtual network like this. All the steps necessary are there. And you can check out Nicolas's blog as well, which has an additional example. I believe Crossbow's OpenSolaris webpage has the links and details as well.

Cheers,
Sunay

--
Sunay Tripathi
Distinguished Engineer
Solaris Core Operating System
Sun Microsystems Inc.
Solaris Networking: http://www.opensolaris.org/os/community/networking
Project Crossbow: http://www.opensolaris.org/os/project/crossbow