NFV

VPN

Vxlan on Linux

End-to-end VXLAN (unicast)

ip a
ip link add vxlan0 type vxlan \
    id 42 \
    dstport 4789 \
    remote 10.12.0.172 \
    local 10.12.2.95 \
    dev eth0
ip -d link show dev vxlan0
ip addr add 192.168.8.101/24 dev vxlan0
ip link set vxlan0 up
ip r
default via 10.12.0.1 dev eth0
10.12.0.0/21 dev eth0 proto kernel scope link src 10.12.2.95
192.168.8.0/24 dev vxlan0 proto kernel scope link src 192.168.8.101
bridge fdb | grep vxlan0
ip neigh

Multicast VXLAN (multicast)

Wireguard development reference

git clone https://git.zx2c4.com/wireguard-go

SR-IOV vs DPDK/VPP for NFV

Linux Bridge supported GRE tunnels, but not the newer and more scalable VXLAN model.
https://vincent.bernat.ch/en/blog/2017-vxlan-linux

This post will talk about the various building blocks available to speed up packet processing, both hardware based (e.g. SR-IOV, RDT, QAT, VMDq, VT-d) and software based (e.g. DPDK, FD.io/VPP, OVS), and give hands-on lab experience.
https://www.telcocloudbridge.com/blog/dpdk-vs-sr-iov-for-nfv-why-a-wrong-decision-can-impact-performance/

Vpn With Wireguard

Installation

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard -y

Open the security group

Configuration

Create keys

wg genkey | tee privatekey | wg pubkey > publickey
private_key=$(wg genkey)
public_key=$(echo "$private_key" | wg pubkey)

Configuration

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 0a:81:39:72:97:90 brd ff:ff:ff:ff:ff:ff
    inet 10.

VPN client setup reference

Installation

https://download.wireguard.com/windows-client/wireguard-amd64-0.0.38.msi

Configuration

Change the public key. Endpoint is the address of the VPN server.

https://github.com/Nyr/openvpn-install
https://github.com/hwdsl2/setup-ipsec-vpn
https://wireguard.isystem.io/
https://github.com/meshbird/meshbird
https://www.tinc-vpn.org/
https://github.com/isystem-io/wireguard-aws

Download and install TunSafe, which is a Wireguard client for Windows.

wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
--2020-01-01 22:26:54-- https://git.io/vpnsetup
Resolving git.io (git.io)... 54.165.216.26, 54.224.175.112, 34.227.147.55, ...
Connecting to git.io (git.io)|54.165.216.26|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/vpnsetup.sh [following]
--2020-01-01 22:26:55-- https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/vpnsetup.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.188.133
Connecting to raw.

AWS SR-IOV

Enabling Enhanced Networking on Ubuntu

sudo apt-get update && sudo apt-get upgrade -y linux-aws

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide//sriov-networking.html#enhanced-networking-ubuntu

NFV Notes

VLAN

VLAN (802.1Q) is a LAN technology that can split the broadcast domain of a single LAN into multiple broadcast domains; it is commonly used to isolate different departments within one site.

Data center network virtualization: NVo3 technology, end-to-end tunnels

NVo3 (Network Virtualization over Layer 3) is a data center virtualization technology framework proposed by the IETF in October 2014. NVo3 uses IP/MPLS as the transport network and builds large-scale layer-2 tenant networks on top of it by connecting tunnels. The NVo3 technology model is as follows: PE devices are called NVEs (Network Virtualization Element), the VN Context acts as a tag identifying the tenant network, and P devices are ordinary IP/MPLS routers. When NVo3 was designed, joint deployment of VxLAN and SDN had already become the major trend in data centers, so the NVo3 model explicitly includes an NVA (Network Virtualization Authority) as the controller of the NVE devices, responsible for control logic such as tunnel establishment and address learning.

VxLAN (Virtual eXtensible LAN, RFC 7348)

A layer-2 technology jointly proposed by VMware and Cisco that breaks the 4k limit on VLAN IDs and allows tunnels to be carried over the existing IP network. Although the name VxLAN sounds much like VLAN, the two have no necessary technical connection. VxLAN is a MAC-in-UDP tunnel.

NvGRE

NvGRE (Network virtualization GRE, RFC draft) is a data center virtualization technology from Microsoft; it is a MAC-in-GRE tunnel. It modifies the traditional GRE header, adding a 24-bit VSID field to identify the tenant, while the FlowID can be used for ECMP. Because the Checksum field was removed from the GRE header, NvGRE does not support checksum verification. NvGRE encapsulates Ethernet frames, and the outer header can be either IPv4 or IPv6.

https://www.sdnlab.com/nv-subject/

Virtual network devices in Linux

Standard devices

Bridge: A Linux bridge behaves like a network switch. It forwards packets between interfaces that are connected to it. It is usually used for forwarding packets on routers, on gateways, or between VMs and network namespaces on a host. It also supports STP, VLAN filtering, and multicast snooping.

TUN: TUN (network Tunnel) devices work at the IP level (layer three) of the network stack and are usually point-to-point connections.

Linux Bridge

Some things worth noting in br_add_if:

Only Ethernet-like devices can be added to a bridge, as a bridge is a layer 2 device.
Bridges cannot be added to a bridge.
The new interface is set to promiscuous mode: dev_set_promiscuity(dev, 1)

https://goyalankit.com/blog/linux-bridge

Kernel Bypass Networking

RDMA (Remote Direct Memory Access), TOE (TCP Offload Engine), and OpenOnload. More recently, DPDK (Data Plane Development Kit) has been used in some applications to bypass the kernel, and then there are new emerging initiatives such as FD.io (Fast Data Input Output) based on VPP (Vector Packet Processing). More will likely emerge in the future. Technologies like RDMA and TOE create a parallel stack in the kernel and solve the first problem (namely, the “kernel is too slow”) while OpenOnload, DPDK and FD.