[Jool-list] JOOL in a multitenant service provider environment

Alberto Leiva ydahhrk at gmail.com
Tue Dec 15 15:43:06 CST 2020


Hi

I thought I might mention links to the relevant documentation, in case they
have been missed:

> My question: is there a way to run multiple Jool instances on the same
host?  The Linux kernel itself supports multiple routing tables.  Is Jool
capable of installing multiple NAT64/SIIT rules that go to different
address spaces?

Not sure exactly how you're setting things up, but if your translator is an
SIIT, chances are you only need one instance, and you just need to add each
customer network as an entry to the Explicit Address Mappings Table: [0]
Otherwise you can indeed set up multiple Jool instances and match their
traffic with iptables: [1]

[0] https://jool.mx/en/usr-flags-eamt.html
[1] https://jool.mx/en/usr-flags-instance.html
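A worked version of the per-customer EAMT plan discussed in this thread, added here as an illustration; it is not code from the thread, from the Jool project, or from any of the posters. It assumes a constructed provider prefix 2001:db8:abcd::/48, constructed customer names and VLAN interface names, and deliberately overlapping RFC 1918 space. Each customer gets its own /96, and the customer's IPv4 prefix is embedded in the low 32 bits of that /96 as one Explicit Address Mapping (RFC 7757 suffix-copy semantics), so every translated address still ends in the original IPv4 address and two customers with the same 10.0.0.0/8 never collide on the IPv6 side. The `jool`, `ip6tables` and `iptables` command shapes are written from memory of the linked jool.mx pages and should be checked against [0] and [1] before use; the script only generates them and validates the address arithmetic, it does not run them.

```python
"""Plan one SIIT EAM entry per customer on top of a provider /48.

Added example, not Jool code. Sample data below is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EamEntry:
    v6: ipaddress.IPv6Network
    v4: ipaddress.IPv4Network


def allocate_v96(base48: ipaddress.IPv6Network, index: int) -> ipaddress.IPv6Network:
    """Carve the index-th /96 out of a provider /48 (the index fills bits 48..95)."""
    if base48.prefixlen != 48 or not 0 <= index < 2 ** 48:
        raise ValueError("need a /48 base and a 48-bit customer index")
    return ipaddress.IPv6Network((int(base48.network_address) | (index << 32), 96))


def eam_for_customer(v96: ipaddress.IPv6Network, v4net: ipaddress.IPv4Network) -> EamEntry:
    """EAM whose IPv6 side is the customer /96 with the IPv4 network in the low 32 bits.

    The IPv6 prefix length becomes 96 + IPv4 length, so both suffixes are the same width.
    """
    v6addr = int(v96.network_address) | int(v4net.network_address)
    return EamEntry(ipaddress.IPv6Network((v6addr, 96 + v4net.prefixlen)), v4net)


def eam_v4_to_v6(entry: EamEntry, v4addr) -> ipaddress.IPv6Address:
    """RFC 7757 IPv4 -> IPv6: copy the IPv4 suffix bits into the IPv6 suffix."""
    v4addr = ipaddress.IPv4Address(v4addr)
    if v4addr not in entry.v4:
        raise ValueError(f"{v4addr} is not covered by {entry.v4}")
    suffix = int(v4addr) & ((1 << (32 - entry.v4.prefixlen)) - 1)
    return ipaddress.IPv6Address(int(entry.v6.network_address) | suffix)


def eam_v6_to_v4(entry: EamEntry, v6addr) -> ipaddress.IPv4Address:
    """RFC 7757 IPv6 -> IPv4: surplus high-order suffix bits must be zero."""
    v6addr = ipaddress.IPv6Address(v6addr)
    if v6addr not in entry.v6:
        raise ValueError(f"{v6addr} is not covered by {entry.v6}")
    v6suffix = int(v6addr) & ((1 << (128 - entry.v6.prefixlen)) - 1)
    if v6suffix >> (32 - entry.v4.prefixlen):
        raise ValueError(f"{v6addr} has non-zero bits outside the IPv4 suffix")
    return ipaddress.IPv4Address(int(entry.v4.network_address) | v6suffix)


def check_disjoint(entries) -> bool:
    """IPv4 sides may overlap across customers; IPv6 sides must not."""
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a.v6.overlaps(b.v6):
                raise ValueError(f"IPv6 overlap between {a.v6} and {b.v6}")
    return True


def jool_commands(name: str, entry: EamEntry, ifname: str):
    """Shell lines for one per-customer SIIT instance in iptables mode.

    Command shapes are as recalled from the jool.mx docs (assumption); verify before use.
    """
    return [
        f'jool instance add "{name}" --iptables',
        f'jool -i "{name}" eamt add {entry.v6} {entry.v4}',
        f'ip6tables -t mangle -A PREROUTING -d {entry.v6} -j JOOL_SIIT --instance "{name}"',
        f'iptables -t mangle -A PREROUTING -i {ifname} -s {entry.v4} -j JOOL_SIIT --instance "{name}"',
    ]


# Constructed sample data: two customers share 10.0.0.0/8 on purpose.
BASE48 = ipaddress.IPv6Network("2001:db8:abcd::/48")
CUSTOMERS = [
    ("cust-a", "10.0.0.0/8", "vlan101"),
    ("cust-b", "10.0.0.0/8", "vlan102"),
    ("cust-c", "192.168.0.0/16", "vlan103"),
]


def build_plan(base48=BASE48, customers=CUSTOMERS):
    """Return {name: (EamEntry, [shell lines])} after checking the IPv6 sides are disjoint."""
    plan = {}
    for index, (name, v4, ifname) in enumerate(customers, start=1):
        entry = eam_for_customer(allocate_v96(base48, index), ipaddress.IPv4Network(v4))
        plan[name] = (entry, jool_commands(name, entry, ifname))
    check_disjoint([entry for entry, _ in plan.values()])
    return plan


if __name__ == "__main__":
    for name, (entry, cmds) in build_plan().items():
        print(f"# {name}: {entry.v4} <-> {entry.v6}")
        print("\n".join(cmds))
```

With the sample data, cust-a's 10.0.0.5 becomes 2001:db8:abcd::1:a00:5 and cust-b's 10.0.0.5 becomes 2001:db8:abcd::2:a00:5, which is the "same private space, different /96" property the original question is after. The IPv4-side `iptables` rule keys on the customer's ingress interface because the IPv4 prefix alone cannot identify the customer; if each customer already lives in its own network namespace, as suggested elsewhere in the thread, that interface match is what the namespace boundary replaces.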

On Tue, Dec 15, 2020 at 3:11 AM Stefan Brudny via Jool-list <
jool-list at nic.mx> wrote:

> Hi,
>
> Let's focus on use case.
>
> I am guessing using IPv6 and a single address space is an approach to
> overcome a limitation of a monitoring tool. If so, I'd suggest:
>
> * use a single IPv6 /48 for all customers. You are not assigning networks,
> so RIPE doesn't bind you this time. Your monitoring tool may assign any
> subnet, /96 is fine, for a customer. Jool doesn't need to be aware of that
> assignment, it's business side, except constructing entries in namespaces.
> * use a network namespace for each customer translation.
> * stateful NAT64 could be used to embed the customer traffic in a namespace
> * be ready to master routing in namespaces: what is planned to connect the
> customers' networks? VLAN, GRE, OpenVPN, WireGuard?
> * do you foresee any services to be exposed (incoming)? If so, some extra
> DNAT rules are going to be necessary in each namespace. If the monitoring tool
> uses only outgoing, e.g. SNMP polling, then this is not needed. Beware, it
> is always tempting to start with one direction, but the application grows and
> using Zabbix and / or syslog would change requirements.
>
> For me such config works fine.
> Br, Stefan
>
> On Tue, 15 Dec 2020, 09:51 JORDI PALET MARTINEZ via Jool-list, <
> jool-list at nic.mx> wrote:
>
>> Are you serious about the /96 per customer? Maybe I'm missing the
>> context, but you should provide a /48 to each customer! See RIPE-690.
>>
>> If I'm getting it correctly, for the multiple instances, you could use
>> namespaces?
>>
>> Regards,
>> Jordi
>> @jordipalet
>>
>>
>>
>> On 15/12/20 1:00, "Jool-list on behalf of Art Cancro via Jool-list" <
>> jool-list-bounces at nic.mx on behalf of jool-list at nic.mx> wrote:
>>
>>     Hello Jool developers and community.  First of all, THANK YOU for
>> providing this excellent tool.  Using the .deb packages I was able to make
>> it work on the very first try.
>>
>>     We are looking at the possibility of installing Jool in a service
>> provider environment, to monitor and manage each of our customer IPv4
>> environments using a single IPv6 network.  We would assign each customer a
>> /96 prefix and then the final 32-bits would be their IPv4 networks.  Since
>> many customers will have overlapping private IPv4 space, this would allow
>> us to manage them all at the same time without conflict.  This would
>> require a Jool instance at the edge of every customer network.
>>
>>     My question: is there a way to run multiple Jool instances on the
>> same host?  The Linux kernel itself supports multiple routing tables.  Is
>> Jool capable of installing multiple NAT64/SIIT rules that go to different
>> address spaces?
>>
>>     Thank you for your consideration, and thank you again for providing
>> such a useful tool.
>>     _______________________________________________
>>     Jool-list mailing list
>>     Jool-list at nic.mx
>>     https://mail-lists.nic.mx/listas/listinfo/jool-list
>>
>>
>>
>>
>>
>>
>>
>

