Networking #773
furkansahin started this conversation in Show and tell
Ubicloud Networking Stack Documentation
Let's explore Ubicloud's networking configuration. While the core of this discussion is the dataplane setup, we aim to give a comprehensive overview of the network's architecture. The diagram below shows a simplified version of our networking setup for a single host; each yellow box represents an interface.
Features Overview:
1. Network Blueprint
Key Components:
NAT Using nftables:
DHCP via Dnsmasq:
IPsec Integration:
2. Public IPv4 Configuration on Host
Each host is provisioned with a /27 public IPv4 subnet. Any subnet size would work; /27 is simply what we use for now. The provider already routes that subnet to the host, so no additional routing is needed on our side. Activating an IP for a VM involves:
Essentially, the public IPv4 address serves only to select the right network namespace. From there, nftables and the private IPv4 networking stack take over.
3. Ephemeral Public IPv6 Configuration
Our ephemeral /64 IPv6 blocks, assigned by the service providers, are further segmented into /79 blocks to give each VM its public IPv6 prefix. For example, if the host has the prefix 2a01:4f8:10a:128b::/64 attached, a VM may be assigned the prefix 2a01:4f8:10a:128b:aaaa::/79.
4. Private IPv4 Configuration
The cornerstone of private IPv4 networking is a chosen /26 private subnet. The details of this configuration play out within the VM and its network namespace; the private addresses are never exposed externally, because all private traffic travels through IPsec tunnels.
For instance, the subnet might be 10.0.0.64/26 with a VM IP of 10.0.0.100/32.
5. Private IPv6 Configuration
The process mirrors its IPv4 counterpart: a /64 private block is chosen, and a random /79 block is picked from it for each VM, such as fd1c:a0f1:cccc:bbbb:aaaa::/79:
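As an added example (not code from the Ubicloud project), the following Ruby script works through the address carving described in sections 3 to 5 using Ruby's standard IPAddr. It checks that a VM's /79 sits inside the host's /64 and computes which of the 32768 possible /79 blocks it is, verifies that a VM's /32 private IPv4 address lies in the chosen /26, and generates a random ULA /64 (fd00::/8, RFC 4193) with a random /79 inside it. The prefix lengths and sample addresses are the ones given in the text above; the helper names are assumptions of this example.

```ruby
require 'ipaddr'
require 'securerandom'

# Prefix lengths from the design described above.
HOST_IPV6_PREFIX  = 64  # one /64 per host, routed by the provider
VM_IPV6_PREFIX    = 79  # one /79 per VM, carved out of the host /64
PRIVATE_V4_PREFIX = 26  # one /26 private subnet per private network

# Render an IPAddr with its prefix length, e.g. "10.0.0.64/26".
def cidr(ip)
  "#{ip}/#{ip.prefix}"
end

# How many /79 blocks fit in one /64: 2**(79-64) = 32768.
def vm_blocks_per_host
  2**(VM_IPV6_PREFIX - HOST_IPV6_PREFIX)
end

# The n-th /79 block (counting from 0) inside the host's /64.
def nth_vm_block(host_net, n)
  raise ArgumentError, "expected a /#{HOST_IPV6_PREFIX}" unless host_net.prefix == HOST_IPV6_PREFIX
  raise ArgumentError, "block index #{n} out of range" unless (0...vm_blocks_per_host).cover?(n)
  shift = 128 - VM_IPV6_PREFIX  # the block index occupies the 15 bits just below the /64
  IPAddr.new(host_net.to_i + (n << shift), Socket::AF_INET6).mask(VM_IPV6_PREFIX)
end

# Which /79 block of host_net a VM prefix occupies, or nil when vm_net is not a
# /79 lying inside host_net (the check to make before programming the VM's prefix).
def vm_block_index(host_net, vm_net)
  return nil unless vm_net.prefix == VM_IPV6_PREFIX && host_net.include?(vm_net)
  (vm_net.to_i - host_net.to_i) >> (128 - VM_IPV6_PREFIX)
end

# True when the private network is a /26 and the VM address is a single /32 inside it.
def private_v4_ok?(subnet, vm_ip)
  subnet.prefix == PRIVATE_V4_PREFIX && vm_ip.prefix == 32 && subnet.include?(vm_ip)
end

# A random private IPv6 /64 in the ULA range (fd00::/8, RFC 4193) with a random
# /79 chosen inside it, mirroring the private IPv6 procedure described above.
def random_private_v6_block
  ula_host = IPAddr.new((0xfd << 120) | (SecureRandom.random_number(2**56) << 64),
                        Socket::AF_INET6).mask(HOST_IPV6_PREFIX)
  nth_vm_block(ula_host, SecureRandom.random_number(vm_blocks_per_host))
end

if $PROGRAM_NAME == __FILE__
  host = IPAddr.new("2a01:4f8:10a:128b::/64")        # host prefix from the text
  vm   = IPAddr.new("2a01:4f8:10a:128b:aaaa::/79")   # VM prefix from the text
  puts "#{cidr(vm)} is block #{vm_block_index(host, vm)} of #{vm_blocks_per_host} in #{cidr(host)}"
  puts "private v4 ok: #{private_v4_ok?(IPAddr.new('10.0.0.64/26'), IPAddr.new('10.0.0.100/32'))}"
  puts "random ULA VM block: #{cidr(random_private_v6_block)}"
end
```

Running it shows that 2a01:4f8:10a:128b:aaaa::/79 is block 21845 of the 32768 /79 blocks in the host's /64, and that a prefix from a different /64 (or with a prefix length other than /79) is rejected with nil rather than silently accepted.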
6. Private Networking via IPsec
The backbone of our private networking is IPsec tunnels. Traffic is matched, classified, and handled via IP xfrm policies and states. Here's how:
Outgoing Policy:
Incoming Policy:
We rekey the tunnels every 24 hours with zero disruption to traffic.