• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
NAT64 and DNS64 in 30 minutes
 

NAT64 and DNS64 in 30 minutes

on

  • 64,393 views

The presentation describes NAT solutions addressing the imminent IPv4 address exhaustion and some details of NAT64/DNS64 solution.

The presentation describes NAT solutions addressing the imminent IPv4 address exhaustion and some details of NAT64/DNS64 solution.

Statistics

Views

Total Views
64,393
Views on SlideShare
54,885
Embed Views
9,508

Actions

Likes
33
Downloads
0
Comments
5

60 Embeds 9,508

http://blog.ioshints.info 6951
http://blog.ipspace.net 1078
http://www.slideshare.net 344
http://ccna-labs.blogspot.com 334
http://ipv6.net 173
http://ccna-labs.blogspot.pt 129
http://www.kernelchina.org 78
http://www.weebly.com 62
http://ccna-labs.blogspot.in 53
http://doc.alea-soluciones.com 28
http://www.linkedin.com 26
http://ccna-labs.blogspot.co.uk 26
http://translate.googleusercontent.com 18
http://ainterne.weebly.com 18
http://d2stech.wordpress.com 15
http://ccna-labs.blogspot.sk 15
http://ccna-labs.blogspot.com.br 14
http://ccna-labs.blogspot.ca 11
http://ccna-labs.blogspot.com.ar 11
http://ccna-labs.blogspot.fr 9
http://ccna-labs.blogspot.ro 9
http://ccna-labs.blogspot.it 8
http://ccna-labs.blogspot.gr 8
http://ccna-labs.blogspot.nl 8
http://ccna-labs.blogspot.com.au 6
http://ccna-labs.blogspot.de 6
http://ccna-labs.blogspot.mx 6
http://ccna-labs.blogspot.com.es 5
http://www.slashdocs.com 4
http://ccna-labs.blogspot.be 4
http://static.slidesharecdn.com 4
http://blog.naver.com 3
http://ccna-labs.blogspot.fi 3
http://ccna-labs.blogspot.cz 3
http://ccna-labs.blogspot.ch 3
http://workspace.hantechnology.com.sg 3
http://ccna-labs.blogspot.hk 3
http://feeds.feedburner.com 2
http://paper.li 2
http://ccna-labs.blogspot.ie 2
http://webcache.googleusercontent.com 2
http://131.253.14.250 2
http://ccna-labs.blogspot.tw 2
http://test.ipv6.net 1
http://box.moresi.com 1
http://www.docshut.com 1
http://www.hanrss.com 1
http://ipspace-staging.blogspot.com 1
https://www.linkedin.com 1
http://127.0.0.1:8795 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

15 of 5 previous next Post a comment

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • clear and easy to follow
    Are you sure you want to
    Your message goes here
    Processing…
  • MUY BIEN
    Are you sure you want to
    Your message goes here
    Processing…
  • As of BIND 9.8.0, ISC's BIND 9 product is an open source DNS64 solution. http://www.isc.org/ for more.
    Are you sure you want to
    Your message goes here
    Processing…
  • It's really good, explicit and easy to understand!
    Are you sure you want to
    Your message goes here
    Processing…
  • realy helpful, thanks
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    NAT64 and DNS64 in 30 minutes NAT64 and DNS64 in 30 minutes Presentation Transcript

    • NAT64 and DNS64 in 30 seconds minutes
      Ivan Pepelnjak (ip@nil.com)NIL Data Communications
    • IPv6 adoption theory: the “famous” S-curve
      Who caresabout IPv4?
      IPv6 adoption [%]
      IPv6 pilots
      Time [years]
    • IPv6 adoption: the “ivory-tower” beliefs
      Who caresabout IPv4?
      IPv6 adoption [%]
      IPv6 pilots
      Time [years]
      Ecstatic earlyadopters
      Few years of dual-stack migration
      IPv4 addressexhaustion
    • IPv6 adoption: the unpleasant reality
      IPv6 adoption [%]
      IPv6-onlyclients?
      NAT and RFC 1918
      IPv6 pilots
      Time [years]
      Early adopters
      15 yearswasted
      IPv4 addressexhaustion
    • Options
      Facts:
      In 2 years some clients will not get public IPv4 addresses
      These clients will have to reach IPv4 content
      Options:
      CGN (large-scale NAT44)
      NAT444 (CGN + CPE NAT44)
      DS-Lite (NAT44 + 4-over-6 tunnel)
      A+P (DS-Lite with preconfigured port ranges)
      NAT64
    • NAT options: IPv4 only
      CPE
      CPE
      RFC1918
      NAT44
      IPv4 ProviderPrivate
      IPv4 Internet
      IPv4 Internet
      IPv4 Internet
      CGN/LSN
      NAT44
      IPv4 RFC1918
      LSN
      CGN/LSN
      NAT444
      RFC1918
      LSN
    • NAT options: IPv6 + IPv4
      CPE
      B4
      CPE
      DS-Lite
      RFC1918
      AFTR
      IPv4 Internet
      IPv4 Internet
      IPv4 Internet
      IPv6
      IPv6
      IPv6
      A+P
      RFC1918
      AFTR
      NAT 64
      NAT64
    • NAT is bad ... Is it really?
      Facts:
      Any NAT is worse than end-to-end Internet
      Dual NAT is worse than NAT (scrap NAT444)
      NAT with ALG is really bad (scrap NAT-PT, see RFC 4966)
      NAT is OK for outbound client-server sessions
      NAT + STUN/TURN works for peer-to-peer sessions
      We need some NAT to survive past IPv4 address exhaustion
      Personal opinion:
      NAT64 or DS-Lite/A+P are reasonable options
    • NAT-PT (RFC 2766) = NAT64 + NAT46 + DNS ALG
      Academic “we will bring world peace” approach
      DS-Lite = NAT44 over IPv6
      Well-known solution (and problems)
      Large-scale
      NAT64 = limited scope
      IPv6 client to IPv4 server
      NAT46 is useless
      What went wrong with NAT-PT
      Who caresabout IPv4?
    • IPv4
      IPv6
      NAT64 topology
      DNS64
      IPv6 + IPv4
      NAT64
      An IPv6 prefix (well-known or network-specific) is dedicated to mapped IPv4 addresses
      DNS64 converts A records into AAAA records using NAT64 prefix, serves A and AAAA records to the client
      NAT64 router advertises NAT64 prefix into IPv6 network to attract traffic toward IPv4 servers
    • DNS64 in action
      Q: AAAA for example.com
      Q: AAAA for example.com
      R: name error
      Q: A for example.com
      R: example.com (A) =
      192.0.2.33
      DNS64 translation for WKP
      R: example.com (AAAA)= 64:FF9B::192.0.2.33example.com (A) = 192.0.2.33
    • DNS64 in action (end-to-end IPv6)
      Q: AAAA for example.com
      Q: AAAA for example.com
      R: example.com (AAAA)=
      64:FF9B::192.0.2.33
      R: example.com (AAAA)=
      64:FF9B::192.0.2.33
      Native IPv6 communication w/o NAT64
    • NAT64 in action
      TCP SYN S=C-v6 D=WKP-v6
      Translate WKP-v6 into IPv4Pick free IPv4 addr/port from poolBuild NAT session entry
      TCP SYN S=NP-v4 D=S-v4
      TCP ACK S=S-v4 D=NP-v4
      Translate NP-v4 + port into C-v6
      TCP ACK S=WKP-v6 D=C-v6
    • NAT64: dirty details
      NAT64 prefix
      Any /32, /40, /48, /56, /64 or /96 prefix
      WKP = 64:FF9B::/96
      Recommendation: use /64 for NSP
      Stateful NAT64
      Very similar to PAT (stateful NAT44)
      Individual TCP and UDP sessions + ICMP replies are translated
      Source IPv6 address + port number used in lookup
      Stateless NAT64
      Each IPv6 address is translated into one IPv4 address
      Only ICMP packets and IP headers are translated
      Limited use: IPv6 only servers
    • NAT64 versus DS-Lite
      NAT64
      IPv6 to IPv4 NAT
      Native transport
      DNS 64 = DNS ALG
      No CPE or network modifications
      IPv6-only hosts
      NAT64 largely unknown
      DS-Lite
      IPv4 to IPv4 NAT
      4over6 Tunnel
      No DNS(SEC) interaction
      Requires CPE support
      Does not need host IPv6(not even dual-stack)
      NAT44 well tested
    • NAT64 in enterprise networks
      NSP = 2002:FF9B::/96
      IPv6
      IPv6 + IPv4
      www.example.com A 192.0.2.33
      AAAA 2002:FF9B::192.0.2.33
      Use NAT64 to make IPv4-only servers available to IPv6 clients
      Static entries in DNZ zone; DNS64 is not needed
    • Implementations
      Open-source:Ecdysis
      Microsoft: Forefront UAG DirectAccess
      Cisco:CGv6
      Ericsson: field trials
      NAT64 is also (sort-of) part of NAT-PT
    • Conclusions
      We are not prepared for IPv4 address exhaustion
      We will not survive without NAT
      Best options: NAT64 or DS-Lite/A+P
      Push NAT64 – it promotes IPv6 clients
      NAT64 is not NAT-PT
      6-to-4 only
      DNS ALG not in the forwarding path
      NAT64 also solves legacy server problems