• Save
NAT64 and DNS64 in 30 minutes
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

NAT64 and DNS64 in 30 minutes

  • 66,997 views
Uploaded on

The presentation describes NAT solutions addressing the imminent IPv4 address exhaustion and some details of NAT64/DNS64 solution.

The presentation describes NAT solutions addressing the imminent IPv4 address exhaustion and some details of NAT64/DNS64 solution.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
  • clear and easy to follow
    Are you sure you want to
    Your message goes here
  • MUY BIEN
    Are you sure you want to
    Your message goes here
  • As of BIND 9.8.0, ISC's BIND 9 product is an open source DNS64 solution. http://www.isc.org/ for more.
    Are you sure you want to
    Your message goes here
  • It's really good, explicit and easy to understand!
    Are you sure you want to
    Your message goes here
  • realy helpful, thanks
    Are you sure you want to
    Your message goes here
No Downloads

Views

Total Views
66,997
On Slideshare
57,263
From Embeds
9,734
Number of Embeds
62

Actions

Shares
Downloads
0
Comments
5
Likes
38

Embeds 9,734

http://blog.ioshints.info 6,951
http://blog.ipspace.net 1,275
http://www.slideshare.net 344
http://ccna-labs.blogspot.com 338
http://ipv6.net 180
http://ccna-labs.blogspot.pt 129
http://www.kernelchina.org 80
http://www.weebly.com 62
http://ccna-labs.blogspot.in 53
http://doc.alea-soluciones.com 28
http://www.linkedin.com 26
http://ccna-labs.blogspot.co.uk 26
http://ainterne.weebly.com 19
http://translate.googleusercontent.com 18
http://d2stech.wordpress.com 16
http://ccna-labs.blogspot.sk 15
http://ccna-labs.blogspot.ca 15
http://ccna-labs.blogspot.com.br 14
http://ccna-labs.blogspot.com.ar 11
https://www.linkedin.com 9
http://ccna-labs.blogspot.fr 9
http://ccna-labs.blogspot.ro 9
http://ccna-labs.blogspot.it 8
http://ccna-labs.blogspot.gr 8
http://ccna-labs.blogspot.nl 8
http://ccna-labs.blogspot.com.au 6
http://ccna-labs.blogspot.mx 6
http://ccna-labs.blogspot.de 6
http://ccna-labs.blogspot.com.es 5
http://static.slidesharecdn.com 4
http://ccna-labs.blogspot.be 4
http://www.slashdocs.com 4
http://ccna-labs.blogspot.cz 3
http://workspace.hantechnology.com.sg 3
http://ccna-labs.blogspot.ch 3
http://blog.naver.com 3
http://ccna-labs.blogspot.hk 3
http://ccna-labs.blogspot.fi 3
http://paper.li 2
http://webcache.googleusercontent.com 2
http://ccna-labs.blogspot.tw 2
http://feeds.feedburner.com 2
http://131.253.14.250 2
http://ccna-labs.blogspot.ie 2
http://cc.bingj.com 1
https://d2stech.wordpress.com 1
http://box.moresi.com 1
http://www.hanrss.com 1
http://www.docshut.com 1
http://127.0.0.1:8795 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. NAT64 and DNS64 in 30 seconds minutes
    Ivan Pepelnjak (ip@nil.com)NIL Data Communications
  • 2. IPv6 adoption theory: the “famous” S-curve
    Who caresabout IPv4?
    IPv6 adoption [%]
    IPv6 pilots
    Time [years]
  • 3. IPv6 adoption: the “ivory-tower” beliefs
    Who caresabout IPv4?
    IPv6 adoption [%]
    IPv6 pilots
    Time [years]
    Ecstatic earlyadopters
    Few years of dual-stack migration
    IPv4 addressexhaustion
  • 4. IPv6 adoption: the unpleasant reality
    IPv6 adoption [%]
    IPv6-onlyclients?
    NAT and RFC 1918
    IPv6 pilots
    Time [years]
    Early adopters
    15 yearswasted
    IPv4 addressexhaustion
  • 5. Options
    Facts:
    In 2 years some clients will not get public IPv4 addresses
    These clients will have to reach IPv4 content
    Options:
    CGN (large-scale NAT44)
    NAT444 (CGN + CPE NAT44)
    DS-Lite (NAT44 + 4-over-6 tunnel)
    A+P (DS-Lite with preconfigured port ranges)
    NAT64
  • 6. NAT options: IPv4 only
    CPE
    CPE
    RFC1918
    NAT44
    IPv4 ProviderPrivate
    IPv4 Internet
    IPv4 Internet
    IPv4 Internet
    CGN/LSN
    NAT44
    IPv4 RFC1918
    LSN
    CGN/LSN
    NAT444
    RFC1918
    LSN
  • 7. NAT options: IPv6 + IPv4
    CPE
    B4
    CPE
    DS-Lite
    RFC1918
    AFTR
    IPv4 Internet
    IPv4 Internet
    IPv4 Internet
    IPv6
    IPv6
    IPv6
    A+P
    RFC1918
    AFTR
    NAT 64
    NAT64
  • 8. NAT is bad ... Is it really?
    Facts:
    Any NAT is worse than end-to-end Internet
    Dual NAT is worse than NAT (scrap NAT444)
    NAT with ALG is really bad (scrap NAT-PT, see RFC 4966)
    NAT is OK for outbound client-server sessions
    NAT + STUN/TURN works for peer-to-peer sessions
    We need some NAT to survive past IPv4 address exhaustion
    Personal opinion:
    NAT64 or DS-Lite/A+P are reasonable options
  • 9. NAT-PT (RFC 2766) = NAT64 + NAT46 + DNS ALG
    Academic “we will bring world peace” approach
    DS-Lite = NAT44 over IPv6
    Well-known solution (and problems)
    Large-scale
    NAT64 = limited scope
    IPv6 client to IPv4 server
    NAT46 is useless
    What went wrong with NAT-PT
    Who caresabout IPv4?
  • 10. IPv4
    IPv6
    NAT64 topology
    DNS64
    IPv6 + IPv4
    NAT64
    An IPv6 prefix (well-known or network-specific) is dedicated to mapped IPv4 addresses
    DNS64 converts A records into AAAA records using NAT64 prefix, serves A and AAAA records to the client
    NAT64 router advertises NAT64 prefix into IPv6 network to attract traffic toward IPv4 servers
  • 11. DNS64 in action
    Q: AAAA for example.com
    Q: AAAA for example.com
    R: name error
    Q: A for example.com
    R: example.com (A) =
    192.0.2.33
    DNS64 translation for WKP
    R: example.com (AAAA)= 64:FF9B::192.0.2.33example.com (A) = 192.0.2.33
  • 12. DNS64 in action (end-to-end IPv6)
    Q: AAAA for example.com
    Q: AAAA for example.com
    R: example.com (AAAA)=
    64:FF9B::192.0.2.33
    R: example.com (AAAA)=
    64:FF9B::192.0.2.33
    Native IPv6 communication w/o NAT64
  • 13. NAT64 in action
    TCP SYN S=C-v6 D=WKP-v6
    Translate WKP-v6 into IPv4Pick free IPv4 addr/port from poolBuild NAT session entry
    TCP SYN S=NP-v4 D=S-v4
    TCP ACK S=S-v4 D=NP-v4
    Translate NP-v4 + port into C-v6
    TCP ACK S=WKP-v6 D=C-v6
  • 14. NAT64: dirty details
    NAT64 prefix
    Any /32, /40, /48, /56, /64 or /96 prefix
    WKP = 64:FF9B::/96
    Recommendation: use /64 for NSP
    Stateful NAT64
    Very similar to PAT (stateful NAT44)
    Individual TCP and UDP sessions + ICMP replies are translated
    Source IPv6 address + port number used in lookup
    Stateless NAT64
    Each IPv6 address is translated into one IPv4 address
    Only ICMP packets and IP headers are translated
    Limited use: IPv6 only servers
  • 15. NAT64 versus DS-Lite
    NAT64
    IPv6 to IPv4 NAT
    Native transport
    DNS 64 = DNS ALG
    No CPE or network modifications
    IPv6-only hosts
    NAT64 largely unknown
    DS-Lite
    IPv4 to IPv4 NAT
    4over6 Tunnel
    No DNS(SEC) interaction
    Requires CPE support
    Does not need host IPv6(not even dual-stack)
    NAT44 well tested
  • 16. NAT64 in enterprise networks
    NSP = 2002:FF9B::/96
    IPv6
    IPv6 + IPv4
    www.example.com A 192.0.2.33
    AAAA 2002:FF9B::192.0.2.33
    Use NAT64 to make IPv4-only servers available to IPv6 clients
    Static entries in DNZ zone; DNS64 is not needed
  • 17. Implementations
    Open-source:Ecdysis
    Microsoft: Forefront UAG DirectAccess
    Cisco:CGv6
    Ericsson: field trials
    NAT64 is also (sort-of) part of NAT-PT
  • 18. Conclusions
    We are not prepared for IPv4 address exhaustion
    We will not survive without NAT
    Best options: NAT64 or DS-Lite/A+P
    Push NAT64 – it promotes IPv6 clients
    NAT64 is not NAT-PT
    6-to-4 only
    DNS ALG not in the forwarding path
    NAT64 also solves legacy server problems