• Save
NAT64 and DNS64 in 30 minutes
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

NAT64 and DNS64 in 30 minutes

on

  • 66,363 views

The presentation describes NAT solutions addressing the imminent IPv4 address exhaustion and some details of NAT64/DNS64 solution.

The presentation describes NAT solutions addressing the imminent IPv4 address exhaustion and some details of NAT64/DNS64 solution.

Statistics

Views

Total Views
66,363
Views on SlideShare
56,680
Embed Views
9,683

Actions

Likes
37
Downloads
0
Comments
5

61 Embeds 9,683

http://blog.ioshints.info 6951
http://blog.ipspace.net 1231
http://www.slideshare.net 344
http://ccna-labs.blogspot.com 337
http://ipv6.net 177
http://ccna-labs.blogspot.pt 129
http://www.kernelchina.org 78
http://www.weebly.com 62
http://ccna-labs.blogspot.in 53
http://doc.alea-soluciones.com 28
http://ccna-labs.blogspot.co.uk 26
http://www.linkedin.com 26
http://ainterne.weebly.com 19
http://translate.googleusercontent.com 18
http://d2stech.wordpress.com 16
http://ccna-labs.blogspot.sk 15
http://ccna-labs.blogspot.ca 15
http://ccna-labs.blogspot.com.br 14
http://ccna-labs.blogspot.com.ar 11
https://www.linkedin.com 9
http://ccna-labs.blogspot.fr 9
http://ccna-labs.blogspot.ro 9
http://ccna-labs.blogspot.nl 8
http://ccna-labs.blogspot.gr 8
http://ccna-labs.blogspot.it 8
http://ccna-labs.blogspot.com.au 6
http://ccna-labs.blogspot.mx 6
http://ccna-labs.blogspot.de 6
http://ccna-labs.blogspot.com.es 5
http://www.slashdocs.com 4
http://static.slidesharecdn.com 4
http://ccna-labs.blogspot.be 4
http://blog.naver.com 3
http://ccna-labs.blogspot.ch 3
http://workspace.hantechnology.com.sg 3
http://ccna-labs.blogspot.fi 3
http://ccna-labs.blogspot.hk 3
http://ccna-labs.blogspot.cz 3
http://ccna-labs.blogspot.tw 2
http://paper.li 2
http://webcache.googleusercontent.com 2
http://131.253.14.250 2
http://ccna-labs.blogspot.ie 2
http://feeds.feedburner.com 2
http://box.moresi.com 1
http://www.docshut.com 1
http://ipspace-staging.blogspot.com 1
http://127.0.0.1:8795 1
http://www.hanrss.com 1
https://d2stech.wordpress.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • clear and easy to follow
    Are you sure you want to
    Your message goes here
    Processing…
  • MUY BIEN
    Are you sure you want to
    Your message goes here
    Processing…
  • As of BIND 9.8.0, ISC's BIND 9 product is an open source DNS64 solution. http://www.isc.org/ for more.
    Are you sure you want to
    Your message goes here
    Processing…
  • It's really good, explicit and easy to understand!
    Are you sure you want to
    Your message goes here
    Processing…
  • realy helpful, thanks
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

NAT64 and DNS64 in 30 minutes Presentation Transcript

  • 1. NAT64 and DNS64 in 30 seconds minutes
    Ivan Pepelnjak (ip@nil.com)NIL Data Communications
  • 2. IPv6 adoption theory: the “famous” S-curve
    Who caresabout IPv4?
    IPv6 adoption [%]
    IPv6 pilots
    Time [years]
  • 3. IPv6 adoption: the “ivory-tower” beliefs
    Who caresabout IPv4?
    IPv6 adoption [%]
    IPv6 pilots
    Time [years]
    Ecstatic earlyadopters
    Few years of dual-stack migration
    IPv4 addressexhaustion
  • 4. IPv6 adoption: the unpleasant reality
    IPv6 adoption [%]
    IPv6-onlyclients?
    NAT and RFC 1918
    IPv6 pilots
    Time [years]
    Early adopters
    15 yearswasted
    IPv4 addressexhaustion
  • 5. Options
    Facts:
    In 2 years some clients will not get public IPv4 addresses
    These clients will have to reach IPv4 content
    Options:
    CGN (large-scale NAT44)
    NAT444 (CGN + CPE NAT44)
    DS-Lite (NAT44 + 4-over-6 tunnel)
    A+P (DS-Lite with preconfigured port ranges)
    NAT64
  • 6. NAT options: IPv4 only
    CPE
    CPE
    RFC1918
    NAT44
    IPv4 ProviderPrivate
    IPv4 Internet
    IPv4 Internet
    IPv4 Internet
    CGN/LSN
    NAT44
    IPv4 RFC1918
    LSN
    CGN/LSN
    NAT444
    RFC1918
    LSN
  • 7. NAT options: IPv6 + IPv4
    CPE
    B4
    CPE
    DS-Lite
    RFC1918
    AFTR
    IPv4 Internet
    IPv4 Internet
    IPv4 Internet
    IPv6
    IPv6
    IPv6
    A+P
    RFC1918
    AFTR
    NAT 64
    NAT64
  • 8. NAT is bad ... Is it really?
    Facts:
    Any NAT is worse than end-to-end Internet
    Dual NAT is worse than NAT (scrap NAT444)
    NAT with ALG is really bad (scrap NAT-PT, see RFC 4966)
    NAT is OK for outbound client-server sessions
    NAT + STUN/TURN works for peer-to-peer sessions
    We need some NAT to survive past IPv4 address exhaustion
    Personal opinion:
    NAT64 or DS-Lite/A+P are reasonable options
  • 9. NAT-PT (RFC 2766) = NAT64 + NAT46 + DNS ALG
    Academic “we will bring world peace” approach
    DS-Lite = NAT44 over IPv6
    Well-known solution (and problems)
    Large-scale
    NAT64 = limited scope
    IPv6 client to IPv4 server
    NAT46 is useless
    What went wrong with NAT-PT
    Who caresabout IPv4?
  • 10. IPv4
    IPv6
    NAT64 topology
    DNS64
    IPv6 + IPv4
    NAT64
    An IPv6 prefix (well-known or network-specific) is dedicated to mapped IPv4 addresses
    DNS64 converts A records into AAAA records using NAT64 prefix, serves A and AAAA records to the client
    NAT64 router advertises NAT64 prefix into IPv6 network to attract traffic toward IPv4 servers
  • 11. DNS64 in action
    Q: AAAA for example.com
    Q: AAAA for example.com
    R: name error
    Q: A for example.com
    R: example.com (A) =
    192.0.2.33
    DNS64 translation for WKP
    R: example.com (AAAA)= 64:FF9B::192.0.2.33example.com (A) = 192.0.2.33
  • 12. DNS64 in action (end-to-end IPv6)
    Q: AAAA for example.com
    Q: AAAA for example.com
    R: example.com (AAAA)=
    64:FF9B::192.0.2.33
    R: example.com (AAAA)=
    64:FF9B::192.0.2.33
    Native IPv6 communication w/o NAT64
  • 13. NAT64 in action
    TCP SYN S=C-v6 D=WKP-v6
    Translate WKP-v6 into IPv4Pick free IPv4 addr/port from poolBuild NAT session entry
    TCP SYN S=NP-v4 D=S-v4
    TCP ACK S=S-v4 D=NP-v4
    Translate NP-v4 + port into C-v6
    TCP ACK S=WKP-v6 D=C-v6
  • 14. NAT64: dirty details
    NAT64 prefix
    Any /32, /40, /48, /56, /64 or /96 prefix
    WKP = 64:FF9B::/96
    Recommendation: use /64 for NSP
    Stateful NAT64
    Very similar to PAT (stateful NAT44)
    Individual TCP and UDP sessions + ICMP replies are translated
    Source IPv6 address + port number used in lookup
    Stateless NAT64
    Each IPv6 address is translated into one IPv4 address
    Only ICMP packets and IP headers are translated
    Limited use: IPv6 only servers
  • 15. NAT64 versus DS-Lite
    NAT64
    IPv6 to IPv4 NAT
    Native transport
    DNS 64 = DNS ALG
    No CPE or network modifications
    IPv6-only hosts
    NAT64 largely unknown
    DS-Lite
    IPv4 to IPv4 NAT
    4over6 Tunnel
    No DNS(SEC) interaction
    Requires CPE support
    Does not need host IPv6(not even dual-stack)
    NAT44 well tested
  • 16. NAT64 in enterprise networks
    NSP = 2002:FF9B::/96
    IPv6
    IPv6 + IPv4
    www.example.com A 192.0.2.33
    AAAA 2002:FF9B::192.0.2.33
    Use NAT64 to make IPv4-only servers available to IPv6 clients
    Static entries in DNZ zone; DNS64 is not needed
  • 17. Implementations
    Open-source:Ecdysis
    Microsoft: Forefront UAG DirectAccess
    Cisco:CGv6
    Ericsson: field trials
    NAT64 is also (sort-of) part of NAT-PT
  • 18. Conclusions
    We are not prepared for IPv4 address exhaustion
    We will not survive without NAT
    Best options: NAT64 or DS-Lite/A+P
    Push NAT64 – it promotes IPv6 clients
    NAT64 is not NAT-PT
    6-to-4 only
    DNS ALG not in the forwarding path
    NAT64 also solves legacy server problems