The document discusses NAT64 and DNS64 as solutions to address IPv4 address exhaustion and facilitate IPv6 adoption. It explores various options for implementing NAT and highlights the advantages and limitations of NAT64 compared to other techniques, such as DS-Lite. The author suggests that NAT64 is preferable for allowing IPv6 clients to access legacy IPv4 servers while acknowledging the challenges of providing universal access in the transition period.

1. NAT64 and DNS64 in 30 seconds minutesIvan Pepelnjak (ip@nil.com)NIL Data Communications

2. IPv6 adoption theory: the “famous” S-curveWho caresabout IPv4?IPv6 adoption [%]IPv6 pilotsTime [years]

3. IPv6 adoption: the “ivory-tower” beliefsWho caresabout IPv4?IPv6 adoption [%]IPv6 pilotsTime [years]Ecstatic earlyadoptersFew years of dual-stack migrationIPv4 addressexhaustion

4. IPv6 adoption: the unpleasant realityIPv6 adoption [%]IPv6-onlyclients?NAT and RFC 1918IPv6 pilotsTime [years]Early adopters15 yearswastedIPv4 addressexhaustion

5. OptionsFacts:In 2 years some clients will not get public IPv4 addressesThese clients will have to reach IPv4 contentOptions:CGN (large-scale NAT44)NAT444 (CGN + CPE NAT44)DS-Lite (NAT44 + 4-over-6 tunnel)A+P (DS-Lite with preconfigured port ranges)NAT64

6. NAT options: IPv4 onlyCPECPERFC1918NAT44IPv4 ProviderPrivateIPv4 InternetIPv4 InternetIPv4 InternetCGN/LSNNAT44IPv4 RFC1918LSNCGN/LSNNAT444RFC1918LSN

7. NAT options: IPv6 + IPv4CPEB4CPEDS-LiteRFC1918AFTRIPv4 InternetIPv4 InternetIPv4 InternetIPv6IPv6IPv6A+PRFC1918AFTRNAT 64NAT64

8. NAT is bad ... Is it really?Facts:Any NAT is worse than end-to-end InternetDual NAT is worse than NAT (scrap NAT444)NAT with ALG is really bad (scrap NAT-PT, see RFC 4966)NAT is OK for outbound client-server sessionsNAT + STUN/TURN works for peer-to-peer sessionsWe need some NAT to survive past IPv4 address exhaustionPersonal opinion:NAT64 or DS-Lite/A+P are reasonable options

9. NAT-PT (RFC 2766) = NAT64 + NAT46 + DNS ALGAcademic “we will bring world peace” approachDS-Lite = NAT44 over IPv6Well-known solution (and problems)Large-scaleNAT64 = limited scopeIPv6 client to IPv4 serverNAT46 is uselessWhat went wrong with NAT-PTWho caresabout IPv4?

10. IPv4IPv6NAT64 topologyDNS64IPv6 + IPv4NAT64An IPv6 prefix (well-known or network-specific) is dedicated to mapped IPv4 addressesDNS64 converts A records into AAAA records using NAT64 prefix, serves A and AAAA records to the clientNAT64 router advertises NAT64 prefix into IPv6 network to attract traffic toward IPv4 servers

11. DNS64 in actionQ: AAAA for example.comQ: AAAA for example.comR: name errorQ: A for example.comR: example.com (A) =192.0.2.33DNS64 translation for WKPR: example.com (AAAA)= 64:FF9B::192.0.2.33example.com (A) = 192.0.2.33

12. DNS64 in action (end-to-end IPv6)Q: AAAA for example.comQ: AAAA for example.comR: example.com (AAAA)= 64:FF9B::192.0.2.33R: example.com (AAAA)= 64:FF9B::192.0.2.33Native IPv6 communication w/o NAT64

13. NAT64 in actionTCP SYN S=C-v6 D=WKP-v6Translate WKP-v6 into IPv4Pick free IPv4 addr/port from poolBuild NAT session entryTCP SYN S=NP-v4 D=S-v4TCP ACK S=S-v4 D=NP-v4Translate NP-v4 + port into C-v6TCP ACK S=WKP-v6 D=C-v6

14. NAT64: dirty detailsNAT64 prefixAny /32, /40, /48, /56, /64 or /96 prefixWKP = 64:FF9B::/96Recommendation: use /64 for NSPStateful NAT64Very similar to PAT (stateful NAT44)Individual TCP and UDP sessions + ICMP replies are translatedSource IPv6 address + port number used in lookupStateless NAT64Each IPv6 address is translated into one IPv4 addressOnly ICMP packets and IP headers are translatedLimited use: IPv6 only servers

15. NAT64 versus DS-LiteNAT64IPv6 to IPv4 NATNative transportDNS 64 = DNS ALGNo CPE or network modificationsIPv6-only hostsNAT64 largely unknownDS-LiteIPv4 to IPv4 NAT4over6 TunnelNo DNS(SEC) interactionRequires CPE supportDoes not need host IPv6(not even dual-stack)NAT44 well tested

16. NAT64 in enterprise networksNSP = 2002:FF9B::/96IPv6IPv6 + IPv4www.example.com A 192.0.2.33 AAAA 2002:FF9B::192.0.2.33Use NAT64 to make IPv4-only servers available to IPv6 clientsStatic entries in DNZ zone; DNS64 is not needed

17. ImplementationsOpen-source:EcdysisMicrosoft: Forefront UAG DirectAccessCisco:CGv6Ericsson: field trialsNAT64 is also (sort-of) part of NAT-PT

18. ConclusionsWe are not prepared for IPv4 address exhaustionWe will not survive without NATBest options: NAT64 or DS-Lite/A+PPush NAT64 – it promotes IPv6 clientsNAT64 is not NAT-PT6-to-4 onlyDNS ALG not in the forwarding pathNAT64 also solves legacy server problems