NAT64 and DNS64 in 30 minutes


Published on

The presentation describes NAT solutions addressing the imminent IPv4 address exhaustion and some details of NAT64/DNS64 solution.

Published in: Technology
  • clear and easy to follow
    Are you sure you want to  Yes  No
    Your message goes here
    Are you sure you want to  Yes  No
    Your message goes here
  • As of BIND 9.8.0, ISC's BIND 9 product is an open source DNS64 solution. for more.
    Are you sure you want to  Yes  No
    Your message goes here
  • It's really good, explicit and easy to understand!
    Are you sure you want to  Yes  No
    Your message goes here
  • realy helpful, thanks
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

NAT64 and DNS64 in 30 minutes

  1. 1. NAT64 and DNS64 in 30 seconds minutes<br />Ivan Pepelnjak ( Data Communications<br />
  2. 2. IPv6 adoption theory: the “famous” S-curve<br />Who caresabout IPv4?<br />IPv6 adoption [%]<br />IPv6 pilots<br />Time [years]<br />
  3. 3. IPv6 adoption: the “ivory-tower” beliefs<br />Who caresabout IPv4?<br />IPv6 adoption [%]<br />IPv6 pilots<br />Time [years]<br />Ecstatic earlyadopters<br />Few years of dual-stack migration<br />IPv4 addressexhaustion<br />
  4. 4. IPv6 adoption: the unpleasant reality<br />IPv6 adoption [%]<br />IPv6-onlyclients?<br />NAT and RFC 1918<br />IPv6 pilots<br />Time [years]<br />Early adopters<br />15 yearswasted<br />IPv4 addressexhaustion<br />
  5. 5. Options<br />Facts:<br />In 2 years some clients will not get public IPv4 addresses<br />These clients will have to reach IPv4 content<br />Options:<br />CGN (large-scale NAT44)<br />NAT444 (CGN + CPE NAT44)<br />DS-Lite (NAT44 + 4-over-6 tunnel)<br />A+P (DS-Lite with preconfigured port ranges)<br />NAT64<br />
  6. 6. NAT options: IPv4 only<br />CPE<br />CPE<br />RFC1918<br />NAT44<br />IPv4 ProviderPrivate<br />IPv4 Internet<br />IPv4 Internet<br />IPv4 Internet<br />CGN/LSN<br />NAT44<br />IPv4 RFC1918<br />LSN<br />CGN/LSN<br />NAT444<br />RFC1918<br />LSN<br />
  7. 7. NAT options: IPv6 + IPv4<br />CPE<br />B4<br />CPE<br />DS-Lite<br />RFC1918<br />AFTR<br />IPv4 Internet<br />IPv4 Internet<br />IPv4 Internet<br />IPv6<br />IPv6<br />IPv6<br />A+P<br />RFC1918<br />AFTR<br />NAT 64<br />NAT64<br />
  8. 8. NAT is bad ... Is it really?<br />Facts:<br />Any NAT is worse than end-to-end Internet<br />Dual NAT is worse than NAT (scrap NAT444)<br />NAT with ALG is really bad (scrap NAT-PT, see RFC 4966)<br />NAT is OK for outbound client-server sessions<br />NAT + STUN/TURN works for peer-to-peer sessions<br />We need some NAT to survive past IPv4 address exhaustion<br />Personal opinion:<br />NAT64 or DS-Lite/A+P are reasonable options<br />
  9. 9. NAT-PT (RFC 2766) = NAT64 + NAT46 + DNS ALG<br />Academic “we will bring world peace” approach<br />DS-Lite = NAT44 over IPv6<br />Well-known solution (and problems)<br />Large-scale<br />NAT64 = limited scope<br />IPv6 client to IPv4 server<br />NAT46 is useless<br />What went wrong with NAT-PT<br />Who caresabout IPv4?<br />
  10. 10. IPv4<br />IPv6<br />NAT64 topology<br />DNS64<br />IPv6 + IPv4<br />NAT64<br />An IPv6 prefix (well-known or network-specific) is dedicated to mapped IPv4 addresses<br />DNS64 converts A records into AAAA records using NAT64 prefix, serves A and AAAA records to the client<br />NAT64 router advertises NAT64 prefix into IPv6 network to attract traffic toward IPv4 servers<br />
  11. 11. DNS64 in action<br />Q: AAAA for<br />Q: AAAA for<br />R: name error<br />Q: A for<br />R: (A) =<br /><br />DNS64 translation for WKP<br />R: (AAAA)= (A) =<br />
  12. 12. DNS64 in action (end-to-end IPv6)<br />Q: AAAA for<br />Q: AAAA for<br />R: (AAAA)= <br />64:FF9B::<br />R: (AAAA)= <br />64:FF9B::<br />Native IPv6 communication w/o NAT64<br />
  13. 13. NAT64 in action<br />TCP SYN S=C-v6 D=WKP-v6<br />Translate WKP-v6 into IPv4Pick free IPv4 addr/port from poolBuild NAT session entry<br />TCP SYN S=NP-v4 D=S-v4<br />TCP ACK S=S-v4 D=NP-v4<br />Translate NP-v4 + port into C-v6<br />TCP ACK S=WKP-v6 D=C-v6<br />
  14. 14. NAT64: dirty details<br />NAT64 prefix<br />Any /32, /40, /48, /56, /64 or /96 prefix<br />WKP = 64:FF9B::/96<br />Recommendation: use /64 for NSP<br />Stateful NAT64<br />Very similar to PAT (stateful NAT44)<br />Individual TCP and UDP sessions + ICMP replies are translated<br />Source IPv6 address + port number used in lookup<br />Stateless NAT64<br />Each IPv6 address is translated into one IPv4 address<br />Only ICMP packets and IP headers are translated<br />Limited use: IPv6 only servers <br />
  15. 15. NAT64 versus DS-Lite<br />NAT64<br />IPv6 to IPv4 NAT<br />Native transport<br />DNS 64 = DNS ALG<br />No CPE or network modifications<br />IPv6-only hosts<br />NAT64 largely unknown<br />DS-Lite<br />IPv4 to IPv4 NAT<br />4over6 Tunnel<br />No DNS(SEC) interaction<br />Requires CPE support<br />Does not need host IPv6(not even dual-stack)<br />NAT44 well tested<br />
  16. 16. NAT64 in enterprise networks<br />NSP = 2002:FF9B::/96<br />IPv6<br />IPv6 + IPv4<br /> A<br /> AAAA 2002:FF9B::<br />Use NAT64 to make IPv4-only servers available to IPv6 clients<br />Static entries in DNZ zone; DNS64 is not needed<br />
  17. 17. Implementations<br />Open-source:Ecdysis<br />Microsoft: Forefront UAG DirectAccess<br />Cisco:CGv6<br />Ericsson: field trials<br />NAT64 is also (sort-of) part of NAT-PT<br />
  18. 18. Conclusions<br />We are not prepared for IPv4 address exhaustion<br />We will not survive without NAT<br />Best options: NAT64 or DS-Lite/A+P<br />Push NAT64 – it promotes IPv6 clients<br />NAT64 is not NAT-PT<br />6-to-4 only<br />DNS ALG not in the forwarding path<br />NAT64 also solves legacy server problems<br />