Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

NAT64 and DNS64 in 30 minutes

87,561 views

Published on

The presentation describes NAT solutions addressing the imminent IPv4 address exhaustion and some details of NAT64/DNS64 solution.

Published in: Technology

NAT64 and DNS64 in 30 minutes

  1. 1. NAT64 and DNS64 in 30 seconds minutes<br />Ivan Pepelnjak (ip@nil.com)NIL Data Communications<br />
  2. 2. IPv6 adoption theory: the “famous” S-curve<br />Who caresabout IPv4?<br />IPv6 adoption [%]<br />IPv6 pilots<br />Time [years]<br />
  3. 3. IPv6 adoption: the “ivory-tower” beliefs<br />Who caresabout IPv4?<br />IPv6 adoption [%]<br />IPv6 pilots<br />Time [years]<br />Ecstatic earlyadopters<br />Few years of dual-stack migration<br />IPv4 addressexhaustion<br />
  4. 4. IPv6 adoption: the unpleasant reality<br />IPv6 adoption [%]<br />IPv6-onlyclients?<br />NAT and RFC 1918<br />IPv6 pilots<br />Time [years]<br />Early adopters<br />15 yearswasted<br />IPv4 addressexhaustion<br />
  5. 5. Options<br />Facts:<br />In 2 years some clients will not get public IPv4 addresses<br />These clients will have to reach IPv4 content<br />Options:<br />CGN (large-scale NAT44)<br />NAT444 (CGN + CPE NAT44)<br />DS-Lite (NAT44 + 4-over-6 tunnel)<br />A+P (DS-Lite with preconfigured port ranges)<br />NAT64<br />
  6. 6. NAT options: IPv4 only<br />CPE<br />CPE<br />RFC1918<br />NAT44<br />IPv4 ProviderPrivate<br />IPv4 Internet<br />IPv4 Internet<br />IPv4 Internet<br />CGN/LSN<br />NAT44<br />IPv4 RFC1918<br />LSN<br />CGN/LSN<br />NAT444<br />RFC1918<br />LSN<br />
  7. 7. NAT options: IPv6 + IPv4<br />CPE<br />B4<br />CPE<br />DS-Lite<br />RFC1918<br />AFTR<br />IPv4 Internet<br />IPv4 Internet<br />IPv4 Internet<br />IPv6<br />IPv6<br />IPv6<br />A+P<br />RFC1918<br />AFTR<br />NAT 64<br />NAT64<br />
  8. 8. NAT is bad ... Is it really?<br />Facts:<br />Any NAT is worse than end-to-end Internet<br />Dual NAT is worse than NAT (scrap NAT444)<br />NAT with ALG is really bad (scrap NAT-PT, see RFC 4966)<br />NAT is OK for outbound client-server sessions<br />NAT + STUN/TURN works for peer-to-peer sessions<br />We need some NAT to survive past IPv4 address exhaustion<br />Personal opinion:<br />NAT64 or DS-Lite/A+P are reasonable options<br />
  9. 9. NAT-PT (RFC 2766) = NAT64 + NAT46 + DNS ALG<br />Academic “we will bring world peace” approach<br />DS-Lite = NAT44 over IPv6<br />Well-known solution (and problems)<br />Large-scale<br />NAT64 = limited scope<br />IPv6 client to IPv4 server<br />NAT46 is useless<br />What went wrong with NAT-PT<br />Who caresabout IPv4?<br />
  10. 10. IPv4<br />IPv6<br />NAT64 topology<br />DNS64<br />IPv6 + IPv4<br />NAT64<br />An IPv6 prefix (well-known or network-specific) is dedicated to mapped IPv4 addresses<br />DNS64 converts A records into AAAA records using NAT64 prefix, serves A and AAAA records to the client<br />NAT64 router advertises NAT64 prefix into IPv6 network to attract traffic toward IPv4 servers<br />
  11. 11. DNS64 in action<br />Q: AAAA for example.com<br />Q: AAAA for example.com<br />R: name error<br />Q: A for example.com<br />R: example.com (A) =<br />192.0.2.33<br />DNS64 translation for WKP<br />R: example.com (AAAA)= 64:FF9B::192.0.2.33example.com (A) = 192.0.2.33<br />
  12. 12. DNS64 in action (end-to-end IPv6)<br />Q: AAAA for example.com<br />Q: AAAA for example.com<br />R: example.com (AAAA)= <br />64:FF9B::192.0.2.33<br />R: example.com (AAAA)= <br />64:FF9B::192.0.2.33<br />Native IPv6 communication w/o NAT64<br />
  13. 13. NAT64 in action<br />TCP SYN S=C-v6 D=WKP-v6<br />Translate WKP-v6 into IPv4Pick free IPv4 addr/port from poolBuild NAT session entry<br />TCP SYN S=NP-v4 D=S-v4<br />TCP ACK S=S-v4 D=NP-v4<br />Translate NP-v4 + port into C-v6<br />TCP ACK S=WKP-v6 D=C-v6<br />
  14. 14. NAT64: dirty details<br />NAT64 prefix<br />Any /32, /40, /48, /56, /64 or /96 prefix<br />WKP = 64:FF9B::/96<br />Recommendation: use /64 for NSP<br />Stateful NAT64<br />Very similar to PAT (stateful NAT44)<br />Individual TCP and UDP sessions + ICMP replies are translated<br />Source IPv6 address + port number used in lookup<br />Stateless NAT64<br />Each IPv6 address is translated into one IPv4 address<br />Only ICMP packets and IP headers are translated<br />Limited use: IPv6 only servers <br />
  15. 15. NAT64 versus DS-Lite<br />NAT64<br />IPv6 to IPv4 NAT<br />Native transport<br />DNS 64 = DNS ALG<br />No CPE or network modifications<br />IPv6-only hosts<br />NAT64 largely unknown<br />DS-Lite<br />IPv4 to IPv4 NAT<br />4over6 Tunnel<br />No DNS(SEC) interaction<br />Requires CPE support<br />Does not need host IPv6(not even dual-stack)<br />NAT44 well tested<br />
  16. 16. NAT64 in enterprise networks<br />NSP = 2002:FF9B::/96<br />IPv6<br />IPv6 + IPv4<br />www.example.com A 192.0.2.33<br /> AAAA 2002:FF9B::192.0.2.33<br />Use NAT64 to make IPv4-only servers available to IPv6 clients<br />Static entries in DNZ zone; DNS64 is not needed<br />
  17. 17. Implementations<br />Open-source:Ecdysis<br />Microsoft: Forefront UAG DirectAccess<br />Cisco:CGv6<br />Ericsson: field trials<br />NAT64 is also (sort-of) part of NAT-PT<br />
  18. 18. Conclusions<br />We are not prepared for IPv4 address exhaustion<br />We will not survive without NAT<br />Best options: NAT64 or DS-Lite/A+P<br />Push NAT64 – it promotes IPv6 clients<br />NAT64 is not NAT-PT<br />6-to-4 only<br />DNS ALG not in the forwarding path<br />NAT64 also solves legacy server problems<br />

×