SlideShare a Scribd company logo
NAT64 and DNS64 in 30 seconds minutes Ivan Pepelnjak (ip@nil.com)NIL Data Communications
IPv6 adoption theory: the “famous” S-curve Who caresabout IPv4? IPv6 adoption [%] IPv6 pilots Time [years]
IPv6 adoption: the “ivory-tower” beliefs Who caresabout IPv4? IPv6 adoption [%] IPv6 pilots Time [years] Ecstatic earlyadopters Few years of dual-stack migration IPv4 addressexhaustion
IPv6 adoption: the unpleasant reality IPv6 adoption [%] IPv6-onlyclients? NAT and RFC 1918 IPv6 pilots Time [years] Early adopters 15 yearswasted IPv4 addressexhaustion
Options Facts: In 2 years some clients will not get public IPv4 addresses These clients will have to reach IPv4 content Options: CGN (large-scale NAT44) NAT444 (CGN + CPE NAT44) DS-Lite (NAT44 + 4-over-6 tunnel) A+P (DS-Lite with preconfigured port ranges) NAT64
NAT options: IPv4 only CPE CPE RFC1918 NAT44 IPv4 ProviderPrivate IPv4 Internet IPv4 Internet IPv4 Internet CGN/LSN NAT44 IPv4 RFC1918 LSN CGN/LSN NAT444 RFC1918 LSN
NAT options: IPv6 + IPv4 CPE B4 CPE DS-Lite RFC1918 AFTR IPv4 Internet IPv4 Internet IPv4 Internet IPv6 IPv6 IPv6 A+P RFC1918 AFTR NAT 64 NAT64
NAT is bad ... Is it really? Facts: Any NAT is worse than end-to-end Internet Dual NAT is worse than NAT (scrap NAT444) NAT with ALG is really bad (scrap NAT-PT, see RFC 4966) NAT is OK for outbound client-server sessions NAT + STUN/TURN works for peer-to-peer sessions We need some NAT to survive past IPv4 address exhaustion Personal opinion: NAT64 or DS-Lite/A+P are reasonable options
NAT-PT (RFC 2766) = NAT64 + NAT46 + DNS ALG Academic “we will bring world peace” approach DS-Lite = NAT44 over IPv6 Well-known solution (and problems) Large-scale NAT64 = limited scope IPv6 client to IPv4 server NAT46 is useless What went wrong with NAT-PT Who caresabout IPv4?
IPv4 IPv6 NAT64 topology DNS64 IPv6 + IPv4 NAT64 An IPv6 prefix (well-known or network-specific) is dedicated to mapped IPv4 addresses DNS64 converts A records into AAAA records using NAT64 prefix, serves A and AAAA records to the client NAT64 router advertises NAT64 prefix into IPv6 network to attract traffic toward IPv4 servers
DNS64 in action Q: AAAA for example.com Q: AAAA for example.com R: name error Q: A for example.com R: example.com (A) = 192.0.2.33 DNS64 translation for WKP R: example.com (AAAA)= 64:FF9B::192.0.2.33example.com (A) = 192.0.2.33
DNS64 in action (end-to-end IPv6) Q: AAAA for example.com Q: AAAA for example.com R: example.com (AAAA)=  64:FF9B::192.0.2.33 R: example.com (AAAA)=  64:FF9B::192.0.2.33 Native IPv6 communication w/o NAT64
NAT64 in action TCP SYN S=C-v6 D=WKP-v6 Translate WKP-v6 into IPv4Pick free IPv4 addr/port from poolBuild NAT session entry TCP SYN S=NP-v4 D=S-v4 TCP ACK S=S-v4 D=NP-v4 Translate NP-v4 + port into C-v6 TCP ACK S=WKP-v6 D=C-v6
NAT64: dirty details NAT64 prefix Any /32, /40, /48, /56, /64 or /96 prefix WKP = 64:FF9B::/96 Recommendation: use /64 for NSP Stateful NAT64 Very similar to PAT (stateful NAT44) Individual TCP and UDP sessions + ICMP replies are translated Source IPv6 address + port number used in lookup Stateless NAT64 Each IPv6 address is translated into one IPv4 address Only ICMP packets and IP headers are translated Limited use: IPv6 only servers
NAT64 versus DS-Lite NAT64 IPv6 to IPv4 NAT Native transport DNS 64 = DNS ALG No CPE or network modifications IPv6-only hosts NAT64 largely unknown DS-Lite IPv4 to IPv4 NAT 4over6 Tunnel No DNS(SEC) interaction Requires CPE support Does not need host IPv6(not even dual-stack) NAT44 well tested
NAT64 in enterprise networks NSP = 2002:FF9B::/96 IPv6 IPv6 + IPv4 www.example.com	A	192.0.2.33 			AAAA	2002:FF9B::192.0.2.33 Use NAT64 to make IPv4-only servers available to IPv6 clients Static entries in DNZ zone; DNS64 is not needed
Implementations Open-source:Ecdysis Microsoft: Forefront UAG DirectAccess Cisco:CGv6 Ericsson: field trials NAT64 is also (sort-of) part of NAT-PT
Conclusions We are not prepared for IPv4 address exhaustion We will not survive without NAT Best options: NAT64 or DS-Lite/A+P Push NAT64 – it promotes IPv6 clients NAT64 is not NAT-PT 6-to-4 only DNS ALG not in the forwarding path NAT64 also solves legacy server problems
NAT64 and DNS64 in 30 minutes

More Related Content

What's hot

Juniper mpls best practice part 1
Juniper mpls best practice   part 1Juniper mpls best practice   part 1
Juniper mpls best practice part 1
Febrian ‎
 
Mikro tik advanced training
Mikro tik advanced trainingMikro tik advanced training
Mikro tik advanced training
Jignesh H. Bhalsod
 
HSRP ccna
HSRP ccna HSRP ccna
HSRP ccna
MohamedJafar5
 
MPLS Deployment Chapter 1 - Basic
MPLS Deployment Chapter 1 - BasicMPLS Deployment Chapter 1 - Basic
MPLS Deployment Chapter 1 - Basic
Ericsson
 
Cisco ospf
Cisco ospf Cisco ospf
Cisco ospf
sarasanandam
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow Spec
ShortestPathFirst
 
Policy Based Routing
Policy Based RoutingPolicy Based Routing
Policy Based Routing
NetProtocol Xpert
 
PLNOG16: IP/MPLS for Fixed and Mobile Convergence, Kevin Wang
PLNOG16: IP/MPLS for Fixed and Mobile Convergence, Kevin WangPLNOG16: IP/MPLS for Fixed and Mobile Convergence, Kevin Wang
PLNOG16: IP/MPLS for Fixed and Mobile Convergence, Kevin Wang
PROIDEA
 
Cisco IPv6 Tutorial
Cisco IPv6 TutorialCisco IPv6 Tutorial
Cisco IPv6 Tutorial
kriz5
 
ACI MultiPod Config Guide
ACI MultiPod Config GuideACI MultiPod Config Guide
ACI MultiPod Config Guide
Woo Hyung Choi
 
VXLAN
VXLANVXLAN
VXLAN
SAliyev1
 
OSPF Fundamental
OSPF FundamentalOSPF Fundamental
OSPF Fundamental
Reza Farahani
 
Bgp
BgpBgp
MikroTik MTCNA
MikroTik MTCNAMikroTik MTCNA
MikroTik MTCNA
Ali Layth
 
Bgp tutorial for ISP
Bgp tutorial for ISPBgp tutorial for ISP
Bgp tutorial for ISP
Wahyu Nasution
 
EIGRP (enhanced interior gateway routing protocol)
EIGRP (enhanced interior gateway routing protocol)EIGRP (enhanced interior gateway routing protocol)
EIGRP (enhanced interior gateway routing protocol)
Netwax Lab
 
MikroTik & RouterOS
MikroTik & RouterOSMikroTik & RouterOS
MikroTik & RouterOS
Faelix Ltd
 
Nitin jain CV - Packet Core/EPC, Virtualization/Cloud
Nitin jain CV - Packet Core/EPC, Virtualization/CloudNitin jain CV - Packet Core/EPC, Virtualization/Cloud
Nitin jain CV - Packet Core/EPC, Virtualization/Cloud
Nitin Jain
 
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Milan Jan/2014
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Milan Jan/2014Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Milan Jan/2014
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Milan Jan/2014
Bruno Teixeira
 
SRv6 study
SRv6 studySRv6 study
SRv6 study
Hiro Mura
 

What's hot (20)

Juniper mpls best practice part 1
Juniper mpls best practice   part 1Juniper mpls best practice   part 1
Juniper mpls best practice part 1
 
Mikro tik advanced training
Mikro tik advanced trainingMikro tik advanced training
Mikro tik advanced training
 
HSRP ccna
HSRP ccna HSRP ccna
HSRP ccna
 
MPLS Deployment Chapter 1 - Basic
MPLS Deployment Chapter 1 - BasicMPLS Deployment Chapter 1 - Basic
MPLS Deployment Chapter 1 - Basic
 
Cisco ospf
Cisco ospf Cisco ospf
Cisco ospf
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow Spec
 
Policy Based Routing
Policy Based RoutingPolicy Based Routing
Policy Based Routing
 
PLNOG16: IP/MPLS for Fixed and Mobile Convergence, Kevin Wang
PLNOG16: IP/MPLS for Fixed and Mobile Convergence, Kevin WangPLNOG16: IP/MPLS for Fixed and Mobile Convergence, Kevin Wang
PLNOG16: IP/MPLS for Fixed and Mobile Convergence, Kevin Wang
 
Cisco IPv6 Tutorial
Cisco IPv6 TutorialCisco IPv6 Tutorial
Cisco IPv6 Tutorial
 
ACI MultiPod Config Guide
ACI MultiPod Config GuideACI MultiPod Config Guide
ACI MultiPod Config Guide
 
VXLAN
VXLANVXLAN
VXLAN
 
OSPF Fundamental
OSPF FundamentalOSPF Fundamental
OSPF Fundamental
 
Bgp
BgpBgp
Bgp
 
MikroTik MTCNA
MikroTik MTCNAMikroTik MTCNA
MikroTik MTCNA
 
Bgp tutorial for ISP
Bgp tutorial for ISPBgp tutorial for ISP
Bgp tutorial for ISP
 
EIGRP (enhanced interior gateway routing protocol)
EIGRP (enhanced interior gateway routing protocol)EIGRP (enhanced interior gateway routing protocol)
EIGRP (enhanced interior gateway routing protocol)
 
MikroTik & RouterOS
MikroTik & RouterOSMikroTik & RouterOS
MikroTik & RouterOS
 
Nitin jain CV - Packet Core/EPC, Virtualization/Cloud
Nitin jain CV - Packet Core/EPC, Virtualization/CloudNitin jain CV - Packet Core/EPC, Virtualization/Cloud
Nitin jain CV - Packet Core/EPC, Virtualization/Cloud
 
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Milan Jan/2014
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Milan Jan/2014Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Milan Jan/2014
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Milan Jan/2014
 
SRv6 study
SRv6 studySRv6 study
SRv6 study
 

Similar to NAT64 and DNS64 in 30 minutes

IPv6 Transition Strategies
IPv6 Transition StrategiesIPv6 Transition Strategies
IPv6 Transition Strategies
APNIC
 
IPv6 Transition Techniques
IPv6 Transition TechniquesIPv6 Transition Techniques
IPv6 Transition Techniques
APNIC
 
IPV6 by Philip Smith
IPV6 by Philip SmithIPV6 by Philip Smith
IPV6 by Philip Smith
MyNOG
 
IPv6 in Cellular Networks
IPv6 in Cellular NetworksIPv6 in Cellular Networks
IPv6 in Cellular Networks
APNIC
 
Deploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsDeploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack Environments
Shannon McFarland
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
Private
 
Get Ready For Ipv6
Get Ready For Ipv6Get Ready For Ipv6
Get Ready For Ipv6
Rishu Mehra
 
Get Ready For Ipv6
Get Ready For Ipv6Get Ready For Ipv6
Get Ready For Ipv6
technext1
 
Robert Raszuk - Technologies for IPv4/IPv6 coexistance
Robert Raszuk - Technologies for IPv4/IPv6 coexistanceRobert Raszuk - Technologies for IPv4/IPv6 coexistance
Robert Raszuk - Technologies for IPv4/IPv6 coexistance
PROIDEA
 
Upcoming internet challenges
Upcoming internet challengesUpcoming internet challenges
Upcoming internet challenges
Ivan Pepelnjak
 
Ipv6
Ipv6Ipv6
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
Louis Göhl
 
IPv6 Transition Strategies Tutorial, by Philip Smith [APNIC 38]
IPv6 Transition Strategies Tutorial, by Philip Smith [APNIC 38]IPv6 Transition Strategies Tutorial, by Philip Smith [APNIC 38]
IPv6 Transition Strategies Tutorial, by Philip Smith [APNIC 38]
APNIC
 
CodiLime Tech Talk - Adam Kułagowski: IPv6 - introduction
CodiLime Tech Talk - Adam Kułagowski: IPv6 - introductionCodiLime Tech Talk - Adam Kułagowski: IPv6 - introduction
CodiLime Tech Talk - Adam Kułagowski: IPv6 - introduction
CodiLime
 
Dan York - Presentation at Emerging Communications Conference & Awards (eComm...
Dan York - Presentation at Emerging Communications Conference & Awards (eComm...Dan York - Presentation at Emerging Communications Conference & Awards (eComm...
Dan York - Presentation at Emerging Communications Conference & Awards (eComm...
eCommConf
 
APNIC Update
APNIC Update APNIC Update
APNIC Update
APNIC
 
Day 20.i pv6 lab
Day 20.i pv6 labDay 20.i pv6 lab
Day 20.i pv6 lab
CYBERINTELLIGENTS
 
Operational Experience of MAP-E
Operational Experience of MAP-EOperational Experience of MAP-E
Operational Experience of MAP-E
Akira Nakagawa
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
APNIC
 
IPv6 deployment architecture for broadband access networks
IPv6 deployment architecture for broadband access networksIPv6 deployment architecture for broadband access networks
IPv6 deployment architecture for broadband access networks
APNIC
 

Similar to NAT64 and DNS64 in 30 minutes (20)

IPv6 Transition Strategies
IPv6 Transition StrategiesIPv6 Transition Strategies
IPv6 Transition Strategies
 
IPv6 Transition Techniques
IPv6 Transition TechniquesIPv6 Transition Techniques
IPv6 Transition Techniques
 
IPV6 by Philip Smith
IPV6 by Philip SmithIPV6 by Philip Smith
IPV6 by Philip Smith
 
IPv6 in Cellular Networks
IPv6 in Cellular NetworksIPv6 in Cellular Networks
IPv6 in Cellular Networks
 
Deploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsDeploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack Environments
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
 
Get Ready For Ipv6
Get Ready For Ipv6Get Ready For Ipv6
Get Ready For Ipv6
 
Get Ready For Ipv6
Get Ready For Ipv6Get Ready For Ipv6
Get Ready For Ipv6
 
Robert Raszuk - Technologies for IPv4/IPv6 coexistance
Robert Raszuk - Technologies for IPv4/IPv6 coexistanceRobert Raszuk - Technologies for IPv4/IPv6 coexistance
Robert Raszuk - Technologies for IPv4/IPv6 coexistance
 
Upcoming internet challenges
Upcoming internet challengesUpcoming internet challenges
Upcoming internet challenges
 
Ipv6
Ipv6Ipv6
Ipv6
 
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
 
IPv6 Transition Strategies Tutorial, by Philip Smith [APNIC 38]
IPv6 Transition Strategies Tutorial, by Philip Smith [APNIC 38]IPv6 Transition Strategies Tutorial, by Philip Smith [APNIC 38]
IPv6 Transition Strategies Tutorial, by Philip Smith [APNIC 38]
 
CodiLime Tech Talk - Adam Kułagowski: IPv6 - introduction
CodiLime Tech Talk - Adam Kułagowski: IPv6 - introductionCodiLime Tech Talk - Adam Kułagowski: IPv6 - introduction
CodiLime Tech Talk - Adam Kułagowski: IPv6 - introduction
 
Dan York - Presentation at Emerging Communications Conference & Awards (eComm...
Dan York - Presentation at Emerging Communications Conference & Awards (eComm...Dan York - Presentation at Emerging Communications Conference & Awards (eComm...
Dan York - Presentation at Emerging Communications Conference & Awards (eComm...
 
APNIC Update
APNIC Update APNIC Update
APNIC Update
 
Day 20.i pv6 lab
Day 20.i pv6 labDay 20.i pv6 lab
Day 20.i pv6 lab
 
Operational Experience of MAP-E
Operational Experience of MAP-EOperational Experience of MAP-E
Operational Experience of MAP-E
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
IPv6 deployment architecture for broadband access networks
IPv6 deployment architecture for broadband access networksIPv6 deployment architecture for broadband access networks
IPv6 deployment architecture for broadband access networks
 

Recently uploaded

QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
AlexanderRichford
 
Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
ScyllaDB
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Ukraine
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
HarpalGohil4
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
DianaGray10
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
Sease
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
UiPathCommunity
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 

Recently uploaded (20)

QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
 
Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 

NAT64 and DNS64 in 30 minutes

  • 1. NAT64 and DNS64 in 30 seconds minutes Ivan Pepelnjak (ip@nil.com)NIL Data Communications
  • 2. IPv6 adoption theory: the “famous” S-curve Who caresabout IPv4? IPv6 adoption [%] IPv6 pilots Time [years]
  • 3. IPv6 adoption: the “ivory-tower” beliefs Who caresabout IPv4? IPv6 adoption [%] IPv6 pilots Time [years] Ecstatic earlyadopters Few years of dual-stack migration IPv4 addressexhaustion
  • 4. IPv6 adoption: the unpleasant reality IPv6 adoption [%] IPv6-onlyclients? NAT and RFC 1918 IPv6 pilots Time [years] Early adopters 15 yearswasted IPv4 addressexhaustion
  • 5. Options Facts: In 2 years some clients will not get public IPv4 addresses These clients will have to reach IPv4 content Options: CGN (large-scale NAT44) NAT444 (CGN + CPE NAT44) DS-Lite (NAT44 + 4-over-6 tunnel) A+P (DS-Lite with preconfigured port ranges) NAT64
  • 6. NAT options: IPv4 only CPE CPE RFC1918 NAT44 IPv4 ProviderPrivate IPv4 Internet IPv4 Internet IPv4 Internet CGN/LSN NAT44 IPv4 RFC1918 LSN CGN/LSN NAT444 RFC1918 LSN
  • 7. NAT options: IPv6 + IPv4 CPE B4 CPE DS-Lite RFC1918 AFTR IPv4 Internet IPv4 Internet IPv4 Internet IPv6 IPv6 IPv6 A+P RFC1918 AFTR NAT 64 NAT64
  • 8. NAT is bad ... Is it really? Facts: Any NAT is worse than end-to-end Internet Dual NAT is worse than NAT (scrap NAT444) NAT with ALG is really bad (scrap NAT-PT, see RFC 4966) NAT is OK for outbound client-server sessions NAT + STUN/TURN works for peer-to-peer sessions We need some NAT to survive past IPv4 address exhaustion Personal opinion: NAT64 or DS-Lite/A+P are reasonable options
  • 9. NAT-PT (RFC 2766) = NAT64 + NAT46 + DNS ALG Academic “we will bring world peace” approach DS-Lite = NAT44 over IPv6 Well-known solution (and problems) Large-scale NAT64 = limited scope IPv6 client to IPv4 server NAT46 is useless What went wrong with NAT-PT Who caresabout IPv4?
  • 10. IPv4 IPv6 NAT64 topology DNS64 IPv6 + IPv4 NAT64 An IPv6 prefix (well-known or network-specific) is dedicated to mapped IPv4 addresses DNS64 converts A records into AAAA records using NAT64 prefix, serves A and AAAA records to the client NAT64 router advertises NAT64 prefix into IPv6 network to attract traffic toward IPv4 servers
  • 11. DNS64 in action Q: AAAA for example.com Q: AAAA for example.com R: name error Q: A for example.com R: example.com (A) = 192.0.2.33 DNS64 translation for WKP R: example.com (AAAA)= 64:FF9B::192.0.2.33example.com (A) = 192.0.2.33
  • 12. DNS64 in action (end-to-end IPv6) Q: AAAA for example.com Q: AAAA for example.com R: example.com (AAAA)= 64:FF9B::192.0.2.33 R: example.com (AAAA)= 64:FF9B::192.0.2.33 Native IPv6 communication w/o NAT64
  • 13. NAT64 in action TCP SYN S=C-v6 D=WKP-v6 Translate WKP-v6 into IPv4Pick free IPv4 addr/port from poolBuild NAT session entry TCP SYN S=NP-v4 D=S-v4 TCP ACK S=S-v4 D=NP-v4 Translate NP-v4 + port into C-v6 TCP ACK S=WKP-v6 D=C-v6
  • 14. NAT64: dirty details NAT64 prefix Any /32, /40, /48, /56, /64 or /96 prefix WKP = 64:FF9B::/96 Recommendation: use /64 for NSP Stateful NAT64 Very similar to PAT (stateful NAT44) Individual TCP and UDP sessions + ICMP replies are translated Source IPv6 address + port number used in lookup Stateless NAT64 Each IPv6 address is translated into one IPv4 address Only ICMP packets and IP headers are translated Limited use: IPv6 only servers
  • 15. NAT64 versus DS-Lite NAT64 IPv6 to IPv4 NAT Native transport DNS 64 = DNS ALG No CPE or network modifications IPv6-only hosts NAT64 largely unknown DS-Lite IPv4 to IPv4 NAT 4over6 Tunnel No DNS(SEC) interaction Requires CPE support Does not need host IPv6(not even dual-stack) NAT44 well tested
  • 16. NAT64 in enterprise networks NSP = 2002:FF9B::/96 IPv6 IPv6 + IPv4 www.example.com A 192.0.2.33 AAAA 2002:FF9B::192.0.2.33 Use NAT64 to make IPv4-only servers available to IPv6 clients Static entries in DNZ zone; DNS64 is not needed
  • 17. Implementations Open-source:Ecdysis Microsoft: Forefront UAG DirectAccess Cisco:CGv6 Ericsson: field trials NAT64 is also (sort-of) part of NAT-PT
  • 18. Conclusions We are not prepared for IPv4 address exhaustion We will not survive without NAT Best options: NAT64 or DS-Lite/A+P Push NAT64 – it promotes IPv6 clients NAT64 is not NAT-PT 6-to-4 only DNS ALG not in the forwarding path NAT64 also solves legacy server problems