Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Keep calm-and-try-v6only

33 views

Published on

The presentation is about v6-only network deployments using NAT64+DNS64 and not necessarily suggests eliminating dual stack.

The major focus of the talk is to discuss about the value of v6-only deployments and an example of a simple deployment using jool and bind9 on ubuntu server.

Published in: Internet
  • Be the first to comment

  • Be the first to like this

Keep calm-and-try-v6only

  1. 1. Md. Abdul Awal email@awal.pro KEEP CALM AND TRY V6ONLY
  2. 2. Have you tried our v6only SSID here?
  3. 3. Let’s do some quick checks
  4. 4. More checks • v6-only host can SSH to v4-only machine: $ ssh awal@64:ff9b::192.168.51.160 awal@64:ff9b::192.168.51.160's password: Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-87-generic x86_64) Last login: Thu Apr 11 16:12:24 2019 from 192.168.34.49 $
  5. 5. What is an IPv6-Only network? • Not dual-stack • Users get only IPv6 network parameters (i.e. Address, Prefix, Gateway and DNS) • local gateway routes only IPv6, no IPv4 • Most routers and infrastructure have only IPv6 addresses • IPv4 is offered to users as a service, over IPv6 • Protocol translations required for IPv4 only destinations
  6. 6. Why going v6-only? • Operational Simplicity - Single stack infrastructure • Avoids doing redundant tasks: - 2x ACLs / firewall rules - 2x monitoring targets - 2x places where errors can occur • Doing NAT that actually gets smaller day by day (NAT64) - Solving current IPv4 issues - Getting rid of expensive CGNAT • Enhanced security - Reduction of attack surface
  7. 7. Building blocks • Address distribution - SLAAC/DHCPv6 • NAT64 (RFC 6144-6146) - Supported by OEMs - Server based tools: Jool, Tayga etc. • DNS64 (RFC 6147) - Included in Bind9 - Google public DNS64 • Support of IPv6 at end-user device - No additional configuration is required
  8. 8. Topology consideration (It’s not a mandatory in-line thing) Router Router Router (SLAAC) NAT64 + DNS64 NAT64 Router DHCPv6 DNS64 v6+v4 v6 Internet Internet v6+v4 v6 v4 v6 v6 v6 v6 v6 v6
  9. 9. Tools used for our v6only network • One box did it all - Ubuntu Server 16.04 LTS • Address distribution - SLAAC with RADVD • NAT64 - Jool 4.0.0 - NAT64 prefix: 64:ff9b::/96 • DNS64 - Bind9 • Wireless AP - MikroTik v6+v4 v6 Ubuntu Server with radvd, jool and bind9 Internet
  10. 10. Interface config (Ubuntu 16.04) • /etc/network/interface # Dual-stack WAN Interface auto enp1s0 iface enp1s0 inet static address 192.168.1.254 netmask 255.255.254.0 gateway 192.168.0.1 iface enp1s0 inet6 static autoconf 0 accept_ra 0 address 2400:ca00:3000:10::2 netmask 64 gateway 2400:ca00:3000:10::1 # IPv6-only LAN Interface auto enp2s0 iface enp2s0 inet6 static address 2400:ca00:3000:15::1 netmask 64
  11. 11. GW config (radvd + routing) • /etc/radvd.conf interface enp2s0 { MinRtrAdvInterval 3; MaxRtrAdvInterval 4; AdvSendAdvert on; AdvManagedFlag off; prefix 2400:ca00:3000:15::/64 { AdvValidLifetime 14300; AdvPreferredLifetime 14200; }; RDNSS 2400:ca00:3000:15::1 { }; }; • Eanble routing sysctl -w net.ipv4.conf.all.forwarding=1 sysctl -w net.ipv6.conf.all.forwarding=1
  12. 12. NAT64 config (jool-4.0.0) • Start jool: /sbin/modprobe jool • Map IPv6 pool with defined instance: jool instance add "nat64" --iptables --pool6 64:ff9b::/96 • Add mangle rules: ip6tables -t mangle -A PREROUTING –d 64:ff9b::/96 -j JOOL --instance "nat64" iptables -t mangle -A PREROUTING –d 192.168.1.254 -p tcp --dport 1126:65535 -j JOOL --instance "nat64” iptables -t mangle -A PREROUTING -d 192.168.1.254 -p udp --dport 1126:65535 -j JOOL --instance "nat64” iptables -t mangle -A PREROUTING -d 192.168.1.154 -p icmp -j JOOL --instance "nat64"
  13. 13. DNS64 config (bind9) • /etc/bind/named.conf.options options { ... ... listen-on-v6 { any; }; allow-query {2400:ca00:3000::/48; }; recursion yes; dns64 64:ff9b::/96 { clients { any; }; mapped { any; }; exclude {0::/3; 2001:db8::/32;}; }; };
  14. 14. NAT64 tuning options • Limit local port ranges to add more ports to translation: echo 1025 1125 > /proc/sys/net/ipv4/ip_local_port_range • MTU, Fragmentation and PMTUD issue: echo 2 > /proc/sys/net/ipv4/tcp_mtu_probing
  15. 15. QUESTIONS?
  16. 16. Md. Abdul Awal email@awal.pro KEEP CALM AND TRY V6ONLY

×