Keep calm-and-try-v6only

The presentation is about v6-only network deployments using NAT64+DNS64; it does not necessarily suggest eliminating dual stack.

The major focus of the talk is the value of v6-only deployments and an example of a simple deployment using jool and bind9 on Ubuntu Server.

Published in: Internet
  1. Md. Abdul Awal, email@awal.pro. KEEP CALM AND TRY V6ONLY
  2. Have you tried our v6only SSID here?
  3. Let's do some quick checks
  4. More checks
     • v6-only host can SSH to v4-only machine:
       $ ssh awal@64:ff9b::192.168.51.160
       awal@64:ff9b::192.168.51.160's password:
       Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-87-generic x86_64)
       Last login: Thu Apr 11 16:12:24 2019 from 192.168.34.49
       $
  5. What is an IPv6-only network?
     • Not dual-stack
     • Users get only IPv6 network parameters (i.e. address, prefix, gateway and DNS)
     • Local gateway routes only IPv6, no IPv4
     • Most routers and infrastructure have only IPv6 addresses
     • IPv4 is offered to users as a service, over IPv6
     • Protocol translation is required for IPv4-only destinations
  6. Why go v6-only?
     • Operational simplicity
       - Single-stack infrastructure
     • Avoids doing redundant tasks:
       - 2x ACLs / firewall rules
       - 2x monitoring targets
       - 2x places where errors can occur
     • Doing NAT that actually gets smaller day by day (NAT64)
       - Solving current IPv4 issues
       - Getting rid of expensive CGNAT
     • Enhanced security
       - Reduction of attack surface
  7. Building blocks
     • Address distribution
       - SLAAC/DHCPv6
     • NAT64 (RFC 6144-6146)
       - Supported by OEMs
       - Server-based tools: Jool, Tayga etc.
     • DNS64 (RFC 6147)
       - Included in Bind9
       - Google public DNS64
     • Support of IPv6 at the end-user device
       - No additional configuration is required
  8. Topology consideration (it's not a mandatory in-line thing)
     [Diagram: two topologies. In the first, a router (SLAAC) sits in front of a combined NAT64 + DNS64 box; in the second, a router (DHCPv6) has NAT64 and DNS64 as separate boxes off the path. In both, the LAN side carries v6 only and the Internet side is v6+v4, with v4 only reached through the NAT64.]
  9. Tools used for our v6only network
     • One box did it all
       - Ubuntu Server 16.04 LTS
     • Address distribution
       - SLAAC with RADVD
     • NAT64
       - Jool 4.0.0
       - NAT64 prefix: 64:ff9b::/96
     • DNS64
       - Bind9
     • Wireless AP
       - MikroTik
     [Diagram: Ubuntu Server with radvd, jool and bind9 between the v6-only LAN and the v6+v4 Internet.]
 10. Interface config (Ubuntu 16.04)
     • /etc/network/interfaces
       # Dual-stack WAN Interface
       auto enp1s0
       iface enp1s0 inet static
           address 192.168.1.254
           netmask 255.255.254.0
           gateway 192.168.0.1
       iface enp1s0 inet6 static
           autoconf 0
           accept_ra 0
           address 2400:ca00:3000:10::2
           netmask 64
           gateway 2400:ca00:3000:10::1

       # IPv6-only LAN Interface
       auto enp2s0
       iface enp2s0 inet6 static
           address 2400:ca00:3000:15::1
           netmask 64
 11. GW config (radvd + routing)
     • /etc/radvd.conf
       interface enp2s0
       {
           MinRtrAdvInterval 3;
           MaxRtrAdvInterval 4;
           AdvSendAdvert on;
           AdvManagedFlag off;
           prefix 2400:ca00:3000:15::/64
           {
               AdvValidLifetime 14300;
               AdvPreferredLifetime 14200;
           };
           RDNSS 2400:ca00:3000:15::1
           {
           };
       };
     • Enable routing:
       sysctl -w net.ipv4.conf.all.forwarding=1
       sysctl -w net.ipv6.conf.all.forwarding=1
 12. NAT64 config (jool-4.0.0)
     • Start jool:
       /sbin/modprobe jool
     • Map IPv6 pool with defined instance:
       jool instance add "nat64" --iptables --pool6 64:ff9b::/96
     • Add mangle rules:
       ip6tables -t mangle -A PREROUTING -d 64:ff9b::/96 -j JOOL --instance "nat64"
       iptables -t mangle -A PREROUTING -d 192.168.1.254 -p tcp --dport 1126:65535 -j JOOL --instance "nat64"
       iptables -t mangle -A PREROUTING -d 192.168.1.254 -p udp --dport 1126:65535 -j JOOL --instance "nat64"
       # WAN address as configured on slide 10 (the slide prints 192.168.1.154 here, evidently a typo)
       iptables -t mangle -A PREROUTING -d 192.168.1.254 -p icmp -j JOOL --instance "nat64"
 13. DNS64 config (bind9)
     • /etc/bind/named.conf.options
       options {
           ...
           ...
           listen-on-v6 { any; };
           allow-query { 2400:ca00:3000::/48; };
           recursion yes;
           dns64 64:ff9b::/96 {
               clients { any; };
               mapped { any; };
               exclude { 0::/3; 2001:db8::/32; };
           };
       };
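The SSH check on slide 4, the 64:ff9b::/96 prefix on slide 9 and the dns64 block above all rest on the same RFC 6052 address embedding, which DNS64 uses to synthesize AAAA records and NAT64 uses to recover the IPv4 destination. The following script is an added example, not part of the deck and not Jool's or BIND's code: it implements the general RFC 6052 embedding for every allowed prefix length (the slides only use /96), its reverse, and a BIND-style dns64 decision with `exclude` and `mapped` lists. The function names, the sample records and the test values are constructed here; the default `exclude` value is chosen to mirror BIND's documented default.

```python
import ipaddress
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network
from typing import Iterable, List

# RFC 6052 section 2.2: the IPv4 address is placed right after the prefix,
# skipping octet 8 (bits 64-71, the "u" octet), which must stay zero.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _layout(plen: int):
    """Return (start, before): first octet after the prefix and how many of
    the four IPv4 octets fit before the u octet."""
    if plen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"prefix length {plen} is not allowed by RFC 6052")
    start = plen // 8
    before = min(4, 8 - start)
    return start, before


def synthesize(prefix: str, ipv4: str) -> IPv6Address:
    """Embed an IPv4 address into a NAT64/DNS64 prefix (RFC 6052)."""
    net = IPv6Network(prefix)
    v4 = IPv4Address(ipv4).packed
    out = bytearray(net.network_address.packed)  # prefix bits, rest zero
    if net.prefixlen == 96:
        out[12:16] = v4                          # the well-known 64:ff9b::/96 case
    else:
        start, before = _layout(net.prefixlen)
        out[start:start + before] = v4[:before]
        out[8] = 0                               # u octet
        out[9:9 + (4 - before)] = v4[before:]
    return IPv6Address(bytes(out))


def extract(prefix: str, addr: str) -> IPv4Address:
    """Inverse of synthesize(): what NAT64 does on the IPv6 side."""
    net = IPv6Network(prefix)
    a6 = IPv6Address(addr)
    if a6 not in net:
        raise ValueError(f"{a6} is not inside NAT64 prefix {net}")
    b = a6.packed
    if net.prefixlen == 96:
        return IPv4Address(b[12:16])
    start, before = _layout(net.prefixlen)
    return IPv4Address(b[start:start + before] + b[9:9 + (4 - before)])


def dns64_answer(prefix: str, aaaa: Iterable[str], a: Iterable[str],
                 exclude: Iterable[str] = ("::ffff:0:0/96",),
                 mapped: Iterable[str] = ("0.0.0.0/0",)) -> List[IPv6Address]:
    """BIND-style dns64 decision (modelled here, not BIND's own code):
    real AAAA records are returned unless every one of them falls inside an
    `exclude` network; only then are the A records allowed by `mapped`
    synthesized into the prefix."""
    excluded = [IPv6Network(n) for n in exclude]
    usable = [IPv6Address(x) for x in aaaa
              if not any(IPv6Address(x) in n for n in excluded)]
    if usable:
        return usable
    allowed = [IPv4Network(n) for n in mapped]
    return [synthesize(prefix, x) for x in a
            if any(IPv4Address(x) in n for n in allowed)]


if __name__ == "__main__":
    # Constructed sample records, evaluated with the exclude list from the slide.
    EXCLUDE = ("0::/3", "2001:db8::/32")
    print(synthesize("64:ff9b::/96", "192.168.51.160"))       # the slide-4 SSH target
    print(extract("64:ff9b::/96", "64:ff9b::192.168.51.160"))
    print(dns64_answer("64:ff9b::/96", [], ["192.0.2.1"], exclude=EXCLUDE))
    print(dns64_answer("64:ff9b::/96", ["2001:db8::1"], ["192.0.2.1"], exclude=EXCLUDE))
    print(dns64_answer("64:ff9b::/96", ["2400:ca00:3000::1"], ["192.0.2.1"], exclude=EXCLUDE))
```

Note that an AAAA inside a documentation prefix such as 2001:db8::/32 is treated as absent because of the slide's `exclude` list, so the client is steered through NAT64 instead of dialling an unreachable IPv6 address; a genuine global AAAA is returned untouched and never goes through the translator.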
 14. NAT64 tuning options
     • Limit the host's local port range so that more ports are left for translation:
       echo 1025 1125 > /proc/sys/net/ipv4/ip_local_port_range
     • MTU, fragmentation and PMTUD issues:
       echo 2 > /proc/sys/net/ipv4/tcp_mtu_probing
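The port-range sysctl above only makes sense together with the `--dport 1126:65535` rules on slide 12: the ports the host keeps for its own sockets must not also be steered into Jool, or the server's own connections and translated flows compete for the same WAN address and port. The check below is an added example, not the deck's or Jool's code; it parses the sysctl value and the iptables rules, reports any overlap and counts the ports left for translation per protocol. The rule strings are copied from slide 12 as constructed sample input, and the function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the slide-14 sysctl value and the slide-12 rules.
LOCAL_PORT_RANGE = "1025 1125"
JOOL_RULES = [
    'ip6tables -t mangle -A PREROUTING -d 64:ff9b::/96 -j JOOL --instance "nat64"',
    'iptables -t mangle -A PREROUTING -d 192.168.1.254 -p tcp --dport 1126:65535 -j JOOL --instance "nat64"',
    'iptables -t mangle -A PREROUTING -d 192.168.1.254 -p udp --dport 1126:65535 -j JOOL --instance "nat64"',
    'iptables -t mangle -A PREROUTING -d 192.168.1.254 -p icmp -j JOOL --instance "nat64"',
]

Range = Tuple[int, int]


def parse_local_port_range(text: str) -> Range:
    """Parse the two numbers of /proc/sys/net/ipv4/ip_local_port_range."""
    lo, hi = (int(x) for x in text.split())
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid local port range {lo}-{hi}")
    return lo, hi


def dport_ranges(rules: List[str]) -> List[Tuple[str, Range]]:
    """Collect (protocol, port range) for every IPv4 rule that hands traffic
    to the JOOL target. Rules without --dport (ICMP, the ip6tables rule)
    carry no ports and are skipped."""
    found = []
    for rule in rules:
        if "-j JOOL" not in rule or not rule.startswith("iptables"):
            continue
        proto = re.search(r"(?<!\S)-p\s+(\w+)", rule)
        ports = re.search(r"--dport\s+(\d+)(?::(\d+))?", rule)
        if proto and ports:
            lo = int(ports.group(1))
            hi = int(ports.group(2) or lo)
            found.append((proto.group(1), (lo, hi)))
    return found


def overlap(a: Range, b: Range) -> Optional[Range]:
    """Intersection of two inclusive port ranges, or None if disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def check_port_split(local_text: str, rules: List[str]) -> Dict:
    """Verify the host's ephemeral range and the ports steered into Jool are
    disjoint, and report how many ports each protocol has for translation."""
    local = parse_local_port_range(local_text)
    conflicts, translation_ports = [], {}
    for proto, rng in dport_ranges(rules):
        clash = overlap(local, rng)
        if clash:
            conflicts.append((proto, clash))
        translation_ports[proto] = rng[1] - rng[0] + 1
    return {"local": local, "conflicts": conflicts,
            "translation_ports": translation_ports, "ok": not conflicts}


if __name__ == "__main__":
    print(check_port_split(LOCAL_PORT_RANGE, JOOL_RULES))
    # Same rules against the Linux default ephemeral range: overlaps on tcp and udp.
    print(check_port_split("32768 60999", JOOL_RULES))
```

With the slide's values the split is clean and each of tcp and udp has 64410 ports for translated sessions; with the kernel's default ephemeral range left in place the check flags the overlap, which is exactly the situation the sysctl on this slide is meant to prevent.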
 15. QUESTIONS?
 16. Md. Abdul Awal, email@awal.pro. KEEP CALM AND TRY V6ONLY