A quick introduction to: DNS64, NAT64, 464XLAT, SIIT-DC, SIIT-DC-2XLAT


RUNNING IPV6-ONLY SERVERS IN MS
A quick introduction to: DNS64, NAT64, 464XLAT, SIIT-DC, SIIT-DC-2XLAT
Tore Anderson tore@redpill-linpro.com
Redpill Linpro AS, Managed Services
RL Gathering, Sunne, September 2015

Motivation for IPv6-only
- Limited availability of public IPv4 addresses
- ~80% used today, can't get more from RIPE NCC
- Private RFC1918 is a band-aid only
- No real support for NAT44 in our infrastructure
- Might overlap with customers' VPN ranges
- We do want to deliver IPv6 to our customers
- Facebook: IPv6 is ~15% faster than IPv4
- Soon mandated by Norwegian government
- Dual stack (IPv4 + IPv6) means dual work, dual complexity, dual monitoring, dual firewall rules, etc.
- Single stack preferred (even IPv4-only...)

DNS64 + NAT64
- Provides every IPv6(-only) node in our network with outbound access to the IPv4 Internet
- DNS64 synthesises IPv6 IN AAAA records for IPv4-only hostnames that have IN A records only
- The closest NAT64 gateway receives packets destined for the DNS64-synthesised addresses, then performs stateful NAPT to a shared pool of public IPv4 addresses
- baseconfig::dns will automatically provision DNS64 resolvers to nodes without IPv4 addresses
- Demo time!

464XLAT
- A CLAT agent creates a virtual network interface with a private IPv4 address on an IPv6-only host
- Provides outbound access to the IPv4 Internet
- Works around legacy soft- and wetware that are using IPv4-only (AF_INET) APIs, commands, etc.
- IPv4 packets are translated locally to IPv6, then routed to the closest NAT64 gateway where they are translated back to IPv4
- Demo time!

SIIT-DC
- Provides an IPv6-only node/service/application in our network with a public IPv4 personality / front-end reachable from the IPv4 Internet
- Our SIIT-DC Border Relay nodes perform stateless IPv4<->IPv6 translation
- A 1:1 IPv4:IPv6 mapping is configured in Hiera for each IPv6 service made reachable through SIIT-DC
- SIIT-DC BRs in all our data centres - anycast provides High Availability and optimal routing
- Client's IPv4 source address is mapped into IPv6, no loss of information occurs
- Demo time!

SIIT-DC-2XLAT
- Similar to 464XLAT, only that it works in concert with SIIT-DC instead of NAT64
- Supports bi-directional traffic, fully stateless
- Provides a virtual IPv4 interface with a public IPv4 address on the IPv6-only node
- No address translation end-to-end
- Allows IPv4-only applications/services/humans to successfully use IPv4-only AF_INET sockets, commands, and so on
- Demo time!

Firewall rules / ACLs
- NAT64 uses translation prefix 2a02:c0::64:0:0:0/64
- SIIT-DC uses translation prefix 2a02:c0::46:0:0:0/64
- IPv4 address embedded in last 32 bits, e.g.:
    192.0.2.1 = 2a02:c0::64:0:192.0.2.1 (NAT64)
    192.0.2.2 = 2a02:c0::46:0:192.0.2.2 (SIIT-DC)
- IPv6 prefix length = 128 - 32 + IPv4_prefix_length:
    192.0.2.0/24 = 2a02:c0::64:0:192.0.2.0/120 (NAT64)
- PFW ingressfilter6 example (allows DNS towards Google via NAT64):
    -p udp --dport 53 -d 2a02:c0::64:0:8.8.8.8 -j ACCEPT
- PFW egressfilter6 example (allows IPv4 SSH from RL MS via SIIT-DC):
    -p tcp --dport 22 -s 2a02:c0::46:0:87.238.42.0/122 -j ACCEPT
- Protip: PFW uses DNS64 servers when resolving hostnames
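The address mapping on this slide, worked through in Python as an added example (not part of the original presentation): it converts an IPv4 address or network into the IPv6 form to put in a firewall rule, and recovers the original IPv4 client address from a translated IPv6 source seen in a log. The function names are hypothetical, and the code assumes only the first 96 bits of each translation prefix are fixed, since the slide places the IPv4 address in the last 32 bits.

```python
import ipaddress

# Translation prefixes from the slide. Only the first 96 bits are used here,
# because the slide embeds the IPv4 address in the last 32 bits (assumption).
TRANSLATORS = {
    "NAT64": ipaddress.IPv6Address("2a02:c0::64:0:0:0"),
    "SIIT-DC": ipaddress.IPv6Address("2a02:c0::46:0:0:0"),
}
LOW32 = 0xFFFFFFFF


def to_ipv6(translator, ipv4_cidr):
    """Map an IPv4 address or network to its translated IPv6 network."""
    # strict=True rejects host bits (e.g. 192.0.2.1/24) with ValueError
    # instead of silently producing a rule wider than intended.
    v4 = ipaddress.IPv4Network(ipv4_cidr, strict=True)
    base = int(TRANSLATORS[translator])
    addr = ipaddress.IPv6Address(base | int(v4.network_address))
    # IPv6 prefix length = 128 - 32 + IPv4 prefix length. Reusing the IPv4
    # length unchanged (/24 instead of /120) would match far too much.
    return ipaddress.IPv6Network((addr, 128 - 32 + v4.prefixlen))


def to_ipv4(ipv6_addr):
    """Return (translator, IPv4Address) for a translated address, else None."""
    value = int(ipaddress.IPv6Address(ipv6_addr))
    for name, base in TRANSLATORS.items():
        if value >> 32 == int(base) >> 32:
            return name, ipaddress.IPv4Address(value & LOW32)
    return None


if __name__ == "__main__":
    # Inputs below reuse the example addresses shown on the slide.
    print(to_ipv6("NAT64", "192.0.2.0/24"))
    print(to_ipv6("SIIT-DC", "87.238.42.0/26"))
    print(to_ipv4("2a02:c0::46:0:192.0.2.2"))
    print(to_ipv4("2001:db8::1"))
```

Python prints the embedded IPv4 part in hexadecimal (for example c000:200 for 192.0.2.0); this is the same address as the mixed notation used in the rules above.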

Summary
- We're ready for IPv6-only production environments!
- One missing piece: Kickoff (PXE-boot/network install)
- Workaround: Use RFC1918 for that, but disable IPv4 after installation (in /etc/network/interfaces or /etc/sysconfig/network-scripts/ifcfg-*)
- Puppet module for clatd (host agent for 464XLAT/SIIT-DC-2XLAT) is coming
- https://github.com/toreanderson/clatd
- https://wiki.redpill-linpro.com/SIIT_and_NAT64
- Questions?