A quick introduction to: DNS64, NAT64, 464XLAT, SIIT-DC, SIIT-DC-2XLAT


1 A quick introduction to: DNS64, NAT64, 464XLAT, SIIT-DC, SIIT-DC-2XLAT
RUNNING IPV6-ONLY SERVERS IN MS
Tore Anderson, Redpill Linpro AS, Managed Services
RL Gathering, Sunne, September 2015

2 Motivation for IPv6-only
- Limited availability of public IPv4 addresses: ~80% used today, can't get more from RIPE NCC
- Private RFC1918 is a band-aid only: no real support for NAT44 in our infrastructure, and it might overlap with customers' VPN ranges
- We do want to deliver IPv6 to our customers: Facebook reports IPv6 is ~15% faster than IPv4, and it is soon mandated by the Norwegian government
- Dual stack (IPv4 + IPv6) means dual work, dual complexity, dual monitoring, dual firewall rules, etc.
- Single stack preferred (even IPv4-only...)

3 DNS64 + NAT64
- Provides every IPv6(-only) node in our network with outbound access to the IPv4 Internet
- DNS64 synthesises IPv6 IN AAAA records for IPv4-only hostnames that have IN A records only
- The closest NAT64 gateway receives packets destined for the DNS64-synthesised addresses, then performs stateful NAPT to a shared pool of public IPv4 addresses
- baseconfig::dns will automatically provision DNS64 resolvers to nodes without IPv4 addresses
- Demo time!

4 464XLAT
- A CLAT agent creates a virtual network interface with a private IPv4 address on an IPv6-only host
- Provides outbound access to the IPv4 Internet
- Works around legacy soft- and wetware that use IPv4-only (AF_INET) APIs, commands, etc.
- IPv4 packets are translated locally to IPv6, then routed to the closest NAT64 gateway where they are translated back to IPv4
- Demo time!

5 SIIT-DC
- Provides an IPv6-only node/service/application in our network with a public IPv4 personality / front-end reachable from the IPv4 Internet
- Our SIIT-DC Border Relay nodes perform stateless IPv4<->IPv6 translation
- A 1:1 IPv4:IPv6 mapping is configured in Hiera for each IPv6 service made reachable through SIIT-DC
- SIIT-DC BRs in all our data centres; anycast provides high availability and optimal routing
- The client's IPv4 source address is mapped into IPv6, so no loss of information occurs
- Demo time!

6 SIIT-DC-2XLAT
- Similar to 464XLAT, only that it works in concert with SIIT-DC instead of NAT64
- Supports bi-directional traffic, fully stateless
- Provides a virtual IPv4 interface with a public IPv4 address on the IPv6-only node
- No address translation end-to-end
- Allows IPv4-only applications/services/humans to successfully use IPv4-only AF_INET sockets, commands, and so on
- Demo time!

7 Firewall rules / ACLs
- NAT64 uses translation prefix 2a02:c0::64:0:0:0/64
- SIIT-DC uses translation prefix 2a02:c0::46:0:0:0/64
- IPv4 address embedded in last 32 bits, e.g.:
  = 2a02:c0::64:0: (NAT64)
  = 2a02:c0::46:0: (SIIT-DC)
- IPv6 prefix length = 96 + IPv4 prefix length: /24 = 2a02:c0::64:0: /120 (NAT64)
- PFW ingressfilter6 example (allows DNS towards Google via NAT64):
  -p udp --dport 53 -d 2a02:c0::64:0: -j ACCEPT
- PFW egressfilter6 example (allows IPv4 SSH from RL MS via SIIT-DC):
  -p tcp --dport 22 -s 2a02:c0::46:0: /122 -j ACCEPT
- Protip: PFW uses DNS64 servers when resolving hostnames
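The address arithmetic behind slides 3, 5 and 7, as an added example that is not part of the original slides or of Redpill Linpro's tooling: embedding an IPv4 address in the low 32 bits of a translation prefix (the NAT64 and SIIT-DC prefixes from slide 7), recovering it again at the translator, synthesising DNS64 AAAA answers, and turning an IPv4 prefix length into the IPv6 prefix length a firewall rule needs. It assumes both prefixes act as /96 translation prefixes (the RFC 6052 /96 layout, which is what "IPv4 address embedded in last 32 bits" describes); the slides write them as /64. All IPv4 sample values are constructed documentation addresses, and the rule strings mimic the ip6tables-style syntax shown on slide 7 rather than any PFW API.

```python
"""Added example, not from the original slides: NAT64/SIIT-DC address
embedding, DNS64 synthesis and ACL prefix-length derivation.

Assumption: the two prefixes from the slides are treated as /96 translation
prefixes (RFC 6052 /96 layout), since the IPv4 address sits in the last 32
bits. All IPv4 sample values below are constructed (documentation ranges)."""
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("2a02:c0::64:0:0:0/96")
SIIT_DC_PREFIX = ipaddress.IPv6Network("2a02:c0::46:0:0:0/96")


def embed(prefix: ipaddress.IPv6Network, v4: str) -> ipaddress.IPv6Address:
    """Map an IPv4 address into the translation prefix (low 32 bits)."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper assumes a /96 translation prefix")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(v4))
    )


def extract(prefix: ipaddress.IPv6Network, v6: str) -> ipaddress.IPv4Address:
    """Reverse mapping, as a translator does it. Refuses addresses outside
    the prefix so unrelated IPv6 traffic is never mistaken for translated
    traffic (a stateless SIIT-DC BR must not guess here)."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside translation prefix {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def embed_network(prefix: ipaddress.IPv6Network, v4net: str) -> ipaddress.IPv6Network:
    """An IPv4 /n becomes an IPv6 /(96+n) inside the translation prefix,
    which is the form ACLs need (e.g. /24 -> /120, /26 -> /122)."""
    net = ipaddress.IPv4Network(v4net, strict=True)
    first = embed(prefix, str(net.network_address))
    return ipaddress.IPv6Network((int(first), 96 + net.prefixlen))


def dns64_synthesize(a_records):
    """What a DNS64 resolver hands an IPv6-only client for a name that has
    only A records: one AAAA per A, inside the NAT64 prefix."""
    return [str(embed(NAT64_PREFIX, a)) for a in a_records]


def ip6tables_rule(proto: str, dport: int, flag: str,
                   prefix: ipaddress.IPv6Network, v4net: str) -> str:
    """Build an ip6tables-style match line for IPv4 peers reached through a
    translator; `flag` is '-d' (destination) or '-s' (source). A single host
    (/32 -> /128) is written without a prefix length, as on the slide."""
    if flag not in ("-s", "-d"):
        raise ValueError("flag must be -s or -d")
    net = embed_network(prefix, v4net)
    target = str(net.network_address) if net.prefixlen == 128 else str(net)
    return f"-p {proto} --dport {dport} {flag} {target} -j ACCEPT"


def rule_matches(prefix: ipaddress.IPv6Network, v4net: str, v6addr: str) -> bool:
    """Does a translated IPv6 address fall inside the range an IPv4-based
    rule covers? Useful when auditing whether an ACL is as narrow as intended."""
    return ipaddress.IPv6Address(v6addr) in embed_network(prefix, v4net)


if __name__ == "__main__":
    print(dns64_synthesize(["192.0.2.1", "192.0.2.2"]))
    print(ip6tables_rule("udp", 53, "-d", NAT64_PREFIX, "192.0.2.53/32"))
    print(ip6tables_rule("tcp", 22, "-s", SIIT_DC_PREFIX, "203.0.113.64/26"))
    print(extract(SIIT_DC_PREFIX, "2a02:c0::46:0:cb00:7140"))
```

The point worth checking in practice is the prefix-length rule: an IPv4 /26 allowed through SIIT-DC must appear as a /122 in the IPv6 ACL, and anything wider silently admits more IPv4 source addresses than the IPv4 rule it replaces.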

8 Summary
- We're ready for IPv6-only production environments!
- One missing piece: Kickoff (PXE-boot/network install). Workaround: use RFC1918 for that, but disable IPv4 after installation (in /etc/network/interfaces or /etc/sysconfig/network-scripts/ifcfg-*)
- Puppet module for clatd (host agent for 464XLAT/SIIT-DC-2XLAT) is coming
- Questions?
