NAT64 - PowerPoint PPT Presentation

Slides: 23
Provided by: marcelobag
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes


1
NAT64
  • Marcelo Bagnulo, Philip Matthews, Iljitsch van
    Beijnum
  • IETF 72 - Dublin

2
Application scenario
[Diagram: IPv6-only host, NAT64, IPv4-only host]
  • Communications initiated by the v6-only host
  • Compatible with ICE
  • No support for communications initiated by the
    v4-only side without previous action from the v6
    side (i.e. no support for v6-only servers, beyond
    the creation of static mappings)
  • No changes required in any host for basic
    functionality
  • Supports communications initiated using the FQDN
    (of the v4 node) using DNS64

3
Overview
[Diagram: H6 (IP6) on the v6 side, H4 (IP4) on the v4 side, NAT64 (IPT), DNS64 and DNS. Label: AAAA RR for FQDN(H4)?]

4
Overview
[Same diagram. Labels: AAAA RR for FQDN(H4)? (shown twice)]

5
Overview
[Same diagram. Labels: AAAA RR for FQDN(H4)? (shown twice); empty]

6
Overview
[Same diagram. Labels: AAAA RR for FQDN(H4)?; A RR for FQDN(H4)?]

7
Overview
[Same diagram. Labels: AAAA RR for FQDN(H4)?; A RR for FQDN(H4)?; IP4]

8
Overview
[Same diagram. Label at DNS64: Synthesizes AAAA RR as Pref/96IPv4]

9
Overview
[Same diagram. Label: AAAA RR PrefIP4]

10
Overview
[Same diagram. Label: Src IP6,s Dest PrefIP4,d]

11
Overview
[Same diagram. Label: IP6,s <-> T,t]

12
Overview
[Same diagram. Label: Src T,t Dest IP4,d]

13
Comparison with NAT-PT (RFC 2766)
  • NAT64 only supports v6-initiated communications
  • NAT-PT supports both v4- and v6-initiated,
    requiring a set of cumbersome techniques
  • NAT64 and DNS64 are completely decoupled
  • No relation between the NAT64 state and the
    synthetic RR
  • DNS64 preserves DNS semantics; DNS responses are
    valid irrespective of the path used by data
    packets
  • NAT64 allows native connectivity to be preferred
    over translated connectivity
  • NAT64 is compatible with DNSSEC
  • NAT64 supports some modes of IPsec
  • NAT64 is fully specified, compatible with BEHAVE
    requirements

14
A couple of design questions
15
What prefix to use to map v4 addresses in v6 land?
  • Option 1: Local prefix
      • We use a /96 prefix obtained from the site's
        block
      • Different prefixes for different NAT64 boxes in
        the same site
  • Option 2: Global prefix
      • Candidates
          • V4-mapped prefix
          • V4-compatible prefix
          • A new global prefix assigned by IANA

16
Implication 1: global translated addresses
  • If we use a global prefix, we have a globally
    unique RR that represents translated addresses
  • Fewer problems with DNS, DNSSEC
  • No need to configure the local prefix in DNS64

17
Implication 2: communication with dual stack
  • Local prefix: translated addresses are
    represented as one of the site's addresses
  • Need other means to distinguish them: EDNS0
    option
  • Only upgraded dual stack can use it; apps that
    break with NATs may break

[Diagram: DNS, DNS64, NAT64 (IPT), H4 (IP4) on the v4 side, H6 (IP6) on the v6 side. Label: AAAA RR PrefIP4 EDNS0]
18
Implication 2: communications with dual stack
  • Global prefix
      • V4-mapped prefix
          • Automatically less preferred due to RFC 3484
            policy
          • Windows Vista, Mac OS, Linux don't use it on
            the wire
      • V4-compatible prefix
          • Automatically less preferred compared to
            native v6, but more preferred than v4
            (represented as v4-mapped)
          • Windows Vista, Mac OS, Linux send packets to
            this prefix
      • Other global prefix from IANA
          • More preferred than v4
          • Longest prefix match rule in RFC 3484 could
            help (if not deprecated)

19
Implication 3: routing fluctuations
  • Failure in intra site routing fluctuations

[Diagram: DNS, DNS64, two translators NAT64_1 and NAT64_2, H4 (IP4) on the v4 side, H6 (IP6) on the v6 side]

20
Implication 3: routing fluctuations
  • Failure in intra site routing fluctuations

[Diagram: DNS, DNS64, two translators NAT64_1 and NAT64_2, H4 (IP4) on the v4 side, H6 (IP6) on the v6 side]

21
Implication 3: routing fluctuations
  • Failure in intra site routing fluctuations

[Diagram: DNS, DNS64, two translators NAT64_1 and NAT64_2, H4 (IP4) on the v4 side, H6 (IP6) on the v6 side]

22
Endpoint independence vs. higher utilization of v4 addresses
  • Endpoint independence requires that mappings are
    (srcIP6,srcp) <-> (T,t)
  • Address- and port-dependent mappings are
    (srcIP6,srcp,dstIP6,dstp) <-> (T,t,dstIP4,dstp)
  • Can we afford endpoint independence in v6?
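
The two mapping styles on this slide, together with the Pref/96 address embedding from the overview slides, as an added Python example that is not part of the presentation. The prefix 2001:db8:64::/96, the address T = 192.0.2.1, the port pool and the lowest-free-port allocator are assumptions made for illustration.

```python
import ipaddress

# Assumed values for illustration; none of them come from the slides.
PREFIX = ipaddress.IPv6Network("2001:db8:64::/96")   # local Pref/96
T = ipaddress.IPv4Address("192.0.2.1")               # NAT64 IPv4 address
PORTS = range(1024, 65536)                           # external port pool

def synthesize(ip4):
    """DNS64 side: place the IPv4 address in the low 32 bits of Pref/96."""
    return ipaddress.IPv6Address(
        int(PREFIX.network_address) | int(ipaddress.IPv4Address(ip4)))

def extract(ip6):
    """NAT64 side: recover the IPv4 destination; reject non-Pref addresses."""
    ip6 = ipaddress.IPv6Address(ip6)
    if ip6 not in PREFIX:
        raise ValueError(f"{ip6} is outside {PREFIX}")
    return ipaddress.IPv4Address(int(ip6) & 0xFFFFFFFF)

class Nat64:
    def __init__(self, endpoint_independent):
        self.eim = endpoint_independent
        self.table = {}     # mapping key -> external port t
        self.used = set()   # (t,) or (t, dstIP4, dstp) already allocated

    def translate(self, src6, srcp, dst6, dstp):
        """Map a v6 packet to its v4 tuple (T, t, dstIP4, dstp)."""
        dst4 = extract(dst6)
        scope = () if self.eim else (dst4, dstp)
        key = (src6, srcp, *scope)
        if key not in self.table:
            # Lowest port not yet taken within this scope (hypothetical allocator).
            t = next(p for p in PORTS if (p, *scope) not in self.used)
            self.used.add((t, *scope))
            self.table[key] = t
        return (T, self.table[key], dst4, dstp)

    def ports_in_use(self):
        return len(set(self.table.values()))

# Constructed sample flows: (srcIP6, srcp, dstIP6, dstp).
FLOWS = [
    ("2001:db8::a", 5000, synthesize("198.51.100.7"), 80),
    ("2001:db8::b", 5000, synthesize("203.0.113.9"), 80),
    ("2001:db8::a", 5000, synthesize("203.0.113.9"), 443),
]

def run(endpoint_independent):
    nat = Nat64(endpoint_independent)
    return [nat.translate(*f)[1] for f in FLOWS], nat.ports_in_use()
```

With endpoint independence the three flows consume two external ports on T; with address- and port-dependent mapping they share one, because the destination keeps the v4 tuples distinct.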