ipv6_NatPTforIPv6_Mai2003

8/3/2019 ipv6_NatPTforIPv6_Mai2003

1/22

1 2003, Cisco Systems, Inc. All rights reserved.NAT-PT, 5/03

Cisco IOS NAT-PT for IPv6

Benoit Lourdelet

Cisco IOS Technical Marketing


2/22


IPv6-IPv4 Translation Mechanisms

Specified by IETF NGTrans WG

http://www.ietf.org/html.charters/ngtrans-charter.html

NAT-PT (RFC 2766)

TCP-UDP Relay (RFC 3142)

BIS (Bump-In-the-Stack) (RFC 2767)

BIA (Bump-In-the-API) (RFC 3338)

DSTM (Dual Stack Transition Mechanism)

SOCKS-based Gateway (RFC 3089)


3/22


Basic Concept of NAT

NAT changes the IP addresses in the IP header

MyNetwork Internet

10.6.1.20 Internet Host

NATBefore NATOutbound Packet

Before NATOutbound Packet

Src Addr10.6.1.20

Src Addr10.6.1.20

Dest AddrInternet Host

Dest Addr

Internet Host

After NATOutbound Packet

After NATOutbound Packet

Src Addr171.69.68.10

Src Addr171.69.68.10

Dest AddrInternet Host

Dest Addr

Internet Host

After NATReturn Packet

After NATReturn Packet

Src AddrInternet Host


Dest Addr10.6.1.20

Dest Addr10.6.1.20

Before NATReturn PacketBefore NAT

Return Packet



Dest Addr171.69.68.10

Dest Addr171.69.68.10


4/22


Port Address Translation (PAT) extends NAT fromone-to-one to many-to-one by associating the

source port with each flow

PAT

MyNetwork

10.6.1.20

10.6.1.6Before PAT

Outbound Packet

Before PAT

Outbound Packet

Dest PortAny Port

Dest Addr10.6.1.6

Dest Addr10.6.1.6

Src Port1506

Src Port1506

Dest AddrHost 2

After PAT

Outbound Packet

After PAT

Outbound Packet

Dest PortAny PortDest PortAny Port

Src Addr171.69.68.10

Src Addr171.69.68.10

SRC Port1506

SRC Port1506

Dest AddrHost 2

Dest AddrHost 2

After PATOutbound Packet

After PATOutbound Packet

Dest PortAny PortDest PortAny Port

Src Addr171.69.68.10

Src Addr171.69.68.10

SRC Port2031

SRC Port2031

Dest AddrHost 1

Dest AddrHost 1

Before PATOutbound Packet


Dest PortAny Port

Src Addr10.6.1.6

Src Addr10.6.1.6

Src Port2031

Src Port2031

Dest AddrHost 1

Internet

Basic Concept of Port AddressTranslation


5/22


PAT

MyNetwork

10.6.1.20

10.6.1.6Before PAT

Outbound PacketBefore PAT

Outbound Packet

Dest PortAny Port

Dest Addr10.6.1.6

Dest Addr10.6.1.6

Src Port1506

Src Port1506

Dest AddrHost 2



Dest PortAny Port

Src Addr10.6.1.6

Src Addr10.6.1.6

Src Port2031

Src Port2031

Dest AddrHost 1

Internet

Before PATReturn Packet

Before PATReturn Packet

Dest Addr171.69.68.10Dest Addr

171.69.68.10

Dest Port1506

Dest Port1506

Src AddrHost 2

Src AddrHost 2

Src PortAny PortSrc PortAny Port

Basic Concept of PAT (Cont)

PAT extends NAT from one-to-one to many-to-one by associating the source port with each flow


6/22


Network Address Translation -Protocol Translation for IPv6

NAT-PT allows native IPv6 hosts and

applications to communicate with nativeIPv4 hosts and applications, and viceversa

Easy-to-use transition and co-existencesolution


7/22


NAT-PT Concept

NAT-PTIPv4

InterfaceIPv4

Interface

ipv6 nat prefixIPv4 Host IPv6 Host

IPv6Interface

IPv6Interface

172.16.1.1 2001:0420:1987:0:2E0:B0FF:FE6A:412C

PREFIX is a 96-bit field that allows routing backto the NAT-PT device


8/22


NAT-PTIPv4

InterfaceIPv4

Interface

IPv4 Host IPv6 Host

IPv6Interface

IPv6Interface

172.16.1.12001:0420:1987:0:2E0:B0FF:FE6A:412C

Src: 2001:0420:1987:0:2E0:B0FF:FE6A:412C

Dst: PREFIX::1

12

Src: 172.17.1.1

Dst: 172.16.1.1

3

Src: 172.16.1.1Dst: 172.17.1.1

Src: PREFIX::1

Dst: 2001:0420:1987:0:2E0:B0FF:FE6A:412C

4

NAT-PT Packet Flow


9/22


NAT-PT supported since Cisco IOS SoftwareRelease 12.2(13)T

IP Header and address translation

Support for ICMP and DNS embeddedtranslation

Auto-aliasing of NAT-PT IPv4 Pool Addresses

Future developments will add more ALG support

1st implementation does not support FTP ALG

Cisco IOS NAT-PT Features


10/22


Stateless IP ICMP Translation (SIIT)

Ipv6 fieldIpv6 field IPv4 fieldIPv4 field ActionAction

AdjustAdjust

DSCPDSCP

Total lengthTotal length

TTLTTLHop limitHop limit CopyCopy

Payload lengthPayload length

Traffic classTraffic class

Version = 4Version = 4 OverwriteOverwriteVersion = 6Version = 6

Next headerNext header CopyCopyProtocolProtocol

Flow labelFlow label Set to 0Set to 0N/AN/A

CopyCopy


11/22


DNS Application Layer Gateway

NAT-PT

IPv4 DNS IPv6 Host

Type=AAAA Q=host.nat-pt.com

1

3

Type=A R=172.16.1.5 Type=AAAA R=2010::45

4

2

Type=A Q=host.nat-pt.com

Type=PTR Q=5.4.0...0.1.0.2.IP6.ARPA

5

Type=PTR R=host.nat-pt.com

87

Type=PTR R=host.nat-pt.com

6Type=PTR Q=5.1.16.172.in-addr-arpa


12/22


DNS ALG Address Assignment

Ethernet-2

Ethernet-1

DNS query

Host C

DNS v6

DNS v4

Host A

DNS query

TTL value in DNS Resource Record = 0


13/22


Configuring NAT-PT

Enabling NAT-PT on an interface

[no] ipv6 nat

Configure global/per interface NAT-PT prefix

[no] ipv6 nat prefix ::/96 Configuring static address mappings

[no] ipv6 nat v6v4 source

[no] ipv6 nat v4v6 source

Configuring dynamic address mappings[no] ipv6 nat v6v4 source pool

[no] ipv6 nat v6v4 pool prefix-length


14/22


Configure Translation Entry Limit

[no] ipv6 nat translation max-entries

Debug commands

debug ipv6 nat

debug ipv6 nat detailed

Configuring NAT-PT (Cont)


15/22


NAT-PT translation timeouts

Dynamic translations time out after 24 hours

[no] ipv6 nat translation timeout

Non-DNS UDP translations time out after 5 minutes

[no] ipv6 nat translation udp-timeout

DNS translations time out after 1 minute

[no] ipv6 nat translation dns-timeout

TCP translations time out after 24 hours, unless aRST or FIN is seen on the stream, in which case ittimes after 1 minute

[no] ipv6 nat translation tcp-timeout

[no] ipv6 nat translation finrst-timeout

[no] ipv6 nat translation icmp-timeout


16/22


Cisco IOS NAT-PTConfiguration Example

LAN2: 192.168.1.0/24

LAN1: 2001:2::/64

Ethernet 2

Ethernet 1NATed prefix 2010::/96

.200

interface Ethernet1

ipv6 address 2001:2::10/64

ipv6 nat

!

interface Ethernet2

ip address 192.168.1.1 255.255.255.0

ipv6 nat prefix 2010::/96

ipv6 nat

!

ipv6 nat v6v4 source 2001:2::1 192.168.2.1

ipv6 nat v4v6 source 192.168.1.200 2010::60

!

2001:2::1


17/22


LAN2: 192.168.1.0/24

LAN1: 2001:2::/64

Ethernet 2

Ethernet 1NATed prefix 2010::/96

.200

interface Ethernet1

ipv6 address 2001:2::10/64

ipv6 nat

!

interface Ethernet2

ip address 192.168.1.1 255.255.255.0

ipv6 nat prefix 2010::/96

ipv6 nat

!

ipv6 nat v4v6 source 192.168.1.100 2010::1

!

ipv6 nat v6v4 source list v6-list pool v4pool1

ipv6 nat v6v4 pool v4pool1 192.168.2.1 192.168.2.10prefix-length 24

!

ipv6 access-list v6-list

permit 2001:2::/64 any

DNS

.100

2001:2::1

Cisco IOS NAT-PT with DNS ALGConfiguration Example


18/22


LAN2: 192.168.1.0/24

LAN1: 2001:2::/64

Ethernet 2

Ethernet 1

Router1

NATed prefix 2010::/96

.200

Router1 #show ipv6 nat translations

Pro IPv4 source IPv6 source IPv6 destn IPv4 destn

--- --- --- 2010::60 192.168.1.200

--- 192.168.2.1 2001:2::1 ---

2001:2::1

Cisco IOS NAT-PT Display (1)


19/22


Router1#show ipv6 nat statistics

Total active translations: 15 (2 static, 3 dynamic;

10 extended)

NAT-PT interfaces:

Ethernet1, Ethernet2

Hits: 10 Misses: 0

Expired translations: 0

LAN2: 192.168.1.0/24

LAN1: 2001:2::/64

Ethernet 2

Ethernet 1

Router1

.200

2001:2::1

Cisco IOS NAT-PT Display (Cont)


20/22


NAT-PT points of attention

ALG per application carrying IP addresses No end-to-end security

No DNSsec

No IPsec because different address realms


21/22


NAT-PT Conclusion

Easy IPv6 / IPv4 co-existence mechanism Enable applications to cross the protocol

barrier

Share most of the benefits/constraints of

NAT

Documents

ipv6_NatPTforIPv6_Mai2003