1 SIIT-DC: Stateless IP/ICMP Translation for IPv6 Data Centre Environments & SIIT-DC: Dual Translation Mode Tore Anderson Redpill Linpro AS RIPE 91, Honolulu, November 2014
2 An IPv6 data centre The IPv6 Internet IPv6 data centre infrastructure
3 An IPv6 data centre with SIIT-DC The IPv6 Internet The IPv4 Internet SIIT-DC gateway(s) IPv6 data centre infrastructure
4 So how does it work? IPv4 packets are statelessly translated to IPv6 and vice versa by the SIIT-DC GWs [RFC 6145] The end user's IPv4 source address is 1:1 mapped into a 96-bit IPv6 prefix [RFC 6052] The service's IPv4 destination address is rewritten according to a 1:1 IPv4:IPv6 mapping configured in the SIIT-DC gateways IPv /0 IPv6-mapped IPv4 64:ff9b:: /96 IPv6 ::/0 (not to scale)
5 Route: 64:ff9b::/96 The IPv4 Internet IPv6-only data centre :db8::1 An IPv6 /96 prefix is assigned as the translation prefix representing the IPv4 internet and routed to the SIIT-DC gateways
6 Route: /24 Route: 64:ff9b::/ The IPv4 Internet IPv6-only data centre 2001:db8::1 An IPv6 /96 prefix is assigned as the translation prefix representing the IPv4 internet and routed to the SIIT-DC gateways A pool of IPv4 service addresses is assigned and routed to the SIIT-DC gateway
7 Route: /24 SIIT-DC gateway configuration: Map :db8::1 Translation prefix: 64:ff9b::/96 Route: 64:ff9b::/96 The IPv4 Internet IPv6-only data centre :db8::1 The SIIT-DC gateway is configured with static IPv4 mappings for each IPv6 service The IPv6 /96 prefix is configured as a default rule (used if no static map match) IPv4 (IN A) records are added to DNS
8 Route: /24 SIIT-DC gateway configuration: Map :db8::1 Translation prefix: 64:ff9b::/96 Route: 64:ff9b::/96 SRC: DST: HTTP GET /foo [...] The IPv4 Internet IPv6-only data centre :db8::1 The client looks up the service's IPv4 address in DNS, and connects to it like it would with any other IPv4 address The IPv4 packet is routed to the SIIT-DC gateway's IPv4 interface
9 Route: /24 SIIT-DC gateway configuration: Map :db8::1 Translation prefix: 64:ff9b::/96 Route: 64:ff9b::/96 SRC: DST: HTTP GET /foo [...] SRC: 64:ff9b:: DST: 2001:db8::1 HTTP GET /foo [...] The IPv4 Internet IPv6-only data centre :db8::1 The SIIT-DC gateway translates the packet to IPv6 DST address is rewritten according to static map SRC address gets the /96 prefix prepended (as it does not match any static maps) Layer 4 payload is copied verbatim
10 Route: /24 SIIT-DC gateway configuration: Map :db8::1 Translation prefix: 64:ff9b::/96 Route: 64:ff9b::/96 SRC: DST: HTTP GET /foo [...] SRC: 64:ff9b:: DST: 2001:db8::1 HTTP GET /foo [...] The IPv4 Internet IPv6-only data centre SRC: 2001:db8::1 DST: 64:ff9b:: HTTP 200 OK [...] :db8::1 The server (or load balancer) responds to the packet just as it would with any other IPv6 packet The server / LB requires no SIIT-DC support or awareness The original IPv4 source address is not lost Response packet is routed back to the SIIT-DC GW
11 Route: /24 SIIT-DC gateway configuration: Map :db8::1 Translation prefix: 64:ff9b::/96 Route: 64:ff9b::/96 SRC: DST: HTTP GET /foo [...] SRC: 64:ff9b:: DST: 2001:db8::1 HTTP GET /foo [...] The IPv4 Internet IPv6-only data centre SRC: DST: HTTP 200 OK [...] SRC: 2001:db8::1 DST: 64:ff9b:: HTTP 200 OK [...] :db8::1 The SIIT-DC gateway translates back to IPv4: SRC address according to static mapping rule DST address doesn't match any static map, so it only gets the /96 prefix stripped Response packet is routed back to client
12 Rationale for the static mapping When using RFC 6052 mapping for SRC and DST: Servers/applications/LBs must be set up with special IPv4-mapped IPv6 addresses (in addition to their primary IPv6 address) These must be routed as /128s throughout the IPv6 network and cannot be aggregated Must be treated specially in ACLs, monitoring, debugging, etc. Distributes complexity relating to IPv4 backwards compat across the IPv6 network and applications «Dual-stack lite» - separate treatment of IPv4 and IPv6 When using static mappings for DST address: All complexity contained within a small number of SIIT-DC GWs Server admins do not make any config changes to get an IPv4 frontend («can I have an external IPv4 address for 2001:db8::1?»)
13 Application requirements If the application does work through NAT44, it will likely work with SIIT-DC as well e.g., HTTP and HTTPS If the application does not work through NAT44, it will likely not work with single-translation SIIT-DC e.g., FTP (uses IP literals in Layer 7 payload) The servers' OS and application stacks must fully support IPv6 Dual translation to the rescue...
14 Supporting IPv4-only applications A Host Agent reverses the SIIT-DC Gateway's translations before passing data to the application Application handles IPv4 traffic on an IPv4 socket Very similar to the CLAT component in 464XLAT End-to-end IPv4 address transparency; referrals work IPv4-only end user The IPv4 Internet SIIT-DC Gateway IPv6-only data centre network SIIT-DC Host Agent IPv6-only server FTP & FTP+TLS daemon software SRC: DST: SRC: 64:ff9b:: DST: 2001:db8::1 SRC: DST:
15 The TODO list Static mappings are not checksum neutral (ref. RFC6052 section 4.1) [Andrew Yourtchenko] Fragment Identification may be (partially) lost during translation [Andrew Yourtchenko] Hairpinning between IPv4-only apps/nodes behind SIIT-DC Host Agents [Andrew Yourtchenko] Improve (or remove) text regarding migration from dual-stack using DNS round robin [Andrew Yourtchenko]
16 TODO: SIIT-DC Proxy [Ray Hunter] A SIIT-DC Host Agent running in a CPE device Allows for supporting IPv4-only devices Or IPv6-capable OS-es w/o Host Agent support, which runs IPv4-only/NAT-unfriendly apps/software The proxy could potentially bridge native IPv6 traffic «Bump In The Wire» for IPv4 traffic IPv4-only end user The IPv4 Internet SRC: DST: SIIT-DC Gateway IPv6-only data centre network SRC: 64:ff9b:: DST: 2001:db8::1 SIIT-DC Proxy.9 IPv4 island /30 SRC: DST: IPv4-only server.10
17 There's even running code TAYGA for Linux (open source) Cisco ASR1K Requires IOS XE v3.10 Brocade ServerIron ADX (not tested by me) F5 BIG-IP LTM (not tested by me) https://github.com/toreanderson/clatd SIIT-DC Host Agent for Linux (uses TAYGA)
18 Questions for the WG Name? SIIT-DC derives from SIIT (RFC 6145) But people seem to think of it as «Stateless NAT46» or «Stateless NAT64» (both of which are available) On the other hand, «NAT» is usually associated with port rewriting and stateful tracking, which is not done Anyone interested in being a co-author? Is it ready for WG adoption?
19 Questions & discussion! Thank you for listening! Further reading: RFC IPv6 Addressing of IPv4/IPv6 Translators RFC IP/ICMP Translation Algorithm draft-anderson-v6ops-siit-dc - Stateless IP/ICMP Translation in IPv6 Data Centre Environments draft-anderson-v6ops-siit-dc-2xlat SIIT-DC: Dual Translation Mode - My personal home page (contact info, social media links, slides from this and earlier talks) - My employer and sponsor of this project Note: IPv4 traffic to both of the above URLs is routed through a SIIT-DC gateway (eating my own dog food)
Accessing the WAN Chapter 7 Objectives 2 Configure DHCP in an Enterprise branch network. DHCP features and benefits Differences between BOOTP and DHCP DHCP operation: and configuring, verifying, and troubleshooting
Web Application Hosting Cloud Architecture Executive Overview This paper describes vendor neutral best practices for hosting web applications using cloud computing. The architectural elements described
NEFSIS TRAINING SERIES Nefsis Dedicated Server version 5.2.0.XXX (DRAFT Document) Requirements and Implementation Guide (Rev5-113009) REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER Nefsis
Implementation, Simulation of Linux Virtual Server in ns-2 CMPT 885 Special Topics: High Performance Networks Project Final Report Yuzhuang Hu firstname.lastname@example.org ABSTRACT LVS(Linux Virtual Server) provides
UNIVERSITY OF OSLO Department of Informatics Performance Measurement of Web Services Linux Virtual Server Muhammad Ashfaq Oslo University College May 19, 2009 Performance Measurement of Web Services Linux
PREPARING AN IP6 ADDRESS PLAN MANUAL PREPARING AN IP6 ADDRESS PLAN MANUAL ersion 2, 18 September 2013 CONTENTS 1. Introduction... 3 1.1. For Whom is this Document Intended?... 3 2. Structure of IPv6 Addresses...
Set Up the VM-Series Firewall in AWS Palo Alto Networks VM-Series Deployment Guide PAN-OS 6.1 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054
Release Version 3 The 2X Software Server Based Computing Guide Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless
Loadbalancer.org Appliance Setup v5.9 This document covers the basic steps required to setup the Loadbalancer.org appliances. Please pay careful attention to the section on the ARP problem for your real
Linux Virtual Server for Scalable Network Services Wensong Zhang National Laboratory for Parallel & Distributed Processing Changsha, Hunan 410073, China email@example.com, http://www.linuxvirtualserver.org/
Iomega EZ Media and Backup Center User Guide Table of Contents Setting up Your Device... 1 Setup Overview... 1 Set up My Iomega StorCenter If It's Not Discovered... 2 Discovering with Iomega Storage Manager...
High Availability Low Dollar Load Balancing Simon Karpen System Architect, VoiceThread firstname.lastname@example.org Via Karpen Internet Systems email@example.com These slides are licensed under the
SYMANTEC ADVANCED THREAT RESEARCH The Teredo Protocol: Tunneling Past Network Security and Other Security Implications Dr. James Hoagland Principal Security Researcher Symantec Advanced Threat Research
RSA Authentication Manager 8.1 Planning Guide Revision 1 Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm Trademarks
Active-Active Servers and Connection Synchronisation for LVS Horms (Simon Horman) firstname.lastname@example.org VA Linux Systems Japan, K.K. www.valinux.co.jp with assistance from NTT Comware Corporation www.nttcom.co.jp
VoIP communication AX210 IP Telephone System User Manual 1 AX210 Menu Getting Started... 3 Introduction... 4 Packing list... 5 Specification... 5 Hardware setup... 6 First Login to Wizard... 7 Extension...
Transport and Security Specification 15 July 2015 Version: 5.9 Contents Overview 3 Standard network requirements 3 Source and Destination Ports 3 Configuring the Connection Wizard 4 Private Bloomberg Network
1 TABLE OF CONTENTS... 2 ABOUT THIS USER S GUIDE... 4 INTRODUCTION... 4 PACKAGE CONTENTS... 5 SYSTEM REQUIREMENTS... 5 FEATURES AND BENEFITS... 6 HARDWARE OVERVIEW... 7 FRONT VIEW... 7 REAR VIEW (CONNECTIONS)...
Voipswitch Manual for version 340 and higher by Gabriel Georgescu 1 OVERVIEW 3 SOFTSWITCH 4 REQUIREMENTS. 10 PROGRAM INSTALLATION. 10 LAUNCHING THE MAIN APPLICATION VOIPSWITCH 12 GATEWAYS 18 GK/REGISTRAR
VoIP communication Deploying the PBX220 IP Telephone System Technical Manual PBX220 1 Menu Getting Started... 4 Introduction... 5 Packing list... 6 Specification... 6 Hardware Setup... 7 First Login to
BEC 6300VNL GigaConnect 4G/LTE VoIP Wireless Broadband Router User Manual Version release: v1.07 Last revised: November, 2014 TABLE OF CONTENTS CHAPTER 1: INTRODUCTION... 1 INTRODUCTION TO YOUR ROUTER...
Red Hat Cluster Suite Overview Red Hat Cluster Suite for Red Hat Enterprise Linux 5.2 Cluster_Suite_Overview ISBN: N/A Publication date: May 2008 Red Hat Cluster Suite Overview Red Hat Cluster Suite Overview
Deployment Scenarios Sun Cobalt Summary The Sun Cobalt is a network-based appliance for managing a large number of remote servers and for deploying services to these servers. A control station is deployed