Secure64. Use cases for DNS64/NAT64



Similar documents
IPv6 and DNS. Secure64

IPv6 and DNS. Secure64

464XLAT: Breaking Free of IPv4. T-Mobile.com NANOG 61 June 2014

464XLAT: Breaking Free of IPv4. APRICOT 2014

IPV6 DEPLOYMENT GUIDELINES FOR. ARRIS Group, Inc.

IPv6-only hosts in a dual stack environnment

VDE Tagung Mobilkommunikation 2014, Osnabruck

DEPLOYMENT GUIDE Version 1.4. Configuring IP Address Sharing in a Large Scale Network: DNS64/NAT64

IPv4 and IPv6 Integration. Formation IPv6 Workshop Location, Date

Use Domain Name System and IP Version 6

Challenges in NetFlow based Event Logging

Real World IPv6 Migration Solutions. Asoka De Saram Sr. Director of Systems Engineering, A10 Networks

IPv6 The Big Picture. Rob Evans, Janet

EXPEDITING ACCESS TO V6 SERVICES: GETTING WEB CONTENT AVAILABLE OVER IPV6 QUICKLY AND AT LOW COST

464XLAT in mobile networks

Deployment Guide A10 Networks/Infoblox Joint DNS64 and NAT64 Solution

Using LISP for Secure Hybrid Cloud Extension

About Me. Work at Jumping Bean. Developer & Trainer Contact Info: mark@jumpingbean.co.za

IPv6 TRANSITION TECHNOLOGIES

1. Introduction to DirectAccess. 2. Technical Introduction. 3. Technical Details within Demo. 4. Summary

IPv6, Perspective from small to medium ISP

Transition to IPv6 in Service Providers

THE ADOPTION OF IPv6 *

SIIT-DC: Stateless IP/ICMP Translation for IPv6 Data Centre Environments & SIIT-DC: Dual Translation Mode

IPv6 Troubleshooting for Helpdesks

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Advanced IPv6 Design and Deployment for

IPV6 SERVICES DEPLOYMENT

Development of an IPv6 Honeypot

Linux as an IPv6 dual stack Firewall

IPv4/IPv6 Transition Mechanisms. Luka Koršič, Matjaž Straus Istenič

IPv6-Only. Now? Sites. Deutscher IPv6 Kongress June 6/7, 2013 Fr ankfur t /Ger many. Holger.Zuleger@hznet.de

Deploying IPv6 at Scale As an ISP. Clinton Work Member of the TELUS team October 2015

APNIC IPv6 Deployment

LAN TCP/IP and DHCP Setup

SIIT-DC: IPv4 Service Continuity for IPv6 Data Centres. Tore Anderson Redpill Linpro AS RIPE69, London, November 2014

Securing the Transition Mechanisms

DirectAccess in Windows 7 and Windows Server 2008 R2. Aydin Aslaner Senior Support Escalation Engineer Microsoft MEA Networking Team

21.4 Network Address Translation (NAT) NAT concept

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

IPv6 deployment status & Migration Strategy

NAT Tutorial. Dan Wing, IETF78, Maastricht July 25, 2010

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

Matt Ryanczak Network Operations Manager

NetSpective Global Proxy Configuration Guide

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies DENOG 5 14 th November 2013

Discovering IPv6 with Wireshark. presented by Rolf Leutert

Transition to IPv6 for Managed Service Providers: Meet Customer Requirements for IP Addressing

IPv6 Trace Analysis using Wireshark Nalini Elkins, CEO Inside Products, Inc.

Introduction. What is Unbound and what is DNSSEC. Installation. Manual for Unbound on Windows. W.C.A. Wijngaards, NLnet Labs, October 2010

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Firewalls und IPv6 worauf Sie achten müssen!

IPv4/IPv6 Transition Using DNS64/NAT64: Deployment Issues

VMware vcloud Air Networking Guide

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Source-Connect Network Configuration Last updated May 2009

IPv6 Tunneling Over IPV4

1 Basic Configuration of Cisco 2600 Router. Basic Configuration Cisco 2600 Router

Updates to Understanding IPv6

IPv6.marceln.org.

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Configuring Windows Server 2008 Network Infrastructure

Microsoft Present and Future

CGN Deployment with MPLS/VPNs

Application-layer protocols

IPv6 Deployment Strategies

Basic IPv6 WAN and LAN Configuration

IPv6 Fundamentals: A Straightforward Approach

How to connect your new virtual machine to the Internet

DNS Resolving using nslookup

Operational Problems in IPv6: Fallback and DNS issues

Network Address Translation (NAT) Adapted from Tannenbaum s Computer Network Ch.5.6; computer.howstuffworks.com/nat1.htm; Comer s TCP/IP vol.1 Ch.

Configuring NTP. Information about NTP. NTP Overview. Send document comments to CHAPTER

Chapter 12 Supporting Network Address Translation (NAT)

Ecdysis: Open-Source DNS64 and NAT64

TR-296 IPv6 Transition Mechanisms Test Plan

An Introduction to the Domain Name System

Basic DNS Course. Module 1. DNS Theory. Ron Aitchison ZYTRAX, Inc. Page 1 of 24

ATIS Open Web Alliance. Jim McEachern Senior Technology Consultant ATIS

Lab 5 Explicit Proxy Performance, Load Balancing & Redundancy

How Your Computer Accesses the Internet through your Wi-Fi for Boats Router

ProCurve Networking IPv6 The Next Generation of Networking

Planning the transition to IPv6

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

World IPv6 Day. Lorenzo Colitti

Site to Site VPN s between two networks with the same IP Address scheme.

IPv6 Troubleshooting for Residential ISP Helpdesks

Project 4: IP over DNS Due: 11:59 PM, Dec 14, 2015

Proxy Server, Network Address Translator, Firewall. Proxy Server

Transcription:

Secure64 Use cases for DNS64/NAT64

Agenda / About Me VP of Sales and Customer Solutions at Secure64 Software Corp. Director and founder of the TXv6TF Personal blog at IPv4depletion.com 1

IPv4 Depletion Global IANA pool depleted in Feb-2011 Feb 2013 April 2011

IPv6 Deployment Deployment is minimal, Texas Universities: 1/107 www.tamu.edu 2606:aa00:3:202::6 Texas Corporations: 0/30 softlayer.com 2607:f0d0:1000:11:1::4 Texas Counties: 2/233 www.angelinacounty.net. 2620:0:50e0:3::31 www.co.kerr.tx.us 2001:470:1f11:bcd:21e:c9ff:feaf:68c8 But on the other hand, Large content providers (Google, Yahoo!, etc) are committed to the world IPv6 launch day. 25% of all DNS lookups have the potential to go over IPv6, mainly because of Godaddy IPv6 compliant organizations reported peaks of 68% IPv6 traffic during the world IPv6 day in 2011. 3

About Secure64 DNS Manager DNS Authority DNS Signer DNS Cache SourceT Micro OS

Supporting IPv6 in DNS IPv4 only network Necessary Intermediate Steps IPv6 only network Features to help migrate away from IPv4 Features to help migrate to Dual Stack AAAA resource records Function over IPv6 transport Handle IPv6 specific issues Most DNS implementations have only addressed these two Time

Transition Mechanisms Native/Dual Stack Dual Stack NAT64/DNS64 Translate DOCSIS 3.0 3GPP IVI DNS 6to4 A+P Teredo 6RD Tunnel v4 in v6 DS-LITE LISP ISATAP Tunnel v6 in v4

What is NAT64/DNS64 Transition mechanism to IPv6 Defined in RFC 6146 and RFC 6147 Two components, DNS server and NAT gateway. Utilizes DNS to lie to the client, saying that everything has an AAAA record. Multiple use cases. Use Case I (Service Providers) Allow IPv6 only clients to communicate with IPv4 only servers Use Case II (Content providers) Enable IPv6 for IPv4 only servers without dual stacking each server. The reason we can do NAT64 is that the IPv6 address space is larger than the IPv4 address space. 7

IPv6 and DNS Some common misunderstandings and pitfalls about v6 and DNS: The network protocol (v4 or v6) is not linked to the record type (A or AAAA) that can be looked up. The network protocol (v4 or v6) used between the client and the recursive DNS is not related to the network protocol used between the recursive DNS and the authoritative DNS. If there is an outgoing v6 interface, then the DNS system will start to use it. 8

x2 load on DNS getaddrinfo() A AAAA

Dual Stack Issues Brokenness A painful long timeout before the user reverts back to IPv4 Happy eyeballs implemented in Firefox and Chrome Filter-AAAA implemented in some DNS servers Does not appear to be a large problem. No complaints during world IPv6 day reported. 10

NAT64 / DNS64 Solution V6 only network DNS64 ` NAT64 Secure64 DNS cache: dns64-prefix list: 2001:db8:1::/96 2001:db8:2::/96 2001:db8:3::/96

NAT64 / DNS64 Under The Hood Client DNS64 Authoritative DNS www.ipv4only.com ` Q AAAA? Q AAAA? EMPTY Q A? R = 2001:db8:101::c000:201 NAT64 R = 192.0.2.1 Webserver 2001:db8:101::c000:201 192.0.2.1 2001:db8:101::c000:201 192.0.2.1

Use Case I, NAT64 / DNS64 for Service Providers Only viable approach if you don t have enough IPv4 addresses for dual stack DNS64/NAT64 does not break anything. But badly programmed applications/websites might not work. User experience with NAT64 is (almost) the same as NAT44 and better than NAT444 We had some issues with NAT44 back in the days too. But we managed to work around those Passive FTP IPSEC over UDP Peer to Peer 13

NAT64/CGN and Logging To the v6 internet To the v4 internet ` v6 NAT64 v4 Each user will create gigabytes of logs Only packets to the v4 internet have to be logged Maximizing the native v6 traffic minimizes the logs Make sure your DNS64 server returns all native domains without using PREF64 translation. Logging - As a content provider, make sure to turn on v6 so that your visitors don t have get all their sessions logged. 14

Use case 1.5 The Future of NAT64/DNS64 How do we handle broken applications and websites? draft-ietf-behave-nat64-discovery-heuristic-07.txt draft-ietf-v6ops-464xlat-01 ` Dual v6 v4 CLAT PLAT 15

DNS64 Functionality Options Sticky clients Make sure a client goes to the same IPv4 server during the session. Mixed deployments using views The same DNS server must be able to handle different types of networks and different NAT64 gateways. Load balancing via DNS Coarse load balancing of NAT64 gateways High availability Take one NAT64 gateway out of rotation if it becomes unavailable. 16

Configuring for DNS64/NAT64 DNS is now a network technology: Who manages the DNS64? Do we need to teach our network operators Unix? How do we monitor the solution? So let s manage it like we manage our other network devices: [view@secure64]#> enable sysadmin [sysadmin@secure64]#> route default 10.10.5.1 [sysadmin@secure64]#> route default 2001:DB8:1:5::1 [sysadmin@secure64]#> route sym [sysadmin@secure64]#> ifconfig eth1 10.10.5.2 255.255.255.0 [sysadmin@secure64]#> ifconfig eth2 2001:DB8:1:5::2/64 [sysadmin@secure64]#> activate [sysadmin@secure64]#> save [sysadmin@secure64]#> show config [view@secure64]#> enable cachednsadmin [cachednsadmin@secure64]# edit cache.conf interface: 10.10.5.2 interface: 2001:DB8:1:5::2 outgoing-interface: 10.10.5.2 outgoing-interface: 2001:DB8:1:5::2 access-control: 0.0.0.0/0 allow access-control: ::0/0 allow dns64-prefix: 64:ff9b::/96 <CTRL-X to save and exit> [cachednsadmin@secure64]# stop cachedns [cachednsadmin@secure64]# start cachedns

DNS64 Everybody Will Need It 100% Dual stack DNS64 IPv4 10% 0% IPv6 Time

Use case II, NAT64 / DNS64 for Hosting Providers Client DNS64 enabled Authoritative DNS ` www.ipv6site.com Q AAAA? R = 2001:db8:101::c000:201 NAT64 Webserver 2001:db8:101::c000:201 192.0.2.1 2001:db8:101::c000:201 192.0.2.1

Use case II, NAT64 / DNS64 for Hosting Providers Simple way of providing a large number of externally reachable servers with IPv6 connectivity Just add DNS records point to the NAT64 device www.example.com A 192.0.2.1 www.example.com AAAA 2001:db8:101::c000:201 Does not prevent IPv4 depletion 20

Conclusions The migration to IPv6 will increase the load on DNS servers Dual stack is the IETF recommended transition mechanism but not the only one. Consider alternatives such as DNS64/NAT64 Some applications are broken and can t work over NAT64/DNS64 There are many small pitfalls with DNS64/NAT64 Additional resources http://www.secure64.com/transition-to-ipv6 Stephan.lagerholm@secure64.com Visit our booth here at the summit

Questions?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information