NAT64: Stateful NAT64, defined in RFC 6146, is a stateful translation mechanism for translating IPv6 addresses to IPv4 addresses, and IPv4 addresses to IPv6 addresses. It is called stateful because it creates or modifies bindings or session state while performing translation. It supports both IPv6-initiated and IPv4-initiated communications using static or manual mappings.
DNS64: DNS64 is used together with NAT64 and works as an addition to the standard DNS server. When DNS64 is asked for an AAAA record (IPv6 address for a hostname) but finds (or receives from an upstream DNS) only an A record, it synthesizes the AAAA record from the A record. The first part of the synthesized AAAA record is a well-known or service provider assigned IPv6 prefix, which is also used with NAT64. The second part of the AAAA record is an IPv4 address of the IPv4 host that is found in the A record.
In this lab scenario we are simulating a mixed IPv6 transition approach using stateful and static NAT64.
The service provider network is a dual-stack network capable of supporting IPv4-only, IPv6-only and dual-stack customers. The service provider is connected to both the IPv4 and IPv6 Internet backbones.
The customer network is IPv6-only except for the CE-to-PE link. The customer owns a normal /48 public IPv6 prefix, which is used across the entire enterprise, and a small /24 IPv4 subnet, which is kept at the edge device for reaching the legacy IPv4 Internet through NAT64.
Customer endpoints are IPv6-only (not dual stack), so they reach the IPv6 Internet normally. To reach the IPv4 Internet, the customer's endpoints obtain the synthesized IPv6-equivalent address of the IPv4 host from DNS64.
DNS64 is not simulated in this scenario, but we assume that the DNS64 server behaves as follows:
|Hostname||IPv4 Address||IPv6 equivalent Address|
The packet sequence for reaching an IPv4 host from an IPv6 client is as follows:
PC-3 (2001:db8:bbbb:20:2050:79ff:fe66:6800/64) sends a query to the local DNS64 server for example.com, which is an IPv4-only host.
DNS64 sends (proxies) the query to an upstream IPv4 DNS server and gets the IPv4 address (192.168.10.100).
DNS64 synthesizes the IPv6-equivalent address (64:ff9b::192.168.10.100) and sends it back to the client PC.
The client creates the IPv6 packet below and sends it out:
|IPv6 SA: 2001:db8:bbbb:20:2050:79ff:fe66:6800|
|IPv6 DA: 64:ff9b::192.168.10.100|
The packet reaches the CE router, where it needs to be translated to an IPv4 packet. This is more than a source or destination address translation: a new IPv4 packet is generated based on the IPv6 packet.
The source IPv4 address for the new packet is picked from a NAT pool, and the destination is derived from the IPv6 destination address (DNS64 has already embedded the IPv4 address in the IPv6 address).
|IPv4 DA: 192.168.10.100|
The packet then travels to its destination on the IPv4 Internet.
This is a dynamic stateful NAT/PAT operation, which means it must be initiated from the inside network. For inside IPv6 hosts to be reachable from the outside IPv4 Internet, static NAT64 needs to be configured.
hostname CE-2
!
ipv6 unicast-routing
!
interface Ethernet0/0
 ip address 10.0.21.2 255.255.255.0
 nat64 enable
 ipv6 address 2001:DB8:AAAA:21::2/64
!
interface Ethernet0/1
 no ip address
 nat64 enable
 ipv6 address 2001:DB8:BBBB:20::2/64
!
ip route 0.0.0.0 0.0.0.0 10.0.21.1
ip route 192.168.20.0 255.255.255.0 Null0
!
nat64 v4 pool NPOOL-PUBLIC-1 192.168.20.10 192.168.20.100
nat64 v6v4 static 2001:DB8:BBBB:20:2050:79FF:FE66:6801 192.168.20.3
nat64 v6v4 list ACL6-PUBLIC-1 pool NPOOL-PUBLIC-1 overload
!
ipv6 route ::/0 2001:DB8:AAAA:21::1
!
ipv6 access-list ACL6-PUBLIC-1
 permit ipv6 2001:DB8:BBBB::/48 any
!

hostname PE-1
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
 ipv6 address 2001:DB8:AAAA::1/128
!
interface Ethernet0/0
 ip address 10.0.21.1 255.255.255.0
 ipv6 address 2001:DB8:AAAA:21::1/64
!
interface Ethernet0/1
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 no ip address
 ipv6 address 2001:DB8:CCCC:30::1/64
!
ip route 192.168.20.0 255.255.255.0 10.0.21.2
!
ipv6 route 2001:DB8:BBBB::/48 2001:DB8:AAAA:21::2
!

PC-3> ping 64:FF9B::192.168.10.100
64:FF9B::192.168.10.100 icmp6_seq=1 ttl=62 time=18.357 ms
64:FF9B::192.168.10.100 icmp6_seq=2 ttl=62 time=0.000 ms
64:FF9B::192.168.10.100 icmp6_seq=3 ttl=62 time=0.000 ms
64:FF9B::192.168.10.100 icmp6_seq=4 ttl=62 time=0.000 ms
64:FF9B::192.168.10.100 icmp6_seq=5 ttl=62 time=0.000 ms

CE-2#show nat64 translations
Proto  Original IPv4         Translated IPv4
       Translated IPv6       Original IPv6
--------------------------------------------------------
icmp   192.168.10.100:15270  [64:FF9B::C0A8:A64]:15270
       192.168.20.10:15270   [2001:DB8:BBBB:20:2050:79FF:FE66:6800]:15270
---    ---                   ---
       192.168.20.3          2001:DB8:BBBB:20:2050:79FF:FE66:6801
Total number of translations: 2
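
The address mapping used in the packet sequence above, as an added Python example (not part of the original lab and not Cisco's implementation): `synthesize` does what DNS64 does with the A record, and `extract` does what CE-2 does with the IPv6 destination address. It goes beyond the lab's /96 case to cover the other prefix lengths RFC 6052 allows; the function names are chosen here for illustration.

```python
import ipaddress

# Well-known NAT64 prefix used in this lab (RFC 6052).
WKP = ipaddress.IPv6Network("64:ff9b::/96")

def _split(prefix):
    """Return how many IPv4 bits sit (before, after) reserved octet u (bits 64-71)."""
    if prefix.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 permits only /32 /40 /48 /56 /64 /96")
    before = max(64 - prefix.prefixlen, 0)
    return before, 32 - before

def synthesize(ipv4, prefix=WKP):
    """DNS64 side: embed the A-record address in the NAT64 prefix."""
    before, after = _split(prefix)
    v4 = int(ipaddress.IPv4Address(ipv4))
    base = int(prefix.network_address)
    if prefix.prefixlen == 96:            # IPv4 occupies the last 32 bits
        return ipaddress.IPv6Address(base | v4)
    high, low = v4 >> after, v4 & ((1 << after) - 1)
    # The high part ends at bit 63; the low part starts right after octet u.
    return ipaddress.IPv6Address(base | (high << 64) | (low << (56 - after)))

def extract(ipv6, prefix=WKP):
    """NAT64 side: recover the IPv4 destination, or None if outside the prefix."""
    before, after = _split(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None                       # native IPv6 destination, no translation
    value = int(addr)
    if prefix.prefixlen == 96:
        return ipaddress.IPv4Address(value & 0xFFFFFFFF)
    high = (value >> 64) & ((1 << before) - 1)
    low = (value >> (56 - after)) & ((1 << after) - 1)
    return ipaddress.IPv4Address((high << after) | low)

if __name__ == "__main__":
    # Addresses taken from the lab above.
    print(synthesize("192.168.10.100"))
    print(extract("64:ff9b::192.168.10.100"))
    print(extract("2001:db8:bbbb:20:2050:79ff:fe66:6800"))
```

The synthesized address prints as `64:ff9b::c0a8:a64`, which is `64:ff9b::192.168.10.100` written in hex, the form shown in the `show nat64 translations` table. RFC 6052 section 3.1 forbids using the well-known prefix for non-global IPv4 addresses such as RFC 1918 space, so outside a lab a private target like this one would need a network-specific prefix.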