Production-scale NAT64

Wed Aug 26 04:49:53 UTC 2015

* William Herrin

> On Thu, Aug 20, 2015 at 1:22 PM, Ca By <cb.list6 at gmail.com> wrote:
> > On Thu, Aug 20, 2015 at 9:36 AM, William Herrin <bill at herrin.us> wrote:  
> >> Seriously though, if you want to run a v6-only network and still
> >> support access to IPv4 Internet resources, consider 464XLAT or
> >> DS-Lite.
> >
> > NAT64 is a required component of 464XLAT.
> 
> Sort of, technically, but not really.

Yes really. See below.

> 464XLAT does not require DNS64 and provides client software with an
> IPv4 interface. IPv4 software that has no idea IPv6 exists sends IPv4
> packets which get translated to IPv6 packets. Those packets are routed
> to the carrier NAT box which then translates these specially crafted
> IPv6 packets back to IPv4 packets.

What do you think the «carrier NAT box» in 464XLAT is, exactly?

No need to guess, we can check the 464XLAT specification:

http://tools.ietf.org/html/rfc6877#section-2

>  PLAT:   PLAT is provider-side translator (XLAT) that complies with
>          [RFC6146].  It translates N:1 global IPv6 addresses to global
>          IPv4 addresses, and vice versa.

Let's check that reference:

http://tools.ietf.org/html/rfc6146#section-1

>  This document specifies stateful NAT64, a mechanism for IPv4-IPv6
>  transition and IPv4-IPv6 coexistence.

Lo and behold! Your 464XLAT «carrier NAT box» (a.k.a. «PLAT») *is* a
NAT64 box. Thus, if you intend to deploy 464XLAT in production, you'll
going to need a production scale NAT64 implementation.

To answer the Jawaid's original question, I'm very happy with Jool
(http://jool.mx) for my NAT64 (and SIIT) needs, which is a open-source
Linux-based software solution. It has no problems handling several Gb/s
of traffic using a couple of years old x86 server without any tuning,
so if the capacity required is moderate this might be a cost-effective
alternative to a dedicated boxes from the one of the router/network
appliance vendors.

Tore