OK, "NAT is evil" is probably my catch phrase and I have put it on t-shirts and coasters and all sorts.
But WTF - I am today accessing IPv4-only internet hosts via NAT from IPv6. We finally got totd (Trick or treat daemon) working and I finally got the basics of our carrier grade IPv6/4 NAT gateway working in the FireBrick FB6000.
TOTD basically acts as a DNS proxy that answers AAAA (IPv6) queries when the host only has IPv4 by mapping the answer to a specific block of IPv6 space (2001:8b0:6464:: in this case).
The FireBrick FB6000 does the clever IPv4/6 session tracking and mapping.
I have yet to sort traceroutes, but pings work. Traceroutes will be hard as it means mapping all of the ICMP and ICMPv6 code/types. And we still have to fully handle fragments. But we do have a TCP MRU fixup so that basically everything just works. And over the next few days we expect full ICMP support and MTU and fragment issues resolved.
It's on the A&A status page, but anyone can try as we have not actually locked it down. It will be locked down at the first sign of abuse, don't worry. DNS 2001:8b0:6464::1 and 2001:8b0:6464::2 and you are surfing an IPv6-only internet.
I mean, just, well, WOW!!!
2010-03-02
Subscribe to:
Post Comments (Atom)
Deliveries from China
I have PCBs made in China (well Hong Kong). This is all my many small PCB projects (not FireBrick). I would rather use UK suppliers but I am...
-
Broadband services are a wonderful innovation of our time, using multiple frequency bands (hence the name) to carry signals over wires (us...
-
For many years I used a small stand-alone air-conditioning unit in my study (the box room in the house) and I even had a hole in the wall fo...
-
It seems there is something of a standard test string for anti virus ( wikipedia has more on this). The idea is that systems that look fo...
Ha, http://inetcore.com/project/ipv4ec/en-us/index.html is IPv4 only it seems.
ReplyDeleteOf course that counter's IPv4-only; IPv6 users need not care about it :)
ReplyDeletePity OSX ipv6 support is so bad.
ReplyDeleteTreating A records as equal priority to AAAA records.. against RFCs but arguable if both are equally valid ways to reach a site.
Doing the above when ipv4 is switched off, leading to random loss of connectivity. Epic fail.
Well.. that is quite impressive :D
ReplyDeleteI can't wait for every last IPv4 address to be allocated! That will force people to switch, and then we can get the other benefits of IPv6.
ReplyDeleteWhat do you think will happen in practice, though? What kind of service will consumer ISPs offer, if they can't even give everyone a dynamically allocated IPv4 address? Will they give them an IPv6 address instead, and do something like your totd service? Will they give everyone a 10.* address and do IPv4 NAT? Will they give them both, and do NAT for IPv4 with direct routing for IPv6? They're in a pretty bad situation because, whatever they do, their clients' systems will break in some way.
For hosting, I suppose we will end up deploying some kind of reverse proxy. The actual hosting machines will run IPv6 only. Meanwhile, IPv4 visitors will get to these websites through a dual-stack reverse proxy.
As you run an ISP, I would be very interested to know your prediction.
Oooh, predictions. Tricky things. Not sure yet. I think hosting has to get IPv6 soon. What will you do when you want to host a web server or mail server and the hosting company says they have no IPv4's?
ReplyDeleteWe now have kit that can do static mapping, so IPv4+port to IPv6 address.
A hosting company could run a single reverse proxy on behalf of all of their customers. Their customers would run their sites on IPv6-only servers, and the reverse proxy would allow IPv4-only browsers to get access. That would allow a large number of independent websites to be served with a single IPv4 address. It would even work with SSL if you assume that all browsers support the server name extension (which they don't, but something is going to break whatever you do).
ReplyDeleteHow about posting some traffic statistics from the gateway?
ReplyDeleteShould this still work? I tried it on a server of my own but I see the following on that server:
ReplyDeleteProto Recv-Q Send-Q Local Address Foreign Address Stat
e
tcp 0 0 131.211.84.188:80 90.155.53.9:50937 SYN_
RECV
other port 80 traffic (from the wider ipv4 internet) to that server works nicely.
Anyway, pending (and pending.. and pending..) an IPv6 upgrade here it would be nice to be able to experiment with totd.
What a nice blog...I am really very impressed to read this..Thanks to admin for posting this nice blog....WOW!!!!!
ReplyDeletewhy that 2001:8b0:6464::1 dns not work now?
ReplyDeleteIll have to look in to that.
Delete