OK, "NAT is evil" is probably my catchphrase and I have put it on t-shirts and coasters and all sorts.
But WTF - I am today accessing IPv4-only internet hosts via NAT from IPv6. We finally got totd (Trick or treat daemon) working and I finally got the basics of our carrier grade IPv6/4 NAT gateway working in the FireBrick FB6000.
totd basically acts as a DNS proxy: when a host has only an A (IPv4) record, it answers the AAAA (IPv6) query anyway by mapping the IPv4 address into a specific block of IPv6 space (2001:8b0:6464:: in this case).
The FireBrick FB6000 does the clever IPv4/6 session tracking and mapping.
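As an added illustration (not code from the post, from totd, or from the FireBrick), here is the mapping both boxes have to agree on: the DNS proxy embeds the IPv4 address in the 2001:8b0:6464:: block, and the gateway recovers it from the packet's destination, refusing anything outside the block. The /96 placement and the function names are my assumptions.

```python
# Added example, not the post's or totd/FireBrick code.
# Assumption: the IPv4 address sits in the low 32 bits of the block,
# i.e. 2001:8b0:6464:: is used as a /96 prefix.
import ipaddress

PREFIX = ipaddress.IPv6Network("2001:8b0:6464::/96")  # assumed /96


def synthesize_aaaa(ipv4_str):
    """DNS proxy side: turn an A answer into a AAAA answer by
    OR-ing the 32-bit IPv4 address into the low bits of PREFIX."""
    v4 = ipaddress.IPv4Address(ipv4_str)
    v6 = ipaddress.IPv6Address(int(PREFIX.network_address) | int(v4))
    return str(v6)


def extract_ipv4(ipv6_str):
    """Gateway side: recover the real IPv4 destination from a packet.
    Returns None (drop) when the destination is outside the mapping
    block, so the gateway only translates traffic it was built for."""
    v6 = ipaddress.IPv6Address(ipv6_str)
    if v6 not in PREFIX:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def resolve_aaaa(a_records, aaaa_records):
    """Proxy policy: hand back genuine AAAA records when the name has
    any, and only synthesize from the A records when it has none."""
    if aaaa_records:
        return list(aaaa_records)
    return [synthesize_aaaa(a) for a in a_records]


if __name__ == "__main__":
    # Constructed sample: an IPv4-only host answered with one A record.
    answers = resolve_aaaa(["131.211.84.188"], [])
    print(answers)                       # ['2001:8b0:6464::83d3:54bc']
    print(extract_ipv4(answers[0]))      # 131.211.84.188
    print(extract_ipv4("2001:db8::1"))   # None: not ours, do not translate
```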
I have yet to sort traceroutes, but pings work. Traceroutes will be hard as it means mapping all of the ICMP and ICMPv6 code/types. And we still have to fully handle fragments. But we do have a TCP MRU fixup so that basically everything just works. And over the next few days we expect full ICMP support and MTU and fragment issues resolved.
It's on the A&A status page, but anyone can try as we have not actually locked it down. It will be locked down at the first sign of abuse, don't worry. Set your DNS to 2001:8b0:6464::1 and 2001:8b0:6464::2 and you are surfing an IPv6-only internet.
I mean, just, well, WOW!!!
2010-03-02
Ha, http://inetcore.com/project/ipv4ec/en-us/index.html is IPv4 only it seems.
Of course that counter's IPv4-only; IPv6 users need not care about it :)
Pity OSX ipv6 support is so bad.
Treating A records as equal priority to AAAA records.. against RFCs but arguable if both are equally valid ways to reach a site.
Doing the above when ipv4 is switched off, leading to random loss of connectivity. Epic fail.
Well.. that is quite impressive :D
I can't wait for every last IPv4 address to be allocated! That will force people to switch, and then we can get the other benefits of IPv6.
What do you think will happen in practice, though? What kind of service will consumer ISPs offer, if they can't even give everyone a dynamically allocated IPv4 address? Will they give them an IPv6 address instead, and do something like your totd service? Will they give everyone a 10.* address and do IPv4 NAT? Will they give them both, and do NAT for IPv4 with direct routing for IPv6? They're in a pretty bad situation because, whatever they do, their clients' systems will break in some way.
For hosting, I suppose we will end up deploying some kind of reverse proxy. The actual hosting machines will run IPv6 only. Meanwhile, IPv4 visitors will get to these websites through a dual-stack reverse proxy.
As you run an ISP, I would be very interested to know your prediction.
Oooh, predictions. Tricky things. Not sure yet. I think hosting has to get IPv6 soon. What will you do when you want to host a web server or mail server and the hosting company says they have no IPv4's?
We now have kit that can do static mapping, so IPv4+port to IPv6 address.
A hosting company could run a single reverse proxy on behalf of all of their customers. Their customers would run their sites on IPv6-only servers, and the reverse proxy would allow IPv4-only browsers to get access. That would allow a large number of independent websites to be served with a single IPv4 address. It would even work with SSL if you assume that all browsers support the server name extension (which they don't, but something is going to break whatever you do).
How about posting some traffic statistics from the gateway?
Should this still work? I tried it on a server of my own but I see the following on that server:
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 131.211.84.188:80       90.155.53.9:50937       SYN_RECV
other port 80 traffic (from the wider ipv4 internet) to that server works nicely.
Anyway, pending (and pending.. and pending..) an IPv6 upgrade here it would be nice to be able to experiment with totd.
What a nice blog...I am really very impressed to read this..Thanks to admin for posting this nice blog....WOW!!!!!
Why does that 2001:8b0:6464::1 DNS not work now?
I'll have to look into that.