2010-03-02

NAT is evil

OK, "NAT is evil" is probably my catch phrase and I have put it on t-shirts and coasters and all sorts.

But WTF - I am today accessing IPv4-only internet hosts via NAT from IPv6. We finally got totd (Trick or treat daemon) working and I finally got the basics of our carrier grade IPv6/4 NAT gateway working in the FireBrick FB6000.

TOTD basically acts as a DNS proxy that answers AAAA (IPv6) queries when the host only has IPv4 by mapping the answer to a specific block of IPv6 space (2001:8b0:6464:: in this case).

The FireBrick FB6000 does the clever IPv4/6 session tracking and mapping.

I have yet to sort traceroutes, but pings work. Traceroutes will be hard as it means mapping all of the ICMP and ICMPv6 code/types. And we still have to fully handle fragments. But we do have a TCP MRU fixup so that basically everything just works. And over the next few days we expect full ICMP support and MTU and fragment issues resolved.

It's on the A&A status page, but anyone can try as we have not actually locked it down. It will be locked down at the first sign of abuse, don't worry. DNS 2001:8b0:6464::1 and 2001:8b0:6464::2 and you are surfing an IPv6-only internet.

I mean, just, well, WOW!!!

12 comments:

  1. Ha, http://inetcore.com/project/ipv4ec/en-us/index.html is IPv4 only it seems.

    ReplyDelete
  2. Of course that counter's IPv4-only; IPv6 users need not care about it :)

    ReplyDelete
  3. Pity OSX ipv6 support is so bad.

    Treating A records as equal priority to AAAA records.. against RFCs but arguable if both are equally valid ways to reach a site.

    Doing the above when ipv4 is switched off, leading to random loss of connectivity. Epic fail.

    ReplyDelete
  4. Well.. that is quite impressive :D

    ReplyDelete
  5. I can't wait for every last IPv4 address to be allocated! That will force people to switch, and then we can get the other benefits of IPv6.

    What do you think will happen in practice, though? What kind of service will consumer ISPs offer, if they can't even give everyone a dynamically allocated IPv4 address? Will they give them an IPv6 address instead, and do something like your totd service? Will they give everyone a 10.* address and do IPv4 NAT? Will they give them both, and do NAT for IPv4 with direct routing for IPv6? They're in a pretty bad situation because, whatever they do, their clients' systems will break in some way.

    For hosting, I suppose we will end up deploying some kind of reverse proxy. The actual hosting machines will run IPv6 only. Meanwhile, IPv4 visitors will get to these websites through a dual-stack reverse proxy.

    As you run an ISP, I would be very interested to know your prediction.

    ReplyDelete
  6. Oooh, predictions. Tricky things. Not sure yet. I think hosting has to get IPv6 soon. What will you do when you want to host a web server or mail server and the hosting company says they have no IPv4's?

    We now have kit that can do static mapping, so IPv4+port to IPv6 address.

    ReplyDelete
  7. A hosting company could run a single reverse proxy on behalf of all of their customers. Their customers would run their sites on IPv6-only servers, and the reverse proxy would allow IPv4-only browsers to get access. That would allow a large number of independent websites to be served with a single IPv4 address. It would even work with SSL if you assume that all browsers support the server name extension (which they don't, but something is going to break whatever you do).

    ReplyDelete
  8. How about posting some traffic statistics from the gateway?

    ReplyDelete
  9. Should this still work? I tried it on a server of my own but I see the following on that server:

    Proto Recv-Q Send-Q Local Address Foreign Address Stat
    e
    tcp 0 0 131.211.84.188:80 90.155.53.9:50937 SYN_
    RECV

    other port 80 traffic (from the wider ipv4 internet) to that server works nicely.

    Anyway, pending (and pending.. and pending..) an IPv6 upgrade here it would be nice to be able to experiment with totd.

    ReplyDelete
  10. What a nice blog...I am really very impressed to read this..Thanks to admin for posting this nice blog....WOW!!!!!

    ReplyDelete
  11. why that 2001:8b0:6464::1 dns not work now?

    ReplyDelete

Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.

Missing unix/linux/posix file open option

What I would like is a file open option for "create replacement file". The idea is that this makes a new inode in the same mount p...