Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

Keep calm-and-try-v6only

69 visualizaciones

Publicado el

The presentation is about v6-only network deployments using NAT64+DNS64 and not necessarily suggests eliminating dual stack.

The major focus of the talk is to discuss about the value of v6-only deployments and an example of a simple deployment using jool and bind9 on ubuntu server.

Publicado en: Internet
  • Sé el primero en comentar

  • Sé el primero en recomendar esto

Keep calm-and-try-v6only

  1. 1. Md. Abdul Awal email@awal.pro KEEP CALM AND TRY V6ONLY
  2. 2. Have you tried our v6only SSID here?
  3. 3. Let’s do some quick checks
  4. 4. More checks • v6-only host can SSH to v4-only machine: $ ssh awal@64:ff9b::192.168.51.160 awal@64:ff9b::192.168.51.160's password: Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-87-generic x86_64) Last login: Thu Apr 11 16:12:24 2019 from 192.168.34.49 $
  5. 5. What is an IPv6-Only network? • Not dual-stack • Users get only IPv6 network parameters (i.e. Address, Prefix, Gateway and DNS) • local gateway routes only IPv6, no IPv4 • Most routers and infrastructure have only IPv6 addresses • IPv4 is offered to users as a service, over IPv6 • Protocol translations required for IPv4 only destinations
  6. 6. Why going v6-only? • Operational Simplicity - Single stack infrastructure • Avoids doing redundant tasks: - 2x ACLs / firewall rules - 2x monitoring targets - 2x places where errors can occur • Doing NAT that actually gets smaller day by day (NAT64) - Solving current IPv4 issues - Getting rid of expensive CGNAT • Enhanced security - Reduction of attack surface
  7. 7. Building blocks • Address distribution - SLAAC/DHCPv6 • NAT64 (RFC 6144-6146) - Supported by OEMs - Server based tools: Jool, Tayga etc. • DNS64 (RFC 6147) - Included in Bind9 - Google public DNS64 • Support of IPv6 at end-user device - No additional configuration is required
  8. 8. Topology consideration (It’s not a mandatory in-line thing) Router Router Router (SLAAC) NAT64 + DNS64 NAT64 Router DHCPv6 DNS64 v6+v4 v6 Internet Internet v6+v4 v6 v4 v6 v6 v6 v6 v6 v6
  9. 9. Tools used for our v6only network • One box did it all - Ubuntu Server 16.04 LTS • Address distribution - SLAAC with RADVD • NAT64 - Jool 4.0.0 - NAT64 prefix: 64:ff9b::/96 • DNS64 - Bind9 • Wireless AP - MikroTik v6+v4 v6 Ubuntu Server with radvd, jool and bind9 Internet
  10. 10. Interface config (Ubuntu 16.04) • /etc/network/interface # Dual-stack WAN Interface auto enp1s0 iface enp1s0 inet static address 192.168.1.254 netmask 255.255.254.0 gateway 192.168.0.1 iface enp1s0 inet6 static autoconf 0 accept_ra 0 address 2400:ca00:3000:10::2 netmask 64 gateway 2400:ca00:3000:10::1 # IPv6-only LAN Interface auto enp2s0 iface enp2s0 inet6 static address 2400:ca00:3000:15::1 netmask 64
  11. 11. GW config (radvd + routing) • /etc/radvd.conf interface enp2s0 { MinRtrAdvInterval 3; MaxRtrAdvInterval 4; AdvSendAdvert on; AdvManagedFlag off; prefix 2400:ca00:3000:15::/64 { AdvValidLifetime 14300; AdvPreferredLifetime 14200; }; RDNSS 2400:ca00:3000:15::1 { }; }; • Eanble routing sysctl -w net.ipv4.conf.all.forwarding=1 sysctl -w net.ipv6.conf.all.forwarding=1
  12. 12. NAT64 config (jool-4.0.0) • Start jool: /sbin/modprobe jool • Map IPv6 pool with defined instance: jool instance add "nat64" --iptables --pool6 64:ff9b::/96 • Add mangle rules: ip6tables -t mangle -A PREROUTING –d 64:ff9b::/96 -j JOOL --instance "nat64" iptables -t mangle -A PREROUTING –d 192.168.1.254 -p tcp --dport 1126:65535 -j JOOL --instance "nat64” iptables -t mangle -A PREROUTING -d 192.168.1.254 -p udp --dport 1126:65535 -j JOOL --instance "nat64” iptables -t mangle -A PREROUTING -d 192.168.1.154 -p icmp -j JOOL --instance "nat64"
  13. 13. DNS64 config (bind9) • /etc/bind/named.conf.options options { ... ... listen-on-v6 { any; }; allow-query {2400:ca00:3000::/48; }; recursion yes; dns64 64:ff9b::/96 { clients { any; }; mapped { any; }; exclude {0::/3; 2001:db8::/32;}; }; };
  14. 14. NAT64 tuning options • Limit local port ranges to add more ports to translation: echo 1025 1125 > /proc/sys/net/ipv4/ip_local_port_range • MTU, Fragmentation and PMTUD issue: echo 2 > /proc/sys/net/ipv4/tcp_mtu_probing
  15. 15. QUESTIONS?
  16. 16. Md. Abdul Awal email@awal.pro KEEP CALM AND TRY V6ONLY

×