Using NAT64 in front of IPv6-only servers

Tore Anderson tore.anderson at redpill-linpro.com
Fri Apr 1 10:04:40 CEST 2011


Hi Gert,

* Gert Doering

> But it's similar to another approach we've been considering, which
> is "only dual-stack the load-balancers in front of the server farm,
> and single-stack the servers".  Dual-stacking the whole platform
> doesn't bring benefits but brings double work - as you said.

Indeed. That's the approach we took when retro-fitting IPv6 capability
to the existing IPv4-only platforms - the dual-stack topology ends at
the public access point - in some cases that's a load balancer, in some
cases a web cache, and in some cases a simple web server. All backend
networks for database and application server traffic remain IPv4-only,
and I have no intention of using energy on changing that.

The approach works very well btw.

> Using a NAT64 here could have the advantage of "not having to 
> configure the IPv4 addresses on the load balancers" - and being 
> available for applications that do not already have load balancers
> in front of them.

Yep. For us it would also mean less dual-stack, because our load
balancers are usually found close to the servers (deeper in the
network), while such a NAT64 system could be at the very border of the
data centre.

> Since you're using the NAT64 in the "inverse direction", you're 
> effectively nullifying the benefits of "you get automatic mappings 
> for everything you want to reach" (as the IPv4 space can be embedded 
> in the IPv6 /96) - so it's "just" a destination-NAT that happens to 
> be able to d-NAT into the other address family, and source-NAT v4->v6
> while at it.

Precisely. That it operates in a stateless per-packet manner is
crucially important, I do not under any circumstance want a stateful
device between the public service entry point and the internet.

That said, the v6-only servers would probably also have access to a
traditional NAT64/DNS64 system so that they could acquire security updates
and such from the vendors' servers. But that would have to be a
completely independent system with a different NAT64 prefix because it
has to be a stateful device.

> But you'd still have to configure NAT mappings for every single 
> application (or at least for every single IPv6-address that you want 
> to make visible)...

Yep. But I think overall the amount of work would be way less than
running dual-stack anyway. With dual-stack I would need to configure an
IPv4 packet filter for every single application, for example.

Now I'll go have a look at the Facebook presentation - thanks for the
pointer, Martin!

Best regards,
-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com
Tel: +47 21 54 41 27
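The "inverse direction" stateless translation discussed in the exchange above, as an added example that is not part of the thread and is not code from Redpill Linpro or any NAT64 implementation: inbound, the IPv4 source address is embedded in a /96 translation prefix (the RFC 6052 layout) and the IPv4 destination is looked up in a static table of published service addresses; outbound is the exact mirror. Because every packet is rewritten from its own headers plus that static table, the translator keeps no per-flow state, and an unmapped destination is simply dropped rather than creating a binding. The prefix (64:ff9b::/96), the service address 192.0.2.10 and the server address 2001:db8::10 are assumptions chosen for the example; only option-less IPv4/IPv6 headers carrying TCP or UDP are handled (no fragments, extension headers or ICMP), and the transport checksum is recomputed because the pseudo-header changes address family.

```python
# Added example (not code from the thread or from Redpill Linpro): a stateless
# "inverse" NAT64 data plane. Inbound, the IPv4 source is embedded in the /96
# translation prefix and the IPv4 destination is looked up in a static table;
# outbound is the mirror image. No per-flow state exists: every packet is
# translated from its own headers plus the static table. Only option-less
# IPv4/IPv6 headers carrying TCP or UDP are handled (no fragments, extension
# headers or ICMP).
import ipaddress
import struct

# Assumed configuration. 64:ff9b::/96 is the RFC 6052 well-known prefix; the
# service and server addresses are documentation addresses, not real hosts.
TRANSLATION_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
SERVICE_MAP = {  # public IPv4 service address -> IPv6-only server
    ipaddress.IPv4Address("192.0.2.10"): ipaddress.IPv6Address("2001:db8::10"),
}
REVERSE_MAP = {v6: v4 for v4, v6 in SERVICE_MAP.items()}
TCP, UDP = 6, 17
IP6_HDR, IP4_HDR = "!IHBB16s16s", "!BBHHHBBH4s4s"


def embed(v4) -> ipaddress.IPv6Address:
    """IPv4 address -> low 32 bits of the /96 prefix (RFC 6052 layout)."""
    return ipaddress.IPv6Address(int(TRANSLATION_PREFIX.network_address) | int(ipaddress.IPv4Address(v4)))


def extract(v6) -> ipaddress.IPv4Address:
    """Inverse of embed(); refuses anything outside the translation prefix."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in TRANSLATION_PREFIX:
        raise ValueError(f"{v6} is not inside {TRANSLATION_PREFIX}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def fix_l4_checksum(proto: int, pseudo: bytes, l4: bytes) -> bytes:
    """Recompute the TCP/UDP checksum: the pseudo-header changed address family."""
    if proto not in (TCP, UDP):
        return l4  # anything else is passed through untouched
    off = 16 if proto == TCP else 6
    zeroed = l4[:off] + b"\x00\x00" + l4[off + 2:]
    csum = checksum16(pseudo + zeroed) or (0xFFFF if proto == UDP else 0)  # UDP: 0 means "none"
    return zeroed[:off] + struct.pack("!H", csum) + zeroed[off + 2:]


def translate_inbound(pkt: bytes):
    """IPv4 packet from the Internet -> IPv6 packet for the server, or None to drop."""
    ver_ihl, tos, total_len, _id, frag, ttl, proto, _csum, src, dst = struct.unpack(IP4_HDR, pkt[:20])
    if ver_ihl != 0x45 or total_len != len(pkt) or frag & 0x3FFF or checksum16(pkt[:20]):
        raise ValueError("unsupported or corrupt IPv4 header")
    dst6 = SERVICE_MAP.get(ipaddress.IPv4Address(dst))
    if dst6 is None:
        return None  # unpublished address: drop, never create a dynamic binding
    src6, l4 = embed(src), pkt[20:]
    pseudo = src6.packed + dst6.packed + struct.pack("!IxxxB", len(l4), proto)
    hdr = struct.pack(IP6_HDR, 6 << 28 | tos << 20, len(l4), proto, ttl, src6.packed, dst6.packed)
    return hdr + fix_l4_checksum(proto, pseudo, l4)


def translate_outbound(pkt: bytes):
    """IPv6 packet from the server -> IPv4 packet for the Internet, or None to drop."""
    first, plen, nxt, hlim, src, dst = struct.unpack(IP6_HDR, pkt[:40])
    if first >> 28 != 6 or plen != len(pkt) - 40:
        raise ValueError("malformed IPv6 header")
    src4 = REVERSE_MAP.get(ipaddress.IPv6Address(src))
    if src4 is None or ipaddress.IPv6Address(dst) not in TRANSLATION_PREFIX:
        return None  # only published servers may talk out, and only to embedded IPv4 peers
    dst4, l4 = extract(dst), pkt[40:]
    pseudo = src4.packed + dst4.packed + struct.pack("!xBH", nxt, len(l4))
    hdr = struct.pack(IP4_HDR, 0x45, first >> 20 & 0xFF, 20 + len(l4), 0, 0x4000, hlim, nxt, 0, src4.packed, dst4.packed)
    hdr = hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:]  # ID 0, DF set, as in RFC 7915
    return hdr + fix_l4_checksum(nxt, pseudo, l4)


def build_ipv4_udp(src, dst, sport, dport, payload: bytes, ttl=64) -> bytes:
    """Constructed test input: a valid IPv4/UDP packet with ID 0 and DF set."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp = fix_l4_checksum(UDP, s + d + struct.pack("!xBH", UDP, len(udp)), udp)
    hdr = struct.pack(IP4_HDR, 0x45, 0, 20 + len(udp), 0, 0x4000, ttl, UDP, 0, s, d)
    return hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:] + udp


def udp_reply(pkt6: bytes) -> bytes:
    """Constructed server reply: the IPv6/UDP packet with both ends swapped."""
    first, plen, nxt, hlim, src, dst = struct.unpack(IP6_HDR, pkt6[:40])
    l4 = pkt6[42:44] + pkt6[40:42] + pkt6[44:]  # swap UDP ports
    pseudo = dst + src + struct.pack("!IxxxB", plen, nxt)
    return struct.pack(IP6_HDR, first, plen, nxt, hlim, dst, src) + fix_l4_checksum(nxt, pseudo, l4)


def demo():
    """Request in, reply out; returns (request4, request6, reply4)."""
    req4 = build_ipv4_udp("198.51.100.7", "192.0.2.10", 40000, 53, b"query")
    req6 = translate_inbound(req4)
    return req4, req6, translate_outbound(udp_reply(req6))


if __name__ == "__main__":
    for p in demo():
        print(len(p), p.hex())
```

The point to notice is what the translator does not have: no connection table, no timers, and no way for an unsolicited inbound packet to create state, which is why the reply direction can be verified purely from the static table and the prefix. The separate, stateful NAT64/DNS64 the message mentions for outbound vendor access would need its own prefix precisely so that packets destined for it are never mistaken for replies through this path.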
