[AfrIPv6-Discuss] NAT64 for Dual Stacking!

Mark Elkins mje at posix.co.za
Fri May 13 13:51:53 UTC 2016 

Fabian, I'm wondering if you are not intentionally making things
difficult for yourself by introducing NAT64?

I think that you are at a University? - so maybe you do want complicated
- or a separate IPv6 network - in which case ignore the rest of this e-mail.

However:
From a Customers prospective, they usually do not care whether they are
on IPv4 or IPV6 (or both) - as long as the Internet "works".
IPv4 is going to be around for a while - so don't even think about
switching that off yet - unless its for some experiment. You should not
need IPv6 only either - we have quite a few IPv4 addresses left in
AFRINIC (and there is always (Uhg) NAT).
So, when I introduced IPv6 at my ISP, I took the idea that everything
that exists with an IPv4 address should also have an equivalent IPv6
address.

I started with my Cisco Routers - and my core. Interconnection and
Peering lines were "dual stacked" - rather the Routers were. There is
also nothing wrong with tunnels - if your upstream can not do IPv6 yet.
Hurricane Electric will accept a tunnel end point and allow BGP so you
can use your own network addresses.

I then enabled IPv6 on core systems such as Mail, Web and DNS servers -
making sure that all services could run on both protocols. All support
machines were also dual-stacked. This way - we could see that everything
pretty much worked as usual. Systems were also modified to allow for
longer IPv6 addresses in the DNS, Apache configs, Logs - etc
DNS was configured to listen on IPv6 (which we initially forgot). All
management systems were extended to include IPv6 addresses.
Lastly - IPv6 was pushed out to a few customers.

My idea was to make sure everything was available on both address
schemes. In addition, I also had an IPv6 only machine - so I could test
for connectivity, being pretty sure that IPv4 only machines could see
everything necessary. I still have some manageable switches that do IPv4
only :-(
I've been purchasing IPv6 capable printers for a few years now and most
access points (wifi access) have been reloaded with firmware that does
IPv6 as well. There are some odd and/or old machines that may never do
IPv6. They'll eventually die and be replaced.


I know in the early days of IPv6, some people designed a separate IPv6
network but I believe most simply dual-stack now.

For addresses, if a machine has a static address (Nameserver, Web/Mail
server, Router - etc) - I try and keep addresses simple and guessable.
I have 160.124.0.0/16 and 2001:42a0::/32

My main server is on 160.124.48.1/24 - so I made the IPv6
2001:42a0:1000:48::1/64

The odd '1000' gives the geographical region that the "48" network
exists in, otherwise it pretty much a 1:1 match.
This works for me just fine - but then I was fortunate enough to start
out with a big chunk of IPv4 address space.

Try and not make things more complicated than necessary.

On 13/05/2016 10:01, John Hay wrote:
> Hi Fabian,
> 
> Our approach was to deploy dual stack, so every router, server and host
> have an IPv6 and an IPv4 address. So if something wants to communicate
> with another device that have an IPv6 address, it will use its IPv6
> address as the source. If it wants to communicate with a device that
> have an IPv4 address, it will use its IPv4 address as the source. If it
> wants to communicate with a device that have both IPv6 and IPv4
> addresses, it depends on the OS what is preferred.
> 
> That way we do not need NAT64. We will phase out IPv4 when it is not
> needed anymore for internet or local communication.
> 
> Regards
> 
> John
> 
> 
> On 13 May 2016 at 09:35, Fabian Jr <afabbie at hotmail.com
> <mailto:afabbie at hotmail.com>> wrote:
> 
>     thanks Noah
> 
>      
>      
>     /Arbogast Fabian,/
>     /cell:+255-78-447-8387 <tel:%2B255-78-447-8387>/
> 
> 
>     ------------------------------------------------------------------------
>     Date: Fri, 13 May 2016 10:00:37 +0300
>     From: noah at neo.co.tz <mailto:noah at neo.co.tz>
>     To: afripv6-discuss at afrinic.net <mailto:afripv6-discuss at afrinic.net>
>     Subject: Re: [AfrIPv6-Discuss] NAT64 for Dual Stacking!
> 
>     Hi Fabian,
> 
>     The Cisco ASR boxes support what you seek to implement. You can
>     check out the ASR1K if you have the budget.
> 
>     The Juniper MX series do support what you seek to implement.
> 
>     You may find this article fundamentally interesting...
> 
>     https://supportforums.cisco.com/document/112121/ipv6-stateful-nat64-configuration-example
> 
>     Cheers,
> 
>     Noah
> 
>     On Fri, May 13, 2016 at 7:44 AM, Fabian Jr <afabbie at hotmail.com
>     <mailto:afabbie at hotmail.com>> wrote:
> 
>         Folks…
> 
>         We are looking into way we can gradually deploy IPv6 in our network…
> 
>         Already we have it running and we have one Test Machine……. The
>         challenge we are facing is that from that machine with IPv6 and
>         from other Machines with IPv4 we can’t communicate in either
>         direction..
> 
>         IPv6 Machine just communicate with IPv6 only machines like wise
>         IPv4 Machines just communicate with IPv4 machines ….
> 
>         A work around is to do NAT64 between the two subnets….
> 
>         It seems the hardware (Cisco 2921 router with IOS Version 15.0)
>         can’t do NAT64……..
> 
>         From the internet it seems NAT64 runs on IOS-XE and IOS-CGSE
>         which are Hardware dependent……..seems that we can’t upgrade IOS
>         Version 15.0 to any the two which supports NAT64.
> 
>         Before committing any expenses to acquire new router we want to
>         reach out to the community for comments and advises….
> 
>         Pls. review and advise.
> 
>         Thank you…
> 
>          
>          
>         /Arbogast Fabian,/
>         /cell:+255-78-447-8387/
> 
>         _______________________________________________
>         AfrIPv6-Discuss mailing list
>         AfrIPv6-Discuss at afrinic.net <mailto:AfrIPv6-Discuss at afrinic.net>
>         https://lists.afrinic.net/mailman/listinfo/afripv6-discuss
> 
> 
> 
> 
>     -- 
>     *./noah*
> 
>     _______________________________________________ AfrIPv6-Discuss
>     mailing list AfrIPv6-Discuss at afrinic.net
>     <mailto:AfrIPv6-Discuss at afrinic.net>
>     https://lists.afrinic.net/mailman/listinfo/afripv6-discuss
> 
>     _______________________________________________
>     AfrIPv6-Discuss mailing list
>     AfrIPv6-Discuss at afrinic.net <mailto:AfrIPv6-Discuss at afrinic.net>
>     https://lists.afrinic.net/mailman/listinfo/afripv6-discuss
> 
> 
> 
> 
> _______________________________________________
> AfrIPv6-Discuss mailing list
> AfrIPv6-Discuss at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/afripv6-discuss
> 

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4230 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.afrinic.net/pipermail/afripv6-discuss/attachments/20160513/8e4610bc/attachment.p7s>

More information about the AfrIPv6-Discuss mailing list