The presentation is about v6-only network deployments using NAT64+DNS64 and not necessarily suggests eliminating dual stack. The major focus of the talk is to discuss about the value of v6-only deployments and an example of a simple deployment using jool and bind9 on ubuntu server.

1. Md. Abdul Awal
email@awal.pro
KEEP
CALM
AND
TRY
V6ONLY

2. Have you tried
our v6only
SSID here?

3. Let’s do some
quick checks

4. More checks
• v6-only host can SSH to v4-only machine:
$ ssh awal@64:ff9b::192.168.51.160
awal@64:ff9b::192.168.51.160's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-87-generic x86_64)
Last login: Thu Apr 11 16:12:24 2019 from 192.168.34.49
$

5. What is an
IPv6-Only
network?
• Not dual-stack
• Users get only IPv6 network
parameters (i.e. Address, Prefix,
Gateway and DNS)
• local gateway routes only IPv6, no
IPv4
• Most routers and infrastructure have
only IPv6 addresses
• IPv4 is offered to users as a service,
over IPv6
• Protocol translations required for
IPv4 only destinations

6. Why going
v6-only?
• Operational Simplicity
- Single stack infrastructure
• Avoids doing redundant tasks:
- 2x ACLs / firewall rules
- 2x monitoring targets
- 2x places where errors can occur
• Doing NAT that actually gets smaller
day by day (NAT64)
- Solving current IPv4 issues
- Getting rid of expensive CGNAT
• Enhanced security
- Reduction of attack surface

7. Building blocks
• Address distribution
- SLAAC/DHCPv6
• NAT64 (RFC 6144-6146)
- Supported by OEMs
- Server based tools: Jool, Tayga etc.
• DNS64 (RFC 6147)
- Included in Bind9
- Google public DNS64
• Support of IPv6 at end-user device
- No additional configuration is required

8. Topology
consideration
(It’s not a mandatory
in-line thing) Router
Router
Router
(SLAAC)
NAT64
+
DNS64
NAT64
Router
DHCPv6
DNS64
v6+v4
v6
Internet Internet
v6+v4
v6
v4
v6
v6
v6
v6
v6 v6

9. Tools used for
our v6only
network
• One box did it all
- Ubuntu Server 16.04 LTS
• Address distribution
- SLAAC with RADVD
• NAT64
- Jool 4.0.0
- NAT64 prefix: 64:ff9b::/96
• DNS64
- Bind9
• Wireless AP
- MikroTik
v6+v4
v6
Ubuntu Server
with radvd, jool
and bind9
Internet

10. Interface config
(Ubuntu 16.04)
• /etc/network/interface
# Dual-stack WAN Interface
auto enp1s0
iface enp1s0 inet static
address 192.168.1.254
netmask 255.255.254.0
gateway 192.168.0.1
iface enp1s0 inet6 static
autoconf 0
accept_ra 0
address 2400:ca00:3000:10::2
netmask 64
gateway 2400:ca00:3000:10::1
# IPv6-only LAN Interface
auto enp2s0
iface enp2s0 inet6 static
address 2400:ca00:3000:15::1
netmask 64

11. GW config
(radvd + routing)
• /etc/radvd.conf
interface enp2s0
{
MinRtrAdvInterval 3;
MaxRtrAdvInterval 4;
AdvSendAdvert on;
AdvManagedFlag off;
prefix 2400:ca00:3000:15::/64
{
AdvValidLifetime 14300;
AdvPreferredLifetime 14200;
};
RDNSS 2400:ca00:3000:15::1 {
};
};
• Eanble routing
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv6.conf.all.forwarding=1

12. NAT64 config
(jool-4.0.0)
• Start jool:
/sbin/modprobe jool
• Map IPv6 pool with defined instance:
jool instance add "nat64" --iptables
--pool6 64:ff9b::/96
• Add mangle rules:
ip6tables -t mangle -A PREROUTING
–d 64:ff9b::/96 -j JOOL --instance "nat64"
iptables -t mangle -A PREROUTING
–d 192.168.1.254 -p tcp --dport 1126:65535
-j JOOL --instance "nat64”
iptables -t mangle -A PREROUTING
-d 192.168.1.254 -p udp --dport 1126:65535
-j JOOL --instance "nat64”
iptables -t mangle -A PREROUTING
-d 192.168.1.154 -p icmp -j JOOL
--instance "nat64"

13. DNS64 config
(bind9)
• /etc/bind/named.conf.options
options {
...
...
listen-on-v6 { any; };
allow-query {2400:ca00:3000::/48; };
recursion yes;
dns64 64:ff9b::/96 {
clients { any; };
mapped { any; };
exclude {0::/3; 2001:db8::/32;};
};
};

14. NAT64 tuning
options
• Limit local port ranges to add more ports to
translation:
echo 1025 1125 >
/proc/sys/net/ipv4/ip_local_port_range
• MTU, Fragmentation and PMTUD issue:
echo 2 > /proc/sys/net/ipv4/tcp_mtu_probing

15. QUESTIONS?

16. Md. Abdul Awal
email@awal.pro
KEEP
CALM
AND
TRY
V6ONLY