> Ecdysis NAT64/DNS64
Posted by prox, from Charlotte, on January 01, 2011 at 12:29 local (server) time

I normally don't play around with such silliness, but this morning I figured I should try out the NAT64/DNS64 implementation by Ecdysis.  NAT64 is a simple way for IPv6-only clients to access IPv4 systems.  It's done with a combination of AAAA record synthesis and NAT.  For a review of the IPv6 transition mechanisms, see my prior blog entry.

So, I downloaded and booted their Linux live CD (basically a modified Fedora disc) in VMware Workstation, and set it up to use 2001:48c8:1:12f::/96.  It started Unbound and loaded nf_nat64 into the kernel with some address parameters.  I then pointed a static route to the VM and injected 2001:48c8:1:12f::/64 (eh, not like I was going to use the rest of the /64 for anything else) into BGP.  A couple DIGs verified that DNS64 was indeed working:

% dig @red slashdot.org. AAAA

; <<>> DiG 9.7.2-P3 <<>> @red slashdot.org. AAAA
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29892
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;slashdot.org.           IN   AAAA

;; ANSWER SECTION:
slashdot.org.       3600 IN   AAAA 2001:48c8:1:12f::d822:b52d

;; Query time: 733 msec
;; SERVER: 2001:48c8:1:105:250:56ff:fe1a:afaf#53(2001:48c8:1:105:250:56ff:fe1a:afaf)
;; WHEN: Sat Jan  1 12:15:13 2011
;; MSG SIZE  rcvd: 58

Slashdot is, at first glance, a bad example, because one would think that being a tech news site, they'd actually publish an official AAAA record and be accessible by IPv6.  The truth is, they're even lagging behind CNN in such things, so the example is valid.

Anyway, it seems to work!

% telnet 2001:48c8:1:12f::d822:b52d 80
Trying 2001:48c8:1:12f::d822:b52d...
Connected to 2001:48c8:1:12f::d822:b52d.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: slashdot.org
Connection: close

HTTP/1.1 200 OK
Server: Apache/1.3.42 (Unix) mod_perl/1.31
SLASH_LOG_DATA: shtml
X-Powered-By: Slash 2.005001305
X-Fry: These new hands are great. I'm gonna break them in tonight.
X-XRDS-Location: http://slashdot.org/slashdot.xrds
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Content-Length: 146625
Date: Sat, 01 Jan 2011 17:17:27 GMT
X-Varnish: 1317912096 1317911450
Age: 47
Connection: close

Connection closed by foreign host.

And after adding a default route to the Ecdysis VM and poking a few holes in my PF rules, NAT64 works off-net, too.  The traceroutes are a little ridiculous, though:

core1.nyc1.he.net> traceroute ipv6 2001:48c8:1:12f::d822:b52d

Tracing the route to IPv6 node  from 1 to 30 hops

  1     1 ms   <1 ms   <1 ms 2001:504:1::a502:9791:1
  2     5 ms   <1 ms   <1 ms 0.ae1.tsr1.lga5.us.voxel.net [2001:48c8::822]
  3    <1 ms   <1 ms   <1 ms 0.ae2.csr2.lga6.us.voxel.net [2001:48c8::82e]
  4    <1 ms   <1 ms   <1 ms em0.dax.prolixium.net [2001:48c8:1:2::2]
  5    34 ms   41 ms   33 ms si3.starfire.prolixium.net [2001:48c8:1:1ff::1a]
  6    32 ms   36 ms   33 ms red.prolixium.com [2001:48c8:1:105:250:56ff:fe1a:afaf]
  7    34 ms   40 ms   33 ms 2001:48c8:1:12f::a03:5fe
  8    38 ms   42 ms   50 ms 2001:48c8:1:12f::a03:fd02
  9    57 ms   50 ms   48 ms 2001:48c8:1:12f::ac9:4001
 10    59 ms   56 ms   45 ms 2001:48c8:1:12f::184a:fe34
 11    56 ms   50 ms   50 ms 2001:48c8:1:12f::185d:4017
 12    55 ms   49 ms   54 ms 2001:48c8:1:12f::426d:652
 13    56 ms   60 ms   52 ms 2001:48c8:1:12f::426d:6ab
 14    58 ms   48 ms   50 ms 2001:48c8:1:12f::43b:c15
 15    56 ms   49 ms   54 ms 2001:48c8:1:12f::445:9608
 16   144 ms   50 ms   49 ms 2001:48c8:1:12f::d0aa:1751
 17    56 ms   51 ms   55 ms 2001:48c8:1:12f::cc46:c802
 18   110 ms   96 ms   89 ms 2001:48c8:1:12f::cc46:c4f2
 19    87 ms   80 ms   92 ms 2001:48c8:1:12f::cc46:c37a
 20   105 ms   87 ms   89 ms 2001:48c8:1:12f::4025:cfce
 21   105 ms   88 ms  113 ms 2001:48c8:1:12f::401b:a0c6
 22   106 ms   88 ms   87 ms 2001:48c8:1:12f::d822:b52d

The last 32 bits of each hop's IPv6 address are the hop's IPv4 address.  For example, if you take hop 17 and translate it, something meaningful is displayed:

% ping -c1 0xcc46c802  
PING 0xcc46c802 (204.70.200.2) 56(84) bytes of data.
64 bytes from 204.70.200.2: icmp_req=1 ttl=246 time=31.9 ms

--- 0xcc46c802 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 31.946/31.946/31.946/0.000 ms
% host 204.70.200.2   
2.200.70.204.in-addr.arpa domain name pointer cr2-te-0-0-0-0.atlanta.savvis.net.
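The address mapping the post relies on (the /96 prefix with the IPv4 address in the low 32 bits) in working code, as an added example that is not from the post or from Ecdysis: it synthesizes the AAAA for slashdot.org's IPv4 address the way DNS64 does, and reverses the mapping for traceroute hops that fall inside the prefix while leaving genuine IPv6 hops untouched. The sample hop lines are constructed from the post's traceroute; the helper names are my own.

```python
import ipaddress

# The NAT64/DNS64 prefix the post gives to the Ecdysis VM.
NAT64_PREFIX = ipaddress.IPv6Network("2001:48c8:1:12f::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """DNS64-style AAAA synthesis: embed the 32-bit IPv4 address in the
    low 32 bits of the /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 embedding used in the post is handled")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """Reverse of synthesis: recover the IPv4 address from a NAT64-mapped
    address.  Refuses addresses outside the prefix, so a real IPv6 hop is
    never misread as a translated IPv4 one."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{ipv6} is not a NAT64-mapped address under {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def translate_traceroute(lines):
    """Annotate traceroute hop lines: hops inside the NAT64 prefix get their
    embedded IPv4 address appended; everything else passes through."""
    out = []
    for line in lines:
        parts = line.split()
        if not parts or not parts[0].isdigit():
            out.append(line)
            continue
        hop = parts[-1].strip("[]")  # last field is the hop address
        try:
            out.append(f"{line}  (IPv4 {extract_ipv4(hop)})")
        except ValueError:  # not an address, or not inside the prefix
            out.append(line)
    return out


# Constructed sample hop lines in the format of the post's traceroute.
SAMPLE_HOPS = [
    "  6    32 ms   36 ms   33 ms red.prolixium.com [2001:48c8:1:105:250:56ff:fe1a:afaf]",
    " 17    56 ms   51 ms   55 ms 2001:48c8:1:12f::cc46:c802",
    " 22   106 ms   88 ms   87 ms 2001:48c8:1:12f::d822:b52d",
]

if __name__ == "__main__":
    print(synthesize_aaaa("216.34.181.45"))  # the AAAA dig returned above
    for line in translate_traceroute(SAMPLE_HOPS):
        print(line)
```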

After playing with this for awhile, it suddenly stopped working, though:

[Screenshot: Ecdysis Panic]

Oh well, they've got some bugs to fix in nf_nat64, I suppose.

Anyway, except for that panic, the Ecdysis software seems to work pretty well.  It'll be nice once it starts to be included in the package systems of major Linux distributions.

Oh, and... Happy New Year!
