Large Scale NAT64
Because of the imminent exhaustion of IPv4 addresses, ISPs have started transitioning to IPv6 infrastructure. But during the transition, ISPs must continue to support IPv4 along with IPv6, because most of the public Internet still uses IPv4. Large scale NAT64 is an IPv6 transition solution for ISPs with IPv6 infrastructure to connect their IPv6-only subscribers to the IPv4 Internet. DNS64 is a solution for enabling discovery of IPv4-only domains by IPv6-only clients. DNS64 is used with large scale NAT64 to enable seamless communication between IPv6-only clients and IPv4-only servers.
A Citrix ADC appliance implements large scale NAT64 and DNS64 and is compliant with RFCs 6145, 6146, 6147, 6052, 3022, 2373, 2765, and 2464.
Architecture
The NAT64 architecture of an ISP using a Citrix ADC appliance consists of IPv6 subscribers accessing the IPv4 Internet through a Citrix ADC appliance deployed in the ISP’s core network. IPv6 subscribers are connected to the ISP core network through the ISP’s IPv6-only access network.
The large scale NAT64 functionality of a Citrix ADC appliance enables communication between IPv6 clients and IPv4 servers through IPv6-to-IPv4 packet translation, and vice versa, while maintaining session information on the Citrix ADC appliance. The Citrix ADC DNS64 functionality represents IPv4-only domains to IPv6 subscribers by synthesizing DNS AAAA records for IPv4-only domains and sending them to the subscribers.
Large scale NAT64 has two main components: NAT64 prefix and NAT IPv4 pool. DNS64 has one main component, DNS64 prefix, which has the same value as NAT64 prefix.
Upon receiving an AAAA request from an IPv6-only subscriber for a domain name that is hosted on an IPv4-only web server on the Internet, the Citrix ADC DNS64 functionality synthesizes an AAAA record for the domain name and sends it to the subscriber. The AAAA record is synthesized by concatenating the DNS64 prefix (which is set to the NAT64 prefix) and the actual IPv4 address of the domain name.
The subscriber now has an IPv6 destination address that corresponds to the desired domain name. The subscriber sends the request to the synthesized IPv6 address. Upon receiving the IPv6 request, the large scale Citrix ADC NAT64 functionality translates the IPv6 request packet to an IPv4 request packet. Large scale NAT64 sets the IPv4 request’s destination address to the IPv4 address, which is extracted from the IPv6 request’s destination address by stripping the NAT64 prefix from the IPv6 address. The destination port is retained from the IPv6 request. Large Scale NAT64 also sets the source IP address:source port of the IPv4 packet to the NAT IP address:NAT port selected from the configured NAT pool.
The appliance maintains a record of all active sessions that use the large scale NAT64 functionality. These sessions are called large scale NAT64 sessions. The appliance also maintains the mappings between subscriber IPv6 address and port, and NAT IPv4 address and port, for each large scale NAT64 session. These mappings are called large scale NAT64 mappings. From large scale NAT64 session entries and large scale NAT64 mapping entries, the Citrix ADC appliance recognizes a response packet (received from the Internet) as belonging to a particular NAT64 session.
When the appliance receives an IPv4 response packet belonging to a particular NAT64 session, it uses the information stored in the NAT64 session to translate the IPv4 packet into an IPv6 packet, and then sends the IPv6 response packet to the subscriber.
Example: Traffic Flow of NAT64 and DNS64 Deployment
Consider an example of a large scale NAT64 and DNS64 deployment consisting of Citrix ADC appliance NS-1 and two local DNS servers, DNS-1 and DNS-2, in an ISP’s core network, and IPv6 subscriber SUB-1. SUB-1 is connected to NS-1 through the ISP’s IPv6 access network. NS-1 includes large scale NAT64 and DNS64 configurations for enabling the communication between IPv6 subscriber SUB-1 and IPv4 hosts (internal and external).
Large scale NAT64 configuration includes a NAT64 prefix (2001:DB8:300::/96) and NAT IPv4 pool for translation of IPv6 requests to IPv4 requests and IPv4 responses to IPv6 responses.
DNS64 configuration includes a DNS load balancing virtual server LBVS-DNS64-1 (2001:DB8:9999::99) and a DNS64 prefix (2001:DB8:300::/96). LBVS-DNS64-1 represents the local DNS servers DNS-1 and DNS-2 to the ISP’s subscribers. The DNS64 prefix, which has the same value as the NAT64 prefix, is used for synthesizing DNS AAAA records from the DNS A records received from DNS servers DNS-1 and DNS-2. NS-1 responds with a synthesized AAAA record to SUB-1 for a DNS request to resolve an IPv4 host.
DNS64 Traffic Flow
Traffic flows between IPv6 subscriber SUB-1 and the site www.example.com, which resides on an IPv4-only web server on the Internet, as follows:
- IPv6 subscriber SUB-1 sends a DNS AAAA request for www.example.com to its designated DNS server (2001:DB8:9999::99).
- DNS load balancing virtual server LBVS-DNS64-1 (2001:DB8:9999::99) on Citrix ADC appliance NS-1 receives the AAAA request. LBVS-DNS64-1’s load balancing algorithm selects DNS server DNS-1 and forwards the AAAA request to it.
- DNS-1 returns an empty record or an error message, because there is no AAAA record available for www.example.com.
- Because the DNS64 option is enabled on LBVS-DNS64-1 and the AAAA request from CL1 matches the condition specified in DNS64-Policy-1, NS-1 sends a DNS A request to DNS-1 for the IPv4 address of www.example.com.
- DNS-1 responds with the A record of 192.0.2.60 for www.example.com.
- The DNS64 module on NS-1 synthesizes an AAAA record for www.example.com by concatenating the DNS64 prefix (2001:DB8:300::/96) associated with LBVS-DNS64-1 and the IPv4 address (192.0.2.60) for www.example.com, giving 2001:DB8:300::192.0.2.60.
- NS-1 sends the synthesized AAAA record to IPv6 client CL1. NS-1 also caches the A record in its memory and uses the cached A record to synthesize AAAA records for subsequent AAAA requests.
NAT64 Traffic Flow
- IPv6 subscriber SUB-1 (2001:DB8:5001:30) sends a request to www.example.com. The IPv6 packet has:
  - Source IP address = 2001:DB8:5001:30
  - Source port = 2552
  - Destination IP address = 2001:DB8:300::192.0.2.60
  - Destination port = 80
- When NS-1 receives the IPv6 packet, the large scale NAT64 module creates a translated IPv4 request packet with:
  - Source IP address = one of the IPv4 addresses available in the configured NAT pool (203.0.113.61)
  - Source port = one of the ports available with the allocated NAT IPv4 address (3002)
  - Destination IP address = the IPv4 address extracted from the IPv6 request’s destination address by stripping the NAT64 prefix (2001:DB8:300::/96) from the IPv6 address (192.0.2.60)
  - Destination port = the IPv6 request’s destination port (80)
- The large scale NAT64 module also creates mapping and session entries for this large scale NAT64 flow. The session and mapping entries include the following information:
  - Source IP address of the IPv6 packet = 2001:DB8:5001:30
  - Source port of the IPv6 packet = 2552
  - NAT IP address = 203.0.113.61
  - NAT port = 3002
- NS-1 sends the resulting IPv4 packet to its destination on the Internet.
- Upon receiving the request packet, the server for www.example.com processes the packet and sends a response packet to NS-1. The IPv4 response packet has:
  - Source IP address = 192.0.2.60
  - Source port = 80
  - Destination IP address = 203.0.113.61
  - Destination port = 3002
- Upon receiving the IPv4 response packet, NS-1 examines the large scale NAT64 mapping and session entries and finds that the IPv4 response packet belongs to a large scale NAT64 session. The large scale NAT64 module creates a translated IPv6 response packet with:
  - Source IP address = 2001:DB8:300::192.0.2.60
  - Source port = 80
  - Destination IP address = 2001:DB8:5001:30
  - Destination port = 2552
- NS-1 sends the translated IPv6 response to subscriber SUB-1.
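The NAT64 flow above, modelled in Python as an added example that is not Citrix ADC code: mapping and session entries are created on the outbound request, and an inbound IPv4 packet is translated only if it matches a session, which is the endpoint-independent mapping and address-port-dependent filtering behaviour the feature list below names. It uses the page’s prefix, NAT pool address and ports; the subscriber address is written as 2001:DB8:5001::30 so that it parses as a valid IPv6 address, and the one-address pool and sequential port counter are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv6Address, IPv6Network

NAT64_PREFIX = IPv6Network("2001:DB8:300::/96")   # prefix from the page's example


@dataclass
class Nat64:
    """Toy stateful NAT64 (illustration only): endpoint-independent mapping (EIM)
    with address-port-dependent filtering (APDF)."""
    nat_pool: list                                 # constructed NAT IPv4 pool, e.g. ["203.0.113.61"]
    next_port: int = 3002                          # first NAT port handed out (value from the page)
    mappings: dict = field(default_factory=dict)   # (sub6, sport) -> (nat4, nat_port)
    sessions: set = field(default_factory=set)     # (nat4, nat_port, dst4, dport)

    def outbound(self, src6, sport, dst6, dport):
        """IPv6 request -> IPv4 request; None if dst6 is outside the NAT64 prefix."""
        src6, dst6 = IPv6Address(src6), IPv6Address(dst6)
        if dst6 not in NAT64_PREFIX:
            return None                            # not NAT64 traffic, nothing to translate
        dst4 = IPv4Address(int(dst6) & 0xFFFFFFFF)  # strip the /96 prefix (RFC 6052)
        key = (src6, sport)
        if key not in self.mappings:               # EIM: one mapping per subscriber endpoint,
            self.mappings[key] = (IPv4Address(self.nat_pool[0]), self.next_port)
            self.next_port += 1                    # reused for every destination (real LSN
        nat4, nat_port = self.mappings[key]        # allocates from port blocks instead)
        self.sessions.add((nat4, nat_port, dst4, dport))
        return (str(nat4), nat_port, str(dst4), dport)

    def inbound(self, src4, sport, dst4, dport):
        """IPv4 response -> IPv6 response; None (drop) unless an outbound session created it."""
        src4, dst4 = IPv4Address(src4), IPv4Address(dst4)
        if (dst4, dport, src4, sport) not in self.sessions:
            return None                            # APDF: unsolicited inbound packets are dropped
        for (sub6, sub_port), nat in self.mappings.items():
            if nat == (dst4, dport):
                src6 = IPv6Address(int(NAT64_PREFIX.network_address) | int(src4))
                return (str(src6), sport, str(sub6), sub_port)
        return None
```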
Large Scale NAT64 Features Supported on Citrix ADC Appliances
Large scale NAT64 on a Citrix ADC appliance supports the standard LSN feature set. For more information on these LSN features, see LSN Architecture.
Following are some of the large scale NAT64 features supported on Citrix ADC appliances:
- ALGs. Support of Application Layer Gateways (ALGs) for the SIP, RTSP, FTP, ICMP, and TFTP protocols.
- Deterministic/Fixed NAT. Support for pre-allocation of blocks of ports to subscribers to minimize logging.
- Mapping. Support of Endpoint-independent mapping (EIM), Address-dependent mapping (ADM), and Address-Port dependent mapping (APDM).
- Filtering. Support of Endpoint-Independent Filtering (EIF), Address-Dependent Filtering (ADF), and Address-Port-Dependent Filtering (APDF).
- Quotas. Configurable limits on number of ports, sessions per subscriber, and sessions per LSN group.
- Static Mapping. Support for manually defining a large scale NAT64 mapping.
- Hairpin Flow. Support for communication between subscribers or internal hosts using NAT IP addresses.
- 464XLAT connections. Support for communication between IPv4-only applications on IPv6 subscriber hosts and IPv4 hosts on the Internet through an IPv6 network.
- Variable length NAT64 and DNS64 prefixes. The Citrix ADC appliance supports NAT64 and DNS64 prefixes with lengths of 32, 40, 48, 56, 64, and 96 bits.
- Multiple NAT64 and DNS64 prefixes. The Citrix ADC appliance supports multiple NAT64 and DNS64 prefixes.
- LSN Clients. Support for specifying or identifying subscribers for large scale NAT64 by using IPv6 prefixes and extended ACL6 rules.
- Logging. Support for logging NAT64 sessions for law enforcement. In addition, the following logging features are supported:
  - Reliable SYSLOG. Support for sending SYSLOG messages over TCP to external log servers for a more reliable transport mechanism.
  - Load balancing of log servers. Support for load balancing of external log servers to prevent storage of redundant log messages.
  - Minimal Logging. Deterministic LSN configurations, or Dynamic LSN configurations with port block allocation, significantly reduce the large scale NAT64 log volume.
  - Logging MSISDN information. Support for including subscribers’ MSISDN information in large scale NAT64 logs to identify and track subscriber activity over the Internet.