[c-nsp] IPv6 static NAT (PAT)
Brandon Applegate
brandon at burn.net
Wed Apr 28 08:16:48 EDT 2010
Hi,

I'm trying to figure out the (NAT/PAT) mechanics of assigning a customer
ipv6 only. I know I don't have to worry about this today, but I tend to
jump to the worst case scenario first and work backwards.

(FYI - I am talking about datacenter / dedicated access only - i.e. no
residential at all)

In the ipv4 world, if I have a single (static) IP assigned, I can do all
kinds of PAT (send port 80 to 192.168.1.10, send port 25 to 192.168.1.11,
etc). Aside from the 'nat is evil' issue, I personally view this as fairly
efficient and a good conservation of resources (ipv4 addresses, that is).
Of course this has to fit your network needs, and for many folks I would
say it does.

However, to provide reachability from an ipv4 only client to an ipv6 only
'server', parts of this design break down.

Assume I have an ipv6 only customer, but they have a web server that they
need to have reachable from the ipv4-only clients during the great
transition. I can take a single ipv4 address from what I have left,
charge them some fee for using it, and static NATPT this to their
webserver ipv6 address. However, now if they also have a mail server that
they need reachable in the same manner, I have to use another ipv4 address
and NATPT that through likewise. I had assumed that I could PAT the ipv4,
thereby using only one ipv4 address but sending each port to a different
ipv6 address. Or even doing ipv6 PAT on an ASA for example. From what I
can find, there is no ipv6 'PAT' functionality in either ASA code or IOS.

From the customer's perspective, this is a waste of the $fee for the IP,
since I only need a few ports to get me through during the transition. I
don't need N unique ipv4 addresses. Not to mention that this is a waste of
the provider's addresses, which are of course under duress. It would be
nice, and a very engineering centric view, to say 'if you want reachability
to my ipv6 server, you need to complain to YOUR ISP to get you ipv6
access'. This would also accelerate ipv6 growth. However, I have a
feeling that the PHBs wouldn't find this acceptable if a single business
partner/customer stuck on ipv4 only couldn't reach one of their services.

I guess an ugly hack would be to have a middle layer, using rfc1918 ipv4.
The outermost layer would do ipv4-ipv4 PAT, sending a single ipv4 address
+ ports to unique rfc1918. These rfc1918s would then NATPT to the real
ipv6.

Is there any way to do this without an extra 'fixer' nat box?
--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151. This is the serial number, of our orbital gun."
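As an added illustration of the 'fixer' box the post asks about (example code written for this page, not from the post or from any Cisco product), a minimal user-space TCP relay that binds several ports on one IPv4 address and hands each to a different IPv6-only server, i.e. the application-layer equivalent of per-port NAT-PT. It assumes Python 3.8+, constructed 2001:db8:: targets and TCP only; because the relay terminates each connection, the IPv6 server sees only the relay's own address, so the log line is what keeps the client's real IPv4 source attributable.

```python
import socket
import threading
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    v4_port: int   # port on the single shared public IPv4 address
    v6_host: str   # IPv6-only server that port is relayed to (constructed 2001:db8:: values)
    v6_port: int

def parse_rules(text):
    """Parse lines of the form '80 -> [2001:db8::10]:80' into {v4_port: Rule}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        lhs, rhs = (part.strip() for part in line.split("->", 1))
        host, _, port = rhs.rpartition(":")
        if not (host.startswith("[") and host.endswith("]")):
            raise ValueError(f"target must be written as [ipv6]:port: {line!r}")
        host = host[1:-1]
        socket.inet_pton(socket.AF_INET6, host)  # raises OSError unless it is IPv6
        rules[int(lhs)] = Rule(int(lhs), host, int(port))
    return rules

def _pump(src, dst):
    # Copy one direction until EOF, then half-close so the peer sees the end too.
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def serve(rule, bind_v4="0.0.0.0", log=print):
    """Accept IPv4 clients on rule.v4_port and relay each TCP session to the IPv6 target."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_v4, rule.v4_port))
    listener.listen()
    while True:
        client, peer = listener.accept()
        # Log the real IPv4 peer: the target only ever sees the relay's own IPv6 address.
        log(f"{peer[0]}:{peer[1]} -> [{rule.v6_host}]:{rule.v6_port}")
        upstream = socket.create_connection((rule.v6_host, rule.v6_port), timeout=10)
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
```

Run one `serve(rule)` thread per parsed rule; UDP and protocols that embed addresses in the payload (FTP, SIP) are not covered, the same limitation any NAT-PT has.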