[j-nsp] MS-DPC, Nat between IPv6 and IPv4.

[Peter Krupl]

Hi Group,

We recently purchased some MX240's for our network. Initially the
where supposed to be used as MPLS PE routers. And for DHCP + PPPoE
subscriber termination. We are relying on netflow, for traffic accounting
so we also got the MS-DPC's for that purpose.

But the MS-DPC offers much more than netflow :).

Today we have several IPv4 MPLS based VPN's, for our customers. So what 
i wanted to achieve was to map each VPN's private address space, to a common
IPv6 address space for management purposes.

As an example the customer VRF's could be mapped as shown below:
Vrf A 172.16.0.0/12 to 2a01:3a0:3333:0:0:2:ac10::/108
Vrf B 172.16.0.0/12 to 2a01:3a0:3333:0:0:3:ac10::/108

The management stations are all located on an IPv6 network, and should be 
presented with the same IPv4 addresses in each VRF. 
Junipers documentation calls NAT which translates both source and destination "Twice NAT".

Twice nat between IPv4 and IPv6 works, with one exception. When a TCP session is closed,
the MS-DPC tears down the flow in the statefull firewall too early. I seems like he session is
terminated when the first FIN packet is seen in either direction. That's a bug for sure, and I 
hope Juniper will fix it. But for SNMP, ICMP, and syslog im still OK. 

The second issue I have is that the IPv4 source pool for the management stations should be the
same I each customer VRF for two reasons. I think that this should be possible, as long as the source
is within different VRF's

1. Same source, means all CE devices have the same configuration for management.
2. To make sure that there is no addressing conflict within the customer vrf's I want to use public IP's,
allocating different IP's to each VRf would be a waste of IPv4 addresses



Med venlig hilsen / Kind Regards
Peter Krupl

Netværksspecialist
Teknik
Direkte +45 3525 4752
Kundeservice +45 7026 2300
Fax +45 7026 2301
Stationsparken 25 . 2600 Glostrup . Danmark . siminn.dk