[j-nsp] For info: NAT64 on M7i using adaptive services
Phil Mayers
p.mayers at imperial.ac.uk
Tue Nov 29 12:06:49 EST 2011
All,
Some time ago, I asked whether this was possible. tl;dr - it is, and
mostly works with a few caveats.
The config I used was basically the same as that in the "Configuring
Stateful NAT64 for Handling IPv4 Address Depletion" document from
Juniper, but with one important change (that document assumes an MX 3D
router - maybe the unvarnished config works there).
In that document, they give an interface config like so:
ge-1/3/0 {
description "IPv6 only domain";
unit 0 {
family inet;
family inet6 {
service {
input {
service-set nat64;
}
output {
service-set nat64;
}
}
address 2001:db8::x/112;
}
}
}
This did NOT work until I actually added an IPv4 address under "family
inet" i.e.
set interface ge-1/3/0 unit 0 family inet address ....
Without an actual IPv4 address, the M7i simply didn't work, and it very
much did NOT give any useful logging or diagnostics - it just failed in
weird ways, with weird log messages.
With this config, the NAT64 worked just fine. I then provisioned a 2nd
NAT64 prefix, out of our local /48, and used a firewall filter that
basically said this:
1. from local addresses -> 64:FF9B::/96 permit
2. from ::/0 -> 2001:db8:site::/96 permit
...and on IPv6 day we published a AAAA record for one of our IPv4-only
webservers of the form:
wwwX.imperial.ac.uk. IN AAAA 2001:db8:site::155.198.x.y
...and inbound IPv6 traffic to that address came via the NAT64 function
on the M7i.
This *mostly* worked, but we did have a few problems.
Firstly, we had problems with users whose IPv6 MTU was <1500. The NAT64
function on the M7i (at least for JunOS 10.4R1.9, the version we ran at
the time) does NOT appear to correctly translate the ICMPv6 messages
into ICMPv4 required for PMTUd to work. The reverse direction (ICMPv4
must-frag -> ICMPv6 must-frag) did appear to work, but we didn't test
extensively.
We worked around this with TCP MSS clamping further into the network,
but it was not very satisfactory.
Secondly, we saw problems where source IP/port combinations were re-used
from the pool very quickly, and these re-used ports were then refused by
the webserver with a TCP RST.
We ameliorated this by moving to:
services {
nat {
pool POOL {
address y.y.y.0/24;
port {
automatic {
random-allocation;
}
}
}
}
}
...which seemed to reduce the problem to a very, very tiny level.
I am assuming this 2nd issue would not show up with a "real" NAT64
deployment where IPv6 clients talk to a very diverse set of IPv4 hosts
through the NAT64. But if your IPv6 clients are talking to a small
number of (or singular!) host(s) via the NAT64, the fact that ports are
recycled quicker than TIME_WAIT seems to cause problems for some IP stacks.
I did intend to investigate this further at some point, but it's looking
unlikely I'll find the time now.
Finally, a note on throughput - the built-in services thingy on the M7i
can do about 800Mbit/sec which is documented, but it's worth noting that
I benchmarked >2000 sessions/sec ramp rate, and IIRC at this point the
ASM CPU was not fully loaded. I also benchmarked >20k sessions, and
again RAM was not fully loaded. So it's a respectable (if not huge)
performance from such an old platform.
Hopefully this information is useful to someone.
Cheers,
Phil
More information about the juniper-nsp
mailing list