[AusNOG] Data retention compliant NAT64 or equivalent

Philip Loenneker Philip.Loenneker at tasmanet.com.au
Mon May 7 13:30:48 EST 2018


Hi all,

I had someone ask me where I got to with this, so thought I would reply on here for everyone's benefit.

There are some nice technologies around to support IPv6-only to the CPE... however they all rely heavily on the CPE supporting that technology. Ok that's not quite true - but if customers have any IPv4 only devices, then it becomes true. If we choose one technology that works with one product, it could lock us and our customers in to only using devices from that manufacturer, or in some cases even a specific model. I'm hesitant to make that commitment. As an ISP customer, I know I would be annoyed if I was locked in to particular CPEs and their potentially limited feature sets.

At this point I'm leaning towards NAT444/CGNAT simply because it should work with every router out there. The fact that we can get it working without needing any additional hardware is also a big tick. But I'm only one member in a team, and this will be discussed more broadly within the team, so we'll see where we end up. Regardless, we'll be providing IPv6 to hopefully avoid some of the issues customers may have due to not having a public IPv4 address.

I'm still interested in hearing any suggestions others may have - we're still in the planning stages so we have some flexibility.

Thanks again to everyone who provided advice and suggestions.

Regards,
Philip Loenneker | Network Engineer | TasmaNet
40-50 Innovation Drive, Dowsing Point, Tas 7010, Australia
P: 1300 792 711
philip.loenneker at tasmanet.com.au
www.tasmanet.com.au

-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Philip Loenneker
Sent: Tuesday, 17 April 2018 9:05 AM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Data retention compliant NAT64 or equivalent


Thanks Mark and everyone else that replied directly. I received a lot of useful information and suggestions.

I didn't articulate it very well, but my main concern is the data retention requirements. There are quite a few different technologies available to achieve what we need, some of which I prefer from a technical point of view, however not many of them would allow us to identify the pre-NAT and post-NAT IP/port details of a session to allow us to meet our DR obligations. I suspect that having a suitable audit trail on the connections will define the technology we end up going with more than anything else.

It looks like NAT444 (CGNAT) generally has more logging available than NAT64 solutions, including collecting the data via Netflow for some vendors.

Regards,
Philip Loenneker | Network Engineer | TasmaNet
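The audit trail Philip describes for NAT444 is a translation log: a CREATE/DELETE event per session carrying the pre-NAT (inside) and post-NAT (outside) IP and port, keyed by time. The following is an added example, not code from the thread or from any vendor: it parses a constructed, vendor-neutral NAT44 log (the field names are an assumption for this example; real CGNs emit the same information over syslog or as NetFlow/IPFIX NAT event records) into session records and answers the question a retention request actually asks, "which subscriber held public IP:port at time T". The sample log is constructed and deliberately reuses one public port so the time-bounded lookup matters.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed, vendor-neutral NAT44 translation-log format for this example.
# Real CGNAT devices emit something equivalent over syslog or as NetFlow/IPFIX
# NAT event records, but the field names here are not any vendor's.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) nat44 (?P<event>CREATE|DELETE) proto=(?P<proto>\w+) "
    r"inside=(?P<in_ip>[\d.]+):(?P<in_port>\d+) "
    r"outside=(?P<out_ip>[\d.]+):(?P<out_port>\d+)$"
)

# Constructed sample log: 100.64.0.0/10 is the RFC 6598 shared address space
# used inside the CGN, 203.0.113.0/24 is a documentation range standing in for
# the public pool. Note that 203.0.113.10:40011 is reused after 02:20:41Z.
SAMPLE_LOG = """\
2018-05-07T02:15:03Z nat44 CREATE proto=tcp inside=100.64.3.7:51234 outside=203.0.113.10:40011
2018-05-07T02:15:09Z nat44 CREATE proto=tcp inside=100.64.9.2:40500 outside=203.0.113.10:40012
2018-05-07T02:20:41Z nat44 DELETE proto=tcp inside=100.64.3.7:51234 outside=203.0.113.10:40011
2018-05-07T02:21:00Z nat44 CREATE proto=tcp inside=100.64.11.5:61000 outside=203.0.113.10:40011
"""


@dataclass
class Session:
    proto: str
    inside: tuple   # (private IP, private port), pre-NAT
    outside: tuple  # (public IP, public port), post-NAT
    start: datetime
    end: Optional[datetime] = None  # None = still open at end of log


def parse_ts(s: str) -> datetime:
    # Retention records must carry an unambiguous timezone; the constructed
    # format logs UTC with a trailing Z.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text: str) -> list:
    """Pair CREATE/DELETE events into Session records."""
    sessions, open_by_key = [], {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated syslog noise
        key = (m["proto"], m["in_ip"], int(m["in_port"]), m["out_ip"], int(m["out_port"]))
        ts = parse_ts(m["ts"])
        if m["event"] == "CREATE":
            s = Session(key[0], key[1:3], key[3:5], ts)
            sessions.append(s)
            open_by_key[key] = s
        else:
            s = open_by_key.pop(key, None)
            if s is not None:
                s.end = ts
    return sessions


def lookup_inside(sessions, out_ip: str, out_port: int, proto: str, at: str) -> list:
    """Answer a retention request: which inside endpoint held public (ip, port) at `at`?"""
    t = parse_ts(at)
    hits = [
        s.inside
        for s in sessions
        if s.proto == proto
        and s.outside == (out_ip, out_port)
        and s.start <= t
        and (s.end is None or t < s.end)
    ]
    # More than one hit means the log's timestamp granularity cannot separate
    # two tenants of the same port; the request then also needs the destination.
    return hits


if __name__ == "__main__":
    sessions = parse_nat_log(SAMPLE_LOG)
    print(lookup_inside(sessions, "203.0.113.10", 40011, "tcp", "2018-05-07T02:18:00Z"))
    print(lookup_inside(sessions, "203.0.113.10", 40011, "tcp", "2018-05-07T02:22:00Z"))
```

The lookup is only as good as the clock on the CGN and on the requester's side, which is why the requester's timestamp, timezone and transport protocol need to be part of every request; a per-session log of this shape is also what makes NAT444 log volume so large, which is the cost MAP's deterministic port allocation avoids.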

-----Original Message-----
From: Mark Andrews [mailto:marka at isc.org]
Sent: Monday, 16 April 2018 4:23 PM
To: Philip Loenneker <Philip.Loenneker at tasmanet.com.au>
Cc: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Data retention compliant NAT64 or equivalent

Look at MAP-T (RFC 7599) and MAP-E (RFC 7597) if you wish to reduce the amount of logging you need to do.

They don’t require DNS64 so they don’t break DNSSEC.

MAP-T can be used with NAT64 if you have already deployed DNS64/NAT64.

Mark

> On 16 Apr 2018, at 3:21 pm, Philip Loenneker <Philip.Loenneke at tasmanet.com.au> wrote:
>
> Hi all,
>
> Due to ever-decreasing IPv4, I’ve been investigating the possibility of providing IPv6-only Internet connections for customers. There are 2 key issues:
>       • Client devices that are IPv4-only
>       • Internet resources that are IPv4-only
>
> For the client-side issue, I’m following up with our CPE vendor to see if 464XLAT or similar is available. I’ll be labbing it up in the near future, but am hoping they can save me some time. Failing that, we may need to resort to CGNAT, but I’m hoping to avoid it.
>
> For the Internet-side issue, I’m looking into options such as NAT64 (DNS64 is available on our resolvers, just not enabled). Some common options I’ve found include:
> Jool.mx - seems like a well-used option, last updated in January this year. Doesn’t appear to have good logging for NAT translations, might be possible with full debug logs but that is noisy.
> Tayga - looks like it hasn’t had an update since 2011, and may not support current Linux kernel versions. Couldn’t find information on what logging is available.
> Palo Alto PAN-OS - appears to have NAT64 functionality since 2013 and have regular updates. Lots of logging available. Commercial product (not that that is a show stopper).
> Wrapsix – claims to be one of the fastest implementations, last update around 5 months ago. Only supports a single IPv4 address – I suspect that won’t handle the load for us.
> Ecdysis – looks like it hasn’t had an update since 2014, however claims to be included in OpenBSD 5.1+ core release.
> Various hardware, including Juniper, Cisco. I was disappointed to not find anything on Cumulus or Open Network Linux.
>
> Most of the information related to implementing this kind of thing is international, which means they don’t care about Australia-specific things like Data Retention.
>
> I’m wondering if anyone out there has any tips on NAT64 or similar products that do or do not allow you to collect the necessary information for Data Retention. I appreciate any thoughts, on or off list.
>
> Regards,
> Philip Loenneker | Network Engineer | TasmaNet
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
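The reason MAP reduces logging is that the shared IPv4 address and the port set a subscriber may use are computed from the subscriber's IPv6 prefix and the Basic Mapping Rule (RFC 7597 section 5), so the operator only needs to retain the rules and the prefix assignments rather than a record per session. The following is an added example, not Mark's or ISC's code and not anything from RFC 7597 itself: it implements the port-mapping algorithm of RFC 7597 section 5.1 in both directions, and the values it runs on are the rule and end-user prefix from the RFC's Appendix A worked example (an assumption chosen for illustration, not TasmaNet's addressing). The reverse function is the data-retention lookup: given a public IPv4 address and port, recover the subscriber's IPv6 prefix.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class BasicMappingRule:
    """A MAP Basic Mapping Rule (RFC 7597 s5): one rule covers many subscribers."""
    ipv6_prefix: ipaddress.IPv6Network
    ipv4_prefix: ipaddress.IPv4Network
    ea_len: int           # embedded-address bits: IPv4 suffix bits + PSID bits
    psid_offset: int = 6  # "a" in the port-mapping algorithm; 6 excludes ports 0-1023

    def __post_init__(self):
        if not 0 <= self.psid_len <= 16 - self.psid_offset:
            raise ValueError("EA-bits length / PSID offset inconsistent")

    @property
    def ipv4_suffix_len(self) -> int:
        return 32 - self.ipv4_prefix.prefixlen

    @property
    def psid_len(self) -> int:  # "k": number of PSID bits
        return self.ea_len - self.ipv4_suffix_len

    @property
    def contiguous_bits(self) -> int:  # "m": each contiguous port block holds 2**m ports
        return 16 - self.psid_offset - self.psid_len


def shared_ipv4_and_psid(rule: BasicMappingRule, user_prefix: str):
    """Forward direction (what the CE does): end-user IPv6 prefix -> (shared IPv4, PSID)."""
    prefix = ipaddress.IPv6Network(user_prefix)
    ea_shift = 128 - rule.ipv6_prefix.prefixlen - rule.ea_len
    ea_bits = (int(prefix.network_address) >> ea_shift) & ((1 << rule.ea_len) - 1)
    psid = ea_bits & ((1 << rule.psid_len) - 1)
    suffix = ea_bits >> rule.psid_len
    return ipaddress.IPv4Address(int(rule.ipv4_prefix.network_address) | suffix), psid


def port_set(rule: BasicMappingRule, psid: int) -> list:
    """Every port a PSID may use: port = A<<(16-a) | PSID<<m | M, with A>=1 when a>0."""
    a, m = rule.psid_offset, rule.contiguous_bits
    first_a = 1 if a > 0 else 0  # A == 0 is excluded so the well-known ports are never shared
    return [(A << (16 - a)) | (psid << m) | M
            for A in range(first_a, 1 << a) for M in range(1 << m)]


def user_prefix_for(rule: BasicMappingRule, ipv4: str, port: int):
    """Reverse direction (the data-retention lookup): public IPv4 + port -> subscriber prefix."""
    a, k, m = rule.psid_offset, rule.psid_len, rule.contiguous_bits
    if a > 0 and (port >> (16 - a)) == 0:
        raise ValueError(f"port {port} is in the excluded A=0 range, so it is not a MAP port")
    suffix = int(ipaddress.IPv4Address(ipv4)) - int(rule.ipv4_prefix.network_address)
    if not 0 <= suffix < (1 << rule.ipv4_suffix_len):
        raise ValueError(f"{ipv4} is not covered by rule {rule.ipv4_prefix}")
    psid = (port >> m) & ((1 << k) - 1)
    ea_bits = (suffix << k) | psid
    ea_shift = 128 - rule.ipv6_prefix.prefixlen - rule.ea_len
    addr = int(rule.ipv6_prefix.network_address) | (ea_bits << ea_shift)
    return ipaddress.IPv6Network((addr, rule.ipv6_prefix.prefixlen + rule.ea_len)), psid


# The rule from RFC 7597 Appendix A (the RFC's documentation values, not a real deployment).
RULE = BasicMappingRule(ipaddress.IPv6Network("2001:db8::/40"),
                        ipaddress.IPv4Network("192.0.2.0/24"), ea_len=16)

if __name__ == "__main__":
    v4, psid = shared_ipv4_and_psid(RULE, "2001:db8:12:3400::/56")
    print(v4, hex(psid), port_set(RULE, psid)[:4])   # 192.0.2.18 0x34 [1232, 1233, 1234, 1235]
    print(user_prefix_for(RULE, "192.0.2.18", 2257))  # (IPv6Network('2001:db8:12:3400::/56'), 52)
```

With this rule each /56 shares 192.0.2.18 with 255 other subscribers and owns 252 ports in 63 blocks of 4, and any logged public IP:port pair resolves to a prefix without per-session state, which is the logging reduction Mark is referring to. The retention records that remain necessary are the rule set in force at each point in time and the mapping from end-user prefix to customer.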


