[AusNOG] Data retention compliant NAT64 or equivalent

Mark Andrews marka at isc.org
Mon Apr 16 16:22:39 EST 2018 

Look at MAP-T (RFC 7599) and MAP-E (RFC 7597) if you wish to reduce the amount of logging your need to do.

They don’t require DNS64 so they don’t break DNSSEC.

MAP-T can be used with NAT64 if you have already deployed DNS64/NAT64.

Mark

> On 16 Apr 2018, at 3:21 pm, Philip Loenneker <Philip.Loenneke at tasmanet.com.au> wrote:
> 
> Hi all,
>  
> Due to ever-decreasing IPv4, I’ve been investigating the possibility of providing IPv6-only Internet connections for customers. There are 2 key issues:
> 	• Client devices that are IPv4-only
> 	• Internet resources that are IPv4-only
>  
> For the client-side issue, I’m following up with our CPE vendor to see if 464XLAT or similar is available. I’ll be labbing it up in the near future, but am hoping they can save me some time. Failing that, we may need to resort to CGNAT, but I’m hoping to avoid it.
>  
> For the Internet-side issue, I’m looking into options such as NAT64 (DNS64 is available on our resolvers, just not enabled). Some common options I’ve found include:
> Jool.mx - seems like a well-used option, last updated in January this year. Doesn’t appear to have good logging for NAT translations, might be possible with full debug logs but that is noisy.
> Tayga - looks like it hasn’t had an update since 2011, and may not support current Linux kernel versions. Couldn’t find information on what logging is available.
> Palo Alto PAN-OS - appears to have NAT64 functionality since 2013 and have regular updates. Lots of logging available. Commercial product (not that that is a show stopper).
> Wrapsix – claims to be one of the fastest implementations, last update around 5 months ago. Only supports a single IPv4 address – I suspect that won’t handle the load for us.
> Ecdysis – looks like it hasn’t had an update since 2014, however claims to be included in OpenBSD 5.1+ core release.
> Various hardware, including Juniper, Cisco. I was disappointed to not find anything on Cumulus or Open Network Linux.
>  
> Most of the information related to implementing this kind of thing is international, which means they don’t care about Australia-specific things like Data Retention.
>  
> I’m wondering if anyone out there has any tips on NAT64 or similar products that do or do not allow you to collect the necessary information for Data Retention. I appreciate any thoughts, on or off list.
>  
> Regards,
> Philip Loenneker | Network Engineer | TasmaNet
> 40-50 Innovation Drive, Dowsing Point, Tas 7010, Australia
> P: 1300 792 711
> philip.loenneker at tasmanet.com.au
> www.tasmanet.com.au
>  
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the AusNOG mailing list