[AusNOG] Data retention compliant NAT64 or equivalent
Philip Loenneker
Philip.Loenneker at tasmanet.com.au
Tue Apr 17 09:05:03 EST 2018
Thanks Mark and everyone else that replied directly. I received a lot of useful information and suggestions and information.
I didn't articulate it very well, but my main concern is the data retention requirements. There are quite a few different technologies available to achieve what we need, some I prefer from a technical point of view, however not many of them would allow us to identify the pre-NAT and post-NAT IP/port details of a session to allow us to meet our DR obligations. I suspect that having a suitable audit trail on the connections will define the technology we end up going with more than anything else.
It looks like NAT444 (CGNAT) generally has more logging available than NAT64 solutions, including collecting the data via Netflow for some vendors.
Regards,
Philip Loenneker | Network Engineer | TasmaNet
40-50 Innovation Drive, Dowsing Point, Tas 7010, Australia
P: 1300 792 711
philip.loenneker at tasmanet.com.au
www.tasmanet.com.au
-----Original Message-----
From: Mark Andrews [mailto:marka at isc.org]
Sent: Monday, 16 April 2018 4:23 PM
To: Philip Loenneker <Philip.Loenneker at tasmanet.com.au>
Cc: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Data retention compliant NAT64 or equivalent
Look at MAP-T (RFC 7599) and MAP-E (RFC 7597) if you wish to reduce the amount of logging your need to do.
They don’t require DNS64 so they don’t break DNSSEC.
MAP-T can be used with NAT64 if you have already deployed DNS64/NAT64.
Mark
> On 16 Apr 2018, at 3:21 pm, Philip Loenneker <Philip.Loenneke at tasmanet.com.au> wrote:
>
> Hi all,
>
> Due to ever-decreasing IPv4, I’ve been investigating the possibility of providing IPv6-only Internet connections for customers. There are 2 key issues:
> • Client devices that are IPv4-only
> • Internet resources that are IPv4-only
>
> For the client-side issue, I’m following up with our CPE vendor to see if 464XLAT or similar is available. I’ll be labbing it up in the near future, but am hoping they can save me some time. Failing that, we may need to resort to CGNAT, but I’m hoping to avoid it.
>
> For the Internet-side issue, I’m looking into options such as NAT64 (DNS64 is available on our resolvers, just not enabled). Some common options I’ve found include:
> Jool.mx - seems like a well-used option, last updated in January this year. Doesn’t appear to have good logging for NAT translations, might be possible with full debug logs but that is noisy.
> Tayga - looks like it hasn’t had an update since 2011, and may not support current Linux kernel versions. Couldn’t find information on what logging is available.
> Palo Alto PAN-OS - appears to have NAT64 functionality since 2013 and have regular updates. Lots of logging available. Commercial product (not that that is a show stopper).
> Wrapsix – claims to be one of the fastest implementations, last update around 5 months ago. Only supports a single IPv4 address – I suspect that won’t handle the load for us.
> Ecdysis – looks like it hasn’t had an update since 2014, however claims to be included in OpenBSD 5.1+ core release.
> Various hardware, including Juniper, Cisco. I was disappointed to not find anything on Cumulus or Open Network Linux.
>
> Most of the information related to implementing this kind of thing is international, which means they don’t care about Australia-specific things like Data Retention.
>
> I’m wondering if anyone out there has any tips on NAT64 or similar products that do or do not allow you to collect the necessary information for Data Retention. I appreciate any thoughts, on or off list.
>
> Regards,
> Philip Loenneker | Network Engineer | TasmaNet
> 40-50 Innovation Drive, Dowsing Point, Tas 7010, Australia
> P: 1300 792 711
> philip.loenneker at tasmanet.com.au
> www.tasmanet.com.au
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the AusNOG
mailing list