Cisco IOS has supported NAT-PT since version 12.2(13)T and also provides a DNS ALG, so dynamic bidirectional NAT-PT is possible as well.
The test network in this experiment is kept as simple as possible in order to avoid potential sources of routing errors and to examine only NAT-PT itself (Fig. 8.1).
The network configuration of the nodes in subnet A is done manually. The important settings are the default gateway (10.0.1.2) and the name server (10.0.1.30). In subnet B the Cisco router assigns addresses from the network fec1::/64 via autoconfiguration.
The Domino LAN analyzer is not needed for this test; the network traffic is analysed directly on the Linux PCs using Ethereal.
NAT-PT can be set up statically or dynamically. Static means that a NAT entry has to be created for every single host. This approach requires a lot of administrative effort and is therefore rather error-prone.
For both variants, NAT-PT must first be enabled on both interfaces:
R5(config)#interface f0/0
R5(config-if)#ipv6 nat
R5(config)#interface f0/1
R5(config-if)#ipv6 nat
Only IPv6 may be enabled on interface f0/1 and only IPv4 on interface f0/0. In addition, the interfaces need suitable IP addresses. The router must then be told which IPv6 addresses belong to which IPv4 addresses.
R5(config)#ipv6 nat v6v4 source fec1::201:2ff:fe87:179c 10.0.99.100
R5(config)#ipv6 nat v4v6 source 10.0.1.31 fec3::1
R5(config)#ipv6 nat prefix fec3::/96
The host in the IPv6 network with the IP address fec1::201:2ff:fe87:179c can now conveniently be reached from the IPv4 network under the IP address 10.0.99.100, and conversely the IPv4 host with the IP address 10.0.1.31 can be reached in the IPv6 network under the address fec3::1. To remove the static mapping again, the same commands are entered prefixed with no.
The dynamic variant of NAT-PT is more interesting; it is therefore described in more detail here, and the establishment of a TCP session is analysed step by step.
Dynamic NAT-PT is somewhat more complicated to configure. The following steps are required:
R5(config)#ipv6 nat v6v4 pool v4pool 10.0.99.100 10.0.99.200 prefix-length 24
R5(config)#ipv6 access-list v6list
R5(config-ipv6-acl)#permit ipv6 FEC1::/64 any
In this example all hosts are allowed access.
R5(config)#ipv6 nat v6v4 source list v6list pool v4pool
R5(config)#ipv6 nat v4v6 source 10.0.99.100 FEC1::201:2FF:FE87:179C
The example configuration used can be found in Appendix C.2.6.
A DNS server is additionally required on Linux PC 1. Debian ships maradns, a DNS server that is easy to set up; it is installed with apt-get install maradns. The following configuration steps are necessary:
bind_address = "10.0.1.30"
csv1["ipv6.local."] = "db.ipv6.local"
In the zone file db.ipv6.local:
# SOA record
Sipv6.local.|86400|ipv6.local.|hm@ipv6.local.|2003100701|7200|3600|604800|1800
# NS record
Nipv6.local.|86400|ns1.ipv6.local.
# A record for NS
Ans1.ipv6.local.|86400|10.0.1.30
# A record for www.ipv6.local
Awww.ipv6.local.|86400|10.0.1.31
# PTR record for www.ipv6.local
P31.1.0.10.in-addr.arpa.|86400|www.ipv6.local.
The A record ensures that the name www.ipv6.local resolves to the IPv4 address 10.0.1.31. The PTR record is the reverse entry, i.e. a query for 10.0.1.31 returns the name www.ipv6.local. A query with dig confirms the entries:
# dig @10.0.1.30 www.ipv6.local

; <<>> DiG 9.2.1 <<>> @10.0.1.30 www.ipv6.local
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10094
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.ipv6.local.                IN      A

;; ANSWER SECTION:
www.ipv6.local.         86400   IN      A       10.0.1.31

;; AUTHORITY SECTION:
ipv6.local.             86400   IN      NS      ns1.ipv6.local.

;; ADDITIONAL SECTION:
ns1.ipv6.local.         86400   IN      A       10.0.1.30

;; Query time: 1 msec
;; SERVER: 10.0.1.30#53(10.0.1.30)
;; WHEN: Tue Oct  7 09:54:37 2003
;; MSG SIZE  rcvd: 82
Figure 8.2 shows schematically how a TCP connection is established through the NAT-PT gateway. First a DNS query takes place, which causes the entry for host 10.0.1.31 to be created in the NAT-PT translation table on the gateway. After that the TCP connection can be established.
The DNS ALG on the gateway rewrites DNS queries and responses so that AAAA records on the IPv6 side become corresponding A records on the IPv4 side and vice versa. For reverse entries (PTR records) the address format is converted as well. In addition, the TTL of the responses is set to zero to ensure that the IPv6 client issues a DNS request first for every further connection attempt.
Domain Name System (query)
    Transaction ID: 0x6f04
    Flags: 0x0100 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        www.ipv6.local: type AAAA, class inet
            Name: www.ipv6.local
            Type: IPv6 address
            Class: inet

Domain Name System (query)
    Transaction ID: 0x6f04
    Flags: 0x0100 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        www.ipv6.local: type AAAA, class inet
            Name: www.ipv6.local
            Type: IPv6 address
            Class: inet

Domain Name System (response)
    Transaction ID: 0x6f04
    Flags: 0x8400 (Standard query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... ..0. .... = Answer auth.: Answer/authority portion was not authenticated by the server
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 1
    Additional RRs: 0
    Queries
        www.ipv6.local: type AAAA, class inet
            Name: www.ipv6.local
            Type: IPv6 address
            Class: inet
    Authoritative nameservers
        ipv6.local: type SOA, class inet, mname ipv6.local
            Name: ipv6.local
            Type: Start of zone of authority
            Class: inet
            Time to live: 1 day
            Data length: 35
            Primary name server: ipv6.local
            Responsible authority's mailbox: hostmaster.ipv6.local
            Serial number: 19770616
            Refresh interval: 2 hours
            Retry interval: 1 hour
            Expiration limit: 7 days
            Minimum TTL: 30 minutes

Domain Name System (query)
    Transaction ID: 0x6f04
    Flags: 0x0100 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        www.ipv6.local: type A, class inet
            Name: www.ipv6.local
            Type: Host address
            Class: inet

Domain Name System (response)
    Transaction ID: 0x6f04
    Flags: 0x8400 (Standard query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... ..0. .... = Answer auth.: Answer/authority portion was not authenticated by the server
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 1
    Additional RRs: 1
    Queries
        www.ipv6.local: type A, class inet
            Name: www.ipv6.local
            Type: Host address
            Class: inet
    Answers
        www.ipv6.local: type A, class inet, addr 10.0.1.31
            Name: www.ipv6.local
            Type: Host address
            Class: inet
            Time to live: 1 day
            Data length: 4
            Addr: 10.0.1.31
    Authoritative nameservers
        ipv6.local: type NS, class inet, ns ns1.ipv6.local
            Name: ipv6.local
            Type: Authoritative name server
            Class: inet
            Time to live: 1 day
            Data length: 6
            Name server: ns1.ipv6.local
    Additional records
        ns1.ipv6.local: type A, class inet, addr 10.0.1.30
            Name: ns1.ipv6.local
            Type: Host address
            Class: inet
            Time to live: 1 day
            Data length: 4
            Addr: 10.0.1.30

Domain Name System (response)
    Transaction ID: 0x6f04
    Flags: 0x8400 (Standard query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... ..0. .... = Answer auth.: Answer/authority portion was not authenticated by the server
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 1
    Additional RRs: 1
    Queries
        www.ipv6.local: type AAAA, class inet
            Name: www.ipv6.local
            Type: IPv6 address
            Class: inet
    Answers
        www.ipv6.local: type AAAA, class inet, addr fec3::a00:11f
            Name: www.ipv6.local
            Type: IPv6 address
            Class: inet
            Time to live: 0 time
            Data length: 16
            Addr: fec3::a00:11f
    Authoritative nameservers
        ipv6.local: type NS, class inet, ns ns1.ipv6.local
            Name: ipv6.local
            Type: Authoritative name server
            Class: inet
            Time to live: 0 time
            Data length: 6
            Name server: ns1.ipv6.local
    Additional records
        ns1.ipv6.local: type AAAA, class inet, addr fec3::1
            Name: ns1.ipv6.local
            Type: IPv6 address
            Class: inet
            Time to live: 0 time
            Data length: 16
            Addr: fec3::1

Domain Name System (query)
    Transaction ID: 0x6f06
    Flags: 0x0100 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        f.1.1.0.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.c.e.f.ip6.int: type PTR, class inet
            Name: f.1.1.0.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.c.e.f.ip6.int
            Type: Domain name pointer
            Class: inet

Domain Name System (query)
    Transaction ID: 0x6f06
    Flags: 0x0100 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        31.1.0.10.in-addr.arpa: type PTR, class inet
            Name: 31.1.0.10.in-addr.arpa
            Type: Domain name pointer
            Class: inet

Domain Name System (response)
    Transaction ID: 0x6f06
    Flags: 0x8000 (Standard query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... ..0. .... = Answer auth.: Answer/authority portion was not authenticated by the server
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 1
    Additional RRs: 1
    Queries
        31.1.0.10.in-addr.arpa: type PTR, class inet
            Name: 31.1.0.10.in-addr.arpa
            Type: Domain name pointer
            Class: inet
    Answers
        31.1.0.10.in-addr.arpa: type PTR, class inet, ptr www.ipv6.local
            Name: 31.1.0.10.in-addr.arpa
            Type: Domain name pointer
            Class: inet
            Time to live: 1 day
            Data length: 16
            Domain name: www.ipv6.local
    Authoritative nameservers
        ipv6.local: type NS, class inet, ns ns1.ipv6.local
            Name: ipv6.local
            Type: Authoritative name server
            Class: inet
            Time to live: 1 day
            Data length: 6
            Name server: ns1.ipv6.local
    Additional records
        ns1.ipv6.local: type A, class inet, addr 10.0.1.30
            Name: ns1.ipv6.local
            Type: Host address
            Class: inet
            Time to live: 1 day
            Data length: 4
            Addr: 10.0.1.30

Domain Name System (response)
    Transaction ID: 0x6f06
    Flags: 0x8000 (Standard query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... ..0. .... = Answer auth.: Answer/authority portion was not authenticated by the server
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 1
    Additional RRs: 1
    Queries
        f.1.1.0.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.c.e.f.ip6.int: type PTR, class inet
            Name: f.1.1.0.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.c.e.f.ip6.int
            Type: Domain name pointer
            Class: inet
    Answers
        f.1.1.0.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.c.e.f.ip6.int: type PTR, class inet, ptr www.ipv6.local
            Name: f.1.1.0.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.c.e.f.ip6.int
            Type: Domain name pointer
            Class: inet
            Time to live: 0 time
            Data length: 16
            Domain name: www.ipv6.local
    Authoritative nameservers
        0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.c.e.f.ip6.int: type NS, class inet, ns ns1.ipv6.local
            Name: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.c.e.f.ip6.int
            Type: Authoritative name server
            Class: inet
            Time to live: 0 time
            Data length: 6
            Name server: ns1.ipv6.local
    Additional records
        ns1.ipv6.local: type AAAA, class inet, addr fec3::1
            Name: ns1.ipv6.local
            Type: IPv6 address
            Class: inet
            Time to live: 0 time
            Data length: 16
            Addr: fec3::1
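The conversions visible in the DNS captures above (AAAA question to A question, A answer to AAAA answer with the address embedded in the /96 prefix, in-addr.arpa to ip6.int for the reverse lookup, and every TTL forced to 0) can be modelled in a few lines. The following Python code is an added example and is neither the thesis's own code nor the Cisco IOS implementation; it assumes the prefix from the router configuration (ipv6 nat prefix fec3::/96) and represents resource records as plain (owner, type, ttl, rdata) tuples. It models only the prefix-embedded form (10.0.1.31 becomes fec3::a00:11f); the name server address fec3::1 in the responses comes from the static entry in the translation table and is not covered by the model.

```python
"""Model of the address and name rewriting done by the NAT-PT DNS ALG.
Added example, not code from the thesis or from Cisco IOS."""
import ipaddress

# Prefix configured on the router in this experiment: ipv6 nat prefix fec3::/96
NAT_PT_PREFIX = ipaddress.IPv6Network("fec3::/96")


def v4_to_v6(ipv4: str, prefix: ipaddress.IPv6Network = NAT_PT_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of the /96 NAT-PT prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("NAT-PT prefix must be a /96")
    embedded = int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(embedded))


def v6_to_v4(ipv6: str, prefix: ipaddress.IPv6Network = NAT_PT_PREFIX) -> str:
    """Recover the IPv4 address from a prefix-embedded IPv6 address."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError(f"{ipv6} is outside the NAT-PT prefix {prefix}")
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def ip6_int_name(ipv6: str) -> str:
    """Reverse name in the nibble format under ip6.int, as the client above queries it."""
    nibbles = ipaddress.IPv6Address(ipv6).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.int"


def in_addr_arpa_name(ipv4: str) -> str:
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def question_v6_to_v4(qtype: str) -> str:
    """Forward lookup: the client's AAAA question becomes an A question on the IPv4 side."""
    return "A" if qtype == "AAAA" else qtype


def ptr_question_v6_to_v4(qname: str, prefix: ipaddress.IPv6Network = NAT_PT_PREFIX) -> str:
    """Reverse lookup: ip6.int question for an embedded address -> in-addr.arpa question."""
    suffix = ".ip6.int"
    if not qname.endswith(suffix):
        raise ValueError("not an ip6.int name")
    nibbles = qname[: -len(suffix)].split(".")
    if len(nibbles) != 32:
        raise ValueError("expected 32 nibbles in the reverse name")
    v6 = ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    return in_addr_arpa_name(v6_to_v4(str(v6), prefix))


def answer_v4_to_v6(rrs, prefix: ipaddress.IPv6Network = NAT_PT_PREFIX):
    """Rewrite an IPv4-side answer for the IPv6 client: A records become AAAA records
    with the embedded address, PTR owner names move from in-addr.arpa to ip6.int, and
    every TTL is set to 0 so that the client resolves again before each new connection
    (which is what re-creates the translation-table entry on the gateway)."""
    out = []
    for owner, rrtype, _ttl, rdata in rrs:
        if rrtype == "A":
            out.append((owner, "AAAA", 0, v4_to_v6(rdata, prefix)))
        elif rrtype == "PTR" and owner.endswith(".in-addr.arpa"):
            octets = owner[: -len(".in-addr.arpa")].split(".")
            v4 = ".".join(reversed(octets))
            out.append((ip6_int_name(v4_to_v6(v4, prefix)), "PTR", 0, rdata))
        else:
            out.append((owner, rrtype, 0, rdata))
    return out


if __name__ == "__main__":
    # Constructed answer mirroring the A response captured above
    print(answer_v4_to_v6([("www.ipv6.local", "A", 86400, "10.0.1.31"),
                           ("ipv6.local", "NS", 86400, "ns1.ipv6.local")]))
    print(ip6_int_name("fec3::a00:11f"))
```

Running the block reproduces the owner name of the PTR query and the AAAA rdata seen in the captures; the TTL reset is the detail worth noting for defenders, because it means every connection from the IPv6 side is preceded by a DNS exchange that can be logged on the gateway.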
The TCP packets are passed on unchanged, as can be seen from the sequence and acknowledgement numbers. Only the TCP header checksum differs between the IPv4 and the IPv6 network, because the IP source and destination addresses are included in its computation.
Internet Protocol Version 6
    Version: 6
    Traffic class: 0x00
    Flowlabel: 0x00000
    Payload length: 40
    Next header: TCP (0x06)
    Hop limit: 64
    Source address: fec1::201:2ff:fe87:179c (fec1::201:2ff:fe87:179c)
    Destination address: fec3::a00:11f (fec3::a00:11f)
Transmission Control Protocol, Src Port: 36810, Dst Port: 80, Seq: 3777052040, Ack: 0, Len: 0
    Source port: 36810 (36810)
    Destination port: www (80)
    Sequence number: 3777052040
    Header length: 40 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 5760
    Checksum: 0x55b2 (correct)
    Options: (20 bytes)
        Maximum segment size: 1440 bytes
        SACK permitted
        Time stamp: tsval 9308366, tsecr 0
        NOP
        Window scale: 0 bytes

Internet Protocol, Src Addr: 10.0.99.101 (10.0.99.101), Dst Addr: www.ipv6.local (10.0.1.31)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 60
    Identification: 0x0000
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 63
    Protocol: TCP (0x06)
    Header checksum: 0xc338 (correct)
    Source: 10.0.99.101 (10.0.99.101)
    Destination: www.ipv6.local (10.0.1.31)
Transmission Control Protocol, Src Port: 36810, Dst Port: 80, Seq: 3777052040, Ack: 0, Len: 0
    Source port: 36810 (36810)
    Destination port: www (80)
    Sequence number: 3777052040
    Header length: 40 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 5760
    Checksum: 0xffca (correct)
    Options: (20 bytes)
        Maximum segment size: 1440 bytes
        SACK permitted
        Time stamp: tsval 9308666, tsecr 0
        NOP
        Window scale: 0 bytes

Internet Protocol, Src Addr: www.ipv6.local (10.0.1.31), Dst Addr: 10.0.99.101 (10.0.99.101)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 60
    Identification: 0xd555
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0xece2 (correct)
    Source: www.ipv6.local (10.0.1.31)
    Destination: 10.0.99.101 (10.0.99.101)
Transmission Control Protocol, Src Port: 80, Dst Port: 36810, Seq: 2995056313, Ack: 3777052041, Len: 0
    Source port: www (80)
    Destination port: 36810 (36810)
    Sequence number: 2995056313
    Acknowledgement number: 3777052041
    Header length: 40 bytes
    Flags: 0x0012 (SYN, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 32844
    Checksum: 0x7d37 (correct)
    Options: (20 bytes)
        Maximum segment size: 1460 bytes
        NOP
        Window scale: 0 bytes
        NOP
        NOP
        Time stamp: tsval 165441672, tsecr 9308666

Internet Protocol Version 6
    Version: 6
    Traffic class: 0x00
    Flowlabel: 0x00000
    Payload length: 40
    Next header: TCP (0x06)
    Hop limit: 63
    Source address: fec3::a00:11f (fec3::a00:11f)
    Destination address: fec1::201:2ff:fe87:179c (fec1::201:2ff:fe87:179c)
Transmission Control Protocol, Src Port: 80, Dst Port: 36810, Seq: 2995056313, Ack: 3777052041, Len: 0
    Source port: www (80)
    Destination port: 36810 (36810)
    Sequence number: 2995056313
    Acknowledgement number: 3777052041
    Header length: 40 bytes
    Flags: 0x0012 (SYN, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 32844
    Checksum: 0xd1f2 (correct)
    Options: (20 bytes)
        Maximum segment size: 1460 bytes
        NOP
        Window scale: 0 bytes
        NOP
        NOP
        Time stamp: tsval 165441672, tsecr 9308666
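The statement that only the checksum changes can be verified by recomputing it: the TCP bytes are the same on both sides, and the only input that differs is the pseudo-header (addresses, length, protocol) summed in front of the segment. The following Python code is an added example, not code from the thesis. It rebuilds the SYN from the header values printed in the two captures above (port numbers, sequence number, window, the 20 option bytes, and each capture's own tsval, which is printed as 9308366 on the IPv6 side and 9308666 on the IPv4 side), recomputes the checksum over the IPv6 and the IPv4 pseudo-header, and also shows what would happen if a translator forwarded the checksum unchanged.

```python
"""TCP checksum before and after NAT-PT: identical TCP bytes, different pseudo-header.
Added example, not code from the thesis. Header values are those printed in the
captured SYNs; the addresses are the translation-table entries from this experiment."""
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """The pseudo-header summed in front of the segment. It is the only checksum
    input NAT-PT changes, which is why the gateway must recompute the TCP checksum."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must be the same IP version")
    if s.version == 4:  # RFC 793: src, dst, zero byte, protocol, TCP length
        return s.packed + d.packed + struct.pack("!BBH", 0, 6, tcp_len)
    # RFC 2460: src, dst, upper-layer length (32 bit), three zero bytes, next header
    return s.packed + d.packed + struct.pack("!I3xB", tcp_len, 6)


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum of a segment whose checksum field (bytes 16-17) is zero."""
    return (~ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment)) & 0xFFFF


def verify(src: str, dst: str, segment: bytes) -> bool:
    """A correctly checksummed segment sums to 0xFFFF together with its pseudo-header."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def with_checksum(segment: bytes, csum: int) -> bytes:
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def build_syn(sport: int, dport: int, seq: int, window: int, tsval: int) -> bytes:
    """SYN with the option layout of the captured packet: MSS 1440, SACK permitted,
    timestamps, NOP, window scale 0 (20 option bytes, header length 40)."""
    options = (struct.pack("!BBH", 2, 4, 1440) + bytes([4, 2])
               + struct.pack("!BBII", 8, 10, tsval, 0) + bytes([1]) + bytes([3, 3, 0]))
    offset_flags = ((20 + len(options)) // 4 << 12) | 0x0002  # data offset 10, SYN
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, window, 0, 0) + options


V6 = ("fec1::201:2ff:fe87:179c", "fec3::a00:11f")  # IPv6 side of the capture
V4 = ("10.0.99.101", "10.0.1.31")                   # IPv4 side after translation


def checksums_from_captures() -> dict:
    """Recompute the checksums printed in the two captured SYNs (each with its own tsval)."""
    seg6 = build_syn(36810, 80, 3777052040, 5760, tsval=9308366)
    seg4 = build_syn(36810, 80, 3777052040, 5760, tsval=9308666)
    return {"ipv6": tcp_checksum(*V6, seg6), "ipv4": tcp_checksum(*V4, seg4)}


def translate(segment: bytes) -> dict:
    """What the gateway has to do with one segment: keep the TCP bytes, recompute the checksum."""
    seg6 = with_checksum(segment, tcp_checksum(*V6, segment))
    seg4 = with_checksum(segment, tcp_checksum(*V4, segment))
    return {
        "tcp_bytes_unchanged": seg6[:16] + seg6[18:] == seg4[:16] + seg4[18:],
        "ipv6_valid": verify(*V6, seg6),
        "ipv4_valid": verify(*V4, seg4),
        # Forwarding the IPv6-side checksum unchanged leaves a corrupt IPv4 segment,
        # which the receiving host silently discards.
        "ipv6_checksum_valid_on_ipv4_side": verify(*V4, seg6),
    }


if __name__ == "__main__":
    print({k: hex(v) for k, v in checksums_from_captures().items()})
    print(translate(build_syn(36810, 80, 3777052040, 5760, tsval=9308366)))
```

With the values from the captures the block returns 0x55b2 for the IPv6 side and 0xffca for the IPv4 side, the same checksums Ethereal marks as correct above, which confirms that the gateway passed the TCP header through byte for byte and only adjusted the checksum.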
The active NAT-PT translations can be displayed on the router:
R5#show ipv6 nat translations verbose
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      10.0.1.30                FEC3::1
      create 04:07:06, use 00:00:00,

---   ---                      ---
      10.0.1.31                FEC3::A00:11F
      create 02:12:29, use 02:04:47, left 21:55:12,

---   10.0.99.101              FEC1::201:2FF:FE87:179C
      10.0.1.30                FEC3::1
      create 02:12:29, use 02:01:13, left 21:58:46,

---   10.0.99.101              FEC1::201:2FF:FE87:179C
      10.0.1.31                FEC3::A00:11F
      create 02:12:24, use 02:12:24, left 21:47:35,

---   10.0.99.101              FEC1::201:2FF:FE87:179C
      ---                      ---
      create 02:12:29, use 02:01:23, left 21:58:36,
To delete all entries of this table, the command clear ipv6 nat translation * can be used.