++ipv4 islands with jool article

This commit is contained in:
Nico Schottelius 2020-12-15 09:16:46 +01:00
parent eca91cd4c3
commit f1bd6b8c59
4 changed files with 93 additions and 0 deletions

Binary file not shown.

After

Width:  |  Height:  |  Size: 20 KiB

BIN
assets/u/image/ipv4-nat.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 26 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 37 KiB

View file

@ -0,0 +1,93 @@
_hidden: no
---
_discoverable: yes
---
pub_date: 2020-12-15
---
title: Managing IPv4 islands with Jool
---
abstract: How jool allows us to enable IPv4 islands
---
body:
## Introduction
At ungleich we are using [Jool](https://www.jool.mx/) in a
variety of scenarios with NAT64 or SIIT. The main use of jool
in our infrastructure is to enable IPv6 only
hosts to communicate with the IPv4 Internet.
However today we want to show you a different use case of jool:
Enabling IPv4 islands to communicate with the IPv6 Internet.
For this we will focus on using Jool on
[OpenWrt](https://openwrt.org), because this is a platform that you
can also easily use in your networks or even at home.
## The general problem to solve
The literally biggest problem to solve when connecting the two
different worlds is that the IPv6 space is significantly bigger. This
is a problem, because we cannot achieve a 1:1 mapping from the IPv4
world, but we can do a 1:1 mapping from the IPv6 world:
![](/u/image/ipv4-ipv6-nat-asymmetric.png)
## Making IPv4 islands reachable
Assume that you are mostly running IPv6 only networks. And you happen
to have some hosts, which, for whatever reason, cannot be switched to
IPv6. We can use a stateful NAT64 to map "the whole IPv6 Internet" to
192.0.2.1 as follows:
![](/u/image/ipv4-only-island-ipv6-reachable.png)
This works pretty similar to regular NAT that you are used from
home. If we compare it visually, it is even more clear:
![](/u/image/ipv4-nat.png)
Let's have a look at this in an OpenWrt context:
* The LAN network is usually 192.168.1.0/24
* The router's IPv4 address is usually 192.168.1.1
* In this example we routed 2a0a:e5c1:18f::/48 to the router
* 192.168.1.0/24 has 8 bits for the hosts (32-24=8)
* We choose 2a0a:e5c1:18f:b00::/120 to map the IPv4 island (128-120=8)
* We use the OpenWrt's standard address to masquerade/squash the IPv6 Internet
First we will create an "IPv4 pool":
```
root@vigir2:~# jool -4 -a 192.168.1.1
root@vigir2:~# jool -4
+------------+-------+--------------------+-----------------+-------------+
| Mark | Proto | Max iterations | Address | Ports |
+------------+-------+--------------------+-----------------+-------------+
| 0 | TCP | 1024 ( auto) | 192.168.1.1 | 1-65535 |
+------------+-------+--------------------+-----------------+-------------+
| 0 | UDP | 1024 ( auto) | 192.168.1.1 | 1-65535 |
+------------+-------+--------------------+-----------------+-------------+
| 0 | ICMP | 1024 ( auto) | 192.168.1.1 | 0-65535 |
+------------+-------+--------------------+-----------------+-------------+
(Fetched 3 samples.)
```
This allows jool to map IPv6 addresses stateful to 192.168.1.1 and
basically allows incoming IPv6 traffic. What is left now is to
configure the mapping from IPv6 to IPv4. For this we use the pool6
argument of jool:
```
jool -6 2a0a:e5c1:18f:b00::/96
```
Note that we cheated here. We did not only map
2a0a:e5c1:18f:b00::/120, but we did actually map the whole IPv4
range. The advantage of this is that we do not need to care which
networks are used on the IPv4 island. Any IPv4 address inside the LAN
segment is now reachable. If you want to reach the IP address
192.168.1.42, you can ping as **2a0a:e5c1:18f:b00::192.168.1.42**. As
a matter of fact, while writing this article, the sample network is up and
running and you should be able to **ping
2a0a:e5c1:18f:b00::192.168.1.1** from the IPv6 Internet.