Accessing IPv4-only Nodes from an IPv6-only Network

Wayland

Getting from here to there

by Craig Miller

The Transition to IPv6 has been long, and slow. We have reached a stage where many networks are dual-stack, supporting both IPv4 and IPv6. But dual-stack is not the end game. The final picture is to just support IPv6, making everything easy again with only one set of firewall rules, one set of routing tables, one set of everything.

The Real World

But in the real world, IPv4 is going to be with us for a long time. There will be inexpensive devices, such as IoT devices, which will be IPv4-only.

So how do we transition to IPv6-only, which will make everything easier to manage (only having one set of things to manage), and still have a small number of IPv4-only devices on the network?

IPv4 aaS

The answer to this real world problem is to support IPv4-as-a-Service (IPv4aaS). Create islands, or corners of IPv4 support where you need it, while running the bulk of the network as IPv6-only.

But there is no compatibility between IPv4 and IPv6, so how is this done? Through Transition Technologies such as 464XLAT (v4 to v6 to v4 Translation Technology).

NAT64, the v6 gateway to the v4 Internet

Before digging into IPv4aaS, let's review the NAT64 transition technique. If you have set up an IPv6-only network without NAT64, then you have discovered that while you can get to many things on the internet, there is much you can't access. Sadly, there are many web sites which are still IPv4-only. Almost all of the Canadian Government's web sites fall in this category.

So there is a need to access both IPv4 and dual-stack web sites from your IPv6-only network. A NAT64 will translate your IPv6 packets to IPv4. It works in conjunction with DNS64, a special server which translates IPv4 addresses to synthesized IPv6 addresses.

Simple NAT64/DNS64 Network

Host N6 sends a DNS query for Host N4 to the DNS64 server, which returns a synthesized IPv6 address, 64:ff9b::c000:201. Host N6 uses this address as the destination, sending the packet to the NAT64 (router). The NAT64 device takes the last 32 bits of the IPv6 address and converts them to a 32-bit IPv4 address (C0 00 02 01 = 192.0.2.1), and the packet is sent on the IPv4 network to host N4.

The reverse path works similarly to NAT44: the NAT64 box maintains a state table, and translates and forwards the reply as an IPv6 packet to Host N6.

Create an IPv4 Island on your IPv6-only network

What if you want to manage an IPv4-only device from your IPv6-only network?

Using a small OpenWrt router, it is possible to create a small dual-stack island network.

Island Network

OpenWrt 19.07.x supports jool, a really useful v4<-->v6 translation tool. Using OpenWrt defaults, it will automatically extend your IPv6 network using DHCPv6-PD, assigning a prefix, and by default DHCPv4 will also be enabled on the br-lan ports. But IPv4 won't be able to go anywhere, for now.

Install Jool on OpenWrt IPv4 island router

Use the web GUI or CLI to install jool

opkg update
opkg install kmod-jool jool-tools

Using your own IPv6 address plan, add the following to /etc/rc.local above the last line. If br-lan already has a delegated prefix, then I recommend using that prefix and adding another quibble of 4444 to make it easily recognized as an IPv4 network. The version of jool is newer in OpenWrt 21.02.x, and therefore the syntax is a little different.

For OpenWrt 19.07.x

# jool rev nat64 conf
modprobe jool
jool -6 2001:db8:8011:fda4:4444::/96 --force

For OpenWrt 21.02.x

# jool rev nat64 conf
modprobe jool
jool instance add "default" --netfilter --pool6 2001:db8:8011:fda4:4444::/96 --force
# display instance created
jool instance display

After editing /etc/rc.local, reboot the router, or just run rc.local:

sh /etc/rc.local

Access an IPv4-only host on the Island Network

Now any IPv4-only device is accessible from your IPv6-only network. Let's start with ping. For a device with the IPv4 address 192.168.38.109, I just prepend the prefix that was placed in rc.local.

From my IPv6-only network:

$ ping 2001:db8:8011:fda4:4444::192.168.38.109
PING 2001:db8:8011:fda4:4444::192.168.38.109(2001:db8:8011:fda4:4444:0:c0a8:266d) 56 data bytes
64 bytes from 2001:db8:8011:fda4:4444:0:c0a8:266d: icmp_seq=1 ttl=63 time=3.04 ms
64 bytes from 2001:db8:8011:fda4:4444:0:c0a8:266d: icmp_seq=2 ttl=63 time=10.3 ms
64 bytes from 2001:db8:8011:fda4:4444:0:c0a8:266d: icmp_seq=3 ttl=63 time=10.5 ms
^C
--- 2001:db8:8011:fda4:4444::192.168.38.109 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 3.044/7.926/10.463/3.454 ms

Note that ping will convert the odd looking IPv6 address (with a dotted decimal last 32 bits) to a more common hexadecimal IPv6 address.
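The address arithmetic behind the NAT64 section and the ping above, as an added example (my code, not the author's or jool's): synthesize() does what DNS64 does, extract() does what the NAT64 does with the last 32 bits, and u_bits_clear() is the RFC 6052 check that the page's 4444 prefix does not pass. The function names are mine; the prefixes and addresses are the ones on the page.

```python
import ipaddress

# NAT64 /96 prefixes from the page: the Well Known Prefix (RFC 6052) and the
# author's island prefix (inside the 2001:db8::/32 documentation range).
WKP = ipaddress.IPv6Network("64:ff9b::/96")
ISLAND = ipaddress.IPv6Network("2001:db8:8011:fda4:4444::/96")


def synthesize(prefix, v4):
    """DNS64's job: place the IPv4 address in the low 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def extract(prefix, v6):
    """NAT64's job on the way out: the IPv4 destination is the low 32 bits.
    Accepts the mixed notation typed on the page (prefix::192.168.38.109) as well as
    the hex form ping prints, and refuses addresses that are not inside the prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def dotted_form(prefix, v4):
    """The human-friendly spelling used on the page: prefix followed by dotted decimal."""
    return f"{prefix.network_address.compressed.rstrip(':')}::{v4}"


def u_bits_clear(prefix):
    """RFC 6052 reserves bits 64-71 (the "u" octet) and requires them to be zero.
    The page's 4444 prefix has 0x44 there, which is why its jool commands pass --force
    (jool rejects such a prefix otherwise)."""
    return (int(prefix.network_address) >> 56) & 0xFF == 0
```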

Doing more than Ping

OpenWrt's default firewall already forwards pings, but if you want to do more, you will need to open some ports on the firewall. The web GUI works well, or you can add the following to /etc/config/firewall, which will forward ports 22 (ssh) and 80 (web) from the wan side to the br-lan. As written, the rule accepts connections from anything on the IPv6 side to every host on the island; if only one device needs to be managed, narrow it with option dest_ip.

config rule
    option dest_port '22 80'
    option src 'wan'
    option name 'ext_mgmt_fwd'
    option family 'ipv6'
    option target 'ACCEPT'
    option dest 'lan'
    list proto 'tcp'

Accessing the Internet from the Island Network

Unfortunately, the version of Jool is too old (on OpenWrt 19.07.x) to implement CLAT (Customer-side Translator), which provides a method to move IPv4 across an IPv6-only network.

Imagine you have an IPv4-only IoT device which also has local management. As we saw, we can access that device from our IPv6-only network. But the IoT device may get software updates from the internet. For that, the island network router must also implement CLAT.

Background 464XLAT

A method to move IPv4 across an IPv6-only network is called 464XLAT: take IPv4, move it across the IPv6-only network, and then put it back on the IPv4 Internet. This allows poorly written or legacy applications, which have IPv4 literals embedded in them, to access the Internet across an IPv6-only network.

464XLAT has two parts:

1. CLAT - the client side, which takes an IPv4 packet and translates it into IPv6 to cross the IPv6-only network
2. PLAT - the provider side (or Internet side), which receives the special IPv6 packet and puts the datagram back into an IPv4 packet for transport onto the IPv4 Internet

Island Network

Together the two parts are known as 464XLAT.

Fortunately, our NAT64 server can also serve the function of PLAT. So that part is done.
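The two 464XLAT stages as an added walk-through (example code, not from the page, jool or the 464xlat package): a TCP flow from the island host 192.168.38.109 to 1.1.1.1 goes out through the stateless CLAT and the stateful PLAT (our NAT64) and the reply comes back the same way. The CLAT source prefix 2001:db8:8011:fda4:4646::/96 and the PLAT's public address 198.51.100.7 are assumptions; the NAT64 prefix is the Well Known Prefix the page uses.

```python
import ipaddress
from dataclasses import dataclass

# The PLAT prefix is the Well Known Prefix used on the page. The CLAT source prefix
# and the PLAT's public IPv4 address are assumptions, not values from the page.
PLAT_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
CLAT_PREFIX = ipaddress.IPv6Network("2001:db8:8011:fda4:4646::/96")
PLAT_PUBLIC_V4 = "198.51.100.7"

@dataclass(frozen=True)
class Flow:              # the addressing of one packet; TCP/UDP ports, so not ICMP
    src: str
    sport: int
    dst: str
    dport: int

def embed(prefix, v4):   # RFC 6052 /96 embedding: the IPv4 address becomes the low 32 bits
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4))))

def unembed(v6):         # the inverse: take the low 32 bits back out
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(v6)) & 0xFFFFFFFF))

def clat_out(f):
    """CLAT on the island router, outbound: stateless, both addresses get a /96 prefix."""
    return Flow(embed(CLAT_PREFIX, f.src), f.sport, embed(PLAT_PREFIX, f.dst), f.dport)

def clat_in(f):
    """CLAT, reply path: strip both prefixes; no table lookup because the CLAT is stateless."""
    if ipaddress.IPv6Address(f.dst) not in CLAT_PREFIX:
        raise ValueError("not addressed to an island host: " + f.dst)
    return Flow(unembed(f.src), f.sport, unembed(f.dst), f.dport)

class Plat:
    """PLAT = the stateful NAT64: many IPv6 sources share one public IPv4, so it keeps a table."""
    def __init__(self):
        self.table = {}         # public port -> (IPv6 source, source port)
        self.next_port = 40000
    def out(self, f):
        if ipaddress.IPv6Address(f.dst) not in PLAT_PREFIX:
            raise ValueError("not NAT64-bound: " + f.dst)   # native IPv6 traffic is not ours
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (f.src, f.sport)
        return Flow(PLAT_PUBLIC_V4, port, unembed(f.dst), f.dport)

    def inbound(self, f):
        if f.dst != PLAT_PUBLIC_V4 or f.dport not in self.table:
            return None                                       # no state: unsolicited IPv4 is dropped
        src6, sport = self.table[f.dport]
        return Flow(embed(PLAT_PREFIX, f.src), f.sport, src6, sport)
```

Following one flow through clat_out, Plat.out, Plat.inbound and clat_in answers the "relationship between the v4 and v6 addresses" question in the hands-on section: the CLAT side is pure arithmetic, the PLAT side needs state.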

Implementing CLAT on OpenWrt for the Island Network

Fortunately, CLAT for OpenWrt has been around for several years via another OpenWrt package, 464xlat. Install the package on your island router* like any other software:

opkg install 464xlat

After the install is complete, reboot the router, which will create a WAN6_4 interface.

If you are using the Well Known Prefix (WKP) for NAT64 (64:ff9b::/96, RFC 6052), then you are done! CLAT is configured, and up and running.

To prove that the IPv4 Internet is accessible from your IPv4 island network, ssh to a device on the island network, and start a ping to Cloudflare's server, 1.1.1.1:

Iot$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=57 time=31.117 ms
64 bytes from 1.1.1.1: seq=1 ttl=57 time=31.959 ms
64 bytes from 1.1.1.1: seq=2 ttl=57 time=31.608 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 31.117/31.561/31.959 ms

1. Hands On - Examining 464XLAT at work: ping cra.ca

Download the following packet captures, and open them in Wireshark. Each packet capture consists of 3 packets on the LAN and, after network translation, 3 packets on the WAN.

* IPv4-only Net
* IPv6-only Net
* v4 access from IPv6-only

NOTE: each PCAP file is in two parts: the first set of packets is the input to the NAT device, and the second set of packets (in the same PCAP file) is the output of the NAT device.

Discuss the following:

* In IPv4-only, what are the source and destination addresses?
* In IPv6-only, what are the source and destination addresses?
* What is the relationship between the v4 and v6-only source and destination addresses?
* Why can't the NAT64 also map IPv4 packets to IPv6, and out to the Internet? What is needed for this function?

Supporting Legacy devices is easy

Create an IPv4 Island Network

Most IPv4-only devices are not high bandwidth, which means a small OpenWrt router such as the GL-iNET Mango can do the job.

Leveraging your existing IPv6-only network, and the NAT64/DNS64 services you already have, means you are already halfway to supporting 464XLAT. Creating legacy island networks which can be managed from your IPv6-only network removes the last hurdle to moving to IPv6-only everywhere.

By using existing software, jool and 464xlat, on OpenWrt, it is easy to create IPv4-only islands to support legacy devices in your IPv6-only network!


* The new version of OpenWrt, 21.02, will be out in a couple of months, and the newer version of jool will handle both the IPv6->IPv4 access, and CLAT functionality. The package 464xlat will no longer be needed.


12 March 2021
Updated 19 April 2021 for NetSIG
Updated 30 December 2021 - added jool commands for OpenWrt 21.02.x