-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: Differing IPv4 pools based on clients IPv6 source address #115
Comments
I think one particularly nice way to implement this is to let IPTables do the matching part, and then communicate the selected IPv4 pool to Jool by marking packets. So in order to implement what I described in my original message, something like this would be required:
While matching on layer 3 addresses probably isn't too difficult to do inside Jool either, IPTables can match on a ton of different things, so by outsourcing the matching to IPTables you gain a lot of flexibility for free. |
Say I'm interested in not polluting the mark, because it's an all-purpose field the operator might want to use for something else. A long time ago, somebody asked me to correlate pool4 addresses and pool6 prefixes. As in... "If IPv6 client writes towards prefix X, then use pool4 address x. If IPv6 client writes towards prefix Y, then use pool4 address y." If Jool did this, would this also solve your problem? You'd iptables/block messages from A going to one prefix, and messages from B going to the other prefix. Currently, having multiple prefixes doesn't have much of a point as far as I can tell. |
Hmm. I don't like that solution much, because it causes significant operational overhead. It would mean that the two IPv6 clients must be provisioned with a different set of DNS64 servers (one with prefix X and one with prefix Y). Standard/common firewall/ACL entries (for example "allow clients to query Google Public DNS") must be duplicated (one rule for X::8.8.8.8 and one for Y::8.8.8.8), and so on. What I'd really like to be able to do is to select the source IPv4 address/prefix/pool entry based on the clients IPv6 source address/prefix, and somehow ascertain that that IPv6 source address/prefix has exclusive usage of that particular source IPv4 address/prefix/pool. That said, your suggestion would of course solve the problem as it is really the equivalent of setting up two independent NAT64 instances in the network. But then again, nothing is stopping me from doing that today (except for the operational overhead). |
Related: https://tools.ietf.org/html/rfc7422 Because I'm working on adding port ranges to pool4 anyway, it looks like it will be simple to address this issue (as proposed, using the mark) in milestone 3.4.0. This way I can avoid some duplicate work, I think. Tentatively moving to milestone 3.4.0. |
…ow 61001), found a bug in the implementation of #115.
One piece of customer feedback I've gotten from running a NAT64 in a data centre environment, is that it is desired to select differing IPv4 source addresses based on the client's IPv6 source address. This is to facilitate the use of IPv4-based ACLs in front of external services on the Internet. For example, if I have a client A using
2001:db8:a::/64
and B using2001:db8:b::/64
(and so on for client C, D, ...), A might want to tell some external IPv4-only service to allow access from IPv4 source address192.0.2.1
. However, at the same time they do not want B (or any others) to gain access to the external IPv4-only service address. So if I could express this using iptables-ish syntax, what I would like to accomplish is something like this:So customer A would have exclusive use of
192.0.2.1
while all other NAT64 users would be mapped to another address (192.0.2.2
). That way, A can feel free to ask external services to allow access from192.0.2.1
, and be certain that doing so does not give third parties access as well.I hope that explanation made sense...
I don't believe I can accomplish this with Jool, at least I could not figure out how. So there's a feature request you might want to consider, if I'm lucky. :-)
The text was updated successfully, but these errors were encountered: