BSDCan2010 - Final Release

BSDCan 2010
The Technical BSD Conference

Jean-Philippe Dionne
Day: Talks - 1 - 2010-05-13
Room: DMS 1140
Start time: 14:30
Duration: 01:00
ID: 197
Event type: Lecture
Track: System Administration
Language used for presentation: English


Implementation in OpenBSD PF

The Ecdysis project's goal is to develop open-source implementations of an IPv4/IPv6 gateway that run on open-source operating systems such as the various BSD flavours and Linux. The gateway comprises two distinct modules: the DNS64 and the NAT64. The DNS64 module was developed by modifying two open-source DNS servers: BIND and Unbound. The NAT64 module was developed by modifying pf (the firewall and NAT code in the OpenBSD kernel, which is also used in other BSD variants) and Netfilter (the firewall and NAT code in the Linux kernel). As part of the development process, stand-alone implementations of DNS64 and NAT64 were developed for experimentation purposes. They have also been made available under open-source licenses in the hope that others will find them useful in their own experimentation endeavours. The project is funded by the NLnet Foundation and Viagénie.

IPv4 and IPv6 networks are “incompatible.” The IETF recommendation has usually been to rely on dual-stack deployment: have both networks coexist until IPv6 takes over IPv4. However, IPv6 growth has been much slower than anticipated. Therefore, new IPv6-only deployments face an interesting challenge, that of communicating with the predominantly IPv4-only rest of the world. A similar problem is encountered when legacy IPv4-only devices need to reach the IPv6 Internet. Translation between IPv4 and IPv6 is one framework engineered within the IETF as a solution to the problem of IPv6 transition.

This talk will focus on aspects of interest to the BSD community:
• An overview of the DNS64 and NAT64 protocols.
• An overview of the DNS64 implementations in BIND and Unbound.
• A detailed analysis of the kernel-space NAT64 implementation in pf.
• A discussion of operational and deployment issues, as well as lessons learned while running NAT64.