Hi all,

I had someone ask me where I got to with this, so thought I would reply on here 
for everyone's benefit.

There are some nice technologies around to support IPv6-only to the CPE... 
however they all rely heavily on the CPE supporting that technology. OK, that's 
not quite true - but if customers have any IPv4-only devices, then it becomes 
true. If we choose one technology that works with one product, it could lock us 
and our customers in to only using devices from that manufacturer, or in some 
cases even a specific model. I'm hesitant to make that commitment. As an ISP 
customer, I know I would be annoyed if I was locked in to particular CPEs and 
their potentially limited feature sets. 

At this point I'm leaning towards NAT444/CGNAT simply because it should work 
with every router out there. The fact that we can get it working without 
needing any additional hardware is also a big tick. But I'm only one member in 
a team, and this will be discussed broader within the team, so we'll see where 
we end up. Regardless, we'll be providing IPv6 to hopefully avoid some of the 
issues customers may have due to not having a public IPv4 address.

I'm still interested in hearing any suggestions others may have - we're still 
in the planning stages so we have some flexibility.

Thanks again to everyone who provided advice and suggestions.

Regards,
Philip Loenneker | Network Engineer | TasmaNet
40-50 Innovation Drive, Dowsing Point, Tas 7010, Australia
P: 1300 792 711
philip.loenne...@tasmanet.com.au
www.tasmanet.com.au

-----Original Message-----
From: AusNOG [mailto:ausnog-boun...@lists.ausnog.net] On Behalf Of Philip 
Loenneker
Sent: Tuesday, 17 April 2018 9:05 AM
To: ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Data retention compliant NAT64 or equivalent


Thanks Mark and everyone else that replied directly. I received a lot of useful 
information and suggestions.

I didn't articulate it very well, but my main concern is the data retention 
requirements. There are quite a few different technologies available to achieve 
what we need, some I prefer from a technical point of view, however not many of 
them would allow us to identify the pre-NAT and post-NAT IP/port details of a 
session to allow us to meet our DR obligations. I suspect that having a 
suitable audit trail on the connections will define the technology we end up 
going with more than anything else.

It looks like NAT444 (CGNAT) generally has more logging available than NAT64 
solutions, including collecting the data via Netflow for some vendors.

Regards,
Philip Loenneker | Network Engineer | TasmaNet
40-50 Innovation Drive, Dowsing Point, Tas 7010, Australia
P: 1300 792 711
philip.loenne...@tasmanet.com.au
www.tasmanet.com.au
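To make the audit-trail requirement in the message above concrete, here is an added example (not code from this thread or from any vendor): it parses a constructed, vendor-neutral NAT444 binding log that records the pre-NAT and post-NAT IP/port tuples with their lifetimes, and answers the question a retention request asks, namely which subscriber held a given public IP/port at a given time. It also shows what happens when the request omits the source port.

```python
"""Added example: answering a data-retention lookup from NAT444 binding logs.
The log format below is constructed for illustration, not any vendor's format."""
import re
from datetime import datetime, timezone

# Constructed log lines: one per NAT binding, carrying the pre-NAT (subscriber)
# and post-NAT (public) address:port plus the binding's lifetime in UTC.
SAMPLE_LOG = """\
NAT444 BIND proto=tcp pre=100.64.10.5:51234 post=203.0.113.7:40001 start=2018-04-17T09:00:01Z end=2018-04-17T09:05:30Z
NAT444 BIND proto=tcp pre=100.64.10.9:51234 post=203.0.113.7:40002 start=2018-04-17T09:02:11Z end=2018-04-17T09:03:00Z
NAT444 BIND proto=tcp pre=100.64.10.22:40000 post=203.0.113.7:40001 start=2018-04-17T09:06:00Z end=2018-04-17T09:20:00Z
NAT444 BIND proto=udp pre=100.64.10.5:5060 post=203.0.113.7:40001 start=2018-04-17T09:06:30Z end=2018-04-17T09:10:00Z
"""

LINE_RE = re.compile(
    r"NAT444 BIND proto=(?P<proto>\w+) pre=(?P<pre>[\d.]+):(?P<pre_port>\d+) "
    r"post=(?P<post>[\d.]+):(?P<post_port>\d+) start=(?P<start>\S+) end=(?P<end>\S+)")

def parse_ts(s):
    """All timestamps are kept in one zone (UTC); mixing zones between the NAT
    logs and a third-party report is a classic cause of mis-attribution."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    """Return (records, skipped). Unparsable lines are skipped but counted,
    because every skipped line is a gap in the retained audit trail."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            skipped += 1
            continue
        records.append({
            "proto": m["proto"], "pre_ip": m["pre"], "pre_port": int(m["pre_port"]),
            "post_ip": m["post"], "post_port": int(m["post_port"]),
            "start": parse_ts(m["start"]), "end": parse_ts(m["end"]),
        })
    return records, skipped

def lookup(records, public_ip, proto, at, public_port=None):
    """Subscriber (pre-NAT) IPs that held public_ip[:public_port]/proto at
    time `at`. With no port given, every subscriber sharing that address at
    that moment matches, which is why port-level retention is essential."""
    hits = set()
    for r in records:
        if r["post_ip"] != public_ip or r["proto"] != proto:
            continue
        if public_port is not None and r["post_port"] != public_port:
            continue
        if r["start"] <= at <= r["end"]:
            hits.add(r["pre_ip"])
    return hits
```

Logging port blocks per subscriber instead of individual bindings cuts the volume considerably, but the lookup logic stays the same: the retained record must still tie a public address, a port (range) and a time interval to one pre-NAT address.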

-----Original Message-----
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Monday, 16 April 2018 4:23 PM
To: Philip Loenneker <philip.loenne...@tasmanet.com.au>
Cc: ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Data retention compliant NAT64 or equivalent

Look at MAP-T (RFC 7599) and MAP-E (RFC 7597) if you wish to reduce the amount 
of logging you need to do.

They don’t require DNS64 so they don’t break DNSSEC.

MAP-T can be used with NAT64 if you have already deployed DNS64/NAT64.

Mark

> On 16 Apr 2018, at 3:21 pm, Philip Loenneker 
> <philip.loenn...@tasmanet.com.au> wrote:
>
> Hi all,
>
> Due to ever-decreasing IPv4, I’ve been investigating the possibility of 
> providing IPv6-only Internet connections for customers. There are 2 key 
> issues:
>       • Client devices that are IPv4-only
>       • Internet resources that are IPv4-only
>
> For the client-side issue, I’m following up with our CPE vendor to see if 
> 464XLAT or similar is available. I’ll be labbing it up in the near future, 
> but am hoping they can save me some time. Failing that, we may need to resort 
> to CGNAT, but I’m hoping to avoid it.
>
> For the Internet-side issue, I’m looking into options such as NAT64 (DNS64 is 
> available on our resolvers, just not enabled). Some common options I’ve found 
> include:
> Jool.mx - seems like a well-used option, last updated in January this year. 
> Doesn’t appear to have good logging for NAT translations, might be possible 
> with full debug logs but that is noisy.
> Tayga - looks like it hasn’t had an update since 2011, and may not support 
> current Linux kernel versions. Couldn’t find information on what logging is 
> available.
> Palo Alto PAN-OS - appears to have NAT64 functionality since 2013 and have 
> regular updates. Lots of logging available. Commercial product (not that that 
> is a show stopper).
> Wrapsix – claims to be one of the fastest implementations, last update around 
> 5 months ago. Only supports a single IPv4 address – I suspect that won’t 
> handle the load for us.
> Ecdysis – looks like it hasn’t had an update since 2014, however claims to be 
> included in OpenBSD 5.1+ core release.
> Various hardware, including Juniper, Cisco. I was disappointed to not find 
> anything on Cumulus or Open Network Linux.
>
> Most of the information related to implementing this kind of thing is 
> international, which means they don’t care about Australia-specific things 
> like Data Retention.
>
> I’m wondering if anyone out there has any tips on NAT64 or similar products 
> that do or do not allow you to collect the necessary information for Data 
> Retention. I appreciate any thoughts, on or off list.
>
> Regards,
> Philip Loenneker | Network Engineer | TasmaNet
> 40-50 Innovation Drive, Dowsing Point, Tas 7010, Australia
> P: 1300 792 711
> philip.loenne...@tasmanet.com.au
> www.tasmanet.com.au
>
> _______________________________________________
> AusNOG mailing list
> AusNOG@lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
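Mark's point that MAP reduces logging comes from its deterministic address/port mapping: the subscriber's share of a public IPv4 address is a fixed port set, so a retention lookup needs only the static assignment table, not per-session records. The added example below (not code from this thread or from any RFC implementation) implements the RFC 7597 Appendix B port-set algorithm and, going slightly beyond the post, the reverse lookup an ISP would run; the assignment table is constructed.

```python
"""Added example: MAP (RFC 7597 Appendix B) port-set arithmetic and the
reverse lookup it makes possible without per-flow logging."""

PORT_BITS = 16

def port_set(psid, psid_len, offset=6):
    """All ports owned by one PSID. With offset a, the lowest 2^(16-a) ports
    (0-1023 for a=6) are excluded; the rest is split into 2^a - 1 contiguous
    ranges per PSID, interleaved with every other PSID's ranges."""
    m_bits = PORT_BITS - offset - psid_len
    if m_bits < 0:
        raise ValueError("psid_len too large for this offset")
    ports = []
    for a in range(1, 1 << offset):  # A = 0 is the reserved range, never used
        base = (a << (PORT_BITS - offset)) | (psid << m_bits)
        ports.extend(range(base, base + (1 << m_bits)))
    return ports

def psid_of_port(port, psid_len, offset=6):
    """Inverse mapping: which PSID does a public port belong to? Returns None
    for the reserved range (A = 0) so it is never attributed to a subscriber."""
    if not 0 <= port < (1 << PORT_BITS):
        raise ValueError("port out of range")
    if port >> (PORT_BITS - offset) == 0:
        return None
    m_bits = PORT_BITS - offset - psid_len
    return (port >> m_bits) & ((1 << psid_len) - 1)

def subscriber_for(public_ip, port, psid_len, assignments, offset=6):
    """Attribute (public IPv4, port) to a subscriber using only the static
    assignment table: (shared IPv4, PSID) -> subscriber identifier."""
    psid = psid_of_port(port, psid_len, offset)
    if psid is None:
        return None
    return assignments.get((public_ip, psid))

# Constructed table: 16 subscribers (psid_len=4) share one public IPv4, each
# keyed by a hypothetical IPv6 delegated prefix as the subscriber identifier.
ASSIGNMENTS = {("203.0.113.7", p): f"2001:db8:{p:x}::/56" for p in range(16)}
```

With psid_len=4 and the default offset of 6, each subscriber gets 63 blocks of 64 ports (4032 in total), and the 16 port sets partition ports 1024-65535 exactly, so the retained record is one row per subscriber rather than one per session.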

