    Junos OS CGNAT Implementation Overview

    The Junos OS enables its users to implement and scale their CGNAT (Carrier-Grade Network Address Translation) solutions based on the type of services interfaces used for the implementation.

    Network Address Translation Overview for MS-DPC, MS-MPC, and MS-MIC Line Cards

    Types of NAT

    The types of Network Address Translation (NAT) supported by the Junos OS are described in the following sections:

    NAT Concept and Facilities Overview

    NAT is a mechanism for translating IP addresses. NAT provides the technology used to support a wide range of networking goals, including:

    • Concealing a set of host addresses on a private network behind a pool of public addresses.
    • Providing a security measure to protect the host addresses from direct targeting in network attacks.
    • Providing a tool set for coping with IPv4 address depletion and IPv6 transition issues.

    The Junos OS provides carrier-grade NAT (CGN) for IPv4 and IPv6 networks, and facilitates the transit of traffic between different types of networks.

    Note: The Junos OS supports a diverse set of NAT translation options. Not all types of NAT are supported on all interface types.

    • Static-source translation—Allows you to hide a private network. It features a one-to-one mapping between the original address and the translated address; the mapping is configured statically.
    • Dynamic-source translation—Includes two options: dynamic address-only source translation and Network Address Port Translation (NAPT):
      • Dynamic address-only source translation—A NAT address is picked up dynamically from a source NAT pool and the mapping from the original source address to the translated address is maintained as long as there is at least one active flow that uses this mapping. For more information, see Dynamic NAT.
      • NAPT—Both the original source address and the source port are translated. The translated address and port are picked up from the corresponding NAT pool. For more information, see NAPT.
    • Static destination translation—Allows you to make selected private servers accessible. It features a one-to-one mapping between the translated address and the destination address; the mapping is configured statically.
    • Protocol translation—Allows you to assign addresses from a pool on a static or dynamic basis as sessions are initiated across IPv4 or IPv6 boundaries.
    • Encapsulation of IPv4 packets into IPv6 packets using softwires—Enables packets to travel over softwires to a carrier-grade NAT endpoint where they undergo source-NAT processing to hide the original source address.

    The Junos OS supports NAT functionality described in IETF RFCs and Internet drafts, as shown in “Supported NAT and SIP Standards” in Standard supported in Junos 13.2 PDF Document.

    IPv4-to-IPv4 Basic NAT

    Basic Network Address Translation or Basic NAT is a method by which IP addresses are mapped from one group to another, transparent to end users. Network Address Port Translation or NAPT is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. Together, these two operations, referred to as traditional NAT, provide a mechanism to connect a realm with private addresses to an external realm with globally unique registered addresses.

    Traditional NAT, specified in RFC 3022, Traditional IP Network Address Translator, is fully supported by the Junos OS. In addition, NAPT is supported for source addresses.

    Basic NAT

    With Basic NAT, a block of external addresses is set aside for translating addresses of hosts in a private domain as they originate sessions to the external domain. For packets outbound from the private network, Basic NAT translates source IP addresses and related fields such as IP, TCP, UDP, and ICMP header checksums. For inbound packets, Basic NAT translates the destination IP address and the checksums listed above.

    NAPT

    Use NAPT to enable the components of the private network to share a single external address. NAPT translates the transport identifier (for example, TCP port number, UDP port number, or ICMP query ID) of the private network into a single external address. NAPT can be combined with Basic NAT to use a pool of external addresses in conjunction with port translation.

    For packets outbound from the private network, NAPT translates the source IP address, source transport identifier (TCP/UDP port or ICMP query ID), and related fields, such as IP, TCP, UDP, and ICMP header checksums. For inbound packets, NAPT translates the destination IP address, the destination transport identifier, and the IP and transport header checksums.

    Static Destination NAT

    Use static destination NAT to translate the destination address for external traffic to an address specified in a destination pool. The destination pool contains one address and no port configuration.

    For more information about static destination NAT, see RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.

    Twice NAT

    In Twice NAT, both the source and destination addresses are subject to translation as packets traverse the NAT router. The source information to be translated can be either address only or address and port. For example, you would use Twice NAT when you are connecting two networks in which all or some addresses in one network overlap with addresses in another network (whether the network is private or public). In traditional NAT, only one of the addresses is translated.

    To configure Twice NAT, you must specify both a destination address and a source address for the match direction, pool or prefix, and translation type.

    You can configure application-level gateways (ALGs) for ICMP and traceroute under stateful firewall, NAT, or class-of-service (CoS) rules when Twice NAT is configured in the same service set. These ALGs cannot be applied to flows created by the Packet Gateway Control Protocol (PGCP). Twice NAT does not support other ALGs. By default, the Twice NAT feature can affect IP, TCP, and UDP headers embedded in the payload of ICMP error messages.

    Twice NAT, specified in RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations, is fully supported by the Junos OS.
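    The Basic NAT, NAPT, static destination NAT and Twice NAT behaviour described in the sections above, modelled in Python as an added example (this is not Junos OS code): a source-only rewrite is Basic NAT, a destination-only rewrite is destination NAT, both together is the address-only Twice NAT case, and the Napt class adds the port mapping and drops inbound packets that match no existing mapping. All addresses and ports are constructed sample values.

```python
"""Traditional NAT (RFC 3022) model: Basic NAT / NAPT / Twice NAT address rewrite with the
IPv4 header checksum fixed up. Added example, not Junos OS code; all values are constructed."""
import struct
from ipaddress import IPv4Address


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; yields 0 for a header whose checksum is already correct."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 17) -> bytes:
    """Constructed 20-byte IPv4 header (no options) carrying a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def rewrite_ipv4(hdr: bytes, src: str = None, dst: str = None) -> bytes:
    """Rewrite source and/or destination address and recompute the header checksum.
    Source only: Basic NAT outbound. Destination only: destination NAT. Both: Twice NAT."""
    s = IPv4Address(src).packed if src else hdr[12:16]
    d = IPv4Address(dst).packed if dst else hdr[16:20]
    body = hdr[:10] + b"\x00\x00" + s + d  # zero the checksum field before summing
    return body[:10] + struct.pack("!H", ipv4_checksum(body)) + body[12:]


class Napt:
    """NAPT: many private (address, port) pairs share one external address."""

    def __init__(self, external: str, first_port: int = 1024):
        self.external, self.next_port = external, first_port
        self.out = {}   # (private_ip, private_port) -> external_port
        self.back = {}  # external_port -> (private_ip, private_port)

    def outbound(self, hdr: bytes, sport: int):
        """Private -> external: allocate (or reuse) an external port and rewrite the source address."""
        key = (str(IPv4Address(hdr[12:16])), sport)
        if key not in self.out:
            self.out[key], self.back[self.next_port] = self.next_port, key
            self.next_port += 1
        return rewrite_ipv4(hdr, src=self.external), self.out[key]

    def inbound(self, hdr: bytes, dport: int):
        """External -> private: only traffic to an existing mapping is translated; the rest is dropped (None)."""
        if dport not in self.back:
            return None
        priv_ip, priv_port = self.back[dport]
        return rewrite_ipv4(hdr, dst=priv_ip), priv_port
```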

    IPv6 NAT

    IPv6-to-IPv6 NAT (NAT66), defined in Internet draft draft-mrw-behave-nat66-01, IPv6-to-IPv6 Network Address Translation (NAT66), is fully supported by the Junos OS.

    Application-level gateway (ALG) Support

    The Junos OS supports a number of ALGs. You can use NAT rules to filter incoming traffic based on ALGs. For more information, see Network Address Translation Rules Overview.

    NAT-PT with DNS ALG

    NAT-PT and Domain Name System (DNS) ALG are used to facilitate communication between IPv6 hosts and IPv4 hosts. Using a pool of IPv4 addresses, NAT-PT assigns addresses from that pool to IPv6 nodes on a dynamic basis as sessions are initiated across IPv4 or IPv6 boundaries. Inbound and outbound sessions must traverse the same NAT-PT router so that it can track those sessions. RFC 2766, Network Address Translation - Protocol Translation (NAT-PT), recommends the use of NAT-PT for translation between IPv6-only nodes and IPv4-only nodes, and not for IPv6-to-IPv6 translation between IPv6 nodes or IPv4-to-IPv4 translation between IPv4 nodes.

    DNS is a distributed hierarchical naming system for computers, services, or any resource connected to the Internet or a private network. The DNS ALG is an application-specific agent that allows an IPv6 node to communicate with an IPv4 node and vice versa.

    When DNS ALG is employed with NAT-PT, the DNS ALG translates IPv6 addresses in DNS queries and responses to the corresponding IPv4 addresses and vice versa. IPv4 name-to-address mappings are held in the DNS with “A” queries. IPv6 name-to-address mappings are held in the DNS with “AAAA” queries.

    Note: For IPv6 DNS queries, use the do-not-translate-AAAA-query-to-A-query statement at the [edit applications application application-name] hierarchy level.

    Dynamic NAT

    Dynamic NAT flow is shown in Figure 1.

    Figure 1: Dynamic NAT Flow

    With dynamic NAT, you can map a private IP address (source) to a public IP address drawing from a pool of registered (public) IP addresses. NAT addresses from the pool are assigned dynamically. Assigning addresses dynamically also allows a few public IP addresses to be used by several private hosts, in contrast with an equal-sized pool required by source static NAT.

    For more information about dynamic address translation, see RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.

    Stateful NAT64

    Stateful NAT64 flow is shown in Figure 2.

    Figure 2: Stateful NAT64 Flow

    Stateful NAT64 is a mechanism to move to an IPv6 network and at the same time deal with IPv4 address depletion. By allowing IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP, several IPv6-only clients can share the same public IPv4 server address. To allow sharing of the IPv4 server address, NAT64 translates incoming IPv6 packets into IPv4 (and vice versa).

    When stateful NAT64 is used in conjunction with DNS64, no changes are usually required in the IPv6 client or the IPv4 server. DNS64 is out of scope of this document because it is normally implemented as an enhancement to currently deployed DNS servers.

    Stateful NAT64, specified in RFC 6146, Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers, is fully supported by the Junos OS.
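    The stateful NAT64 exchange described above, as an added Python example (not Junos OS code): an IPv6-only client addresses the IPv4 server through an IPv6 address that embeds the server's IPv4 address (the form DNS64 returns), the translator keeps per-flow state so several clients share one IPv4 address, and IPv4 traffic that matches no state is dropped. It assumes the RFC 6052 well-known prefix 64:ff9b::/96, which this page does not name; all addresses and ports are constructed.

```python
"""Stateful NAT64 model: IPv6-only clients reach IPv4 servers through one shared IPv4 address.
Added example, not Junos OS code. Assumes the RFC 6052 well-known prefix; values are constructed."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

NAT64_PREFIX = IPv6Network("64:ff9b::/96")  # assumption: RFC 6052 well-known prefix, not stated on the page


def synthesize(v4: str, prefix: IPv6Network = NAT64_PREFIX) -> str:
    """Embed an IPv4 address in the /96 prefix, as DNS64 does when building an AAAA answer from an A record."""
    return str(IPv6Address(int(prefix.network_address) | int(IPv4Address(v4))))


def extract(v6: str, prefix: IPv6Network = NAT64_PREFIX):
    """Recover the IPv4 address embedded in a prefix address; None if v6 is not a NAT64 destination."""
    addr = IPv6Address(v6)
    return str(IPv4Address(int(addr) & 0xFFFFFFFF)) if addr in prefix else None


class StatefulNat64:
    """Per-flow state: (client IPv6, client port) <-> port on the shared IPv4 address."""

    def __init__(self, shared_v4: str, first_port: int = 1024):
        self.shared_v4, self.next_port = shared_v4, first_port
        self.out = {}   # (client_v6, client_port) -> translated_port
        self.back = {}  # translated_port -> (client_v6, client_port)

    def v6_to_v4(self, src6: str, sport: int, dst6: str, dport: int):
        """IPv6 client -> IPv4 server. Returns (src4, sport4, dst4, dport), or None if not a NAT64 flow."""
        dst4 = extract(dst6)
        if dst4 is None:
            return None  # native IPv6 destination: nothing to translate
        key = (str(IPv6Address(src6)), sport)
        if key not in self.out:
            self.out[key], self.back[self.next_port] = self.next_port, key
            self.next_port += 1
        return self.shared_v4, self.out[key], dst4, dport

    def v4_to_v6(self, src4: str, sport: int, dport4: int):
        """IPv4 server -> IPv6 client. Only replies to existing state are translated; the rest is dropped."""
        if dport4 not in self.back:
            return None
        client6, client_port = self.back[dport4]
        return synthesize(src4), sport, client6, client_port
```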

    Inline Network Address Translation Overview for MPC Types 1, 2, and 3

    Inline network address translation (NAT) uses the capabilities of the Modular Port Concentrator (MPC) line card, eliminating the need for a MultiServices Dense Port Concentrator (MS-DPC) for NAT. Consequently, you can achieve line-rate, low-latency address translations (up to 120 Gbps per slot). The current implementation provides:

    • 1:1 static address mapping
    • Bidirectional mapping - source NAT for outbound traffic and destination NAT for inbound traffic
    • No limit on number of flows
    • Support for source, destination, and twice NAT, as shown in Figure 3

      Note: Inline NAT generally supports only the basic-nat44 translation type, and implements destination NAT and twice NAT by applying NAT at the egress interface or back-to-back, as shown in the following figure.

    Figure 3: Supported Inline NAT Types

    To configure inline NAT, you define your service interface as an si- (service-inline) interface. You must also reserve adequate bandwidth for the inline interface. This enables you to configure either interface or next-hop service sets for NAT. The si- interface serves as a “virtual service PIC”.

    Note: Only static source NAT is supported. Port translation and dynamic NAT are not supported. An MS-DPC or MS-PIC is still needed for any stateful firewall processing.

    CGNAT Implementations Feature Comparison for Junos Address Aware by Type of Interface Card

    Table 1 summarizes feature differences between the Junos OS carrier-grade NAT implementations.

    Table 1: CGNAT Implementation—Feature Comparison by Platform

    | Feature | MS-DPC (MS-100, MS-400, MS-500) | MS-MPC, MS-MIC | MPC Types 1, 2, 3 (Inline NAT) |
    |---------|---------------------------------|----------------|--------------------------------|
    | Static Source NAT | yes | yes | yes |
    | Dynamic Source NAT - Address Only | yes | yes | no |
    | Dynamic Source NAT - NAPT Port Translation with Secured Port Block Allocation | yes | yes | no |
    | Dynamic Source NAT - NAPT Port Translation with Deterministic Port Block Allocation | yes | yes | no |
    | Static Destination NAT | yes | yes | yes (see Note 1) |
    | Twice NAT | yes | no | yes (see Note 2) |
    | NAPT - Preserve Parity and Port | yes | no | no |
    | NAPT - EIM/EIF/APP | yes | yes | no |
    | NAT64 | yes | yes | no |
    | NAT64 with APP/EIM/EIF | no | yes | no |
    | DS-Lite | yes | no | no |
    | 6rd | yes | no | no |
    | Overload Pool/Overlap Address Across NAT Pool | yes | no | no |
    | Port Control Protocol | yes | no | no |
    | CGN-PIC | yes | no | no |
    | AMS Support | no | yes | no |

    Note 1: Destination NAT can be implemented indirectly. See Inline Network Address Translation Overview for MPC Types 1, 2, and 3.

    Note 2: Twice NAT can be implemented indirectly. See Inline Network Address Translation Overview for MPC Types 1, 2, and 3.

    Table 2 summarizes availability of translation types by type of interface card.

    Table 2: CGNAT Translation Types

    | Translation Type | MS-DPC (MS-100, MS-400, MS-500) | MS-MPC, MS-MIC | MPC Types 1, 2, 3 (Inline NAT) |
    |------------------|---------------------------------|----------------|--------------------------------|
    | basic-nat44 | yes | yes | yes |
    | basic-nat66 | yes | no | no |
    | basic-nat-pt | yes | no | no |
    | deterministic-napt44 | yes | no | no |
    | dnat-44 | yes | yes | no |
    | dynamic-nat44 | yes | yes | no |
    | napt-44 | yes | yes | no |
    | napt-66 | yes | no | no |
    | napt-pt | yes | no | no |
    | stateful-nat64 | yes | yes | no |
    | twice-basic-nat-44 | yes | no | no |
    | twice-dynamic-nat-44 | yes | no | no |
    | twice-dynamic-napt-44 | yes | no | no |

    ALGs Available by Default for Junos OS Address Aware NAT

    The application-level gateways (ALGs) listed in Table 3 are supported for NAT processing on the listed platforms.

    To view the implementation details (port, protocol, and so on) for these Junos OS default applications, locate the Junos OS Default ALG Name in the table and then look up that name in the junos-defaults groups. For example, for details about TFTP, look up junos-tftp as shown.

    Tip: The Junos OS provides the junos-alg, which enables other ALGs to function by handling ALG registrations, causing slow path packets to flow through registered ALGs, and transferring ALG events to the ALG plug-ins. The junos-alg ALG is automatically available on the MS-MPC and MS-MIC platforms and does not require further configuration.

    user@host# show groups junos-defaults applications application junos-tftp
    application-protocol tftp;
    protocol udp;
    destination-port 69;

    Table 3: ALGs Available by Default

    | ALG | MS-DPC | MS-MPC, MS-MIC | Junos OS Default ALG Name |
    |-----|--------|----------------|---------------------------|
    | Basic TCP ALG | yes | yes | Note: Specific Junos ALGs are not supported. However, a feature called TCP tracker, available by default, performs segment ordering, retransmit and connection tracking, and validations for TCP connections. |
    | Basic UDP ALG | yes | yes | Note: TCP tracker performs limited integrity and validation checks for UDP. |
    | BOOTP | yes | no | junos-bootpc, junos-bootps |
    | DCE RPC Services | yes | yes | junos-dce-rpc-portmap, junos-dcerpc-endpoint-mapper-service, junos-dcerpc-msexchange-directory-nsp, junos-dcerpc-msexchange-directory-rfr, junos-dcerpc-msexchange-information-store |
    | DNS | yes | yes | junos-dns-tcp, junos-dns-udp |
    | FTP | yes | yes | junos-ftp |
    | H323 | yes | no | junos-h323 |
    | ICMP | yes | yes | junos-icmp-all, junos-icmp-ping. Note: ICMP messages are handled by default, but PING ALG support is not provided. |
    | IIOP | yes | no | junos-iiop-java, junos-iiop-orbix |
    | IP | yes | | junos-ip. Note: The TCP tracker, available by default on these platforms, performs limited integrity and validation checks. |
    | NETBIOS | yes | no | junos-netbios-datagram, junos-netbios-name-tcp, junos-netbios-name-udp, junos-netbios-session |
    | NETSHOW | yes | no | junos-netshow |
    | PPTP | yes | yes | junos-pptp |
    | REALAUDIO | yes | no | junos-realaudio |
    | Sun RPC and RPC Port Map Services | yes | yes | junos-rpc-portmap-tcp, junos-rpc-portmap-udp |
    | RTSP | yes | yes | junos-rtsp |
    | SIP | yes | yes | junos-sip |
    | SNMP | yes | no | junos-snmp-get, junos-snmp-get-next, junos-snmp-response, junos-snmp-trap |
    | SQLNET | yes | yes | junos-sqlnet |
    | TFTP | yes | yes | junos-tftp |
    | Traceroute | yes | no | junos-traceroute |
    | Unix Remote Shell Service | yes | yes | junos-rsh |
    | WINFrame | yes | no | junos-citrix-winframe, junos-citrix-winframe-udp |
    | TALK-UDP | no | yes | junos-talk-udp |
    | MS RPC | no | yes | junos-rpc-portmap-tcp, junos-rpc-portmap-udp, junos-rpc-services-tcp, junos-rpc-services-udp |

    Modified: 2015-08-26