Junos Address Aware Network Addressing Overview
Junos Address Aware Network Addressing provides Network Address Translation (NAT) functionality for translating IP addresses. This is particularly important because the Internet Assigned Numbers Authority (IANA) allocated the last large block of IPv4 addresses in early 2011.
Benefits of NAT
NAT supports a wide range of networking goals, including:
Concealing a set of host addresses on a private network behind a pool of public addresses to protect the host addresses from direct targeting in network attacks and to avoid IPv4 address exhaustion
Providing the tools to transition to IPv6 based on business requirements and to ensure uninterrupted subscriber and service growth
Providing IPv4–IPv6 coexistence
NAT Concept and Facilities Overview
Junos Address Aware Network Addressing provides carrier-grade NAT (CGN) for IPv4 and IPv6 networks, and facilitates the transit of traffic between different types of networks.
Junos Address Aware Network Addressing supports a diverse set of NAT translation options:
Static-source translation—Allows you to hide a private network. It features a one-to-one mapping between the original address and the translated address; the mapping is configured statically. For more information, see Basic NAT.
Deterministic NAPT—Eliminates the need for address translation logging by ensuring that the original source IPv4 or IPv6 address and port always map to the same post-NAT IPv4 address and port range.
Dynamic-source translation—Includes two options: dynamic address-only source translation and Network Address Port Translation (NAPT):
Dynamic address-only source translation—A NAT address is picked up dynamically from a source NAT pool and the mapping from the original source address to the translated address is maintained as long as there is at least one active flow that uses this mapping. For more information, see Dynamic NAT.
NAPT—Both the original source address and the source port are translated. The translated address and port are picked up from the corresponding NAT pool. For more information, see NAPT.
Static destination translation—Allows you to make selected private servers accessible. It features a one-to-one mapping between the translated address and the destination address; the mapping is configured statically. For more information, see Static Destination NAT.
Protocol translation—Allows you to assign addresses from a pool on a static or dynamic basis as sessions are initiated across IPv4 or IPv6 boundaries. For more information, see Configuring NAT-PT, NAT-PT with DNS ALG, and Stateful NAT64.
Encapsulation of IPv4 packets into IPv6 packets using softwires—Enables packets to travel over softwires to a carrier-grade NAT endpoint where they undergo source-NAT processing to hide the original source address. For more information, see Tunneling Services for IPv4-to-IPv6 Transition Overview.
Not all types of NAT are supported on all interface types. See Carrier-Grade NAT Feature Comparison for Junos Address Aware by Type of Interface Card, which lists features available on supported interfaces.
IPv4-to-IPv4 Basic NAT
Basic Network Address Translation or Basic NAT is a method by which IP addresses are mapped from one group to another, transparent to end users. Network Address Port Translation or NAPT is a method by which many network addresses and their TCP/UDP ports are translated into a single network address and its TCP/UDP ports. Together, these two operations, referred to as traditional NAT, provide a mechanism to connect a realm with private addresses to an external realm with globally unique registered addresses.
Traditional NAT, specified in RFC 3022, Traditional IP Network Address Translator, is fully supported by Junos Address Aware Network Addressing. In addition, NAPT is supported for source addresses.
With Basic NAT, a block of external addresses is set aside for translating addresses of hosts in a private domain as they originate sessions to the external domain. For packets outbound from the private network, Basic NAT translates source IP addresses and related fields such as IP, TCP, UDP, and ICMP header checksums. For inbound packets, Basic NAT translates the destination IP address and the checksums listed above.
Hairpinning is supported for basic NAT.
Use NAPT to enable the components of the private network to share a single external address. NAPT translates the transport identifier (for example, TCP port number, UDP port number, or ICMP query ID) of the private network into a single external address. NAPT can be combined with Basic NAT to use a pool of external addresses in conjunction with port translation.
For packets outbound from the private network, NAPT translates the source IP address, source transport identifier (TCP/UDP port or ICMP query ID), and related fields, such as IP, TCP, UDP, and ICMP header checksums. For inbound packets, NAPT translates the destination IP address, the destination transport identifier, and the IP and transport header checksums.
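As an added illustration of the NAPT rewrite described above (not Junos code), the following Python constructs a sample IPv4/UDP datagram, replaces its source address and port, repairs the IPv4 header checksum and the UDP checksum incrementally as in RFC 1624, and then verifies both. The addresses, ports and payload are constructed sample values.

```python
import struct
# Added example (not Junos code): NAPT44 rewrite with RFC 1624 incremental checksum repair.

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (pads odd length)."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def incremental_checksum(old_csum: int, old_words: bytes, new_words: bytes) -> int:
    """HC' = ~(~HC + ~m + m') (RFC 1624 eq. 3), over all changed 16-bit words."""
    total = (~old_csum & 0xFFFF) + (~ones_sum(old_words) & 0xFFFF) + ones_sum(new_words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample IPv4 (no options) + UDP datagram with valid checksums."""
    udp_len = 8 + len(payload)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len,
                               0x1234, 0, 64, 17, 0, src, dst))
    ip[10:12] = struct.pack("!H", ~ones_sum(bytes(ip)) & 0xFFFF)
    udp = bytearray(struct.pack("!HHHH", sport, dport, udp_len, 0)) + payload
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 17, udp_len)  # UDP pseudo-header
    udp[6:8] = struct.pack("!H", ~ones_sum(pseudo + bytes(udp)) & 0xFFFF)
    return bytes(ip + udp)

def napt_translate(packet: bytes, new_src: bytes, new_sport: int) -> bytes:
    """Outbound NAPT: rewrite source IP and port, then fix both checksums in place."""
    ip, udp = bytearray(packet[:20]), bytearray(packet[20:])
    old_src, old_sport = bytes(ip[12:16]), bytes(udp[0:2])
    new_sport_b = struct.pack("!H", new_sport)
    ip[12:16] = new_src
    ip[10:12] = struct.pack("!H", incremental_checksum(
        struct.unpack("!H", ip[10:12])[0], old_src, new_src))
    udp[0:2] = new_sport_b
    # The UDP checksum covers a pseudo-header holding the source IP, so both changes feed it.
    udp[6:8] = struct.pack("!H", incremental_checksum(
        struct.unpack("!H", udp[6:8])[0], old_src + old_sport, new_src + new_sport_b))
    return bytes(ip + udp)

def checksums_ok(packet: bytes) -> bool:
    """True when the IPv4 header and UDP checksums both verify (sums fold to 0xFFFF)."""
    ip, udp = packet[:20], packet[20:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, 17, len(udp))
    return ones_sum(ip) == 0xFFFF and ones_sum(pseudo + udp) == 0xFFFF
```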
On MX Series routers with MS-MICs and MS-MPCs, if you configure a NAPT44 NAT rule and a spoofed packet arrives whose source IP address matches an address in the NAT pool but the NAT rule match condition fails, the packet is continuously looped between the services PIC and the Packet Forwarding Engine. We recommend that you manually clear the session and create a filter to block NAT pool IP spoofing under such conditions.
Hairpinning is supported for NAPT.
Use deterministic NAPT44 to ensure that the original source IPv4 address and port always map to the same post-NAT IPv4 address and port range, and that the reverse mapping of a given translated external IPv4 address and port always leads back to the same internal IP address. This eliminates the need for address translation logging. Starting in Junos OS Release 17.4R1, deterministic NAPT64 is supported on the MS-MPC and MS-MIC. Deterministic NAPT64 ensures that the original source IPv6 address and port always map to the same post-NAT IPv4 address and port range, and that the reverse mapping of a given translated external IPv4 address and port always leads back to the same internal IPv6 address.
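The deterministic mapping property, as an added illustration that is not Junos's own allocation algorithm: each internal address is indexed within its subnet and assigned a fixed external address and port block by arithmetic, so forward and reverse lookups need no per-session log. The subnet, pool and block size are constructed sample values.

```python
import ipaddress

# Added illustration, not Junos's own algorithm: a deterministic NAPT44 mapping.
# Every internal address gets a fixed external address and a fixed port block,
# computed arithmetically in both directions, so an (external address, port)
# pair from an abuse report identifies the subscriber without translation logs.

class DeterministicNapt:
    def __init__(self, internal: str, pool: str, block_size: int,
                 port_low: int = 1024, port_high: int = 65535):
        self.internal = ipaddress.ip_network(internal)
        self.pool = ipaddress.ip_network(pool)
        self.block_size, self.port_low = block_size, port_low
        self.blocks_per_addr = (port_high - port_low + 1) // block_size
        # Every address in the subnet is indexed, so the pool must cover all of them.
        capacity = self.pool.num_addresses * self.blocks_per_addr
        if self.internal.num_addresses > capacity:
            raise ValueError(f"pool covers {capacity} hosts, subnet has {self.internal.num_addresses}")

    def forward(self, src: str):
        """Internal source address -> (external address, first port, last port)."""
        addr = ipaddress.ip_address(src)
        if addr not in self.internal:
            raise ValueError(f"{src} is not in {self.internal}")
        idx = int(addr) - int(self.internal.network_address)
        ext = self.pool.network_address + idx // self.blocks_per_addr
        first = self.port_low + (idx % self.blocks_per_addr) * self.block_size
        return str(ext), first, first + self.block_size - 1

    def reverse(self, ext: str, port: int):
        """(external address, translated port) -> internal address, or None."""
        ext_addr = ipaddress.ip_address(ext)
        block = (port - self.port_low) // self.block_size
        if ext_addr not in self.pool or not 0 <= block < self.blocks_per_addr:
            return None
        idx = (int(ext_addr) - int(self.pool.network_address)) * self.blocks_per_addr + block
        if idx >= self.internal.num_addresses:
            return None     # port block not assigned to any host
        return str(self.internal.network_address + idx)
```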
Static Destination NAT
Use static destination NAT to translate the destination address for external traffic to an address specified in a destination pool. The destination pool contains one address and no port configuration.
For more information about static destination NAT, see RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.
In Twice NAT, both the source and destination addresses are subject to translation as packets traverse the NAT router. The source information to be translated can be either address only or address and port. For example, you would use Twice NAT when you are connecting two networks in which all or some addresses in one network overlap with addresses in another network (whether the network is private or public). In traditional NAT, only one of the addresses is translated.
To configure Twice NAT, you must specify both a destination address and a source address for the match direction, pool or prefix, and translation type.
You can configure application-level gateways (ALGs) for ICMP and traceroute under stateful firewall, NAT, or class-of-service (CoS) rules when Twice NAT is configured in the same service set. These ALGs cannot be applied to flows created by the Packet Gateway Control Protocol (PGCP). Twice NAT does not support other ALGs. By default, the Twice NAT feature can affect IP, TCP, and UDP headers embedded in the payload of ICMP error messages.
Twice NAT, specified in RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations, is fully supported by Junos Address Aware Network Addressing.
IPv6-to-IPv6 NAT (NAT66), defined in Internet draft draft-mrw-behave-nat66-01, IPv6-to-IPv6 Network Address Translation (NAT66), is fully supported by Junos Address Aware Network Addressing.
Application-Level Gateway (ALG) Support
Junos Address Aware Network Addressing supports a number of ALGs. You can use NAT rules to filter incoming traffic based on ALGs. For more information, see Network Address Translation Rules Overview.
NAT-PT with DNS ALG
NAT-PT and Domain Name System (DNS) ALG are used to facilitate communication between IPv6 hosts and IPv4 hosts. Using a pool of IPv4 addresses, NAT-PT assigns addresses from that pool to IPv6 nodes on a dynamic basis as sessions are initiated across IPv4 or IPv6 boundaries. Inbound and outbound sessions must traverse the same NAT-PT router so that it can track those sessions. RFC 2766, Network Address Translation - Protocol Translation (NAT-PT), recommends the use of NAT-PT for translation between IPv6-only nodes and IPv4-only nodes, and not for IPv6-to-IPv6 translation between IPv6 nodes or IPv4-to-IPv4 translation between IPv4 nodes.
DNS is a distributed hierarchical naming system for computers, services, or any resource connected to the Internet or a private network. The DNS ALG is an application-specific agent that allows an IPv6 node to communicate with an IPv4 node and vice versa.
When DNS ALG is employed with NAT-PT, the DNS ALG translates IPv6 addresses in DNS queries and responses to the corresponding IPv4 addresses and vice versa. IPv4 name-to-address mappings are held in the DNS with “A” queries. IPv6 name-to-address mappings are held in the DNS with “AAAA” queries.
For IPv6 DNS queries, use the do-not-translate-AAAA-query-to-A-query statement at the [edit applications application application-name] hierarchy level.
Dynamic NAT flow is shown in Figure 1.
With dynamic NAT, you can map a private IP address (source) to a public IP address drawing from a pool of registered (public) IP addresses. NAT addresses from the pool are assigned dynamically. Assigning addresses dynamically also allows a few public IP addresses to be used by several private hosts, in contrast with an equal-sized pool required by source static NAT.
For more information about dynamic address translation, see RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations.
Stateful NAT64 flow is shown in Figure 2.
Stateful NAT64 is a mechanism to move to an IPv6 network and at the same time deal with IPv4 address depletion. By allowing IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP, several IPv6-only clients can share the same public IPv4 server address. To allow sharing of the IPv4 server address, NAT64 translates incoming IPv6 packets into IPv4 (and vice versa).
When stateful NAT64 is used in conjunction with DNS64, no changes are usually required in the IPv6 client or the IPv4 server. DNS64 is out of scope of this document because it is normally implemented as an enhancement to currently deployed DNS servers.
Stateful NAT64, specified in RFC 6146, Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers, is fully supported by Junos Address Aware Network Addressing.
Starting in Junos OS Release 17.1R1, you can configure a 464XLAT Provider-Side Translator (PLAT). This is supported only on MS-MICs and MS-MPCs. 464XLAT provides a simple and scalable technique for an IPv4 client with a private address to connect to an IPv4 host over an IPv6 network. 464XLAT only supports IPv4 in the client-server model, so it does not support IPv4 peer-to-peer communication or inbound IPv4 connections.
A customer-side translator (CLAT), which is not a Juniper Networks product, translates the IPv4 packet to IPv6 by embedding the IPv4 source and destination addresses in IPv6 /96 prefixes, and sends the packet over an IPv6 network to the PLAT. The PLAT translates the packet to IPv4, and sends the packet to the IPv4 host over an IPv4 network (see Figure 3).
464XLAT provides the advantages of not having to maintain an IPv4 network and not having to assign additional public IPv4 addresses.
The CLAT can reside on the end user mobile device in an IPv6-only mobile network, allowing mobile network providers to roll out IPv6 for their users and support IPv4-only applications on mobile devices (see Figure 4).
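The address handling shared by stateful NAT64 and 464XLAT, as an added example that is not Junos code: the CLAT embeds IPv4 addresses in IPv6 /96 prefixes, and the PLAT (a stateful NAT64) extracts the IPv4 destination, maps the IPv6 source to a shared public IPv4 address through a session table, and drops inbound IPv4 packets that match no session. The CLAT prefix and all addresses are constructed sample values; 64:ff9b::/96 is the well-known NAT64 prefix.

```python
import ipaddress

# Added example, not Junos code: address handling on a 464XLAT/NAT64 path.
# The CLAT embeds IPv4 in IPv6 /96 prefixes (RFC 6052 form); the PLAT is a
# stateful NAT64 that shares one public IPv4 address among IPv6 clients.

def embed_ipv4(prefix: str, ipv4: str) -> str:
    """IPv6 prefix with the IPv4 address carried in the low 32 bits."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4))))

def extract_ipv4(prefix: str, ipv6: str) -> str:
    """Inverse of embed_ipv4; rejects addresses outside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in ipaddress.IPv6Network(prefix):
        raise ValueError(f"{ipv6} is not inside {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))

def clat_translate(src4: str, dst4: str, clat_prefix: str, plat_prefix: str):
    """CLAT: private IPv4 src/dst -> IPv6 src/dst for the IPv6-only access network."""
    return embed_ipv4(clat_prefix, src4), embed_ipv4(plat_prefix, dst4)

class Plat:
    """Stateful NAT64 side: one public IPv4 address shared by many IPv6 clients."""
    def __init__(self, plat_prefix: str, public_ipv4: str):
        self.prefix, self.public = plat_prefix, public_ipv4
        self.sessions = {}      # public port -> (client IPv6, client port)
        self.next_port = 1024

    def outbound(self, src6: str, sport: int, dst6: str, dport: int):
        """IPv6 -> IPv4: reuse or allocate a public port and remember its owner."""
        for port, owner in self.sessions.items():
            if owner == (src6, sport):
                break
        else:
            port, self.next_port = self.next_port, self.next_port + 1
            self.sessions[port] = (src6, sport)
        return self.public, port, extract_ipv4(self.prefix, dst6), dport

    def inbound(self, src4: str, sport: int, dst4: str, dport: int):
        """IPv4 -> IPv6: only replies to a live session are translated; the rest drop."""
        owner = self.sessions.get(dport)
        if dst4 != self.public or owner is None:
            return None   # no inbound IPv4 connections through 464XLAT
        return embed_ipv4(self.prefix, src4), sport, owner[0], owner[1]
```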
Dual-stack lite (DS-Lite) flow is shown in Figure 5.
DS-Lite employs IPv4-over-IPv6 tunnels to cross an IPv6 access network to reach a carrier-grade IPv4-IPv4 NAT. This facilitates the phased introduction of IPv6 on the Internet by providing backward compatibility with IPv4.
DS-Lite is supported on MX Series routers with MS-DPCs and on M Series routers with MS-100, MS-400, and MS-500 MultiServices PICs. Starting in Junos OS Release 17.4R1, DS-Lite is supported on MX Series routers with MS-MPCs and MS-MICs. Starting in Junos OS Release 19.2R1, DS-Lite is supported on MX Virtual Chassis and MX Broadband Network Gateway (BNG) routers.
Junos Address Aware Network Addressing Line Card Support
Junos Address Aware Network Addressing technologies are available on the following line cards:
MultiServices Dense Port Concentrator (MS-DPC)
MS-100, MS-400, and MS-500 MultiServices PICs
MultiServices Modular Port Concentrator (MS-MPC) and MultiServices Modular Interface Card (MS-MIC)
Modular Port Concentrators (inline NAT)
For a listing of the specific NAT types supported on each type of card, see Carrier-Grade NAT Feature Comparison for Junos Address Aware by Type of Interface Card.