6/1/12

NAT-PT - Documentation

NAT-PT Documentation
"Soon, we will be entering the true age of broadband networks, a time when electronic products will be linked by high-speed, high-capacity networks. With these advances will come IPv6 (Internet Protocol Version 6), which will assign a unique IP address to everything from TVs and PCs to telephone and AV products. Distinguishing individual devices over networks will become possible as a result.", Sony Annual Report 2001

Table of contents
Operations
Prerequisites
Configuration details
Example setup scenario
Memory usage
Security
Advanced features
  Static inbound mappings
  Dynamic inbound mappings
  Single NIC operations
Application Level Gateways
  File Transfer Protocol
  Domain Name System
Troubleshooting

Operations
NAT-PT works by capturing, translating and sending packets from the IPv6 to the IPv4 network (and vice versa). The destination IPv4 address for the outgoing packet is determined by the last four bytes of the destination in the IPv6 packet received. Look at the diagram below. A user on PC1, an internal IPv6-only host, opens an Internet browser and starts by going to www.google.com. His computer first performs a query to its DNS server.

NAT-PT captures the packet and creates a new binding between the IPv6 address of PC1 and one of the IPv4 addresses it has in its pool, and translates the packet. NAT-PT sees a DNS query and translates the AAAA request to an A request. Finally it finds a route for the newly created IPv4 packet and queues it to the appropriate outbound interface.

tomicki.net/naptd.docs.php


The DNS server receives the query and sends a reply.

NAT-PT captures the traffic and finds the IPv6 address for the mapping. It also sees the DNS A resource records and translates them to AAAA records. It does this by adding a special 'NAT-PT prefix' (configured through 'naptd-confmaker', default 2000:ffff::) to the beginning of the IPv4 address. Finally it finds a route for the newly created IPv6 packet and queues it to the appropriate outbound interface.

From here PC1 initiates a connection to www.google.com.

NAT-PT captures the packet and creates a new binding between the IPv6 address of PC1 and one of the IPv4 addresses it has in its pool, translates the packet, finds the route, and... etc.

Google's web server replies to the initial SYN packet.

NAT-PT captures the traffic and finds the IPv6 address for the mapping. Finally it finds a route for the newly created IPv6 packet and queues it to the appropriate outbound interface.

The above summarizes the basics of how IPv6-only and IPv4-only hosts communicate. The rest of the connection occurs in the same way. NAT-PT maintains three "translation" pools, one for TCP, one for UDP and one for ICMP. By default TCP translations time out 5 minutes after a RST or FIN packet is captured, or after 24 hours of inactivity. UDP translations expire after 1 hour, and ICMP after 30 seconds.

Prerequisites
NAT-PT requires both iptables and ip6tables to work properly. This is caused by the fact that NAT-PT runs in user space. This has two important side effects:

1. TCP Resets.
   After a packet is translated from IPv6 and sent to the IPv4 side by using the IPv4 address of the outbound interface as the global IPv4 address for the translation, the kernel does not note this connection as originated by the router (despite the fact that a packet containing the router's IPv4 address was sent). When a reply is received from the IPv4 side and there is no firewall running on the router, the kernel, after seeing that the packet's destination is the router, looks in its connection table trying to find the application that this packet belongs to. Upon realizing that there is no such application, the default, RFC-defined behavior is to send a TCP RST (Reset) packet to the source host. If this happens the connections will be dropped by the remote IPv4 server and all communication between it and the internal IPv6 host will be broken.

2. Route Unreachable / Invalid Routing.
   The IPv6 hosts see the IPv4 world as a single virtual IPv6 network. It is created by taking the NAT-PT prefix (by default: 2000:ffff::) and setting the IPv4 address of each host as the last 4 octets. This network is purely virtual and doesn't really exist. All the traffic to this network must be routed to the NAT-PT box, which in turn captures it and performs the necessary translations. The fact that we are routing to a nonexistent network (excuse me for this oxymoron) causes a small problem. When the router performs routing and doesn't find a route to our virtual network, it attempts to send an ICMP Destination Unreachable (Route Unreachable) packet to the sending host. This must be prevented. If the router has a default route to any IPv6 destination, the packets destined for our virtual network would be sent to the global IPv6 cloud. This wouldn't disrupt our NAT-PT operations, but sending packets with a nonexistent destination into the global IPv6 cloud is highly undesirable and should be prevented whenever possible.

We must compensate for these shortcomings by using a firewall. The first problem can be corrected by using iptables. If you have a default DROP policy on all incoming packets you should be OK. Your iptables rules should have something similar to the example below.

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP

To solve the second problem, we must use ip6tables. We can either filter outgoing ICMPv6 Destination Unreachable packets, or filter packets destined for our virtual IPv6 network in the FORWARD chain. The first mechanism should be used if your router has no default route for IPv6 packets.

ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 1 -j DROP

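If your network does have connectivity to the global IPv6 cloud and therefore your router has a default IPv6 path, you must use the second option. The example below uses the default NAT-PT prefix (2000:ffff::); if you are using a non-default prefix, adjust the example to reflect your configuration. The /96 prefix length makes the rule match the whole virtual network, that is, every address whose last 4 octets carry an IPv4 address.

ip6tables -A FORWARD -d 2000:ffff::/96 -j DROP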

Configuration details
This section explains in detail each step of the NAT-PT configuration process. The NAT-PT translator should be configured using the program 'naptd-confmaker' included with the NAT-PT daemon itself. By default naptd will read the configuration file /etc/naptd.conf, but an alternate configuration file can be supplied by using the -c parameter.

naptd -c /usr/local/etc/naptd.conf

Let's look at the steps of the configuration process:

1. Do you want to create a new configuration? [Y/n]
   This really doesn't require much explanation. If you do want to create a new configuration file we continue; if you don't, the program terminates.

2. Do you want IPv4 addresses from the outside interfaces to be automatically used as part of the NAT pool? [Y/n]
   If you answer no, skip the next question in this documentation. If you answer yes then NAT-PT will use the IPv4 addresses from the outside interfaces when translating packets. If you have multiple outside interfaces this may be undesirable, as there is no assurance that after a packet is translated it will leave the interface whose IP address it carries. In other words, the translation mechanism is independent from the routing mechanism. In a situation like the one below this could cause a problem. In 99.9% of other cases there should be no problem.
   If your network topology resembles the one above, you can still use the IP address of the outside interface on the side of the global IPv4 cloud. You can do this by entering it as an IP pool range containing only one IP; this is explained in more detail below.

3. Do you want to configure additional address as part of your NAT pool? [y/N]
   You are already going to use the IPv4 addresses from the outside interfaces of your NAT-PT, but you can still configure more IP addresses to be used.

4. You need to create a public IPv4 address pool. Enter the pool's starting IP.
   At this point you need to specify the IP pools that will be used for translations. Enter the starting IP followed by return and the ending IP (inclusively). If this range is to contain a single IP, just press return when asked for the ending IP. The second step is to configure the port ranges for this pool. By default the first port that will be used will be 1500 and the last 65000. You can simply accept these values by pressing return or specify your own. You can create as many IP pools as you wish; make sure though that they do not overlap, as NAT-PT will not check these pools for overlaps.

5. Do you want to create a pool of public IPv4 addresses that will allow incoming connections to be dynamically mapped to appropriate IPv6 addresses? [y/N]
   Answering yes will allow you to create IP ranges that will be used by NAT-PT for dynamic inbound connection mapping. You need to specify the starting and ending IP addresses of the IP ranges, and you are free to create as many of these ranges as you want. These ranges should not overlap, as NAT-PT will not check for any overlaps and will simply accept the values you give it. Find out more about dynamic inbound connection.

6. Do you want to create static mappings of public IPv4 addresses that will allow incoming connections to reach IPv6 hosts? [y/N]
   If you answer yes, you will be able to create static mappings between IPv4 and IPv6 addresses. You will need to specify the IPv4 address first, followed by the IPv6 address. You can create as many static mappings as you like. Find out more about static inbound mappings.

7. Enter the name of the first inside (IPv6) interface that you want NAT-PT to listen on. interface (eth0 eth1 sit0):
   NAT-PT needs to know which interfaces you wish to specify as inside (IPv6) and which as outside (IPv4). The configuration maker will list all interfaces it finds on your system excluding lo. You can enter any interface name, but make sure that such an interface exists or will exist when you run NAT-PT, because there is no error checking performed here. After entering the first interface, you'll be given the choice to enter another. You can enter as many interfaces as you like.

8. Enter the name of the first outside (IPv4) interface that you want NAT-PT to listen on.
   In this prompt you must specify the outside (IPv4) interfaces that NAT-PT will use. The same conditions apply here as to specifying inside (IPv6) interfaces. You can use the same interface for both IPv4 and IPv6, making it possible to run NAT-PT on a router with only one network interface. If you do, see the section single NIC operations.

9. Enter the TCP translation timeout in seconds [86400]:
   Here you can set the number of seconds of inactivity after which a TCP translation will time out. The default is 86400 seconds (24 hours); however, whenever a RST or FIN packet is caught the connection will be timed out 5 minutes later. You can simply hit return to accept the default value.

10. Enter the UDP translation timeout in seconds [3600]:
    Here you can set the number of seconds of inactivity after which a UDP translation will time out. The default is 3600 seconds (1 hour). You can simply hit return to accept the default value.

11. Enter the ICMP translation timeout in seconds [30]:
    Here you can set the number of seconds of inactivity after which an ICMP translation will time out. The default is 30 seconds. You can simply hit return to accept the default value.

12. Enter the IPv6 prefix that will be used as the destination for that should be translated. prefix [2000:ffff::]:
    Here you must enter an IPv6 network prefix that will indicate packets that must be translated. The default value should work for everybody, but you may wish to use part of your IPv6 block as an IPv6 prefix, just to be safe. I prefer to use the last available network from my block for NAT-PT purposes. If you have a block like 2001:468:181:f100::/56, this would be 2001:468:181:f1ff::. Also remember that if you are using the DNS proxy totd, you should adjust its prefix to whatever you set it here to be.

13. Please enter the IPv4 address of the DNS server you are currently using. IPv4 DNS server:
    Enter the IPv4 address of the DNS server you are currently using and the configuration program will return the IPv6 address that you should use. This new address is determined based on the NAT-PT prefix and the IPv4 address of your DNS server. This part of the configuration isn't mandatory but will make it easier for you to calculate the translated IPv6 address for your DNS server if you plan to use NAT-PT's built-in DNS translator. You can also use the script below.

14. Thank you for choosing Ataga as you IPv4/IPv6 NAT-PT solution. Setup is now complete. Type 'naptd' to start NAT-PT.
    Congratulations, you're done!
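
The address calculation from step 13 (NAT-PT prefix plus the IPv4 address in the last four bytes), together with the reverse lookup the translator performs on a captured destination, as an added Python example; it is not code from NAT-PT or naptd-confmaker. The function names are hypothetical and 192.0.2.53 is a constructed sample DNS server address.

```python
import ipaddress

DEFAULT_PREFIX = "2000:ffff::"   # naptd-confmaker default, as stated on the page


def virtual_network(prefix=DEFAULT_PREFIX):
    """Return the /96 network that stands for the whole IPv4 world."""
    base = ipaddress.IPv6Address(prefix)
    if int(base) & 0xFFFFFFFF:
        # The last four bytes are reserved for the embedded IPv4 address.
        raise ValueError(f"{prefix}: the last four bytes of the prefix must be zero")
    return ipaddress.IPv6Network((int(base), 96))


def v4_to_v6(ipv4, prefix=DEFAULT_PREFIX):
    """IPv6 address an IPv6-only host uses to reach the given IPv4 host."""
    net = virtual_network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def v6_to_v4(ipv6, prefix=DEFAULT_PREFIX):
    """IPv4 destination taken from the last four bytes, or None when the
    address lies outside the virtual network and is therefore not translated."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in virtual_network(prefix):
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


if __name__ == "__main__":
    dns_v4 = "192.0.2.53"        # constructed sample DNS server address
    for pfx in (DEFAULT_PREFIX, "2001:468:181:f1ff::"):
        print(pfx, dns_v4, "->", v4_to_v6(dns_v4, pfx))
```

The same network object gives the destination to use in the ip6tables FORWARD rule when a non-default prefix is configured.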

Example setup scenario
Let's look at two example setup scenarios where NAT-PT could be used. In the first we are looking to deploy an IPv6-only corporate network in which we want to take advantage of IPSec to encrypt all internal traffic. Most of your traffic will be isolated within the v6 domain, but we still need to provide a way for our employees to communicate with the rest of the world.

In the above we have two IPv6-only networks, one dual-stack network and two routers (one running dual stack and NAT-PT and the second one being IPv6-only). The NAT-PT machine shown on this diagram can act as an IPv4 router, an IPv6 router and an IPv4/IPv6 translator all at the same time. It performs IPv4 routing between the global IPv4 cloud and the dual-stack network. It performs IPv6 routing between the dual-stack network and the IPv6-only networks. Finally it performs stateful IPv4/IPv6 translations between the IPv6-only networks and the IPv4 global cloud. The hosts on the IPv6-only networks should use NAT-PT's built-in DNS translator, while the dual-stack hosts can continue to use their old IPv4 DNS server.

The second scenario is a bit more complex and probably is a better reflection of today's complex network environment. It shows multiple networks, some of them IPv4-only, some IPv6-only and some dual-stacked.

In this scenario an organization wants to migrate to IPv6, but still needs to be able to communicate with the rest of the IPv4-only world. This scenario differs from the previous one in that the organization has a native or tunneled IPv6 connection provided by its ISP. In this case, the DNS proxy daemon totd should be used. The NAT-PT machine performs IPv6 routing and IPv4/IPv6 translations. If an internal IPv6-only host tries to communicate with an IPv6-enabled host, the connection will be routed through IPv6 and communication will happen through the IPv4 cloud in an IPv6-in-IPv4 tunnel. Otherwise, if the remote host uses only IPv4, NAT-PT will translate the connection.

The setup scenario should determine how DNS queries are resolved. Use the table below for reference.

| Scenario | DNS Resolution |
|---|---|
| Dual Stack | Use a regular DNS server. If a remote host has an IPv6 address it will be preferred, otherwise IPv4 will be used. |
| IPv6 only + tunneled/native IPv6 connectivity | Use the DNS proxy daemon totd. If a remote host has an IPv6 address it will be used, otherwise the IPv4 address will be translated using the NAT-PT prefix (remember the NAT-PT prefix and the prefix configured with totd must be the same). |
| IPv6 only, no IPv6 connectivity available | Use NAT-PT's built-in DNS translator. The remote host's address will always be translated using the NAT-PT prefix. |

Memory usage
NAT-PT doesn't put any significant strain on a router's memory. After initializing it should use about 1.1MB of shared memory. This amount will increase by 48 bytes per translation created. After creating 30,000 translations, this increases memory usage by about 1.3MB. Other sources of memory usage include free IP+port pairs that can be used for translations. Each of these takes up 8 bytes. This can quickly become a large amount of memory if, for example, your NAT pool consists of 254 IPs and 63500 ports per IP. This would total over 123MB of memory. However, NAT-PT maintains separate free IP+port pairs for each transport layer protocol. This brings the memory usage up to over 369MB (123MB * 3 protocols: TCP, UDP, ICMP). However, NAT-PT uses a dynamic mechanism that allocates IP+port pairs only when the pools are exhausted. In this way the memory used by the IP+port pairs is insignificantly small.
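
Because naptd-confmaker does not check pools for overlaps (configuration steps 4 and 5), the check can be run on the planned answers beforehand; the following added Python example (not part of NAT-PT) does that and also reproduces the worst-case free-pair figure from this section. The function names are hypothetical, the addresses are constructed samples, and treating any intersection of IP ranges as an overlap, whatever the port ranges, is a conservative assumption.

```python
import ipaddress
from itertools import combinations

PAIR_BYTES = 8   # bytes per free IP+port pair, from the Memory usage section
PROTOCOLS = 3    # TCP, UDP and ICMP each keep their own free pairs


def parse_pool(start, end="", first_port=1500, last_port=65000):
    """Normalise one pool as (first_ip, last_ip, first_port, last_port).

    An empty end gives a single-IP pool, mirroring "just press return" at the
    prompt; the port defaults are the ones naptd-confmaker offers.
    """
    lo = ipaddress.IPv4Address(start)
    hi = ipaddress.IPv4Address(end) if end else lo
    if hi < lo:
        raise ValueError(f"{start}-{end}: ending IP is below the starting IP")
    if not 1 <= first_port <= last_port <= 65535:
        raise ValueError(f"{first_port}-{last_port}: invalid port range")
    return int(lo), int(hi), first_port, last_port


def find_overlaps(pools):
    """Return (i, j, ports_overlap) for every two pools whose IP ranges intersect."""
    clashes = []
    for (i, a), (j, b) in combinations(enumerate(pools), 2):
        if a[0] <= b[1] and b[0] <= a[1]:
            clashes.append((i, j, a[2] <= b[3] and b[2] <= a[3]))
    return clashes


def worst_case_bytes(pools):
    """Memory if every free IP+port pair were allocated for all three protocols."""
    pairs = sum((hi - lo + 1) * (lp - fp + 1) for lo, hi, fp, lp in pools)
    return pairs * PAIR_BYTES * PROTOCOLS


if __name__ == "__main__":
    # Constructed sample answers using documentation address ranges.
    pools = [parse_pool("198.51.100.1", "198.51.100.254", 1500, 64999),
             parse_pool("198.51.100.200", "198.51.100.210"),
             parse_pool("203.0.113.7")]
    for i, j, ports in find_overlaps(pools):
        print(f"pool {i} and pool {j} share IPs" + (" and ports" if ports else ""))
    print(f"worst case: {worst_case_bytes(pools[:1]) / 2**20:.0f} MiB")
```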

Security
Security is a big concern in today's computer world. NAT-PT mitigates most security risks by dropping root privileges soon after startup. Securing NAT-PT really comes down to securing the configuration file that it uses, because the current mechanism used to read the configuration file can be exploited if the configuration file is tampered with (this will be changed in future releases). The configuration file should be readable only by root and modified only using the naptd-confmaker program. If a remote attacker modifies the configuration file that NAT-PT uses, then he must already have gained root privileges. While NAT-PT is running it needs to have read access to the following files:

/proc/net/ipv6_route
/proc/net/route

If you are running SELinux make sure that they are readable by NAT-PT.

One DoS attack scenario that can be attempted is creating thousands of half-open TCP connections to exhaust the free IP+port pool. In this scenario the attacker must be on one of the internal (IPv6) networks to make the attack feasible. If you ever experience this (check NAT-PT's log file) you can modify the TCP translation timeout. Refer to configuration details for more information.

Finally there is the case of Application Level Gateways that are loaded during NAT-PT's startup. One possible scenario would be for an attacker to create an ALG designed to crash NAT-PT, thus causing a denial of service attack. In order to mitigate this attack, the NAT-PT plugin directory (/usr/lib/naptd/plugins) must be readable and writable only by root.
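
A check for the two file-permission requirements above (configuration file and plugin directory accessible to root only), as an added Python example that is not part of NAT-PT. The paths are the ones this page names; the function names and the owner_uid parameter are assumptions of the example.

```python
import os
import stat

# Paths named on the page; pass other values for a non-default install.
CONFIG_FILE = "/etc/naptd.conf"
PLUGIN_DIR = "/usr/lib/naptd/plugins"


def audit_path(path, owner_uid=0):
    """Return a list of findings for one path; an empty list means it passes.

    "Readable and writable only by root" is read as: owned by owner_uid
    (0 by default) and no group or other permission bit set.
    """
    try:
        st = os.lstat(path)               # lstat: do not follow a planted symlink
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink, audit its target instead"]
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: group/other bits set (mode {mode:04o})")
    return findings


def audit_naptd(config=CONFIG_FILE, plugin_dir=PLUGIN_DIR, owner_uid=0):
    """Audit the config file, the plugin directory and every ALG file in it."""
    findings = audit_path(config, owner_uid) + audit_path(plugin_dir, owner_uid)
    try:
        entries = sorted(os.listdir(plugin_dir))
    except OSError:
        entries = []   # missing (reported above) or root-only: run the audit as root
    for name in entries:
        findings += audit_path(os.path.join(plugin_dir, name), owner_uid)
    return findings


if __name__ == "__main__":
    for line in audit_naptd() or ["OK: config file and plugin directory are root-only"]:
        print(line)
```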


Advanced features
NAT-PT employs a number of advanced features including static and dynamic inbound mappings, and single NIC operations. You don't need to know these in order to use NAT-PT in a simple setup scenario. However, these features can be very helpful in specific situations.

Static inbound mappings
Under normal circumstances NAT-PT allows new connections to be established only from the inside of the network (IPv6 side). In such a situation, the source IPv6 address and port are translated and replaced with an IP+port pair. Depending on your network topology, it might be necessary to allow remote connections to be established to certain internal hosts. If you are running a public web or mail server you will need a way to allow remote hosts to connect to your server. This can be done using static inbound mappings, which can be configured using naptd-confmaker. When a static connection is created NAT-PT will establish a mapping between a public IPv4 address and an IPv6 address and will perform stateless translation between these addresses.

When using static mappings the communication between the hosts looks like the following.

NAT-PT finds the static mapping and translates the packet.

The server responds to the TCP SYN packet.

NAT-PT finds the static mapping and translates the packet.

Dynamic inbound mappings
An alternative to using static inbound mappings is the use of dynamic ones. This can be especially helpful when you have a large number of servers that need to be globally reachable from IPv4-only clients. The way dynamic inbound mappings work is that NAT-PT creates inbound mappings based on DNS information. You use naptd-confmaker to first create an IPv4 address range that NAT-PT will attempt to create dynamic mappings on. You then update your DNS information so that every hostname in your zone has both its IPv6 address and its old IPv4 address.

When an IPv4-only client attempts to contact one of your servers, NAT-PT first looks for an inbound mapping for the given destination IPv4 address. If it can't find it, but the destination IPv4 address belongs to the dynamic inbound mappings range, NAT-PT will attempt to create a mapping using DNS. This happens in the following steps.

First NAT-PT captures a packet with a destination belonging in the dynamic inbound mappings range.

NAT-PT attempts to perform a reverse DNS resolution on the packet's destination. This is handled by a separate thread while all other packets are being continuously translated.

The DNS server responds with the destination's FQDN.

NAT-PT performs an AAAA lookup on the FQDN.

The DNS server returns the AAAA record.

NAT-PT creates a mapping between the returned IPv6 address and the packet's original IPv4 destination; it then translates the packet and sends it to its destination.

Single NIC operations
In order to make the transition to IPv6 easier, NAT-PT has been designed to run on commodity hardware and with minimum system requirements. One of its features is the ability to run correctly on a system that has only one Network Interface Card (NIC). In order to have NAT-PT use a single NIC, simply specify the same interface as both the inside and outside of your NAT. As long as your machine has routes to both IPv4 and IPv6 networks, everything should work fine. A single NIC setup is shown below.

Application Level Gateways
Under normal circumstances, NAT-PT is limited to translating IP headers and transport layer headers. In some cases, this may not be sufficient to ensure full end-to-end transparent communications, because many protocols carry IP and port information in their packet's payload, therefore creating a need for deep packet inspection and translation. NAT-PT implements such functionality by using a plugin-based system of Application Level Gateways (ALGs) that extend its functionality to incorporate deep packet inspection and translation. The current release of NAT-PT (v.0.4.2) is shipped with two such plugins, designed to translate the FTP and DNS protocols. NAT-PT will open /usr/lib/naptd/plugins at startup and attempt to load any ALG it finds there. In the future new plugins will be added to NAT-PT by copying them to the plugin directory and simply restarting NAT-PT.

File Transfer Protocol
This ALG works on the basis of inspecting and translating certain FTP response codes and commands. It also keeps track of and translates TCP sequence numbers and acknowledgement numbers, because the packet payload's size changes when crossing the IPv4/IPv6 boundary. The following translations occur:

| IPv4 Side | IPv6 Side |
|---|---|
| 150 | 150 |
| 227 | 229 |
| PASV | EPSV |

This is an early implementation of the FTP plugin, and may not work correctly in all possible scenarios; it has been confirmed to work in most cases.
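
Why the sequence and acknowledgement numbers have to follow the payload rewrite, shown as an added Python example; this is not the NAT-PT FTP plugin's code. The class and method names are hypothetical, the reply texts follow the RFC 959 and RFC 2428 formats, the segments are constructed samples, and the example assumes in-order segments with one command or reply per segment and no retransmissions.

```python
import re

MOD = 1 << 32                                   # TCP sequence numbers wrap at 2^32
NUM = rb"(\d{1,3})"
PASV_REPLY = re.compile(rb"227 [^(\r\n]*\(" + rb",".join([NUM] * 6) + rb"\)[^\r\n]*\r\n")


class FtpControlAlg:
    """State for one FTP control connection crossing the translator."""

    def __init__(self):
        self.to_v4_delta = 0   # bytes added to the IPv6 client -> IPv4 server stream
        self.to_v6_delta = 0   # bytes added to the IPv4 server -> IPv6 client stream

    @staticmethod
    def _command(payload):
        # EPSV (RFC 2428) from the IPv6 client becomes PASV (RFC 959).
        return b"PASV\r\n" if payload.strip().upper() == b"EPSV" else payload

    @staticmethod
    def _reply(payload):
        # "227 ... (h1,h2,h3,h4,p1,p2)" becomes "229 ... (|||port|)". The IPv4
        # address is dropped: an EPSV client connects to the control peer's address.
        m = PASV_REPLY.match(payload)
        if not m:
            return payload
        p1, p2 = int(m.group(5)), int(m.group(6))
        if p1 > 255 or p2 > 255:
            return payload                      # malformed reply, pass through
        line = b"229 Entering Extended Passive Mode (|||%d|)\r\n" % (p1 * 256 + p2)
        return line + payload[m.end():]

    def client_segment(self, seq, ack, payload):
        """Translate one IPv6 -> IPv4 segment; returns (seq, ack, payload)."""
        out = self._command(payload)
        fixed = (seq + self.to_v4_delta) % MOD, (ack - self.to_v6_delta) % MOD, out
        self.to_v4_delta += len(out) - len(payload)   # applies to later segments
        return fixed

    def server_segment(self, seq, ack, payload):
        """Translate one IPv4 -> IPv6 segment; returns (seq, ack, payload)."""
        out = self._reply(payload)
        fixed = (seq + self.to_v6_delta) % MOD, (ack - self.to_v4_delta) % MOD, out
        self.to_v6_delta += len(out) - len(payload)   # applies to later segments
        return fixed
```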

Domain Name System
The DNS ALG works only with UDP DNS connections as of now. This will change to include TCP-based DNS connections in the future. This ALG works by inspecting and translating queries and resource records (RR). It will translate an AAAA request into an A request and later map the results to AAAA RRs and translate the query type back to AAAA. This ALG is still subject to change.
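
The two rewrites described above, applied to raw DNS messages, as an added Python example; it is not the NAT-PT DNS plugin's code and the function names are hypothetical. Assumptions: names are re-encoded without compression and only the question and the A/CNAME answers are emitted, so that no compression pointer goes stale when an A record's data grows from 4 to 16 bytes; every reply passed in is assumed to answer a query that was rewritten.

```python
import ipaddress
import struct

A, CNAME, AAAA = 1, 5, 28


def read_name(msg, off):
    """Decode a possibly compressed name; return (labels, offset after it)."""
    labels, after, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            after = off + 2 if after is None else after
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
        elif n == 0:                               # root label ends the name
            return labels, (off + 1 if after is None else after)
        elif n > 63:
            raise ValueError("reserved label type")
        else:
            labels.append(msg[off + 1:off + 1 + n])
            off += 1 + n


def put_name(labels):
    """Encode a name without compression so no pointer can go stale."""
    return b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"


def query_to_v4(msg):
    """IPv6 -> IPv4: each AAAA question becomes an A question (same length)."""
    out, off = bytearray(msg), 12
    for _ in range(struct.unpack_from("!H", msg, 4)[0]):
        _, off = read_name(msg, off)
        if struct.unpack_from("!H", msg, off)[0] == AAAA:
            struct.pack_into("!H", out, off, A)
        off += 4
    return bytes(out)


def reply_to_v6(msg, prefix="2000:ffff::"):
    """IPv4 -> IPv6: question type back to AAAA, A records mapped to AAAA."""
    pfx = ipaddress.IPv6Address(prefix).packed[:12]
    ident, flags, qd, an = struct.unpack_from("!4H", msg, 0)
    body, off, kept = b"", 12, 0
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!2H", msg, off)
        body += put_name(name) + struct.pack("!2H", AAAA if qtype == A else qtype, qclass)
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        start, off = off + 10, off + 10 + rdlen
        if rtype == A and rdlen == 4:
            rtype, rdata = AAAA, pfx + msg[start:off]    # prefix + 4 IPv4 bytes
        elif rtype == CNAME:
            rdata = put_name(read_name(msg, start)[0])   # expand any pointer
        else:
            continue   # other record types are left out (assumption of this example)
        body += put_name(name) + struct.pack("!2HIH", rtype, rclass, ttl, len(rdata)) + rdata
        kept += 1
    return struct.pack("!6H", ident, flags, qd, kept, 0, 0) + body
```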

Troubleshooting
If the above documentation does not answer your questions, email me.

"Risky things are not in themselves risky if you understand them and control them. If you do it randomly and you are sloppy about it, it can be very risky."

Last update: Saturday, 04th December, 2010
Copyright 2001-2012 by Lukasz Tomicki
