CNFs NAT64¶
Overview¶
Cloud-Native Network Functions (CNFs) NAT64 provides the ability to process IPv6 to IPv4 application traffic, specifically between IPv6 only clients and IPv4 only servers. To provide NAT64, the Service Proxy Traffic Management Microkernel (TMM) Proxy Pod first translates DNS queries using the well-known NAT64 64:ff9b:: prefix, by converting the IPv4 response into an IPv6 hexidecimal format, and appending the result to the host portion of the well-known NAT64 prefix. The TMM Proxy Pod then uses NAT to translate connections to 64:ff9b::/96 destinations, proxying the IPv6 client addresses and IPv4 application addresses.
Connection example¶
When the IPv6 only client requires a connection to IPv4 only server www.64test.com, the TMM Proxy Pod first performs a DNS query, and converts the response 40.40.40.1 to hex value 28282801. The hex conversion is appended to the host portion of the well-known NAT64 prefix as 64:ff9b::2828:2801. When the IPv6 client connects to 64:ff9b::2828:2801 through the TMM Proxy Pod, the network packet is sent to destination 40.40.40.1, and connections between the endpoints continue to flow through the TMM Proxy Pod for the life of the connection
Required CNFs CRs¶
NAT64 requires CNFs Custom Resources (CRs) installed in this order:
- The F5BigDnsApp specifies a DNS listener used to translate and convert DNS queries.
- The F5BigNatPolicy specifies the IPv4 and IPv6 translation addresses.
- The optional F5BigFwPolicy filters subscriber connections by IP address.
- The optional F5BigLogProfile sends connection events to remote logging servers.
- The F5BigContextSecure processes and load balances subscriber connections.
This document describes, and guides you through the DNS64 CR implementation.
Requirements¶
Ensure you have:
- Installed the BIG-IP Controller.
- Installed the dSSM Database for F5BigNatPolicy configurations.
- A Linux based workstation.
Installation¶
Use this installation procedure to configure the TMM Proxy Pod for NAT64 functionality.
Tip: Open a second shell to view the CNFs Event Logs while installing.
Optional: The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514, and the udp protocol. Copy and paste the example into a YAML file:
Note: The F5BigLogHslpub CR will be referenced by the F5BigLogProfile.
apiVersion: k8s.f5net.com/v1 kind: F5BigLogHslpub metadata: name: "cnf-hsl-pub" namespace: "cnf-gateway" spec: pool: - name: "hsl-pool" endpoint: - "[2002::10:30:2:220]:514" syslog: - name: "cnf-syslog" format: "rfc5424" protocol: "udp" pool: "hsl-pool"
Install the F5BigLogHslpub CR:
kubectl apply -f cnf-hsl-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub", F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
Optional: The example F5BigLogProfile CR captures NAT events such as connection start and end, and firewall events such as packet match and drop. Copy and paste the CR nto a YAML file:
Note: The F5BigLogProfile CR will be referenced by the F5BigContextSecure CR.
apiVersion: "k8s.f5net.com/v1" kind: F5BigLogProfile metadata: name: "cnf-log-profile" namespace: "cnf-gateway" spec: name: "cnf-logs" nat: enabled: true logSubscriberID: true publisher: "cnf-hsl-pub" inbound: start: mode: "enabled" end: mode: "enabled" quotaExceeded: mode: "enabled" errors: mode: "enabled" firewall: enabled: true network: publisher: "cnf-hsl-pub" events: aclMatchAccept: true aclMatchDrop: true tcpEvents: true translationFields: true
Install the F5BigLogProfile CR:
kubectl apply -f cnf-log-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:
I0202 12:00:00.12348 1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile", LogProfile cnf-gateway/cnf-log-profile was added/updated
The example F5BigDnsApp CR receives DNS queries on IP 2002::10:20:2:10, and sends the query to 10.30.2.220 for resolution. IPv4 only responses are converted and appended to the NAT64 well-known prefix 64:ff9b::. Copy and paste the example CR into a YAML file:
Note: The F5BigDnsApp CR will be referenced by the F5BigContextSecure CR.
apiVersion: "k8s.f5net.com/v1" kind: F5BigDnsApp metadata: name: "cnf-dns-64" namespace: "cnf-gateway" spec: destination: ipv6Address: "2002::10:20:2:10" port: 53 snat: type: "automap" dns: dns64Mode: "secondary" dns64Prefix: "64:ff9b::" dns64AdditionalSectionRewrite: "v4-only" ipProtocol: "udp" udp: pool: members: - address: "10.30.2.220" port: 53
Install the F5BigDnsApp CR:
kubectl apply -f cnf-dns-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigDnsApp CR was added/updated:
I0202 12:00:00.12345 1 event.go:282 Event(v1.ObjectReference{Kind:"F5Dns", F5Dns cnf-gateway/cnf-dns-64 was added/updated
The example F5BigNatPolicy CR NATs subscriber connections sourced from IPv6 prefix 2002::10:20:2:0/112, and destined to the IPv6 prefix 64:ff9b::0/96. Subscribers source IP addresses will NAT to an IPv6 address within the 10.200.2.1-10.200.2.11 range, and be sent to the server’s IPv4 address. Copy and paste the CR into a YAML file:
Note: The F5BigNatPolicy CR will be referenced by the F5BigContextSecure CR.
apiVersion: "k8s.f5net.com/v1" kind: F5BigNatPolicy metadata: name: "cnf-nat-64" namespace: "cnf-gateway" spec: sourceTranslation: - name: "trans-64" type: "dynamic-pat" addresses: - "10.200.2.1-10.200.2.11" port: "8000-8500" routeAdvertisement: true icmpEcho: true proxyArp: true rule: - name: rule-ip64 ipProtocol: any source: addresses: - "2002::10:20:2:0/112" destination: addresses: - "64:ff9b::0/96" sourceTranslation: "trans-64"
Install the F5BigNatPolicy CR:
kubectl apply -f cnf-nat-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigNatPolicy CR was added/updated:
I0202 12:00:00.12345 1 event.go:282 Event(v1.ObjectReference{Kind:"F5NatPolicy", NatPolicy cnf-gateway/cnf-nat-64 was added/updated
Optional: The example F5BigFwPolicy allows connections only from the IPv6 prefix 2002::10:20:2:0/112. Copy and past the CR into a YAML file:
Note: The F5BigFwPolicy CR will be referenced by the F5BigContextSecure CR.
apiVersion: "k8s.f5net.com/v1" kind: F5BigFwPolicy metadata: name: "cnf-fw-64" namespace: "cnf-gateway" spec: rule: - name: allow-10-20 action: "accept" logging: true ipProtocol: any source: addresses: - "2002::10:20:2:0/112" - name: drop-all action: "drop" logging: true ipProtocol: any source: addresses: - "::/0"
Install the F5BigFwPolicy CR:
kubectl apply -f cnf-fw-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigFwPolicy CR was added/updated:
I0202 12:00:00.12346 1 event.go:282 Event(v1.ObjectReference{Kind:"F5FirewallPolicy", FirewallPolicy cnf-gateway/cnf-fw-64 was added/updated
The F5BigContextSecure CR listens for connections destined to the 64:ff9b::0/96 prefix on service port 80, and processes application traffic by referencing the installed CRs. Copy and paste the CR into a YAML file:
apiVersion: k8s.f5net.com/v1 kind: F5BigContextSecure metadata: name: "cnf-64-context" namespace: "cnf-gateway" spec: ipv6destinationAddress: "::/0" destinationPort: 80 firewallEnforcedPolicy: "cnf-fw-64" natPolicy: "cnf-nat-64" logProfile: "cnf-log-profile" ipProtocol: "any" profile: "fastL4"
Install the F5BigContextSecure CR:
kubectl apply -f f5-cnf-64-context.yaml
In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:
I0202 12:00:00:12350 1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", SecureContext cnf-gateway/cnf-64-context was added/updated
Continue to the Traffic statistics section after testing the application.
Traffic statistics¶
If you have installed the TMM Debug container, use the following steps to gather traffic processing statistics for the F5BigNatPolicy, F5BigFwPolicy and F5BigContextSecure CRs.
Log in to the TMM debug Pod:
In this example, the TMM debug container is in the cnf-gateway namespace:
kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
Verify F5BigNatPolicy connection statistics:
tmctl -d blade fw_nat_rule_stat
context_type context_name rule_name --------- --------------------------------------- -------------------------- virtual cnf-cnf-context-secure-SecureContext_vs 10-20-subnet-natpolicyrule micro_rules counter last_hit_time action ----------- ------- ------------- ------ 1 8 1643836695 0
tmctl -d blade fw_nat_trans_stat -s type,name,translation_requests
type name translation_requests ------------ ----------- -------------------- fw_src_trans transparent 8 fw_dst_trans transparent 8 fw_src_trans automap 0
Verify the F5BigNatPolicy client IP address mappings:
lsndb list all
Client Connections ----------------------------------------------------------- 0 client with 0 connection found. LSN Persistence Entries Client Translation ----------------------------------------------------------- 10.20.2.220:52110 10.200.2.8:8265 10.20.2.220 10.200.2.8 2 persist entries found. LSN port block allocations Client Port block ---------------------------------------------------------- 0 port block entries found. LSN Inbound Mapping Entries Translation Client ---------------------------------------------------------- 10.200.2.8:8265 10.20.2.220:52110 10.200.2.7:8397 10.20.2.220:52106
Verify the F5BigFwPolicy statistics:
tmctl -d blade fw_rule_stat -s rule_name,counter,last_hit_time,action
rule_name counter last_hit_time action -------------------------- ------- ------------- ------ allow-4-firewallpolicyrule 1 1646355700 2 allow-6-firewallpolicyrule 1 1646355702 2 drop-4-firewallpolicyrule 0 0 0 drop-6-firewallpolicyrule 0 0 0
Verify the F5BigDnsApp DNS Profile statistics:
tmctl -d blade profile_dns_stat -s name,queries,responses
name queries responses ---------------------------------- ------- --------- cnf-gateway-cnf-dns-64-profile_dns 20 20
Verify the F5BigContextSecure, and F5BigDnsApp virtual server statistics:
tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
name clientside.tot_conns -------------------------------------- -------------------- cnf-gateway-ipv64-vip-SecureContext_vs 15 cnf-gateway-dns-64-virtual_server 20
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.