Re: [v6ops] FYI: Microsoft's latest on CLAT

Tore Anderson <tore@fud.no> Sun, 10 March 2024 10:23 UTC

To: Ole Trøan <otroan=40employees.org@dmarc.ietf.org>, Jen Linkova <furry13@gmail.com>
Cc: v6ops@ietf.org, Tommy Jensen <Jensen.Thomas@microsoft.com>
From: Tore Anderson <tore@fud.no>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/JEhS-V79QqFt5-RaiyG-aj_HCMw>

On 09/03/24 08:58, Ole Trøan wrote:
> Could stateful XLAT be made to work on a host with a single address? Yes. Would using a single address lead to interoperability problems? No.
> I.e. it’s an implementation choice.

Indeed. On Linux this can be easily done today, by assigning a locally 
significant IPv6 address (e.g., ULA) to the CLAT function, and then 
running the packets through Netfilter's stateful IPv6 NAT function prior 
to forwarding to the external network.

This works just fine on any IPv6 network, unlike the dual address 
approach. It also means NDP interaction is not an issue to worry about, 
so it is actually easier to implement than the dual address approach too 
(in my opinion, anyway).

I can also imagine a single-address in-kernel CLAT that achieves the 
same more elegantly by integrating directly with the socket layer, e.g., 
by ensuring that an outbound TCP/UDP connection assigned 192.0.2.1:portX 
claims [2001:db8::1]:portX automatically, and where return traffic 
destined for [2001:db8::1]:portX will be directed to the CLAT function 
for IPv6→IPv4 translation. [2001:db8::1]:portY may be used by a regular 
native IPv6 socket simultaneously.

Tore
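The single-address Linux arrangement Tore describes above (a ULA on the CLAT function, Netfilter stateful NAT66 before forwarding to the uplink), as an added example that is not from the post or from any CLAT project. The interface names clat0 and eth0, the ULA fd00:db8:c1a7::1 and the use of the well-known NAT64 prefix 64:ff9b::/96 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the post. Assumed names: clat0 is the netdev created by a
# userland CLAT, eth0 is the uplink, the ULA is the CLAT's IPv6 source address and
# 64:ff9b::/96 stands in for the NAT64 prefix the network actually provides.
set -eu

CLAT_IF="${CLAT_IF:-clat0}"
UPLINK_IF="${UPLINK_IF:-eth0}"
CLAT_ULA="${CLAT_ULA:-fd00:db8:c1a7::1}"   # locally significant, never leaves the host
NAT64_PREFIX="${NAT64_PREFIX:-64:ff9b::/96}"

# Emit the nftables ruleset: rewrite the CLAT's ULA source to the uplink's own
# global address (stateful NAT66), so the host needs only one routable IPv6 address.
# The match is kept narrow (ULA source, NAT64 destination, uplink egress) so that
# native IPv6 sockets on the host are never touched by the NAT.
clat_nft_ruleset() {
    cat <<EOF
table ip6 clat_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip6 saddr ${CLAT_ULA} ip6 daddr ${NAT64_PREFIX} oifname "${UPLINK_IF}" masquerade
    }
    chain input {
        type filter hook input priority filter; policy accept;
        # The ULA must not be reachable from the uplink side; drop any such packet.
        iifname "${UPLINK_IF}" ip6 daddr ${CLAT_ULA} drop
    }
}
EOF
}

# Apply on a live host (requires root and the CLAT netdev to exist): put the ULA on
# the CLAT interface, enable IPv6 forwarding for clat0 -> eth0, load the ruleset.
clat_apply() {
    ip -6 addr add "${CLAT_ULA}/128" dev "${CLAT_IF}"
    sysctl -q -w net.ipv6.conf.all.forwarding=1
    clat_nft_ruleset | nft -f -
}

# Stand-alone run only prints the generated ruleset; call clat_apply to install it.
clat_nft_ruleset
```

Replace NAT64_PREFIX with the prefix actually discovered on the network before calling clat_apply, otherwise CLAT traffic leaves the host with the ULA source and is dropped upstream.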