Does pf support NPT (RFC6296) ?

athompso
I still haven't found this answer anywhere...

Does OpenBSD (more specifically, pf(4), I guess) support RFC 6296,
IPv6-to-IPv6 Network Prefix Translation?  Looks like FreeBSD can do it,
but I can't tell if that's something they added to their own pf fork, or
if I'm just missing something in the OpenBSD docs.

I know I can do NAT66, but I don't think it's feasible to emulate NPT
using NAT66 rules.

Thanks,
-Adam

Re: Does pf support NPT (RFC6296) ?

Stuart Henderson
On 2017-05-15, Adam Thompson <[hidden email]> wrote:
> I still haven't found this answer anywhere...
>
> Does OpenBSD (more specifically, pf(4), I guess) support RFC 6296,
> IPv6-to-IPv6 Network Prefix Translation?  Looks like FreeBSD can do it,
> but I can't tell if that's something they added to their own pf fork, or
> if I'm just missing something in the OpenBSD docs.
>
> I know I can do NAT66, but I don't think it's feasible to emulate NPT
> using NAT66 rules.

No, NPT is different and can't be emulated by anything that
OpenBSD's PF currently does.

The closest it can get is NAT with bitmask and "static-port", but
1) that's stateful, and 2) it doesn't do the "checksum neutral"
modification that NPT uses (NPT doesn't replace just the network
prefix; it also adjusts the host part of the address in a
complementary manner so that the IPv6 checksum doesn't change).


Re: Does pf support NPT (RFC6296) ?

athompso
> > I know I can do NAT66, but I don't think it's feasible to emulate NPT
> > using NAT66 rules.
>
> No, NPT is different and can't be emulated by anything that OpenBSD's
> PF currently does.

Shoot.  I was really hoping pfSense managed it through some feature that predated FreeBSD's pf(4) import, but that I had merely overlooked.  That sucks, right now.
 
> The closest it can get is NAT with bitmask and "static-port", but
> 1) that's stateful, and 2) it doesn't do the "checksum neutral"
> modification that NPT uses (NPT doesn't replace just the network prefix;
> it also adjusts the host part of the address in a complementary manner
> so that the IPv6 checksum doesn't change).

Ah, thank you for that explanation - I wasn't clear on what the manipulations were supposed to accomplish.

In my unfortunate scenario, NAT66 would probably work just as well, assuming my intuition about how IPv4 NAT/SNAT/PNAT works in pf(4) extends to the IPv6 world.  An HTTP proxy would also work, I suppose, but would require more configuration on the inner hosts.

All I need is a way to give ULA-addressed hosts a way *out* to reach, e.g. DNS, NTP, mirrors, probably various CDNs - all the maintenance traffic a modern (non-OpenBSD) host generates by itself.  As I write this, I'm starting to wonder if NAT66 isn't the better solution anyway since it's (kind-of) inherently unidirectional.

Oh, and in case anyone's wondering - this is all because a) VMware NSX 6.0 supports IPv6, but neglects to include any form of NAT or NPT or outbound proxy; and b) OVH, even in their private cloud offering (which is where the VMware NSX 6.0 comes in!), will not route public IP address space to a VLAN behind my firewall... which works for IPv4 ("just use NAT!"), but not so well for IPv6.  And I need IPv6 on the protected hosts.  *sigh*  If anyone reading this thinks they can see a better way around this pair of problems, please let me know.

-Adam

Re: Does pf support NPT (RFC6296) ?

Stuart Henderson
On 2017/05/16 21:27, Adam Thompson wrote:
> > > I know I can do NAT66, but I don't think it's feasible to emulate NPT
> > > using NAT66 rules.
> >
> > No, NPT is different and can't be emulated by anything that OpenBSD's
> > PF currently does.
>
> Shoot.  I was really hoping pfSense managed it through some feature that predated FreeBSD's pf(4) import, but that I had merely overlooked.  That sucks, right now.

From a quick look it doesn't look like pfSense does RFC 6296 either.

For example https://forum.pfsense.org/index.php?topic=115575.0 talks about
binat rules. And https://doc.pfsense.org/index.php/Multi-WAN_for_IPv6
describes it as mapping 2001:xxx:yyy::5 to 2001:aaa:bbb::5, so this is
exactly the same as you can do with nat-to (or binat-to) and bitmask.
Something like

pass in on lan inet6 from lan:network nat-to 2001:db8::/48 bitmask

For this, your upstream will need to route the prefix (in this example
2001:db8::/48) to the external address of your PF box, because you
won't be answering NDP requests (IPv6 analogue of ARP) for the whole
/48 worth of addresses. This is the normal case for an ISP providing
v6 service to a customer who has more than a single /64, but I have
no idea if this is the case with the OVH setup.

To be honest it feels to me like 6296 is a bodge to do this with
equipment that is too weak to maintain state.

> > The closest it can get is NAT with bitmask and "static-port", but
> > 1) that's stateful, and 2) it doesn't do the "checksum neutral"
> > modification that NPT uses (NPT doesn't replace just the network prefix;
> > it also adjusts the host part of the address in a complementary manner
> > so that the IPv6 checksum doesn't change).
>
> Ah, thank you for that explanation - I wasn't clear on what the
> manipulations were supposed to accomplish.
>
> In my unfortunate scenario, NAT66 would probably work just as well,
> assuming my intuition about how IPv4 NAT/SNAT/PNAT works in pf(4)
> extends to the IPv6 world. An HTTP proxy would also work, I suppose,
> but would require more configuration on the inner hosts.
>
> All I need is a way to give ULA-addressed hosts a way *out* to reach,
> e.g. DNS, NTP, mirrors, probably various CDNs - all the maintenance
> traffic a modern (non-OpenBSD) host generates by itself. As I write
> this, I'm starting to wonder if NAT66 isn't the better solution anyway
> since it's (kind-of) inherently unidirectional.
>
> Oh, and in case anyone's wondering - this is all because a) VMware
> NSX 6.0 supports IPv6, but neglects to include any form of NAT or NPT
> or outbound proxy; and b) OVH, even in their private cloud offering
> (which is where the VMware NSX 6.0 comes in!), will not route public
> IP address space to a VLAN behind my firewall... which works for IPv4
> ("just use NAT!"), but not so well for IPv6. And I need IPv6 on the
> protected hosts. *sigh* If anyone reading this thinks they can see a
> better way around this pair of problems, please let me know.

It doesn't sound like you need RFC 6296 or even any kind of NPT for
this; simply natting to a single address fits these requirements.
Personally I'd try the bitmask nat first, if it works with their
setup then all is good, if not then you have an easy fallback.
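The two translation schemes compared in this thread, as an added worked example that is not part of the original posts and not OpenBSD or pfSense code: a "bitmask" prefix swap of the kind the `nat-to ... bitmask` rule above performs (prefix bits replaced, host bits kept as-is), beside an RFC 6296-style checksum-neutral prefix translation for /48 prefixes (prefix replaced, and the 16-bit subnet field adjusted by the one's-complement difference of the two prefix sums). The `checksum_neutral` check computes the one's-complement sum of the address words, which is exactly the address's contribution to a TCP/UDP/ICMPv6 pseudo-header checksum, so it shows why the bitmask form changes transport checksums (and so needs a translator that rewrites them) while the NPT form does not. The ULA inside prefix `fd00:1:2::/48`, the documentation outside prefix `2001:db8:1::/48` and the sample addresses are constructed for the example.

```python
import ipaddress


def words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(ws):
    """Rebuild an IPv6 address string from eight 16-bit words."""
    return str(ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in ws)))


def ones_add(a, b):
    """16-bit one's-complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(ws):
    """One's-complement sum of 16-bit words: the building block of the
    Internet checksum, and what the pseudo-header contributes per address."""
    total = 0
    for w in ws:
        total = ones_add(total, w)
    return total


def checksum_neutral(addr_a, addr_b):
    """True if both addresses contribute identically to a transport checksum.
    0x0000 and 0xFFFF both represent zero in one's complement, so the
    comparison is done modulo 0xFFFF."""
    return ones_sum(words(addr_a)) % 0xFFFF == ones_sum(words(addr_b)) % 0xFFFF


def bitmask_nat(addr, prefix):
    """Bitmask-style translation (what 'nat-to <prefix> bitmask' does):
    replace the prefix bits, keep the host bits unchanged."""
    net = ipaddress.IPv6Network(prefix)
    host_mask = (1 << (128 - net.prefixlen)) - 1
    translated = int(net.network_address) | (int(ipaddress.IPv6Address(addr)) & host_mask)
    return str(ipaddress.IPv6Address(translated))


def npt_translate(addr, inside_prefix, outside_prefix):
    """RFC 6296-style checksum-neutral translation for /48 prefixes.
    Words 0-2 become the outside prefix; word 3 (the subnet field) is
    adjusted by sum(inside) - sum(outside) in one's-complement arithmetic,
    so the sum of all eight words, and hence every pseudo-header
    checksum, is unchanged. Words 4-7 (the interface identifier) are kept."""
    inside_net = ipaddress.IPv6Network(inside_prefix)
    outside_net = ipaddress.IPv6Network(outside_prefix)
    if inside_net.prefixlen != 48 or outside_net.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    ws = words(addr)
    inside = words(inside_net.network_address)[:3]
    outside = words(outside_net.network_address)[:3]
    if ws[:3] != inside:
        raise ValueError(f"{addr} is not inside {inside_prefix}")
    # One's-complement subtraction: add the complement of the subtrahend.
    delta = ones_add(ones_sum(inside), (~ones_sum(outside)) & 0xFFFF)
    subnet = ones_add(ws[3], delta)
    if subnet == 0xFFFF:
        # Negative zero: write the positive-zero form. Checksum value is the
        # same either way. (A subnet field that is 0xFFFF on the inside does
        # not round-trip through this scheme, since it would come back as 0.)
        subnet = 0x0000
    return from_words(outside + [subnet] + ws[4:])


if __name__ == "__main__":
    inside, outside = "fd00:1:2::/48", "2001:db8:1::/48"   # constructed prefixes
    host = "fd00:1:2:10::5"                                 # constructed ULA host
    b = bitmask_nat(host, outside)
    n = npt_translate(host, inside, outside)
    print(f"bitmask : {host} -> {b}  checksum neutral: {checksum_neutral(host, b)}")
    print(f"npt     : {host} -> {n}  checksum neutral: {checksum_neutral(host, n)}")
    print(f"npt back: {n} -> {npt_translate(n, outside, inside)}")
```

Running it shows the bitmask form mapping `fd00:1:2:10::5` to `2001:db8:1:10::5` (host part intact, checksum contribution changed) and the NPT form mapping it to `2001:db8:1:cf59::5` (subnet field rewritten, checksum contribution identical), which is the "complementary adjustment of the host part" described in the reply above; the reverse translation with the prefixes swapped recovers the original address without any per-flow state.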