Does pf support NPT (RFC6296) ?

Does pf support NPT (RFC6296) ?

athompso
I still haven't found this answer anywhere...

Does OpenBSD (more specifically, pf(4), I guess) support RFC 6296,
IPv6-to-IPv6 Network Prefix Translation?  Looks like FreeBSD can do it,
but I can't tell if that's something they added to their own pf fork, or
if I'm just missing something in the OpenBSD docs.

I know I can do NAT66, but I don't think it's feasible to emulate NPT
using NAT66 rules.

Thanks,
-Adam


Re: Does pf support NPT (RFC6296) ?

Stuart Henderson
On 2017-05-15, Adam Thompson <[hidden email]> wrote:
> I still haven't found this answer anywhere...
>
> Does OpenBSD (more specifically, pf(4), I guess) support RFC 6296,
> IPv6-to-IPv6 Network Prefix Translation?  Looks like FreeBSD can do it,
> but I can't tell if that's something they added to their own pf fork, or
> if I'm just missing something in the OpenBSD docs.
>
> I know I can do NAT66, but I don't think it's feasible to emulate NPT
> using NAT66 rules.

No, NPT is different and can't be emulated by anything that
OpenBSD's PF currently does.

The closest it can get is NAT with bitmask and "static-port", but
1) that's stateful, and 2) it doesn't do the "checksum neutral"
modification that NPT uses (NPT doesn't replace just the network
prefix; it also adjusts the host part of the address in a
complementary manner so that the IPv6 checksum doesn't change).



Re: Does pf support NPT (RFC6296) ?

athompso
> > I know I can do NAT66, but I don't think it's feasible to emulate NPT
> > using NAT66 rules.
>
> No, NPT is different and can't be emulated by anything that OpenBSD's
> PF currently does.

Shoot.  I was really hoping pfSense managed it through some feature that predated FreeBSD's pf(4) import, but that I had merely overlooked.  That sucks, right now.
 
> The closest it can get is NAT with bitmask and "static-port", but
> 1) that's stateful, and 2) it doesn't do the "checksum neutral"
> modification that NPT uses (NPT doesn't replace just the network prefix;
> it also adjusts the host part of the address in a complementary manner
> so that the IPv6 checksum doesn't change).

Ah, thank you for that explanation - I wasn't clear on what the manipulations were supposed to accomplish.

In my unfortunate scenario, NAT66 would probably work just as well, assuming my intuition about how IPv4 NAT/SNAT/PNAT works in pf(4) extends to the IPv6 world.  An HTTP proxy would also work, I suppose, but would require more configuration on the inner hosts.

All I need is a way to give ULA-addressed hosts a way *out* to reach, e.g. DNS, NTP, mirrors, probably various CDNs - all the maintenance traffic a modern (non-OpenBSD) host generates by itself.  As I write this, I'm starting to wonder if NAT66 isn't the better solution anyway since it's (kind-of) inherently unidirectional.

Oh, and in case anyone's wondering - this is all because a) VMware NSX 6.0 supports IPv6, but neglects to include any form of NAT or NPT or outbound proxy; and b) OVH, even in their private cloud offering (which is where the VMware NSX 6.0 comes in!), will not route public IP address space to a VLAN behind my firewall... which works for IPv4 ("just use NAT!"), but not so well for IPv6.  And I need IPv6 on the protected hosts.  *sigh*  If anyone reading this thinks they can see a better way around this pair of problems, please let me know.

-Adam


Re: Does pf support NPT (RFC6296) ?

Stuart Henderson
On 2017/05/16 21:27, Adam Thompson wrote:
> > > I know I can do NAT66, but I don't think it's feasible to emulate NPT
> > > using NAT66 rules.
> >
> > No, NPT is different and can't be emulated by anything that OpenBSD's
> > PF currently does.
>
> Shoot.  I was really hoping pfSense managed it through some feature that predated FreeBSD's pf(4) import, but that I had merely overlooked.  That sucks, right now.

From a quick look it doesn't look like PFSense does RFC 6296 either.

For example https://forum.pfsense.org/index.php?topic=115575.0 talks about
binat rules. And https://doc.pfsense.org/index.php/Multi-WAN_for_IPv6
describes it as mapping 2001:xxx:yyy::5 to 2001:aaa:bbb::5, so this is
exactly the same as you can do with nat-to (or binat-to) and bitmask.
Something like

pass in on lan inet6 from lan:network nat-to 2001:db8::/48 bitmask

For this, your upstream will need to route the prefix (in this example
2001:db8::/48) to the external address of your PF box, because you
won't be answering NDP requests (IPv6 analogue of ARP) for the whole
/48 worth of addresses. This is the normal case for an ISP providing
v6 service to a customer who has more than a single /64, but I have
no idea if this is the case with the OVH setup.

To be honest it feels to me like 6296 is a bodge to do this with
equipment that is too weak to maintain state.

> > The closest it can get is NAT with bitmask and "static-port", but
> > 1) that's stateful, and 2) it doesn't do the "checksum neutral"
> > modification that NPT uses (NPT doesn't replace just the network prefix;
> > it also adjusts the host part of the address in a complementary manner
> > so that the IPv6 checksum doesn't change).
>
> Ah, thank you for that explanation - I wasn't clear on what the
> manipulations were supposed to accomplish.
>
> In my unfortunate scenario, NAT66 would probably work just as well,
> assuming my intuition about how IPv4 NAT/SNAT/PNAT works in pf(4)
> extends to the IPv6 world. An HTTP proxy would also work, I suppose,
> but would require more configuration on the inner hosts.
>
> All I need is a way to give ULA-addressed hosts a way *out* to reach,
> e.g. DNS, NTP, mirrors, probably various CDNs - all the maintenance
> traffic a modern (non-OpenBSD) host generates by itself. As I write
> this, I'm starting to wonder if NAT66 isn't the better solution anyway
> since it's (kind-of) inherently unidirectional.
>
> Oh, and in case anyone's wondering - this is all because a) VMware
> NSX 6.0 supports IPv6, but neglects to include any form of NAT or NPT
> or outbound proxy; and b) OVH, even in their private cloud offering
> (which is where the VMware NSX 6.0 comes in!), will not route public
> IP address space to a VLAN behind my firewall... which works for IPv4
> ("just use NAT!"), but not so well for IPv6. And I need IPv6 on the
> protected hosts. *sigh* If anyone reading this thinks they can see a
> better way around this pair of problems, please let me know.

It doesn't sound like you need RFC 6296 or even any kind of NPT for
this, simply natting to a single address fits these requirements.
Personally I'd try the bitmask nat first, if it works with their
setup then all is good, if not then you have an easy fallback.
