NAT-PT is totally broken in late IOS releases

When the current variant of IPv6 was selected 15 years ago, seamless integration with IPv4 was a big deal, resulting in NAT-PT architecture. NAT-PT tried to solve too many problems and (as I pointed out in my IPv6 Deployment workshop), while the 6to4 NAT is manageable, the 4to6 NAT is horrific (NAT64 and DNS64 are more reasonable; more about them in an upcoming post).

NAT between IPv4 and IPv6 hosts is just one of the topics covered in the Enterprise IPv6 Deployment workshop. You can attend an online version of the workshop or we can organize a dedicated event for your team.

To make matters worse, the NAT-PT implemented in Cisco IOS is totally broken due to removal of fast switching support in IOS release 12.4(20)T and numerous other releases. As I wrote a year and a half ago, removing fast switching will bite us eventually … and so it does when you try to use NAT-PT.

NAT-PT was never working in CEF switching path; CEF switching punted packets that had to be translated to fast switching. With fast switching gone, the punted packets land in a digital black hole. To make NAT-PT work, you have to disable IPv4 and IPv6 CEF globally. Do I need to spell out how that affects the router’s performance?

5 comments:

  1. It looks like using dynamips for NAT-PT...
    I've never had any dreams about using NAT-PT. I think it is the ultimate crutch.
  2. As much as I agree that NAT64 stinks and NAT46 is total pain in the ass I don't see reason for disabling both IPv4 and IPv6 CEFs. In scenarios where we have one interface as IPv6-only and other one as IPv4-only you have disable IPv6 CEF because it will drop all packets due to no route to ::/0. Disabling IPv4 CEF is not necessary in this scenario (tested on 15.0M, working fine). Also if you have IPv6 connection to your ISP and want to make backward compatibility with IPv4 networks disabling IPv6 CEF is not necessary. Of course NAT-PT will be process switched but all traffic that can be handled by CEF will be processed this way.

    I made quick test in scenario with IPv6-only (ipv6ip tunnel) and IPv4-only (hardware) interfaces. With disabled IPv6 I got about 4Mbit throughput and 70% of CPU usage. Disabling IPv4 CEF had no inpact on traffic.
  3. What should small ISP do? Throw away Cisco 7200/7600 platforms and buy an ASR1000?
    How much IPv6 transition will cost?
    In IOS routers you can disable v4v6 dynamic NAT-PT. It is so hard for Cisco remove DNS-ALG from NAT-PT and add DNS64? Why NAT64 is supported only with IOS-XR?
    How much money hardware vendors could get for selling new hardware for IPv6?
    From a different point of view we could be forced to upgrade our hardware because of CPU power limitations in not IOS-XR platforms. What do you think?
  4. Let's be honest. 7200 and 7600 are old platforms and it's been obvious for a few years that Cisco tries to extend their lifetime as long as possible. They are still part of mainstream and SP IOS images, but things happen somewhat faster in the XE world.
  5. Thankyou very much for you answer Ivan, but, let's say that I use NATPT-DNSALG-NAT46=NAT64 in my 7200 platform. I can setup a DNS64 server (for example with bind) because it is unrelated to NAT. If I'm correct on this I have a working NAT64 platform. Uhmmm, yes, but, without CEF ... So, my only hope is that Cisco will add support for CEF in future IOS releases (I check the 15.1 IOS but I'm unable to find any reference to it). I hope that NAT-PT RFC will be rewritten and supported.


    Thankyou
    Gianrico
Add comment
Sidebar