From 1b4843aa0256c99ebb01dbb22d02deb37ce2e70f Mon Sep 17 00:00:00 2001 From: Johann Wagner Date: Mon, 12 Aug 2024 18:10:39 +0200 Subject: [PATCH] Added documentation for NAT64 prefix rewriting --- docs/nat64.md | 21 +++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 22 insertions(+) create mode 100644 docs/nat64.md diff --git a/docs/nat64.md b/docs/nat64.md new file mode 100644 index 000000000..9edd4afbb --- /dev/null +++ b/docs/nat64.md @@ -0,0 +1,21 @@ +Configure NAT64 DNS Records +======================================= + +Some NAT64 configurations are entirely handled outside the Kubernetes cluster, therefore Kubernetes does not know anything about the associated IPv4 addresses. ExternalDNS should also be able to create A records for those cases. +Therefore, we can configure `nat64-networks`, which **must** be a /96 network. You can also specify multiple `nat64-networks` for more complex setups. +This creates an additional A record with a NAT64-translated IPv4 address for each AAAA record pointing to an IPv6 address within the given `nat64-networks`. + +This can be configured with the following flag passed to the operator binary. You can also pass multiple `nat64-networks` by using a comma as seperator. +```sh +--nat64-networks="2001:db8:96::/96" +``` + + +## Setup Example + +We use an external NAT64 resolver and SIIT (Stateless IP/ICMP Translation). Therefore, our nodes only have IPv6 IP adresses but can reach IPv4 addresses *and* can be reached via IPv4. +Outgoing connections are a classic NAT64 setup, where all IPv6 addresses gets translated to a small pool of IPv4 addresses. +Incoming connnections are mapped on a different IPv4 pool, e.g. `198.51.100.0/24`, which can get translated one-to-one to IPv6 addresses. We dedicate a `/96` network for this, for example `2001:db8:96::/96`, so `198.51.100.0/24` can translated to `2001:db8:96::c633:6400/120`. Note: `/120` IPv6 network has exactly as many IP addresses as `/24` IPv4 network. + +Therefore, the `/96` network can be configured as `nat64-networks`. This means, that `2001:0DB8:96::198.51.100.10` or `2001:db8:96::c633:640a` can be translated to `198.51.100.10`. +Any source can point a record to an IPv6 address within the given `nat64-networks`, for example `2001:db8:96::c633:640a`. This creates by default an AAAA record and - if `nat64-networks` is configured - also an A record with `198.51.100.10` as target. \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 82d55858c..8a022c8d2 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -31,6 +31,7 @@ nav: - Advanced Topics: - Initial Design: docs/initial-design.md - TTL: docs/ttl.md + - NAT64: docs/nat64.md - MultiTarget: docs/proposal/multi-target.md - Contributing: - Kubernetes Contributions: CONTRIBUTING.md