SRX Services Gateway

Packet with IPv6 source & IPv4 destination (in Juniper documentation)

‎01-14-2019 08:40 AM

Anyone know how a packet could have an IPv6 source address and an IPv4 destination address?  The example at https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-ipv6-nat.html#jd0e880 thinks it is possible:

 

[edit security nat]
source {
  pool myipv4 {
    address {
      203.0.113.2/32 to 203.0.113.5/32;
    }
  }
  rule-set myipv4_rs {
    from interface ge-0/0/1.0;
    to interface ge-0/0/2.0;
    rule ipv4_rule {
      match {
        source-address 2001:db8::/96;
        destination-address 10.1.1.15/30;
      }
      then {
        source-nat {
          pool {
            myipv4;
          }
        }
      }
    }
  }
}

 

Thanks.

 

 

 

Solution
Accepted by topic author atinglin
‎01-15-2019 06:52 AM

Re: Packet with IPv6 source & IPv4 destination (in Juniper documentation)

‎01-14-2019 08:15 PM

Hello

 

Good catch. Traffic on the wire can never be a mix of IPv4 and IPv6. However, the snippet provided here is purely internal processing/flow logic on the SRX firewalls.

 

> The example given below is that of a NAT64 - which is IPv6 to IPv4 NAT

> So to achieve this both source and destination v6 addresses need to be translated to v4

> As part of the SRX flow processing Dest-NAT happens first

> Therefore the destination gets translated to v4 while source is yet a v6

> Subsequently there is a security policy and source nat lookup 

> The snippet you have provided is for creating a source NAT policy while the destination was already translated in the earlier step

> This is where you would see this funny looking combo of source v6 and destination v4

> Here is a link to explain the flow processing on the SRX: https://kb.juniper.net/InfoCenter/index?page=content&id=kb16110

 

I hope this answers your query. Regards,

 

Vikas

JTAC-CFTS
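The lookup order described in the answer above, as an added example that is not part of the original post and not Juniper code: a small Python model showing why the quoted rule has to match an IPv6 source together with an IPv4 destination. The destination prefix `2001:db8:ffff::/96`, the low-32-bit embedding, the function names and the choice of the first pool address are assumptions made for the illustration; the rule values come from the configuration quoted in the question.

```python
import ipaddress as ip

# Values from the source NAT rule quoted in the question.
SRC_MATCH = ip.ip_network("2001:db8::/96")
DST_MATCH = ip.ip_network("10.1.1.15/30", strict=False)  # i.e. 10.1.1.12/30
POOL = [ip.ip_address("203.0.113.2") + i for i in range(4)]  # .2 to .5

# Assumption (constructed): IPv6 destinations under this /96 carry the
# IPv4 server address in their low 32 bits.
DST_PREFIX = ip.ip_network("2001:db8:ffff::/96")


def destination_nat(src, dst):
    """Step 1: destination translation, before policy and source NAT lookup."""
    if dst.version == 6 and dst in DST_PREFIX:
        dst = ip.ip_address(int(dst) & 0xFFFFFFFF)
    return src, dst


def source_nat_rule_matches(src, dst):
    """Step 2: the quoted rule's match clause, evaluated after step 1."""
    return (src.version == 6 and src in SRC_MATCH
            and dst.version == 4 and dst in DST_MATCH)


def source_nat(src, dst):
    """Step 3: rewrite the source from the pool (first address, for simplicity)."""
    if source_nat_rule_matches(src, dst):
        src = POOL[0]
    return src, dst


def process(src, dst):
    """Return the packet as received, after destination NAT, and as sent."""
    received = (ip.ip_address(src), ip.ip_address(dst))
    mid = destination_nat(*received)
    sent = source_nat(*mid)
    # A mixed-family packet cannot leave the box; the model returns None.
    if sent[0].version != sent[1].version:
        sent = None
    return received, mid, sent


if __name__ == "__main__":
    for stage, pkt in zip(("received", "after dst NAT", "sent"),
                          process("2001:db8::5", "2001:db8:ffff::10.1.1.13")):
        print(f"{stage:14} {pkt}")
```

In this model a rule written against the on-the-wire addresses (IPv6 source and IPv6 destination) would never match, because by the time the source NAT rule is evaluated the destination is already IPv4.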


Re: Packet with IPv6 source & IPv4 destination (in Juniper documentation)

‎01-14-2019 10:09 PM

Hi Atinglin,

 

Because IPv4 migration to IPv6 needs to be transparent and smooth, several ways of communication between IPv4 and IPv6 hosts have been developed; you can even have IPv4 addresses inside IPv6 headers for this same purpose:

 

   http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm 

 

The document you are checking is for one of those solutions that were developed, and it's called NAT-PT, where you perform NAT operations between IPv4 and IPv6. As the document states, "IPv6 Network Address Translation-Protocol Translation (NAT-PT) provides address allocation and protocol translation between IPv4 and IPv6 addressed network devices." Check the "IPv6 NAT PT Overview" section, if you haven't, for a better understanding:

 

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-ipv6-nat.html#id-ipv6-na...

 

I hope the above info helps ;)

 

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!