Categories
Deploy360 Improving Technical Security IPv6

NAT64Check Version 2 is launched!

With the New Year comes the launch of NAT64Check version 2 from the Internet Society. The first version of NAT64Check was introduced a couple of years ago and has proved very popular and successful, so for the past year we’ve been working on a number of enhancements in response to feedback and requests. And we’re very happy to be able to make the new version available as we welcome in 2019.

NAT64Check is a tool developed by the Internet Society in collaboration with Stichting IPv6 NederlandGo6, SJM Steffann, Internetbureau Max and Simply Understand. This allows you to enter the URL of a particular website, and then run tests over IPv4, IPv6 and NAT64 in order to check whether the website is actually reachable in each case, whether identical web pages are returned, and whether all the resources such as images, stylesheets and scripts load correctly. It also compares responsiveness using the different protocols, therefore  allowing network and system administrators to easily identify anything is ‘broken’, to pinpoint where any non-IPv6 compatible elements need to be fixed.

The original version of NAT64Check though, ran on two separate servers at Go6 and the IPv6 Lab which each had a limited view of the Internet from a topological perspective, and did not allow results to be easily aggregated. This was because it was put together quickly as a proof-of-concept using scripting tools, but its popularity encouraged us to develop something that was more scalable and adaptable for the future.

Version 2 therefore introduces a distributed concept that allows for different test locations, and indeed allows people to easily install their own test instances. However, results can be aggregated from any or all of these test locations and queried via a central web interface. Other improvements include better error detection and feedback when problems are experienced with particular sites, and as well as extendability for additional tests.

The new modular based design is based around three core elements. Marvin is a module based on Chromium that can run as separate instances on servers in different geographical locations for testing services over IPv4, IPv6 and NAT64. Trillian is a module that can collect, compare and output these test results based on different user profiles, whilst the Zaphod module undertakes the aggregation and provides the centralised web interface. Students of “The Hitchhiker’s Guide to the Galaxy” will of course recognise from where the codenames were derived!

The tool is very easy to use – simply go to https://www.nat64check.org, type the URL you wish to check into the box at the top of the page, and the result should be returned within a few seconds. It’s simple and easy, and will help you identify what needs to be done to make your website accessible with IPv6.

We’re also calling out for volunteers to help improve the usefulness of this tool by installing their own test instances. This requires a KVM, a VM running Ubuntu 18.04, a login, sudoers file, separate IPv4 and IPv6 addresses and a static /64 routed to the VM.

Deploy360 also wants to help you deploy IPv6, so please take a look at our Start Here page to learn more.

Acknowledgements

NAT64Check was developed by our colleague Jan Žorž, Sander Steffann, Corinne Pritchard, Max Dammers, and Musa Stephen Honlue.

Categories
Deploy360 Growing the Internet IPv6

Deploy360 @ ENOG 14

Our colleague Jan Žorž from the Deploy360 team will be presenting at the 14th Eurasia Network Operators Groups (ENOG 14) on 9-10 October 2017 in Minsk, Belarus. This is being preceded by workshops on Best Practices in IPv6 BGP and DNSSEC Operations.

Jan will be talking about his real life experiences with NAT64/DNS64 and will be demonstrating the NAT64check tool on Monday evening (17.00-18.15). Following after his talk is a BoF on the Internet-of-Things (18.30-19.30), which is also sure to include discussions about the importance of IPv6 to scale the expected many billions of devices in future.

We’d also like to highlight the Cloudflare update on IPv6, DNS, DNSSEC, CA certs from Martin Levy (Cloudflare) on the Tuesday (10.00-11.30), who seems to be managing to cover just about all the Deploy360 topics in one talk. And for routing security, Kirill Malevanov, (Selectel) will be discussing his experiences of IPv4 prefix hijacking.

More Information

Categories
Deploy360 Events IPv6

Talking NAT64Check at DKNOG in Copenhagen

Tomorrow (16 March) from 13:45 – 14:30 CET (UTC+1), at the Danish Network Operators’ Group (DKNOG) in Copenhagen, I’ll talk about our experiments on NAT64 and DNS64 in the Go6lab and also about NAT64Check. Watch live via DKNOG’s live stream page at https://dknog7.dknog.dk/main-room-webstream/.

As many mobile operators are moving to IPv6-only, which is incompatible with IPv4 on the wire, it’s necessary to employ transition mechanisms such as 464XLAT or NAT64. The Go6lab NAT64/DNS64 test bed was established so that operators, service providers, and hardware and software vendors can see how their solutions work in these environments. This has already generated significant interest; instructions on how to participate are available on the Go6lab website.

NAT64check allows websites to be checked for consistency over IPv4, IPv6-only, and NAT64, and to compare responsiveness using the different protocols. This allows network and system administrators to easily identify if anything is ‘broken’ and to pinpoint where the problems are occurring, thus allowing any non-IPv6-compatible elements to be fixed. For example, even if a web server is not running IPv6 (why not?), hard coded IPv4 addresses can cause NAT64 to fail.

During the talk I’ll share some insight and discuss issues that I found while testing NAT64/DNS64 technology in real life scenarios and use cases.

If you are at DKNOG, I’m more than happy to chat and discuss all this new technology that makes the Internet such a great place!