Network Address Translation, Protocol Translation IPv4/IPv6Home | Installation (PDF) | Documentation (PDF) | Building an IPv6 Router | Download
New Version (0.4) Now Available!
NAT-PT (codename Ataga) is a loose implementation of RFC 2766 as specified by the IETF. It runs on the GNU/Linux operating system and is designed to be easy to setup and robust enough to make the transition to IPv6 networks a reality. NAT-PT was designed so that it can be run on low-end, commodity hardware. It can even work on a system with only one NIC! Jump to the installation section to find out how easily you can migrate your network to IPv6!
NAT-PT should be installed on a boundary router situated between an IPv6 and IPv4 network. NAT-PT will perform statefull packet translation between internal (IPv6) hosts any external IPv4 hosts. NAT-PT needs to be started by root, drops root privileges after initialization, but needs read access to the /proc filesystem as long as it's running. Refer to the documentation for the specific files that it needs access to (this may be necessary if you are running SELinux).
NAT-PT runs in userspace, capturing and translating packets between the IPv6 and IPv4 networks (and vice-versa). NAT-PT performs uses the Address Resolution Protocol (ARP) and Neighboor Discovery (ND) on the IPv4 and IPv6 sides respectively. It also participates in dynamic routing (if any) for both IPv6 and IPv4.
Other NAT-PTs cannot normally translate IP address carried inside packet payloads (like FTP and DNS protocols do). This problem is solved with Application Level Gateways (ALGs) that are implemented in NAT-PT as loadable plugins. Currently NAT-PT comes with FTP and DNS modules, but further modules will be written as needed and can be easily added to an existing NAT-PT installation.
NAT-PT has been tested and is confirmed to work transparently with the following protocols. If a protocol isn't listed, this doesn't mean it doesn't work with NAT-PT, but rather that no testing has been performed.
- HTTP - web browsing, streaming over HTTP, Windows Update - all work perfectly.
NAT-PT does have a number of limitations that in certain scenarios may make it an unacceptable transition mechanism.
Breaking of the end-to-end model
As any NAT, NAT-PT introduces a single point of failure and brakes the end-to-end model of the Internet. However if you are already running NAT (as almost every network today does), you are already exposed to it's limitations.
Ethernet networks only!
NAT-PT is a userspace implementation and needs to craft each individual packet starting from the Data-Link layer. The current implementation is limited to translating packets between two ethernet networks. Luckily, almost all end-user networks deployed today are based on ethernet.
If a packet is received that is too large to be transmitted on the outbound network NAT-PT will send a ICMP/ICMPv6 Message Too Big packet back to the sender requesting him to adjust the size of his packets. However, if fragmentation occurs on an intermediary router somewhere along the path of the IPv4 datagrams, NAT-PT will not be able to reconstruct such packets and will silently discard them. Fortunately, IPv6 by default doesn't use fragments, and in most cases IPv4 host fragment their data prior to transmission to fit into their link MTU.
- iptables - needed to prevent TCP connection resets by the kernel.
- ip6tables - needed to prevent routing errors.
- syslog - used to logging various messages.
"Never interfere with an enemy while he's in the process of destroying himself."
Last update: Saturday, 05th May, 2012
Copyright © 2001-2013 by Lukasz Tomicki