Dns64 function, Aft limitations, Protocols and standards – H3C Technologies H3C SecPath F1000-E User Manual


DNS64 function

A DNS client in an IPv6 network cannot communicate with a DNS server in an IPv4 network because their address formats are different. The DNS64 function of AFT can solve this issue.

When an IPv6 host sends an AAAA (IPv6) DNS query to an IPv4 DNS server, the destination IPv6 address is translated from the IPv4 address of the DNS server.

Upon receiving the AAAA DNS query, the AFT translates the IPv6 source and destination addresses to IPv4 addresses as described in "Communication initiated by an IPv6 host."

The AFT translates the AAAA DNS query into a type A (IPv4) DNS query and sends the original AAAA request and the translated type A request to the DNS server.

Upon receiving the reply from the DNS server, the AFT translates the IPv4 source and destination addresses into IPv6 addresses based on the recorded address mappings.

If the AFT receives a type A DNS reply, it examines the resolved IPv4 address. If the IPv4 address matches the AFT policy for 4to6 source address translation, it translates the address into an IPv6 address by using the DNS64 prefix referenced by the policy. If not, the AFT translates the address by using the first configured DNS64 prefix. Then, the AFT translates the type A DNS reply into an AAAA DNS reply and sends it to the IPv6 host.

If the AFT receives an AAAA DNS reply, it directly sends it to the IPv6 host.

After receiving the DNS reply, the IPv6 host uses the translated IPv6 address to communicate with the IPv4 host as described in "Communication initiated by an IPv6 host."

AFT limitations

AFT has the following limitations:

• The request and response packets of a session must be processed by the same AFT.

• AFT cannot translate some information, such as the Option field in the IPv4 packet header.

• AFT cannot provide end-to-end security.

• AFT cannot process IPv4 and ICMPv6 fragments.

• Currently, AFT supports Internet Control Message Protocol (ICMP), Domain Name System (DNS), File Transfer Protocol (FTP), and protocols that employ the network layer protocol but have no address information in the protocol messages.

• AFT is not suitable for some scenarios. For example, if an IPv6 host attempts to communicate with another IPv6 host over an IPv4 network, tunneling is preferred.

Protocols and standards

• draft-ietf-behave-v6v4-xlate-stateful-11

• draft-xli-behave-ivi-07