Configuring NAT64 Security
Before configuring Network Address Translation IPv6-to-IPv4 (NAT64) security, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration.
Usage Scenario
You can deploy the NAT64 security function to guarantee secure operations of a NAT64 device and prevent malicious attacks to the system.
Pre-configuration Tasks
Before you configure the NAT64 security function, complete the following tasks:
- Configure basic NAT64 functions.
- Configure centralized NAT64 translation.
Configuring the Limit on the Number of User-to-Network NAT64 Sessions
To prevent individual users from consuming excessive session table resources to cause connection failures of other users, enable the NAT64 session number limit function.
Context
If the number of established Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) NAT64 sessions of a user, or the total number of that user's NAT64 sessions, exceeds the configured threshold, the device stops establishing sessions of that kind for the user. The limit prevents one user's resource overconsumption from causing connection failures for other users.
Procedure
- Run system-view
The system view is displayed.
- Run nat64 instance instance-name id id
The NAT64 instance view is displayed.
- (Optional) Run nat64 session-limit enable
The NAT64 session number limit function is enabled.
The limit function is enabled for user-based NAT64 sessions by default, so this step is only needed to re-enable it after it has been disabled; run the nat64 session-limit enable command to do so.
- Run nat64 session-limit { icmp | tcp | udp | total } limit-number
The limit on the number of NAT64 sessions is set.
- Run commit
The configuration is committed.
Setting a Limit on the Number of NAT64 Reverse Sessions
A reverse session refers to a session initiated from the IPv4 side to the IPv6 side. If individual users consume excessive session table resources, other users may fail to establish connections. To address this problem, set a limit on the maximum number of IPv4-to-IPv6 reverse NAT64 sessions that can be established for a specific user.
Context
A NAT device checks whether the number of established Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) sessions or the total number of sessions involving the same source or destination IP address exceeds the configured threshold. Then the NAT device determines whether to restrict the initiation of new connections from the source or destination IP address. This prevents individual users from consuming excessive session table resources and causing the connection failure of other users.
Procedure
- Run system-view
The system view is displayed.
- Run nat64 instance instance-name [ id id ]
The NAT64 instance view is displayed.
- (Optional) Run nat64 reverse-session-limit enable
The limit on the number of NAT64 reverse sessions that can be established is enabled.
The limit function is enabled for user-based NAT64 reverse sessions by default, so this step is only needed to re-enable it after it has been disabled; run the nat64 reverse-session-limit enable command to do so.
- Run nat64 reverse-session-limit { icmp | tcp | udp | total } limit-number
The maximum number of NAT64 reverse sessions that can be established for a user is set.
- Run commit
The configuration is committed.
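The two procedures above configure the same kind of check in two directions: a per-user counter per protocol plus a per-user total, compared against thresholds before a new session is admitted. The following Python model, added here as an illustration and not the device's implementation, shows how such a limiter behaves, including that forward (IPv6-to-IPv4) and reverse (IPv4-to-IPv6) sessions are counted separately and that closing a session frees its slot. Class and function names, the user identifiers and the threshold values are constructed for the example.

```python
from collections import defaultdict

# Protocols the session-limit commands on the page distinguish.
PROTOCOLS = ("tcp", "udp", "icmp")


class Nat64SessionLimiter:
    """Per-user NAT64 session-limit model (hypothetical, for illustration only).

    `forward_limits` and `reverse_limits` map "tcp" / "udp" / "icmp" / "total"
    to a maximum count; a missing key means that counter is unlimited.
    Forward and reverse sessions are tracked in separate tables, mirroring the
    separate nat64 session-limit and nat64 reverse-session-limit commands.
    """

    def __init__(self, forward_limits=None, reverse_limits=None):
        self.limits = {"forward": forward_limits or {}, "reverse": reverse_limits or {}}
        # counts[direction][user][protocol] -> number of established sessions
        self.counts = {
            "forward": defaultdict(lambda: defaultdict(int)),
            "reverse": defaultdict(lambda: defaultdict(int)),
        }

    def _over_limit(self, direction, user, proto):
        limits = self.limits[direction]
        per_user = self.counts[direction][user]
        if proto in limits and per_user[proto] >= limits[proto]:
            return True  # per-protocol threshold reached
        if "total" in limits and sum(per_user.values()) >= limits["total"]:
            return True  # total threshold reached
        return False

    def open_session(self, direction, user, proto):
        """Record the session and return True if under all thresholds, else False."""
        if proto not in PROTOCOLS:
            raise ValueError(f"unknown protocol {proto!r}")
        if self._over_limit(direction, user, proto):
            return False
        self.counts[direction][user][proto] += 1
        return True

    def close_session(self, direction, user, proto):
        """Release one session slot so a later session of that user can be admitted."""
        per_user = self.counts[direction][user]
        if per_user[proto] > 0:
            per_user[proto] -= 1


def demo():
    # Constructed scenario: userA may hold 2 TCP and 3 total forward sessions,
    # and a single reverse session of any protocol.
    lim = Nat64SessionLimiter(forward_limits={"tcp": 2, "total": 3},
                              reverse_limits={"total": 1})
    results = [
        lim.open_session("forward", "userA", "tcp"),   # admitted (1 TCP)
        lim.open_session("forward", "userA", "tcp"),   # admitted (2 TCP)
        lim.open_session("forward", "userA", "tcp"),   # refused: TCP limit
        lim.open_session("forward", "userA", "udp"),   # admitted (3 total)
        lim.open_session("forward", "userA", "icmp"),  # refused: total limit
        lim.open_session("forward", "userB", "tcp"),   # admitted: other user unaffected
        lim.open_session("reverse", "userA", "tcp"),   # admitted: reverse counted apart
        lim.open_session("reverse", "userA", "udp"),   # refused: reverse total limit
    ]
    lim.close_session("forward", "userA", "tcp")
    results.append(lim.open_session("forward", "userA", "tcp"))  # admitted again
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is that userB is unaffected by userA exhausting its quota, which is exactly the isolation the limit exists to provide; a deployment would pick thresholds from the observed per-user session counts rather than the small constructed values used here.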
Setting the Rate at Which Packets Are Sent to Create a Flow for a User
A device can be configured to dynamically detect the traffic forwarding rate and limit the rate at which packets are sent to create a flow for each user.
Context
A NAT64 device with a multi-core structure allows flow construction and forwarding processes to share CPU resources. To minimize or prevent NAT64 packet loss and a CPU usage increase, the device has to maintain a proper ratio of the forwarding rate to the flow creation rate.
Procedure
- Run system-view
The system view is displayed.
- Run nat64 instance instance-name [ id id ]
The NAT64 instance view is displayed.
- (Optional) Run nat64 user-session create-rate limit enable
The limit on the rate at which packets are sent to create a user flow is enabled.
The limit on the rate at which packets are sent to create a flow on a NAT64 device is enabled by default. To disable this function, run the undo nat64 user-session create-rate limit enable command.
- Run nat64 user-session create-rate rate
The rate at which packets are sent to create a flow on a NAT64 device is set.
- Run commit
The configuration is committed.
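To show what a per-user flow-creation rate limit does to traffic, here is a small Python model, added as an illustration and not the device's algorithm: each user gets a token bucket refilled at the configured rate, a packet that would create a new flow consumes one token and is dropped when the bucket is empty, and packets on already established flows are forwarded without being limited. The class name, the flow keys and the rate value are constructed for the example; the clock is passed in explicitly so the behaviour is deterministic.

```python
class FlowCreateRateLimiter:
    """Per-user token bucket bounding the rate of flow-creating packets.

    Hypothetical model of the nat64 user-session create-rate behaviour
    described above. `rate` is the number of new flows per second a user may
    create; the burst size equals `rate`. Only the first packet of a flow is
    charged, so forwarding on existing flows is never throttled here.
    """

    def __init__(self, rate):
        if rate <= 0:
            raise ValueError("rate must be positive")
        self.rate = float(rate)
        self.buckets = {}   # user -> [tokens, last_refill_time]
        self.flows = set()  # (user, flow_key) pairs already established

    def _refill(self, user, now):
        tokens, last = self.buckets.get(user, (self.rate, now))
        tokens = min(self.rate, tokens + (now - last) * self.rate)
        self.buckets[user] = [tokens, now]
        return self.buckets[user]

    def admit(self, user, flow_key, now):
        """Classify one packet.

        Returns "forward" for a packet on an existing flow, "create" when a new
        flow is admitted, or "drop" when the user's flow-creation budget is empty.
        """
        if (user, flow_key) in self.flows:
            return "forward"
        bucket = self._refill(user, now)
        if bucket[0] < 1.0:
            return "drop"
        bucket[0] -= 1.0
        self.flows.add((user, flow_key))
        return "create"


def demo():
    # Constructed: 2 new flows per second per user; a burst of three new flows
    # from userA at t=0, then traffic half a second later.
    lim = FlowCreateRateLimiter(rate=2)
    return [
        lim.admit("userA", "f1", 0.0),  # create (2 -> 1 tokens)
        lim.admit("userA", "f2", 0.0),  # create (1 -> 0 tokens)
        lim.admit("userA", "f3", 0.0),  # drop: bucket empty
        lim.admit("userA", "f1", 0.1),  # forward: existing flow is not limited
        lim.admit("userA", "f4", 0.5),  # create: 0.5 s * 2/s refilled one token
        lim.admit("userA", "f5", 0.5),  # drop: token already spent
        lim.admit("userB", "f1", 0.5),  # create: userB has its own bucket
    ]


if __name__ == "__main__":
    print(demo())
```

As with the session limit, the isolation property is what matters: userA's burst of new flows cannot starve userB of flow-creation capacity, and the dropped packets are exactly the ones that would have added flow-construction load on the shared CPU.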
Filtering a Port Number and a Port Range
To protect networks from viruses, configure the port filter function on a CGN service board so that a source port is never translated to a filtered port, which would otherwise result in a packet forwarding failure.
Context
Port filtering on the core router (CR) may cause the CR to discard returned packets. A NAT64 service board translates a private source port into a public port that falls within the CR's filtered range and forwards the packets from the private network to the public network. When the packets are returned from the public network to the private network, the CR finds that their destination port is within the filtered range and discards them, which interrupts user services.
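The failure described above and the way the port filter avoids it can be seen in a small Python model, added here as an illustration and not the board's implementation. A port allocator hands out public source ports from a pool; a modelled CR drops any returned packet whose destination port falls in its filtered ranges. Without a matching filter on the NAT64 board, the first translations land on filtered ports and their return traffic is lost; with the same filter configured on the board, those ports are skipped. Class and function names, the port pool and the filtered port values are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class PortFilter:
    """Individual ports and inclusive ranges that must not be used as translated ports."""
    ports: set = field(default_factory=set)
    ranges: list = field(default_factory=list)  # list of (low, high) pairs

    def is_filtered(self, port):
        return port in self.ports or any(lo <= port <= hi for lo, hi in self.ranges)


class Nat64PortAllocator:
    """Allocates public source ports from [start, end] in order, skipping ports
    that are in use and, when a PortFilter is configured, filtered ports
    (hypothetical model of the board's port filter)."""

    def __init__(self, start, end, port_filter=None):
        self.start, self.end = start, end
        self.port_filter = port_filter
        self.in_use = set()

    def allocate(self):
        for port in range(self.start, self.end + 1):
            if port in self.in_use:
                continue
            if self.port_filter is not None and self.port_filter.is_filtered(port):
                continue
            self.in_use.add(port)
            return port
        raise RuntimeError("public port pool exhausted")


def core_router_accepts(dst_port, cr_filter):
    """Models the CR behaviour from the context: returned packets whose
    destination port is filtered are discarded."""
    return not cr_filter.is_filtered(dst_port)


def simulate(port_filter_on_board):
    """Translate five private sessions and report (public_port, return_traffic_ok)."""
    # Constructed: the CR filters ports 1024-1027 and 1030 (placeholder values).
    cr_filter = PortFilter(ports={1030}, ranges=[(1024, 1027)])
    # Configuring the board's filter means mirroring the CR's filtered ports.
    board_filter = cr_filter if port_filter_on_board else None
    alloc = Nat64PortAllocator(1024, 1033, board_filter)
    outcome = []
    for _ in range(5):
        public_port = alloc.allocate()
        outcome.append((public_port, core_router_accepts(public_port, cr_filter)))
    return outcome


if __name__ == "__main__":
    print("without board filter:", simulate(False))
    print("with board filter:   ", simulate(True))
```

The operational lesson the model encodes is that the filtered ports on the NAT64 board must match what the downstream CR actually filters; a filter that is narrower than the CR's still leaves some translated sessions with silently dropped return traffic, which shows up as intermittent connection failures rather than an obvious error.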