Solved

IPv4 to IPv6 translation or proxy solution

Posted on 2011-03-01
Last Modified: 2012-08-14
I have the need for several hundred publicly facing SSL-enabled virtual servers which provide software services to clients. I know that getting a class C from my provider is a no-go from the start, so I am wondering if there is a way to convert 1 or 2 public IPv4 addresses using a proxy or some other translation software in my DMZ to redirect. Almost a host header type solution where I could resolve via authoritative DNS records the IPv6 address locally from the incoming IPv4 which would be used to get the traffic to the DMZ. Each virtual machine has multiple self-contained services (email, MySQL, line of bus software) and due to regulatory requirements I need to be able to separate the clients into discrete environments.

Thanks for any thoughts or possible solutions
Chris Clanton
Question by:cclanton
9 Comments
 
LVL 13

Expert Comment

by:GuruChiu
ID: 35014455
I use a reverse proxy to resolve the same IP using different headers into different discrete back end servers, e.g.
abc.com and def.com both resolve to the same IPv4 address.
The request goes to the reverse proxy, which looks at the HTTP header. It redirects abc.com to 10.1.1.1 and def.com to 10.2.1.1, etc.

Will this help?
0
 

Author Comment

by:cclanton
ID: 35017194
Let me make sure I have my noodle wrapped around this. I have 200 unique IPv6 addresses that have virtual servers running. I advertise the single IPv4 address to the world; it is propagated through remote DNSes. When a remote user types in abc.domain.com or smtp.domain.com, the user's DNS resolves to my public IPv4 address, which in turn transports them to my proxy, which in turn inspects the request, which I assume still has the abc.domain.com embedded within. The proxy translates the address based upon the unique header information (which I am assuming is still available within the packet) and targets the corresponding IPv6 address, allowing full port access to the IPv6-based machine (i.e. port 25, 443, 80, etc.) on an IPv4 network.
Am I understanding this correctly? Because it seems that it would make IPv4 to IPv6 pretty simple if all the assumptions I am making are correct.

Thanks for any insights
Chris Clanton
0
 
LVL 24

Accepted Solution

by:
rfc1180 earned 250 total points
ID: 35020250
I would honestly stay away from a proxy solution and utilize NAT-PT for IPv4 to IPv6 protocol translations. It will, in the long run, be a much better solution in the end. I have seen companies invest many hours in proxy implementations only to go back to the drawing board and go with a NAT-PT solution.

If using Cisco:

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-nat_trnsln_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1057020

0
 
LVL 13

Assisted Solution

by:GuruChiu
GuruChiu earned 250 total points
ID: 35021189

If I understand correctly, Chris only has a limited number of IPv4 addresses, less than the number of hosts he needs. Static NAT-PT usually has 1 to 1 mapping for the same protocol (e.g. HTTP). E.g. if Chris needs to run 200 web servers but he only has 10 IPv4 addresses, NAT-PT is not going to help.

Yes, for HTTP traffic, the reverse proxy is able to examine the packet and find out the URL header. I use it for many customers with good results and never needed to go back to the drawing board with a NAT-PT solution.
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 35021365
> If Chris need to run 200 web servers but he only have 10 IPv4 addresses, NAT-PT is not going to help.

Correct, he would need a name-based SSL solution:

>Almost a host header type solution where I could resolve via authoritative dns records the ipv6 address locally from the incoming ipv4 which would be used to get the traffic to the dmz.

There is a name-based solution for SSL on some platforms, depending on several other factors:

http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

Billy
0
 

Author Comment

by:cclanton
ID: 35021581
The comment about the limited number of IPv4 addresses is correct, so I can't use a one to one mapping. Looked at the Apache solution and could not really tell if this is just a solution for SSL web traffic or could I have ports available for FTP, SMTP, HTTP, HTTPS. Also looked at the Cisco implementation, which looks interesting.

So I guess my question should really be refined to: is there a solution that would allow the IPv4 world to get to my public IPv6 addresses that host a virtual server having access to all standard ports?

Thanks
Chris Clanton
0
 
LVL 13

Expert Comment

by:GuruChiu
ID: 35023263
If we know nothing about the application, there is no way to "allow the ipv4 world to get to my public ipv6 addresses that host a virtual server having access to all standard ports". The key here is "access to all standard ports". Any trick to map fewer IP addresses to more IP addresses I know either takes advantage of port mapping, or knows something about the application (e.g. HTTP) which can do some form of mapping or redirection.
0
 

Author Comment

by:cclanton
ID: 35029138
I control both sides of the application, so based upon the above information I am thinking that I need to implement IPv6 on the client end to circumvent all the weirdness associated with IPv4 to IPv6 translation.
Thanks for the input
Chris Clanton
0
 

Author Closing Comment

by:cclanton
ID: 35029175
The real solution was neither, as each contributor elaborated on the limitations of both solutions. This made the appropriate solution apparent.
0
