Solved

IPv4 to IPv6 translation or proxy solution

Posted on 2011-03-01
Last Modified: 2012-08-14
I have the need for several hundred publicly facing ssl enabled virtual servers which provide software services to clients. I know that getting a class C from my provider is a no go from the start, so I am wondering if there is a way to convert 1 or 2 public ipv4 addresses using a proxy or some other translation software in my dmz to redirect. Almost a host header type solution where I could resolve via authoritative dns records the ipv6 address locally from the incoming ipv4 which would be used to get the traffic to the dmz. Each virtual machine has multiple self contained services (email, mysql, line of bus software) and due to regulatory requirements I need to be able to separate the clients into discrete environments.

Thanks for any thoughts or possible solutions
Chris Clanton
Question by:cclanton
9 Comments
 
LVL 13

Expert Comment

by:GuruChiu
ID: 35014455
I use a reverse proxy to resolve the same IP using different headers into different discrete back end servers, e.g.
abc.com and def.com all resolve to the same IPv4 address.
The request goes to the reverse proxy, which looks at the http header. It redirects abc.com to 10.1.1.1 and def.com to 10.2.1.1 etc.

Will this help?
0
 

Author Comment

by:cclanton
ID: 35017194
Let me make sure I have my noodle wrapped around this. I have 200 unique ipv6 addresses that have virtual servers running. I advertise the single ipv4 address to the world; it is propagated through remote dns's. When a remote user types in abc.domain.com or smtp.domain.com, the user's dns resolves to my public ipv4 address, which in turn transports them to my proxy, which in turn inspects the request, which I assume still has the abc.domain.com embedded within. The proxy translates the address based upon the unique header information (which I am assuming is still available within the packet) and targets the corresponding ipv6 address, allowing full port access to the ipv6 based machine (i.e. port 25, 443, 80 etc.) on an ipv4 network.
Am I understanding this correctly? Because it seems that it would make ipv4 to ipv6 pretty simple if all the assumptions I am making are correct.

Thanks for any insights
Chris Clanton
0
 
LVL 24

Accepted Solution

by:
rfc1180 earned 250 total points
ID: 35020250
I would honestly stay away from a proxy solution and utilize NAT-PT for IPv4 to IPv6 protocol translations. It will, in the long run, be a much better solution in the end. I have seen companies invest in many hours of proxy implementations only to go back to the drawing board and go with a NAT-PT solution.

If using Cisco:

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-nat_trnsln_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1057020

0
 
LVL 13

Assisted Solution

by:GuruChiu
GuruChiu earned 250 total points
ID: 35021189

If I understand correctly, Chris only has a limited number of IPv4 addresses, less than the number of hosts he needs. Static NAT-PT usually has 1 to 1 mapping for the same protocol (e.g. http). E.g. if Chris needs to run 200 web servers but he only has 10 IPv4 addresses, NAT-PT is not going to help.

Yes, for http traffic, the reverse proxy is able to examine the packet and find out the URL header. I use it for many customers with good results and never need to go back to the drawing board with a NAT-PT solution.
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 35021365
> If Chris needs to run 200 web servers but he only has 10 IPv4 addresses, NAT-PT is not going to help.

Correct, he would need a name-based SSL solution:

> Almost a host header type solution where I could resolve via authoritative dns records the ipv6 address locally from the incoming ipv4 which would be used to get the traffic to the dmz.

There is a name-based solution for SSL on some platforms, depending on several other factors:

http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

Billy
0
 

Author Comment

by:cclanton
ID: 35021581
The comment about the limited number of ipv4 addresses is correct, so I can't use a one to one mapping. I looked at the apache solution and could not really tell if this is just a solution for ssl web traffic or whether I could have ports available for ftp, smtp, http, https. I also looked at the cisco implementation, which looks interesting.

So I guess my question should really be refined to: is there a solution that would allow the ipv4 world to get to my public ipv6 addresses that host a virtual server having access to all standard ports?

Thanks
Chris Clanton
0
 
LVL 13

Expert Comment

by:GuruChiu
ID: 35023263
If we know nothing about the application, there is no way to "allow the ipv4 world to get to my public ipv6 addresses that host a virtual server having access to all standard ports". The key here is "access to all standard ports". Any trick I know to map fewer IP addresses to more IP addresses either takes advantage of port mapping, or knows something about the application (e.g. http) which can do some form of mapping or redirection.
0
 

Author Comment

by:cclanton
ID: 35029138
I control both sides of the application, so based upon the above information I am thinking that I need to implement ipv6 on the client end to circumvent all the weirdness associated with ipv4 to ipv6 translation.
Thanks for the input
Chris Clanton
0
 

Author Closing Comment

by:cclanton
ID: 35029175
The real solution was neither, as each contributor elaborated on the limitations of both solutions. This made the appropriate solution apparent.
0
