F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100
4. Forwards the packet and records the mappings. The AFT performs protocol translation such as
changing the IPv4 header to the IPv6 header, forwards the packet, and records the IPv4-IPv6
mappings.
5. Translates and forwards the response packet. Upon receiving a response from the IPv6 host, the
AFT replaces the IPv6 addresses in the packet header with IPv4 addresses based on the recorded
address mappings and forwards the packet to the IPv4 host.
To view the address mappings, use the display session table command. For more information about this
command, see Security Configuration Guide.
DNS64 function
A DNS client in an IPv6 network cannot communicate with a DNS server in an IPv4 network because
their address formats are different. The DNS64 function of AFT can solve this issue.
When an IPv6 host sends an AAAA (IPv6) DNS query to an IPv4 DNS server, the destination IPv6
address is translated from the IPv4 address of the DNS server.
Upon receiving the AAAA DNS query, the AFT translates the IPv6 source and destination addresses to
IPv4 addresses as described in "Communication initiated by an IPv6 host."
The AFT translates the AAAA DNS query into a type A (IPv4) DNS query and sends the translated AAAA
request and the translated type A request to the DNS server.
Upon receiving the reply from the DNS server, the AFT translates the IPv4 source and destination
addresses into IPv6 addresses based on the recorded address mappings.
If the AFT receives a type A DNS reply, it examines the resolved IPv4 address. If the IPv4 address matches
the AFT policy for 4to6 source address translation, it translates the address into an IPv6 address by using
the DNS64 prefix referenced by the policy. If not, the AFT translates the address by using the first
configured DNS64 prefix. Then, the AFT translates the type A DNS reply into an AAAA DNS reply and
sends it to the IPv6 host.
If the AFT receives an AAAA DNS reply, it sends it directly to the IPv6 host.
After receiving the DNS reply, the IPv6 host uses the translated IPv6 address to communicate with the
IPv4 host as described in "Communication initiated by an IPv6 host."
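The DNS64 prefix selection and address synthesis described above, as an added Python example that is not part of the guide or the device's own code. It assumes /96 DNS64 prefixes with the resolved IPv4 address embedded in the low 32 bits (RFC 6052 style), and the policy and prefix values are constructed.

```python
import ipaddress
from typing import List, Tuple

# Constructed values (not from the guide): AFT 4to6 source-translation policies,
# each pairing an IPv4 range with the DNS64 prefix the policy references.
POLICIES: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv6Network]] = [
    (ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8:64::/96")),
]
# Constructed list of configured DNS64 prefixes; the first one is the fallback.
DNS64_PREFIXES: List[ipaddress.IPv6Network] = [
    ipaddress.ip_network("64:ff9b::/96"),
    ipaddress.ip_network("2001:db8:64::/96"),
]

def select_prefix(ipv4: ipaddress.IPv4Address) -> ipaddress.IPv6Network:
    """Selection rule from the text: a matching 4to6 policy supplies the prefix,
    otherwise the first configured DNS64 prefix is used."""
    for ipv4_net, prefix in POLICIES:
        if ipv4 in ipv4_net:
            return prefix
    return DNS64_PREFIXES[0]

def synthesize_ipv6(ipv4_str: str) -> str:
    """Embed the resolved IPv4 address in the selected /96 DNS64 prefix
    (assumption: RFC 6052-style embedding in the low 32 bits)."""
    ipv4 = ipaddress.IPv4Address(ipv4_str)
    prefix = select_prefix(ipv4)
    if prefix.prefixlen != 96:
        raise ValueError("only /96 DNS64 prefixes are handled here")
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(ipv4)))

def translate_dns_reply(qtype: str, answers: List[str]) -> Tuple[str, List[str]]:
    """Type A reply -> synthesized AAAA reply; an AAAA reply passes through unchanged."""
    if qtype == "AAAA":
        return "AAAA", list(answers)
    if qtype == "A":
        return "AAAA", [synthesize_ipv6(a) for a in answers]
    raise ValueError(f"unsupported record type {qtype}")

def extract_ipv4(ipv6_str: str) -> str:
    """Reverse step used when the IPv6 host later sends to the synthesized
    address: recover the IPv4 host address under any configured prefix."""
    ipv6 = ipaddress.IPv6Address(ipv6_str)
    for prefix in DNS64_PREFIXES:
        if ipv6 in prefix:
            return str(ipaddress.IPv4Address(int(ipv6) & 0xFFFFFFFF))
    raise ValueError("address does not carry a configured DNS64 prefix")
```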
AFT limitations
• The request and response packets of a session must be processed by the same AFT.
• AFT cannot translate some information, such as the Option field in the IPv4 packet header.
• AFT and IPsec are mutually exclusive, and thus end-to-end security cannot be provided.
• AFT cannot process IPv4 and ICMPv6 fragments.
• AFT supports ICMP, DNS, FTP, and protocols that employ the network layer protocol but have no
address information in the protocol messages.
Protocols and standards
• draft-ietf-behave-v6v4-xlate-stateful-11
• draft-xli-behave-ivi-07