HP VPN Firewall Appliances VPN Configuration Guide
DNS64 function
A DNS client in an IPv6 network cannot communicate with a DNS server in an IPv4 network because
their address formats are different. The DNS64 function of AFT can solve this issue.
When an IPv6 host sends an AAAA (IPv6) DNS query to an IPv4 DNS server, the destination IPv6
address is translated from the IPv4 address of the DNS server.
Upon receiving the AAAA DNS query, the AFT translates the IPv6 source and destination addresses to
IPv4 addresses as described in "Communication initiated by an IPv6 host."
The AFT translates the AAAA DNS query into a type A (IPv4) DNS query and sends the translated AAAA
request and the translated type A request to the DNS server.
Upon receiving the reply from the DNS server, the AFT translates the IPv4 source and destination
addresses into IPv6 addresses based on the recorded address mappings.
If the AFT receives a type A DNS reply, it examines the resolved IPv4 address. If the IPv4 address matches
the AFT policy for 4to6 source address translation, it translates the address into an IPv6 address by using
the DNS64 prefix referenced by the policy. If not, the AFT translates the address by using the first
configured DNS64 prefix. Then, the AFT translates the type A DNS reply into an AAAA DNS reply and
sends it to the IPv6 host.
If the AFT receives an AAAA DNS reply, it sends it directly to the IPv6 host.
After receiving the DNS reply, the IPv6 host uses the translated IPv6 address to communicate with the
IPv4 host as described in "Communication initiated by an IPv6 host."
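The reply-handling steps above, as an added example (not code from the guide or from the appliance): it chooses the DNS64 prefix for a type A reply, builds the synthesized AAAA address, and recovers the embedded IPv4 address from a synthesized one. It assumes 96-bit prefixes with the IPv4 address in the low 32 bits, which the guide does not state; the prefixes, the policy, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample configuration (not from the guide): DNS64 prefixes in configured
# order; each 4to6 policy maps an IPv4 network to the DNS64 prefix it references.
DNS64_PREFIXES = [ipaddress.IPv6Network("64:ff9b::/96"),
                  ipaddress.IPv6Network("2001:db8:64::/96")]
POLICIES_4TO6 = [(ipaddress.IPv4Network("192.0.2.0/24"), DNS64_PREFIXES[1])]


def select_prefix(ipv4):
    """Prefix referenced by a matching 4to6 policy, else the first configured prefix."""
    for network, prefix in POLICIES_4TO6:
        if ipv4 in network:
            return prefix
    return DNS64_PREFIXES[0]


def embed(ipv4, prefix):
    """Place the IPv4 address in the low 32 bits of a /96 prefix (assumed layout)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipv4))


def translate_reply(rtype, rdata):
    """Return the (type, address) record that the IPv6 host receives."""
    if rtype == "AAAA":  # AAAA replies go to the IPv6 host unchanged
        return rtype, ipaddress.IPv6Address(rdata)
    if rtype != "A":
        raise ValueError(f"unexpected record type {rtype!r}")
    ipv4 = ipaddress.IPv4Address(rdata)
    return "AAAA", embed(ipv4, select_prefix(ipv4))


def extract(ipv6):
    """Recover the IPv4 address behind a synthesized address, or None if not synthesized."""
    ipv6 = ipaddress.IPv6Address(ipv6)
    for prefix in DNS64_PREFIXES:
        if ipv6 in prefix:
            return ipaddress.IPv4Address(int(ipv6) & 0xFFFFFFFF)
    return None


if __name__ == "__main__":
    for rtype, rdata in [("A", "192.0.2.10"), ("A", "198.51.100.7"), ("AAAA", "2001:db8::1")]:
        print(rtype, rdata, "->", *translate_reply(rtype, rdata))
```

The extract function is the direction that matters when reading logs on the IPv6 side: a peer address inside a DNS64 prefix identifies an IPv4 server, so allow lists and alerts keyed on the IPv4 address need this mapping to match.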
AFT limitations
• The request and response packets of a session must be processed by the same AFT.
• AFT cannot translate some information, such as the Option field in the IPv4 packet header.
• AFT and IPsec are mutually exclusive, and thus end-to-end security cannot be provided.
• AFT cannot process IPv4 and ICMPv6 fragments.
• AFT supports ICMP, DNS, FTP, and protocols that employ the network layer protocol but have no
address information in the protocol messages.
Protocols and standards
• draft-ietf-behave-v6v4-xlate-stateful-11
• draft-xli-behave-ivi-07
AFT configuration task list
When communication is initiated by an IPv6 host
Task                          Remarks
Enabling AFT                  Required.
Configuring a DNS64 prefix    Required.