IPv6: Adjust subnet prefix used for NAT64.
This commit does several things related to the NAT64 prefix, as specified
by the NAT64_V4_SUBNET_PREFIX environment variable. This prefix is for a
/16 subnet.

First, we want the prefix to be within one of the two private network
ranges (172.16.0.0/12 or 10.0.0.0/8).

Second, to accommodate that, the NAT64_V4_SUBNET_PREFIX will be two octets,
instead of one. The default, if not specified, will be 172.18, to avoid
docker usage of that private network.

Third, the code will range check the prefix, to ensure that it is within
range, based on the private network selected. 172.16 to 172.31 or 10.0 to
10.253 values are allowed.

Fourth, the cluster ID is added to the prefix, so that a unique subnet is
used for each cluster. This affects the allowable values for the prefix.

For 172.16.0.0/12, the prefix plus cluster ID must be from 172.16 to
172.31. For 10.0.0.0/8, the prefix plus cluster ID must be from 10.0 to
10.253. So, for example, if the default 172.18 is used, then cluster IDs
can be from 0 to 13.

Another side effect of this change is w.r.t. legacy mode, where the user
specifies (only) the DIND_LABEL. In that case, a cluster ID is generated,
and we now will use numbers from 1..13 to help keep the values within the
range for the V4 mapping prefix (using 13 instead of 15 as the default
prefix is 172.18).

If the user wants to use the legacy DIND_LABEL, but have a larger range
for cluster IDs, they can set the NAT64_V4_SUBNET_PREFIX to the 10.0.0.0/8
subnet and/or explicitly set the CLUSTER_ID.

For the multicluster IPv6 CI test, it creates a cluster using the default
cluster ID (0), one with cluster ID specified (20), and legacy mode with a
cluster ID generated between 1..13. Since the default prefix is 172.18, the
second cluster will create a prefix (172.18 + 20 = 172.38) that is outside
the 172.16.0.0/12 private network and will be rejected. To avoid this, we'll
use a base prefix of 10.100. That will use 10.100 for the first cluster,
10.120 for the second cluster, and a random value of 10.101 to 10.113 for
the third cluster. This avoids any conflict, and ensures that the prefix is
within the 10.0.0.0/8 private network.

Fixes Issue: kubernetes-retired#220
Paul Michali committed Sep 24, 2018
1 parent 4b42c7d commit bb422a3
Showing 8 changed files with 292 additions and 42 deletions.
5 changes: 5 additions & 0 deletions .circleci/config.yml
Expand Up @@ -441,6 +441,11 @@ jobs:
environment:
<<: *env
IP_MODE: ipv6
# Ensure no collisions for NAT64 V4 mapping subnet prefix. First cluster will use 10.100,
# second will use 10.120 (cluster ID 20), and third will use random value from 10.101 to
# 10.113 (using legacy DIND_LABEL w/o cluster ID, causes random offet from 1..13 to be
# added to base prefix.
NAT64_V4_SUBNET_PREFIX: "10.100"
DIND_IMAGE: mirantis/kubeadm-dind-cluster:v1.11
<<: *test_multiple_clusters
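
Review bot: The added comment above NAT64_V4_SUBNET_PREFIX misspells "offset" as "offet" and opens a parenthesis before "using legacy DIND_LABEL" that is never closed. Its upper bound of 10.113 also assumes offsets up to 13, while the legacy path in dind-cluster.sh computes `($RANDOM % 12) + 1`, so the third cluster actually lands on 10.101 to 10.112; align the comment with whichever range the script is meant to produce.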

35 changes: 23 additions & 12 deletions README.md
Expand Up @@ -200,7 +200,7 @@ export EMBBEDDED_CONFIG=y
export DNS64_PREFIX=fd00:77:64:ff9b::
export DIND_SUBNET=fd00:77::
export SERVICE_CIDR=fd00:77:30::/110
export NAT64_V4_SUBNET_PREFIX=172
export NAT64_V4_SUBNET_PREFIX=172.20
```

NOTE: The DNS64 and NAT64 containers that are created on the host, persist
Expand All @@ -214,11 +214,14 @@ NOTE: At this time, there is not isolation between clusters. Nodes on one cluste
can ping nodes on another cluster (appears to be isolation iptables rules, instead
of ip6tables rules).

NOTE: The IPv4 mapping subnet used by NAT64, will have the cluster ID embedded in
the prefix. When customizing, specify only the first octet of the subnet prefix,
and the cluster ID will be added as the second prefix (zero, for single cluster).
For example, if CLUSTER_ID="50", the default NAT64_V4_SUBNET_PREFIX will be
"172.50", forming a subnet 172.50.0.0/16.
NOTE: The IPv4 mapping subnet used by NAT64, can be overridden from the default of
172.18.0.0/16, by specifying the first two octets in NAT64_V4_SUBNET_PREFIX (you
cannot change the size). This prefix must be within the 10.0.0.0/8 or 172.16.0.0/12
private network ranges. Be aware, that, in a multi-cluster setup, the cluster ID,
which defaults to zero, will be added to the second octet of the prefix. You must
ensure that the resulting prefix is still within the private network's range. For
example, if CLUSTER_ID="10", the default NAT64_V4_SUBNET_PREFIX will be
"172.28", forming a subnet 172.28.0.0/16.

NOTE: If you use `kube-router` for networking, IPv6 is not supported, as of
July 2018.
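
Review bot: In the rewritten NOTE, the closing example calls 172.28 "the default NAT64_V4_SUBNET_PREFIX", but 172.28 is the result of adding CLUSTER_ID 10 to the default 172.18; wording it as "the resulting prefix will be 172.28" avoids implying that the default itself changes. The paragraph could also state the second-octet bounds the new validation enforces (16 to 31 for 172.x, up to 253 for 10.x), so a user can work out the valid cluster ID range without reading the script.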
Expand Down Expand Up @@ -310,23 +313,31 @@ addresses.

For IPv4, the cluster ID will be used as the third octet of the management address
(whether default or user specified). For example, with cluster ID "10", the default
management network CIDR will be 10.192.10.0/24. For Ipv6, the cluster ID will be
management network CIDR will be 10.192.10.0/24. For IPv6, the cluster ID will be
placed as the hextet before the double colon, for the management CIDR. For example,
a management ntwork CIDR of fd00:20::/64 will become fd00:20:2::/64, for a cluster
ID of '2'.

NOTE: The cluster ID can be limited in some cases. For IPv6 mode, the cluster ID is
also used in the NAT64 prefix, and that prifix must be within one of the RFC-1918
private network ranges. If the 172.16.0.0/12 private network is used, the cluster ID
cannot be more than 15 (and less, if a higher base prefix is specified by the
NAT64_V4_SUBNET_PREFIX, like the default 172.18, which would allow cluster IDs up to
13).

Note: If the MGMT_CIDR (or legacy DIND_SUBNET/DIND_SUBNET_SIZE) environment variables
are set for the management network, they must be able to accommodate the cluster ID
injection.

In addition to the management network, the resource names will have the suffix
"-cluster-#", where # is the CLUSTER_ID. The context for kubectl will be "dind-cluster-#".

For legacy support (or if a user wants a custom cluster name), if DIND_LABEL is set,
then resources will have the suffix "-{DIND_LABEL}-#", with the number set to the cluster
ID. If no cluster ID is specified, as would be for backwards-compatibility, or it is zero,
the resource names will just use the DIND_LABEL, and a pseudo-random number from 1..254
will be used for the management network.
For legacy support (or if a user wants a custom cluster name), setting the DIND_LABEL
will create a resource suffix "-{DIND_LABEL}-#", where # is the cluster ID. If no
cluster ID is specified, as would be for backwards-compatibility, or it is zero, the
resource names will just use the DIND_LABEL, and a pseudo-random number from 1..13 will
be used for the cluster ID to be applied to the management network, and in case of IPv6,
the NAT64 V4 mapping subnet prefix (hence the limitation).

Example usage:
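
Review bot: The added NOTE paragraph misspells "prefix" as "prifix". The legacy paragraph's "pseudo-random number from 1..13" is also only safe for the default 172.18 base: the README's own IPv6 example exports NAT64_V4_SUBNET_PREFIX=172.20, which leaves room for cluster IDs 0 to 11, so the text should say that legacy DIND_LABEL users who raise the base need to set CLUSTER_ID explicitly or move to a 10.x prefix.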

49 changes: 44 additions & 5 deletions dind-cluster.sh
Expand Up @@ -233,6 +233,37 @@ function dind::make-ip-from-cidr {
fi
}

# dind::add-cluster-id-and-validate-nat64-prefix will modify the IPv4 mapping
# subnet prefix, by adding the cluster ID (default 0) to the second octet.
# It will produce an error, if the prefix is not in the 10.0.0.0/8 or
# 172.16.0.0/12 private networks.
function dind::add-cluster-id-and-validate-nat64-prefix {
local parts
IFS="." read -a parts <<<${NAT64_V4_SUBNET_PREFIX}
if [[ ${#parts[@]} -ne 2 ]]; then
echo "ERROR! NAT64_V4_SUBNET_PREFIX must be two octets (have '${NAT64_V4_SUBNET_PREFIX}')"
exit 1
fi
(( parts[1]+=${CLUSTER_ID} ))
NAT64_V4_SUBNET_PREFIX="${parts[0]}.${parts[1]}"
echo "Added cluster ID offset (${CLUSTER_ID}) to NAT64_V4_SUBNET_PREFIX giving prefix '${NAT64_V4_SUBNET_PREFIX}'"
if [[ ${parts[0]} -eq 10 ]]; then
if [[ ${parts[1]} > 253 ]]; then
echo "ERROR! NAT64_V4_SUBNET_PREFIX is too large for 10.0.0.0/8 private net"
exit 1
fi
elif [[ ${parts[0]} -eq 172 ]]; then
if [[ ${parts[1]} -lt 16 || ${parts[1]} -gt 31 ]]; then
echo "ERROR! NAT64_V4_SUBNET_PREFIX is outside of range for 172.16.0.0/12 private net"
exit 1
fi
else
echo "ERROR! NAT64_V4_SUBNET_PREFIX is not in 10.0.0.0/8 or 172.16.0.0/12 private networks"
exit 1
fi
echo "Using NAT64 V4 mapping network prefix: ${NAT64_V4_SUBNET_PREFIX}"
}


# START OF PROCESSING...
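
Review bot: The 10.0.0.0/8 bound check in dind::add-cluster-id-and-validate-nat64-prefix uses `[[ ${parts[1]} > 253 ]]`, and inside `[[ ]]` the `>` operator compares strings, not numbers, so 10.30 is rejected ("30" sorts after "253") while 10.1000 is accepted. Use `-gt 253`, as the 172 branch already does with `-lt` and `-gt`. Separately, `(( parts[1]+=${CLUSTER_ID} ))` runs before anything confirms that the octets and CLUSTER_ID are plain decimal digits; bash arithmetic evaluates its operands as expressions, so a non-numeric environment value is not rejected cleanly, and a leading zero such as 08 fails as invalid octal. A digits-only test such as `[[ ${parts[1]} =~ ^[0-9]+$ ]]` on both octets and on CLUSTER_ID before the addition would close that gap, and the here-string is safer quoted as `<<<"${NAT64_V4_SUBNET_PREFIX}"`.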

Expand All @@ -253,7 +284,14 @@ fi
# using the new method, but want custom names), the resourse name will have the
# suffix "-#" with the cluster ID. If no cluster ID is specified (for backward
# compatibility), then the resource name will be just the DIND_LABEL, and a pseudo-
# random number used for the cluster ID to be used in the management subnet creation.
# random number from 1..13 will be generated for the cluster ID to be used in
# management network. The range is limited, because, in IPv6 mode, the cluster ID
# is used in the NAT64 V4 subnet prefix, which must be in a private network.
# The default is 172.18, so the cluster ID cannot be larger than 13 to guarantee
# a valid value.
#
# To get around that limitation, you can set the cluster ID, in addition to the
# DIND_LABEL, and optionally, change the NAT64_V4_SUBNET_PREFIX value.
#
DEFAULT_DIND_LABEL='mirantis.kubeadm_dind_cluster_runtime'
if [[ -z ${DIND_LABEL+x} ]]; then # No legacy DIND_LABEL set
Expand All @@ -268,11 +306,11 @@ if [[ -z ${DIND_LABEL+x} ]]; then # No legacy DIND_LABEL set
fi
fi
else # Legacy DIND_LABEL set for multi-cluster
if [[ -z ${CLUSTER_ID+x} ]]; then # No cluster ID set, make one from 1..254, but don't use in resource names
CLUSTER_ID="$(( ($RANDOM % 253) + 1 ))"
if [[ -z ${CLUSTER_ID+x} ]]; then # No cluster ID set, make one from 1..13, but don't use in resource names
CLUSTER_ID="$(( ($RANDOM % 12) + 1 ))"
else
if [[ ${CLUSTER_ID} = "0" ]]; then
CLUSTER_ID="$(( ($RANDOM % 253) + 1 ))" # Force a pseudo-random cluster for additional legacy cluster
CLUSTER_ID="$(( ($RANDOM % 12) + 1 ))" # Force a pseudo-random cluster for additional legacy cluster
else
DIND_LABEL="${DIND_LABEL}-${CLUSTER_ID}"
fi
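
Review bot: `($RANDOM % 12) + 1` on both changed lines yields 1..12, while the inline comment here and the header comment above say 1..13; use `% 13` or correct the comments. The modulus is also hard-coded to the headroom of the default 172.18, so with a larger user-set 172.x base the generated ID can push the second octet past 31 and the later validation fails or passes depending on the random draw. Deriving the range from the configured prefix would make legacy-mode startup deterministic.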
Expand Down Expand Up @@ -344,7 +382,8 @@ if [[ ${IP_MODE} == "ipv6" ]]; then
DNS64_PREFIX_CIDR="${DNS64_PREFIX}/${DNS64_PREFIX_SIZE}"

LOCAL_NAT64_SERVER="$( dind::make-ip-from-cidr ${mgmt_net_cidrs[0]} 0x200 )"
NAT64_V4_SUBNET_PREFIX="${NAT64_V4_SUBNET_PREFIX:-172}.${CLUSTER_ID}"
NAT64_V4_SUBNET_PREFIX="${NAT64_V4_SUBNET_PREFIX:-172.18}"
dind::add-cluster-id-and-validate-nat64-prefix
else
dns_server="${REMOTE_DNS64_V4SERVER}"
fi
49 changes: 44 additions & 5 deletions fixed/dind-cluster-stable.sh
Expand Up @@ -233,6 +233,37 @@ function dind::make-ip-from-cidr {
fi
}

# dind::add-cluster-id-and-validate-nat64-prefix will modify the IPv4 mapping
# subnet prefix, by adding the cluster ID (default 0) to the second octet.
# It will produce an error, if the prefix is not in the 10.0.0.0/8 or
# 172.16.0.0/12 private networks.
function dind::add-cluster-id-and-validate-nat64-prefix {
local parts
IFS="." read -a parts <<<${NAT64_V4_SUBNET_PREFIX}
if [[ ${#parts[@]} -ne 2 ]]; then
echo "ERROR! NAT64_V4_SUBNET_PREFIX must be two octets (have '${NAT64_V4_SUBNET_PREFIX}')"
exit 1
fi
(( parts[1]+=${CLUSTER_ID} ))
NAT64_V4_SUBNET_PREFIX="${parts[0]}.${parts[1]}"
echo "Added cluster ID offset (${CLUSTER_ID}) to NAT64_V4_SUBNET_PREFIX giving prefix '${NAT64_V4_SUBNET_PREFIX}'"
if [[ ${parts[0]} -eq 10 ]]; then
if [[ ${parts[1]} > 253 ]]; then
echo "ERROR! NAT64_V4_SUBNET_PREFIX is too large for 10.0.0.0/8 private net"
exit 1
fi
elif [[ ${parts[0]} -eq 172 ]]; then
if [[ ${parts[1]} -lt 16 || ${parts[1]} -gt 31 ]]; then
echo "ERROR! NAT64_V4_SUBNET_PREFIX is outside of range for 172.16.0.0/12 private net"
exit 1
fi
else
echo "ERROR! NAT64_V4_SUBNET_PREFIX is not in 10.0.0.0/8 or 172.16.0.0/12 private networks"
exit 1
fi
echo "Using NAT64 V4 mapping network prefix: ${NAT64_V4_SUBNET_PREFIX}"
}


# START OF PROCESSING...

Expand All @@ -253,7 +284,14 @@ fi
# using the new method, but want custom names), the resourse name will have the
# suffix "-#" with the cluster ID. If no cluster ID is specified (for backward
# compatibility), then the resource name will be just the DIND_LABEL, and a pseudo-
# random number used for the cluster ID to be used in the management subnet creation.
# random number from 1..13 will be generated for the cluster ID to be used in
# management network. The range is limited, because, in IPv6 mode, the cluster ID
# is used in the NAT64 V4 subnet prefix, which must be in a private network.
# The default is 172.18, so the cluster ID cannot be larger than 13 to guarantee
# a valid value.
#
# To get around that limitation, you can set the cluster ID, in addition to the
# DIND_LABEL, and optionally, change the NAT64_V4_SUBNET_PREFIX value.
#
DEFAULT_DIND_LABEL='mirantis.kubeadm_dind_cluster_runtime'
if [[ -z ${DIND_LABEL+x} ]]; then # No legacy DIND_LABEL set
Expand All @@ -268,11 +306,11 @@ if [[ -z ${DIND_LABEL+x} ]]; then # No legacy DIND_LABEL set
fi
fi
else # Legacy DIND_LABEL set for multi-cluster
if [[ -z ${CLUSTER_ID+x} ]]; then # No cluster ID set, make one from 1..254, but don't use in resource names
CLUSTER_ID="$(( ($RANDOM % 253) + 1 ))"
if [[ -z ${CLUSTER_ID+x} ]]; then # No cluster ID set, make one from 1..13, but don't use in resource names
CLUSTER_ID="$(( ($RANDOM % 12) + 1 ))"
else
if [[ ${CLUSTER_ID} = "0" ]]; then
CLUSTER_ID="$(( ($RANDOM % 253) + 1 ))" # Force a pseudo-random cluster for additional legacy cluster
CLUSTER_ID="$(( ($RANDOM % 12) + 1 ))" # Force a pseudo-random cluster for additional legacy cluster
else
DIND_LABEL="${DIND_LABEL}-${CLUSTER_ID}"
fi
Expand Down Expand Up @@ -344,7 +382,8 @@ if [[ ${IP_MODE} == "ipv6" ]]; then
DNS64_PREFIX_CIDR="${DNS64_PREFIX}/${DNS64_PREFIX_SIZE}"

LOCAL_NAT64_SERVER="$( dind::make-ip-from-cidr ${mgmt_net_cidrs[0]} 0x200 )"
NAT64_V4_SUBNET_PREFIX="${NAT64_V4_SUBNET_PREFIX:-172}.${CLUSTER_ID}"
NAT64_V4_SUBNET_PREFIX="${NAT64_V4_SUBNET_PREFIX:-172.18}"
dind::add-cluster-id-and-validate-nat64-prefix
else
dns_server="${REMOTE_DNS64_V4SERVER}"
fi
49 changes: 44 additions & 5 deletions fixed/dind-cluster-v1.10.sh
Expand Up @@ -233,6 +233,37 @@ function dind::make-ip-from-cidr {
fi
}

# dind::add-cluster-id-and-validate-nat64-prefix will modify the IPv4 mapping
# subnet prefix, by adding the cluster ID (default 0) to the second octet.
# It will produce an error, if the prefix is not in the 10.0.0.0/8 or
# 172.16.0.0/12 private networks.
function dind::add-cluster-id-and-validate-nat64-prefix {
local parts
IFS="." read -a parts <<<${NAT64_V4_SUBNET_PREFIX}
if [[ ${#parts[@]} -ne 2 ]]; then
echo "ERROR! NAT64_V4_SUBNET_PREFIX must be two octets (have '${NAT64_V4_SUBNET_PREFIX}')"
exit 1
fi
(( parts[1]+=${CLUSTER_ID} ))
NAT64_V4_SUBNET_PREFIX="${parts[0]}.${parts[1]}"
echo "Added cluster ID offset (${CLUSTER_ID}) to NAT64_V4_SUBNET_PREFIX giving prefix '${NAT64_V4_SUBNET_PREFIX}'"
if [[ ${parts[0]} -eq 10 ]]; then
if [[ ${parts[1]} > 253 ]]; then
echo "ERROR! NAT64_V4_SUBNET_PREFIX is too large for 10.0.0.0/8 private net"
exit 1
fi
elif [[ ${parts[0]} -eq 172 ]]; then
if [[ ${parts[1]} -lt 16 || ${parts[1]} -gt 31 ]]; then
echo "ERROR! NAT64_V4_SUBNET_PREFIX is outside of range for 172.16.0.0/12 private net"
exit 1
fi
else
echo "ERROR! NAT64_V4_SUBNET_PREFIX is not in 10.0.0.0/8 or 172.16.0.0/12 private networks"
exit 1
fi
echo "Using NAT64 V4 mapping network prefix: ${NAT64_V4_SUBNET_PREFIX}"
}


# START OF PROCESSING...

Expand All @@ -253,7 +284,14 @@ fi
# using the new method, but want custom names), the resourse name will have the
# suffix "-#" with the cluster ID. If no cluster ID is specified (for backward
# compatibility), then the resource name will be just the DIND_LABEL, and a pseudo-
# random number used for the cluster ID to be used in the management subnet creation.
# random number from 1..13 will be generated for the cluster ID to be used in
# management network. The range is limited, because, in IPv6 mode, the cluster ID
# is used in the NAT64 V4 subnet prefix, which must be in a private network.
# The default is 172.18, so the cluster ID cannot be larger than 13 to guarantee
# a valid value.
#
# To get around that limitation, you can set the cluster ID, in addition to the
# DIND_LABEL, and optionally, change the NAT64_V4_SUBNET_PREFIX value.
#
DEFAULT_DIND_LABEL='mirantis.kubeadm_dind_cluster_runtime'
if [[ -z ${DIND_LABEL+x} ]]; then # No legacy DIND_LABEL set
Expand All @@ -268,11 +306,11 @@ if [[ -z ${DIND_LABEL+x} ]]; then # No legacy DIND_LABEL set
fi
fi
else # Legacy DIND_LABEL set for multi-cluster
if [[ -z ${CLUSTER_ID+x} ]]; then # No cluster ID set, make one from 1..254, but don't use in resource names
CLUSTER_ID="$(( ($RANDOM % 253) + 1 ))"
if [[ -z ${CLUSTER_ID+x} ]]; then # No cluster ID set, make one from 1..13, but don't use in resource names
CLUSTER_ID="$(( ($RANDOM % 12) + 1 ))"
else
if [[ ${CLUSTER_ID} = "0" ]]; then
CLUSTER_ID="$(( ($RANDOM % 253) + 1 ))" # Force a pseudo-random cluster for additional legacy cluster
CLUSTER_ID="$(( ($RANDOM % 12) + 1 ))" # Force a pseudo-random cluster for additional legacy cluster
else
DIND_LABEL="${DIND_LABEL}-${CLUSTER_ID}"
fi
Expand Down Expand Up @@ -344,7 +382,8 @@ if [[ ${IP_MODE} == "ipv6" ]]; then
DNS64_PREFIX_CIDR="${DNS64_PREFIX}/${DNS64_PREFIX_SIZE}"

LOCAL_NAT64_SERVER="$( dind::make-ip-from-cidr ${mgmt_net_cidrs[0]} 0x200 )"
NAT64_V4_SUBNET_PREFIX="${NAT64_V4_SUBNET_PREFIX:-172}.${CLUSTER_ID}"
NAT64_V4_SUBNET_PREFIX="${NAT64_V4_SUBNET_PREFIX:-172.18}"
dind::add-cluster-id-and-validate-nat64-prefix
else
dns_server="${REMOTE_DNS64_V4SERVER}"
fi
49 changes: 44 additions & 5 deletions fixed/dind-cluster-v1.11.sh
Expand Up @@ -233,6 +233,37 @@ function dind::make-ip-from-cidr {
fi
}

# dind::add-cluster-id-and-validate-nat64-prefix will modify the IPv4 mapping
# subnet prefix, by adding the cluster ID (default 0) to the second octet.
# It will produce an error, if the prefix is not in the 10.0.0.0/8 or
# 172.16.0.0/12 private networks.
function dind::add-cluster-id-and-validate-nat64-prefix {
local parts
IFS="." read -a parts <<<${NAT64_V4_SUBNET_PREFIX}
if [[ ${#parts[@]} -ne 2 ]]; then
echo "ERROR! NAT64_V4_SUBNET_PREFIX must be two octets (have '${NAT64_V4_SUBNET_PREFIX}')"
exit 1
fi
(( parts[1]+=${CLUSTER_ID} ))
NAT64_V4_SUBNET_PREFIX="${parts[0]}.${parts[1]}"
echo "Added cluster ID offset (${CLUSTER_ID}) to NAT64_V4_SUBNET_PREFIX giving prefix '${NAT64_V4_SUBNET_PREFIX}'"
if [[ ${parts[0]} -eq 10 ]]; then
if [[ ${parts[1]} > 253 ]]; then
echo "ERROR! NAT64_V4_SUBNET_PREFIX is too large for 10.0.0.0/8 private net"
exit 1
fi
elif [[ ${parts[0]} -eq 172 ]]; then
if [[ ${parts[1]} -lt 16 || ${parts[1]} -gt 31 ]]; then
echo "ERROR! NAT64_V4_SUBNET_PREFIX is outside of range for 172.16.0.0/12 private net"
exit 1
fi
else
echo "ERROR! NAT64_V4_SUBNET_PREFIX is not in 10.0.0.0/8 or 172.16.0.0/12 private networks"
exit 1
fi
echo "Using NAT64 V4 mapping network prefix: ${NAT64_V4_SUBNET_PREFIX}"
}


# START OF PROCESSING...

Expand All @@ -253,7 +284,14 @@ fi
# using the new method, but want custom names), the resourse name will have the
# suffix "-#" with the cluster ID. If no cluster ID is specified (for backward
# compatibility), then the resource name will be just the DIND_LABEL, and a pseudo-
# random number used for the cluster ID to be used in the management subnet creation.
# random number from 1..13 will be generated for the cluster ID to be used in
# management network. The range is limited, because, in IPv6 mode, the cluster ID
# is used in the NAT64 V4 subnet prefix, which must be in a private network.
# The default is 172.18, so the cluster ID cannot be larger than 13 to guarantee
# a valid value.
#
# To get around that limitation, you can set the cluster ID, in addition to the
# DIND_LABEL, and optionally, change the NAT64_V4_SUBNET_PREFIX value.
#
DEFAULT_DIND_LABEL='mirantis.kubeadm_dind_cluster_runtime'
if [[ -z ${DIND_LABEL+x} ]]; then # No legacy DIND_LABEL set
Expand All @@ -268,11 +306,11 @@ if [[ -z ${DIND_LABEL+x} ]]; then # No legacy DIND_LABEL set
fi
fi
else # Legacy DIND_LABEL set for multi-cluster
if [[ -z ${CLUSTER_ID+x} ]]; then # No cluster ID set, make one from 1..254, but don't use in resource names
CLUSTER_ID="$(( ($RANDOM % 253) + 1 ))"
if [[ -z ${CLUSTER_ID+x} ]]; then # No cluster ID set, make one from 1..13, but don't use in resource names
CLUSTER_ID="$(( ($RANDOM % 12) + 1 ))"
else
if [[ ${CLUSTER_ID} = "0" ]]; then
CLUSTER_ID="$(( ($RANDOM % 253) + 1 ))" # Force a pseudo-random cluster for additional legacy cluster
CLUSTER_ID="$(( ($RANDOM % 12) + 1 ))" # Force a pseudo-random cluster for additional legacy cluster
else
DIND_LABEL="${DIND_LABEL}-${CLUSTER_ID}"
fi
Expand Down Expand Up @@ -344,7 +382,8 @@ if [[ ${IP_MODE} == "ipv6" ]]; then
DNS64_PREFIX_CIDR="${DNS64_PREFIX}/${DNS64_PREFIX_SIZE}"

LOCAL_NAT64_SERVER="$( dind::make-ip-from-cidr ${mgmt_net_cidrs[0]} 0x200 )"
NAT64_V4_SUBNET_PREFIX="${NAT64_V4_SUBNET_PREFIX:-172}.${CLUSTER_ID}"
NAT64_V4_SUBNET_PREFIX="${NAT64_V4_SUBNET_PREFIX:-172.18}"
dind::add-cluster-id-and-validate-nat64-prefix
else
dns_server="${REMOTE_DNS64_V4SERVER}"
fi