On Jul 8, 2015, at 12:53 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
Hypothetically, I want to build an internal network that runs just IPv6 and apply stateless ACLs at redundant external connections.
How do users access the current v4 address space?
There are two short answers: (1) they don't (2) they use NAT64 (RFC 6146/6147) translation

https://tools.ietf.org/html/rfc6052
6052 IPv6 Addressing of IPv4/IPv6 Translators. C. Bao, C. Huitema, M. Bagnulo, M. Boucadair, X. Li. October 2010. (Format: TXT=41849 bytes) (Updates RFC4291) (Status: PROPOSED STANDARD) (DOI: 10.17487/RFC6052)

https://tools.ietf.org/html/rfc6146
6146 Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers. M. Bagnulo, P. Matthews, I. van Beijnum. April 2011. (Format: TXT=107954 bytes) (Status: PROPOSED STANDARD) (DOI: 10.17487/RFC6146)

https://tools.ietf.org/html/rfc6147
6147 DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers. M. Bagnulo, A. Sullivan, P. Matthews, I. van Beijnum. April 2011. (Format: TXT=75103 bytes) (Status: PROPOSED STANDARD) (DOI: 10.17487/RFC6147)

https://tools.ietf.org/html/rfc6877
6877 464XLAT: Combination of Stateful and Stateless Translation. M. Mawatari, M. Kawashima, C. Byrne. April 2013. (Format: TXT=31382 bytes) (Status: INFORMATIONAL) (DOI: 10.17487/RFC6877)

With NAT64, a translator advertises a 96-bit prefix into the IPv6-only network as defined in RFC 6052, and attracts traffic destined to an address within it (which has an IPv4 address jammed into the last 32 bits) to the translator. The DNS translator, when asked for a AAAA record, either has one or doesn't; if it doesn't have one, it concocts a AAAA record from said prefix and the IPv4 address and returns that. The translator extracts the IPv4 address from the destination address, and does a stateful mapping of the IPv6 source address similar to present NAT44 solutions.

There are several products on the market.
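
The address mapping described in the message above, as an added example that is not part of the original e-mail or of any NAT64 product. It assumes the RFC 6052 Well-Known Prefix 64:ff9b::/96 (an operator may advertise a network-specific /96 instead); the function names and the sample addresses are constructed for illustration. The last function shows why a stateless ACL on an IPv6-only network has to look at the embedded 32 bits to reason about IPv4 destinations.

```python
import ipaddress

# Assumption: the RFC 6052 Well-Known Prefix; substitute the /96 your translator advertises.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4, prefix=NAT64_PREFIX):
    """Place the IPv4 address in the last 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6, prefix=NAT64_PREFIX):
    """Return the embedded IPv4 address, or None for a native IPv6 address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_answer(aaaa_records, a_records, prefix=NAT64_PREFIX):
    """DNS64 decision: a real AAAA record is returned as is; otherwise
    AAAA records are built from the prefix and each A record."""
    if aaaa_records:
        return [ipaddress.IPv6Address(r) for r in aaaa_records]
    return [synthesize(a, prefix) for a in a_records]


def acl_permits(dst_ipv6, blocked_v4_nets, prefix=NAT64_PREFIX):
    """Stateless check on the IPv4 destination carried inside a NAT64 address."""
    v4 = extract(dst_ipv6, prefix)
    if v4 is None:
        return True  # native IPv6 destination; outside the scope of this check
    return not any(v4 in ipaddress.ip_network(n) for n in blocked_v4_nets)


if __name__ == "__main__":
    # Constructed sample: a v4-only host and a blocked documentation range.
    print(dns64_answer([], ["192.0.2.33"]))
    print(acl_permits("64:ff9b::c633:6407", ["198.51.100.0/24"]))
```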