How to build an IPv6-only internal network?
Hypothetically, I want to build an internal network that runs just IPv6 and apply stateless ACLs at redundant external connections. How do users access the current v4 address space?
On Jul 8, 2015, at 12:53 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
> Hypothetically, I want to build an internal network that runs just IPv6 and apply stateless ACLs at redundant external connections.
> How do users access the current v4 address space?
There are two short answers:

(1) they don't
(2) they use NAT64 (RFC 6146/6147) translation

https://tools.ietf.org/html/rfc6052
6052 IPv6 Addressing of IPv4/IPv6 Translators. C. Bao, C. Huitema, M. Bagnulo, M. Boucadair, X. Li. October 2010. (Format: TXT=41849 bytes) (Updates RFC4291) (Status: PROPOSED STANDARD) (DOI: 10.17487/RFC6052)

https://tools.ietf.org/html/rfc6146
6146 Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers. M. Bagnulo, P. Matthews, I. van Beijnum. April 2011. (Format: TXT=107954 bytes) (Status: PROPOSED STANDARD) (DOI: 10.17487/RFC6146)

https://tools.ietf.org/html/rfc6147
6147 DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers. M. Bagnulo, A. Sullivan, P. Matthews, I. van Beijnum. April 2011. (Format: TXT=75103 bytes) (Status: PROPOSED STANDARD) (DOI: 10.17487/RFC6147)

https://tools.ietf.org/html/rfc6877
6877 464XLAT: Combination of Stateful and Stateless Translation. M. Mawatari, M. Kawashima, C. Byrne. April 2013. (Format: TXT=31382 bytes) (Status: INFORMATIONAL) (DOI: 10.17487/RFC6877)

With NAT64, a translator advertises a 96 bit prefix into the IPv6-only network as defined in RFC 6052, and attracts traffic destined to an address within it (which has an IPv4 address jammed into the last 32 bits) to the translator. The DNS translator, when asked for a AAAA record, either has one or doesn't; if it doesn't have one, it concocts a AAAA record from said prefix and the IPv4 address and returns that. The translator extracts the IPv4 address from the destination address, and does a stateful mapping of the IPv6 source address similar to present NAT44 solutions.

There are several products on the market.
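The /96 address mapping described in the message above, as an added example that is not part of the original thread: the DNS64 side builds the AAAA address, the translator side recovers the IPv4 address, and an edge check flags translated destinations that embed non-global IPv4 space. `SITE_PREFIX`, the function names and the `acl_verdict` policy are assumptions made for illustration; all addresses are constructed samples.

```python
import ipaddress

# RFC 6052 Well-Known Prefix. A deployment may advertise its own /96 instead.
WKP = ipaddress.IPv6Network("64:ff9b::/96")
# Constructed network-specific prefix (documentation space), for illustration only.
SITE_PREFIX = ipaddress.IPv6Network("2001:db8:64::/96")


def synthesize(v4, prefix=WKP):
    """DNS64 side: place the IPv4 address in the last 32 bits of the /96."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch handles only the /96 case from the thread")
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(v6, prefix=WKP):
    """Translator side: return the embedded IPv4 address, or None when the
    destination is outside the translation prefix (native IPv6 traffic)."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def acl_verdict(dst, prefix=WKP):
    """Hypothetical edge policy: classify an IPv6 destination.

    RFC 6052 says the Well-Known Prefix must not represent non-global IPv4
    addresses (RFC 1918 and similar). Applying the same rule to a
    network-specific prefix is a local policy choice, assumed here.
    """
    v4 = extract(dst, prefix)
    if v4 is None:
        return "native-ipv6"
    if not v4.is_global:
        return "deny"        # e.g. 10.0.0.0/8 hidden inside the prefix
    return "translate"


if __name__ == "__main__":
    for dst in ("64:ff9b::808:808", "64:ff9b::a01:203", "2001:db8::1"):
        print(dst, extract(dst), acl_verdict(dst))
```

Because the embedded IPv4 address sits in fixed bit positions, a stateless ACL can match on it with an ordinary IPv6 prefix filter under the translation prefix.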
On 8/Jul/15 22:23, Fred Baker (fred) wrote:
> (2) they use NAT64 (RFC 6146/6147) translation

The only issue with NAT64 is that you still need some IPv4 space. If you can't get any anymore, despite all the millions of $$ in your bank, then we'll see massively overlaid NAT, and perhaps service providers selling "Quadruple Overlay NAT as a Service" :-\.

Mark.
Over the years, I’ve had pretty good success with the IVI package. RFC 6219 lays out how it works and some folks' experiences with v6-only networks.

manning
bmanning@karoshi.com
PO Box 12317
Marina del Rey, CA 90295
310.322.8102

On 8July2015Wednesday, at 12:53, Cryptographrix <cryptographrix@gmail.com> wrote:
> Hypothetically, I want to build an internal network that runs just IPv6 and apply stateless ACLs at redundant external connections.
> How do users access the current v4 address space?
participants (4): Cryptographrix, Fred Baker (fred), manning, Mark Tinka