IPv6 NAT64 power and limitations

In discussions about IPv6 you often hear “… and there we put some sort of NAT translation to connect IPv4 to IPv6”. Many have heard that NAT64 is the way to go, but we need to remember that NAT64 is by nature not symmetric.

It does matter which domain initiates the connection: v4 or v6. And do you want to implement stateless or stateful NAT64?

Stateful NAT64 has a number of advantages, and its closest match in the IPv4 world is Port Address Translation: it works dynamically one way, but needs a pre-existing state entry the other way. The important thing to understand is that, because a v6 address is four times longer than a v4 address, the whole v4 Internet space can fit within a single v6 host address. So when v4 addresses are translated into v6, they are prepended with a predefined NAT64 prefix.

Starting from DNS name resolution:

  • When a v6 source tries to connect to a v4 server, the DNS AAAA record is constructed on the fly by the DNS64 server, based on the existing DNS A entry.
  • When a v4 source tries to connect to a v6 destination, it relies on a static, pre-configured DNS A record.

And then traffic translation:

  • When a v6 source tries to connect to a v4 destination, translation is done by dynamic removal of the NAT64 network prefix. Important: packets not matching the NAT64 prefix are forwarded without modification.
  • When a v4 source tries to connect to a v6 destination, translation is done by addition of the static NAT64 prefix. Important: packets not matching any existing translation state are dropped without regret.

See the difference?

Although NAT64/DNS64 can work both ways, it was made for v6 hosts connecting to v4 services. This of course impacts the scalability of its deployments.
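
The asymmetry described above, as an added example that is not part of the original post: a Python sketch of the /96 address mapping and a toy stateful translator. The prefix `64:ff9b::/96` is the RFC 6052 well-known prefix; the function and class names, the single-address pool and the documentation-range addresses are assumptions made for illustration, and protocol, timers and filtering are left out.

```python
import ipaddress

# Well-known NAT64 prefix from RFC 6052; a deployment may use its own /96.
WKP = ipaddress.IPv6Network("64:ff9b::/96")

def synthesize(v4, prefix=WKP):
    """Embed a v4 address in the low 32 bits of a /96 prefix (DNS64: A -> AAAA)."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch handles /96 prefixes only")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))

def extract(v6, prefix=WKP):
    """Return the embedded v4 address, or None if v6 is outside the NAT64 prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

class StatefulNat64:
    """Toy model (hypothetical): one pool v4 address, bindings made by v6 flows."""
    def __init__(self, pool_v4, prefix=WKP, first_port=1024):
        self.pool_v4 = ipaddress.IPv4Address(pool_v4)
        self.prefix = prefix
        self.next_port = first_port
        self.by_v6 = {}    # (v6 host, v6 port) -> pool port
        self.by_port = {}  # pool port -> (v6 host, v6 port)

    def v6_to_v4(self, src, sport, dst, dport):
        v4_dst = extract(dst, self.prefix)
        if v4_dst is None:
            return None  # not a NAT64 destination: forwarded untranslated
        key = (ipaddress.IPv6Address(src), sport)
        if key not in self.by_v6:  # state is created dynamically
            self.by_v6[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return (self.pool_v4, self.by_v6[key], v4_dst, dport)

    def v4_to_v6(self, src, sport, dst, dport):
        binding = self.by_port.get(dport)
        if ipaddress.IPv4Address(dst) != self.pool_v4 or binding is None:
            return None  # no existing translation state: dropped
        return (synthesize(src, self.prefix), sport, binding[0], binding[1])

def demo():
    # Constructed sample flow using documentation addresses.
    nat = StatefulNat64("203.0.113.1")
    out = nat.v6_to_v4("2001:db8::10", 40000, synthesize("198.51.100.7"), 443)
    back = nat.v4_to_v6("198.51.100.7", 443, "203.0.113.1", out[1])
    unsolicited = nat.v4_to_v6("198.51.100.7", 443, "203.0.113.1", 5555)
    return out, back, unsolicited
```

`demo()` returns the translated outbound tuple, the translated reply that matches the binding, and `None` for the v4-initiated packet that has no state.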


Alex Mavrin, CCIE #7846



3 comments

  1. Paul Snoep

    There are better ways of connecting than through NAT. Nowadays, full IPv6 ranges are available, so why not use the full stack?

    1. Hi, Paul,
      Can you please clarify?

  2. Charles

    Because not all hosts/servers in the internet are configured with IPv6 yet.
