In discussions about IPv6, you often hear “… and there we put some sort of NAT translation to connect IPv4 to IPv6”. Many have heard that NAT64 is the way to go, but we need to remember that NAT64 is by nature not symmetric.
It does matter which domain initiates the connection: v4 or v6? Do you want to implement stateless or stateful NAT64?
Stateful NAT64 has a number of advantages, and its closest match in the IPv4 world is Port Address Translation: it works dynamically one way, but needs a pre-existing state entry the other way. An important thing to understand is that, because a v6 address is four times longer than a v4 address, the whole v4 Internet space can fit within a single v6 host address. So when v4 addresses are translated into v6, they are prepended with a predefined NAT64 prefix.
Starting from DNS name resolution:
- When a v6 source tries to connect to a v4 server, the DNS AAAA record is constructed on the fly by the DNS64 server based on the existing DNS A entry.
- When a v4 source tries to connect to a v6 destination, it relies on a static, pre-configured DNS A record.
And then traffic translation:
- When a v6 source tries to connect to a v4 destination, translation is done by dynamic removal of the NAT64 network prefix. Important: packets not matching the NAT64 prefix are forwarded without modification.
- When a v4 source tries to connect to a v6 destination, translation is done by addition of the static NAT64 prefix. Important: packets not matching any existing translation state are dropped without regret.
See the difference?
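The asymmetry described above, as an added example (not code from the original post): a minimal Python model of a stateful NAT64 translator. It assumes the RFC 6052 well-known prefix 64:ff9b::/96 as the NAT64 prefix and uses constructed documentation addresses; the class and function names are hypothetical, and keying state on the translator's port alone is a simplification.

```python
import ipaddress

# Assumptions (not from the post): the RFC 6052 well-known prefix stands in for
# the "predefined NAT64 prefix"; every address below is a constructed sample.
PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
POOL_V4 = ipaddress.IPv4Address("192.0.2.1")  # translator's own v4 address

def embed_v4(v4):
    """Prepend the NAT64 prefix to a v4 address (also what DNS64 does to an A record)."""
    return ipaddress.IPv6Address(int(PREFIX.network_address) | int(ipaddress.IPv4Address(v4)))

class StatefulNat64:
    """Hypothetical, simplified translator: state is keyed on the pool port only."""

    def __init__(self):
        self.state = {}        # pool port -> (v6 host, v6 port)
        self.next_port = 1024

    def add_static(self, pool_port, v6_host, v6_port):
        """Pre-configured entry, needed before any v4 host can initiate."""
        self.state[pool_port] = (ipaddress.IPv6Address(v6_host), v6_port)

    def v6_to_v4(self, src6, sport, dst6, dport):
        """v6-initiated flow: strip the prefix and create state dynamically."""
        dst6 = ipaddress.IPv6Address(dst6)
        if dst6 not in PREFIX:
            return None        # not for the translator: forwarded unmodified
        pool_port, self.next_port = self.next_port, self.next_port + 1
        self.state[pool_port] = (ipaddress.IPv6Address(src6), sport)
        return (POOL_V4, pool_port, ipaddress.IPv4Address(int(dst6) & 0xFFFFFFFF), dport)

    def v4_to_v6(self, src4, sport, dport):
        """v4-initiated or return packet addressed to POOL_V4:dport."""
        entry = self.state.get(dport)
        if entry is None:
            return None        # no translation state: dropped
        return (embed_v4(src4), sport, entry[0], entry[1])

if __name__ == "__main__":
    nat = StatefulNat64()
    aaaa = embed_v4("198.51.100.7")                      # DNS64 answer for the v4 server
    print("unsolicited v4 :", nat.v4_to_v6("198.51.100.7", 443, 1024))
    print("v6 -> v4       :", nat.v6_to_v4("2001:db8::10", 50000, aaaa, 443))
    print("v4 reply       :", nat.v4_to_v6("198.51.100.7", 443, 1024))
    nat.add_static(8080, "2001:db8::80", 80)
    print("v4 -> static v6:", nat.v4_to_v6("203.0.113.9", 40000, 8080))
```

The same v4 packet is dropped before the v6 host has initiated and translated afterwards, while a v4-initiated connection only succeeds once a static entry exists.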
Although NAT64/DNS64 can work both ways, it was made for v6 hosts connecting to v4 services. This of course impacts the scalability of its deployments.
Alex Mavrin, CCIE #7846