How to build an IPv6-only internal network?

Cryptographrix · July 8, 2015, 7:53pm

Hypothetically, I want to build an internal network that runs just IPv6 and
apply stateless ACLs at redundant external connections.

How do users access the current v4 address space?

Baker_Fred · July 8, 2015, 8:23pm

There are two short answers:

(1) they don't
(2) they use NAT64 (RFC 6146/6147) translation

https://tools.ietf.org/html/rfc6052
6052 IPv6 Addressing of IPv4/IPv6 Translators. C. Bao, C. Huitema, M.
     Bagnulo, M. Boucadair, X. Li. October 2010. (Format: TXT=41849
     bytes) (Updates RFC4291) (Status: PROPOSED STANDARD) (DOI:
     10.17487/RFC6052)

https://tools.ietf.org/html/rfc6146
6146 Stateful NAT64: Network Address and Protocol Translation from IPv6
     Clients to IPv4 Servers. M. Bagnulo, P. Matthews, I. van Beijnum.
     April 2011. (Format: TXT=107954 bytes) (Status: PROPOSED STANDARD)
     (DOI: 10.17487/RFC6146)

https://tools.ietf.org/html/rfc6147
6147 DNS64: DNS Extensions for Network Address Translation from IPv6
     Clients to IPv4 Servers. M. Bagnulo, A. Sullivan, P. Matthews, I.
     van Beijnum. April 2011. (Format: TXT=75103 bytes) (Status: PROPOSED
     STANDARD) (DOI: 10.17487/RFC6147)

https://tools.ietf.org/html/rfc6877
6877 464XLAT: Combination of Stateful and Stateless Translation. M.
Mawatari, M. Kawashima, C. Byrne. April 2013. (Format: TXT=31382
bytes) (Status: INFORMATIONAL) (DOI: 10.17487/RFC6877)

With NAT64, a translator advertises a 96 bit prefix into the IPv6-only network as defined in RFC 6052, and attracts traffic destined to an address within it (which has an IPv4 address jammed into the last 32 bits) to the translator. The DNS translator, when asked for a AAAA record, either has one or doesn't; if it doesn't have one, it concocts a AAAA record from said prefix and the IPv4 address and returns that. The translator extracts the IPv4 address from the destination address, and does a stateful mapping of the IPv6 source address similar to present NAT44 solutions.

There are several products on the market.

Bill_Manning1 · July 8, 2015, 9:11pm

Over the years, I’ve had pretty good success with the IVI package.

RFC 6219 lays out how it works and some folks experiences with v6-only networks.

manning
bmanning@karoshi.com
PO Box 12317
Marina del Rey, CA 90295
310.322.8102

Mark_Tinka1 · July 9, 2015, 11:30am

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256