How to build an IPv6-only internal network?

Hypothetically, I want to build an internal network that runs just IPv6 and
apply stateless ACLs at redundant external connections.

How do users access the current v4 address space?

There are two short answers:

(1) they don't
(2) they use NAT64 (RFC 6146/6147) translation
6052 IPv6 Addressing of IPv4/IPv6 Translators. C. Bao, C. Huitema, M.
     Bagnulo, M. Boucadair, X. Li. October 2010. (Format: TXT=41849
     bytes) (Updates RFC4291) (Status: PROPOSED STANDARD) (DOI:
6146 Stateful NAT64: Network Address and Protocol Translation from IPv6
     Clients to IPv4 Servers. M. Bagnulo, P. Matthews, I. van Beijnum.
     April 2011. (Format: TXT=107954 bytes) (Status: PROPOSED STANDARD)
     (DOI: 10.17487/RFC6146)
6147 DNS64: DNS Extensions for Network Address Translation from IPv6
     Clients to IPv4 Servers. M. Bagnulo, A. Sullivan, P. Matthews, I.
     van Beijnum. April 2011. (Format: TXT=75103 bytes) (Status: PROPOSED
     STANDARD) (DOI: 10.17487/RFC6147)
6877 464XLAT: Combination of Stateful and Stateless Translation. M.
     Mawatari, M. Kawashima, C. Byrne. April 2013. (Format: TXT=31382
     bytes) (Status: INFORMATIONAL) (DOI: 10.17487/RFC6877)

With NAT64, a translator advertises a 96 bit prefix into the IPv6-only network as defined in RFC 6052, and attracts traffic destined to an address within it (which has an IPv4 address jammed into the last 32 bits) to the translator. The DNS translator, when asked for a AAAA record, either has one or doesn't; if it doesn't have one, it concocts a AAAA record from said prefix and the IPv4 address and returns that. The translator extracts the IPv4 address from the destination address, and does a stateful mapping of the IPv6 source address similar to present NAT44 solutions.

There are several products on the market.

Over the years, I’ve had pretty good success with the IVI package.

RFC 6219 lays out how it works and some folks experiences with v6-only networks.

PO Box 12317
Marina del Rey, CA 90295

Hash: SHA256