IPv6 allocation plan, security, and 6-to-4 conversion

Tore Anderson tore at fud.no
Sun Feb 1 19:10:00 UTC 2015


* William Herrin

> T-Mobile uses something called 464XLAT. Don't let the "translation"
> part fool you: it's a tunnel. IPv4 in one side, IPv4 out the other.

464XLAT is not a tunnel. Protocol translation is substantially
different from tunneling. With tunneling, the original layer-3 header
is kept intact as it is encapsulated inside another layer-3 header.
With translation, the original layer-3 header is removed and replaced
with another layer-3 header.

They come with a different set of trade-offs, such as:

- Protocol translation may be lossy (e.g., exotic IPv4 options may not
  survive the translation to IPv6 and would therefore not reappear
  after translation back to IPv4). Tunneling, OTOH, is not lossy.

- Tunneling moves the original layer-4 header into another
  encapsulation layer, so e.g. an ACL attempting to match an IPv6 HTTP
  packet using something like "next-header tcp, dst port 80" will not
  work. With translation, it will.

> Kabel Deutschland uses something called "Dual Stack Lite." It's also a
> tunnel: the Kabel-owned CPE encapsulates the customer's IPv4 packets
> within IPv6 and delivers them to the Kabel's IPv4 carrier NAT box.

Yep. DS-Lite is indeed tunneling.

> So sure, if you don't mind dissembling a little bit you can say that
> they moved their "infrastructure" to IPv6-only. In my mind, tunnelling
> IPv4 over IPv6 where it both enters and exits the carrier's area of
> control as an IPv4 packet doesn't count as "IPv6-only."

I guess we disagree about the definitions, then.

In my view, a dual-stack network is one where IPv4 and IPv6 are running
side-by-side like "ships in the night" with no fate sharing. You might
be running two different IGP protocols (like OSPFv2 and OSPFv3) and a
duplicated set of iBGP sessions. ACLs and the like must exist both for
IPv4 and IPv6. And so on. If you turn off one protocol, the other
one keeps on running just like before.

This is in contrast with a single-stack network; turn off that single
stack, and nothing works. That doesn't mean that you cannot simultaneously
transport other layer-3 protocols across that single-stack network;
just that there is a clear distinction between which is the main
layer-3 protocol and others being transported across it.

You might very well simultaneously transport IPv6, AppleTalk, and
IPX/SPX across an IPv4-only network - but that doesn't mean that the
network is "quad-stack" - IMHO, it's still single-stack IPv4.

> On Fri, Jan 30, 2015 at 11:44 AM, Tore Anderson <tore at fud.no> wrote:
> > If everyone could just dual-stack their networks, they
> > might as well single-stack them on IPv4 instead; there would be no
> > point whatsoever in transitioning to IPv6 for anyone.
> 
> What do you mean "if"? Carrier NAT means we *can* single-stack on IPv4
> for the next 20 to 30 years, if we're so inclined.

I suppose that's true - if you ignore that a number of other folks are
deploying IPv6 to deal with their IPv4 exhaustion, and that products
and services are being put to market that recommend the use of IPv6
connectivity above NATed IPv4 (e.g., Xbox One).

So much earlier than 30 years from now you'll be wanting to have IPv6
in your network anyway, and once you come to that realisation you might
also realise that operating a dual-stack network for those 30 years is
not going to be any fun at all due to the increased complexity it
causes. Especially if the IPv4 part of that dual-stack network is in
itself getting increasingly complex due to more and more NAT being
added to deal with growth.

So IMHO dual-stack is a bad recommendation, or at least it is rather
shortsighted. If you're in a position to do single-stack IPv6-only with
IPv4 as a service (like T-Mobile USA or Kabel Deutschland), you'll end
up with a much simpler network that will be much easier to maintain
over the years. This also facilitates the use of IPv4 address sharing
solutions like lw4o6 and MAP, whose stateless nature makes them vastly
superior to traditional stateful Carrier Grade NAT44 boxes.

YMMV, of course.

Tore
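Added illustration of the tunneling-versus-translation point in the message above (example code, not part of the original mail or of any of the products named): a constructed Python model of DS-Lite style encapsulation next to 464XLAT/NAT64 style header replacement, showing why an IPv6 ACL entry like "next-header tcp, dst port 80" matches the translated packet but not the tunneled one, and that IPv4 options do not survive translation. The addresses, the TCP header bytes and the use of the well-known 64:ff9b::/96 prefix are constructed sample values.

```python
"""Constructed model of tunneling (DS-Lite style IPv4-in-IPv6) versus
protocol translation (464XLAT/NAT64 style). Not a real implementation."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, ip_address

PROTO_TCP = 6
PROTO_IPV4 = 4  # IPv6 next-header value for an encapsulated IPv4 packet
NAT64_PREFIX = IPv6Address("64:ff9b::")  # well-known NAT64 prefix (RFC 6052)
# Constructed TCP header: src port 1234, dst port 80, remaining fields zeroed
TCP_TO_80 = b"\x04\xd2\x00\x50" + b"\x00" * 16

@dataclass
class IPv4Packet:
    src: str
    dst: str
    proto: int
    options: list = field(default_factory=list)
    payload: bytes = b""

@dataclass
class IPv6Packet:
    src: str
    dst: str
    next_header: int
    payload: object = None  # inner IPv4 packet (tunnel) or L4 bytes (translation)

def tunnel(pkt, outer_src, outer_dst):
    """Tunneling: the original IPv4 header stays intact inside the IPv6 header."""
    return IPv6Packet(outer_src, outer_dst, PROTO_IPV4, pkt)

def translate(pkt, src6):
    """Translation: the IPv4 header is removed and replaced; IPv4 options are
    dropped (lossy) and the IPv4 destination is embedded in the NAT64 prefix."""
    dst6 = NAT64_PREFIX + int(ip_address(pkt.dst))
    return IPv6Packet(src6, str(dst6), pkt.proto, pkt.payload)

def untranslate(pkt6, src4):
    """Reverse translation; the dropped IPv4 options cannot be recovered."""
    dst4 = ip_address(int(IPv6Address(pkt6.dst)) - int(NAT64_PREFIX))
    return IPv4Packet(src4, str(dst4), pkt6.next_header, [], pkt6.payload)

def acl_matches(pkt6, dst_port):
    """An IPv6 ACL entry of the form 'next-header tcp, dst port N'."""
    if pkt6.next_header != PROTO_TCP or not isinstance(pkt6.payload, bytes):
        return False  # layer-4 header is not directly visible (or not TCP)
    return int.from_bytes(pkt6.payload[2:4], "big") == dst_port

def demo():
    orig = IPv4Packet("10.0.0.2", "192.0.2.1", PROTO_TCP, ["router-alert"], TCP_TO_80)
    tun = tunnel(orig, "2001:db8::1", "2001:db8::2")
    xlat = translate(orig, "2001:db8::3")
    return {"acl_sees_tunneled": acl_matches(tun, 80),        # False
            "acl_sees_translated": acl_matches(xlat, 80),     # True
            "tunnel_lossless": tun.payload == orig,           # True
            "options_survive_xlat":
                untranslate(xlat, orig.src).options == orig.options}  # False
```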
