How to build an IPv6-only internal network?

Fred Baker (fred) fred at cisco.com
Wed Jul 8 20:23:58 UTC 2015


> On Jul 8, 2015, at 12:53 PM, Cryptographrix <cryptographrix at gmail.com> wrote:
> 
> Hypothetically, I want to build an internal network that runs just IPv6 and
> apply stateless ACLs at redundant external connections.
> 
> How do users access the current v4 address space?

There are two short answers:

(1) they don't
(2) they use NAT64 (RFC 6146/6147) translation

https://tools.ietf.org/html/rfc6052
6052 IPv6 Addressing of IPv4/IPv6 Translators. C. Bao, C. Huitema, M.
     Bagnulo, M. Boucadair, X. Li. October 2010. (Format: TXT=41849
     bytes) (Updates RFC4291) (Status: PROPOSED STANDARD) (DOI:
     10.17487/RFC6052)

https://tools.ietf.org/html/rfc6146
6146 Stateful NAT64: Network Address and Protocol Translation from IPv6
     Clients to IPv4 Servers. M. Bagnulo, P. Matthews, I. van Beijnum.
     April 2011. (Format: TXT=107954 bytes) (Status: PROPOSED STANDARD)
     (DOI: 10.17487/RFC6146)

https://tools.ietf.org/html/rfc6147
6147 DNS64: DNS Extensions for Network Address Translation from IPv6
     Clients to IPv4 Servers. M. Bagnulo, A. Sullivan, P. Matthews, I.
     van Beijnum. April 2011. (Format: TXT=75103 bytes) (Status: PROPOSED
     STANDARD) (DOI: 10.17487/RFC6147)

https://tools.ietf.org/html/rfc6877
6877 464XLAT: Combination of Stateful and Stateless Translation. M.
     Mawatari, M. Kawashima, C. Byrne. April 2013. (Format: TXT=31382
     bytes) (Status: INFORMATIONAL) (DOI: 10.17487/RFC6877)

With NAT64, a translator advertises a 96-bit prefix into the IPv6-only network as defined in RFC 6052, and attracts traffic destined to an address within it (which has an IPv4 address jammed into the last 32 bits) to the translator. The DNS translator, when asked for a AAAA record, either has one or doesn't; if it doesn't have one, it concocts a AAAA record from said prefix and the IPv4 address and returns that. The translator extracts the IPv4 address from the destination address, and does a stateful mapping of the IPv6 source address similar to present NAT44 solutions.

There are several products on the market.
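
The address handling described in the message, as an added example that is not part of the original post: it synthesizes the AAAA address from a prefix plus an IPv4 address and recovers the IPv4 destination again, which is also what you need when reading ACL hits or flow logs on the IPv6-only side. It goes beyond the /96 case in the text and covers every RFC 6052 prefix length; the function names and the sample addresses (the well-known prefix 64:ff9b::/96 and the documentation address 192.0.2.33) are choices made for this example.

```python
import ipaddress

# RFC 6052 allows only these prefix lengths; the message describes the /96 case.
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)

def check_prefix(prefix):
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    if net.network_address.packed[8] != 0:
        raise ValueError("bits 64-71 of the prefix must be zero")
    return net

def embed(prefix, ipv4):
    """Build the IPv6 address a DNS64 would synthesize for an IPv4 address."""
    net = check_prefix(prefix)
    out = bytearray(net.network_address.packed[:net.prefixlen // 8])
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if len(out) == 8:
            out.append(0)              # reserved octet "u" (bits 64-71) stays zero
        out.append(octet)
    out.extend(bytes(16 - len(out)))   # zero suffix
    return ipaddress.IPv6Address(bytes(out))

def extract(prefix, ipv6):
    """Recover the IPv4 destination, as the translator does; None if not ours."""
    net = check_prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net or addr.packed[8] != 0:
        return None
    start = net.prefixlen // 8
    body = [addr.packed[i] for i in range(start, 16) if i != 8][:4]
    return ipaddress.IPv4Address(bytes(body))

def dns64_answer(prefix, aaaa_records, a_records):
    """Return real AAAA data when it exists, otherwise synthesize from A data."""
    if aaaa_records:
        return [ipaddress.IPv6Address(r) for r in aaaa_records]
    return [embed(prefix, a) for a in a_records]

if __name__ == "__main__":
    wkp = "64:ff9b::/96"                               # well-known prefix, RFC 6052
    print(dns64_answer(wkp, [], ["192.0.2.33"]))       # constructed IPv4-only name
    print(extract(wkp, "64:ff9b::c000:221"))           # translated destination
    print(extract(wkp, "2001:db8::1"))                 # native IPv6, not translated
```
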