
IPv4 to IPv6 Transition

October 26, 2014

So IPv6… we all know it's been coming for many years, and after World IPv6 Day last year and the follow-up earlier this year where some major players went full IPv6, the time is coming when we all must learn to at the very least cope with it.

Before I researched this topic I knew very little about the inner workings of IPv6, except that it has a much bigger address space: an IPv4 address is 32 bits (2^32 addresses) and an IPv6 address is 128 bits (2^128 addresses).

IPv6 Brief Overview

IPv6 addresses look like this: 2001:0db8:85a3:0042:0000:8a2e:0370:7334

IPv4 addresses look like this: 192.168.1.1

The loopback address for IPv6 is 0000:0000:0000:0000:0000:0000:0000:0001. IPv6 text notation lets you drop the leading zeros within each 16-bit group and replace one run of consecutive all-zero groups with "::" (only once per address, otherwise the notation would be ambiguous), so this can be written as just ::1. Because one address has many valid spellings, anything that matches addresses as strings (ACLs, log searches, allow-lists) should compare the parsed value rather than the text.

The loopback address for IPv4 is 127.0.0.1
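As an added illustration (not part of the original post), here is a small Python parser for the text form described above. It enforces the syntax rules (eight groups, one "::" standing for at least one zero group), produces the canonical RFC 5952 spelling, and shows why an ACL that matches addresses as strings is unsafe. The sample addresses are constructed for the example, and it deliberately does not handle the dotted-quad suffix form such as ::ffff:192.0.2.1.

```python
HEX = set("0123456789abcdef")


def expand(text):
    """Parse IPv6 text into eight 16-bit integers, enforcing the RFC 4291 syntax:
    at most one '::', which must stand for at least one all-zero group, and
    one to four hex digits per group. Dotted-quad endings are not handled."""
    text = text.strip().lower()
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("expected eight 16-bit groups")
    if not all(1 <= len(g) <= 4 and set(g) <= HEX for g in groups):
        raise ValueError("each group must be 1-4 hex digits")
    return [int(g, 16) for g in groups]


def compress(text):
    """Render the canonical RFC 5952 form: lowercase, no leading zeros, and '::'
    only for the longest run of two or more zero groups (the first run on ties).
    A single zero group is written as '0', never as '::'."""
    groups = expand(text)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i >= 2 and j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexes = [format(g, "x") for g in groups]
    if best_len == 0:
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def same_address(a, b):
    """Compare two addresses by value, not by spelling: the safe way to
    match an allow-list entry or a log line against an address."""
    return expand(a) == expand(b)


if __name__ == "__main__":
    # Constructed examples: the same host written three different ways.
    spellings = ["2001:DB8::1", "2001:0db8:0000:0000:0000:0000:0000:0001", "2001:db8:0:0:0:0:0:1"]
    print("string match:", len(set(spellings)), "distinct strings")
    print("value match: ", len({compress(s) for s in spellings}), "distinct address")
    print(compress("0000:0000:0000:0000:0000:0000:0000:0001"))  # ::1
```

The last two lines of the demo make the point: the three spellings are three different strings but one address, so a text-based allow-list would be bypassed by simply respelling the address.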

So even from this basic outline you can see there are considerable differences. This article isn't going to go into the depths of IPv6; it is a high-level view, and if you want more detail have a look at the Wikipedia article listed in the references.

The concept is that the IPv6 address space is so large that every device can have its own unique, globally routable address. For SMEs without Provider Independent address space (where the end user's company obtains its own IP addresses from the regional registry and routes them itself, rather than using addresses assigned by the ISP) this can be a pain, and life without NAT seems scary, so this is what I will discuss further below.

Current IPv4 setup

Our current IPv4 setup at my company uses private IPv4 ranges (e.g. 10.x.x.x) internally across our sites, plus a number of public IPv4 addresses provided by our ISP that we NAT through the firewall to internal addresses for things such as external access to intranets, webmail and various other services.

All end-user internet access from internal IP addresses is also NAT'd out via a single public IP address.

IPv6/IPv4 Interoperability

NAT64

At a basic level, NAT64 (RFC 6146 for the stateful form) lets IPv6-only hosts reach IPv4-only resources by embedding the IPv4 address inside an IPv6 address. Of the 128-bit IPv6 address, the first 96 bits are a NAT64 prefix (either the well-known prefix 64:ff9b::/96 or one carved from the operator's own space) that is routed to the NAT64 gateway, and the last 32 bits carry the IPv4 address of the destination. The gateway strips the prefix, rewrites the packet as IPv4 with a source address from its own IPv4 pool, and keeps a session mapping from (IPv6 source, port) to (IPv4 pool address, port) so that replies can be translated back to the IPv6 client.

DNS64

In the IPv4 world there are A records; in the IPv6 world there are AAAA records (referred to as 'quad-A'). Each provides name resolution for its own address family, not across families (an A record can't hold an IPv6 address, and vice versa). DNS64 (RFC 6147) lets an IPv6-only client resolve IPv4-only hosts by synthesizing AAAA records where no real AAAA record exists: it takes the IPv4 address returned by the A-record lookup and pairs it with the NAT64 prefix, embedding the IPv4 address in the last 32 bits of the IPv6 address.

Traffic sent to any address in that prefix is routed to the NAT64 device, which pulls the IPv4 address back out of the last 32 bits and opens the corresponding IPv4 connection, so from the IPv6 client's point of view it is just a normal connection. The NAT64 gateway then relays data between the IPv6 and IPv4 sides. Two caveats worth knowing: a synthesized AAAA record was never signed by the zone owner, so a validating stub resolver on the client will reject it, and because the client only ever sees IPv6 addresses, the gateway's session mappings are the only record tying an IPv6 client to an IPv4 flow, so log them if you will need them for incident response.
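The following Python is an added example covering both the NAT64 address layout and the DNS64 decision above; it is not code from the original post. It implements the RFC 6052 embedding for every defined prefix length (32, 40, 48, 56, 64 and 96 bits, where the reserved octet at bits 64-71 is skipped), the reverse extraction a NAT64 gateway performs (rejecting addresses whose reserved or suffix bits are not zero), and the DNS64 rule of synthesizing only when no real AAAA exists. The DNS record set, the host names and the 2001:db8 prefixes are constructed for the example; 64:ff9b::/96 is the well-known NAT64 prefix.

```python
import ipaddress


def embed_positions(prefix_len):
    """Byte offsets that hold the embedded IPv4 address for a NAT64 prefix
    of the given length (RFC 6052 section 2.2): the IPv4 bytes start right
    after the prefix, and byte 8 (bits 64-71, the reserved 'u' octet) is
    always skipped, so for /40, /48 and /56 the IPv4 address straddles it."""
    if prefix_len not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 prefix length must be 32, 40, 48, 56, 64 or 96")
    return [i for i in range(prefix_len // 8, 16) if i != 8][:4]


def synthesize(prefix, ipv4):
    """Embed an IPv4 address in the NAT64 prefix: what DNS64 does to fake an AAAA."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytearray(net.network_address.packed)  # prefix bits set, everything else zero
    for pos, octet in zip(embed_positions(net.prefixlen), ipaddress.IPv4Address(ipv4).packed):
        raw[pos] = octet
    return str(ipaddress.IPv6Address(bytes(raw)))


def extract(prefix, ipv6):
    """Recover the IPv4 address from a synthesized address: what the NAT64
    gateway does with the destination of each packet it translates.
    Returns None if the address is outside the prefix or breaks the layout."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    raw = addr.packed
    positions = embed_positions(net.prefixlen)
    # The 'u' octet and the suffix after the prefix must be zero (RFC 6052);
    # refusing anything else stops stray data riding along in the address.
    if any(raw[i] != 0 for i in range(net.prefixlen // 8, 16) if i not in positions):
        return None
    return str(ipaddress.IPv4Address(bytes(raw[i] for i in positions)))


# Constructed record set standing in for what a real resolver would fetch.
RECORDS = {
    "dual.example.": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "v4only.example.": {"A": ["192.0.2.33"], "AAAA": []},
}


def dns64_lookup(name, records=RECORDS, nat64_prefix="64:ff9b::/96"):
    """DNS64 (RFC 6147) decision: return real AAAA records when the zone has
    them, otherwise synthesize one AAAA per A record using the NAT64 prefix."""
    rr = records.get(name, {"A": [], "AAAA": []})
    if rr["AAAA"]:
        return list(rr["AAAA"])
    return [synthesize(nat64_prefix, a) for a in rr["A"]]


if __name__ == "__main__":
    for name in ("dual.example.", "v4only.example."):
        print(name, dns64_lookup(name))
    synthesized = dns64_lookup("v4only.example.")[0]
    print("gateway recovers", extract("64:ff9b::/96", synthesized))
    for plen in (32, 48, 96):
        print(f"/{plen}:", synthesize(f"2001:db8:122:344::/{plen}" if plen == 96 else f"2001:db8:122::/{plen}" if plen == 48 else f"2001:db8::/{plen}", "192.0.2.33"))
```

Running it shows the dual-stack name getting its genuine AAAA untouched while the IPv4-only name gets 64:ff9b::c000:221, which the gateway turns back into 192.0.2.33. The prefix-length loop at the end is there to show that the same IPv4 address lands in different words of the IPv6 address depending on how long the operator's NAT64 prefix is.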

Your ISP (or its upstream) may already be running NAT64/DNS64, but keep in mind what it is for: letting IPv6-only clients reach IPv4-only services. It does nothing to let IPv4-only clients reach IPv6 services, and it is not involved at all for a host that still has a working IPv4 path.

Changing your company to IPv6

1. In my current setup, and probably the same for a lot of SMEs and others, I have public IP addresses and these are NAT'd to internal IPv4 addresses. So my first question on migration is: how does this work in an IPv6 world?

Originally, the answer was that there would be no concept of internal versus external IPv6 ranges at all: there are enough addresses for everything to have its own public address.

This had two main problems:

  1. Multi-homed environments, where you have two internet connections and each ISP gives you its own separate address range. With IPv4 NAT, switching between connections was a simple firewall change; in an IPv6 world built purely on provider-assigned prefixes you would need to re-IP every single device on your network (or run both prefixes on every host at once and rely on every host picking the right source address for the link in use).
  2. If you wanted to change ISP, you would likewise need to re-IP everything in your environment.

So eventually the Internet Engineering Task Force (IETF) gave in and we got Network Prefix Translation (NPTv6, RFC 6296, published as Experimental rather than as a standard). This simply rewrites one IPv6 prefix to another, for example 2001:db8:cafe::/48 on the inside to 2001:db8:fea7::/48 on the outside, leaving the rest of the address alone. For multi-homing you run a single internal prefix and have the translator map it to whichever prefix each ISP assigned you on that ISP's link, so nothing needs to be advertised to the ISPs. Unlike IPv4 NAT it is stateless and one-to-one, and it is designed to be checksum-neutral (it adjusts one 16-bit word of the address so that transport checksums do not change), so it keeps no session table and hides nothing: every internal host is still reachable one-to-one through the translator unless the firewall says otherwise.

This does seem to fix those problems, although the other way of solving them is to get your own Provider Independent address space, at the cost of running your own routing with both ISPs.
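To make the NPTv6 mechanism concrete, here is an added Python example (not code from the original post or from any real translator) of the checksum-neutral /48-to-/48 mapping in RFC 6296: the translator swaps the 48-bit prefix and then adds a fixed one's complement "adjustment" to the subnet word (bits 48-63) so that the one's complement sum of the whole address, and therefore every TCP/UDP checksum computed over it, is unchanged. The internal prefix is a ULA and the external ones are documentation prefixes, constructed for the example (the first pair happens to be the one RFC 6296 uses in its own worked example, which is how the d550 result below can be checked); the second external prefix stands in for a second ISP to show the multi-homing case.

```python
import ipaddress
import struct


def to_words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    return list(struct.unpack("!8H", ipaddress.IPv6Address(str(addr)).packed))


def from_words(words):
    return str(ipaddress.IPv6Address(struct.pack("!8H", *words)))


def ones_add(a, b):
    """16-bit one's complement addition, the arithmetic of the IP/TCP/UDP checksum."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(words):
    """One's complement sum of 16-bit words; 0xFFFF is negative zero, reported as 0."""
    total = 0
    for w in words:
        total = ones_add(total, w)
    return 0 if total == 0xFFFF else total


class NPTv6:
    """Stateless, checksum-neutral /48 <-> /48 prefix translation (RFC 6296 section 3)."""

    def __init__(self, internal_prefix, external_prefix):
        inside = ipaddress.IPv6Network(internal_prefix)
        outside = ipaddress.IPv6Network(external_prefix)
        if inside.prefixlen != 48 or outside.prefixlen != 48:
            raise ValueError("this example implements the /48 case only")
        self.inside = to_words(inside.network_address)[:3]
        self.outside = to_words(outside.network_address)[:3]
        # adjustment = (sum of internal prefix words) - (sum of external prefix words),
        # computed once; adding it to the subnet word cancels the change in prefix sum.
        self.adjustment = ones_add(ones_sum(self.inside), ~ones_sum(self.outside) & 0xFFFF)

    def _rewrite(self, address, old, new, adjustment):
        words = to_words(address)
        if words[:3] != old:
            raise ValueError(f"{address} is not inside the prefix being translated")
        if words[3] == 0xFFFF:
            # 0xFFFF is one's complement zero, so it cannot be mapped back reversibly;
            # RFC 6296 reserves it, and a real translator drops such packets.
            raise ValueError("subnet word 0xFFFF cannot be translated")
        subnet = ones_add(words[3], adjustment)
        if subnet == 0xFFFF:  # negative zero: write the positive form instead
            subnet = 0
        return from_words(new + [subnet] + words[4:])

    def outbound(self, address):
        """Internal source address -> external address (packet leaving the site)."""
        return self._rewrite(address, self.inside, self.outside, self.adjustment)

    def inbound(self, address):
        """External destination address -> internal address (packet entering the site)."""
        return self._rewrite(address, self.outside, self.inside, ~self.adjustment & 0xFFFF)


if __name__ == "__main__":
    host = "fd01:203:405:1::1234"          # constructed internal host address
    isp_a = NPTv6("fd01:203:405::/48", "2001:db8:1::/48")
    isp_b = NPTv6("fd01:203:405::/48", "2001:db8:2::/48")
    for label, t in (("ISP A", isp_a), ("ISP B", isp_b)):
        out = t.outbound(host)
        print(label, host, "->", out, "->", t.inbound(out))
        print("  checksum-neutral:", ones_sum(to_words(host)) == ones_sum(to_words(out)))
```

The same internal host comes out as 2001:db8:1:d550::1234 via one ISP and 2001:db8:2:d54f::1234 via the other, and each maps back exactly; nothing on the host changed. Note that the subnet word does change (1 becomes d550), so anyone reading external addresses out of logs or firewall rules has to allow for that rather than expecting only the first 48 bits to differ.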

2. Also in my current setup, all end-user internet traffic goes out of the firewall NAT'd behind a single public IP address.

In an IPv6 world every computer has its own public IP address, and since NPTv6 is a one-to-one mapping there is no many-to-one equivalent of this.

However, some have security concerns about each device having a publicly routable IP and being reliant on just firewalls for security. What's interesting to remember is that this is how it was in the IPv4 world before NAT became ubiquitous in the late 1990s (NAT was first described in RFC 1631 in 1994, as a sticky plaster to stretch the address space). The protection actually comes from the firewall's default-deny inbound policy, not from the address translation; RFC 4864 in the references covers this in detail. The remaining concern, that a stable public address lets an outside observer track a particular host over time, is what IPv6 Privacy Extensions (RFC 4941) address.

As from the RFC:

Privacy extensions add a random time-limited factor to the host part
of an IPv6 address and will make it very hard for an external element
to keep correlating the IPv6 address to a specific host on the inside
network

Well, that's a general overview of what I know so far. It's a headache, although I'm not half as concerned about it as I was before. In summary though, it's quite a while until we will need to do anything. I'm still unsure what individual companies will need to do…

References

http://www.worldipv6launch.org/

http://en.wikipedia.org/wiki/IPv6

http://en.wikipedia.org/wiki/Provider-independent_address_space

http://en.wikipedia.org/wiki/NAT64

http://en.wikipedia.org/wiki/IPv6_transition_mechanisms

http://blog.ioshints.info/2011/12/we-just-might-need-nat66.html (brief, slightly complex but interesting)

http://www.howfunky.com/2012/02/ipv6-to-ipv6-network-prefix-translation.html (good overview)

http://networkingnerd.net/2011/12/01/whats-the-point-of-nat66/ (quite biased towards large enterprise perspective, but still interesting)

http://blogs.cisco.com/borderless/why-would-anyone-need-an-ipv6-to-ipv6-network-prefix-translator/ (complex blog, but really really good and contradicts the above blog post)

http://www.theregister.co.uk/2012/03/31/ipv6_sucks_for_smes/ (overview, take with pinch of salt!)

http://www.cisco.com/en/US/docs/ios/ios_xe/ipaddr/configuration/guide/iad_stateless_nat64_xe.html (It's Cisco, it's complex, detailed, but very good)

http://tools.ietf.org/html/rfc4864 (this addresses local network protection for IPv6)

http://networkingnerd.net/2012/04/02/ipv6-nat-and-the-sme-a-response/ (great article about IPv6, NAT and the SME, really helped my understanding)

Mark
