[181918] in North American Network Operators' Group
Re: How to build an IPv6-only internal network?
daemon@ATHENA.MIT.EDU (Fred Baker (fred))
Thu Jul 9 03:43:56 2015
X-Original-To: nanog@nanog.org
From: "Fred Baker (fred)" <fred@cisco.com>
To: Cryptographrix <cryptographrix@gmail.com>
Date: Wed, 8 Jul 2015 20:23:58 +0000
In-Reply-To: <CAPPYGuwRqOUuTymLA0vGKq=otnPQx-nPKwkNLpK=tJ1KukCJBQ@mail.gmail.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> On Jul 8, 2015, at 12:53 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
>
> Hypothetically, I want to build an internal network that runs just IPv6 and
> apply stateless ACLs at redundant external connections.
>
> How do users access the current v4 address space?
There are two short answers:
(1) they don't
(2) they use NAT64 (RFC 6146/6147) translation
https://tools.ietf.org/html/rfc6052
6052 IPv6 Addressing of IPv4/IPv6 Translators. C. Bao, C. Huitema, M.
Bagnulo, M. Boucadair, X. Li. October 2010. (Format: TXT=41849
bytes) (Updates RFC4291) (Status: PROPOSED STANDARD) (DOI:
10.17487/RFC6052)
https://tools.ietf.org/html/rfc6146
6146 Stateful NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers. M. Bagnulo, P. Matthews, I. van Beijnum.
April 2011. (Format: TXT=107954 bytes) (Status: PROPOSED STANDARD)
(DOI: 10.17487/RFC6146)
https://tools.ietf.org/html/rfc6147
6147 DNS64: DNS Extensions for Network Address Translation from IPv6
Clients to IPv4 Servers. M. Bagnulo, A. Sullivan, P. Matthews, I.
van Beijnum. April 2011. (Format: TXT=75103 bytes) (Status: PROPOSED
STANDARD) (DOI: 10.17487/RFC6147)
https://tools.ietf.org/html/rfc6877
6877 464XLAT: Combination of Stateful and Stateless Translation. M.
Mawatari, M. Kawashima, C. Byrne. April 2013. (Format: TXT=31382
bytes) (Status: INFORMATIONAL) (DOI: 10.17487/RFC6877)
With NAT64, a translator advertises a 96 bit prefix into the IPv6-only
network as defined in RFC 6052, and attracts traffic destined to an
address within it (which has an IPv4 address jammed into the last 32
bits) to the translator. The DNS translator, when asked for a AAAA
record, either has one or doesn't; if it doesn't have one, it concocts a
AAAA record from said prefix and the IPv4 address and returns that. The
translator extracts the IPv4 address from the destination address, and
does a stateful mapping of the IPv6 source address similar to present
NAT44 solutions.
There are several products on the market.
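The DNS64 synthesis and NAT64 extraction steps described in the reply above, as an added example that is not part of the original message. It assumes a /96 prefix only; `WKP` is the RFC 6052 well-known prefix, while `SITE` (a documentation prefix) and all function names are constructed for illustration.

```python
import ipaddress

# RFC 6052 well-known prefix.
WKP = ipaddress.IPv6Network("64:ff9b::/96")
# Constructed network-specific prefix (documentation range), an assumption.
SITE = ipaddress.IPv6Network("2001:db8:64::/96")


def synthesize(prefix, v4):
    """DNS64 side: place an IPv4 address in the last 32 bits of a /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles only /96 prefixes")
    v4 = ipaddress.IPv4Address(v4)
    # RFC 6052 section 3.1: the well-known prefix must not be used to
    # represent non-global IPv4 addresses such as RFC 1918 space.
    if prefix == WKP and not v4.is_global:
        raise ValueError(f"{v4} is not global; not valid under {WKP}")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def dns64_answer(prefix, aaaa_records, a_records):
    """Return real AAAA records if the name has any, else synthesized ones."""
    if aaaa_records:
        return [ipaddress.IPv6Address(r) for r in aaaa_records]
    return [synthesize(prefix, r) for r in a_records]


def extract(prefix, v6):
    """NAT64 side: recover the IPv4 destination, or None if outside the prefix."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


if __name__ == "__main__":
    addr = dns64_answer(SITE, [], ["192.0.2.33"])[0]
    print(addr, "->", extract(SITE, addr))
```

Because the IPv4 destination is recoverable from the low 32 bits, a stateless ACL on the IPv6-only side can match translated destinations by writing the IPv4 range under the translator's /96.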