IPv4/IPv6 Translation directly converts an address from IPv4 to IPv6 or IPv6 to IPv4.
This allows, for example, an IPv6-only host to communicate with an IPv4-only server across the Internet. Another use case is an IPv6-only host in the campus or branch that wants to communicate with an IPv4-only server in the data center.
What happens during translation is that an entire packet from one address family becomes the payload inside a packet from the other address family. This is called encapsulation. Translation can happen at the IP, transport, and application layers.
Translation can happen in the operating system of the source and destination nodes. Translation can also be done at a device between the IPv6 node and the IPv4-only node. Such devices include routers, load balancers and firewalls.
Pro Tip: The protocol header and the protocol payload could go through changes during the conversion. For example, the IPv6 flow label would be lost when translating to IPv4.
There are many transition technologies to choose from based on the organization's technical and business needs. It’s important to consider long-term goals and the level of support that’s offered with the various choices.
NAT64 is usually deployed with DNS64. This is a very common solution.
NAT64 with DNS64
DNS64 can use two types of records for name resolution:
- IPv4 uses an A record
- IPv6 uses an AAAA record, also called a “quad-A” record
Let’s suppose an IPv6-only host within our organization wants to connect to an external web site that is IPv4 only.
The user types www.BuyIt.com into their web browser, and the host then requests an IPv6 address for www.BuyIt.com from the DNS64 server. Since www.BuyIt.com is served only by an IPv4-only server, when DNS64 checks for both an A record (IPv4) and an AAAA record (IPv6), it finds only the A record, so it knows only an IPv4 address.
DNS64 will then create an IPv6 address from the IPv4 address; this synthesized address is only used privately within the organization. The IPv6 address for www.BuyIt.com is then returned to the internal host.
The host then attempts to reach the web site using the IPv6 address it received from the DNS server. Since the host knows that this destination doesn’t live in the organization's network, the packet is sent to the default gateway, which is running NAT64.
NAT64 will then translate (by encapsulating) the IPv6 address into an IPv4 address and send the packet to the Internet over an IPv4 connection with the ISP.
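The DNS64 step described above can be shown as a small worked example. The code below is an added illustration, not part of the original article: it synthesizes an AAAA answer by embedding the IPv4 address in the low 32 bits of a /96 NAT64 prefix, the way RFC 6052 defines it, and shows the reverse extraction the NAT64 gateway performs. The well-known prefix 64:ff9b::/96 and the A record for www.BuyIt.com (a documentation address, 192.0.2.1) are assumptions made for the example; the article itself does not name a prefix, and a real deployment may use an organization-specific prefix instead.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# RFC 6052 well-known NAT64 prefix (assumption: the article does not name one).
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def dns64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 prefix (RFC 6052 layout)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    v6 = ipaddress.IPv6Address(int(prefix.network_address) | int(v4))
    return str(v6)


def nat64_extract(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> Optional[str]:
    """Reverse step done by the NAT64 gateway: recover the IPv4 address, or None
    if the destination is not inside the NAT64 prefix (i.e. a native IPv6 host)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def resolve_with_dns64(records: Dict[Tuple[str, str], List[str]], name: str) -> List[str]:
    """Mimic a DNS64 resolver: hand back real AAAA records if they exist,
    otherwise synthesize AAAA answers from the A records."""
    aaaa = records.get((name, "AAAA"), [])
    if aaaa:
        return aaaa
    return [dns64_synthesize(a) for a in records.get((name, "A"), [])]


# Constructed sample zone data: BuyIt.com is IPv4-only, the other site is dual-stack.
SAMPLE_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("www.BuyIt.com", "A"): ["192.0.2.1"],
    ("dualstack.example", "A"): ["198.51.100.7"],
    ("dualstack.example", "AAAA"): ["2001:db8:1::7"],
}

if __name__ == "__main__":
    for host in ("www.BuyIt.com", "dualstack.example"):
        answers = resolve_with_dns64(SAMPLE_RECORDS, host)
        print(host, "->", answers, "| NAT64 sees:", [nat64_extract(a) for a in answers])
```

The resolver only synthesizes when no AAAA record exists, which is why a dual-stack site is reached natively while the IPv4-only site gets a prefix-embedded address that the NAT64 gateway can later unwrap.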
There are two methods that NAT64 can use for the translation – Stateful and Stateless.
Stateful NAT64 means that there is a state table with port mappings between IPv4/IPv6 addresses. Many internal IPv6 addresses can be converted into the same public IPv4 address. Each traffic flow, however, will be assigned a different port number.
When NAT64 receives traffic from the public Internet, it will look to the stateful table to ensure that the traffic flow was initiated from within the organization.
If the flow was initiated from within the organization, it will remove the IPv4 address from the packet header(s) and replace it with the private IPv6 address for the internal host that initiated the flow.
If there is no mapping in the table, NAT64 will know that the flow did not originate from within the organization and the packet(s) will be dropped. In this way, NAT64 acts like a stateful firewall.
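The stateful behaviour described in the last few paragraphs, as an added example that is not part of the original article: a toy NAT64 translator with one public IPv4 address allocates a distinct port per outbound flow, records the mapping, and only translates inbound packets that match an existing entry; anything else is dropped, which is the stateful-firewall property the text mentions. The public address 203.0.113.10, the internal hosts in 2001:db8::/32 and the 64:ff9b::/96 prefix are constructed documentation values, not values from the article.

```python
import ipaddress
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, int, str, int]          # (internal_v6, internal_port, remote_v4, remote_port)
TableKey = Tuple[int, str, int]              # (public_port, remote_v4, remote_port)


class StatefulNAT64:
    """Minimal stateful NAT64: many IPv6 hosts share one public IPv4 address,
    distinguished by the port the translator assigns to each flow."""

    def __init__(self, public_v4: str, prefix: str = "64:ff9b::/96", first_port: int = 1024):
        self.public_v4 = public_v4
        self.prefix = ipaddress.IPv6Network(prefix)   # assumption: RFC 6052 well-known prefix
        self.next_port = first_port
        self.flows: Dict[FlowKey, int] = {}           # outbound lookup -> assigned public port
        self.table: Dict[TableKey, Tuple[str, int]] = {}  # inbound lookup -> internal host/port

    def _embedded_v4(self, v6: str) -> str:
        """Recover the IPv4 address embedded in a DNS64-synthesized address."""
        addr = ipaddress.IPv6Address(v6)
        if addr not in self.prefix:
            raise ValueError("destination is not a NAT64-synthesized address")
        return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))

    def _synthesized_v6(self, v4: str) -> str:
        """Re-embed a remote IPv4 source address for the reply sent to the IPv6 host."""
        return str(ipaddress.IPv6Address(int(self.prefix.network_address) | int(ipaddress.IPv4Address(v4))))

    def outbound(self, src_v6: str, src_port: int, dst_v6: str, dst_port: int) -> Tuple[str, int, str, int]:
        """Translate an IPv6 packet leaving the organization; create state on first use."""
        dst_v4 = self._embedded_v4(dst_v6)
        key: FlowKey = (src_v6, src_port, dst_v4, dst_port)
        if key not in self.flows:
            port = self.next_port
            self.next_port += 1
            self.flows[key] = port
            self.table[(port, dst_v4, dst_port)] = (src_v6, src_port)
        return (self.public_v4, self.flows[key], dst_v4, dst_port)

    def inbound(self, src_v4: str, src_port: int, dst_v4: str, dst_port: int) -> Optional[Tuple[str, int, str, int]]:
        """Translate an IPv4 packet arriving from the Internet, or return None to drop it
        when no internal host initiated the matching flow."""
        if dst_v4 != self.public_v4:
            return None
        entry = self.table.get((dst_port, src_v4, src_port))
        if entry is None:
            return None                                # unsolicited: dropped like a stateful firewall
        internal_v6, internal_port = entry
        return (self._synthesized_v6(src_v4), src_port, internal_v6, internal_port)


if __name__ == "__main__":
    nat = StatefulNAT64("203.0.113.10")
    # Two internal hosts reach the same IPv4-only web server through one public address.
    print(nat.outbound("2001:db8::10", 40000, "64:ff9b::c000:201", 443))
    print(nat.outbound("2001:db8::11", 40000, "64:ff9b::c000:201", 443))
    # The server's reply is mapped back; an unsolicited packet is dropped.
    print(nat.inbound("192.0.2.1", 443, "203.0.113.10", 1024))
    print(nat.inbound("198.51.100.9", 80, "203.0.113.10", 1024))
```

Each flow gets its own public port, so the reply from 192.0.2.1 to port 1024 can be mapped back to exactly one internal host, while a packet from a different remote address to the same port finds no entry and is discarded.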
Stateful NAT64 is much more common than Stateless NAT64. Some reasons for its greater popularity are that it helps with troubleshooting and monitoring and that it enhances security.