I spent a WEEK without IPv4 to understand IPv6 transition mechanisms :: apalrd’s adventures
The time has come to talk about something uncomfortable for many of you. You’ve been using legacy methods for far too long. It’s time to move to IPv6.
But, of course, there’s a lot more to IPv6 than ‘just’ switching everything over. A lot of systems in the world still haven’t adopted it after nearly 25 years, and although software support is practically a requirement these days, that doesn’t mean it’s widely enabled. There are also still a lot of misconceptions from network administrators who are afraid of, or don’t properly understand, IPv6, and I want to address all of that.
But, for me to describe the best setup for your networks going forward, I need to understand for myself how all of the IPv6 transition mechanisms and behaviors work. To learn where transition mechanisms fail, I’m spending an entire week with only IPv6 and reporting on what works and what doesn’t.
At the start of this, I’d like to stress that the NAT you know and hate was not imagined when the Internet Protocol was created, and in many ways has introduced a huge amount of headache in routing. You should stop thinking of NAT as a security mechanism and think of it as the emergency address-exhaustion prevention that it is. Likewise, CG-NAT is a dire emergency address-exhaustion prevention mechanism that nobody really wants to deploy unless they absolutely must. Don’t blame your provider when they deploy CG-NAT; embrace IPv6 and global routing instead.
The biggest hurdle to implementing IPv6 on your own usually isn’t ISP support, router support, or client support. It’s the mental process of un-learning the legacy methods of network design. With IPv6, we aren’t just copying the mistakes of IPv4 and adding a wider address space; we’re going back to how the Internet Protocol was meant to behave before we started running out of addresses, eliminating network address translation, and generally placing a stronger emphasis on proper subnet design and routing.
So, here are a few quick notes that are essential to understanding IPv6:
- Addresses are 128 bits long and written as 8 four-digit hex blocks separated by colons (e.g. fd69:beef:cafe:feed:face:6969:0420:0001)
- Leading zeros can be omitted (e.g. 0420 can become 420, but not 42)
- Groups of zeros can be omitted with two colons, but only once in an address (e.g. 2000:1::1, but not 2000::1::1, as that’s ambiguous)
- Network prefixes are (practically) always 64 bits long, with a 64-bit client suffix, using CIDR notation (e.g. 2000::/3)
- All addresses should be treated as if they are globally unique, even if they are only internal to our organization
- You are encouraged to have as many addresses as you want on a single interface, for different purposes or scopes
- Similarly, we can have multiple routers advertising prefixes on the same layer 2 domain, and this is also encouraged
- We no longer need to centrally assign addresses via DHCP, since nodes can now assign themselves addresses in the huge 64-bit local client space
- Since everything is globally routable and unique, we have no need for network address translation or port forwarding
A question I get over and over when I bring up IPv6 is ‘what advantages does this bring to my home lab network’. So, here are some reasons you should start using IPv6 inside your own network:
- If you are behind carrier-grade NAT on IPv4, your IPv6 connectivity will still be globally routable and can receive incoming connections such as VPNs or game servers. I’ve found that I can host servers on a cellular hotspot using IPv6
- Peer-to-peer communications such as gaming usually need to deal with NAT traversal, but with IPv6 this is no longer an issue, especially for multiple gamers using the same connection
- IPsec VPN is widely used but often performs poorly as it struggles to traverse NAT, so like gaming this isn’t an issue with IPv6
- Since we always have a link-local address, we don’t need to assign addresses at all on point-to-point links or isolated networks
- If you want to host services, you don’t need to use different ports or a reverse proxy to separate traffic from the single port on the singular WAN address
- This same advantage applies to single servers, where you can assign multiple addresses for different services, potentially using the same port
The primary methods of transition are Dual-Stack, SIIT, NAT64, and 464XLAT, each of which increases in complexity and has different advantages.
Dual Stack
Generally, you’ll end up deploying dual-stack networks. With this setup, both IPv4 and IPv6 are fully deployed across the entire network. Resources are accessible via one or the other IP version, all network segments must be assigned both an IPv4 and an IPv6 subnet, and all routers must have routing tables for both IPv4 and IPv6. Clients may choose to access any resource via either IP version, likely receiving both A and AAAA records for destinations. As you can see, this is manageable for home networks with only one router but is generally difficult to scale. Still, it’s the easiest way to deploy IPv6 in your home network or small organization.
Stateless IP/ICMP Translation
If you’d like to avoid duplicating routing tables and your entire routing configuration, you can transition fully to IPv6 and statelessly translate between IPv4 and IPv6 at the edge of your network. This method is called ‘Stateless IP/ICMP Translation’ and is best suited to applications where each system that needs to reach the public IPv4 internet has a public IPv4 address, such as datacenters. This way, the public IPv4 addresses can be statelessly translated 1:1 to IPv6 destinations and relayed to IPv6-only servers, allowing the datacenter to operate fully IPv6 internally while still providing access to public IPv4 clients. However, this method doesn’t perform traditional source NAT / masquerade as would normally be used in IPv4 networks.
Another mechanism is NAT64. This operates similarly to ‘legacy’ IPv4 NAT, in that we have a pool of addresses which we’re masquerading behind a single public address. However, in our case, the address pool is IPv6 and the public address is IPv4. So, the NAT64 server takes requests from local IPv6 clients with the destination IPv4 address encoded into the destination IPv6 address (usually using the well-known prefix 64:ff9b::/96 and appending the 32-bit IPv4 address at the end). It then performs protocol, address, and port translation as it would in IPv4 NAT, and outgoing connections leave the NAT64 server appearing as a normal network behind a single public IPv4 address. The downside to this is that clients need to know that they should be connecting to IPv4 destinations. Like traditional NAT, this is a stateful transition and makes the NAT64 gateway a potential choke point on the network (as the NAT service always has been).
The most common mechanism used alongside NAT64 is DNS64. In this transition mechanism, the DNS server is aware that it’s serving an IPv6-only network and knows the prefix in use for NAT64 translation. If the DNS server encounters a query which has no AAAA record but does have a valid A record, it will synthesize an AAAA record by combining the A record with the NAT64 prefix. Now, any client software which uses DNS will automatically connect to the NAT64 gateway for access to the IPv4 internet via IPv6.
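The address embedding both mechanisms rely on, as an added example rather than code from the post: DNS64 synthesizes an AAAA from an A record and the NAT64 prefix only when no real AAAA exists, and the NAT64 gateway recovers the IPv4 destination from the low 32 bits. Only the /96 form of the prefix is handled (RFC 6052 also defines shorter prefixes); the zone data is constructed.

```python
# Added example, not from the original post: DNS64 synthesis and the matching
# NAT64-side extraction, using the well-known 64:ff9b::/96 prefix.
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # well-known prefix (RFC 6052)


def synthesize_aaaa(ipv4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(ipv6, prefix=NAT64_PREFIX):
    """Gateway side: recover the IPv4 destination, or None if the address is not in the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None  # native IPv6 destination, route it normally
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_answer(name, records, prefix=NAT64_PREFIX):
    """DNS64 rule: a real AAAA is returned untouched; with only A records, one
    AAAA is synthesized per A record; with neither, the answer stays empty."""
    rrs = records.get(name, {})
    if rrs.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in rrs["AAAA"]]
    return [synthesize_aaaa(a, prefix) for a in rrs.get("A", [])]


# Constructed zone data standing in for the upstream resolver's answers
RECORDS = {
    "dual.example.": {"A": ["192.0.2.1"], "AAAA": ["2001:db8::1"]},
    "v4only.example.": {"A": ["198.51.100.7", "198.51.100.8"]},
    "nowhere.example.": {},
}
```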
464XLAT
Along with DNS64, the final mechanism that can be deployed in a NAT64 network is called ‘464XLAT’. Conceptually it’s nearly identical to a combination of NAT64 at the network level and SIIT at the individual device level (4->6 1:1 followed by 6->4 NAT), although different terminology is often used because of the different organizations which developed it. The NAT64 server at the edge of the network usually performs customer NAT or CG-NAT, and is called the ‘PLAT’ (Provider side transLATor). Each client then runs its own ‘CLAT’ (Customer side transLATor), which self-assigns an IPv4 address in its networking stack as well as an IPv6 address to communicate with the PLAT. Client applications which send packets using IPv4 see the CLAT’s IPv4 address as the default IPv4 route, and the CLAT then performs stateless 4->6 translation. This removes or reduces the need for DNS64, imposes network requirements similar to a NAT64 gateway, and allows compatible clients to perform IPv4->IPv6 translation if they need direct IPv4 communication. This is usually the method used inside ISP networks, as their NAT64/PLAT entity would already be required as a CG-NAT gateway and they can implement the CLAT service on their modem/gateway to give the appearance of end-to-end IPv4 to customers with no downsides.
On our own networks, using 464XLAT is often limited by client software support. iOS and macOS both have native CLAT functions which will activate automatically, but older versions of macOS and essentially every other OS currently in use don’t do so automatically. That said, it’s easy to deploy both 464XLAT and DNS64 on the same network, so clients without native 464XLAT support will fall back on DNS64 and only have issues with IPv4 literals in certain peer-to-peer software.
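The stateless 4->6 step a CLAT performs on each packet (the same SIIT translation described earlier, applied on the client), as an added example and not code from the post: the IPv4 header becomes an IPv6 header, the source lands in a prefix the CLAT owns, the destination in the PLAT’s NAT64 prefix, and the UDP checksum is recomputed because its pseudo-header covers the new addresses. The CLAT prefix 2001:db8:1::/96 and the packet are constructed; only unfragmented UDP without IP options is handled.

```python
# Added example, not from the original post: CLAT-style stateless IPv4/UDP -> IPv6/UDP
# header translation (RFC 7915 subset: DF set, no options, no fragments).
import ipaddress
import struct

CLAT_PREFIX = ipaddress.IPv6Network("2001:db8:1::/96")  # constructed, owned by the CLAT
PLAT_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")     # well-known NAT64 prefix


def embed(prefix, v4):
    """Place a 32-bit IPv4 address in the low 32 bits of a /96 prefix."""
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def checksum16(data):
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def udp6_pseudo(src6, dst6, udp):
    """IPv6 pseudo-header (RFC 8200): addresses, upper-layer length, zeros, next header."""
    return src6 + dst6 + struct.pack("!IxxxB", len(udp), 17)


def clat_translate(pkt):
    """Translate one IPv4/UDP packet to IPv6/UDP; TTL -> hop limit, protocol -> next header."""
    ver_ihl, tos, tot_len, _id, flags, ttl, proto, _cs, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl != 0x45 or flags != 0x4000 or proto != 17:
        raise NotImplementedError("options, fragments and non-UDP need the rest of RFC 7915")
    src6 = embed(CLAT_PREFIX, ipaddress.IPv4Address(src)).packed
    dst6 = embed(PLAT_PREFIX, ipaddress.IPv4Address(dst)).packed
    udp = bytearray(pkt[20:tot_len])
    hdr6 = struct.pack("!IHBB16s16s", (6 << 28) | (tos << 20), len(udp), proto, ttl, src6, dst6)
    # New addresses change the pseudo-header, so the UDP checksum must be recomputed;
    # IPv6 forbids a zero UDP checksum, so an all-zero result is sent as 0xFFFF.
    udp[6:8] = b"\x00\x00"
    udp[6:8] = struct.pack("!H", checksum16(udp6_pseudo(src6, dst6, udp) + udp) or 0xFFFF)
    return hdr6 + bytes(udp)


def udp6_checksum_ok(pkt6):
    """Receiver-side check: pseudo-header plus UDP (checksum included) must sum to zero."""
    src6, dst6, udp = pkt6[8:24], pkt6[24:40], pkt6[40:]
    return checksum16(udp6_pseudo(src6, dst6, udp) + udp) == 0


def sample_ipv4_udp():
    """Constructed IPv4/UDP packet: 192.0.2.10:40000 -> 198.51.100.7:53, payload b'abcd'."""
    s, d = ipaddress.IPv4Address("192.0.2.10").packed, ipaddress.IPv4Address("198.51.100.7").packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 32, 0x1234, 0x4000, 64, 17, 0, s, d)
    hdr = hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:]
    return hdr + struct.pack("!HHHH", 40000, 53, 12, 0) + b"abcd"
```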
A summary of the lessons I learned in my week without IPv4:
- IPv6 is completely ready for prime time and has been for a while
- About half of the sites I rely on support IPv6 natively, so there needs to be more pressure on site admins and CDNs to support IPv6 natively
- There seems to be a lack of drive (judging by forum posts) to enable IPv6 on internet services by admins, either because they don’t care to, or because it’s more work to manage both a public IPv4 and a public IPv6 presence
- Networks should be designed IPv6-first instead of IPv4-first, and this design approach largely solves most of the major issues
- NAT64 should replace traditional NAT in network architectures and is essentially a drop-in replacement pending better software support by routers
- DNS64 alone is a mostly usable transition mechanism and can be ‘enough’ for public WiFi or other well-managed networks where you know which services matter to you or don’t mind peer-to-peer IPv4 addresses failing
- 464XLAT is a solution with no user-visible downsides and is the way ISP networks should be deployed going forward, combined with CG-NAT
- Apple has excellent IPv6 support on their devices, fully supporting automatic configuration of 464XLAT on devices with NAT64, and overall a good attitude toward forcing IPv6 support from developers
- Other operating systems are a bit hit and miss