IPv6? No Problem, we’ll just use NAT… or NOT!

IPv6 is coming. It will be here soon. Just how soon for you I can’t say, but I am sure that for some organisations, no matter when it happens, it will be too soon.

What do you need to do? There are a number of things. The first would be to start planning. One of the parts of the plan will be to decide on an addressing strategy. One plan I have heard for this is “I will just replicate the network addressing I have by mapping all my IPv4 addresses into the IPv6 space and do everything the way I do now, including NAT. How hard can it be?”

Well, like most things, it’s not that simple. Your IPv6 addressing strategy is likely to be a bit more complex than that. In particular, NAT has complications. Historically, in the IPv4 world, NAT has been used for three main purposes:

- Overcome the depletion of addresses (or address amplification)
- Hide the internals of the network (security by obscurity)
- Provide for service provider independence (or network portability)

NAT was so successful because it served its purpose well. It did allow us to avoid or postpone issues with address depletion, and provide a level of security, but NAT was not without its problems. NAT breaks the fundamental premise on which the internet was built: that every device is able to connect transparently with every other device.

Many applications have needed “fix-ups” to allow them to cater for NAT, in particular applications which embed IP address information in other parts of the IP packet in addition to the header address fields. Two well-known applications in this class include SIP and DNS, but there are others.
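The effect on such an application, as an added example that is not part of the original post: a constructed SIP INVITE passes through a model NAT that rewrites only the header source address, and a check lists the payload fields that still advertise the inside address. The packet model, the addresses and the function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: a SIP INVITE with an SDP body sent by an inside host
# (all addresses and names are made up for this example).
SIP_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:alice@10.1.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.1.1.20\r\n"
    "c=IN IP4 10.1.1.20\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
IPV4_LITERAL = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def nat_header_only(packet, inside, outside):
    """Model a NAT with no fix-up: rewrite the header source, leave the payload."""
    translated = dict(packet)
    if packet["src"] == inside:
        translated["src"] = outside
    return translated


def stale_embedded_addresses(packet):
    """Return (field, address) pairs in the payload that differ from the header source."""
    stale = []
    for line in packet["payload"].splitlines():
        field = re.split(r"[:=]", line, maxsplit=1)[0]
        for literal in IPV4_LITERAL.findall(line):
            try:
                addr = ipaddress.ip_address(literal)
            except ValueError:
                continue  # dotted-quad shape but not a valid address
            if str(addr) != packet["src"]:
                stale.append((field, str(addr)))
    return stale


original = {"src": "10.1.1.20", "dst": "198.51.100.7", "payload": SIP_INVITE}
translated = nat_header_only(original, "10.1.1.20", "203.0.113.5")

if __name__ == "__main__":
    for field, addr in stale_embedded_addresses(translated):
        print(f"{field}: payload advertises {addr}, header says {translated['src']}")
```

Each field reported is one that a fix-up or ALG would have to rewrite for the far end to reach the caller.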

There is no doubt that some sort of NAT to allow IPv6 devices to communicate with IPv4 hosts is needed. But the issues above may still be apparent. Rather than a NAT64 it may be that a better solution is an Application Level Gateway or ALG, which would be application specific and application aware. The need for such an approach would need to be considered for each of an organisation’s critical applications.

The use of NAT to translate IPv6 addresses is more problematic. The IETF is actively discouraging the use of NAT in the IPv6 space, specifically NAT66, which would translate outside IPv6 addresses to different IPv6 addresses inside. There is discussion in the internet community about what may be required, and there have been several IETF documents submitted, but there are no active drafts. This means that while NAT66 may come at some stage, there is no current standard which vendors could use for guidance, so any NAT66 products will be proprietary. In addition to that, any new applications may still break when faced with NAT66, and fix-ups will be required.

So, NAT will have a place. But when you are planning for your new IPv6 addressing scheme, don’t assume that you can just build a complete analogue of your existing IPv4 addressing structure. You will need to carefully consider your carrier and your security strategies. It may be that you need to use different measures to meet your needs in the new IPv6 world.

Just one more reason to start planning early.
