This will be a quick post with NO Topology added this time, so tomorrow I can hopefully jump right into the security section of route, starting with ACLs! So I will list off the terminology for the methods, the ups and downs of using them, and how they stack up against other methods.
- One important thing to note: the best migration strategy is to start at the edge and work your way to the core of the network, whether it’s stacking / tunneling / translating.
Speaking of Stacking, Dual-Stack is the first method to discuss.
Dual-Stacking is when you run IPv4 and IPv6 simultaneously across your entire network, making both v4-to-v4 and v6-to-v6 connections across all devices. However, most networks right now lack the capability to run IPv6.
It would require a lot of money to purchase high end IPv6 compatible hardware and software, so it is a great but not completely viable option for most networks at this time.
6-to-4 tunneling works like a VPN in that a tunnel is actually built, and torn down when not needed, for traffic to flow. However, instead of encapsulating the traffic to encrypt it, IPv6 packets are encapsulated in an IPv4 addressed packet to traverse IPv4 domains to reach “IPv6 Islands”, which is a fancy term for IPv6 networks.
The IPv6 prefix for this type of network is 2002 and carries a /32 mask on the address. An easy way to think of a 6-to-4 prefix is as being R2’s loopback.
One issue is that you would need to use Dual-Stacking with this method as well, or IPv6 hosts won’t be able to communicate with IPv4 hosts on IPv4-based services.
NAT64 / NAT6-to-4
Not traditional NAT (obviously), this translates IPv6 traffic to IPv4, and it comes in two flavors, stateless and stateful:
- Stateless NAT64 embeds an IPv4 address directly into an IPv6 address, resulting in a one-to-one mapping of IPv6 to IPv4 addresses. The concern with stateless is running out of IPv4 addresses to embed in the IPv6 addresses, which is the whole reason we are migrating to IPv6 in the first place.
- Stateful mode doesn’t use up IPv4 addresses as quickly, since it allows multiple IPv6 addresses to use a single IPv4 address, making it a MUCH larger pool to draw from.
This has largely replaced an old migration method called NAT-PT (NAT-Protocol Translation) because of NAT-PT’s integrated use of DNS, whereas NAT64 keeps the NAT64 and DNS64 functions completely separate, which we like.
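The address embedding behind both the 6-to-4 prefix and stateless NAT64 above, as an added example that is not from the original post: it builds the 6to4 site prefix (2002::/16 followed by the 32-bit IPv4 address, which gives a /48 per RFC 3056) and a stateless NAT64 address, then recovers the embedded IPv4 address so IPv6 sources can be checked against an IPv4 ACL network. The NAT64 well-known prefix 64:ff9b::/96 (RFC 6052), the function names and the sample addresses are assumptions that do not appear in the post.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")     # 6to4 prefix (RFC 3056)
NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")  # NAT64 well-known prefix (RFC 6052)


def sixtofour_prefix(v4):
    """6to4: 2002::/16 + the 32-bit IPv4 address = one /48 site prefix."""
    v4_int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network((int(SIXTOFOUR.network_address) | (v4_int << 80), 48))


def nat64_embed(v4, prefix=NAT64_WKP):
    """Stateless mapping: put the IPv4 address in the low 32 bits of a /96."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch only handles /96 NAT64 prefixes")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def embedded_ipv4(v6, nat64_prefix=NAT64_WKP):
    """Recover the IPv4 address carried inside a 6to4 or NAT64 address, else None."""
    addr = ipaddress.IPv6Address(v6)
    if addr in SIXTOFOUR:
        return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)
    if addr in nat64_prefix:
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


def hits_v4_rule(v6_sources, v4_rule):
    """Return the IPv6 sources whose embedded IPv4 address is inside an IPv4 ACL network."""
    net = ipaddress.IPv4Network(v4_rule)
    return [s for s in v6_sources if (v4 := embedded_ipv4(s)) is not None and v4 in net]


if __name__ == "__main__":
    # Constructed sample sources (documentation ranges), not taken from the post.
    sources = ["2002:c000:201::1", "64:ff9b::c000:221", "2001:db8::1", "2002:c633:6401::5"]
    print(sixtofour_prefix("192.0.2.1"))
    print(nat64_embed("192.0.2.33"))
    print(hits_v4_rule(sources, "192.0.2.0/24"))
```
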
NPTv6 (Not to be confused with NAT64) / NAT-PT
This is used to translate from IPv4 to IPv6 addresses on “IPv6 Islands”, or networks using only IPv6, then translate them back, meaning it is NOT one of the tunnels mentioned above where packets are being encapsulated / decapsulated.
It sounds like when the source prefix arrives at or leaves a device, instead of using the outside interface’s IPv6 prefix, it changes it to another one, for example if a downstream router has the original address black-listed or something (which is why it is a special-use tool).
It is stateless only and cannot perform PAT-type overload on outgoing packets, which is also what makes it so special-use.
OK, I SURVIVED THROUGH THE IPV6 SECTION!!!
Time to delve into Security topics for a while and get back to labbing!