
IPV4 NAT to IPV6 For Internet Access

DamianRC

Thanks in advance.

New Internet transports are incoming. 

IPV4 and 6 addresses are available for use. 

A notion exists that any V4 address assigned to us may have been used elsewhere and is, thus, a potential security risk (I'm having difficulties understanding this fear. Please feel free to comment either way).

It's been asked if it's possible to NAT the private address range to a carrier provided V6 public address. 

Nothing I've read so far suggests that this is possible. 

If someone knows otherwise, I welcome your input. 

Thank you

Accepted Solution

James Leinweber

IPV4 and 6 addresses are available for use. 

Yup.  v6 is over 50% of LTE4 cell data traffic in the US, over 40% of Belgium's backbone traffic, tends to perform better than v4 for mobile devices, etc.  It's real.  We're in the dual-internet interregnum, where not all clients can talk to all servers, until the v6 transition is completed about 15 years from now.

 ... any V4 address assigned to us may have been used elsewhere and is, thus, a potential security risk

Since IPv4 address space is generally exhausted worldwide, most ISPs are moving to "carrier grade NAT" where clients are sharing global scope IPs at an upstream NAT.  The internet reputation of such a middlebox is going to trend downward to the most infected / badly behaved client behind it, which is invariably going to be a botnet zombie.  This may incur collateral damage to protocols used by perfectly well-behaved clients that also share the CGN gateway.

Meanwhile, you can't get new IPv4 subnets from the regional internet registries, so your only effective source of additional IP space is to pay for a transfer from someone else.  The transferred subnet was probably previously in use, and thus may be on blacklists for e-mail spamming or have blackhole routes at backbone ISPs.  It might also have previously housed attractive nuisance services such as banking or betting which are still being frequently DDoSed due to miscreant inertia.  This could take time and effort to clean up.

Recycled IPv4 addresses which are actually working for you aren't particularly higher risk than archaic original issue addresses from a security point of view; that's controlled by the quality of the endpoint software primarily, not by mere reputation.

[is it] possible to NAT the private address range to a carrier provided V6 public address

Sort of.  The usual problem is a v6-only client (say, an LTE4 cellphone) is trying to reach a v4-only service (say, a typical corporate web site).  This requires 6-->4 translation; for which this week the preferred mechanism seems to be "464xlat".  The client gets two v6 /64 prefixes, v6-only transport, and a private v4 address which is tunneled over the secondary prefix to a carrier grade DNS64/NAT64 middlebox.

The opposite problem of a v4-only client trying to reach v6-only server is usually moot; usually you dual-stack the client instead, and there aren't many v6-only services yet, though that will change.

The IETF demoted RFC-2766 NAT-PT for v4-to-v6 translation to historic status, meaning it's not recommended for use on the general internet, in RFC-4966.  In addition to all of the usual NAT problems, NAT-PT doesn't work at ISP scale due to the impossibility of getting the DNS46 TTL values right.  If you were only trying to translate a small subnet from a single organization, say a v4 /24, you might be able to find software which did it, but this is the wrong path to take.

If the problem is that the client doesn't support dual-stack v4+v6, upgrade to something manufactured in this century; even Windows XP can be dual-stacked if you offer it DNS over v4.

If the problem is that the ISP is only offering v6-transport, tunnel the v4 traffic across that v6 moat to a dual-stack gateway.

-- Jim Leinweber, WI State Lab of Hygiene
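The address synthesis that DNS64/NAT64 and the 464xlat CLAT perform, as an added example that is not part of the original thread and not Cisco or carrier code: an RFC 6052 embedding of an IPv4 address into a NAT64 prefix and its reverse. The well-known prefix 64:ff9b::/96 and the test vectors come from RFC 6052; the 2001:db8::/32, 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation ranges used here as constructed sample input. The rule a practitioner usually gets wrong is that the IPv4 octets skip byte 8 (bits 64-71, the "u" octet), which must stay zero; the code checks that rather than silently overwriting it.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix; a carrier may instead run a network-specific prefix.
WELL_KNOWN_PREFIX = "64:ff9b::/96"
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _ipv4_byte_slots(prefix_len):
    """Byte offsets that carry the four IPv4 octets for a given prefix length.

    RFC 6052 section 2.2 places the IPv4 address right after the prefix but
    skips byte 8 (bits 64-71, the 'u' octet), which must remain zero.
    """
    slots = []
    i = prefix_len // 8
    while len(slots) < 4:
        if i != 8:
            slots.append(i)
        i += 1
    return slots


def synthesize(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in a NAT64 prefix (what a DNS64 resolver or a CLAT does)."""
    net = ipaddress.IPv6Network(prefix)  # strict: raises if host bits are set in the prefix
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"NAT64 prefix length must be one of {VALID_PREFIX_LENGTHS}, got /{net.prefixlen}")
    out = bytearray(net.network_address.packed)  # prefix bits set, all other bits zero
    if out[8] != 0:
        raise ValueError("bits 64-71 of a NAT64 prefix must be zero (RFC 6052 'u' octet)")
    octets = ipaddress.IPv4Address(ipv4).packed
    for slot, octet in zip(_ipv4_byte_slots(net.prefixlen), octets):
        out[slot] = octet
    return ipaddress.IPv6Address(bytes(out))


def extract(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Recover the embedded IPv4 address (what the NAT64 box does before forwarding on v4)."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside NAT64 prefix {net}")
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[i] for i in _ipv4_byte_slots(net.prefixlen)))


def is_synthesized(ipv6, prefix=WELL_KNOWN_PREFIX):
    """True if the address falls inside the NAT64 prefix, i.e. it was synthesized, not native."""
    return ipaddress.IPv6Address(ipv6) in ipaddress.IPv6Network(prefix)


# Test vectors from RFC 6052 section 2.4, all embedding 192.0.2.33.
RFC6052_VECTORS = {
    "2001:db8::/32": "2001:db8:c000:221::",
    "2001:db8:100::/40": "2001:db8:1c0:2:21::",
    "2001:db8:122::/48": "2001:db8:122:c000:2:2100::",
    "2001:db8:122:300::/56": "2001:db8:122:3c0:0:221::",
    "2001:db8:122:344::/64": "2001:db8:122:344:c0:2:2100::",
    "2001:db8:122:344::/96": "2001:db8:122:344::c000:221",
    "64:ff9b::/96": "64:ff9b::c000:221",
}


def rfc6052_vectors_pass():
    """Round-trip every RFC 6052 vector through synthesize() and extract()."""
    for prefix, expected in RFC6052_VECTORS.items():
        v6 = synthesize("192.0.2.33", prefix)
        if v6 != ipaddress.IPv6Address(expected):
            return False
        if str(extract(v6, prefix)) != "192.0.2.33":
            return False
    return True


if __name__ == "__main__":
    # 464xlat view: a v6-only handset's CLAT needs to reach a v4-only web server
    # at 198.51.100.10 (constructed sample address). It sends to the synthesized
    # v6 address; the carrier's PLAT (NAT64) extracts the v4 destination again.
    target = synthesize("198.51.100.10")
    print("CLAT sends to   :", target)
    print("PLAT forwards to:", extract(target))
    print("synthesized?    :", is_synthesized(target), "/ native 2001:db8::1 ->", is_synthesized("2001:db8::1"))
    print("RFC 6052 vectors:", "pass" if rfc6052_vectors_pass() else "FAIL")
```

In a real 464xlat deployment the CLAT does not hard-code the prefix; it discovers it by resolving ipv4only.arpa through the carrier's DNS64 (RFC 7050), and the PLAT is the carrier's stateful NAT64. The `is_synthesized` check is the piece worth keeping in logging or ACL logic: a "v6" client address inside the NAT64 prefix is really a v4 host behind a translator, and reputation or rate-limit decisions should be made on the extracted v4 address.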



Tremendous post.

Thank you!
