
IPv6 NAT

S891
Level 2

Hello guys,

I was wondering what are the options available for IPv6 to IPv6 NAT (NAT66). It looks like it is not a very common practice so there is not much information available. I am interested in setting up a NAT pool to hide internal IPv6 addresses.

The reason for a NAT pool is that it still keeps the internal address anonymous. I have read a few things about NPTv6 but it seems like it does not allow for a NAT pool. I guess there are other options available for NAT66 other than NPTv6.

I also want to know if it is feasible and scalable to use ULA for the internal network and do NAT66 for going out.

I also noticed that NPTv6 has a hardware limitation. It is only supported on CSR, ISR and ASR platforms. Is this also true for NAT66?

 

cheers !!

1 Reply

Phillip Remaker
Cisco Employee

With IPv6 Privacy Addressing, the ongoing changing of IPv6 addresses (interface ID) maintains privacy by periodically shifting the Interface ID, so you already have privacy, without the need to use NAT.

NPTv6 just changes the network prefix, keeping the interface ID intact on both sides. This is a low-resource, stateless form of NAT. Regardless, that should not be needed here.

Before you look into NAT66 for "anonymity" and "privacy" you should unpack what the need behind the need is. What is the use case you are defending against? You may find that NAT does not provide the anonymity that you imagine it does.

NPTv6 is designed for VERY high volume traffic (service provider) so needs hardware support. NAT6 has no such restriction, but it is resource intensive.

 

What you are proposing is not the best practice for IPv6 networks.
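
The stateless prefix rewrite described in the reply above, as an added example that is not part of the original thread and not Cisco's implementation: it follows the checksum-neutral mapping of RFC 6296 for /48 prefixes and shows that the interface ID leaves the network unchanged. The prefixes, host addresses and function names are constructed for illustration.

```python
import ipaddress

IID_MASK = (1 << 64) - 1

def oc_add(a, b):
    """16-bit ones'-complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def oc_sum48(net):
    """Ones'-complement sum of the three 16-bit words of a /48 prefix."""
    top = int(net.network_address) >> 80
    return oc_add(oc_add(top >> 32, (top >> 16) & 0xFFFF), top & 0xFFFF)

def make_translator(internal, external):
    """Return (outbound, inbound) functions for a pair of /48 prefixes."""
    inside = ipaddress.IPv6Network(internal)
    outside = ipaddress.IPv6Network(external)
    if inside.prefixlen != 48 or outside.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    # Constant per prefix pair: internal minus external, in ones' complement.
    adjustment = oc_add(oc_sum48(inside), ~oc_sum48(outside) & 0xFFFF)

    def rewrite(addr, src, dst, adj):
        value = int(ipaddress.IPv6Address(addr))
        if ipaddress.IPv6Address(value) not in src:
            raise ValueError(f"{addr} is not inside {src}")
        # Only the 16-bit subnet word is adjusted; no per-flow state is kept.
        subnet = oc_add((value >> 64) & 0xFFFF, adj)
        if subnet == 0xFFFF:  # 0xFFFF and 0 both represent zero
            subnet = 0
        return ipaddress.IPv6Address(
            int(dst.network_address) | (subnet << 64) | (value & IID_MASK))

    return (lambda a: rewrite(a, inside, outside, adjustment),
            lambda a: rewrite(a, outside, inside, ~adjustment & 0xFFFF))

def interface_id(addr):
    """Low 64 bits of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK

if __name__ == "__main__":
    # Constructed sample: a ULA /48 inside, a documentation-range /48 outside.
    outbound, inbound = make_translator("fd01:203:405::/48", "2001:db8:1::/48")
    for host in ("fd01:203:405:1::1234", "fd01:203:405:1:211:22ff:fe33:4455"):
        ext = outbound(host)
        print(host, "->", ext, "| IID kept:", interface_id(host) == interface_id(ext),
              "| reversible:", str(inbound(ext)) == host)
```

Each internal address maps to exactly one external address and back, so there is no pool and no translation table. A host using a stable interface ID remains recognisable by it after translation.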
