NATTED - A Field Report

March 14, 2016 (at 1:45 p.m.) in Day 1 Track 1

When IPv6 is introduced in a network segment today, this is most often done with a dual-stack approach: IPv4 is kept in the segment alongside IPv6 so that communication with other IPv4-only segments remains possible. This approach has several drawbacks: network administrators do not set up new IPv4 segments but simply 'add' IPv6 to the existing ones, security staff have to maintain two firewall rule sets, and the number of routes doubles.

One way around this is NAT64 / NAT46. Applied at the border of a segment, it lets devices in IPv4-only segments talk to devices in IPv6-only segments and vice versa. This requires additional configuration on the border devices, but that effort is much smaller than operating an entire segment dual stack. With this approach one can set up an entirely new network segment as IPv6-only and use all the advantages the huge IPv6 address space offers. Moreover, when IPv4 is eventually switched off, none of the devices in the segment needs adaptation, only the border device.

To gain practical experience with this approach, we assumed our management networks to be IPv6-only (in fact they are dual stack) and configured the required NAT64/46 rules on the border device (Juniper SRX240 HA cluster) to ensure connectivity to the other IPv4-only segments. In the talk we explain this approach in detail, report on our experiences and summarize its pros and cons.

Gabriel Müller

During his studies in electrical engineering at ETH Zurich, Gabriel Mueller specialized in networks and network security. He works as a senior consultant at AWK Group, assisting clients in the public and private sectors as a project manager and expert in the network area. In his role as a network administrator at AWK, he regularly gathers practical experience in the company's network.

