A Complete Analysis of IPv6 Transition Technology

The IPv6 wave is coming

With the rapid development of emerging industries such as mobile Internet, Internet of Things, and Industry 4.0, the number of terminals connected to the network is growing exponentially. From traditional PCs and mobile phones to the ubiquitous Internet of Things terminals in the future, all need to access the Internet through IP addresses. It is estimated that by 2020, there will be 50 billion devices online worldwide, and the number of addresses required is more than ten times the total number of IPv4 addresses. At present, all IPv4 addresses have been allocated, and the problem of address shortage is very serious.

After more than 20 years of development, IPv6 has become a very mature technology. With more addresses, smaller routing tables, better security and other advantages, IPv6 can effectively solve the problems currently faced by IPv4.

On November 26, 2017, the General Office of the CPC Central Committee and the General Office of the State Council jointly issued the Action Plan for Promoting Large-Scale Deployment of Internet Protocol Version 6 (IPv6) (hereinafter referred to as the Action Plan). The Action Plan requires that within 5 to 10 years, an independent technology system and industrial ecology for the next generation Internet will be formed, the world's largest IPv6 commercial application network will be built, the next generation Internet will be deeply integrated and applied in various fields of the economy and society, and it will become an important leading force in the development of the next generation Internet in the world. The wave of IPv6 has truly arrived.

Introduction to IPv6 Transition Technology

Since IPv6 itself is not compatible with IPv4, large-scale deployment of IPv6 still faces many challenges. The currently feasible solution is to use transition technology to gradually evolve IPv4 to IPv6. There are currently three main transition technologies:

1. Dual stack technology

Dual stack diagram

Dual stack technology means running the IPv4 and IPv6 protocol stacks simultaneously on terminal application systems, operation support systems and network nodes (both stacks share the same hardware platform), so that each can exchange information with IPv4 nodes and with IPv6 nodes.

Nodes with IPv4/IPv6 dual protocol stacks are called dual stack nodes. These nodes can send and receive both IPv4 and IPv6 packets. They can use IPv4 to communicate with IPv4 nodes, or directly use IPv6 to communicate with IPv6 nodes. Dual stack nodes contain both IPv4 and IPv6 network layers, but they still use a single set of transport layer protocols (such as TCP and UDP).

Dual stack protocol model

Dual-stack nodes can run in the following three modes, flexibly enabling/disabling IPv4/IPv6 functions:

  • Enable their IPv4 stack and disable their IPv6 stack, behaving as IPv4 nodes.
  • Enable their IPv6 stack and disable their IPv4 stack, behaving as IPv6 nodes.
  • Enable dual stack and enable both IPv4 and IPv6 protocols.

The working principle of the dual stack mode can be simply described as:

  • If the destination address is an IPv4 address, the node uses IPv4;
  • If the destination address is an IPv6 address, the node uses IPv6. When using IPv6, encapsulation may be required.

Dual stack technology is the basis of all transition technologies. It supports flexible activation or deactivation of the IPv4/IPv6 functions of nodes and can effectively transition to a pure IPv6 environment. However, it requires all nodes to support dual stack, which increases the difficulty of transformation and deployment.

2. Tunnel technology

Tunnel technology diagram

Tunnel technology carries IPv6 data packets over IPv4 by encapsulating each IPv6 packet in an IPv4 packet, so that IPv6 traffic can cross IPv4 networks. Isolated IPv6 networks can therefore communicate with each other over the existing IPv4 network without any modification or upgrade to that network. IPv6 tunnels can be configured between border routers or between border routers and hosts, but the nodes at both ends of the tunnel must support both IPv4 and IPv6 protocol stacks.

Encapsulation of IPv6 Datagrams in IPv4

Implementation mechanism of IPv4/IPv6 tunnel technology:

  • The tunnel entry node (encapsulation router) creates an IPv4 header for encapsulation and transmits the encapsulated packet.
  • The tunnel exit node (decapsulation router) receives the encapsulated packet, reassembles the packet if necessary, removes the IPv4 header, and processes the received IPv6 packet.
  • The encapsulating router may need to maintain soft state for each tunnel, such as the tunnel MTU, in order to forward IPv6 packets into the tunnel.
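The entry and exit steps above, as an added example that is not part of the original article. It assumes a 20-byte outer IPv4 header with protocol number 41; the function names, the documentation-range addresses and the sample packet are constructed, and fragmented outer packets are rejected rather than reassembled.

```python
import ipaddress
import struct

PROTO_IPV6 = 41  # IPv4 protocol number for an encapsulated IPv6 packet

def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement checksum of an IPv4 header (0 when a valid header is re-summed)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(ipv6_packet: bytes, entry_v4: str, exit_v4: str) -> bytes:
    """Tunnel entry node: prepend a 20-byte IPv4 header (no options, not fragmented)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0,
                      64, PROTO_IPV6, 0,
                      ipaddress.IPv4Address(entry_v4).packed,
                      ipaddress.IPv4Address(exit_v4).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + ipv6_packet

def decapsulate(packet: bytes) -> bytes:
    """Tunnel exit node: validate the outer IPv4 header, strip it, return the IPv6 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("bad IPv4 length fields")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != PROTO_IPV6:
        raise ValueError("outer protocol is not 41")
    if frag & 0x3FFF:  # MF flag or non-zero offset: reassembly is out of scope here
        raise ValueError("fragmented outer packet")
    inner = packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    if 40 + struct.unpack("!H", inner[4:6])[0] != len(inner):
        raise ValueError("inner IPv6 payload length mismatch")
    return inner

def sample_ipv6_packet() -> bytes:
    """Constructed IPv6 packet: next header 59 (no next header), documentation addresses."""
    payload = b"constructed"
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), 59, 64,
                       ipaddress.IPv6Address("2001:db8:1::1").packed,
                       ipaddress.IPv6Address("2001:db8:2::1").packed) + payload
```
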

Tunnel technology packaging diagram

IPv6 tunnel technology is divided into manual tunnel and automatic tunnel:

(1) Manual tunnel: The border device cannot automatically obtain the IPv4 address of the tunnel endpoint. The IPv4 address of the tunnel endpoint needs to be manually configured so that the message can be correctly sent to the tunnel endpoint. It is usually used for tunnels between routers. Common manual tunnel technologies are as follows:

  • IPv6 over IPv4 manual tunnel
  • GRE tunnel

(2) Automatic tunnel: The border device can automatically obtain the IPv4 address of the tunnel endpoint, so there is no need to manually configure the IPv4 address of the endpoint. The general practice is that the IPv6 addresses of the two interfaces of the tunnel use a special IPv6 address format with an embedded IPv4 address. In this way, the routing device can extract the IPv4 address from the destination IPv6 address in the IPv6 message. Automatic tunnels can be used between hosts or between hosts and routers. Common automatic tunnel technologies are as follows:

  • 6to4
  • ISATAP
  • 6RD
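How a device recovers the tunnel endpoint from an address with an embedded IPv4 address, as an added example that is not part of the original article. The 6to4 prefix 2002::/16 (RFC 3056) and the ISATAP interface identifier 5efe (RFC 5214) come from those standards rather than from this page; the function name, the 6RD prefix 2001:db8::/32 and the assumption that 6RD embeds all 32 bits of the IPv4 address are constructed for illustration.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")   # 6to4 prefix (RFC 3056)
ISATAP_IDS = (0x00005EFE, 0x02005EFE)            # ISATAP interface-identifier prefix (RFC 5214)

def embedded_ipv4(addr, sixrd_prefix=None):
    """Return (mechanism, IPv4 address string) if addr embeds a tunnel endpoint, else None.

    sixrd_prefix is the operator's 6RD prefix (hypothetical parameter); the full
    32-bit IPv4 address is assumed to follow it directly.
    """
    a = ipaddress.IPv6Address(addr)
    raw = int(a)
    if a in SIXTOFOUR:
        # 6to4: 2002:V4ADDR::/48, the IPv4 address is the 32 bits after the /16
        return "6to4", str(ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF))
    if sixrd_prefix is not None:
        net = ipaddress.IPv6Network(sixrd_prefix)
        if a in net and net.prefixlen <= 96:
            shift = 128 - net.prefixlen - 32
            return "6rd", str(ipaddress.IPv4Address((raw >> shift) & 0xFFFFFFFF))
    if (raw >> 32) & 0xFFFFFFFF in ISATAP_IDS:
        # ISATAP: the low 64 bits are 0000:5efe (or 0200:5efe) followed by the IPv4 address
        return "isatap", str(ipaddress.IPv4Address(raw & 0xFFFFFFFF))
    return None
```
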

Tunnel technology relies on existing IPv4 facilities and connects multiple isolated IPv6 networks while requiring only the devices at both ends of the tunnel to support dual stacks. However, tunnel configuration is relatively complex, and tunnels do not support direct communication between IPv4 hosts and IPv6 hosts.

Address Protocol Translation Technology

Address translation technology diagram

1. NAT-PT conversion technology

NAT-PT (Network Address Translation-Protocol Translation): It is a combination and evolution of SIIT (Stateless IP/ICMP Translation) protocol conversion technology and dynamic address translation (NAT) technology. SIIT provides one-to-one mapping conversion between IPv4 and IPv6. NAT-PT supports many-to-one or many-to-many address conversion based on SIIT.

NAT-PT has two forms: static and dynamic.

(1) Static NAT-PT:

Static mode provides one-to-one mapping of IPv6 addresses and IPv4 addresses. For nodes in the IPv6-only network domain to access an IPv4 address in the IPv4-only network domain, that address must be configured on the NAT-PT gateway. Each destination IPv4 address is mapped on the NAT-PT gateway to an IPv6 address with a predefined NAT-PT prefix. In this mode, each IPv6 mapping to an IPv4 address requires a source IPv4 address. Static configuration is suitable for hosts that are often online or need to provide a stable connection.

(2) Dynamic NAT-PT:

In dynamic NAT-PT, the NAT-PT gateway announces a 96-bit address prefix to the IPv6 network, and combines it with the host's 32-bit IPv4 address as an identifier for the host in the IPv4 network. The destination address prefix of the message sent from the host in the IPv6 network to the IPv4 network is the same as the address prefix announced by NAT-PT. These messages are routed to the NAT-PT gateway, which modifies the message header, extracts the IPv4 address information, and replaces the destination address. At the same time, the NAT-PT gateway defines an IPv4 address pool, and it takes an address from the address pool to replace the source address of the IPv6 message, thereby completing the conversion from the IPv6 address to the IPv4 address. Dynamic NAT-PT supports mapping multiple IPv6 addresses to one IPv4 address, saving IPv4 address space.

NAT-PT supports mutual translation and conversion between IPv4 and IPv6 protocols, but has the following problems:

  • Requests and responses belonging to the same session must be converted through the same NAT-PT device, which is more suitable for environments with a single egress device.
  • The optional part of the IPv4 header cannot be converted;
  • Lack of end-to-end security.

Therefore, NAT-PT is gradually being abandoned and is not recommended. The latest address protocol translation technology is NAT64.

2. NAT64 conversion technology

NAT64 is a stateful network address and protocol translation technology that generally only supports users on the IPv6 network initiating connections to access IPv4 network resources. However, NAT64 also supports manually configured static mappings that let the IPv4 network actively initiate connections to the IPv6 network. NAT64 performs the stateful IPv4-IPv6 address and protocol translation, and DNS64 handles domain name resolution. The two work together and do not require any modifications on the IPv6 client or IPv4 server.

DNS64 mainly synthesizes an AAAA record (IPv6 address) from the A record (IPv4 address) in the DNS answer, and returns the synthesized AAAA record to the IPv6-side user. DNS64 also solves the defects of DNS-ALG in NAT-PT.

NAT64 and DNS64 flow chart

The process of NAT64 and DNS64 is as follows:

  • The IPv6 host sends a domain name resolution request for www.abc.com to the DNS64 server (the DNS server configured on the host is the DNS64 server);
  • DNS64 queries the DNS server for the IPv6 address (AAAA record);
  • If the domain name has an IPv6 address, that address is returned; if not, an empty answer is returned;
  • DNS64 then queries the DNS server for the IPv4 address (A record);
  • The DNS server returns the IPv4 record of www.abc.com (192.168.1.1);
  • DNS64 synthesizes the IPv6 address (64:FF9B::192.168.1.1) and returns it to the IPv6 host;
  • The IPv6 host sends an IPv6 data packet with a destination address of 64:FF9B::192.168.1.1. Since NAT64 announces the configured IPv6 prefix in the IPv6 domain, this data packet is forwarded to the NAT64 device;
  • NAT64 performs address translation and protocol translation: the destination address is translated to 192.168.1.1, and the source address is translated according to the address state (3ffe:100:200:1::1)->(172.16.1.1). The packet is then routed to the IPv4 server within the IPv4 domain;
  • The IPv4 packet returns with a destination address of 172.16.1.1;
  • NAT64 converts the destination address to 3ffe:100:200:1::1 based on the existing record. The source address is the IPv4 server address with the IPv6 prefix added, 64:FF9B::192.168.1.1. The packet is sent to the IPv6 host and the process ends.
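The address handling in the flow above, as an added example that is not part of the original article. It uses the well-known NAT64 prefix 64:ff9b::/96 (RFC 6052) and the addresses from the walk-through; the class and function names are hypothetical, and bindings are kept per address only, whereas a real NAT64 also tracks protocol and port.

```python
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # well-known prefix (RFC 6052)

def dns64_synthesize(a_record, aaaa_record=None):
    """DNS64: pass a real AAAA through, otherwise build prefix + IPv4 from the A record."""
    if aaaa_record:
        return aaaa_record
    v4 = int(ipaddress.IPv4Address(a_record))
    return str(ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | v4))

class Nat64:
    """Stateful translator: IPv6 clients are bound to addresses from an IPv4 pool."""

    def __init__(self, pool):
        self.free = [ipaddress.IPv4Address(p) for p in pool]
        self.v6_to_v4 = {}
        self.v4_to_v6 = {}

    def outbound(self, src6, dst6):
        """IPv6 -> IPv4: returns the translated (source, destination) pair."""
        src, dst = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
        if dst not in NAT64_PREFIX:
            raise ValueError("destination is not inside the NAT64 prefix")
        if src not in self.v6_to_v4:
            if not self.free:
                raise RuntimeError("IPv4 pool exhausted")
            v4 = self.free.pop(0)
            self.v6_to_v4[src], self.v4_to_v6[v4] = v4, src
        # The low 32 bits of the destination are the IPv4 server address
        return str(self.v6_to_v4[src]), str(ipaddress.IPv4Address(int(dst) & 0xFFFFFFFF))

    def inbound(self, src4, dst4):
        """IPv4 -> IPv6: only replies that match an existing binding are translated."""
        dst = ipaddress.IPv4Address(dst4)
        if dst not in self.v4_to_v6:
            raise LookupError("no binding for this IPv4 address; packet dropped")
        return dns64_synthesize(src4), str(self.v4_to_v6[dst])
```

The `v4_to_v6` table is also what maps a pool address seen in IPv4-side logs back to the IPv6 host that was using it.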

Address protocol translation technology can achieve external support for IPv6 access by making a small modification to the existing IPv4 environment (usually replacing the egress gateway), and the deployment is simple and convenient.

3. How to choose?

The business system has high requirements for stability, and any transformation must not affect the operation of existing business. When we are doing IPv6 upgrades, we need to consider many factors when choosing among many technical solutions:

  • The deployment should be convenient and the period should not be too long. How to ensure that the transformation of all business platforms is completed within the time specified by the state or regulatory authorities and that IPv6 services are provided to the outside world?
  • The solution must support dual stacks and not hinder subsequent evolution to pure IPv6;
  • Consider the investment cost and impact, proceed in stages, and prioritize the transformation of external systems (such as portal websites) before the transformation of internal network systems.
  • Minimal impact on existing services, and existing IPv4 access is not affected;
  • The versatility of the technology enables interconnection and support between products from different manufacturers;
  • Without adding too much operation and maintenance burden, the maintenance work of IPv6 network can be smoothly transitioned.

4. Comparison of three technologies

Each transition technology has its own advantages and disadvantages. Considering the application scenarios and needs of the financial industry, we need to choose different transition technologies to achieve IPv6 transformation in different scenarios:

  • For new business system scenarios, it is recommended to use dual-stack technology, which supports both IPv4 and IPv6, to achieve optimal transformation in one step;
  • For scenarios where multiple isolated IPv6 networks are interconnected, such as the interconnection of multiple IPv6 data center regions, tunneling technology can be used to encapsulate IPv6 data into IPv4 networks for transmission, reducing deployment costs and pressure.
  • For business systems that have already been launched, it is recommended to use address protocol conversion technology, which has minimal changes to the existing network, can be deployed quickly, has the lowest investment cost, and can support gradual evolution to a pure IPv6 environment in the future.
