Running NAT64 in a dual stack network

Network address translation 6-to-4 (NAT64, RFC 6146) is a transition technology that can be used, in conjunction with DNS64 (domain name system 6-to-4, RFC 6147), to replace NAT44 in dual-stack networks while also supporting IPv6-only devices.

Dual stack is a common deployment solution for adding IPv6 to both consumer and corporate networks, although IPv6-only is becoming more common, with the typical guidance being "IPv6-Only Where You Can, Dual-Stack Where You Must".

Even if you are still stuck in dual stack, it still makes sense to use some of the IPv4 as a Service technologies, such as NAT64 and DNS64, which have the upside of allowing you to support IPv6 only devices, and no downside. As an additional benefit, you also get valuable experience in IPv6 systems.

The cost is that you need infrastructure that supports NAT64, provided either by your ISP or by your own networking equipment/router. This is less of an issue for DNS64, as public DNS64 is available, e.g. from Google.

If your network supports it, look at implementing NAT64 + DNS64 today; if it does not, contact your equipment provider to find out when they will support this important technology for IPv6.

Network with IPv6 and dual stack devices using NAT64 to access an IPv4 server, with IPv4 devices using NAT44

Using NAT64 to access IPv4 only sites

IPv6 has well developed co-existence technology for interoperating with IPv4 only sites, including NAT64 network address and protocol translation.

Many networks that use legacy IPv4 use a private address range, with no direct connection to IPv4 servers; this means that NAT44 is usually already in use. The following network diagrams are based on local networks using private address ranges, which is almost always the case. If you are using public IPv4 addresses in your network, the solution still works; the only difference is that IPv4 connections will be end-to-end (instead of NAT44).

Configuring your dual stack network with DNS64 and NAT64, to allow IPv6 only devices, will simply mean that dual stack devices will use NAT64 instead of NAT44.

NAT64 connectivity to IPv4 only servers

This first diagram shows the network connection paths for IPv6 only, dual stack, and IPv4 only devices accessing an IPv4 only server, using either NAT64 or NAT44.

The IPv4 only server address is resolved using DNS64 such as Google Public DNS64. For an IPv4 only server this returns the synthetic DNS64 IPv6 address (AAAA record) along with the IPv4 address (A record).

Example: Querying for v4.ipv6-test.com will return AAAA 64:ff9b::334b:4e67 and A 51.75.78.103.

As shown in the diagram at the start of this article, with NAT64 + DNS64, to connect to an IPv4 only server:

  • IPv6 only and dual stack devices will use NAT64 to connect to the server.
  • IPv4 only devices will use NAT44 to connect to the server.
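The address mapping behind that example, as an added Python sketch (not code from the original article). It assumes the well-known /96 prefix 64:ff9b::/96 seen in the example address, and it also covers the case where a real AAAA record exists and the reverse mapping used to tie a NAT64 destination in IPv6 logs back to the IPv4 server; the function names and sample destinations are this example's own.

```python
import ipaddress

# RFC 6052 well-known prefix, as seen in the page's example address.
WKP = ipaddress.ip_network("64:ff9b::/96")

def synthesize(ipv4, prefix=WKP):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))

def dns64_answer(a_records, aaaa_records, prefix=WKP):
    """AAAA set a DNS64 resolver returns: real records win, else synthesize."""
    if aaaa_records:
        return [ipaddress.IPv6Address(r) for r in aaaa_records]
    return [synthesize(r, prefix) for r in a_records]

def embedded_ipv4(ipv6, prefix=WKP):
    """Recover the IPv4 destination from a NAT64 address; None if native."""
    addr = ipaddress.IPv6Address(ipv6)
    if prefix.prefixlen != 96 or addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def annotate(dests, prefix=WKP):
    """Label logged IPv6 destinations with the IPv4 server behind NAT64."""
    out = {}
    for d in dests:
        v4 = embedded_ipv4(d, prefix)
        out[d] = f"NAT64 -> {v4}" if v4 is not None else "native IPv6"
    return out

# Constructed sample: the page's IPv4-only host plus a documentation address.
SAMPLE_DESTS = ["64:ff9b::334b:4e67", "2001:db8::10"]

if __name__ == "__main__":
    print(dns64_answer(["51.75.78.103"], []))
    print(dns64_answer(["192.0.2.7"], ["2001:db8::10"]))
    for dest, label in annotate(SAMPLE_DESTS).items():
        print(dest, label)
```

Because dual stack devices move from NAT44 to NAT64, IPv4 destinations that used to appear directly in firewall or flow logs now appear inside the NAT64 prefix; applying `embedded_ipv4` keeps existing IPv4-based allow and block lists usable.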

Connectivity to dual stack servers

For comparison, connectivity to dual stack and IPv6 only servers continues to work the same as it does in a dual stack network without NAT64 + DNS64.

Dual stack servers will continue to return their real AAAA and A addresses (if an AAAA address already exists the DNS64 does not generate anything).

This means, to connect to a dual stack server:

  • IPv6 only and dual stack devices will connect directly to the server using IPv6 end-to-end.
  • IPv4 only devices will use NAT44 to connect to the server, connecting to the IPv4 address.

Network with IPv6 and dual stack devices using IPv6 to directly connect to a dual stack server, with IPv4 devices using NAT44

Connectivity to IPv6 only servers

IPv6 only servers will continue to return only their real AAAA (DNS64 does not generate anything); they do not have an IPv4 address.

This means, for an IPv6 only server:

  • IPv6 only and dual stack devices will connect directly to the server using IPv6 end-to-end.
  • IPv4 only devices have no way to connect (no different than plain dual stack).

Network with IPv6 and dual stack devices using IPv6 to directly connect to an IPv6 only server, with IPv4 devices having no connection

Exposing an IPv6 only server to an IPv4 only device would need something like a proxy server set up in between, allowing the IPv4 only device to make IPv4 connections to the proxy, with the proxy then making IPv6 connections to the server.

Comparison without NAT64

NAT64 may not be available, in which case IPv6 only devices will not be able to use it to connect to IPv4 only servers.

Most dual stack networks do not have NAT64 + DNS64; if you are not able to deploy NAT64, then to connect to IPv4 only servers:

  • IPv6 only devices cannot connect
  • Dual stack and IPv4 only devices will use NAT44 to connect to the server.

Note that dual stack devices still need to use NAT to connect to the server, only with NAT44 instead of NAT64. IPv4 only devices always need to use NAT.

Network without NAT64, with dual stack and IPv4 devices using NAT44 to connect to IPv4 servers, and IPv6 only devices having no connection

Next steps

Ask your ISP if they provide a NAT64 service, or check if your router or other networking hardware supports NAT64.

If they do, learn how to set up NAT64 + DNS64 and deploy it to your network.

Adding NAT64 + DNS64 to your dual stack network provides only benefits, allowing IPv6 only devices to connect to IPv4 servers, and providing valuable experience with IPv6 networks.

There are no downsides, with connectivity to IPv6 and dual stack servers remaining the same. Dual stack device connections to IPv4 servers will change from NAT44 to NAT64, but have to use NAT either way. IPv4 devices always need to use NAT.

If your networking equipment does not support NAT64 (and your ISP does not provide it as a service), then you should contact your equipment provider and ask when the feature will be available. While currently optional, as IPv6 deployment expands it will become necessary as a key technology for IPv6 only networks, so the sooner your equipment supports it, and you can become familiar with it, the better.
