IPv6 Only Networks

Ok so everyone has heard of IPv6 and the huge number of routable addresses it brings to the table. But come on, I don't want to deal with two versions of IP. People should just run pure IPv6 networks at home, like cell phone carriers do. Yes, but what if the service you want to connect to is only reachable over IPv4? Let's take a look!

France is number one

To start talking about IPv6 we need a bit of context. More than 30 years after its first RFC the internet still doesn't use IPv6 by default everywhere, and many services are only reachable over IPv4. The client side is a little better, but not by much. I am French and I am really proud of my country on this subject: according to Google's adoption statistics we are the most IPv6-enabled country in the world. This is a great pride as a French citizen and networking-loving person.

Every ISP I have used here provided IPv6 prefixes to subscribers, with prefix delegation easily configured. This is really useful if, like me, you want to self-host at home. It just works: give each service its own address and use it to reach the service. You still need to set firewall rules, since every device is now directly reachable from the internet and the accidental filtering you got from NAT is gone, but it feels really good to have devices or VMs with a real, globally routable address to show.

Why would you want such a thing?

You are on the blog of someone who lives and breathes computer science. Why wouldn't I try running only the latest IP version and see how the rest of the internet handles it? Removing NAT also shaves off a little latency and makes exposing your services much simpler. This is just too good to pass up.

What do we need?

With only IPv6 connectivity we still need to be able to reach IPv4-only hosts. This could prove challenging, except that when IPv6 was designed people thought about this exact situation. The next two technologies, once combined, let a host with only an IPv6 address contact IPv4 hosts.

DNS64

The concept of DNS64 (RFC 6147) is simple. Because IPv6 has so many addresses available, the entire IPv4 address space fits in the last 32 bits of a single /96 IPv6 prefix. RFC 6052 defines the Well-Known Prefix to use for this, 64:ff9b::/96. From there every IPv4 address can be written as an IPv6 address: the prefix followed by the 32 bits of the IPv4 address.

Now what?

Now we can be an honest DNS resolver for the clients asking us questions, or... we can slip in a tiny little lie. If the resolver finds an AAAA record for the host it simply sends it to the client; since we speak IPv6 we can connect directly and everything is fine. If there is no AAAA record, it resolves the A record of the host instead. From that IPv4 address it synthesizes the RFC 6052 IPv6 address and sends that back to the client.

We can now always answer our clients with an IPv6 address. Of course, if the host has neither AAAA nor A records we pass the negative answer through: NXDOMAIN if the name does not exist, an empty answer if the name exists without address records. One caveat worth knowing: a synthesized AAAA record is not signed by the zone owner, so a client that validates DNSSEC on its own will reject it; validation has to happen on the DNS64 resolver itself.

NAT64

NAT64 (RFC 6146) is, well, as the name suggests, a NAT from IPv6 to IPv4. The server running it has both IPv6 and IPv4 connectivity and makes the junction between the two. It sits at the edge of both networks and allows a host holding only an IPv6 address to contact a host reachable only via IPv4. It does so by accepting, on its IPv6 interface, traffic destined to the aforementioned prefix. It then strips the /96 prefix, takes the remaining 32 bits as the IPv4 destination, and rewrites the packet into an IPv4 packet with its own IPv4 address as source, keeping a translation table so the replies can be mapped back to the right client. So if we route 64:ff9b::/96 towards one of its interfaces, it will forward the traffic to the right IPv4 host.

Example

Let's say we have an IPv6-only host. In its network configuration we set the DNS resolver to our DNS64, so that whenever it resolves a domain name the DNS64 can interfere. The

For example, at the time of writing, pinging the domain name benoit-dardelet.fr yields the public IP 35.185.44.232. If there were no AAAA record, the DNS64 would answer 64:ff9b::23b9:2ce8 to your request: 35.185.44.232 written in hexadecimal, one byte at a time, is 23.b9.2c.e8, so the last 32 bits of the address are 23b9:2ce8. Your computer would then try to contact this IP and the packets would be routed to the NAT64 instance. The NAT64 would seamlessly rewrite the source IP to its own public IPv4 address and the destination to 35.185.44.232. Your computer would be none the wiser and everyone would be happy!
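To make the two mappings concrete, here is an added Python example (mine, not code from this blog or from any DNS64/NAT64 implementation) that performs the RFC 6052 embedding a DNS64 does and the reverse extraction a NAT64 does, then runs a toy DNS64 decision over constructed records. The zone data, the name 2001:db8:64::/96 used as a network-specific prefix, and the helper names are all assumptions for illustration; the 35.185.44.232 to 64:ff9b::23b9:2ce8 mapping is the one from the text.

```python
"""RFC 6052 address embedding as done by DNS64 (synthesis) and NAT64 (extraction).

Added worked example; not the blog author's code. Records below are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Union

# RFC 6052 Well-Known Prefix: all of IPv4 fits in the low 32 bits of this /96.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

PrefixLike = Union[str, ipaddress.IPv6Network]


def _as_prefix(prefix: PrefixLike) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    return net


def dns64_synthesize(ipv4: str, prefix: PrefixLike = WELL_KNOWN_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 prefix (what DNS64 puts in AAAA).

    RFC 6052 section 3.1 forbids representing non-global IPv4 addresses
    (RFC 1918 space, loopback, ...) behind the Well-Known Prefix, so refuse
    that; an operator's own network-specific prefix has no such rule.
    """
    net = _as_prefix(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    if net == WELL_KNOWN_PREFIX and not v4.is_global:
        raise ValueError(f"{v4} is not global, refusing to map it behind 64:ff9b::/96")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(v4)))


def nat64_extract(ipv6: str, prefix: PrefixLike = WELL_KNOWN_PREFIX) -> Optional[str]:
    """Undo the embedding: the IPv4 destination a NAT64 forwards to,
    or None when the packet is not addressed to the translation prefix."""
    net = _as_prefix(prefix)
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in net:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


# Constructed zone data standing in for real upstream answers (hypothetical names).
Records = Dict[str, Dict[str, List[str]]]
SAMPLE_RECORDS: Records = {
    "v4only.example": {"A": ["35.185.44.232"]},
    "dual.example": {"A": ["203.0.113.10"], "AAAA": ["2001:db8::10"]},
    "empty.example": {},  # name exists but has no address records (NODATA)
}


def dns64_answer(name: str, records: Records,
                 prefix: PrefixLike = WELL_KNOWN_PREFIX) -> Optional[List[str]]:
    """Answer an AAAA query the DNS64 way.

    Real AAAA records win; if only A records exist, synthesize AAAA from them;
    if the name is unknown or has no address records, pass the negative answer
    through (None here; NXDOMAIN or an empty answer on the wire).
    """
    rrsets = records.get(name)
    if not rrsets:
        return None
    if rrsets.get("AAAA"):
        return list(rrsets["AAAA"])
    if rrsets.get("A"):
        return [dns64_synthesize(a, prefix) for a in rrsets["A"]]
    return None


if __name__ == "__main__":
    for qname in list(SAMPLE_RECORDS) + ["nxdomain.example"]:
        print(f"{qname:<18} AAAA -> {dns64_answer(qname, SAMPLE_RECORDS)}")
    synth = dns64_synthesize("35.185.44.232")
    print(f"NAT64: {synth} -> {nat64_extract(synth)}")
    print(f"NAT64: 2001:db8::1 -> {nat64_extract('2001:db8::1')}")
```

Run it as a script to see the three cases the text describes (real AAAA, synthesized AAAA, negative answer). The non-global check matters in practice: a DNS64 that maps 10.0.0.0/8 behind 64:ff9b::/96 would hand clients addresses the NAT64 cannot route anywhere sensible, which is why the well-known prefix is restricted to global IPv4 space.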

Limitations

Of course it comes with limitations, mainly two:

1. Applications that need IPv4 connectivity without going through DNS, typically by connecting to hard-coded IPv4 literals. DNS64 never sees a lookup for those, so nothing gets synthesized. The Steam client, for example, has a reputation for not updating or even launching without IPv4 connectivity.
2. Clients that use a different DNS resolver than the one handed out by DHCP, bypassing the DNS64 entirely.

Both can be annoying. For these reasons this tech is far more useful when you are in total control of your infrastructure.