Bad IPv6 Approaches

IPv6, , , , , , , , , , ,

I just got a few emails from an administrator of a medium-sized company, asking some IPv6 questions. They want to use IPv6 to reach the Internet, using two ISPs, while remaining IPv4-only on their internal networks. For whatever reason, they came across three different ideas that were almost completely wrong, speaking of a sound IPv6 design. But why? Maybe because IPv4 thinking is a bigger problem than we ever thought? Or because admins rely on firewall vendors (like Fortinet) that suggest completely wrong network approaches?

Let’s dig into some misconceptions concerning IPv6:

Starting Point

A medium network, only clients trying to reach the Internet, no publicly accessible servers. Two independent ISPs, offering full dual-stack, that is: public IPv4 addresses as well as two /56 prefixes for IPv6, one from each ISP. No own AS nor own IPv6 addresses, hence two different GUA /56 ranges. A FortiGate offering SDWAN technologies for redundancy and load sharing.

First (bad) idea: Staying on IPv4-only internally, using NAT for outgoing IPv6

Their first approach was to stay on IPv4-only addresses internally while using NAT46 to reach the public internet. Interesting. I never came across this idea. In theory, this is a nice approach, since you don’t have to do anything on your client-side while the router/firewall does some kind of NAT, as always, and leads to a public IPv6 connectivity. I’m not even sure, whether or not you could configure this kind of NAT46 on modern devices?

Anyway, this is not as it’s meant to be. The only valid approach is to use IPv6 on your clients! By doing that, you get IPv6 connections seamlessly from your client up to the server while omitting any unnecessary intermediary network features. NAT, in any case, has several drawbacks, such as costs (latency, session table) and complexity (in both configuration and troubleshooting).

Second (bad) idea: Using NAT66 rather than NPTv6

Now, since they want to use only one address space internally (rather than two from both ISPs), they need some kind of NAT to translate the internal addresses to the external ones, separated by ISP. Unluckily, rather than using NPTv6, which is exactly made to solve this problem, they tried to use NAT66, which has no use case at all. Honestly, why was NAT66 even made?

Everything related to IP addressing on the Internet should be unique and addressable. Yes, for this kind of SOHO, you need NAT. But please stay on NPTv6 for this. Why? Because it only translates the network portion of your IPv6 addresses to another network portion, while keeping the host portion as well as the upper-layer protocol numbers (TCP/UDP) the same. This makes it stateless, which requires less load on the router. There is no need to use NAT66, which translates the *whole* address to another, sometimes even set up with port address translation, which really makes absolutely no sense given the sheer number of IPv6 addresses. And no, NAT has nothing to do with security.

Third (bad) idea: Using ULA addresses

Of course, they have to use *some* address space internally. They came up with Unique Local Addresses (ULAs). Isn’t this the counterpart to the well-known RFC 1918 addresses for IPv4? No, it isn’t!

ULAs are not routable outside your internal networks. And they are not meant to be translated in order to reach the Internet. Even worse: In dual-stack scenarios, IPv6 ULAs are *less* preferred than IPv4 addresses, RFC 6724. That is: IPv6 won’t be used at all when ULAs are in place.

There are some more drawbacks of using ULAs:

  • Though ULAs include a pseudo-random 40-bit global ID, if organizations don’t generate them properly, there’s a risk of collision during mergers, VPNs, or peering scenarios. Just the same as with RFC 1918 addresses for IPv4 which we all want to solve with IPv6.
  • If ULAs and global unicast addresses (GUAs) are used together, routing and troubleshooting become more complex.
  • ULAs are often perceived like IPv4 private addresses (e.g., 192.168.x.x), but they do not provide security at all. Relying on ULAs without proper security controls (like firewalls) can lead to exposure if misconfigured.
Use ULAs only when truly necessary. For most enterprise and production environments, relying on properly planned and secured global unicast addresses (GUAs) offers better long-term scalability, visibility, and interoperability.

What would be a better IPv6 address selection for this SOHO situation? Either relying on one of the ISPs addresses (and NPT-ing them to the other ISP in case of a failure), or, even better, getting some own IPv6 prefixes through a sponsoring LIR or the like.

Why? Why? Why?

How do such false ideas come about when every book/article/lecture/podcast on IPv6 says exactly the opposite? One answer came from the admin himself:

If I add a policy on a FortiGate, NAT is preselected; hence, I thought, this is the way to go.

Wow, this is, of course, a bummer. An inadequate product leads uninformed customers down the wrong path. This is really bad. Fortinet, why are you doing this?

Another answer may be IPv4 thinking in general: Private IPv4 addresses and NATs are the standard everywhere – and since only the addresses change, everything else stays the same, right? Well, unfortunately fortunately, not. Neither private addresses nor NATs are good by themselves. They solve problems within the IPv4 scarcity, but we don’t need them anymore with IPv6. That’s the big deal!

Finally, googling for “private IPv6 addresses” still leads to many uncorrected posts, stating that ULAs are the solution, e.g. here, even under the “Cisco” keyword. This is terrifying. They aren’t! ULAs are for *local* stuff only, hence the name. They are not meant to be routed/NATted to the Internet at all. Don’t treat them like that.

What can we/I do?

Education! :) And talking to people, before they start using IPv6 on their own behalf. Hopefully, this blog will play its part.

Any other opinions? For sure. Please write some comments below. 👍🏻

Soli Deo Gloria!

Photo by Nik on Unsplash.

6 thoughts on “Bad IPv6 Approaches

  1. Fun fact, the fortigate nat checkbox troubled one of my customers as well. Uneducated and not knowing-what-they-do, they left the nat checkbox in place after setting up an ipsec tunnel security rule for site to site communication.
    The result?
    Traffic from the subsidiary coming over the tunnel now originated on the main data center firewall, e.g. in wireshark it looked like the DC firewall is trying to print stuff on the print server. Yaay!

    Reply

  2. HI, there!

    For solution #1, note that you’ll normally have state anyway, because it is extremely likely that even if the middlebox doesn’t do NAT, you want it to operate as a firewall that only allows outgoing connections.

    RE Solution #2, some like NAT66 because:
    * It paralells ipv4, and everyone is too busy to learn something new, that it’s not very related to their business.
    * If you have NAT66, you get the diode firewall by default. — yes, you could also do NPT and *firewalling* (but see the previous bullet)
    * Some like the addresses to be masqueraded, and for each address not to be easily mapped to the device that is using it. (yes, you could do RFC8981… but see the first bullet)

    RE Solution #3:
    Address spaces requires time and money. So yes, it’s doable for some organizations, but not for others. Then “relying on one ISPs address space and NPTing the other” means e.g. that you still have to deal with RFC8978. — something they would avoid with ULAs + NPT.

    My note here is:
    * For a lot of organizations, IPv6 is not in the top 10 of the problems they have. As such, do not expect them to spent a lot of time learning about IPv6 internals, or learning about best approaches to do things.

    * And in the same light, where making IPv6 robust has been (or should have been a priority to us (or the IETF), we still have things such as RFC8978 or https://www.ietf.org/archive/id/draft-gont-v6ops-multi-ipv6-02.html .
    i.e. we (IETF) haven’t done a great job in our area, either.

    Cheers!

    Reply

  3. You could make option one work, but it would require a DNS46 in the network.

    The funny thing is you list three bad options, but no good ones. No fault of yours of course, since there really isn’t one.

    Reply

    1. Well, to my mind, I am listing at least some “not so bad” options:
      1) staying on IPv4-only –> use IPv6 on your clients
      2) NAT66 –> NPTv6, or even better –> no NAT at all
      3) ULAs –> GUAs

      ;)

      Reply

  4. NPTv6 or/and NAT66 is not required if you have your own IPv6 Prefixes and ASN.
    ULA and NPTv6 is useless if you have Dual-Stack, because any IPv4 address (Private or Public) will be preferred over IPv6 ULA for outgoing connections.

    So, to summarize – everyone MUST get it’s own ASN and IPv6 prefixes!!

    Reply

    1. True, but then if everyone did that global routing would not scale.
      A lot of work on this in the routing working group in the IRTF, culminating with ILNP.
      https://datatracker.ietf.org/doc/rfc6227/

      I have a plan to write more about these shortcomings with IPv6 in my blog series:
      https://ipv6.hanazo.no/posts/ipv6-missed-opportunities-1/

      But you are right, the only pragmatically available answer right now is ASN with PI or NAT. For the latter you are ironically better off running with 3fff::/20 or 2001:db8::/32 instead of ULA.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *