
Imagine an IPv4 setup like this, only on a much larger scale:

10.0.0.1 = NAT router
10.0.0.2 = Business Server A
10.0.0.3 = Business Server B
10.0.0.4 = Workstation A
10.0.0.5 = Workstation B
10.0.0.6 = Workstation C

The workstations access the servers with their IP address, easy. The workstations and servers access the router through the NAT router, easy.

Now, move to IPv6. No more NAT. You have something like this:

xxxx:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy:0001 = firewall
xxxx:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy:0002 = Business Server A
xxxx:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy:0003 = Business Server B
xxxx:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy:0004 = Workstation A
xxxx:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy:0005 = Workstation B
xxxx:xxxx:xxxx:yyyy:yyyy:yyyy:yyyy:0006 = Workstation C

I understand that the prefix is provided by your ISP. If you are using these to access your servers inside your location, and the prefix changes, you lose access (until you fix it). Or, assume that your modem or ISP is down for some reason and you lose the prefix because it can't hand it out. Or, maybe you want to quickly switch to a backup ISP with a CradlePoint or similar.

With IPv4, the ISP doesn't really matter; your internal devices never see your ISP-provided addresses. You can fairly easily switch ISPs in a moment by just swapping a cable around.

With IPv6, at least the way I understand it, without NAT the ISP now controls your internal IP addresses. Outside addresses changing might not be a big deal, but internal addresses changing would cause a large mess.

Many companies today use the solution to simply stay with IPv4.

What is the IPv6 solution to this scenario? I know that NAT=bad in lots of cases, but in this scenario, it literally keeps the internal network running.

JMain

  • Your business contract with the ISP should provide for a fixed IPv6 prefix (there are more than enough IPv6 addresses for that) that can be delegated to the various networks you need to use internally. Changing IPv6 addresses is normally limited to residential connections to keep the users within the residential contract that prohibits running servers to the public Internet. – Ron Maupin Sep 28 '20 at 20:28
  • Request your own block of IPv6 space [directly from ARIN](https://www.arin.net/resources/guide/ipv6/first_request/#enduser), assuming that's the relevant authority for your region, and have your providers route it. – Sep 28 '20 at 20:35
  • A whole lot of interesting and useful information can be found in the answers to [Switch to IPv6 and get rid of NAT? Are you kidding?](https://serverfault.com/q/184524/126632) and the related questions linked from it. – Michael Hampton Sep 28 '20 at 20:38
  • @RonMaupin Yes, until your ISP is down and you fail over to a CradlePoint ... at which point fixed prefixes are no longer fixed. – JMain Sep 28 '20 at 21:59
  • @yoonix That's a really expensive alternative to NAT. It's things like this that scare small businesses away from migrating to IPv6. Anything can be solved with lots of $$$. Or, it can be solved by not migrating. So, IPv4 sticks around for another 10-15 years. – JMain Sep 28 '20 at 22:00
  • Then you need provider-independent addressing from your RIR, and you need your ISP(s) to agree to advertise that from your network, meaning you need BGP between you and the providers. That is the same for IPv4 if you are using public IPv4 addressing as many businesses do. – Ron Maupin Sep 28 '20 at 22:01
  • "_That's a really expensive alternative to NAT._" Not really, and it allows you to change ISPs at any time as you take your addressing with you. Most companies I know that convert to IPv6 end up doing that at some point, especially after changing to a different ISP. It greatly simplifies things to own your own addressing, and it is not really expensive. – Ron Maupin Sep 28 '20 at 22:04

1 Answer

You can use Unique Local Addresses in addition to your global IPv6 addresses to provide connectivity within your internal network.

You simply pick a random ULA prefix (it must be random; don't try to use fd00:: or something you pulled out of your head; visit a ULA generator web page) and begin assigning subnets, starting from the edge and going inward, the same as you would for global subnets.

Note that ULA addresses cannot reach the global Internet or vice versa. The global addresses are still required for global connectivity. But purely internal communications can use the ULA addresses forever.

Michael Hampton
  • Ok, that seems reasonable for internal access. The remaining issue now is if you access internal servers from outside. I guess you could use DDNS on the GUA IP and it would simply work? Would using DDNS on GUA be the preferred solution to external access? – JMain Sep 28 '20 at 22:03
  • @JMain Yes, you can do DDNS. Better if you get your ISP to stop changing your prefix. They should not be doing that on a business connection, ever. – Michael Hampton Sep 28 '20 at 22:13