
What Is NAT66?

IPv6-to-IPv6 Network Address Translation (NAT66) translates an IPv6 address prefix into another IPv6 address prefix. This technology enables IPv6 private network users to access the IPv6 public network and obtain resources while protecting their privacy and security.

Why Do We Need NAT66?

NAT Evolution

Due to the explosive growth of interconnected devices around the world, the IPv4 address space is insufficient to meet current and future requirements. NAT was introduced to solve this problem. However, with the development of Internet Protocol Version 6 (IPv6) technologies and government initiatives to actively promote IPv6 applications, IPv4 is gradually being replaced by IPv6.

With the upgrade of the IP network, NAT is evolving continuously. The following table describes different phases of NAT evolution.

Table 1-1 NAT Evolution

| Technology Name | Technical Principle | Core Value |
| --- | --- | --- |
| Traditional NAT | Changes the source IP address and port number of network data packets to implement communication between internal private networks and external public networks. | Solves the IPv4 address shortage problem. |
| NAT444 | Used on an Internet service provider (ISP) network to map a public IPv4 address to multiple private IPv4 addresses. | • Solves the IPv4 address shortage problem: Multiple users can share one public IPv4 address. • Improves security: The internal network can be hidden so that external networks cannot directly access devices on the internal network. |
| Dual-Stack Lite (DS-Lite) | Used to allow users with private IPv4 addresses to traverse the IPv6 network so that they can access the IPv4 public network based on IPv4 over IPv6 tunnels. | • Achieves IPv6 and IPv4 interworking: IPv4 networks can communicate with each other over IPv6 networks. • Reduces OPEX: Carriers do not need to construct or maintain dual-stack networks. |
| NAT64 | Helps new IPv6 single-stack users on the IPv6-dominant network traverse the IPv6 network to access residual IPv4 services. | • Underpins IPv6 and IPv4 interworking. • Improves security: NAT64 prevents external attacks and malicious access to protect network confidentiality and integrity. |

The core value of NAT is to solve the problem of insufficient IPv4 addresses and to improve security. As IPv6 is widely used, how does NAT evolve? And when IPv6 private network users access the public network, how does NAT protect user privacy?

NAT66 was introduced to protect the privacy of IPv6 private network users, save IPv6 addresses, and simplify configuration for network providers.

What Are the Core Values of NAT66?

When IPv6 private network users directly access the external IPv6 network to use external IPv6 public network resources, they may inadvertently expose their information. In addition, IPv6 addresses of private users are dynamically allocated, so direct communication with the external network involves complex configuration and is difficult to maintain. NAT66 meets both users' requirements for security and network providers' requirements for simplified configuration. The technical values of NAT66 are as follows:

  • Privacy and security protection for private IPv6 users

    NAT66 can translate private IPv6 addresses into public IPv6 addresses. Specifically, when an IPv6 private network user accesses the IPv6 public network to obtain resources, NAT66 can translate the source address of the user into a public address. In this manner, the source address of the IPv6 private network user is protected from being disclosed even if the translated public address is attacked. In addition, NAT66 can filter traffic based on IP addresses, UDP destination port numbers, and TCP destination port numbers. The characteristics of traffic that is considered attack traffic are added to the NAT66 blacklist, and NAT66 then filters out traffic that matches the blacklist to defend against attacks.

  • Simplified configuration

    Because NAT66 devices are deployed at the network edge, there is no need to modify the IP address configuration on private devices when the public address prefixes allocated to IPv6 private network users change. Instead, only the NAT66 configuration on the gateway needs to be modified. This simplifies the configuration and significantly reduces IPv6 network maintenance and management costs.

How Does NAT66 Work?

With the core values of NAT66 covered, this section explains how NAT66 works.

NAT66 Translation Modes

NAT66 has two translation modes: IPv6-to-IPv6 Network Prefix Translation (NPTv6) and static NAT66. The following table lists the differences between the two modes.

Table 1-2 Two NAT66 translation modes

| Translation Mode | IPv6 Address Prefix | Interface ID | Applicable Scenario |
| --- | --- | --- | --- |
| NPTv6 | After NAT66 is performed on the source IPv6 address, the IPv6 network prefix is replaced by a new network prefix. | According to the RFC, the offset value of the prefix change is added to the interface ID. | This mode applies to scenarios that involve many IPv6 addresses and that are not sensitive to the translated IP addresses. |
| Static NAT66 | After NAT66 is performed on the source IPv6 address, the IPv6 network prefix is replaced by a new network prefix. | Unchanged. | This mode applies to scenarios that are sensitive to translated IP addresses. |

The two NAT66 translation modes are similar; the difference is that NPTv6 adds the offset value of the prefix change to the interface ID.

NAT66 Translation Principles

The following figure shows the working principle of NAT66, which applies to both NPTv6 and static NAT66.

NAT66 working principle
When an IPv6 private network user attempts to obtain IPv6 public network resources, the NAT66 device performs the following operations:
  1. After receiving a packet from the host on the intranet, the NAT66 device matches the packet with the ACL traffic diversion policy and directs the packet to the service board.
  2. Based on the source IPv6 address of the packet, the service board searches for the prefix mapping configured in the NAT66 instance and performs NAT66. The translated address varies according to the NAT66 translation mode (NPTv6 or static NAT66). When NPTv6 is used, the configured extranet prefix replaces the prefix of the source address. According to the RFC, the offset value of the prefix change is added to the interface ID to complete the conversion of the IPv6 interface ID. When static NAT66 is used, the prefix of the source address is replaced with the configured extranet prefix, a session entry is generated, and then the packet is forwarded to the public network.
  3. After receiving a packet from the web server, the NAT66 device searches the sessions for the entry generated in Step 2. The device then translates the destination address of the packet accordingly, and forwards the packet to the intranet host.
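
The address rewriting in Step 2 and its reversal in Step 3 can be reproduced offline. The following Python sketch is an added example, not code from the original page or from any vendor implementation. It assumes /64 prefixes built from the page's example addresses, and for NPTv6 it follows the checksum-neutral mapping of RFC 6296 (the RFC that defines NPTv6); the function names are hypothetical.

```python
import ipaddress
from functools import reduce

# Prefixes from the page's example; the /64 length is an assumption of this example.
INTERNAL, EXTERNAL = "2001:db8:1::", "2001:db8:2::"

def words(addr):
    """Split an IPv6 address into eight 16-bit words."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def join(ws):
    """Rebuild the compressed text form from eight 16-bit words."""
    n = 0
    for w in ws:
        n = (n << 16) | w
    return str(ipaddress.IPv6Address(n))

def add1(a, b):
    """16-bit one's-complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def csum(ws):
    """One's-complement sum of a list of 16-bit words."""
    return reduce(add1, ws, 0)

def static_nat66(addr, new_prefix):
    """Static NAT66: replace the /64 prefix, leave the interface ID unchanged."""
    return join(words(new_prefix)[:4] + words(addr)[4:])

def nptv6(addr, from_prefix, to_prefix):
    """NPTv6 (/64): replace the prefix, then add the prefix offset to the IID."""
    src, dst = words(from_prefix)[:4], words(to_prefix)[:4]
    w = words(addr)
    if w[:4] != src:
        raise ValueError("address is outside the configured prefix")
    if not any(w[4:]):
        raise ValueError("all-zero interface ID: RFC 6296 drops these")
    adjustment = add1(csum(src), ~csum(dst) & 0xFFFF)  # "from" minus "to"
    out = dst + w[4:]
    for i in range(4, 8):  # adjust the first IID word that is not 0xFFFF
        if out[i] != 0xFFFF:
            s = add1(out[i], adjustment)
            out[i] = 0 if s == 0xFFFF else s
            break
    else:
        raise ValueError("no adjustable IID word (this example's choice)")
    return join(out)
```

For the page's host 2001:db8:1::1, `static_nat66` returns 2001:db8:2::1, while `nptv6` returns 2001:db8:2:0:fffe::1; calling `nptv6` with the prefixes swapped restores the original address, which is the return-path translation. In both modes only the prefix (and, for NPTv6, one 16-bit word) changes; the remaining interface ID bits pass through unchanged.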

Application of IPv6 Private Network Users Accessing the Public Network Through NAT66

NAT66 is mainly used in scenarios where IPv6 private network users access IPv6 public network resources. On the network shown in the following figure, NAT66 is deployed on the core router (CR) or service router (SR) and triggered by traffic to allocate a public IPv6 address to the user. The address prefix of an IPv6 private network user is 2001:db8:1::1. To hide the user address and protect privacy, a NAT66 device can be used to translate the IPv6 address prefix used by the private network user into 2001:db8:2::1.

Networking diagram for IPv6 private network users to access the public network through NAT66

About This Topic
  • Author: Guo Yuhan
  • Updated on: 2023-12-13