NPTv6

NPTv6 (Network Prefix Translation) according to RFC 6296 allows the translation of one IPv6 prefix to another IPv6 prefix. The translation is 1:1, in that an address from prefix A is mapped to an address from prefix B. Only the prefix part is mapped; the host part is retained. The method is therefore stateless. Unlike with IPv4, NPTv6 cannot be used to mask an entire network behind a single address.

Application scenarios for NPTv6 are, for example, VPNs or networks with dynamic prefixes that should be reachable regardless of the public address. If the provider assigns a dynamic prefix, the prefix usually changes every time a connection is established. This is not desirable if certain resources require fixed IP addresses. With NPTv6, addresses from the (private) ULA range fd00::/8 are then assigned to the clients in the network and an NPTv6 rule maps these addresses to the provider prefix.

Another use case is a load balancer scenario with several Internet providers, with each provider assigning its own prefix. With NPTv6, addresses from the ULA range fd00::/8 are assigned to the clients in the network and a number of NPTv6 rules map these addresses to the provider prefixes.

NPTv6 guarantees checksum neutrality, i.e. the translated IPv6 address is modified so that the checksum in the IPv6 packet does not have to be adjusted. An address X is therefore not converted exactly 1:1 to address Y; instead, 16 bits have to be encoded in the address during conversion to keep the checksum neutral.

The position of the 16 bits depends on the prefixes that are to be converted. For prefixes longer than 48 bits, e.g. /56 or /60, part of the interface identifier is also changed during mapping due to checksum neutrality (16 bits). This affects access from outside to internal stations in the LAN. Only with prefixes that are 48 bits or shorter, e.g. /48 or /40, can the 16 bits be encoded in the prefix.

For dynamic prefixes, the 16 bits change with each new prefix assignment. External access to the internal network is therefore only possible with a static provider prefix, since the entire address changes when the 16 bits are changed.

Trouble-free external access to stations in the LAN is therefore only possible with a static /48 provider prefix, because in that case the IPv6 addresses of the internal stations remain unchanged after conversion by the router.
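The checksum-neutral mapping described above, as an added Python example that follows the RFC 6296 algorithm and is not LANCOM code. The function name npt_map and all prefixes and addresses are constructed sample values; it shows where the 16 bits land for a /48 and for a /56 prefix.

```python
import ipaddress

def words(n):
    """Split a 128-bit integer into eight 16-bit words."""
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def csum(ws):
    """Ones' complement sum of 16-bit words (0xFFFF and 0 are the same value)."""
    return sum(ws) % 0xFFFF

def npt_map(addr, src_prefix, mapped_prefix):
    """Map addr from src_prefix to mapped_prefix, keeping the checksum neutral."""
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(mapped_prefix)
    ip = ipaddress.IPv6Address(addr)
    if src.prefixlen != dst.prefixlen or ip not in src:
        raise ValueError("prefix lengths differ or address not in source prefix")
    old = words(int(ip))
    # Replace the prefix bits, keep everything behind the prefix.
    new = words(int(dst.network_address) | (int(ip) & int(src.hostmask)))
    if src.prefixlen <= 48:
        idx = 3  # bits 48..63: the 16 bits fit into the subnet part
    else:
        # Longer prefix: use the first interface-identifier word that is not 0xFFFF.
        idx = next((i for i in range(4, 8) if old[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("no interface-identifier word available")
    new[idx] = 0
    new[idx] = (csum(old) - csum(new)) % 0xFFFF  # restore the original sum
    return ipaddress.IPv6Address(sum(w << (112 - 16 * i) for i, w in enumerate(new)))

def iid(addr):
    """Lower 64 bits (interface identifier) of an address."""
    return int(ipaddress.IPv6Address(addr)) & (2**64 - 1)

if __name__ == "__main__":
    host = "fd01:203:405:1::1234"  # constructed internal address
    # /48: interface identifier survives, 16 bits land in the subnet word
    print(npt_map(host, "fd01:203:405::/48", "2001:db8:1::/48"))
    # New provider prefix: the 16 bits (and thus the address) change too
    print(npt_map(host, "fd01:203:405::/48", "2001:db8:2::/48"))
    # /56: the 16 bits are written into the interface identifier
    print(npt_map("fd01:203:405:1ab::1234", "fd01:203:405:100::/56", "2001:db8:1:200::/56"))
```
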

A possible solution for access from the outside with NPTv6 with dynamic prefixes and prefixes longer than /48 is to use a DynDNS client directly on the station in the LAN. The client does not insert its own address in the update URL; instead, the provider registers the IP address it receives.

Important: The IPv6 firewall must be enabled for NPTv6.

The configuration in LANconfig is done under Firewall/QoS > IPv6 Rules > NPTv6.

Interface name
Name of the network or the peer on which NPTv6 is to be performed. If a prefix is to be mapped for a dynamic provider prefix, the name of the Internet connection or peer has to be configured here, e.g. INTERNET.
Source prefix
Source network prefix, e.g. an explicit prefix fd00::/64.
Mapped prefix
Prefix that the source prefix is mapped to. Here you can configure either an explicit prefix such as 2001:db8::/32, or the placeholder :: with the appropriate prefix length in the case that the provider assigns a dynamic prefix.

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
