IPv6 Transition: Dual-Stack, NAT64, DNS64, 6to4, ISATAP, IPv6 Addressing Plan and Migration Strategy
IPv6 transition is the process of moving from IPv4 to IPv6 smoothly. Dual-stack runs IPv4 and IPv6 side by side, NAT64 translates IPv6 to IPv4, DNS64 creates synthetic AAAA records, 6to4 and ISATAP are tunneling mechanisms, the IPv6 addressing plan lays out the address scheme, and the migration strategy sets out how the whole organization moves.
IPv4 addresses really have run out: IANA handed out the last /8 in 2011, APNIC (Asia) ran out in 2011, RIPE (Europe) ran out in 2012, and ARIN (Americas) ran out in 2015. Today, IPv4 is bought on the secondary market at $50-60 per IP (vs. free for IPv6). Over 45% of Google traffic is already IPv6, and most mobile carriers use IPv6 as their primary protocol. Organizations that do not plan for IPv6 will run into problems: NAT complexity, IPv4 that costs more to buy every year, and incompatibility with IPv6-only services.
IPv6 vs IPv4
| Feature | IPv4 | IPv6 |
|---|---|---|
| Address Size | 32-bit (4.3 billion addresses) | 128-bit (340 undecillion addresses) |
| Address Format | 192.168.1.1 (dotted decimal) | 2001:db8::1 (hexadecimal, colon-separated) |
| NAT | Required (private + public NAT) | Not needed — every device gets global address |
| Header | Variable length, 12+ fields | Fixed 40 bytes, 8 fields (simpler, faster processing) |
| Broadcast | Yes (broadcast storms possible) | No broadcast — multicast and anycast instead |
| Auto-Config | DHCP required | SLAAC (Stateless Address Auto-Configuration) built-in |
| IPsec | Optional | Mandatory in standard (though not always enforced) |
Transition Mechanisms
| Mechanism | Type | How | Use Case |
|---|---|---|---|
| Dual-Stack | Coexistence | Run IPv4 and IPv6 simultaneously on all devices | Recommended — gradual migration, both protocols work |
| NAT64 | Translation | Translate IPv6 packets to IPv4 (stateful NAT) | IPv6-only clients accessing IPv4-only servers |
| DNS64 | Translation | Synthesize AAAA records for IPv4-only domains | Works with NAT64 — client queries DNS64 → gets synthetic IPv6 → NAT64 translates |
| 464XLAT | Translation | CLAT (client-side NAT46) + PLAT (provider NAT64) | Mobile carriers — IPv6-only network + 464XLAT for IPv4 apps |
| 6to4 | Tunneling | Encapsulate IPv6 in IPv4 (automatic tunnels) | Deprecated — unreliable, security issues |
| 6in4 / GRE | Tunneling | Manual tunnel: IPv6 packets inside IPv4 tunnel | Site-to-site when underlay is IPv4-only |
| ISATAP | Tunneling | Intra-site automatic tunnel addressing | Deprecated — was used for enterprise internal transition |
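How a DNS64 resolver builds the synthetic AAAA record and how the NAT64 gateway recovers the IPv4 destination from it, as an added Python example that is not part of the original article. It follows the RFC 6052 address format (which the article does not name) and goes beyond the single /96 case to all six allowed prefix lengths; the function names are illustrative, and 64:ff9b::/96 is the RFC 6052 well-known prefix.

```python
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052 well-known prefix
ALLOWED = (32, 40, 48, 56, 64, 96)            # prefix lengths RFC 6052 permits

def _check(prefix):
    prefix = ipaddress.IPv6Network(prefix)
    if prefix.prefixlen not in ALLOWED:
        raise ValueError("NAT64 prefix must be /32, /40, /48, /56, /64 or /96")
    return prefix

def embed(v4, prefix):
    """DNS64 side: place the IPv4 address inside the NAT64 prefix."""
    v4, prefix = ipaddress.IPv4Address(v4), _check(prefix)
    if prefix == WKP and not v4.is_global:
        # RFC 6052: the well-known prefix must not carry non-global IPv4.
        raise ValueError("well-known prefix must not carry non-global IPv4")
    raw = bytearray(prefix.network_address.packed)
    pos = prefix.prefixlen // 8
    for byte in v4.packed:
        if pos == 8:              # bits 64-71 (the "u" octet) stay zero
            pos += 1
        raw[pos] = byte
        pos += 1
    return ipaddress.IPv6Address(bytes(raw))

def extract(v6, prefix):
    """NAT64 side: recover the IPv4 destination from the IPv6 address."""
    v6, prefix = ipaddress.IPv6Address(v6), _check(prefix)
    if v6 not in prefix:
        raise ValueError("address is outside the NAT64 prefix")
    pos, out = prefix.prefixlen // 8, bytearray()
    while len(out) < 4:
        if pos == 8:              # skip the "u" octet
            pos += 1
        out.append(v6.packed[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(out))

def dns64_answer(a_records, aaaa_records, prefix):
    """Pass real AAAA records through; synthesize only when none exist."""
    if aaaa_records:
        return [ipaddress.IPv6Address(a) for a in aaaa_records]
    return [embed(a, prefix) for a in a_records]
```

The refusal in embed() matters operationally: synthesizing well-known-prefix addresses for private IPv4 space would steer internal destinations through the translator.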
IPv6 Addressing Plan
| Level | Allocation | Example |
|---|---|---|
| ISP Allocation | /32 from RIR (Regional Internet Registry) | 2001:db8::/32 (ISP’s total allocation) |
| Per Site | /48 per site (standard recommendation) | 2001:db8:0001::/48 = Site Bangkok |
| Per VLAN/Subnet | /64 per VLAN (required for SLAAC) | 2001:db8:0001:000a::/64 = VLAN 10 at Bangkok |
| Point-to-Point | /127 for router links (RFC 6164) | 2001:db8:0001:ffff::/127 = router P2P link |
| Loopback | /128 per router loopback | 2001:db8:0001::1/128 = router loopback |
| Infrastructure | Reserve specific /48 or /56 for infrastructure | 2001:db8:00ff::/48 = management/infrastructure |
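The addressing scheme in the table, generated and checked with Python's ipaddress module. This is an added example, not part of the original article; the function names, the role labels and the entries in PLAN are constructed for illustration, with site 1 standing for Site Bangkok.

```python
import ipaddress

# 2001:db8::/32 is the documentation prefix the article uses as the ISP allocation.
ALLOCATION = ipaddress.IPv6Network("2001:db8::/32")
ROLE_LENGTH = {"vlan": 64, "p2p": 127, "loopback": 128}

def site_prefix(site_id):
    """Site N is the Nth /48 of the /32 (site 1 -> 2001:db8:1::/48)."""
    if not 0 <= site_id <= 0xFFFF:
        raise ValueError("site id must fit in 16 bits")
    base = int(ALLOCATION.network_address) | (site_id << 80)
    return ipaddress.IPv6Network((base, 48))

def vlan_prefix(site_id, vlan_id):
    """The VLAN id becomes the fourth hextet (VLAN 10 -> :000a:)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1-4094")
    base = int(site_prefix(site_id).network_address) | (vlan_id << 64)
    return ipaddress.IPv6Network((base, 64))

def p2p_links(site_id, count):
    """Carve /127 router links out of the site's ffff::/64, as in the table."""
    base = int(site_prefix(site_id).network_address) | (0xFFFF << 64)
    links = ipaddress.IPv6Network((base, 64)).subnets(new_prefix=127)
    return [next(links) for _ in range(count)]

def audit(plan):
    """Check (name, role, prefix): inside allocation, right length, no overlap."""
    findings, seen = [], []
    for name, role, text in plan:
        net = ipaddress.IPv6Network(text)   # strict parsing rejects host bits
        want = ROLE_LENGTH[role]
        if not net.subnet_of(ALLOCATION):
            findings.append(f"{name}: outside {ALLOCATION}")
        if net.prefixlen != want:
            findings.append(f"{name}: {role} must be /{want}, got /{net.prefixlen}")
        findings += [f"{name}: overlaps {o}" for o, n in seen if net.overlaps(n)]
        seen.append((name, net))
    return findings

# Constructed plan entries; the last two contain deliberate mistakes.
PLAN = [
    ("bkk-vlan10", "vlan", str(vlan_prefix(1, 10))),
    ("bkk-core-link", "p2p", str(p2p_links(1, 1)[0])),
    ("bkk-r1-lo0", "loopback", "2001:db8:1::1/128"),
    ("bkk-vlan20", "vlan", "2001:db8:1:14::/80"),   # too long for SLAAC
    ("bkk-guest", "vlan", "2001:db8:1:a::/64"),     # reuses VLAN 10's prefix
]
```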
Migration Strategy
| Phase | Action | Duration |
|---|---|---|
| 1. Assessment | Inventory: which devices/apps support IPv6? Identify gaps (legacy systems, IoT) | 1-3 months |
| 2. Planning | IPv6 addressing plan, dual-stack design, training, budget, timeline | 1-2 months |
| 3. Lab Testing | Test dual-stack on lab network, verify applications, test security policies | 1-2 months |
| 4. Core First | Enable IPv6 on core/backbone routers, WAN links, DNS servers | 1-3 months |
| 5. Distribution/Access | Enable dual-stack on distribution switches, access layer, DHCP/SLAAC | 3-6 months |
| 6. Services | Enable IPv6 on web servers, email, DNS, load balancers, firewalls | 3-6 months |
| 7. IPv6-Preferred | Make IPv6 primary, IPv4 as fallback — monitor and optimize | Ongoing |
IPv6 Security Considerations
| Risk | Description | Mitigation |
|---|---|---|
| Rogue RA | Attacker sends fake Router Advertisement → redirect traffic | RA Guard on switches, SEND (Secure Neighbor Discovery) |
| IPv6 Tunnels | 6to4/Teredo tunnels bypass IPv4 firewall (IPv6 inside IPv4) | Block protocol 41, block Teredo (UDP 3544) at firewall |
| Dual-Stack Exposure | IPv6 enabled but no firewall rules → open to attack via IPv6 | Mirror all IPv4 firewall rules to IPv6, audit both stacks |
| NDP Spoofing | Like ARP spoofing but for IPv6 Neighbor Discovery | NDP inspection, dynamic IPv6 snooping on switches |
| Extension Headers | IPv6 extension headers can be used to evade IDS/firewall | Inspect extension headers, block unusual combinations |
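One way to carry out the "audit both stacks" mitigation for dual-stack exposure: compare the saved IPv4 and IPv6 rulesets and list where IPv6 is looser. This is an added Python example, not part of the original article; both dumps are constructed samples in iptables-save / ip6tables-save format, and only default policies and port-based ACCEPT rules on INPUT are compared.

```python
import shlex

# Constructed rule dumps (not from the article).
V4_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
V6_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

def parse(dump):
    """Return ({chain: default policy}, {(proto, dport)} accepted on INPUT)."""
    policies, accepted = {}, set()
    for line in dump.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A INPUT "):
            tok = shlex.split(line)
            arg = lambda flag: tok[tok.index(flag) + 1] if flag in tok else None
            # Rules without a destination port (conntrack, loopback) are skipped.
            if arg("-j") == "ACCEPT" and arg("--dport"):
                accepted.add((arg("-p"), arg("--dport")))
    return policies, accepted

def audit(v4_dump, v6_dump):
    """List where the IPv6 ruleset is looser than, or differs from, IPv4."""
    (pol4, acc4), (pol6, acc6) = parse(v4_dump), parse(v6_dump)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if pol6.get(chain) == "ACCEPT" and pol4.get(chain) != "ACCEPT":
            findings.append(f"{chain}: IPv6 default ACCEPT, IPv4 default {pol4.get(chain)}")
    findings += [f"{p}/{d}: accepted on IPv6 only" for p, d in sorted(acc6 - acc4)]
    findings += [f"{p}/{d}: accepted on IPv4 only" for p, d in sorted(acc4 - acc6)]
    return findings
```

A literal mirror is not sufficient on its own: the IPv6 ruleset also has to permit the ICMPv6 messages that Neighbor Discovery relies on.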
Closing: IPv6 Transition = Not If, But When and How
IPv6 Transition
Why: IPv4 exhausted ($50-60/IP in secondary market), 45%+ Google traffic is IPv6, mobile carriers IPv6-first
Mechanisms: dual-stack (recommended), NAT64/DNS64 (IPv6-only to IPv4), 464XLAT (mobile), tunneling (deprecated)
Addressing: /48 per site, /64 per VLAN (required for SLAAC), /127 P2P, /128 loopback — plan for summarization
Migration: assess → plan → lab test → core first → distribution/access → services → IPv6-preferred
Security: RA Guard, block tunnels (6to4/Teredo), mirror firewall rules to IPv6, NDP inspection
Key: every organization needs an IPv6 plan — dual-stack migration is safest, start from core and work outward