Maximizing IPv4 Utilization with IPv6-Only Data Centers and SIIT-DC
Few network environments are better suited to single-stack operation as data centers. Dual-stack operation with IPv4 and IPv6 running in parallel only causes an increased complexity and administrative overhead. There is very little reason to want to maintain two sets of ACLs, two addressing plans, two troubleshooting procedures, and so forth, when one is enough.
When designing a data center network, the question then becomes: IPv4 or IPv6?
There are advantages to both. For IPv4, the most important advantage is that essentially all applications support it, even legacy and unmaintained ones. On the other hand, globally unique IPv4 addresses are scarce and expensive. The natural workaround is to use private (RFC 1918) addresses instead. However, this is not without disadvantages of its own, particularly that it requires the introduction of stateful NAT devices in the network to translate between the global IPv4 Internet on the outside, and the private addresses used on the inside.
Another disadvantage is obviously that it is not particularly future-proof, as the global Internet slowly but steadily is migrating to IPv6.
So how about building an IPv6-only data center network instead? If there are no legacy IPv4-only applications to worry about, IPv6 is a sound choice. IPv6 addresses are plentiful and easy to come by, and are well supported by most modern operating systems and applications. If one starts out with IPv6, there will be no complicated IP version migration projects to lose sleep over in the future.
The only remaining thing to consider is how to enable IPv4-only end users on the Internet to access the services and applications hosted in the IPv6-only data center. One particularly neat way to do so is to use SIIT-DC – SIIT-DC: Stateless IP/ICMP Translation for IPv6 Data Center Environments (RFC 7755). SIIT-DC performs a stateless packet-by-packet conversion from IPv4 to IPv6 and vice versa, leaving the payload (typically TCP) intact. SIIT-DC provides the «glue» that makes it possible for an IPv4-only end user to communicate with an IPv6-only server.
A SIIT-DC translator contains a table with IPv4 and IPv6 address pairs, for example:
…and so on.
When the SIIT-DC translator receives an IPv4 packet destined for one of the IPv4 addresses in the table, it will remove the IPv4 header and replace it with an IPv6 header where the destination address is swapped according to the table. The source address of the IPv6 header will be the original IPv4 address of the end user, with a special 96-bit IPv6 prefix prepended.
This special prefix could be drawn from the data center operator’s own address pool, or use one of the special-use prefixes set aside in RFC 6052 and RFC 8215, such as 64:ff9b:1::/96.
For example: the IPv4 end user 203.0.113.123 wants to open www.example.org, which has a DNS IN A record of 198.51.100.1. The resulting TCP SYN packet is routed to a SIIT-DC translator, which translates it into an IPv6 packet with source address 64:ff9b:1::203.0.113.123 (64:ff9b:1::cb00:717b) and destination address 2001:db8:abcd::42.
The translated packet is forwarded to the IPv6 network, responded to normally by the web server, and routed back to a SIIT-DC translator, which performs the reverse translation. Connection established!
(What about IPv6-capable end users, though? They will of course instead connect directly to 2001:db8:abcd::42 according to www.example.org’s IN AAAA DNS record, bypassing the SIIT-DC translation system completely.)
Since SIIT-DC is stateless, there is no requirement that the IPv4→IPv6 translation is handled by the same device as the reverse IPv6→IPv4 translation. As long as they are all configured with the same IPv4/IPv6 translation table and 96-bit prefix, any number of them can be involved. They do not even have to be located in the same data center or network – there is no reason why one could not offer SIIT-DC as a service to other organizations across the public Internet.
Finally, SIIT-DC allows for maximum utilization of the available IPv4 addresses. You might have noticed that the example translation table started with a «.0» address – that was no mistake. SIIT-DC can use every single address assigned to it, there is no overhead caused by network and broadcast addresses and so on. Considering how scarce public IPv4 addresses are nowadays, it is important to make the most of the public IPv4 addresses one has access to.
If you are planning on building a data center in the future, I hope you will consider making it an IPv6-only one, and that SIIT-DC will be able to help you accomplish this.
If you would like to play around with SIIT-DC, a good place to start is by downloading Jool, an open-source implementation for Linux developed at NIC México and Tecnológico de Monterrey.
*Tore Anderson is a senior network architect at Norwegian cloud provider Redpill Linpro. He has long taken a special interest in IPv6 and data center networking, subjects he has authored several RFCs about.