I just got a few emails from an administrator of a medium-sized company, asking some IPv6 questions. They want to use IPv6 to reach the Internet, using two ISPs, while remaining IPv4-only on their internal networks. For whatever reason, they came across three different ideas that were almost completely wrong, speaking of a sound IPv6 design. But why? Maybe because IPv4 thinking is a bigger problem than we ever thought? Or because admins rely on firewall vendors (like Fortinet) that suggest completely wrong network approaches?
Let’s dig into some misconceptions concerning IPv6:
Starting Point
A medium network, only clients trying to reach the Internet, no publicly accessible servers. Two independent ISPs, offering full dual-stack, that is: public IPv4 addresses as well as two /56 prefixes for IPv6, one from each ISP. No own AS nor own IPv6 addresses, hence two different GUA /56 ranges. A FortiGate offering SDWAN technologies for redundancy and load sharing.
First (bad) idea: Staying on IPv4-only internally, using NAT for outgoing IPv6
Their first approach was to stay on IPv4-only addresses internally while using NAT46 to reach the public internet. Interesting. I never came across this idea. In theory, this is a nice approach, since you don’t have to do anything on your client-side while the router/firewall does some kind of NAT, as always, and leads to a public IPv6 connectivity. I’m not even sure, whether or not you could configure this kind of NAT46 on modern devices?
Anyway, this is not as it’s meant to be. The only valid approach is to use IPv6 on your clients! By doing that, you get IPv6 connections seamlessly from your client up to the server while omitting any unnecessary intermediary network features. NAT, in any case, has several drawbacks, such as costs (latency, session table) and complexity (in both configuration and troubleshooting).
Second (bad) idea: Using NAT66 rather than NPTv6
Now, since they want to use only one address space internally (rather than two from both ISPs), they need some kind of NAT to translate the internal addresses to the external ones, separated by ISP. Unluckily, rather than using NPTv6, which is exactly made to solve this problem, they tried to use NAT66, which has no use case at all. Honestly, why was NAT66 even made?
Everything related to IP addressing on the Internet should be unique and addressable. Yes, for this kind of SOHO, you need NAT. But please stay on NPTv6 for this. Why? Because it only translates the network portion of your IPv6 addresses to another network portion, while keeping the host portion as well as the upper-layer protocol numbers (TCP/UDP) the same. This makes it stateless, which requires less load on the router. There is no need to use NAT66, which translates the *whole* address to another, sometimes even set up with port address translation, which really makes absolutely no sense given the sheer number of IPv6 addresses. And no, NAT has nothing to do with security.
Third (bad) idea: Using ULA addresses
Of course, they have to use *some* address space internally. They came up with Unique Local Addresses (ULAs). Isn’t this the counterpart to the well-known RFC 1918 addresses for IPv4? No, it isn’t!
ULAs are not routable outside your internal networks. And they are not meant to be translated in order to reach the Internet. Even worse: In dual-stack scenarios, IPv6 ULAs are *less* preferred than IPv4 addresses, RFC 6724. That is: IPv6 won’t be used at all when ULAs are in place.
There are some more drawbacks of using ULAs:
- Though ULAs include a pseudo-random 40-bit global ID, if organizations don’t generate them properly, there’s a risk of collision during mergers, VPNs, or peering scenarios. Just the same as with RFC 1918 addresses for IPv4 which we all want to solve with IPv6.
- If ULAs and global unicast addresses (GUAs) are used together, routing and troubleshooting become more complex.
- ULAs are often perceived like IPv4 private addresses (e.g., 192.168.x.x), but they do not provide security at all. Relying on ULAs without proper security controls (like firewalls) can lead to exposure if misconfigured.
What would be a better IPv6 address selection for this SOHO situation? Either relying on one of the ISPs addresses (and NPT-ing them to the other ISP in case of a failure), or, even better, getting some own IPv6 prefixes through a sponsoring LIR or the like.
Why? Why? Why?
How do such false ideas come about when every book/article/lecture/podcast on IPv6 says exactly the opposite? One answer came from the admin himself:
Wow, this is, of course, a bummer. An inadequate product leads uninformed customers down the wrong path. This is really bad. Fortinet, why are you doing this?
Finally, googling for “private IPv6 addresses” still leads to many uncorrected posts, stating that ULAs are the solution, e.g. here, even under the “Cisco” keyword. This is terrifying. They aren’t! ULAs are for *local* stuff only, hence the name. They are not meant to be routed/NATted to the Internet at all. Don’t treat them like that.
What can we/I do?
Education! :) And talking to people, before they start using IPv6 on their own behalf. Hopefully, this blog will play its part.
Any other opinions? For sure. Please write some comments below. 👍🏻
Soli Deo Gloria!