The Stateful NAT64 feature provides a translation mechanism that translates IPv6 packets into IPv4 packets and vice versa.

Stateful NAT64 supports Internet Control Message Protocol (ICMP), TCP, and UDP traffic. Packets that are generated in an IPv6 network and are destined for an IPv4 network are routed within the IPv6 network towards the Stateful NAT64 translator. Stateful NAT64 translates the packets and forwards them as IPv4 packets through the IPv4 network. The process is reversed for traffic that is generated by hosts connected to the IPv4 network and destined for an IPv6 receiver.

The Stateful NAT64 translation is not symmetric, because the IPv6 address space is larger than the IPv4 address space and a one-to-one address mapping is not possible. Before it can perform an IPv6 to an IPv4 translation, Stateful NAT64 requires a state that binds the IPv6 address and the TCP/UDP port to the IPv4 address. The binding state is either statically configured or dynamically created when the first packet that flows from the IPv6 network to the IPv4 network is translated. After the binding state is created, packets flowing in both directions are translated. In dynamic binding, Stateful NAT64 supports communication initiated by the IPv6-only node toward an IPv4-only node. Static binding supports communication initiated by an IPv4-only node to an IPv6-only node and vice versa. Stateful NAT64 with NAT overload or Port Address Translation (PAT) provides a 1:n mapping between IPv4 and IPv6 addresses.

When an IPv6 node initiates traffic through Stateful NAT64, and the incoming packet does not have an existing state and the following events happen:

• The source IPv6 address (and the source port) is associated with an IPv4 configured pool address (and port, based on the configuration).

• The destination IPv6 address is translated mechanically based on RFC 7915 using either the configured NAT64 stateful prefix or the Well Known Prefix (WKP).

• The packet is translated from IPv6 to IPv4 and forwarded to the IPv4 network.

When an incoming packet is stateful (if a state exists for an incoming packet), NAT64 identifies the state and uses the state to translate the packet.

A set of bits at the start of an IPv6 address is called the format prefix. Prefix length is a decimal value that specifies how many of the leftmost contiguous bits of an address comprise the prefix.

When packets flow from the IPv6 to the IPv4 direction, the IPv4 host address is derived from the destination IP address of the IPv6 packet that uses the prefix length. When packets flow from the IPv4 to the IPv6 direction, the IPv4 host address is constructed using the stateful prefix.

According to the IETF address format RFC 7915 a u-bit (bit 70) defined in the IPv6 architecture should be set to zero. For more information on the u-bit usage, see RFC 2464. The reserved octet, also called u-octet, is reserved for compatibility with the host identifier format defined in the IPv6 addressing architecture. RFC 6052 section 2.2 describes the address encoding/u-bit semantics. When constructing an IPv6 packet, the translator has to make sure that the u-bits are not tampered with and are set to the value suggested by RFC 2373. The suffix will be set to all zeros by the translator. IETF recommends that the 8 bits of the u-octet (bit range 64–71) be set to zero.

Stateful NAT64 module is capable of performing translation and forwarding in the hardware at half line-rate, by programming the relevant hardware tables with the forwarding and rewrite information.

The maximum number of bidirectional translations supported on the hardware level is 3000. Packet flows that cannot be translated in the hardware will be translated-forwarded at the software level at a reduced throughput

The packet flow of IPv4-initiated packets for stateful NAT64 is as follows:

• The destination address is routed to a NAT Virtual Interface (NVI).

  A virtual interface is created when stateful NAT64 is configured. For stateful NAT64 translation to work, all packets must get routed to the NVI. When you configure an address pool, a route is automatically added to all IPv4 addresses in the pool. This route automatically points to the NVI.

• The IPv4-initiated packet hits static or dynamic binding.

  Static address bindings are created by the stateful NAT64 translator when you configure a static rule. Dynamic address bindings are created by stateful NAT64 translator when the IPv6-to-IPv4 traffic matches a configured dynamic non-overload rule. This creates a binding between the given IPv6 address and the corresponding IPv4 address from the associated IPv4 address pool.

• A session is created based on the translation information.

All subsequent IPv4-initiated packets are translated based on the previously created session.

Stateful NAT64 supports endpoint-dependent filtering for the IPv4-to-IPv6 packet flow with PAT configuration. In a stateful NAT64 PAT configuration, the packet flow must have originated from the IPv6 realm and created the state information in NAT64 state tables. Packets from the IPv4 side that do not have a previously created state are dropped. Endpoint-independent filtering is supported with static Network Address Translation (NAT) and non-PAT configurations.

The stateful IPv6-initiated packet flow is as follows:

• The destination address is routed to a NVI.

  A virtual interface is created when stateful NAT64 is configured. A route is added to destinations that match well-known prefix (WKP) or network specific prefix (NSP) pointing to the NVI.

• A packet is considered eligible for translation when it matches a static or dynamic rule. Dynamic rule match is successful when a packet is permitted by the associated access control list. An IPv4 address and port is associated to the IPv6 destination address based on the matched rule. The IPv6 packet is translated and the IPv4 packet is formed by using the following methods:

  • Extracting the destination IPv4 address by stripping the prefix from the IPv6 address. The source address is replaced by the allocated IPv4 address (and port).

  • The rest of the fields are translated from IPv6-to-IPv4 to form a valid IPv4 packet.

• A new NAT64 translation is created in the session database and in the bind database. The pool and port databases are updated depending on the configuration. The return traffic and the subsequent traffic of the IPv6 packet flow will use this session database entry for translation.