NPTv6 Overview
    Uncategorized, 2016. 6. 11. 00:04

    NPTv6 performs a stateless translation of one IPv6 prefix to another IPv6 prefix. Stateful NAT66 keeps tracking the ports and sessions of the translated addresses, whereas NPTv6 is stateless.

    Because IPv4 addresses are scarce, NAT translates private IPs to public IPs; that is, it maps non-routable IPv4 addresses to globally routable IPv4 addresses.

    IPv6 addresses are not scarce, so translation is not needed to conserve them. There are nevertheless reasons to translate IPv6 prefixes at the firewall, described under Reasons to Use NPTv6 below.

    NPTv6 translates the prefix portion of an IPv6 address, but not the host portion or the application port numbers. The host portion is copied as-is, so it has the same value on both sides of the firewall, as can be seen by comparing the packet headers on either side.

    NPTv6 does not provide security. The subtopics below cover Platform Support for NPTv6, Unique Local Addresses, and Reasons to Use NPTv6.

    Platform Support for NPTv6: the platforms that support NPTv6 are the PA-7000 Series, PA-5000 Series, PA-4000 Series, PA-3060 firewall, PA-3050 firewall, and PA-2000 Series. Platforms supported with no ability to have hardware perform a session look-up: PA-3020 firewall, PA-500 firewall, PA-200 firewall, and VM-Series.

    Unique Local Addresses

    RFC 4193, Unique Local IPv6 Unicast Addresses, defines unique local addresses (ULAs), which are IPv6 unicast addresses. They play the same role in IPv6 that private addresses play in IPv4, and are therefore not routed to the outside.

    A ULA is globally unique but not globally routable. It is an address intended for use only within the local site.

    Reasons to Use NPTv6: even though public IPv6 addresses are plentiful, the reasons to use NPTv6 include:

    Prevents asymmetrical routing —

    Asymmetric routing can occur when a site uses provider-independent address space (a /48, for example) rather than the provider's public prefix, and that space is advertised to the global Internet from multiple data centers. With NPTv6 the site can instead advertise the provider-assigned prefix to the global Internet.

    In other words, the ULA used as the private address is translated to a public address before the traffic is sent to the Internet.

    How NPTv6 works:

    When you configure a policy for NPTv6, the Palo Alto Networks firewall performs a static, one-to-one IPv6 translation in both directions. The translation is based on the algorithm described in RFC 6296.

    In one use case, the firewall performing NPTv6 is located between an internal network and an external network (such as the Internet) that uses globally routable prefixes. When datagrams are going in the outbound direction, the internal source prefix is replaced with the external prefix; this is known as source translation.

    In another use case, when datagrams are going in the inbound direction, the destination prefix is replaced with the internal prefix (known as destination translation). The figure (not reproduced on this page) illustrates destination translation and a characteristic of NPTv6: only the prefix portion of an IPv6 address is translated. The host portion of the address is not translated and remains the same on either side of the firewall. In the figure, the host identifier is 111::55 on both sides of the firewall.

    It is important to understand that NPTv6 does not provide security. While you are planning your NPTv6 NAT policies, remember also to configure security policies in each direction.

    A NAT or NPTv6 policy rule cannot have both the Source Address and the Translated Address set to Any.

    In an environment where you want IPv6 prefix translation, three firewall features work together: NPTv6 NAT policies, security policies, and NDP Proxy.

    The firewall does not translate the following:

     • Addresses that the firewall has in its Neighbor Discovery (ND) cache.
     • The subnet 0xFFFF (in accordance with RFC 6296, Appendix B).
     • IP multicast addresses.
     • IPv6 addresses with a prefix length of /31 or shorter.
     • Link-local addresses. If the firewall is operating in virtual wire mode, there are no IP addresses to translate, and the firewall does not translate link-local addresses.
     • Addresses for TCP sessions that authenticate peers using the TCP Authentication Option (RFC 5925).

    When using NPTv6, performance for fast path traffic is impacted because NPTv6 is performed in the slow path.

    NPTv6 will work with IPSec IPv6 only if the firewall is originating and terminating the tunnel. Transit IPSec traffic would fail because the source and/or destination IPv6 address would be modified. A NAT traversal technique that encapsulates the packet would allow IPSec IPv6 to work with NPTv6.


    Checksum-Neutral Mapping

    The NPTv6 mapping translations that the firewall performs are checksum-neutral, meaning that "... they result in IP headers that will generate the same IPv6 pseudo-header checksum when the checksum is calculated using the standard Internet checksum algorithm [ RFC 1071 ]." See RFC 6296, Section 2.6, for more information about checksum-neutral mapping.

    If you are using NPTv6 to perform destination NAT, you can provide the internal IPv6 address and the external prefix/prefix length of the firewall interface in the syntax of the test nptv6 CLI command. The CLI responds with the checksum-neutral, public IPv6 address to use in your NPTv6 configuration to reach that destination.
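    The following is an added example, not the firewall's own code or the output of the test nptv6 command. It implements the RFC 6296 prefix translation described above in Python so the three points can be seen together: the prefix is swapped while the subnet and host bits are copied, the one's complement sum of the address words is preserved (the checksum-neutral mapping), and the untranslatable cases from the list above that can be checked offline (multicast, link-local, prefixes of /31 or shorter, a 0xFFFF subnet word) are refused. The same function serves source translation (internal to external) and destination translation (external to internal), which is what Bi-directional does on the firewall. The prefixes and hosts are constructed for illustration, the helper names are this example's own, and it assumes internal and external prefixes of equal length between /32 and /64.

```python
"""Stateless IPv6 prefix translation in the manner of RFC 6296 (NPTv6).

Added example, not firewall code. The prefixes and hosts below are
constructed for illustration; the helper names are this example's own.
Assumptions: internal and external prefixes have the same length, and
that length is between /32 and /64 inclusive.
"""
import ipaddress
import struct

WORD_MASK = 0xFFFF


def ones_add(a, b):
    """16-bit one's complement addition (carry folds back into the low bit)."""
    s = a + b
    return (s & WORD_MASK) + (s >> 16)


def ones_sub(a, b):
    """16-bit one's complement subtraction: a + (one's complement of b)."""
    return ones_add(a, (~b) & WORD_MASK)


def ones_sum(words):
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def to_words(addr):
    """Split an IPv6Address into its eight 16-bit words, network byte order."""
    return list(struct.unpack("!8H", addr.packed))


def from_words(words):
    return ipaddress.IPv6Address(struct.pack("!8H", *words))


def address_checksum(addr_str):
    """One's complement sum of the address words, with 0xFFFF folded to 0.

    This is the address's contribution to the TCP/UDP/ICMPv6 pseudo-header
    checksum; a checksum-neutral mapping leaves it unchanged, so the
    translator never has to rewrite transport-layer checksums."""
    return ones_sum(to_words(ipaddress.IPv6Address(addr_str))) % WORD_MASK


def nptv6_translate(addr_str, from_prefix, to_prefix):
    """Rewrite the prefix of addr_str from from_prefix to to_prefix.

    Works in either direction: (internal, external) is source translation
    on outbound packets, (external, internal) is destination translation
    on inbound packets."""
    addr = ipaddress.IPv6Address(addr_str)
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    plen = src.prefixlen
    if plen != dst.prefixlen:
        raise ValueError("example assumes equal-length prefixes")
    # Cases the page lists as never translated, as far as they can be
    # checked offline (the ND cache and TCP-AO state are not modelled here).
    if addr.is_multicast or addr.is_link_local:
        raise ValueError(f"{addr}: multicast/link-local is not translated")
    if plen <= 31 or plen > 64:
        raise ValueError(f"/{plen}: outside the range this example handles")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")

    # Swap the prefix bits; every bit after the prefix (subnet + host) stays.
    host_mask = (1 << (128 - plen)) - 1
    new = (int(dst.network_address) & ~host_mask) | (int(addr) & host_mask)
    words = to_words(ipaddress.IPv6Address(new))

    # The prefix swap changed the address's one's complement sum by
    # sum(to) - sum(from); add the opposite amount to one word so the
    # pseudo-header checksum comes out the same (RFC 6296 section 3).
    adjustment = ones_sub(ones_sum(to_words(src.network_address)),
                          ones_sum(to_words(dst.network_address)))
    # Up to /48 the adjustment lands in the subnet word (bits 48-63); for
    # longer prefixes, in the first interface-identifier word that is not
    # 0xFFFF. A 0xFFFF word cannot absorb it, so such addresses are
    # untranslatable (RFC 6296 Appendix B, the "subnet 0xFFFF" case above).
    candidates = [3] if plen <= 48 else [4, 5, 6, 7]
    for idx in candidates:
        if words[idx] != WORD_MASK:
            break
    else:
        raise ValueError(f"{addr}: no word can absorb the adjustment (0xFFFF)")
    adjusted = ones_add(words[idx], adjustment)
    # 0xFFFF and 0x0000 are both zero in one's complement; RFC 6296 says write 0x0000.
    words[idx] = 0 if adjusted == WORD_MASK else adjusted
    return str(from_words(words))


def is_translatable(addr_str, from_prefix, to_prefix):
    """True if nptv6_translate would accept the address."""
    try:
        nptv6_translate(addr_str, from_prefix, to_prefix)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed prefixes: a ULA inside, a documentation prefix outside.
    inside, outside = "fd12:3456:789a::/48", "2001:db8:1::/48"
    host = "fd12:3456:789a:10::55"
    public = nptv6_translate(host, inside, outside)   # source translation
    back = nptv6_translate(public, outside, inside)   # destination translation
    print(host, "->", public, "->", back)
    print("checksum-neutral:", address_checksum(host) == address_checksum(public))
```

    Running it shows why the public address the firewall hands back from test nptv6 does not simply have the same subnet field as the internal address: the subnet word absorbs the checksum adjustment, so fd12:3456:789a:10::55 maps to 2001:db8:1:7c59::55, and translating that back yields the original. Only the prefix and that one word change; the host identifier ::55 is untouched in both directions.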

    Bi-Directional Translation

    When you Create an NPTv6 Policy, the Bi-directional check box in the Translated Packet tab provides a convenient way for you to have the firewall create a corresponding NAT or NPTv6 translation in the opposite direction of the translation you configured. By default, Bi-directional translation is disabled.

    If you enable Bi-directional translation, it is very important to make sure you have security policies in place to control the traffic in both directions. Without such policies, the Bi-directional feature will allow packets to be automatically translated in both directions, which you might not want.

    NPTv6 Applied to a Specific Service

    The Palo Alto Networks implementation of NPTv6 offers the ability to filter packets to limit which packets are subject to translation. Keep in mind that NPTv6 does not perform port translation. There is no concept of Dynamic IP and Port (DIPP) translation because NPTv6 translates IPv6 prefixes only. However, you can specify that only packets for a certain service port undergo NPTv6 translation. To do so, Create an NPTv6 Policy that specifies a Service in the Original Packet.
