Mostly IPv6, But IPv4 Is Necessary

Why mostly?

Networks can provide both IPv4 and IPv6 services over the same links. To do so, a network and devices need both an IPv4 and an IPv6 network stack. This is known as dual stack operations. But dual stack can never be a solution to IPv4 scarcity because, while it deploys IPv6, it requires IPv4. There are only 4.3 billion IPv4 addresses and over 8 billion people on Earth. IPv4 is a scarce resource, so internet engineers developed IPv6. IPv6 is very similar to IPv4 but vastly bigger.

Nonetheless, there are networks and services without IPv6 connections to the internet. And anyone providing internet access needs to provide access to these IPv4-only sites.

IPv6 Mostly gives your users both IPv4 and IPv6 access. It minimizes the amount of IPv4 address space you need, which is cost effective. And it provides a solid service in most situations. It is great for networks that cannot control the devices or applications used by users.

Until IPv6 is a default, some IPv4 is necessary. That’s why there are websites tracking major web services without IPv6.

IPv6 Mostly lets devices use IPv6 whenever possible. For web traffic, IPv6 is prioritized using a protocol called Happy Eyeballs. When it is not possible, there is a path that supports IPv4. But because IPv4 addresses are more expensive, they are only used when required.

How it works

There are two key features in an IPv6 Mostly network: NAT64 and 464XLAT. They are technologies for connecting devices on IPv6 networks with IPv4-only communication partners, like a website or a video conference connection.

NAT64 is used when a DNS name is IPv4-only. 464XLAT is used where there is no DNS name.

NAT64 is similar to the IPv4 NAT systems that we are all familiar with. The key difference is that IPv4 NAT just rewrites the address fields in the IPv4 packet header. On the way out it replaces the internal address with a gateway address, and on the way back it replaces the gateway address with the internal address.

NAT64 has to do more than that as IPv4 and IPv6 packet headers have different structures. For instance, IPv4 packets have a Packet ID field which numbers the packets. IPv6, in contrast, has an explicit flow label field. So NAT64 is really taking the data section of the IPv4 packet and putting it in a new IPv6 packet, instead of just adjusting the contents of fields in a packet header.

Figure: Simplified IPv4 data packet rewritten to a simplified IPv6 data packet for NAT64

While an IPv4 NAT can do a one-to-one address mapping, that is never possible with NAT64. A single IPv6 subnet is 32-times larger than the whole IPv4 space. So, NAT64 devices must either use an algorithm to map IPv4 and IPv6 addresses, or must hold state in memory for active sessions. So, NAT64 is similar to IPv4 NAT’s Port Address Translation or NAT Overload.

NAT64 works with DNS64. When the DNS64 system is asked for the IP address of an IPv4-only service it responds with an IPv6 address. The IPv4 address of the destination is embedded in the IPv6 address. The NAT64 uses this encoding so that it knows how to write the IPv4 packet headers, inserting the correct IPv4 destination address.
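The address embedding described above, as an added example (not code from the original article). It follows the RFC 6052 layout and goes beyond the text by covering every permitted prefix length plus the ipv4only.arpa prefix discovery from RFC 7050. The well-known prefix 64:ff9b::/96, the documentation prefixes and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

WELL_KNOWN = ipaddress.IPv6Network("64:ff9b::/96")       # RFC 6052 well-known prefix
LENGTHS = (32, 40, 48, 56, 64, 96)                        # only lengths RFC 6052 permits
IPV4ONLY_ARPA = {ipaddress.IPv4Address("192.0.0.170"),    # fixed A records of ipv4only.arpa
                 ipaddress.IPv4Address("192.0.0.171")}    # (RFC 7050)

def _positions(plen):
    """Byte offsets holding the IPv4 address; octet 8 is reserved and stays zero."""
    if plen not in LENGTHS:
        raise ValueError(f"/{plen} is not a valid translation prefix length")
    return [i for i in range(plen // 8, 16) if i != 8][:4]

def embed(ipv4, prefix=WELL_KNOWN):
    """DNS64 side: build the synthetic AAAA address for an IPv4-only destination."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytearray(net.network_address.packed)
    for pos, octet in zip(_positions(net.prefixlen), ipaddress.IPv4Address(ipv4).packed):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))

def extract(ipv6, prefix=WELL_KNOWN):
    """NAT64 side: recover the real IPv4 destination; None if outside the prefix."""
    net, addr = ipaddress.IPv6Network(prefix), ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return ipaddress.IPv4Address(bytes(addr.packed[p] for p in _positions(net.prefixlen)))

def discover_prefix(aaaa_for_ipv4only_arpa):
    """Find the translation prefix from a synthesized AAAA for ipv4only.arpa."""
    addr = ipaddress.IPv6Address(aaaa_for_ipv4only_arpa)
    for plen in LENGTHS:
        net = ipaddress.IPv6Network((addr, plen), strict=False)
        v4 = extract(addr, net)
        # Round-trip check rejects a chance match with non-zero suffix bits.
        if v4 in IPV4ONLY_ARPA and embed(v4, net) == addr:
            return net
    return None

if __name__ == "__main__":
    # Constructed flow-log destinations: decode translated ones to the real IPv4 peer.
    for dst in ["64:ff9b::c633:6407", "2001:db8::53"]:
        print(dst, "->", extract(dst) or "native IPv6")
    print(discover_prefix("2001:db8:122:344:c0:0:aa00:0"))
```

Running `extract` over firewall or flow-log destinations inside the translation prefix recovers the IPv4 peer that IPv4-based blocklists and detections need to see.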

NAT64 was standardized in 2011.

But as NAT64 relies on DNS it won’t work for services that embed IPv4 addresses in communications. These are typically peer-to-peer protocols that don’t rely on a client-server relationship. WebRTC, the protocol used for video conferencing, is one example of this. But IPv4-only and IPv6-only devices cannot be directly connected. They need an intermediary.

464XLAT is the tool that fills this gap. It has two parts: the customer side translator is called a CLAT and the provider side translator is called a PLAT. The CLAT often exists on a device, like a phone. macOS has one that is activated by default when two conditions are met. Not all popular devices have native support. Microsoft has committed to developing a CLAT for Windows – but it doesn’t have it yet.

But enterprise networking devices offer CLATs, and the popular open source router software OpenWRT has had CLAT support since 2018.

Limitations: DNSSEC for IPv4-only

There is a limitation. NAT64 works by creating a special DNS answer that offers an IPv6 address instead of the IPv4 address offered by the actual service. This works as long as the DNS record for the IPv4-only service is not signed with DNSSEC, or the client does not try to validate a DNSSEC signature.

DNSSEC is a technology that lets clients check the answer they get has not been changed by someone not authorized by the service owner. It does this by signing the answer with a digital certificate.

If the DNS record is signed with DNSSEC and the client tries to validate the answer from the DNS64, it will get an error. This is because the digital signature covers the original answer, not the rewritten answer provided by the DNS64.

Figure: A rewritten DNS answer that was signed with DNSSEC will fail validation checks

The Internet Society measures a DNSSEC validation rate of just over one-third. DNSSEC is a theoretical problem in IPv6 Mostly, but the low take-up means it's unlikely to be a problem in most situations.

Example of Success

RIPE meetings are held twice a year. They bring about 800 people from all over the world to a conference center for a week and they have been running IPv6 Mostly for a while.

It’s a challenging environment. The meeting organizers don’t have control over the devices connected to the network. And the attendees are heavy users, often bringing multiple personal and work devices.

Despite these challenges, IPv6 Mostly has been pretty successful. The main issue seen at RIPE 89 in November 2024 was associated with VPNs. The VPN client tried to connect to an IPv4 address. This was achieved via the CLAT. But as soon as the connection was established, the client killed the IPv6 connection.

IPv6 – and a /24 of IPv4

Anyone building a new network should consider IPv6 Mostly as a cost efficient approach to providing access to the whole internet. IPv6 is plentiful and inexpensive. For instance, ARIN’s lowest fee tier provides a /40 of IPv6 and up to three ASNs for under $300 a year. That includes their registration fees for a /24 – 256 IPv4 addresses. But its waiting list for IPv4 space takes almost two years – and they can’t guarantee how long it will take.

A faster approach to getting IPv4 is to lease or buy. If you are undecided about which approach to take, try this IPv4 Calculator.

IPv6 Mostly is not hard and can be done with free, open source or commercial tools. But getting help from someone who’s done it before lowers the pressure. We’ve brokered over 5,400 transactions, so we know how to make things go smoothly for everyone. And we can connect you with any technical expertise you need for your implementation.