IPv6 Network Prefix Translation (NPT66)

VPF can perform prefix translation for IPv6, which allows a local prefix to be mapped to a different external prefix of the same size. This is known as Network Prefix Translation for IPv6 to IPv6, or NPT66 for short. NPT66 translates the addresses as described in RFC 6296, which does not translate the prefixes 1:1. The translation follows specific mathematical rules which allow the packet IP header checksums to remain valid without being recalculated.

See also

Read RFC 6296 for details on how the NPT66 algorithm calculates the translated addresses.

NPT66 requires that the external network be routed to TNSR from upstream, and the internal and external prefixes must be identical in size.

This example maps an internal LAN IPv6 prefix of 2001:db8:2:120::/64 to an external WAN IPv6 prefix of 2001:db8:10:10::/64.

NPT66 operates similarly to 1:1 NAT for IPv4, but works with IPv6 prefixes instead of IPv4 subnets or addresses. Like 1:1 NAT, NPT66 requires separate inbound and outbound rules. However, if there is no need to allow inbound connections, the inbound rule can be omitted.

tnsr(config)# vpf nat ruleset WAN-nat
tnsr(config-vpf-nat-ruleset)# rule 80
tnsr(config-vpf-nat-rule)# description NPT66 Outbound
tnsr(config-vpf-nat-rule)# direction out
tnsr(config-vpf-nat-rule)# algorithm npt66
tnsr(config-vpf-nat-rule)# from ipv6-prefix 2001:db8:2:120::/64
tnsr(config-vpf-nat-rule)# nat-prefix 2001:db8:10:10::/64
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# rule 81
tnsr(config-vpf-nat-rule)# description NPT66 Inbound
tnsr(config-vpf-nat-rule)# direction in
tnsr(config-vpf-nat-rule)# algorithm npt66
tnsr(config-vpf-nat-rule)# to ipv6-prefix 2001:db8:10:10::/64
tnsr(config-vpf-nat-rule)# nat-prefix 2001:db8:2:120::/64
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# exit

As with other types of NAT, VPF filter rules must also pass packets as needed based on these addresses.

With these rules in place, if an internal host has an IPv6 address of 2001:db8:2:120::1, any IPv6 communication from that host through WAN is translated to the checksum-neutral calculated address in the external prefix, e.g. 2001:db8:10:10:2::1.
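Because filter rules have to reference the translated addresses, it helps to be able to predict them. The following is an added example, not TNSR or VPF code: a compact Python model of the RFC 6296 section 3 mapping, run over the two prefixes used in rules 80 and 81 above. The function names are hypothetical, and its output should be compared with the translated address observed on the router before filter rules are written from it.

```python
import ipaddress

def oc_add(a: int, b: int) -> int:
    """16-bit ones' complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def words(value: int) -> list:
    """Split a 128-bit integer into eight 16-bit words, high word first."""
    return [(value >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def oc_sum(value: int) -> int:
    """Ones' complement sum of the eight 16-bit words of a 128-bit value."""
    total = 0
    for w in words(value):
        total = oc_add(total, w)
    return total

def npt66_map(addr: str, src_prefix: str, dst_prefix: str) -> str:
    """Translate addr from src_prefix to dst_prefix (RFC 6296 section 3)."""
    src, dst = ipaddress.IPv6Network(src_prefix), ipaddress.IPv6Network(dst_prefix)
    ip = ipaddress.IPv6Address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("internal and external prefix must be the same size")
    if ip not in src:
        raise ValueError("address is not inside the source prefix")
    # Adjustment = sum(source prefix) - sum(destination prefix); subtraction
    # in ones' complement is addition of the bitwise complement.
    adj = oc_add(oc_sum(int(src.network_address)),
                 ~oc_sum(int(dst.network_address)) & 0xFFFF)
    w = words(int(dst.network_address) | (int(ip) & int(src.hostmask)))
    if src.prefixlen <= 48:
        idx = 3                      # bits 48..63 absorb the adjustment
    else:                            # else the first IID word that is not 0xFFFF
        idx = next((i for i in range(4, 8) if w[i] != 0xFFFF), None)
        if idx is None:              # choice made for this example: refuse
            raise ValueError("interface identifier is all ones")
    w[idx] = oc_add(w[idx], adj)
    if w[idx] == 0xFFFF:             # 0xFFFF and 0x0000 both mean zero; use 0x0000
        w[idx] = 0
    return str(ipaddress.IPv6Address(sum(x << (112 - 16 * i) for i, x in enumerate(w))))

if __name__ == "__main__":
    lan, wan = "2001:db8:2:120::/64", "2001:db8:10:10::/64"  # prefixes from this page
    out = npt66_map("2001:db8:2:120::1", lan, wan)           # rule 80 direction
    back = npt66_map(out, wan, lan)                          # rule 81 direction
    print(out, back)
    # Checksum-neutral: both addresses have the same ones' complement sum.
    print(oc_sum(int(ipaddress.IPv6Address(out))) == oc_sum(int(ipaddress.IPv6Address(back))))
```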