What is NPTv6?
IPv6-to-IPv6 Network Prefix Translation (NPTv6) performs a stateless, static translation of one IPv6 prefix to another IPv6 prefix (port numbers are not changed). NPTv6 for IPv6 addresses is similar to NAT for IPv4 addresses. However, NPTv6 does not translate an entire IPv6 address; it translates only the prefix portion of the address. The host portion of the address is untranslated and therefore remains the same on either side of the firewall.
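The stateless prefix rewrite described above, as an added worked example in Python that is not code from the article or from PAN-OS: the inside and outside prefixes are constructed for illustration, and the block goes one step beyond the article by also applying the checksum-neutral subnet-field adjustment that RFC 6296 defines for /48 prefixes, so transport checksums survive the translation without being recomputed.

```python
import ipaddress

# Constructed example prefixes (not from the article): a ULA inside, documentation space outside.
INSIDE_PREFIX = "fd00:1:2::/48"
OUTSIDE_PREFIX = "2001:db8:abcd::/48"

def ones_complement_sum(words):
    """16-bit one's complement sum, the arithmetic IPv6 transport checksums use."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    return total

def words16(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]

def nptv6_translate(addr, from_prefix, to_prefix):
    """Stateless /48 prefix rewrite with the RFC 6296 checksum-neutral adjustment.

    Words 0-2 (the prefix) are swapped, word 3 (the subnet field) absorbs the
    checksum delta, words 4-7 (the interface identifier) are left untouched.
    No translation table and no port rewriting; the same call serves both directions."""
    src, dst = ipaddress.IPv6Network(from_prefix), ipaddress.IPv6Network(to_prefix)
    assert src.prefixlen == dst.prefixlen == 48, "this example handles /48 prefixes only"
    assert ipaddress.IPv6Address(addr) in src, "address is not inside the prefix being translated"
    w = words16(addr)
    out = words16(dst.network_address)[:3] + w[3:]
    # delta = sum(old prefix words) - sum(new prefix words); in one's complement, -x is ~x.
    delta = ones_complement_sum(w[:3] + [~x & 0xFFFF for x in out[:3]])
    adjusted = ones_complement_sum([w[3], delta])
    out[3] = 0x0000 if adjusted == 0xFFFF else adjusted  # 0xFFFF is negative zero (RFC 6296)
    return str(ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in out)))

def is_checksum_neutral(a, b):
    """True if a TCP/UDP checksum computed over either address comes out the same."""
    return ones_complement_sum(words16(a)) == ones_complement_sum(words16(b))

if __name__ == "__main__":
    inside = "fd00:1:2:10::1"
    outside = nptv6_translate(inside, INSIDE_PREFIX, OUTSIDE_PREFIX)
    back = nptv6_translate(outside, OUTSIDE_PREFIX, INSIDE_PREFIX)
    print(f"{inside} -> {outside} -> {back}")
    print("checksum neutral:", is_checksum_neutral(inside, outside))
```

Note that the interface identifier (the last four words) is identical on both sides, while the subnet word changes; this is why the RFC reserves subnet 0xFFFF and why inside hosts remain individually identifiable from the outside.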
Why Would I Translate IPv6 Prefixes When IPv6 Addresses Are So Abundant?
With the limited addresses in the IPv4 space, NAT was required to translate private, non-routable IPv4 addresses to one or more globally-routable IPv4 addresses. But in the case of IPv6, the reason to translate prefixes is not due to a dearth of addresses. You might want to use NPTv6 to translate IPv6 prefixes for the following reasons:
- You can prevent the asymmetric routing problems that result from Provider Independent addresses being advertised from multiple data centers. Asymmetric routing can occur if a Provider Independent address space (a /48, for example) is advertised by multiple data centers to the global Internet. By using NPTv6, you can advertise more specific routes from regional firewalls, and the return traffic will arrive at the same firewall where the source IP address was translated.
- Private and public addresses are independent; you can change one without affecting the other. That is, you need not change the IPv6 prefixes used inside your local network if the global prefixes are changed (for example, by an ISP or as a result of merging organizations). Conversely, you can change the inside addresses at will without disrupting the addresses that are used to access services in the private network from the Internet. In either case, you update a NAT rule rather than reassign network addresses.
- You have the ability to translate Unique Local Addresses to globally routable addresses. Thus, you have the convenience of private addressing and the functionality of translated, routable addresses.
- Your IPv6 prefixes are less exposed than if you didn’t translate network prefixes. However, NPTv6 does not provide security; you must set up firewall security policies correctly in each direction to ensure that traffic is controlled as you intended.
See more information on NPTv6 in the PAN-OS 7.0 Administrator’s Guide.
[Palo Alto Networks Blog]