IPv6 and NAT

Christian Stredicke
CEO of Vodia Networks

One of the core goals of IPv6 was to get rid of the unfortunate network address translation (NAT), which was introduced with IPv4 in response to the foreseeable lack of IPv4 addresses for every connected device. For SIP especially, NAT was a disaster that caused so much trouble that SIP almost did not make it into the real world.

While there are plenty of IPv6 addresses, that does not mean NAT will be completely a matter of the past. I was a little shocked when I saw discussions about NAT for IPv6. What I thought would be completely useless seems to be picked up by firewall manufacturers as a must-have feature for their next-generation firewall products. But on second thought, at the end of the day, what should be achieved here is that devices in the private network are accessible from the outside only for connections that they have actually initiated.

For SIP clients, that is perfectly okay. Actually, I even believe that running a SIP IPv6 client behind a NAT for IPv6 with snom ONE would work perfectly fine. I could not try it out, but looking at the mechanisms, it should work fine: SIP packets that use TCP or TLS are connection-oriented anyway. SIP UDP packets are usually tagged with received parameters, so that the responses find their way back without any issues. RTP packets are also automatically sent back where they come from; I don’t see a reason why that should not work with IPv6.

The only problem with NAT and IPv6 that I see is servers that run in the LAN. We know that problem well from IPv4. However, the good news is that it will be relatively simple to get this working perfectly. All that is needed is for the firewall to make an exception for that device in the LAN, so that packets are forwarded to the PBX server. This will even work well with remote workers.
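The policy described above (LAN clients reachable only on connections they initiated, plus one exception for the PBX) can be written as a stateful IPv6 forward chain without any address translation. This nftables ruleset is an added example, not part of the original article; the interface names `lan0` and `wan0`, the PBX address `2001:db8:1::10` (documentation prefix) and the RTP port range are assumptions to replace with your own values.

```nftables
# Added example: stateful IPv6 forwarding with a single PBX exception.
# Assumed names: lan0 = internal interface, wan0 = upstream interface.
# Assumed PBX address: 2001:db8:1::10 (documentation prefix, not a real host).
table ip6 sipfw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that a LAN device opened find their way back.
        # This covers SIP over TCP/TLS, SIP over UDP and the RTP streams
        # that clients send first.
        ct state established,related accept
        ct state invalid drop

        # LAN devices may initiate connections to the outside.
        iifname "lan0" oifname "wan0" accept

        # IPv6 breaks without these ICMPv6 errors (e.g. path MTU discovery).
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # The exception: unsolicited inbound traffic is allowed only to the PBX.
        # 5060 = SIP over UDP/TCP, 5061 = SIP over TLS.
        iifname "wan0" ip6 daddr 2001:db8:1::10 udp dport 5060 accept
        iifname "wan0" ip6 daddr 2001:db8:1::10 tcp dport { 5060, 5061 } accept

        # RTP media to the PBX. The range is an assumption; it must match
        # the port range configured on the PBX itself.
        iifname "wan0" ip6 daddr 2001:db8:1::10 udp dport 49152-65534 accept

        # Everything else from the outside hits the drop policy, so phones
        # and other clients in the LAN are never directly reachable.
    }
}
```

The narrower the PBX exception (fixed address, only the ports the PBX actually listens on), the less of the LAN is exposed; remote workers reach the PBX through the same three rules.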

A well-designed firewall will be great for IPv6 and SIP. Companies will not lose any feature that they had with IPv4. Instead, they will finally have the opportunity to expose exactly those servers and services they want to (which includes SIP) while keeping the clients protected from the public Internet.