Understanding NPTv6 translation

Created On 09/25/18 19:21 PM - Last Modified 06/06/23 08:07 AM


Resolution


This article explains how NPTv6 translates an IPv6 address prefix and what happens in the background during that translation.

 

This article does not cover configuration or limitations.

For configuration and support-related information on NPTv6, please click here

 

 

About Network Prefix Translation (NPT)

NPT stands for Network Prefix Translation.

 

IPv6-to-IPv6 Network Prefix Translation (NPTv6) performs a stateless, static translation of one IPv6 prefix to another IPv6 prefix. This allows private Unique Local Addresses (ULA) to access the Internet by translating them to globally routable addresses.


NPTv6 does not perform port translation, so the ports remain the same for incoming and outgoing packets.

 

 

Details

Transport layer protocols (such as TCP or UDP) use the IP pseudo-header to calculate the checksum in transport layer headers.

 

Since NPTv6 does not perform any port translation and is checksum-neutral, there is no need to rewrite transport layer headers.

 

Checksum-neutral means that translation results in IP headers that generate the same IPv6 pseudo-header checksum as before translation.


Hence, any changes made while translating the IPv6 prefix are offset by changes to other parts of the IPv6 address, such as the subnet ID or Interface Identifier (IID), to keep the IPv6 pseudo-header checksum the same.

 

The first 48 bits of an IPv6 address are the routing prefix, the next 16 bits are the subnet ID, and the remaining 64 bits are the interface ID (IID).

 

Example

- Suppose we have the internal ULA address fd00:192:168:1::100/128
- To be able to access the Internet, this internal prefix needs to be translated to the external prefix 2620:c4:d000:b531::/64

 

Note: The IPv6 address after translation would not be 2620:c4:d000:b531::100/64, because the translated IPv6 address has to be made checksum-neutral.

 

The procedure to calculate the checksum-neutral translated IPv6 address is as follows:

 

- The translated address requires a /64 prefix
- Hence, we take the 64-bit prefix from the internal ULA address, which is fd00:192:168:1
- We calculate the 1's complement checksum of this 64-bit prefix, which comes out to 0x0004
- Next, we calculate the 1's complement checksum of the 64-bit prefix of the external address, which is 2620:c4:d000:b531
- This comes out to 0x53e9
- Subtract 0x0004 from 0x53e9, which gives 0x53e5
- Now find the first 16-bit word that is not 0xFFFF, starting from bits 64..79, then 80..95, and so on
- In our example, this is 0x0000, at bits 64..79
- Add 0x0000 to 0x53e5; the result becomes the new value of bits 64..79 in the translated IP address, making it checksum-neutral
- Hence, the checksum-neutral translated IPv6 address is 2620:c4:d000:b531:53e5::100/128

 

So in this example, the changes to the prefix during translation were offset by changes in the IID part of the address to make it checksum-neutral.
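The procedure above, written out as an added Python example (not code from the original article or from the vendor). The function names are assumptions made for illustration, and the rule that a result of 0xFFFF is stored as 0x0000 comes from RFC 6296 rather than from this page.

```python
import ipaddress

def fold(total):
    """Fold carries back into 16 bits (one's complement addition)."""
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    raw = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]

def checksum(ws):
    """One's complement checksum: complement of the one's complement sum."""
    return ~fold(sum(ws)) & 0xFFFF

def oc_sub(a, b):
    """One's complement subtraction a - b, done as a + (~b)."""
    return fold(a + (~b & 0xFFFF))

def translate_outbound(internal_addr, internal_prefix, external_prefix):
    """Map internal_addr into external_prefix (/64 prefixes only)."""
    src = words(internal_addr)
    int_pfx = words(internal_prefix)[:4]
    ext_pfx = words(external_prefix)[:4]
    if src[:4] != int_pfx:
        raise ValueError("address is not inside the internal prefix")
    # Same subtraction as in the steps above: external minus internal checksum.
    adjustment = oc_sub(checksum(ext_pfx), checksum(int_pfx))
    out = ext_pfx + src[4:]
    # Apply the adjustment to the first IID word that is not 0xFFFF.
    for i in range(4, 8):
        if out[i] != 0xFFFF:
            out[i] = fold(out[i] + adjustment)
            if out[i] == 0xFFFF:      # RFC 6296: 0xFFFF is written as 0x0000
                out[i] = 0x0000
            break
    else:
        raise ValueError("IID is all ones; no word available for adjustment")
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in out))

if __name__ == "__main__":
    before = "fd00:192:168:1::100"
    after = translate_outbound(before, "fd00:192:168:1::", "2620:c4:d000:b531::")
    print(after, hex(checksum(words(before))), hex(checksum(words(after))))
```

The two checksums printed at the end cover all 128 bits of each address and are equal, which is why the TCP or UDP checksum in the packet stays valid without being rewritten.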

 

 

This can be verified using the CLI command on the firewall as follows:

 

[Screenshot: firewall CLI output]

 

For more details on various scenarios and on calculating a checksum-neutral IP address, please refer to RFC 6296, Section 3.


