Manualshelf

F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module
401402403404405406407408409410
392
Stateless AFT uses DNS64 or IVI prefixes for address translation. The mappings between IPv4 and
IPv6 addresses are fixed because the IPv4 address is embedded in the IPv6 address.
Stateful AFT
Stateful AFT dynamically creates and maintains mappings between IPv4 addresses and IPv6
addresses.
It translates the source IPv6 address of an IPv6 packet into an IPv4 address according to a
configured 6to4 AFT policy. The mappings between IPv4 addresses and IPv6 addresses are not
fixed.
Stateful AFT is used only when the source IPv6 address of an IPv6 packet is translated into an IPv4
address and the source IPv6 address is not an IVI address. Otherwise, stateless AFT is used.
Stateful AFT can also perform port address translation (PAT) to translate both addresses and
TCP/UDP port numbers. This method can translate multiple IPv6 addresses into one IPv4 address.
It distinguishes the IPv6 addresses by port number.
283BAFT operation
The address translation process for communication initiated by an IPv6 host is different from that for
communication initiated by an IPv4 host.
586BCommunication initiated by an IPv6 host
1016HFigure 300 shows the AFT process when communication is initiated by an IPv6 host.
Figure 300 Communication initiated by an IPv6 host
AFT operates as follows:
1. Determines whether address translation is needed. Upon receiving a packet from an IPv6 host, the
AFT checks whether the prefix of the destination IPv6 address is a predefined DNS64 prefix. If yes,
the packet is destined to an IPv4 host and address translation is needed.
2. Translates the source IP address. If the source IPv6 address of the packet matches the IVI format, the
AFT uses the IPv4 address embedded in the source IPv6 address as the translated source IPv4