HP VPN Firewall Appliances VPN Configuration Guide
384
Figure 300 DNS64 prefix is added to an IPv4 address to translate it into an IPv6 address
When an IPv4 packet is sent from an IPv4 host to an IPv6 host, AFT translates its source IPv4 address to
an IPv6 address by adding a DNS64 prefix.
When an IPv6 host sends a packet to an IPv4 host, the destination IPv6 address is formed by adding the
DNS64 prefix to the IPv4 address of the IPv4 host. When the AFT receives such a packet, it extracts the
IPv4 address from the IPv6 destination address so that the packet can be forwarded to the IPv4 host.
IVI prefix and IVI address
An IVI prefix is a 32-bit IPv6 address prefix. An IVI address comprises an IVI prefix and an IPv4 address,
with bits 32 to 39 set to all 1s, as shown in Figure 301.
Figure 301 IVI address format
If the source IPv6 address of an IPv6 packet sent from an IPv6 host to an IPv4 host is in the IVI address
format, AFT translates the source IPv6 address to the IPv4 address contained in the source IPv6 address.
For an IPv4 packet sent from an IPv4 host to an IPv6 host, AFT translates its destination IPv4 address to
an IPv6 address by adding an IVI prefix to the IPv4 address.
An IVI address is an IPv6 address that is actually used by an IPv6 host. However, an IPv6 address with
a DNS64 prefix is merely a translated IPv6 version of an IPv4 address and is not used by any host.
AFT modes
AFT can be stateless or stateful:
• Stateless AFT
Stateless AFT uses DNS64 or IVI prefixes for address translation. The mappings between IPv4 and
IPv6 addresses are fixed because the IPv4 address is embedded in the IPv6 address.
• Stateful AFT
Stateful AFT dynamically creates and maintains mappings between IPv4 addresses and IPv6
addresses.
It translates the source IPv6 address of an IPv6 packet into an IPv4 address according to a
configured 6to4 AFT policy. The mappings between IPv4 addresses and IPv6 addresses are not
fixed.