HP VPN Firewall Appliances VPN Configuration Guide
385
Stateful AFT is used only when the source IPv6 address of an IPv6 packet is translated into an IPv4
address and the source IPv6 address is not an IVI address. Otherwise, stateless AFT is used.
Stateful AFT can also perform port address translation (PAT) to translate both addresses and
TCP/UDP port numbers. This method can translate multiple IPv6 addresses into one IPv4 address.
It distinguishes the IPv6 addresses by port number.
AFT operation
The address translation process for communication initiated by an IPv6 host is different from that for
communication initiated by an IPv4 host.
Communication initiated by an IPv6 host
Figure 302 shows the AFT process when communication is initiated by an IPv6 host.
Figure 302 Communication initiated by an IPv6 host
AFT operates as follows:
1. Determines whether address translation is needed. Upon receiving a packet from an IPv6 host, the
AFT checks whether the prefix of the destination IPv6 address is a predefined DNS64 prefix. If yes,
the packet is destined to an IPv4 host and address translation is needed.
2. Translates the source IP address. If the source IPv6 address of the packet matches the IVI format, the
AFT uses the IPv4 address embedded in the source IPv6 address as the translated source IPv4
address of the packet. If not, the AFT translates the source IPv6 address into an IPv4 address based
on the 6to4 AFT policy.
3. Translates the destination IP address. The AFT extracts the embedded IPv4 address from the
destination IPv6 address based on the length of the DNS64 prefix and uses the IPv4 address as the
translated destination IPv4 address.
4. Forwards the packet and records the mapping. The AFT performs protocol translation such as
changing the IPv6 header to the IPv4 header, forwards the packet, and records the IPv4-IPv6
mappings.