Datatek IPv6 Transformer User Manual

Page 20


SECTION 2: OVERVIEW

Address Resolution

In the normal course of sending and receiving packets with IPv6 endpoints, the legacy host is
working only with IPv4 addresses, most likely with addresses that have come from the pool.
These IPv4 addresses may or may not be in the same subnetwork as the host. Addresses within
the subnetwork are reached after a suitable ARP exchange, while addresses not in the same
subnetwork should be directed toward the host interface of the transformer by means of a static
or gateway route. The gateway is configured either manually on the legacy host or automatically if
the host is configured for DHCP. When ARP is initiated by the host, the transformer replies with
its own interface address. In these two ways, all IPv4 traffic to the surrogate IPv4 addresses travels
through the transformer’s host-side interface.

Local Forwarding


Local forwarding allows expanding the Transformer to work with more than one legacy host, as
discussed above. There are some caveats to its use, however, that must be mentioned. The
locally forwarded endpoints do not support SLAAC, nor do they support the IPv4 pass-through
mode. The locally forwarded endpoints can receive addresses from the DHCPv4 server, as will
be detailed in a later section. None of these DHCP leases will appear on the DHCP leases screen,
however. In addition, Diagnostics will not function properly for these endpoints.

Internet Protocol Security (IPsec)

The Transformer can be configured to provide IPsec protection on behalf of an IPv4 legacy
device and locally forwarded IPv4 endpoints. The secured path lies between the Transformer and
the remote host. Specifically, IPsec is terminated at the IPv6 endpoints: the IPv6 address that
represents the IPv4 legacy device and the IPv6 address of the remote host. Since the path
between the legacy host and the Transformer is not secured, the two devices should be co-located
in a secured area.

To enable IPsec, the administrator must configure the Security Policy (SP) and may manually
configure a Security Association (SA). The SP specifies the packets that should be protected by
describing the characteristics on which to match a user packet, e.g. the IP address, the port
number, and the upper-layer protocol. The SA specifies how those packets should be protected,
e.g. the algorithms and keys to use.
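
The SP/SA split described above, modelled as an added example; it is not from the manual and is not the Transformer's configuration syntax or code. It follows the generic IPsec policy/association model. The addresses, SPI, algorithm label and key are constructed, and dropping traffic when a protect policy has no SA is an assumption of this sketch, not documented Transformer behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:                 # SP: WHICH packets to protect
    src: str                  # source prefix selector
    dst: str                  # destination prefix selector
    proto: str                # upper-layer protocol; "any" matches all
    dport: Optional[int]      # destination port; None matches all
    action: str               # "protect", "bypass" or "discard"

@dataclass(frozen=True)
class Association:            # SA: HOW to protect them
    src: str
    dst: str
    spi: int
    enc_alg: str
    key: bytes

def match_policy(spd, src, dst, proto, dport):
    """Return the first policy whose selectors all match (order matters)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if (s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst)
                and p.proto in ("any", proto) and p.dport in (None, dport)):
            return p
    return None

def outbound_decision(spd, sad, src, dst, proto, dport):
    """Decide the fate of an outbound packet, failing closed."""
    p = match_policy(spd, src, dst, proto, dport)
    if p is None or p.action == "discard":
        return "drop"
    if p.action == "bypass":
        return "send-clear"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sa in sad:
        if ipaddress.ip_address(sa.src) == s and ipaddress.ip_address(sa.dst) == d:
            return f"esp spi={sa.spi:#x} {sa.enc_alg}"
    return "drop"  # protect policy without an SA: never fall back to cleartext

# Constructed sample data (documentation prefix 2001:db8::/32, placeholder key).
LEGACY = "2001:db8:1::10"     # IPv6 address representing the IPv4 legacy device
SPD = [Policy(LEGACY + "/128", "2001:db8:2::/64", "tcp", 443, "protect"),
       Policy(LEGACY + "/128", "::/0", "icmpv6", None, "bypass")]
SAD = [Association(LEGACY, "2001:db8:2::20", 0x1001, "aes-128-cbc", bytes(16))]
```

With this sample data, traffic to a remote host that the policy covers but that has no SA is dropped rather than sent unprotected, which is the case worth checking when SAs are configured by hand.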
