Learn
Benefits of IPv6

IPv6 Proxy

An IPv6 proxy is a standard IPv6 transition technology deployed to interconnect IPv4 and IPv6 networks, allowing communication between networks running both versions of the protocol. An IPv6 proxy, however, is somewhat different from other transition technologies in that it does not directly map IPv4 to IPv6 addresses and vice versa, nor does it tunnel one protocol within the other. To understand how it works, it is necessary first to understand the functionality of proxies.

A proxy is a device that acts as an intermediary between a client requesting a resource and the server providing that resource. Both client and server communicate directly with the proxy rather than with each other because the proxy is transparently relaying their messages. This gives the proxy full control over such communication sessions, enabling it to perform various security and accessibility-related operations.

Another of the operations that a proxy can provide is the interconnection of IPv4 and IPv6 networks, which is exactly what we mean when talking about an IPv6 proxy server.

Executive summary

Understanding proxy servers A proxy server acts as an intermediary device for communication between two hosts for the purpose of having complete control over that communication.
IPv6 proxy operation An IPv6 proxy server can interconnect IPv4 and IPv6 networks and perform other proxy functions.
Methods of implementing IPv6 proxies An IPv6 proxy can be a purpose-built appliance, a software-based server, deployed on the cloud, or provided as a cloud-based service.
Benefits of IPv6 proxies IPv6 proxies perform additional security and filtering functions in addition to connecting IPv4 and IPv6 networks.
Example use cases for IPv6 proxies IPv6 proxies are used on the edges of enterprise networks, within ISPs, or between ISPs.

What is a proxy server?

A proxy server is a device that acts as an intermediary (“middleman”) between two communicating network devices, typically a client and a server. The client directs its request toward the proxy server, which relays that request to the intended destination on behalf of the client. Upon making the request, the proxy server is able to provide additional benefits to the transaction, including filtering, security, client anonymity, and even traffic monitoring. 

The following diagram illustrates this functionality clearly:

Communication between the PC and the time server is achieved via the proxy server (source)

How does a proxy server function?

In the example above, when the proxy receives the request from the PC, the received packets are decapsulated up to the Application Layer. The proxy server then re-encapsulates the request using its own Transport Layer ports, IP address, and MAC address and sends it out to the time server on behalf of the PC. The time server receives the request and responds to the proxy server. At this point, the time server believes that the proxy server is the requester, thus ensuring the anonymity of the PC. The proxy server then relays the time server’s response to the PC, completing the transaction.

The fact that the packet is being decapsulated up to the application layer is important because it makes the request seem as if it originated at the proxy server. If it was a router rather than a proxy server, decapsulation (and re-encapsulation) would occur only up to Layer 3.

The following diagram shows the process of encapsulation and decapsulation in more detail (we’re using IPv4 addresses for illustration, but the same principle applies to IPv6):

Detail of encapsulation and decapsulation of communications using a proxy server

Notice how the proxy server replaces the source IP address of the PC (47.2.2.1) with its own (25.7.7.3) when it sends the message, making it impossible for the time server to “know” anything about the PC or any part of the network behind the proxy server. From the point of view of the time server, it is only the proxy server making the request.

The proxy server maintains a mapping of the original requester, the PC, and the request that has been sent out. Any response will be automatically decapsulated once again to the Application Layer and re-encapsulated and sent back to the PC, making the two-way communication process complete.

IPv6 proxy server

An IPv6 proxy server performs the same functions as any other proxy server but adds the ability to interconnect an IPv6 network with an IPv4 network. This operation is relatively trivial since the proxy server decapsulates the original request and re-encapsulates it into a new IP packet. During each re-encapsulation process, the appropriate version of the IP protocol can be used.

This ability to interconnect an IPv6 network with an IPv4 network, translating IP addresses between versions, and delivering routing services is typically performed by a device called an IPv6 gateway. An IPv6 proxy performs the same function but with the added benefits of the capabilities delivered by a proxy server.

Benefits and case studies

The following sections describe some of the benefits that IPv6 proxies deliver that may be the deal-maker in choosing a technology for IPv6 transition purposes. Some examples of IPv6 proxy implementations follow as well.

Benefits of an IPv6 proxy server

The operation of a proxy server provides several benefits and advantages:

  • It provides anonymity to the client.
  • Filtering services can be employed at the proxy server, thus controlling the content and network destinations to which clients have access.
  • Encryption and authentication can be implemented between the client and the proxy server. This provides the ability to allow access only to authorized clients and to maintain the confidentiality of transactions between the client and the proxy server.
  • The proxy server acts as a protective barrier between the client and potential attackers.

An IPv6 proxy server adds to these valuable features of proxy servers by enabling the capability of interconnecting multiple IPv6 and IPv4 networks. This can be done without modifying any other network configuration beyond routing the appropriate traffic and requests to the proxy server. 

Where does an IPv6 proxy server reside?

There are many network design options when using a proxy server. Typically, it is placed near the edge of an enterprise network to enable complete control over the communication of internal hosts with the Internet; features such as content filtering, client anonymity, and security can be ensured for all internal hosts of the enterprise. For ISPs, carrier-grade proxy servers can deliver similar services between the ISP’s network and its connections to other ISPs, or they can be placed between two portions of an ISP’s network that require proxy server services.

When applied with IPv6, the location of the proxy server must obviously be between the IPv4 and IPv6 networks that the server is intended to interconnect. This may indeed be at the edge of an enterprise network, but it may also be on the edge of an ISP’s network or within it, providing interconnectivity between networks leveraging IPv4 and IPv6.

Implementation examples

The following scenarios describe some of the ways that an IPv6 proxy server can be used.

IPv6 proxy on the edge of an IPv6 enterprise network

In this scenario, the internal enterprise network uses IPv6 addresses and connects to an ISP that currently provides connectivity via IPv4. The use of a proxy server allows for the interconnection of the internal IPv6 network with the ISP’s IPv4 network while also delivering security, anonymity, and filtering services for the internal hosts. This is a common scenario, especially for enterprises that want to be IPv6-ready in anticipation of their ISPs’ eventual adoption of the new protocol.

IPv6 proxy interconnecting two regions of an ISP network

In this case, an ISP is in the process of migrating its network to IPv6. They’re doing it in stages and require a method of communication between the IPv4 and IPv6 sections of their network. At the same time, they need to filter specific traffic between these two sections of the network and thus have employed a carrier-grade IPv6 proxy device.

IPv6 proxy server interconnecting two different ISPs

In this scenario, an ISP has fully migrated to IPv6, but one of the neighboring ISPs to which it is interconnected is still using IPv4. The ISP has installed an IPv6 proxy to perform the interconnection between these networks. The added advantage is that the ISP’s internal network remains a black box to the neighboring ISPs. All the addresses of the hosts on this side of the proxy server remain hidden, at least from the ISPs that connect via the proxy server.

Method of implementation

An IPv6 proxy can be deployed in several ways. One way is the use of an appliance, such as a purpose-built network device that has the proxy as well as the IPv6-related features available. Alternatively, an IPv6 proxy can be implemented in software and can thus reside on a physical server.  There are a multitude of projects on GitHub and other open source software repositories that are available for those desiring to use or further develop such a service.

Nevertheless, the most popular option is to use a cloud-based IPv6 proxy server, which is either set up by your IT administrator or can be purchased as a service from an IPv6 proxy provider. Typically these two choices are the most cost-effective, flexible, and versatile options.

Conclusion

Proxy servers are powerful network devices that deliver a rich set of security, anonymity, filtering, and monitoring services that can be very useful for enterprises and ISPs alike. Adding the capability of serving IPv6 networks allows a proxy server to also act as an IPv6 gateway, interconnecting IPv4 and IPv6 networks effectively and almost seamlessly. The combination of interconnection as well as proxy services makes IPv6 proxies a very attractive IPv6 transition technology.