Executive Summary

XSTRA keeps customer access networks on IPv4 for now to ensure maximum compatibility. We enable IPv6 at the WAN/DMZ only when we state it is necessary. We do not pre-provision IPv6 to customers; IPv6 space is allocated on request. If an IPv6-only service needs to talk to IPv4 (or vice-versa), we can provide standards-based translation at the edge. Administration fees apply for both dedicated IPv4 assignments and IPv6 allocations.



Contents


  1. Governance & Precedence
  2. Policy Stance (Plain English)
  3. Customer Tiers & Addressing
  4. WAN/DMZ Addressing & Routing
  5. Deployment Profiles
  6. Translation & Compatibility Services
  7. Security Policy (v4/v6 Parity)
  8. Operational Guardrails
  9. Rollout Phases & Ownership
  10. Support Playbooks
  11. Compliance & Logging
  12. One-Paragraph Summary (Non-Technical)

1) Governance & Precedence

If a specific product, customer, or network policy explicitly states it takes precedence, it overrides this policy. Otherwise, this document serves as the catch-all where no other policy covers the topic.

2) Policy Stance (Plain English)

  • Access LANs: IPv4-only by default (NAT44), for maximum device compatibility.
  • WAN/DMZ IPv6: Enabled only when we say it’s necessary (peering/cloud/perf/requirements).
  • No pre-provisioned IPv6: IPv6 space is allocated on request or when required—fees apply.
  • Interoperability: Edge translation available (DNS64/NAT64; 464XLAT where appropriate).
  • Fees: Administration fee applies to both dedicated IPv4 and any IPv6 allocations.

3) Customer Tiers & Addressing

| Tier | IPv4 | IPv6 (on request) | Notes / Fees |
|---|---|---|---|
| A-Class (Business/Premium) | Option to secure a dedicated public IPv4 from XSTRA | /56 by default; /48 for complex segmentation | Administration fee applies to IPv4 and IPv6 allocation; CGNAT optional as fallback |
| Standard (Residential/SMB) | CGNAT by default; static mapping by exception | Allocated on request (usually /56) | Fees apply to any IPv6 allocation; static CGNAT mapping may incur fees |
| Lite / IoT / Single-LAN | CGNAT egress; inbound by exception only | Allocated on request (commonly /64) | Fees apply to IPv6 allocation; inbound exceptions may incur fees |

Notes: IPv6 PD is not pre-provisioned. WAN and LAN addressing are separate; enabling v6 on WAN/DMZ does not imply enabling v6 on access LANs.

4) WAN/DMZ Addressing & Routing

  • Default: WAN is IPv4-only.
  • When WAN/DMZ IPv6 is explicitly required:
    • Obtain IPv6 /64 (or /127 for p2p) for the link.
    • If internal IPv6 is also required, allocate a PD on request (/56 default; /48 for complex/A-Class).
    • When enabled, maintain both 0.0.0.0/0 and ::/0 toward the ISP.
  • DMZ/Edges: Public-facing endpoints may be dual-stack where needed (A+AAAA); back-ends can remain IPv4.


| IPv4-only WAN (Default) | Dual-Stack WAN (Opt-in) |
|---|---|
| Simplest ops; no v6 routing/firewall to maintain on WAN. | Required only when specifically stated (peering/cloud/perf). Apply stateful IPv6 firewall; allow essential ICMPv6. |

5) Deployment Profiles

| Profile | When to use | Key settings |
|---|---|---|
| A – IPv4-only access + IPv4-only WAN (Default) | Baseline for most sites | LANs IPv4+NAT44; WAN IPv4-only; translation/proxies available if needed |
| B – IPv4-only access + Dual-Stack WAN/DMZ (Opt-in) | Cloud/peer/perf requires v6 at edge | Enable v6 on WAN/DMZ; optional DNS64/NAT64 (+ 464XLAT) for v4-only clients hitting v6-only resources |
| C – Dual-Stack Access (Opt-in, by exception) | Internal v6 specifically requested | Allocate PD on request; /64 per VLAN; retain IPv4 or provide 464XLAT for v6-only access |

6) Translation & Compatibility Services (On Request)

  • DNS64/NAT64: v6-only ↔ v4-only interoperability at the edge; HA per PoP/site as needed (fees may apply).
  • 464XLAT (CLAT on CPE): for apps using IPv4 literals on v6-only access; core provides NAT64 (fees may apply).
  • CGNAT (IPv4): Default for Standard/Lite; inbound pins by exception. A-Class can secure a dedicated IPv4 (admin fee applies).
  • Inbound v4 → v6-only services: Prefer dual-stack front ends (proxy/LB/CDN). SIIT-DC considered for DC use-cases.

7) Security Policy (v4/v6 Parity)

  • Stateful firewalls on all WAN/DMZ edges; drop unsolicited inbound; allow established/related; allow essential ICMPv6 (RA/ND/PMTUD).
  • No NAT66 in customer access designs. Use routing + PD; translation only for v6↔v4 interop.
  • BCP-38/uRPF at edges; RPKI (ROAs) + IRR for any announced v6 aggregates; DDoS controls with parity for v4/v6.
  • Telemetry: sFlow/NetFlow/IPFIX including v6; monitor ND/RA counters; record PD assignments when allocated.
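
The inbound decisions in the first bullet, modelled as an added example (not XSTRA tooling or configuration). The packet dictionaries, field names and addresses are constructed for illustration; the ICMPv6 type numbers come from RFC 4443 and RFC 4861.

```python
PACKET_TOO_BIG = 2                  # ICMPv6 type used by PMTUD (RFC 4443)
ND_TYPES = {133, 134, 135, 136}     # RS, RA, NS, NA (RFC 4861)

def flow(p):
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

class EdgeFilter:
    """Model of the stateful inbound policy on a v6-enabled WAN edge."""
    def __init__(self):
        self.flows = set()          # flows opened from the inside

    def outbound(self, p):
        self.flows.add(flow(p))
        return "accept"

    def inbound(self, p):
        if p["proto"] == "icmpv6":
            if p["type"] in ND_TYPES:
                # RFC 4861: ND is valid only with hop limit 255, which
                # shows the packet was sent on the local link.
                return "accept" if p["hlim"] == 255 else "drop"
            if p["type"] == PACKET_TOO_BIG:
                # "related": the quoted inner packet must be one we sent.
                return "accept" if flow(p["inner"]) in self.flows else "drop"
            return "drop"           # the policy names only RA/ND/PMTUD
        reply_of = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        return "accept" if reply_of in self.flows else "drop"

# Constructed packets using RFC 3849 documentation addresses.
SYN = {"proto": "tcp", "src": "2001:db8:100:1::10", "sport": 50000,
       "dst": "2001:db8:2::80", "dport": 443}
REPLY = {"proto": "tcp", "src": "2001:db8:2::80", "sport": 443,
         "dst": "2001:db8:100:1::10", "dport": 50000}
SCAN = {"proto": "tcp", "src": "2001:db8:9::1", "sport": 40000,
        "dst": "2001:db8:100:1::10", "dport": 22}
RA = {"proto": "icmpv6", "type": 134, "hlim": 255}
RA_OFFLINK = {"proto": "icmpv6", "type": 134, "hlim": 64}
PTB = {"proto": "icmpv6", "type": PACKET_TOO_BIG, "inner": SYN}
PTB_BOGUS = {"proto": "icmpv6", "type": PACKET_TOO_BIG, "inner": SCAN}

def demo():
    fw = EdgeFilter()
    fw.outbound(SYN)                # inside host opens one TCP flow
    return [fw.inbound(p) for p in (REPLY, SCAN, RA, RA_OFFLINK, PTB, PTB_BOGUS)]
```

On a real edge the same decisions are written in the firewall's own rule language, with connection tracking doing the flow matching.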

8) Operational Guardrails (MUST/SHOULD/MAY)

  • MUST keep access LANs IPv4 by default; any IPv6 enablement is opt-in and documented.
  • MUST NOT reuse WAN /64 on LANs.
  • MUST NOT disable ICMPv6 on segments where v6 is enabled.
  • MUST keep parity of firewall/IDS/IPS/DDoS between v4 and v6 on segments where v6 is enabled.
  • SHOULD use /127 for router-router links where IPv6 is enabled and supported.
  • SHOULD NOT announce per-customer /64s on the DFZ; aggregate to /48 or shorter when advertising.
  • MAY allocate IPv6 PD (/56 default; /48 on request) when a business/technical need is established (fees apply).
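
A pre-provisioning check for the addressing guardrails above, as an added example (not XSTRA tooling). The function names, the plan layout and the sample prefixes are assumptions made for illustration.

```python
import ipaddress as ip

def carve_vlans(pd, names):
    """Assign one /64 per VLAN name, taken in order from the delegated prefix."""
    subnets = ip.ip_network(pd).subnets(new_prefix=64)
    return {name: str(net) for name, net in zip(names, subnets)}

def check_plan(pd, wan_link, vlans, announced):
    """Return the guardrail violations found in one site's IPv6 plan."""
    pd, wan = ip.ip_network(pd), ip.ip_network(wan_link)
    problems, seen = [], {}
    if pd.prefixlen not in (48, 56):          # PD: /56 default, /48 on request
        problems.append(f"PD {pd} is not a /56 or /48")
    if wan.prefixlen not in (64, 127):        # link: /64, or /127 for p2p
        problems.append(f"WAN link {wan} is not a /64 or /127")
    for name, prefix in vlans.items():
        net = ip.ip_network(prefix)
        if net.prefixlen != 64:               # /64 per VLAN
            problems.append(f"VLAN {name}: {net} is not a /64")
        if not net.subnet_of(pd):
            problems.append(f"VLAN {name}: {net} is outside PD {pd}")
        if net.overlaps(wan):                 # MUST NOT reuse WAN /64 on LANs
            problems.append(f"VLAN {name}: {net} reuses the WAN prefix {wan}")
        if net in seen:
            problems.append(f"VLAN {name}: {net} already used by {seen[net]}")
        seen[net] = name
    for prefix in announced:                  # aggregate to /48 or shorter
        net = ip.ip_network(prefix)
        if net.prefixlen > 48:
            problems.append(f"announcement {net} is longer than /48")
    return problems

# Constructed sample data (RFC 3849 documentation space), not real allocations.
PD, WAN = "2001:db8:100::/56", "2001:db8:ffff:1::/64"
GOOD = carve_vlans(PD, ["office", "voice"])
BAD = {"office": "2001:db8:100:1::/64", "guest": "2001:db8:ffff:1::/64"}

if __name__ == "__main__":
    print(check_plan(PD, WAN, GOOD, ["2001:db8::/32"]))
    for problem in check_plan(PD, WAN, BAD, ["2001:db8:100:1::/64"]):
        print(problem)
```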

9) Rollout Phases & Ownership

| Phase | Scope | Owner | Timing |
|---|---|---|---|
| 1 – Now | WAN IPv4-only by default; define approval criteria for enabling WAN/DMZ IPv6; keep translation capability available on request | Core NetOps | Immediate |
| 2 – As Needed | Update CPE images so IPv6 features are available but disabled by default; add CRM/order flags (IPv6 on request; dedicated IPv4 with admin fee); refresh Support KB | Access/Field Ops | Determined by XSTRA |
| 3 – As Needed | For sites with IPv6 enabled: expand telemetry/alerting; validate 464XLAT with key apps; publish operational exceptions | NOC/SecOps | Determined by XSTRA |

10) Support Playbooks

  • “Why IPv6 if our LAN is IPv4?” Dual-stack at the edge can improve reach/performance to some clouds/CDNs when explicitly required. LAN remains IPv4 unless requested.
  • “We can’t reach a site from IPv4-only LAN.” If the destination is IPv6-only, offer DNS64/NAT64 at the edge or a dual-stack proxy in the DMZ (fees may apply).
  • “We need inbound IPv4 to our service.” A-Class can secure a dedicated IPv4 (admin fee). Otherwise consider CGNAT static mapping by exception or dual-stack front end.
  • “Multiple VLANs?” If IPv6 is requested, allocate PD (/56 default; /48 for complex) and assign /64 per VLAN.

11) Compliance & Logging

  • Retain NAT64/CGNAT translation logs per policy and law.
  • Record any IPv6 allocations (PD size, WAN /64 or /127) in CRM/OSS with timestamps.
  • Maintain ROAs for any announced IPv6 aggregates; keep IRR (route6/AS-SET) objects updated.

12) One-Paragraph Summary (Non-Technical)

XSTRA keeps customer access networks on IPv4 for maximum compatibility. We enable IPv6 at the WAN/DMZ only when we state it is necessary. We do not pre-provision IPv6; IPv6 is allocated on request with an administration fee. If an IPv6-only service needs to talk to IPv4 (or vice-versa), we can provide standards-based translation at the edge.

© 2021–2025 XSTRA Group Pty Ltd (Australia). All rights reserved.
