Network Migration Gateway
The Network Migration Gateway (NMG) is a capability of the .vantronix Firewall Operating System (.vtFOS) that is introduced with the FW.48 release on March 1st, 2011.

The current infrastructure of the Internet is based on its underlying TCP/IP protocol suite – the Internet Protocol version 4. The IPv4 protocol uses a 32-bit address space, which limits the Internet to a possible maximum of 4,294,967,296 (2^32) unique addresses for connected systems, servers or routers. The next-generation protocol IPv6 introduces extended functionality and a 128-bit address space, or 340,282,366,920,938,463,463,374,607,431,768,211,456 (2^128) unique addresses.

  • IPv4 addresses exhausted - In February 2011, the Internet Assigned Numbers Authority (IANA) announced the exhaustion of the primary IPv4 address pool. The rapid growth of global Internet users and an increasing need for unique IP addresses exhausted the address space about 30 years after the standardization of IPv4 in 1981.

  • IPv6 for compliance - Some governments have started to require IPv6 compliance for any new systems connected to their networks. For example, the US Government has required IPv6 since mid-2010 with its USGv6 standard by the National Institute of Standards and Technology (NIST). It is sometimes even required to run IPv6-only systems that prevent “dual-stack” use of IPv4 and IPv6 in parallel.

Many businesses are facing the problem of migrating their networks and solutions to IPv6. Many legacy systems don’t even support IPv6 and cannot be replaced or upgraded in the next number of years. A significant investment is required to upgrade all systems, products and solutions to IPv6 but it is required to meet the compliance criteria and to drive the future business.

So it is either IPv4 or IPv6 but what about interconnecting both “worlds”? The NMG combines and extends the .vantronix IPv6 Gateway with the transparent IP security option, improved usability, flexibility and superior performance. It is a technology to connect legacy IPv4 clouds to latest generation IPv6 networks, state-of-the-art IPv6 networks to the traditional IPv4 Internet, and to provide dynamic protection with the IKEv2 IP security mechanism.

The existing .vantronix IPv6/IPv4 Gateway provides this functionality with a relay for TCP and DNS, but the new NMG provides an improved translation mechanism for all IP protocols. It is now based on PF, the Packet Filter that drives the .vantronix stateful firewall and policy-based routing engine. The new IP security option dynamically protects unprotected IP traffic with IPsec and IKEv2.

Application Delivery - Application Delivery Controllers (ADC) or Load Balancers typically run in front of public web sites to terminate the Internet traffic and to distribute it to a pool of internal application servers. The Network Migration Gateway makes it possible to add IPv6 compatibility to IPv4-only server pools by running it on .vantronix load balancers. The NMG accepts IPv6 traffic on a public IP address and distributes it internally to IPv4-only servers, which do not have to be touched or updated for IPv6.

Bump-in-the-Wire - A Bump-in-the-Wire is a gateway that is transparently running in front of a legacy system. It typically is a 1:1 network migration solution where a dedicated gateway is bundled with a single legacy system. This solution is typically used for operating highly specialized IPv4-connected systems, machines, or medical equipment in restricted or even classified IPv6-only networks. A BitW can also transparently protect the IP traffic with IKEv2 IPsec.

IPv6 NAT and Firewall - The .vantronix Network Migration Gateway is part of a routing firewall solution that supports unlimited stateful firewalling for IPv4 and IPv6. Network address translation (NAT) is a very common way to connect local to global IPv4 networks, but was extended to be the key technology for NAT46, NAT64 and IPv6-to-IPv6 NAT66. And yes, we do think that NAT is important for IPv6-only as well.