IPv6-Only Network with NAT64/464XLAT

IPv4 addresses are running out. ARIN exhausted its free pool in September 2015. RIPE followed in November 2019. The remaining addresses are either hoarded by large organizations or traded on a secondary market at $30-50 per address. Meanwhile, mobile carriers — facing explosive device growth — needed a path forward that didn’t depend on buying more IPv4 space.

The answer was IPv6-only networks with NAT64 as the bridge. Instead of running dual-stack (maintaining both IPv4 and IPv6 in parallel, with all the operational complexity that entails), carriers like T-Mobile, Reliance Jio, and SK Telecom went IPv6-only internally and used NAT64 to translate when talking to the IPv4 internet. The internal network simplifies dramatically: one address family, one set of firewall rules, one routing table.

But IPv6-only breaks things. Legacy apps with hardcoded IPv4 addresses, protocols that embed IPs in payloads, VPN clients that assume IPv4 — all of these fail. 464XLAT solves the last mile by adding CLAT (Customer-side translator) on the device itself. This is how it all fits together.

What Breaks on IPv6-Only

NAT64 with DNS64 handles the common case — apps that resolve hostnames via DNS. But several categories of traffic break on an IPv6-only network, and understanding them explains why CLAT exists.

Hardcoded IPv4 literals. Any app that connects directly to an IP address (not a hostname) bypasses DNS64 entirely. Game clients, IoT firmware, and legacy enterprise software are common offenders. CLAT intercepts these IPv4 packets at the device level and translates them to IPv6 before they hit the network.

Protocols that embed addresses in payloads. SIP (VoIP) and FTP active mode put IP addresses inside the application-layer data. A NAT64 gateway translates packet headers but not payloads, so these protocols see stale IPv4 addresses and fail. Application-level gateways (ALGs) can help, but they add complexity and often lag behind protocol updates.

VPNs and peer-to-peer. IPsec and WireGuard tunnels typically expect an IPv4 inner address. Peer-to-peer apps that exchange IP addresses out-of-band (WebRTC ICE candidates, BitTorrent) also struggle. The CLAT’s virtual IPv4 interface solves most VPN scenarios; P2P generally requires dual-stack or protocol-level IPv6 support.

Practical Deployment

Home lab and small networks. Tayga and Jool are the two main open-source NAT64 implementations for Linux. Tayga is simpler (userspace, TUN-based); Jool is faster (kernel module, supports stateful and stateless modes). Pair either with a DNS64-capable resolver like BIND or Unbound, and you have a working IPv6-only network with IPv4 internet access.

Mobile carriers at scale. T-Mobile’s IPv6-only deployment covers hundreds of millions of devices. Android has included CLAT since version 4.3 (2013), and iOS uses its own implementation transparently. The network-side NAT64 runs on carrier-grade hardware with stateful tracking of millions of simultaneous translations.

Enterprise. Organizations with large IPv4 allocations face increasing costs as addresses appreciate. Migrating internal networks to IPv6-only with NAT64 at the edge eliminates the need for internal IPv4 addressing. The operational savings — one address plan, one set of ACLs, no NAT44 — often justify the migration effort within a year.