Month: October 2025

Posted on

Sixgate: Technical Overview of the IPv4-to-IPv6 Gateway Mechanism

Last time, we introduced Sixgate as a simple way for IPv4-only clients to automatically reach IPv6-only servers. The idea is to let server operators drop IPv4 entirely — except for a single gateway — while still remaining accessible to legacy clients. It’s a bridge, not a wall.

This post explains how Sixgate works in practice: how clients discover the gateway, how packets are encapsulated, and how responses are routed — all without requiring session state.

This page as published is version 0.1. If I make a substantive edit I will update the version.

🔧 Core Components

Sixgate relies on four key elements:

  1. SRV Records in Reverse DNS Zones
  2. UDP-Based IPv6 Packet Encapsulation
  3. Gateway Forwarding with Embedded IPv4 Identity
  4. Stateless Response Routing

1. Gateway Discovery via SRV Records

When a client receives an IPv6 address from DNS but cannot connect due to lack of IPv6 support, it performs a fallback SRV query to discover a gateway.

SRV Query Format

The query uses the reverse-nibble format of the IPv6 address, similar to ip6.arpa, but requests a service record:

_sixgate._udp.<addr>.ip6.arpa

For example, for IPv6 address 2001:db8::1, the query becomes:

_sixgate._udp.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa

The SRV record returns:

  • Target: IPv4-accessible hostname of the gateway. (For example, gw.example.com)
  • Port: The UDP port listening for Sixgate packets on that IPv4 host. (For example, 2820)

The client then performs an A record lookup to resolve the IPv4 address of the gateway.

2. UDP Encapsulation of IPv6 Packets

The client constructs a standard IPv6 packet as if it had native connectivity. It then wraps this packet in a UDP payload and sends it to the gateway’s IPv4 address and designated port.

  • Outer Layer: IPv4 + UDP
  • Payload: Raw IPv6 packet (including headers and data)

This is similar to Teredo’s encapsulation model but reversed in direction and purpose.

3. Gateway Forwarding with Embedded IPv4 Identity

Upon receiving the UDP packet, the gateway:

  • Extracts the IPv6 packet from the payload.
  • Rewrites the source IPv6 address to one of its own — embedding the client’s IPv4 address and UDP port into the lower 48 bits.
  • Forwards the packet to the target IPv6-only server.

This rewriting is necessary because the original client has no routable IPv6 address. By embedding the client’s identity into the source address, the gateway enables stateless response routing and preserves visibility for server-side analysis.

Encoding Format

Assuming the gateway controls a /48 prefix (2001:db8:abcd::/48), it constructs 2001:db8:abcd::xxxx:yyyy:zzzz where:

  • xxxx:yyyy encodes the client’s IPv4 address (192.0.2.1c000:0201)
  • zzzz encodes the client’s UDP port (decimal 28200b04 in hex)

This allows the gateway to reconstruct the client’s IPv4 address and UDP port from the destination address of the server’s response and encapsulate the response to send it back, all without maintaining a session table. The server will see one of the gateway’s unique IPv6 source address and may (if it knows which range of IPv6 addresses belongs to the gateway) extract the embedded IPv4 identity for logging, rate limiting, or application-layer logic.

This stateless design is the default behavior for Sixgate. It simplifies implementation, improves scalability, and ensures that the server can still perform meaningful analysis of client identity.

🧱 Deployment Realities

  • IPv4 Address Requirement: Each IPv6-only cluster must maintain a single IPv4 address for the gateway. This is far lighter than full dual-stack hosting.
  • DNS Availability: DNS must remain reachable over IPv4 to resolve both the original AAAA record and the SRV fallback.
  • Firewall Traversal: Clients must be able to send outbound UDP packets to arbitrary destinations and receive UDP responses from the gateway.

🧪 Prototype and Standardization

Sixgate can be prototyped as:

  • A browser extension or OS-level library
  • A reference gateway daemon
  • An experimental IETF draft defining SRV usage and encapsulation format

🌉 Summary

Sixgate offers a practical, decentralized way to let IPv6 stand alone — without leaving anyone behind. By shifting compatibility to the edge and leveraging DNS for discovery, it enables graceful IPv6-only deployments while preserving access for legacy clients.

If you’re interested in implementing or extending Sixgate, I’d love to collaborate. Let’s build the bridge and let IPv6 finally stand on its own.

Coming soon: We’ll explore Sixgate’s security considerations — including abuse prevention, spoofing risks, and how gateway operators can balance openness with protection. If Sixgate is to be deployed in the wild, it must be safe as well as simple.

Credits
🦉 Written and published by me, Bill P. Godfrey.
✍️ Editorial assistance from Echoquill, my robotic assistant.

Posted on

Sixgate – IPv6 Without Leaving Anyone Behind

The internet is slowly, stubbornly moving toward IPv6. Server operators are increasingly comfortable deploying services on IPv6-only infrastructure, but there’s a catch. Many clients still live in IPv4-only environments, especially those served by legacy ISPs or locked into older hardware. This creates a frustrating asymmetry. Any website going IPv6-only will risk cutting off a portion of their audience.

We’ve been here before. Windows XP did not support SNI and website operators had to dedicate a full IPv4 address to each secure domain. Until XP faded out, many sites avoided HTTPS entirely. IPv6 faces a similar hesitation. Operators won’t go IPv6-only while legacy clients remain stranded.

IPv6 was meant to free us from the confines of IPv4, yet ISPs happy to maintain the status quo are holding everyone back.

Sixgate is a proposal to change that.

Before we dig deeper, I am painfully aware that the idea seems a little obvious. I can’t help the feeling that this must have been thought of already but there’s some problem which is why I can’t find any discussion of it. Maybe I am the first to think of this. I humbly await comments telling me exactly how wrong I am.

🌉 What Is Sixgate?

Sixgate is a lightweight mechanism that allows IPv4-only clients to reach IPv6-only servers without requiring IPv4 infrastructure. It works by letting clients automatically discover and use a gateway operated by the server network to tunnel IPv6 packets over IPv4.

Here’s how Sixgate bridges the gap:

  1. The client attempts to connect to a website and receives only an IPv6 address from DNS. The client knows that it cannot connect, either due to a missing IPv6 configuration or a previously failed attempt.
  2. The client performs a second DNS query, asking for a special SRV record associated with the IPv6 address, published in the same zone as reverse DNS for that IP address.
  3. The SRV record returns an IPv4-accessible gateway, operated by the website’s network.
  4. The client wraps its IPv6 packet in a UDP envelope and sends it to the gateway.
  5. The gateway unwraps the packet, rewrites the source address to its own IPv6 identity and forwards it to the server.
  6. Responses follow the same path in reverse, allowing the IPv4-only client to communicate seamlessly with the IPv6-only service.

🛠 Practical Realities

Even an IPv6-only cluster will need a single IPv4 address to operate the gateway. That’s a small concession. Far less costly than maintaining IPv4 across all services. The gateway becomes a focused point of compatibility, not a sprawling legacy burden. The gateway itself need not be part of the server farm it supports, but should be close to the same network path that normal IPv6 traffic takes.

Additionally, DNS itself must remain reachable over IPv4, at least for the foreseeable future. Clients need to resolve both the original IPv6 address and the SRV record for the gateway. Fortunately, DNS infrastructure is already deeply entrenched in IPv4, and this proposal doesn’t require any changes to that foundation.

“Ulysses, Ulysses, soaring through all the galaxies. In search of Earth, flying into the night.”

🚀 Why Sixgate Matters

The beauty of Sixgate is that it shifts the burden away from ISPs and toward software. Updating an operating system or browser to support this fall-back logic is vastly easier than convincing hundreds of ISPs to overhaul their networks. Software updates can be rolled out in weeks. ISP transitions take years — sometimes decades.

By giving server operators a graceful way to drop IPv4, we accelerate the transition without leaving legacy clients behind. It’s a bridge, not a wall.

🔭 What Comes Next?

This is a sketch — but it’s one that could be prototyped quickly. A browser extension, a client library, or even a reference implementation could demonstrate its viability. From there, it could be standardized, adopted, and quietly become part of the internet’s connective tissue.

If you’re a server operator dreaming of an IPv6-only future, this might be your missing piece. And if you’re a protocol designer or systems thinker, I’d love to hear your thoughts.

Let’s build the bridge — and let IPv6 finally stand on its own.

Part 1½. Answering the question of why we need this when IPv6-over-IPv4 tunnel services already exist. (Added after I had already written part 2.)

Part Two. For those curious about how Sixgate works under the hood — from SRV record discovery to stateless response routing.

Credits:
📸 “Snow Scot” by Peeja. (With permission.)
🤖 Microsoft Copilot for rubber-ducking and help refining my text.

Posted on

Rufus – An Adventure in Downloading

I needed to make a bootable USB. Simple task, right? My aging Windows 10 machine couldn’t upgrade to 11 and Ubuntu seemed like the obvious next step.

Downloading Rufus, the tiny tool everyone recommends, turned out to be less of a utility and more of a trust exercise. Between misleading ads, ambiguous signatures and the creeping dread of running an EXE as administrator, I found myself wondering how something so basic became so fraught?

Click Here to regret everything…

Here’s what I saw when I browsed to rufus.ie:

“Her weapons were her crystal eyes, making every man mad.”

I’ve redacted the name of the product being advertised. This isn’t really about them and they may very well be legitimate advertisers. Point is, I have no idea if they’re dodgy or not. I’m here to download the Rufus app thanks very much. I’m fortunate enough to have been around long enough to recognise an ad but I wonder how someone else who might be following instructions to “Download Rufus from rufus.ie” would cope.

Wading through the ads, I found the link that probably had the EXE I actually wanted. Hovering my pointer over the link had a reasonable looking URL. I clicked…

“She’s got it! Yeah baby, she’s got it!”

At some point during my clicking around, two EXEs were deposited in my “Downloads” folder. It looked like the same EXE but one had “(1)” on the end, so I had probably downloaded it twice. I right-clicked the file and looked for the expected digital signature: Akeo Consulting.

Even now, am I quite certain that this “Akeo Consulting” is the right one? Could one of those dodgy-looking advertisers formed their own company that’s also called Akeo Consulting but in a different place, in order to get a legitimate digital signature onto their own EXE? And this is an executable I’d need to run as administrator, with no restrictions.

At the end of the day, I am complaining about something someone is doing for free. I can already hear the comments that I’m “free to build my own”. I know how much it costs to run a website, especially one that’s probably experiencing a sudden spike in traffic while people find they need to move from Windows 10.

I’m not blaming this project, I’m blaming society. If the Rufus Project had to choose between accepting advertiser money to keep the lights on or shutting down, I’m not going to tell them they should have chosen the latter option. But if this is where we are as a society, we’ve made a mistake along the way.

Credits:
🔨 The Rufus Project, for their (at the end of the day) very useful app.
🤖 Microsoft Copilot for spelling/grammar checking, reviews and rubber-ducking.

Posted on

The UKIP Effect – How to Win by Not Winning

UKIP, the British political party, is a failure.

Since their launch in the 90s, their peak of power was two members of parliament but now have none. Their most prominent party leader, who you might reasonably expect to be the most successful, ran for election to parliament a total of seven times and won none of them. (He was since elected as an MP in 2024, long after leaving his leadership post.)

And yet, the UK is not a member of the European Union anymore. I hurts my remoaner Euro-enthusiast heart to admit it, but far from being a failure, they might be the most successful political party ever!

How did it happen?

“They sailed away for a year and a day, to the land where the bong-tree grows.”

Winning Without Seats

They never governed. They never held power. They barely held seats. And yet, they bent the arc of British history.

UKIP didn’t win elections, they warped them. Like a black hole in the political field, they pulled the discourse toward Euroscepticism and toward a referendum. The mainstream parties, once content to grumble about bendy bananas, suddenly found themselves triangulating around Nigel Farage’s pint-and-flag persona. Not because they admired it, but because it worked.

And that’s the strange success. UKIP didn’t need to win, they needed to make winning impossible without addressing their cause. They became the ghost in every campaign room. The reason David Cameron promised a referendum that he never wanted to hold nor take any responsibility for.

It’s a kind of political parasitism. Infect the host, rewrite the DNA, and vanish. No seats, no legacy, no infrastructure, but plenty of impact. They proved that you don’t need to govern to change everything. You just need to haunt the system long enough that it starts to dream your dreams.

It only makes sense when you understand the machinery it exploited. In the UK, we don’t vote for a prime minister but for our local MP. The party with enough MPs forms the government. That means national sentiment is filtered through hundreds of local contests, each decided by a simple rule: whoever gets the most votes wins.

This is a system that favours blunt choices. Within each constituency, if two candidates share similar views, they risk splitting the vote and handing victory to someone neither of them agrees with. This is called the “spoiler effect”. It means that standing on principle can mean losing on numbers.

The result is that simplicity is rewarded and nuance punished. The more finely you slice a viewpoint, the less likely it is to win. UKIP thrived in this system not by winning seats, but by threatening to spoil them.

The big parties had to steal their clothes. A Conservative candidate in a marginal seat couldn’t afford to ignore UKIP’s talking points. A handful of disgruntled voters could very realistically swing the result.

Then came the Brexit referendum. It didn’t happen because UKIP demanded it, but because the Conservative Party feared what would happen if they didn’t do it. UKIP didn’t force the vote but haunted it into existence.

It’s a strange kind of democratic judo to use the system’s quirks against itself. Exploit the spoiler effect not to win, but to warp. They made their presence felt in every calculation, every campaign leaflet, every doorstep conversation.

Once the goal of leaving the EU was achieved, the party collapsed under the weight of its own irrelevance, but the effect remains. I’ll call it The UKIP Effect. A reminder that in politics, influence isn’t always measured in seats. Sometimes it’s measured in the shadows you cast.

What’s the lesson for similar small parties with large goals?

“Ever singing, marching onwards, victors in the midst of strife. Joyful music leads us sunward, the triumphant song of life.”

Spoil to Win!

The UKIP effect is not for the faint-hearted. It demands conviction so strong that you’re willing to risk empowering your ideological opponents to make your point unavoidable.

It’s a kind of political brinkmanship. You stand on the edge and yell “No Compromises!” If you do it loudly enough, consistently enough, the big parties start to twitch. Not because you’ll win but because you’ll make them lose.

For The Party of Women, The Reclaim Party and The Jeremy Corbyn People’s Front, the lesson is clear but uncomfortable. If you want to shift the narrative, you must be willing to spoil it. That means resisting tactical voting and accepting that your vote might help elect someone you oppose — you’re playing the long game. It’s about changing the menu, not choosing from it.

It only works if your core policy is sharp, singular, and resonant. UKIP had one idea, to leave the European Union. Everything else was window dressing. That clarity gave them gravitational pull. Without it, you’re just another star in the political sky.

The question for small parties is “What are we willing to lose to make our idea unavoidable?”

And maybe — just maybe — the answer is everything.

Credits:
📸 “Cats Eyes” by Ivan Phan. (Creative Commons)
📸 “Haunting Resilience” by Dr Partha Sarath Sahana. (Creative Commons)
👥 Thanks to my friends Andrew Williams and Heather McKee for their feedback.
🤖 Thanks to Microsoft Copilot for reviewing my drafts, random philosophical mischief and taking a break from destroying all humanity.
🔨 This was edited post-publication to make the introduction a little more concise.