Dual-Stack Networking: Running IPv4 and IPv6 Together

What is Dual-Stack Networking#

Dual-stack means running both IPv4 and IPv6 simultaneously on the same network infrastructure. Every device gets an IPv4 address and an IPv6 address. Applications automatically select which protocol to use based on availability and preference.

This is the recommended transition approach for most organizations. You don't need a migration weekend or service cutover. IPv4 continues working while you enable IPv6 incrementally. Existing clients see no disruption. IPv6-capable clients get native connectivity. You migrate at your own pace.

Real-world adoption reflects this. According to Google's statistics, over 40% of users access their services via IPv6. Most major networks—mobile carriers, cloud providers, content delivery networks—run dual-stack today. It's no longer experimental. It's production standard.

How Dual-Stack Works#

On a dual-stack network, each interface carries two network stacks. A server might have 192.0.2.10 for IPv4 and 2001:db8::10 for IPv6. Both addresses work independently. Traffic can flow over either protocol depending on what the client and server negotiate.

┌──────────────────────────────────────┐
│      Application (curl, browser)    │
│      Uses DNS to find addresses      │
├──────────────────────────────────────┤
│        TCP/UDP (Agnostic)            │
├───────────────────┬──────────────────┤
│   IPv4 Stack      │   IPv6 Stack     │
│   192.0.2.10      │   2001:db8::10   │
│   Routes via gw1  │   Routes via gw2 │
└───────────────────┴──────────────────┘
         │                   │
    IPv4 Network        IPv6 Network

The network layer maintains separate routing tables. IPv4 packets follow IPv4 routes. IPv6 packets follow IPv6 routes. They don't interfere with each other.

Application Behavior: Happy Eyeballs#

Applications don't manually choose between protocols. The operating system handles protocol selection using an algorithm called "Happy Eyeballs" (RFC 8305). Understanding this helps debug connection issues.

The process:

1. Application requests connection to example.com
2. DNS returns both A (IPv4) and AAAA (IPv6) records
3. OS attempts IPv6 connection first
4. After 50-250ms delay (varies by implementation), OS starts IPv4 connection in parallel
5. Whichever connection completes first wins
6. Result cached for subsequent connections

This ensures users get the fastest available connection without waiting for timeouts. IPv6 gets preference, but broken IPv6 won't cause user-visible delays beyond a fraction of a second.

Test this behavior using our Ping tool against dual-stack destinations. Compare IPv4 and IPv6 response times.

DNS Returns Both Record Types#

In dual-stack, DNS servers publish both A and AAAA records for the same hostname:

$ dig example.com A +short
192.0.2.10

This queries for the IPv4 address record.

$ dig example.com AAAA +short
2001:db8::10

Clients query for both types (or use DNS64 synthesis in IPv6-only networks). The resolver returns whatever records exist. If only A exists, the client uses IPv4. If both exist, Happy Eyeballs decides.

Configuration Examples#

Dual-stack configuration is straightforward on modern systems. Most support automatic configuration via SLAAC (Stateless Address Autoconfiguration) or DHCPv6.

Linux: Netplan (Ubuntu)#

Modern Ubuntu uses Netplan for network configuration. Edit /etc/netplan/01-netcfg.yaml:

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: true
      dhcp6: true
      accept-ra: true

The key settings:

• dhcp4: true - Obtain IPv4 via DHCP
• dhcp6: true - Obtain IPv6 via DHCPv6
• accept-ra: true - Accept Router Advertisements for SLAAC

Apply the configuration:

sudo netplan apply

This activates the new network configuration without requiring a reboot.

Verify both protocols:

ip addr show eth0
# Look for both "inet" (IPv4) and "inet6" (IPv6) addresses

Linux: NetworkManager (Fedora, RHEL, CentOS)#

Using NetworkManager's command-line interface:

# Enable both protocols on your connection
nmcli connection modify "Wired connection 1" ipv4.method auto
nmcli connection modify "Wired connection 1" ipv6.method auto

These commands configure automatic address assignment for both protocols.

# Apply changes
nmcli connection up "Wired connection 1"
 
# Verify configuration
nmcli device show eth0

For static dual-stack configuration:

# Configure static IPv4 and IPv6
nmcli connection modify "Wired connection 1" \
  ipv4.method manual \
  ipv4.addresses 192.0.2.10/24 \
  ipv4.gateway 192.0.2.1 \
  ipv6.method manual \
  ipv6.addresses 2001:db8::10/64 \
  ipv6.gateway 2001:db8::1
 
nmcli connection up "Wired connection 1"

This sets static addresses and gateways for both address families.

Windows 10/11#

Windows enables dual-stack by default. To verify or reconfigure:

GUI Method:

1. Press Win + R, type ncpa.cpl, hit Enter
2. Right-click network adapter → Properties
3. Verify both protocols are checked:
   • Internet Protocol Version 4 (TCP/IPv4)
   • Internet Protocol Version 6 (TCP/IPv6)
4. Configure each protocol's properties as needed

PowerShell Method:

# Check current configuration
Get-NetIPAddress -InterfaceAlias "Ethernet"

This displays all IP addresses assigned to the interface.

# Enable automatic configuration for both protocols
Set-NetIPInterface -InterfaceAlias "Ethernet" -Dhcp Enabled
Set-NetIPInterface -InterfaceAlias "Ethernet" -AddressFamily IPv6 -Dhcp Enabled

Or configure static addresses:

New-NetIPAddress -InterfaceAlias "Ethernet" `
  -IPAddress 192.0.2.10 -PrefixLength 24 -DefaultGateway 192.0.2.1
 
New-NetIPAddress -InterfaceAlias "Ethernet" `
  -IPAddress 2001:db8::10 -PrefixLength 64 -DefaultGateway 2001:db8::1

These commands assign static addresses for both IPv4 and IPv6.

# Verify
Get-NetIPAddress -InterfaceAlias "Ethernet"
Get-NetRoute -InterfaceAlias "Ethernet"

Linux Router with radvd#

To configure a Linux system as a dual-stack router, enable forwarding and run Router Advertisement daemon.

Enable IP forwarding:

# Temporary
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1

These commands enable packet forwarding in the kernel.

# Permanent
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Install and configure radvd:

sudo apt install radvd  # Ubuntu/Debian
# or
sudo dnf install radvd  # Fedora/RHEL

This installs the Router Advertisement daemon for IPv6.

Edit /etc/radvd.conf:

interface eth0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
 
    prefix 2001:db8::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
 
    RDNSS 2001:4860:4860::8888 2001:4860:4860::8844
    {
    };
};

This configuration advertises the network prefix and DNS servers to LAN clients.

Start the service:

sudo systemctl enable radvd
sudo systemctl start radvd

Clients on the eth0 network will now receive Router Advertisements and configure IPv6 addresses automatically via SLAAC.

Cisco IOS Router#

Configure dual-stack on a Cisco router:

! Enable IPv6 routing
ipv6 unicast-routing
 
! Configure WAN interface (dual-stack)
interface GigabitEthernet0/0
 description WAN
 ip address dhcp
 ipv6 address autoconfig
 ipv6 enable
 no shutdown
 
! Configure LAN interface (dual-stack)
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ipv6 address 2001:db8:1::1/64
 ipv6 enable
 ipv6 nd prefix 2001:db8:1::/64
 ipv6 nd ra interval 10
 no shutdown
 
! Configure default routes
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ipv6 route ::/0 GigabitEthernet0/0
 
! Verify configuration
show ip interface brief
show ipv6 interface brief

Address Selection Rules#

When a dual-stack client connects to a dual-stack server, how does it choose which protocol to use? RFC 6724 defines the source and destination address selection algorithm.

Default Preference Order#

The algorithm evaluates addresses based on these rules (simplified):

1. Prefer same scope - Link-local to link-local, global to global
2. Prefer matching address family - If source is IPv6, prefer IPv6 destination
3. Prefer higher precedence - IPv6 has higher default precedence than IPv4
4. Prefer native transport - Avoid tunneling if possible
5. Prefer smaller scope - Prefer more specific routes
6. Use longest matching prefix - More specific routes win

By default, IPv6 gets preference over IPv4. This is intentional—it encourages IPv6 adoption and provides better performance (no NAT overhead).

Why IPv6 Usually Wins#

Given a dual-stack client and dual-stack server:

Client has:   192.0.2.100 and 2001:db8::100
Server has:   192.0.2.10 and 2001:db8::10
DNS returns:  A 192.0.2.10, AAAA 2001:db8::10

The selection algorithm:

1. Both addresses have global scope → tie
2. Client has both IPv4 and IPv6 source addresses → tie
3. IPv6 precedence (::ffff:0:0/96 = 35, ::/0 = 40) > IPv4 precedence (::ffff:0:0/96 = 35) → IPv6 wins

Result: Connection uses IPv6 unless IPv6 connectivity is broken.

Policy Table Configuration#

You can modify the default behavior by editing the policy table. This is rarely needed, but useful for specific requirements.

Linux (Glibc):

Edit /etc/gai.conf (address selection policy):

# Prefer IPv4 over IPv6 (not recommended)
precedence ::ffff:0:0/96  100
precedence ::/0            50

This configuration changes the preference order to favor IPv4.

Windows:

# Show current policy table
Get-NetIPv6Protocol | Format-List
 
# Prefer IPv4 (not recommended)
Set-NetIPv6Protocol -PreferredProtocol IPv4
 
# Reset to default (prefer IPv6)
Set-NetIPv6Protocol -PreferredProtocol IPv6

When IPv4 Gets Preferred#

IPv4 gets selected in these scenarios:

1. No IPv6 connectivity - If IPv6 routing is broken, Happy Eyeballs falls back to IPv4
2. 6to4 or Teredo - Tunneled IPv6 has lower precedence than native IPv4
3. Explicit application choice - Application forces IPv4 (bad practice but happens)
4. Modified policy table - Admin manually changed preference order

Most issues labeled "IPv4 preferred" are actually broken IPv6 connectivity triggering fallback.

DNS Considerations#

Dual-stack DNS configuration is critical. Misconfigured DNS causes connection delays, failures, or unexpected protocol selection.

Publishing Both Record Types#

For every dual-stack service, publish both A and AAAA records:

example.com.    300    IN    A        192.0.2.10
example.com.    300    IN    AAAA     2001:db8::10

Don't publish AAAA if IPv6 isn't working. Clients will try IPv6 first, fail, then fall back to IPv4 after a delay. This creates a poor user experience.

Resolution Order#

Modern DNS resolvers query A and AAAA simultaneously or with minimal delay. The resolver returns both types, and the client's OS performs address selection.

Some older or misconfigured resolvers query sequentially (A first, then AAAA). This adds latency but doesn't break functionality.

What Happens When One Protocol Fails#

If IPv6 is reachable but the service doesn't respond on IPv6:

1. Client tries IPv6 connection
2. Connection times out or gets refused
3. Happy Eyeballs tries IPv4 in parallel or after short delay
4. IPv4 connection succeeds

Total delay: typically 50-250ms plus connection timeout (1-3 seconds in worst case). Noticeable but not catastrophic.

The better solution: fix IPv6 connectivity or remove AAAA records until IPv6 works.

TTL Alignment#

Set the same TTL for A and AAAA records. Mismatched TTLs cause inconsistent caching and weird client behavior.

# Good
example.com.    300    IN    A        192.0.2.10
example.com.    300    IN    AAAA     2001:db8::10
 
# Bad - mismatched TTLs
example.com.    300    IN    A        192.0.2.10
example.com.    3600   IN    AAAA     2001:db8::10

If you need to change IP addresses, lower TTL on both records beforehand. Wait for old TTL to expire, then change IPs and restore normal TTL.

Common Issues and Solutions#

Detailed Troubleshooting: Slow Connections#

Most dual-stack complaints involve "slow" connections. This usually means broken IPv6 triggering fallback delays.

Diagnose:

# Test IPv4 only
curl -4 -w "Time: %{time_total}s\n" -o /dev/null -s https://example.com

This forces the connection to use only IPv4.

# Test IPv6 only
curl -6 -w "Time: %{time_total}s\n" -o /dev/null -s https://example.com

This forces the connection to use only IPv6.

# Test default (dual-stack)
curl -w "Time: %{time_total}s\n" -o /dev/null -s https://example.com

If -6 fails or times out, but -4 succeeds, and default shows delays, you have broken IPv6.

Fix options:

1. Fix IPv6 - Preferred solution. Debug routing, firewall rules, or ISP connectivity.
2. Remove AAAA records - Temporary workaround. Service becomes IPv4-only until you fix IPv6.
3. Don't disable IPv6 on servers - This breaks things and hides the real problem.

Monitoring Dual-Stack Networks#

You can't manage what you don't measure. Dual-stack networks require monitoring both protocols independently.

Testing Both Protocols#

Test connectivity separately to identify which protocol fails:

# Ping over IPv4
ping -4 google.com
 
# Ping over IPv6
ping -6 google.com

These commands verify basic connectivity for each protocol.

# Traceroute over IPv4
traceroute -4 google.com
 
# Traceroute over IPv6
traceroute -6 google.com

Traceroute shows the network path for each protocol.

# Curl using specific protocol
curl -4 https://example.com
curl -6 https://example.com

Build these tests into monitoring scripts. Alert when one protocol fails even if the other works.

Metrics to Track#

Monitor these dual-stack specific metrics:

1. Protocol distribution - Percentage of traffic using IPv4 vs IPv6
2. Connection success rate - Per protocol, track failed connections
3. Response time - Compare IPv4 and IPv6 latency
4. BGP prefixes - Ensure both IPv4 and IPv6 routes are advertised
5. DNS query ratio - Track A vs AAAA query rates
6. ICMPv6 error rates - Spikes indicate routing or MTU issues

Trending these metrics over time shows adoption progress and highlights problems before they affect users.

Alerting on Protocol Failures#

Create separate alerts for each protocol:

• IPv4 default gateway unreachable
• IPv6 default gateway unreachable
• AAAA record published but IPv6 service unreachable
• Spike in IPv6 connection timeouts
• Asymmetric routing (traffic sent via IPv6, returned via IPv4)

Don't rely on generic "service down" alerts. You need protocol-specific visibility.

Tools for Testing#

Use these tools to verify dual-stack operation:

• ping6.net tools - Test IPv4 and IPv6 connectivity from different perspectives
• curl with -4/-6 flags - Force protocol selection for HTTP(S) testing
• dig +short A/AAAA - Verify DNS returns both record types
• tcpdump/wireshark - Capture and analyze protocol-specific traffic
• mtr -4 / mtr -6 - Continuous traceroute showing path differences

Our Ping tool and Traceroute tool support forcing IPv4 or IPv6, making dual-stack testing straightforward.

Security Considerations#

Dual-stack expands your attack surface. Both protocols need equivalent security policies.

Firewall Rules for Both Protocols#

The most common dual-stack security mistake: forgetting to configure IPv6 firewall rules. Admins spend years building IPv4 ACLs, then enable IPv6 with no filtering. Attackers love this.

Apply the same security policy to both protocols:

If your IPv4 policy is:

DENY all inbound except:
  - TCP 22 (SSH) from management network
  - TCP 443 (HTTPS) from anywhere
  - ICMP echo-request (ping)

Your IPv6 policy must be:

DENY all inbound except:
  - TCP 22 (SSH) from management network
  - TCP 443 (HTTPS) from anywhere
  - ICMPv6 types 1,2,3,4,128,129 (essential types)
  - ICMPv6 types 133-137 (Neighbor Discovery, local only)

Tools like ip6tables, nftables, or commercial firewalls support dual-stack. Configure both address families.

Common Mistake: Securing IPv4 but Forgetting IPv6#

Organizations enable IPv6 for compliance or testing, then forget it's active. Attackers scan IPv6 ranges looking for unfiltered hosts.

Example scenario:

1. Admin configures restrictive IPv4 firewall, only HTTPS exposed
2. IPv6 gets enabled on router for "future readiness"
3. Server gets IPv6 address via SLAAC
4. No IPv6 firewall rules configured
5. Attacker scans 2001:db8::/64, finds exposed SSH, databases, internal services

Prevention:

• Audit IPv6 firewall rules same as IPv4
• Default deny on both protocols
• Test with IPv6-only scanning tools
• Monitor for unexpected IPv6 connections

Privacy Extensions for Clients#

SLAAC generates addresses using the interface's MAC address (EUI-64 format). This creates a stable, trackable identifier across networks—a privacy problem for mobile clients.

Privacy extensions (RFC 4941) generate random temporary addresses that rotate periodically. Clients use temporary addresses for outbound connections while maintaining a stable address for incoming connections.

Enable privacy extensions:

Linux:

# Check status (2 = prefer temporary addresses)
sysctl net.ipv6.conf.all.use_tempaddr

A value of 2 means privacy extensions are enabled and preferred.

# Enable
sudo sysctl -w net.ipv6.conf.all.use_tempaddr=2
 
# Make permanent
echo "net.ipv6.conf.all.use_tempaddr = 2" | sudo tee -a /etc/sysctl.conf

Windows:

Privacy extensions are enabled by default on Windows 7 and later. Verify:

netsh interface ipv6 show privacy

macOS:

Enabled by default. No configuration needed.

Important: Don't enable privacy extensions on servers. Temporary addresses break DNS, monitoring, and firewall rules. Use them on client devices only.

When to Consider IPv6-Only#

Dual-stack is a transition strategy, not the end goal. Eventually, networks move to IPv6-only, simplifying operations and eliminating IPv4 address scarcity.

Mobile Carriers Already Use IPv6-Only#

Major mobile carriers (T-Mobile USA, Reliance Jio, EE UK) run IPv6-only core networks. They use 464XLAT (NAT64 + CLAT) to provide IPv4 connectivity when needed.

Users don't notice. Their phones have IPv6 addresses, and legacy IPv4-only apps work transparently through translation.

NAT64/DNS64 for IPv4 Access#

IPv6-only networks access IPv4 services using NAT64 and DNS64:

1. Client queries DNS for IPv4-only service
2. DNS64 synthesizes AAAA record using NAT64 prefix: 64:ff9b::192.0.2.10
3. Client sends IPv6 traffic to synthesized address
4. NAT64 gateway translates to IPv4, forwards to service
5. Responses translated back to IPv6

This allows IPv6-only clients to reach the remaining IPv4 Internet without running dual-stack.

When to deploy IPv6-only:

• Mobile networks (already standard)
• New data center builds (avoid IPv4 entirely)
• Greenfield deployments with no legacy requirements
• Organizations with full control over clients and applications

When to keep dual-stack:

• Existing enterprise networks (IPv4 dependencies take years to eliminate)
• Networks with legacy hardware/software
• Environments where you don't control all clients
• Internet-facing services (dual-stack maximizes reachability)

Simplification Benefits#

Running one protocol instead of two reduces:

• Routing table size (one table instead of two)
• Firewall complexity (one policy instead of two)
• IP address management overhead
• Monitoring and alerting complexity

But these benefits only materialize after eliminating IPv4 entirely. Dual-stack is more complex than IPv4-only or IPv6-only, but it's the only practical migration path for most networks.

Related Articles#

• IPv6 Migration Strategies - Choose the right migration approach for your network
• How to Enable IPv6 - Step-by-step configuration for Windows, macOS, Linux, and routers
• IPv6 Troubleshooting - Diagnose and fix dual-stack connectivity issues

Frequently Asked Questions#

# Linux/macOS
netstat -tuln | grep -E '(tcp|udp)'
 
# Windows PowerShell
Get-NetTCPConnection | Select-Object LocalAddress,RemoteAddress
 
# Or use tcpdump to see actual packets
sudo tcpdump -n -i eth0 'ip6 or ip'