BRKSPG-2300 Service Provider IPv6 Deployment


Roberta Maglione, Technical Solutions Architect

Abstract

This session focuses on SP IPv6 deployment techniques that will help network designers and administrators understand IPv6 operation and implementation options for native IPv4 and MPLS core environments. It also sheds light on how to offer IPv4 as a service over an IPv6-only network using technologies like MAP, DS-Lite and 464XLAT. Attendees must have a solid foundation in IPv6 basics (Protocol, Addressing, Routing) and MPLS.

Agenda

• Introduction

• IPv4/IPv6 Transition and Co-existence

• IPv6 in Core and Access Networks

• IPv4 in IPv6 Centric networks

• What’s next?

• Conclusion

Introduction

IPv4 Run out

RIR        Projected Exhaustion Date   Remaining Addresses in RIR Pool (/8s)
APNIC      19-Apr-2011 (actual)        0.6079
RIPE NCC   14-Sep-2012 (actual)        0.9394
LACNIC     10-Jun-2014 (actual)        0.1067
ARIN       24-Sep-2015 (actual)
AFRINIC    11-Jan-2019                 1.6947

No IPv4 addresses = Business Impact

• The Money Machine
  • IPv4 Internet so far
  • Feeds on IP addresses (commodity) for growth

• Internet IP addresses
  • No more IPv4 prefixes left (at IANA)
  • SPs/ISPs would run out of IPv4 prefixes sooner or later
  • IPv4 NAT and/or IPv6 to the rescue…?

No IPv4 addresses = No end to end
No end to end = Poor content experience
Poor content experience = Revenue at risk

CGN: Carrier Grade NAT

Supported on ASR9K, ASR1K, CRS

[Figure: private IPv4 moves into the SP; stateful NAT function inside SP network]

CGN: Not a recommended option!

• Advantages:
  1. Very well known technology
  2. No dependency on CPE router

• Disadvantages:
  1. Port Forwarding
  2. Certain Applications may not work, ALG required
  3. Logging
  4. Network/Routing Design Headache
  5. IPv4 address sharing efficiency and IP reputation

What's the solution? Go IPv6, of course

Go IPv6!

• Facebook News Feeds Load 20-40% Faster Over IPv6
  • “Want to read your Facebook News Feed faster? Ask your Internet Service Provider (ISP) if you can get IPv6!”
  • https://www.youtube.com/watch?v=An7s25FSK0U&feature=youtu.be&t=19m
  • Source: Paul Saab, Facebook

• IPv6 Support For All iOS 9 Apps
  • “Because IPv6 support is so critical to ensuring your applications work across the world for every customer, we are making it an AppStore submission requirement, starting with iOS 9.” Sebastien Marineau, VP of Core OS, Apple
  • http://www.internetsociety.org/deploy360/blog/2015/06/apple-will-require--support-for-all-ios-9-apps/


IPv4/IPv6 transition: the Journey

[Figure: the transition journey between the IPv4 Internet and the IPv6 Internet in five stages: Carrier Grade NAT, IPv6 Rapid Deployment (6rd, L2TP), Native Dual Stack, IPv6-Only Access Network (MAP, 464xlat), IPv6-Only Subscriber (6↔4 NAT); phases: Preserve, Prepare, Prosper]

For more info see: http://www.cisco.com/go/cgv6

Let’s start from the Core network

• Many ways to deliver IPv6 services to end users
  • Most important is end-to-end IPv6 traffic forwarding
• Many service providers have already deployed MPLS in their IPv4 core/backbone for various reasons

• MPLS can be used to facilitate IPv6 introduction in the core:
  • IPv6 Provider Edge Router (6PE) over MPLS
  • IPv6 VPN Provider Edge (6VPE) over MPLS

IPv6 over MPLS (6PE) - RFC 4798

[Figure: 6PE routers (dual stack IPv4-IPv6 routers) around an IPv4 MPLS core of P routers, with iBGP (MBGP) sessions between the 6PEs; attached CEs serve IPv6 sites (2001:DB8::, 2003:1::, 2001:CAFE::, 2001:F00D::) and IPv4 sites (145.95.0.0, 192.76.10.0, 192.254.10.0)]

• IPv6 global connectivity over an IPv4-MPLS core
• Transitioning mechanism for providing unicast IP
• PEs are updated to support dual stack/6PE
• IPv6 reachability exchanged among 6PEs via iBGP (MBGP)
• IPv6 packets transported from 6PE to 6PE inside MPLS

6PE Forwarding

IPv6 Forwarding and Label Imposition:
• 6PE-1 receives an IPv6 packet
• Lookup is done on IPv6 prefix
• Result is:
  • Label bound by MP-BGP to 2001:F00D::
  • Label1 bound by LDP/IGPv4 to the IPv4 address of BGP next hop (6PE-2)

[Figure: 6PE-1 (site 2001:DB8::) forwards an IPv6 packet to 2001:F00D::1 through P1 and P2 to 6PE-2 (site 2001:F00D::); the packet carries Label1 (LDP/v4, to 6PE-2) on top of the MP-BGP label, followed by the IPv6 packet]

6VPE over MPLS - RFC 4659

[Figure: 6VPE routers around an MPLS core with iBGP (MBGP) sessions between them, carrying MPLS VPNs: VPN BLUE sites are v4 and v6 VPN, VPN YELLOW sites are v6 only]

• 6VPE ~ IPv6 + BGP-MPLS + IPv4VPN + 6PE
• Cisco 6VPE (RFC4659)
• VPNv6 address:
  • Address including the 64 bits route distinguisher and the
• MP-BGP VPNv6 address-family:
  • AFI “IPv6” (2), SAFI “VPN” (128)
• VPN IPv6 MP_REACH_NLRI
  • With VPNv6 next-hop (192bits) and NLRI in the form of
• Encoding of the BGP next-hop

Let’s move to the Access Network

[Figure: the transition journey diagram from the earlier slide, repeated]

6 Rapid Deployment (6rd): IPv6 over IPv4

Supported on ASR9K, ASR1K, CRS

[Figure: IPv6 moves out to subscribers; IPv6-over-IPv4 tunnels run from the native dual-stack home to the Border Relay (BR), a stateless tunneling function (on routers) inside the SP network]

IPv6 Rapid Deployment (6rd) Overview

• 6rd is a tunnelling method specified in RFC 5969
  • Superset of tunnelling [RFC3056]
  • 6rd utilises an SP's own IPv6 address prefix - avoids well-known prefix (2002::/16)

• Method of incrementally deploying IPv6 to end sites in an SP network
  • SP access and aggregation infrastructure remains IPv4
  • End site is provided a dual stack service
  • Access/Aggregation between SP and end sites looks like multipoint network

• End sites share a common IPv6 prefix allocated by SP

• 6rd primarily supports IPv6 deployment to:
  • a customer site (residential gateway)
  • an individual IPv6 host acting as a CE

6rd + CGN: IPv6 over IPv4

Supported on ASR9K, ASR1K, CRS

[Figure: IPv6 moves out to subscribers over IPv6-over-IPv4 tunnels while private IPv4 moves into the SP*; stateless tunneling function (on routers) and stateful NAT function (on routers) inside SP network*]

* Assuming RFC1918 usage

IPv6 over PPPoE

Broadband Forum TR-187: IPv6 for PPP Broadband Access

[Figure: Customer 1 and Customer 2 (IPv4 and IPv6) connect through an IPv4-only Access and Aggregation network to the BNG at the Edge and the IP/MPLS Core (IPv4 and IPv6); IPv6 is carried over PPP, with DHCPv6-PD towards the customer]

• Native Dual-Stack IPv4/IPv6 service on RG LAN side
• NO changes in existing Access/Aggregation Infrastructure
• IPCPv6 used for Link-Local address
• DHCPv6-PD is used to delegate a prefix for the Home Network

IPCP: IP Control Protocol; NCP: Network Control Protocol; RG: Residential Gateway

IPv6 over Ethernet (IPv6oE)

Broadband Forum TR-177: IPv6 in the Context of TR-101

[Figure: Customer 1 and Customer 2 behind an Access Node and a BNG, with DHCPv6-PD, shown once for 1:1 VLANs and once for N:1 VLANs]

1:1 VLANs
• No change to Access Node
• Line-identifier used for 1:1 VLAN mapping = (S-TAG, C-TAG)

N:1 VLANs
• It requires changes to Access Node: Lightweight DHCPv6 Relay Agent, RA snooping, etc.

DHCPv6-PD is used in both cases to delegate an IPv6 prefix to the home network

The transition to IPv6 in Cable Networks (BRKSPG-2061)

[Figure: three cable access models attached to the CMTS: Access model 1: CPE1 behind CM1 (bridge); Access model 2: CPE2 behind a CE router and CM2 (bridge); Access model 3: CPE3 behind a CM router; DHCP, TFTP, DNS and SNMP servers sit in the MSO Intranet, which connects to the Internet]

DOCSIS 3.0 specifies IPv6 reference architecture

Let’s continue the journey towards an IPv6 only network

[Figure: the transition journey diagram from the earlier slide, repeated]

IP address sharing: Stateless vs Stateful

• Providing an IPv4 service is still expected, but…
  • Find spare IPv4
  • Use IPv4 address sharing
  • Without drastically changing the economics of your IP network, while working alongside IPv6.
• The choices for such address sharing solutions:
  • Stateful – dynamic state
  • Stateless – no dynamic state

Choice of IP address sharing solution = Business Impact

What is stateless? (in the context of this presentation)

• Stateless = No dynamic state created/induced by traffic

• Stateless does NOT mean configuration-less

• Some examples of Stateless/Stateful

Stateless                       Stateful
IP Router & IP Forwarding       Firewall, NAPT44, SBC
MAP and 6rd Border Relay        DS-Lite AFTR, Xlat464 PLAT

• Stateless characteristic provides for better scaling, performance and flexibility in network design and equipment

Characteristics of Stateful forwarding

• Processing Scale
  • Need to maintain TCP State Machine + Timers + Dynamic IP for Millions of sessions
• Performance
  • Need to inspect and act on TCP, DHCP, FTP at XGigabit speed
• Redundancy
  • Redundant system requires state synchronization across all nodes.
  • Or elaborate routing/load balancing setups

[Figure: “Got a packet for X. Who do I send it to?” CGN1: “Me: I have the dynamic state”. CGN2: “Not me: I don’t have the state”]

Characteristics of Stateless forwarding

• Processing Scale – No dynamic state.
  • Stateless systems scale out not up
• Performance – No protocols to inspect at wire rate
  • Eg: No Tracking TCP, DHCP
• Redundancy – No state to synchronize between devices
  • No elaborate routing/load balancing setups required

[Figure: “I’m just forwarding IP packets with a fixed transformation”; “I’m forwarding IP without tracking protocol state”. “Got a packet for X. Who do I send it to?” First node: “Me: I have no state”. Second node: “Me too: I have no state”]

Stateless vs. Stateful – Operational benefits

• “Stateless” is deemed better for a lot of operational reasons
  • better scaling, better performance, flexible network design and better cost-effectiveness

• Stateless avoids logging, CGN blades/appliances
  • Besides issues of RFC6269

• Stateless allows direct user-user e.g. optimal traffic forwarding, as/if needed

DS-Lite: IPv4 over IPv6 Access (RFC 6333)

Supported on ASR9K, ASR1K, CRS

[Figure: subscribers with private IPv4 behind B4 elements reach the AFTR through IPv4-over-IPv6 tunnels across the provider's IPv6-only network; the AFTR is a stateful NAT function (on routers) inside the SP network, in front of the Internet]

AFTR: Address Family Transition Router; B4: Basic Bridging BroadBand

DS-Lite

• Advantages:
  • Leverages IPv6 in the network

• Disadvantages:
  • All disadvantages of CGN also apply
  • It’s a Stateful Technology
  • Dependency on CPE router
  • NAT disabled on CPE router
  • DPI function may break
  • QoS function may break

Lightweight 4 over 6 – RFC 7596

Stateful: Dynamic per subscriber IPv4 + port route + subscriber IPv6 address

[Figure: subscribers with private IPv4 reach the AFTR across the provider's IPv6-only network, in front of the Internet]

Lightweight 4 over 6

• Advantages:
  • Leverages IPv6 in the network
  • NAT is back on the CPE
  • No need for Logging

• Disadvantages:
  • It’s per-subscriber Stateful
  • Dependency on CPE router
  • DPI function may break
  • QoS function may break

MAP (Mapping of Address and Port)

Supported on ASR9K, ASR1K, CRS

• Allows sharing of IPv4 address across an IPv6 network
• Each shared IPv4 end-point gets a unique TCP/UDP port-range via “rules”
• All or part of IPv4 address can be derived from IPv6 prefix (allows for route summarization)
• Need to allocate fixed bulk of UDP/TCP ports to each user

• Stateless Border Relays (BR) in SP network
• Can be implemented in hardware (superior performance)
• Can use , can have asymmetric routing
• No single point of failure, no need for high availability hardware

MAP Common Architecture

Supported on ASR9K, ASR1K, CRS

• MAP has two deployment modes:
  • Encapsulation Mode (MAP-E)
  • Translation Mode (MAP-T)

[Figure: CE and BR, shown once per mode]

MAP-E : Stateless 464 Encapsulation

[Figure: IPv4-over-IPv6 tunneling to the Border Relay (BR), a stateless tunneling function (on routers); no CGN]

MAP-T : Stateless 464 Translation

[Figure: native IPv6 to the Border Relay (BR), a stateless 64 translation function (on routers); no CGN]

MAP

• Advantages:
  • Leverages IPv6 in the network
  • It’s a Stateless Technology
  • No CGN inside SP network
  • No need for Logging
  • No need for ALGs
• Disadvantages:
  • Dependency on CPE router

MAP @IETF and @BBF

• MAP-E (MAP-Encapsulation), RFC 7597
  - Defines Stateless IPv4 in IPv6 Encapsulation based transport using MAP algorithm
  - Based on IPinIP, 6rd
• MAP-T (MAP-Translation), RFC 7599
  - Defines Stateless NAT64 based transport using MAP algorithm
  - Based on NAT64 divi
• Deployment choice: MAP-T or MAP-E
• MAP DHCP (MAP DHCPv6), common RFC: RFC 7598
  - Defines DHCPv6 Option for configuring MAP CE

• TR-242i2 “IPv6 Transition Mechanisms for Broadband Networks”
• TR-069 extensions are for MAP CE functions

MAP: Easy 1-2-3

① IPv6 to IPv4+Port Mapping

② Stateless Border Relay

③ Packet Flow and Forwarding

1 - MAP: IPv6 → IPv4 + Port Mapping

IPv6 Delegated Prefix (e.g., /56):
• Mapping Domain Prefix: 2001:0DB8:00 /42, size = 42 bits (provisioned), bits 0 to 42
• “EA Bits”: 56 - 42 = 14 bits (01010101 111000), bits 42 to /56
• Subnet-ID up to bit 64, followed by the Interface ID (64 bits, fixed)

IPv4 Address:
• IPv4 Prefix: 130.67.1 /24, 24 bits (e.g. provisioned on CE), bits 0 to 24; 2^8 = 256 IPv4 addresses
• IPv4 Suffix: 32 - 24 = 8 bits (01010101), bits 24 to 32
• IPv4 Address = IPv4 Prefix + IPv4 Suffix: 130.67.1.85/32

Port (16 bits):
• Bits 0 to 6: > 0, 6 bits (fixed)
• Bits 6 to 12: Port Set ID 111000, 14 - 8 = 6 bits; 2^6 = 64 port sets per IPv4 Address
• Bits 12 to 16: XXXX, 10 - 6 = 4 bits

2^(6+8) ≈ 16,384 subscribers

Ports 0-1023 skipped, each CPE gets 2^16/2^6 - 2^4 = 1008 ports per subscriber

MAP Addressing Calculators

• http://6lab.cisco.com/map/MAP.php
• https://itunes.apple.com/gb/app/cisco-map-calculator/id561121079?mt=8
• https://play.google.com/store/apps/details?id=map.calculator

1- MAP: IPv6 → IPv4 + Port Mapping (For Your Reference)

[Figure: the IPv6 Delegated Prefix (e.g. /56) is the Rule IPv6 Prefix followed by the EA bits; EA bits = IPv4 Suffix + PSID; the IPv4 address is the Rule IPv4 Prefix plus the IPv4 Suffix; the port is a, PSID, m; sharing ratio 2^6]

• Rule IPv6 Prefix: IPv6 prefix assigned for a mapping rule
• Rule IPv4 prefix: IPv4 prefix assigned for a mapping rule
• Embedded Address (EA) bits: IPv4 prefix/address and a port-set identifier embedded in the IPv6 Prefix (IPv4 Suffix+PSID)
• Sharing ratio: number of users that share the same IPv4 address
• Port-set ID (PSID): algorithmically identifies a set of ports
• PSID offset (a): bits of offset for PSID in order to exclude well-known ports
• m: remaining bits of the port representation, used by the MAP algorithm
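
The mapping above carried through in code, together with the reverse lookup a BR or an abuse desk performs (public IPv4 address + source port back to the subscriber's delegated prefix), which is what lets MAP do without per-flow NAT logs. This is an added example, not Cisco's or the presenter's code: the names MapRule, ce_from_prefix, port_ranges and subscriber_for are made up here, and it assumes the shared-address case, a PSID offset a > 0, and the slide's /42 rule prefix written out as 2001:db8::/42.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MapRule:
    """One MAP mapping rule, as provisioned on every CE and BR of the domain."""
    rule_v6: ipaddress.IPv6Network  # Rule IPv6 prefix
    rule_v4: ipaddress.IPv4Network  # Rule IPv4 prefix
    ea_len: int                     # number of EA bits (IPv4 suffix + PSID)
    psid_offset: int = 6            # "a": leading port bits

    def __post_init__(self):
        if self.psid_offset < 1 or self.psid_len < 0 or self.m_len < 0:
            raise ValueError("example covers shared addresses with a > 0 only")

    @property
    def suffix_len(self):           # IPv4 suffix bits carried in the EA bits
        return 32 - self.rule_v4.prefixlen

    @property
    def psid_len(self):             # PSID bits; 2**psid_len is the sharing ratio
        return self.ea_len - self.suffix_len

    @property
    def m_len(self):                # "m": contiguous-port bits below the PSID
        return 16 - self.psid_offset - self.psid_len

    @property
    def pd_len(self):               # length of the delegated (end-user) prefix
        return self.rule_v6.prefixlen + self.ea_len


def ce_from_prefix(rule, delegated):
    """CE side: delegated IPv6 prefix -> (shared IPv4 address, PSID)."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen != rule.pd_len or not pd.subnet_of(rule.rule_v6):
        raise ValueError(f"{pd} is not an end-user prefix of this rule")
    ea = (int(pd.network_address) >> (128 - rule.pd_len)) & ((1 << rule.ea_len) - 1)
    suffix, psid = ea >> rule.psid_len, ea & ((1 << rule.psid_len) - 1)
    return ipaddress.IPv4Address(int(rule.rule_v4.network_address) | suffix), psid


def port_ranges(rule, psid):
    """All (first, last) port ranges of one PSID. A = 0 is skipped, which is
    what keeps ports 0-1023 out of every port set when a = 6."""
    width = 1 << rule.m_len
    out = []
    for a in range(1, 1 << rule.psid_offset):
        first = (a << (16 - rule.psid_offset)) | (psid << rule.m_len)
        out.append((first, first + width - 1))
    return out


def subscriber_for(rule, v4, port):
    """BR / abuse-desk side: public IPv4 + source port -> delegated prefix.
    Returns None when the pair cannot belong to any CE of this rule."""
    addr = ipaddress.IPv4Address(v4)
    if addr not in rule.rule_v4 or not 0 < port <= 0xFFFF:
        return None
    if port >> (16 - rule.psid_offset) == 0:
        return None                 # A = 0: port is in no subscriber's set
    psid = (port >> rule.m_len) & ((1 << rule.psid_len) - 1)
    suffix = int(addr) & ((1 << rule.suffix_len) - 1)
    ea = (suffix << rule.psid_len) | psid
    base = int(rule.rule_v6.network_address) | (ea << (128 - rule.pd_len))
    return ipaddress.IPv6Network((base, rule.pd_len))


# Rule from the slide; writing the /42 as 2001:db8::/42 is an assumption.
SLIDE_RULE = MapRule(ipaddress.IPv6Network("2001:db8::/42"),
                     ipaddress.IPv4Network("130.67.1.0/24"), ea_len=14)

if __name__ == "__main__":
    v4, psid = ce_from_prefix(SLIDE_RULE, "2001:db8:15:7800::/56")
    ranges = port_ranges(SLIDE_RULE, psid)
    print(v4, psid, ranges[0], ranges[-1], sum(l - f + 1 for f, l in ranges))
    print(subscriber_for(SLIDE_RULE, "130.67.1.85", 1925))
```

The delegated prefix 2001:db8:15:7800::/56 is the slide's EA bits (01010101 111000) placed after the /42; any other rule can be checked the same way before it is provisioned on CEs and BRs.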

2- Stateless Border Relays

• Handle traffic to/from a given MAP domain
• Reachable via anycast prefix, “built-in” load-balancing
• Configured with MAP rules
• Define how IPv4+port are mapped to/from IPv6
• Can be processed inline with normal IP traffic

3- Packet Flow and Forwarding

[Figure: MAP CE (IPv4 + IPv6) and MAP BR joined by the native IPv6 infrastructure; ingress and egress IPv4 traffic on each side]

• IPv4 follows IPv6 routing within a domain (traffic destined to another subscriber does not traverse the BR)
• Forwarding is handled either by double translation (MAP-T) or encapsulation (MAP-E)

3- Packet Flow and Forwarding: MAP-T

[Figure: IPv4-Private + IPv6 customer behind a CE doing NAT44 and NAT46, the IPv6 network, and the MAP BR doing NAT64 towards IPv4-Public]

• Customer IPv6 prefix = 2001:beef:[1.1.1.1.f], index f = port range 5000-5999
• MAP BR Prefix = 2002:beef:/64

Step          Packet     Source                  Destination           Src port  Dst port
From host     IPv4 TCP   192.168.0.1             8.8.8.8               1444      80
After NAT44   IPv4 TCP   1.1.1.1                 8.8.8.8               5000      80
After NAT46   IPv6 TCP   2001:beef:<1.1.1.1.f>   2002:beef:<8.8.8.8>   5000      80
After NAT64   IPv4 TCP   1.1.1.1                 8.8.8.8               5000      80

3- Packet Flow and Forwarding: MAP-E

[Figure: IPv4-Private + IPv6 customer behind a CE doing NAT44 and IPv4-in-IPv6 encapsulation, the IPv6 network, and the MAP BR doing de-encapsulation towards IPv4-Public]

• Customer IPv6 prefix = 2001:beef:[1.1.1.1.f], index f = port range 5000-5999
• MAP BR Address = 2002:beef::1/64

Step                    Packet                 Source                  Destination    Src port  Dst port
From host               IPv4 TCP               192.168.0.1             8.8.8.8        1444      80
After NAT44             IPv4 TCP               1.1.1.1                 8.8.8.8        5000      80
After encapsulation     IPv6 (outer)           2001:beef:<1.1.1.1.f>   2002:beef::1
                        IPv4 TCP (inner)       1.1.1.1                 8.8.8.8        5000      80
After de-encapsulation  IPv4 TCP               1.1.1.1                 8.8.8.8        5000      80

MAP Control Plane – Configuration Parameters

• CE and PE must have the following parameters per MAP “domain” (unique per MAP Domain):
  • Rule IPv6 Prefix
  • Rule IPv4 Prefix
  • Sharing Ratio
  • Number of Contiguous Ports
  • Mode (Translation or Encapsulation)
  • BR Prefix or BR Address

• These parameters are encoded in “MAP Domain Rules”

MAP Control Plane

• CEs need to dynamically learn MAP parameters after/while obtaining their IPv6 prefix (PD)
  • Two Options:
    1. DHCPv6 : RFC 7598
    2. TR-069 : Broadband Forum

• BRs need to be provisioned with MAP-domain(s) and relevant parameters
  • Cisco CLI
  • Netconf/Restconf + Yang*

*Roadmap item

MAP Control Plane – DHCPv6 CE Provisioning

Supported on CNR

[Figure: IPv4 Host, CPE, DHCPv6 Server and BR across the IPv6 network, with IPv4-Public behind the BR; IPv4 traffic and IPv6 traffic are marked]

1. Host acquires regular private IPv4 address
2. CPE acquires DHCP parameters incl PD and MAP (RFC 7598):
   • DHCP Solicit or Info-Req with MAP ORO
   • DHCP Advertise or Info Resps with MAP Option
   • MAP Option: conveys Mapping Rule (IPv4 prefix) and BR address/prefix
3. MAP CE: configures NAT44 and IPv6 MAP interface as per received MAP Rules

MAP Control Plane – TR 69 CE Provisioning (For Your Reference)

• A custom data-model (parameters and objects) is defined to convey MAP provisioning information to CPE
• After bootup, CPE Router communicates with ACS to get MAP provisioning information
  • Includes its IPv6 prefix in the message
• ACS fetches the MAP provisioning information using CPE Router’s IPv6 prefix as a key
  • ACS is aware of CPE router’s IPv6 prefix
• ACS is configured with MAP provisioning information
  • MAP-domains etc.

[Figure: message sequence between IP-STB, CPE Router (MAP CE), IPv6 PE (BNG, PGW), DHCPv6 Relay, DHCP Server and TR069 Server (ACS): IPv6 RA w/O,M; DHCPv6 SOLICIT (& REQUEST) for IA_NA and IA_PD; DHCPv6 ADVERTISE (& REPLY); CPE Router got IPv6 Address and IPv6 Prefix; SSL/TLS Connection, HTTP/SOAP TR069, Close: CPE router gets MAP info from ACS (CPE Pull); SSL/TLS Connection, HTTP/SOAP TR069, Close: ACS pushes new MAP config (ACS Push); STB has nothing to do with MAP]

Case Study: Fixed/Mobile ISP

CSR - Cell Site Router; SR – Service Router; BR – Backbone Router; BNG – Broadband Network Gateway

[Figure: fixed/mobile ISP topology: residential and business CPE/CE on PON OLTs, WiFi APs and CSRs on access rings; U-PEs in Pre-Aggregation (IP/MPLS); PE and BNG in Aggregation (IP/MPLS); BRs and IBRs in the Core (IP/MPLS) towards Internet Peering Points; mobile packet core (EPC: MME, S/PGW), WLC, ISG and backend (AAA, Portal, Policy, Quota). ~4 CSRs per Access Ring; ~4 Access Rings per U-PE pair; ~2 U-PE pairs per Pre-Agg; ~10 Pre-Agg rings per PE/BNG pair]

Fixed/Mobile ISP - MAP Domain per BNG

[Figure: City A: BNG1, BNG2, BNG3 and PGW1 serve CPEs over OLTs and eNBs, each with its own MAP-domain (MAP-domain-1, MAP-domain-3, MAP-domain-4) towards the BR and IBRs]

MAP-domain # 1
- planned to serve 65K CPEs with 1K IPv4 addresses = sharing ratio 64
- 1024 ports per user

IPv4 Prefix for the BNG = /22
IPv6 Prefix for the BNG = /40 (with a per CPE DHCP-PD = /56)

Expansion Plan allows two such MAP-domains per BNG/PE. 128K CPEs using 2K IPv4 addresses

Let’s continue the journey towards an IPv6 only network

[Figure: the transition journey diagram from the earlier slide, repeated]

NAT64 Introduction

[Figure: IPv6-only clients in an IPv6 only network, served by a DNS64, reach the dual-stack network and Internet through a protocol translator (NAT64) between IPv6 and IPv4]

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-676278.html

NAT64

Supported on ASR9K, ASR1K, CRS

[Figure: IPv6-only devices reach IPv4-only devices through a stateless or stateful NAT64 function (on routers)]

NAT64 – Stateful vs. Stateless

Stateful                        Stateless
• 1:N translation               • 1:1 translation
• “NAPT”                        • “NAT”
• TCP, UDP, ICMP                • Any protocol
• Shares IPv4 addresses         • No IPv4 address savings

NAT64 Stateless – RFC6145

[Figure: IPv6 endpoint 2001:db8:<203.0.113.1> (host with an “IPv4 Translatable” IPv6 address), stateless NAT64 (LSN64), IPv4 endpoint 92.0.2.1; 2001:DB8:ABCD:: is announced in IPv6 routing, the IPv4 address pool (203.0/24) is announced on the IPv4 side]

            IPv6 Header                  IPv4 Header
Src Addr    2001:db8:<203.0.113.1>       203.0.113.1
Dest Addr   2001:DB8:ABCD:<92.0.2.1>     92.0.2.1

• NAT keeps no binding state

• IPv6 <-> IPv4 mapping computed algorithmically

• Application dependent ALGs might be required

NAT64 Stateful – RFC 6146

[Figure: IPv6 endpoint 2001:db8:abcd:2::1 (any IPv6 address), stateful NAT64 (LSN64), IPv4 endpoint 92.0.2.1; 2001:DB8:ABCD:: is announced in the IPv6 IGP, the IPv4 address pool (203.0/24) is announced on the IPv4 side]

            IPv6 Header                  IPv4 Header
Src Addr    2001:db8:abcd:2::1           203.0.113.1
Dest Addr   2001:DB8:ABCD:<92.0.2.1>     92.0.2.1

• NAT keeps binding state between inner IPv6 address and outer IPv4+port

• Application dependent/ALGs may be required

Network Address Translation 64 (NAT64), Domain Name System 64 (DNS64)

[Figure: an IPv6-only host sends an AAAA? query to the DNS64 (DNS64 prefix 2001:db8:cafe::/96); the DNS64 asks the Internet AAAA? and gets an empty answer, then asks A? and gets 192.0.2.1; it answers the host with 2001:db8:cafe::c000:0201]

Domain Name System 64 (DNS64) – RFC 6147

• Tricks the IPv6 hosts into thinking that the IPv4 destination is an IPv6 address, by synthesizing AAAA resource records from A resource records

DNS64: Synthesizing AAAA Resource Record

• example.com “A” Resource Record (IPv4 Addr): 192.0.2.1
• Stateful NAT64 Prefix (Pref64::/96): 2001:db8:cafe::/96
• DNS64 Synthesized “AAAA” Resource Record: 2001:db8:cafe::/96 + 192.0.2.1 = 2001:db8:cafe::c000:0201

Note: 192.0.2.1 is represented as c0000201 in hexadecimal format
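
The synthesis above as code, generalised from the /96 case on the slide to every prefix length RFC 6052 allows, with the two checks an operator wants before trusting a synthesized record: pass a real AAAA through unchanged, and never place RFC 1918 space behind the well-known prefix. This is an added example, not part of the original deck; the function names are made up here, and the non-global check is limited to the RFC 1918 ranges as a simplification.

```python
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")          # well-known prefix (RFC 6052)
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def embed(prefix, v4):
    """IPv4-converted IPv6 address for any RFC 6052 prefix length."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 allows /32, /40, /48, /56, /64 and /96 only")
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(v4).packed:
        if pos == 8:            # bits 64-71 (the "u" octet) must stay zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract(prefix, v6):
    """Inverse of embed(); None when v6 is outside the translation prefix."""
    net, addr = ipaddress.IPv6Network(prefix), ipaddress.IPv6Address(v6)
    if addr not in net:
        return None
    raw, pos, out = addr.packed, net.prefixlen // 8, bytearray()
    while len(out) < 4:
        if pos == 8:            # skip the "u" octet on the way back as well
            pos += 1
        out.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(out))


def synthesize_aaaa(prefix, a_records, aaaa_records):
    """DNS64 answer to an AAAA query, given the records the name really has."""
    if aaaa_records:            # a real AAAA exists: pass it through untouched
        return [str(ipaddress.IPv6Address(r)) for r in aaaa_records]
    net = ipaddress.IPv6Network(prefix)
    answers = []
    for a in a_records:
        v4 = ipaddress.IPv4Address(a)
        # RFC 6052: the WKP must not represent non-global IPv4 addresses.
        # Only the RFC 1918 ranges are checked here (simplification).
        if net == WKP and any(v4 in n for n in RFC1918):
            continue
        answers.append(str(embed(prefix, a)))
    return answers


if __name__ == "__main__":
    # The slide's example: A record 192.0.2.1 behind Pref64 2001:db8:cafe::/96.
    print(synthesize_aaaa("2001:db8:cafe::/96", ["192.0.2.1"], []))
    print(extract("2001:db8:cafe::/96", "2001:db8:cafe::c000:201"))
```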

Network Address Translation 64 (NAT64): NAT64 Packet Flow (For Your Reference)

[Figure: host 2001:db8:cafe:3::2/64 in the IPv6-only network 2001:db8:cafe::/48, the NAT64 in the middle, and the IPv4 server farm Example.com in the IPv4-only network 192.0.2.0/24; steps 1 to 6]

Direction       Header        Src Addr                     Dest Addr
Host → server   IPv6 Header   2001:db8:cafe:3::2           Pref64::/96 + IPv4 Addr
                IPv4 Header   203.0.113.1                  IPv4 Address
Server → host   IPv4 Header   IPv4 Address                 203.0.113.1
                IPv6 Header   Pref64::/96 + IPv4 Addr      2001:db8:cafe:3::2

NAT64 Translations:
tcp 192.0.2.1:80      [2001:db8:cafe::c000:0201]:80
    203.0.113.1:1024  [2001:db8:cafe:3::2]:9187

DNS64 – Watch out

• Works for applications that do DNS queries
  • http://www.example.com
  • IMAP, connecting to XMPP servers, etc.
• Works with DNSSEC

• Doesn’t work for applications that don’t do DNS queries or use IP address literals
  • http://1.2.3.4
  • SIP, RTSP, H.323, XMPP peer to peer, etc.
• Doesn’t work well if Application-level proxy for IP address literals (HTTP proxy) is used

• Learn NAT64’s prefix, draft-ietf-behave- -discovery-heuristic

• NAT46/BIH (Bump In the Host), RFC6535

• 464XLAT (RFC6877)

464XLAT and the 15%

• 15% of free applications break with IPv6 native or break with NAT64

• 464 translation helps many of the “15%”
  • “464” = Handset does IPv4 to IPv6 translation (NAT46), network does NAT64
  • http://tools.ietf.org/html/rfc6877

Same architecture & compatible with MAP-T

464XLAT = Stateless + Stateful Translation (RFC6877)

• CLAT: is Customer-side translator (XLAT). It algorithmically translates 1:1 private IPv4 addresses to global IPv6 addresses, and vice versa
• PLAT: is Provider-side translator (XLAT). It translates N:1 global IPv6 addresses to global IPv4 addresses, and vice versa

[Figure: in the subscriber network, IPv4-only apps pass through NAT46 (CLAT) onto the IPv6-only SP network; IPv6 traffic goes to the IPv6 Internet, and the NAT64 (PLAT), which keeps a table of IPs and ports, connects to the IPv4 Internet and IPv4-only content providers]

Solution Approaches – Comparison

Disclaimer: Cisco supports almost all of the options: CGN44, 6rd BR, DS-Lite AFTR, MAP BR etc.

#  Solution           IPv6 Forwarding  IPv4 Forwarding  ISP Gateway (Stateless)  Home NAT (Stateful)  Home Networks
1  Dual-Stack E2E     Native           Native           Yes*                     Yes                  Dual-stack
2  6rd (v6 over v4)   Tunneled         Native           Yes                      Yes                  Dual-stack
3  NAT64              Native           Translated       No                       -NA-                 Single-stack
4  DS-Lite            Native           Tunneled         No                       No                   Dual-stack
5  MAP-T              Native           Translated       Yes                      Yes                  Dual-stack
6  MAP-E              Native           Tunnel           Yes                      Yes                  Dual-stack
7  LW 4o6             Native           Tunnel           No                       Yes                  Dual-stack
8  CGN44/4            -NA-             Translated       No                       Yes                  Single-stack

* But No if ISP faces IPv4 run-out and adds CGN

What’s next?

IPv6 Segment Routing (BRKRST-3123)

• Stack of 128-bit Segment IDs within the IPv6 Extension Header

[Figure: Network, Service, Data]

• draft-ietf-spring-ipv6-use-cases
• draft-ietf-6man-segment-routing-header

IPv6-Centric In-band OAM (BRKRST-2606)

A trip-recorder for your traffic at line rate performance

[Figure: IPv6 packet flow through an iOAM6 domain: add iOAM6 header on entry, update iOAM6 header in transit, remove iOAM6 header on exit, optionally export IPFIX; the iOAM6 Extension Header sits between the IPv6 header and the payload and carries Header, Proof of work data, Tracing Data and Edge to Edge data]

Conclusion

Cisco IPv6 Proven SP deployments

• IPv6 transition is global - Cisco understands the global picture
• Leads REAL deployment (both fixed and mobile)
• Stateless transition technologies the only way to really scale to production level:
  • 6rd was a big success
  • MAP is a similar stateless strategy
• Segment Routing IPv6 is the future for IPv6 network
• Fully fledged, end to end IPv6 solution and transition technologies
• The only vendor with a real IPv6 centric vision

Learning more about IPv6

BRKRST-2616  Addressing Networking challenges with latest Innovations in IPv6  Tue 16 11:15:00
COCIP6-1013  IPv4 Address Exhaustion and IPv6 Progress across Cisco IT  Tue 16 11:15:00
BRKRST-2116  Intermediate - IPv6 from Intro to Intermediate  Tue 16 14:15:00
DevNet-1275  Developing Better Applications with IPv6  Tue 16 16:30:00
BRKRST-2022  IPv6 Routing Protocols Update  Tue 16 16:45:00
BRKSPG-2603  Intermediate - How to Securely Operate an IPv6 Network  Tue 16 16:45:00
LABIPM-2007  Intermediate - IPv6 Hands on Lab  Wed 17 09:00:00
CCSIP6-2006  BMW: Enterprise IPv6 adoption  Wed 17 11:30:00
LABSPG-7122  Advanced IPv6 Routing and services lab  Wed 17 14:00:00
BRKIP6-2100  IPv6-centric application development  Wed 17 14:30:00
BRKRST-2667  How to write an IPv6 Addressing Plan  Wed 17 14:30:00
BRKSPG-2300  Service Provider IPv6 Deployment  Wed 17 16:30:00
PNLCRS-2307  Don't Be Left Behind: Consumer Internet Traffic is Shifting to IPv6, Will your Organization Follow?  Wed 17 16:30:00
BRKRST-2312  Intermediate - IPv6 Planning, Deployment and Operation Considerations  Thu 18 09:00:00
BRKSPG-2061  IPv6 Deployment Best Practices for the Cable Access Network  Thu 18 09:00:00
BRKCOL-2020  IPv6 in Enterprise Unified Communications Networks  Thu 18 11:30:00
BRKSEC-3003  Advanced IPv6 Security in the LAN  Thu 18 11:30:00
BRKRST-3123  Segment Routing for IPv6 Networks  Thu 18 14:30:00
BRKSEC-3200  Advanced IPv6 Security Threats and Mitigation  Thu 18 14:30:00
BRKRST-2301  Intermediate - Enterprise IPv6 Deployment  Fri 19 09:00:00

Walk-in Self-Paced Lab: LABCRS-1000 Intro IPv6 Addressing and Routing Lab

Experiment with IPv6-only WiFi:
• SSID: CL-NAT64
• WPA passphrase: cl-nat64
• SLAAC + stateless DHCP
• NAT64 included to access legacy


More information / References (For Your Reference)

• http://www.cisco.com/go/ipv6
• http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-558744-00.html
• http://6lab.cisco.com
• http://www.segment-routing.net/
• http://labs.apnic.net/ipv4/report.html
• http://www.cisco.com/c/dam/en/us/solutions/collateral/ios-nx-os-software/enterprise-ipv6-solution/idc_ipv6_economics.pdf
• https://www.google.com/intl/en/ipv6/statistics.html
• https://ipv6.he.net/statistics/
• http://www.ripe.net/ripe/docs/current-ripe-documents/ripe-554

IPv6: The for the Internet of Everything

• Finish the race: “The Human IPv6 Internet”
• Redefine end-to-end: IPv6-Centric Networking
• Connect the unconnected: Internet of 50B+ Things

People + Processes + Data + Things

MAP Control Plane (For Your Reference)

MAP BR (ASR9K) : MAP-T and MAP-E CLI Sample

MAP-T

!
service cgn CL
 service-type map-t MAP-T-POD1
  cpe-domain prefix 173.36.210.50/31
  cpe-domain ipv6 prefix 2001:420:81:10::/60
  sharing-ratio 8
  contiguous-ports 1024
  external-domain ipv6 prefix 2001:1::/64
!

MAP-E

!
service cgn cgn1
 service-type map-e
  cpe-domain ipv4 prefix 202.38.102.0/24
  cpe-domain ipv6 prefix 2001:da8:a464::/48
  sharing-ratio 8
  contiguous-ports 1024
  aftr-tunnel-endpoint-address 2001:da8:a464:ffff::/128
!

MAP Control Plane (For Your Reference)

MAP BR (ASR1K) : MAP-T CLI Sample

MAP-T

ASR1K-MAP-T-BR#
!
nat64 map-t domain 1
 default-mapping-rule 2001:DA8:B001:FFFF::/64
 basic-mapping-rule
  ipv6-prefix 2001:470:E0FB::/48
  ipv4-prefix 202.38.102.0/24
  port-parameters share-ratio 16 start-port 1024
!
interface TenGigabitEthernet0/1/0
 description To IPv4 Internet
 nat64 enable
!
interface TenGigabitEthernet0/2/0
 description To IPv6 Network
 nat64 enable
!

MAP Control Plane (For Your Reference)

MAP BR (ASR1K) : Show Command MAP-T

ASR1K-MAP-T-BR#sh nat64 map-t domain 1
MAP-T Domain 1
   Mode MAP-T
   Default-mapping-rule
      Ip-v6-prefix 2001:DA8:B001:FFFF::/64
   Basic-mapping-rule
      Ip-v6-prefix 2001:470:E0FB::/48
      Ip-v4-prefix 202.38.102.0/24
      Port-parameters
         Share-ratio 16   Contiguous-ports 64   Start-port 1024
         Share-ratio-bits 4   Contiguous-ports-bits 6   Port-offset-bits 6

ASR1K-MAP-T-BR#

MAP Control Plane (For Your Reference)

MAP-T BR (ASR1K) : Show Command

ASR1K-MAP-T-BR#sh nat64 statistics
NAT64 Statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Sessions found: 0
Sessions created: 0
Expired translations: 0
Global Stats:
   Packets translated (IPv4 -> IPv6)
      Stateless: 0
      Stateful: 0
      MAP-T: 15
   Packets translated (IPv6 -> IPv4)
      Stateless: 0
      Stateful: 0
      MAP-T: 15
/////
ASR1K-MAP-T-BR#

ASR1K-MAP-T-BR#sh nat64 statistics
//
Interface Statistics
   TenGigabitEthernet0/1/0 (IPv4 configured, IPv6 configured):
      Packets translated (IPv4 -> IPv6)
         Stateless: 0
         Stateful: 0
         MAP-T: 15
      Packets translated (IPv6 -> IPv4)
         Stateless: 0
         Stateful: 0
         MAP-T: 0
      Packets dropped: 20
   GigabitEthernet1/2/0 (IPv4 configured, IPv6 configured):
      Packets translated (IPv4 -> IPv6)
         Stateless: 0
         Stateful: 0
         MAP-T: 0
      Packets translated (IPv6 -> IPv4)
         Stateless: 0
         Stateful: 0
         MAP-T: 15
      Packets dropped: 0
Dynamic Mapping Statistics
   v6v4
Limit Statistics
//

// 84 MAP: IPv6 → IPv4 + Port Mapping

• Example of how the CPE derives its MAP IPv4 address:

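[Figure: derivation of the MAP IPv4 address and port set from the IPv6 delegated prefix]

• IPv6 Delegated Prefix (e.g., /Y), via DHCPv6 PD: Mapping Domain Prefix /X (size = X bits, provisioned), then the "EA Bits" (Y - X = a bits) up to /Y, then Subnet-ID and Interface ID, with the markers 0, /X, /Y and 64 (fixed). Example: 2001:0DB8:00 /X followed by the EA bits 01010101 111000.
• Provisioned (e.g. DHCP MAP option): Z bits of IPv4 prefix, length of EA-bits, sharing ratio. Example IPv4 prefix: 130.67.1 /Z.
• MAP IPv4 Address = IPv4 Prefix /Z (Z bits) + IPv4 Suffix (32 - Z = b bits, taken from the EA bits). Example: 130.67.1 /Z + 01010101.
• Port (16 bits): a leading field marked "> 0", the Port Set ID (a - b = c bits, 111000 in the example) and the remaining bits (XXXX). The figure marks the bit positions 0, 6, 6+c and 16 and the field widths "4 (fixed)" and "12-c".

85 Case-Study: MAP-T Used in Smart Grid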

• MAP-T used to connect IPv4 only devices (bottom) to IPv4 servers (top) via an IPv6 network.
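The derivation from the "MAP: IPv6 → IPv4 + Port Mapping" slide, written out as an added example that follows the RFC 7597 algorithm (it is not code from the presentation or from Cisco). The rule values are those of the ASR1K MAP-T BR sample above; the class and method names and the CPE prefix 2001:470:e0fb:c50::/60 are constructed for illustration. `locate` runs the mapping in reverse, which is how an operator attributes a public IPv4 address and port to a CPE without a translation log.

```python
import ipaddress

class MapRule:
    """Basic Mapping Rule per RFC 7597 (a = PSID offset, k = PSID bits, m = contiguous-port bits)."""

    def __init__(self, v6_prefix, v4_prefix, share_ratio, psid_offset=6):
        self.v6 = ipaddress.IPv6Network(v6_prefix)
        self.v4 = ipaddress.IPv4Network(v4_prefix)
        self.k = share_ratio.bit_length() - 1
        if share_ratio != 1 << self.k:
            raise ValueError("sharing ratio must be a power of two")
        self.a = psid_offset
        self.m = 16 - self.a - self.k
        self.ea_bits = (32 - self.v4.prefixlen) + self.k   # IPv4 suffix + PSID
        self.pd_len = self.v6.prefixlen + self.ea_bits     # delegated prefix length

    def derive(self, delegated_prefix):
        """Delegated IPv6 prefix -> (shared IPv4 address, PSID)."""
        pd = ipaddress.IPv6Network(delegated_prefix)
        if pd.prefixlen != self.pd_len or not pd.subnet_of(self.v6):
            raise ValueError("prefix is not a CPE prefix of this MAP domain")
        ea = (int(pd.network_address) >> (128 - self.pd_len)) & ((1 << self.ea_bits) - 1)
        return self.v4.network_address + (ea >> self.k), ea & ((1 << self.k) - 1)

    def port_ranges(self, psid):
        """Inclusive (first, last) port blocks; block A=0 is excluded when a > 0."""
        blocks = range(1 if self.a else 0, 1 << self.a)
        starts = [(blk << (16 - self.a)) | (psid << self.m) for blk in blocks]
        return [(s, s + (1 << self.m) - 1) for s in starts]

    def locate(self, ipv4, port):
        """Public IPv4 address + source port -> delegated prefix of the CPE."""
        addr = ipaddress.IPv4Address(ipv4)
        if addr not in self.v4:
            raise ValueError("address is outside the rule's IPv4 prefix")
        if self.a and port >> (16 - self.a) == 0:
            raise ValueError("port is below the first port set")
        psid = (port >> self.m) & ((1 << self.k) - 1)
        ea = ((int(addr) - int(self.v4.network_address)) << self.k) | psid
        base = int(self.v6.network_address) | (ea << (128 - self.pd_len))
        return ipaddress.IPv6Network((base, self.pd_len))

if __name__ == "__main__":
    # Rule values from the ASR1K MAP-T BR sample; the CPE prefix is constructed.
    rule = MapRule("2001:470:E0FB::/48", "202.38.102.0/24", share_ratio=16, psid_offset=6)
    v4, psid = rule.derive("2001:470:e0fb:c50::/60")
    print(v4, psid, rule.port_ranges(psid)[:2])
    print(rule.locate("202.38.102.12", 1350))
```

With share ratio 16 and offset 6 the rule yields 6 contiguous-port bits, matching the "Contiguous-ports 64" line of the show output above.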

86 Stateful NAT64 Terminology (For Your Reference)

Terminology: Definition

• Well-known prefix (WKP): The IPv6 prefix 64:ff9b::/96, defined in RFC 6052, used for algorithmic mapping between address families. Prefix 64:ff9b::/96 is not a globally routable prefix and hence must not be used in scenario 3.
• Network-specific prefix (NSP): An IPv6 prefix assigned by an organization for use in algorithmic mapping between address families; it is usually carved out of the organization prefix and can be globally routable: for example, 2001:db8:cafe::/96 carved out of organization prefix 2001:db8:cafe::/48.
• IPv4-converted IPv6 addresses: IPv6 addresses used to represent IPv4 nodes in an IPv6 network: for example, 2001:db8:cafe::c000:0201 using NSP or 64:ff9b::c000:0201 using WKP, both representing 192.0.2.1 (hex c000201).
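The algorithmic mapping behind IPv4-converted IPv6 addresses, as an added example (not code from the presentation). It goes beyond the /96 case on the slide and covers every prefix length RFC 6052 allows, including the reserved "u" octet; the function names are chosen here for illustration. `extract` is the direction needed when reading NAT64 translation tables or logs.

```python
import ipaddress

# Prefix lengths allowed by RFC 6052; bits 64-71 (byte 8, the "u" octet) stay zero.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)

def _v4_byte_positions(prefix_len):
    """Offsets of the four bytes that carry the IPv4 address, skipping byte 8."""
    return [i for i in range(prefix_len // 8, 16) if i != 8][:4]

def _check(prefix):
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    return net

def embed(prefix, ipv4):
    """IPv4 address -> IPv4-converted IPv6 address under an NSP or the WKP."""
    net = _check(prefix)
    raw = bytearray(net.network_address.packed)
    v4_bytes = ipaddress.IPv4Address(ipv4).packed
    for pos, octet in zip(_v4_byte_positions(net.prefixlen), v4_bytes):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))

def extract(prefix, ipv6):
    """IPv4-converted IPv6 address -> the IPv4 address it represents."""
    net = _check(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    raw = addr.packed
    if raw[8] != 0:
        raise ValueError("u octet (bits 64-71) must be zero")
    return ipaddress.IPv4Address(bytes(raw[p] for p in _v4_byte_positions(net.prefixlen)))

if __name__ == "__main__":
    # Addresses from the terminology slide.
    print(embed("2001:db8:cafe::/96", "192.0.2.1"))   # NSP
    print(embed("64:ff9b::/96", "192.0.2.1"))         # WKP
    # The /40 prefix below is a documentation prefix constructed for the example.
    print(embed("2001:db8:100::/40", "192.0.2.33"))
    print(extract("2001:db8:cafe::/96", "2001:DB8:CAFE::0808:0808"))
```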

87 IPv6/IPv4 Translation Scenarios (For Your Reference)
RFC6144 - Framework for IPv4/IPv6 Translation

Scenarios for IPv4/IPv6 Translation / Applicability / Example

Scenario 1: An IPv6 network to the IPv4 Internet
   Applicability: Greenfield IPv6-only network wanting to transparently access both IPv6 and existing IPv4 content. Initiated from IPv6 hosts and network
   Example: ISPs rolling out new services and networks for IPv6-only smart phones (3G, LTE etc.). Or, enterprises deploying IPv6-only network

Scenario 2: The IPv4 Internet to an IPv6 network
   Applicability: Servers in greenfield IPv6-only network wanting to transparently serve both IPv4 and IPv6 users. Initiated from IPv4 hosts and network
   Example: Upcoming or existing content providers rolling out services in IPv6-only environment

Scenario 3: The IPv6 Internet to an IPv4 network
   Applicability: Servers in existing IPv4-only network wanting to serve IPv6 Internet users. Initiated from IPv6 hosts and network
   Example: Existing content providers migrating to IPv6 and thus wanting to offer services to IPv6 Internet users as part of coexistence strategy

88 IPv6/IPv4 Translation Scenarios (For Your Reference)
RFC6144 - Framework for IPv4/IPv6 Translation

Scenarios for IPv4/IPv6 Translation / Applicability / Example

Scenario 4: An IPv4 network to the IPv6 Internet
   Applicability: Not a viable case in the near future; this scenario will probably occur only some time after the early stage of the IPv6/IPv4 transition
   Example: None

Scenario 5: An IPv6 network to an IPv4 network
   Applicability: Both an IPv4 network and an IPv6 network are within the same organization
   Example: Similar to scenario 1, catering to Intranet instead of Internet

Scenario 6: An IPv4 network to an IPv6 network
   Applicability: Same as above
   Example: Similar to scenario 2, catering to intranet instead of Internet

Scenario 7: The IPv6 Internet to the IPv4 Internet
   Applicability: Would suffer from poor throughput
   Example: None

Scenario 8: The IPv4 Internet to the IPv6 Internet
   Applicability: No viable translation technique to handle unlimited IPv6 address translation
   Example: None

89 Configuration on Cisco ASR 1000

[Topology: IPv4 Only Network 192.0.2.0/24 -- GE 2/3/1 (172.16.1.1/30) -- ASR 1000 (6:4) -- GE 2/3/2 (FD00:1::1/124) -- IPv6 Only Network 2001:DB8:CAFE::/48]

Interface Configuration:
!
! Enable IPv6 Unicast Routing
ipv6 unicast-routing
!
interface GigabitEthernet2/3/1
 description Connected to IPv4_Network
 ip address 172.16.1.1 255.255.255.252
 ! Enable NAT64 processing on this interface
 nat64 enable
!
interface GigabitEthernet2/3/2
 description Connected to IPv6_Network
 ipv6 address FD00:1::1/124
 ! Enable IPv6 processing
 ipv6 enable
 ipv6 rip 1 enable
 ! Enable NAT64 processing on this interface
 nat64 enable
!

NAT64 Configuration:
!
nat64 prefix stateful 2001:DB8:CAFE::/96
nat64 v4 pool mypool 203.0.113.1 203.0.113.100
nat64 v6v4 list mylist pool mypool overload
ipv6 access-list mylist
 permit ipv6 2001:DB8:CAFE::/48 any

90 NAT64 Translation on ASR 1000

Execute the following ping commands:

1. Ping 2001:DB8:CAFE::0808:0808, representing IPv4 address 8.8.8.8 from an IPv6 network
2. Ping 203.0.113.111, representing IPv6 address 2001:DB8:CAFE:2::1 from an IPv4 network
3. Ping 2001:DB8:CAFE::101, representing IPv4 server 192.0.2.1 from an IPv6 network

NAT64 Translation:

ASR1000#show nat64 translations
Proto  Original IPv4       Translated IPv4
       Translated IPv6     Original IPv6
------
icmp   172.0.1.7:14        [2001:DB8:CAFE::ac00:107]:14
       203.0.113.111:14    [2001:DB8:CAFE:2::1]:14
icmp   8.8.8.8:2           [2001:DB8:CAFE::0808:0808]:5321
       203.0.113.1:2       [2001:DB8:CAFE:2::2]:5321
icmp   192.0.2.1:1         [2001:DB8:CAFE::101]:1439
       203.0.113.1:1       [2001:DB8:CAFE:2::2]:1439
Total number of translations: 3
ASR1000#

91 Need for Logging

• Entries in NAT table are of temporary nature
• Any Stateful protocol (NAT44, NAT64, DS-Lite) requires logging
• Directive 2006/24/EC - Data Retention: EU Law
• Logging preserves the mapping information between an internal and external

[Figure: NAT in front of the IPv4 Internet producing a Logging Record, exported via Syslog or Netflow]

92 Candidate Protocols for Logging

• Two options today:
   • Syslog
   • Netflow v9
• Netflow is preferred since lighter
• Some customers select syslog:
   • existing collection infrastructure based on syslog
   • to guarantee multi-vendor interoperability
• Both NFv9 and Syslog can be configured simultaneously in a CGN system
• Example of CLI on ASR1k: nat64 logging translations flow-export v9 udp destination

                   Netflow v9                       Syslog
Format             Binary, Template based format    ASCII, RFC52432
Transport          UDP                              UDP
Sequence number    Yes in header                    No
Scalability        High                             Need Bulk-Port-Allocation

93