IPv6 - A Real-World deployment for Mobiles

APRICOT 2018 – February 2018

Telstra Unrestricted Copyright ©

Introduction

Jeff Schmidt - Technology Team Manager, Telstra Wireless Network Engineering

Manager responsible for Wireless IPv6 deployment and Wireless Mobile IP Edge/Core Architecture

Agenda

1. Why IPv6?
2. Business and Technical considerations
3. Network Architectures
4. Addressing and Subnetting
5. Deployment Model
6. Our Experience
7. Q&A

Why IPv6?

Traffic growth and devices per person
Network readiness for new technologies:
• Internet-of-Things
• VoLTE/IMS
• ViLTE
• Management and Backhaul
IPv4 public/private address depletion
Reduction in network inefficiencies

IPv6 Global Traffic

Source - https://www.google.com/intl/en/ipv6/statistics.html

Business and Technical Considerations

Depleting public and private IPv4 address range

Non-interworking private IPv4 address ranges duplicated between domains, that now require interworking
[Figure: 10.0.0.0 in use in both domains]

Continual investment to extend IPv4 resources vs IPv6 or to future-proof our network
[Figure labels: $ NAT, $ IoT]

As IPv4 addresses deplete, it will be more expensive to extend IPv4 resources

Dual-Stack is an effective transition technology but does not solve the IPv4 depletion problem

Introducing IPv6:
- Reduced dependency on NAT
- Remove the need for regionalisation
- Pushes applications to move to IPv6

Network Architectures

IPv6 Implementation - Centralised CGN

[Diagram: Region 1 and Region 2, each with Backhaul, EPG, CGNAT, BR and Internet, connected through the IP Core / Edge]

• NAT/PAT 44: Private IPv4 to Public IPv4
• NAT/PAT 64: Public IPv6 to Public IPv4
• CGN performs NAT/PAT 44 and NAT/PAT 64

PAT substantially reduces Public and Private IPv4 address demand, but does not prevent IPv4 address depletion.

IPv6 Implementation - Traffic Flow

[Diagram labels: Radio Network (IPv4 transport), EPG, Carrier Network (IPv4 + IPv6), IBR, NAT64 (Public IPv6 to Public IPv4), IPv4 Public Internet, Native IPv6, IPv6 Public Internet]

Single-bearer IPv6-only user plane

Running multiple APNs

[Diagram labels: IPv6, IPv4v6, IPv4, eNodeB, Radio Network, GGSN/EPG, IPv6 APN, IPv4v6 APN, IPv4 APN, Carrier Network, DNS64, DNS-DS, NAT44 / NAT64, IBR, Internet]

Create multiple real APNs that support IPv4, IPv6, and IPv4v6 individually

Running a Single APN

[Diagram labels: IPv6, IPv4v6, IPv4, eNodeB, Radio Network, GGSN/EPG, IPv4v6 APN, Carrier Network, DNS-DS, NAT44 / NAT64, IBR, Internet]

Create a single real APN that supports both DS and SS

IPv6 Implementation - Security

NAT44/64 Translation
Stateful firewall
• Untrust to Trust: Block all traffic originating from internet
• Trust to Untrust: Allow all traffic

[Diagram labels: Radio Network (IPv4 transport), EPG, Carrier Network (IPv4 + IPv6), CGNAT, BR, IPv4 Public Internet, IPv6 Public Internet]

IPv6 Native
Firewall Application, APN ACL, Stateful firewall
• Advertise only handset ranges to Carrier Network
• Block traffic with IP ranges not configured on the EPG
• Untrust to Trust: Block all traffic originating from Internet
• Trust to Untrust: Allow all traffic originating from IPv6 handset ranges only
• Allow DNS traffic
• Block all infrastructure ranges
• Block all VoLTE ranges

Security

• As the CGNAT service is removed from the network, wireless devices will be exposed to unsolicited traffic from the Internet, i.e. native IPv6
• Wireless customers are more sensitive to billing anomalies due to unsolicited traffic
• A simple firewall service blocking unsolicited traffic is required
• The same firewall service will ensure wireless core infrastructure is unreachable from the internet

Infrastructure Cloud IPv6

[Diagram labels: Core Network, Internet Provider, MPLS, PE, BR, DC Gateway, L3 Fabric EVPN, ToR, vCGN, vEPC]

How much traffic will use IPv6?

464XLAT Architecture for Mobiles

[Diagram labels: User Equipment / Mobile Phone, CLAT Function, Carrier Core (IPv6), PLAT (NAT64), IPv6 Internet host 2001:db8:ca7e::d007, IPv4 Internet host 198.51.100.1]

CLAT>
IPv4 host address for XLATE (clat4) [192.0.0.4/32]
IPv6 host address for XLATE [2001:db8:aaaa::464/128]
PLAT-Side XLATE IPv6 Prefix [2001:db8:bbbb::/96]

PLAT>
IPv4 pool [192.0.2.1 – 192.0.2.100]
PLAT-Side XLATE IPv6 Prefix [2001:db8:bbbb::/96]
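The CLAT and PLAT parameters above determine how a packet's addresses are rewritten at each hop, and the sketch below reproduces that rewrite. It is an added example, not part of the original slides: it uses the slide's documentation addresses, generalises the RFC 6052 embedding to every permitted prefix length, and reduces the stateful PLAT to a single binding without ports; the function names are illustrative.

```python
import ipaddress

# Values from the 464XLAT slide (all documentation addresses).
PLAT_PREFIX = ipaddress.IPv6Network("2001:db8:bbbb::/96")  # PLAT-side XLATE prefix
CLAT_V4 = ipaddress.IPv4Address("192.0.0.4")               # clat4 host address
CLAT_V6 = ipaddress.IPv6Address("2001:db8:aaaa::464")      # CLAT IPv6 host address
PLAT_POOL_FIRST = ipaddress.IPv4Address("192.0.2.1")       # first address of the PLAT pool


def embed(prefix, v4):
    """RFC 6052: write the IPv4 address after the prefix, skipping octet 8."""
    if prefix.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 prefixes are /32, /40, /48, /56, /64 or /96")
    out = bytearray(prefix.network_address.packed)
    pos = prefix.prefixlen // 8
    for octet in v4.packed:
        if pos == 8:          # bits 64-71 are reserved and stay zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract(prefix, v6):
    """Inverse of embed(); refuses addresses outside the translation prefix."""
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside {prefix}")
    raw, pos, out = v6.packed, prefix.prefixlen // 8, bytearray()
    while len(out) < 4:
        if pos == 8:
            pos += 1
        out.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(out))


def clat(src4, dst4):
    """Stateless step on the handset: fixed source mapping, embedded destination."""
    if src4 != CLAT_V4:
        raise ValueError("only the clat4 address is translated")
    return CLAT_V6, embed(PLAT_PREFIX, dst4)


def plat(src6, dst6):
    """Stateful step in the carrier core, reduced to one binding without ports."""
    return PLAT_POOL_FIRST, extract(PLAT_PREFIX, dst6)


if __name__ == "__main__":
    hop1 = clat(CLAT_V4, ipaddress.IPv4Address("198.51.100.1"))
    print(hop1, plat(*hop1))
```

DNS64 builds its synthetic AAAA answers with the same embedding, applied to the A record it received.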

IPv4 SRC 192.0.0.4, IPv4 DST 198.51.100.1
  -> Stateless NAT64 [RFC6145] ->
IPv6 SRC 2001:db8:aaaa::464, IPv6 DST 2001:db8:bbbb::198.51.100.1
  -> Stateful NAT64 [RFC6146] ->
IPv4 SRC 192.0.2.1, IPv4 DST 198.51.100.1

Addressing and Subnetting

3GPP currently dictates each UE to receive a /64

Future releases may require a /60 with DHCP-PD for single APN

4x /44 per APN per EPG = 4M prefixes

You will probably also need a similar range for VoLTE APNs

KEY: make sure it is a structured subnetting schema so it is consistent nationally and across the entire organisation.

Infrastructure Addressing:

/64 per VLAN – Keep it simple!

Private or Public – but remember to use a firewall and policies to avoid advertising the infrastructure out to the internet!
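The firewall rules from the Security slides (untrust to trust blocked, trust to untrust allowed from handset ranges only, infrastructure and VoLTE ranges blocked) and the infrastructure rule above can be checked against sample flows with a small policy model. This is an added example, not Telstra's configuration: every prefix is constructed from 2001:db8::/32, the handset ranges are sized as the 4x /44 mentioned earlier, and the class and function names are illustrative.

```python
import ipaddress

# Constructed ranges from the 2001:db8::/32 documentation prefix (assumptions).
HANDSET = list(ipaddress.ip_network("2001:db8::/42").subnets(new_prefix=44))  # 4x /44
VOLTE = [ipaddress.ip_network("2001:db8:100::/44")]
INFRA = [ipaddress.ip_network("2001:db8:ffff::/48")]


def within(addr, nets):
    return any(addr in net for net in nets)


def ue_prefixes():
    """Number of /64 UE prefixes the handset ranges can hand out."""
    return sum(2 ** (64 - net.prefixlen) for net in HANDSET)


class StatefulFirewall:
    def __init__(self):
        self.flows = set()   # (proto, inside addr, inside port, outside addr, outside port)

    def trust_to_untrust(self, proto, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if within(src, INFRA) or within(src, VOLTE):
            return "drop"            # infrastructure and VoLTE ranges never leave
        if not within(src, HANDSET):
            return "drop"            # source is not a configured handset range
        self.flows.add((proto, src, sport, dst, dport))
        return "accept"

    def untrust_to_trust(self, proto, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (proto, dst, dport, src, sport) in self.flows:
            return "accept"          # reply to a flow that a handset opened
        return "drop"                # unsolicited: not delivered, core unreachable


def demo():
    fw = StatefulFirewall()
    ue, web = "2001:db8:1:2::10", "2001:db8:f00d::80"     # constructed hosts
    return {
        "handset out": fw.trust_to_untrust("tcp", ue, 40000, web, 443),
        "reply in": fw.untrust_to_trust("tcp", web, 443, ue, 40000),
        "unsolicited in": fw.untrust_to_trust("tcp", web, 443, ue, 40001),
        "inbound to core": fw.untrust_to_trust("tcp", web, 55555, "2001:db8:ffff::1", 22),
        "infra out": fw.trust_to_untrust("udp", "2001:db8:ffff::1", 123, web, 123),
        "volte out": fw.trust_to_untrust("udp", "2001:db8:100::5", 5060, web, 5060),
        "unknown source out": fw.trust_to_untrust("udp", "2001:db8:dead::1", 1234, web, 53),
    }
```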

NAT is not a security feature!

Deployment Model

Carrier Examples

SP1: Dual-Stack
SP2 / SP3: SS+NAT64+DNS64+CLAT
SP4: SS/DS+NAT64+DNS-HD+CLAT

1. Every carrier will have a unique set of circumstances that dictates which transition method they will use. There is no standard way of doing this.
2. You must determine which is the best method for your network.

In any method, remember to ensure you have a long-term strategy for the eventual deployment of native Single Stack IPv6!

Different APNs for different purposes

Two existing APNs – one for Handsets, one for Mobile Broadband and Tethering

[Diagram labels: Telstra.WAP, 464XLAT, NAT64/DNS64, Internet; Telstra.Internet, DNS-DS/NAT44, Internet]

464XLAT + NAT64 + DNS64 for the Handset APN only

IPv6 enabled DNS for all other APNs

Packet Core Configuration

HSS Configuration: PDP Context id = IPv4v6
MME Configuration: DAF = set
EPG Configuration: PDPTYPE = IPv4v6

EPG will then also have the following as a minimum within each APN:
- IPv6 Handset Range
- IPv4 Handset Range
- 2x IPv4 DNS Name Servers, 2x IPv6 DNS Name Servers

UE Requirements and Settings

Android 4.3+ supports 464XLAT. We recommend using anything that is 4.4.4+ or 5.1+

Depending on your setup, either PDP selection is based on the UE or the Network.

International Roaming over IPv6 works today! But we recommend the APN Roaming Protocol to be set to IPv4 only for the next two years.

Launch Considerations

• Informed Front of House and provided training, as well as Enterprise support and sales personnel
• Updated internal Knowledge Base
• Briefed Operations and provided training
• Created moderated forum with official details on the network change
• Provided direct email contact to Telstra Engineering
• Contacted the technical community via mailing lists and public forums before launch

Our Experience

iPad Dual-Stack Carrier Settings

• Significant IPv6 takeup on iPads since carrier update was made available with Dual-Stack.
• Update made via iOS patch.
• Users are not immediately aware IPv6 is available on their iPads. Transparent migration.
• IPv6 take up occurs when iPads are patched to the latest version
• Single Stack will come later this year

• Use DNS64 as a migration step from dual stack to single stack
• Dual stack devices without DNS64 are least impacted with a migration towards single stack as applications will continue to use IPv4
• Enabling DNS64 will extend IPv6 usage for the devices and can be disabled easily if customers' applications are impacted
• The number of applications, protocols and specific implementations continues to make a migration to IPv6 single stack a challenge
• Check NGP / SMP behaviour

• Tethered devices to remain on DS APN for time being
• Ensure all internal services IPv6 enabled
• 464xlat – is it still required?
• H323 breaks but is it required?
• Corporate VPNs are a challenge due to range of solutions and specific implementations
• Test via test APNs

telstra.wap - IPv6 Usage

[Chart: telstra.wap IPv6 usage by state (NSW, QLD, SA, VIC, WA, Total), 01/07/16 to 01/10/17]

• Step increases in IPv6 address usage as device types move to IPv6, i.e. iPad dual stack
• More devices built to support VoLTE on by default

• Mail services failing, i.e. smtp
• IPv6 smtp packets not leaving PGW, IPv4 service works – PGW bug?
• Bugs relating to IPv6 are becoming less common

APN can control IPv4, IPv6 or dual stack services

Some wireless devices restrict the use of APNs to control access to services, i.e. wholesale products, corporate access

Ensure device testing validates access to various differentiated services from various device types; don't assume APN control is available through device

BYO device and existing services

APN – IPv4v6, HLR/HSS – IPv4v6
• Legacy devices configured with IPv4 only are not impacted
• New devices configured with IPv4v6 obtain both addresses and are currently growing significantly
• Existing devices configured with IPv6 only obtain IPv6 only

CGNAT NAT64 ALGs: ftp, sip, pptp, rtsp, h323

IPv4 vs IPv6

• Some applications fail with IPv6 – even with 464XLAT. Routing issues?
• VPNs are a real problem – but is it a carrier problem or an application / server problem?
• HTTP / HTTPS works very well
• SSH is not a major problem
• IPv6 is faster in some cases – smaller BGP table, no NAT etc.
• Major apps work very well – especially from the major content providers

Migration Strategy to get to IPv6 single stack

• Device by device migration via carrier configuration
• Test APN, internal trials
• Dual stack on a single device type
• Turn on DNS64
• Single stack on a less common device, i.e. android device type x
• Tethering APN last as there is less control over applications and OS running on tethered devices

Customer Support

Engage the community early so they know what’s coming. They will appreciate you are still developing and they will want to be part of the journey!

We receive support email through our contact points and reply as soon as possible. Don’t keep your customers waiting

Skip the red tape – let customers engage engineering directly

Keep management happy! Report SIO and bandwidth usage!

Q&A

Contact

Jeff Schmidt
Technology Team Manager
Telstra Wireless Network Engineering
[email protected]