Ipv4 Exhaustion: NAT and Transition to Ipv6 for Service Providers

BRKSPG-2602

IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers

Rajiv Asati, Distinguished Engineer, Cisco Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

How 1. Find this session in the Cisco Live Mobile App 2. Click “Join the Discussion” 3. Install Spark or go directly to the space 4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKSPG-2602

Caution: New road may be needed

• Any service provider that has exhausted its IPv4 address pool, will not only have to deploy/offer IPv6, but also employ IPv4 sharing. This is because chunk of content may be reachable only via IPv4 internet, even though majority is available via IPv6 internet.

• This session discusses few mechanisms such as MAP-T/E, 464XLAT, DS-Lite and CGN 64/44 etc. that facilitate IPv4 sharing with and without IPv6. It contrasts stateful and stateless translation techniques as well. • 6rd is included for reference as well.

• This session is intended for Service Providers.

Source: https://www.akamai.com/ Source: https://www.google.com/

• Goal of Transition Technologies

• Overview of Transition Technologies • Single-Stack • Dual Stack – Impact ( & Happy Eyeballs) • IPv4 Address Sharing - Impact • CGN 44, DS-Lite, 6rd, MAP • CGN 64 for IPv6-only

• Conclusion Recommended Approach for IPv6 Dual-Stack Deployment (per IETF RFC 4213)

IPv4+IPv6 Hosts (Dual Stack) • Dual-Stack to the hosts * • Hosts: Windows, OSX, iOS, Android, Linux etc. • Routers: IOS, XR, NXOS etc.

IPv4+IPv6 Network

IPv4 and/or IPv6 Destinations

* RFC7755 now suggests Single-stack IPv6 for DC

BRKSPG-2602 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 12 Recommended Approach for IPv6 Dual-Stack Deployment (per IETF RFC 4213), since 2005 ~90% of Desktop hosts and ~99% of Mobile hosts • Dual-Stack to the hosts * support Dual-Stack • Hosts: Windows, OSX, iOS, Android, Linux etc. • Routers: IOS, XR, NXOS etc. Source – Mobile Operating System, Statistica, Jan 2017

Source – Desktop Operating System, Netmarketshare, Jan’14-Dec’16

IPv4+IPv6 Hosts (Dual Stack) • Dual-Stack to the hosts * • Hosts: Windows, OSX, iOS, Android, Linux etc. • Routers: IOS, XR, NXOS etc.

IPv4+IPv6 Network • But note… • IPv4 exhaustion is underway • Every host can NOT be assigned a public IPv4 address • Two protocol stacks to be managed in network 

IPv4 and/or IPv6 Destinations

* RFC7755 now suggests Single-stack IPv6 for DC

• The ISP Impact: • Lack of IPv4 addresses for users • Harder to grow the business

• The User Impact (explicit or implicit): • IP reputation (more on this later) • IPv4 address sharing • Breaks applications • Complicates operating servers • Limits UDP/TCP ports per user • IPv6 enabled services are catching up

• How do we migrate from IPv4 to IPv6? • Short term1: can’t enable IPv6 immediately, need more IPv4 (or share IPv4) • Short term2: enable IPv6 immediately, need more IPv4 (or share IPv4) • Long term: simple network, single protocol – IPv6

• What does this really mean? • IPv6 to co-exist with IPv4 • IPv4 address sharing to become wide-spread • IPv6 to interoperate with IPv4 Transition technologies pave the way to move from IPv4 to IPv6

• Goal of Transition Technologies

• Overview of Transition Technologies • Single-Stack • Dual Stack – Impact ( & Happy Eyeballs) • IPv4 Address Sharing - Impact • CGN 44, DS-Lite, 6rd, MAP • CGN 64 for IPv6-only

• Conclusion Towards IPv6 …with or without IPv4 Transition Technologies in One Slide

This is This is where where we are: we have to Mostly  ? be: IPv4 & Address Mostly Run-out IPv6;

1. CGN = Carrier Grade NAT - Stateful 2. Modified to support DS-Lite

This is Obtain More IPv4 Addresses This is where IPv4 Share IPv4 Addresses where we are: we CGN DualDual CGN CGN CGN CGN have to StackStack 44 44 44* 64 be: Mostly  ? MAP IPv4 & + + + + 6rd IPv6 Dual (Dual- DS- Single Address Stack Stack) Lite -Stack Mostly Run-out IPv6;

1. CGN = Carrier Grade NAT - Stateful 2. Modified to support DS-Lite

Options Arbitrary IP CPE LAN CPE WAN Tunnel or In-network Extra CPE addressing of IPv4 or IPv6 IPv4 or IPv6 Translate? “State”? features? CPE? 0 Single-Stack IPv4 IPv4 -NA- -NA- Yes No 1 Dual-Stack IPv4 + IPv6 IPv4+IPv6 -NA- -NA- Yes No** 2 Single-Stack IPv4 IPv4 Translate Yes (CGN44) Yes No 3 Dual-Stack IPv4 + IPv6 IPv4+IPv6 Translate Yes (CGN44) Yes No** 4 DS-Lite IPv4 + IPv6 IPv6 Both Yes (CGN44) Yes Yes 5 6rd IPv4 + IPv6 IPv4 Tunnel No No Yes 6 6rd + CGN IPv4 + IPv6 IPv4 Both Yes (CGN44) No Yes 7 MAP IPv4 + IPv6 IPv6 Either No Yes* Yes 8 Single-Stack IPv6 IPv6 Translate Yes (CGN64) Yes Yes|No * Allows both arbitrary and algorithmic mapping ** Changes needed if IPv6 is not supported by existing CPE

• Goal of Transition Technologies

• Overview of Transition Technologies • Single-Stack IPv4 – Obtain more IPv4 • Dual Stack – Impact ( & Happy Eyeballs) • IPv4 Address Sharing - Impact • Single-Stack IPv4 – CGN 44, 6rd • Single-Stack IPv6 – DS-Lite, MAP • Single-Stack IPv6 – CGN 64

• Conclusion 0. Obtain IPv4 Addresses Host/CPE gets just IPv4 prefixes

This is Obtain More IPv4 Addresses This is where IPv4 Share IPv4 Addresses where we are: we CGNCGN Dual CGN 44 CGN CGN have to Stack 44 * 64 Mostly + MAP be: + + + IPv4 & 6rd Dual (Dual6rd- DS- Single Address Stack Stack) Lite -Stack Mostly Run-out IPv6;

• Obtain IPv4 addresses from Regional Internet Registry (RIRs) or open market • RIR: May Not have any left.  • Open market: USD $10-$15 per IPv4 address

• IPv6, well, is optional

• ADVANTAGES: • No CGN, no address sharing, no operational changes • No need to press for IPv6 deployment

• DISADVANTAGES : • If business growing, delaying the inevitable • Geo-location needs to be updated (mileage varies) • No IPv6 deployed • Reputation might be bad

• Goal of Transition Technologies

• Overview of Transition Technologies • Single-Stack IPv4 – Obtain more IPv4 • Dual Stack – Impact ( & Happy Eyeballs) • IPv4 Address Sharing - Impact • CGN 44, DS-Lite, 6rd, MAP • Single-Stack IPv6 & CGN 64

• Conclusion 1. Dual-Stack Host/CPE gets both IPv4 and IPv6 prefixes

This is Obtain More IPv4 Addresses This is where IPv4 Share IPv4 Addresses where we are: we CGNCGN DualDual CGN 44 CGN CGN have to Stack Stack 44 * 64 Mostly + MAP be: + + + IPv4 & 6rd 6rd IPv6 Dual (Dual- DS- Single Address Stack Stack) Lite -Stack Mostly Run-out IPv6;

1. CGN = Carrier Grade NAT - Stateful 2. Modified to support DS-Lite

• Reality: More and more IPv4 address sharing (NAT, MAP) • Covered in co-existence section later on.

• Hosts should prefer IPv6 to IPv4 • Generally necessary • Without this preference, IPv4 would persist until IPv4 is turned off

IPv6 Road • But what if IPv6 is broken? Overloaded??? • IPv6 peering is down ... • Tunnel is down ... • (Microsoft IPv6 NCSI is down....)

• Dual-stack client connecting to dual-stack server

• IPv6 is preferred by default (RFC6724)

• If IPv6 is slower, then users blame IPv6 and may disable IPv6! 

• IPv6 better not be slower than IPv4 • Who can guarantee that ! 

• What if IPv6 is broken altogether?

• What if IPv6 is broken to few websites?

Unhappy user 

Note: Slight Preference is given to IPv6 connection

Happy user 

• Users are happy • Aimed initially at web browsing • Web browsing is the most common application • Fast response even if IPv6 (or IPv4) path is down

• Network administrators are happy • Users no longer trying to disable IPv6 • Reduces IPv4 usage (reduces load on CGN)

• Content providers are happy Source: http://seclists.org/nanog/2016/Jun/809 • Improved geolocation and DoS visibility with IPv6

• Google Chrome and Mozilla Firefox: Yes  • Utilizes long-established 250-300ms ‘backup’ thread • Follows getaddrinfo() address preference

• Apple Safari, iOS*, OSX* : Yes  RFC6555 • DNS AAAA sent before A query on the wire Compliant • If AAAA reply comes first, then v6 SYN sent immediately • If A reply comes before 25ms of AAA reply, then v4 SYN sent • Else, Heuristics based Address selection algorithm is applied

• Microsoft Windows OS and Internet Explorer : NO  • Not even something like happy eyeballs

• Cisco WebEx : Yes 

* http://lists.apple.com/archives/Ipv6-dev/2011/Jul/msg00009.html • Cisco AnyConnect: No  * https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html

• Goal of Transition Technologies

• Conclusion IPv4 Address Sharing .

This is Obtain More IPv4 Addresses This is where IPv4 Share IPv4 Addresses where we are: we CGN CGN DualDual CGN CGN CGN have to 44 StackStack 44 * 64 Mostly MAP be: + IPv4 & + + + 6rd IPv6 Dual DS- Single Address Stack (Dual- Lite -Stack Mostly Stack) Run-out IPv6;

1. CGN = Carrier Grade NAT - Stateful 2. Modified to support DS-Lite

Image source: Jason Fesler, Yahoo!

• Reputation based on IPv4 address • Shared IP address = shared suffering

• Workaround: Distinguish subscribers (sharing IP address, or not sharing) • draft-ietf-intarea-nat-reveal-analysis • draft-wing-nat-reveal-option • Server logs currently only contain IPv4 address • Servers logs need to include source port number, recommended by RFC6302

• Best Solution – have users and content providers use IPv6!

• Affects NATs, as everyone knows • NAT44 (CGN44): a big NAT operated by an ISP (“carrier”), enterprise, or University • NAT444 (subscriber’s NAT44 + ISP’s CGN44) • NAT64 (CGN64) • DS-Lite (called “AFTR” = Modified CGN44)

• Also affects non-CGN architectures! • MAP (Mapped Address and Port) • Conceptually, a CGN with (some) fixed ports • Address + Port, SD-NAT, Deterministic NAT

• Goal of Transition Technologies

• Conclusion Carrier Grade NAT (CGN) .

1. CGN = Carrier Grade NAT - Stateful 2. Modified to support DS-Lite

• Carrier Grade Network Address Translation • Address and Port Translator (NAPT), really • Like the common residential NAT (Linksys, etc.) • Using RFC5389 terminology: Mapping independent non filtering (EIM and EIF)

• Bigger (e.g. large scale)

• Port Logging (e.g. syslog, netflow v9)

• Per-user port limit

• Shared IPv4 space : 100.64.0.0/10 instead of private IPv4 space is an option

Stateful NAT function inside SP network

• Nicknamed NAT444 = NAT44 in home, NAT44 in ISP

• Advantages: 1. Very well known technology 2. No dependency on CPE router

• Disadvantages: 1. Logging 2. Port Forwarding 3. Certain Applications may NOT sufficiently work e.g. RFC7021 4. ALG, Logging 5. Network/Routing Design Headache See BRKSPG-3334 from 6. IPv4 address sharing efficiency CiscoLive2014 for more details 7. Any application hardcoding a specific port# may not work without UPnPv2+PCP

This is Obtain More IPv4 Addresses This is where IPv4 Share IPv4 Addresses where we are: we CGN CGN DualDual CGN CGN CGN have to 44 StackStack 44 44 64 Mostly MAP be: + IPv4 & + + + 6rd IPv6 Dual DS- Single Address Stack (Dual- Lite -Stack Mostly Stack) Run-out IPv6;

1. CGN = Carrier Grade NAT - Stateful 2. Modified to support DS-Lite

• ALG = Application awareness inside the NAT: • modify IP addresses and ports in application payload • creates NAT mapping

• Each application requires a separate ALG • FTP, SIP, RTSP, RealAudio, …

• ALG needs to understand application nuances

• ALG requires: • Un-encrypted signaling (!!) • Restricted network topology

• Summary: ALG prevents application evolution and introduces bugs

• FTP Passive Mode • ICE (RFC5245) and STUN (RFC5389) • Intelligence in endpoint • Useful for offer/answer protocols (SIP, XMPP) • Successful applications have to work everywhere • RTSPv1 abandoned on the desktop • effectively replaced with Flash over HTTP, and • Coffee shop, home, work, hotel, airport, 3G soon HTML5 • RTSPv2 has ICE-like solution • Skype does its own NAT traversal • Linksys disabled SIP ALGs around 2006 • Because of bugs and incompatibilities with SIP endpoints

• Debugging / Troubleshooting Problems •SIP from vendor X works, but vendor Y breaks: 1. Vendor Y violated standard? 2. Vendor X has special sauce?? 3. ALG is broken??? Meanwhile: • Delays unhappy •Months for vendor turn-around for patches users •Months for SP testing/qualification/upgrade window

• ALG can break competitor’s over-the-top application (e.g., SIP, streaming video) •Regulators frown on interference See BRKSPG-3334 from CiscoLive2014 for more details

BRKSPG-2602 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 54 Supported on ASR9K, CGN ASR1K, CRS Logging Source Port Ranges Reference 42.5TB over 60 days for 200K subscribers, 72K flows/second • Stateful NAT requires logging (NAT44, NAT64, DS-Lite…) (each syslog comprised • NAT mappings are temporary (similar to DHCP addresses) private source IP:port, public source IP:port, • Logging each NAT mapping creates large logs! protocol, and timestamp, resulting in ~100B in • Bulk port allocation (BPA) reduces logging, at the expense ASCII). See note below. of reduced efficiency of IPv4 address sharing   • Bulk size of N ports, logs reduced by 1/N • Acceptable compromise !!! See BRKSPG-3334 from • Recommended CiscoLive2014 for more details

• Server Log combined with CGN log identifies subscribers • Timestamp (new) • Source IP address, source port (new), destination IP address, destination port • RFC6302 • Some servers don’t enable source port logging, or don’t have good timestamp • Note that majority support logging source port, but don’t do so by default, see RFC7768 and draft-daveor-cgn-logging • Tempting to log destination IP (and port) at CGN • Consider privacy and legal issues • Incompatible with bulk port allocation, increases logging costs • Not recommended See BRKSPG-3334 from CiscoLive2014 for more details

• Use Bulk Port Allocation

• Limit number of users sharing an IPv4 address as much as possible*

• Monitor KPIs e.g. # of outbound SSH connections with a threshold

• Log NAT connections

•

* Tricky because you would want higher sharing ratio, given IPv4 shortage

This is Obtain More IPv4 Addresses This is where IPv4 Share IPv4 Addresses where we are: we CGNCGN DualDual CGN 44 CGN CGN have to StackStack 44 44 64 Mostly + MAP be: + + + IPv4 & 6rd 6rd IPv6 Dual (Dual- DS- Single Address Stack Stack) Lite -Stack Mostly Run-out IPv6;

Note: DS-Lite requires CGN

Stateful NAT 44 function (on routers) inside SP network

• Requires IPv6 access network

• Tunnels subscriber IPv4 traffic to a CGN device

• Uses Carrier-Grade NAT (CGN)

• Requires CPE router support

• RFC6333

• MTU – Watch out !!

• Advantages: • Leverages IPv6 in the network

• Disadvantages: • Dependency on CPE router • NAT disabled on CPE router • Content Caching function may break • DPI function may break • QoS function may break • All disadvantages of CGN also apply

Obtain IPv4 Addresses

IPv4 IPv4 Address Sharing

IPv4 CGN Dual 6rd Dual Stack Address + Stack MAP Run-Out CGN Lite 6rd IPv6

BRKSPG-2602 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 62 Supported on ASR9K, 6rd - IPv6 over (Public) IPv4 ASR1K, CRS Reference IPv6 Moves out to Subscribers IPv6-over-IPv4 tunnels

Native Dual- Stack at Home

Stateless Tunneling function (on routers) inside SP network

BRKSPG-2602 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 63 Supported on ASR9K, 6rd + CGN = IPv6 over (Private) IPv4 ASR1K, CRS Reference IPv6 Moves out to Subscribers IPv6-over-IPv4 tunnels Private IPv4 move into SP*

Stateless Tunneling function (on routers)

Stateful NAT function (on routers) inside SP network*

* Assuming RFC1918 usage

This is Obtain More IPv4 Addresses This is where IPv4 Share IPv4 Addresses where we are: we CGNCGN DualDual CGN 44 CGN CGN have to StackStack 44 * 64 Mostly + MAP be: + + + IPv4 & 6rd 6rd IPv6 Dual (Dual- DS- Single Address Stack Stack) Lite -Stack Mostly Run-out IPv6;

See BRKSPG-3820 from CiscoLive2014 for more details

• Allows sharing of IPv4 address across an IPv6 WAN network • Each CPE gets a shared IPv4 address with a unique TCP/UDP port-range via “rules” • All or part of IPv4 address can be derived from the assigned IPv6 prefix (allows for route summarization) • Need to allocate UDP/TCP port range(s) to each CPE

• Stateless Border Relays in SP network • Can be implemented in hardware (superior performance) • Can use anycast, can have asymmetric routing • No single point of failure, no need for high availability hardware

IPv4-over-IPv6

Stateless Tunneling function (on routers)

- No Stateful CGN-

Native IPv6

Stateless 64 translation function (on routers)

- No Stateful CGN -

• MAP has two flavors (both standardized): • MAP-T : RFC7599 • MAP-E : RFC7597

• Advantages: • Leverages IPv6 in the network • No CGN inside SP network • No need for NAT Logging (DHCP logging as usual) • No need for ALGs • No need for Stateful NAT64/DNS64

• Disadvantages: • Dependency on CPE router • Any application hardcoding any port# might not work without UPnPv2 support

• Goal of Transition Technologies

• Overview of Transition Technologies • Single-Stack IPv4 – Obtain more IPv4 • Dual Stack – Impact ( & Happy Eyeballs) • IPv4 Address Sharing - Impact • Single-Stack IPv4 – CGN 44, 6rd Try V6-only WiFi: • Single-Stack IPv6 – DS-Lite, MAP SSID: CL-NAT64 • Single-Stack IPv6 – CGN 64 WPA2-PSK: cl-nat64

• Conclusion 5GHz only While Client-side apps (mobile or desktop) got IPv6-only support, Server- side still need to catch up…  e.g. Apple FaceTime, iMessage, iCloud, etc.

Hence, the short- term need for NAT64… As of June 26th, 2017

IPv4 Reachability IPv6 Reachability bash-3.2$ ping www.apple.com bash-3.2$ ping6 www.apple.com PING e6858.dsce9.akamaiedge.net (104.112.153.131): 56 data bytes PING6(56=40+8+8 bytes) 2601:2c7:4000: --> 2001:559:19:1286::1aca 64 bytes from 104.112.153.131: icmp_seq=0 ttl=57 time=32.063 ms 16 bytes from 2001:559:19:1286::1aca, icmp_seq=0 hlim=61 time=11.470 ms ^C ^C bash-3.2$ bash-3.2$ bash-3.2$ ping init.ess.apple.com bash-3.2$ ping6 init.ess.apple.com PING a239.da1.akamai.net (23.205.120.82): 56 data bytes ping6: getaddrinfo -- nodename nor servname provided, or not known 64 bytes from 23.205.120.82: icmp_seq=0 ttl=60 time=21.653 ms bash-3.2$ ^C bash-3.2$ bash-3.2$ ping www.icloud.com bash-3.2$ ping6 www.icloud.com PING e4478.a.akamaiedge.net (23.206.217.193): 56 data bytes ping6: getaddrinfo -- nodename nor servname provided, or not known 64 bytes from 23.206.217.193: icmp_seq=0 ttl=55 time=33.031 ms bash-3.2$ bash-3.2$ ping configuration.apple.com bash-3.2$ ping6 configuration.apple.com PING e5153.e9.akamaiedge.net (104.113.5.216): 56 data bytes ping6: getaddrinfo -- nodename nor servname provided, or not known 64 bytes from 104.113.5.216: icmp_seq=0 ttl=57 time=37.035 ms bash-3.2$ ^C bash-3.2 IPv6-Only Networks with CGN 64 .

This is Obtain More IPv4 Addresses This is where IPv4 Share IPv4 Addresses where we are: we CGNCGN DualDual CGN 44 CGN CGN have to StackStack 44 * 64 Mostly + MAP be: + + + IPv4 & 6rd 6rd IPv6 Dual (Dual- DS- Single Address Stack Stack) Lite -Stack Mostly Run-out IPv6;

1. CGN = Carrier Grade NAT - Stateful 2. Modified to support DS-Lite

Stateless or Stateful NAT64 function (on routers)

Host can be IPv6 Header IPv4 Header assigned with any Src Addr 2001:db8:abcd:2::1 Src 203.0.113.1 IPv6 address (no Addr DestAddr 2001:DB8:ABCD:<92.0.2.1> Dest 92.0.2.1 particular format) Addr

NAT64 IPv6 IPv4 Endpoint 92.0.2.1 NAT IPv6 2001:DB8:ABCD::/64 (203.0/24) StatefulLSN64 Endpoint announced in announced in IPv6 Routing domain IPv4 Routing domain 2001:db8:abcd:2::1 • NAT keeps binding state between inner IPv6 address and outer IPv4+port

• DNS64 needed

•Application dependent/ALGs may be required

Host must be IPv6 Header IPv4 Header assigned an “IPv4 Src Addr 2001:db8:<203.0.114.1>:: Src 203.0.114.1 Translatable” IPv6 Addr DestAddr 2001:DB8::<92.0.2.1>:: Dest 92.0.2.1 address Addr

NAT64 IPv6 IPv4 Endpoint 92.0.2.1 NAT IPv6 2001:DB8:ABCD::/64 (203.0/24) StatelessLSN64 Endpoint announced in announced in IPv6 Routing domain IPv4 Routing domain 2001:db8:<203.0.114.1>:: • No NAT binding state; IPv6 <-> IPv4 mapping computed algorithmically

• DNS64 needed

• Application dependent ALGs might be required

Stateful Stateless

• 1:N translation • 1:1 translation • “NAPT” • “NAT” • TCP, UDP, ICMP • Any protocol • Shares IPv4 addresses • No IPv4 address savings • Just like dual-stack • MAP however does save IPv4 addresses by combining NAT46 with NAT44

Note : IPv6-only DC using Stateless 64 : RFC7755

BRKSPG-2602 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 81 NAT64 DNS64 is important • NAT64 translator is useful only if the traffic can come to it • IP addresses of IPv6 packets must be formulated accordingly

• DNS64 provides conversion of an IPv4 address into an IPv6 address • AAAA record is made up from A record (only if upstream AAAA not present) using IPv6 prefix of NAT64 translator (e.g. 2001:DB8:ABCD::) Internet DNS64 NAT64

IPv6-only AAAA? Endpoint AAAA?

Empty answer (sent simultaneously) A?

92.0.2.1 2001:DB8:ABCD::92.0.2.1

• Works for applications that do DNS • Doesn’t work for applications that don’t queries do DNS queries or use IP address •http://www.example.com literals •IMAP, connecting to XMPP servers, etc. • http://1.2.3.4 • SIP, RTSP, H.323, XMPP peer to peer, etc. • Works with DNSSEC (note [1]) • Doesn’t work well if Application-level proxy for IP address literals (HTTP proxy) is used • Learn NAT64’s prefix, RFC 7050

• NAT46/BIH (Bump In the Host), RFC6535

• 464XLAT (RFC6877)

[1] https://blog.apnic.net/2016/06/09/lets-talk-ipv6-dns64-dnssec/

BRKSPG-2602 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 83 464XLAT = Stateless + Stateful Better Together  Note: The RFC6877 usefulness of XLAT may • Some applications may break with IPv6-only (and NAT64) continue to subside, given • Skype, among other interesting applications (more listed here*) apple mandate for apps to work with • 464 translation helps most of those IPv4-only applications IPv6-only since • Endpoint does “Stateless NAT46”, network does “Stateful NAT64” only for IPv4 traffic 2016, as well as Cloud Providers • 464 supported _only_ by Android OS; enabling IPv6-only support • Benefit: Network can Provide IPv6-only connectivity to Endpoints without worrying about any IPv4-only apps IPv6 Internet IPv6-only Stateless Network Stateful NAT46 IPv4 Internet NAT64 Endpoint

IPv4 Covered in this 1. IPv6 Network Internet presentation

2. IPv4 IPv6 Network Internet Covered in BRKSPG- 2602 from 3. IPv6 IPv4 2014** Internet Network

4. IPv4 IPv6 Needed (a) if IPv6-only content existed, or Network Internet (b) IPv4-only LAN with IPv6-only WAN * * Verizon stops giving out static IPv4 WAN address(es) in 2017

5. IPv6 IPv4 Network Network

6. IPv4 IPv6 Network Network

• Goal of Transition Technologies

• Conclusion Conclusion Whatever you do …. Drive Carefully…

Questions? Use Cisco Spark to communicate with the speaker after the session

How 1. Find this session in the Cisco Live Mobile App 2. Click “Join the Discussion” 3. Install Spark or go directly to the space 4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKSPG-2602

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public • Please complete your Online Complete Your Online Session Evaluations after each session Session Evaluation • Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt • All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Tech Circle

• Meet the Engineer 1:1 meetings

• Related sessions

• BRKSEC-3200 - Advanced IPv6 Security Threats and Mitigation – 30 Jan. 14:15 Try V6-only WiFi: • BRKIP6-2616 - Beyond Dual-Stack: Using IPv6 like you’ve never imagined – 30 Jan. 16:45 SSID: CL-NAT64 • BRKRST-3304 - Hitchhiker's Guide to Troubleshooting IPv6 - Advanced – 31 Jan. 9:00 WPA2-PSK: cl-nat64

• BRKSPG-2602 - IPv4 Exhaustion: NAT and Transition to IPv6 for SPs – 31 Jan. 9:00

• BRKIP6-2301 - Enterprise IPv6 Deployment – 31 Jan. 11:30 5GHz only

• LABSPG-3122 - Advanced IPv6 Routing and services lab – 31 Jan 14:00 & 1 Feb. 14:00

• BRKCOL-2020 - IPv6 in Enterprise Unified Communications Networks – 31 Jan. 16:30

• BRKCOC-2388 - Inside Cisco IT: A Tale of Two Protocols – 2 Feb. 9:00

• BRKIP6-2002 - IPv6 for the World of IoT – 2 Feb. 11:30