Tunneling, CGN and 6RD

Stefan Kollar Consulting Systems Engineer CCIE #10668 [email protected]

 IPv6 tunnels  IPv6 CGN  6RD introduction  6RD deployment  Perform basic 6RD troubleshooting  DEMO

6to4 IPv6 Internet . Stateless 6-over-4 encap IPv4 Internet using WK 2002::/16 prefix 6rd . Public IPv4 only LNS BR . Asymmetric routing problem 6rd

. Stateless 6-over-4 encap Public/ Public Public/ Private using SP IPv6 prefix IPv4 Private IPv4 IPv4 . Works over public/private IPv4

. RFC5969 6to4 6rd LAC Softwires H/S . RFC5571; uses L2TPv2/IPv4 infra v4 v4/6 v4 v4/6 v4 v4/6

IPv4 Internet Softwires H/S . RFC5571; leverages DS-Lite . L2TPv2/IPv6 infra AFTR CGN+ Dual-Stack Lite 4ov6 4rd LNS TC . 4over6 tunnels terminate in . CGN NAT44 on AFTR . Stateful IPv4 address sharing 4rd IPv6 IPv6 IPv6 . Stateless IPv4-over-IPv6 . tunnel encap/decap

. Can do stateless IPv4 LAC B4 4rd . address sharing by allocating . per-CPE port ranges . CPE does NAT44+4rd encap/decap v4 V4/6 v4 V4/6 v4 V4/6 . draft-despres-intarea-4rd-xx

CGN IPv4 4 Softwire 4over6 NAT44 Internet B4 AFTR IPv6 4 Access Network IPv6 6 Internet

Not deployable due to lack of IPv6-only access network(s) and missing B4 elements Solves same problem(s) as CGN + 6rd which is deployable right now using existing IETF standards and multi-vendor equipment AFTR coverage limited to IPv6-only reachability to remote B4 elements

Customer Network CPE 1. CGN IPv4 4 NAT44 Internet 6rd 6rd Tunnel 6rd 2. 2. IPv4 4 Access Network XLAT 6 1:1/ IPv6 N:1 Internet 6 IPv6 3.

1. CGN NAT44 to address IPv4 Run-Out  same IPv4 access network 1.

2. 6rd for IPv6 access to IPv6 Internet  same IPv4 access network 2.

3. Controlled deployment of native IPv6 hosts/apps plus NAT64 (XLAT) 3.

(1.) CGN NAT44 to address IPv4 Address Run-Out . Deployed and is foundation for future SP-class translation solutions (including NAT64) (2.) 6rd for IPv6 subscriber access to native IPv6 Internet (3.) for native IPv6 interworking with IPv4 . Stateless XLAT (1:1) for controlled deployments available now (supported already in ASR1k – IOS XE 3.2) . Stateful XLAT (N:1) NAT64/DNS64 available in 2H2011 Why Stateful XLAT (NAT64) ? Performs IPv4 address sharing Based on IETF BEHAVE WG standards Compliments and completes standards-based XLAT portfolio

NAT binding records

1) Preferably Netflow9 (or its standardized successor IPFIX) with format (11) 2) Syslog - consume more resources (e.g. CPU, bandwidth, memory) , less scalable and lower throughput

Why Stateful XLAT (NAT64) ? PCP protocol enables home network subscribers to create a port forwarding entry on the CGN

https://datatracker.ietf.org/wg/pcp/

 IPv6 Rapid Deployment  Defined in draft-ietf-softwire-ipv6-6rd-10.txt and was approved on May 20, 2010, by the IESG for publication as a standards track RFC (RFC5969)  Mechanism for Service Providers to deliver IPv6 via their IPv4 network  6rd firstly deployed in Free Telecom and is fully supported by Google

 Why not 6to4 6to4 service is "over the top" - operating without the SP really controlling who uses the service and who doesn't. IPv6 community to try and kill/deprecate 6to4

 Use SP’s own IPv6 address prefix instead of 2002::/16  Operational domain is limited to the SP’s network and is under its direct control  Not all 32 bits from the IPv4 destination address be carried in the IPv6 payload header

 6RD SP Prefix – The IPv6 prefix selected by the SP for the given 6RD deployment  6RD Delegated Prefix – The IPv6 prefix derived from the SP prefix and the IPv4 address bits . Used by the CE for hosts within its site.

0-32 bits 0-32 bits 64 bits

SP Prefix IPv4 Address Bits Subnet ID Interface ID

6RD delegate prefix Users Address Space

IPv4 Destination Address 16 bits 8 bits 8 bits

Ipv4 Common IPv4 Address Ipv4 common Prefix Bits Suffix

© 2006 Cisco Systems, Inc. All rights reserved. 13 6RD Prefix Delegation SP v6 Prefix: 2001:B000::/32 IPv4 Common Prefix: 10.1.0.0/16 IPv4 Common Suffix: 0.0.0.1/8 CE1 SP IPv4 Network Site 1 10.1.1.1 BR IPv6 Internet CE2

Site 2 10.1.4.1 10.1.2.1 CE3 6RD CE LAN Site 3 10.1.3.1 Multipoint Tunnel

SP Prefix 2001:B000::/32 V4 Common Prefix 10.1.0.0/16 V4 Common Suffix 0.0.0.1/8 CE1: Delegated 6RD prefix 2001:B000:0100::/40 CE2: Delegated 6RD prefix 2001:B000:0200::/40 BR: Delegated 6RD prefix 2001:B000:0400::/40 CE1 (V4) tunnel transport source 10.1.1.1 CE2 (V4) tunnel transport source 10.1.2.1 BR (V4) tunnel transport source 10.1.4.1

 For packets received on 6RD tunnel interface

• IPv4 tunnel source must match the configured IPv4 common prefix and suffix.

• IPv4 source address must match the IPv4 address embedded in the IPv6 source address for packets received from CEs.

 Packets not matching this criteria are dropped

 6RD Tunnel Mode  Service Provider IPv6 Prefix  Common IPv4 prefix and suffix

interface Tunnel0 ipv6 address 2001:B000:200::1/124 tunnel source GigabitEthernet1/1/7 tunnel mode ipv6ip 6rd tunnel 6rd prefix 2001:B000::/32 tunnel 6rd ipv4 prefix-len 16 suffix-len 8 interface GigabitEthernet1/1/7 ip address 100.1.2.1 255.255.255.0

router(config-if)# tunnel 6rd br

. Optional CLI configured when router is used as CE . Skip security check for packets with the configured IPv4 address as their source IPv4 address.

ipv6 general-prefix 6rd tunnel

. Used to define an IPv6 general-prefix computed from a 6rd tunnel interface asr1k(config)#ipv6 general-prefix DELEGATED_PREFIX 6rd Tunnel0 *May 23 11:12:05.644: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state asr1k(config)# asr1k(config)#do sh run int tun 0 Building configuration...

Current configuration : 40 bytes ! interface Tunnel0 no ip address end asr1k(config)#

Loopbacks(/32) 6RD-BR Anycast Routing

6RD-BR 10.11.12.13 6RD-BR 10.11.12.13 6RD-CE IPv4 access network ! vlan 10 interface Tunnel0 FE0 no ip address 6RD-CE no ip redirects (CPE) ipv6 enable ! tunnel source FastEthernet0 interface Loopback0 tunnel mode ipv6ip 6rd ip address 10.11.12.13 255.255.255.255 tunnel 6rd ipv4 prefix-len 8 tunnel 6rd prefix 2001:1000::/32 ! tunnel 6rd br 10.11.12.13 interface Tunnel0 ! no ip address interface FastEthernet0 no ip redirects ip address dhcp ipv6 address DELEGATED_PREFIX duplex auto 2001:1000::/128 anycast speed auto tunnel source Loopback0 ! tunnel mode ipv6ip 6rd interface Vlan10 tunnel 6rd ipv4 prefix-len 8 no ip address tunnel 6rd prefix 2001:1000::/32 ipv6 address DELEGATED_PREFIX ! 2001:1000::/64 eui-64 ipv6 route 2001:1000::/32 Tunnel0 ! ! ipv6 route 2001:1000::/32 Tunnel0 ipv6 route ::/0 Tunnel0 2001:1000:B0C:D00::

tunnel 6rd ipv4 prefix-len 8 (32-8) tunnel 6rd prefix 2011:1000::/32

show ipv6 interface tunnel show tunnel 6rd tunnel show tunnel 6rd destination tunnel show tunnel 6rd prefix tunnel

asr1k#sh ipv6 int tun 0 Tunnel0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::A0B:C0D No Virtual link-local address(es): General-prefix in use for addressing Global unicast address(es): 2001:1000:B0C:D00::, subnet is 2001:1000:B0C:D00::/128 [ANY] Joined group address(es): FF02::1 FF02::2 FF02::1:FF00:0 FF02::1:FF0B:C0D MTU is 1480 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ICMP unreachables are sent Post_Encap features: Tunnel 6RD ND DAD is not supported ND reachable time is 30000 milliseconds (using 30000) ND RAs are suppressed (periodic) Hosts use stateless autoconfig for addresses. asr1k#

© 2006 Cisco Systems, Inc. All rights reserved. 24 Sample IOS Show Command output 6RD Border Relay Router asr1k#sh tunnel 6rd tunnel 0 Interface Tunnel0: Tunnel Source: 10.11.12.13 6RD: Operational, V6 Prefix: 2001:1000::/32 V4 Prefix, Length: 8, Value: 10.0.0.0 V4 Suffix, Length: 0, Value: 0.0.0.0 General Prefix: 2001:1000:B0C:D00::/56

6RD Customer Edge - CPE isr1812#sh tunnel 6rd tunnel 0 Interface Tunnel0: Tunnel Source: 10.10.20.2 6RD: Operational, V6 Prefix: 2001:1000::/32 V4 Prefix, Length: 8, Value: 10.0.0.0 V4 Suffix, Length: 0, Value: 0.0.0.0 Border Relay address: 10.11.12.13 General Prefix: 2001:1000:A14:200::/56

routerasr1k#sh tunnel 6rd destination 2001:1000:B0C:D00:: tunnel 0 Interface: Tunnel0 6RD Prefix: 2001:1000:B0C:D00:: Destination: 10.11.12.13

asr1k#sh tunnel 6rd prefix 10.10.20.2 tunnel 0 Interface: Tunnel0 Destination: 10.10.20.2 6RD Prefix: 2001:1000:A14:200::

router# show platform hardware qfp active statistics drop ------Global Drop Stats Packets Octets ------TunnelDecapSecChkFail 5 690

router# show interfaces tunnel 0 stats Tunnel0 Switching path Pkts In Chars In Pkts Out Chars Out Processor 0 0 0 0 Route cache 0 0 0 0 Distributed cache 100 11200 100 13200 Total 100 11200 100 13200

IOS 15.1(3)T for 800, 1800, 1900, 2800, 2900, 3800, 3900, 7200

IOS XE Release 3.1S Series for ASR 1K

IOS 15.1(3)S 7600 (come ~ July 2011)

IOS-XR 3.9.3 CGSE (CGNv6) blade in CRS

6RD on CPE : Linksys Pirelli and many other CPE vendors