Cisco Expo 2012

How to deploy and develop IPv6, not only in SP networks

SP2 / L2 Jiří Chaloupka – Cisco

Cisco Expo © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 • Twitter www.twitter.com/CiscoCZ • Talk2cisco www.talk2cisco.cz/dotazy • SMS 721 994 600

Slide 2
• Why IPv6
• Goal of Transition Technologies
• IPv4 – What next?
• Overview of Transition Technologies
• CGNv6 NAT44/NAT64
• Summary

Slide 3 (figure: IPv4 address pool exhaustion; labels recovered: Feb 3, 2011, IANA Pool, RIR Pool)

Slide 4
• The ISP problem: users need IPv4
• The user problem: shared IPv4 address space. Problem? At some point, services will work better using IPv6.
But…

Slides 5–7 (from Cisco Live session BRKSPG-2067; figures from Hiroshi Esaki: www2.jp.apan.net/meetings/kaohsiung2009/presentations/ipv6/esaki.ppt)

Slide 8
• Long term: simple network, single protocol – IPv6
• Short term: the world won't switch simultaneously
• So: IPv6 needs to interoperate with IPv4

Slide 9 (figure: transition timeline; labels recovered: Obtain IPv4 Addresses → IPv4 Address Run-Out → IPv4 Address Sharing Solutions (e.g., CGN) → Dual Stack + CGN, 6rd, DS-Lite → IPv6 (6rd, Dual Stack))

Slide 10
• Dual Stack (in devices/hosts and networks): IPv4 and IPv6 operate in tandem over shared or dedicated links (figure: dual-stack-aware applications over IPv4 and IPv6 stacks, shared links)
• Tunnelling over IPv4 or MPLS: IPv6 confined to the edge of the IPv4/MPLS core, dedicated links (figure: IPv6 – IPv4/MPLS tunnel – IPv6)
• IPv6 Only: IPv6 is the only protocol operating in the network
• Protocol Translation (BEHAVE IETF Working Group): allow IPv6-only devices to communicate with IPv4-only devices

Slide 11: IPv6/MPLS Core is easy. The Access is difficult.
• Why can't today's broadband user just access the IPv6 Internet?
(figure: User – RG – Access Node (DSLAM, etc.) – Aggregation – BNG – Core; NMS/Addressing and AAA/DHCP need IPv6 parameters and DHCPv6; in the access IPv6 and IPv4 run over L2; per-element requirements recovered: OS v6 stack, IPv6 LAN, IPv6 stack, IPv6 routing, IPv6 WAN, DHCPv6 snooping, ICMPv6 snooping, IPv6 NMS, IPv6 PE/VPE, MPLS 6PE/6VPE, IPv6 security)
• Key problem with native v6: Access Node (DSLAM, FTTX switch), CPE (new box needed), sometimes BRAS/GGSN (no dual-stack sessions)
• Tunnelling IPv6 over existing PPPoE (dual-stack PPPoE) or IPv4 infrastructure (6rd) provides a transition solution with a minimal number of "touch points"

Slide 12: IPv6 + IPv4 Dual Stack
(figure: dual-stack application – IPv4 + IPv6 edge – core – IPv4 edge)

(figure: CE – PE – P – P – PE – CE over an IPv4 core; interfaces marked as IPv4 configured, IPv6 configured, or dual configured; some or all interfaces in the cloud are dual configured)
• All P + PE routers are capable of IPv4+IPv6 support
• Two IGPs supporting IPv4 and IPv6
• Memory considerations for larger routing tables
• Native IPv6 multicast support
• All IPv6 traffic routed in global space
• Good for content distribution and global services (Internet)

Slide 13
(figure: a dual-stack host asks the DNS server "www.example.org = ?"; the server answers over IPv4 and IPv6 with both records)
  www IN A    192.168.0.3
  www IN AAAA 2001:db8:1::1

Slide 14
I get AAAA, I have IPv6 configured locally (SLAAC). But what if the IPv6 network is broken?
Behavior of a typical web browser (draft-ietf-v6ops-happy-eyeballs)

Slide 15: Happy Eyeballs – improving end user experience
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_13-3/133_he.html
Implementations:
• Firefox 10
• Chrome (last stable)
• OS X 10.7 "Lion"
• getaddrinfo()
• Safari
• iPhone iOS 4.3.1
draft-ietf-v6ops-happy-eyeballs
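The browser behaviour slides 14 and 15 describe, as an added example (not code from the deck or from any of the listed implementations): an IPv6-first connection race in the style of draft-ietf-v6ops-happy-eyeballs. The DNS answers are the slide's; the simulated connect function, its delays and the fallback timer values are constructed so the three cases (working IPv6, refused IPv6, black-holed IPv6) can be run offline without sockets.

```python
"""Happy Eyeballs connection racing, simulated offline.

Added example, not code from the deck.  A dual-stack client that received
both the AAAA and the A record starts the IPv6 attempt first; if it has not
succeeded within a short fallback delay, the IPv4 attempt is started in
parallel and whichever completes first wins.  `connect` is a caller-supplied
function (family, address) -> bool, so no real sockets are touched; the
delays in make_connect() are constructed stand-ins for a working, a
fast-failing and a black-holed IPv6 path.
"""
import threading
import time

# Constructed answers for www.example.org, matching the slide's zone
ANSWERS = {"A": ["192.168.0.3"], "AAAA": ["2001:db8:1::1"]}


def candidate_order(answers):
    """IPv6 candidates first, then IPv4 (the usual address selection order)."""
    return ([(6, a) for a in answers.get("AAAA", [])] +
            [(4, a) for a in answers.get("A", [])])


def happy_eyeballs_connect(answers, connect, fallback_delay=0.3, attempt_timeout=2.0):
    """Return the (family, address) that connected first, or None."""
    order = candidate_order(answers)
    finished = []                      # (family, address, ok) in completion order
    cond = threading.Condition()

    def attempt(fam, addr):
        ok = connect(fam, addr)
        with cond:
            finished.append((fam, addr, ok))
            cond.notify_all()

    def first_success():
        return next(((f, a) for f, a, ok in finished if ok), None)

    deadline = time.monotonic() + attempt_timeout
    started = 0
    with cond:
        for fam, addr in order:
            threading.Thread(target=attempt, args=(fam, addr), daemon=True).start()
            started += 1
            # Give this attempt a head start; wake early if it finishes (ok or not)
            head_start = min(time.monotonic() + fallback_delay, deadline)
            while (time.monotonic() < head_start and len(finished) < started
                   and first_success() is None):
                cond.wait(max(0.0, head_start - time.monotonic()))
            if first_success() is not None:
                return first_success()
        # Every candidate is in flight: wait for the first success or the deadline
        while (time.monotonic() < deadline and len(finished) < started
               and first_success() is None):
            cond.wait(max(0.0, deadline - time.monotonic()))
        return first_success()


def make_connect(ipv6="ok", v4_delay=0.05):
    """Simulated connect: ipv6 is 'ok', 'refused' (fails at once) or 'blackhole'
    (never answers within the timeout, like a broken IPv6 path)."""
    def connect(fam, addr):
        if fam == 6:
            if ipv6 == "blackhole":
                time.sleep(5.0)
                return False
            return ipv6 == "ok"
        time.sleep(v4_delay)
        return True
    return connect


def demo(ipv6):
    """Run one race and return (winner, seconds it took)."""
    t0 = time.monotonic()
    winner = happy_eyeballs_connect(ANSWERS, make_connect(ipv6), fallback_delay=0.1)
    return winner, round(time.monotonic() - t0, 2)


if __name__ == "__main__":
    for state in ("ok", "refused", "blackhole"):
        print(state, demo(state))
```

With a black-holed IPv6 path the user gets the IPv4 connection after roughly the fallback delay plus the IPv4 handshake, instead of waiting for the full TCP timeout; with a working IPv6 path IPv6 still wins, which is what keeps the mechanism from discouraging IPv6 deployment.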

Slide 16
• Tunnelling encapsulates an IPv6 packet into an IPv4 packet: Host to Router, Router to Router, Router to Host, or Host to Host
• Manually configured tunnels: Manual Tunnel (RFC 2893), IPv6 over GRE (RFC 2473)
• Semi-automated tunnels: Tunnel broker (RFC 3053)
• Automatic tunnels: 6to4 (RFC 3056), ISATAP (RFC 5214), Dynamic Multipoint VPN, 6rd (RFC 5969), LISP (IETF Working Group & Internet Draft)

Slide 17: IPv6 Manual Tunnel
(packet: IPv6 packet → [IPv4 header | IPv6 packet] → IPv6 packet)
(figure: Customer IPv6 Network – CE – IPv4 Access Network – PE – P – P – PE – Provider IPv6 Network; tunnel endpoints 200.15.15.1 and 200.11.11.1, tunnel addresses 2001:db8:a:b::1/64 and 2001:db8:a:b::2/64; the CEs are dual stack)
• One of the first transition mechanisms developed for IPv6: static P2P tunnel, IP protocol type = 41, no additional header; NAT breaks it
• Terminates on dual-stack end points: the IPv4 end point address must be routable; the IPv6 prefix is configured on the tunnel interface
• Difficult to scale and manage: for linking a few sites in a fixed long-term topology; use across an IPv4 access network to reach the IPv6 provider

Slide 18: IPv6 GRE Tunnel
(packet: IPv6 packet → [IPv4 header | GRE header | IPv6 packet] → IPv6 packet)
(figure: IPv6 Network – CE – IPv4 Backbone Network – PE – P – P – PE – CE – IPv6 Network; GRE tunnel between 200.15.15.1 (e0/0) and 200.11.11.1 (e0/0), tunnel addresses 2001:db8:a:b::1/64 and 2001:db8:a:b::2/64)
• Similar to Manual Tunnel (RFC 2893), but can transport non-IP packets, hence can be used to support IS-IS across the tunnel
• GRE header uses 0x86DD to identify the IPv6 payload
• Similar scale and management issues
• L2TPv3 is another tunnelling option

Slide 19: ISATAP
• Intra-Site Automatic Tunnel Addressing Protocol: tunnel from a dual-stack host PC to an IPv6 gateway
• Operates within a single administrative domain, primarily for corporate and academic networks
• Creates a virtual IPv6 link over an IPv4 backbone: the IPv4 network is treated as an NBMA link layer; routers provide the ISATAP service; DNS may hold a potential router list of ISATAP gateways
• ISATAP does not currently support multicast
• NAT is not supported

Slide 20: ISATAP router discovery
(packet: IPv6 packet → [IPv4 header | IPv6 packet] → IPv6 packet)
(figure: Dual Stack Host (IPv4 mode) 192.168.2.1 – IPv4 Enterprise/Corporate Network – ISATAP Router 192.168.4.1 (ISATAP address 2001:db8:face:2::5efe:c0a8:0401) – PE – P – P – PE – IPv6 Network; ISATAP tunnel between host and router)
1. Host → DNS: Query "ISATAP"; DNS → Host: Reply "192.168.4.1"
2. Router Solicitation, encapsulated in IPv4 (Request: ISATAP prefix?): IPv4 source 192.168.2.1, IPv4 dest 192.168.4.1; IPv6 source fe80::5efe:c0a8:0201, IPv6 dest fe80::5efe:c0a8:0401
3. Router Advertisement, encapsulated in IPv4 (Reply: 2001:db8:face:2::/64): IPv4 source 192.168.4.1, IPv4 dest 192.168.2.1; IPv6 source fe80::5efe:c0a8:0401, IPv6 dest fe80::5efe:c0a8:0201

Slide 21: ISATAP addresses
(figure: Dual Stack Host 192.168.2.1 – IPv4 Enterprise/Corporate Network – ISATAP Router 192.168.4.1 (2001:db8:face:2::5efe:c0a8:0401) – PE – P – P – PE – IPv6 Network; ISATAP tunnel)
                    ISATAP Host                      ISATAP Router
  IPv4              192.168.2.1                      192.168.4.1
  IPv6 Link-Local   fe80::5efe:c0a8:0201             fe80::5efe:c0a8:0401
  IPv6 Global       2001:db8:face::5efe:c0a8:0201    2001:db8:face::5efe:c0a8:0401
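How the ISATAP addresses on slides 20 and 21 are formed, as an added example (not code from the deck): the interface identifier is built from the host's IPv4 address per RFC 5214, and the router recovers the IPv4 tunnel endpoint from the low 32 bits of the IPv6 destination. The IPv4 addresses and the advertised prefix are the slide's; the function names are this example's own.

```python
"""ISATAP address construction and tunnel-endpoint recovery.

Added example, not code from the deck.  ISATAP (RFC 5214) derives the IPv6
interface identifier from the host's IPv4 address: 0000:5EFE:<IPv4> for a
private IPv4 address and 0200:5EFE:<IPv4> when the IPv4 address is globally
unique (the "u" bit of the identifier is set).  The link-local addresses on
the slide, fe80::5efe:c0a8:0201 and fe80::5efe:c0a8:0401, are exactly this
for 192.168.2.1 and 192.168.4.1.
"""
import ipaddress


def isatap_interface_id(ipv4):
    """64-bit interface identifier for an ISATAP node with this IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    ug = 0x0200 if v4.is_global else 0x0000        # RFC 5214 section 6.1
    return (ug << 48) | (0x5EFE << 32) | int(v4)


def isatap_address(prefix, ipv4):
    """Combine a /64 prefix (link-local or advertised global) with the ISATAP IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP prefixes are /64")
    return ipaddress.IPv6Address(int(net.network_address) | isatap_interface_id(ipv4))


def isatap_link_local(ipv4):
    return isatap_address("fe80::/64", ipv4)


def ipv4_from_isatap(addr):
    """What the ISATAP router or host does when encapsulating: the IPv4 tunnel
    destination is the low 32 bits of the IPv6 destination, valid only if the
    identifier carries the 5EFE marker (the u bit is ignored)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if (iid >> 32) & 0xFDFFFFFF != 0x00005EFE:
        raise ValueError("not an ISATAP interface identifier")
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def isatap_addresses(ipv4, advertised_prefix):
    """The addresses an ISATAP node ends up with after router discovery."""
    return {"ipv4": ipv4,
            "link_local": str(isatap_link_local(ipv4)),
            "global": str(isatap_address(advertised_prefix, ipv4))}


if __name__ == "__main__":
    print(isatap_addresses("192.168.2.1", "2001:db8:face:2::/64"))
    print(ipv4_from_isatap("fe80::5efe:c0a8:0401"))
```

The 5EFE check in ipv4_from_isatap is what stops a router from encapsulating towards an arbitrary IPv4 address that happens to sit in the low bits of a non-ISATAP destination; note also that the embedded IPv4 address is why ISATAP does not work through NAT.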

Slide 22: 6rd
• 6rd is a tunnelling method specified in RFC 5969; 6rd utilises an SP's own IPv6 address prefix and avoids the well-known prefix (2002::/16)
• Method of incrementally deploying IPv6 to end sites in an SP network: SP access and aggregation infrastructure remains IPv4; the end site is provided a dual-stack service; access/aggregation between SP and end sites looks like a multipoint network
• End sites share a common IPv6 prefix allocated by the SP

Slide 23: 6rd topology
(packet: IPv6 packet → [IPv4 header | IPv6 packet] → IPv6 packet)
(figure: 6rd IPv6 End Site – CE – IPv4 Access Network – PE – P – P – 6rd Border Relay – IPv6 Internet; Service Provider IPv6; 6rd tunnels between CPEs (2001:db8:0f01, 2001:db8:0d01) and between CPE and Border Relay)
• Native dual-stack IP service to the end site
• Simple, stateless, automatic IPv6-in-IPv4 encap and decap functions
• IPv6 traffic automatically follows IPv4 routing (IPv4 address used as tunnel endpoint)
• BRs placed at the IPv6 edge, addressed via anycast for load-balancing and resiliency

Slide 24: 6rd forwarding
(figure: 6rd CE – IPv4 + IPv6 – Core / 6rd Border Relays – Internet; IPv4 between CE and BR)
• IF the destination matches the 6rd IPv6 prefix (positive match, destination inside the 6rd domain, e.g. 2001:100:8101:0101:<Interface ID>) THEN encapsulate in IPv4 with the IPv4 address embedded in the destination
• ELSE (negative match, destination outside the 6rd domain, "not 2001:100…") encapsulate with the BR IPv4 anycast address
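The 6rd mechanics of slides 22 to 24, as an added example (not code from the deck): delegated-prefix derivation, the CE's IF/ELSE endpoint choice, and the stateless protocol-41 encapsulation. The 6rd prefix 2001:100::/32 and the inside-domain address 2001:100:8101:0101::/64 are the slide's (8101:0101 is 129.1.1.1 in hex); the IPv4 mask lengths, the CE and BR anycast addresses and the function names are constructed for this example.

```python
"""6rd (RFC 5969) prefix delegation, tunnel endpoint selection and 6in4 encapsulation.

Added example, not code from the deck.  All IPv4 addresses and the
ipv4_mask_len values are constructed; only the 6rd prefix 2001:100::/32 and
the embedded address 129.1.1.1 (8101:0101) come from slide 24.
"""
import ipaddress
import struct


def sixrd_delegated_prefix(sixrd_prefix, ipv4_mask_len, ce_ipv4):
    """CE side: 6rd prefix || (CE IPv4 with the common ipv4_mask_len high bits removed)."""
    p = ipaddress.IPv6Network(sixrd_prefix)
    v4_bits = 32 - ipv4_mask_len
    suffix = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << v4_bits) - 1)
    plen = p.prefixlen + v4_bits
    return ipaddress.IPv6Network((int(p.network_address) | (suffix << (128 - plen)), plen))


def sixrd_tunnel_endpoint(dst_ipv6, sixrd_prefix, ipv4_mask_len, ipv4_prefix, br_anycast):
    """CE forwarding decision from slide 24: inside the 6rd domain the IPv4 endpoint
    is embedded in the destination; outside it everything goes to the BR anycast."""
    p = ipaddress.IPv6Network(sixrd_prefix)
    d = ipaddress.IPv6Address(dst_ipv6)
    if d not in p:
        return ipaddress.IPv4Address(br_anycast)           # negative match
    v4_bits = 32 - ipv4_mask_len
    embedded = (int(d) >> (128 - p.prefixlen - v4_bits)) & ((1 << v4_bits) - 1)
    common = int(ipaddress.IPv4Network(ipv4_prefix).network_address) & ~((1 << v4_bits) - 1)
    return ipaddress.IPv4Address(common | embedded)        # positive match


def ipv4_checksum(header):
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def encapsulate_6in4(src_v4, dst_v4, ipv6_packet, ttl=64):
    """Stateless encapsulation: plain IPv4 header, protocol 41, no extra header (DF set)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0x4000, ttl, 41, 0,
                      ipaddress.IPv4Address(src_v4).packed, ipaddress.IPv4Address(dst_v4).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


def ce_send(ipv6_packet, ce_ipv4, sixrd_prefix, ipv4_mask_len, ipv4_prefix, br_anycast):
    """Whole CE path: read the IPv6 destination, pick the endpoint, encapsulate."""
    dst = ipaddress.IPv6Address(ipv6_packet[24:40])
    endpoint = sixrd_tunnel_endpoint(str(dst), sixrd_prefix, ipv4_mask_len, ipv4_prefix, br_anycast)
    return str(endpoint), encapsulate_6in4(ce_ipv4, str(endpoint), ipv6_packet)


def minimal_ipv6_packet(src, dst):
    """Constructed 40-byte IPv6 header with no payload (next header 59 = none)."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


if __name__ == "__main__":
    print(sixrd_delegated_prefix("2001:100::/32", 0, "129.1.1.1"))
    pkt = minimal_ipv6_packet("2001:100:8101:101::1", "2001:db8::1")
    print(ce_send(pkt, "129.1.1.1", "2001:100::/32", 0, "0.0.0.0/0", "10.255.255.1")[0])
```

Because the tunnel endpoint is computed from the packet itself, the CE and BR keep no per-flow state; the price is that a spoofed IPv6 source inside the 6rd prefix maps to an arbitrary IPv4 endpoint, which is why a BR should check that the embedded IPv4 address of the outer header matches the inner IPv6 source before decapsulating.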

Slide 25: IPv6 over MPLS
• IPv6 over MPLS pseudowires: transparent to the service provider
• IPv6 over IPv4 tunnels over MPLS (manual tunnels): PE must be IPv6 aware, core remains IPv4
• IPv6 transit using MPLS 6PE: PE must be IPv6 aware, core remains IPv4
• IPv6 VPN using MPLS 6VPE: PEs provide VPN services for IPv6, core remains IPv4
• No LDPv6 available as yet: the core control plane must be MPLS+LDP using an IPv4 IGP
• Previous solutions discussed can also work over MPLS: ISATAP, manual tunnels, GRE, 6to4, 6rd

Slide 26: 6PE
(packet: IPv6 packet → [LDP label | BGP label | IPv6 packet] → IPv6 packet)
(figure: CE1 (2001:db8:f00d::) – 6PE1 (200.10.10.1) – P – P – 6PE2 (200.11.11.1) – CE2 (2001:db8:cafe::) over an MPLS IPv4 backbone; CE3 – 6PE3 and 6PE4 – CE4 likewise; the 6PEs exchange IPv6 routes over iBGP)
• 6PEs must support dual stack IPv4+IPv6 (acts as a normal IPv4 PE)
• IPv6 packets transported from 6PE to 6PE over a Label Switch Path
• IPv6 addresses exist in the global table of PE routers only; IPv6 addresses are exchanged between 6PEs using an MP-BGP session
• Core uses IPv4 control plane (LDPv4, TEv4, IGPv4, MP-BGP)
• Benefits from MPLS features such as FRR, TE

Slide 27: 6VPE
(packet: IPv6 packet → [LDP label | VPN label | IPv6 packet] → IPv6 packet)
(figure: IPv6/IPv4 Network – CE1 – 6VPE1 (200.10.10.1) – P – P – 6VPE2 (200.11.11.1) – CE2 – IPv6/IPv4 Network over an MPLS IPv4 backbone; IPv4 VRFs carry 10.1.1.0/24, 10.1.2.0/24, 172.16.1.0/30, 172.16.3.0/30; IPv6 VRFs carry 2001:db8:beef:1::/64, 2001:db8:beef:2::/64, 2001:db8:cafe:1::/64, 2001:db8:cafe:3::/64)
• 6VPE uses the existing IPv4 MPLS infrastructure to provide IPv6 VPN
• Core uses IPv4 control plane (LDPv4, TEv4, IGPv4)
• PEs must support dual stack IPv4+IPv6
• Offers the same architectural features as MPLS-VPN for IPv4: RTs, VRFs, RDs are appended to IPv6 to form the VPNv6 address; MP-BGP distributes both VPN address families; the BGP next hop uses the IPv4-mapped IPv6 address format ::ffff:A.B.C.D
• A VRF can contain both VPNv4 and VPNv6 routes

Slide 28: 6VPE (continued)
(same packet format and figure as slide 27)
• For VPN customers, the IPv6 VPN service is exactly like the IPv4 VPN service
• 6PE is "like VPN" but prefixes are in the global table; 6VPE is a true VPN
• 6VPE enables services such as IPv6 VPN Access

Slide 29 (figure; "= new function" marks the new elements)
Public IPv4 Internet and Public IPv6 Internet at the top; IP NGN Backbone (6PE, 6VPE, Dual-Stack), v4/6, in the middle; access networks below, each with an IPv4 address sharing function.
Access network types (left to right): IPv4-only (BB, Mobile); IPv4-only (BB); Dual-Stack (BB, Mobile, Enterprise*); IPv6-only (BB); IPv6-only (BB); IPv6-only (BB, mobile, Enterprise*)
IPv4 address sharing functions: CGN; CGN/6rd; DS-Lite CGN; 4V6 (stateless); NAT64 CGN (stateful)
Customer IP: v4; v4; v4/6; v4/6; v6; v6

Slide 30
• CGv6 is a Cisco framework for moving to IPv6
• Support continued use of IPv4 after address exhaustion. Solutions: Carrier Grade NAT (Millions NAT44, NAT444). This is a short to medium term solution.
• Deliver interoperable IPv6 services. Objective: upgrade to IPv6 whilst co-existing with IPv4. Solutions: Dual-Stack, 6PE/6VPE, Translation (AFT)

Slide 31
• NAT – Network Address Translation
• NAPT – Network Address and Port Translation; "NAT" is often spoken/written instead of "NAPT"
• NAT44 – NA(P)T from IPv4 to IPv4 (the router in your home)
• NAT64 – NA(P)T from IPv6 to IPv4
• NAT46 – NA(P)T from IPv4 to IPv6
• NAT66 – NAT from IPv6 to IPv6
• CGN – Carrier Grade NAT, operated by an ISP
• NAT444 – a system of the subscriber's NAT44 and the ISP's CGN

Slide 32: Cisco CGSE
• CGSE – engine for massive Cisco CGv6 deployments: 20+ million active translations, 100s of thousands of subscribers, 1+ million connections per second, 20 Gb/s of throughput per CGSE
• CGN (NAT44/NAT64/6rd) also supported on Cisco ASR1k
• ASR1k Cisco CGv6 deployments (assumes ESP40 and RP2): 2+ million active translations, 200k sessions per second
(figure: Cisco CRS, 40G system throughput)

Slide 33: ISM
• Uses a line card slot – connects via fabric
• ISM supports 10 Gbps aggregate bandwidth
• 20M NAT44 translations (today)
• 15M NAT64 translations (planned)
• 1M sps

Slide 34: Stateless vs. Stateful translation
Stateless | Stateful
1:1 translation | N:1 translation
NAT | NAPT
Any protocol | TCP, UDP, ICMP
Helps ensure end-to-end address transparency and scalability | Uses address overloading; hence lacks end-to-end address transparency
No state or bindings created on the translation | State or bindings created on every unique translation
Session can be initiated from either side | Session must be initiated from the IPv6 side
Requires IPv4-translatable IPv6 address assignment (mandatory requirement) | No requirement for the characteristics of IPv6 address assignment
Requires either manual or Dynamic Host Configuration Protocol Version 6 (DHCPv6)-based address assignment for IPv6 hosts | Capability to choose any mode of IPv6 address assignment: manual, DHCPv6, or stateless address auto-configuration (SLAAC)
No IPv4 address savings (just like NAT) | Saves IPv4 addresses

Slide 35: NAT64/DNS64
(figure: IPv6-only clients – DNS64 – an IPv6-only network – Protocol Translator (NAT64) – Internet (dual stack); IPv6 on the client side, IPv4 on the Internet side)
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-676278.html

Slide 36: DNS64
• Synthesises AAAA records when AAAA are not present in the DNS, with the IPv6 prefix of the NAT64 translator
(figure: IPv6-only host → DNS64: AAAA?; DNS64 → Internet: AAAA? and A? (sent simultaneously); the AAAA query returns an empty answer, the A query returns 192.0.2.1; DNS64 → host: 2001:db8:6464::192.0.2.1)

Slide 37
• Works for applications that do DNS queries (http://www.example.com): well over 80% of applications
• Breaks for applications that don't do DNS queries (http://1.2.3.4; SIP, RTSP, H.323, etc. – IP address literals)
• Solutions: application-level proxy for IP address literals (HTTP proxy)
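The DNS64 behaviour of slide 36 and the literal-address failure of slide 37, as an added example (not code from the deck): synthesis of an AAAA record from an A record inside the NAT64 prefix, the reverse extraction the translator performs, and why an IPv4 literal in a URL gives an IPv6-only client nothing to connect to. The prefix 2001:db8:6464::/96 and the A answer 192.0.2.1 are the slide's; the zone contents and function names are constructed.

```python
"""DNS64 synthesis and the NAT64 address mapping behind it.

Added example, not code from the deck.  Only /96 NAT64 prefixes are handled
here (RFC 6052 also defines shorter prefix lengths with a different layout).
"""
import ipaddress


def synthesize_aaaa(nat64_prefix, ipv4_addrs):
    """Embed each IPv4 address in the low 32 bits of the /96 NAT64 prefix."""
    p = ipaddress.IPv6Network(nat64_prefix)
    if p.prefixlen != 96:
        raise ValueError("this example handles /96 NAT64 prefixes only")
    return [ipaddress.IPv6Address(int(p.network_address) | int(ipaddress.IPv4Address(a)))
            for a in ipv4_addrs]


def dns64_resolve(name, zone, nat64_prefix):
    """Resolver behaviour from slide 36: AAAA and A are asked for together;
    a real AAAA is returned as-is, otherwise one is synthesised from the A.
    Returns (addresses, synthesised?)."""
    rr = zone.get(name, {})
    if rr.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in rr["AAAA"]], False
    return synthesize_aaaa(nat64_prefix, rr.get("A", [])), True


def nat64_extract_ipv4(addr, nat64_prefix):
    """Translator side: recover the IPv4 destination, or None if the address
    is not in the NAT64 prefix (a native IPv6 destination, no translation)."""
    p = ipaddress.IPv6Network(nat64_prefix)
    a = ipaddress.IPv6Address(addr)
    if a not in p:
        return None
    return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)


def ipv6_only_client_target(host, zone, nat64_prefix):
    """Slide 37: a host name goes through DNS64 and works; an IPv4 literal in
    the URL never reaches the DNS, so the IPv6-only client has no address."""
    try:
        ipaddress.IPv4Address(host)
        return None                       # literal: nothing to synthesise from
    except ValueError:
        pass
    addrs, _ = dns64_resolve(host, zone, nat64_prefix)
    return str(addrs[0]) if addrs else None


# Constructed zone: an IPv4-only service and a dual-stack one
ZONE = {
    "www.example.com": {"A": ["192.0.2.1"]},
    "dual.example.com": {"A": ["192.0.2.2"], "AAAA": ["2001:db8::10"]},
}
NAT64_PREFIX = "2001:db8:6464::/96"

if __name__ == "__main__":
    for host in ("www.example.com", "dual.example.com", "192.0.2.1"):
        print(host, "->", ipv6_only_client_target(host, ZONE, NAT64_PREFIX))
```

One operational caveat this makes visible: a DNS64 answer is synthesised by the resolver, so a DNSSEC-validating stub that checks the AAAA itself will reject it; the validation has to happen on the DNS64 resolver, before synthesis.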

Slides 38–40 (slide 40 repeats the NAT64/DNS64 figure and white-paper link of slide 35)

Slide 41: Expo LAN (figure: NAT64 and NAT44, 100Gb links)

Slide 42: CRS / CGSE
(figure: CRS with CGSE; interfaces T0/1/0/0 (VRF NAT44) and T0/2/0/0 (Global); NAT64 on G0/6/3/0, Inside/Outside)
• CGv6: Translation (NAT44, NAT64)
• 20+ million active translations
• 1+ million connections per second
• 20 Gb/s of throughput per CGSE
• Above performance with NetFlow v9 enabled

Slide 43: Future, no rough consensus in IETF yet
(figure: IPv4-only private – CPE (stateful NAT44, port-restricted) – IPv6 + IPv4, stateless + v6 encaps – Gateway (IPv6) / BR relay – IPv4 public)
• 4RD (draft-despres-softwire-4rd-u) – header mapping from 4 to 6 (with fragment header)
• MAP-E (draft-mdt-softwire-map-encapsulation) – tunnelling 4 over 6
• Keep NAT44 on the CPE where it is today, just add port restriction to tackle the v4 exhaust
• Avoids a central stateful CGN
(figure: IPv4-only private – CPE (B4: no NAT, stateful v6 tunnelling) – IPv6 + IPv4 – Gateway (IPv6) – CGN44 (AFTR) – IPv4 public)
• DS-Lite (draft-ietf-softwire-dual-stack-lite) – it is available today (CRS/ASR9K, some CPEs)
• Removes NAT44 from the CPE where it is today and moves it to a central CGN
• Dumb tunnelling, no user-to-user v4 traffic (everything must go to the central AFTR)

Slide 44: ALGs
• In general ALGs should be avoided on SP-operated IPv4 address sharing vehicles. Why? Different application versions need different ALGs; ALGs from different vendors behave differently, tough upgrades; in case of a bug – which vendor is guilty? How long will it take to get a fix?
• ALG support on CGN: active FTP – although the vast majority use passive (e.g. measured 1% of ftp.cisco.com users employ active)
• ALGs work fine in the closed enterprise IT environment, but are ALGs desirable in the Internet?

Slide 45
iTunes, Google Maps, Playstation Network, Windows Live Messenger, iPhone App Store, Google Talk
Temporary exceptions (old protocols) – RTSPv1 (m.youtube.com) or MS PPTP

Slide 46: Symmetric NAT
• Firewalling behavior
• Often implemented on firewalls, CPE routers…
(figure: User-A 192.168.1.1/24 behind a NAT/PAT with NAT pool 140.0.0.1/24; User-B 150.0.0.1/24 and User-C 160.0.0.1/24 outside)
① User-A sends packets to User-B
② The NAT/PAT translates src-ip and src-port: 192.168.1.1:5000 → 140.0.0.1:6000
③ The PAT device generates a PAT entry such as below:
  Inside local       Inside global     Outside local     Outside global
  192.168.1.1:5000   140.0.0.1:6000    150.0.0.1:6000    150.0.0.1:6000
Symmetric NAT is …
• User-B (To: 140.0.0.1:6000) ○ – only User-B is translated to go into the inside network
• User-C (To: 140.0.0.1:6000) × – User-C cannot reach User-A

Slide 47: Full cone NAT
• Free NAT traversal requires "Full cone NAT"
• Full cone NAT is mentioned in RFC 3489 Section 5
• What is "Full cone NAT"?
(figure: same layout as slide 46)
① User-A sends packets to User-B
② The NAT/PAT translates src-ip and src-port: 192.168.1.1:5000 → 140.0.0.1:6000
③ The PAT device generates a PAT entry such as below (matches all!):
  Inside local       Inside global     Outside local   Outside global
  192.168.1.1:5000   140.0.0.1:6000    any             any
Full cone NAT is …
• User-B (To: 140.0.0.1:6000) ○ and User-C (To: 140.0.0.1:6000) ○ – not only User-B but also User-C can reach User-A

Slide 48: NAT mapping behaviours (notation: IP Address:Port Number)
Inside host X:100 talks to A:1000, B:2000 and B:2001 through a NAT with outside address Y.
Endpoint Independent:
  Inside   Outside   Dst
  X:100    Y:200     -        (one mapping for every destination)
Address Dependent:
  Inside   Outside   Dst
  X:100    Y:200     A:any
  X:100    Y:300     B:any
Address and Port Dependent:
  Inside   Outside   Dst
  X:100    Y:200     A:1000
  X:100    Y:300     B:2000
  X:100    Y:400     B:2001
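A small model of the NAT behaviours on slides 46 to 49, as an added example (not code from the deck): a NAPT whose mapping and filtering behaviour can be set to the RFC 4787 types, reproducing the slide 48 table, the User-B/User-C outcome for symmetric and full-cone NAT, and the STUN-assisted direct connection of slide 49. The addresses follow the slides (192.168.1.1, 140.0.0.1, 150.0.0.1, 160.0.0.1; X, Y, A, B); the outside ports 200/300/400, the STUN server address and the class and function names are constructed.

```python
"""NAPT mapping and filtering behaviours (RFC 4787 terms) from slides 46-49.

Added example, not code from the deck.  Mapping: endpoint-independent (EIM),
address-dependent (ADM), address-and-port-dependent (APDM).  Filtering:
EIF / ADF / APDF.  "Full cone" = EIM + EIF, "symmetric" = APDM + APDF.
Outside ports are handed out 200, 300, 400, ... to match the slide's table.
"""
from itertools import count


class Napt:
    def __init__(self, external_ip, mapping="EIM", filtering="EIF", first_port=200):
        self.ext_ip, self.mapping, self.filtering = external_ip, mapping, filtering
        self.ports = count(first_port, 100)
        self.table = []    # {"key", "inside": (ip,port), "outside": (ip,port), "dsts": set}

    def _key(self, inside, dst):
        """Which part of the destination decides whether a mapping is reused."""
        if self.mapping == "EIM":
            return (inside, None)
        if self.mapping == "ADM":
            return (inside, dst[0])
        return (inside, dst)                          # APDM

    def outbound(self, src, dst):
        """Inside src=(ip,port) sends to dst; returns the translated source."""
        key = self._key(src, dst)
        for e in self.table:
            if e["key"] == key:
                e["dsts"].add(dst)
                return e["outside"]
        outside = (self.ext_ip, next(self.ports))
        self.table.append({"key": key, "inside": src, "outside": outside, "dsts": {dst}})
        return outside

    def inbound(self, src, dst):
        """Outside src sends to the NAT's dst=(ip,port); returns the inside
        endpoint it is forwarded to, or None when the filter drops it."""
        for e in self.table:
            if e["outside"] != dst:
                continue
            if self.filtering == "EIF":
                return e["inside"]
            if self.filtering == "ADF" and any(d[0] == src[0] for d in e["dsts"]):
                return e["inside"]
            if self.filtering == "APDF" and src in e["dsts"]:
                return e["inside"]
        return None


FULL_CONE = {"mapping": "EIM", "filtering": "EIF"}
SYMMETRIC = {"mapping": "APDM", "filtering": "APDF"}


def mapping_table(mapping):
    """Slide 48: X:100 talks to A:1000, B:2000, B:2001; return the outside ports used."""
    nat = Napt("Y", mapping=mapping)
    return [nat.outbound(("X", 100), d)[1] for d in (("A", 1000), ("B", 2000), ("B", 2001))]


def user_c_reaches_user_a(kind):
    """Slides 46/47: User-A 192.168.1.1:5000 talks to User-B through NAT pool
    140.0.0.1; returns (mapping, User-B can reply, User-C can reach 140.0.0.1:6000)."""
    nat = Napt("140.0.0.1", first_port=6000, **kind)
    mapped = nat.outbound(("192.168.1.1", 5000), ("150.0.0.1", 6000))
    b_ok = nat.inbound(("150.0.0.1", 6000), mapped) == ("192.168.1.1", 5000)
    c_ok = nat.inbound(("160.0.0.1", 6000), mapped) == ("192.168.1.1", 5000)
    return mapped, b_ok, c_ok


def direct_after_stun(kind):
    """Slide 49: both peers learn their translated (ip, port) from a STUN server,
    then send to each other's translated address; True if both directions pass."""
    stun = ("S", 3478)
    nat_a, nat_b = Napt("YA", **kind), Napt("YB", **kind)
    a, b = ("XA", 100), ("XB", 100)
    refl_a, refl_b = nat_a.outbound(a, stun), nat_b.outbound(b, stun)   # steps 1 and 2
    src_a, src_b = nat_a.outbound(a, refl_b), nat_b.outbound(b, refl_a)  # step 3
    return nat_b.inbound(src_a, refl_b) == b and nat_a.inbound(src_b, refl_a) == a


if __name__ == "__main__":
    for m in ("EIM", "ADM", "APDM"):
        print(m, mapping_table(m))
    print("symmetric:", user_c_reaches_user_a(SYMMETRIC), "full cone:", user_c_reaches_user_a(FULL_CONE))
    print("STUN direct: full cone", direct_after_stun(FULL_CONE), "symmetric", direct_after_stun(SYMMETRIC))
```

The model makes the trade-off on slide 50 concrete: endpoint-independent mapping and filtering is what lets STUN-style traversal work through a CGN with no ALG, and it is also why a CGN configured that way must not be relied on as a firewall, since any outside host can reach an open mapping.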

Slide 49: NAT traversal with EIM/EIF (Full Cone NAT)
• Requirement: endpoint independence on ALG/fixups, maximum application transparency
1) User-A connects to the STUN server; User-B connects to the STUN server
2) The STUN server returns User-A's translated (src-ip, src-port) to User-B and User-B's translated (src-ip, src-port) to User-A
3) User-A and User-B can communicate with each other directly through their NATs
* source: RFC 4787, RFC 5382, RFC 5508

Slide 50
• New IP infrastructure element: separate "infrastructural necessity" from services (firewalling, etc.); no ALGs, no firewalling behavior
• Focus on: transparency – keep just the necessary, endpoint independence; scale & performance – minimal cost; IPv6 preparation – NAT64, 6rd, etc.
• IETF BEHAVE working group: Behavior Engineering for Hindrance Avoidance → the IETF target is to promote IPv6, not to prolong IPv4 forever

Slide 51: logging and data analytics
• Destination based logging: keep and log destination IP:port
• Usage: servers that do not log the port (Apache default); data analytics (full NetFlow-like info)

Slide 52
Tip: IsarFlow – tested CGN NFv9 collector
Add Event, Template 271 (27 B):
  Field ID   Attribute                       Value
  234        Incoming VRF ID                 32-bit ID
  235        Outgoing VRF ID                 32-bit ID
  8          Source IP Address               IPv4 address
  225        Translated Source IP Address    IPv4 address
  7          Source Port                     16-bit port
  227        Translated Source Port          16-bit port
  12         Destination Address             IPv4 address
  11         Destination Port                16-bit port
  4          Protocol                        8-bit value
NAT44: Add Event, Template 271 (27 B); Delete Event, Template 272 (17 B)
NAT64: Add Event, Template 260 (47 B); Delete Event, Template 261 (37 B)

Slide 53
• Implementation: when a subscriber creates the first connection, N contiguous outside ports are pre-allocated (additional connections ≤ N will use one of the pre-allocated ports)
• A bulk-allocation message is logged for the port range; bulk-delete is logged if there are no more sessions in this range

• Problem: bulk port allocation may break TCP port randomization
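The CGN logging material of slides 51 to 53, as an added example (not code from the deck or from any collector): a packer/unpacker for a record laid out like the NAT44 Add Event template (ID 271, 27 bytes) on slide 52 with a destination-based lookup, and a model of bulk port allocation that logs one record per port block and shows why that shrinks the source-port range an outside observer sees. The field list and widths are the slide's; the IP addresses, ports, VRF values, block size and all names are constructed.

```python
"""CGN logging: NAT44 add-event records and bulk port allocation.

Added example, not code from the deck.  Part 1 packs/unpacks a record with
the field layout of the NAT44 "Add Event" template (ID 271, 27 bytes) on
slide 52 so a collector can answer "which subscriber held translated
address:port P towards destination D" (destination-based logging).  Part 2
models bulk port allocation: one log record per pre-allocated port block
instead of one per session.  All sample values are constructed.
"""
import ipaddress
import random
import struct
from collections import namedtuple

# Template 271 field order from the slide: (element ID, name, struct format)
NAT44_ADD_FIELDS = [
    (234, "in_vrf", "I"), (235, "out_vrf", "I"),
    (8, "src_ip", "4s"), (225, "xlat_src_ip", "4s"),
    (7, "src_port", "H"), (227, "xlat_src_port", "H"),
    (12, "dst_ip", "4s"), (11, "dst_port", "H"), (4, "protocol", "B"),
]
NAT44_ADD_FMT = "!" + "".join(f for _, _, f in NAT44_ADD_FIELDS)   # 27 bytes on the wire
Nat44AddEvent = namedtuple("Nat44AddEvent", [n for _, n, _ in NAT44_ADD_FIELDS])


def encode_add_event(ev):
    """Pack one record; IPv4 fields are given as dotted strings."""
    vals = [ipaddress.IPv4Address(v).packed if f == "4s" else v
            for (_, _, f), v in zip(NAT44_ADD_FIELDS, ev)]
    return struct.pack(NAT44_ADD_FMT, *vals)


def decode_add_event(data):
    vals = struct.unpack(NAT44_ADD_FMT, data)
    return Nat44AddEvent(*[str(ipaddress.IPv4Address(v)) if f == "4s" else v
                           for (_, _, f), v in zip(NAT44_ADD_FIELDS, vals)])


def find_subscriber(events, xlat_ip, xlat_port, dst_ip, dst_port, protocol=6):
    """Abuse reports name the translated source and the destination; the
    destination has to be in the log because many servers never log the port."""
    for e in events:
        if (e.xlat_src_ip, e.xlat_src_port, e.dst_ip, e.dst_port, e.protocol) == \
                (xlat_ip, xlat_port, dst_ip, dst_port, protocol):
            return (e.src_ip, e.src_port)
    return None


# Constructed sample log: two subscribers sharing one translated address
SAMPLE_EVENTS = [
    Nat44AddEvent(0, 0, "10.1.1.7", "203.0.113.10", 40123, 6000, "198.51.100.5", 80, 6),
    Nat44AddEvent(0, 0, "10.1.1.8", "203.0.113.10", 51000, 6001, "198.51.100.5", 80, 6),
]


class BulkPortAllocator:
    """Pre-allocates N contiguous outside ports per subscriber (slide 53)."""

    def __init__(self, external_ip, block_size=64, port_range=(1024, 65535), seed=1):
        self.ext_ip, self.n = external_ip, block_size
        self.rng = random.Random(seed)            # seeded so the demo is reproducible
        lo, hi = port_range
        self.free_blocks = list(range(lo, hi - block_size + 2, block_size))
        self.rng.shuffle(self.free_blocks)
        self.blocks = {}   # subscriber -> {"start": first port, "used": set(ports)}
        self.log = []      # one BULK-ALLOC / BULK-DELETE record per block

    def new_session(self, subscriber):
        b = self.blocks.get(subscriber)
        if b is None:                             # first connection: allocate a block
            if not self.free_blocks:
                raise RuntimeError("port pool exhausted")
            start = self.free_blocks.pop()
            b = self.blocks[subscriber] = {"start": start, "used": set()}
            self.log.append(("BULK-ALLOC", subscriber, self.ext_ip, start, start + self.n - 1))
        free = [p for p in range(b["start"], b["start"] + self.n) if p not in b["used"]]
        if not free:
            raise RuntimeError("block exhausted; a real CGN would allocate another block")
        port = self.rng.choice(free)              # random only *within* the block
        b["used"].add(port)
        return (self.ext_ip, port)

    def end_session(self, subscriber, port):
        b = self.blocks[subscriber]
        b["used"].discard(port)
        if not b["used"]:                         # last session gone: release and log
            self.log.append(("BULK-DELETE", subscriber, self.ext_ip, b["start"], b["start"] + self.n - 1))
            self.free_blocks.append(b["start"])
            del self.blocks[subscriber]


def port_spread(ports):
    """Range an observer sees for one subscriber's ports: with bulk allocation
    it stays below block_size, far less than the 64k a randomising host expects."""
    return max(ports) - min(ports)
```

port_spread is the "problem" bullet in numbers: the host may randomise its source port over the whole 16-bit space, but after translation everything it sends within one block is confined to N consecutive ports, so the per-session log saving is paid for with a narrower port space that an off-path guesser has to search.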

Slide 54: The "One-Stack" View (figure; axes: Cost/Complexity, Operations, Deployment; "Where we are right now" → "Being asked to go here next")
Labels recovered from the figure (grouping reconstructed from the extracted layout):
• Dual-Stack: One Network; Addresses Run-Out
• Dual-Stack Lite: One Network; SP-class XLAT; IPv6 is the transition vehicle for 6-4 and 4-6-4 cases
• Stateless 6rd: enables IPv6 connectivity over IPv4 infra
• Stateful NAT64 CGN: Two Networks!!; Big CGN in IPv6 network; IPv6 can't talk to IPv4
• Stateless 4o6/4RD; NAT64/DIVI
• IPv4 Majority → IP in IPv6 Operator Network

Slide 55
• World IPv6 Launch – 6/6/12
• IPv4 exhaust → business continuity
• CGN role and definition
• CGN performance – SPS, # of sessions, logging
• Dual-stack in mobile and wireline networks
• NAT64 – avoiding dual-stack

Slide 56
• Twitter www.twitter.com/CiscoCZ
• Talk2Cisco www.talk2cisco.cz/dotazy
• SMS 721 994 600
• We invite you to "Ptali jste se…" ("You asked…", the Q&A session) in hall LEO: day 1 17:45 – 18:30, day 2 16:30 – 17:00

Slide 57: SP2 / L2
Please rate this talk.