5/24/2018 Carrier Grade NAT
1/111
2010 Cisco and/or its affiliates. All rights reserved. 1
Carrier-Grade NAT: IPv4 Exhaust and IPv6 Transition in Internet
Josef Ungerman
Cisco, CCIE#6167
-
Motivation
World IPv6 Launch 6/6/2012
Carrier-Grade NAT
Definition and design
Dual-stack
v4v6, v6-only, NAT64, 464
IPv6 in Mobile
Role in 3G and EPS
IPv6 in Wireline
PPPoE and IPoE sessions
Cisco CGN Products
ASR1000, ASR5000, ASR9000, CRS
-
[Chart: RIR Pool and IANA Pool address consumption; marked dates Feb 3, 2011 and Feb 6, 2012]
-
Mar 23, 2011: $11.25 per IPv4 address
http://blog.internetgovernance.org/blog/_archives/2011/3/23/4778509.html
Need for SIDR (Secure Inter-Domain Routing)
Distributed database and RPKI infrastructure for verifying prefix origin AS with the RIR
-
Internet v6 Content
YouTube goes IPv6 - DE-CIX: 30x increase
Google is 1/10th of the Internet
Netflix Video surpasses p2p in the US (29.7%)
NIX.CZ, NIC.CZ: World IPv6 Day (June 8, 2011), ca. 70,000 domains with AAAA
-
What was it? A single day (24 hrs) where major content providers advertised an AAAA DNS record for their production service (e.g. www.cisco.com, www.facebook.com); coordinated by the Internet Society
Who participated?
Google, Facebook, Yahoo!, Akamai, Cisco, Limelight Networks were among 434 participants that offered content from their main websites over IPv6 for a 24-hour "test drive". Cross-industry community effort: http://www.worldipv6day.org/participants/index.html
Why do this?
Demonstrates commercial viability of IPv6; helps identify areas of improvement in IPv6 functionality
What happened? Nothing!
Only isolated issues reported
>3% of v6 traffic in v6-enabled countries like France
-
Example: Y! 2.2M users served over IPv6, 10 support calls
Example: Akamai 8M requests during W6D
Example: AAAA to everyone (incl. 2.5M FB-Connect websites)
-
What is it? www.worldipv6launch.org ; coordinated by the Internet Society
W6L: Turn it on, leave it on.
Since 6/6/12, IPv6 becomes part of regular business!
Who will turn on IPv6 AAAA forever? Google, Facebook, Yahoo!, Akamai, Microsoft
CPE vendors: Cisco, D-Link
Practical support: http://www.internetsociety.org/deploy360/
V6 World Congress, Feb 2012. Motto links to W6L: Open The Floodgates
-
strategy alignment example
-
IPv6 drivers
National IPv6 Strategies
Compliance: U.S. Federal Mandate, IPv6 task force
Next Generation Internet (CNGI) project in China and Japan
European Commission Recommendation
IPv4 Address Space Completion
Public or private space
Limiting network expansion and putting business continuity at risk
Introducing operational challenges
Infrastructure Evolution
Next generation network architectures require IPv6
DOCSIS 3.0, Quad Play, Mobile SP
Networks in Motion
Networked Sensors, i.e.: AIRS
IPv6 in Client Software
IPv6 on in Microsoft Vista
Sensor Networks, Apple's Back to My Mac
v6 over v4 OTT tunnel providers
-
Characteristic | Reason | Example
Infrequent Use | Maintaining NAT bindings for rare-occurrence events is inefficient | Earthquake Warning service (NTT IPv6); Smoke detectors: 6LoWPAN
Universal Connectivity | Reachability of devices in the home | Dozens of IPv6 tunnel brokers = unconstrained
Peer-to-peer, Green Network | A PC with many networked applications sends many keep-alives; each needs power across the network | Skype for iPhone drains batteries from the application via data-plane keep-alive
Scalable/Green Data Center | Persistent client/server transport connection is needed to keep NAT open | Facebook IM long polling
High bit Rate + NAT | Smaller SP margin per bit for AFT vs competitors without that cost | Netflix On-Demand supports IPv6; Google 1/10th of Internet traffic
FCB Internet: Faster, Cleaner, Better.
-
[Figure: IPv4-to-IPv6 transition paths. Columns: IPv4 Private IP, 6 over 4, 4 + 6, 4 over 6, All IPv6. Legend: IPv4, Private IP, IPv6. Technologies shown: CGN (NAT44), Dual Stack, DS-Lite, 6PE, 6rd, MIP, PPP, NAT64, 4rd, dIVI/MAP-T. Phases: Preserve, Prepare, Prosper]
Dual-stack variations: CGNv4 needed anyway.
-
Motivation
World IPv6 Launch 6/6/2012
Carrier-Grade NAT
Definition and design
Dual-stack
v4v6, v6-only, NAT64, 464
IPv6 in Mobile
Role in 3G and EPS
IPv6 in Wireline
PPPoE and IPoE sessions
Cisco CGN Products
ASR1000, ASR5000, ASR9000, CRS
-
Courtesy of Jason Fesler, Yahoo (V6 World Congress 2012)
-
Public IPv4 Deployment
Public IPv4 addresses used in Transport Network
Public IPv4 addresses used on Handset for Service access
Declining Adoption
-
NAT44: Central Large Scale NAT44
Limited IPv4 life extension
SP operates non-overlapping private address space
UE obtains an IPv4 address from the private SP address space
CGN/CGv6 performs NAT(P)44 with high scalability
Many UEs are serviced by fewer public IP addresses on the LSN; it dynamically reuses the available pool of public IP address/port bindings
[Figure: UE (private IPv4) - eNB - SGW - PGW - CGN/CGv6 (Large Scale NAT44) - public IPv4]
Private IPv4 address assigned to UE
Public IPv4 address/port assigned by CGN
IPv4 user plane with 3GPP-defined tunneling: GTP, PMIP/GRE, IPsec
v4 core network: native IPv4
v4 user plane: native IPv4 forwarding to/from CGN
Large Scale NAT44: O(10G) throughput, O(20M) bindings, some subscriber awareness
Evolution of current NAT solutions: ~70% of all mobile operators leverage NAT44
Many deployments implement NAT44 on Enterprise-Class Firewalls: scale & throughput challenges
-
Multiple customers multiplexed behind an SP-managed NAT device (a Large Scale NAT)
LSN44 multiplexes several customers onto the same public IPv4 address
Each customer has a unique private IPv4 address
NAT44 can be deployed as a centralized or distributed function.
CPE-based NAT44 + LSN44 = NAT444 solution
[Figure: Home Gateway (NAT44, IPv4-Private) - Access Node - BRAS (AAA) - CGN (NAT44, IPv4-Private) - IPv4 Internet]
-
Most broadband users are behind NAT today!
NAT
First described in 1991 (draft-tsuchiya-addrtrans), RFC1631
1:1 translation: does not conserve IPv4 addresses
Per-flow stateless
Today's primary use is inside enterprise networks
Connect overlapping RFC1918 address space
Note: NAT66 is stateful or stateless, but it is not NAPT
NAPT
Described in 2001 (RFC3022)
1:N translation
Conserves IPv4 addresses
Allows multiple hosts to share one IPv4 address
Only TCP, UDP, and ICMP
Connection has to be initiated from inside
Per-flow stateful
Commonly used in home gateways and enterprise NAT
When people say NAT, they typically mean NAPT
NAT44 is used to differentiate IPv4-IPv4 NAPT from Address Family Translation, typically referred to as NAT64 and NAT46
-
Courtesy of Jason Fesler, Yahoo (V6 World Congress 2012)
-
CGN = IP Address Sharing
Inherent issues: draft-ford-shared-addressing-issues
Servers must also log source port numbers (draft-ietf-intarea-server-logging-recommendations)
Shared IP address = shared suffering: blacklisting, spam, ...
Tracking and Law Enforcement
Requesting specific ports: not everyone can get port 80
Geo-location issues (get me the nearest ATM)
Complicates inbound access to media
Keepalives: power consumption, mobile battery drain
Adds transport cost [$/Gbps]
http://tools.ietf.org/html/draft-ietf-intarea-server-logging-recommendations-04
-
ALG (Application Layer Gateway): L3, L4, L7
Fixup for applications that have problems with Firewall (and Symmetric NAT): no inbound connections (media, p2p, ...)
No problem with Full Cone NAT (ALG not needed)
Fixups for NAT-unaware applications
Applications that embed the IP address in the payload or use it as user identity (did the developers respect the OSI model?)
Old applications, enterprise-oriented applications
No ALGs for many applications
Encrypted or integrity-protected protocols, e.g. SIP over TLS, HTTPS://1.2.3.4 (with IPv4 address literal), ...
Modern Internet apps work fine through NAT/FW
Why does the world use Skype and not SIP?
[Figure: FW/NAT with SIP ALG between the inside host and the Internet, rewriting the SDP m=/c= lines from 10.1.1.1/1234 to 161.44.1.1/5678]
-
Operational headache
Undefined performance impact, numerous DoS attack vectors
Different application versions need different ALGs
Extensions, deviations, e.g. Microsoft NetMeeting differs from Polycom H.323
ALGs from different vendors behave differently, tough upgrades
In case of a bug, which vendor is guilty? How long will it take to get a fix?
Regulatory issues
ISPs can't sniff/modify Over The Top application data using ALGs
e.g. break location awareness in Vonage emergency calls
e.g. break RTSP media streaming from NetFlix or Amazon
ALG interference with NAT traversal techniques (SIP ICE, RTSP mmusic, ...)
ALGs work fine in the closed Enterprise IT environment, but are ALGs desirable in the Internet?
Are there any NAT-unaware Internet apps yet?
-
iTunes, Windows Live Messenger, GoogleMaps, Playstation Network, GoogleTalk, iPhone AppStore
Temporary exceptions (old protocols): RTSPv1 (m.youtube.com) or MS PPTP
-
Symmetric NAT
Firewalling behavior
Often implemented on Firewalls, CPE routers
Setup: User-A 192.168.1.1/24 (inside), NAT POOL 140.0.0.1/24, User-B 150.0.0.1/24 and User-C 160.0.0.1/24 (outside)
User-A sends packets to User-B; the PAT device generates a PAT entry such as below.
Translates src-ip and src-port 192.168.1.1:5000 -> 140.0.0.1:6000
Inside local | Inside global | Outside local | Outside global
192.168.1.1:5000 | 140.0.0.1:6000 | 150.0.0.1:6000 | 150.0.0.1:6000
User-B is only translated to go into the inside network.
User-C can not reach User-A: both User-B and User-C send to 140.0.0.1:6000, but only User-B matches the entry.
-
Full cone NAT
Free NAT traversal requires Full cone NAT.
Full cone NAT is mentioned in RFC3489 Section 5.
What is Full cone NAT?
Setup: User-A 192.168.1.1/24 (inside), NAT POOL 140.0.0.1/24, User-B 150.0.0.1/24 and User-C 160.0.0.1/24 (outside)
User-A sends packets to User-B; the PAT device generates a PAT entry such as below.
Translates src-ip and src-port 192.168.1.1:5000 -> 140.0.0.1:6000
Inside local | Inside global | Outside local | Outside global
192.168.1.1:5000 | 140.0.0.1:6000 | any | any
Not only User-B but also User-C can reach User-A: anything sent to 140.0.0.1:6000 matches the entry ("Match all!").
-
Mapping behavior (notation IP Address:Port Number). Inside host X:100 talks to outside hosts A:1000, B:2000 and B:2001 through a NAT with external address Y:
Endpoint Independent
Inside | Outside | Dst
X:100 | Y:200 | -
Address Dependent
Inside | Outside | Dst
X:100 | Y:200 | A:any
X:100 | Y:300 | B:any
Address and Port Dependent
Inside | Outside | Dst
X:100 | Y:200 | A:1000
X:100 | Y:300 | B:2000
X:100 | Y:400 | B:2001
-
Filtering behavior (notation IP Address:Port Number). Inside host X:100 is mapped to Y:200; outside hosts A:1000, A:1001 and B:2000 send to Y:200:
Endpoint Independent
Inside | Outside | from
X:100 | Y:200 | -
Address Dependent
Inside | Outside | from
X:100 | Y:200 | A
Address and Port Dependent
Inside | Outside | from
X:100 | Y:200 | A:1000
-
NAT classification matrix: Mapping behavior (Independent, Address Dependent, Address:Port Dependent) against Filtering behavior (Independent, Address Dependent, Address:Port Dependent)
Named cells: Full Cone NAT, Address Restricted NAT, Port Restricted NAT, Symmetric NAT
Devices placed in the matrix: CGN, IOS Router, Linksys WRT610N, IOS Router (enable-sym-port)
Classic STUN: Simple Traversal of UDP through NAT (RFC3489); now: Session Traversal Utilities for NAT (RFC5389)
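The mapping and filtering behaviors of the preceding slides, as an added simulation (not code from the deck): a toy NAPT configurable as Endpoint-Independent (EI), Address-Dependent (AD) or Address-and-Port-Dependent (APD) for both dimensions, using the deck's X:100 / Y / A:1000 / B:2000 / B:2001 notation. External ports are handed out sequentially from 200, which is an assumption of this example.

```python
"""RFC 4787 NAT mapping and filtering behaviours, simulated (added example)."""
from dataclasses import dataclass, field
from itertools import count

EI, AD, APD = "endpoint-independent", "address-dependent", "address-and-port-dependent"


@dataclass
class Mapping:
    inside: tuple             # (ip, port) of the internal endpoint
    outside: tuple            # (ip, port) allocated on the NAT's external side
    dst_key: object           # None (EI), (dst_ip,) (AD) or (dst_ip, dst_port) (APD)
    peers: set = field(default_factory=set)  # destinations already contacted through this mapping


class Nat:
    def __init__(self, external_ip, mapping=EI, filtering=EI, first_port=200):
        self.external_ip = external_ip
        self.mapping_behaviour = mapping
        self.filtering_behaviour = filtering
        self.table = []
        self._ports = count(first_port)   # assumption: sequential external ports

    @staticmethod
    def _key(behaviour, dst):
        if behaviour == EI:
            return None
        if behaviour == AD:
            return (dst[0],)
        return tuple(dst)

    def outbound(self, src, dst):
        """Inside endpoint `src` sends to `dst`: reuse or create a mapping, return its external (ip, port)."""
        key = self._key(self.mapping_behaviour, dst)
        for m in self.table:
            if m.inside == src and m.dst_key == key:
                m.peers.add(dst)
                return m.outside
        m = Mapping(src, (self.external_ip, next(self._ports)), key, {dst})
        self.table.append(m)
        return m.outside

    def inbound(self, src, dst):
        """Outside endpoint `src` sends to external `dst`: the inside endpoint, or None if filtered."""
        for m in self.table:
            if m.outside != dst:
                continue
            if self.filtering_behaviour == EI:
                return m.inside
            if self.filtering_behaviour == AD and any(p[0] == src[0] for p in m.peers):
                return m.inside
            if self.filtering_behaviour == APD and src in m.peers:
                return m.inside
        return None  # unsolicited packet dropped (firewalling behaviour)


def full_cone_reachable_by_third_party():
    """Slide 26: with EIM/EIF, a host X:100 never talked to (B:2000) can still reach X through Y:200."""
    nat = Nat("Y", mapping=EI, filtering=EI)
    ext = nat.outbound(("X", 100), ("A", 1000))
    return ext, nat.inbound(("B", 2000), ext)


def symmetric_blocks_third_party():
    """Slide 25: APD mapping + APD filtering (symmetric NAT): one mapping per destination,
    and only that destination may send back through it."""
    nat = Nat("Y", mapping=APD, filtering=APD)
    to_a, to_b, to_b2 = (nat.outbound(("X", 100), d) for d in (("A", 1000), ("B", 2000), ("B", 2001)))
    return to_a, to_b, to_b2, nat.inbound(("B", 2000), to_a), nat.inbound(("A", 1000), to_a)


def mapping_tables():
    """Slide 27: the external endpoints X:100 gets for A:1000, B:2000, B:2001 under each mapping behaviour."""
    result = {}
    for behaviour in (EI, AD, APD):
        nat = Nat("Y", mapping=behaviour)
        result[behaviour] = [nat.outbound(("X", 100), d) for d in (("A", 1000), ("B", 2000), ("B", 2001))]
    return result
```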
-
FTP PASV: data connection always to the server
ICE, STUN, TURN
NAT EIM/EIF: intelligence in the endpoint
Useful for offer/answer protocols (SIP, XMPP, probably more); standardized in MMUSIC and BEHAVE
RTSPv1: effectively replaced with Flash over HTTP
RTSPv2: ICE-like solution
Skype: encrypted and does its own NAT traversal
Port 80/443 apps
STUN: Session Traversal Utilities for NAT, RFC 5389; ICE: Interactive Connectivity Establishment, RFC 5245; TURN: Traversal Using Relays around NAT, RFC 5766
-
With EIM/EIF (Full Cone NAT)
Requirement: Endpoint Independence, no ALG/fixups, maximum application transparency
Use Case Example: This is for Session Traversal Utilities for NAT (STUN, ICE) and is used by P2P apps to advertise themselves such that others can contact them from outside-in
* source: RFC4787, RFC5382, RFC5508
[Figure: User-A and User-B each behind a NAT, with a STUN Server on the Internet]
1) User-A connects to the STUN Server; User-B connects to the STUN Server
2) The STUN Server returns User-A's translated (src-ip, src-port) to User-B and User-B's translated (src-ip, src-port) to User-A
3) User-A and User-B can communicate with each other directly.
-
Session Traversal Utilities for NAT RFC 5389
Request/response protocol, used by:
STUN itself (to learn IP address)
ICE (for connectivity checks)
TURN (to configure TURN server)
The response contains IP address and port of request
Runs over UDP (typical) or TCP, port 3478
Think http://whatismyip.com
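The Binding exchange described on this slide, as an added example (not part of the deck): build an RFC 5389 Binding Request, build the Binding Success Response a server would send for the reflexive source it saw, and decode XOR-MAPPED-ADDRESS on the client side. The addresses (User-A 192.168.1.1:5000 mapped to 140.0.0.1:6000) are the constructed values from the deck's PAT example; only IPv4 is handled.

```python
"""Minimal RFC 5389 STUN Binding request/response (added example)."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def binding_request(txid=None):
    """20-byte STUN header: type, message length, magic cookie, 96-bit transaction id."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def binding_response(request, reflexive_ip, reflexive_port):
    """What the STUN server answers: the (ip, port) it saw as source, XOR-ed with the magic
    cookie so that NATs/ALGs that rewrite literal addresses in payloads do not corrupt it."""
    mtype, _, cookie = struct.unpack("!HHI", request[:8])
    if mtype != BINDING_REQUEST or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding Request")
    txid = request[8:20]
    xport = reflexive_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(reflexive_ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, xport, xaddr)
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_mapped_address(response, expected_txid):
    """Client side: check header and transaction id, return the (ip, port) the NAT mapped us to."""
    mtype, length, cookie = struct.unpack("!HHI", response[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding Success Response")
    if response[8:20] != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed response)")
    body, pos = response[20:20 + length], 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)   # attributes are padded to 32-bit boundaries
        if atype == XOR_MAPPED_ADDRESS:
            _, family, xport, xaddr = struct.unpack("!BBHI", value)
            if family != FAMILY_IPV4:
                raise ValueError("only IPv4 handled in this example")
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


def behind_nat(local_ip, local_port, mapped):
    """The whatismyip check: a mapped address that differs from the local socket means a NAT is in the path."""
    return (local_ip, local_port) != mapped


def demo():
    """User-A (192.168.1.1:5000) learns that the NAT presents it as 140.0.0.1:6000 (constructed values)."""
    txid = b"\x01" * 12
    req = binding_request(txid)
    resp = binding_response(req, "140.0.0.1", 6000)
    mapped = parse_mapped_address(resp, txid)
    return mapped, behind_nat("192.168.1.1", 5000, mapped)
```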
-
Interactive Connectivity Establishment RFC 5245
Procedure for optimizing media flows
Defines SDP syntax to indicate candidate addresses
Uses STUN messages for connectivity checks, sent to the RTP peer using the same ports as RTP
First best path wins
Basic steps:
1. Gather all my IP addresses
2. Send them to my peer
3. Do connectivity checks
Examples: Google chat (XMPP), Microsoft MSN (SIP inside of XML), Yahoo (SIP), Counterpath softphone (SIP)
-
Traversal Using Relays around NAT RFC 5766
Media relay protocol and media relay server
Only used when:
Both endpoints are behind Address and Port-Dependent Filtering NATs (rare, about 25% of NATs), or
One endpoint doesn't implement ICE and is behind an Address and Port-Dependent Filtering NAT
-
New IP infrastructure element: separate the infrastructural necessity from services (firewalling, etc.)
No ALGs, no firewalling behavior
Focus on:
Transparency: keep just the necessary, endpoint independence
Scale & performance: minimal cost
Security: logging, port limits
IPv6 preparation: NAT64, 6RD, etc.
IETF BEHAVE working group: Behavior Engineering for Hindrance Avoidance
IETF target is to promote IPv6, not to prolong IPv4 forever
-
RFC4787 (July 2007)
A CGN is defined by constrained behavior:
NAT Behavior Compliance (RFC4787, RFC5382, RFC5508)
Endpoint Independent Mapping and Filtering (Full Cone NAT)
Paired IP address pooling behavior
Port parity preservation for UDP
Hairpinning behavior
Static port forwarding (PCP)
Current ALGs: RTSPv1, sometimes PPTP
Management
Port limit per subscriber
Mapping refresh
NAT logging
Redundancy (intra-box Active/Standby, inter-box Active/Active)
-
Paired (recommended): use the same external IP address mapping for all sessions associated with the same internal IP address
Some peer-to-peer applications don't negotiate the IP address for multiple sessions (e.g. apps that are not able to negotiate the IP address for RTP and RTCP separately)
Inside | Outside
X:100 | A:200
X:101 | A:201
X:102 | A:202
Y:100 | B:200
Y:101 | B:201
Y:102 | B:202
[Figure: inside host X (ports 100-102) always mapped to external address A, inside host Y (ports 100-102) always mapped to external address B]
-
Use Case (hairpinning): allow communications between two endpoints behind the same NAT when they are trying each other's external IP addresses
Inside | Outside
X:100 | A:200
Y:100 | B:200
Notation: X:100 = IPv4 address:Port*
*TCP/UDP port or Query ID for ICMP
-
Requirement: ability to configure a fixed private (internal) IP address:port associated with a particular subscriber while the CGN allocates a free public IP address:port
Future: PCP (Port Control Protocol) for users
Delegate port numbers to requesting applications/hosts to avoid the requirement for ALGs
draft-ietf-pcp-base
Option 1: Handset/Host with PCP client, speaking PCP to the PCP Server
Option 2: PCP client on the CPE (PCP client, UPnP IGD proxy, NAT-PMP proxy): hosts use NAT-PMP or UPnP IGD towards the CPE, the CPE speaks PCP to the PCP Server
http://tools.ietf.org/html/draft-ietf-pcp-base-12
-
No Port Overloading
A NAT must not have a "Port assignment" behavior of "Port overloading" (i.e. use port preservation even in the case of collision). Most applications will fail if this is used.
Port Parity Preservation
An even port will be mapped to an even port, and an odd port will be mapped to an odd port. This behavior respects the [RFC3550] rule that RTP use even ports and RTCP use odd ports.
Port Limit Per Subscriber
Configurable port limit per subscriber for the system (includes TCP, UDP and ICMP). NAT security: DoS attack/virus exhaustion prevention.
* source: RFC4787, RFC5382
-
Example: GoogleMaps with max 30 connections. Example/slides courtesy of NTT; see also Hiroshi Esaki: www2.jp.apan.net/meetings/kaohsiung2009/presentations/ipv6/esaki.ppt
-
Courtesy of NTT, see also Hiroshi Esaki:
www2.jp.apan.net/meetings/kaohsiung2009/presentations/ipv6/esaki.ppt
See also An Experimental Study of Home Gateway Characteristics:
https://fit.nokia.com/lars/papers/2010-imc-hgw-study.pdf
http://www.ietf.org/proceedings/78/slides/behave-8.pdf
Source: Application behaviors in terms of port/session consumption on NAT: http://opensourceaplusp.weebly.com/experiments-results.html
-
IOS XR: per CGN instance, default is 100
service cgn CGN1
 portlimit 300
RP/0/RP0/CPU0:R#show cgn demo stat sum
Statistics summary of cgn: 'demo'
Number of active translations: 86971
Translations create rate: 0
Translations delete rate: 0
Inside to outside forward rate: 101
Outside to inside forward rate: 4
Inside to outside drops port limit exceeded: 5
Inside to outside drops system limit reached: 0
Inside to outside drops resource depletion: 0
Outside to inside drops no translation entry: 6216513
Pool address totally free: 507
Pool address used: 69
XR: When the port limit is exceeded, the packet is dropped and an ICMP Type 3 (Destination Unreachable), Code 13 (Communication Administratively Prohibited) is returned to the sender
Classic IOS: per box, default is none, ASR1K since 3.4S
ip nat translation max-entries all-host 300
-
NAT Session Setup Rate [sps] (sessions per second)
Average # of new sessions per user during peak hours
Huge load during failover scenarios or after a power blackout
Failing to cope with SPS = huge TCP delays, timeouts/retransmissions
Session limit per user
Maximum # of concurrent sessions per user
AJAX-based applications with tens/hundreds of TCP sessions
E.g. relaunching Firefox with tabs opens hundreds of sessions
Maximum number of sessions per CGN
Average # of concurrent sessions per user during peak hours
UDP must not expire in less than 2 minutes (RFC4787)
UDP/TCP timers for initializing and established sessions should be configurable
-
L (Low-scale) Scenario: 3G mobile users, smart-phones
M (Medium-scale) Scenario: ADSL subscribers, PC users with 3G/4G dongles, tablets, WiFi and top smart-phone users
H (High-scale) Scenario: heavy broadband users, Internet sharing
100K BB users = up to 100K sps and 10M concurrent sessions (cs) during peak hour!
-
IOS XR default timers
Type | Default Value
ICMP | 60 sec
UDP init | 30 sec
UDP active | 120 sec
TCP init | 120 sec
TCP active | 30 min
*) Default refresh direction is bidirectional (configurable to outbound only)
IOS XE (ASR1000) default timers
timeout: 86,400 seconds (24 hours)
udp-timeout: 300 seconds (5 minutes)
dns-timeout: 60 seconds (1 minute)
tcp-timeout: 86,400 seconds (24 hours)
finrst-timeout: 60 seconds (1 minute)
icmp-timeout: 60 seconds (1 minute)
pptp-timeout: 86,400 seconds (24 hours)
syn-timeout: 60 seconds (1 minute)
-
High Availability scenarios
Intra-chassis, inter-chassis
Active/Standby, Active/Active
Stateful or stateless
Millions of short-lived Layer-4 sessions: stateful sync makes no sense for such ephemeral state (memory & CPU), e.g. ASR1000 does not sync http
Stateless redundancy: 1M sps = 100K active users (10M cs) are up in 10 s with minimal loss
Load-sharing = simple ECMP routing
Best Practice: simple non-revertive 1:1 warm standby
-
Data Retention Law compliance, user trackability
Who posted content to a server on Tue at 8:09:10pm? Global IP:port -> CGN Log -> Private IP:port -> MSISDN
Directive 2006/24/EC - Data Retention
Logging Format
Must be fast and efficient (binary format); Syslog is very chatty, inefficient ASCII encoding
1 Msps = ca. 176 Mbps, 14.7 Kpps
Netflow v9 or IPFIX
21B add-event, 11B delete-event
Compare to ASCII syslog (113B for add-event)!
Up to 68 add-events per 1500B export packet
Dynamic, template-based format
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML
-
Add Event, Template 256 (21B)
Field ID | Attribute | Value
234 | Incoming VRF ID | 32 bit ID
235 | Outgoing VRF ID | 32 bit ID
8 | Source IP Address | IPv4 Address
225 | Translated Source IP Address | IPv4 Address
7 | Source Port | 16 bit port
227 | Translated Source Port | 16 bit port
4 | Protocol | 8 bit value
Delete Event, Template 257 (11B)
Field ID | Attribute | Value
234 | Incoming VRF ID | 32 bit ID
8 | Source IP Address | IPv4 Address
7 | Source Port | 16 bit port
4 | Protocol | 8 bit value
Tip: IsarFlow tested CGN NFv9 Collector
-
Collector performance: 100K users, average and peak
Reality check: 100K CGN users would consume 3.5TB storage per year (compressed, fully SQL-searchable data)
E-Shop: 4TB disk, 300 Euro
Storage capacity includes per-day user behavior
No need to bother with logging reduction
-
Destination Based Logging and data analytics
Keep and log destination IP:port
Just like in a Symmetric NAT/Firewall, but still keep EIM/EIF
Usage
Servers that do not log the port (Apache default)
Data analytics (full Netflow-like info)
Per-user functions (Firewall, LI, AAA) still must be done on the private IP (before NAT).
-
Add Event, Template 271 (27 B), NAT44 with DBL
  Field ID  Attribute                      Value
  234       Incoming VRF ID                32-bit ID
  235       Outgoing VRF ID                32-bit ID
  8         Source IP Address              IPv4 address
  225       Translated Source IP Address   IPv4 address
  7         Source Port                    16-bit port
  227       Translated Source Port         16-bit port
  12        Destination Address            IPv4 address
  11        Destination Port               16-bit port
  4         Protocol                       8-bit value

NAT44: Add Event, Template 271 (27 B); Delete Event, Template 272 (17 B)
NAT64: Add Event, Template 260 (47 B); Delete Event, Template 261 (37 B)
Tip: IsarFlow is a tested CGN NFv9 collector
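To make the template sizes on these two slides concrete, the following Python script (an added example, not code from the Cisco deck or from any Cisco product) encodes NAT44 add/delete events in NetFlow v9 using exactly the field IDs and sizes listed above, and decodes them the way a collector would. The record sizes (21, 11, 27 and 17 bytes) and the "68 add events per 1500 B datagram" figure fall out of the field table rather than being typed in; the sample event values (VRF IDs, addresses, ports) are constructed.

```python
"""NetFlow v9 export of CGN NAT44 logging events.

Added example (not from the original deck). It builds a NetFlow v9 packet
carrying the template flowset and a data flowset for the NAT44 add/delete
templates listed on the slides, then decodes it the way a collector would.
Element IDs 225, 227, 234 and 235 are Cisco-assigned; 4, 7, 8, 11 and 12 are
standard NetFlow v9 fields (RFC 3954).
"""
import ipaddress
import struct

# field id -> (name, length in bytes)
FIELDS = {
    234: ("in_vrf", 4),
    235: ("out_vrf", 4),
    8: ("src_ip", 4),
    225: ("xlat_src_ip", 4),
    7: ("src_port", 2),
    227: ("xlat_src_port", 2),
    12: ("dst_ip", 4),
    11: ("dst_port", 2),
    4: ("proto", 1),
}

# template id -> ordered field ids (record sizes follow from FIELDS)
TEMPLATES = {
    256: [234, 235, 8, 225, 7, 227, 4],          # NAT44 add event, 21 B
    257: [234, 8, 7, 4],                          # NAT44 delete event, 11 B
    271: [234, 235, 8, 225, 7, 227, 12, 11, 4],   # NAT44 add event with DBL, 27 B
    272: [234, 8, 7, 12, 11, 4],                  # NAT44 delete event with DBL, 17 B
}

NFV9_HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unixSecs, seq, sourceId
FLOWSET_HEADER = struct.Struct("!HH")    # flowset id, length (including this header)

# Constructed sample event in the 21-byte add template.
SAMPLE_ADD_EVENT = {"in_vrf": 1, "out_vrf": 2, "src_ip": "10.1.32.45", "xlat_src_ip": "100.1.1.28",
                    "src_port": 12544, "xlat_src_port": 12671, "proto": 6}


def record_size(template_id):
    return sum(FIELDS[f][1] for f in TEMPLATES[template_id])


def max_records_per_packet(template_id, mtu=1500, ip_udp_overhead=28):
    """Records that fit in one export datagram: NFv9 header (20 B) + one data
    flowset header (4 B). Templates are exported periodically, not in every packet."""
    return (mtu - ip_udp_overhead - NFV9_HEADER.size - FLOWSET_HEADER.size) // record_size(template_id)


def _pack_field(field_id, value):
    name, size = FIELDS[field_id]
    if name.endswith("ip"):
        return ipaddress.IPv4Address(value).packed
    return int(value).to_bytes(size, "big")


def encode_template_flowset(template_id):
    fields = TEMPLATES[template_id]
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", f, FIELDS[f][1]) for f in fields)
    return FLOWSET_HEADER.pack(0, FLOWSET_HEADER.size + len(body)) + body


def encode_data_flowset(template_id, events):
    body = b"".join(b"".join(_pack_field(f, ev[FIELDS[f][0]]) for f in TEMPLATES[template_id])
                    for ev in events)
    pad = (-len(body)) % 4   # flowsets are padded to a 32-bit boundary
    return FLOWSET_HEADER.pack(template_id, FLOWSET_HEADER.size + len(body) + pad) + body + b"\0" * pad


def encode_export_packet(template_id, events, seq=1, source_id=1, uptime_ms=0, unix_secs=0):
    header = NFV9_HEADER.pack(9, 1 + len(events), uptime_ms, unix_secs, seq, source_id)
    return header + encode_template_flowset(template_id) + encode_data_flowset(template_id, events)


def decode_export_packet(packet):
    """Collector side: learn templates from the packet, then decode data records.
    Returns (header dict, list of (template_id, record dict)). Length fields from
    the wire are validated before use so a malformed packet cannot loop or overread."""
    version, count, uptime, secs, seq, source_id = NFV9_HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError("not NetFlow v9")
    header = {"count": count, "seq": seq, "source_id": source_id, "unix_secs": secs}
    templates, records = {}, []
    off = NFV9_HEADER.size
    while off + FLOWSET_HEADER.size <= len(packet):
        fs_id, length = FLOWSET_HEADER.unpack_from(packet, off)
        if length < FLOWSET_HEADER.size or off + length > len(packet):
            raise ValueError("bad flowset length")
        data = packet[off + FLOWSET_HEADER.size:off + length]
        if fs_id == 0:                                   # template flowset
            pos = 0
            while pos + 4 <= len(data):
                tid, nfields = struct.unpack_from("!HH", data, pos)
                pos += 4
                templates[tid] = [struct.unpack_from("!HH", data, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id in templates:                         # data flowset for a known template
            spec = templates[fs_id]
            rec_len = sum(flen for _, flen in spec)
            for r in range(len(data) // rec_len):
                rec, pos = {}, r * rec_len
                for fid, flen in spec:
                    raw = data[pos:pos + flen]
                    pos += flen
                    name = FIELDS.get(fid, (f"field_{fid}", flen))[0]
                    rec[name] = str(ipaddress.IPv4Address(raw)) if name.endswith("ip") else int.from_bytes(raw, "big")
                records.append((fs_id, rec))
        off += length
    return header, records


if __name__ == "__main__":
    pkt = encode_export_packet(256, [SAMPLE_ADD_EVENT], unix_secs=1306837845)
    print(len(pkt), "bytes on the wire;", max_records_per_packet(256), "add events fit in one 1500 B datagram")
    print(decode_export_packet(pkt))
```

Note that the collector only decodes data flowsets whose template it has already seen; a real collector caches templates per (exporter, source ID) across packets, and should also watch the sequence number in the header, which is what syslog lacks.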
-
57/111
Syslog (ASCII) cannot really log at full speed
Example (presented as RFC 5424 compliant; note that RFC 5424 requires an ISO 8601 timestamp, not the form shown):
1 2011 May 31 10:30:45 192.168.2.3 - - NAT44[UserbasedA - 10.1.32.45 INVRFA 100.1.1.28 12544 12671]
Huge load (compare 113 or 250 B for syslog with 21 B for NetFlow v9)
Both syslog and NetFlow are UDP, but syslog has no sequence number, so lost records go unnoticed
Solution: bulk port range allocation
- Pre-allocates a port set per user (e.g. 512 ports)
- PROS: log size reduction (is that still a problem today?)
- CONS: breaks port randomization (port guessing attacks), cannot log the destination
SDNAT (Stateless Deterministic NAT), aka algorithmic NAT
- No logging at all, but
- Unrealistic requirements (e.g. control of the host stack and A+P routing changes)
-
58/111
Normal (non-bulk) port allocation is random
- Random ports, prefer the IP address with at least 1/3 of its ports free
- The first 1024 ports are reserved (never allocated)
- Paired pooling behavior and port parity preservation during allocation
Problem: bulk port allocation may break TCP port randomization
- Host stacks randomize ports to prevent guessing (TCP hijacking); a predictable, contiguous translated port range undoes that on the outside
Implementation
- When a subscriber creates its first connection, N contiguous outside ports are pre-allocated (up to N further connections use one of the pre-allocated ports)
- A bulk-allocation message is logged for the port range; a bulk-delete is logged when no more sessions remain in this range
Example: bulk-port-alloc size 512
-
59/111
Add Event, Template 265
  Field ID  Field                                  Size
  234       Incoming VRF ID                        4 bytes
  235       Outgoing VRF ID                        4 bytes
  8         Incoming/Inside Source IPv4 Address    4 bytes
  225       Translated Source IPv4 Address         4 bytes
  295       Translated Source Port Start           2 bytes
  296       Translated Source Port End             2 bytes

Delete Event, Template 266
  Field ID  Field                                  Size
  234       Incoming VRF ID                        4 bytes
  8         Incoming/Inside Source IPv4 Address    4 bytes
  295       Translated Source Port Start           4 bytes

NOTE: Bulk Port Allocation is mutually exclusive with Destination Based Logging (DBL).
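The trade-off on the last three slides (far fewer log events versus predictable outside ports and no destination in the log) can be measured rather than argued. The simulation below is an added example, not part of the deck or of any Cisco implementation; it models the two allocation behaviours described above with constructed numbers (100 subscribers with 100 sessions each, bulk size 512, first 1024 ports reserved) and shows what an attacker gains from learning a single translated port of a subscriber, for instance from a server log. Paired pooling and port parity preservation are not modelled.

```python
"""Log-volume vs. port-predictability trade-off of bulk port allocation on a CGN.

Added example, not from the original deck. Simulates the two allocation
behaviours described on the slides (per-session random ports vs. pre-allocated
contiguous port blocks) and counts the log events each produces.
"""
import random

RESERVED_PORTS = 1024   # the first 1024 ports are never allocated (as on the slide)
MAX_PORT = 65536


class RandomPortAllocator:
    """Default behaviour: every session gets an unpredictable port and its own
    add/delete log events (the 21 B / 11 B NetFlow templates 256/257)."""

    def __init__(self, rng):
        self.rng = rng
        self.free = list(range(RESERVED_PORTS, MAX_PORT))
        self.rng.shuffle(self.free)
        self.log = []

    def open_session(self, user):
        port = self.free.pop()
        self.log.append(("add", user, port))
        return port

    def close_session(self, user, port):
        # Put the port back at a random position so the reuse order stays unpredictable.
        self.free.append(port)
        i = self.rng.randrange(len(self.free))
        self.free[i], self.free[-1] = self.free[-1], self.free[i]
        self.log.append(("delete", user, port))


class BulkPortAllocator:
    """bulk-port-alloc size N: a user's first session pre-allocates N contiguous ports;
    one bulk-add is logged for the range and one bulk-delete when the last session in
    the range closes. The range events (templates 265/266) carry no destination."""

    def __init__(self, rng, bulk_size):
        self.rng, self.n = rng, bulk_size
        self.free_blocks = [s for s in range(RESERVED_PORTS, MAX_PORT, bulk_size) if s + bulk_size <= MAX_PORT]
        self.rng.shuffle(self.free_blocks)
        self.blocks = {}   # user -> list of [block start, set of ports in use]
        self.log = []

    def open_session(self, user):
        for block in self.blocks.get(user, []):
            start, used = block
            if len(used) < self.n:
                break
        else:   # no block with a free port: allocate (another) block for this user
            start, used = self.free_blocks.pop(), set()
            self.blocks.setdefault(user, []).append([start, used])
            self.log.append(("bulk-add", user, start, start + self.n - 1))
        port = self.rng.choice([p for p in range(start, start + self.n) if p not in used])
        used.add(port)
        return port

    def close_session(self, user, port):
        for block in self.blocks[user]:
            start, used = block
            if port in used:
                used.discard(port)
                if not used:
                    self.blocks[user].remove(block)
                    self.free_blocks.append(start)
                    self.log.append(("bulk-delete", user, start, start + self.n - 1))
                return
        raise KeyError(port)


def simulate(allocator, users, sessions_per_user):
    """Each user opens its sessions, then closes them all; returns the number of log events."""
    for user in range(users):
        ports = [allocator.open_session(user) for _ in range(sessions_per_user)]
        for port in ports:
            allocator.close_session(user, port)
    return len(allocator.log)


def compare_log_volume(users=100, sessions_per_user=100, bulk_size=512, seed=7):
    """Returns (events with per-session logging, events with bulk allocation)."""
    random_events = simulate(RandomPortAllocator(random.Random(seed)), users, sessions_per_user)
    bulk_events = simulate(BulkPortAllocator(random.Random(seed), bulk_size), users, sessions_per_user)
    return random_events, bulk_events


def candidate_ports_after_leak(observed_port, bulk_size):
    """What the attacker learns from ONE translated port of a victim (e.g. seen in a
    server log): every other concurrent session of that victim uses a port in the
    same contiguous block, so the guessing space shrinks from ~64K to bulk_size."""
    start = RESERVED_PORTS + ((observed_port - RESERVED_PORTS) // bulk_size) * bulk_size
    return start, start + bulk_size - 1


if __name__ == "__main__":
    per_session, bulk = compare_log_volume()
    print(f"per-session logging: {per_session} events, bulk allocation: {bulk} events")
    print("victim's other sessions sit in", candidate_ports_after_leak(40000, 512))
```

The 100x reduction is real, but so is the cost: with bulk allocation one observed port pins a subscriber's remaining sessions to a 512-port window, and the log no longer answers "who talked to destination X" at all. Given the storage figures on slide 54, the reduction is hard to justify on cost grounds alone.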
-
60/111
Where to place the NAT44 (diagram: eNB - SGW - PGW - public IPv4, with the NAT44 either on the PGW or on a separate CGN/CGv6 Internet gateway; private IPv4 on the subscriber side, public IPv4 on the Internet side)

Option 1: NAT on BNG/PGW/GGSN (per-subscriber)
Key benefits: subscriber-aware NAT
- per-subscriber control
- per-subscriber accounting
- large scale (further enhanced by distribution)
- highly available (incl. geo-redundancy)
Cisco ASR5000

Option 2: NAT on Internet Gateway (as far from subscribers as possible)
Key benefits:
- integrated NAT for multiple administrative domains (operational separation)
- large scale
- overlapping private IPv4 domains (e.g. with VPNs)
Cisco Internet Gateways: CRS, GSR, ASR9K, ASR1K

BEST PRACTICE
On the PGW put revenue-generating services (charging, firewall, ...)
On the Internet Gateway put infrastructural functions (BGP, CGN, ...)
-
61/111
NAT vs. Firewall
- Firewall motivation is inbound filtering; ALGs are required, NAT can be used or not
- CGN motivation is the IPv4 exhaust solution; maximum simplicity, transparency, massive logging
(Diagram: eNB - SGW - PGW (NAT44, private IPv4) - CGN/CGv6 - public IPv4.)
DPI, LI, AAA and firewalling must be done on the private address space; after NAT it would be too late (NAT hides the user's L3 identity). CGN is one of the last operations before the packet goes to the Internet.
-
62/111
Gi Firewall
- Protects against overcharging for usage-billed (non flat-fee) APNs
- Protects against network scans waking phones from the fast dormancy state (battery drain)
- CGN does not help here, a real firewall is needed
(Diagram: three placements between the PGW/GGSN and the Internet Gateway (IGW); private IPv4 towards the subscriber, public IPv4 towards the Internet.)
Solution 1: PGW/GGSN (PDP, LI, DPI) - Gi FW (firewall, ALGs, no NAT) - IGW (CGN, logging)
Solution 2: PGW/GGSN (PDP, LI, DPI, ALG, per-PDP firewall, no NAT) - IGW (CGN, logging)
Solution 3: PGW/GGSN (PDP, LI, DPI, ALG, per-PDP firewall & NAT) - IGW (BGP)
-
63/111
Current Situation
- Massive growth of mobile data traffic and of the number of mobile end-points
- IPv4 run-out: most operators started to deploy NAT44
Offload the NAT44 infrastructure
- IPv6 traffic bypasses NAT44
- After W6L (World IPv6 Launch), IPv6 content and video come
Regulation and new standards
- IPv6 will become cheaper (e.g. bigger volume quotas or no FUP (fair use policy) for v6)
Ultimately: IPv4 address space pollution vs. IPv6, a faster, cleaner and better Internet
-
64/111
Agenda
- Motivation: World IPv6 Launch 6/6/2012
- Carrier-Grade NAT: definition and design
- Dual-stack: v4v6, v6-only, NAT64, 464
- IPv6 in Mobile: role in 3G and EPS
- IPv6 in Wireline: PPPoE and IPoE sessions
- Cisco CGN Products: ASR1000, ASR5000, ASR9000, CRS
-
65/111
Dual-Stack: the classic RFC 4213 solution
- Logical deployment choice when one has little control over the end-point
- 3GPP/3GPP2 architectures support dual-stack, as well as wireline (Broadband/DSL Forum, DOCSIS)
IPv6 endpoint enablement
- Handset upgrade often required to get IPv6 or dual-stack (both stacks active at a time)
- DSL/FTTH/Cable CPE: no software upgrades, a new RFP is needed
- IMS/VoIP mass market (80% of all phones are still voice-focused handsets)
Deploying IPv6 in dual stack does not solve IPv4 address exhaustion: CGN is still needed
(Diagram: dual-stack end-points; private IPv4 through the CGN to the public IPv4 Internet, IPv6 natively alongside.)
-
5/24/2018 Carrier Grade NAT
66/111
2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 66
I get an AAAA record and I have IPv6 configured locally (SLAAC). But what if the IPv6 network is broken?
Behavior of a typical web browser
draft-ietf-v6ops-happy-eyeballs (http://tools.ietf.org/html/draft-ietf-v6ops-happy-eyeballs-02)
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_13-3/133_he.html
66/111
Slide courtesy of Teemu Savolainen (presented at v6ops, IETF 80)
draft-ietf-v6ops-happy-eyeballs suggests sending 2 TCP SYNs, one over IPv4 and one over IPv6
http://tools.ietf.org/html/draft-ietf-v6ops-happy-eyeballs-02
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_13-3/133_he.html
67/111
Happy Eyeballs: improving the end-user experience
draft-ietf-v6ops-happy-eyeballs (http://tools.ietf.org/html/draft-ietf-v6ops-happy-eyeballs-02)
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_13-3/133_he.html
NOTE: this impacts CGN44 with a high session setup rate [sps], since the IPv4 SYN creates a NAT44 session even when the IPv6 connection wins
Implementations: Firefox 10, Chrome (last stable), OS X 10.7 Lion getaddrinfo(), Safari, iPhone iOS 4.3.1
68/111
IPv6/MPLS Core is easy. The Access is difficult.
(Diagram, from subscriber to core: User (OS v6 stack) - RG (IPv6 LAN, IPv6 WAN) - Access Node (DSLAM, MSAN, OLT...: DHCPv6 snooping, LDRA/Option 37, ICMPv6 snooping) - Aggregation (ICMPv6 snooping) - BNG (IPv6 PE/VPE, IPv6 stack, IPv6 routing, AAA/DHCP) - Core (IPv6 routing, MPLS 6PE/6VPE); IPv6 NMS and IPv6 security at every layer; L2 between RG and BNG carrying IPv6 and IPv4.)
Why can't today's broadband user just access the IPv6 Internet?
- NMS/addressing, IPv6 parameters, DHCPv6
- Key problem with native v6: the Access Node (DSLAM, MSAN, OLT, FTTx switch), the CPE (new box needed), sometimes the BRAS/GGSN (no dual-stack sessions)
- Tunneling IPv6 over existing PPPoE (dual-stack PPPoE) or IPv4 infrastructure (6rd) provides a transition solution with a minimal number of touch points
-
69/111
Broadband PPP Access
- Dual-stack IPv6 and IPv4 supported over a shared PPP session with the v4 and v6 NCPs running as ships in the night
- IPCP assigns IPv4; IPv6CP + DHCPv6-PD assign IPv6
- ASR1000: dual-stack PPPoE (16-64k sessions), no extra BRAS sessions required, ISGv6 supported
Broadband IPoE Access
- Currently 2 sessions are needed, v4 and v6
- ASR1000: ISGv6 supports IPv6 sessions (unclassified IPv6 prefix based)
- Future: a dual-stack v4v6 session is being worked on in the BBF (Broadband Forum, ex DSL Forum)
Mobile Access
- Four types of PDP/PDN contexts: PPP (legacy), IPv4, IPv6, new IPv4v6 (introduced in 3GPP Rel 9)
- ASR5000: Cisco's Packet Core solution
- Dual-stack capable UEs are to request the IPv4v6 PDN (MIPv6, complex roaming scenarios, etc.)
(Diagram: one PPP session carrying IPv4 and IPv6; a VLAN carrying an IPv4 session and an IPv6 session as separate L2 sessions; one IPv4v6 PDN carrying IPv4 and IPv6.)
-
70/111
Use Dual-stack PPPoE
(Diagram: Customer - Access - Aggregation - Edge (BNG) - Core (IP/MPLS).)
- Native dual-stack IPv4/IPv6 service on the RG LAN side
- NO changes in the existing Access/Aggregation infrastructure
- One PPPoE session per address family (IPv4 or IPv6), or one PPPoE session carrying both IPv4 and IPv6 NCPs running as ships in the night
- Dual stack must not consume extra BNG session state
- SLAAC or DHCPv6 can be used to number the WAN link with a global address
- DHCPv6-PD is used to delegate a prefix for the home network
- PPPoE tag line-id authentication, RADIUS IPv6 attributes as per RFC 3162
Dual-stack PPPoE support in hardware: ASR1000 (32K+ sessions with features), ASR9000 (end of 2012)
-
71/111
Use 6rd, Rapid Deployment (RFC 5969)
(Diagram: CPE with 6rd RG (Remote Gateway; IPv4 + IPv6 on the LAN) - IPv4 access - IGW with 6rd BR (Border Relay) - IPv4 + IPv6 core / Internet.)
- IPv6 destination inside the 6rd domain: encapsulate in IPv4, protocol 41, to the address extracted from the v6 prefix that contains the v4 part
- IPv6 destination outside the 6rd domain: encapsulate in IPv4 for the BR
6rd (Rapid Deployment)
- Automatic tunneling of 6 in 4; simple and stateless CPE, uses the /32 prefix of the ISP
- Large deployments (Free France, AT&T US, DSL and Cable)
- Linksys CPE support: http://home.cisco.com/en-us/ipv6
- Replaces classic 6to4 tunneling (2002::/16 being obsoleted by the IETF)
- 6rd BR support in hardware: 7600 ES+, ASR1000, CRS CGSE
The residence's IPv6 subnet is constructed from: ISP's IPv6 prefix + RG IPv4 address (/56) + Subnet ID (/64) + Interface ID (/128)
72/111
The One-Stack View (chart: operations & deployment cost/complexity of the transition options, from an IPv4-majority to an IPv6-majority operator network)
- CGN + 6rd: where we are right now. One network; addresses run out, and 6rd enables IPv6 connectivity over the IPv4 infrastructure
- Dual-Stack, Dual-Stack Lite: two networks! Big CGN in the IPv6 network; IPv6 can't talk to IPv4
- Stateful NAT64, stateless NAT64/dIVI, stateless 4o6/4rd: being asked to go here next. One network; SP-class XLAT is the IPv6 transition vehicle for the 6-4 and 4-6-4 cases
-
73/111
IPv6 and Large Scale Address Family Translation
- AFT64 technology is only applicable where IPv6-only end-points need to talk to IPv4-only end-points
- NAT64 for going from IPv6 to IPv4
- NAT64 and DNS64 is the solution
- NAT-PT is obsoleted by the IETF (due to stateful DNS)
- See also draft-ietf-behave-v6v4-framework, draft-ietf-behave-v6v4-xlate, draft-ietf-behave-v6v4-xlate-stateful (now RFC 6144, 6145, 6146)
(Diagram: eNB - Serving Gateway - PGW (public IPv6) - NAT64 - public IPv4.)
-
74/111
Stateful AFT64 (NAT64, LSN64)
(Diagram: IPv6 UE (any IPv6 address) - IPv6 - NAT64/LSN64 - public IPv4.)
- IPv6 addresses representing IPv4 hosts: IPv4-mapped IPv6 addresses, format PREFIX:IPv4 portion:(optional suffix)
- PREFIX:: announced in the IPv6 IGP
- N:1, multiple IPv6 addresses map to a single IPv4 LSN address, which is announced
- DNS64 is responsible for synthesizing IPv4-mapped IPv6 addresses: A records with the IPv4 address become AAAA records with the synthesized address PREFIX:IPv4 portion
- AFT keeps binding state between the inner IPv6 address and the outer IPv4 + port
- Application dependent, just like NAPT44*
*Note: ALGs for NAT64 and NAT44 are not necessarily the same; ALGs should be avoided in CGN
-
75/111
Stateless AFT64 (NAT64, LSN64)
(Diagram: IPv6 UE - IPv6 - stateless NAT64/LSN64 - public IPv4.)
- IPv6 addresses assigned to IPv6 hosts: IPv4-translatable IPv6 addresses, format PREFIX:IPv4 portion:(SUFFIX)
- IPv6 addresses representing IPv4 hosts: IPv4-mapped IPv6 addresses, format PREFIX:IPv4 portion:(SUFFIX); the PREFIX is announced in the IPv6 IGP
- 1:1, a single IPv6 address maps to a single IPv4 address; the ISP's IPv4 LIR address space is announced
- DNS64 is responsible for synthesizing IPv4-mapped IPv6 addresses: incoming responses, A records with the IPv4 address become AAAA records with the synthesized address PREFIX:IPv4 portion:(SUFFIX); outgoing responses, A records with the IPv4 portion
- AFT keeps no binding state: the IPv6/IPv4 mapping is computed algorithmically
- Still application dependent
*USAGE: 464 dIVI (MAP-T) or v6 data center (Internet v4 accesses v6 content)
-
76/111
draft-mdt-softwire-map-translation-00 (MAP-T)
- Demo code ready (ASR1000, World V6 Congress demo)
- Employs port-restricted NAT44 + stateless NAT46 for allowing IPv4-only host access to the IPv4 Internet. Also enables IPv6-only devices to access the IPv4 Internet.
- Algorithmic mapping (based on a configured or well-known schema) of IPv4 ports to/from the IPv6 address; encapsulation employs IPv4-embedded IPv6 addresses
- Stateless NAT64. Can also be enabled in stateful mode for other IPv6-only clients
- IPv6 hosts use native addressing and IPv6 routing to the public IPv6 Internet
(Diagram: IPv4-only private hosts - CPE (stateful NAT46 + port-set) - IPv6 - gateway (IPv6, stateless NAT64) - IPv6 + IPv4 Internet (public IPv4); stateless NAT64 applied (dIVI, dual46, or 464).)
-
77/111
(Diagram, MAP-E/4rd: IPv4-only private hosts - CPE (stateful NAT44, port-restricted, + v6 encapsulation) - IPv6 - gateway (IPv6, stateless relay) - IPv6 + IPv4 Internet.)
(Diagram, DS-Lite: IPv4-only private hosts - CPE (B4: no NAT, v6 tunneling) - IPv6 - gateway (IPv6) - CGN44 (AFTR, stateful NAT44) - IPv6 + IPv4 Internet.)
DS-Lite (draft-ietf-softwire-dual-stack-lite) is available today (CRS/ASR9K, some CPEs)
- Removes NAT44 from the CPE, where it is today, and moves it to a central CGN
- Dumb tunneling, no user-to-user v4 traffic (everything must go to the central AFTR)
Future, no rough consensus in the IETF yet
- 4rd (draft-despres-softwire-4rd-u): header mapping from 4 to 6 (with fragment header)
- MAP-E (draft-mdt-softwire-map-encapsulation): tunneling 4 over 6
- Keep NAT44 on the CPE where it is today, just add port restriction to tackle the v4 exhaust
- Avoids a central stateful CGN
-
78/111
Concept (draft-ietf-softwire-gateway-init-ds-lite)
(Diagram: UE - PGW - access tunnel over IP/MPLS - Carrier Grade NAT (CGN) - public IPv4 Internet; NA(P)T44 flow association at the CGN.)
Example bindings (two VPNs reusing the same private address):
  VPN1 / 10.1.1.1 TCP/4444  (Tunnel1 / CID-1)  <->  134.95.166.10 TCP/7777
  VPN2 / 10.1.1.1 TCP/5555  (Tunnel2 / CID-2)  <->  134.95.166.10 TCP/8888
The inner portion of the NAT binding is identified by the combination of CID, tunnel identifier and optionally other identifiers.
- DS-Lite is not for mobile: it would require phone OS changes (unrealistic)
- GI-DS-Lite: the gateway tunnels traffic which requires NAT44 towards the CGN (selective extension of access tunneling)
- Gateway and CGN use a Context-ID (e.g. private IP address) for flow identification
- No changes to UE (phone OS), access and roaming architecture
- Tunnel encapsulations: MPLS (typical today) or IP-in-IP, GRE in future
-
79/111
Agenda
- Motivation: World IPv6 Launch 6/6/2012
- Carrier-Grade NAT: definition and design
- Dual-stack: v4v6, v6-only, NAT64, 464
- IPv6 in Mobile: role in 3G and EPS
- IPv6 in Wireline: PPPoE and IPoE sessions
- Cisco CGN Products: ASR1000, ASR5000, ASR9000, CRS
-
80/111
Recommendation (clause 10)
3GPP specifications recognize two main strategies to provide IPv6 connectivity to UEs.
For the first strategy, the operator may provide IPv4 and IPv6 connectivity for the UE. According to the scenario considered, the operator will assign a public IPv4 address or a private IPv4 address in addition to an IPv6 prefix. The operator can select one of the technical solutions described in clause 7 of this document.
The second strategy, consisting of providing the UE with IPv6-only connectivity, can be considered as a first stage or an ultimate target scenario for operators. The operator can use NAT64/DNS64 capability to access IPv4-only services if access to IPv4 services is needed.
Note: Clause 7 lists 3 solutions: 1) NAPT44; 2) GI-DS-Lite (encapsulations defined in 3GPP: GRE and MPLS VPN); 3) Stateful NAT64
-
81/111
Already being done by T-Mobile USA
- Their reasons make perfectly good sense
- And they are proving it can work
- Problem: v4-only apps (e.g. Skype)
Source: Google IPv6 Implementors Conference, https://sites.google.com/site/ipv6implementors/2010/agenda/13_Byrne_T-Mobile_IPv6GoogleMeeting.pdf?attredirects=0
http://www.networkworld.com/community/blog/testing-nat64-and-dns64
"...Busiest day for a NAT64 box is the day you turn it on for the first time..." Cameron Byrne, T-Mobile
82/111
PDP types: IPv4, IPv6 and IPv4v6. IPv4v6 (dual stack) was introduced in the EPC from 3GPP Release 8, and in the 2G/3G SGSN/GGSN from 3GPP Release 9
(Diagram: eNodeB - SGW - PGW with PCRF/AAA/DHCP; public IPv4 and public IPv6 on the Internet side.)
-
83/111
3G: IPv6 PDP context activation and /64 prefix allocation (message flow UE - SGSN - GGSN - AAA / DHCP)
1. Attach Request / Attach Accept (UE <-> SGSN)
2. Create PDP Context Request (APN, QoS, PDP-type=IPv6, ...; empty UE IP address for dynamic allocation); the SGSN selects the GGSN for the given APN
3. /64 prefix allocation at the GGSN, 3 options: local pool (Option 1), prefix retrieval from AAA (Option 2), DHCPv6-PD via DHCPv6 Relay-Forward / Relay-Reply to the DHCP server (Option 3)
4. Create PDP Context Reply (UE IP address, protocol config options, e.g. DNS server list, cause); the prefix is communicated to the SGSN
5. Router Solicitation / Router Advertisement: SLAAC on the UE; optionally DHCPv6 Information Request / Reply (stateless DHCPv6)
-
84/111
EPS: attach, IPv6 PDN connection and /64 prefix allocation (message flow UE - eNB - MME - SGW - PGW - HSS/AAA - DHCP)
1. Attach Request (UE -> eNB -> MME); authentication of the UE (HSS/AAA)
2. Create Session Request (APN, QoS, PDN-type=IPv6, ...; empty UE IP address for dynamic allocation) MME -> SGW -> PGW
3. /64 prefix allocation at the PGW, 3 options: local pool (Option 1), prefix retrieval from AAA (Option 2), DHCPv6-PD via DHCPv6 Relay-Forward / Relay-Reply to the DHCP server (Option 3)
4. Create Session Response (UE IP address, protocol config options, e.g. DNS server list, cause) PGW -> SGW -> MME; the prefix is communicated to SGW/MME
5. Attach Accept / Initial Context Setup Request; Reconfigure Radio Bearer (per MME params); Initial Context Response, Direct Transfer (incl. Attach Complete); Attach Complete; Modify Bearer Request/Response; uplink and downlink data
6. Router Solicitation / Router Advertisement: SLAAC on the UE; optionally DHCPv6 Information Request / Reply
IPv6 config: 1 method, SLAAC after the bearer setup (/64 prefix); Rel-10: DHCPv6-PD (enables a mobile router)
IPv4 config: 2 methods, within the EPS bearer setup signaling (typical), or DHCPv4 (DHCP optional on UE and PGW)
-
85/111
(Diagram: 3G mobile network: 2G/3G MS - RAN (NodeB, Femto HNB, RNC) - core network (SGSN - GGSN over Gn/Gp (GTP); Ga (GTP) to the Charging Gateway and billing system; RADIUS, DNS, DPI, Policy, NAT, WAP, DHCP, QS (quota server), signaling, IMS core) - Internet / DMZ with content providers; GRX / IXC to roaming partners.)

Element                 Design consideration (if IPv6 is used for Internet & internal apps)   Impact
eNodeB                  Radio layer; can use IPv4 backhaul                                   No
RNC                     Iu-CS/Iu-PS can use IPv4 backhaul                                    No
SGSN                    Initiates mobile APN query & authentication                          Yes
HLR/HSS                 IPv6 capable                                                         Yes
GGSN                    IPv6 PDP, standard IPv6 features, prefix allocation                  Yes
Billing                 Mediation and processing of IPv6 CDRs                                Yes
DPI, Quota Server       Pre-paid implementation, IPv6 parsing & CDR capability               Yes
WAP, Data Accelerator   IPv6 packet compression, cache capability                            Yes
Firewalls               IPv6 rules capability, performance                                   Yes
DNS                     IPv6 DNS capability                                                  Yes
-
86/111
Two IPv6 Deployment Domains
1. Enable IPv6 customer applications
- IPv6 for user-plane interfaces
- IPv6-related attributes for control-plane interfaces
- IPv6-related attributes for policy/charging/control interfaces
Note: protocol choice analysis in TR 29.803
2. Enable IPv6 transport
- IPv6 Home-PLMN
- IPv6 Visited-PLMN
- IPv6 Interconnect-PLMN
Initial deployment objective / driver
(Diagram: 3GPP EPC reference architecture with the protocol per reference point: S1-MME (S1-AP), S1-U (GTP-U), S11 (GTP-C), S3 (GTP-C), S4 (GTP-C, GTP-U), S10 (GTP-C), S12 (GTP-U), S5 (GTP-C, GTP-U; or PMIPv6, GRE), S6a (DIAMETER), S6b (DIAMETER), S2a (PMIPv6, GRE, MIPv4 FACoA), S2b (PMIPv6, GRE), STa (RADIUS, DIAMETER), SWa (TBD), SWn (TBD), SWm (DIAMETER), SWx (DIAMETER), SWu (IKEv2, MOBIKE, IPsec), Gx/Gxa/Gxb/Gxc (Gx+), Rx+, SGi. Nodes: UE, E-UTRAN/eNB, UTRAN, GERAN, MME, SGSN, S-GW, PDN-GW, HSS, PCRF, 3GPP AAA, ePDG, x-CSCF, trusted and untrusted non-3GPP IP access, operator's IP services.)
-
87/111
Transport options: GTP or PMIPv6 (since R8)
(Diagram: the same EPC reference architecture and reference points as on the previous slide.)
User-plane protocol stacks, each over IPv4 or IPv6 transport:
- GTP-based architecture (3G/4G), SGSN/SGW - GGSN/PGW: GTPv1/v0-U over UDP
- MIP-based architecture (SAE, TS 23.402), SGW - PGW: GRE
- Non-3GPP access (SAE, TS 23.402), AP (e.g. Femto-AP) - ePDG - PGW: IPsec towards the ePDG, then GRE (UDP shown in the stack) towards the PGW
- SP WiFi Offload uses PMIP too
Hardware-based implementation: MAG/LMA in ASR1000, LMA in ASR5000
-
88/111
Agenda
- Motivation: World IPv6 Launch 6/6/2012
- Carrier-Grade NAT: definition and design
- Dual-stack: v4v6, v6-only, NAT64, 464
- IPv6 in Mobile: role in 3G and EPS
- IPv6 in Wireline: PPPoE and IPoE sessions
- Cisco CGN Products: ASR1000, ASR5000, ASR9000, CRS
-
89/111
Basic Authentication/Authorization + DHCP-PD (PPPoE message flow: LAN host - Routed RG - Ethernet or DSL Access Node - BNG - RADIUS AAA, DHCPv6 server)
1. PPPoE, then PPP LCP between RG and BNG
2. BNG sends RADIUS Access-Request (User-Name user1, Line-id, Framed-Protocol PPP, Service-Type Framed) and receives the Access-Accept (optional Framed-IPv6-Prefix)
3. PPP IPv6CP
4. BNG sends ICMPv6 RA with O-bit (optional prefix); the RG configures a link-local address via SLAAC and installs a default route to the BNG
5. RG sends DHCPv6 Solicit (PD + DNS); the BNG relays (Relay-Forward / Relay-Reply) to the DHCPv6 server and returns the DHCPv6 Reply*: PD = 2001:DB8:AAAA::/56, DNS server = 2001:DB8:BB::1
6. RG sends ICMPv6 RA with O-bit, Prefix = 2001:DB8:AAAA::/64, on the LAN; the host configures 2001:DB8:AAAA::1 via SLAAC and installs a default route; DHCPv6 Request (DNS) / Response (DNS = 2001:DB8:BB::1)
* Assuming DHCPv6 rapid commit is in effect
-
90/111
1:1 VLAN (QinQ)
(Diagram: Customer 1, Customer 2 - Access Node - 1:1 VLANs - BNG.)
- At L2, IPv6oE with 1:1 VLANs resembles PPPoE
- Moderate changes to the Access Node to support IPv6: it needs to forward the IPv6 ethertype
- A point-to-point broadcast domain does not require any special L2 forwarding constraints on the Access Node, and SLAAC and Router Discovery work the same
- Line identifier used for 1:1 VLAN mapping = (S-TAG, C-TAG)
- However, 1:1 VLANs and IPoE do require some extra BNG functionality: statically pre-configured VLAN subinterfaces with IPv6 parameters (e.g. RA + services), ND + ND cache limit, DHCPv6-PD server or relay
- DHCPv6-PD or DHCPv6 server capabilities can be used at the BNG to delegate a prefix for the home network
-
91/111
N:1 VLAN
(Diagram: Customer 1 (X::/56), Customer 2 (Y::/56) - Ethernet or DSL Access Node - N:1 VLAN (802.1Q) - BNG; shared subnet (split-horizon), just link-local or an NMS /64.)
- Split-horizon L2 forwarding rule: user-to-user traffic is blocked at L2 (NBMA network behavior)
- The BNG is the default gateway for the CPEs (all traffic goes via the BNG), no proxy-ND
Subscriber line identification
- The VLAN no longer provides a mapping of the subscriber line; LDRA (Lightweight DHCP Relay Agent) on the Access Node conveys the Option 37 line-id as the circuit-id and remote-id (draft-ietf-dhc-dhcpv6-ldra-03)
- DHCPv6 is needed, SLAAC is not enough: SLAAC has no line-id insertion, problems with failure recovery with RA, no DNS
-
92/111
N:1 VLAN + DHCP-PD + AAA (message flow: LAN host - Routed RG - Ethernet or DSL Access Node - BNG - RADIUS AAA, DHCPv6 server)
1. BNG sends ICMPv6 RA with O-bit on the shared VLAN
2. RG sends DHCPv6 Solicit (PD + DNS); the Access Node inserts the circuit-id (Interface-id) and relays it: DHCPv6 Relay-Forward (SOLICIT + Interface-id)
3. BNG sends RADIUS Access-Request (DUID, Interface-id) and receives the RADIUS Access-Accept
4. BNG relays to the DHCPv6 server (Relay-Forward) and receives the Relay-Reply; the PD route is installed on the BNG
5. BNG sends DHCPv6 Relay-Reply (Reply + Interface-id) to the Access Node, which delivers the DHCPv6 Reply to the RG: PD = 2001:DB8:AAAA::/56, DNS server = 2001:DB8:BB::1
6. RG sends RA with O-bit, Prefix = 2001:DB8:AAAA::/64, on the LAN; the host configures 2001:DB8:AAAA::1 via SLAAC and installs a default route; DHCPv6 Request (DNS) / Response (DNS = 2001:DB8:BB::1)
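The Relay-Forward with inserted line identification, which the BNG then turns into a RADIUS Access-Request, is the part of the last two flows worth seeing byte by byte, because it is what ties a delegated prefix to a physical subscriber line once the VLAN no longer does. The Python below is an added example, not from the deck or from any Cisco product: it builds the RG's Solicit (IA_PD, DNS, rapid commit), wraps it the way a lightweight relay on the access node does (Relay-Forward with Interface-Id option 18 and Remote-Id option 37, link-address :: and hop count 0), shows what the BNG extracts for the Access-Request, rejects a client that smuggles its own line-id options into the Solicit, and builds and parses the Reply carrying the /56 and DNS server from the slides. The DUIDs, the line id "dslam1/0/3:100.200", the remote id and the enterprise number are constructed values.

```python
"""DHCPv6 prefix delegation over an N:1 VLAN with line identification inserted by the access node.

Added example, not from the original deck or any Cisco product. Message and option
formats follow RFC 3315 (DHCPv6), RFC 3633 (IA_PD), RFC 4649 (Remote-Id) and
draft-ietf-dhc-dhcpv6-ldra (lightweight relay). DUIDs, line id, remote id and
enterprise number below are constructed values.
"""
import ipaddress
import struct

SOLICIT, REPLY, RELAY_FORW, RELAY_REPL = 1, 7, 12, 13
OPT_CLIENTID, OPT_SERVERID, OPT_ORO, OPT_ELAPSED = 1, 2, 6, 8
OPT_RELAY_MSG, OPT_RAPID_COMMIT, OPT_INTERFACE_ID = 9, 14, 18
OPT_DNS, OPT_IA_PD, OPT_IAPREFIX, OPT_REMOTE_ID = 23, 25, 26, 37
LINE_ID_OPTIONS = (OPT_INTERFACE_ID, OPT_REMOTE_ID)


def opt(code, data):
    """One DHCPv6 option: code (2), length (2), data."""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf):
    """Options as a list of (code, data); raises on a truncated option instead of guessing."""
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        if off + 4 + length > len(buf):
            raise ValueError("truncated DHCPv6 option")
        opts.append((code, buf[off + 4:off + 4 + length]))
        off += 4 + length
    return opts


def build_solicit(xid, client_duid, iaid):
    """RG -> network: Solicit asking for a delegated prefix, DNS servers and rapid commit."""
    body = opt(OPT_CLIENTID, client_duid)
    body += opt(OPT_IA_PD, struct.pack("!III", iaid, 0, 0))   # IAID, T1, T2 (let the server choose)
    body += opt(OPT_ORO, struct.pack("!H", OPT_DNS))
    body += opt(OPT_RAPID_COMMIT, b"")
    body += opt(OPT_ELAPSED, struct.pack("!H", 0))
    return struct.pack("!B", SOLICIT) + xid.to_bytes(3, "big") + body


def ldra_relay(client_msg, peer_link_local, interface_id, enterprise, remote_id):
    """Access node (LDRA): wrap the client message in Relay-Forward. A lightweight relay
    has no IPv6 address on the link, so link-address is :: and the hop count is 0."""
    header = struct.pack("!BB", RELAY_FORW, 0)
    header += ipaddress.IPv6Address("::").packed + ipaddress.IPv6Address(peer_link_local).packed
    return (header + opt(OPT_INTERFACE_ID, interface_id)
            + opt(OPT_REMOTE_ID, struct.pack("!I", enterprise) + remote_id)
            + opt(OPT_RELAY_MSG, client_msg))


def bng_view(relay_msg):
    """BNG: extract what goes into the RADIUS Access-Request (DUID, Interface-Id,
    Remote-Id). Line identification is trusted only from the relay wrapper; a client
    message carrying its own Interface-Id/Remote-Id is rejected as a spoof attempt."""
    if relay_msg[0] != RELAY_FORW:
        raise ValueError("expected Relay-Forward")
    peer = ipaddress.IPv6Address(relay_msg[18:34])
    relay_opts = dict(parse_options(relay_msg[34:]))
    inner = relay_opts[OPT_RELAY_MSG]
    inner_opts = dict(parse_options(inner[4:]))
    if any(code in inner_opts for code in LINE_ID_OPTIONS):
        raise ValueError("client-supplied line identification rejected")
    remote = relay_opts.get(OPT_REMOTE_ID)
    return {
        "msg_type": inner[0],
        "xid": int.from_bytes(inner[1:4], "big"),
        "duid": inner_opts[OPT_CLIENTID].hex(),
        "interface_id": relay_opts[OPT_INTERFACE_ID].decode(),
        "enterprise": struct.unpack("!I", remote[:4])[0] if remote else None,
        "remote_id": remote[4:].decode() if remote else None,
        "peer": str(peer),
        "hop_count": relay_msg[1],
        "wants_pd": OPT_IA_PD in inner_opts,
    }


def build_reply(xid, client_duid, server_duid, iaid, prefix, dns_servers,
                t1=1800, t2=2880, preferred=3600, valid=7200):
    """Server -> RG: Reply (rapid commit) with the delegated prefix and DNS servers.
    In the flow above the BNG wraps this in a Relay-Reply for the access node."""
    net = ipaddress.IPv6Network(prefix)
    iaprefix = opt(OPT_IAPREFIX, struct.pack("!IIB", preferred, valid, net.prefixlen) + net.network_address.packed)
    body = opt(OPT_CLIENTID, client_duid) + opt(OPT_SERVERID, server_duid)
    body += opt(OPT_IA_PD, struct.pack("!III", iaid, t1, t2) + iaprefix)
    body += opt(OPT_DNS, b"".join(ipaddress.IPv6Address(d).packed for d in dns_servers))
    body += opt(OPT_RAPID_COMMIT, b"")
    return struct.pack("!B", REPLY) + xid.to_bytes(3, "big") + body


def client_parse_reply(msg):
    """RG: read the delegated prefix(es) and DNS servers out of the Reply."""
    if msg[0] != REPLY:
        raise ValueError("expected Reply")
    opts = dict(parse_options(msg[4:]))
    ia_pd = opts[OPT_IA_PD]
    iaid, t1, t2 = struct.unpack("!III", ia_pd[:12])
    prefixes = []
    for code, data in parse_options(ia_pd[12:]):
        if code == OPT_IAPREFIX:
            preferred, valid, plen = struct.unpack("!IIB", data[:9])
            prefixes.append(f"{ipaddress.IPv6Address(data[9:25])}/{plen}")
    dns = opts.get(OPT_DNS, b"")
    return {"xid": int.from_bytes(msg[1:4], "big"), "iaid": iaid, "t1": t1, "t2": t2, "prefixes": prefixes,
            "dns": [str(ipaddress.IPv6Address(dns[i:i + 16])) for i in range(0, len(dns), 16)]}


if __name__ == "__main__":
    duid = bytes.fromhex("00030001001122334455")                      # constructed DUID-LL
    solicit = build_solicit(0xABCDEF, duid, 1)
    relayed = ldra_relay(solicit, "fe80::1", b"dslam1/0/3:100.200", 9, b"customer-4711")
    print("BNG sees:", bng_view(relayed))
    reply = build_reply(0xABCDEF, duid, b"\x00\x02srv", 1, "2001:db8:aaaa::/56", ["2001:db8:bb::1"])
    print("RG gets:", client_parse_reply(reply))
```

The check in bng_view() is the point of LDRA: the Interface-Id and Remote-Id are only meaningful because the access node, not the subscriber, put them there, so the BNG must read them from the relay wrapper and never from the client's own message.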
-
93/111
ASR1000 dual-stack PPPoE scale (RP2 + ESP20)
  Feature                                   Value
  PPPoEoQinQ dual-stack sessions (PTA)      32,000
  QinQ sub-interfaces                       32,000
  H-QoS on PTA sessions                     32,000
  Per-user ACL                              1 ACE per ACL, input ACL only
  Downstream unicast traffic                2 Gbps (64-byte packets)
  Upstream unicast traffic                  2 Gbps (64-byte packets)
  uRPF                                      enabled per session
  AAA accounting                            Start-Stop accounting
  PPP keepalives (seconds)                  30
  High availability                         SSO
Today (IOS XE 3.6S) we can do much more: per-session CGN NAT44, IPv6 uplink, AVC (DPI), ISGv6, 6VPE VRF, 48K/64K sessions
-
95/111
6rd address format (example with a /32 6rd prefix):
bits 0-32: 6rd IPv6 Prefix (2011:1000)
bits 32-56: Customer IPv6 Prefix = the customer's IPv4 prefix without the leading 10. (24 bits, 1.1.1 in the example)
bits 56-64: Subnet-ID
bits 64-128: Interface ID
In this example, the 6rd Prefix is /32.
Any number of bits may be masked off, as long as they are common for the entire domain. This is very convenient when deploying with a CGSE, but is equally applicable to aggregated global IPv4 space.
-
96/111
Figure: 6rd CEs (IPv4 + IPv6) connect over the IPv4 access network to the 6rd Border Relays, which sit between it and the IPv4 + IPv6 Core/Internet
CE forwarding rule:
IF 6rd IPv6 Prefix positive match (IPv6 destination inside the 6rd domain, e.g. 2001:100 8101:0101 + Interface ID) THEN encapsulate in IPv4 with the embedded address (using normal 6to4 encap)
ELSE (6rd IPv6 Prefix negative match, IPv6 destination outside the 6rd domain, e.g. not 2001:100 + Interface ID) encapsulate with the BR IPv4 Anycast Address
Between Subscriber and Internet Private IPv4 Addr
-
97/111
Between Subscriber and Internet, Private IPv4 Addr
Figure: Subscriber Network (v4+v6) - 6rd RG - IPv4 Access Network - BNG - ISP IPv4 Core - 6rd BR - ISP IPv6 Core - IPv6 Internet
Packet walk in the figure (subscriber to Internet): the RG's IPv6 packet (Source IPv6 Address 3456:789:0003:0101::1, Destination IPv6 Address 2001:4860:0:1001::68, Payload) is encapsulated in IPv4 at the RG with Source IPv4 Address 10.3.1.1 and Destination IPv4 Address 10.100.100.1, the BR anycast address, because the destination is outside the 6rd domain; the 6rd BR decapsulates it and forwards the IPv6 packet through the ISP IPv6 Core to the IPv6 Internet. On the return path the BR copies the RG's IPv4 address out of its 6rd IPv6 address (copy v4 addr from v6) and encapsulates toward 10.3.1.1.
Address Legend:
10.100.100.1 - 6RD BR Anycast Address
10.3.1.1 - RG Private IPv4 Address, obtained via DHCPv4
2001:4860:0:1001::68 - www.google.com IPv6 Address
3456:789:0003:0101::1 - RG IPv6 Address; SP IPv6 Prefix 3456:789/28 obtained via DHCPv4 new option or TR69 (v6 prefix derived from v4 addr)
Between Subscribers Private IPv4 Addr
-
98/111
Between Subscribers, Private IPv4 Addr
Figure: Subscriber Network (v4+v6) - 6rd RG1 - IPv4 Access Network - BNG - ISP IPv4 Core - 6rd BR - ISP IPv6 Core - IPv6 Internet; a second Subscriber Network (v4+v6) behind 6rd RG2 on the same IPv4 Access Network
Packet walk in the figure (subscriber to subscriber): RG1's IPv6 packet (source 3456:789:0003:0101::1, destination 3456:789:0003:0201::1, Payload) matches the 6rd prefix, so RG1 derives RG2's IPv4 address from the destination (v6 prefix derived from v4 addr) and encapsulates it with Source IPv4 10.3.1.1 and Destination IPv4 10.3.2.1; the IPv4 packet crosses the IPv4 Access Network and BNG directly to RG2, without going through the 6rd BR, and RG2 decapsulates it.
Address Legend:
10.3.2.1 - RG2 Private IPv4 Address
10.3.1.1 - RG1 Private IPv4 Address
3456:789:0003:0202::1 - RG2 IPv6 Address, SP IPv6 Prefix 3456:789/28
3456:789:0003:0201::1 - RG1 IPv6 Address, SP IPv6 Prefix 3456:789/28
-
99/111
Security
Anti-spoofing: the 6RD BR checks that the IPv6 source address matches the encapsulating IPv4 source address
The 6RD RG (CPE) likewise verifies that the BR anycast address matches the IPv6 source
QoS
V6 DSCP is automatically copied into V4
QoS pre-classify supported
HA
6RD is stateless, so no SSO is needed at the 6RD BR
We use Anycast (same /32s in IGP, nearest is BR chosen)
Scale and Performance
ASR1000, 7600 (ES+ since 15.1(3)S)
512 6RD Tunnel interfaces (meaning 512 6RD domains)
VRF awareness
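The 6rd prefix mapping from the address-format slide, the CE positive/negative-match forwarding rule and the BR anti-spoofing check above, worked as an added Python example (not Cisco's or the deck's code). It assumes a constructed domain using the slide's 6rd prefix 2011:1000::/32 with the leading 10. (8 bits) masked off, and 10.100.100.1 as the BR anycast address.

```python
import ipaddress
from typing import Optional

# Constructed domain parameters taken from the 6rd slides (not Cisco code): 6rd prefix
# 2011:1000::/32, customers live in 10.0.0.0/8 so the leading "10." (8 bits) is masked
# off, and the BR anycast address 10.100.100.1 comes from the packet-walk legend.
SIXRD_PREFIX = ipaddress.IPv6Network("2011:1000::/32")
IPV4_MASK_LEN = 8                       # bits common to every customer in the domain
IPV4_COMMON = ipaddress.IPv4Address("10.0.0.0")
BR_ANYCAST = ipaddress.IPv4Address("10.100.100.1")
SUFFIX_BITS = 32 - IPV4_MASK_LEN        # IPv4 bits actually embedded (24 here)


def delegated_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """RFC 5969 mapping: 6rd prefix || (IPv4 address minus the masked-off bits)."""
    suffix = int(ipaddress.IPv4Address(ipv4)) & ((1 << SUFFIX_BITS) - 1)
    plen = SIXRD_PREFIX.prefixlen + SUFFIX_BITS          # 32 + 24 = /56 per customer
    base = int(SIXRD_PREFIX.network_address) | (suffix << (128 - plen))
    return ipaddress.IPv6Network((base, plen))


def embedded_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Inverse mapping: the customer IPv4 address carried inside a 6rd IPv6 address,
    or None when the address is outside the 6rd domain (negative match)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXRD_PREFIX:
        return None
    shift = 128 - SIXRD_PREFIX.prefixlen - SUFFIX_BITS
    suffix = (int(addr) >> shift) & ((1 << SUFFIX_BITS) - 1)
    return ipaddress.IPv4Address(int(IPV4_COMMON) | suffix)


def tunnel_destination(dst_ipv6: str) -> ipaddress.IPv4Address:
    """CE forwarding rule: positive match -> encapsulate straight to the embedded
    IPv4 address; negative match -> encapsulate to the BR anycast address."""
    inside = embedded_ipv4(dst_ipv6)
    return inside if inside is not None else BR_ANYCAST


def br_antispoof_ok(outer_src_ipv4: str, inner_src_ipv6: str) -> bool:
    """BR anti-spoofing check: the inner IPv6 source must carry the outer IPv4
    source; anything else (or any non-6rd source) is dropped."""
    derived = embedded_ipv4(inner_src_ipv6)
    return derived is not None and derived == ipaddress.IPv4Address(outer_src_ipv4)


if __name__ == "__main__":
    print(delegated_prefix("10.1.1.1"))                          # 2011:1000:101:100::/56
    print(tunnel_destination("2011:1000:202:200::1"))            # 10.2.2.2 (inside domain)
    print(tunnel_destination("2001:4860:0:1001::68"))            # 10.100.100.1 (BR anycast)
    print(br_antispoof_ok("10.1.1.1", "2011:1000:101:100::1"))   # True
```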
-
100/111
Source: http://home.cisco.com/en-us/ipv6
Goal is a universal dual-stack home gateway (6RD on by default).
-
101/111
Motivation
World IPv6 Launch 6/6/2012
Carrier-Grade NAT
Definition and design
Dual-stack
v4v6, v6-only, NAT64, 464
IPv6 in Mobile
Role in 3G and EPS
IPv6 in Wireline
PPPoE and IPoE sessions
Cisco CGN Products
ASR1000, ASR5000, ASR9000, CRS
-
102/111
CRS
CGSE PLIM + FP40 (NAT44, NAT64, 6RD, DS-Lite)
20M xlates, 1Msps, 20Gbps
ASR9000
ISM Module (NAT44, DS-Lite); BNG NAT44 for PPPoE sessions
20M xlates, 1Msps, 15Gbps
ASR5000
Per-subscriber GGSN/PGW NAPT, Gi Firewall, DPI, charging
120M xlates, 1Msps
ASR1000
Integrated (NAT44, NAT64, 6RD); BNG NAT44 for PPPoE sessions
2M xlates, 100Ksps, 20Gbps
XR12000
CGN Daughter Card for the PRP-3 (NAT44, future NAT64)
10M xlates, 250Ksps, 6Gbps
CGSE Carrier Grade Services Engine
-
103/111
CGSE Carrier Grade Services Engine
Introducing the new engine for massive Cisco CGv6 deployments
CGSE PLIM
20+ million sessions
1+ million sessions per second [sps]
20Gb/s of throughput
Up to 240M xlates (12 CGSEs per chassis) 64K global IPs (100s of thousands of users)
Intra- or Inter-Chassis Redundancy
CGN features
Subscriber port limit
Per L4 protocol/port timers
Static port forwarding
Netflow v9 logging
RTSPv1 ALG
IPv6 preparation
6rd BR (XR 3.9.3)
Stateless NAT64 (XR 3.9.3)
Stateful NAT64 (XR 4.1.2)
DS-Lite, bulk port allocation and syslog (4.2.1)
Destination based logging (4.2.1, 4.3)
Future: PCP, PPTP ALG, MAP
-
104/111
Translation table (Inside -> Outside):
Entry1 10.12.0.29:334 -> 100.0.0.221:18808
Entry2 10.12.0.29:856 -> 100.0.0.221:40582
Entry ..
Figure: Private IPv4 Subscribers on a VLAN interface in the Inside VRF; Public IPv4 on a VLAN interface in the Outside VRF; the CGSE is reached from both VRFs through ServiceApp interfaces (App int)
VRFs separate the Private and Public Routing Tables. Interfaces are associated with a VRF. ServiceApp interfaces are used to send packets to/from the CGSE.
Inside VRF: Dest 0.0.0.0/0 -> AppSVI1; Outside VRF: Dest NAT Pool -> AppSVI2
Timers (per cgn) Default Value
ICMP 60 sec
UDP init 30 sec
UDP active 120 sec
TCP Init 120 sec
TCP active 30 min
Uses a Line Card slot, paired with an FP40
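The translation table, the subscriber port limit and the per-protocol timers on this slide, as an added Python simulation (not CGSE code): the (init, active) timer defaults come from the table above; the public address 100.0.0.221, the port limit and the port range are constructed values.

```python
from collections import defaultdict
from typing import Optional, Tuple

# Default (init, active) timers in seconds, taken from the CGSE timer table on this slide.
TIMERS = {"icmp": (60, 60), "udp": (30, 120), "tcp": (120, 1800)}

class Cgn:
    """Constructed NAPT44 state table (not CGSE code): per-subscriber port limit,
    per-protocol timers, and a log line per translation add/delete."""

    def __init__(self, public_ip: str, port_limit: int = 2048, first_port: int = 1024):
        self.public_ip, self.port_limit = public_ip, port_limit
        self.next_port = {p: first_port for p in TIMERS}   # fresh public ports, per protocol
        self.free = {p: [] for p in TIMERS}                 # released public ports, per protocol
        self.table = {}      # (proto, private_ip, private_port) -> [public_port, expires_at]
        self.ports_used = defaultdict(int)                  # private IP -> ports currently held
        self.log = []

    def _alloc(self, proto: str) -> Optional[int]:
        if self.free[proto]:
            return self.free[proto].pop()
        port, self.next_port[proto] = self.next_port[proto], self.next_port[proto] + 1
        return port if port <= 65535 else None             # public pool exhausted

    def expire(self, now: float) -> None:
        """Tear down every translation whose timer has run out and release its port."""
        for key in [k for k, v in self.table.items() if v[1] <= now]:
            port = self.table.pop(key)[0]
            self.free[key[0]].append(port)
            self.ports_used[key[1]] -= 1
            self.log.append(f"{now} DEL {key[0]} {key[1]}:{key[2]} -> {self.public_ip}:{port}")

    def translate(self, proto: str, src_ip: str, src_port: int, now: float) -> Optional[Tuple[str, int]]:
        """Outside (ip, port) for an inside flow, or None when a limit is hit (packet dropped)."""
        self.expire(now)
        init, active = TIMERS[proto]
        key = (proto, src_ip, src_port)
        if key in self.table:                               # established flow: refresh active timer
            self.table[key][1] = now + active
            return self.public_ip, self.table[key][0]
        if self.ports_used[src_ip] >= self.port_limit:
            self.log.append(f"{now} DROP {proto} {src_ip}:{src_port} port-limit {self.port_limit}")
            return None
        port = self._alloc(proto)
        if port is None:
            return None
        self.table[key] = [port, now + init]
        self.ports_used[src_ip] += 1
        self.log.append(f"{now} ADD {proto} {src_ip}:{src_port} -> {self.public_ip}:{port}")
        return self.public_ip, port
```

With a port limit of 2, a subscriber's third concurrent flow is dropped until one of its earlier translations times out; the log then shows the DEL entry followed by a fresh ADD reusing the freed capacity.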
-
105/111
Figure: CRS Service Engine PLIM (Octeon CPUs, Accel FPGA, iPSE/ePSE) connected over the midplane to the Modular Services Card (FP40, MSC20, MSC40: PLA, IngressQ, FabQs, EgressQ) and the fabric
Modular Services Card: FP40, MSC20, MSC40
Service Engine PLIM
Octeon CPUs
Supports 20 Gbps aggregate bandwidth
20M NAT44 Translations
15M NAT64 Translations
1M sps
Uses a line card slot, connects via the fabric
-
106/111
ISM supports 10 Gbps aggregate bandwidth
20M NAT44 Translations (today)
15M NAT64 Translations (planned)
1M sps
Figure labels: Backplane, I/O Hub, Bridge, Application CPUs (Intel), 24Gb, 24Gb, Application Memory, Bridge, Fabric ASIC, Modular Expansion Cards (2), ISM Mgmt CPU
Daughter card on GSR PRP-3
-
107/111
SMDC supports 10 Gbps aggregate bandwidth (~6Gbps NAT)
10M NAT44 Translations (today) 7M NAT64 Translations (planned)
250K sps
SMDC (Service Module Daughter Card)
PRP-3 (fast CPU, 8GB DRAM, 80GB HD)
SMDC is field replaceable
Dual PRP-3: 1:1 redundancy
-
108/111
The numbers in the table are based on a few NAT pools.
The maximum number of NAT pools supported is 1200 on an ESP20/ESP40, 600 on an ESP10 and 300 on an ESP5, but session scalability is unknown as the number of NAT pools scales.
ASR 1000 supports up to 16k static NAT entries in a single-RP system or inter-box HA
ASR 1000 supports up to 4k static NAT entries in a redundant-RP system
Supports up to 1K VRFs for VRF-aware NAT
Maximum interface support is not limited by NAT
Maximum ACL is not limited by NAT, but by the standard TCAM ACL limit
Route-map scaling maximum is 1024
ESP Type | Session Scalability | Forwarding Performance | Translation Setup/Teardown Rate (xlat/sec)
ESP5/ASR1001 | 256k | 3Mpps | 50k
ESP10 | 1M | 6Mpps | 100k
ESP20 | 2M | 8Mpps | 200k
ESP40 | 2M | 9Mpps | 200k
-
109/111
ESP Type | Session Scalability | Forwarding Performance | Translation Setup/Teardown Rate (xlat/sec)
ESP5/ASR1001 | 256k | 2Mpps | 70k
ESP10 | 1M | 4.2Mpps | 100k
ESP20 | 2M | 5.5Mpps | 175k
ESP40 | 2M | 5.5Mpps | 180k
Supports a maximum of 16k static entries
Maximum interface support is not limited by NAT64
Maximum ACL is not limited by NAT64, but by the standard TCAM ACL limit.
Stateful HA is possible; by default it is disabled for the short-lived HTTP port tcp/80 and is enabled with:
nat64 switchover replicate http enable port 80
-
110/111
World IPv6 Launch 6/6/12
IPv4 exhaust business continuity
CGN role and definition, RFC4787
CGN performance: SPS, # of sessions, logging
Dual-stack in Mobile and Wireline networks
NAT64: Avoiding Dual-Stack
Future 464 traversal technologies
Related Cisco Products
-
111/111
Thank you.