Extend IPv4 and Ease the Transition to an IPv6 World

Post on 02-Feb-2022

Always Secure. Always Available.

Confidential | Do Not Distribute 2

Market Trends

Exponential Rise in Devices, Users & Traffic

Extend IPv4 & Mitigate to IPv6

Internet Traffic | Digital Content | IPv6 Content | Internet of Things

• Mobile subscribers: 5.8 billion by 2025, 70% of global population

• IPv6 adoption: 30% of users access Google via IPv6, as of Dec. 2019 (Source: Google)

• IP traffic per month: by 2025, monthly traffic will be 560 EB, 3X larger than 2019 (Source: Ericsson Mobility Report, Q4 2019)

• Total of connected devices: by 2025, the total IoT devices connected to the Internet will reach 25 billion (Source: GSMA, Mobile Economy 2020)

Depletion of IPv4 Address Space

• ARIN’s free pool of IPv4 addresses depleted in September 2015

• Waiting list for IPv4 addresses

• Allocation of maximum-size aggregate limited to /22

• Average price increased over 4X in last five years

Average Price of IPv4 Address

• 2015: $6

• 2018: $17

• Mar-19: $18

• Apr-20: $20-$25

Source: Heficed, IPv4Marketgroup

“Field experts and RIRs I have been talking to predict that one IPv4 address might be sold for as much as 35 dollars in the future.”

Vincentas Grinius, CEO of Heficed, an IP address-centric company

Status of IPv6 Adoption

• Percentage of users that accessed Google over IPv6:

  • <1% (Jan 2012)

  • 29.85% (April 5, 2020)

IoT – Ultimate Driver for IPv6 Global Adoption

[Figure: BYOD in enterprise & Internet: connected car, ebook, game console, mobile, digital weight scale, surveillance camera, digital DVD recorder, heart rate monitor, TV anywhere]

• IP Address Proliferation:

  • More users, devices & applications

  • BYOD in enterprise & smart homes

• Internet of Things Adoption

  • 93% of enterprise will adopt IoT Technology

  • Every second, 127 additional IoT devices are connected to the Internet

• Massive acceleration towards IPv6

  • 80% of US smartphones use IPv6

  • IPv6 advantages for IoT

    • 340 undecillion addresses available

    • Preserves battery life of IoT devices

    • Reduces administrative and maintenance burden

What Network Operators Want

Extend the Life of IPv4 Network Infrastructure

Flexible Deployment Options for IPv6 Migration

Integrated DDoS Security

Efficient Network Transformation

A10 Thunder CGN Solution

Carrier Grade Networking

High-Performance IPv4 Preservation and IPv6 Transition Technologies

Extend the Life of IPv4 Network Infrastructure

Application Reliability & Security

Flexible Deployment Options for IPv6 Migration

Secure, Always-on Experience With Lower Total Cost of Ownership (TCO)

A10 CGN Capabilities

High-Performance IPv4 Preservation and IPv6 Transition Technologies

Carrier Grade Networking

Extend IPv4

Application Reliability & Security

IPv6 Transition

Visibility - sFlow, Netflow, aXAPI, CGN Logging, CEF, Analytics, One-DDoS Detection

Comprehensive Feature Set

• Standardized CGNAT

• Comprehensive IPv6 migration techniques

• Integrated DDoS protection

• Application & Subscriber awareness

High Performance

• 384M concurrent sessions

• 385 Gbps throughput

• Cluster of up to 3.08 Tbps

Efficient & Flexible Form Factors

• Physical, Containers, Bare Metal & Virtual

• Scaleout cluster

• Best industry footprint: 1-3 RU

• All inclusive license

A10 Thunder CGN Portfolio

Flexible Deployment Options

CGN

Note: For the complete range of CGN products refer to the Datasheet

200 Mbps to 100 Gbps

Virtual

Bare Metal

Appliances

5 Gbps to 385 Gbps 10 Gbps to 60 Gbps

Containers

Up to 180 Gbps

• High-performance appliance for your most demanding requirements

• Thunder SPE Appliances: Security and Policy Engine (SPE) delivers ultra-high-speed security and policy enforcement

• Container native deployment (Docker, Kubernetes)

• FlexPool licensing

• Customer choice of off-the-shelf hardware

• FlexPool licensing

• VMware, Hyper-V & KVM hypervisors

• KVM: DPDK, SR-IOV, PCI Passthrough

• FlexPool licensing

Advanced Core Operating System (ACOS)

Key Components

IPv4 Preservation – Leverage Existing IPv4 Infrastructure

• Uses CGNAT (Carrier-Grade NAT) feature

• Allows oversubscribing limited IPv4 addresses

• Transparent IPv4 connectivity

• Enables providers to limit ports per subscriber

• Seamless user experience

[Diagram labels: Thunder CGN; Consumer NAT/Private IPv4 Address; Private/CGN Scoped IPv4 Address; Enterprise NAT44; Service Provider NAT444; Mobile Provider NAT44; Service Provider or Enterprise IPv4 Network; Public IPv4 Address; IPv4 Internet]

IPv6 Migration – Broad Transition Options

• Ensures IPv6 <-> IPv4 communication with various encapsulation or translation mechanisms

• Interplay for phased transition

• Seamless user experience

• Preservation and migration solutions:

  • 6rd, Stateful NAT64/DNS64, Stateless NAT46, DS-Lite/LW4o6, MAP-T and MAP-E

[Diagram labels: Clients 6rd; 6rd/DS-Lite/NAT64/DNS64/MAP-T/MAP-E; Clients MAP-T MAP-E; DS-Lite/LW4o6; Clients NAT64/DNS64; Internet; Thunder CGN]

IPv6 Migration – Supported Technologies

• Encapsulation:

  • 6rd

  • DS-Lite

  • LW4o6

  • MAP-E

• Translation:

  • NAT64/DNS64

  • NAT46

  • MAP-T

[Diagram: IP version (IPv4 or IPv6) at each stage (Subscriber, Access/Core, Translation, Destination) for 6rd, NAT64/DNS64 (Stateful), Stateless NAT46, DS-Lite/LW4o6 and MAP-T / MAP-E; destinations shown are the IPv4 Internet and the IPv6 Internet]

Integrated DDoS Protection for CGNAT IP Pools

• Protect network infrastructure and CGN device

  • Volumetric traffic to the network device and public/IP NAT pools

  • Attackers target well known ports

• Protect against attacks from outside

  • Traffic to internal host and service behind NAT

  • Need to inspect good and bad traffic destined to internal hosts and services

• Protect against attacks from inside

  • Traffic from compromised internal host

Application Integrity

ALG support for legacy and emerging apps

• Encapsulating Security Payload (ESP)

• File Transfer Protocol (FTP) Enabled by default

• H.323 standard (H323)

• Media Gateway Control Protocol (MGCP)

• Point-to-Point Tunneling Protocol (PPTP) Generic Routing Encapsulation (GRE)

• Real Time Streaming Protocol (RTSP)

• Session Initiation Protocol (SIP)

• Trivial File Transfer Protocol (TFTP)

Provides necessary visibility into packet payload

Protocols carrying apps remain functional

Superior Logging Capability

• Logging and LEA Compliance

  • Compliance with Law Enforcement Agency (LEA) requests

  • Tools for high-speed logging that dramatically minimize log volume

  • Security: Identify hackers by IP

  • Traffic mirroring

• High Availability for Business Continuity

  • Stateful session synchronization

  • Ensures active sessions maintained during failover

  • Meet Service Level Agreements (SLA) and user satisfaction

CGNAT Scaleout – Traffic Distribution

• “Add as you grow” capability

• Cluster of up to 8 devices

• Expand NAT pool capacity

• Increase performance and scale

• Built-in high availability with seamless failover without service interruption

CGNAT Cluster

Outbound traffic distribution by upstream node using ECMP hash

Inbound traffic arrives on a specific cluster node based on advertised NAT address route

Users/ Subscribers

Internet

BGP is used to send traffic to upstream

Ease of Use & Management

Command Line Interface (CLI)

DevOps/NetOps Ready

Graphical User Interface

Harmony Controller Centralized Management & Visibility

• Fewer screens and steps for tasks

• Intuitive and easy to use

• Familiar command structure

• Easy to use, comprehensive help

• Extensive APIs and full operations management tools

• For control, programmability and troubleshooting

A10 Harmony Controller

Alerts and Events

CGN Analytics

Traffic Metrics

Infrastructure Health

Data Center Private Cloud Public Cloud

HARMONY CONTROLLER

API

Device Configuration

Monitoring Rules

Traffic Policies

Security Policies

Thunder CGN

Centralized Management

CGN Service Analytics

Workflow Automation

Orchestration

Harmony: CGNAT Real-Time Analytics

Subscriber Session Insights

• Average number of active subscribers

• Session opening/closing rates - Behavioral indicators of potential DDoS attack

• Traffic throughput and packet rate for both uplink and downlink traffic

CGNAT & Infrastructure Resource Tracking

• Mappings per protocol & technology - Behavioral indicators of potential botnet DDoS attack

• Utilization of Control CPU, Data CPU & Memory over period of time along with peak values

• Real-time analytics summarizing key performance indicators

Quick Summary

Harmony: CGNAT Troubleshooting Simplified

Top Consumers of Network Resources

• Top subscribers with IPv4 addresses in Uplink or Downlink sorted by volume, packets, and sessions, calculated using sampled logs sorted as per time and percentage.

• User Quota Exceeded: The time series and histogram for user session quota exceeded by quota types: TCP, UDP, ICMP, Extended, Data Sessions or Session Rate.

Port Mapping Analytics

Throughput Time Series

• Throughput time series for total traffic or protocol traffic filtered by Uplink or Downlink measured on subscriber side.

The Synergy in Deploying ADC, CGN & Firewall Together

All-inclusive License with Thunder CFW

• Operational Simplification & Accelerated Rollout- Reduced TCO

• Flexible CGN deployment by Reducing Spares - Cost Effective

• Single-Vendor Solution – Troubleshooting Made Easier

Data Center

Thunder CFW

Competitive Overview

A10 | Alternatives

• Basic CGNAT

• Advanced CGNAT (Sticky NAT, User quotas, EIM/EIF, Hairpinning, Protocol Port Overloading, Fixed-NAT etc.): Partial

• Rich IPv6 migration options (NAT64/DNS64, 6rd, DS-Lite, LW4o6, EIM/EIF etc.): Partial

• High performance/price: Partial

• Flexible deployment options (physical, container, bare-metal, virtual): Partial

• Small footprint, power & cooling

• Integrated DDoS protection for NAT pools

• Large number of partitions without additional licensing cost: Partial

A10 HELPS SKT ACHIEVE 5G LEADERSHIP

• Largest MNO in South Korea

  • First to launch 5G in April 2019

  • All 5G Traffic goes through A10

  • Worked with A10 for CGNAT in 4G LTE network

• Challenges for 5G Launch

  • Support devices that still used IPv4 addressing, while providing a clear migration path to IPv6 at the edge.

  • Needed consolidated CGN and security solution that would seamlessly integrate with its new vEPC

• Stringent Functional Requirements

  • Consolidated CGNAT and Security (NAT64/464XLAT)

  • Seamless integration with vEPC

  • 200 Gbps + 135M CPS

  • Stringent low latency

  • Support 1M subs/square kilometer

• Solution Elements

  • CGN (with CFW)

  • GiFW (with CFW)

  • Harmony Controller

  • Thunder ADC

“A10 Networks’ high reliability, which was proven in our 4G/LTE service network over the past years has shown the best performance in handling not only NAT44 but also NAT64 traffic with no service interruptions. A10 Networks was the only solution that satisfied 100 per cent of our requirements.”

Se Wook Kim, Director of the Core Engineering Team, SK Telecom

“The higher performance and more advanced features of the A10 Networks Thunder CFW PNF were a key part of our conclusion so we could guarantee the quality of services”

Thunder CGN

Summary: Comprehensive IPv4 Preservation & IPv6 Migration Options

• Extend the life of IPv4 network infrastructure

• Provides flexible deployment options for IPv6 migration

• Security with integrated DDoS protection

• Superior logging capability

• Best-in-class performance scalability

• Efficient & flexible form factors

[Figure labels: Flexible IPv6 Migration Options; Integrated DDoS Protection; Extend IPv4 @scale; Efficient & Flexible Form Factors]

Thank You

The A10 Advantage

CGN Use Cases

Use Case: Stadium Wireless/Mobile Offload

DNS Load Balancing for IP address management (IPAM)

Subscriber authentication and authorization, Logging

Carrier Grade Network Address Translation (CGNAT)

Use Case: Client Security Camera Access

Port Control Protocol / Layer 7 URL switching

Carrier Grade Network Address Translation (CGNAT)

Use Case: Smart Meter Telemetry (IoT Utility)

Ensure IPv6 only smart meters access to IPv6 server nodes over IPv4 cloud

Secure tunneling mechanism for IPv6 end-points to talk over an IPv4 infrastructure

[Diagram labels: IPv6 Only Smart Meters; IPv6 Servers; Thunder CFW; 6in4 Tunneling Support over IPsec]

Real World Case Studies

Why A10?

• Small footprint (1RU), lower power consumption: 30% OPEX reduction

• Higher NAT session capacity

• HA session synchronization – no service interruptions

• Feature rich

• Dynamic deep packet buffer for micro-burst traffic flows

• Highly reliable and stable

• < 0.1% of field failure rate

Largest Mobile Network Operator in Korea

Challenges

• Future proof IPv6 migration solution

• Preparing for 5G services launch

• Procure cost effective network infrastructure

Results

• Deployed 64-bit 1U appliances with standard CLI, intuitive GUI

• Proposed “Thunder 4430S for Mid-Range” & “Thunder 6430 for Large Capacity”

• HA pair with stateful and fast failover ensures constant connectivity

• Utilized A10 CGN for NAT44 & NAT64/464XLAT

• QPS Provider (Quadruple Play Services: Voice, Broadband, IPTV & Mobile)

• 25M smart device subscribers

INTERNAL ONLY

CASE STUDY

IPv4 Preservation / IPv6 Migration Solution

[Diagram labels: PGW (x4); SGi-BB; HA]

One of the Largest Mobile Network Operators in Asia

Challenges

• Required reliable security SGi Firewall System to protect Mobile Core

• Consistent 60 Gbps+ throughput with advanced features

Why A10?

• Met SGi Firewall RFP requirements for advanced HA, firewall Logging, integrated security and v4/v6 Support

• Customer tests showed superior performance vs two leading competitors

  • Including ~60/~80% lower latency, ~40/~80% less CPU Utilization

• All-inclusive license and converged functionality for lower TCO

INTERNAL ONLY

Business Profile

• Tens of millions of Smart Phone Subscribers (4G LTE + 3G)

• Quad-Play Services Provider (Voice + Broadband + IPTV + Mobile)

CASE STUDY

Why A10?

• Proven install base of CGN customers worldwide

• Throughput of 75Gig at 50% CPU utilization with CPS at 150K

• Efficient scaling to support large and growing subscriber base

• Better price performance over F5 demonstrated with Thunder 6630

Largest LTE Operator in APAC

Challenges

• Scale existing IPv4 services for growing smartphone usage

• Overcome exhaustion of public IPv4 addresses

• LSN deployment for LTE & Wi-Fi Subscribers

• Installed F5 VIPRION 2400 Chassis for CGN did not deliver on committed throughputs

Results

• Solution deployed in Active-Active with N+M Architecture (N = Active & M = Backup)

• NAT 44 (LSN) will be deployed today & IPv6 Migration will be deployed in future (NAT 64, XLAT)

• MAP-T planned for next phase FFTX deployment

• NAT session logging as per government regulations

• All-IP Network providing high speed mobile internet services including video, email and web

INTERNAL ONLY

CASE STUDY

[Diagram labels: EPC; IMS/OTT; Switch 1; Switch 2; Service Router 1; Service Router 2; A10-1 (N) to A10-5 (N); IBR; Aggregation Router; CGN Syslog Server; Nexus Switch]

SKYCable CGNAT

Challenges

• Address imminent IPv4 address exhaustion

• Procure cost effective network infrastructure

• Future proof solution for future IPv6 migration

• Required small datacenter footprint

Results

• Deployed 64-bit 1U appliances with standard CLI, intuitive GUI

• Utilized A10 CGN to secure needed IPv4 address expansion

• Subsequently added A10 ADC offerings for server load balancing

• Largest cable provider in the Philippines with 500K subscribers

• Introduced SKYBroadband Internet service with 200Mbps speeds

INTERNAL ONLY

CASE STUDY

Large North American Mobile Carrier

Challenges

• Scale existing IPv4 services for growing smartphone usage

• Overcome exhaustion of public IPv4 addresses

• Ensure smooth migration to IPv6

• Provide app transparency for peer-to-peer and streaming

Results

• HA pair with stateful and fast failover ensures constant connectivity

• Reduced required public IPv4 usage by 90 percent

• Transparent apps support enabled P2P and client/server apps

• 10X scalability advantage with 256 million concurrent sessions

• Plans to implement NAT64/DNS64 for IPv6 clients/IPv4 content

• Provide high value services including video, email and web

INTERNAL ONLY

A10 consolidates private IPs to a fraction of public IPv4 addresses

IPv4 Internet

Thousands of private IPv4 addresses

Mobile carrier’s private IPv4 network

IPv6 addresses

Mobile carrier’s private IPv6 network

A10 translates to IPv4 addresses

IPv4 Internet

192.0.n.n

2001:0DB8:AC10:FE01

2001:0DB8:AC10:FE02

2001:0DB8:AC10:FE03

2001:0DB8:AC10:FFFE

CASE STUDY

Thank You

The A10 Advantage

Additional Slides

How CFW Protects Mobile Environment

• Gi/SGi Firewall to protect the mobile core against attacks from the internet

• GTP, SCTP Firewall to protect EPC/MME infrastructure

• GTP Firewall to protect mobile core from attacks originating from mobile devices (rate-limiting)

• IPsec to secure cell-site traffic for Mobile Backhaul Protection

• IPsec to enforce Wi-Fi offload interconnect protection

• High performance firewall with integrated CGN, DDoS protection & high-scale IPsec VPN termination

• Low Footprint

• High Throughput

• Higher Connections Per Sec (CPS) and concurrent connections

• CGNAT with ALG support

• Fast connections with low latency & lower CPU utilization

• GTP, SCTP protocol support

• IPsec VPN support

THE NEED

Carrier-class Firewall with the following:

KEY METRICS

Efficient Gi-LAN with GiFW

[Diagram labels: SUBSCRIBER AWARENESS; INTELLIGENT TRAFFIC STEERING; THUNDER CFW; Gi/SGi LAN Consolidation; EPC; Internet; SGW; PGW; MME; eNB, gNB; DPI; FIREWALL; CGNAT; Gi/SGi FIREWALL; THUNDER CFW WITH INTEGRATED FIREWALL, CGNAT, DDoS PROTECTION & APPLICATION VISIBILITY; ADC; EPDG]

Advantages of Consolidation

Optimized Infrastructure

• Compute: Single Lookup

• Memory: Single Session table

• Increases performance

• Optimum use of hardware platforms

Lower TCO (1)

• Lower CapEx:

  - Higher performance/device (thus fewer devices)

  - Flex pricing (bandwidth, subscriber)

  - up to 15%

• Lower OpEx:

  - via consolidation of NF’s & automation (ML): 35%

Lower Latency

• Single hop network

• Consolidated ALG application

(1) Note: Reference White Paper by Ericsson “Dual Mode Core: TCO Benefits”, Consolidation of NF into one VNF yields up to 15% capex reduction and 35% in opex

Orion 5G Security Suite

[Diagram labels: Gi-LAN; gNB; eNB; GRX/IPX; MEC (Edge Cloud); Virtual Evolved Packet Core]

Continuous Leadership In Cloud Native Technology

• 2019 Product Announcements

  • 180 GBPS Firewall Container

  • 100 GBPS Virtual DDoS Protection

  • Zap – behavioral

  • High Performance VNFs across Portfolio

  • Expanded CFW Suite - Now Shipping

    • Carrier Class Firewalls – SGi, GTP/Roaming, EPC

    • Security Gateway

    • GTP Director

FlexPool – Capacity Pool Licensing

• Flexible Allocation

  • Shared capacity pool

  • Dynamically scale capacity (no reboot required)

  • User defined instance sizes

• Investment Protection

  • License portability

  • Eliminate overprovisioning

  • Software upgrades & maintenance included

Aligns Consumption with Business Needs