ipv4 exhaustion: nat and transition to ipv6 · cisco public 22 towards ipv6 …with or without ipv4...
TRANSCRIPT
IPv4 Exhaustion:NAT and Transition to IPv6 for Service Providers
Rajiv Asati, Distinguished Engineer, Cisco
BRKSPG-2602
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How
cs.co/ciscolivebot#BRKSPG-2602
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv4 – ClassicBut spare parts have run out
5BRKSPG-2602
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv6 – Next Gen Getting to full parity and end-end use takes time
6BRKSPG-2602
Caution:
New road
may be
needed
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Transition TechnologiesDriving your classic IPv4 (or next gen IPv6) around
7BRKSPG-2602
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Abstract
• Any service provider that has exhausted its IPv4 address pool, will not only have to deploy/offer IPv6, but also employ IPv4 sharing. This is because chunk of content may be reachable only via IPv4 internet, even though majority is available via IPv6 internet.
• This session discusses few mechanisms such as MAP-T/E, 464XLAT, DS-Lite and CGN 64/44 etc. that facilitate IPv4 sharing with and without IPv6. It contrasts stateful and stateless translation techniques as well.
• 6rd is included for reference as well.
• This session is intended for Service Providers.
8BRKSPG-2602
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 9BRKSPG-2602
IPv6 Adoption Continues to increase…
Source: https://www.akamai.com/ Source: https://www.google.com/
• Goal of Transition Technologies
• Overview of Transition Technologies
• Single-Stack
• Dual Stack – Impact ( & Happy Eyeballs)
• IPv4 Address Sharing - Impact
• CGN 44, DS-Lite, 6rd, MAP
• CGN 64 for IPv6-only
• Conclusion
Agenda
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Recommended Approach for IPv6
• Dual-Stack to the hosts *
• Hosts: Windows, OSX, iOS, Android, Linux etc.
• Routers: IOS, XR, NXOS etc.
Dual-Stack Deployment (per IETF RFC 4213)
IPv4+IPv6 Hosts (Dual Stack)
IPv4+IPv6
Network
BRKSPG-2602 12
* RFC7755 now suggests Single-stack IPv6 for DC
IPv4 and/or IPv6 Destinations
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Recommended Approach for IPv6
• Dual-Stack to the hosts *
• Hosts: Windows, OSX, iOS, Android, Linux etc.
• Routers: IOS, XR, NXOS etc.
Dual-Stack Deployment (per IETF RFC 4213), since 2005
Source – Desktop Operating System, Netmarketshare, Jan’14-Dec’16
BRKSPG-2602 13
Source – Mobile Operating System, Statistica, Jan 2017
~90% of Desktop hosts
and ~99% of Mobile hosts
support Dual-Stack
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Recommended Approach for IPv6
• Dual-Stack to the hosts *
• Hosts: Windows, OSX, iOS, Android, Linux etc.
• Routers: IOS, XR, NXOS etc.
• But note…
• IPv4 exhaustion is underway• Every host can NOT be assigned a public IPv4 address
• Two protocol stacks to be managed in network
Dual-Stack Deployment (per IETF RFC 4213)
IPv4+IPv6 Hosts (Dual Stack)
IPv4+IPv6
Network
BRKSPG-2602 14
* RFC7755 now suggests Single-stack IPv6 for DC
IPv4 and/or IPv6 Destinations
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv4 Address Depletion Causes Impact differently
• The ISP Impact:
• Lack of IPv4 addresses for users
• Harder to grow the business
• The User Impact (explicit or implicit):
• IP reputation (more on this later)• IPv4 address sharing
• Breaks applications
• Complicates operating servers
• Limits UDP/TCP ports per user
• IPv6 enabled services are catching up
BRKSPG-2602 15
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Transition Technologies
• How do we migrate from IPv4 to IPv6?
• Short term1: can’t enable IPv6 immediately, need more IPv4 (or share IPv4)
• Short term2: enable IPv6 immediately, need more IPv4 (or share IPv4)
• Long term: simple network, single protocol – IPv6
• What does this really mean?
• IPv6 to co-exist with IPv4
• IPv4 address sharing to become wide-spread
• IPv6 to interoperate with IPv4
17BRKSPG-2602
Transition technologies pave the way to move from
IPv4 to IPv6
• Goal of Transition Technologies
• Overview of Transition Technologies
• Single-Stack
• Dual Stack – Impact ( & Happy Eyeballs)
• IPv4 Address Sharing - Impact
• CGN 44, DS-Lite, 6rd, MAP
• CGN 64 for IPv6-only
• Conclusion
Agenda
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
?
19BRKSPG-2602
Towards IPv6 …with or without IPv4Transition Technologies in One Slide
This is
where
we are:
Mostly
IPv4 &
Address
Run-out
1. CGN = Carrier Grade NAT - Stateful
2. Modified to support DS-Lite
This is
where
we
have to
be:
Mostly
IPv6;
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
?Obtain More IPv4 Addresses
20BRKSPG-2602
Towards IPv6 …with or without IPv4Transition Technologies in One Slide
This is
where
we are:
Mostly
IPv4 &
Address
Run-out
IPv4
IPv6
Dual
Stack
MAP
CGN
Share IPv4 Addresses
1. CGN = Carrier Grade NAT - Stateful
2. Modified to support DS-Lite
CGN
44
+
Dual
Stack
CGN
44*
+
DS-
Lite
CGN
64
+
Single
-Stack
6rd
CGN
44
+
6rd
(Dual-
Stack)
This is
where
we
have to
be:
Mostly
IPv6;
Dual
Stack
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 22BRKSPG-2602
Towards IPv6 …with or without IPv4Transition Technologies in One Slide
OptionsCPE LAN
IPv4 or IPv6
CPE WAN
IPv4 or IPv6
Tunnel or
Translate?
In-network
“State”?
Arbitrary IP
addressing of
CPE?
Extra CPE
features?
0 Single-Stack IPv4 IPv4 -NA- -NA- Yes No
1 Dual-Stack IPv4 + IPv6 IPv4+IPv6 -NA- -NA- Yes No**
2 Single-Stack IPv4 IPv4 Translate Yes (CGN44) Yes No
3 Dual-Stack IPv4 + IPv6 IPv4+IPv6 Translate Yes (CGN44) Yes No**
4 DS-Lite IPv4 + IPv6 IPv6 Both Yes (CGN44) Yes Yes
5 6rd IPv4 + IPv6 IPv4 Tunnel No No Yes
6 6rd + CGN IPv4 + IPv6 IPv4 Both Yes (CGN44) No Yes
7 MAP IPv4 + IPv6 IPv6 Either No Yes* Yes
8 Single-Stack IPv6 IPv6 Translate Yes (CGN64) Yes Yes|No
* Allows both arbitrary and algorithmic mapping
** Changes needed if IPv6 is not supported by existing CPE
• Goal of Transition Technologies
• Overview of Transition Technologies
• Single-Stack IPv4 – Obtain more IPv4
• Dual Stack – Impact ( & Happy Eyeballs)
• IPv4 Address Sharing - Impact
• Single-Stack IPv4 – CGN 44, 6rd
• Single-Stack IPv6 – DS-Lite, MAP
• Single-Stack IPv6 – CGN 64
• Conclusion
Agenda
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
0. Obtain IPv4 AddressesHost/CPE gets just IPv4 prefixes
This is
where
we are:
Mostly
IPv4 &
Address
Run-out
Dual
Stack
MAP
CGN
Share IPv4 Addresses
BRKSPG-2602 24
CGN
44
+
Dual
Stack
CGN
*
+
DS-
Lite
CGN
64
+
Single
-Stack
6rd
CGN
44
+
6rd
(Dual-
Stack)
This is
where
we
have to
be:
Mostly
IPv6;
Obtain More IPv4 Addresses
IPv4
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
0. Obtain IPv4 Addresses
• Obtain IPv4 addresses from Regional Internet Registry (RIRs) or open market
• RIR: May Not have any left.
• Open market: USD $10-$15 per IPv4 address
• IPv6, well, is optional
• ADVANTAGES:
• No CGN, no address sharing, no operational changes
• No need to press for IPv6 deployment
• DISADVANTAGES :
• If business growing, delaying the inevitable
• Geo-location needs to be updated (mileage varies)
• No IPv6 deployed
• Reputation might be bad
BRKSPG-2602 25
• Goal of Transition Technologies
• Overview of Transition Technologies
• Single-Stack IPv4 – Obtain more IPv4
• Dual Stack – Impact ( & Happy Eyeballs)
• IPv4 Address Sharing - Impact
• CGN 44, DS-Lite, 6rd, MAP
• Single-Stack IPv6 & CGN 64
• Conclusion
Agenda
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
1. Dual-StackHost/CPE gets both IPv4 and IPv6 prefixes
This is
where
we are:
Mostly
IPv4 &
Address
Run-out
Dual
Stack
MAP
CGN
Share IPv4 Addresses
BRKSPG-2602 27
1. CGN = Carrier Grade NAT - Stateful
2. Modified to support DS-Lite
CGN
44
+
Dual
Stack
CGN
*
+
DS-
Lite
CGN
64
+
Single
-Stack
6rd
CGN
44
+
6rd
(Dual-
Stack)
This is
where
we
have to
be:
Mostly
IPv6;
Obtain More IPv4 Addresses
IPv4
IPv6
Dual
Stack
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
1. Dual StackThe Reality
• Reality: More and more IPv4 address sharing (NAT, MAP)
• Covered in co-existence section later on.
• Hosts should prefer IPv6 to IPv4
• Generally necessary
• Without this preference, IPv4 would persist until IPv4 is turned off
• But what if IPv6 is broken? Overloaded???
• IPv6 peering is down ...
• Tunnel is down ...
• (Microsoft IPv6 NCSI is down....)
IPv6 Road
BRKSPG-2602 29
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
1. Dual StackDo I use IPv6 or IPv4 ?
• Dual-stack client connecting to dual-stack server
• IPv6 is preferred by default (RFC6724)
• If IPv6 is slower, then users blame IPv6 and may disable IPv6!
• IPv6 better not be slower than IPv4
• Who can guarantee that !
• What if IPv6 is broken altogether?
• What if IPv6 is broken to few websites?
BRKSPG-2602 30
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
1. Dual StackProblem: IPv6 is Broken or slower to a certain website !
BRKSPG-2602 31
Unhappy
user
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
1. Dual StackSolution – Happy Eyeballs (RFC6555)
BRKSPG-2602 32
Note: Slight Preference is given to IPv6 connection
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
1. Dual StackSolution – Happy Eyeballs Optimization (RFC6555/ RFC8305)
BRKSPG-2602 33
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
1. Dual StackSolution – Happy Eyeballs Optimization (RFC6555/ RFC8305)
BRKSPG-2602 34
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
1. Dual StackSolution – Happy Eyeballs Optimization (RFC6555/ RFC8305)
BRKSPG-2602 35
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
1. Dual StackSolution – Happy Eyeballs Optimization (RFC6555/ RFC8305)
BRKSPG-2602 36
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
1. Dual StackSolution – Happy Eyeballs Optimization (RFC6555/ RFC8305)
BRKSPG-2602 37
Happy
user
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
1. Dual-StackHappy Eyeballs (RFC6555 and RFC8305)
• Users are happy
• Aimed initially at web browsing
• Web browsing is the most common application
• Fast response even if IPv6 (or IPv4) path is down
• Network administrators are happy
• Users no longer trying to disable IPv6
• Reduces IPv4 usage (reduces load on CGN)
• Content providers are happy
• Improved geolocation and DoS visibility with IPv6
BRKSPG-2602 38
Source: http://seclists.org/nanog/2016/Jun/809
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
1. Dual-StackHappy Eyeballs Implementations
• Google Chrome and Mozilla Firefox: Yes
• Utilizes long-established 250-300ms ‘backup’ thread
• Follows getaddrinfo() address preference
• Apple Safari, iOS*, OSX* : Yes
• DNS AAAA sent before A query on the wire
• If AAAA reply comes first, then v6 SYN sent immediately
• If A reply comes before 25ms of AAA reply, then v4 SYN sent
• Else, Heuristics based Address selection algorithm is applied
• Microsoft Windows OS and Internet Explorer : NO
• Not even something like happy eyeballs
• Cisco WebEx : Yes
• Cisco AnyConnect: No
RFC6555 Compliant
* http://lists.apple.com/archives/Ipv6-dev/2011/Jul/msg00009.html
* https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html
BRKSPG-2602 39
• Goal of Transition Technologies
• Overview of Transition Technologies
• Single-Stack IPv4 – Obtain more IPv4
• Dual Stack – Impact ( & Happy Eyeballs)
• IPv4 Address Sharing - Impact
• Single-Stack IPv4 – CGN 44, 6rd
• Single-Stack IPv6 – DS-Lite, MAP
• Single-Stack IPv6 – CGN 64
• Conclusion
Agenda
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv4 Address Sharing.
This is
where
we are:
Mostly
IPv4 &
Address
Run-out
Dual
Stack
MAP
CGN
BRKSPG-2602 42
1. CGN = Carrier Grade NAT - Stateful
2. Modified to support DS-Lite
CGN
44
+
Dual
Stack
CGN
*
+
DS-
Lite
CGN
64
+
Single
-Stack
6rd
CGN
44
+
6rd
(Dual-
Stack)
This is
where
we
have to
be:
Mostly
IPv6;
Dual
Stack
Obtain More IPv4 Addresses
IPv4
IPv6
Share IPv4 Addresses
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Image source: Jason Fesler, Yahoo!
BRKSPG-2602 43
IPv4 Address Sharing :Watch out for your Reputation
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
IP Address Sharing: Watch out for IP Reputation (1/2)
• Reputation based on IPv4 address• Shared IP address = shared suffering
• Workaround: Distinguish subscribers (sharing IP address, or not sharing)• draft-ietf-intarea-nat-reveal-analysis
• draft-wing-nat-reveal-option
• Server logs currently only contain IPv4 address• Servers logs need to include source port number, recommended by RFC6302
• Best Solution – have users and content providers use IPv6!
BRKSPG-2602 44
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
IP Address Sharing: Watch out for IP Reputation (2/2)
• Affects NATs, as everyone knows• NAT44 (CGN44): a big NAT operated by an ISP (“carrier”), enterprise, or University
• NAT444 (subscriber’s NAT44 + ISP’s CGN44)
• NAT64 (CGN64)
• DS-Lite (called “AFTR” = Modified CGN44)
• Also affects non-CGN architectures!• MAP (Mapped Address and Port)
• Conceptually, a CGN with (some) fixed ports
• Address + Port, SD-NAT, Deterministic NAT
BRKSPG-2602 45
• Goal of Transition Technologies
• Overview of Transition Technologies
• Single-Stack IPv4 – Obtain more IPv4
• Dual Stack – Impact ( & Happy Eyeballs)
• IPv4 Address Sharing - Impact
• Single-Stack IPv4 – CGN 44, 6rd
• Single-Stack IPv6 – DS-Lite, MAP
• Single-Stack IPv6 – CGN 64
• Conclusion
Agenda
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Carrier Grade NAT (CGN).
This is
where
we are:
Mostly
IPv4 &
Address
Run-out
Dual
Stack
MAP
BRKSPG-2602 47
1. CGN = Carrier Grade NAT - Stateful
2. Modified to support DS-Lite
CGN
44
+
Dual
Stack
CGN
*
+
DS-
Lite
CGN
64
+
Single
-Stack
6rd
CGN
44
+
6rd
(Dual-
Stack)
This is
where
we
have to
be:
Mostly
IPv6;
Dual
Stack
Obtain More IPv4 Addresses
IPv4
IPv6
Share IPv4 Addresses
CGN
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
CGN
• Carrier Grade Network Address Translation
• Address and Port Translator (NAPT), really
• Like the common residential NAT (Linksys, etc.)
• Using RFC5389 terminology: Mapping independent non filtering (EIM and EIF)
• Bigger (e.g. large scale)
• Port Logging (e.g. syslog, netflow v9)
• Per-user port limit
• Shared IPv4 space : 100.64.0.0/10 instead of private IPv4 space is an option
BRKSPG-2602 48
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
CGNPrivate IPv4 Moves into SP
Stateful NAT function
inside SP network
Supported on ASR9K,
ASR1K, FirePower, CRS
BRKSPG-2602 49
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
CGN
• Nicknamed NAT444 = NAT44 in home, NAT44 in ISP
• Advantages:
1. Very well known technology
2. No dependency on CPE router
• Disadvantages:
1. Logging
2. Port Forwarding
3. Certain Applications may NOT sufficiently work e.g. RFC7021
4. ALG, Logging
5. Network/Routing Design Headache
6. IPv4 address sharing efficiency
7. Any application hardcoding a specific port# may not work without UPnPv2+PCP
See BRKSPG-3334 from CiscoLive2014 for more details
Supported on ASR9K,
ASR1K, FirePower,CRS
BRKSPG-2602 50
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 51BRKSPG-2602
CGNALG, Logging
This is
where
we are:
Mostly
IPv4 &
Address
Run-out
Dual
Stack
MAP
CGN
1. CGN = Carrier Grade NAT - Stateful
2. Modified to support DS-Lite
6rd
This is
where
we
have to
be:
Mostly
IPv6;
Dual
Stack
Obtain More IPv4 Addresses
IPv4
IPv6
ALG, Logging etc. issues
applicable to all these
solutions relying on CGN
Share IPv4 Addresses
CGN
44
+
Dual
Stack
CGN
44
+
DS-
Lite
CGN
64
+
Single
-Stack
CGN
44
+
6rd
(Dual-
Stack)
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
CGNApplication Layer Gateway (ALG)
• ALG = Application awareness inside the NAT:
• modify IP addresses and ports in application payload
• creates NAT mapping
• Each application requires a separate ALG
• FTP, SIP, RTSP, RealAudio, …
• ALG needs to understand application nuances
• ALG requires:
• Un-encrypted signaling (!!)
• Restricted network topology
• Summary: ALG prevents application evolution and introduces bugs
BRKSPG-2602 52
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
CGNModern Applications Avoid Relying on ALG
• Successful applications have to work everywhere• Coffee shop, home, work, hotel,
airport, 3G
• FTP Passive Mode
• ICE (RFC5245) and STUN (RFC5389)• Intelligence in endpoint
• Useful for offer/answer protocols (SIP, XMPP)
• RTSPv1 abandoned on the desktop• effectively replaced with Flash over HTTP, and
soon HTML5
• RTSPv2 has ICE-like solution
• Skype does its own NAT traversal
• Linksys disabled SIP ALGs around 2006• Because of bugs and incompatibilities with SIP
endpoints
Reference
BRKSPG-2602 53
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Debugging / Troubleshooting Problems
•SIP from vendor X works, but vendor Y breaks:1. Vendor Y violated standard?
2. Vendor X has special sauce??
3. ALG is broken???
• Delays
•Months for vendor turn-around for patches
•Months for SP testing/qualification/upgrade window
• ALG can break competitor’s over-the-top application (e.g., SIP, streaming video)
•Regulators frown on interference
Meanwhile:
unhappy
users
CGNALG related Operational Issues
See BRKSPG-3334 from CiscoLive2014 for more details
BRKSPG-2602 54
Reference
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
CGNLogging Source Port Ranges
• Stateful NAT requires logging (NAT44, NAT64, DS-Lite…)
• NAT mappings are temporary (similar to DHCP addresses)
• Logging each NAT mapping creates large logs!
• Bulk port allocation (BPA) reduces logging, at the expense of reduced efficiency of IPv4 address sharing
• Bulk size of N ports, logs reduced by 1/N
• Acceptable compromise !!!
• Recommended
Supported on ASR9K,
ASR1K, CRS
BRKSPG-2602 55
See BRKSPG-3334 from CiscoLive2014 for more details
Reference
42.5TB over 60 days for
200K subscribers, 72K
flows/second
(each syslog comprised
private source IP:port,
public source IP:port,
protocol, and timestamp,
resulting in ~100B in
ASCII). See note below.
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Carrier Grade NATLogging Destination
• Server Log combined with CGN log identifies subscribers• Timestamp (new)
• Source IP address, source port (new), destination IP address, destination port
• RFC6302
• Some servers don’t enable source port logging, or don’t have good timestamp• Note that majority support logging source port, but don’t do so by default, see
RFC7768 and draft-daveor-cgn-logging
• Tempting to log destination IP (and port) at CGN• Consider privacy and legal issues
• Incompatible with bulk port allocation, increases logging costs
• Not recommended
BRKSPG-2602 56
See BRKSPG-3334 from CiscoLive2014 for more details
Supported on ASR9K,
ASR1K, CRS
Reference
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
CGN – Common Sane Practices
• Use Bulk Port Allocation
• Limit number of users sharing an IPv4 address as much as possible*
• Monitor KPIs e.g. # of outbound SSH connections with a threshold
• Log NAT connections
•
57BRKSPG-2602
* Tricky because you would want higher sharing ratio, given IPv4 shortage
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 58BRKSPG-2602
DS-Lite
This is
where
we are:
Mostly
IPv4 &
Address
Run-out
Dual
Stack
MAP
CGN
44
+
Dual
Stack
CGN
64
+
Single
-Stack
6rd
CGN
44
+
6rd
(Dual-
Stack)
This is
where
we
have to
be:
Mostly
IPv6;
Dual
Stack
Obtain More IPv4 Addresses
IPv4
IPv6
Note: DS-Lite requires CGN
CGN
Share IPv4 Addresses
CGN
44
+
DS-
Lite
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
DS-Lite IPv4 over IPv6 Access
Stateful NAT 44
function (on routers)
inside SP network
IPv4-over-IPv6
tunnels
Supported on ASR9K,
ASR1K, CRS
59
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
DS-Lite
• Requires IPv6 access network
• Tunnels subscriber IPv4 traffic to a CGN device
• Uses Carrier-Grade NAT (CGN)
• Requires CPE router support
• RFC6333
• MTU – Watch out !!
BRKSPG-2602 60
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Advantages:
• Leverages IPv6 in the network
• Disadvantages:
• Dependency on CPE router
• NAT disabled on CPE router
• Content Caching function may break
• DPI function may break
• QoS function may break
• All disadvantages of CGN also apply
DS-Lite
BRKSPG-2602 61
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
6rd and 6rd with CGN
IPv4
Address
Run-Out
Dual
StackDual
Stack
Lite
Obtain IPv4 Addresses
MAP
CGN
IPv4
IPv66rd
6rd
+
CGN
IPv4 Address Sharing
Reference
BRKSPG-2602 62
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
6rd - IPv6 over (Public) IPv4
IPv6 Moves out to Subscribers
IPv6-over-IPv4 tunnels
Stateless Tunneling function
(on routers) inside SP
network
Native Dual-Stack at Home
Supported on ASR9K,
ASR1K, CRS
Reference
BRKSPG-2602 63
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
6rd + CGN = IPv6 over (Private) IPv4
IPv6 Moves out to Subscribers
Private IPv4 move into SP*IPv6-over-IPv4 tunnels
Stateless Tunneling function
(on routers)
Stateful NAT function (on
routers) inside SP network*
* Assuming RFC1918 usage
Supported on ASR9K,
ASR1K, CRS
Reference
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 66BRKSPG-2602
MAP (Mapping of Address and Port)
This is
where
we are:
Mostly
IPv4 &
Address
Run-out
Dual
Stack
CGNCGN
44
+
Dual
Stack
CGN
*
+
DS-
Lite
CGN
64
+
Single
-Stack
6rd
CGN
44
+
6rd
(Dual-
Stack)
This is
where
we
have to
be:
Mostly
IPv6;
Dual
Stack
Obtain More IPv4 Addresses
IPv4
IPv6
See BRKSPG-3820 from CiscoLive2014 for more details
MAP
Share IPv4 Addresses
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
MAP (Mapping of Address and Port)
• Allows sharing of IPv4 address across an IPv6 WAN network
• Each CPE gets a shared IPv4 address with a unique TCP/UDP port-range via “rules”
• All or part of IPv4 address can be derived from the assigned IPv6 prefix (allows for route summarization)
• Need to allocate UDP/TCP port range(s) to each CPE
• Stateless Border Relays in SP network
• Can be implemented in hardware (superior performance)
• Can use anycast, can have asymmetric routing
• No single point of failure, no need for high availability hardware
Supported on ASR9K,
ASR1K,
BRKSPG-2602 67
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 68BRKSPG-2602
MAP-E : Stateless 464 Encapsulation
IPv4-over-IPv6
Stateless Tunneling function (on
routers)
- No Stateful CGN-
Supported on ASR9K,
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 69BRKSPG-2602
MAP-T : Stateless 464 Translation
Stateless 64 translation function
(on routers)
- No Stateful CGN -
Native IPv6
Supported on ASR9K,
ASR1K
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
MAP
• MAP has two flavors (both standardized):
• MAP-T : RFC7599
• MAP-E : RFC7597
• Advantages:
• Leverages IPv6 in the network
• No CGN inside SP network
• No need for NAT Logging (DHCP logging as usual)
• No need for ALGs
• No need for Stateful NAT64/DNS64
• Disadvantages:
• Dependency on CPE router
• Any application hardcoding any port# might not work without UPnPv2 support
BRKSPG-2602 70
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
MAP Addressing Toolhttp://map46.cisco.com/
• Goal of Transition Technologies
• Overview of Transition Technologies
• Single-Stack IPv4 – Obtain more IPv4
• Dual Stack – Impact ( & Happy Eyeballs)
• IPv4 Address Sharing - Impact
• Single-Stack IPv4 – CGN 44, 6rd
• Single-Stack IPv6 – DS-Lite, MAP
• Single-Stack IPv6 – CGN 64
• Conclusion
Agenda
Try V6-only WiFi:
SSID: CL-NAT64
WPA2-PSK: cl-nat64
5GHz only
While Client-side apps (mobile or desktop) got IPv6-only support, Server-side still need to catch up…
e.g. Apple FaceTime, iMessage, iCloud, etc.
Hence, the short-
term need for
NAT64…
IPv4 Reachability
bash-3.2$ ping www.apple.com
PING e6858.dsce9.akamaiedge.net (104.112.153.131): 56 data bytes
64 bytes from 104.112.153.131: icmp_seq=0 ttl=57 time=32.063 ms
^C
bash-3.2$
bash-3.2$ ping init.ess.apple.com
PING a239.da1.akamai.net (23.205.120.82): 56 data bytes
64 bytes from 23.205.120.82: icmp_seq=0 ttl=60 time=21.653 ms
^C
bash-3.2$
bash-3.2$ ping www.icloud.com
PING e4478.a.akamaiedge.net (23.206.217.193): 56 data bytes
64 bytes from 23.206.217.193: icmp_seq=0 ttl=55 time=33.031 ms
bash-3.2$ ping configuration.apple.com
PING e5153.e9.akamaiedge.net (104.113.5.216): 56 data bytes
64 bytes from 104.113.5.216: icmp_seq=0 ttl=57 time=37.035 ms
^C
bash-3.2
IPv6 Reachability
bash-3.2$ ping6 www.apple.com
PING6(56=40+8+8 bytes) 2601:2c7:4000:<removed> --> 2001:559:19:1286::1aca
16 bytes from 2001:559:19:1286::1aca, icmp_seq=0 hlim=61 time=11.470 ms
^C
bash-3.2$
bash-3.2$ ping6 init.ess.apple.com
ping6: getaddrinfo -- nodename nor servname provided, or not known
bash-3.2$
bash-3.2$ ping6 www.icloud.com
ping6: getaddrinfo -- nodename nor servname provided, or not known
bash-3.2$
bash-3.2$ ping6 configuration.apple.com
ping6: getaddrinfo -- nodename nor servname provided, or not known
bash-3.2$
As of June 26th, 2017
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv6-Only Networks with CGN 64.
This is
where
we are:
Mostly
IPv4 &
Address
Run-out
Dual
Stack
MAP
BRKSPG-2602 76
1. CGN = Carrier Grade NAT - Stateful
2. Modified to support DS-Lite
CGN
44
+
Dual
Stack
CGN
*
+
DS-
Lite
6rd
CGN
44
+
6rd
(Dual-
Stack)
This is
where
we
have to
be:
Mostly
IPv6;
Dual
Stack
Obtain More IPv4 Addresses
IPv4
IPv6
CGN
Share IPv4 Addresses
CGN
64
+
Single
-Stack
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv6-Only Networks with CGN 64
Stateless or Stateful NAT64
function (on routers)
Supported on ASR9K,
ASR1K, CRS
BRKSPG-2602 77
IPv6-only devices
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
NAT64
LSN64
NAT
NAT64
LSN64
NATNAT
NAT64 – Stateful
IPv6
IPv6
Endpoint
2001:db8:abcd:2::1
2001:DB8:ABCD::/64
announced in
IPv6 Routing domain
(203.0/24)
announced in
IPv4 Routing domain• NAT keeps binding state between inner IPv6 address and outer IPv4+port
• DNS64 needed
•Application dependent/ALGs may be required
2001:db8:abcd:2::1
IPv6 Header
Src Addr
DestAddr 2001:DB8:ABCD:<92.0.2.1>
IPv4
Endpoint
92.0.2.1
203.0.113.1
IPv4 Header
Src
Addr
Dest
Addr92.0.2.1
Host can be
assigned with any
IPv6 address (no
particular format)
Stateful
Supported on ASR9K,
ASR1K, CRS
BRKSPG-2602 79
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
NAT64
LSN64
NAT
NAT64
LSN64
NATNAT
NAT64 – Stateless
IPv6
IPv6
Endpoint
2001:db8:<203.0.114.1>::
2001:DB8:ABCD::/64
announced in
IPv6 Routing domain
(203.0/24)
announced in
IPv4 Routing domain• No NAT binding state; IPv6 <-> IPv4
mapping computed algorithmically
• DNS64 needed
• Application dependent ALGs might be required
2001:db8:<203.0.114.1>::
IPv6 Header
Src Addr
DestAddr 2001:DB8::<92.0.2.1>::
IPv4
Endpoint
92.0.2.1
203.0.114.1
IPv4 Header
Src
Addr
Dest
Addr92.0.2.1
Host must be
assigned an “IPv4
Translatable” IPv6
address
Stateless
Supported on ASR9K,
ASR1K, CRS
BRKSPG-2602 80
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
NAT64 – Stateful vs. Stateless
Stateless
• 1:1 translation
• “NAT”
• Any protocol
• No IPv4 address savings• Just like dual-stack
• MAP however does save IPv4 addresses by combining NAT46 with NAT44
Stateful
• 1:N translation
• “NAPT”
• TCP, UDP, ICMP
• Shares IPv4 addresses
Note : IPv6-only DC using Stateless 64 : RFC7755
BRKSPG-2602 81
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
NAT64 DNS64 is important• NAT64 translator is useful only if the traffic can come to it
• IP addresses of IPv6 packets must be formulated accordingly
• DNS64 provides conversion of an IPv4 address into an IPv6 address
• AAAA record is made up from A record (only if upstream AAAA not present) using IPv6 prefix of NAT64 translator (e.g. 2001:DB8:ABCD::)
Internet
AAAA?IPv6-only
Endpoint AAAA?
Empty answer
A?
92.0.2.12001:DB8:ABCD::92.0.2.1
(sent simultaneously)
DNS64 NAT64
BRKSPG-2602 82
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
DNS64 – Watch out
• Works for applications that do DNS queries
•http://www.example.com
•IMAP, connecting to XMPP servers, etc.
• Works with DNSSEC (note [1])
• Doesn’t work for applications that don’t do DNS queries or use IP address literals
• http://1.2.3.4
• SIP, RTSP, H.323, XMPP peer to peer, etc.
• Doesn’t work well if Application-level proxy for IP address literals (HTTP proxy) is used
• Learn NAT64’s prefix, RFC 7050
• NAT46/BIH (Bump In the Host), RFC6535
• 464XLAT (RFC6877)
BRKSPG-2602 83
[1] https://blog.apnic.net/2016/06/09/lets-talk-ipv6-dns64-dnssec/
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv6-only
Network
464XLAT = Stateless + Stateful Better Together RFC6877
• Some applications may break with IPv6-only (and NAT64)
• Skype, among other interesting applications (more listed here*)
• 464 translation helps most of those IPv4-only applications
• Endpoint does “Stateless NAT46”, network does “Stateful NAT64” only for IPv4 traffic
• 464 supported _only_ by Android OS;
• Benefit: Network can Provide IPv6-only connectivity to Endpoints without worrying about any IPv4-only apps
Stateful
NAT64IPv4 Internet
Endpoint
BRKSPG-2602 84
* http://tinyurl.com/nat64-breakage
Stateless
NAT46
IPv6 Internet
Note: The
usefulness of
XLAT may
continue to
subside, given
apple mandate for
apps to work with
IPv6-only since
2016, as well as
Cloud Providers
enabling IPv6-only
support
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv6Internet
IPv4Internet
IPv4Network
IPv6Network
IPv4Network
IPv6Internet
IPv4Internet
IPv6Network
IPv4Network
IPv6Network
IPv4Network
IPv6Network
1.
2.
3.
4.
5.
6.
stateful stateless
Needed (a) if IPv6-only content existed, or (b) IPv4-only LAN with IPv6-only WAN *
NAT64 Scenarios
Covered in this
presentation
Covered in
BRKSPG-
2602 from
2014**
BRKSPG-2602 85
* Verizon stops giving out static IPv4 WAN address(es) in 2017
• Goal of Transition Technologies
• Overview of Transition Technologies
• Single-Stack IPv4 – Obtain more IPv4
• Dual Stack – Impact ( & Happy Eyeballs)
• IPv4 Address Sharing - Impact
• Single-Stack IPv4 – CGN 44, 6rd
• Single-Stack IPv6 – DS-Lite, MAP
• Single-Stack IPv6 – CGN 64
• Conclusion
Agenda
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
ConclusionWhatever you do …. Drive Carefully…
BRKSPG-2602 92
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How
cs.co/ciscolivebot#BRKSPG-2602
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Complete Your Online Session Evaluation
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
95BRKSPG-2602
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
More IPv6 sessions this week at CiscoLive
• BRKSEC-3200 - Advanced IPv6 Security Threats and Mitigation – 30 Jan. 14:15
• BRKIP6-2616 - Beyond Dual-Stack: Using IPv6 like you’ve never imagined – 30 Jan. 16:45
• BRKRST-3304 - Hitchhiker's Guide to Troubleshooting IPv6 - Advanced – 31 Jan. 9:00
• BRKSPG-2602 - IPv4 Exhaustion: NAT and Transition to IPv6 for SPs – 31 Jan. 9:00
• BRKIP6-2301 - Enterprise IPv6 Deployment – 31 Jan. 11:30
• LABSPG-3122 - Advanced IPv6 Routing and services lab – 31 Jan 14:00 & 1 Feb. 14:00
• BRKCOL-2020 - IPv6 in Enterprise Unified Communications Networks – 31 Jan. 16:30
• BRKCOC-2388 - Inside Cisco IT: A Tale of Two Protocols – 2 Feb. 9:00
• BRKIP6-2002 - IPv6 for the World of IoT – 2 Feb. 11:30
BRKSPG-2602
Try V6-only WiFi:
SSID: CL-NAT64
WPA2-PSK: cl-nat64
5GHz only