ipv4 exhaustion: nat and transition to ipv6 · cisco public 22 towards ipv6 …with or without ipv4...

IPv4 Exhaustion:NAT and Transition to IPv6 for Service Providers

Rajiv Asati, Distinguished Engineer, Cisco

BRKSPG-2602

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#BRKSPG-2602

Hmmm……..CGNAT issue or something else ?


IPv4 – ClassicBut spare parts have run out

5BRKSPG-2602


IPv6 – Next Gen Getting to full parity and end-end use takes time

6BRKSPG-2602

Caution:

New road

may be

needed


Transition TechnologiesDriving your classic IPv4 (or next gen IPv6) around

7BRKSPG-2602


Abstract

• Any service provider that has exhausted its IPv4 address pool, will not only have to deploy/offer IPv6, but also employ IPv4 sharing. This is because chunk of content may be reachable only via IPv4 internet, even though majority is available via IPv6 internet.

• This session discusses few mechanisms such as MAP-T/E, 464XLAT, DS-Lite and CGN 64/44 etc. that facilitate IPv4 sharing with and without IPv6. It contrasts stateful and stateless translation techniques as well.

• 6rd is included for reference as well.

• This session is intended for Service Providers.

8BRKSPG-2602

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 9BRKSPG-2602

IPv6 Adoption Continues to increase…

Source: https://www.akamai.com/ Source: https://www.google.com/

• Goal of Transition Technologies

• Overview of Transition Technologies

• Single-Stack

• Dual Stack – Impact ( & Happy Eyeballs)

• IPv4 Address Sharing - Impact

• CGN 44, DS-Lite, 6rd, MAP

• CGN 64 for IPv6-only

• Conclusion

Agenda


Recommended Approach for IPv6

• Dual-Stack to the hosts *

• Hosts: Windows, OSX, iOS, Android, Linux etc.

• Routers: IOS, XR, NXOS etc.

Dual-Stack Deployment (per IETF RFC 4213)

IPv4+IPv6 Hosts (Dual Stack)

IPv4+IPv6

Network

BRKSPG-2602 12

* RFC7755 now suggests Single-stack IPv6 for DC

IPv4 and/or IPv6 Destinations






Dual-Stack Deployment (per IETF RFC 4213), since 2005

Source – Desktop Operating System, Netmarketshare, Jan’14-Dec’16

BRKSPG-2602 13

Source – Mobile Operating System, Statistica, Jan 2017

~90% of Desktop hosts

and ~99% of Mobile hosts

support Dual-Stack






• But note…

• IPv4 exhaustion is underway• Every host can NOT be assigned a public IPv4 address

• Two protocol stacks to be managed in network

Dual-Stack Deployment (per IETF RFC 4213)

IPv4+IPv6 Hosts (Dual Stack)

IPv4+IPv6

Network

BRKSPG-2602 14

* RFC7755 now suggests Single-stack IPv6 for DC

IPv4 and/or IPv6 Destinations


IPv4 Address Depletion Causes Impact differently

• The ISP Impact:

• Lack of IPv4 addresses for users

• Harder to grow the business

• The User Impact (explicit or implicit):

• IP reputation (more on this later)• IPv4 address sharing

• Breaks applications

• Complicates operating servers

• Limits UDP/TCP ports per user

• IPv6 enabled services are catching up

BRKSPG-2602 15


Transition Technologies

• How do we migrate from IPv4 to IPv6?

• Short term1: can’t enable IPv6 immediately, need more IPv4 (or share IPv4)

• Short term2: enable IPv6 immediately, need more IPv4 (or share IPv4)

• Long term: simple network, single protocol – IPv6

• What does this really mean?

• IPv6 to co-exist with IPv4

• IPv4 address sharing to become wide-spread

• IPv6 to interoperate with IPv4

17BRKSPG-2602

Transition technologies pave the way to move from

IPv4 to IPv6



• Single-Stack




• CGN 64 for IPv6-only

• Conclusion

Agenda


?

19BRKSPG-2602

Towards IPv6 …with or without IPv4Transition Technologies in One Slide

This is

where

we are:

Mostly

IPv4 &

Address

Run-out

1. CGN = Carrier Grade NAT - Stateful

2. Modified to support DS-Lite

This is

where

we

have to

be:

Mostly

IPv6;


?Obtain More IPv4 Addresses

20BRKSPG-2602


This is

where

we are:

Mostly

IPv4 &

Address

Run-out

IPv4

IPv6

Dual

Stack

MAP

CGN

Share IPv4 Addresses



CGN

44

+

Dual

Stack

CGN

44*

+

DS-

Lite

CGN

64

+

Single

-Stack

6rd

CGN

44

+

6rd

(Dual-

Stack)

This is

where

we

have to

be:

Mostly

IPv6;

Dual

Stack



OptionsCPE LAN

IPv4 or IPv6

CPE WAN

IPv4 or IPv6

Tunnel or

Translate?

In-network

“State”?

Arbitrary IP

addressing of

CPE?

Extra CPE

features?

0 Single-Stack IPv4 IPv4 -NA- -NA- Yes No

1 Dual-Stack IPv4 + IPv6 IPv4+IPv6 -NA- -NA- Yes No**

2 Single-Stack IPv4 IPv4 Translate Yes (CGN44) Yes No

3 Dual-Stack IPv4 + IPv6 IPv4+IPv6 Translate Yes (CGN44) Yes No**

4 DS-Lite IPv4 + IPv6 IPv6 Both Yes (CGN44) Yes Yes

5 6rd IPv4 + IPv6 IPv4 Tunnel No No Yes

6 6rd + CGN IPv4 + IPv6 IPv4 Both Yes (CGN44) No Yes

7 MAP IPv4 + IPv6 IPv6 Either No Yes* Yes

8 Single-Stack IPv6 IPv6 Translate Yes (CGN64) Yes Yes|No

* Allows both arbitrary and algorithmic mapping

** Changes needed if IPv6 is not supported by existing CPE



• Single-Stack IPv4 – Obtain more IPv4



• Single-Stack IPv4 – CGN 44, 6rd

• Single-Stack IPv6 – DS-Lite, MAP

• Single-Stack IPv6 – CGN 64

• Conclusion

Agenda


0. Obtain IPv4 AddressesHost/CPE gets just IPv4 prefixes

This is

where

we are:

Mostly

IPv4 &

Address

Run-out

Dual

Stack

MAP

CGN


BRKSPG-2602 24

CGN

44

+

Dual

Stack

CGN

*

+

DS-

Lite

CGN

64

+

Single

-Stack

6rd

CGN

44

+

6rd

(Dual-

Stack)

This is

where

we

have to

be:

Mostly

IPv6;

Obtain More IPv4 Addresses

IPv4


0. Obtain IPv4 Addresses

• Obtain IPv4 addresses from Regional Internet Registry (RIRs) or open market

• RIR: May Not have any left.

• Open market: USD $10-$15 per IPv4 address

• IPv6, well, is optional

• ADVANTAGES:

• No CGN, no address sharing, no operational changes

• No need to press for IPv6 deployment

• DISADVANTAGES :

• If business growing, delaying the inevitable

• Geo-location needs to be updated (mileage varies)

• No IPv6 deployed

• Reputation might be bad

BRKSPG-2602 25







• Single-Stack IPv6 & CGN 64

• Conclusion

Agenda


1. Dual-StackHost/CPE gets both IPv4 and IPv6 prefixes

This is

where

we are:

Mostly

IPv4 &

Address

Run-out

Dual

Stack

MAP

CGN


BRKSPG-2602 27



CGN

44

+

Dual

Stack

CGN

*

+

DS-

Lite

CGN

64

+

Single

-Stack

6rd

CGN

44

+

6rd

(Dual-

Stack)

This is

where

we

have to

be:

Mostly

IPv6;


IPv4

IPv6

Dual

Stack


1. Dual StackThe Reality

• Reality: More and more IPv4 address sharing (NAT, MAP)

• Covered in co-existence section later on.

• Hosts should prefer IPv6 to IPv4

• Generally necessary

• Without this preference, IPv4 would persist until IPv4 is turned off

• But what if IPv6 is broken? Overloaded???

• IPv6 peering is down ...

• Tunnel is down ...

• (Microsoft IPv6 NCSI is down....)

IPv6 Road

BRKSPG-2602 29


1. Dual StackDo I use IPv6 or IPv4 ?

• Dual-stack client connecting to dual-stack server

• IPv6 is preferred by default (RFC6724)

• If IPv6 is slower, then users blame IPv6 and may disable IPv6!

• IPv6 better not be slower than IPv4

• Who can guarantee that !

• What if IPv6 is broken altogether?

• What if IPv6 is broken to few websites?

BRKSPG-2602 30


1. Dual StackProblem: IPv6 is Broken or slower to a certain website !

BRKSPG-2602 31

Unhappy

user


1. Dual StackSolution – Happy Eyeballs (RFC6555)

BRKSPG-2602 32

Note: Slight Preference is given to IPv6 connection


1. Dual StackSolution – Happy Eyeballs Optimization (RFC6555/ RFC8305)

BRKSPG-2602 33



BRKSPG-2602 34



BRKSPG-2602 35



BRKSPG-2602 36



BRKSPG-2602 37

Happy

user


1. Dual-StackHappy Eyeballs (RFC6555 and RFC8305)

• Users are happy

• Aimed initially at web browsing

• Web browsing is the most common application

• Fast response even if IPv6 (or IPv4) path is down

• Network administrators are happy

• Users no longer trying to disable IPv6

• Reduces IPv4 usage (reduces load on CGN)

• Content providers are happy

• Improved geolocation and DoS visibility with IPv6

BRKSPG-2602 38

Source: http://seclists.org/nanog/2016/Jun/809


1. Dual-StackHappy Eyeballs Implementations

• Google Chrome and Mozilla Firefox: Yes

• Utilizes long-established 250-300ms ‘backup’ thread

• Follows getaddrinfo() address preference

• Apple Safari, iOS*, OSX* : Yes

• DNS AAAA sent before A query on the wire

• If AAAA reply comes first, then v6 SYN sent immediately

• If A reply comes before 25ms of AAA reply, then v4 SYN sent

• Else, Heuristics based Address selection algorithm is applied

• Microsoft Windows OS and Internet Explorer : NO

• Not even something like happy eyeballs

• Cisco WebEx : Yes

• Cisco AnyConnect: No

RFC6555 Compliant

* http://lists.apple.com/archives/Ipv6-dev/2011/Jul/msg00009.html

* https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html

BRKSPG-2602 39

http://lists.apple.com/archives/Ipv6-dev/2011/Jul/msg00009.html

https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html









• Conclusion

Agenda


IPv4 Address Sharing.

This is

where

we are:

Mostly

IPv4 &

Address

Run-out

Dual

Stack

MAP

CGN

BRKSPG-2602 42



CGN

44

+

Dual

Stack

CGN

*

+

DS-

Lite

CGN

64

+

Single

-Stack

6rd

CGN

44

+

6rd

(Dual-

Stack)

This is

where

we

have to

be:

Mostly

IPv6;

Dual

Stack


IPv4

IPv6



Image source: Jason Fesler, Yahoo!

BRKSPG-2602 43

IPv4 Address Sharing :Watch out for your Reputation


IP Address Sharing: Watch out for IP Reputation (1/2)

• Reputation based on IPv4 address• Shared IP address = shared suffering

• Workaround: Distinguish subscribers (sharing IP address, or not sharing)• draft-ietf-intarea-nat-reveal-analysis

• draft-wing-nat-reveal-option

• Server logs currently only contain IPv4 address• Servers logs need to include source port number, recommended by RFC6302

• Best Solution – have users and content providers use IPv6!

BRKSPG-2602 44


IP Address Sharing: Watch out for IP Reputation (2/2)

• Affects NATs, as everyone knows• NAT44 (CGN44): a big NAT operated by an ISP (“carrier”), enterprise, or University

• NAT444 (subscriber’s NAT44 + ISP’s CGN44)

• NAT64 (CGN64)

• DS-Lite (called “AFTR” = Modified CGN44)

• Also affects non-CGN architectures!• MAP (Mapped Address and Port)

• Conceptually, a CGN with (some) fixed ports

• Address + Port, SD-NAT, Deterministic NAT

BRKSPG-2602 45









• Conclusion

Agenda


Carrier Grade NAT (CGN).

This is

where

we are:

Mostly

IPv4 &

Address

Run-out

Dual

Stack

MAP

BRKSPG-2602 47



CGN

44

+

Dual

Stack

CGN

*

+

DS-

Lite

CGN

64

+

Single

-Stack

6rd

CGN

44

+

6rd

(Dual-

Stack)

This is

where

we

have to

be:

Mostly

IPv6;

Dual

Stack


IPv4

IPv6


CGN


CGN

• Carrier Grade Network Address Translation

• Address and Port Translator (NAPT), really

• Like the common residential NAT (Linksys, etc.)

• Using RFC5389 terminology: Mapping independent non filtering (EIM and EIF)

• Bigger (e.g. large scale)

• Port Logging (e.g. syslog, netflow v9)

• Per-user port limit

• Shared IPv4 space : 100.64.0.0/10 instead of private IPv4 space is an option

BRKSPG-2602 48


CGNPrivate IPv4 Moves into SP

Stateful NAT function

inside SP network

Supported on ASR9K,

ASR1K, FirePower, CRS

BRKSPG-2602 49


CGN

• Nicknamed NAT444 = NAT44 in home, NAT44 in ISP

• Advantages:

1. Very well known technology

2. No dependency on CPE router

• Disadvantages:

1. Logging

2. Port Forwarding

3. Certain Applications may NOT sufficiently work e.g. RFC7021

4. ALG, Logging

5. Network/Routing Design Headache

6. IPv4 address sharing efficiency

7. Any application hardcoding a specific port# may not work without UPnPv2+PCP

See BRKSPG-3334 from CiscoLive2014 for more details

Supported on ASR9K,

ASR1K, FirePower,CRS

BRKSPG-2602 50


CGNALG, Logging

This is

where

we are:

Mostly

IPv4 &

Address

Run-out

Dual

Stack

MAP

CGN



6rd

This is

where

we

have to

be:

Mostly

IPv6;

Dual

Stack


IPv4

IPv6

ALG, Logging etc. issues

applicable to all these

solutions relying on CGN


CGN

44

+

Dual

Stack

CGN

44

+

DS-

Lite

CGN

64

+

Single

-Stack

CGN

44

+

6rd

(Dual-

Stack)


CGNApplication Layer Gateway (ALG)

• ALG = Application awareness inside the NAT:

• modify IP addresses and ports in application payload

• creates NAT mapping

• Each application requires a separate ALG

• FTP, SIP, RTSP, RealAudio, …

• ALG needs to understand application nuances

• ALG requires:

• Un-encrypted signaling (!!)

• Restricted network topology

• Summary: ALG prevents application evolution and introduces bugs

BRKSPG-2602 52


CGNModern Applications Avoid Relying on ALG

• Successful applications have to work everywhere• Coffee shop, home, work, hotel,

airport, 3G

• FTP Passive Mode

• ICE (RFC5245) and STUN (RFC5389)• Intelligence in endpoint

• Useful for offer/answer protocols (SIP, XMPP)

• RTSPv1 abandoned on the desktop• effectively replaced with Flash over HTTP, and

soon HTML5

• RTSPv2 has ICE-like solution

• Skype does its own NAT traversal

• Linksys disabled SIP ALGs around 2006• Because of bugs and incompatibilities with SIP

endpoints

Reference

BRKSPG-2602 53


• Debugging / Troubleshooting Problems

•SIP from vendor X works, but vendor Y breaks:1. Vendor Y violated standard?

2. Vendor X has special sauce??

3. ALG is broken???

• Delays

•Months for vendor turn-around for patches

•Months for SP testing/qualification/upgrade window

• ALG can break competitor’s over-the-top application (e.g., SIP, streaming video)

•Regulators frown on interference

Meanwhile:

unhappy

users

CGNALG related Operational Issues


BRKSPG-2602 54

Reference


CGNLogging Source Port Ranges

• Stateful NAT requires logging (NAT44, NAT64, DS-Lite…)

• NAT mappings are temporary (similar to DHCP addresses)

• Logging each NAT mapping creates large logs!

• Bulk port allocation (BPA) reduces logging, at the expense of reduced efficiency of IPv4 address sharing

• Bulk size of N ports, logs reduced by 1/N

• Acceptable compromise !!!

• Recommended

Supported on ASR9K,

ASR1K, CRS

BRKSPG-2602 55


Reference

42.5TB over 60 days for

200K subscribers, 72K

flows/second

(each syslog comprised

private source IP:port,

public source IP:port,

protocol, and timestamp,

resulting in ~100B in

ASCII). See note below.


Carrier Grade NATLogging Destination

• Server Log combined with CGN log identifies subscribers• Timestamp (new)

• Source IP address, source port (new), destination IP address, destination port

• RFC6302

• Some servers don’t enable source port logging, or don’t have good timestamp• Note that majority support logging source port, but don’t do so by default, see

RFC7768 and draft-daveor-cgn-logging

• Tempting to log destination IP (and port) at CGN• Consider privacy and legal issues

• Incompatible with bulk port allocation, increases logging costs

• Not recommended

BRKSPG-2602 56


Supported on ASR9K,

ASR1K, CRS

Reference


CGN – Common Sane Practices

• Use Bulk Port Allocation

• Limit number of users sharing an IPv4 address as much as possible*

• Monitor KPIs e.g. # of outbound SSH connections with a threshold

• Log NAT connections

•

57BRKSPG-2602

* Tricky because you would want higher sharing ratio, given IPv4 shortage


DS-Lite

This is

where

we are:

Mostly

IPv4 &

Address

Run-out

Dual

Stack

MAP

CGN

44

+

Dual

Stack

CGN

64

+

Single

-Stack

6rd

CGN

44

+

6rd

(Dual-

Stack)

This is

where

we

have to

be:

Mostly

IPv6;

Dual

Stack


IPv4

IPv6

Note: DS-Lite requires CGN

CGN


CGN

44

+

DS-

Lite


DS-Lite IPv4 over IPv6 Access

Stateful NAT 44

function (on routers)

inside SP network

IPv4-over-IPv6

tunnels

Supported on ASR9K,

ASR1K, CRS

59


DS-Lite

• Requires IPv6 access network

• Tunnels subscriber IPv4 traffic to a CGN device

• Uses Carrier-Grade NAT (CGN)

• Requires CPE router support

• RFC6333

• MTU – Watch out !!

BRKSPG-2602 60


• Advantages:

• Leverages IPv6 in the network

• Disadvantages:

• Dependency on CPE router

• NAT disabled on CPE router

• Content Caching function may break

• DPI function may break

• QoS function may break

• All disadvantages of CGN also apply

DS-Lite

BRKSPG-2602 61


6rd and 6rd with CGN

IPv4

Address

Run-Out

Dual

StackDual

Stack

Lite

Obtain IPv4 Addresses

MAP

CGN

IPv4

IPv66rd

6rd

+

CGN

IPv4 Address Sharing

Reference

BRKSPG-2602 62


6rd - IPv6 over (Public) IPv4

IPv6 Moves out to Subscribers

IPv6-over-IPv4 tunnels

Stateless Tunneling function

(on routers) inside SP

network

Native Dual-Stack at Home

Supported on ASR9K,

ASR1K, CRS

Reference

BRKSPG-2602 63


6rd + CGN = IPv6 over (Private) IPv4

IPv6 Moves out to Subscribers

Private IPv4 move into SP*IPv6-over-IPv4 tunnels

Stateless Tunneling function

(on routers)

Stateful NAT function (on

routers) inside SP network*

* Assuming RFC1918 usage

Supported on ASR9K,

ASR1K, CRS

Reference


MAP (Mapping of Address and Port)

This is

where

we are:

Mostly

IPv4 &

Address

Run-out

Dual

Stack

CGNCGN

44

+

Dual

Stack

CGN

*

+

DS-

Lite

CGN

64

+

Single

-Stack

6rd

CGN

44

+

6rd

(Dual-

Stack)

This is

where

we

have to

be:

Mostly

IPv6;

Dual

Stack


IPv4

IPv6


MAP



MAP (Mapping of Address and Port)

• Allows sharing of IPv4 address across an IPv6 WAN network

• Each CPE gets a shared IPv4 address with a unique TCP/UDP port-range via “rules”

• All or part of IPv4 address can be derived from the assigned IPv6 prefix (allows for route summarization)

• Need to allocate UDP/TCP port range(s) to each CPE

• Stateless Border Relays in SP network

• Can be implemented in hardware (superior performance)

• Can use anycast, can have asymmetric routing

• No single point of failure, no need for high availability hardware

Supported on ASR9K,

ASR1K,

BRKSPG-2602 67


MAP-E : Stateless 464 Encapsulation

IPv4-over-IPv6

Stateless Tunneling function (on

routers)

- No Stateful CGN-

Supported on ASR9K,


MAP-T : Stateless 464 Translation

Stateless 64 translation function

(on routers)

- No Stateful CGN -

Native IPv6

Supported on ASR9K,

ASR1K


MAP

• MAP has two flavors (both standardized):

• MAP-T : RFC7599

• MAP-E : RFC7597

• Advantages:

• Leverages IPv6 in the network

• No CGN inside SP network

• No need for NAT Logging (DHCP logging as usual)

• No need for ALGs

• No need for Stateful NAT64/DNS64

• Disadvantages:

• Dependency on CPE router

• Any application hardcoding any port# might not work without UPnPv2 support

BRKSPG-2602 70


MAP Addressing Toolhttp://map46.cisco.com/

http://map46.cisco.com/









• Conclusion

Agenda

Try V6-only WiFi:

SSID: CL-NAT64

WPA2-PSK: cl-nat64

5GHz only

While Client-side apps (mobile or desktop) got IPv6-only support, Server-side still need to catch up…

e.g. Apple FaceTime, iMessage, iCloud, etc.

Hence, the short-

term need for

NAT64…

IPv4 Reachability

bash-3.2$ ping www.apple.com

PING e6858.dsce9.akamaiedge.net (104.112.153.131): 56 data bytes

64 bytes from 104.112.153.131: icmp_seq=0 ttl=57 time=32.063 ms

^C

bash-3.2$

bash-3.2$ ping init.ess.apple.com

PING a239.da1.akamai.net (23.205.120.82): 56 data bytes


^C

bash-3.2$

bash-3.2$ ping www.icloud.com

PING e4478.a.akamaiedge.net (23.206.217.193): 56 data bytes


bash-3.2$ ping configuration.apple.com

PING e5153.e9.akamaiedge.net (104.113.5.216): 56 data bytes


^C

bash-3.2

IPv6 Reachability

bash-3.2$ ping6 www.apple.com

PING6(56=40+8+8 bytes) 2601:2c7:4000:<removed> --> 2001:559:19:1286::1aca

16 bytes from 2001:559:19:1286::1aca, icmp_seq=0 hlim=61 time=11.470 ms

^C

bash-3.2$

bash-3.2$ ping6 init.ess.apple.com

ping6: getaddrinfo -- nodename nor servname provided, or not known

bash-3.2$

bash-3.2$ ping6 www.icloud.com


bash-3.2$

bash-3.2$ ping6 configuration.apple.com


bash-3.2$

As of June 26th, 2017


IPv6-Only Networks with CGN 64.

This is

where

we are:

Mostly

IPv4 &

Address

Run-out

Dual

Stack

MAP

BRKSPG-2602 76



CGN

44

+

Dual

Stack

CGN

*

+

DS-

Lite

6rd

CGN

44

+

6rd

(Dual-

Stack)

This is

where

we

have to

be:

Mostly

IPv6;

Dual

Stack


IPv4

IPv6

CGN


CGN

64

+

Single

-Stack


IPv6-Only Networks with CGN 64

Stateless or Stateful NAT64

function (on routers)

Supported on ASR9K,

ASR1K, CRS

BRKSPG-2602 77

IPv6-only devices


NAT64

LSN64

NAT

NAT64

LSN64

NATNAT

NAT64 – Stateful

IPv6

IPv6

Endpoint

2001:db8:abcd:2::1

2001:DB8:ABCD::/64

announced in

IPv6 Routing domain

(203.0/24)

announced in

IPv4 Routing domain• NAT keeps binding state between inner IPv6 address and outer IPv4+port

• DNS64 needed

•Application dependent/ALGs may be required

2001:db8:abcd:2::1

IPv6 Header

Src Addr

DestAddr 2001:DB8:ABCD:<92.0.2.1>

IPv4

Endpoint

92.0.2.1

203.0.113.1

IPv4 Header

Src

Addr

Dest

Addr92.0.2.1

Host can be

assigned with any

IPv6 address (no

particular format)

Stateful

Supported on ASR9K,

ASR1K, CRS

BRKSPG-2602 79


NAT64

LSN64

NAT

NAT64

LSN64

NATNAT

NAT64 – Stateless

IPv6

IPv6

Endpoint

2001:db8:<203.0.114.1>::

2001:DB8:ABCD::/64

announced in

IPv6 Routing domain

(203.0/24)

announced in

IPv4 Routing domain• No NAT binding state; IPv6 <-> IPv4

mapping computed algorithmically

• DNS64 needed

• Application dependent ALGs might be required

2001:db8:<203.0.114.1>::

IPv6 Header

Src Addr

DestAddr 2001:DB8::<92.0.2.1>::

IPv4

Endpoint

92.0.2.1

203.0.114.1

IPv4 Header

Src

Addr

Dest

Addr92.0.2.1

Host must be

assigned an “IPv4

Translatable” IPv6

address

Stateless

Supported on ASR9K,

ASR1K, CRS

BRKSPG-2602 80


NAT64 – Stateful vs. Stateless

Stateless

• 1:1 translation

• “NAT”

• Any protocol

• No IPv4 address savings• Just like dual-stack

• MAP however does save IPv4 addresses by combining NAT46 with NAT44

Stateful

• 1:N translation

• “NAPT”

• TCP, UDP, ICMP

• Shares IPv4 addresses

Note : IPv6-only DC using Stateless 64 : RFC7755

BRKSPG-2602 81


NAT64 DNS64 is important• NAT64 translator is useful only if the traffic can come to it

• IP addresses of IPv6 packets must be formulated accordingly

• DNS64 provides conversion of an IPv4 address into an IPv6 address

• AAAA record is made up from A record (only if upstream AAAA not present) using IPv6 prefix of NAT64 translator (e.g. 2001:DB8:ABCD::)

Internet

AAAA?IPv6-only

Endpoint AAAA?

Empty answer

A?

92.0.2.12001:DB8:ABCD::92.0.2.1

(sent simultaneously)

DNS64 NAT64

BRKSPG-2602 82


DNS64 – Watch out

• Works for applications that do DNS queries

•http://www.example.com

•IMAP, connecting to XMPP servers, etc.

• Works with DNSSEC (note [1])

• Doesn’t work for applications that don’t do DNS queries or use IP address literals

• http://1.2.3.4

• SIP, RTSP, H.323, XMPP peer to peer, etc.

• Doesn’t work well if Application-level proxy for IP address literals (HTTP proxy) is used

• Learn NAT64’s prefix, RFC 7050

• NAT46/BIH (Bump In the Host), RFC6535

• 464XLAT (RFC6877)

BRKSPG-2602 83

[1] https://blog.apnic.net/2016/06/09/lets-talk-ipv6-dns64-dnssec/

https://tools.ietf.org/html/rfc7050


IPv6-only

Network

464XLAT = Stateless + Stateful Better Together RFC6877

• Some applications may break with IPv6-only (and NAT64)

• Skype, among other interesting applications (more listed here*)

• 464 translation helps most of those IPv4-only applications

• Endpoint does “Stateless NAT46”, network does “Stateful NAT64” only for IPv4 traffic

• 464 supported _only_ by Android OS;

• Benefit: Network can Provide IPv6-only connectivity to Endpoints without worrying about any IPv4-only apps

Stateful

NAT64IPv4 Internet

Endpoint

BRKSPG-2602 84

* http://tinyurl.com/nat64-breakage

Stateless

NAT46

IPv6 Internet

Note: The

usefulness of

XLAT may

continue to

subside, given

apple mandate for

apps to work with

IPv6-only since

2016, as well as

Cloud Providers

enabling IPv6-only

support

http://tinyurl.com/nat64-breakage


IPv6Internet

IPv4Internet

IPv4Network

IPv6Network

IPv4Network

IPv6Internet

IPv4Internet

IPv6Network

IPv4Network

IPv6Network

IPv4Network

IPv6Network

1.

2.

3.

4.

5.

6.

stateful stateless

Needed (a) if IPv6-only content existed, or (b) IPv4-only LAN with IPv6-only WAN *

NAT64 Scenarios

Covered in this

presentation

Covered in

BRKSPG-

2602 from

2014**

BRKSPG-2602 85

* Verizon stops giving out static IPv4 WAN address(es) in 2017

https://email.vzwshop.com/pub/sf/FormLink?_ri_=X0Gzc2X=YQpglLjHJlTQGrKE40mGHknGjiMzcpzazb6YGYzcBzcqNG9T4za5Yzehza5afUqzbGzcbCnU1KVXMtX=YQpglLjHJlTQGtRr8uTuFp1pXhE2sDNUzbXTqIdCgWBMJSsRRNCzdrFGUumLp9Fzchzc









• Conclusion

Agenda


ConclusionWhatever you do …. Drive Carefully…

BRKSPG-2602 92


Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#BRKSPG-2602


• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Complete Your Online Session Evaluation

http://ciscolive.com/Online

http://www.ciscolive.com/global/on-demand-library/


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Tech Circle

• Meet the Engineer 1:1 meetings

• Related sessions

95BRKSPG-2602


More IPv6 sessions this week at CiscoLive

• BRKSEC-3200 - Advanced IPv6 Security Threats and Mitigation – 30 Jan. 14:15

• BRKIP6-2616 - Beyond Dual-Stack: Using IPv6 like you’ve never imagined – 30 Jan. 16:45

• BRKRST-3304 - Hitchhiker's Guide to Troubleshooting IPv6 - Advanced – 31 Jan. 9:00

• BRKSPG-2602 - IPv4 Exhaustion: NAT and Transition to IPv6 for SPs – 31 Jan. 9:00

• BRKIP6-2301 - Enterprise IPv6 Deployment – 31 Jan. 11:30

• LABSPG-3122 - Advanced IPv6 Routing and services lab – 31 Jan 14:00 & 1 Feb. 14:00

• BRKCOL-2020 - IPv6 in Enterprise Unified Communications Networks – 31 Jan. 16:30

• BRKCOC-2388 - Inside Cisco IT: A Tale of Two Protocols – 2 Feb. 9:00

• BRKIP6-2002 - IPv6 for the World of IoT – 2 Feb. 11:30

BRKSPG-2602

Try V6-only WiFi:

SSID: CL-NAT64

WPA2-PSK: cl-nat64

5GHz only

Thank you

ipv4 exhaustion: nat and transition to ipv6 · cisco public 22 towards ipv6 …with or without ipv4...

Documents