IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers
Rajiv Asati, Distinguished Engineer, Cisco
Yenu Gobena, Distinguished Services Engineer, Cisco
BRKSPG-2602
Agenda
• Goal of Transition Technologies
• Overview of Transition Technologies
• Dual Stack and Happy Eyeballs
• CGN, Dual-Stack Lite, 6rd, MAP
• IPv4 Address Sharing - Impact
• NAT64 for IPv6-only networks
• Port Control Protocol
• Conclusion
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv4 – Classic. But spare parts have run out.
IPv6 – Next-gen super vehicle. Getting to full parity and end-to-end use takes time.
Caution: new road may be needed.
Transition Technologies: driving your classic IPv4 (or next-gen IPv6) around
Abstract
• To continue adding subscribers after IPv4 exhaustion, service providers will need to use NAT while also deploying IPv6.
• This talk discusses a few transition mechanisms for Service Providers, including MAP (Mapping of Address and Port), 464XLAT, DS-Lite and CGN (NAT44 and NAT64).
• 6rd is included for reference as well.
• This session is for Service Providers.
IPv6-Related Sessions
TECSPM-2001 IPv6 LTE/EPC Design and Deployment
BRKRST-2301 Enterprise IPv6 Deployment
BRKRST-2311 IPv6 Planning, Deployment and Operation Considerations
BRKSPG-2603 How to Securely Operate an IPv6 Network
BRKSEC-2003 IPv6 Security Threats and Mitigations
BRKSEC-3003 Advanced IPv6 Security: Securing Link Operations at First Hop
BRKRST-2044 Enterprise Multi-Homed Internet Edge Architectures
PNLCRS-2303 Experiences with Deploying IPv6
LTRRST-1301 IPv6 Hands-on Lab
LTRSEC-3033 IPv6 Network Threat Defense, Countermeasures and Controls
BRKSPG-2602 IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers
COCRST-2355 Inside Cisco IT: Making the Leap to IPv6
BRKCRT-9344 IPv6 for Cert Nuts
BRKEWN-2010 Design and Deployment of Enterprise WLANs
BRKRST-2304 Hitchhiker’s Guide to Troubleshooting IPv6
BRKSPG-2606 MAP - Let's Solve IPv4 Address Exhaustion without Stateful CGN
BRKSPG-2607 IPv6 Deployment Best Practices for the Access Network
BRKSPG-3300 Service Provider IPv6 Deployment
BRKSPG-2903 Network Services in IOS-XR
Search Session Builder: “ipv6”
Recommended Approach for IPv6
• Dual-Stack all the way to the hosts
• Dual-stack on hosts
• Windows, OSX, iOS, Android, Linux, BSD
• Dual-Stack in the network
• But… IPv4 exhaustion is underway
• Every host can NOT be assigned an IPv4 address
• Two protocol stacks to be managed in the network
Dual-Stack Deployment (per IETF RFC 4213)
IPv4+IPv6 Hosts (Dual Stack) on an IPv4+IPv6 Network
Note: RFC7755 suggests Single-stack IPv6 for DC
Recommended Approach for IPv6
• Dual-Stack to the hosts
• ~100% of mobile hosts and ~90% of desktop hosts now support it (..go away WinXP..)
Dual-Stack Deployment (per IETF RFC 4213), since 2005
Source – Desktop Operating System, Netmarketshare, June 2016
Source – Mobile Operating System, Netmarketshare, June 2016
Recommended Approach for IPv6
• Dual-Stack to the hosts
• Hosts support dual stack
• Windows, OSX, iOS, Linux
Dual-Stack Deployment (RFC 4213)
Source – The Next Web, Sept 2015
IPv4 Address Depletion Impacts ISPs and Users Differently
• The ISP impact:
• Lack of IPv4 addresses for users
• Harder to grow the business
• The user impact (explicit or implicit):
• IP reputation (more on this later)
• IPv4 address sharing
• Breaks applications
• Complicates operating servers
• Limits UDP/TCP ports per user
• IPv6-enabled services are catching up
IPv6 Deployment Options: Guideline
Translation (NAT)
• Share IPv4 addresses
• Well understood
• "Lossy"
• Not true end-to-end
Dual Stack
• Easiest to deploy
• Requires IPv4 addresses
Tunneling (Encapsulation)
• Encapsulate v6 traffic in v4 packets (and vice versa)
• Routing can be sub-optimal
• Extra overhead and traffic classification dilemmas
"Dual stack when you can… tunnel where you need to… translate when you must."
Transition Technologies
• How do we migrate from IPv4 to IPv6?
• Short term (1): can't enable IPv6 immediately; need more IPv4 (or share IPv4)
• Short term (2): enable IPv6 immediately; still need more IPv4 (or share IPv4)
• Long term: simple network, single protocol – IPv6
• What does this really mean?
• IPv6 to co-exist with IPv4
• IPv4 address sharing to become wide-spread
• IPv6 to interoperate with IPv4
Transition technologies help with IPv4 to IPv6 migration
IPv4->IPv6 Transition Technologies in One Slide
[Diagram: starting from IPv4 address run-out, the IPv4 axis offers two paths: obtain more IPv4 addresses, or share IPv4 addresses with CGN, CGN + 6rd, CGN + DS-Lite, or MAP. The IPv6 axis carries 6rd and Dual Stack.]
Obtain IPv4 Addresses
• Obtain IPv4 addresses from RIR or open market
• RIR: request IPv4 addresses. There are still a few addresses available!
• Open market: USD $10-$20 per IPv4 address
• Advantages:
• No CGN, no address sharing, no operational changes
• Disadvantages:
• If business growing, delaying the inevitable
• Geo-location needs to be updated (mileage varies)
• Deploy IPv6, too!
Transition Technologies: Summary

   Technology    CPE changes needed   Access network   Tunnel or translate?   In-network state?   Arbitrary addressing?
1  Dual-Stack    Yes|No               IPv4+IPv6        n/a                    n/a                 Yes
2  CGN           No                   IPv4             Translate              Yes (CGN)           Yes
3  DS-Lite       Yes                  IPv6             Both                   Yes (CGN)           Yes
4  6rd           Yes                  IPv4             Tunnel                 No                  No
5  6rd + CGN     Yes                  IPv4             Both                   Yes (CGN)           No
6  MAP           Yes                  IPv6             MAP-T: translate       No                  Yes*
                                                       MAP-E: tunnel
* MAP allows both arbitrary and algorithmic mapping
1. Dual Stack: Host Gets both IPv4 and IPv6 Addresses
[Diagram: the "Transition Technologies in One Slide" map with Dual Stack highlighted on the IPv6 axis]
1. Dual Stack: The Plan
• Dual Stack has been “the plan” for IPv6 migration since ... Forever
• The Plan:
• Clients get IPv6 & IPv4 addresses
• Servers get IPv6 & IPv4 addresses
• Networks enabled with both IPv4 and IPv6
• IPv6 is likely preferred
Drive both cars
1. Dual Stack: The Reality
• Reality: More and more IPv4 address sharing (NAT, MAP)
• Covered in the co-existence section later on.
• Hosts should prefer IPv6 to IPv4
• Generally necessary to get IPv6 on the network
• Without this preference, IPv4 would persist until IPv4 is turned off
• But what if IPv6 is broken? Overloaded???
• IPv6 peering is down ...
• Tunnel is down ...
• (Microsoft IPv6 NCSI is down.... More on that in a few slides)
IPv6 Road
1. Dual Stack: Do I use IPv6 or IPv4?
• Dual-stack client connecting to dual-stack server
• IPv6 is preferred by default (RFC6724)
• If IPv6 is slower, then users blame IPv6 and may disable IPv6!
• IPv6 better not be slower than IPv4
• Who can guarantee that !
• What if IPv6 is broken altogether?
• What if IPv6 is broken to few websites?
1. Dual Stack: Problem – IPv6 is broken to a certain website
[Diagram: dual-stack client whose IPv6 path to one dual-stack site is broken]
1. Dual Stack: Solution – Happy Eyeballs (RFC6555)
[Diagram: the client starts the IPv6 connection first and, after a short delay, an IPv4 connection in parallel; the first to complete is used]
Note: Slight preference is given to the IPv6 connection
1. Dual Stack: Solution – Happy Eyeballs Optimization (RFC6555)
[Diagram: Happy Eyeballs optimization]
1. Dual-Stack: Happy Eyeballs (RFC6555)
• Users are happy
• Aimed initially at web browsing
• Web browsing is the most common application
• Fast response even if IPv6 (or IPv4) path is down
• Network administrators are happy
• Users no longer trying to disable IPv6
• Reduces IPv4 usage (reduces load on CGN)
• Content providers are happy
• Improved geolocation and DoS visibility with IPv6
Source: http://seclists.org/nanog/2016/Jun/809
1. Dual-Stack: Happy Eyeballs Implementations
• Google Chrome and Mozilla Firefox: Yes
• Utilizes the long-established 250-300ms 'backup' thread
• Follows getaddrinfo() address preference
• Apple Safari, iOS*, OSX*: Yes
• The DNS AAAA query is sent before the A query on the wire
• If the AAAA reply comes first, the v6 SYN is sent immediately
• If the A reply comes first, wait up to 25ms for the AAAA reply; if none arrives, the v4 SYN is sent
• Else, a heuristics-based address selection algorithm is applied
• Microsoft Windows OS and Internet Explorer: NO
• Not even something like happy eyeballs
• Cisco WebEx: Yes
RFC6555 Compliant
* http://lists.apple.com/archives/Ipv6-dev/2011/Jul/msg00009.html
* https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html
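Added example (not part of the session): the RFC 6555 race behind the Chrome/Firefox "250-300 ms backup" behaviour listed above, run against a constructed connect() stub so it works offline. The two demo scenarios are the broken-IPv6 case from the problem slide and the healthy-IPv6 case; the address literals are documentation ranges and the stub's timings are assumptions, not measurements.

```python
"""Happy Eyeballs (RFC 6555) connection race, runnable offline.

Added example; not code from the Cisco session. The connector passed in is a
constructed stub standing in for a blocking socket connect() so the race can be
observed without a network. A real caller would pass a function that opens a
TCP socket to the (family, ip) pair and returns it.
"""
import socket
import threading
import time
from typing import Callable, Dict, List, Tuple

Address = Tuple[int, str]          # (socket.AF_INET6 or socket.AF_INET, ip literal)


def happy_eyeballs(addresses: List[Address], connect: Callable[[Address], object],
                   backup_delay: float = 0.25, timeout: float = 2.0) -> Dict:
    """Race connection attempts the way RFC 6555 describes.

    IPv6 is tried first (RFC 6724 default preference). If it has neither
    succeeded nor failed within backup_delay, the next address is started in
    parallel; a failure starts the next address immediately. The first
    successful connection wins and any later success is closed, so a broken
    IPv6 path costs the user roughly backup_delay instead of a TCP timeout.
    """
    ordered = sorted(addresses, key=lambda a: 0 if a[0] == socket.AF_INET6 else 1)
    cond = threading.Condition()
    state = {"winner": None, "attempted": [], "failed": [], "pending": 0}

    def decided() -> bool:
        return state["winner"] is not None or state["pending"] == 0

    def attempt(addr: Address) -> None:
        conn, err = None, None
        try:
            conn = connect(addr)
        except OSError as exc:
            err = str(exc)
        with cond:
            if err is not None:
                state["failed"].append((addr, err))
            elif state["winner"] is None:
                state["winner"] = (addr, conn)
            else:
                conn.close()              # lost the race: drop the redundant connection
            state["pending"] -= 1
            cond.notify_all()

    deadline = time.monotonic() + timeout
    with cond:
        for addr in ordered:
            state["attempted"].append(addr)
            state["pending"] += 1
            threading.Thread(target=attempt, args=(addr,), daemon=True).start()
            cond.wait_for(decided, timeout=backup_delay)   # head start for this attempt
            if state["winner"] is not None:
                break
        cond.wait_for(decided, timeout=max(0.0, deadline - time.monotonic()))
        return {"winner": state["winner"], "attempted": list(state["attempted"]),
                "failed": list(state["failed"])}


class FakeConn:
    """Stand-in for a connected socket; only close() matters here."""
    def __init__(self, addr: Address) -> None:
        self.addr, self.closed = addr, False

    def close(self) -> None:
        self.closed = True


def make_connector(behaviour: Dict[str, Tuple[float, bool]]) -> Callable[[Address], FakeConn]:
    """Constructed connect() stub: behaviour maps ip -> (seconds to answer, succeeds?)."""
    conns: Dict[str, FakeConn] = {}

    def connect(addr: Address) -> FakeConn:
        delay, ok = behaviour[addr[1]]
        time.sleep(delay)
        if not ok:
            raise OSError(f"connect to {addr[1]} failed")
        conns[addr[1]] = FakeConn(addr)
        return conns[addr[1]]

    connect.conns = conns            # lets a caller inspect which connections were opened
    return connect


# Constructed dual-stack DNS answer for one hostname (documentation ranges, not real hosts).
DUAL_STACK = [(socket.AF_INET, "192.0.2.10"), (socket.AF_INET6, "2001:db8::10")]


def demo_broken_ipv6() -> Dict:
    """The 'IPv6 is broken to a certain website' case: IPv6 black-holed, IPv4 answers in 30 ms."""
    connect = make_connector({"2001:db8::10": (1.5, False), "192.0.2.10": (0.03, True)})
    start = time.monotonic()
    result = happy_eyeballs(DUAL_STACK, connect, backup_delay=0.25)
    result["elapsed"] = time.monotonic() - start
    return result


def demo_healthy_ipv6() -> Dict:
    """IPv6 answers in 20 ms: it wins and the IPv4 attempt is never started."""
    connect = make_connector({"2001:db8::10": (0.02, True), "192.0.2.10": (0.02, True)})
    return happy_eyeballs(DUAL_STACK, connect, backup_delay=0.25)


if __name__ == "__main__":
    for demo in (demo_broken_ipv6, demo_healthy_ipv6):
        r = demo()
        print(demo.__name__, "winner:", r["winner"][0][1], "attempted:", [a[1] for a in r["attempted"]])
```

The broken-IPv6 run completes in about 0.28 s (backup delay plus the IPv4 stub's 30 ms) instead of waiting out the IPv6 attempt, which is the point of the "users stop disabling IPv6" bullet above.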
1. Dual-Stack: Happy Eyeballs Implementations (contd.)
• On Windows OS, the IPv6 experience may also get worse
• Network Connectivity Status Indicator (NCSI) checks IPv6 connectivity (HTTP GET of http://ipv6.msftncsi.com/ncsi.txt)
• If the NCSI probe works, IPv6 is enabled
• If the NCSI probe fails, IPv6 is de-prioritized below IPv4 (specific IPv6 routes can still be prioritized)
Weird… huh! NCSI IPv6 works, but the status shows it doesn't.
Carrier Grade NAT (CGN)
[Diagram: the "Transition Technologies in One Slide" map with CGN highlighted under IPv4 Address Sharing]
Note - CGN is also known as LSN (Large Scale NAT)
CGN
• Carrier Grade Network Address Translation
• Address and Port Translator (NAPT), really
• Like the common residential NAT (Linksys, etc.)
• Using RFC 4787 terminology (also used by STUN, RFC 5389): Endpoint-Independent Mapping and Endpoint-Independent Filtering (EIM and EIF)
• Bigger (e.g. large scale)
• Port logging (e.g. syslog, NetFlow v9)
• Per-user port limit
• Shared address space 100.64.0.0/10 (RFC 6598) instead of private IPv4 space is an option
CGN: Private IPv4 Moves into the SP
[Diagram: stateful NAT function inside the SP network]
Supported on ASR9K, ASR1K, CRS
CGN
• Nicknamed NAT444 = NAT44 in the home, NAT44 in the ISP
• Advantages:
1. Very well known technology
2. No dependency on the CPE router
• Disadvantages:
1. Port forwarding
2. Certain applications may not work
3. Logging
4. Network/routing design headache
5. IPv4 address sharing efficiency
See BRKSPG-3334 from CiscoLive2014 for more details
Supported on ASR9K, ASR1K, CRS
CGN: ALG, Logging
[Diagram: the "Transition Technologies in One Slide" map with CGN, 6rd + CGN and DS-Lite highlighted]
ALG, logging etc. issues are applicable to all these solutions relying on CGN
Carrier Grade NAT: Application Layer Gateway (ALG)
• ALG = application awareness inside the NAT:
• modifies IP addresses and ports in the application payload
• creates NAT mappings
• Each application requires a separate ALG
• FTP, SIP, RTSP, RealAudio, …
• ALG needs to understand application nuances
• ALG requires:
• Un-encrypted signaling (!!)
• Restricted network topology
• Summary: ALG prevents application evolution and introduces bugs
Carrier Grade NAT: Modern Applications Avoid Relying on ALG
• Successful applications have to work everywhere
• Coffee shop, home, work, hotel, airport, 3G
• FTP Passive Mode
• ICE (RFC5245) and STUN (RFC5389)
• Intelligence in the endpoint
• Useful for offer/answer protocols (SIP, XMPP)
• RTSPv1 abandoned on the desktop
• effectively replaced with Flash over HTTP, and soon HTML5
• RTSPv2 has an ICE-like solution
• Skype does its own NAT traversal
• Linksys disabled SIP ALGs around 2006
• Because of bugs and incompatibilities with SIP endpoints
Carrier Grade NAT: ALG-related Operational Issues
• Debugging / troubleshooting problems
• SIP from vendor X works, but vendor Y breaks:
1. Vendor Y violated the standard?
2. Vendor X has special sauce??
3. ALG is broken???
• Delays
• Months for vendor turn-around for patches
• Months for SP testing/qualification/upgrade window
• ALG can break a competitor's over-the-top application (e.g., SIP, streaming video)
• Regulators frown on interference
Meanwhile: unhappy users
See BRKSPG-3334 from CiscoLive2014 for more details
Carrier Grade NAT: Logging Source Port
• Stateful NAT requires logging (NAT44, NAT64, DS-Lite AFTR, …)
• NAT mappings are temporary (similar to DHCP-assigned addresses)
• Logging each NAT mapping creates large logs!
• Bulk port allocation (BPA) reduces logging, at the expense of reduced efficiency of IPv4 address sharing
• With a bulk size of N ports, one log entry covers N mappings: log volume is reduced to roughly 1/N
• Acceptable compromise !!!
• Recommended
Supported on ASR9K, ASR1K, CRS
See BRKSPG-3334 from CiscoLive2014 for more details
Carrier Grade NAT: Logging Destination
• Server log combined with CGN log identifies subscribers
• Timestamp (new)
• Source IP address, source port (new), destination IP address, destination port
• RFC6302
• Some servers don't log the source port, or don't have a good timestamp
• Tempting to log the destination IP (and port) at the CGN
• Consider privacy and legal issues
• Incompatible with bulk port allocation, increases logging costs
• Not recommended
Supported on ASR9K, ASR1K, CRS
See BRKSPG-3334 from CiscoLive2014 for more details
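Added example (not Cisco's code) of the RFC 6302 lookup the two logging slides describe: bulk-port-allocation log lines are paired into port-block leases, and an abuse report's (outside address, source port, protocol, timestamp) is resolved to the inside subscriber. The log format and addresses are constructed for the example; they are not the syslog or NetFlow v9 record format of any CGN product. It also shows what you are left with when the server did not log the source port.

```python
"""Attributing a server-side event to a CGN subscriber (RFC 6302 + bulk port allocation).

Added example, not Cisco's code. The CGN log below is constructed in a simplified
text format: the field set (timestamp, inside address, outside address, protocol,
port block, allocate/free) is what a bulk-port-allocation log carries, but the
syntax is not that of any particular CGN product's syslog or NetFlow export.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed CGN bulk-port-allocation log: one line per block of 256 ports (N = 256).
CGN_LOG = """\
2016-07-12T14:03:10Z ALLOC inside=100.64.7.21 outside=203.0.113.5 proto=tcp ports=1024-1279
2016-07-12T14:03:12Z ALLOC inside=100.64.9.140 outside=203.0.113.5 proto=tcp ports=1280-1535
2016-07-12T14:40:00Z FREE inside=100.64.7.21 outside=203.0.113.5 proto=tcp ports=1024-1279
2016-07-12T14:41:05Z ALLOC inside=100.64.3.8 outside=203.0.113.5 proto=tcp ports=1024-1279
"""


@dataclass
class Block:
    inside: str
    outside: str
    proto: str
    lo: int
    hi: int
    start: datetime
    end: Optional[datetime] = None     # None: still allocated at the end of the log


def parse_ts(s):
    # CGN and server clocks must agree and be in UTC; a report in local time with no
    # offset is the usual reason an attribution comes back wrong.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_cgn_log(text: str) -> List[Block]:
    """Pair ALLOC and FREE lines into port-block leases."""
    blocks: List[Block] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        lo, hi = (int(p) for p in kv["ports"].split("-"))
        key = (kv["inside"], kv["outside"], kv["proto"], lo, hi)
        if event == "ALLOC":
            blocks.append(Block(kv["inside"], kv["outside"], kv["proto"], lo, hi, parse_ts(ts)))
        elif event == "FREE":
            for b in blocks:
                if (b.inside, b.outside, b.proto, b.lo, b.hi) == key and b.end is None:
                    b.end = parse_ts(ts)
                    break
    return blocks


def active_at(b: Block, at: datetime) -> bool:
    return b.start <= at and (b.end is None or at < b.end)


def find_subscriber(blocks: List[Block], outside: str, port: int, proto: str,
                    at: datetime) -> Optional[str]:
    """RFC 6302 lookup: outside address + source port + protocol + timestamp -> inside address."""
    hits = [b.inside for b in blocks
            if b.outside == outside and b.proto == proto and b.lo <= port <= b.hi
            and active_at(b, at)]
    return hits[0] if len(hits) == 1 else None   # more than one hit means overlapping leases


def candidates_without_port(blocks: List[Block], outside: str, at: datetime) -> List[str]:
    """What remains when the server logged only the address: every subscriber holding
    any port on that address at that moment."""
    return sorted({b.inside for b in blocks if b.outside == outside and active_at(b, at)})


if __name__ == "__main__":
    leases = parse_cgn_log(CGN_LOG)
    when = parse_ts("2016-07-12T14:10:00Z")
    print(find_subscriber(leases, "203.0.113.5", 1100, "tcp", when))
    print(find_subscriber(leases, "203.0.113.5", 1100, "tcp", parse_ts("2016-07-12T14:50:00Z")))
    print(candidates_without_port(leases, "203.0.113.5", when))
```

The same outside address and port 1100 resolves to two different subscribers at 14:10 and 14:50 because the block was freed and re-leased in between, which is why the timestamp is as essential as the port.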
DS-Lite
[Diagram: the "Transition Technologies in One Slide" map with Dual-Stack Lite highlighted under IPv4 Address Sharing]
Note: DS-Lite requires CGN
DS-Lite: IPv4 over IPv6 Access
[Diagram: IPv4-over-IPv6 tunnels from the subscriber to a stateful NAT function (on routers) inside the SP network]
Supported on ASR9K, ASR1K, CRS
DS-Lite
• Requires IPv6 access network
• Tunnels subscriber IPv4 traffic to a CGN device
• Uses Carrier-Grade NAT (CGN)
• Requires CPE router support
• RFC6333
• MTU – Watch out !!
DS-Lite
• Advantages:
• Leverages IPv6 in the network
• Disadvantages:
• Dependency on the CPE router
• NAT disabled on the CPE router
• Content caching function may break
• DPI function may break
• QoS function may break
• All disadvantages of CGN also apply
6rd and 6rd with CGN
[Diagram: the "Transition Technologies in One Slide" map with 6rd and 6rd + CGN highlighted]
6rd - IPv6 over (Public) IPv4
[Diagram: IPv6 moves out to subscribers over IPv6-over-IPv4 tunnels; native dual-stack at home; stateless tunneling function (on routers) inside the SP network]
Supported on ASR9K, ASR1K, CRS
6rd + CGN = IPv6 over (Private) IPv4
[Diagram: IPv6 moves out to subscribers over IPv6-over-IPv4 tunnels; private IPv4 moves into the SP*; stateless tunneling function (on routers) plus stateful NAT function (on routers) inside the SP network*]
* Assuming RFC1918 usage
Supported on ASR9K, ASR1K, CRS
6rd: IPv6 tunneled over the IPv4 access network
[Diagram: dual-stack (IPv4 + IPv6) subscriber behind a 6rd CE; IPv4 access network; 6rd BR at the IPv6 edge; native or 6PE dual-stack core. The subscriber's IPv6 prefix is derived from its IPv4 address; "one line" global config for the IPv6 gateway]
• Native dual-stack IP service to the subscriber
• Simple, stateless, automatic IPv6-in-IPv4 encapsulation and decapsulation
• IPv6 traffic automatically follows IPv4 routing
• 6rd Border Relays placed at the IPv6 edge
Supported on ASR9K, ASR1K, CRS
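Added example (not Cisco's code) of the derivation behind "subscriber IPv6 prefix derived from IPv4 address", following RFC 5969 for both the public-IPv4 case and the 6rd + CGN case (RFC 1918 addresses with the common /8 left out via IPv4MaskLen), together with the inverse lookup a CE or BR uses to pick the tunnel endpoint and the source-consistency check that belongs in decapsulation. The domain parameters are constructed from documentation and RFC 1918 ranges.

```python
"""6rd (RFC 5969) prefix derivation, tunnel-endpoint lookup and decapsulation check.

Added example, not Cisco's code. The two domains below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SixRdDomain:
    prefix: ipaddress.IPv6Network      # 6rdPrefix / 6rdPrefixLen
    v4_mask_len: int                   # IPv4MaskLen: high-order IPv4 bits all CEs share, not carried
    v4_common: ipaddress.IPv4Address   # those shared high-order bits (needed for the inverse)
    br_v4: ipaddress.IPv4Address       # 6rdBRIPv4Address

    @property
    def delegated_len(self) -> int:
        return self.prefix.prefixlen + 32 - self.v4_mask_len

    @property
    def carried_mask(self) -> int:
        return (1 << (32 - self.v4_mask_len)) - 1


def delegated_prefix(domain: SixRdDomain, ce_v4: str) -> str:
    """CE side: 6rdPrefix followed by the (32 - IPv4MaskLen) low-order bits of the CE's IPv4 address."""
    carried = int(ipaddress.IPv4Address(ce_v4)) & domain.carried_mask
    shift = 128 - domain.delegated_len
    net = ipaddress.IPv6Network((int(domain.prefix.network_address) | (carried << shift),
                                 domain.delegated_len))
    return str(net)


def tunnel_destination(domain: SixRdDomain, dst_v6: str) -> str:
    """Encapsulator side: a destination inside the 6rd domain is reached directly at the IPv4
    address its bits embed (CE-to-CE traffic never touches the BR); anything else goes to the BR."""
    dst = ipaddress.IPv6Address(dst_v6)
    if dst not in domain.prefix:
        return str(domain.br_v4)
    carried = (int(dst) >> (128 - domain.delegated_len)) & domain.carried_mask
    common = int(domain.v4_common) & ~domain.carried_mask & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(common | carried))


def source_is_consistent(domain: SixRdDomain, outer_src_v4: str, inner_src_v6: str) -> bool:
    """Decapsulation check (RFC 5969 security considerations): a packet whose inner IPv6
    source lies in the 6rd domain must arrive from the IPv4 address that source embeds, and
    sources outside the domain may only arrive from the BR. Anything else is spoofed: drop."""
    inner = ipaddress.IPv6Address(inner_src_v6)
    if inner not in domain.prefix:
        return outer_src_v4 == str(domain.br_v4)
    return tunnel_destination(domain, inner_src_v6) == outer_src_v4


# Public-IPv4 6rd: the whole IPv4 address is carried, so each CE gets a /64 out of a /32.
PUBLIC = SixRdDomain(ipaddress.IPv6Network("2001:db8::/32"), 0,
                     ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("192.0.2.1"))
# 6rd + CGN: CEs hold RFC 1918 addresses from 10.0.0.0/8; the common /8 is not carried, so
# only 24 bits are appended and each CE gets a /56 (constructed parameters).
PRIVATE = SixRdDomain(ipaddress.IPv6Network("2001:db8::/32"), 8,
                      ipaddress.IPv4Address("10.0.0.0"), ipaddress.IPv4Address("10.255.255.1"))

if __name__ == "__main__":
    print(delegated_prefix(PUBLIC, "198.51.100.7"))            # 2001:db8:c633:6407::/64
    print(delegated_prefix(PRIVATE, "10.5.6.7"))               # 2001:db8:506:700::/56
    print(tunnel_destination(PRIVATE, "2001:db8:506:700::1"))  # 10.5.6.7 (direct to that CE)
    print(tunnel_destination(PRIVATE, "2001:4860::1"))         # 10.255.255.1 (the BR)
    print(source_is_consistent(PRIVATE, "10.5.6.8", "2001:db8:506:700::1"))   # False: spoofed
```

Because the IPv4 address is recoverable from every in-domain IPv6 address, a BR that skips the consistency check lets one CE inject IPv6 packets that appear to come from another CE's prefix.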
MAP (Mapping of Address and Port)
[Diagram: the "Transition Technologies in One Slide" map with MAP highlighted under IPv4 Address Sharing]
See BRKSPG-3820 for detailed MAP discussion
MAP (Mapping of Address and Port)
• Allows sharing of IPv4 address across an IPv6 network
• Each shared IPv4 end-point gets a unique TCP/UDP port-range via “rules”
• All or part of IPv4 address can be derived from IPv6 prefix (allows for route summarization)
• Need to allocate UDP/TCP port range(s) to each CPE
• Stateless Border Relays in SP network
• Can be implemented in hardware (superior performance)
• Can use anycast, can have asymmetric routing
• No single point of failure, no need for high availability hardware
Supported on ASR9K,
ASR1K, CRS
MAP-E : Stateless 464 Encapsulation
[Diagram: IPv4-over-IPv6 encapsulation; stateless tunneling function (on routers); no CGN]
Supported on ASR9K,
MAP-T : Stateless 464 Translation
[Diagram: native IPv6 access; stateless 64 translation function (on routers); no CGN]
Supported on ASR9K, ASR1K
MAP
• MAP is standardized at the IETF: MAP-E is RFC 7597 and MAP-T is RFC 7599 (July 2015; developed as draft-ietf-softwire-map)
• https://tools.ietf.org/html/draft-ietf-softwire-map/
• Advantages:
• Leverages IPv6 in the network
• No CGN inside the SP network
• No need for logging
• No need for ALGs
• Disadvantages:
• Dependency on the CPE router
MAP Addressing Tool: http://map46.cisco.com/
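Added example (not Cisco's code, and not the map46.cisco.com tool) of the Basic Mapping Rule arithmetic behind the "rules" bullet above: the CE derives its shared IPv4 address, PSID, port set and MAP IPv6 address from its delegated prefix, and the stateless BR recomputes the CE prefix from IPv4 address + port on every packet, which doubles as the anti-spoofing check that stops one subscriber from sending with another's ports. The rule values are the RFC 7597 Appendix A example so every result can be checked against the RFC.

```python
"""MAP (RFC 7597) Basic Mapping Rule: what a CE derives from its delegated prefix and what
a stateless BR recomputes per packet.

Added example, not Cisco's code. RULE is the RFC 7597 Appendix A example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class BMR:
    rule_v6: ipaddress.IPv6Network
    rule_v4: ipaddress.IPv4Network
    ea_len: int                # EA-bits: IPv4 suffix + PSID, embedded in the end-user prefix
    psid_offset: int = 6       # "a" bits; the default 6 keeps ports 0-1023 out of every port set

    @property
    def v4_suffix_len(self) -> int:
        return 32 - self.rule_v4.prefixlen

    @property
    def psid_len(self) -> int:          # "k" bits
        return self.ea_len - self.v4_suffix_len

    def __post_init__(self) -> None:
        # ea_len < v4_suffix_len would give each CE a whole IPv4 prefix (no sharing): not handled here
        if self.psid_len < 0 or self.psid_offset + self.psid_len > 16:
            raise ValueError("rule out of range for this example")


def ce_params(rule: BMR, end_user_prefix: str) -> Tuple[str, int]:
    """CE side (RFC 7597 section 5.2): (shared IPv4 address, PSID) from the delegated prefix."""
    pfx = ipaddress.IPv6Network(end_user_prefix)
    if pfx.prefixlen != rule.rule_v6.prefixlen + rule.ea_len or not pfx.subnet_of(rule.rule_v6):
        raise ValueError("end-user prefix does not match the rule")
    ea = (int(pfx.network_address) >> (128 - pfx.prefixlen)) & ((1 << rule.ea_len) - 1)
    psid = ea & ((1 << rule.psid_len) - 1)
    ipv4 = ipaddress.IPv4Address(int(rule.rule_v4.network_address) + (ea >> rule.psid_len))
    return str(ipv4), psid


def port_set(rule: BMR, psid: int) -> List[Tuple[int, int]]:
    """Port ranges of a PSID (section 5.1): port = A | PSID | M, A = 1 .. 2^a - 1."""
    a, k = rule.psid_offset, rule.psid_len
    m = 16 - a - k
    ranges = []
    for A in range(1 if a else 0, 1 << a):
        lo = (A << (16 - a)) | (psid << m)
        ranges.append((lo, lo + (1 << m) - 1))
    return ranges


def map_ipv6_address(rule: BMR, end_user_prefix: str) -> str:
    """Section 5.3: subnet ID 0, interface ID = 16 zero bits | IPv4 address | PSID (16 bits)."""
    ipv4, psid = ce_params(rule, end_user_prefix)
    top = int(ipaddress.IPv6Network(end_user_prefix).network_address) & ~((1 << 64) - 1)
    iid = (int(ipaddress.IPv4Address(ipv4)) << 16) | psid
    return str(ipaddress.IPv6Address(top | iid))


def ce_prefix_for(rule: BMR, ipv4: str, port: int) -> str:
    """BR side, per packet and without state: rebuild the CE's end-user prefix from IPv4 + port."""
    k, m = rule.psid_len, 16 - rule.psid_offset - rule.psid_len
    suffix = int(ipaddress.IPv4Address(ipv4)) - int(rule.rule_v4.network_address)
    if not 0 <= suffix < (1 << rule.v4_suffix_len):
        raise ValueError("IPv4 address is not covered by the rule")
    psid = (port >> m) & ((1 << k) - 1)
    ea = (suffix << k) | psid
    plen = rule.rule_v6.prefixlen + rule.ea_len
    net = ipaddress.IPv6Network((int(rule.rule_v6.network_address) | (ea << (128 - plen)), plen))
    return str(net)


def source_is_consistent(rule: BMR, ipv6_src: str, ipv4_src: str, src_port: int) -> bool:
    """Anti-spoofing check a BR applies to CE-originated packets: the IPv4 source and port
    must belong to the CE that owns the IPv6 source, and ports with A = 0 belong to nobody."""
    a = rule.psid_offset
    if ipaddress.IPv4Address(ipv4_src) not in rule.rule_v4:
        return False
    if a and (src_port >> (16 - a)) == 0:
        return False
    return ipaddress.IPv6Address(ipv6_src) in ipaddress.IPv6Network(ce_prefix_for(rule, ipv4_src, src_port))


# RFC 7597 Appendix A: rule prefix 2001:db8::/40, IPv4 prefix 192.0.2.0/24, 16 EA bits, a = 6.
RULE = BMR(ipaddress.IPv6Network("2001:db8::/40"), ipaddress.IPv4Network("192.0.2.0/24"), 16, 6)

if __name__ == "__main__":
    ce = "2001:db8:12:3400::/56"
    print(ce_params(RULE, ce))                      # ('192.0.2.18', 52)
    print(port_set(RULE, 0x34)[:3])                 # [(1232, 1235), (2256, 2259), (3280, 3283)]
    print(map_ipv6_address(RULE, ce))               # 2001:db8:12:3400:0:c000:212:34
    print(ce_prefix_for(RULE, "192.0.2.18", 1233))  # 2001:db8:12:3400::/56
```

With a = 6 and k = 8 each CE owns 63 blocks of 4 ports (252 ports), and 256 CEs share one IPv4 address. The BR never stores a binding: ce_prefix_for is the whole of its per-packet work, and it is why MAP needs neither logging nor ALGs.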
IPv4 Address Sharing: Let's get dirty …
[Diagram: the "Transition Technologies in One Slide" map with every IPv4 address sharing option (CGN, 6rd + CGN, DS-Lite, MAP) highlighted]
IP Address Sharing: IP Reputation (1/2)
• Reputation is based on the IPv4 address
• Shared IP address = shared suffering
• Workaround: distinguish subscribers (sharing an IP address, or not sharing)
• draft-ietf-intarea-nat-reveal-analysis (published as RFC 6967)
• draft-wing-nat-reveal-option
• Server logs currently only contain the IPv4 address
• Server logs need to include the source port number, as recommended by RFC6302
• Best solution – have users and content providers use IPv6!
IP Address Sharing: IP Reputation (2/2)
• Affects NATs, as everyone knows
• NAT44 (CGN44): a big NAT operated by an ISP ("carrier"), enterprise, or university
• NAT444 (subscriber's NAT44 + ISP's CGN44)
• NAT64 (CGN64)
• DS-Lite (called "AFTR" = modified CGN44)
• Also affects non-CGN architectures!
• MAP (Mapping of Address and Port)
• Conceptually, a CGN with (some) fixed ports
• Address + Port (A+P), SD-NAT, Deterministic NAT
IP Address Sharing: IP Reputation with CGN
[Image: IP reputation effect of a CGN; image source: Jason Fesler, Yahoo!]
NAT64 Introduction
• Translate between IPv6 and IPv4
[Diagram: IPv6-only devices on one side, IPv4-only devices on the other, NAT64 in between]
NAT64
[Diagram: stateless or stateful NAT64 function (on routers)]
Supported on ASR9K, ASR1K, CRS
NAT64 – Stateful
[Diagram: IPv6 endpoint 2001:db8:abcd:2::1 in an IPv6 network whose prefix 2001:DB8:ABCD::/64 is announced in the IPv6 routing domain; a stateful NAT64 (LSN64); an IPv4 network where 203.0/24 is announced in the IPv4 routing domain; IPv4 endpoint 92.0.2.1]
IPv6 header from the host: Src 2001:db8:abcd:2::1, Dst 2001:DB8:ABCD:<92.0.2.1> (the IPv4 destination embedded in the NAT64 prefix)
IPv4 header after translation: Src 203.0.113.1 (NAT64 pool address), Dst 92.0.2.1
• NAT keeps binding state between the inner IPv6 address and the outer IPv4 address + port
• DNS64 needed
• Application-dependent ALGs may be required
• Host can be assigned any IPv6 address (no particular format)
Supported on ASR9K, ASR1K, CRS
NAT64 – Stateless
[Diagram: IPv6 endpoint 2001:db8:<203.0.114.1>:: (an IPv4-translatable address) in an IPv6 network whose prefix 2001:DB8:ABCD::/64 is announced in the IPv6 routing domain; a stateless NAT64 (LSN64); an IPv4 network where 203.0/24 is announced in the IPv4 routing domain; IPv4 endpoint 92.0.2.1]
IPv6 header from the host: Src 2001:db8:<203.0.114.1>::, Dst 2001:DB8::<92.0.2.1>::
IPv4 header after translation: Src 203.0.114.1 (extracted from the IPv6 source), Dst 92.0.2.1
• No NAT binding state; the IPv6 <-> IPv4 mapping is computed algorithmically
• DNS64 needed
• Application-dependent ALGs might be required
• Host must be assigned an "IPv4-translatable" IPv6 address
Supported on ASR9K, ASR1K, CRS
NAT64 – Stateful vs. Stateless
Stateless
• 1:1 translation
• "NAT"
• Any protocol
• No IPv4 address savings
• Just like dual-stack
• MAP however does save IPv4 addresses by combining NAT46 with NAT44
Stateful
• 1:N translation
• "NAPT"
• TCP, UDP, ICMP
• Shares IPv4 addresses
Note: IPv6-only DC using Stateless 64: RFC7755
NAT64: DNS64 is important
• The NAT64 translator is useful only if the traffic can come to it
• IP addresses of IPv6 packets must be formulated accordingly
• DNS64 provides conversion of an IPv4 address into an IPv6 address
• An AAAA record is made up from the A record (only if no upstream AAAA is present) using the IPv6 prefix of the NAT64 translator (e.g. 2001:DB8:ABCD::)
[Diagram: the IPv6-only host sends AAAA? to DNS64; DNS64 sends AAAA? and A? to the Internet simultaneously; the AAAA answer is empty, the A answer is 92.0.2.1, and DNS64 returns the synthesized 2001:DB8:ABCD::92.0.2.1, which routes to the NAT64]
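Added example (not Cisco's code) of the address synthesis DNS64 performs and the extraction a NAT64 does, covering all six RFC 6052 prefix lengths rather than only the /96 form in the diagram above (the stateless slide's "IPv4-translatable" source address is the same encoding). The DNS64 function implements the "only if no upstream AAAA" rule and the DNSSEC caveat for a validating stub. Prefixes are RFC 6052's own examples and documentation ranges; the DNS answers are constructed.

```python
"""RFC 6052 IPv4-embedded IPv6 addresses: what DNS64 synthesizes and what NAT64 reads back.

Added example, not Cisco's code. Prefix and address values are the RFC 6052 section 2.4
examples plus documentation ranges; the upstream DNS answers are constructed.
"""
import ipaddress
from typing import Dict, List, Optional

EMBED_LENGTHS = (32, 40, 48, 56, 64, 96)


def _split(prefixlen: int):
    """How many IPv4 bits land before the u octet (bits 64-71) and how many after it."""
    high = min(32, 64 - prefixlen)
    return high, 32 - high


def synthesize(prefix: str, ipv4: str) -> str:
    """Embed ipv4 in prefix per RFC 6052 section 2.2; bits 64-71 (the 'u' octet) stay zero."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen not in EMBED_LENGTHS:
        raise ValueError("RFC 6052 allows /32, /40, /48, /56, /64 or /96 only")
    base, v4 = int(net.network_address), int(ipaddress.IPv4Address(ipv4))
    if net.prefixlen == 96:
        return str(ipaddress.IPv6Address(base | v4))
    high_bits, low_bits = _split(net.prefixlen)
    out = base | ((v4 >> low_bits) << (128 - net.prefixlen - high_bits))
    out |= (v4 & ((1 << low_bits) - 1)) << (128 - 72 - low_bits)
    return str(ipaddress.IPv6Address(out))


def extract(prefix: str, ipv6: str) -> Optional[str]:
    """Inverse of synthesize: the IPv4 address a NAT64 forwards to, or None when the packet is
    not for this translator (other prefix) or carries a non-zero u octet (malformed)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    a = int(addr)
    if net.prefixlen == 96:
        return str(ipaddress.IPv4Address(a & 0xFFFFFFFF))
    if (a >> (128 - 72)) & 0xFF:
        return None
    high_bits, low_bits = _split(net.prefixlen)
    high = (a >> (128 - net.prefixlen - high_bits)) & ((1 << high_bits) - 1)
    low = (a >> (128 - 72 - low_bits)) & ((1 << low_bits) - 1)
    return str(ipaddress.IPv4Address((high << low_bits) | low))


def dns64_aaaa(records: Dict[str, List[str]], prefix: str, checking_disabled: bool = False) -> List[str]:
    """DNS64 (RFC 6147) answer for one name; records holds the upstream AAAA and A answers.
    Synthesis happens only when no real AAAA exists, and not for a validating stub that asked
    with CD set: it could not validate the synthetic record, so it must receive none."""
    if records.get("AAAA"):
        return records["AAAA"]
    if checking_disabled:
        return []
    return [synthesize(prefix, a) for a in records.get("A", [])]


# Constructed upstream answers for two names.
UPSTREAM = {
    "dual.example.": {"AAAA": ["2001:db8:abcd:2::80"], "A": ["203.0.113.80"]},
    "v4only.example.": {"AAAA": [], "A": ["192.0.2.33"]},
}

if __name__ == "__main__":
    pfx = "2001:db8:abcd::/96"                               # the translator prefix on the slides
    print(dns64_aaaa(UPSTREAM["dual.example."], pfx))        # real AAAA, untouched
    print(dns64_aaaa(UPSTREAM["v4only.example."], pfx))      # ['2001:db8:abcd::c000:221']
    print(extract(pfx, "2001:db8:abcd::c000:221"))            # 192.0.2.33
    print(synthesize("2001:db8:100::/40", "192.0.2.33"))     # 2001:db8:1c0:2:21::
```

The u-octet check in extract() is the cheap sanity test a translator can apply before creating state: an IPv6 destination with the right prefix but a non-zero u octet was not produced by a conforming DNS64.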
NAT64: Connecting an IPv6 network to the IPv4 Internet
[Diagram: IPv6-only clients in the operator's IPv6 network ("An IPv6 Network") with DNS64; an IPv6/IPv4 translator ("NAT64") between that network and the IPv4 Internet; the IPv6 Internet is reached natively]
Supported on ASR9K, ASR1K, CRS
DNS64 – Watch out
• Works for applications that do DNS queries
• http://www.example.com
• IMAP, connecting to XMPP servers, etc.
• Works with DNSSEC when the DNS64 resolver validates on the client's behalf; a validating stub resolver that queries with the CD bit set cannot validate a synthesized AAAA and will not get one (RFC 6147, section 3)
• Doesn't work for applications that don't do DNS queries or use IP address literals
• http://1.2.3.4
• SIP, RTSP, H.323, XMPP peer to peer, etc.
• Doesn't work well if an application-level proxy for IP address literals (HTTP proxy) is used
• Learn the NAT64 prefix: draft-ietf-behave-nat64-discovery-heuristic (published as RFC 7050)
• NAT46/BIH (Bump In the Host), RFC6535
• 464XLAT (RFC6877)
464XLAT = Stateless + Stateful, Better Together (RFC6877)
[Diagram: endpoint running stateless NAT46 (the CLAT) on an IPv6-only network; IPv6 traffic goes natively to the IPv6 Internet, IPv4 traffic is carried as IPv6 to a stateful NAT64 (the PLAT) in front of the IPv4 Internet]
• ~15% of applications break with IPv6 native or with NAT64
• Skype, among other interesting applications (more listed here*)
• 464 translation helps most of those IPv4-only applications
• Endpoint does "Stateless NAT46", network does "Stateful NAT64" only for IPv4 traffic
• Benefit: network provides only single-stack IPv6 connectivity to endpoints
• Supported by Android OS already
* http://tinyurl.com/nat64-breakage
NAT64 Scenarios
[Diagram: six NAT64 scenarios, each a pair drawn from IPv6 network, IPv4 network, IPv6 Internet and IPv4 Internet with the translator between them, numbered 1 to 6 and marked stateful or stateless. The IPv6-network-to-IPv4-Internet case is the one covered so far; the IPv4-to-IPv6-Internet case is marked "Not yet needed; no IPv6-only content"; the remaining cases are covered in the Additional Slides section.]
Port Forwarding
Why?
• Running a server permanently
• Slingbox (TCP/5001), Webcam (TCP/80) etc.
• Running a server temporarily
• During a VoIP call
Protocols:
• UPnP IGD 1.0, commonly available
• Does not support IPv6
• Enabled on ~20% of home CPE routers
• UPnP IGD 2.0, recently standardized
• Supports IPv6
• No support for NAT64 or NAT46
• NAT-PMP, Apple
IP Address Sharing: Operating a Server
• One port only goes to one subscriber
• Everybody wants TCP/80
[Diagram: several subscribers on private IPv4 behind one address-sharing device (CGN); an inbound TCP/80 (HTTP) connection from the IPv4 Internet can be forwarded to only one of them]
Port Control Protocol (PCP) RFC6887
• UPnP IGD 1.0 and 2.0 are unsuitable for CGN
• Multicast discovery, no support for NAT64, XML
• PCP is a new protocol, RFC6887
• Simple UDP request/responses, easy to parse
• PCP has two major functions:
1. Port forwarding
2. Reduce keepalive traffic (battery-operated devices: tablets, smartphones)
• PCP supports:
• IPv6 firewall, IPv4 firewall, NAT44, NAT64, NAT46, NPTv6 (NAT66, RFC6296)
• Home NAT and Carrier Grade NAT
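Added example (not Cisco's code) of a PCP MAP request and response on the wire per RFC 6887, with a constructed PCP server stub that applies the address check the protocol requires: the client address carried in the request header must equal the packet's source address, otherwise the server answers ADDRESS_MISMATCH and creates no mapping. Addresses, ports and the epoch value are constructed; the TCP/5001 internal port echoes the Slingbox case above.

```python
"""PCP (RFC 6887) MAP request/response on the wire, with the server-side address check.

Added example, not Cisco's code. The wire layout follows RFC 6887 sections 7.1, 7.2 and
11.1; pcp_server() is a constructed stub that models only the checks discussed here.
"""
import ipaddress
import os
import struct
from typing import Dict

PCP_VERSION = 2
OP_MAP = 1
PCP_PORT = 5351
RESULT = {0: "SUCCESS", 2: "NOT_AUTHORIZED", 3: "MALFORMED_REQUEST", 8: "NO_RESOURCES",
          9: "UNSUPP_PROTOCOL", 12: "ADDRESS_MISMATCH"}


def _ip16(addr: str) -> bytes:
    """PCP carries every address as 16 bytes; IPv4 goes as an IPv4-mapped IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + addr)
    return ip.packed


def _unip16(b: bytes) -> str:
    ip = ipaddress.IPv6Address(b)
    return str(ip.ipv4_mapped) if ip.ipv4_mapped else str(ip)


def build_map_request(client_ip: str, protocol: int, internal_port: int, lifetime: int,
                      nonce: bytes = b"", ext_port: int = 0, ext_ip: str = "::") -> bytes:
    """24-byte request header + 36-byte MAP opcode body = 60 bytes (a multiple of 4).
    lifetime 0 deletes the mapping; ext_port/ext_ip 0 let the server choose."""
    nonce = nonce or os.urandom(12)
    header = struct.pack("!BBHI16s", PCP_VERSION, OP_MAP, 0, lifetime, _ip16(client_ip))
    body = struct.pack("!12sB3xHH16s", nonce, protocol, internal_port, ext_port, _ip16(ext_ip))
    return header + body


def parse_map_response(data: bytes, expected_nonce: bytes) -> Dict:
    """Response header: version, R|opcode, reserved, result, lifetime, epoch, 12 reserved bytes."""
    if len(data) < 60 or data[0] != PCP_VERSION or data[1] != (0x80 | OP_MAP):
        raise ValueError("not a PCP v2 MAP response")
    _, _, _, result, lifetime, epoch = struct.unpack("!BBBBII", data[:12])
    nonce, proto, int_port, ext_port, ext_ip = struct.unpack("!12sB3xHH16s", data[24:60])
    if nonce != expected_nonce:
        raise ValueError("nonce mismatch: response is not for our request")
    return {"result": RESULT.get(result, result), "lifetime": lifetime, "epoch": epoch,
            "protocol": proto, "internal_port": int_port,
            "external_port": ext_port, "external_ip": _unip16(ext_ip)}


def pcp_server(request: bytes, src_ip: str, external_ip: str, next_port: int = 40000) -> bytes:
    """Constructed PCP server. Without a THIRD_PARTY option the client address in the header
    must equal the packet's source, else ADDRESS_MISMATCH: a host may only open ports for
    itself. Only TCP/UDP are accepted here; an assigned lifetime may be shorter than requested."""
    _, _, _, lifetime, client_ip = struct.unpack("!BBHI16s", request[:24])
    nonce, proto, int_port, sugg_port, _ = struct.unpack("!12sB3xHH16s", request[24:60])
    if _unip16(client_ip) != src_ip:
        result, lifetime, ext_port, ext_ip = 12, 0, 0, "::"
    elif proto not in (6, 17):
        result, lifetime, ext_port, ext_ip = 9, 0, 0, "::"
    else:
        result, ext_port, ext_ip = 0, (sugg_port or next_port), external_ip
        lifetime = min(lifetime, 86400)
    epoch = 1234                                     # constructed server uptime (seconds)
    header = struct.pack("!BBBBII12x", PCP_VERSION, 0x80 | OP_MAP, 0, result, lifetime, epoch)
    body = struct.pack("!12sB3xHH16s", nonce, proto, int_port, ext_port, _ip16(ext_ip))
    return header + body


def demo() -> Dict:
    nonce = bytes(range(12))                 # constructed; real clients use os.urandom(12)
    req = build_map_request("100.64.7.21", 6, 5001, 7200, nonce)
    ok = parse_map_response(pcp_server(req, "100.64.7.21", "203.0.113.5"), nonce)
    # Same request replayed from another subscriber's address: the header still says 100.64.7.21.
    spoofed = parse_map_response(pcp_server(req, "100.64.9.140", "203.0.113.5"), nonce)
    return {"request_len": len(req), "ok": ok, "spoofed": spoofed}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The nonce check in parse_map_response is what lets a client ignore stale or forged responses, and the epoch field is how it detects that the server lost state and its mappings must be renewed.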
PCP Deployment Models
• Host implements PCP
• Proxy UPnP IGD to PCP via the router's PCP server
[Diagram: customer premise router with a UPnP IGD interface towards the home and a PCP client towards the SP; PCP servers at the router and in the SP network]
Conclusion: Whatever you do …. Drive Safe…
Thank you