IPv4 Exhaustion: NAT and Transition to IPv6 for Service...

IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers

Rajiv Asati, Distinguished Engineer, Cisco

Yenu Gobena, Distinguished Services Engineer, Cisco

BRKSPG-2602

Agenda

• Goal of Transition Technologies

• Overview of Transition Technologies

• Dual Stack and Happy Eyeballs

• CGN, Dual-Stack Lite, 6rd, MAP

• IPv4 Address Sharing - Impact

• NAT64 for IPv6-only networks

• Port Control Protocol

• Conclusion

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

IPv4 – ClassicBut spare parts have run out

BRKSPG-2602 3


IPv6 – Next gen Super VehicleGetting to full parity and end-end use takes time

Caution:

New road

may be

needed

BRKSPG-2602 4


Transition TechnologiesDriving your classic IPv4 (or next gen IPv6) around

BRKSPG-2602 5


Abstract

• To continue adding subscribers after IPv4 exhaustion, service providers will need to use NAT while also deploying IPv6.

• This talk discusses few transition mechanisms for Service Providers, including MAP (Mapping of Address and Port), 464XLAT, DS-Lite and CGN 44 and 64.

• 6rd is included for reference as well.

• This session is for Service Providers.

BRKSPG-2602 6


IPv6-Related SessionsSession Title

TECSPM-2001 IPv6 LTE/EPC Design and Deployment

BRKRST-2301 Enterprise IPv6 Deployment

BRKRST-2311 IPv6 Planning, Deployment and Operation Considerations

BRKSPG-2603 How to Securely Operate an IPv6 Network

BRKSEC-2003 IPv6 Security Threats and Mitigations

BRKSEC-3003 Advanced IPv6 Security: Securing Link Operations at First Hop

BRKRST-2044 Enterprise Multi-Homed Internet Edge Architectures

PNLCRS-2303 Experiences with Deploying IPv6

LTRRST-1301, LTRSEC-3033 IPv6 Hands-on Lab, IPv6 Network Threat Defense, Countermeasures and Controls

BRKSPG-2602 IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers

COCRST-2355 Inside Cisco IT: Making the Leap to IPv6

BRKCRT-9344 IPv6 for Cert Nuts

BRKEWN-2010 Design and Deployment of Enterprise WLANs

BRKRST-2304 Hitchhiker’s Guide to Troubleshooting IPv6

BRKSPG-2606 MAP - Let's Solve IPv4 Address Exhaustion without Stateful CGN

BRKSPG-2607 IPv6 Deployment Best Practices for the Access Network

BRKSPG-3300 Service Provider IPv6 Deployment

BRKSPG-2903 Network Services in IOS-XR

Search Session Builder: “ipv6”

BRKSPG-2602 7


Recommended Approach for IPv6

• Dual-Stack all the to the hosts• Dual-stack on Hosts

• Windows, OSX, iOS, Android, Linux, BSD

• Dual-Stack in Network

• But…• IPv4 exhaustion is underway

• Every host can NOT be assigned an IPv4 address

• Two protocol stacks to be managed in network

Dual-Stack Deployment (per IETF RFC 4213)

IPv4+IPv6 Hosts (Dual Stack)

IPv4+IPv6

Network

BRKSPG-2602 8

Note: RFC7755 suggests Single-stack IPv6 for DC



• Dual-Stack to the hosts• ~100% of Mobile hosts and ~90% of Desktop hosts now support it (..go away WinXP..)

Dual-Stack Deployment (per IETF RFC 4213), since 2005

Source – Desktop Operating System, Netmarketshare, June 2016

BRKSPG-2602 9

Source – Mobile Operating System, Netmarketshare, June 2016



• Dual-Stack to the hosts

• Hosts support dual stack• Windows, OSX, iOS, Linux

Dual-Stack Deployment (RFC 4213)

Source – The Next Web, Sept 2015

BRKSPG-2602 10


IPv4 Address Depletion Causes Impact differently

• The ISP Impact:

• Lack of IPv4 addresses for users

• Harder to grow the business

• The user Impact (explicit or implicit):

• IP reputation (more on this later)• IPv4 address sharing

• Breaks applications

• Complicates operating servers

• Limits UDP/TCP ports per user

• IPv6 enabled services are catching up

BRKSPG-2602 11


Translation (NAT)

• Share IPv4 addresses

• Well understood

• “Lossy”

• Not true end-end

Dual Stack

• Easiest to deploy

• Requires IPv4 addresses

Tunneling (Encapsulation)

• Encapsulate v6 traffic in v4

packets (and vice versa)

• Routing can be sub-optimal

• Extra overhead and traffic

classification dillemmas

…tunnel where you need

to…“Dual stack when you can… …translate when you must.”

IPv6 Deployment Options: Guideline

BRKSPG-2602 12


Transition Technologies

• How do we migrate from IPv4 to IPv6?

• Short term1: can’t enable IPv6 immediately, need more IPv4 (or share IPv4)

• Short term2: enable IPv6 immediately, need more IPv4 (or share IPv4)

• Long term: simple network, single protocol – IPv6

• What does this really mean?

• IPv6 to co-exist with IPv4

• IPv4 address sharing to become wide-spread

• IPv6 to interoperate with IPv4

Transition technologies help with IPv4 to IPv6

migration

BRKSPG-2602 13

Agenda




• CGN, Dual-Stack Lite, 6rd, 6rd, MAP




• Conclusion


IPv4->IPv6 Transition Technologies in One Slide

IPv4

Address

Run-Out

IPv4

IPv66rd

CGN

+

6rd

Dual

StackCGN

+

DS-

Lite

Obtain IPv4 Addresses

MAP

CGN

IPv4 Address Sharing

BRKSPG-2602 15



IPv4

Address

Run-Out

IPv66rd

6rd

+

CGN

Dual

StackDual

Stack

LiteMAP

CGN



IPv4

BRKSPG-2602 16



• Obtain IPv4 addresses from RIR or open market

• RIR: request IPv4 addresses. There are still a few addresses available!

• Open market: USD $10-$20 per IPv4 address

• Advantages:

• No CGN, no address sharing, no operational changes

• Disadvantages:

• If business growing, delaying the inevitable

• Geo-location needs to be updated (mileage varies)

• Deploy IPv6, too!

BRKSPG-2602 17


Transition TechnologiesSummary

CPE

Changes

needed

Access

network

Tunnel or

translate?

In-network

state?

Arbitrary

addressing?

1 Dual-Stack Yes|No IPv4+IPv6 -NA- -NA- Yes

2 CGN No IPv4 Translate Yes (CGN) Yes

3 DS-Lite Yes IPv6 Both Yes (CGN) Yes

4 6rd Yes IPv4 Tunnel No No

5 6rd + CGN Yes IPv4 Both Yes (CGN) No

6 MAP Yes IPv6MAP-T: translate

MAP-E: tunnelNo Yes*

*allows both arbitrary and algorithmic mapping

BRKSPG-2602 18

Agenda








• Conclusion


1. Dual Stack Host Gets both IPv4 and IPv6 Addresses

IPv4

Address

Run-Out

Dual

Stack

Lite

CGN

6rd

6rd

+

CGNMAP

IPv4 Address SharingIPv4

IPv6

Dual

Stack


BRKSPG-2602 21


1. Dual StackThe Plan

• Dual Stack has been “the plan” for IPv6 migration since ... Forever

• The Plan:

• Clients get IPv6 & IPv4 addresses

• Servers get IPv6 & IPv4 addresses

• Networks enabled with both IPv4 and IPv6

• IPv6 is likely preferred

Drive both cars

BRKSPG-2602 22


1. Dual StackThe Reality

• Reality: More and more IPv4 address sharing (NAT, MAP)

• Covered in co-existence section later on.

• Hosts should prefer IPv6 to IPv4

• Generally necessary to get IPv6 on the network

• Without this preference, IPv4 would persist until IPv4 is turned off

• But what if IPv6 is broken? Overloaded???

• IPv6 peering is down ...

• Tunnel is down ...

• (Microsoft IPv6 NCSI is down.... More on that in a few slides)

IPv6 Road

BRKSPG-2602 23


1. Dual StackDo I use IPv6 or IPv4 ?

• Dual-stack client connecting to dual-stack server

• IPv6 is preferred by default (RFC6724)

• If IPv6 is slower, then users blame IPv6 and may disable IPv6!

• IPv6 better not be slower than IPv4

• Who can guarantee that !

• What if IPv6 is broken altogether?

• What if IPv6 is broken to few websites?

BRKSPG-2602 24


1. Dual StackProblem: IPv6 is Broken to a certain website?

BRKSPG-2602 25


1. Dual StackSolution – Happy Eyeballs (RFC6555)

BRKSPG-2602 26

Note: Slight Preference is given to IPv6 connection


1. Dual StackSolution – Happy Eyeballs Optimization (RFC6555)

BRKSPG-2602 27


1. Dual-StackHappy Eyeballs (RFC6555)

• Users are happy

• Aimed initially at web browsing

• Web browsing is the most common application

• Fast response even if IPv6 (or IPv4) path is down

• Network administrators are happy

• Users no longer trying to disable IPv6

• Reduces IPv4 usage (reduces load on CGN)

• Content providers are happy

• Improved geolocation and DoS visibility with IPv6

BRKSPG-2602 28

Source: http://seclists.org/nanog/2016/Jun/809


1. Dual-StackHappy Eyeballs Implementations

• Google Chrome and Mozilla Firefox: Yes

• Utilizes long-established 250-300ms ‘backup’ thread

• Follows getaddrinfo() address preference

• Apple Safari, iOS*, OSX* : Yes

• DNS AAAA sent before A query on the wire

• If AAAA reply comes first, then v6 SYN sent immediately

• If A reply comes before 25ms of AAA reply, then v4 SYN sent

• Else, Heuristics based Address selection algorithm is applied

• Microsoft Windows OS and Internet Explorer : NO

• Not even something like happy eyeballs

• Cisco WebEx : Yes

RFC6555 Compliant

* http://lists.apple.com/archives/Ipv6-dev/2011/Jul/msg00009.html

* https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html

BRKSPG-2602 29

http://lists.apple.com/archives/Ipv6-dev/2011/Jul/msg00009.html

https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html


1. Dual-StackHappy Eyeballs Implementations (contd.)

• On Windows OS, IPv6 experience may also get worse

• Network Connectivity Status Indicator (NCSI) checks IPv6 connectivity (HTTP with http://ipv6.msftncsi.com/ncsi.txt)

• If NCSI works, IPv6 is enabled

• If NCSI fails, IPv6 is de-prioritized to IPv4 (specific IPv6 routes can be prioritized)

Weird…huh !

NCSI IPv6 works, but status shows it doesn’t.

BRKSPG-2602 30

Agenda




• CGN, DS-Lite, 6rd, MAP




• Conclusion


Carrier Grade NAT (CGN)

IPv4

Address

Run-Out

IPv66rd

6rd

+

CGN

Dual

StackDual

Stack

Lite


MAP

IPv4IPv4 Address Sharing

CGN

Note - CGN is also known as LSN

BRKSPG-2602 32


CGN

• Carrier Grade Network Address Translation

• Address and Port Translator (NAPT), really

• Like the common residential NAT (Linksys, etc.)

• Using RFC5389 terminology: Mapping independent non filtering (EIM and EIF)

• Bigger (e.g. large scale)

• Port Logging (e.g. syslog, netflow v9)

• Per-user port limit

• Shared IPv4 space : 100.64.0.0/10 instead of private IPv4 space is an option

BRKSPG-2602 33


CGNPrivate IPv4 Moves into SP

Stateful NAT function

inside SP network

Supported on ASR9K,

ASR1K, CRS

BRKSPG-2602 34


CGN

• Nicknamed NAT444 = NAT44 in home, NAT44 in ISP

• Advantages:

1. Very well known technology

2. No dependency on CPE router

• Disadvantages:

1. Port Forwarding

2. Certain Applications may not work

3. Logging

4. Network/Routing Design Headache

5. IPv4 address sharing efficiency

See BRKSPG-3334 from CiscoLive2014 for more details

Supported on ASR9K,

ASR1K, CRS

BRKSPG-2602 35


CGNALG, Logging

IPv4

Address

Run-Out6rd

Dual

Stack



CGN

IPv6

6rd

+

CGN

DS-

Lite

ALG, Logging etc. issues

applicable to all these

solutions relying on CGN

BRKSPG-2602 36


Carrier Grade NATApplication Layer Gateway (ALG)

• ALG = Application awareness inside the NAT:

• modify IP addresses and ports in application payload

• creates NAT mapping

• Each application requires a separate ALG

• FTP, SIP, RTSP, RealAudio, …

• ALG needs to understand application nuances

• ALG requires:

• Un-encrypted signaling (!!)

• Restricted network topology

• Summary: ALG prevents application evolution and introduces bugs

BRKSPG-2602 37


Carrier Grade NATModern Applications Avoid Relying on ALG

• Successful applications have to work everywhere• Coffee shop, home, work, hotel,

airport, 3G

• FTP Passive Mode

• ICE (RFC5245) and STUN (RFC5389)• Intelligence in endpoint

• Useful for offer/answer protocols (SIP, XMPP)

• RTSPv1 abandoned on the desktop• effectively replaced with Flash over HTTP, and

soon HTML5

• RTSPv2 has ICE-like solution

• Skype does its own NAT traversal

• Linksys disabled SIP ALGs around 2006• Because of bugs and incompatibilities with SIP

endpoints

Reference

BRKSPG-2602 38


• Debugging / Troubleshooting Problems

•SIP from vendor X works, but vendor Y breaks:1. Vendor Y violated standard?

2. Vendor X has special sauce??

3. ALG is broken???

• Delays

•Months for vendor turn-around for patches

•Months for SP testing/qualification/upgrade window

• ALG can break competitor’s over-the-top application (e.g., SIP, streaming video)

•Regulators frown on interference

Meanwhile:

unhappy

users

Carrier Grade NATALG related Operational Issues


Reference

BRKSPG-2602 39


Carrier Grade NATLogging Source Port

• Stateful NAT requires logging (NAT44, NAT64, DS-Lite AFTR,…)

• NAT mappings are temporary (similar to DHCP-assigned addresses)

• Logging each NAT mapping creates large logs!

• Bulk port allocation (BPA) reduces logging, at the expense of reduced efficiency of IPv4 address sharing

• Bulk size of N ports, logs reduced by 1/N

• Acceptable compromise !!!

• Recommended

Supported on ASR9K,

ASR1K, CRS

Reference

BRKSPG-2602 40



Carrier Grade NATLogging Destination

• Server Log combined with CGN log identifies subscribers

• Timestamp (new)

• Source IP address, source port (new), destination IP address, destination port

• RFC6302

• Some servers don’t log source port, or don’t have good timestamp

• Tempting to log destination IP (and port) at CGN

• Consider privacy and legal issues

• Incompatible with bulk port allocation, increases logging costs

• Not recommended

Supported on ASR9K,

ASR1K, CRS

Reference

BRKSPG-2602 41



DS-Lite

IPv4

Address

Run-Out6rd

6rd

+

CGN

Dual

Stack


MAP

CGN

DS

Stac

k

Lite


IPv6

Note: DS-Lite requires CGNBRKSPG-2602 42


DS-Lite: IPv4 over IPv6 Access

Stateful NAT function

(on routers) inside SP

network

IPv4-over-IPv6

tunnels

Supported on ASR9K,

ASR1K, CRS

BRKSPG-2602 43


DS-Lite

• Requires IPv6 access network

• Tunnels subscriber IPv4 traffic to a CGN device

• Uses Carrier-Grade NAT (CGN)

• Requires CPE router support

• RFC6333

• MTU – Watch out !!

BRKSPG-2602 44


• Advantages:

• Leverages IPv6 in the network

• Disadvantages:

• Dependency on CPE router

• NAT disabled on CPE router

• Content Caching function may break

• DPI function may break

• QoS function may break

• All disadvantages of CGN also apply

DS-Lite

BRKSPG-2602 45


6rd and 6rd with CGN

IPv4

Address

Run-Out

Dual

StackDual

Stack

Lite


MAP

CGN

IPv4

IPv66rd

6rd

+

CGN


Reference

BRKSPG-2602 46


6rd - IPv6 over (Public) IPv4

IPv6 Moves out to Subscribers

IPv6-over-IPv4 tunnels

Stateless Tunneling function

(on routers) inside SP

network

Native Dual-Stack at Home

Supported on ASR9K,

ASR1K, CRS

Reference

BRKSPG-2602 47


6rd + CGN = IPv6 over (Private) IPv4

IPv6 Moves out to Subscribers

Private IPv4 move into SP*IPv6-over-IPv4 tunnels

Stateless Tunneling function

(on routers)

Stateful NAT function (on

routers) inside SP network*

* Assuming RFC1918 usage

Supported on ASR9K,

ASR1K, CRS

Reference

BRKSPG-2602 48


IPv4 + IPv6

IPv4 + IPv6

IPv4 + IPv6

6rdIPv6 tunneled over IPv4 access network

• Native dual-stack IP service to the Subscriber

• Simple, stateless, automatic IPv6-in-IPv4 encapsulation and decapsulation

• IPv6 traffic automatically follows IPv4 Routing

• 6rd Border Relays placed at IPv6 edge

IPv4

Dual Stack

Native or

6PE Core

6rd

BR

“One line” global

config for IPv6

Gateway

Subscriber IPv6 prefix

derived from IPv4 address

6rd

CE

Supported on ASR9K,

ASR1K, CRS

Reference

BRKSPG-2602 49


MAP (Mapping of Address and Port)

IPv4

Address

Run-Out6rd

6rd

+

CGN

Dual

StackDual

Stack

Lite


CGN

IPv4

IPv6

MAP


See BRKSPG-3820 for detailed MAP discussion

BRKSPG-2602 50


MAP (Mapping of Address and Port)

• Allows sharing of IPv4 address across an IPv6 network

• Each shared IPv4 end-point gets a unique TCP/UDP port-range via “rules”

• All or part of IPv4 address can be derived from IPv6 prefix (allows for route summarization)

• Need to allocate UDP/TCP port range(s) to each CPE

• Stateless Border Relays in SP network

• Can be implemented in hardware (superior performance)

• Can use anycast, can have asymmetric routing

• No single point of failure, no need for high availability hardware

Supported on ASR9K,

ASR1K, CRS

BRKSPG-2602 51


MAP-E : Stateless 464 Encapsulation

IPv4-over-IPv6

Stateless Tunneling function (on

routers)

- No CGN-

Supported on ASR9K,

BRKSPG-2602 52


MAP-T : Stateless 464 Translation

Stateless 64 translation function

(on routers)

- No CGN -

Native IPv6

Supported on ASR9K,

ASR1K

BRKSPG-2602 53


MAP

• MAP is standardized at the IETF (in RFC editor queue)

• https://tools.ietf.org/html/draft-ietf-softwire-map/

• Advantages:

• Leverages IPv6 in the network

• No CGN inside SP network

• No need for Logging

• No need for ALGs

• Disadvantages:

• Dependency on CPE router

BRKSPG-2602 54


MAP Addressing Toolhttp://map46.cisco.com/

BRKSPG-2602 55

http://map46.cisco.com/

Agenda




• CGN, Dual-Stack Lite, 6rd, MAP




• Conclusion


IPv4 Address SharingLet’s get dirty …

IPv4

Address

Run-Out6rd

Dual

Stack



CGN

IPv6

6rd

+

CGN

DS-

Lite MAP

BRKSPG-2602 57


IP Address Sharing: IP Reputation (1/2)

• Reputation based on IPv4 address• Shared IP address = shared suffering

• Workaround: Distinguish subscribers (sharing IP address, or not sharing)• draft-ietf-intarea-nat-reveal-analysis

• draft-wing-nat-reveal-option

• Server logs currently only contain IPv4 address• Servers logs need to include source port number, recommended by RFC6302

• Best Solution – have users and content providers use IPv6!

BRKSPG-2602 58


IP Address Sharing: IP Reputation (2/2)

• Affects NATs, as everyone knows• NAT44 (CGN44): a big NAT operated by an ISP (“carrier”), enterprise, or University

• NAT444 (subscriber’s NAT44 + ISP’s CGN44)

• NAT64 (CGN64)

• DS-Lite (called “AFTR” = Modified CGN44)

• Also affects non-CGN architectures!• MAP (Mapped Address and Port)

• Conceptually, a CGN with (some) fixed ports

• Address + Port, SD-NAT, Deterministic NAT

BRKSPG-2602 59


IP Address Sharing: IP ReputationCGN

Image source: Jason Fesler, Yahoo!BRKSPG-2602 60

Agenda








• Conclusion


NAT64 Introduction

• Translate between IPv6 and IPv4

IPv4IPv6

IPv4-only devicesIPv6-only devices

NAT64

BRKSPG-2602 62


NAT64

Stateless or Stateful NAT64

function (on routers)

Supported on ASR9K,

ASR1K, CRS

BRKSPG-2602 63


NAT64

LSN64

NAT

NAT64

LSN64

NATNAT

NAT64 – Stateful

IPv6

IPv6

Endpoint

2001:db8:abcd:2::1

2001:DB8:ABCD::/64

announced in

IPv6 Routing domain

(203.0/24)

announced in

IPv4 Routing domain• NAT keeps binding state between inner IPv6 address and outer IPv4+port

• DNS64 needed

•Application dependent/ALGs may be required

2001:db8:abcd:2::1

IPv6 Header

Src Addr

DestAddr 2001:DB8:ABCD:<92.0.2.1>

IPv4

Endpoint

92.0.2.1

203.0.113.1

IPv4 Header

Src

Addr

Dest

Addr92.0.2.1

Host can be

assigned with any

IPv6 address (no

particular format)

Stateful

Supported on ASR9K,

ASR1K, CRS

BRKSPG-2602 64


NAT64

LSN64

NAT

NAT64

LSN64

NATNAT

NAT64 – Stateless

IPv6

IPv6

Endpoint

2001:db8:<203.0.114.1>::

2001:DB8:ABCD::/64

announced in

IPv6 Routing domain

(203.0/24)

announced in

IPv4 Routing domain• No NAT binding state; IPv6 <-> IPv4

mapping computed algorithmically

• DNS64 needed

• Application dependent ALGs might be required

2001:db8:<203.0.114.1>::

IPv6 Header

Src Addr

DestAddr 2001:DB8::<92.0.2.1>::

IPv4

Endpoint

92.0.2.1

203.0.114.1

IPv4 Header

Src

Addr

Dest

Addr92.0.2.1

Host must be

assigned an “IPv4

Translatable” IPv6

address

Stateless

Supported on ASR9K,

ASR1K, CRS

BRKSPG-2602 65


NAT64 – Stateful vs. Stateless

Stateless

• 1:1 translation

• “NAT”

• Any protocol

• No IPv4 address savings• Just like dual-stack

• MAP however does save IPv4 addresses by combining NAT46 with NAT44

Stateful

• 1:N translation

• “NAPT”

• TCP, UDP, ICMP

• Shares IPv4 addresses

Note : IPv6-only DC using Stateless 64 : RFC7755

BRKSPG-2602 66


NAT64DNS64 is important• NAT64 translator is useful only if the traffic can come to it

• IP addresses of IPv6 packets must be formulated accordingly

• DNS64 provides conversion of an IPv4 address into an IPv6 address

• AAAA record is made up from A record (only if upstream AAAA not present) using IPv6 prefix of NAT64 translator (e.g. 2001:DB8:ABCD::)

Internet

AAAA?IPv6-only host

AAAA?

Empty answer

A?

92.0.2.12001:DB8:ABCD::92.0.2.1

(sent simultaneously)

DNS64 NAT64

BRKSPG-2602 67


NAT64Connecting an IPv6 network to the IPv4 Internet

IPv6/IPv4

Translator

(“NAT64”)

IPv6-only clients

IPv4

Internet

DNS64

IPv6

Internet

Operator’s IPv6 network

(“An IPv6 Network”)

Internet

Supported on ASR9K,

ASR1K, CRS

BRKSPG-2602 68


DNS64 – Watch out

• Works for applications that do DNS queries

•http://www.example.com

•IMAP, connecting to XMPP servers, etc.

• Works with DNSSEC

• Doesn’t work for applications that don’t do DNS queries or use IP address literals

• http://1.2.3.4

• SIP, RTSP, H.323, XMPP peer to peer, etc.

• Doesn’t work well if Application-level proxy for IP address literals (HTTP proxy) is used

• Learn NAT64’s prefix, draft-ietf-behave-nat64-discovery-heuristic

• NAT46/BIH (Bump In the Host), RFC6535

• 464XLAT (RFC6877)

BRKSPG-2602 69


IPv6

Network

464XLAT = Stateless + Stateful Better Together RFC6877

• ~15% of applications break with IPv6 native or with NAT64

• Skype, among other interesting applications (more listed here*)

• 464 translation helps most of those IPv4 only applications

• Endpoint does “Stateless NAT46”, network does “Stateful NAT64” only for IPv4 traffic

• Benefit: Network Provides only single-stack IPv6 connectivity to Endpoints

• Supported by Android OS already

Stateful

NAT64IPv4 Internet

Endpoint

BRKSPG-2602 70

* http://tinyurl.com/nat64-breakage

Stateless

NAT46

IPv6 Internet

http://tinyurl.com/nat64-breakage


IPv6Internet

IPv4Internet

IPv4Network

IPv6Network

IPv4Network

IPv6Internet

IPv4Internet

IPv6Network

IPv4Network

IPv6Network

IPv4Network

IPv6Network

1.

2.

3.

4.

5.

6.

stateful stateless

Not yet needed; no IPv6-only content

NAT64 Scenarios

Covered so far

Covered

in

Additional

Slides

Section

BRKSPG-2602 71

Agenda








• Conclusion


Port Forwarding

Why ?

• Running a server permanently

• Slingbox (TCP/5001), Webcam (TCP/80) etc.

• Running a server temporarily

• During a VoIP call

Protocols =

• UPnP IGD 1.0, commonly available

• Does not support IPv6.

• Enabled on ~20% of home CPE routers

• UPnP IGD 2.0, recently standardized

• Supports IPv6.

• No support for NAT64 or NAT46

• NAT-PMP, Apple

BRKSPG-2602 73


IP Address Sharing: Operating a Server• One port only goes to one subscriber

• Everybody wants TCP/80

Address

Sharing device

(CGN)

IPv4

Internet

IPv4private

TCP/80

(HTTP)

BRKSPG-2602 74


Port Control Protocol (PCP) RFC6887

• UPnP IGD 1.0 and 2.0 are unsuitable for CGN

• Multicast discovery, no support for NAT64, XML

• PCP is a new protocol, RFC6887

• Simple UDP request/responses, easy to parse

• PCP has two major functions:

1. Port forwarding

2. Reduce keepalive traffic (battery-operated devices: tablets, smartphones)

• PCP Supports:

• IPv6 firewall, IPv4 firewall, NAT44, NAT64, NAT46, NPTv6 (NAT66), RFC6296

• Home NAT and Carrier Grade NAT

BRKSPG-2602 75


PCP Deployment Models• Host implements PCP

• Proxy UPnP IGD to PCP via Router PCP Server

Customer

Premise

RouterUPnP IGD

PCP

Client

PCP Server

PCP Server

PCP Server

BRKSPG-2602 76

Agenda








• Conclusion


ConclusionWhatever you do …. Drive Safe…

BRKSPG-2602 78


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.

BRKSPG-2602 79

CiscoLive.com/Online

http://ciscolive.com/Online

http://ciscolive.com/Online

http://ciscolive.com/us

http://ciscolive.com/us


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions

BRKSPG-2602 80

Please join us for the Service Provider Innovation Talk featuring:

Yvette Kanouff | Senior Vice President and General Manager, SP Business

Joe Cozzolino | Senior Vice President, Cisco Services

Thursday, July 14th, 2016

11:30 am - 12:30 pm, In the Oceanside A room

What to expect from this innovation talk

• Insights on market trends and forecasts

• Preview of key technologies and capabilities

• Innovative demonstrations of the latest and greatest products

• Better understanding of how Cisco can help you succeed

Register to attend the session live now or

watch the broadcast on cisco.com

Thank you

IPv4 Exhaustion: NAT and Transition to IPv6 for Service...

Documents

Transcript of IPv4 Exhaustion: NAT and Transition to IPv6 for Service...