NPTV6 AND NAT64 FOR IPV6 ENVIRONMENT
Adrien Desportes ([email protected]), Juniper Systems Engineer
Copyright © 2011 Juniper Networks, Inc. | www.juniper.net
AGENDA
NPTv6: purpose and standardization status
NAT64: practical use case
WHAT IS NPTV6?
One-to-one translation between inside and outside addresses
§ No attempt to conserve outside address space
Algorithmic translation
§ Overwrite high-order bits
Stateless translation
Checksum neutral
No requirement for routing symmetry
By default, supports inbound connection requests
MOTIVATION FOR NPTV6
NPTv6 provides addressing independence for single homed sites
NPTv6 provides addressing independence for multi-homed sites without injecting provider independent addresses into the global routing system and causing excessive routing table growth
Presentation prepared with the help and courtesy of Ron Bonica, author of draft-bonica-v6-multihome-02, which updates Section 2.4 of RFC 6296
TOPOLOGY
[Figure: multi-homed site topology. Upstream Provider #1 is reached through PE #1 and Backup PE #1, Upstream Provider #2 through PE #2 and Backup PE #2; NPTv6 #1 and NPTv6 #2 sit between those PEs and the Internal Network. Address blocks labelled on the figure: PAB#1, PAB#2; CNB#1 (/64), CNB#2 (/64); SAB ULA…(/63); CAB#1 (/127), CAB#2 (/127).]
SITE NUMBERING
Hosts numbered from the lower half of the SAB normally receive inbound traffic from Upstream Provider #1
Hosts numbered from the higher half of the SAB normally receive inbound traffic from Upstream Provider #2
Selected hosts can receive inbound traffic from both Upstream Provider #1 and Upstream Provider #2
§ These hosts have multiple SAB addresses
§ At least one address is drawn from the lower half of the SAB
§ At least one address is drawn from the higher half of the SAB
TRANSLATION: STATELESS 1:1 NAT
Inbound
• If the 64 high-order bits of the destination address match the 64 high-order bits of CNB#1, overwrite those bits with the 64 bits that identify the lower half of the SAB
• Same if the 64 high-order bits match CNB#2
• Else silently discard
Outbound
• If the 64 high-order bits of the source address match the 64 bits that identify the lower half of the SAB, overwrite those bits with the 64 high-order bits of CNB#1
• Same if the 64 high-order bits match the higher half of the SAB
• Else silently discard
Same rules on both NPT devices
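The inbound and outbound rules above, worked through as an added example (not the deck's own code): Python that overwrites the 64 high-order bits for a ULA /63 SAB mapped onto two provider /64s (CNB#1 and CNB#2), silently discards anything that matches no rule, and applies the RFC 6296 checksum-neutral adjustment the "Checksum neutral" bullet on the earlier slide refers to. The prefixes are constructed, and the placement of the adjustment in the first IID word that is not 0xFFFF follows my reading of RFC 6296.

```python
import ipaddress

# Constructed prefixes (not the deck's): two provider-assigned /64 blocks
# (CNB#1, CNB#2) and a ULA /63 site address block (SAB) split into two halves.
CNB1 = ipaddress.IPv6Network("2001:db8:1:1::/64")
CNB2 = ipaddress.IPv6Network("2001:db8:2:2::/64")
SAB_LOW, SAB_HIGH = ipaddress.IPv6Network("fd00:1234:5678:aa00::/63").subnets(new_prefix=64)
INBOUND = {CNB1: SAB_LOW, CNB2: SAB_HIGH}    # outside /64 -> inside /64
OUTBOUND = {SAB_LOW: CNB1, SAB_HIGH: CNB2}   # inside /64 -> outside /64

def words(addr):
    """Eight 16-bit words of an address; word 0 is the high-order one."""
    return [(int(ipaddress.IPv6Address(addr)) >> (16 * (7 - i))) & 0xFFFF for i in range(8)]

def ones_sum(ws):
    """16-bit one's-complement sum with end-around carry; 0xFFFF (negative zero) is returned as 0."""
    s = sum(ws)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return 0 if s == 0xFFFF else s

def translate(addr, table):
    """Rewrite the /64 prefix per the matching rule; None means silently discard."""
    addr = ipaddress.IPv6Address(addr)
    match = next((net for net in table if addr in net), None)
    if match is None:
        return None
    old = words(addr)
    new = words(table[match].network_address)[:4] + old[4:]   # every rule here is a /64
    # Checksum neutrality (RFC 6296): swapping the prefix changes the address's
    # one's-complement sum by (new - old), so (old - new) is added into one IID word
    # and the transport pseudo-header sum is unchanged. A word that is already
    # 0xFFFF is skipped so the reverse direction recovers it exactly; if every IID
    # word is 0xFFFF there is nowhere to put the adjustment and the packet is dropped.
    adj = ones_sum([ones_sum(old[:4]), ~ones_sum(new[:4]) & 0xFFFF])
    for i in range(4, 8):
        if new[i] != 0xFFFF:
            new[i] = ones_sum([new[i], adj])
            break
    else:
        return None
    return ipaddress.IPv6Address(sum(w << (16 * (7 - i)) for i, w in enumerate(new)))

def inbound(dst):   # packet arriving from a provider: rewrite the destination
    return translate(dst, INBOUND)

def outbound(src):  # packet leaving the site: rewrite the source
    return translate(src, OUTBOUND)
```

Running both directions on one host address shows the round trip is exact and that the adjusted word lands back on 0x0000 rather than 0xFFFF, which is why the negative-zero fold in ones_sum matters.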
ROUTING
[Figure: routing. The multi-homed site has two NPTv6 gateways: NPTv6 #1 faces ISP #1 (PE #1, Backup PE #1) and NPTv6 #2 faces ISP #2 (PE #2, Backup PE #2). Each NPTv6 outside interface runs multi-hop EBGP towards its ISP; the ASBR role is marked on the figure.]
Two default routes circulate within the site (inside interface of NPTv6 #1 and inside interface of NPTv6 #2)
ROUTING
[Figure: routing, same topology as the previous slide (ISP #1 with PE #1 and Backup PE #1, ISP #2 with PE #2 and Backup PE #2, NPTv6 #1 and NPTv6 #2 with their outside interfaces, multi-hop EBGP, ASBR). Annotations: "Advertise CNB#1, next-hop self, high pref" on one EBGP session and "Advertise CNB#1, next-hop self, low pref" on the other; two iBGP sessions; "Advertise PAB#1".]
RECOVERY
[Figure: recovery, same topology (ISP #1 with PE #1 and Backup PE #1, ISP #2 with PE #2, NPTv6 #1 and NPTv6 #2 with their outside interfaces, ASBR), with a dynamic GRE tunnel ("Dyn GRE Tunnel") drawn at PE #2. Annotations: "Advertise CNB#1, next-hop self, low pref"; iBGP; "Advertise PAB#1".]
LOAD BALANCING
Outbound
§ Controlled by site
§ Traffic can exit through either NPTv6 gateway
Inbound: connections originating within the site
§ Originating host selects one of its source addresses
§ Selected address determines the path of return traffic
Inbound: connections originating outside of the site
§ Originating host selects one of the addresses advertised in DNS
§ Selected address determines the traffic path
CONCLUSION
Targets SMEs that want to achieve multi-homing with the following architectural goals:
§ Redundancy
§ Transport-layer survivability
§ Load balancing
§ Address independence
§ Prevent excessive growth of global routing tables
AGENDA
NPTv6: purpose and standardization status
NAT64: practical use case
CLOUD TRANSLATOR ARCHITECTURE
[Figure: IPv6 clients reach the IPv4 address of www.example.com through a cloud translator (NAT 64) sitting between the IPv6 and IPv4 sides; DNS returns an AAAA record (2001:…) for www.example.com.]
LAB TOPOLOGY – NAT64
[Figure: NAT64 lab topology. Elements: Host IPv6; ISP v6 Global Public Network; DNS64; NAT64; Web Content v4 at x.x.x.x. Addressing shown: 2001:db8:0200:0001::/64 on the IPv6 side, 2001:db8:0200:0002::/96 as the NAT64 prefix, 10.1.1.2/30 and 10.2.1.0/24 on the IPv4 side.]
{master}[edit interfaces]
[email protected]# show ge-5/0/0.0
family inet;
family inet6 {
    service {
        input {
            service-set NAT64_npu1 service-filter NAT64_only;
        }
        output {
            service-set NAT64_npu1 service-filter NAT64_only;
        }
    }
    address 2001:db8:0200:0001::1/64;
}
{master}[edit services]
[email protected]# show service-set NAT64_npu1
syslog {
    host local {
        class {
            nat-logs;
        }
    }
}
nat-rules NAT64_npu1;
interface-service {
    service-interface sp-1/0/0.0;
}
{master}[edit interfaces]
[email protected]# show sp-1/0/0.0
family inet;
family inet6;
{master}[edit services nat]
[email protected]# show
pool NAT64_npu1 {
    address-range low 10.2.1.1 high 10.2.1.250;
    port {
        automatic;
    }
}
rule NAT64_npu1 {
    match-direction input;
    term 1 {
        from {
            destination-address {
                2001:db8:0200:0002::/96;
            }
        }
        then {
            translated {
                source-pool NAT64_npu1;
                destination-prefix 2001:db8:0200:0002::/96;
                translation-type {
                    stateful-nat64;
                }
            }
        }
    }
}
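How the /96 prefix in this rule ties the cloud translator slide's DNS64 answer to NAT64 matching, as an added example that is not part of the deck: the resolver embeds the IPv4 address of www.example.com into 2001:db8:0200:0002::/96 (the /96 embedding of RFC 6052), and the translator recovers it from any destination the rule's destination-address term matches. The IPv4 server address 192.0.2.80 is constructed, since the slide only shows x.x.x.x.

```python
import ipaddress

# The deck's NAT64 prefix; the IPv4 web server is "x.x.x.x" on the slide, so a
# documentation address is constructed here in its place.
NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:0200:0002::/96")
WEB_V4 = ipaddress.IPv4Address("192.0.2.80")   # constructed

def synthesize(v4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052 /96 form)."""
    if prefix.prefixlen != 96:
        raise ValueError("this lab only uses a /96 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))

def extract(v6, prefix=NAT64_PREFIX):
    """NAT64 side: recover the IPv4 destination, or None when the rule's
    destination-address term (2001:db8:0200:0002::/96) would not match."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

def dns64_answer(a_records, aaaa_records):
    """What a DNS64 resolver returns to an IPv6-only client: the real AAAA records
    if any exist, otherwise one synthesized AAAA per A record."""
    if aaaa_records:
        return [ipaddress.IPv6Address(r) for r in aaaa_records]
    return [synthesize(r) for r in a_records]
```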
LOG OPTIMIZATION TECHNIQUES
By default, 2 logs are generated when a v6 user accesses v4 through NAT64
Optimization with the use of:
§ PBA (one log per port group)
§ Deterministic (no log at all)
§ XFF