IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers

Transcription

1

2 BRKSPG-2602 IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers Rajiv Asati, Distinguished Engineer, Cisco

3 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#brkspg Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Hmmm..CGNAT issue or something else?

5 IPv4 Classic But spare parts have run out BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 5

6 IPv6 Next Gen Getting to full parity and end-end use takes time Caution: New road may be needed BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 Transition Technologies Driving your classic IPv4 (or next gen IPv6) around BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 Abstract Any service provider that has exhausted its IPv4 address pool, will not only have to deploy/offer IPv6, but also employ IPv4 sharing. This is because chunk of content may be reachable only via IPv4 internet, even though majority is available via IPv6 internet. This session discusses few mechanisms such as MAP-T/E, 464XLAT, DS-Lite and CGN 64/44 etc. that facilitate IPv4 sharing with and without IPv6. It contrasts stateful and stateless translation techniques as well. 6rd is included for reference as well. This session is intended for Service Providers. BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 IPv6 Adoption Continues to increase Source: Source: BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 9

10 Agenda Goal of Transition Technologies Overview of Transition Technologies Single-Stack Dual Stack Impact ( & Happy Eyeballs) IPv4 Address Sharing - Impact CGN 44, DS-Lite, 6rd, MAP CGN 64 for IPv6-only Conclusion

11 Recommended Approach for IPv6 Dual-Stack Deployment (per IETF RFC 4213) Dual-Stack to the hosts * Hosts: Windows, OSX, ios, Android, Linux etc. Routers: IOS, XR, NXOS etc. IPv4+IPv6 Hosts (Dual Stack) IPv4+IPv6 Network IPv4 and/or IPv6 Destinations * RFC7755 now suggests Single-stack IPv6 for DC BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 12

12 Recommended Approach for IPv6 Dual-Stack Deployment (per IETF RFC 4213), since 2005 Dual-Stack to the hosts * Hosts: Windows, OSX, ios, Android, Linux etc. Routers: IOS, XR, NXOS etc. ~90% of Desktop hosts and ~99% of Mobile hosts support Dual-Stack Source Mobile Operating System, Statistica, Jan 2017 Source Desktop Operating System, Netmarketshare, Jan 14-Dec 16 BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 13

13 Recommended Approach for IPv6 Dual-Stack Deployment (per IETF RFC 4213) Dual-Stack to the hosts * Hosts: Windows, OSX, ios, Android, Linux etc. Routers: IOS, XR, NXOS etc. IPv4+IPv6 Hosts (Dual Stack) But note IPv4 exhaustion is underway Every host can NOT be assigned a public IPv4 address Two protocol stacks to be managed in network IPv4+IPv6 Network IPv4 and/or IPv6 Destinations * RFC7755 now suggests Single-stack IPv6 for DC BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 14

14 IPv4 Address Depletion Causes Impact differently The ISP Impact: Lack of IPv4 addresses for users Harder to grow the business The User Impact (explicit or implicit): IP reputation (more on this later) IPv4 address sharing Breaks applications Complicates operating servers Limits UDP/TCP ports per user IPv6 enabled services are catching up BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 15

15 Transition Technologies How do we migrate from IPv4 to IPv6? Short term1: can t enable IPv6 immediately, need more IPv4 (or share IPv4) Short term2: enable IPv6 immediately, need more IPv4 (or share IPv4) Long term: simple network, single protocol IPv6 What does this really mean? IPv6 to co-exist with IPv4 IPv4 address sharing to become wide-spread IPv6 to interoperate with IPv4 Transition technologies pave the way to move from IPv4 to IPv6 BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 17

16 Agenda Goal of Transition Technologies Overview of Transition Technologies Single-Stack Dual Stack Impact ( & Happy Eyeballs) IPv4 Address Sharing - Impact CGN 44, DS-Lite, 6rd, MAP CGN 64 for IPv6-only Conclusion

17 Towards IPv6 with or without IPv4 Transition Technologies in One Slide This is where we are: Mostly IPv4 & Address Run-out? This is where we have to be: Mostly IPv6; 1. CGN = Carrier Grade NAT - Stateful 2. Modified to support DS-Lite BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 19

18 Towards IPv6 with or without IPv4 Transition Technologies in One Slide This is where we are: Mostly IPv4 & Address Run-out IPv4 IPv6 Obtain More IPv4 Addresses? Dual Stack Stack CGN 44 + Dual Stack Share IPv4 Addresses CGN CGN rd (Dual- Stack) CGN 44* + DS- Lite CGN 64 + Single -Stack MAP This is where we have to be: Mostly IPv6; 1. CGN = Carrier Grade NAT - Stateful 2. Modified to support DS-Lite BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 20

19 Towards IPv6 with or without IPv4 Transition Technologies in One Slide Options CPE LAN IPv4 or IPv6 CPE WAN IPv4 or IPv6 Tunnel or Translate? In-network State? Arbitrary IP addressing of CPE? Extra CPE features? 0 Single-Stack IPv4 IPv4 -NA- -NA- Yes No 1 Dual-Stack IPv4 + IPv6 IPv4+IPv6 -NA- -NA- Yes No** 2 Single-Stack IPv4 IPv4 Translate Yes (CGN44) Yes No 3 Dual-Stack IPv4 + IPv6 IPv4+IPv6 Translate Yes (CGN44) Yes No** 4 DS-Lite IPv4 + IPv6 IPv6 Both Yes (CGN44) Yes Yes 5 6rd IPv4 + IPv6 IPv4 Tunnel No No Yes 6 6rd + CGN IPv4 + IPv6 IPv4 Both Yes (CGN44) No Yes 7 MAP IPv4 + IPv6 IPv6 Either No Yes* Yes 8 Single-Stack IPv6 IPv6 Translate Yes (CGN64) Yes Yes No * Allows both arbitrary and algorithmic mapping ** Changes needed if IPv6 is not supported by existing CPE BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 22

20 Agenda Goal of Transition Technologies Overview of Transition Technologies Single-Stack IPv4 Obtain more IPv4 Dual Stack Impact ( & Happy Eyeballs) IPv4 Address Sharing - Impact Single-Stack IPv4 CGN 44, 6rd Single-Stack IPv6 DS-Lite, MAP Single-Stack IPv6 CGN 64 Conclusion

21 0. Obtain IPv4 Addresses Host/CPE gets just IPv4 prefixes This is where we are: Mostly IPv4 & Address Run-out IPv4 Dual Stack Obtain More IPv4 Addresses CGN 44 + Dual Stack Share IPv4 Addresses CGN rd (Dual- 6rd Stack) CGN * + DS- Lite CGN 64 + Single -Stack MAP This is where we have to be: Mostly IPv6; BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 24

22 0. Obtain IPv4 Addresses Obtain IPv4 addresses from Regional Internet Registry (RIRs) or open market RIR: May Not have any left. Open market: USD $10-$15 per IPv4 address IPv6, well, is optional ADVANTAGES: No CGN, no address sharing, no operational changes No need to press for IPv6 deployment DISADVANTAGES : If business growing, delaying the inevitable Geo-location needs to be updated (mileage varies) No IPv6 deployed Reputation might be bad BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 25

23 Agenda Goal of Transition Technologies Overview of Transition Technologies Single-Stack IPv4 Obtain more IPv4 Dual Stack Impact ( & Happy Eyeballs) IPv4 Address Sharing - Impact CGN 44, DS-Lite, 6rd, MAP Single-Stack IPv6 & CGN 64 Conclusion

24 1. Dual-Stack Host/CPE gets both IPv4 and IPv6 prefixes This is where we are: Mostly IPv4 & Address Run-out IPv4 IPv6 Dual Stack Stack Obtain More IPv4 Addresses CGN 44 + Dual Stack Share IPv4 Addresses CGN rd (Dual- 6rd Stack) CGN * + DS- Lite CGN 64 + Single -Stack MAP This is where we have to be: Mostly IPv6; 1. CGN = Carrier Grade NAT - Stateful 2. Modified to support DS-Lite BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 27

25 1. Dual Stack The Reality Reality: More and more IPv4 address sharing (NAT, MAP) Covered in co-existence section later on. Hosts should prefer IPv6 to IPv4 Generally necessary Without this preference, IPv4 would persist until IPv4 is turned off But what if IPv6 is broken? Overloaded??? IPv6 peering is down... Tunnel is down... (Microsoft IPv6 NCSI is down...) IPv6 Road BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 29

26 1. Dual Stack Do I use IPv6 or IPv4? Dual-stack client connecting to dual-stack server IPv6 is preferred by default (RFC6724) If IPv6 is slower, then users blame IPv6 and may disable IPv6! IPv6 better not be slower than IPv4 Who can guarantee that! What if IPv6 is broken altogether? What if IPv6 is broken to few websites? BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 30

27 1. Dual Stack Problem: IPv6 is Broken or slower to a certain website! Unhappy user BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 31

28 1. Dual Stack Solution Happy Eyeballs (RFC6555) Note: Slight Preference is given to IPv6 connection BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 32

29 1. Dual Stack Solution Happy Eyeballs Optimization (RFC6555/ RFC8305) BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 33

30 1. Dual Stack Solution Happy Eyeballs Optimization (RFC6555/ RFC8305) BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 34

31 1. Dual Stack Solution Happy Eyeballs Optimization (RFC6555/ RFC8305) BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 35

32 1. Dual Stack Solution Happy Eyeballs Optimization (RFC6555/ RFC8305) BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 36

33 1. Dual Stack Solution Happy Eyeballs Optimization (RFC6555/ RFC8305) Happy user BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 37

34 1. Dual-Stack Happy Eyeballs (RFC6555 and RFC8305) Users are happy Aimed initially at web browsing Web browsing is the most common application Fast response even if IPv6 (or IPv4) path is down Network administrators are happy Users no longer trying to disable IPv6 Reduces IPv4 usage (reduces load on CGN) Content providers are happy Improved geolocation and DoS visibility with IPv6 Source: BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 38

35 1. Dual-Stack Happy Eyeballs Implementations Google Chrome and Mozilla Firefox: Yes Utilizes long-established ms backup thread Follows getaddrinfo() address preference Apple Safari, ios*, OSX* : Yes DNS AAAA sent before A query on the wire If AAAA reply comes first, then v6 SYN sent immediately If A reply comes before 25ms of AAA reply, then v4 SYN sent Else, Heuristics based Address selection algorithm is applied Microsoft Windows OS and Internet Explorer : NO Not even something like happy eyeballs Cisco WebEx : Yes Cisco AnyConnect: No * * RFC6555 Compliant BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 39

36 Agenda Goal of Transition Technologies Overview of Transition Technologies Single-Stack IPv4 Obtain more IPv4 Dual Stack Impact ( & Happy Eyeballs) IPv4 Address Sharing - Impact Single-Stack IPv4 CGN 44, 6rd Single-Stack IPv6 DS-Lite, MAP Single-Stack IPv6 CGN 64 Conclusion

37 IPv4 Address Sharing. This is where we are: Mostly IPv4 & Address Run-out IPv4 IPv6 Dual Stack Stack Obtain More IPv4 Addresses CGN 44 + Dual Stack Share IPv4 Addresses CGN CGN rd (Dual- Stack) CGN * + DS- Lite CGN 64 + Single -Stack MAP This is where we have to be: Mostly IPv6; 1. CGN = Carrier Grade NAT - Stateful 2. Modified to support DS-Lite BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 42

38 IPv4 Address Sharing : Watch out for your Reputation Image source: Jason Fesler, Yahoo! BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 43

39 IP Address Sharing: Watch out for IP Reputation (1/2) Reputation based on IPv4 address Shared IP address = shared suffering Workaround: Distinguish subscribers (sharing IP address, or not sharing) draft-ietf-intarea-nat-reveal-analysis draft-wing-nat-reveal-option Server logs currently only contain IPv4 address Servers logs need to include source port number, recommended by RFC6302 Best Solution have users and content providers use IPv6! BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 44

40 IP Address Sharing: Watch out for IP Reputation (2/2) Affects NATs, as everyone knows NAT44 (CGN44): a big NAT operated by an ISP ( carrier ), enterprise, or University NAT444 (subscriber s NAT44 + ISP s CGN44) NAT64 (CGN64) DS-Lite (called AFTR = Modified CGN44) Also affects non-cgn architectures! MAP (Mapped Address and Port) Conceptually, a CGN with (some) fixed ports Address + Port, SD-NAT, Deterministic NAT BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 45

41 Agenda Goal of Transition Technologies Overview of Transition Technologies Single-Stack IPv4 Obtain more IPv4 Dual Stack Impact ( & Happy Eyeballs) IPv4 Address Sharing - Impact Single-Stack IPv4 CGN 44, 6rd Single-Stack IPv6 DS-Lite, MAP Single-Stack IPv6 CGN 64 Conclusion

42 Carrier Grade NAT (CGN). This is where we are: Mostly IPv4 & Address Run-out IPv4 IPv6 Dual Stack Stack Obtain More IPv4 Addresses CGN 44 + Dual Stack Share IPv4 Addresses CGN CGN rd (Dual- Stack) CGN * + DS- Lite CGN 64 + Single -Stack MAP This is where we have to be: Mostly IPv6; 1. CGN = Carrier Grade NAT - Stateful 2. Modified to support DS-Lite BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 47

43 CGN Carrier Grade Network Address Translation Address and Port Translator (NAPT), really Like the common residential NAT (Linksys, etc.) Using RFC5389 terminology: Mapping independent non filtering (EIM and EIF) Bigger (e.g. large scale) Port Logging (e.g. syslog, netflow v9) Per-user port limit Shared IPv4 space : /10 instead of private IPv4 space is an option BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 48

44 CGN Private IPv4 Moves into SP Supported on ASR9K, ASR1K, FirePower, CRS Stateful NAT function inside SP network BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 49

45 CGN Nicknamed NAT444 = NAT44 in home, NAT44 in ISP Advantages: 1. Very well known technology 2. No dependency on CPE router Supported on ASR9K, ASR1K, FirePower,CRS Disadvantages: 1. Logging 2. Port Forwarding 3. Certain Applications may NOT sufficiently work e.g. RFC ALG, Logging 5. Network/Routing Design Headache 6. IPv4 address sharing efficiency See BRKSPG-3334 from CiscoLive2014 for more details 7. Any application hardcoding a specific port# may not work without UPnPv2+PCP BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 50

46 CGN ALG, Logging ALG, Logging etc. issues applicable to all these solutions relying on CGN This is where we are: Mostly IPv4 & Address Run-out IPv4 IPv6 Dual Stack Stack Obtain More IPv4 Addresses CGN 44 + Dual Stack Share IPv4 Addresses CGN CGN rd (Dual- Stack) CGN 44 + DS- Lite CGN 64 + Single -Stack MAP This is where we have to be: Mostly IPv6; 1. CGN = Carrier Grade NAT - Stateful 2. Modified to support DS-Lite BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 51

47 CGN Application Layer Gateway (ALG) ALG = Application awareness inside the NAT: modify IP addresses and ports in application payload creates NAT mapping Each application requires a separate ALG FTP, SIP, RTSP, RealAudio, ALG needs to understand application nuances ALG requires: Un-encrypted signaling (!!) Restricted network topology Summary: ALG prevents application evolution and introduces bugs BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 52

48 CGN Modern Applications Avoid Relying on ALG Successful applications have to work everywhere Coffee shop, home, work, hotel, airport, 3G FTP Passive Mode ICE (RFC5245) and STUN (RFC5389) Intelligence in endpoint Useful for offer/answer protocols (SIP, XMPP) RTSPv1 abandoned on the desktop effectively replaced with Flash over HTTP, and soon HTML5 RTSPv2 has ICE-like solution Skype does its own NAT traversal Reference Linksys disabled SIP ALGs around 2006 Because of bugs and incompatibilities with SIP endpoints BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 53

49 CGN ALG related Operational Issues Reference Debugging / Troubleshooting Problems SIP from vendor X works, but vendor Y breaks: 1. Vendor Y violated standard? 2. Vendor X has special sauce?? 3. ALG is broken??? Delays Months for vendor turn-around for patches Months for SP testing/qualification/upgrade window ALG can break competitor s over-the-top application (e.g., SIP, streaming video) Regulators frown on interference Meanwhile: unhappy users See BRKSPG-3334 from CiscoLive2014 for more details BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 54

50 CGN Logging Source Port Ranges Stateful NAT requires logging (NAT44, NAT64, DS-Lite ) NAT mappings are temporary (similar to DHCP addresses) Logging each NAT mapping creates large logs! Bulk port allocation (BPA) reduces logging, at the expense of reduced efficiency of IPv4 address sharing Bulk size of N ports, logs reduced by 1/N Acceptable compromise!!! Recommended Supported on ASR9K, ASR1K, CRS 42.5TB over 60 days for 200K subscribers, 72K flows/second (each syslog comprised private source IP:port, public source IP:port, protocol, and timestamp, resulting in ~100B in ASCII). See note below. Reference See BRKSPG-3334 from CiscoLive2014 for more details BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 55

51 Carrier Grade NAT Logging Destination Supported on ASR9K, ASR1K, CRS Reference Server Log combined with CGN log identifies subscribers Timestamp (new) Source IP address, source port (new), destination IP address, destination port RFC6302 Some servers don t enable source port logging, or don t have good timestamp Note that majority support logging source port, but don t do so by default, see RFC7768 and draft-daveor-cgn-logging Tempting to log destination IP (and port) at CGN Consider privacy and legal issues Incompatible with bulk port allocation, increases logging costs Not recommended See BRKSPG-3334 from CiscoLive2014 for more details BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 56

52 CGN Common Sane Practices Use Bulk Port Allocation Limit number of users sharing an IPv4 address as much as possible* Monitor KPIs e.g. # of outbound SSH connections with a threshold Log NAT connections * Tricky because you would want higher sharing ratio, given IPv4 shortage BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 57

53 DS-Lite This is where we are: Mostly IPv4 & Address Run-out IPv4 IPv6 Dual Stack Stack Obtain More IPv4 Addresses CGN 44 + Dual Stack Share IPv4 Addresses CGN rd (Dual- 6rd Stack) CGN 44 + DS- Lite CGN 64 + Single -Stack MAP This is where we have to be: Mostly IPv6; Note: DS-Lite requires CGN BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 58

54 DS-Lite IPv4 over IPv6 Access IPv4-over-IPv6 tunnels Supported on ASR9K, ASR1K, CRS Stateful NAT 44 function (on routers) inside SP network 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 59

55 DS-Lite Requires IPv6 access network Tunnels subscriber IPv4 traffic to a CGN device Uses Carrier-Grade NAT (CGN) Requires CPE router support RFC6333 MTU Watch out!! BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 60

56 DS-Lite Advantages: Leverages IPv6 in the network Disadvantages: Dependency on CPE router NAT disabled on CPE router Content Caching function may break DPI function may break QoS function may break All disadvantages of CGN also apply BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 61

57 6rd and 6rd with CGN Reference Obtain IPv4 Addresses IPv4 IPv4 Address Sharing IPv4 Address Run-Out CGN 6rd + CGN Dual Stack Lite MAP Dual Stack IPv6 6rd BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 62

58 Reference 6rd - IPv6 over (Public) IPv4 IPv6 Moves out to Subscribers IPv6-over-IPv4 tunnels Supported on ASR9K, ASR1K, CRS Native Dual- Stack at Home Stateless Tunneling function (on routers) inside SP network BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 63

59 6rd + CGN = IPv6 over (Private) IPv4 Reference IPv6 Moves out to Subscribers Private IPv4 move into SP* IPv6-over-IPv4 tunnels Supported on ASR9K, ASR1K, CRS Stateless Tunneling function (on routers) Stateful NAT function (on routers) inside SP network* * Assuming RFC1918 usage 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

60 MAP (Mapping of Address and Port) This is where we are: Mostly IPv4 & Address Run-out IPv4 IPv6 Dual Stack Stack Obtain More IPv4 Addresses CGN 44 + Dual Stack Share IPv4 Addresses CGN rd (Dual- 6rd Stack) CGN * + DS- Lite CGN 64 + Single -Stack MAP This is where we have to be: Mostly IPv6; See BRKSPG-3820 from CiscoLive2014 for more details BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 66

61 MAP (Mapping of Address and Port) Supported on ASR9K, ASR1K, Allows sharing of IPv4 address across an IPv6 WAN network Each CPE gets a shared IPv4 address with a unique TCP/UDP port-range via rules All or part of IPv4 address can be derived from the assigned IPv6 prefix (allows for route summarization) Need to allocate UDP/TCP port range(s) to each CPE Stateless Border Relays in SP network Can be implemented in hardware (superior performance) Can use anycast, can have asymmetric routing No single point of failure, no need for high availability hardware BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 67

62 MAP-E : Stateless 464 Encapsulation Supported on ASR9K, IPv4-over-IPv6 Stateless Tunneling function (on routers) - No Stateful CGN- BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 68

63 MAP-T : Stateless 464 Translation Supported on ASR9K, ASR1K Native IPv6 Stateless 64 translation function (on routers) - No Stateful CGN - BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 69

64 MAP MAP has two flavors (both standardized): MAP-T : RFC7599 MAP-E : RFC7597 Advantages: Leverages IPv6 in the network No CGN inside SP network No need for NAT Logging (DHCP logging as usual) No need for ALGs No need for Stateful NAT64/DNS64 Disadvantages: Dependency on CPE router Any application hardcoding any port# might not work without UPnPv2 support BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 70

65 MAP Addressing Tool Cisco and/or its affiliates. All rights reserved. Cisco Public

66 Agenda Goal of Transition Technologies Overview of Transition Technologies Single-Stack IPv4 Obtain more IPv4 Dual Stack Impact ( & Happy Eyeballs) IPv4 Address Sharing - Impact Single-Stack IPv4 CGN 44, 6rd Single-Stack IPv6 DS-Lite, MAP Single-Stack IPv6 CGN 64 Conclusion Try V6-only WiFi: SSID: CL-NAT64 WPA2-PSK: cl-nat64 5GHz only

67 While Client-side apps (mobile or desktop) got IPv6-only support, Serverside still need to catch up e.g. Apple FaceTime, imessage, icloud, etc. Hence, the shortterm need for NAT64

68 As of June 26 th, 2017 IPv4 Reachability bash-3.2$ ping PING e6858.dsce9.akamaiedge.net ( ): 56 data bytes 64 bytes from : icmp_seq=0 ttl=57 time= ms ^C bash-3.2$ bash-3.2$ ping init.ess.apple.com PING a239.da1.akamai.net ( ): 56 data bytes 64 bytes from : icmp_seq=0 ttl=60 time= ms ^C bash-3.2$ bash-3.2$ ping PING e4478.a.akamaiedge.net ( ): 56 data bytes 64 bytes from : icmp_seq=0 ttl=55 time= ms bash-3.2$ ping configuration.apple.com PING e5153.e9.akamaiedge.net ( ): 56 data bytes 64 bytes from : icmp_seq=0 ttl=57 time= ms ^C bash-3.2 IPv6 Reachability bash-3.2$ ping6 PING6(56= bytes) 2601:2c7:4000:<removed> --> 2001:559:19:1286::1aca 16 bytes from 2001:559:19:1286::1aca, icmp_seq=0 hlim=61 time= ms ^C bash-3.2$ bash-3.2$ ping6 init.ess.apple.com ping6: getaddrinfo -- nodename nor servname provided, or not known bash-3.2$ bash-3.2$ ping6 ping6: getaddrinfo -- nodename nor servname provided, or not known bash-3.2$ bash-3.2$ ping6 configuration.apple.com ping6: getaddrinfo -- nodename nor servname provided, or not known bash-3.2$

69 IPv6-Only Networks with CGN 64. This is where we are: Mostly IPv4 & Address Run-out IPv4 IPv6 Dual Stack Stack Obtain More IPv4 Addresses CGN 44 + Dual Stack Share IPv4 Addresses CGN rd (Dual- 6rd Stack) CGN * + DS- Lite CGN 64 + Single -Stack MAP This is where we have to be: Mostly IPv6; 1. CGN = Carrier Grade NAT - Stateful 2. Modified to support DS-Lite BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 76

70 IPv6-Only Networks with CGN 64 IPv6-only devices Supported on ASR9K, ASR1K, CRS Stateless or Stateful NAT64 function (on routers) BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 77

71 NAT64 Stateful Supported on ASR9K, ASR1K, CRS Host can be assigned with any IPv6 address (no particular format) Src Addr DestAddr IPv6 Header 2001:db8:abcd:2::1 2001:DB8:ABCD:< > Src Addr Dest Addr IPv4 Header IPv6 Endpoint 2001:db8:abcd:2::1 IPv6 2001:DB8:ABCD::/64 announced in IPv6 Routing domain NAT64 NAT LSN64 Stateful (203.0/24) announced in IPv4 Routing domain IPv4 Endpoint NAT keeps binding state between inner IPv6 address and outer IPv4+port DNS64 needed Application dependent/algs may be required BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 79

72 NAT64 Stateless Supported on ASR9K, ASR1K, CRS Host must be assigned an IPv4 Translatable IPv6 address Src Addr DestAddr IPv6 Header 2001:db8:< >:: 2001:DB8::< >:: Src Addr Dest Addr IPv4 Header IPv6 Endpoint 2001:db8:< >:: IPv6 2001:DB8:ABCD::/64 announced in IPv6 Routing domain NAT64 NAT Stateless LSN64 IPv4 Endpoint (203.0/24) announced in IPv4 Routing domain No NAT binding state; IPv6 <-> IPv4 mapping computed algorithmically DNS64 needed Application dependent ALGs might be required BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 80

73 NAT64 Stateful vs. Stateless Stateful 1:N translation NAPT TCP, UDP, ICMP Shares IPv4 addresses Stateless 1:1 translation NAT Any protocol No IPv4 address savings Just like dual-stack MAP however does save IPv4 addresses by combining NAT46 with NAT44 Note : IPv6-only DC using Stateless 64 : RFC7755 BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 81

74 NAT64 DNS64 is important NAT64 translator is useful only if the traffic can come to it IP addresses of IPv6 packets must be formulated accordingly DNS64 provides conversion of an IPv4 address into an IPv6 address AAAA record is made up from A record (only if upstream AAAA not present) using IPv6 prefix of NAT64 translator (e.g. 2001:DB8:ABCD::) DNS64 NAT64 Internet IPv6-only Endpoint AAAA? (sent simultaneously) 2001:DB8:ABCD:: AAAA? Empty answer A? BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 82

75 DNS64 Watch out Works for applications that do DNS queries IMAP, connecting to XMPP servers, etc. Works with DNSSEC (note [1]) Doesn t work for applications that don t do DNS queries or use IP address literals SIP, RTSP, H.323, XMPP peer to peer, etc. Doesn t work well if Application-level proxy for IP address literals (HTTP proxy) is used Learn NAT64 s prefix, RFC 7050 NAT46/BIH (Bump In the Host), RFC XLAT (RFC6877) [1] BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 83

76 464XLAT = Stateless + Stateful Better Together RFC6877 Some applications may break with IPv6-only (and NAT64) Skype, among other interesting applications (more listed here*) 464 translation helps most of those IPv4-only applications Endpoint does Stateless NAT46, network does Stateful NAT64 only for IPv4 traffic 464 supported _only_ by Android OS; Benefit: Network can Provide IPv6-only connectivity to Endpoints without worrying about any IPv4-only apps Stateless NAT46 Endpoint IPv6-only Network Stateful NAT64 IPv6 Internet IPv4 Internet * Note: The usefulness of XLAT may continue to subside, given apple mandate for apps to work with IPv6-only since 2016, as well as Cloud Providers enabling IPv6-only support BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 84

77 NAT64 Scenarios stateful stateless 1. IPv6 Network IPv4 Internet Covered in this presentation IPv4 Internet IPv6 Internet IPv6 Network IPv4 Network Covered in BRKSPG from 2014** 4. IPv4 Network IPv6 Internet Needed (a) if IPv6-only content existed, or (b) IPv4-only LAN with IPv6-only WAN * * Verizon stops giving out static IPv4 WAN address(es) in IPv6 Network IPv4 Network 6. IPv4 Network IPv6 Network BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 85

78 Agenda Goal of Transition Technologies Overview of Transition Technologies Single-Stack IPv4 Obtain more IPv4 Dual Stack Impact ( & Happy Eyeballs) IPv4 Address Sharing - Impact Single-Stack IPv4 CGN 44, 6rd Single-Stack IPv6 DS-Lite, MAP Single-Stack IPv6 CGN 64 Conclusion

79 Conclusion Whatever you do. Drive Carefully BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 92

80 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#brkspg Cisco and/or its affiliates. All rights reserved. Cisco Public

81 Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Complete Your Online Session Evaluation Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at Cisco and/or its affiliates. All rights reserved. Cisco Public

82 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Tech Circle Meet the Engineer 1:1 meetings Related sessions BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public 95

83 More IPv6 sessions this week at CiscoLive BRKSEC Advanced IPv6 Security Threats and Mitigation 30 Jan. 14:15 BRKIP Beyond Dual-Stack: Using IPv6 like you ve never imagined 30 Jan. 16:45 BRKRST Hitchhiker's Guide to Troubleshooting IPv6 - Advanced 31 Jan. 9:00 BRKSPG IPv4 Exhaustion: NAT and Transition to IPv6 for SPs 31 Jan. 9:00 BRKIP Enterprise IPv6 Deployment 31 Jan. 11:30 Try V6-only WiFi: SSID: CL-NAT64 WPA2-PSK: cl-nat64 5GHz only LABSPG Advanced IPv6 Routing and services lab 31 Jan 14:00 & 1 Feb. 14:00 BRKCOL IPv6 in Enterprise Unified Communications Networks 31 Jan. 16:30 BRKCOC Inside Cisco IT: A Tale of Two Protocols 2 Feb. 9:00 BRKIP IPv6 for the World of IoT 2 Feb. 11:30 BRKSPG Cisco and/or its affiliates. All rights reserved. Cisco Public

84 Thank you

85