Dual-Stack lite. Alain Durand. May 28th, 2009

Similar documents
Post IPv4 completion. Making IPv6 deployable incrementally by making it. Alain Durand

Dual stack lite. draft-durand-softwire-dual-stack-lite-01. A. Durand, R. Droms, B. Haberman, J. Woodya<

NAT444+v6 Softwire. Shin Miyakawa, Ph.D. NTT Communications Corporation

Transition To IPv6 October 2011

Outline. Background IETF activities Solutions & problems Next steps

NAT Tutorial. Dan Wing, IETF77, Anaheim March 21, 2010 V2.1

Mapping of Address and Port (MAP) an ISPs Perspective. E. Jordan Gottlieb Principal Engineer Charter Communications

TR-242 IPv6 Transition Mechanisms for Broadband Networks

IPv6 Rapid Deployment (6rd) in broadband networks. Allen Huotari Technical Leader June 14, 2010 NANOG49 San Francisco, CA

Mapping of Address and Port using Translation (MAP-T) E. Jordan Gottlieb Network Engineering and Architecture

FROM AN IPV4 GLOBAL INTERNET TO A MIX OF IPV4 NATED AND IPV6 WORLD. Alain Durand- Dir of Software Engineering PSG/CTO,

Internet Engineering Task Force (IETF) Request for Comments: 7040 Category: Informational. O. Vautrin Juniper Networks Y. Lee Comcast November 2013

BIG-IP CGNAT: Implementations. Version 13.0

Carrier Grade Network Address Translation

Network Configuration Example

Comcast IPv6 Trials NANOG50 John Jason Brzozowski

Why IPv6? Roque Gagliano LACNIC

IPv6 Community Wifi. Unique IPv6 Prefix per Host. IPv6 Enhanced Subscriber Access for WLAN Access Gunter Van de Velde Public.

IPv6 Evolution and Migration Solution

Stateful Network Address Translation 64

IPV6 SIMPLE SECURITY CAPABILITIES.

Yasuo Kashimura Senior Manager, Japan, APAC IPCC Alcatel-lucent

Carrier Grade NAT - Observations and Recommendations. Chris Grundemann North American IPv6 Summit 11 April 2012

IPv6 Transition Technology

IPv6 Transitioning. An overview of what s around. Marco Hogewoning Trainer, RIPE NCC

Intended status: Standards Track Expires: April 26, 2012 Y. Ma Beijing University of Posts and Telecommunications October 24, 2011

Network Configuration Example

IPv4/IPv6 Smooth Migration (IVI) Xing Li etc

Unit 5 - IPv4/ IPv6 Transition Mechanism(8hr) BCT IV/ II Elective - Networking with IPv6

BIG-IP CGNAT: Implementations. Version 12.1

ARCHITECTING THE NETWORK FOR THE MOBILE IPV6 TRANSITION. Gary Hauser Sr. Marketing Mgr. Mobility Sector Member 3GPP RAN3 WG

Stateless automatic IPv4 over IPv6 Tunneling (SA46T)

Transition Strategies from IPv4 to IPv6: The case of GRNET

IPv6 Transition Solutions for 3GPP Networks

Network Address Translators (NATs) and NAT Traversal

Restrictions for Disabling Flow Cache Entries in NAT and NAT64

Host-based Translation Problem Statement.

Stateless 4V6. draft-dec-stateless-4v6. September 2011

Mapping of Address and Port Using Translation

IPv6 Transition Mechanisms

IPv6 Transition Strategies

IETF Activities Update

IPv6 Transition Mechanisms

Introduction to Network Address Translation

Planning for Information Network

Patrick Grossetete Cisco Systems Cisco IOS IPv6 Product Manager 2003, Cisco Systems, Inc. All rights reserved.

Tik Network Application Frameworks. IPv6. Pekka Nikander Professor (acting) / Chief Scientist HUT/TML / Ericsson Research NomadicLab

ETSI TS V1.1.1 ( )

COE IPv6 Roadmap Planning. ZyXEL

6RD. IPv6 Rapid Deployment. Version Fred Bovy. Chysalis6 6RD 1-1

Deploy CGN to Retain IPv4 Addressing While Transitioning to IPv6

BIG-IP TMOS : Tunneling and IPsec. Version 13.0

IPv6 in 2G and 3G Networks. John Loughney. North American IPv6 Forum 2004

Considerations and Actions of Content Providers in Adopting IPv6

Internet Engineering Task Force (IETF) Request for Comments: C. Jacquenet. Orange. S. Vinapamula Juniper Networks Q. Wu Huawei January 2019

IETF Activities Update

Implementing NAT-PT for IPv6

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

IPv6 migration strategies for mobile networks

Chapter 15 IPv6 Transition Technologies

IPv6 Deployment Experiences. John Jason Brzozowski

IPv6 implementation in a multi-vendor network.

CSE/EE 461: Introduction to Computer Communications Networks Autumn Module 9

IPv6 Implementation Best Practices For Service Providers

Internet Engineering Task Force (IETF) Category: Standards Track. Cisco Systems January A YANG Data Model for Dual-Stack Lite (DS-Lite)

IPv4 to IPv6 Transformation Schemes

Securing the Transition Mechanisms

IETF Update about IPv6

Routing Architecture for the Next Generation Internet (RANGI)

IPv6 Transition Strategies

IPv4 exhaustion and the way forward. Guillermo Cicileo

Practical IPv6 for Windows Administrators

IPv6 Rapid Deployment: Provide IPv6 Access to Customers over an IPv4-Only Network

Networks Fall This exam consists of 10 problems on the following 13 pages.

IPv6 Protocol Architecture

IPv6 Enablement for Enterprises. Waliur Rahman Managing Principal, Global Solutions April, 2011

Internet Engineering Task Force (IETF) Category: Standards Track. February 2012

Cisco IOS XR Carrier Grade NAT Command Reference for the Cisco CRS Router, Release 5.2.x

Recent IPv6 Security Standardization Efforts. Fernando Gont

Network Configuration Example

3GPP TR V1.1.1 ( )

IPv6 Protocol. Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer Cisco Systems, Inc.

IPv6: What is it? Why does it matter?

Blockers to IPv6 Adoption

IPv6 Transition Technologies (TechRef)

OSPFv3-Based Home Networking draft-arkko-homenet-prefix-assignment-02.txt. Jari Arkko, Ericsson Acee Lindem, Ericsson Benjamin Paterson, Cisco

TCP/IP Protocol Suite

Deploying IPv6 Services

Forensic Tracing in the Internet: An Update. Geoff Huston. Chief Scientist APNIC. #apricot2017

LOGICAL ADDRESSING. Faisal Karim Shaikh.

IPv6: Are we really ready to turn off IPv4?

IPv6 Protocol & Structure. npnog Dec, 2017 Chitwan, NEPAL

Tutorial: IPv6 Technology Overview Part II

Use this section to help you quickly locate a command.

Bulk Logging and Port Block Allocation

Towards IPv6 only: A large scale lw4o6 deployment (rfc7596) for broadband

IPv6. Internet Technologies and Applications

CSC 4900 Computer Networks: Network Layer

Migration to IPv6 from IPv4. Is it necessary?

PacINET The state of IP address distribution and its impact. Elly Tawhai Senior Internet Resource Analyst/Liaison Officer, Pacific, APNIC

Transcription:

Dual-Stack lite Alain Durand May 28th, 2009

Part I: Dealing with reality A dual-prong strategy

IPv4 reality check: completion of allocation is real Today Uncertainty

IPv6 reality check: the IPv4 long tail Post IPv4 allocation completion: Many hosts in the home (eg Win 95/98/2000/XP, Playstations, consumer electronic devices) are IPv4- only. They will not function in an IPv6-only environment. Few of those hosts can and will upgrade to IPv6. Content servers (web, email, ) hosted on the Internet by many different parties will take time to upgrade to support IPv6.

Dealing with both realities: a two prong approach Embrace IPv6 Move as many devices/services to IPv6 as possible to lower dependency on IPv4 addresses Build an IPv6 transition bridge for the IPv4 long tail Goal: Provide IPv4 service without providing a dedicated IPv4 address Technology: Leverage IPv6 access infrastructure Provide only IPv6 addresses to endpoint Share IPv4 addresses in the access networks DS-lite: IPv4/IPv6 tunnel + provider NAT

Part II: Plan A, B, C, Lessons learned

Provisioning color code IPv4 only dual stack provisioned dual stack *, IPv6 only provisioned device link router network * devices with pure IPv6-only code are out of scope

Plan zero: dual stack After IPv4 IANA completion, there will not be enough IPv4 addresses to sustain this model. IPv6 ISP IPv4 legacy customer global v4 address home gateway NAT v4 >v4 IPv4&IPv6 home gateway IPv4&IPv6 home gateway Today such deployments do not see much IPv6 traffic, mainly because there is little content reachable with IPv6. 192.168/16 192.168/16 192.168/16

Plan A: dual-stack core new customers are provisioned with IPv6-only but no IPv4 support lots of broken paths ISP IPv4 legacy customer global v4 address home gateway NAT v4 >v4 IPv6 provisioned home gateway IPv6 provisioned home gateway impact on new customers: legacy IPv4 devices can t get out of the home. new IPv6 devices can t get to the IPv4 Internet. 192.168/16 192.168/16 192.168/16

Plan B: double NAT new customers are provisioned with overlays of RFC1918 two layers of NAT no evolution to IPv6 network gets increasingly complex to operate. Intersections of Net 10 overlays are prone to failures. ISP Net 10 carrier grade NAT Net 10 IPv4 legacy customer global v4 address home gateway NAT v4 >v4 private v4 address home gateway NAT v4 >v4 private v4 address home gateway NAT v4 >v4 complex internal routing (source based?) to handle both legacy & RFC1918 customers on the same access router. 192.168/16 192.168/16 192.168/16

Plan C: dual stack lite new customers can be provisioned with IPv6 only + IPv4 support simplifies network operation provides an upgrade path to IPv6 IPv4 Dual-stack lite provides IPv4 support using an IPv4/IPv6 tunnel to a IPv4/IPv4 NAT. ISP carrier grade NAT IPv6 legacy customer IPv4 provisioned home gateway NAT v4 >v4 IPv6 provisioned home gateway v4 v4 v4 v4/v6 192.168/16 192.168/16

Part III: DS-lite technology Combining two well-known technologies: NAT + Tunneling

Gateway based scenario: IGD are provisioned with IPv6 only + IPv4 support for the home PC from a carrier grade NAT IPv6 packet IPv6 src: IPv6 address of home gateway (IGD) IPv6 dst: IPv6 address of tunnel concentrator, discovered with DHCPv6 IPv4 src: 192.168.1.3 IPv4 dst: www.nanog.org (198.108.95.21) IPv4 src port: 1001 IPv4 dst port: 80 IPv4 packet IPv4 src: from the pool of the ISP IPv4 dst: www.nanog.org (198.108.95.21) IPv4 src port: 45673 IPv4 dst port: 80 PC 192.168.1.3 SRC port 1001 IGD Tunnel concentrator carrier grade NAT IPv4 NAT binding IN: IPv6 src: IPv6 address of IGD + 192.168.1.3 + port1001 OUT: IPv4 src address: from pool of the ISP + port: 45673

End node scenario: Dual stack capable end nodes are provisioned with IPv6 only + IPv4 support from a carrier grade NAT IPv6 packet IPv6 src: IPv6 address of end node IPv6 dst: IPv6 address of tunnel concentrator, discovered with DHCPv6 IPv4 src: well known IPv4 address: (IANA defined) IPv4 dst: www.nanog.org (198.108.95.21) IPv4 src port: 1001 IPv4 dst port: 80 IPv4 packet IPv4 src: from the pool of the ISP IPv4 dst: www.nanog.org (198.108.95.21) IPv4 src port: 45673 IPv4 dst port: 80 Host Tunnel concentrator carrier grade NAT IPv4 NAT binding IN: IPv6 address of end node + well known IPv4 address of end node (IANA defined) + port1001 OUT: IPv4 src address: from pool of the ISP + port: 45673

Part IV: TCP/UDP port consumption Measurements

Measurements Measurement campaign performed on 2008-11-10 Data collected behind a CMTS with 8000 subscribers Caveats: Data was collected on only one point in the network Measurement methodology still needs to be tuned Results need to be compared to other studies Your mileage may vary 16

TCP outgoing ports statistics on a 8000 subscriber sample TCP incoming ports statistics on a 8000 subscriber sample 17

UDP outgoing ports statistics on a 8000 subscriber sample UDP incoming ports statistics on a 8000 subscriber sample 18

Analysis Maximum average: 40,000 ports/protocol/direction It translates into a maximum of 5 ports consumed per user on average in each direction for both TCP & UDP. Total: 20 ports/user on average This needs to be compared with the hundreds/thousands of ports that can be consumed at peak by a single user browsing a Web 2.0/AJAX site. One needs to keep this analysis in mind when designing a port distribution mechanism for a carrier-grade NAT. 19

Part V: DS-lite standardization Draft-ietf-softwire-dual-stack-lite-00.txt

DS-lite Status IETF Latest draft: draft-ietf-softwire-dual-stack-lite-00.txt IETF softwire WG has been re-chartered to standardize DS-lite. Implementations IGD: Open source code (Open-WRT) for a Linksys home router CGN: Vendor code, open source project started

IPv4 port distribution Measurements: Average #ports/customer < 10 (per transport protocol) Peak #ports/customer > 100? > 1000? > 5000? Do not dimension for peaks, but for average! No cookie cutter approach Large dynamic pool of ports shared by many customers 22 Customers want to choose their own applications CGN MUST not interfere with applications, eg avoid ALGs, Need to support incoming connections Small static pool of reserved ports under the control of customers

Port forwarding & A+P extensions ISP portal Address & port control tab Provisioning Dst: 1.2.3.4 Port 3000 A+P Dst: 1.2.3.4 Port 3002 Port forwarding User: X CGN External IPv4 address: 1.2.3.4 Port A+P Port forwarding Internal IP Port No NAT NAT to 192.168.1.6 Port 5080 3000 3001 3002 x x x 192.168.1.5 192.168.1.6 80 5080 NAT to 192.168.1.7 Port 5567 A+P Home gateway PC Home gateway PC 3003 3004 x x 192.168.1.7 Port 5567 192.168.1.6 Port 5080 23

Issues with MTU PC MTU 1500 MTU 1460 MTU 1500 Home gateway CGN IPv4 Internet pmtu discovery does NOT work over the tunnel IPv4 fragmentation needs to be avoided 24

Dealing with MTU PC MTU 1500 MTU 1460 MTU 1500 Home gateway CGN IPv4 Internet For TCP: CGN rewrites the TCP MSS in the SYN packet For UDP: HGW & CGN do IPv6 fragmentation/reassembly over the tunnel 25

Part VI: Generic issues with CGN Applies to DS-lite, NAT444, NAT64, IVI,

UPnP Typical UPnP application will: Decide to run on port X Ask IGD to forward port X traffic If IGD declines, try again with X+1 After 10 or so attempts, abort This will NOT work with any IPv4 address sharing mechanism (NAT444, DS-lite, NAT64, IVI, A+P, ) NAT-PMP has a better semantic: IGD can redirect the application to use an alternate available port UPnP forum is reported to be addressing this issue 27

Security issues relative to CGN Port number information is necessary for full identification Need to log port numbers on the receiving side Need to log NAT bindings on CGN CGN needs to enforce per customer limits either on new connection rate or maximum number of sessions User authentication on service provider CGN may not be necessary, users get authenticated at the IPv6 access layer. A simple ACL on the CGN to limit access to the service provider customers seems to be sufficient. 3 rd party CGNs may have different requirements. HGW & CGN need to enforce that customer IPv4 addresses inside of IPv6 tunnel are indeed RFC1918 addresses 28

Other security issues The Internet community needs to deal with Web sites that put IPv4 address in penalty box after a number of unsuccessful login attempts. More generally, the community need to revisit notion that an IPv4 address uniquely identifies a customer. 29

Part VII DS-lite deployment model Horizontal Scaling

Scaling issue with CGN Service provider network CGN 2X thousand users Access router Access router X thousand users Access router X thousand users Access router X/2 thousand users Access router X/2 thousand users 31

Horizontal scaling with DS-lite DHCPv6 option to configure tunnel end-point Enable sending the traffic to as many CGNs as necessary CGN Service provider network CGN CGN CGN CGN 2X thousand users Access router Access router X thousand users Access router X thousand users Access router X/2 thousand users Access router X/2 thousand users 32

Part VIII DS-lite demo at LACNIC XII Thanks to: Yiu Lee, Carl Williams, Anthony Veiga ISC LACNIC, Roque Gagliano

LACNIC/Comcast DS lite demo Lacnic v4/v6 Router IPv6 static route to /56 IPv6 prefix Lacnic dual-stack wired network 1 IPv6 address 1 IPv4 address /56 IPv6 prefix DHCPv6: - IPv6 address of home GW - /64 DHCPv6 prefix delegation - DNS server IPv6 address - CGN IPv6 address IPv6 router DNS/DHCPv6 server Home GW DS lite CGN /64 DHCPv6-PD /32 IPv4 addresses for NAT pool Color code IPv6 Dualstack IPv4 Wifi SSID Lacnicxii dslite PC 1 PC 20 /64 IPv6 prefix

Lacnic IPv6 network 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback