IPv6 implementation aspects in the operator s environment. Grzegorz Kornacki F5 Field Systems Engineer


Exposing applications & services to IPv6

Exposing applications / services to IPv6
Facebook has already done it: https://sites.google.com/site/ipv6implementors/2010/agenda

Exposing applications / services to IPv6
Facebook has already done it; scroll down a few slides to find a regular F5 config file.

Exposing applications / services to IPv6
It does not have to be CLI. Plus a DNS record.

Exposing applications / services to IPv6
Good to know: if there is a very old, black-box-like application that nobody wants to touch and that cannot log v6 addresses, you can:
1. Insert a bogus private v4 address into X-Forwarded-For and log the v4-to-v6 mapping into syslog.
2. SNAT to a bogus private v4 address and log the v4-to-v6 mapping.
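An added example of the bogus-private-v4 trick described above, written in Python rather than as an iRule; it is not F5 code. It allocates a placeholder address per IPv6 client, produces the X-Forwarded-For value, writes the v4-to-v6 mapping to a syslog stand-in, and shows the reverse step an incident responder needs to get from the application's v4 log entry back to the real client. The 10.254.0.0/16 pool, the log line format and all names are assumptions.

```python
import ipaddress
from datetime import datetime, timezone
from typing import Optional

# Constructed example (not F5/BIG-IP code): each IPv6 client is given a bogus
# RFC 1918 address that a v4-only application can log; the v4->v6 mapping is
# sent to syslog so the application's log stays attributable.
BOGUS_POOL = "10.254.0.0/16"   # assumed placeholder pool, never routed


class BogusV4Mapper:
    def __init__(self, pool=BOGUS_POOL, clock=None):
        self._free = ipaddress.ip_network(pool).hosts()   # 10.254.0.1, 10.254.0.2, ...
        self._v6_to_v4 = {}
        self._v4_to_v6 = {}
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.syslog = []                                    # stands in for the syslog server

    def map(self, client_v6: str) -> str:
        """Return the bogus v4 for this client, allocating and logging on first sight."""
        v6 = ipaddress.IPv6Address(client_v6)
        v4 = self._v6_to_v4.get(v6)
        if v4 is None:
            try:
                v4 = next(self._free)
            except StopIteration:
                # A full pool means new clients would go unlogged: fail loudly.
                raise RuntimeError("bogus IPv4 pool exhausted") from None
            self._v6_to_v4[v6] = v4
            self._v4_to_v6[v4] = v6
            ts = self._clock().strftime("%Y%m%d%H%M%S")
            self.syslog.append(f"{ts} v4tov6-map {v4} {v6}")
        return str(v4)

    def xff_header(self, client_v6: str):
        """Header to insert. Any X-Forwarded-For the client sent is replaced, not
        appended to, so a client-chosen value never reaches the application log."""
        return ("X-Forwarded-For", self.map(client_v6))

    def lookup(self, logged_v4: str) -> Optional[str]:
        """Incident-response path: the application logged a bogus v4; find the client."""
        v6 = self._v4_to_v6.get(ipaddress.IPv4Address(logged_v4))
        return None if v6 is None else str(v6)


def parse_mapping_log(lines):
    """Rebuild the v4->v6 table from archived syslog lines (offline forensics)."""
    table = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[1] == "v4tov6-map":
            table[parts[2]] = parts[3]
    return table
```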

Providing IPv6 to your subscribers

Technologies overview

Technology         Translation / tunneling   Stateful translation place
Dual Stack         n/a                       n/a
6rd (v6 over v4)   tunneling                 n/a
NAT64/DNS64        translation               network
XLAT               translation               network
DS-Lite            tunneling                 network
MAP-E              tunneling                 CPE
MAP-T              translation               CPE

Out of the classification example

Out of the classification example
Leading American cable TV service provider, over 15M CPEs.
New VOD servers deployed in an IPv6-only network. Old set-top boxes equipped with an IPv4 stack. The service provider is not able to replace all set-top boxes at once.
New STB <-> new VOD server: pure IPv6 (v6 STB directly to v6 VOD server).

Out of the classification example
Old STB <-> new VOD server: DNS holds mappings between server name and v4 address, and between server name and v6 address.
Figure: v4 STB -> F5 LTM -> v6 VOD server.

Out of the classification example
Old STB <-> new VOD server. The v4 STB connects to the old v4 server address, now owned by the F5 LTM. DNS:
1. PTR query to get the name of the server.
2. AAAA query to get its v6 address (the new v6 IP).
The LTM then connects to the v6 VOD server with the source address <96bit prf>:<src ip v4>.

Out of the classification example
Old STB <-> new VOD server. DNS:
1. Query for the name of the server.
2. Query to get the v4 address.
Figure: v6 VOD server, F5 LTM (own v4 address, old v4 server address), v4 STB, <96bit prf>:<src ip v4>.

Out of the classification example
Old STB <-> new VOD server: yes, it is F5 iRules!
The only event used: CLIENT_ACCEPTED.
Commands used: split, lrange, lindex, string tolower, getfield (standard TCL commands); IP::client_addr, IP::local_addr; RESOLV::lookup, node, snat.
Not a single if/then, switch, or while.

Plain Dual-Stack with NAT44
Figure: home environment / smart phone -> CPE/AG, access node, BRAS/BNG (dual-stack) or GGSN/PGW -> IPv4/IPv6 network -> CGN (NAT44) -> IPv4 Internet; IPv6 traffic goes to the IPv6 Internet directly.
NAT44: translating private IPv4 addresses into public IPv4 addresses on the internet side (1:1 NAT and N:1 NAPT); stateful operation.

Plain Dual-Stack with NAT44: pros and cons
PROS:
Full manageability of the IPv4 and IPv6 subscriber traffic (on BNG / GGSN).
Field-proven model that can be used in fixed and mobile (uniform model / FMC).
No tunneling: less overhead, no fragmentation issues, etc.
CONS:
May require more licenses on BNG and/or GGSN for dual-stack operation (pre 3GPP R9).
Poor mobile phone coverage.
In fixed networks the access and aggregation network should be IPv6 aware.
Routing private IPv4 addresses in the SP backbone may be undesirable.

IPv6 Rapid Deployment (6RD)
Figure: home environment -> CPE/AG, access node, BRAS/BNG (IPv4) or GGSN/PGW -> IPv4 network -> IPv6-in-IPv4 tunnel to the 6RD Border Relay -> IPv6 Internet; native IPv4 traffic goes through the CGN (NAT44) to the IPv4 Internet.
6RD Border Relay: decapsulates the IPv4 tunnels coming from the CPE and forwards the IPv6 packets coming out of these IPv4 tunnels towards the IPv6 Internet.
Note: the source IPv6 address of the user is constructed out of the 6RD prefix and the IPv4 address of the user (this allows for stateless operation of the 6RD BR).

6RD: pros and cons
PROS:
No additional license costs on BNG/GGSN (keep the IPv4-based BNG/GGSN).
The solution is transparent for the whole IPv4 network and requires little to no changes in the network.
Cheapest solution to introduce IPv6.
CONS:
Not future proof ("tunnel the future over legacy"), so considered temporary; it just postpones a real investment in an IPv6 network.
Still requires a NAT44 to deal with IPv4 address depletion.
CPE vendor support still limited.
Tunneling technique, potentially resulting in fragmentation & reassembly issues.

NAT64 with DNS64
Figure: home environment / smart phone -> CPE/AG, access node, BRAS/BNG (IPv6 only) or GGSN/PGW -> IPv6 network -> NAT64 with DNS64 -> IPv4 Internet; IPv6 traffic goes to the IPv6 Internet directly.
DNS64: in case no AAAA exists for a destination, the DNS64 function adds a specific IPv6 destination prefix to the A address of the destination and constructs an AAAA response based on that. DNS64 can be internal in the BIG-IP providing the NAT64 function, or can be external.
NAT64: attracts IPv6 subscriber traffic for the specific IPv6 destination prefix used to perform NAT64; extracts the IPv4 destination address out of the IPv6 destination address; uses a public IPv4 address pool to source traffic towards the IPv4 destination address (stateful).

Reachability of top 88 websites with NAT64/DNS64 (chart: pure IPv6 compared with IPv6 + F5 NAT64/DNS64).

Network migration, NAT64: pros and cons
PROS:
Natural phase-out of NAT.
Future-proof, setting the standard on IPv6 connectivity towards end users (IPv6-only sessions).
No additional license costs on BNG/GGSN (transition from IPv4 to IPv6 on the user side).
No tunneling: less overhead, no fragmentation issues, etc.
CONS:
Applications: Skype, Google videochat.
Testing by other operators reveals some issues with IPv4 literals in websites.
Not practical for fixed deployments: end-user equipment may not be IPv6-capable (gaming consoles, STB, ...).

XLAT (CLAT + NAT64)
Figure: home environment / smart phone (CLAT) -> CPE/AG, access node, BRAS/BNG (IPv6 only) or GGSN/PGW -> IPv6 network -> PLAT (NAT64) -> IPv4 Internet; IPv6 traffic goes to the IPv6 Internet directly.
CLAT is the customer-side translator (XLAT) [RFC6145]. It translates 1:1 private IPv4 addresses to global IPv6 addresses. The CLAT function is applicable to a router or an end-node such as a mobile phone or PC; it is usually seen as a virtual interface with a v4 address.
PLAT is the provider-side translator [RFC6146]. It translates N:1 global IPv6 addresses to global IPv4 addresses. It is in fact NAT64 under a new name. PLAT does not require DNS64.

Network migration, XLAT: pros and cons
PROS:
Natural phase-out of NAT.
Future-proof, setting the standard on IPv6 connectivity towards end users (IPv6-only sessions).
No additional license costs on BNG/GGSN (transition from IPv4 to IPv6 on the user side).
No tunneling: less overhead, no fragmentation issues, etc.
PROS (cont.):
Delivers v4 addresses to the applications that need them.
Available as a software package for PCs.
Light-weight home router patch.
Applicable for fixed-line providers.
CONS:
IPv4 literals in websites; could be solved with iRules.

Scalability & Performance
Address translation is within the "DNA" of F5: CGNAT requires TCP/UDP connection management; packet-based solutions are not designed for that; connection management is native in the BIG-IP system.
Single B4340N blade: 1M connections per second, 60M connections, 80 Gbps throughput.
VIPRION 4800 chassis with 8 blades: 8M connections per second, 480M connections, 640 Gbps throughput.
Unprecedented scale & performance.

Translation & Mapping Flexibility
Translation modes: NAPT (standard), deterministic NAPT, PBA, EIM, EIF, hairpinning, PCP, filtering.
Transition techniques: NAT44, NAT64, DNS64, DS-Lite, 6RD.
Custom mapping via iRules.
Legend of the slide: now / iRules / next release.

Logging Flexibility
Enriched CGNAT logging adding subscriber info:

    when CLIENT_ACCEPTED {
        set hsl [HSL::open -proto TCP -pool syslog_server_pool]
        # Lookup the subscriber identifiers stored per client IP
        set m [table lookup -subtable msisdn [IP::client_addr]]
        set i [table lookup -subtable imsi [IP::client_addr]]
        set c [table lookup -subtable chrid [IP::client_addr]]
    }
    when SERVER_CONNECTED {
        # Get time
        set t [clock format [clock seconds] -format {%Y%m%d%H%M%S}]
        # One record per translated connection: subscriber identifiers, then the
        # client-side and server-side address/port tuples and the protocol
        HSL::send $hsl "<190> 0;$t;$m;$i;$c;[IP::client_addr];[TCP::client_port];[IP::local_addr];[TCP::local_port];[IP::remote_addr];[TCP::remote_port];[IP::protocol]\n"
    }

Dual Stack Lite (DS-Lite), supported now
Figure: home environment -> CPE/RG (B4), access node, BRAS/BNG (IPv6 only) or GGSN/PGW -> IPv6 network -> IPv4-in-IPv6 tunnel to the AFTR (NAT44) -> IPv4 Internet; IPv6 traffic goes to the IPv6 Internet directly. Annotations on the figure: unable to steer tunneled traffic; unable to distinguish IPv6 subscribers' sessions.
DS-Lite (AFTR) function: decapsulates the IPv6 tunnels from the CPE (hosting the B4 function); provides a stateful NAT44 function for the encapsulated IPv4 traffic; the encapsulated IPv4 traffic has overlapping addresses.

F5 Network Services: a unified platform and single management framework
Intelligent traffic management; CGNAT and IPv6 migration; ICSA certified network firewall; policy enforcement; header enrichment and local URL filtering; TCP optimization; DNS.

F5 and intelligent traffic steering to VAS platforms: a unified platform simplifies delivery of network services
DS-Lite termination with F5 subscriber awareness.
Figure: PGW -> VIPRION (context-aware steering & intelligent service chaining) -> RTR -> Internet; data center VAS: video optimization, transparent caching, URL filtering, parental controls.

Network security & CGNAT in mobile: evolution and next steps
Gi firewalls are used in the mobile data path to protect:
Subscribers (e.g. battery drain attacks).
The network (e.g. port scans and sweeps leading to RNC paging / signaling overload).
IPv4 address exhaustion resulted in CGNAT deployments: NAT44 enabled on the existing Gi firewall, or NAT44 enabled on a different standalone CGNAT platform. The CGNAT function is a stateful operation and hence has several characteristics of a Gi firewall.
Future challenges:
Traditional firewalls lack the scale/performance to deal with increasing NAT44 traffic.
Some standalone CGNAT platforms (routers) lack the security features to deal with new Gi firewall requirements (IPv6).

Mobile networks in EMEA: typical IPv4-IPv6 transition plan
Chart (2010, 2013, 2016): capacity / throughput and address consumption over time. Public IPv4 address space exhausted; need to introduce private IPv4 (Gi-FW); introduction of IPv6. Bands: public IPv4 (Gi-FW), private IPv4 (CGNAT), public IPv6.

CGNAT and Gi-FW needs in mobile. Option 1: leverage the FW for CGNAT
Chart (2010, 2013, 2016): public IPv4 (firewall for Gi-FW), private IPv4 (firewall for CGNAT), public IPv6.
Options in sequence: enable NAT on the firewall; firewall max capacity reached (connections / bandwidth); add more firewalls with load balancers; investigate alternatives (router, ADC).

CGNAT and Gi-FW needs in mobile. Option 2: introduce a router for CGNAT
Chart (2010, 2013, 2016): public IPv4 (firewall for Gi-FW), private IPv4 (router for CGNAT), public IPv6.
Options in sequence: add a router for CGNAT; IPv6 requires a Gi firewall again; introduce new firewalls for IPv6, or investigate alternatives (ADC).

CGNAT and Gi-FW needs in mobile. Option 3: F5 for consolidated Gi-FW / CGNAT
Chart (2010, 2013, 2016): public IPv4 (firewall for Gi-FW), private IPv4 (F5 for CGNAT), public IPv6.
Sequence: introduce F5 for CGNAT; IPv6 requires a Gi firewall again (enable the AFM module on F5).

Platform consolidation: happening now
Network function consolidation.
L2-L3, 2005-2010: dedicated platforms from different vendors (L2 switching, MPLS L2 PE, IP routing, MPLS L3 PE, BRAS/BNG, FW/CGN) consolidated into a single platform, the multi-service router (MPLS L2 PE, L3 routing, MPLS L3 PE, BRAS/BNG, L3/L4 firewall, CGNAT).
L4-L7, 2010-2014: dedicated platforms from different vendors (full proxy with TCP optimization and HTTP header enrichment, policy enforcement, DPI/PCEF, L7 steering, firewall, CGNAT) consolidated into a unified platform (TCP optimization, HTTP HE, L7 steering, CGNAT, firewall).

F5: the only reasonable choice
Chart: traffic distribution over time from GGSN/PGW to the Internet. Private IPv4 through CGNAT (NAT44, NAT64), public IPv4, public IPv6 through the Gi-FW (AFM).
High scale / performance. Gradual transition from CGNAT to IPv6 Gi-FW. Investment protection.

Backup slides

DNS64 in action
Figure: IPv6 client, ADC (DNS64), v6 DNS and v4 DNS, IPv4/IPv6 Internet.
1. The IPv6 client sends a DNS query for www.server.com.
2. The ADC sends AAAA & A queries to DNS (www.server.com AAAA to the v6 DNS, www.server.com A to the v4 DNS).
3a. If a v6 record exists, the AAAA record is returned to the client as usual.
3b. If only a v4 A record is returned, the ADC adds the 96-bit prefix to the A record and returns an AAAA to the client.
4. The ADC responds to the DNS request with an AAAA response.

1: IPv6 client accesses IPv6 content
1. The IPv6 client sends traffic to the server www.server.com using its IPv6 address.
2. The server responds directly to the IPv6 client.

2: IPv6 client accesses IPv4 content
NAT64 mapping: 96-bit prefix + IPv4 address to IPv4 address.
1. The client sends traffic to www.server.com with the IPv6 address built from the LTM 96-bit prefix and the IPv4 address.
2. The LTM transforms the v6 destination address to the v4 address for outgoing IPv4 traffic.
3. The LTM maps and transforms the IPv4 server address to v6 for the return traffic to the IPv6 client.
4. The LTM responds to the client with an IPv6 source.
BIG-IP translates IPv6 addresses carrying the prefix to IPv4 addresses (NAT64).

IPv6 to IPv4 Gateway: NAT64
Figure: IPv6 client, IPv6 network, IPv6-to-IPv4 gateway (DNS64 + NAT64), IPv4 network, www.ipv4test.com.
IPv4-to-IPv6 prefix: 64:ff9b::. www.ipv4test.com has IPv4 address 16.100.100.100 (hex notation: ::1064:6464).
DNS request: www.ipv4test.com. DNS64 response: AAAA www.ipv4test.com = 64:ff9b::1064:6464.
GET http://www.ipv4test.com to IPv6 64:ff9b::1064:6464 -> NAT64 -> GET http://www.ipv4test.com to IPv4 16.100.100.100.
Response from IPv4 16.100.100.100 -> NAT64 -> response from IPv6 64:ff9b::1064:6464.
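The prefix arithmetic that these NAT64/DNS64 backup slides and the set-top-box example earlier in the deck both rely on, as an added example in Python rather than iRules; it is not F5 or BIG-IP code. Only the 64:ff9b:: prefix and 16.100.100.100 come from the slide; the DNS and PTR tables, the documentation addresses in them, the 2001:db8:46::/96 NAT46 prefix and all function names are constructed.

```python
import ipaddress

# Constructed example (not F5/BIG-IP code): the <96-bit prefix>:<ipv4> mapping
# behind DNS64/NAT64 and the NAT46 variant of the set-top-box example. The DNS
# answers are an in-memory table standing in for the resolvers.
WKP = "64:ff9b::/96"   # prefix shown in the NAT64 slide


def _prefix(p):
    net = ipaddress.IPv6Network(p)
    if net.prefixlen != 96:
        raise ValueError("mapping prefix must be a /96")
    return net


def embed_v4(prefix, v4):
    """Put the IPv4 address in the low 32 bits behind the /96 prefix."""
    base = int(_prefix(prefix).network_address)
    return str(ipaddress.IPv6Address(base | int(ipaddress.IPv4Address(v4))))


def extract_v4(prefix, v6):
    """NAT64 data plane: recover the v4 destination. Addresses outside the prefix are
    refused so only traffic the NAT64 prefix is meant to attract gets translated."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in _prefix(prefix):
        raise ValueError(f"{v6} is not inside {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


# Constructed DNS content (documentation addresses, not real servers)
DNS = {
    "www.ipv4test.com": {"A": ["16.100.100.100"]},                       # v4-only
    "www.server.com":   {"A": ["198.51.100.10"], "AAAA": ["2001:db8::10"]},
    "vod1.example.net": {"A": ["192.0.2.20"],   "AAAA": ["2001:db8:100::20"]},
}
PTR = {"192.0.2.20": "vod1.example.net"}


def dns64_answer(name, prefix=WKP):
    """Steps 3a/3b of the DNS64 slide."""
    rr = DNS.get(name, {})
    if rr.get("AAAA"):                       # 3a: native AAAA, returned as usual
        return list(rr["AAAA"])
    return [embed_v4(prefix, a) for a in rr.get("A", [])]   # 3b: synthesize


def nat64_outbound(dst_v6, prefix=WKP):
    """Step 2 of the NAT64 slide: v6 destination -> v4 destination."""
    return extract_v4(prefix, dst_v6)


def stb_nat46(src_v4, dst_v4, prefix):
    """Old v4 STB -> new v6 VOD server: PTR on the old server address, AAAA on the
    name, then SNAT the STB to <prefix>:<src v4> so the v6 side maps back to it."""
    name = PTR.get(dst_v4)
    if name is None or not DNS.get(name, {}).get("AAAA"):
        return None                          # no v6 server behind this old address
    return {"dst_v6": DNS[name]["AAAA"][0], "snat_v6": embed_v4(prefix, src_v4)}
```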

Intelligent Traffic Management in action: steering to 2 VAS services, subscriber and RAT-type based
Subscriber policies: John: video optimization, LTE bypass. Paul: video optimization always. Emma: parental control.
Figure: subscribers (John, Paul, Emma) -> GGSN/PGW -> Intelligent Traffic Management -> Internet; service provider VAS (video optimization, parental control). Control plane: PCRF (Diameter Gx, Gy), AAA (Radius, RAT-type updates), other API (subscriber policies).
Policy-enabled per-connection or per-transaction steering to VAS/optimization.

Intelligent Traffic Management in action: user John, http traffic on LTE (policy: video optimization, LTE bypass).

Intelligent Traffic Management in action: user John, http traffic on 3G (policy: video optimization, LTE bypass).

Intelligent Traffic Management in action: user Paul, http traffic on 3G/LTE (policy: video optimization always).

Intelligent Traffic Management in action: user Emma, http traffic on 3G/LTE (policy: parental control).

References
https://f5.com/products/service-provider-products/carrier-grade-nat
https://f5.com/products/service-provider-products/policy-enforcement-manager
NAT64/DNS64: RFCs 6146, 6147
464XLAT: RFC 6877
Dual-Stack Lite (DS-Lite): RFC 6333
XLAT demo: https://sites.google.com/site/tmoipv6/464xlat