IPv6 implementation aspects in the operator's environment
Grzegorz Kornacki, F5 Field Systems Engineer

Exposing applications & services to IPv6
Exposing applications / services to IPv6
Facebook has already done it: https://sites.google.com/site/ipv6implementors/2010/agenda
Exposing applications / services to IPv6
Facebook has already done it. Scroll down a few slides to find a regular F5 config file.
Exposing applications / services to IPv6
It does not have to be CLI. Plus a DNS record.
Exposing applications / services to IPv6
Good to know: if there is a very old, black-box-like application that nobody wants to touch and that cannot log v6 addresses, you can:
1. Insert a bogus private v4 address into X-Forwarded-For and log the v4-to-v6 mapping into syslog
2. SNAT to a bogus private v4 address and log the v4-to-v6 mapping
Providing IPv6 to your Subscribers

Technologies overview

Technology         Translation / tunneling   Stateful translation place
Dual Stack         n/a                       n/a
6rd (v6 over v4)   tunneling                 n/a
NAT64/DNS64        translation               network
XLAT               translation               network
DS-Lite            tunneling                 network
MAP-E              tunneling                 CPE
MAP-T              translation               CPE
Out of classification example
Out of the classification example
Leading American cable TV service provider, over 15M CPEs.
New VOD servers are deployed in an IPv6-only network. Old set-top boxes are equipped with an IPv4 stack only. The service provider is not able to replace all set-top boxes at once.
New STB <-> new VOD server: pure IPv6 (v6 VOD server <-> v6 STB).
Out of the classification example
Leading American cable TV service provider, over 15M CPEs.
Old STB <-> new VOD server: mappings between server name - v4 address and server name - v6 address, held in DNS.
Diagram: v4 STB (IPv4 side) <-> F5 LTM <-> v6 VOD server (IPv6 side).
Out of the classification example
Leading American cable TV service provider, over 15M CPEs.
Old STB <-> new VOD server, DNS steps:
1. PTR query to get the name of the server
2. AAAA query to get the v6 address
The new v6 source address is <96-bit prefix>:<src IPv4>.
Diagram: v4 STB -> old v4 server address -> F5 LTM (own v4 address) -> v6 VOD server.
Out of the classification example
Leading American cable TV service provider, over 15M CPEs.
Old STB <-> new VOD server, DNS steps:
1. Query for the name of the server
2. Query to get the v4 address
The new v6 address is <96-bit prefix>:<src IPv4>.
Diagram: v4 STB -> old v4 server address -> F5 LTM (own v4 address) -> v6 VOD server.
Out of the classification example
Leading American cable TV service provider, over 15M CPEs.
Old STB <-> new VOD server: yes, it is F5 iRules!
The only event used: CLIENT_ACCEPTED.
Commands used: split, lrange, lindex, string tolower, getfield (standard TCL commands); IP::client_addr, IP::local_addr; RESOLV::lookup, node, snat.
Not a single if/then, switch, or while.
Plain Dual-Stack with NAT44
Diagram: home environment / smart phone -> CPE/AG -> access node -> BRAS/BNG (dual-stack) or GGSN/PGW -> IPv4/IPv6 network; IPv4 -> CGN (NAT44) -> IPv4 Internet; IPv6 -> Internet (dual-stack).
NAT44: translating the private IPv4 address into a public IPv4 address on the internet side (1:1 NAT and N:1 NAPT). Stateful operation.

Plain Dual-Stack with NAT44: Pros and Cons
PROS:
- Full manageability of the IPv4 and IPv6 subscriber traffic (on BNG / GGSN)
- Field-proven model that can be used in fixed and mobile (uniform model / FMC)
- No tunneling: less overhead, no fragmentation issues, etc.
CONS:
- May require more licenses on BNG and/or GGSN for dual-stack operation (pre 3GPP R9)
- Poor mobile phone coverage
- In fixed, the access and aggregation network should be IPv6 aware
- Routing private IPv4 addresses in the SP backbone may be undesirable
IPv6 Rapid Deployment (6RD)
Diagram: home environment -> CPE/AG -> access node -> BRAS/BNG (IPv4) or GGSN/PGW -> IPv4 network; IPv6 carried in an IPv4 tunnel to the 6RD Border Relay -> IPv6 Internet; native IPv4 -> CGN (NAT44) -> IPv4 Internet.
6RD Border Relay:
- Decapsulates the IPv4 tunnels coming from the CPE
- Forwards the encapsulated IPv6 packets coming out of these IPv4 tunnels towards the IPv6 internet
Note: the source IPv6 address for the user is constructed out of the 6RD prefix and the IPv4 address of the user (this allows for a stateless operation of the 6RD BR).
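As an added example (not from the deck), the stateless construction the note describes, written in Python with the standard ipaddress module: a CE's delegated IPv6 prefix is the 6rd prefix with the non-common bits of its IPv4 address appended, following RFC 5969, and the same arithmetic lets the BR (or an analyst reading its logs) recover the subscriber's IPv4 address from any IPv6 source inside the 6rd prefix. The domain parameters, the SixRdDomain class and all addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SixRdDomain:
    """6rd domain parameters shared by the CEs and the Border Relay (RFC 5969 terms)."""
    sixrd_prefix: ipaddress.IPv6Network   # e.g. 2001:db8::/32
    ipv4_prefix: ipaddress.IPv4Network    # IPv4 bits common to every CE; /0 embeds all 32

    @property
    def embedded_bits(self) -> int:
        # IPv4MaskLen bits are identical for every CE, so they are not carried in IPv6
        return 32 - self.ipv4_prefix.prefixlen

    @property
    def _shift(self) -> int:
        # The embedded IPv4 bits sit directly below the 6rd prefix bits
        return 128 - self.sixrd_prefix.prefixlen - self.embedded_bits

    def delegated_prefix(self, ce_ipv4: str) -> str:
        """CE side: 6rd prefix + embedded IPv4 bits = the CE's IPv6 delegated prefix."""
        v4 = ipaddress.IPv4Address(ce_ipv4)
        if v4 not in self.ipv4_prefix:
            raise ValueError(f"{ce_ipv4} is outside the 6rd IPv4 domain {self.ipv4_prefix}")
        low = int(v4) & ((1 << self.embedded_bits) - 1)
        net = int(self.sixrd_prefix.network_address) | (low << self._shift)
        plen = self.sixrd_prefix.prefixlen + self.embedded_bits
        return str(ipaddress.IPv6Network((net, plen)))

    def ce_ipv4_from(self, subscriber_ipv6: str) -> str:
        """BR side and log attribution: recover the CE IPv4 from a 6rd IPv6 address."""
        v6 = ipaddress.IPv6Address(subscriber_ipv6)
        if v6 not in self.sixrd_prefix:
            raise ValueError(f"{subscriber_ipv6} is not a 6rd address of {self.sixrd_prefix}")
        low = (int(v6) >> self._shift) & ((1 << self.embedded_bits) - 1)
        return str(ipaddress.IPv4Address(int(self.ipv4_prefix.network_address) | low))


def sixrd_domain(sixrd_prefix: str, ipv4_prefix: str = "0.0.0.0/0") -> SixRdDomain:
    """Build a domain from strings (constructed sample parameters, not a real operator's)."""
    return SixRdDomain(ipaddress.IPv6Network(sixrd_prefix), ipaddress.IPv4Network(ipv4_prefix))


if __name__ == "__main__":
    # Constructed sample: an RFC 5969 style domain 2001:db8::/32 with IPv4MaskLen 0
    dom = sixrd_domain("2001:db8::/32")
    print(dom.delegated_prefix("192.0.2.33"))        # 2001:db8:c000:221::/64
    print(dom.ce_ipv4_from("2001:db8:c000:221::1"))  # 192.0.2.33
```

With a non-zero IPv4MaskLen (for example a domain whose CEs all sit in 10.0.0.0/8) only 24 bits are embedded, which is why the delegated prefix length stays at /64 for a /40 6rd prefix.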
6RD Pros and Cons
PROS:
- No additional license costs on BNG/GGSN (keep the IPv4-based BNG/GGSN)
- Solution is transparent for the whole IPv4 network and requires little to no changes in the network
- Cheapest solution to introduce IPv6
CONS:
- Not future proof ("tunnel the future over legacy"), so considered temporary; it just postpones a real investment in an IPv6 network
- Still requires a NAT44 to deal with IPv4 address depletion
- CPE vendor support still limited
- Tunneling technique, potentially resulting in fragmentation & reassembly issues
NAT64 with DNS64
Diagram: home environment / smart phone -> CPE/AG -> access node -> BRAS/BNG (IPv6 only) or GGSN/PGW -> IPv6 network -> NAT64 (with DNS64) -> IPv4 Internet; native IPv6 -> Internet (IPv6 only).
DNS64: in case no AAAA exists for a destination, the DNS64 function adds a specific IPv6 destination prefix to the A address of the destination and constructs a AAAA response based on that. DNS64 can be internal in the BIG-IP providing the NAT64 function, or can be external.
NAT64:
- Attracts IPv6 subscriber traffic for the specific IPv6 destination prefix used to perform NAT64
- Extracts the IPv4 destination address out of the IPv6 destination address
- Uses a public IPv4 address pool to source traffic towards the IPv4 destination address (stateful)

Reachability of top 88 websites with NAT64/DNS64 (chart: pure IPv6 vs. IPv6 + F5 NAT64/DNS64)
Network Migration: NAT64 Pros and Cons
PROS:
- Natural phase-out of NAT
- Future-proof, setting the standard on IPv6 connectivity towards end users (IPv6-only sessions)
- No additional license costs on BNG/GGSN (transition from IPv4 to IPv6 on the user side)
- No tunneling: less overhead, no fragmentation issues, etc.
CONS:
- Testing by other operators reveals some issues with IPv4 literals in websites and applications (Skype, Google videochat)
- Not practical for fixed deployments: end-user equipment may not be IPv6-capable (gaming consoles, STB, ...)
XLAT (CLAT + NAT64)
Diagram: home environment / smart phone -> CPE/AG -> access node -> BRAS/BNG (IPv6 only) or GGSN/PGW -> IPv6 network (DNS64) -> PLAT (NAT64) -> IPv4 Internet; native IPv6 -> Internet (IPv6 only).
CLAT is the customer-side translator (XLAT) [RFC6145]. It translates 1:1 private IPv4 addresses to global IPv6 addresses. The CLAT function is applicable to a router or an end-node such as a mobile phone or PC; it is usually seen as a virtual interface with a v4 address.
PLAT is the provider-side translator [RFC6146]. It translates N:1 global IPv6 addresses to global IPv4 addresses. It is in fact NAT64 under a new name. PLAT does not require DNS64.

Network Migration: XLAT Pros and Cons
PROS:
- Natural phase-out of NAT
- Future-proof, setting the standard on IPv6 connectivity towards end users (IPv6-only sessions)
- No additional license costs on BNG/GGSN (transition from IPv4 to IPv6 on the user side)
- No tunneling: less overhead, no fragmentation issues, etc.
PROS (cont.):
- Delivers v4 addresses to the applications that need them
- Available as a software package for PCs
- Light-weight home router patch
- Applicable for fixed-line providers
CONS:
- IPv4 literals in websites (could be solved with iRules)
Scalability & Performance
Address translation is within the «DNA» of F5. CGNAT requires TCP/UDP connection management; packet-based solutions are not designed for that, while connection management is native in the BIG-IP system.
Single B4340N blade: 1M connections per sec, 60M connections, 80Gbps throughput.
VIPRION 4800 chassis with 8 blades: 8M connections per sec, 480M connections, 640Gbps throughput.
Unprecedented scale & performance.

Translation & Mapping Flexibility
Translation modes: Standard NAPT, Deterministic NAPT, PBA
Transition techniques: NAT44, NAT64/DNS64, DS-Lite, 6RD
Mapping & filtering: EIM, EIF, NAPT hairpinning, PCP
Legend: Now / Custom (iRules) / Next release
Logging Flexibility
Enriched CGNAT logging, adding subscriber info:

    when CLIENT_ACCEPTED {
        set hsl [HSL::open -proto TCP -pool syslog_server_pool]
        # Lookup the MSISDN, IMSI and charging ID for this subscriber IP
        set m [table lookup -subtable msisdn [IP::client_addr]]
        set i [table lookup -subtable imsi [IP::client_addr]]
        set c [table lookup -subtable chrid [IP::client_addr]]
    }
    when SERVER_CONNECTED {
        # Get time
        set t [clock format [clock seconds] -format {%Y%m%d%H%M%S}]
        HSL::send $hsl "<190> 0;$t;$m;$i;$c;[IP::client_addr];[TCP::client_port];[IP::local_addr];[TCP::local_port];[IP::remote_addr];[TCP::remote_port];[IP::protocol]\n"
    }
Dual Stack Lite (DS-Lite), supported now
Diagram: home environment (CPE/RG hosting the B4 function) -> access node -> BRAS/BNG (IPv6 only) or GGSN/PGW -> IPv6 network; IPv4 inside an IPv6 tunnel to the AFTR (DS-Lite, NAT44) -> IPv4 Internet; native IPv6 -> Internet (IPv6 only).
Limitations noted: unable to steer tunneled traffic; unable to distinguish IPv6 subscribers' sessions.
AFTR function:
- Decapsulates the IPv6 tunnels from the CPE (hosting the B4 function)
- Provides a stateful NAT44 function to the encapsulated IPv4 traffic
- Encapsulated IPv4 traffic has overlapping addresses

F5 Network Services: a unified platform and single management framework
- Intelligent traffic management
- CGNAT and IPv6 migration
- ICSA certified network firewall
- Policy enforcement
- Header enrichment and TCP optimization
- Local DNS
- URL filtering

F5 and intelligent traffic steering to VAS platforms: a unified platform simplifies delivery of network services
DS-Lite termination with F5 subscriber awareness.
Diagram: PGW -> RTR -> VIPRION (context-aware steering & intelligent service chaining) -> Internet; data center VAS: video optimization, transparent caching, URL filtering, parental controls.
Network security & CGNAT in mobile: evolution and next steps
Gi firewalls are used in the mobile data path to protect:
- Subscribers (e.g. battery drain attacks)
- The network (e.g. port scans and sweeps leading to RNC paging / signaling overload)
IPv4 address exhaustion resulted in CGNAT deployments:
- NAT44 enabled on the existing Gi firewall
- NAT44 enabled on a different standalone CGNAT platform
The CGNAT function is a stateful operation and hence has several characteristics of a Gi firewall.
Future challenges:
- Traditional firewalls lack the scale/performance to deal with increasing NAT44 traffic
- Some standalone CGNAT platforms (routers) lack the security features to deal with new Gi firewall requirements (IPv6)
Mobile networks in EMEA: typical IPv4-IPv6 transition plan
Chart (capacity / throughput and address consumption over 2010 - 2013 - 2016): public IPv4 address space exhausted -> need to introduce private IPv4; traffic classes: public IPv4 (Gi-FW), private IPv4 (CGNAT), introduction of IPv6 -> public IPv6.

CGNAT and Gi-FW needs in mobile, option 1: leverage the FW for CGNAT
Chart (2010 - 2013 - 2016): public IPv4 (firewall for Gi-FW), private IPv4 (firewall for CGNAT), public IPv6.
Enable NAT on the firewall. When the firewall max capacity is reached (connections / bandwidth), the options are: add more firewalls with load balancers, or investigate alternatives (router, ADC).

CGNAT and Gi-FW needs in mobile, option 2: introduce a router for CGNAT
Chart (2010 - 2013 - 2016): public IPv4 (firewall for Gi-FW), private IPv4 (router for CGNAT), public IPv6.
Add a router for CGNAT. IPv6 requires a Gi firewall again; the options are: introduce new firewalls for IPv6, or investigate alternatives (ADC).

CGNAT and Gi-FW needs in mobile, option 3: F5 for consolidated Gi-FW / CGNAT
Chart (2010 - 2013 - 2016): public IPv4 (firewall for Gi-FW), private IPv4 (F5 for CGNAT), public IPv6.
Introduce F5 for CGNAT. IPv6 requires a Gi firewall again: enable the AFM module on F5.
Platform consolidation: happening now
Network function consolidation:
- L2-L3 consolidation (2005 - 2010): from dedicated platforms of different vendors to a single platform, the multi-service router (L2 switching, IP routing, L3 routing, MPLS L2 PE, MPLS L3 PE, BRAS/BNG, firewall, FW/CGN).
- L4-L7 consolidation (2010 - 2014): from dedicated platforms of different vendors to a unified platform (full proxy with TCP optimization and HTTP header enrichment (HHE), policy enforcement, DPI/PCEF, L7 steering, CGNAT, L3/L4 steering).

F5 the only reasonable choice
Traffic distribution over time (from GGSN/PGW): private IPv4 -> NAT44 CGNAT -> public IPv4 Internet; public IPv4 -> NAT64 CGNAT; IPv6 -> Gi-FW (AFM) -> public IPv6 Internet.
- High scale / performance
- Gradual transition from CGNAT to IPv6 Gi-FW
- Investment protection
Backup slides
DNS64 in action
1. IPv6 client sends a DNS query for www.server.com
2. ADC sends AAAA & A queries to DNS: www.server.com (A) to the v4 DNS, www.server.com (AAAA) to the v6 DNS
3a. If the v6 DNS answers, the AAAA record is returned to the client as usual
3b. If only a v4 DNS A record is returned, the ADC adds the 96-bit prefix to the A record and returns a AAAA to the client
4. ADC responds to the DNS request with a AAAA response

1: IPv6 client accesses IPv6 content
1. IPv6 client sends traffic to the server www.server.com using its IPv6 address (IPv6 network)
2. The server responds directly to the IPv6 client
(www.server.com has both A and AAAA records; DNS64 returned the real AAAA.)
2: IPv6 client accesses IPv4 content
NAT64 mapping: 96-bit prefix + IPv4 address to IPv4 address
1. Client sends traffic to www.server.com using an IPv6 address made of the LTM 96-bit prefix and the server's IPv4 address
2. LTM transforms the v6 address to v4 addresses for the outgoing IPv4 connection
3. LTM maps and transforms the IPv6 client and v4 server addresses back to v6 for the return traffic
4. LTM responds to the client with an IPv6 source
BIG-IP translates IPv6 addresses carrying the prefix to IPv4 addresses (NAT64); www.server.com is IPv4 only.

IPv6 to IPv4 Gateway: NAT64
IPv6 client <-> IPv6 to IPv4 gateway (IPv4-to-IPv6 prefix 64:ff9b::) <-> IPv4 network
www.ipv4test.com, IPv4: 16.100.100.100 (hex notation: ::1064:6464)
DNS request: www.ipv4test.com
DNS64 response: AAAA www.ipv4test.com = 64:ff9b::1064:6464
GET http://www.ipv4test.com to IPv6: 64:ff9b::1064:6464
NAT64: GET http://www.ipv4test.com to IPv4: 16.100.100.100
Response http://www.ipv4test.com from IPv4: 16.100.100.100
NAT64: response http://www.ipv4test.com from IPv6: 64:ff9b::1064:6464
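As an added example (not from the deck), the prefix arithmetic behind DNS64 steps 3a/3b and the NAT64 mapping above, which is also the arithmetic behind the <96-bit prefix>:<src IPv4> addresses in the VOD case: Python that synthesizes a AAAA from an A record under a /96 prefix and recovers the IPv4 address from a prefixed IPv6 address, as an analyst would when attributing a NAT64-side log entry. The function names are constructed; the slide's 16.100.100.100 and 64:ff9b:: values are reused, and the second prefix and host are constructed sample data.

```python
import ipaddress

# Well-known NAT64 prefix used on the slide (RFC 6052); an operator /96 works the same way.
WELL_KNOWN_PREFIX = "64:ff9b::/96"


def synthesize_aaaa(ipv4: str, prefix: str = WELL_KNOWN_PREFIX) -> str:
    """DNS64 step 3b: place the 32-bit IPv4 address in the low 32 bits of the /96 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(net.network_address) | int(v4)))


def extract_ipv4(ipv6: str, prefix: str = WELL_KNOWN_PREFIX) -> str:
    """NAT64 step 2 (and log attribution): recover the IPv4 destination from a prefixed address.

    Addresses outside the prefix are native IPv6 and must not be translated.
    """
    net = ipaddress.IPv6Network(prefix)
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in net:
        raise ValueError(f"{ipv6} is not inside NAT64 prefix {prefix}")
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_answer(a_records: list, aaaa_records: list, prefix: str = WELL_KNOWN_PREFIX) -> list:
    """DNS64 steps 3a/3b: real AAAA records win; otherwise synthesize one per A record."""
    if aaaa_records:
        return list(aaaa_records)                              # 3a: v6 destination, unchanged
    return [synthesize_aaaa(a, prefix) for a in a_records]     # 3b: IPv4-only destination


if __name__ == "__main__":
    # Constructed sample data matching the slide: www.ipv4test.com has only an A record.
    answer = dns64_answer(["16.100.100.100"], [])
    print(answer)                    # ['64:ff9b::1064:6464']
    print(extract_ipv4(answer[0]))   # 16.100.100.100
    # Same arithmetic as the VOD case, with a constructed operator prefix instead of 64:ff9b::
    print(synthesize_aaaa("10.20.30.40", "2001:db8:64::/96"))  # 2001:db8:64::a14:1e28
```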
Intelligent Traffic Management in action: steering to 2 VAS services, subscriber & RAT-type based
Subscriber policies:
User   Subscriber Policy
John   Video Optimization, LTE bypass
Paul   Video Optimization always
Emma   Parental Control
Diagram: GGSN/PGW -> Intelligent Traffic Management -> Internet; service provider VAS: Video Optimization, Parental Control; control plane: PCRF (Diameter Gx, Gy), AAA (Radius, RAT-type updates), other API (subscriber policies).
Policy-enabled per-connection or per-transaction steering to VAS/Optimization.

Intelligent Traffic Management in action: user John, http traffic on LTE
Same policies and diagram as above; John's http traffic arrives over LTE (RAT-type known via Radius), policy: Video Optimization, LTE bypass.

Intelligent Traffic Management in action: user John, http traffic on 3G
Same policies and diagram as above; John's http traffic arrives over 3G, policy: Video Optimization, LTE bypass.

Intelligent Traffic Management in action: user Paul, http traffic on 3G/LTE
Same policies and diagram as above; Paul's http traffic on any RAT, policy: Video Optimization always.

Intelligent Traffic Management in action: user Emma, http traffic on 3G/LTE
Same policies and diagram as above; Emma's http traffic on any RAT, policy: Parental Control.
References
- https://f5.com/products/service-provider-products/carrier-grade-nat
- https://f5.com/products/service-provider-products/policy-enforcement-manager
- NAT64/DNS64: RFCs 6146, 6147
- 464XLAT: RFC 6877
- Dual-Stack Lite (DS-Lite): RFC 6333
- XLAT demo: https://sites.google.com/site/tmoipv6/464xlat