IPv4 Exhaustion - NAT and Transition To IPv6 - BRKSPG-2602

IPv4 Exhaustion: NAT and Transition to IPv6
for Service Providers

Session BRKSPG-2602
BRKSPG-2602 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
Goal of Transition Technologies

Overview of Transition Technologies
Dual Stack and Happy Eyeballs
6rd, 6rd with NAT, Dual-Stack Lite, CGN
Port Control Protocol
NAT64 for IPv6-only networks
This is a Service Provider talk !
BRKSPG-2602 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Goal of IPv6 Transition Technologies
Recommended Approach to Deployment:
RFC 4213 Dual-Stack Deployment
IPv4+IPv6 Hosts (Dual Stack)

Solution:
Hosts today support dual stack
Windows 7, OSX, iOS, Linux, BSD
Make the network support dual stack IPv4+IPv6
But Network
IPv4 exhaustion means we cannot assign

every host an IPv4 address
IPv6-only
Hosts or Network
Perspective
Long term: simple network, single protocol IPv6

Short term: cant switch to IPv6 immediately
So:
IPv6 needs to interoperate with IPv4
Address Depletion Causes Friction
The ISP problem:

Users need the IPv4 Internet
Harder to grow the business
The user problem:
Shared IPv4 address space
At some point, services will work better using IPv6
Transition Goals
1. Turn on IPv6 in the network core

2. Deploy IPv6 to end users
Without host changes (without Teredo or ISATAP)
3. Operationally sound
Consistent user experience
Easy to troubleshoot
Transition Technologies in one Slide
Obtain IPv4 Addresses

IPv4
IPv4 Address Sharing
IPv4 CGN Dual
6rd Dual
Address Stack
+ Stack MAP
Run-Out CGN Lite
IPv6 6rd

IPv4
IPv4 CGN Dual
6rd Dual
Address Stack
+ Stack MAP
Run-Out CGN Lite
IPv6 6rd
Obtain IPv4 addresses from RIR or open market

RIR: request IPv4 addresses. There are still addresses available!
Open market: $10 per IPv4 address
Advantage: No CGN, no address sharing, no operational changes

Disadvantage: If not also deploying IPv6, probably delaying the inevitable
Deploy IPv6, too!
Dual Stack: Host Gets IPv4 and IPv6 Address

IPv4
IPv4 CGN Dual
6rd Dual
Address Stack
+ Stack MAP
Run-Out CGN Lite
IPv6 6rd
Problems with Dual Stack
Dual Stack: Host gets IPv6 address and IPv4 address

IPv4 address might be shared with other hosts (NAT, MAP)
Dual stack is not perfect
Hosts simply prefer IPv6 over IPv4
This is generally necessary
It gets IPv6 traffic on the network
Without this preference, IPv4 would persist until IPv4 is turned off
But what if IPv6 is broken? Overloaded???
IPv6 peering is down ...
Tunnel is down ...
Problem and Solution
Dual-stack client connecting to dual-stack server

Dual-stack cannot be slower than IPv4
If slower, users blame IPv6 and disable IPv6!
IPv6 cannot be slower than IPv4
Problem Described
The Happy Eyeballs Solution
Optimizing Happy Eyeballs
Happy Eyeballs
Users are happy fast response even if IPv6 (or IPv4) path is down
Network administrators are happy
Users no longer trying to disable IPv6
Reduces IPv4 usage (reduces load on CGN)
Content providers are happy
Improved geolocation and DoS visibility with IPv6
RFC6555, draft-ietf-v6ops-happy-eyeballs
By Dan Wing and Andrew Yourtchenko
Happy Eyeballs Coverage
Web browsing is the most common application
www other
First, improve the web browsing experience

Second, improve other applications
Instant messaging, email client, etc.
Happy Eyeballs Implementations
Google Chrome (in current stable channel)

Mozilla Firefox version 13
Apple OSX 10.7 (Lion)

getaddrinfo()
Safari
Apple iOS 4.3.1
Chrome and Firefox Implementation
Utilizes long-established 250-300ms backup thread

Originally just tried the next IP address
Happy Eyeballs: tries the next IP address family
Follows getaddrinfo() address preference
IPv6 is usually preferred by the Operating System
Result: IPv6 gets 250-300ms head start
Apple Implementation
Apple Framework calling CFSocketStream

A and AAAA queried simultaneously
Attempt connection immediately
First to connect wins
Legacy applications calling getaddrinfo()
Addresses sorted based on previous connection success and connection failure
Result: user connects to fastest of IPv6 or IPv4
http://lists.apple.com/archives/Ipv6-dev/2011/Jul/msg00009.html
IPv4 Address Sharing: CGN

IPv4
IPv4 CGN Dual
6rd Dual
Address Stack
+ Stack MAP
Run-Out CGN Lite
IPv6 6rd
Carrier Grade NAT (CGN, LSN)
Subscribers Provider IP NGN Internet
Private
IP
Private
IPv4
Private IP IP
IPv4
IPv4
Private IP
IPv4 Carrier Grade

NAT44
(CGN, LSN)
Private Private IP Moves into the SP
IP
Dual-Stack Lite

IPv4
IPv4 CGN Dual
6rd Dual
Address Stack
+ Stack MAP
Run-Out CGN Lite
IPv6 6rd
Dual-Stack Lite
Uses Carrier-Grade NAT44 (CGN)

Requires IPv6 access network
IPv4-over-IPv6 tunnel from subscriber to CGN
Requires CPE router to support Dual-Stack Lite
RFC6333
Dual-Stack Lite: IPv4 over IPv6 Access
Subscribers NAT44 (AFTR) Internet
Private
IPv4
IPv6
IPv4
IPv6
Private IPv6
IPv4
IPv4
IPv6
IPv4-over-IPv6 Carrier-Grade
tunnels NAT44 (CGN, LSN)
6rd and 6rd with CGN

IPv4
IPv4 CGN Dual
6rd Dual
Address Stack
+ Stack MAP
Run-Out CGN Lite
IPv6 6rd
Problem: Gap in IPv6 Availability
AAA,
DHCP,
OSS
IPv6 Ready
Backbone
(6PE or
Native)
IPv6 Ready RG Access BNG Router

Hosts Node (BRAS,
(DSLAM) CMTS)
IPv4-Only Access,
Aggregation, AAA
6rd: While Connecting IPv6 Islands
IPv6 over IPv4
Subscribers Provider IP NGN Internet
Private
IPv4
IPv6 Private IP IPv4
IPv6
Private IPv6
IPv4 IPv4
IPv4
IPv6
Border Relay
IPv6 Moves out to Subscribers IPv6
6rd in One Slide
Subscriber IPv6 prefix One line global
derived from IPv4 address config for IPv6
Gateway 6rd
6rd 6rd
IPv4 + IPv6 Dual Stack

Native or
IPv4 + IPv6 6PE Core
IPv4 + IPv6
CE 6rd Border 6rd
Relays
IPv4
Native dual-stack IP service to the Subscriber
Simple, stateless, automatic IPv6-in-IPv4 encapsulation and decapsulation
IPv6 traffic automatically follows IPv4 Routing
6rd Border Relay placed at IPv6 edge
6rd with CGN
IPv4
CGN44
IPv6
6rd
CGN and 6rd IPv6 content flows directly

e.g., OSX, iOS, or Windows 7 will use IPv6
IPv4 content goes through CGN
Essential Parts of 6rd
Delivers IPv6 to subscribers, over IPv4

infrastructure
IPv6 Prefix Delegation derived from IPv4
Little configuration effort
Stateless 6rd border relay
Anycast redundancy
Works with Carrier Grade NAT
MAP

IPv4
IPv4 CGN Dual
6rd Dual
Address Stack
+ Stack MAP
Run-Out CGN Lite
IPv6 6rd
Mapping of Address and Port
Stateless device in operators network

No single point of failure, no need for high availability hardware
Can use anycast, can have asymmetric routing
Embeds part of subscribers IPv4 address and port into IPv6 address
Thus, IPv4 address plan influences IPv6 addressing plan
Need to decide how many UDP/TCP ports to allocate to each user
Mapping of Address and Port (MAP)
MAP-T, Translation
Formerly called Dual-IVI, draft-mdt-softwire-map-translation
CPE router performs NAT46, ISP performs NAT64
Advantage: IPv6 on the wire, (future) ability to do NAT46
MAP-E, Encapsulation
Formerly called 4rd, draft-mdt-softwire-map-encapsulation
Advantage: Tunnel (familiar technology)
4rd-U
Combination of MAP-T and MAP-E, draft-despres-softwire-4rd-u
Non-translatable IPv4 placed into IPv6 Fragmentation Header
Deep Dive: Address Sharing

IPv4
IPv4 CGN Dual
6rd Dual
Address Stack
+ Stack MAP
Run-Out CGN Lite
IPv6 6rd
IP Reputation
Reputation based on IPv4 address

Shared IP address = shared suffering
Workaround: distinguish between subscribers sharing IP address
draft-ietf-intarea-nat-reveal-analysis
draft-wing-nat-reveal-option
Server logs currently only contain IPv4 address
Servers logs need to include source port number, recommended by RFC6302
Better have users and content providers use IPv6!
Affects NATs, as everyone knows

Also affects non-NAT architectures!
CGN
a big NAT operated by an ISP (carrier), enterprise, or University
Dual-Stack Lite (called AFTR)
NAT444 (subscribers NAT44 and ISPs CGN44)
NAT64
MAP (Mapped Address and Port)
Conceptually, a CGN with (some) fixed ports
Address + Port, SD-NAT (Juniper), Deterministic NAT (Cablelabs)
IP Reputation
Image source: Jason Fesler, Yahoo!

Captcha challenge
Network Numbering, Port Limits, and Port
Forwarding
Subscribers will always have NATs at home
Faster wireless, $20 rebate coupon
Network numbering between subscriber and address-sharing device
RFC1918 conflicts with users space, breaks some subscriber NATs
Thus, use RFC1918 space or maybe RFC6598 (100.64.0.0/10) space
Per-subscriber TCP/UDP port limits
Prevent denying service to other subscribers
If too low, can interfere with applications (see next slide)
Port forwarding
Games, servers at home (Slingbox, webcam, etc.)
See also RFC6269

Insufficient Ports Break Applications
Shin Miyakawa, NTT Communications

Deep Dive: CGN

IPv4
IPv4 CGN Dual
6rd Dual
Address Stack
+ Stack MAP
Run-Out CGN Lite
IPv6 6rd
Application Layer Gateway (ALG)
Application awareness inside the NAT:

modify IP addresses and ports in application payload
creates NAT mapping
Each application requires a separate ALG
FTP, SIP, RTSP, RealAudio,
ALG needs to understand application nuances
ALG requires:
Un-encrypted signaling (!!)
Restricted network topology
Summary: ALG prevents application evolution and introduce bugs
Modern Applications Avoid Relying on ALG
Successful applications have to work everywhere
Coffee shop, home, work, hotel, airport, 3G
FTP Passive Mode

ICE (RFC5245) and STUN (RFC5389)
Intelligence in endpoint
Useful for offer/answer protocols (SIP, XMPP)
RTSPv1 abandoned on the desktop
effectively replaced with Flash over HTTP, and soon HTML5
RTSPv2 has ICE-like solution
Skype does its own NAT traversal
Linksys disabled SIP ALGs around 2006

Because of bugs and incompatibilities with SIP endpoints
CGN and Application Layer Gateway:
Operational Issues
Debugging / Troubleshooting Problems
SIP from vendor X works, but vendor Y breaks:
1. Vendor Y violated standard?
Meanwhile:
2. Vendor X has special sauce??
unhappy
3. ALG is broken??? users
Delays
Months for vendor turn-around for patches
Months for SP testing/qualification/upgrade window
ALG can break competitors over-the-top application (e.g.,
SIP, streaming video)
Regulators frown on interference
Port Forwarding
Running a server permanently
Slingbox (TCP/5001), Webcam (TCP/80)
Running a server temporarily
During a VoIP call
UPnP IGD 1.0, commonly available
Enabled on ~20% of home NATs
IPv4 only. Multicast discovery
Not available on enterprise NATs
UPnP IGD 2.0, recently standardized
Supports IPv6. No support for NAT64 or NAT46
NAT-PMP, Apple
IP Address Sharing: Operating a Server
One port only goes to one subscriber
Everybody wants TCP/80
Address
IPv4
IPv4private Sharing Internet
device
(CGN, MAP)
TCP/80
(HTTP)
Port Control Protocol (PCP)
UPnP IGD 1.0 and 2.0 are unsuitable for CGN
Multicast discovery, no support for NAT64, XML
PCP is a new protocol, draft-ietf-pcp-base
Simple UDP request/responses, easy to parse
Two major functions:
1. Port forwarding
2. Reduce keepalive traffic (battery-operated devices: tablets, smartphones)
PCP Supports:
IPv6 firewall, IPv4 firewall, NAT44, NAT64, NAT46, NPTv6 (NAT66), RFC6296
Home NAT and Carrier Grade NAT
Supported by all the major vendors
PCP: Purpose
Control TCP and UDP ports in NATs and firewalls

Operate a server (e.g., webcam, NAS)
Operating a symmetric client/server (e.g., VoIP)
Reduce TCP/UDP keepalive messages (e.g., wireless device)
Restore state (e.g., NAT power loss or crash)
52
PCP Deployment
Host implements PCP
PCP Server
PCP Server
Proxy UPnP IGD to PCP

Customer PCP
PCP Server
UPnP IGD Premise Client
Router
NAT64 for IPv6-only Networks
NAT64 Introduction
Translate between IPv6 and IPv4
IPv4
IPv6
NAT64
IPv6-only hosts IPv4-only hosts
From NAT-PT to NAT64
NAT-PT (RFC2766) combined all translation scenarios

IPv4 to IPv6 is problematic; IPv6 space is bigger
Broke DNSSEC
NAT-PT is legacy do not use it! (it has known problems)
RFC4966 said IPv6/IPv4 translation causes other side

effects
And some are not solvable
But we need a translation solution, called NAT64

IETF started new solution in 2009, finished in 2010
Cisco shipped new solution in 2011
IPv6/IPv4 Translation
Stateful Stateless
1:N translation 1:1 translation
NAPT NAT
TCP, UDP, ICMP Any protocol
Shares IPv4 addresses No IPv4 address savings
Just like dual-stack
(MAP does share)
IPv4/IPv6 Translation Scenarios
stateful stateless
IPv6 IPv4
1. Network
Internet
2. IPv4 IPv6
Network
Internet
3. IPv6 IPv4
Internet Network
4. IPv4 IPv6 Not yet needed;

Network
Internet no IPv6-only content
5. IPv6
Network
IPv4
Network
6. IPv4
Network
IPv6
Network
Details on Scenario 1 and Scenario 3
stateful stateless
IPv6 IPv4
1. Network
Internet
2. IPv4 IPv6
Network
Internet
3. IPv6 IPv4
Internet Network

Network
5. IPv6
Network
IPv4
Network
6. IPv4
Network
IPv6
Network
Connecting an IPv6 network to the IPv4 Internet
IPv6-only trials at T-Mobile USA, Swisscom, China Mobile

85% of mobile applications work IPv6 native or work with NAT64
IPv6-only is not yet viable for wireline Internet service

Too many IPv4-only computers, users, and applications
Televisions, streaming media players, ...
While at Cisco Live: experiment with the IPv6-only SSID

It uses DNS64 & NAT64 to access to the IPv4 Internet
Connecting an IPv6 network to the IPv4 Internet
IPv6
Internet
DNS64
IPv6/IPv4
IPv4
Translator
Internet
(NAT64)
IPv6-only clients
Operators IPv6 network Internet

(An IPv6 Network)
DNS64
Synthesizes AAAA records when AAA not present
With IPv6 prefix of NAT64 translator
DNS64 Internet
IPv6-only host
AAAA? AAAA?
Empty answer
(sent
simultaneously) A?
2001:DB8:ABCD::192.0.2.1 192.0.2.1
DNS64
Works for applications that do DNS queries
http://www.example.com
IMAP, connecting to XMPP servers, etc.
Works with DNSSEC
Breaks for applications that use IP address literals
http://1.2.3.4
SIP, RTSP, H.323, XMPP peer to peer, etc.
Solutions:
Application-level proxy for IP address literals (HTTP proxy)
Learn NAT64s prefix, draft-ietf-behave-nat64-discovery-heuristic
NAT46/BIH (Bump In the Host), RFC6535
464XLAT (see next slide)
464XLAT
15% of applications break with IPv6 native or break with NAT64

Skype, among other interesting applications
http://tinyurl.com/nat64-breakage for a list
464 translation helps many of those 15% applications
464 = Handset does IPv4 to IPv6 translation (NAT46), network does NAT64
draft-ietf-v6ops-464xlat
Details on Scenario 1 and Scenario 3
stateful stateless
IPv6 IPv4
1. Network
Internet
2. IPv4 IPv6
Network
Internet
3. IPv6 IPv4
Internet Network

Network
5. IPv6
Network
IPv4
Network
6. IPv4
Network
IPv6
Network
IPv6 Internet into IPv4-only Datacenter
IPv6 Stateful
NAT64 Public IPv4
Private IPv4
IPv6 Internet IPv4 Datacenter
Issues with NAT64 for Data Center
Requires stateful translation
Because IPv6 Internet is bigger than IPv4 address space
Cannot represent every address in IPv4
All connections come from translators IPv4 address
Problem for abuse logging
Lack of X-Forwarded-For: header
Application proxy can be superior
Application proxy can add X-Forwarded-For: header
Example: Load balancer, Lighthttpd
But TLS interaction is different
See BRKRST-2301 and

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networ
ks/Internet_Edge/InternetEdgeIPv6.html
Summary
Summary
Goal: provide IPv6 service
Sustain IPv4 service with NAT if necessary
Dual-Stack Lite, 6rd, 6rd with NAT
NAT and NAPT, and CGN
Happy Eyeballs
Port Control Protocol
NAT64 for IPv6-only networks
Summary of Technology Requirements
Access Tunnel or In-network

Update CPE
network translate? state?
CGN No IPv4 Translate Yes (CGN)
DS-Lite Yes IPv6 Both Yes (CGN)
6rd Yes IPv4 Tunnel No
6rd + CGN Yes IPv4 Both Yes (CGN)
MAP-T: translate
MAP Yes IPv6 No
MAP-E: tunnel
Complete Your Online
Session Evaluation
Give us your feedback and you
could win fabulous prizes.
Winners announced daily.
Receive 20 Passport points for each
session evaluation you complete.
Complete your session evaluation
online now (open a browser through
our wireless network to access our Dont forget to activate your
portal) or visit one of the Internet Cisco Live Virtual account for access to
stations throughout the Convention all session material, communities, and
on-demand and live activities throughout
Center. the year. Activate your account at the
Cisco booth in the World of Solutions or visit
www.ciscolive.com.
Final Thoughts
Get hands-on experience with the Walk-in Labs located in World of

Solutions, booth 1042
Come see demos of many key solutions and products in the main Cisco
booth 2924
Visit www.ciscoLive365.com after the event for updated PDFs, on-
demand session videos, networking, and more!
Follow Cisco Live! using social media:
Facebook: https://www.facebook.com/ciscoliveus
Twitter: https://twitter.com/#!/CiscoLive
LinkedIn Group: http://linkd.in/CiscoLI

IPv4 Exhaustion - NAT and Transition To IPv6 - BRKSPG-2602

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

IPv4 Exhaustion - NAT and Transition To IPv6 - BRKSPG-2602

Enviado por

Direitos autorais:

Formatos disponíveis

IPv4 Exhaustion: NAT and Transition to IPv6

for Service Providers

Goal of Transition Technologies

This is a Service Provider talk !

IPv4+IPv6 Hosts (Dual Stack)

IPv4 exhaustion means we cannot assign

Long term: simple network, single protocol IPv6

The ISP problem:

1. Turn on IPv6 in the network core

Obtain IPv4 Addresses

Obtain IPv4 Addresses

Obtain IPv4 addresses from RIR or open market

Advantage: No CGN, no address sharing, no operational changes

Deploy IPv6, too!

Obtain IPv4 Addresses

Dual Stack: Host gets IPv6 address and IPv4 address

Dual-stack client connecting to dual-stack server

IPv6 cannot be slower than IPv4

Web browsing is the most common application

First, improve the web browsing experience

Google Chrome (in current stable channel)

Apple OSX 10.7 (Lion)

Utilizes long-established 250-300ms backup thread

Result: IPv6 gets 250-300ms head start

Apple Framework calling CFSocketStream

Obtain IPv4 Addresses

Subscribers Provider IP NGN Internet

IPv4 Carrier Grade

Obtain IPv4 Addresses

Uses Carrier-Grade NAT44 (CGN)

Subscribers NAT44 (AFTR) Internet

Obtain IPv4 Addresses

IPv6 Ready RG Access BNG Router

Subscribers Provider IP NGN Internet

IPv6 Private IP IPv4

IPv6 Moves out to Subscribers IPv6

IPv4 + IPv6 Dual Stack

CGN and 6rd IPv6 content flows directly

Delivers IPv6 to subscribers, over IPv4

Works with Carrier Grade NAT

Obtain IPv4 Addresses

Stateless device in operators network

Obtain IPv4 Addresses

Reputation based on IPv4 address

Better have users and content providers use IPv6!

Affects NATs, as everyone knows

Image source: Jason Fesler, Yahoo!

See also RFC6269

Shin Miyakawa, NTT Communications

Obtain IPv4 Addresses

Application awareness inside the NAT:

FTP Passive Mode

Linksys disabled SIP ALGs around 2006

Control TCP and UDP ports in NATs and firewalls

Proxy UPnP IGD to PCP

Translate between IPv6 and IPv4

NAT-PT (RFC2766) combined all translation scenarios

RFC4966 said IPv6/IPv4 translation causes other side

But we need a translation solution, called NAT64

4. IPv4 IPv6 Not yet needed;

4. IPv4 IPv6 Not yet needed;

IPv6-only trials at T-Mobile USA, Swisscom, China Mobile

IPv6-only is not yet viable for wireline Internet service