Agenda
Motivation: World IPv6 Launch 6/6/2012
Carrier-Grade NAT: definition and design
Dual-stack: v4v6, v6-only, NAT64, 464
IPv6 in Mobile: role in 3G and EPS
IPv6 in Wireline: PPPoE and IPoE sessions
Cisco CGN Products: ASR1000, ASR5000, ASR9000, CRS
2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
[Figure: IPv4 address pool run-out timeline. Markers: IANA Pool, Feb 3, 2011; RIR Pool, Feb 6, 2012 (*)]
Mar 23, 2011: $11.25 per IPv4 address (http://blog.internetgovernance.org/blog/_archives/2011/3/23/4778509.html)
Internet v6 Content
- YouTube goes IPv6: DE-CIX sees a 30x increase in IPv6 traffic
- Google is 1/10th of Internet traffic
World IPv6 Day
What was it?
A single day (24 hrs) on which major content providers advertised a AAAA DNS record for their production service (e.g. www.cisco.com, www.facebook.com); coordinated by the Internet Society.
Who participated?
Google, Facebook, Yahoo!, Akamai, Cisco and Limelight Networks were among 434 participants that offered content from their main websites over IPv6 for a 24-hour "test drive". Cross-industry community effort: http://www.worldipv6day.org/participants/index.html
Why do this?
- Demonstrates the commercial viability of IPv6
- Helps identify areas of improvement in IPv6 functionality
World IPv6 Launch (6/6/2012)
What is it?
www.worldipv6launch.org; coordinated by the Internet Society
IPv6 strategy alignment example
IPv4 address space completion:
- Public or private space
- Limiting network expansion and putting business continuity at risk
- Introducing operational challenges
National IPv6 strategies:
- Compliance: U.S. Federal mandate, IPv6 task force
- Next Generation Internet (CNGI) project in China and Japan
- European Commission Recommendation
Why IPv6 rather than more address sharing: characteristics, reasons and examples
Characteristic             | Reason                                                                                  | Example
Infrequent use             | Maintaining NAT bindings for rare-occurrence events is inefficient                      | Earthquake warning service (NTT IPv6); smoke detectors (6LoWPAN)
Universal connectivity     | Reachability of devices in the home; peer-to-peer                                       | Dozens of IPv6 tunnel brokers = unconstrained
Green network              | A PC with many networked applications sends many keep-alives; each needs power across the network | Skype for iPhone drains batteries via application data-plane keep-alives
Scalable/green data center | A persistent client/server transport connection is needed to keep the NAT binding open  | Facebook IM long polling
High bit rate + NAT        | Smaller SP margin per bit for AFT vs. competitors without that cost                     | Netflix On-Demand supports IPv6; Google is 1/10th of Internet traffic
Preserve, Prepare, Prosper
Carrier-Grade NAT: Definition and design
Courtesy of Jason Fesler, Yahoo (V6 World Congress 2012)
Public IPv4 Deployment
[Diagram: mobile data path, UE - eNB - Serving Gateway - PDN GW, with public IPv4 end to end]
Declining adoption: <30% of all carriers offer public IPv4 addresses to their subscribers
NAT44: Central Large Scale NAT44
IPv4 user plane with Large Scale NAT44
v4 user plane carried over 3GPP-defined tunneling:
- GTP
- PMIP/GRE
- IPsec
Native IPv4 forwarding to/from the CGN
CGN sizing: O(10G) throughput, O(20M) bindings, some subscriber awareness
Large Scale NAT44 (LSN44) in wireline
Multiple customers are multiplexed behind an SP-managed NAT device (a Large Scale NAT).
LSN44 multiplexes several customers onto the same public IPv4 address; each customer has a unique private IPv4 address.
[Diagram: Home Gateway (IPv4-Private) - Access Node - BRAS - CGN (NAT44, with AAA) - IPv4 Internet]
Most broadband users are behind NAT today!
When people say NAT, they typically mean NAPT.
NAT (basic NAT)
- First described in 1991 (draft-tsuchiya-addrtrans), RFC 1631
- 1:1 translation: does not conserve IPv4 addresses
- Per-flow stateless
- Today's primary use is inside enterprise networks: connecting overlapping RFC 1918 address space
NAPT
- Described in 2001 (RFC 3022)
- 1:N translation: conserves IPv4 addresses, allows multiple hosts to share one IPv4 address
- Only TCP, UDP and ICMP
- Connection has to be initiated from inside
- Per-flow stateful
- Commonly used in home gateways and enterprise NAT
Note: NAT66 is stateful or stateless, but it is not NAPT.
CGN = IP Address Sharing
Inherent issues (draft-ford-shared-addressing-issues):
- Servers must also log source port numbers (draft-ietf-intarea-server-logging-recommendations)
- Shared IP address = shared suffering: blacklisting, spam, ...
- Tracking and law enforcement
- Requesting specific ports: not everyone can get port 80
- Geo-location issues (get me the nearest ATM)
- Complicates inbound access to media
- Keepalives: power consumption, mobile battery drain
ALG (Application Layer Gateway): a L3/L4 device reaching into L7
Fixup for applications that have problems with a firewall (and symmetric NAT), e.g. an SDP m=/c= line announcing the private address 10.1.1.1 port 1234:
- No inbound connections (media, p2p, ...)
No problem with Full Cone NAT (ALG not needed).
Regulatory issues: ISPs can't sniff/modify Over-The-Top application data using ALGs, e.g.
- breaking location awareness in Vonage emergency calls
- breaking RTSP media streaming from Netflix or Amazon
ALG interference with NAT traversal techniques (SIP ICE, RTSP mmusic, ...)
[Figure: application logos: iTunes, Google Maps, Playstation Network, Windows Live Messenger, iPhone App Store, Google Talk]
Temporary exceptions (old protocols): RTSPv1 (m.youtube.com) or MS PPTP
Symmetric NAT
Firewalling behavior; often implemented on firewalls and CPE routers.
[Diagram: User-A (192.168.1.1/24) behind a NAT/PAT with NAT pool 140.0.0.1/24; User-B on the outside; User-C at 160.0.0.1/24]
The NAT translates src-ip and src-port: User-A 192.168.1.1:5000 becomes 140.0.0.1:6000 for the session to User-B.
Only User-B's return traffic to 140.0.0.1:6000 is translated into the inside network; a packet from User-C to 140.0.0.1:6000 is dropped, so User-C cannot reach User-A.
Full Cone NAT
[Diagram: same topology; User-A 192.168.1.1:5000 is mapped to 140.0.0.1:6000]
The NAT translates src-ip and src-port: User-A 192.168.1.1:5000 becomes 140.0.0.1:6000.
With Full Cone NAT, not only User-B but also User-C (160.0.0.1/24) can reach User-A by sending to 140.0.0.1:6000.
NAT behavior classification (RFC 4787 terminology)
Mapping behavior: Endpoint Independent, Address Dependent, Address and Port Dependent
Filtering behavior: Endpoint Independent, Address Dependent, Address and Port Dependent
Mapping \ Filtering    | Endpoint Independent | Address Dependent      | Address:Port Dependent
Endpoint Independent   | Full Cone NAT        | Address Restricted NAT | Port Restricted NAT
Address Dependent      | -                    | -                      | -
Address:Port Dependent | -                    | -                      | Symmetric NAT
Examples placed on the slide: CGN (Full Cone NAT, EIM/EIF); IOS router with enable-sym-port (Symmetric NAT); Linksys WRT610N; IOS router (default)
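The mapping/filtering matrix above is easiest to check by running it. The following toy NAPT model is an added example, not code from the slides or from Cisco: it implements RFC 4787's EIM/APDM mapping and EIF/ADF/APDF filtering behaviours and replays the User-A / User-B / User-C scenario from the Symmetric NAT and Full Cone NAT slides. User-B's address (150.0.0.1:80) and User-C's port are assumptions; the other addresses are the slides' own.

```python
"""Toy NAPT model for RFC 4787 mapping and filtering behaviours (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Mapping:
    internal: Endpoint
    external_port: int
    peers: Set[Endpoint] = field(default_factory=set)  # remotes the inside host sent to


class ToyNAPT:
    """mapping: EIM (endpoint independent) or APDM (address+port dependent);
    filtering: EIF, ADF (address dependent) or APDF (address+port dependent)."""

    def __init__(self, external_ip: str, mapping: str = "EIM",
                 filtering: str = "EIF", first_port: int = 6000):
        assert mapping in ("EIM", "APDM") and filtering in ("EIF", "ADF", "APDF")
        self.external_ip, self.mapping, self.filtering = external_ip, mapping, filtering
        self._by_key: Dict[tuple, Mapping] = {}
        self._by_port: Dict[int, Mapping] = {}
        self._next_port = first_port

    def outbound(self, internal: Endpoint, remote: Endpoint) -> Endpoint:
        """Inside host sends to remote; returns the external ip:port used."""
        # EIM reuses one mapping per inside ip:port; APDM keys it on the remote too,
        # so every new destination gets a fresh external port (symmetric NAT).
        key = internal if self.mapping == "EIM" else (internal, remote)
        m = self._by_key.get(key)
        if m is None:
            m = Mapping(internal, self._next_port)
            self._next_port += 1
            self._by_key[key] = m
            self._by_port[m.external_port] = m
        m.peers.add(remote)
        return self.external_ip, m.external_port

    def inbound(self, remote: Endpoint, external_port: int) -> Optional[Endpoint]:
        """Packet from remote to external_port; returns the inside endpoint, or None if filtered."""
        m = self._by_port.get(external_port)
        if m is None:
            return None
        if self.filtering == "EIF":
            allowed = True
        elif self.filtering == "ADF":
            allowed = any(p[0] == remote[0] for p in m.peers)
        else:  # APDF
            allowed = remote in m.peers
        return m.internal if allowed else None


def classify(mapping: str, filtering: str) -> str:
    """Cell of the mapping x filtering matrix in the classic 'cone' vocabulary."""
    if mapping == "EIM":
        return {"EIF": "Full Cone NAT", "ADF": "Address Restricted NAT",
                "APDF": "Port Restricted NAT"}[filtering]
    return "Symmetric NAT"


def scenario(mapping: str, filtering: str) -> dict:
    """Replay the slides: User-A 192.168.1.1:5000 behind NAT pool 140.0.0.1 talks
    to User-B; then User-C (160.0.0.1) tries to reach User-A's external mapping."""
    nat = ToyNAPT("140.0.0.1", mapping, filtering)
    user_a: Endpoint = ("192.168.1.1", 5000)
    user_b: Endpoint = ("150.0.0.1", 80)    # constructed; not on the slide
    user_c: Endpoint = ("160.0.0.1", 7000)  # 160.0.0.1/24 on the slide, port assumed
    ext = nat.outbound(user_a, user_b)
    b_reaches_a = nat.inbound(user_b, ext[1]) == user_a
    c_reaches_a = nat.inbound(user_c, ext[1]) == user_a
    # Does a second destination reuse the same external port (EIM) or not (APDM)?
    same_port = nat.outbound(user_a, user_c)[1] == ext[1]
    return {"kind": classify(mapping, filtering), "external": ext,
            "b_reaches_a": b_reaches_a, "c_reaches_a": c_reaches_a,
            "same_port_for_new_peer": same_port}


if __name__ == "__main__":
    for combo in (("EIM", "EIF"), ("EIM", "APDF"), ("APDM", "APDF")):
        print(scenario(*combo))
```

The `same_port_for_new_peer` flag is what STUN relies on: with EIM the address learned from one peer is valid for every peer, with APDM it is not, which is why a symmetric NAT forces P2P applications onto TURN relays.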
CGN with EIM/EIF (Full Cone NAT)
Use case example: Session Traversal Utilities for NAT (STUN, ICE), used by P2P apps to advertise themselves such that others can contact them from outside-in.
NAT traversal toolkit:
- STUN, Session Traversal Utilities for NAT, RFC 5389: think http://whatismyip.com
- ICE, Interactive Connectivity Establishment, RFC 5245 (e.g. Yahoo SIP)
- TURN, Traversal Using Relays around NAT, RFC 5766
CGN as a new IP infrastructure element
Separate infrastructural necessity from services (firewalling, etc.): no ALGs, no firewalling behavior.
Focus on:
- Transparency: keep just the necessary, endpoint independence
- Scale & performance: minimal cost
- Security: logging, port limits
- IPv6 preparation: NAT64, 6RD, etc.
CGN definition (RFC 4787, January 2007, and its successors)
A CGN is defined by constrained behavior:
- NAT behavior compliance (RFC 4787, RFC 5382, RFC 5508)
- Endpoint Independent Mapping and Filtering (Full Cone NAT)
- Paired IP address pooling behavior
- Port parity preservation for UDP
- Hairpinning behavior
- Static port forwarding (PCP)
- Current ALGs: RTSPv1, sometimes PPTP
Management:
- Port limit per subscriber
- Mapping refresh
- NAT logging
- Redundancy (intra-box Active/Standby, inter-box Active/Active)
IP address pooling
Paired (recommended): use the same external IP address mapping for all sessions associated with the same internal IP address.
[Diagram: inside host A's sessions map to outside A:200, A:201, A:202; inside host B's sessions map to outside B:201, B:202, B:200]
Hairpinning
Use case: allow communication between two endpoints behind the same NAT when they are trying to reach each other's external IP addresses.
[Diagram: inside X:100 is mapped to outside A:200 and inside Y:100 to outside B:200; a packet from X to B:200 is hairpinned by the NAT back inside to Y:100]
Static port forwarding
Requirement: ability to configure a fixed private (internal) IP address:port associated with a particular subscriber, while the CGN allocates a free public IP address:port.
Future: PCP (Port Control Protocol) for users.
- Option 1: handset/host with a PCP client talks PCP directly to the PCP server on the CGN
- Option 2: PCP client on the CPE, acting as UPnP IGD proxy and NAT-PMP proxy for the home devices, talks PCP to the PCP server on the CGN
No Port Overloading
A NAT must not have a "Port assignment" behavior of "Port overloading" (i.e. using port preservation even in the case of a collision). Most applications will fail if this is used.
Courtesy of NTT; see also Hiroshi Esaki: www2.jp.apan.net/meetings/kaohsiung2009/presentations/ipv6/esaki.ppt
Source: Application behaviors in terms of port/session consumption on NAT, http://opensourceaplusp.weebly.com/experiments-results.html
See also: An Experimental Study of Home Gateway Characteristics, https://fit.nokia.com/lars/papers/2010-imc-hgw-study.pdf, and http://www.ietf.org/proceedings/78/slides/behave-8.pdf
Port limit per subscriber
Classic IOS: per box, default is none; ASR1K since IOS XE 3.4S:
  ip nat translation max-entries all-host 300
Port consumption scenarios
- L (low-scale) scenario: 3G mobile users, smart-phones
- M (medium-scale) scenario: ADSL subscribers, PC users with 3G/4G dongles, tablets, WiFi and top smart-phone users
- H (high-scale) scenario: heavy broadband users, Internet sharing
Redundancy: stateful or stateless?
- Millions of short-lived Layer-4 sessions: stateful sync makes no sense for such ephemeral state (memory & CPU), e.g. ASR1000 does not sync HTTP
- Stateless redundancy: at 1 Msps, 100K active users (10M concurrent sessions) are back up in 10 s with minimal loss
- Load-sharing = simple ECMP routing
- Best practice: simple non-revertive 1:1 warm standby
NAT logging
Data retention law compliance, user trackability: who posted content to a server on Tuesday at 8:09:10 pm?
Lookup chain: global IP:port -> CGN log -> private IP:port -> MSISDN
Directive 2006/24/EC - Data Retention
Logging format: must be fast and efficient (binary format)
- Syslog: very chatty, inefficient ASCII encoding (113 B for an add-event)
- NetFlow v9 or IPFIX: 21 B add-event, 11 B delete-event; dynamic, template-based format
- Up to 68 add-events per 1500 B export packet; 1 Msps = cca 14.7 Kpps, 176 Mbps
Tip: IsarFlow tested CGN NFv9 collector
Reality check: 100K CGN users would consume 3.5 TB of storage per year (compressed, fully SQL-searchable data); e-shop price of a 4 TB disk: 300 Euro
Logging for compliance and data analytics
Usage:
- Correlating with servers that do not log the source port (Apache default)
- Data analytics (full NetFlow-like information)
Bulk port allocation
Implementation: when a subscriber creates its first connection, N contiguous outside ports are pre-allocated; additional connections from that subscriber use one of the N pre-allocated ports. A bulk-allocation message is logged for the port range, and a bulk-delete is logged once there are no more sessions in that range.
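To make the bulk-allocation, port-limit and logging behaviour concrete, here is an added example (not Cisco's implementation): a toy allocator that hands out ports from pre-allocated contiguous blocks, enforces a per-subscriber port budget in the spirit of `ip nat translation max-entries all-host 300`, records one add-event per block rather than per session (the bulk-delete is recorded by closing that record), answers the data-retention question "who held this public IP:port at time t" from that log, and sizes the export stream for the NetFlow v9 and syslog figures quoted on the logging slide. Block size, public IP, subscriber addresses and timestamps are assumptions.

```python
"""Toy CGN port allocator: bulk blocks, per-subscriber limit, compact log, lookup."""
from collections import defaultdict
from math import ceil


class PortLimitExceeded(Exception):
    """Raised when a subscriber exceeds its NAT port budget."""


class BulkPortAllocator:
    def __init__(self, public_ip, bulk_size=64, port_limit=300, low=1024, high=65535):
        self.public_ip = public_ip
        self.bulk_size = bulk_size
        self.port_limit = port_limit   # cf. 'ip nat translation max-entries all-host 300'
        self.low = low
        # Free blocks are identified by their first port; a block is bulk_size contiguous ports.
        self.free_blocks = list(range(low, high - bulk_size + 2, bulk_size))
        self.blocks = defaultdict(dict)   # subscriber -> {block_start: set(ports in use)}
        self.log = []                     # one record per block allocation, not per session

    def _block_start(self, port):
        return self.low + (port - self.low) // self.bulk_size * self.bulk_size

    def session_count(self, sub):
        return sum(len(used) for used in self.blocks[sub].values())

    def open_session(self, sub, now):
        """Return the public port for a new session of `sub` (its private address)."""
        if self.session_count(sub) >= self.port_limit:
            raise PortLimitExceeded(sub)
        # Reuse a free port inside a block the subscriber already owns ...
        for start, used in self.blocks[sub].items():
            for port in range(start, start + self.bulk_size):
                if port not in used:
                    used.add(port)
                    return port
        # ... otherwise take a fresh block and log exactly one add-event for it.
        if not self.free_blocks:
            raise RuntimeError("public port pool exhausted")
        start = self.free_blocks.pop(0)
        self.blocks[sub][start] = {start}
        self.log.append({"event": "bulk-add", "t": now, "sub": sub, "ip": self.public_ip,
                         "start": start, "end": start + self.bulk_size - 1, "t_end": None})
        return start

    def close_session(self, sub, port, now):
        start = self._block_start(port)
        used = self.blocks[sub][start]
        used.remove(port)
        if not used:   # last session in the block: release it and record the bulk-delete
            del self.blocks[sub][start]
            self.free_blocks.append(start)
            for rec in reversed(self.log):
                if rec["sub"] == sub and rec["start"] == start and rec["t_end"] is None:
                    rec["t_end"] = now
                    break

    def lookup(self, public_ip, port, t):
        """Data-retention query: which subscriber held public_ip:port at time t?"""
        for rec in self.log:
            if (rec["ip"] == public_ip and rec["start"] <= port <= rec["end"]
                    and rec["t"] <= t and (rec["t_end"] is None or t < rec["t_end"])):
                return rec["sub"]
        return None


def export_load(sessions_per_sec, events_per_packet, packet_bytes):
    """Export packet rate and Mbit/s for a given add-event rate and packing density."""
    pps = ceil(sessions_per_sec / events_per_packet)
    return pps, pps * packet_bytes * 8 / 1e6


if __name__ == "__main__":
    cgn = BulkPortAllocator("100.0.0.221", bulk_size=64, port_limit=300)
    ports = [cgn.open_session("10.12.0.29", 100 + i) for i in range(100)]
    print(len(ports), "sessions,", len(cgn.log), "log records")
    print(cgn.lookup("100.0.0.221", ports[70], 250))
    print("NFv9 at 1 Msps:", export_load(1_000_000, 68, 1500))
    print("syslog at 1 Msps:", export_load(1_000_000, 1, 113))
```

With 68 add-events per 1500-byte packet the helper reproduces the slide's 14.7 Kpps / 176 Mbps for 1 Msps; one 113-byte syslog datagram per event needs 1 Mpps and roughly 900 Mbit/s of export bandwidth for the same session rate, before bulk allocation cuts the event count further.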
Gi Firewall
- Protects against overcharging on usage-billed (non flat-fee) APNs
- Protects against network scans waking phones from fast-dormancy state (battery drain)
- CGN does not help here; a real firewall is needed
Two deployment options:
- Per-PDP firewall (no NAT) on the gateway (PDP, LI, DPI, ALG), then a separate CGN with public IPv4 and logging
- Per-PDP firewall & NAT on the gateway (PDP, LI, DPI, ALG), then BGP to public IPv4
Current situation
Massive growth in mobile data traffic and in the number of mobile end-points.
IPv4 run-out: most operators have started to deploy NAT44.
Dual-stack: v4v6, v6-only, NAT64, 464
Dual-stack
[Diagram: dual-stack subscribers; IPv6 traffic is forwarded natively to the IPv6 Internet, while IPv4 traffic from private IPv4 space passes through the CGN to the public IPv4 Internet]
Deploying IPv6 in dual stack does not solve IPv4 address exhaustion: CGN is still needed.
Happy Eyeballs
I get a AAAA record and I have IPv6 configured locally (SLAAC). But what if the IPv6 network is broken?
Behavior of a typical web browser: try IPv6 and fall back to (or race) IPv4.
Implementations: Firefox 10, Chrome (last stable), OS X 10.7 Lion getaddrinfo(), Safari, iPhone iOS 4.3.1
NOTE this impacts CGN44: draft-ietf-v6ops-happy-eyeballs; the extra IPv4 connection attempts mean a high session setup rate [sps] on the NAT44.
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_13-3/133_he.html
Wireline access
IPv6/MPLS core is easy. The access is difficult.
[Diagram: RG - Access Node (DSLAM, MSAN, OLT...) - BNG over L2, carrying IPv6 and IPv4; the BNG obtains IPv6 parameters from NMS/addressing, AAA and DHCPv6]
Mobile access
Four types of PDP/PDN contexts: PPP (legacy), IPv4, IPv6, and the new IPv4v6 (introduced in 3GPP Rel 9).
ASR5000, Cisco's packet core solution, supports the IPv4v6 PDN.
Use dual-stack PPPoE
[Diagram: Customer - Access - Aggregation - Edge (BNG) - Core (IP/MPLS)]
- SLAAC or DHCPv6 can be used to number the WAN link with a global address
- DHCPv6-PD is used to delegate a prefix for the home network
- PPPoE Tag Line-id authentication; RADIUS IPv6 attributes as per RFC 3162
6rd
[Diagram: dual-stack (IPv4 + IPv6) CPE / 6rd RG (Remote Gateway) - IPv4 access - IGW/CGN - 6rd BR (Border Relay) - IPv4 + IPv6 core / Internet]
- IPv6 destination inside the 6rd domain: encapsulate in IPv4, protocol 41, to the IPv4 address extracted from the v6 prefix (which contains the v4 part)
- IPv6 destination outside the 6rd domain: encapsulate in IPv4 for the BR
6rd (Rapid Deployment): the residence's IPv6 subnet is constructed from the SP 6rd prefix and the RG's IPv4 address.
Transition technology comparison (addresses run-out vs. operations & deployment)
- Dual-Stack: one network; big CGN for IPv4
- Dual-Stack Lite: one network; CGN in the IPv6 network
- NAT64 / DIVI: SP-class XLAT, stateful or stateless
- 6rd: two networks!! IPv6 can't talk to IPv4
- 4o6 / 4RD: stateless
IPv6 and Large Scale Address Family Translation (AFT64)
[Diagram: IPv6-only UE - eNB - Serving Gateway - PGW (public IPv6) - NAT64 / LSN64 - public IPv4. Stateful LSN64: the NAT64 PREFIX:: is announced in the IGP so that IPv4-destined traffic is routed to the translator. Stateless variant: 0::0 announced in the IGP.]
draft-mdt-softwire-map-translation-00 (MAP-T)
- Demo code ready (ASR1000 World V6 Congress demo)
- Employs port-restricted NAT44 + stateless NAT46 on the CPE to allow IPv4-only hosts access to the IPv4 Internet across an IPv6-only network; also enables IPv6-only devices to access the IPv4 Internet
- Algorithmic mapping (based on a configured or well-known schema) of IPv4 ports to/from the IPv6 address
- Uses IPv4-embedded IPv6 addresses (no encapsulation: MAP-T translates)
- Stateless NAT64 at the border; can also be enabled in stateful mode for other IPv6-only clients
- IPv6 hosts use native addressing and IPv6 routing to the public IPv6 Internet
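The "algorithmic mapping of IPv4 ports to/from the IPv6 address" is the part of MAP-T that replaces per-session NAT state at the border. The following is an added example, not the draft's or Cisco's demo code; it follows the port-set algorithm and address layout that this draft lineage standardized in RFC 7597 (port = A | PSID | M with offset 6; CE interface identifier = 16 zero bits | IPv4 | PSID) and RFC 6052 for the IPv4-embedded destination. The mapping rule 2001:db8::/40 + 192.0.2.0/24, the 16 EA bits (8 IPv4 suffix bits + 8-bit PSID), the NAT64 prefix 64:ff9b::/96 and all addresses are documentation values chosen here.

```python
"""MAP-style port-set and address mapping (added example; RFC 7597 / RFC 6052 layout)."""
import ipaddress


def port_set(psid: int, psid_len: int, offset: int = 6) -> list:
    """All ports owned by one PSID: port = A<<(16-offset) | PSID<<m | M, m = 16-offset-psid_len.
    A = 0 is excluded, so the low 2**(16-offset) ports (0..1023 for offset 6) are never shared out."""
    m = 16 - offset - psid_len
    return [(a << (16 - offset)) | (psid << m) | j
            for a in range(1, 1 << offset) for j in range(1 << m)]


def psid_of_port(port: int, psid_len: int, offset: int = 6) -> int:
    m = 16 - offset - psid_len
    return (port >> m) & ((1 << psid_len) - 1)


def port_in_set(port: int, psid: int, psid_len: int, offset: int = 6) -> bool:
    if port >> (16 - offset) == 0:        # A == 0: reserved range, belongs to nobody
        return False
    return psid_of_port(port, psid_len, offset) == psid


def map_ce_address(rule_v6: str, rule_v4: str, ea_len: int, ipv4: str,
                   psid_len: int, psid: int, subnet_id: int = 0) -> ipaddress.IPv6Address:
    """CE IPv6 address from a basic mapping rule: rule IPv6 prefix || EA bits
    (IPv4 suffix || PSID) || subnet id || IID (16 zero bits || IPv4 || PSID)."""
    v6 = ipaddress.IPv6Network(rule_v6)
    v4 = ipaddress.IPv4Network(rule_v4)
    host = ipaddress.IPv4Address(ipv4)
    suffix_len = ea_len - psid_len
    if host not in v4 or v4.prefixlen + suffix_len != 32:
        raise ValueError("IPv4 address does not fit the mapping rule")
    ea = ((int(host) & ((1 << suffix_len) - 1)) << psid_len) | psid
    end_user_len = v6.prefixlen + ea_len
    prefix = int(v6.network_address) | (ea << (128 - end_user_len))
    iid = (int(host) << 16) | psid
    return ipaddress.IPv6Address(prefix | (subnet_id << 64) | iid)


def br_decode(ce_addr) -> tuple:
    """What the BR recovers statelessly from a CE source address: (IPv4, PSID)."""
    n = int(ipaddress.IPv6Address(ce_addr))
    return str(ipaddress.IPv4Address((n >> 16) & 0xFFFFFFFF)), n & 0xFFFF


def br_accepts(ce_addr, src_port: int, psid_len: int) -> bool:
    """BR anti-spoofing: the translated IPv4 source port must lie in the CE's own port set."""
    _, psid = br_decode(ce_addr)
    return port_in_set(src_port, psid, psid_len)


def embed_ipv4(prefix96: str, ipv4: str) -> ipaddress.IPv6Address:
    """RFC 6052 /96 IPv4-embedded IPv6 address used as the translated destination."""
    net = ipaddress.IPv6Network(prefix96)
    if net.prefixlen != 96:
        raise ValueError("only the /96 embedding form is handled here")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


if __name__ == "__main__":
    ce = map_ce_address("2001:db8::/40", "192.0.2.0/24", 16, "192.0.2.18", 8, 0x34)
    print(ce, port_set(0x34, 8)[:4], br_decode(ce), br_accepts(ce, 1232, 8))
    print(embed_ipv4("64:ff9b::/96", "198.51.100.7"))
```

Because both the CE address and the port set are functions of the rule, the BR needs no binding table: it can verify that a packet's IPv6 source really owns the IPv4 source port it claims, which is the stateless counterpart of the per-session anti-spoofing a stateful CGN gets from its translation table.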
Future, no rough consensus in IETF yet
- Option A: stateful port-restricted NAT44 on the access side + v6 encapsulation to a stateless relay
- Option B: no NAT, v6 tunneling from the PGW to a stateful NAT44 (Gi-DS-Lite)
[Diagram: Gi-DS-Lite. Two UEs with the overlapping private address 10.1.1.1, in VPN1 and VPN2, attach to the PGW; the PGW tunnels them (Tunnel1/CID-1, Tunnel2/CID-2) across the IP/MPLS access tunnel to the Carrier Grade NAT, which maps VPN1 10.1.1.1 TCP/4444 to 134.95.166.10 TCP/7777 and VPN2 10.1.1.1 TCP/8888 to 134.95.166.10 TCP/5555 toward the public IPv4 Internet; the tunnel/context ID disambiguates the overlapping addresses]
IPv6 in Mobile: Role in 3G and EPS
Recommendation (clause 10)
3GPP specifications recognize two main strategies to provide IPv6 connectivity to UEs.
For the first strategy, the operator may provide IPv4 and IPv6 connectivity for the UE. According to the scenario considered, the operator will assign a public IPv4 address or a private IPv4 address in addition to an IPv6 prefix. The operator can select one of the technical solutions described in clause 7 of this document.
The second strategy, consisting of providing the UE with IPv6-only connectivity, can be considered as a first stage or an ultimate target scenario for operators. The operator can use NAT64/DNS64 capability to access IPv4-only services if access to IPv4 services is needed.
Note: clause 7 lists 3 solutions: 1) NAPT44; 2) GI-DS-lite (encapsulations defined in 3GPP: GRE and MPLS VPN); 3) Stateful NAT64
Already being done by T-Mobile USA
Their reasons make perfectly good sense, and they are proving it can work.
http://www.networkworld.com/community/blog/testing-nat64-and-dns64
PDP types: IPv4, IPv6 and IPv4v6
[Diagram: mobile gateway with PCRF/AAA/DHCP, serving IPv4-Public and IPv6-Public PDP types]
Mobile network elements impacted by IPv6
Element               | Design consideration (if IPv6 is used for Internet & internal apps) | Impact
eNodeB                | Radio layer; can use IPv4 backhaul                                    | No
RNC                   | Iu-CS/Iu-PS can use IPv4 backhaul                                     | No
SGSN                  | Initiates mobile APN query & authentication                           | Yes
HLR/HSS               | IPv6 capable                                                          | Yes
GGSN                  | IPv6 PDP, standard IPv6 features, prefix allocation                   | Yes
Billing               | Mediation and processing of IPv6 CDRs                                 | Yes
DPI, Quota Server     | Pre-paid implementation, IPv6 parsing & CDR capability                | Yes
WAP, Data Accelerator | IPv6 packet compression, cache capability                             | Yes
Firewalls             | IPv6 rules capability, performance                                    | Yes
DNS                   | IPv6 DNS capability; selects the GGSN for a given APN                 | Yes
Two IPv6 deployment domains
[Diagram: EPS reference architecture with its interfaces. UE - eNB (E-UTRAN; S1-U GTP-U; S1-MME S1-AP) - MME (S10 GTP-C, S11 GTP-C, S6a DIAMETER to HSS) - S-GW (S5 GTP-C/GTP-U or PMIPv6/GRE) - PDN-GW (SGi to the operator's IP services / x-CSCF; S6b DIAMETER to 3GPP AAA; Gx to PCRF). SGSN for GERAN/UTRAN (S3 GTP-C, S4 GTP-C/GTP-U, S12 GTP-U). PCRF (Rx+, Gx, Gxa, Gxb, Gxc). HSS (SWx DIAMETER). Trusted non-3GPP IP access (S2a PMIPv6/GRE or MIPv4 FACoA; STa RADIUS/DIAMETER). Untrusted non-3GPP IP access via ePDG (SWu IKEv2/MOBIKE/IPsec from the UE; S2b PMIPv6/GRE; SWm DIAMETER; SWn and SWa TBD).]
IPv6 in Wireline: PPPoE and IPoE sessions
Dual-stack PPPoE session: basic authentication/authorization + DHCP-PD
Parties: routed RG, Ethernet or DSL access node, BNG, RADIUS AAA, DHCPv6 server
1. PPPoE discovery and PPP LCP; the BNG sends a RADIUS Access-Request for "user1" carrying the Line-id.
2. Link-local addressing; SLAAC via ICMPv6 Router Advertisement from the BNG with the O-bit set; the RG installs a default route to the BNG (optionally a prefix as well).
3. The RG sends a DHCPv6 Solicit (PD + DNS); the BNG relays it (Relay-Forward) to the DHCPv6 server, which answers with a Relay-Reply; the RG receives the DHCPv6 Reply* with PD = 2001:DB8:AAAA::/56 and DNS server = 2001:DB8:BB::1 (* assuming DHCPv6 rapid commit is in effect).
4. In the home network the RG sends an ICMPv6 RA with the O-bit and SLAAC prefix 2001:DB8:AAAA::/64; the host configures 2001:DB8:AAAA::1 and a default route, then asks for DNS with a DHCPv6 Request and receives DNS = 2001:DB8:BB::1 in the DHCPv6 Response.
1:1 VLAN (QinQ)
[Diagram: each customer (Customer 1, Customer 2) gets its own VLAN between the access node and the BNG]
N:1 VLAN (802.1Q), IPoE session
[Diagram: Customer 1 (X::/56) and Customer 2 (Y::/56) share one VLAN on the Ethernet or DSL access node toward the BNG; shared subnet with split-horizon; on the shared link just link-local, or an NMS /64]
1. The RG sends a DHCPv6 Solicit (PD + DNS); the access node inserts the Circuit-id and relays the DHCP message; the BNG authorizes via RADIUS (Access-Accept).
2. The BNG sends a DHCPv6 Relay-Forward to the DHCPv6 server and receives the Relay-Reply; the PD route is installed on the BNG and the DHCPv6 Reply (with Interface-id) delivers PD = 2001:DB8:AAAA::/56 and DNS server = 2001:DB8:BB::1.
3. In the home network the RG sends an ICMPv6 RA with the O-bit and SLAAC prefix 2001:DB8:AAAA::/64; the host configures 2001:DB8:AAAA::1 and a default route, then obtains DNS = 2001:DB8:BB::1 via DHCPv6 Request/Response.
Scale example (RP2+ESP20): PPPoEoQinQ dual-stack sessions (PTA): 32,000
6rd prefix construction
[Diagram: bits 0-32 6rd prefix 2011:1000::/32; bits 32-56 the IPv4 address with its domain-common leading octet masked off (1.1.1); bits 56-64 subnet-ID; bits 64-128 interface ID]
In this example the 6rd prefix is /32 and 24 bits of the IPv4 address are carried. Any number of bits may be masked off, as long as they are common for the entire domain. This is very convenient when deploying with a CGSE (private IPv4 space behind the CGN), but is equally applicable to aggregated global IPv4 space.
[Diagram: 6rd CEs (IPv4 + IPv6) across the IPv4 access to multiple 6rd Border Relays and the IPv4 + IPv6 core / Internet]
6rd packet walk: between subscriber and Internet, private IPv4 addresses
Address legend:
- 10.100.100.1: 6rd BR anycast address
- 10.3.1.1: RG private IPv4 address, obtained via DHCPv4
- 2001:4860:0:1001::68: www.google.com IPv6 address
- 3456:789:0003:0101::1: RG IPv6 address, derived from the SP IPv6 prefix 3456:789/28 and the RG's IPv4 address; 6rd parameters obtained via a new DHCPv4 option or TR-69
Encapsulation legend: [IPv4 destination | IPv4 source] [IPv6 destination | IPv6 source] payload
1. Subscriber network (v4+v6): the host sends an IPv6 packet, destination 2001:4860:0:1001::68, source 3456:789:0003:0101::1.
2. The 6rd RG encapsulates it in IPv4: destination 10.100.100.1 (BR anycast), source 10.3.1.1; the packet crosses the IPv4 access network, the BNG and the ISP IPv4 core.
3. The 6rd BR decapsulates, checks the IPv6 source against the IPv4 source (copy v4 addr from v6) and forwards the IPv6 packet natively over the ISP IPv6 core to the IPv6 Internet.
4. Return traffic: the BR receives the IPv6 packet for 3456:789:0003:0101::1, derives 10.3.1.1 from the v6 prefix and encapsulates with IPv4 destination 10.3.1.1, source 10.100.100.1; the RG decapsulates and delivers it to the subscriber network.
6rd packet walk: between subscribers, private IPv4 addresses
Address legend:
- 10.3.1.1: RG1 private IPv4 address; 3456:789:0003:0201::1: RG1 IPv6 address (SP IPv6 prefix 3456:789/28)
- 10.3.2.1: RG2 private IPv4 address; 3456:789:0003:0202::1: RG2 IPv6 address (SP IPv6 prefix 3456:789/28)
RG1 recognizes that RG2's IPv6 address lies inside the 6rd domain, derives RG2's IPv4 address from it and encapsulates directly: IPv4 destination 10.3.2.1, source 10.3.1.1. The packet is forwarded by the BNG across the IPv4 access network and never touches the 6rd BR or the IPv6 core; RG2 decapsulates.
Security
- Anti-spoofing: the 6rd BR checks that the IPv6 source address matches the encapsulating IPv4 source address
- The 6rd RG (CPE) performs the mirror check on decapsulation: an in-domain IPv6 source must match the encapsulating IPv4 source, and anything else must arrive from the BR anycast address
QoS
- The IPv6 DSCP is automatically copied into the IPv4 header
- QoS pre-classify supported
HA
- 6rd is stateless: no SSO needed at the 6rd BR
- We use anycast (the same /32s in the IGP; the nearest BR is chosen)
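The prefix construction on the 6rd slides and the BR/CE anti-spoofing checks are a few lines of bit arithmetic. The following added example (not Cisco code) implements them for a domain with a /32 6rd prefix and the leading IPv4 octet masked off, as on the "6rd prefix is /32" slide; it also makes the CE forwarding decision (in-domain destinations go CE-to-CE, everything else to the BR). The 6rd prefix 2001:db8::/32, the common IPv4 prefix 10.0.0.0/8, the BR anycast address 10.100.100.1 and the CE addresses 10.3.1.1 / 10.3.2.1 are assumptions (the last three mirror the packet-walk slides).

```python
"""6rd prefix derivation and the BR/CE source checks (added example, not Cisco code)."""
import ipaddress


class SixRdDomain:
    """One 6rd domain: SP IPv6 prefix, the IPv4 prefix whose leading bits are
    common to every CE (and therefore masked off), and the BR anycast address."""

    def __init__(self, v6_prefix: str, v4_common_prefix: str, br_anycast: str):
        self.v6 = ipaddress.IPv6Network(v6_prefix)
        self.v4 = ipaddress.IPv4Network(v4_common_prefix)
        self.br = ipaddress.IPv4Address(br_anycast)
        self.v4_bits = 32 - self.v4.prefixlen          # IPv4 bits carried in the IPv6 prefix
        self.delegated_len = self.v6.prefixlen + self.v4_bits
        self._shift = 128 - self.delegated_len

    def delegated_prefix(self, ce_v4: str) -> ipaddress.IPv6Network:
        """CE prefix = 6rd prefix || (CE IPv4 address minus the masked-off bits)."""
        suffix = int(ipaddress.IPv4Address(ce_v4)) & ((1 << self.v4_bits) - 1)
        return ipaddress.IPv6Network(
            (int(self.v6.network_address) | (suffix << self._shift), self.delegated_len))

    def in_domain(self, v6_addr: str) -> bool:
        return ipaddress.IPv6Address(v6_addr) in self.v6

    def ipv4_of(self, v6_addr: str) -> ipaddress.IPv4Address:
        """Reverse: put the masked-off common bits back in front of the embedded suffix."""
        suffix = (int(ipaddress.IPv6Address(v6_addr)) >> self._shift) & ((1 << self.v4_bits) - 1)
        return ipaddress.IPv4Address(int(self.v4.network_address) | suffix)

    def next_hop(self, v6_dst: str) -> ipaddress.IPv4Address:
        """CE forwarding: in-domain destinations go CE-to-CE, everything else to the BR."""
        return self.ipv4_of(v6_dst) if self.in_domain(v6_dst) else self.br

    def br_accepts(self, v4_src: str, v6_src: str) -> bool:
        """BR anti-spoofing: the inner IPv6 source must embed the outer IPv4 source."""
        return self.in_domain(v6_src) and self.ipv4_of(v6_src) == ipaddress.IPv4Address(v4_src)

    def ce_accepts(self, v4_src: str, v6_src: str) -> bool:
        """CE check before decapsulation: an in-domain IPv6 source must be consistent
        with the IPv4 source; any other IPv6 source must arrive from the BR anycast address."""
        if self.in_domain(v6_src):
            return self.ipv4_of(v6_src) == ipaddress.IPv4Address(v4_src)
        return ipaddress.IPv4Address(v4_src) == self.br


if __name__ == "__main__":
    d = SixRdDomain("2001:db8::/32", "10.0.0.0/8", "10.100.100.1")
    print(d.delegated_prefix("10.3.1.1"))                    # 2001:db8:301:100::/56
    print(d.next_hop("2001:db8:302:100::1"))                  # 10.3.2.1, CE-to-CE
    print(d.next_hop("2001:4860:0:1001::68"))                 # 10.100.100.1, via the BR
    print(d.br_accepts("10.9.9.9", "2001:db8:301:100::1"))    # False: spoofed inner source
```

Both checks are pure functions of the packet, which is what lets the BR stay stateless and anycast: any BR instance can validate and forward any packet without sharing state with its peers.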
Source: http://home.cisco.com/en-us/ipv6
Cisco CGN Products: ASR1000, ASR5000, ASR9000, CRS
Cisco CGN portfolio
- CRS: CGSE PLIM + FP40 (NAT44, NAT64, 6RD, DS-Lite); 20M xlates, 1 Msps, 20 Gbps
- ASR9000: ISM module (NAT44, DS-Lite); BNG NAT44 for PPPoE sessions; 20M xlates, 1 Msps, 15 Gbps
- ASR5000: per-subscriber GGSN/PGW NAPT, Gi firewall, DPI, charging; 120M xlates, 1 Msps
- ASR1000: integrated (NAT44, NAT64, 6RD); BNG NAT44 for PPPoE sessions; 2M xlates, 100 Ksps, 20 Gbps
- XR12000: CGN daughter card for the PRP-3 (NAT44, future NAT64); 10M xlates, 250 Ksps, 6 Gbps
CGSE (Carrier Grade Services Engine)
Translation table example (paired pooling: one inside address keeps one outside address):
  Inside            Outside
  10.12.0.29:334    100.0.0.221:18808
  10.12.0.29:856    100.0.0.221:40582
  ...
VRFs separate the private and public routing tables; interfaces are associated with a VRF; ServiceApp interfaces are used to send packets to/from the CGSE.
Timers (per CGN), default values:
  ICMP        60 sec
  UDP init    30 sec
  UDP active  120 sec
  TCP init    120 sec
  TCP active  30 min
CGSE hardware (CRS)
- Uses a line card slot paired with FP40
- Supports 20 Gbps aggregate bandwidth
- 20M NAT44 translations, 15M NAT64 translations
- Octeon CPUs, 1M sps
[Block diagram: PLA, accelerator FPGAs, iPSE/ePSE packet service engines, IngressQ/EgressQ/FabQs, midplane, fabric]
ISM hardware (ASR9000)
- Uses a line card slot; connects via the fabric
- ISM supports 10 Gbps aggregate bandwidth
- 20M NAT44 translations (today), 15M NAT64 translations (planned)
- 1M sps
[Block diagram: I/O fabric hub ASIC, two 24 Gb bridges, application CPUs (Intel) with application memory, ISM management CPU, two modular expansion cards, backplane]
CGN daughter card on the GSR PRP-3 (XR12000)
World IPv6 Launch 6/6/12
Thank you.