
Carrier-Grade NAT

IPv4 Exhaust and IPv6 Transition in Internet


Josef Ungerman
Cisco, CCIE#6167

2010 Cisco and/or its affiliates. All rights reserved. 1


Motivation
World IPv6 Launch 6/6/2012

Carrier-Grade NAT
Definition and design

Dual-stack
v4v6, v6-only, NAT64, 464

IPv6 in Mobile
Role in 3G and EPS

IPv6 in Wireline
PPPoE and IPoE sessions

Cisco CGN Products
ASR1000, ASR5000, ASR9000, CRS

[Chart: IPv4 address pool exhaustion. IANA pool: Feb 3, 2011. RIR pool: Feb 6, 2012 (*)]
Mar 23, 2011: $11.25 per IPv4 address
http://blog.internetgovernance.org/blog/_archives/2011/3/23/4778509.html

Need for SIDR (Secure Inter-Domain Routing): a distributed database and RPKI infrastructure for verifying the prefix origin AS with the RIR.
Internet v6 Content
- YouTube goes IPv6 (DE-CIX: 30x increase)
- Google is 1/10th of Internet
- Netflix video surpasses p2p in US (29.7%)
- NIX.CZ World IPv6 Day (June 8, 2011)
- NIC.CZ: cca 70.000 domains with AAAA
World IPv6 Day (June 8, 2011)

What was it?
A single day (24 hrs) where major content providers advertised a AAAA DNS record for their production service (e.g. www.cisco.com, www.facebook.com); coordinated by the Internet Society.

Who participated?
Google, Facebook, Yahoo!, Akamai, Cisco, Limelight Networks were among 434 participants that offered content from their main websites over IPv6 for a 24-hour "test drive". Cross-industry community effort: http://www.worldipv6day.org/participants/index.html

Why do this?
- Demonstrates commercial viability of IPv6
- Helps identify areas of improvement in IPv6 functionality

What happened? Nothing!
- Only isolated issues reported
- >3% v6 traffic in v6-enabled countries like France
- Example: Y! 2.2M users served over IPv6, 10 support calls
- Example: Akamai 8M requests during W6D
- Example: AAAA to everyone (incl. 2.5M FB-Connect websites)
World IPv6 Launch (6/6/2012)

What is it?
www.worldipv6launch.org ; coordinated by the Internet Society
W6L: Turn it on, leave it on.
Since 6/6/12, IPv6 becomes part of regular business!

Who will turn on IPv6 AAAA forever?
- Google, Facebook, Yahoo!, Akamai, Microsoft
- CPE vendors Cisco, D-Link

Practical support: http://www.internetsociety.org/deploy360/

V6 World Congress, Feb 2012: motto links to W6L: Open The Floodgates

[Slide: strategy alignment example]
IPv4 Address space completion
- Public or Private Space
- Limiting network expansion and putting at risk business continuity
- Introducing operational challenges

National IPv6 Strategies
- Compliance: U.S. Federal Mandate, IPv6 task force
- Next Generation Internet (CNGI) project in China and Japan
- European Commission Recommendation

IPv6 in Client Software
- IPv6 on in Microsoft Vista
- Sensor Networks
- Apple's Back to My Mac
- v6 over v4 OTT tunnel providers

Infrastructure Evolution
- IPv6: next generation network architectures require IPv6
- DOCSIS 3.0, Quad Play
- Mobile SP
- Networks in Motion
- Networked Sensors, i.e.: AIRS
| Characteristic | Reason | Example |
| --- | --- | --- |
| Infrequent Use | Maintaining NAT bindings for rare occurrence events is inefficient | Earthquake Warning service NTT IPv6; Smoke detectors: 6LoWPAN |
| Universal Connectivity | Reachability of devices in the home; peer-to-peer | Dozens of IPv6 tunnel brokers = unconstrained |
| Green Network | A PC with many networked applications sends many keep-alives. Each needs power across the network. | Skype for iPhone drains batteries from application keep-alive via data plane |
| Scalable/Green Data Center | Persistent client/server transport connection is needed to keep NAT open | Facebook IM long polling |
| High bit Rate+NAT | Smaller SP margin per bit for AFT vs competitors without that cost | Netflix On-Demand supports IPv6. Google 1/10th Internet traffic |

FCB Internet: Faster, Cleaner, Better.
Dual-stack variations (CGNv4 needed anyway)

| IPv4 | Private IP | 6 over 4 | 4+6 | 4 over 6 | All IPv6 |
| --- | --- | --- | --- | --- | --- |
| | CGN (NAT44) | 6PE, 6rd, MIP, PPP | Dual Stack | NAT64, DS-Lite, 4rd, dIVI/MAP-T | |

Phases: Preserve, Prepare, Prosper.
Courtesy of Jason Fesler, Yahoo (V6 World Congress 2012)

Public IPv4 Deployment (mobile)
[Diagram: eNB - Serving Gateway - PDN GW - public IPv4 Internet; public IPv4 end to end]
- Public IPv4 addresses used in Transport Network
- Public IPv4 addresses used on Handset for Service access

Declining Adoption: <30% of all carriers offer public IPv4 addresses to their subscribers
NAT44: Central Large Scale NAT44
IPv4 user plane with Large Scale NAT44
- 3GPP defined tunneling: GTP, PMIP/GRE, native IPv4 forwarding, IPsec to/from CGN
- v4 user plane: O(10G) throughput, O(20M) bindings, some subscriber awareness

[Diagram: eNB - SGW - PGW - CGN/CGv6 - public IPv4; private IPv4 address assigned to UE, public IPv4 address/port assigned by CGN; v4 core network: native IPv4]

Limited IPv4 life extension
- SP operates non-overlapping private address space
- UE obtains an IPv4 address from the private SP address space
- CGN/CGv6 performs NAT(P)44 with high scalability
- Many UEs are serviced by fewer public IP addresses on the LSN
- Dynamically reuses available pool of public IP address/port bindings

Evolution of current NAT solutions
- ~70% of all mobile operators leverage NAT44
- Many deployments implement NAT44 on enterprise-class firewalls: scale & throughput challenges
Large Scale NAT44 (wireline)
- Multiple customers multiplexed behind an SP managed NAT device (a Large Scale NAT)
- LSN44 multiplexes several customers onto the same public IPv4 address
- Each customer has a unique private IPv4 address

[Diagram: Home Gateway (NAT44, IPv4-Private) - Access Node - BRAS (AAA) - CGN (NAT44) - IPv4 Internet]

NAT44 can be deployed as a centralized or distributed function.
CPE based NAT44 + LSN44 = NAT444 solution
Most Broadband users are behind NAT today!
When people say NAT, they typically mean NAPT.

NAT
- First described in 1991 (draft-tsuchiya-addrtrans), RFC1631
- 1:1 translation: does not conserve IPv4 addresses
- Per-flow stateless
- Today's primary use is inside of enterprise networks: connect overlapping RFC1918 address space inside
- Note: NAT66 is stateful or stateless, but it is not NAPT

NAPT
- Described in 2001 (RFC3022)
- 1:N translation: conserves IPv4 addresses
- Allows multiple hosts to share one IPv4 address
- Only TCP, UDP, and ICMP
- Connection has to be initiated from inside
- Per-flow stateful
- Commonly used in home gateways and enterprise NAT

NAT44 is used to differentiate IPv4-IPv4 NAPT from Address Family Translation, typically referred to as NAT64 and NAT46.
Courtesy of Jason Fesler, Yahoo (V6 World Congress 2012)

CGN = IP Address Sharing
Inherent issues (draft-ford-shared-addressing-issues):
- Servers must also log source port numbers (draft-ietf-intarea-server-logging-recommendations)
- Shared IP address = shared suffering: blacklisting, spam, ...
- Tracking and Law Enforcement
- Requesting specific ports: not everyone can get port 80
- Geo-Location issues (get me the nearest ATM)
- Complicates inbound access to media
- Keepalives: power consumption, mobile battery drain
- Adds transport cost [$/Gbps]
ALG (Application Layer Gateway): L3 + L4 + L7
Fixup for applications that have problems with a Firewall (and Symmetric NAT)
- No inbound connections (media, p2p, ...)
- No problem with Full Cone NAT (ALG not needed)

Fixups for NAT-unaware applications
- Applications that embed the IP address in the payload or use it as user identity (did the developers respect the OSI model?)
- Old applications, Enterprise-oriented applications

No ALGs for many applications
- Encrypted or integrity-protected protocols, eg. SIP over TLS, HTTPS://1.2.3.4 (with IPv4 address literal), ...

[Diagram: SIP ALG on FW/NAT rewrites SDP m/c=10.1.1.1/1234 to m/c=161.44.1.1/5678 towards the Internet]

Modern Internet apps work fine through NAT/FW
Why does the world use Skype and not SIP?
Operational headache
- Undefined performance impact, numerous DoS attack vectors
- Different application versions need different ALGs
- Extensions, deviations, eg. Microsoft NetMeeting different from Polycom H.323
- ALGs from different vendors behave differently, tough upgrades
- In case of a bug, which vendor is guilty? How long will it take to get a fix?

Regulatory issues
- ISPs can't sniff/modify Over The Top application data using ALGs
- eg. break location awareness in Vonage emergency calls
- eg. break RTSP media streaming from NetFlix or Amazon
- ALG interference with NAT traversal techniques: SIP ICE, RTSP mmusic, ...

ALGs work fine in the closed Enterprise IT environment, but are ALGs desirable in the Internet?
Are there any NAT-unaware Internet apps yet?
[Slide: app logos: iTunes, Google Maps, Playstation Network, Windows Live Messenger, iPhone App Store, Google Talk]
Temporary exceptions (old protocols): RTSPv1 (m.youtube.com) or MS PPTP
Symmetric NAT
- Firewalling behavior
- Often implemented on Firewalls, CPE routers

PAT device generates a PAT entry such as below:

| Inside local | Inside global | Outside local | Outside global |
| --- | --- | --- | --- |
| 192.168.1.1:5000 | 140.0.0.1:6000 | 150.0.0.1:6000 | 150.0.0.1:6000 |

[Diagram: User-A (192.168.1.1/24) - NAT/PAT (NAT pool 140.0.0.1/24) - User-B (150.0.0.1/24), User-C (160.0.0.1/24)]
- User-A sends packets to User-B; the NAT translates src-ip and src-port 192.168.1.1:5000 -> 140.0.0.1:6000
- User-B sends to 140.0.0.1:6000; only User-B's packets are translated to go into the inside network
- Symmetric NAT: User-C can not reach User-A
Full cone NAT
- Free NAT traversal requires Full cone NAT.
- Full cone NAT is mentioned in RFC3489 Section 5.

What is Full cone NAT? PAT device generates a PAT entry such as below (match all!!):

| Inside local | Inside global | Outside local | Outside global |
| --- | --- | --- | --- |
| 192.168.1.1:5000 | 140.0.0.1:6000 | any | any |

[Diagram: User-A (192.168.1.1/24) - NAT/PAT (NAT pool 140.0.0.1/24) - User-B (150.0.0.1/24), User-C (160.0.0.1/24)]
- User-A sends packets to User-B; the NAT translates src-ip and src-port 192.168.1.1:5000 -> 140.0.0.1:6000
- Full cone NAT: not only User-B but also User-C can reach User-A via 140.0.0.1:6000
NAT Mapping Behavior (notation: IP Address:Port Number; inside host X:100 talks to outside peers A:1000, B:2000, B:2001)

Endpoint Independent Mapping: one external mapping regardless of destination
| Inside | Outside | Dst |
| --- | --- | --- |
| X:100 | Y:200 | - |

Address Dependent Mapping: one external mapping per destination address
| Inside | Outside | Dst |
| --- | --- | --- |
| X:100 | Y:200 | A:any |
| X:100 | Y:300 | B:any |

Address and Port Dependent Mapping: one external mapping per destination address and port
| Inside | Outside | Dst |
| --- | --- | --- |
| X:100 | Y:200 | A:1000 |
| X:100 | Y:300 | B:2000 |
| X:100 | Y:400 | B:2001 |
NAT Filtering Behavior (notation: IP Address:Port Number; inside host X:100 is mapped to Y:200, outside peers A:1000, A:1001, B:2000)

Endpoint Independent Filtering: any outside host may send to Y:200
| Inside | Outside | From |
| --- | --- | --- |
| X:100 | Y:200 | - |

Address Dependent Filtering: only address A (any port) may send to Y:200
| Inside | Outside | From |
| --- | --- | --- |
| X:100 | Y:200 | A |

Address and Port Dependent Filtering: only A:1000 may send to Y:200
| Inside | Outside | From |
| --- | --- | --- |
| X:100 | Y:200 | A:1000 |
Mapping behavior vs. filtering behavior (RFC3489 names):

| Mapping \ Filtering | Independent | Address Dependent | Address:Port Dependent |
| --- | --- | --- | --- |
| Independent | Full Cone NAT | Address Restricted NAT | Port Restricted NAT |
| Address Dependent | | | |
| Address:Port Dependent | | | Symmetric NAT |

Devices placed on the slide: CGN, IOS Router (enable-sym-port), Linksys WRT610N, IOS Router.

Classic STUN: Simple Traversal of UDP through NAT (RFC3489); now: Session Traversal Utilities for NAT (RFC5389)
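The mapping and filtering behaviours of the last few slides as an added Python model (not part of the original deck): `Nat` takes the two behaviours separately, `user_c_can_reach_user_a` replays the User-A/User-B/User-C scenario, and `mapping_table` replays the X:100 example; the class, function and behaviour names are this example's own, and User-C's source port is constructed.

```python
"""Model of RFC 4787 NAT mapping and filtering behaviours (added example)."""
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port); "X", "Y", "A", "B" stand in for addresses

BEHAVIOURS = ("independent", "address", "address_port")


class Nat:
    """A NAPT whose mapping and filtering behaviours are chosen independently.

    mapping   - when a new external (ip, port) is allocated for an inside endpoint:
                "independent"  : one mapping per inside endpoint (EIM)
                "address"      : one per (inside endpoint, destination address)
                "address_port" : one per (inside endpoint, destination endpoint)
    filtering - which outside senders may use an existing mapping (EIF / ADF / APDF).
    Full Cone NAT = (independent, independent); Symmetric NAT = (address_port, address_port).
    """

    def __init__(self, mapping: str, filtering: str,
                 external_ip: str = "140.0.0.1", first_port: int = 6000,
                 port_step: int = 1) -> None:
        assert mapping in BEHAVIOURS and filtering in BEHAVIOURS
        self.mapping, self.filtering = mapping, filtering
        self.external_ip, self.next_port, self.port_step = external_ip, first_port, port_step
        self.table: Dict[tuple, Endpoint] = {}         # mapping key -> external endpoint
        self.reverse: Dict[Endpoint, Endpoint] = {}    # external endpoint -> inside endpoint
        self.allowed: Dict[Endpoint, Set] = {}         # external endpoint -> permitted senders

    def _map_key(self, inside: Endpoint, dst: Endpoint) -> tuple:
        if self.mapping == "independent":
            return (inside,)
        if self.mapping == "address":
            return (inside, dst[0])
        return (inside, dst)

    def _filter_key(self, peer: Endpoint):
        if self.filtering == "independent":
            return "any"
        if self.filtering == "address":
            return peer[0]
        return peer

    def outbound(self, inside: Endpoint, dst: Endpoint) -> Endpoint:
        """Inside host sends to dst: create or reuse the mapping, open the filter, return the external endpoint."""
        key = self._map_key(inside, dst)
        ext = self.table.get(key)
        if ext is None:
            ext = (self.external_ip, self.next_port)
            self.next_port += self.port_step
            self.table[key] = ext
            self.reverse[ext] = inside
            self.allowed[ext] = set()
        self.allowed[ext].add(self._filter_key(dst))
        return ext

    def inbound(self, src: Endpoint, ext: Endpoint) -> Optional[Endpoint]:
        """Outside host src sends to external endpoint ext: inside endpoint, or None if dropped."""
        inside = self.reverse.get(ext)
        if inside is None:
            return None  # no translation entry
        if self._filter_key(src) in self.allowed[ext]:
            return inside
        return None  # dropped by the NAT's filtering behaviour

    def mappings_for(self, inside: Endpoint) -> Set[Endpoint]:
        return {ext for key, ext in self.table.items() if key[0] == inside}


def user_c_can_reach_user_a(mapping: str, filtering: str) -> bool:
    """Slides' scenario: User-A 192.168.1.1:5000 talks to User-B 150.0.0.1:6000,
    then User-C 160.0.0.1:7000 (port constructed) tries the external 140.0.0.1:6000."""
    nat = Nat(mapping, filtering)
    user_a, user_b, user_c = ("192.168.1.1", 5000), ("150.0.0.1", 6000), ("160.0.0.1", 7000)
    ext = nat.outbound(user_a, user_b)             # 192.168.1.1:5000 -> 140.0.0.1:6000
    assert nat.inbound(user_b, ext) == user_a      # User-B always gets through
    return nat.inbound(user_c, ext) is not None


def mapping_table(mapping: str) -> Set[Endpoint]:
    """Slides' X:100 -> A:1000, B:2000, B:2001 example; external address Y, ports 200/300/400."""
    nat = Nat(mapping, "independent", external_ip="Y", first_port=200, port_step=100)
    for dst in (("A", 1000), ("B", 2000), ("B", 2001)):
        nat.outbound(("X", 100), dst)
    return nat.mappings_for(("X", 100))


if __name__ == "__main__":
    print("Full Cone:", user_c_can_reach_user_a("independent", "independent"))     # True
    print("Symmetric:", user_c_can_reach_user_a("address_port", "address_port"))   # False
    for m in BEHAVIOURS:
        print(m, sorted(mapping_table(m)))
```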
NAT traversal techniques
- FTP PASV: data connection always to the server
- ICE, STUN, TURN: NAT EIM/EIF + intelligence in the endpoint; useful for offer/answer protocols (SIP, XMPP, probably more); standardized in MMUSIC and BEHAVE
- RTSPv1: effectively replaced with Flash over HTTP
- RTSPv2: ICE-like solution
- Skype: encrypted and does its own NAT traversal
- Port 80/443 apps

STUN: Session Traversal Utilities for NAT, RFC 5389
ICE: Interactive Connectivity Establishment, RFC 5245
TURN: Traversal Using Relays around NAT, RFC 5766
CGN with EIM/EIF (Full Cone NAT)
Requirement: endpoint independence, no ALG/fixups, maximum application transparency

Use Case Example: Session Traversal Utilities for NAT (STUN, ICE), used by P2P apps to advertise themselves such that others can contact them from outside-in
1) User-A connects to the STUN Server; User-B connects to the STUN Server (each through its own NAT)
2) STUN Server returns User-B's translated (src-ip, src-port) to User-A and User-A's translated (src-ip, src-port) to User-B
3) User-A and User-B can communicate with each other directly
* source: RFC4787, RFC5382, RFC5508
STUN: Session Traversal Utilities for NAT, RFC 5389
- Request/response protocol, used by: STUN itself (to learn the IP address), ICE (for connectivity checks), TURN (to configure the TURN server)
- The response contains the IP address and port the request arrived from
- Runs over UDP (typical) or TCP, port 3478
- Think http://whatismyip.com
ICE: Interactive Connectivity Establishment, RFC 5245
- Procedure for optimizing media flows
- Defines SDP syntax to indicate candidate addresses
- Uses STUN messages for connectivity checks, sent to the RTP peer using the same ports as RTP
- First best path wins

Basic steps:
1. Gather all my IP addresses
2. Send them to my peer
3. Do connectivity checks

Examples: Google chat (XMPP), Microsoft MSN (SIP inside of XML), Yahoo (SIP), Counterpath softphone (SIP)
TURN: Traversal Using Relays around NAT, RFC 5766
- Media relay protocol and media relay server
- Only used when: both endpoints are behind Address and Port-Dependent Filtering NATs (rare, about 25% of NATs), or one endpoint doesn't implement ICE and is behind an Address and Port-Dependent Filtering NAT
CGN: New IP Infrastructure Element
- Separate infrastructural necessity from services (firewalling, etc.)
- No ALGs, no firewalling behavior

Focus on:
- Transparency: keep just the necessary, endpoint independence
- Scale & Performance: minimal cost
- Security: logging, port limits
- IPv6 preparation: NAT64, 6RD, etc.

IETF BEHAVE working group: Behavior Engineering for Hindrance Avoidance
IETF target is to promote IPv6, not to prolong IPv4 forever
RFC4787 (July 2007)
A CGN is defined by constrained behavior:
- NAT Behavior Compliance (RFC4787, RFC5382, RFC5508)
- Endpoint Independent Mapping and Filtering (Full Cone NAT)
- Paired IP address pooling behavior
- Port Parity preservation for UDP
- Hairpinning behavior
- Static Port Forwarding (PCP)
- Current ALGs: RTSPv1, sometimes PPTP

Management:
- Port Limit per subscriber
- Mapping Refresh
- NAT logging
- Redundancy (Intra-box Active/Standby, Inter-box Active/Active)
IP Address Pooling Behavior
Paired (recommended): use the same external IP address mapping for all sessions associated with the same internal IP address.
Some peer-to-peer applications don't negotiate the IP address for multiple sessions (eg. apps that are not able to negotiate the IP address for RTP and RTCP separately).

| Inside | Outside |
| --- | --- |
| X:100 | A:200 |
| X:101 | A:201 |
| X:102 | A:202 |
| Y:100 | B:200 |
| Y:101 | B:201 |
| Y:102 | B:202 |
Hairpinning
Use Case: allow communications between two endpoints behind the same NAT when they are trying each other's external IP addresses.

| Inside | Outside |
| --- | --- |
| X:100 | A:200 |
| Y:100 | B:200 |

X:100 sends to B:200 and the NAT turns the packet around to Y:100 (and vice versa through A:200).
Notation: X:100 = IPv4 address:Port *
* TCP/UDP port or Query ID for ICMP
Static Port Forwarding
Requirement: ability to configure a fixed private (internal) IP address:port associated with a particular subscriber while the CGN allocates a free public IP address:port.
Future: PCP (Port Control Protocol) for users (draft-ietf-pcp-base)
- Option 1: Handset/Host with PCP Client talks PCP directly to the PCP Server on the CGN
- Option 2: PCP client on the CPE (PCP Client, UPnP IGD proxy, NAT-PMP proxy) relays the host's UPnP IGD / NAT-PMP requests to the PCP Server

Delegate port numbers to requesting applications/hosts to avoid the requirement for ALGs
No Port Overloading
A NAT must not have a "Port assignment" behavior of "Port overloading" (i.e. use port preservation even in the case of collision). Most applications will fail if this is used.

Port Parity Preservation
An even port will be mapped to an even port, and an odd port will be mapped to an odd port. This behavior respects the [RFC3550] rule that RTP uses even ports and RTCP uses odd ports.

Port Limit Per Subscriber
Configurable port limit per subscriber for the system (includes TCP, UDP and ICMP). NAT security: DoS attack/virus exhaust prevention.
* source: RFC4787, RFC5382
Example: GoogleMaps with Max 30 Connections
Example/Slides courtesy of NTT, see also Hiroshi Esaki: www2.jp.apan.net/meetings/kaohsiung2009/presentations/ipv6/esaki.ppt
Courtesy of NTT, see also Hiroshi Esaki: www2.jp.apan.net/meetings/kaohsiung2009/presentations/ipv6/esaki.ppt

Source: Application behaviors in terms of port/session consumption on NAT
http://opensourceaplusp.weebly.com/experiments-results.html
See also An Experimental Study of Home Gateway Characteristics
https://fit.nokia.com/lars/papers/2010-imc-hgw-study.pdf
http://www.ietf.org/proceedings/78/slides/behave-8.pdf
Classic IOS: per box, default is none, ASR1K since 3.4S
    ip nat translation max-entries all-host 300

IOS XR: per CGN instance, default is 100
    service cgn CGN1
     portlimit 300

XR: when the port limit is exceeded, the packet is dropped and an ICMP Type 3 Destination Unreachable, Code 13 Communication Administratively Prohibited is returned to the sender.

    RP/0/RP0/CPU0:R#show cgn demo stat sum
    Statistics summary of cgn: 'demo'
    Number of active translations: 86971
    Translations create rate: 0
    Translations delete rate: 0
    Inside to outside forward rate: 101
    Outside to inside forward rate: 4
    Inside to outside drops port limit exceeded: 5
    Inside to outside drops system limit reached: 0
    Inside to outside drops resource depletion: 0
    Outside to inside drops no translation entry: 6216513
    Pool address totally free: 507
    Pool address used: 69
NAT Session Setup Rate [sps] (sessions per second)
- Average # of new sessions per user, during peak hours
- Huge load during failover scenarios or after a power blackout
- Failing to cope with SPS = huge TCP delays, timeouts/retransmissions

Session limit per user
- Maximum # of concurrent sessions per user
- AJAX-based applications with tens/hundreds of TCP sessions; eg. relaunching Firefox with tabs opens hundreds of sessions

Maximum Number of Sessions per CGN
- Average # of concurrent sessions per user, during peak hours
- UDP must not expire in less than 2 minutes (RFC4787)
- UDP/TCP timers for initializing and established sessions should be configurable
Scenarios:
- L (Low-scale): 3G mobile users, smart-phones
- M (Medium-scale): ADSL subscribers, PC users with 3G/4G dongles, tablets, WiFi and top smart-phone users
- H (High-scale): heavy Broadband users, Internet sharing

100K BB users = up to 100K sps and 10 Mcs during peak hour!
IOS XR default timers (*)
| Type | Default Value |
| --- | --- |
| ICMP | 60 sec |
| UDP init | 30 sec |
| UDP active | 120 sec |
| TCP init | 120 sec |
| TCP active | 30 min |
*) Default refresh direction is bidirectional (configurable to outbound only)

IOS XE (ASR1000) default timers
| Timer | Default Value |
| --- | --- |
| timeout | 86,400 seconds (24 hours) |
| udp-timeout | 300 seconds (5 minutes) |
| dns-timeout | 60 seconds (1 minute) |
| tcp-timeout | 86,400 seconds (24 hours) |
| finrst-timeout | 60 seconds (1 minute) |
| icmp-timeout | 60 seconds (1 minute) |
| pptp-timeout | 86,400 seconds (24 hours) |
| syn-timeout | 60 seconds (1 minute) |
High Availability scenarios
- Intra-chassis, inter-chassis
- Active/Standby, Active/Active

Stateful or stateless
- Millions of short-lived Layer-4 sessions
- Stateful sync makes no sense for such ephemeral state (memory & CPU), eg. ASR1000 does not sync http

Stateless redundancy
- 1 Msps = 100K active users (10 Mcs) are back up in 10 s, minimal loss
- Load-sharing = simple ECMP routing
- Best Practice: simple non-revertive 1:1 warm standby
Data Retention Law compliance, user trackability
Who posted content to a server on Tue at 8:09:10pm?
Lookup chain: Global IP:port -> CGN Log -> Private IP:port -> MSISDN
Directive 2006/24/EC - Data Retention

Logging Format
- Must be fast and efficient (binary format)
- Syslog: very chatty, inefficient ASCII encoding
- Netflow v9 or IPFIX: 21B add-event, 11B delete-event; compare to ASCII syslog (113B for add-event)! 1 Msps = cca 176 Mbps, 14.7 Kpps; up to 68 add-events per 1500B export packet; dynamic, template-based format
Tip: IsarFlow tested CGN NFv9 Collector

Add Event, Template 256 (21B)
| Field ID | Attribute | Value |
| --- | --- | --- |
| 234 | Incoming VRF ID | 32 bit ID |
| 235 | Outgoing VRF ID | 32 bit ID |
| 8 | Source IP Address | IPv4 Address |
| 225 | Translated Source IP Address | IPv4 Address |
| 7 | Source Port | 16 bit port |
| 227 | Translated Source Port | 16 bit port |
| 4 | Protocol | 8 bit value |

Delete Event, Template 257 (11B)
| Field ID | Attribute | Value |
| --- | --- | --- |
| 234 | Incoming VRF ID | 32 bit ID |
| 8 | Source IP Address | IPv4 Address |
| 7 | Source Port | 16 bit port |
| 4 | Protocol | 8 bit value |
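The two NetFlow v9 templates above, as an added encoder/decoder in Python (not Cisco or IsarFlow code): it packs the 21-byte add event and 11-byte delete event in the field order of the tables, wraps them in an NFv9 packet header plus data flowset, parses them back, and computes how many add events fit one 1500-byte export packet. All sample values (VRF IDs, addresses, ports, uptime, sequence number) are constructed.

```python
"""Encoder/decoder for CGN NAT44 NetFlow v9 add/delete events, templates 256 and 257 (added example)."""
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

ADD_TEMPLATE, DEL_TEMPLATE = 256, 257
# Field order follows the slide tables: 234, 235, 8, 225, 7, 227, 4 and 234, 8, 7, 4.
ADD_FMT = "!IIIIHHB"     # inVRF, outVRF, srcIP, xlatedSrcIP, srcPort, xlatedSrcPort, proto = 21 bytes
DEL_FMT = "!IIHB"        # inVRF, srcIP, srcPort, proto = 11 bytes
NFV9_HEADER = "!HHIIII"  # version, count, sysUptime, unixSecs, seqNo, sourceId = 20 bytes
FLOWSET_HEADER = "!HH"   # flowset id (= template id for data), length = 4 bytes
assert struct.calcsize(ADD_FMT) == 21 and struct.calcsize(DEL_FMT) == 11


def encode_add(in_vrf: int, out_vrf: int, src_ip: str, xlated_ip: str,
               src_port: int, xlated_port: int, proto: int) -> bytes:
    return struct.pack(ADD_FMT, in_vrf, out_vrf, int(IPv4Address(src_ip)),
                       int(IPv4Address(xlated_ip)), src_port, xlated_port, proto)


def encode_delete(in_vrf: int, src_ip: str, src_port: int, proto: int) -> bytes:
    return struct.pack(DEL_FMT, in_vrf, int(IPv4Address(src_ip)), src_port, proto)


def build_packet(template_id: int, records: List[bytes], uptime_ms: int,
                 unix_secs: int, seq_no: int, source_id: int) -> bytes:
    """One NFv9 export packet carrying a single data flowset of the given template."""
    body = b"".join(records)
    pad = (-len(body)) % 4  # flowset length must be a multiple of 4
    flowset = struct.pack(FLOWSET_HEADER, template_id, 4 + len(body) + pad) + body + b"\0" * pad
    header = struct.pack(NFV9_HEADER, 9, len(records), uptime_ms, unix_secs, seq_no, source_id)
    return header + flowset


def parse_packet(packet: bytes) -> Tuple[Dict[str, int], List[dict]]:
    """Parse the header and every data flowset; records are decoded for templates 256/257 only."""
    version, count, uptime, secs, seq, src = struct.unpack(NFV9_HEADER, packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    header = {"count": count, "sysUptime": uptime, "unixSecs": secs, "seqNo": seq, "sourceId": src}
    records: List[dict] = []
    pos = 20
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack(FLOWSET_HEADER, packet[pos:pos + 4])
        if fs_len < 4:
            raise ValueError("corrupt flowset length")
        data = packet[pos + 4:pos + fs_len]
        pos += fs_len
        if fs_id == ADD_TEMPLATE:
            for rec in struct.iter_unpack(ADD_FMT, data[:len(data) - len(data) % 21]):
                records.append({"event": "add", "inVRF": rec[0], "outVRF": rec[1],
                                "srcIP": str(IPv4Address(rec[2])), "xlatedSrcIP": str(IPv4Address(rec[3])),
                                "srcPort": rec[4], "xlatedSrcPort": rec[5], "proto": rec[6]})
        elif fs_id == DEL_TEMPLATE:
            for rec in struct.iter_unpack(DEL_FMT, data[:len(data) - len(data) % 11]):
                records.append({"event": "delete", "inVRF": rec[0], "srcIP": str(IPv4Address(rec[1])),
                                "srcPort": rec[2], "proto": rec[3]})
    return header, records


def max_add_events_per_packet(mtu: int = 1500) -> int:
    """Add records per packet after IPv4 (20) + UDP (8) + NFv9 (20) + flowset (4) header bytes."""
    return (mtu - 20 - 8 - 20 - 4) // struct.calcsize(ADD_FMT)


if __name__ == "__main__":
    # constructed sample: subscriber 10.1.32.45:12544 translated to 100.1.1.28:12671, TCP
    adds = [encode_add(1, 2, "10.1.32.45", "100.1.1.28", 12544, 12671, 6)] * 68
    pkt = build_packet(ADD_TEMPLATE, adds, uptime_ms=1234, unix_secs=1306837845, seq_no=7, source_id=0)
    print(len(pkt), "bytes,", max_add_events_per_packet(), "add events per 1500B packet")
```

The 68 add events per packet quoted on the logging slide fall out of the header arithmetic in `max_add_events_per_packet`.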
Collector performance: 100K users, average and peak
Storage capacity includes per-day user behavior
Reality check: 100K CGN users would consume 3.5TB storage per year (compressed, fully SQL searchable data)
E-Shop: 4TB disk, 300 Euro
No need to bother with logging reduction
Destination Based Logging and data analytics
- Keep and log destination IP:port
- Just like in a Symmetric NAT/Firewall, but still keep EIM/EIF

Usage:
- Servers that do not log the port (Apache default)
- Data Analytics (full Netflow-like info)

Per-user functions (Firewall, LI, AAA) still must be done on the private IP (before NAT).
Tip: IsarFlow tested CGN NFv9 Collector

Add Event, Template 271 (27B), with Destination Based Logging
| Field ID | Attribute | Value |
| --- | --- | --- |
| 234 | Incoming VRF ID | 32 bit ID |
| 235 | Outgoing VRF ID | 32 bit ID |
| 8 | Source IP Address | IPv4 Address |
| 225 | Translated Source IP Address | IPv4 Address |
| 7 | Source Port | 16 bit port |
| 227 | Translated Source Port | 16 bit port |
| 12 | Destination Address | IPv4 Address |
| 11 | Destination Port | 16 bit port |
| 4 | Protocol | 8 bit value |

NAT44: Add Event, Template 271 (27B); Delete Event, Template 272 (17B)
NAT64: Add Event, Template 260 (47B); Delete Event, Template 261 (37B)
Syslog (ASCII) cannot really log at full speed
Example (RFC5424 compliant):
    1 2011 May 31 10:30:45 192.168.2.3 - - NAT44 [UserbasedA - 10.1.32.45 INVRFA 100.1.1.28 12544 12671]
- Huge load (compare 113 or 250 B for syslog and 21 B for Netflow v9)
- Both Syslog and Netflow are UDP, but syslog misses the sequence #

Solution: Bulk port range allocation
- Pre-allocates a port-set per user (eg. 512 ports)
- PROS: log size reduction (is it a problem today?)
- CONS: breaks randomization (port guessing attacks), cannot log the destination

SDNAT (Stateless Deterministic NAT), aka. Algorithmic NAT
- No logging at all, but
- Unrealistic requirements (eg. control of host stack and A+P routing changes)
Bulk Port Allocation: Implementation
When a subscriber creates its first connection, N contiguous outside ports are pre-allocated (additional connections up to N will use one of the pre-allocated ports). A bulk-allocation message is logged for the port-range, and a bulk-delete is logged if there are no more sessions in this range.

Example: bulk-port-alloc size 512

Problem: bulk port alloc may break TCP port randomization
- Algorithms in host stacks prevent guessing for TCP hijacking

Normal non-bulk port allocation is random
- Random ports, prefer the IP address with at least 1/3 free ports
- The first 1024 ports are reserved (never allocated)
- Paired pooling behavior and port parity preservation during allocation
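The allocation rules from the "No Port Overloading / Port Parity Preservation / Port Limit Per Subscriber" slide and the non-bulk allocation rules just listed, as one added Python example (not Cisco's implementation): random ports from 1024 upwards, paired pooling, parity preservation, preference for a pool address with at least 1/3 of its ports free, no reuse of an in-use port, and a per-subscriber port limit. Pool addresses, subscriber addresses and the class and exception names are this example's own.

```python
"""CGN port allocator following the RFC 4787-style rules on the slides (added example)."""
import random
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

RESERVED_PORTS = 1024                 # ports 0-1023 are never allocated
TOTAL_PORTS = 65536 - RESERVED_PORTS  # usable ports per pool address


class PortLimitExceeded(Exception):
    """Slides' IOS XR reaction: packet dropped, ICMP type 3 code 13 returned to the sender."""


class PoolExhausted(Exception):
    pass


class CgnAllocator:
    def __init__(self, pool_ips: List[str], port_limit: int = 100,
                 rng: Optional[random.Random] = None) -> None:
        self.rng = rng or random.Random()
        self.port_limit = port_limit
        # free ports per pool address, split by parity so parity preservation costs nothing
        self.free: Dict[str, Dict[int, List[int]]] = {
            ip: {0: list(range(RESERVED_PORTS, 65536, 2)),
                 1: list(range(RESERVED_PORTS + 1, 65536, 2))} for ip in pool_ips}
        self.paired: Dict[str, str] = {}                                  # inside ip -> external ip
        self.in_use: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)  # inside ip -> (ext ip, ext port)

    def free_count(self, ext_ip: str) -> int:
        return len(self.free[ext_ip][0]) + len(self.free[ext_ip][1])

    def _choose_ip(self, inside_ip: str) -> str:
        """Paired pooling: keep the external address already chosen for this subscriber."""
        if inside_ip in self.paired:
            return self.paired[inside_ip]
        preferred = [ip for ip in self.free if self.free_count(ip) * 3 >= TOTAL_PORTS]
        candidates = preferred or [ip for ip in self.free if self.free_count(ip) > 0]
        if not candidates:
            raise PoolExhausted("no pool address with free ports")
        ext_ip = self.rng.choice(candidates)
        self.paired[inside_ip] = ext_ip
        return ext_ip

    def allocate(self, inside_ip: str, inside_port: int) -> Tuple[str, int]:
        if len(self.in_use[inside_ip]) >= self.port_limit:
            raise PortLimitExceeded(inside_ip)
        ext_ip = self._choose_ip(inside_ip)
        bucket = self.free[ext_ip][inside_port & 1]  # parity preservation (RTP even / RTCP odd)
        if not bucket:
            raise PoolExhausted(f"{ext_ip} has no free ports of parity {inside_port & 1}")
        i = self.rng.randrange(len(bucket))          # random port; swap-remove keeps it O(1)
        ext_port = bucket[i]
        bucket[i] = bucket[-1]
        bucket.pop()
        self.in_use[inside_ip].add((ext_ip, ext_port))  # port left the free list: no overloading
        return ext_ip, ext_port

    def release(self, inside_ip: str, ext_ip: str, ext_port: int) -> None:
        self.in_use[inside_ip].discard((ext_ip, ext_port))
        self.free[ext_ip][ext_port & 1].append(ext_port)
        if not self.in_use[inside_ip]:
            self.paired.pop(inside_ip, None)  # subscriber idle: pairing may change next time


def demo(seed: int = 1) -> dict:
    """Constructed subscriber 10.1.32.45 opens RTP 12544 / RTCP 12545 and a third flow, limit 3."""
    alloc = CgnAllocator(["100.1.1.28", "100.1.1.29"], port_limit=3, rng=random.Random(seed))
    rtp = alloc.allocate("10.1.32.45", 12544)
    rtcp = alloc.allocate("10.1.32.45", 12545)
    third = alloc.allocate("10.1.32.45", 40000)
    try:
        alloc.allocate("10.1.32.45", 40001)
        limited = False
    except PortLimitExceeded:
        limited = True
    return {"rtp": rtp, "rtcp": rtcp, "third": third, "limited": limited,
            "free_after": alloc.free_count(rtp[0])}


if __name__ == "__main__":
    print(demo())
```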
Add Event, Template 265
| Field ID | Field | Size |
| --- | --- | --- |
| 234 | Incoming VRF ID | 4 bytes |
| 235 | Outgoing VRF ID | 4 bytes |
| 8 | Incoming/Inside Source IPv4 Address | 4 bytes |
| 225 | Translated Source IPv4 Address | 4 bytes |
| 295 | Translated Source Port Start | 2 bytes |
| 296 | Translated Source Port End | 2 bytes |

Delete Event, Template 266
| Field ID | Field | Size |
| --- | --- | --- |
| 234 | Incoming VRF ID | 4 bytes |
| 8 | Incoming/Inside Source IPv4 Address | 4 bytes |
| 295 | Translated Source Port Start | 4 bytes |

NOTE: Bulk Port Allocation is mutually exclusive with Destination Based Logging (DBL).
Option 1: NAT on BNG/PGW/GGSN (per-subscriber)
[Diagram: eNB - SGW - PGW (NAT44) - public IPv4; private IPv4 before the PGW, public IPv4 after it. Cisco ASR5000]
Key Benefits:
- Subscriber aware NAT: per subscriber control, per subscriber accounting
- Large Scale (further enhanced by distribution)
- Highly available (incl. geo-redundancy)

Option 2: NAT on Internet Gateway (as far from subscribers as possible)
[Diagram: eNB - SGW - PGW - CGN/CGv6 (NAT44) - public IPv4; private IPv4 up to the CGN. Cisco Internet Gateways: CRS, GSR, ASR9K, ASR1K]
Key Benefits:
- Integrated NAT for multiple administrative domains (operational separation)
- Overlapping private IPv4 domains (e.g. w/ VPNs)

BEST PRACTICE: on the PGW put revenue-generating services (charging, firewall, ...); on the Internet Gateway put infrastructural functions (BGP, CGN, ...)
NAT vs. Firewall
- Firewall motivation is inbound filtering: ALGs are required; NAT can be used or not
- CGN motivation is the IPv4 exhaust solution: maximum simplicity, transparency, massive logging

DPI, LI, AAA, Firewalling must be done on the private address space
- After NAT it would be too late (NAT hides the user's L3 identity)
- CGN is one of the last operations before the packet goes to the Internet

[Diagram: eNB - SGW - PGW - CGN/CGv6 (NAT44) - public IPv4; private IPv4 up to the CGN]
Gi Firewall
- Protects against overcharging for usage-billed (non flat-fee) APNs
- Protects against network scans waking phones from fast dormancy state (battery drain)
- CGN does not help here, a real firewall is needed

Solution 1: PGW/GGSN (PDP) - Gi FW (Firewall, ALGs, LI, DPI, no NAT) - IGW (CGN, logging) - public IPv4
Solution 2: PGW/GGSN (PDP, LI, DPI, ALG, per-PDP Firewall, no NAT) - IGW (CGN, logging) - public IPv4
Solution 3: PGW/GGSN (PDP, LI, DPI, ALG, per-PDP Firewall & NAT) - IGW (BGP) - public IPv4
Current Situation
- Massive growth of mobile data traffic and number of mobile end-points
- IPv4 run out: most operators started to deploy NAT44

Offload NAT44 Infrastructure
- IPv6 traffic bypasses NAT44
- After W6L, IPv6 content and video comes
- Regulation and new standards
- IPv6 will become cheaper (eg. bigger volume quotas or no FUP for v6)
- Ultimately: IPv4 space pollution -> IPv6: Faster, Cleaner and Better Internet
[Diagram: dual-stack network; IPv6 native end to end, private IPv4 through the CGN to public IPv4]

Dual-Stack: the classic RFC 4213 solution
- Logical deployment choice when one has little control over the end-point
- 3GPP/3GPP2 architectures support Dual-Stack, as well as Wireline (Broadband/DSL Forum, DOCSIS)

IPv6 endpoint enablement
- Handset upgrade often required to get IPv6 or Dual-Stack (both stacks active at a time)
- DSL/FTTH/Cable CPE: no s/w upgrades, new RFP needed
- IMS/VoIP mass market (80% of all phones are still voice-focused handsets)

Deploying IPv6 in dual stack does not solve IPv4 address exhaustion: CGN needed
I get AAAA, I have IPv6 configured locally (SLAAC). But what if the IPv6 network is broken?
[Figure: behavior of a typical web browser]
draft-ietf-v6ops-happy-eyeballs
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_13-3/133_he.html
Slide courtesy of Teemu Savolainen (presented at v6ops, IETF 80)
draft-ietf-v6ops-happy-eyeballs suggests sending 2 TCP SYNs, IPv4 and IPv6
Happy Eyeballs: improving end user experience
Implementations:
- Firefox 10
- Ch
rome (last stable)
- OSX 10.7 Lion getaddrinfo()
- Safari
- iPhone iOS 4.3.1
draft-ietf-v6ops-happy-eyeballs
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_13-3/133_he.html
NOTE this impacts CGN44: high session setup rate [sps]
IPv6/MPLS Core is easy. The Access is difficult.

Why can't today's broadband user just access the IPv6 Internet?

[Diagram: User - RG - Access Node (DSLAM, MSAN, OLT...) - BNG - Aggregation - Core, with the IPv6 touch points per element: OS v6 stack, IPv6 LAN and IPv6 WAN on the RG; DHCPv6 snooping, ICMPv6 snooping and LDRA/Option 37 on the Access Node; IPv6 stack, IPv6 routing, IPv6 security and DHCPv6 on the BNG; IPv6 PE/VPE and MPLS 6PE/6VPE in aggregation and core; IPv6 NMS/addressing and AAA/DHCP IPv6 parameters in the back office]

Key problem with native v6: the Access Node (DSLAM, MSAN, OLT, FTTx switch), the CPE (new box needed) and sometimes the BRAS/GGSN (no dual-stack sessions).
Tunneling IPv6 over the existing PPPoE (dual-stack PPPoE) or over the IPv4 infrastructure (6rd) provides a transition solution with a minimal number of touch points.
Broadband PPP Access
- Dual-stack IPv6 and IPv4 are supported over a shared PPP session, with the v4 and v6 NCPs running as ships in the night
- IPCP assigns IPv4; IPv6CP + DHCPv6-PD assign IPv6
- ASR1000 dual-stack PPPoE (16-64k sessions), no extra BRAS sessions required, ISGv6 supported

Broadband IPoE Access (VLAN)
- Currently 2 sessions are needed, an IPv4 session and an IPv6 session on the same L2 session
- ASR1000 ISGv6 supports IPv6 sessions (unclassified IPv6-prefix based)
- Future: a dual-stack v4v6 session is being worked on in the BBF (Broadband Forum, ex DSL Forum)

Mobile Access
- Four types of PDP/PDN contexts: PPP (legacy), IPv4, IPv6 and the new IPv4v6 (introduced in 3GPP Rel 9)
- ASR5000, Cisco's Packet Core solution, supports the IPv4v6 PDN
- Dual-stack capable UEs are to request an IPv4v6 PDN (MIPv6, complex roaming scenarios, etc.)
Use Dual-stack PPPoE

[Diagram: Customer - Access - Aggregation - Edge (BNG) - Core (IP/MPLS); the PPPoE session is terminated on the BNG, nothing in between changes]

- Native dual-stack IPv4/IPv6 service on the RG LAN side
- NO changes in the existing access/aggregation infrastructure
- One PPPoE session per address family (IPv4 or IPv6), or one PPPoE session carrying both the IPv4 and IPv6 NCPs running as ships in the night
- Dual stack must not consume extra BNG session state
- SLAAC or DHCPv6 can be used to number the WAN link with a global address
- DHCPv6-PD is used to delegate a prefix for the home network
- PPPoE tag line-id authentication; RADIUS IPv6 attributes as per RFC 3162
- Dual-stack PPPoE support in hardware: ASR1000 (32K+ sessions with features), ASR9000 (end of 2012)
Use 6rd, Rapid Deployment (RFC 5969)

[Diagram: 6rd CPE/RG (Remote Gateway) with IPv4 + IPv6 on the LAN - IPv4 access network with CGN - IGW and 6rd BR (Border Relay) - IPv6 core / Internet]

- IPv6 destination inside the 6rd domain: encapsulate in IPv4 (protocol 41); the IPv4 destination is extracted from the IPv6 prefix, which contains the v4 part
- IPv6 destination outside the 6rd domain: encapsulate in IPv4 towards the BR

6rd (Rapid Deployment): a residence's IPv6 subnet is constructed from
ISP's IPv6 prefix + RG IPv4 address + Subnet ID + Interface ID (in this example the boundaries are /32, /56, /64 and /128)

- Automatic tunneling of 6 in 4
- Simple and stateless CPE, uses the ISP's /32 prefix
- Large deployments (Free France, AT&T US, DSL and cable)
- Linksys CPE support: http://home.cisco.com/en-us/ipv6
- Replaces classic 6to4 tunneling (2002::/16 is being obsoleted by the IETF)
- 6rd BR support in hardware: 7600 ES+, ASR1000, CRS CGSE
The One-Stack View

[Diagram: transition options placed along the operator-network axis, from an IPv4-majority network to IP in IPv6, against cost/complexity]

- Where we are right now: Dual-Stack. One network, but addresses run out; operations & deployment cost/complexity
- 6rd: enables IPv6 connectivity over the IPv4 infrastructure
- Dual-Stack Lite: one network, SP-class XLAT (CGN)
- Stateful NAT64: big CGN in the IPv6 network; without it IPv6 can't talk to IPv4
- Being asked to go here next: IPv6 as the transition vehicle for the 6-4 and 4-6-4 cases, with stateless NAT64/dIVI and stateless 4o6/4RD
- Diagram labels: IPv4 majority ... IP in IPv6; "Two Networks!!"
IPv6 and Large Scale Address Family Translation

AFT64 technology is only applicable where IPv6-only end-points need to talk to IPv4-only end-points: NAT64 for going from IPv6 to IPv4.

[Diagram: IPv6 UE - eNB - Serving Gateway - PGW (IPv6 public) - NAT64 - IPv4 public Internet]

- NAT64 and DNS64 is the solution
- NAT-PT is obsoleted by the IETF (due to stateful DNS)
- See also draft-ietf-behave-v6v4-framework, draft-ietf-behave-v6v4-xlate, draft-ietf-behave-v6v4-xlate-stateful (now RFC 6144, 6145, 6146)
Stateful AFT64
- The AFT keeps binding state between the inner IPv6 address and the outer IPv4 address + port. Application dependent, just like NAPT44*
- IPv6 addresses representing IPv4 hosts: IPv4-mapped IPv6 addresses. Format: any IPv6 address PREFIX : IPv4 portion : (optional suffix)
- The NAT64 PREFIX:: is announced in the IPv6 IGP by the AFT64 (LSN64); the LSN IPv4 address pool is announced on the public IPv4 side
- N:1: multiple IPv6 addresses map to a single IPv4 address
- DNS64 is responsible for synthesizing IPv4-mapped IPv6 addresses: A records with an IPv4 address become AAAA records with the synthesized address PREFIX:IPv4 portion

*Note: ALGs for NAT64 and NAT44 are not necessarily the same; ALGs should be avoided in a CGN
Stateless AFT64
- The AFT keeps no binding state; the IPv6 <-> IPv4 mapping is computed algorithmically. Still application dependent
- IPv6 addresses assigned to IPv6 hosts: IPv4-translatable IPv6 addresses, format PREFIX:IPv4 portion:(SUFFIX)
- IPv6 addresses representing IPv4 hosts: IPv4-mapped IPv6 addresses, same format
- The ISP's IPv4 LIR address space is announced on the public IPv4 side; the IPv6 prefix is announced in the IGP by the AFT64 (LSN64)
- 1:1: a single IPv6 address maps to a single IPv4 address
- DNS64: incoming responses with A records (IPv4 address) become AAAA records with the synthesized address PREFIX:IPv4 portion:(SUFFIX); outgoing responses become A records carrying the IPv4 portion

*USAGE: 464 dIVI (MAP-T) or a v6 data centre (the IPv4 Internet accesses v6 content)
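The address arithmetic behind the Stateful AFT64 and Stateless AFT64 slides above, as an added example that is not part of the original deck or any Cisco product: it implements the RFC 6052 layout of IPv4-embedded IPv6 addresses for every allowed prefix length (the reserved 'u' byte at bits 64-71 is what makes anything shorter than /96 non-obvious), the inverse extraction a translator performs after checking the destination is actually inside its prefix, DNS64 synthesis that leaves native AAAA answers alone, and the 1:1 stateless case in which both outer IPv4 addresses are computed. The well-known prefix 64:ff9b::/96 is from RFC 6052; the prefix 2001:db8:ffff::/96 and the host addresses are constructed sample data.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Dict, List, Tuple

# Well-known NAT64 prefix (RFC 6052 section 2.1); an operator may use a
# network-specific prefix of any of the lengths below instead.
WELL_KNOWN_PREFIX = IPv6Network("64:ff9b::/96")
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed_ipv4(prefix: IPv6Network, v4: IPv4Address) -> IPv6Address:
    """IPv4-embedded IPv6 address per RFC 6052 section 2.2.

    The IPv4 octets follow the prefix, except that byte 8 (bits 64-71, the
    reserved 'u' byte) is skipped and left zero; for a /96 prefix the four
    octets simply occupy the last 32 bits.
    """
    if prefix.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{prefix.prefixlen}")
    body = bytearray(prefix.network_address.packed)  # prefix bits, rest zero
    pos = prefix.prefixlen // 8
    for octet in v4.packed:
        if pos == 8:
            pos += 1
        body[pos] = octet
        pos += 1
    return IPv6Address(bytes(body))


def extract_ipv4(prefix: IPv6Network, v6: IPv6Address) -> IPv4Address:
    """Inverse of embed_ipv4, as done by the translator on the IPv6 side.

    The membership check is the one a NAT64 must perform before touching a
    packet: an IPv6 destination outside the configured prefix is not for us.
    """
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside NAT64 prefix {prefix}")
    raw = v6.packed
    pos = prefix.prefixlen // 8
    octets = bytearray()
    while len(octets) < 4:
        if pos == 8:
            pos += 1
            continue
        octets.append(raw[pos])
        pos += 1
    return IPv4Address(bytes(octets))


def dns64_synthesize(answers: Dict[str, List[str]],
                     prefix: IPv6Network = WELL_KNOWN_PREFIX) -> List[IPv6Address]:
    """DNS64 behaviour: if the real answer already carries AAAA records they
    are returned untouched; only when there are none is one AAAA synthesized
    per A record, so native IPv6 reachability always wins over translation."""
    native = [IPv6Address(a) for a in answers.get("AAAA", [])]
    if native:
        return native
    return [embed_ipv4(prefix, IPv4Address(a)) for a in answers.get("A", [])]


def stateless_translate(translatable_prefix: IPv6Network, mapped_prefix: IPv6Network,
                        src6: IPv6Address, dst6: IPv6Address) -> Tuple[IPv4Address, IPv4Address]:
    """Stateless AFT64 (1:1): the IPv6 host's own address is IPv4-translatable
    (it embeds its public IPv4) and the destination embeds the IPv4 server, so
    both outer IPv4 addresses are computed and no binding table exists."""
    return extract_ipv4(translatable_prefix, src6), extract_ipv4(mapped_prefix, dst6)


if __name__ == "__main__":
    # Constructed answer for an IPv4-only server (sample data, not a real lookup)
    print(dns64_synthesize({"A": ["192.0.2.33"]}))
    translatable = IPv6Network("2001:db8:ffff::/96")       # assumed operator prefix
    host6 = embed_ipv4(translatable, IPv4Address("198.51.100.7"))
    print(host6, stateless_translate(translatable, WELL_KNOWN_PREFIX,
                                     host6, IPv6Address("64:ff9b::c000:221")))
```

The six test vectors for 192.0.2.33 in RFC 6052 section 2.4 are reproduced exactly by embed_ipv4, which is the quickest way to validate a home-grown implementation before trusting it with a network-specific prefix shorter than /96.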
Stateless NAT64 applied (dIVI, dual46 or 464)

[Diagram: IPv4-only private hosts - CPE (stateful NAT46 + port-set) - IPv6 access - Gateway (stateless NAT64) - IPv4 public / IPv6 Internet]

- draft-mdt-softwire-map-translation-00 (MAP-T)
- Demo code ready (ASR1000 World V6 Congress demo)
- Employs port-restricted NAT44 + stateless NAT46 on the CPE to give IPv4-only hosts access to the IPv4 Internet; also enables IPv6-only devices to access the IPv4 Internet
- Algorithmic mapping (based on a configured or well-known schema) of IPv4 ports to/from the IPv6 address
- Translation employs IPv4-embedded IPv6 addresses (MAP-T translates rather than encapsulates)
- Stateless NAT64 at the gateway; can also be enabled in stateful mode for other IPv6-only clients
- IPv6 hosts use native addressing and IPv6 routing to the public IPv6 Internet
Future: no rough consensus in the IETF yet

[Diagram: IPv4-only private hosts - CPE (stateful port-restricted NAT44 + v6 encapsulation) - IPv6 access - BR (stateless relay) - IPv4 public / IPv6 Internet]

- 4RD (draft-despres-softwire-4rd-u): header mapping from 4 to 6 (with fragment header)
- MAP-E (draft-mdt-softwire-map-encapsulation): tunneling 4 over 6
- Keeps NAT44 on the CPE where it is today, just adds port restriction to tackle the v4 exhaust
- Avoids a central stateful CGN

[Diagram: IPv4-only private hosts - CPE (B4: no NAT, v6 tunneling) - IPv6 access - AFTR (stateful CGN44) - IPv4 public / IPv6 Internet]

- DS-Lite (draft-ietf-softwire-dual-stack-lite): available today (CRS/ASR9K, some CPEs)
- Removes NAT44 from the CPE where it is today and moves it to a central CGN
- Dumb tunneling; no direct user-to-user v4 traffic (everything must go through the central AFTR)
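The "port-restricted NAT44" that the MAP-T and MAP-E/4RD slides above rely on, as an added example that is not from the deck or from the drafts' authors: it computes a subscriber's port set with the MAP generalized modulus algorithm (taken from RFC 7597 appendix B, the standardised successor of the draft-mdt-softwire-map work cited above; the assumption here is that the drafts' scheme is the same), runs a CPE NAT44 that may only allocate public ports from that set, and shows the BR ingress check that rejects a port outside the sender's set. The parameters a=6, k=4, the public address 192.0.2.1 and the PSID values are constructed; in a real MAP domain the BR derives the expected PSID from the subscriber's IPv6 address, which is outside this block.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PortSetParams:
    """MAP port-set parameters (generalized modulus algorithm, RFC 7597 appendix B).

    offset_bits ('a'): A=0 is excluded, so with a=6 the system ports 0..1023
    are never handed to a subscriber.
    psid_bits ('k'): 2^k subscribers share one public IPv4 address (16 here).
    """
    offset_bits: int = 6
    psid_bits: int = 4

    @property
    def m_bits(self) -> int:
        # contiguous ports per range = 2^m
        return 16 - self.offset_bits - self.psid_bits


def port_set(psid: int, p: PortSetParams = PortSetParams()) -> List[Tuple[int, int]]:
    """All (start, end) port ranges owned by a PSID: port = A<<(16-a) | PSID<<m | M."""
    if not 0 <= psid < (1 << p.psid_bits):
        raise ValueError(f"PSID {psid} does not fit in {p.psid_bits} bits")
    ranges = []
    for a in range(1, 1 << p.offset_bits):          # A=0 excluded by design
        start = (a << (16 - p.offset_bits)) | (psid << p.m_bits)
        ranges.append((start, start + (1 << p.m_bits) - 1))
    return ranges


def psid_of_port(port: int, p: PortSetParams = PortSetParams()) -> Optional[int]:
    """PSID that owns a port, or None for the excluded low ports (A=0)."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    if port >> (16 - p.offset_bits) == 0:
        return None
    return (port >> p.m_bits) & ((1 << p.psid_bits) - 1)


class PortRestrictedNat44:
    """The CPE-side NAT44 of the slides: stateful on the CPE, but it only ever
    allocates public ports from its own PSID's port set, so the network needs
    no central CGN state to know which subscriber owns a (address, port)."""

    def __init__(self, public_ip: str, psid: int, p: PortSetParams = PortSetParams()) -> None:
        self.public_ip = public_ip
        self.psid = psid
        self.free: Deque[int] = deque(port for s, e in port_set(psid, p)
                                      for port in range(s, e + 1))
        self.bindings: Dict[Tuple[str, int, str], int] = {}

    def translate(self, private_ip: str, private_port: int, proto: str = "tcp") -> Tuple[str, int]:
        """Outbound flow: reuse the existing binding or take the next free port."""
        key = (private_ip, private_port, proto)
        if key not in self.bindings:
            if not self.free:
                raise RuntimeError("port set exhausted for this subscriber")
            self.bindings[key] = self.free.popleft()
        return self.public_ip, self.bindings[key]


def br_accepts(public_port: int, expected_psid: int, p: PortSetParams = PortSetParams()) -> bool:
    """BR ingress check: a packet from a subscriber's IPv6 address must carry a
    source port from that subscriber's PSID; anything else is a spoof attempt
    (or a misconfigured CPE) and is dropped rather than translated."""
    return psid_of_port(public_port, p) == expected_psid


if __name__ == "__main__":
    print(port_set(3)[:3], "...", len(port_set(3)), "ranges")
    cpe = PortRestrictedNat44("192.0.2.1", psid=3)        # constructed values
    print(cpe.translate("10.0.0.5", 40000))
    print(br_accepts(1216, 3), br_accepts(1280, 3))
```

With a=6 and k=4 every subscriber owns 63 ranges of 64 ports (4032 in total), interleaved across the whole port space above 1023 rather than one contiguous block; that interleaving is why the BR must use the algorithm, not a range comparison, to validate a port.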
Concept (draft-ietf-softwire-gateway-init-ds-lite)

[Diagram: UE - access tunnel - PGW - IP/MPLS - Carrier Grade NAT (CGN) - public IPv4 Internet]

The inside portion of the NAT binding is identified by the combination of CID, tunnel identifier and optionally other identifiers; flow association in NA(P)T44:

  Inside                                          Outside
  VPN1 / 10.1.1.1 / Tunnel1 / CID-1 / TCP 4444    134.95.166.10 / TCP 7777
  VPN2 / 10.1.1.1 / Tunnel2 / CID-2 / TCP 8888    134.95.166.10 / TCP 5555

- DS-Lite is not for mobile: it would require phone OS changes (unrealistic)
- GI-DS-Lite: the gateway tunnels traffic which requires NAT44 towards the CGN (selective extension of access tunneling)
- Gateway and CGN use the Context-ID (e.g. private IP address) for flow identification
- No changes to the UE (phone OS), access or roaming architecture
- Tunnel encapsulations: MPLS (typical today), IPinIP or GRE in future
IPv6 in Mobile: Role in 3G and EPS
Recommendation (clause 10)

3GPP specifications recognize two main strategies to provide IPv6 connectivity to UEs.
For the first strategy, the operator may provide IPv4 and IPv6 connectivity for the UE. According to the scenario considered, the operator will assign a public IPv4 address or a private IPv4 address in addition to an IPv6 prefix. The operator can select one of the technical solutions described in clause 7 of this document.
The second strategy, consisting of providing the UE with IPv6-only connectivity, can be considered as a first stage or an ultimate target scenario for operators. The operator can use NAT64/DNS64 capability to access to IPv4-only services if access to IPv4 services is needed.

Note: Clause 7 lists 3 solutions: 1) NAPT44; 2) GI-DS-lite (encapsulations defined in 3GPP: GRE and MPLS VPN); 3) Stateful NAT64
Already being done by T-Mobile USA
- Their reasons make perfectly good sense, and they are proving it can work
- Problem: v4-only apps (e.g. Skype)

"...Busiest day for a NAT64 box is the day you turn it on for the first time..."

Source: Google IPv6 Implementors Conference, Cameron Byrne, T-Mobile: https://sites.google.com/site/ipv6implementors/2010/agenda/13_Byrne_T-Mobile_IPv6GoogleMeeting.pdf?attredirects=0
http://www.networkworld.com/community/blog/testing-nat64-and-dns64
PDP Types: IPv4, IPv6 and IPv4v6

IPv4v6 (dual stack):
- introduced in the EPC from 3GPP Release 8
- in the 2G/3G SGSN/GGSN from 3GPP Release 9

[Diagram: eNodeB - SGW - PGW with PCRF/AAA/DHCP behind it, serving an IPv4-public and an IPv6-public PDN]
Select GGSN for a given APN (UE, SGSN, GGSN, AAA, DHCP)

1. Attach Request (UE -> SGSN)
2. Create PDP Context Request (APN, QoS, PDP-type=IPv6, ...) with an empty UE IP address for dynamic allocation
3. /64 prefix allocation at the GGSN, 3 options: Option 1 /64 prefix allocation from a local pool; Option 2 prefix retrieval from AAA; Option 3 DHCPv6 PD
4. Create PDP Context Reply (UE IP address, protocol config options e.g. DNS server list, cause); the prefix is communicated to the SGSN
5. Attach Accept
6. Router Solicitation / Router Advertisement (SLAAC)
7. DHCPv6 Information Request -> DHCPv6 Relay Forward; DHCPv6 Relay Reply -> DHCPv6 Reply
IPv6 config, 1 method: SLAAC after the bearer setup (/64 prefix); Rel-10: DHCPv6-PD (enables a mobile router)
IPv4 config, 2 methods: within the EPS bearer setup signaling (typical), or DHCPv4 (DHCP optional on UE and PGW)

EPS attach (UE, eNB, MME, SGW, PGW, HSS/AAA, DHCP):
1. Attach Request (UE -> eNB -> MME); authentication of the UE
2. Create Session Request (APN, QoS, PDN-type=IPv6, ...) with an empty UE IP address for dynamic allocation, MME -> SGW -> PGW
3. /64 prefix allocation at the PGW, 3 options: Option 1 /64 prefix allocation from a local pool; Option 2 prefix retrieval from AAA; Option 3 DHCPv6 PD
4. Create Session Response (UE IP address, protocol config options e.g. DNS server list, cause); the prefix is communicated to SGW/MME
5. Attach Accept / Initial Context Setup Request (per MME params); radio bearer setup and reconfiguration; Direct Transfer (incl. Attach Complete); Initial Context Setup Response; Attach Complete
6. Uplink data; Modify Bearer Request/Response; downlink data
7. Router Solicitation / Router Advertisement (SLAAC)
8. DHCPv6 Information Request -> DHCPv6 Relay Forward; DHCPv6 Relay Reply -> DHCPv6 Reply
[Diagram: 2G/3G network: 2G MS, 3G MS/NodeB, Femto HNB, RNC (RAN) - SGSN - Gn/Gp (GTP) - GGSN - Gi with policy, DPI, NAT, WAP, DMZ towards content providers and the Internet; core network with GRX, IMS core, DNS, RADIUS, quota server, DHCP, charging gateway (Ga, GTP), billing system, roaming/signaling partners and IXC]

Element                | Design consideration (if IPv6 is used for internet & internal apps)  | Impact
eNodeB                 | Radio layer, can use IPv4 backhaul                                    | No
RNC                    | Iu-CS/Iu-PS can use IPv4 backhaul                                     | No
SGSN                   | Initiates mobile APN query & authentication                           | Yes
HLR/HSS                | IPv6 capable                                                          | Yes
GGSN                   | IPv6 PDP, standard IPv6 features, prefix allocation                   | Yes
Billing                | Mediation and processing of IPv6 CDRs                                 | Yes
DPI, Quota Server      | Pre-paid implementation, IPv6 parsing & CDR capability                | Yes
WAP, Data Accelerator  | IPv6 packet compression, cache capability                             | Yes
Firewalls              | IPv6 rule capability, performance                                     | Yes
DNS                    | IPv6 DNS capability                                                   | Yes
Two IPv6 Deployment Domains

[Diagram: EPC reference architecture and its interfaces: S1-MME (S1-AP), S1-U (GTP-U),S12 (GTP-U), S3/S10/S11 (GTP-C), S4 (GTP-C, GTP-U), S5 (GTP-C, GTP-U or PMIPv6, GRE), S6a/S6b/SWx/SWm (DIAMETER), Gx/Gxa/Gxb/Gxc (Gx+), Rx+, S2a (PMIPv6, GRE, MIPv4 FACoA), S2b (PMIPv6, GRE), STa (RADIUS, DIAMETER), SWa/SWn (TBD), SWu (IKEv2, MOBIKE, IPsec), SGi to the operator's x-CSCF and IP services; elements: UE, eNB, E-UTRAN, UTRAN, GERAN, SGSN, MME, S-GW, PDN-GW, HSS, PCRF, 3GPP AAA, ePDG, trusted and untrusted non-3GPP IP access]

Initial deployment objective / driver:
1. Enable IPv6 customer applications: IPv6 for user plane interfaces; IPv6 related attributes for control plane interfaces; IPv6 related attributes for policy/charging/control interfaces
2. Enable IPv6 transport: IPv6 Home-PLMN; IPv6 Visited-PLMN; IPv6 Interconnect-PLMN
Transport Options: GTP or PMIPv6 (since R8)
Note: protocol choice analysis in TR 29.803

[Diagram: the same EPC reference architecture (SAE, 23.402) with the user-plane protocol stacks per architecture]

- GTP-based architecture (3G/4G): user plane IPv4/IPv6 over GTPv1/v0-U over UDP over IPv4/IPv6, between SGSN/SGW and GGSN/PGW
- Non-3GPP access (SAE, 23.402): user plane IPv4/IPv6 over IPsec from the AP (e.g. Femto-AP) to the ePDG, then GRE (PMIPv6) from the ePDG to the PGW
- MIP-based architecture (SAE, 23.402): user plane IPv4/IPv6 over GRE over IPv4/IPv6, between SGW and PGW
- SP WiFi offload uses PMIP too
- Hardware-based implementation: MAG/LMA in ASR1000, LMA in ASR5000
IPv6 in Wireline: PPPoE and IPoE sessions
Basic authentication/authorization + DHCP-PD (Routed RG - Ethernet or DSL Access Node - BNG - RADIUS AAA - DHCPv6)

1. PPPoE discovery, PPP LCP
2. RADIUS Access-Request: User-Name "user1", line-id (PPPoE tag), Framed-Protocol PPP
3. RADIUS Access-Accept: Service-Type Framed, (optional) Framed-IPv6-Prefix
4. PPP IPv6CP: link-local addresses
5. SLAAC: ICMPv6 Router Advertisement with the O-bit set (optional prefix); default route to the BNG installed on the RG
6. DHCPv6 Solicit (PD + DNS) -> DHCPv6 Relay-Forward to the DHCPv6 server; DHCPv6 Relay-Reply -> DHCPv6 Reply* (PD=2001:DB8:AAAA::/56, DNS server=2001:DB8:BB::1); PD route installed on the BNG
7. On the LAN: ICMPv6 RA from the RG with the O-bit, SLAAC prefix 2001:DB8:AAAA::/64 (taken from the delegated /56); the host gets 2001:DB8:AAAA::1 + default route; DHCPv6 Information Request / Reply for DNS=2001:DB8:BB::1

* Assuming DHCPv6 rapid commit is in effect
1:1 VLAN (QinQ)

[Diagram: Access Node - BNG, one 1:1 VLAN per customer (Customer 1, Customer 2)]

- At L2, IPv6oE with 1:1 VLANs resembles PPPoE
- Moderate changes to the Access Node to support IPv6: it needs to forward the v6 ethertype
- A point-to-point broadcast domain does not require any special L2 forwarding constraints on the Access Node, and SLAAC and Router Discovery work the same
- Line identifier used for the 1:1 VLAN mapping = (S-TAG, C-TAG)
- However, 1:1 VLANs and IPoE do require some extra BNG functionality: statically pre-configured VLAN subinterfaces with IPv6 parameters (e.g. RA + services), ND + ND cache limit, DHCPv6 PD server or relay
- DHCPv6-PD or DHCPv6 server capabilities can be used at the BNG to delegate a prefix for the home network
N:1 VLAN (802.1Q)

[Diagram: Ethernet or DSL Access Node - BNG with a shared subnet (split-horizon): just link-local, or an NMS /64; Customer 1 gets X::/56, Customer 2 gets Y::/56 over the same N:1 VLAN]

Split-horizon L2 forwarding rule
- User-to-user traffic is blocked at L2 (NBMA network behavior)
- The BNG is the default gateway for the CPEs (all traffic goes via the BNG), no proxy-ND

Subscriber line identification
- The VLAN no longer provides a mapping of the subscriber line
- LDRA (Lightweight DHCP Relay Agent) on the Access Node conveys the Option 37 line-id as the circuit-id and remote-id (draft-ietf-dhc-dhcpv6-ldra-03)
- DHCPv6 is needed, SLAAC is not enough: SLAAC has no line-id insertion, problems with failure recovery with RA, and no DNS
N:1 VLAN + DHCP-PD + AAA (Routed RG - Ethernet or DSL Access Node - BNG - RADIUS AAA - DHCPv6)

1. ICMPv6 RA from the BNG with the O-bit set
2. DHCPv6 Solicit (PD + DNS) from the RG; the Access Node inserts the circuit-id and relays it: DHCPv6 Relay-Forward (SOLICIT + Interface-id)
3. BNG: RADIUS Access-Request (DUID, Interface-id); RADIUS Access-Accept
4. BNG relays on: DHCPv6 Relay-Forward to the DHCPv6 server; DHCPv6 Relay-Reply back
5. BNG -> Access Node: DHCPv6 Relay-Reply (Reply + Interface-id); PD route installed on the BNG; Access Node -> RG: DHCPv6 Reply (PD=2001:DB8:AAAA::/56, DNS server=2001:DB8:BB::1)
6. On the LAN: ICMPv6 RA from the RG with the O-bit, SLAAC prefix 2001:DB8:AAAA::/64; the host gets 2001:DB8:AAAA::1 + default route; DHCPv6 Information Request / Reply for DNS=2001:DB8:BB::1
Features (RP2+ESP20)
PPPoEoQinQ dual-stack sessions (PTA): 32,000
QinQ sub-interfaces: 32,000
H-QoS on PTA sessions: 32,000
Per-user ACL: 1 ACE per ACL, input ACL only
Downstream unicast traffic: 2 Gbps (64 byte)
Upstream unicast traffic: 2 Gbps (64 byte)
uRPF: enabled per session
AAA accounting: Start-Stop accounting
PPP keepalives: 30 seconds
High availability: SSO

Today (3.6S) we can do much more: per-session CGN NAT44, IPv6 uplink, AVC (DPI), ISGv6, 6VPE VRF, 48K/64K sessions
6rd IPv6 prefix and customer IPv6 prefix layout (bit positions 0, 32, 56, 64):
bits 0-32: 6rd prefix 2011:1000 (in this example the 6rd prefix is /32)
bits 32-56: customer's IPv4 address without the leading "10." (24 bits), e.g. 1.1.1
bits 56-64: Subnet-ID
bits 64-128: Interface ID

Any number of IPv4 bits may be masked off, as long as they are common for the entire domain. This is very convenient when deploying with a CGSE (private IPv4 on the access side), but is equally applicable to aggregated global IPv4 space.
[Diagram: 6rd CE (IPv4 + IPv6 on the LAN) - IPv4 access - 6rd Border Relays - core / Internet]

IF the 6rd IPv6 prefix matches (positive match, destination = inside the 6rd domain: 2001:100 | 8101:0101 | Interface ID)
THEN encapsulate in IPv4 with the embedded IPv4 address (using the normal 6to4 encapsulation)
ELSE (negative match, IPv6 destination = outside the 6rd domain: not 2001:100 | Interface ID)
encapsulate with the BR IPv4 anycast address
Between Subscriber and Internet, Private IPv4 Address

Packet format legend: [IPv4 destination | IPv4 source | IPv6 destination | IPv6 source | payload]

Upstream (subscriber network, v4+v6 -> 6rd RG -> IPv4 access network -> BNG -> ISP IPv4 core -> 6rd BR -> ISP IPv6 core -> IPv6 Internet):
- Subscriber network: [2001:4860:0:1001::68 | 3456:789:0003:0101::1 | payload]
- 6rd RG encapsulates towards the BR anycast address: [10.100.100.1 | 10.3.1.1 | 2001:4860:0:1001::68 | 3456:789:0003:0101::1 | payload]
- 6rd BR decapsulates: [2001:4860:0:1001::68 | 3456:789:0003:0101::1 | payload]

Downstream (IPv6 Internet -> 6rd BR -> IPv4 core -> BNG -> access -> 6rd RG -> subscriber network):
- IPv6 Internet: [3456:789:0003:0101::1 | 2001:4860:0:1001::68 | payload]
- 6rd BR copies the v4 address from the v6 destination and encapsulates: [10.3.1.1 | 10.100.100.1 | 3456:789:0003:0101::1 | 2001:4860:0:1001::68 | payload]
- 6rd RG decapsulates: [3456:789:0003:0101::1 | 2001:4860:0:1001::68 | payload]

Address legend
10.100.100.1: 6rd BR anycast address
10.3.1.1: RG private IPv4 address, obtained via DHCPv4
2001:4860:0:1001::68: www.google.com IPv6 address
3456:789:0003:0101::1: RG IPv6 address, v6 prefix derived from the v4 address, SP IPv6 prefix 3456:789/28 obtained via a new DHCPv4 option or TR-069
Between Subscribers, Private IPv4 Address

Packet format legend: [IPv4 destination | IPv4 source | IPv6 destination | IPv6 source | payload]

RG1 -> RG2 (the BR is not involved; the packet stays in the IPv4 access/core network):
- Subscriber network 1: [3456:789:0003:0201::1 | 3456:789:0003:0101::1 | payload]
- 6rd RG1 extracts the peer's IPv4 address from the v6 destination and encapsulates: [10.3.2.1 | 10.3.1.1 | 3456:789:0003:0201::1 | 3456:789:0003:0101::1 | payload]
- The packet traverses the IPv4 access network, BNG and ISP IPv4 core unchanged
- 6rd RG2 decapsulates: [3456:789:0003:0201::1 | 3456:789:0003:0101::1 | payload]

Address legend
10.3.2.1: RG2 private IPv4 address
10.3.1.1: RG1 private IPv4 address
3456:789:0003:0201::1: RG2 IPv6 address, v6 prefix derived from the v4 address, SP IPv6 prefix 3456:789/28
3456:789:0003:0101::1: RG1 IPv6 address, v6 prefix derived from the v4 address, SP IPv6 prefix 3456:789/28
Security
- Anti-spoofing: the 6rd BR checks that the IPv6 source address matches the encapsulating IPv4 source address
- The 6rd RG (CPE) also verifies that the outer IPv4 source (the BR anycast address) is consistent with the inner IPv6 source

QoS
- The v6 DSCP is automatically copied into the v4 header
- QoS pre-classify supported

HA
- 6rd is stateless: no SSO needed at the 6rd BR
- We use anycast (the same /32s in the IGP, the nearest BR is chosen)

Scale and Performance
- ASR1000, 7600 (ES+ since 15.1(3)S)
- 512 6rd tunnel interfaces (meaning 512 6rd domains)
- VRF awareness
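The three 6rd computations spread over the slides above (delegated prefix construction with masked-off common IPv4 bits, the CE's inside/outside-domain encapsulation decision, and the BR anti-spoofing check), as an added example that is not code from the deck or from Cisco. It follows RFC 5969; the domain parameters 2001:db8::/32, the masked "10." common bits, the BR anycast address 10.100.100.1 and all subscriber addresses are constructed sample values.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Optional, Union

AddrLike = Union[str, IPv6Address]


class SixRdDomain:
    """One 6rd domain (RFC 5969) as seen by a CE (RG) and by the BR.

    ipv4_mask_len is the number of high IPv4 bits common to every CE in the
    domain (8 here: the leading "10." is dropped, as on the slide). Only the
    remaining 32 - ipv4_mask_len bits are embedded right after the 6rd prefix,
    which is what turns a /32 6rd prefix into a /56 delegated prefix.
    """

    def __init__(self, sixrd_prefix: str, ipv4_mask_len: int,
                 ipv4_common: str, br_anycast: str) -> None:
        self.prefix = IPv6Network(sixrd_prefix)
        self.v4_bits = 32 - ipv4_mask_len
        self.v4_mask = (1 << self.v4_bits) - 1
        self.common = int(IPv4Address(ipv4_common)) & ~self.v4_mask & 0xFFFFFFFF
        self.br = IPv4Address(br_anycast)
        self.delegated_len = self.prefix.prefixlen + self.v4_bits
        if not 0 <= self.v4_bits <= 32 or self.delegated_len > 64:
            raise ValueError("6rd prefix and IPv4 mask length do not fit in 64 bits")

    def delegated_prefix(self, ce_ipv4: str) -> IPv6Network:
        """The subscriber's delegated prefix: 6rd prefix followed by its IPv4 bits."""
        v4_part = int(IPv4Address(ce_ipv4)) & self.v4_mask
        net = int(self.prefix.network_address) | (v4_part << (128 - self.delegated_len))
        return IPv6Network((net, self.delegated_len))

    def ipv4_of(self, v6: AddrLike) -> Optional[IPv4Address]:
        """IPv4 address embedded in an in-domain IPv6 address, None if outside."""
        if isinstance(v6, str):
            v6 = IPv6Address(v6)
        if v6 not in self.prefix:
            return None
        v4_part = (int(v6) >> (128 - self.delegated_len)) & self.v4_mask
        return IPv4Address(self.common | v4_part)     # restore the masked bits

    def ce_encap_destination(self, dst_v6: AddrLike) -> IPv4Address:
        """CE rule from the slide: in-domain destination -> embedded IPv4 of the
        peer CE (direct 6in4, no BR), anything else -> BR anycast address."""
        peer = self.ipv4_of(dst_v6)
        return peer if peer is not None else self.br

    def br_accepts(self, outer_src_v4: str, inner_src_v6: AddrLike) -> bool:
        """BR anti-spoofing: the IPv4 source that carried the packet must equal
        the address embedded in the inner IPv6 source, otherwise a CE could
        inject traffic on behalf of another subscriber's prefix."""
        expected = self.ipv4_of(inner_src_v6)
        return expected is not None and expected == IPv4Address(outer_src_v4)


if __name__ == "__main__":
    dom = SixRdDomain("2001:db8::/32", 8, "10.0.0.0", "10.100.100.1")
    print(dom.delegated_prefix("10.3.1.1"))                # 2001:db8:301:100::/56
    print(dom.ce_encap_destination("2001:db8:302:100::1"))  # peer CE 10.3.2.1
    print(dom.ce_encap_destination("2001:4860:0:1001::68"))  # BR anycast
    print(dom.br_accepts("10.3.1.1", "2001:db8:301:100::1"),
          dom.br_accepts("10.3.1.1", "2001:db8:302:100::1"))
```

A second domain with ipv4_mask_len=0 reproduces the plain RFC 5969 case in which the full 32-bit public address is embedded and a /32 6rd prefix yields a /64 per subscriber.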
Source: http://home.cisco.com/en-us/ipv6

Goal is a universal dual-stack home gateway (6RD on by default).

Cisco CGN Products: ASR1000, ASR5000, ASR9000, CRS
CRS: CGSE PLIM + FP40 (NAT44, NAT64, 6rd, DS-Lite); 20M xlates, 1M sps, 20 Gbps
ASR9000: ISM module (NAT44, DS-Lite); BNG NAT44 for PPPoE sessions; 20M xlates, 1M sps, 15 Gbps
ASR5000: per-subscriber GGSN/PGW NAPT, Gi firewall, DPI, charging; 120M xlates, 1M sps
ASR1000: integrated (NAT44, NAT64, 6rd); BNG NAT44 for PPPoE sessions; 2M xlates, 100K sps, 20 Gbps
XR12000: CGN daughter card for the PRP-3 (NAT44, future NAT64); 10M xlates, 250K sps, 6 Gbps
CGSE, Carrier Grade Services Engine

Introducing the new engine for massive Cisco CGv6 deployments
- 20+ million sessions
- 1+ million sessions per second [sps]
- 20 Gb/s of throughput
- Up to 240M xlates (12 CGSEs per chassis)
- CGSE PLIM: 64K global IPs (hundreds of thousands of users)
- Intra- or inter-chassis redundancy

CGN features: subscriber port limit; per L4 protocol/port timers; static port forwarding; NetFlow v9 logging; RTSPv1 ALG
IPv6 preparation: 6rd BR (XR 3.9.3); stateless NAT64 (XR 3.9.3); stateful NAT64 (XR 4.1.2); DS-Lite, bulk port allocation and syslog (4.2.1); destination-based logging (4.2.1, 4.3)
Future: PCP, PPTP ALG, MAP
Inside VRF: private IPv4, subscribers VLAN, App interface (dest 0.0.0.0/0 -> AppSVI1)
Outside VRF: public IPv4 VLAN, App interface (dest NAT pool -> AppSVI2)
[Diagram: inside VRF interface - CGSE - outside VRF interface]

Translation table
Inside            Outside
10.12.0.29:334    100.0.0.221:18808
10.12.0.29:856    100.0.0.221:40582
...

- VRFs separate the private and public routing tables; interfaces are associated with a VRF
- ServiceApp interfaces are used to send packets to/from the CGSE

Timers (per CGN instance), default values:
ICMP: 60 sec
UDP init: 30 sec
UDP active: 120 sec
TCP init: 120 sec
TCP active: 30 min
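A stateful NA(P)T44 binding table in the style of the CGSE slide above and of the GI-DS-Lite binding example earlier (the two subscribers who both use 10.1.1.1 behind different tunnels), as an added example that is not code from the deck or from any Cisco product. It keys the inside half of each binding on a context ID plus the private tuple, applies the slide's default init/active timers per protocol, caps ports per subscriber, and hands ports out in bulk blocks so that one log record covers a whole block instead of one per session, which is the point of bulk port allocation for lawful-intercept and abuse-report logging. The public address 100.0.0.221, the block size, the port limit and the injectable clock are constructed for the example.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional, Tuple

InsideKey = Tuple[str, str, str, int]   # (context id, private ip, proto, private port)


class CarrierGradeNat:
    """Stateful NA(P)T44 binding table with context-aware inside keys.

    Two subscribers that both use 10.1.1.1 behind different tunnels/VPNs get
    distinct bindings because the context ID is part of the key (GI-DS-Lite).
    Ports are allocated per subscriber in bulk blocks, logged per block, and
    a per-subscriber port limit caps how much of a shared public address one
    subscriber (or one malware-infested host) can consume.
    """

    # Default timers from the slide, in seconds
    TIMEOUTS = {"icmp": 60, "udp_init": 30, "udp": 120, "tcp_init": 120, "tcp": 1800}

    def __init__(self, public_ips: List[str], port_limit: int = 1024, bulk_size: int = 64,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.port_limit = port_limit
        self.bulk_size = bulk_size
        self.clock = clock
        self.log: List[str] = []
        self._next_port = {ip: 1024 for ip in public_ips}            # never hand out 0..1023
        self._released: Dict[str, Deque[int]] = defaultdict(deque)    # ip -> reusable block starts
        self._blocks: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
        self._bindings: Dict[InsideKey, dict] = {}
        self._reverse: Dict[Tuple[str, str, int], InsideKey] = {}

    def _new_block(self, sub: Tuple[str, str]) -> dict:
        held = len(self._blocks[sub]) * self.bulk_size
        if held + self.bulk_size > self.port_limit:
            raise RuntimeError(f"subscriber {sub[0]}/{sub[1]} reached port limit {self.port_limit}")
        for ip in list(self._next_port):
            if self._released[ip]:
                start = self._released[ip].popleft()
            elif self._next_port[ip] + self.bulk_size <= 65536:
                start = self._next_port[ip]
                self._next_port[ip] += self.bulk_size
            else:
                continue
            block = {"ip": ip, "start": start, "in_use": 0,
                     "free": deque(range(start, start + self.bulk_size))}
            self._blocks[sub].append(block)
            self.log.append(f"ALLOC sub={sub[0]}/{sub[1]} ip={ip} "
                            f"ports={start}-{start + self.bulk_size - 1}")
            return block
        raise RuntimeError("public address pool exhausted")

    def translate(self, cid: str, priv_ip: str, proto: str, priv_port: int) -> Tuple[str, int]:
        """Outbound packet: return (public ip, public port), creating a binding if needed."""
        now = self.clock()
        self.expire(now)
        key: InsideKey = (cid, priv_ip, proto, priv_port)
        b = self._bindings.get(key)
        if b is None:
            sub = (cid, priv_ip)
            block = next((blk for blk in self._blocks[sub] if blk["free"]), None) or self._new_block(sub)
            port = block["free"].popleft()
            block["in_use"] += 1
            b = {"pub_ip": block["ip"], "pub_port": port, "block": block, "established": False}
            self._bindings[key] = b
            self._reverse[(block["ip"], proto, port)] = key
        b["last"] = now
        return b["pub_ip"], b["pub_port"]

    def mark_established(self, cid: str, priv_ip: str, proto: str, priv_port: int) -> None:
        """Move a binding from the short init timer to the active timer."""
        self._bindings[(cid, priv_ip, proto, priv_port)]["established"] = True

    def inside_of(self, pub_ip: str, proto: str, pub_port: int) -> Optional[InsideKey]:
        """Inbound packet or abuse report: which inside tuple owns this public tuple?"""
        return self._reverse.get((pub_ip, proto, pub_port))

    def _timeout(self, proto: str, established: bool) -> int:
        if proto == "icmp" or established:
            return self.TIMEOUTS[proto]
        return self.TIMEOUTS[proto + "_init"]

    def expire(self, now: Optional[float] = None) -> int:
        """Tear down idle bindings; returns how many were removed."""
        now = self.clock() if now is None else now
        removed = 0
        for key, b in list(self._bindings.items()):
            if now - b["last"] > self._timeout(key[2], b["established"]):
                self._release(key, b)
                removed += 1
        return removed

    def _release(self, key: InsideKey, b: dict) -> None:
        del self._bindings[key]
        del self._reverse[(b["pub_ip"], key[2], b["pub_port"])]
        blk = b["block"]
        blk["free"].append(b["pub_port"])
        blk["in_use"] -= 1
        if blk["in_use"] == 0:                       # whole block idle: give it back, log once
            sub = (key[0], key[1])
            self._blocks[sub].remove(blk)
            self._released[blk["ip"]].append(blk["start"])
            self.log.append(f"FREE sub={sub[0]}/{sub[1]} ip={blk['ip']} "
                            f"ports={blk['start']}-{blk['start'] + self.bulk_size - 1}")
```

The expiry scan is linear for clarity; a real CGN keeps per-timer wheels, but the behaviour to reproduce is the same: a TCP binding that never completes the handshake disappears after the init timer, an established one lives 30 minutes, and a block is only released (and logged) when its last port is freed.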
CGSE
- Uses a line card slot, paired with an FP40
- Supports 20 Gbps aggregate bandwidth
- 20M NAT44 translations
- 15M NAT64 translations
- Octeon CPUs, 1M sps

[Block diagram: Service Engine PLIM (accelerator FPGAs, Octeon CPUs) connected to the Modular Services Card (iPSE/ePSE, ingress/egress queues, fabric queues) and the midplane/fabric; MSC types FP40, MSC20, MSC40]
ISM
- Uses a line card slot, connects via the fabric
- ISM supports 10 Gbps aggregate bandwidth
- 20M NAT44 translations (today)
- 15M NAT64 translations (planned)
- 1M sps

[Block diagram: ISM with management CPU, application memory, application CPUs (Intel), two 24 Gb bridges, I/O hub and fabric ASIC to the backplane, and two modular expansion cards]
Daughter card on the GSR PRP-3
- SMDC supports 10 Gbps aggregate bandwidth (~6 Gbps NAT)
- 10M NAT44 translations (today)
- 7M NAT64 translations (planned)
- 250K sps

SMDC (Service Module Daughter Card) on the PRP-3 (fast CPU, 8 GB DRAM, 80 GB HD)
- SMDC is field replaceable
- Dual PRP-3: 1:1 redundancy
ASR1000 NAT44 scale
ESP type          Session scalability   Forwarding performance   Translation setup/teardown rate (xlat/sec)
ESP5 / ASR 1001   256k                  3 Mpps                   50k
ESP10             1M                    6 Mpps                   100k
ESP20             2M                    8 Mpps                   200k
ESP40             2M                    9 Mpps                   200k

- The numbers above are based on a few NAT pools. The maximum number of NAT pools supported is 1200 on an ESP20/ESP40, 600 on an ESP10 and 300 on an ESP5, but session scalability is unknown when the number of NAT pools scales up
- ASR 1000 supports up to 16k static NAT entries in a single-RP system or with inter-box HA
- ASR 1000 supports up to 4k static NAT entries in a redundant-RP system
- Support for up to 1K VRFs for VRF-aware NAT
- The maximum number of interfaces is not limited by NAT
- The maximum number of ACLs is not limited by NAT, but by the standard TCAM ACL limit
- Route-map scaling maximum is 1024
ASR1000 NAT64 scale
ESP type          Session scalability   Forwarding performance   Translation setup/teardown rate (xlat/sec)
ESP5 / ASR 1001   256k                  2 Mpps                   70k
ESP10             1M                    4.2 Mpps                 100k
ESP20             2M                    5.5 Mpps                 175k
ESP40             2M                    5.5 Mpps                 180k

- Supports a maximum of 16k static entries
- The maximum number of interfaces is not limited by NAT64
- The maximum number of ACLs is not limited by NAT64, but by the standard TCAM ACL limit
- Stateful HA is possible; it is disabled by default for short-lived HTTP sessions (tcp/80) and enabled with:
  nat64 switchover replicate http enable port 80
Summary
- World IPv6 Launch 6/6/12
- IPv4 exhaust: business continuity
- CGN role and definition, RFC 4787
- CGN performance: SPS, number of sessions, logging
- Dual-stack in mobile and wireline networks
- NAT64: avoiding dual-stack
- Future 464 traversal technologies
- Related Cisco products
Thank you.
