BRKSPG-2602 (2019)


BRKSPG-2602

IPv4 Exhaustion:
NAT and Transition to
IPv6 for Service Providers
Rajiv Asati, Distinguished Engineer
Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#BRKSPG-2602

BRKSPG-2602 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Hmm… CGNAT issue, or something else?

IPv4 – Classic: but spare parts have run out
IPv6 – Next Gen: getting to full parity and end-to-end use takes time
Caution: a new road may be needed

Transition Technologies help to keep driving classic IPv4 around
Abstract
• Any Service Provider that has exhausted its IPv4 address pool will not only have to
deploy/offer IPv6, but also employ IPv4 sharing.
• This is because some content may be reachable only via the IPv4 internet, even though the
majority is available via the IPv6 internet.
• This session discusses a few technologies such as MAP-T/E, 464XLAT, DS-Lite and CGN
64/44 etc. that facilitate IPv4 sharing with and without IPv6.
• 6rd is included as a reference as well.
• It contrasts stateful and stateless translation techniques as well.
• This session is intended for Service Providers.
IPv6 Adoption Continues to increase… 25% globally
Source: https://www.akamai.com/ | Source: https://www.google.com/
Agenda
• Introduction
• Overview of Transition Technologies
• Single-Stack IPv4 – Obtain more IPv4
• Single-Stack IPv4 – CGN 44, 6rd
• Dual Stack – Impact ( & Happy Eyeballs)
• Single-Stack IPv6 – DS-Lite, MAP-T/E
• Single-Stack IPv6 – CGN 64
• IPv4 Address Sharing - Impact
• Conclusion

Recommended Approach (2005-2015)
RFC 4213: Deploy Dual-Stack and then move to IPv6-only
• Dual-Stack at the Clients
  • Windows, OSX, iOS, Android, Linux etc.
• Dual-Stack at the DC/Servers*
  • Windows, Linux etc.
• Dual-Stack at the Network
  • Routers: IOS, XR, NXOS etc.
  • Switches: NXOS, CatOS, IOS etc.
[Figure: IPv4+IPv6 clients (dual stack) → network → IPv4 and/or IPv6 destinations]
* RFC7755 prescribes Single-stack IPv6 for DC
Recommended Approach (2005 – 2015)
RFC 4213: Deploy Dual-Stack and then move to IPv6-only
• Dual-Stack at the Clients: ~90% of Desktop hosts and ~99% of Mobile hosts
  • Windows, OSX, iOS, Android, Linux etc. support Dual-Stack
Source – Mobile Operating System, Statistica, Jan 2017
Source – Desktop Operating System, Netmarketshare, Jan’14-Dec’16
Recommended Approach (2005 – 2015)
RFC 4213: Deploy Dual-Stack and then move to IPv6-only
• Dual-Stack at the Clients
  • Windows, OSX, iOS, Android, Linux etc.
  But IPv4 exhaustion means every client can NOT be assigned a public IPv4 address
• Dual-Stack at the DC/Servers*
  • Windows, Linux etc.
• Dual-Stack at the Network
  • Routers: IOS, XR, NXOS etc.
  • Switches: NXOS, CatOS, IOS etc.
  But IPv4 exhaustion means every network device may NOT be assigned a public IPv4 address
[Figure: IPv4+IPv6 clients (dual stack) → network → IPv4 and/or IPv6 destinations]
* RFC7755 prescribes Single-stack IPv6 for DC
IPv4 Address Exhaustion Impacts Differently
Impact on ISPs:
• Lack of IPv4 addresses for users
• Harder to grow the business
• IPv4 address sharing requires NAT
• Stateful NAT requires NAT logging
Impact on Users:
• IPv4 address sharing results in shared reputation (more on this later)
• Breaks applications
• Complicates operating servers
• Limits UDP/TCP ports per user
Transition Technologies
• Path towards IPv6 for Networks and CPEs (many are already here):
  • can’t enable IPv6 in Network or CPE
  • enable IPv6 (dual-stack) in Network, but not on CPEs
  • enable IPv6 (dual-stack) in Network and on CPEs
  • Simplify by removing IPv4 or building IPv6-only Network; CPEs stay on Dual-stack
  • Simplify by removing IPv4 or building IPv6-only Network and CPEs
• Your path may mean:
  • IPv6 co-existing with IPv4!
  • IPv6 interoperating with IPv4!
  • IPv4 address sharing by CPEs!
Towards IPv6 …with or without IPv4
Transition Technologies in One Slide
[Figure: roadmap from "This is where we are" (IPv4 address run-out; mostly IPv4, dual-stack) to "This is where we have to be" (mostly IPv6, single-stack). Two branches: Obtain More IPv4 Addresses, or Share IPv4 Addresses via CGN44, Dual Stack + CGN44, 6rd + CGN44*, DS-Lite, MAP and CGN64.]
1. CGN = Carrier Grade NAT - Stateful
2. Modified to support DS-Lite
Towards IPv6 …with or without IPv4
Transition Technologies in One Slide

| # | Option       | CPE LAN (IPv4 or IPv6) | CPE WAN (IPv4 or IPv6) | Tunnel or Translate? | In-network "State"? | Arbitrary IP addressing of CPE? | Extra CPE features? |
| 0 | Single-Stack | IPv4                   | IPv4                   | -NA-                 | -NA-                | Yes                             | No                  |
| 1 | Single-Stack | IPv4                   | IPv4                   | Translate            | Yes (CGN44)         | Yes                             | No                  |
| 2 | Dual-Stack   | IPv4 + IPv6            | IPv4 + IPv6            | -NA-                 | -NA-                | Yes                             | No**                |
| 3 | Dual-Stack   | IPv4 + IPv6            | IPv4 + IPv6            | Translate            | Yes (CGN44)         | Yes                             | No**                |
| 4 | DS-Lite      | IPv4 + IPv6            | IPv6                   | Both                 | Yes (CGN44)         | Yes                             | Yes                 |
| 5 | 6rd          | IPv4 + IPv6            | IPv4                   | Tunnel               | No                  | No                              | Yes                 |
| 6 | 6rd + CGN    | IPv4 + IPv6            | IPv4                   | Both                 | Yes (CGN44)         | No                              | Yes                 |
| 7 | MAP          | IPv4 + IPv6            | IPv6                   | Either               | No                  | Yes*                            | Yes                 |
| 8 | Single-Stack | IPv6                   | IPv6                   | Translate            | Yes (CGN64)         | Yes                             | Yes / No            |

* Allows both arbitrary and algorithmic mapping
** Changes needed if IPv6 is not supported by existing CPE
0. Obtain IPv4 Addresses
Host/CPE gets just IPv4 prefixes
[Figure: the "Transition Technologies in One Slide" roadmap, highlighting the "Obtain More IPv4 Addresses" branch]
0. Obtain IPv4 Addresses
• Obtain IPv4 addresses from a Regional Internet Registry (RIR) or the open market
  • RIR: may not have any left
  • Open market: USD $10-$15 per IPv4 address
• IPv6, well, is optional

• ADVANTAGES:
  • No CGN, no address sharing, no operational changes
  • No need to press for IPv6 deployment
• DISADVANTAGES:
  • If the business is growing, this only delays the inevitable
  • Geo-location needs to be updated (mileage varies)
  • No IPv6 deployed
  • Reputation might be bad
Carrier Grade NAT (CGN)
[Figure: the "Transition Technologies in One Slide" roadmap, highlighting the CGN44 options on the "Share IPv4 Addresses" branch]
1. CGN = Carrier Grade NAT - Stateful
2. Modified to support DS-Lite
CGN
• Single-Stack IPv4 requires CGN 44 if IPv4 addresses are shared
• Single-Stack IPv6 would require CGN 64, covered later
• Carrier Grade Network Address Translation
  • Address and Port Translator (NAPT), really
  • RFC5389: Endpoint Independent Mapping/Filtering (EIM and EIF)
  • Similar to residential NAT (Linksys, etc.), but large scale
  • Port Logging (e.g. syslog, netflow v9)
  • Per-user port limit
• In case of IPv4-only Clients with CGN44: using 100.64.0.0/10 instead of private IPv4 space is an option
• In case of IPv6-only Clients with CGN64: using GUA should be the only option, covered later
CGN (Supported on ASR9K, ASR1K, FirePower, CRS)
Private IPv4 Moves into SP
[Figure: stateful NAT function inside the SP network]
CGN (Supported on ASR9K, ASR1K, FirePower, CRS)
• Nicknamed NAT444 = NAT44 in home, NAT44 in ISP

• Advantages:
  1. Very well known technology
  2. No dependency on CPE router

• Disadvantages:
  1. Logging = huge storage
  2. Port Forwarding breaks
  3. Certain Applications may NOT sufficiently work
  4. Network/Routing Design Headache
  5. IPv4 address sharing efficiency
  6. Any application hardcoding a specific port# may not work without UPnPv2+PCP
CGN ALG, Logging etc.
ALG and Logging issues are applicable to all the solutions relying on CGN
[Figure: the "Transition Technologies in One Slide" roadmap, highlighting every option that includes a CGN]
1. CGN = Carrier Grade NAT - Stateful
2. Modified to support DS-Lite
CGN
Application Layer Gateway (ALG)
• ALG = Application awareness inside the NAT:
  • modifies IP addresses and ports in the application payload
  • creates NAT mappings
• Each application requires a separate ALG
  • FTP, SIP, RTSP, RealAudio, …
  • ALG needs to understand application nuances
• ALG requires:
  • Un-encrypted signaling (!!)
  • Restricted network topology
• Summary: ALG prevents application evolution and introduces bugs
CGN
Modern Applications Avoid Relying on ALG (Reference)
• FTP Passive Mode
• ICE (RFC5245) and STUN (RFC5389)
  • Intelligence in endpoint
  • Useful for offer/answer protocols (SIP, XMPP)
• RTSPv1 abandoned on the desktop
  • effectively replaced with Flash over HTTP, and soon HTML5
  • RTSPv2 has ICE-like solution
• Skype does its own NAT traversal
• Linksys disabled SIP ALGs around 2006
  • Because of bugs and incompatibilities with SIP endpoints
• Successful applications have to work everywhere
  • Coffee shop, home, work, hotel, airport, 3G
CGN
ALG related Operational Issues (Reference)
• Debugging / Troubleshooting Problems
  • SIP from vendor X works, but vendor Y breaks:
    1. Vendor Y violated standard?
    2. Vendor X has special sauce??
    3. ALG is broken???
• Delays (meanwhile: unhappy users)
  • Months for vendor turn-around for patches
  • Months for SP testing/qualification/upgrade window
• ALG can break competitor’s over-the-top application (e.g., SIP, streaming video)
  • Regulators frown on interference
See BRKSPG-3334 from CiscoLive2014 for more details
CGN (Supported on ASR9K, ASR1K, CRS)
Logging Source Port Ranges (Reference)
• Stateful NAT requires logging (NAT44, NAT64, DS-Lite…)
• NAT mappings are temporary (similar to DHCP addresses)
• Logging each NAT mapping creates large logs!
  • 42.5TB over 60 days for 200K subscribers, 72K flows/second (each syslog comprised of private source IP:port, public source IP:port, protocol, and timestamp, resulting in ~100B in ASCII)
• Bulk port allocation (BPA) reduces logging, at the expense of reduced efficiency of IPv4 address sharing
  • Bulk size of N ports, logs reduced by 1/N
  • Acceptable compromise !!!
  • Recommended
See BRKSPG-3334 from CiscoLive2014 for more details
Carrier Grade NAT (Supported on ASR9K, ASR1K, CRS)
Logging Destination (Reference)
• Server Log combined with CGN log identifies subscribers
  • Timestamp (new)
  • Source IP address, source port (new), destination IP address, destination port
  • RFC6302
  • Some servers don’t enable source port logging, or don’t have good timestamps
  • Note that the majority support logging source port, but don’t do so by default; see RFC7768 and draft-daveor-cgn-logging
• Tempting to log destination IP (and port) at CGN
  • Consider privacy and legal issues
  • Incompatible with bulk port allocation, increases logging costs
  • Not recommended in general
See BRKSPG-3334 from CiscoLive2014 for more details
CGN – Common Sane Practices
• Use Bulk Port Allocation, if logging
• Limit the number of users sharing an IPv4 address *
• Monitor KPIs, e.g. # of outbound SSH connections with a threshold
• Test, Test, Test as many apps as possible
* Tricky because you would want a higher sharing ratio, given the IPv4 shortage
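The three CGN logging slides above (source-port logging with Bulk Port Allocation, logging destination, common sane practices) describe mechanics that are easier to see in code. The Python model below is an added example, not code from the deck or from any Cisco platform: a stateful NAT44 that leases ports in blocks of N, writes one log record per block lease instead of one per mapping, enforces a per-subscriber port limit and a cap on subscribers per public address, and answers the RFC 6302-style attribution query (public IP, source port, timestamp) that a server log line provides. The class and function names, the inside range (100.64.0.0/10) and public pool (203.0.113.0/24, documentation space), the bulk size and the limits are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PortBlock:
    """One Bulk Port Allocation: a contiguous port range on one public IPv4
    address, leased to one inside (e.g. 100.64.0.0/10) subscriber address.
    Each PortBlock is also the single log record BPA writes for that lease."""
    subscriber: str
    public_ip: str
    port_lo: int
    port_hi: int
    allocated_at: float
    released_at: Optional[float] = None
    in_use: Set[int] = field(default_factory=set)


class BulkPortCgn:
    """Stateful NAT44 (NAPT) model with Bulk Port Allocation (BPA).
    Ports are leased in blocks of bulk_size and only block leases are logged,
    so the log shrinks by up to 1/bulk_size compared to per-mapping logging."""

    def __init__(self, public_ips: List[str], bulk_size: int = 64,
                 port_lo: int = 1024, port_hi: int = 65535,
                 max_blocks_per_subscriber: int = 8,
                 max_subscribers_per_ip: int = 32):
        self.bulk_size = bulk_size
        self.max_blocks = max_blocks_per_subscriber
        self.max_subs = max_subscribers_per_ip
        # free blocks per public IP, keyed by the block's first port
        self.free: Dict[str, List[int]] = {
            ip: list(range(port_lo, port_hi - bulk_size + 2, bulk_size))
            for ip in public_ips}
        self.active: Dict[str, List[PortBlock]] = {}   # subscriber -> leased blocks
        self.log: List[PortBlock] = []                  # BPA log: one record per lease
        self.mappings_created = 0                       # what per-mapping logging would write

    def _subscribers_on(self, ip: str) -> Set[str]:
        return {b.subscriber for blocks in self.active.values()
                for b in blocks if b.public_ip == ip}

    def _lease_block(self, subscriber: str, now: float) -> PortBlock:
        blocks = self.active.setdefault(subscriber, [])
        if len(blocks) >= self.max_blocks:               # per-subscriber port limit
            raise RuntimeError(f"{subscriber}: port limit reached")
        preferred = [b.public_ip for b in blocks]         # stay on one public IP if possible
        for ip in preferred + list(self.free):
            if not self.free.get(ip):
                continue
            if ip not in preferred and len(self._subscribers_on(ip)) >= self.max_subs:
                continue                                  # sharing-ratio cap for this public IP
            lo = self.free[ip].pop(0)
            block = PortBlock(subscriber, ip, lo, lo + self.bulk_size - 1, now)
            blocks.append(block)
            self.log.append(block)                        # the only log write BPA needs
            return block
        raise RuntimeError("public IPv4 pool exhausted")

    def new_mapping(self, subscriber: str, now: float) -> Tuple[str, int]:
        """Create one NAPT mapping and return the (public_ip, port) the Internet sees."""
        self.mappings_created += 1
        for block in self.active.get(subscriber, []):
            for port in range(block.port_lo, block.port_hi + 1):
                if port not in block.in_use:
                    block.in_use.add(port)
                    return block.public_ip, port
        block = self._lease_block(subscriber, now)
        block.in_use.add(block.port_lo)
        return block.public_ip, block.port_lo

    def release_subscriber(self, subscriber: str, now: float) -> None:
        """Subscriber goes away (e.g. DHCP lease ends): close its leases, keep the log."""
        for block in self.active.pop(subscriber, []):
            block.released_at = now
            self.free[block.public_ip].append(block.port_lo)

    def attribute(self, public_ip: str, port: int, when: float) -> Optional[str]:
        """Answer an abuse query from a server log line that (per RFC 6302) carries
        source IP, source port and timestamp; returns the inside address or None."""
        for block in self.log:
            if (block.public_ip == public_ip and block.port_lo <= port <= block.port_hi
                    and block.allocated_at <= when
                    and (block.released_at is None or when < block.released_at)):
                return block.subscriber
        return None


def can_lease(cgn: BulkPortCgn, subscriber: str, now: float) -> bool:
    """True if the CGN can still create a mapping for this subscriber."""
    try:
        cgn.new_mapping(subscriber, now)
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    cgn = BulkPortCgn(["203.0.113.1"], bulk_size=64)
    for i in range(100):                      # 100 flows from one subscriber
        cgn.new_mapping("100.64.0.7", now=1000 + i)
    print(len(cgn.log), "log records instead of", cgn.mappings_created)
    print(cgn.attribute("203.0.113.1", 1100, when=1070))   # 100.64.0.7
```

Without a timestamp the attribution query is ambiguous as soon as a block has been recycled to another subscriber, which is the reason the deck insists on timestamps and source ports in server logs; the per-IP subscriber cap is what makes the "limit users sharing an address" practice enforceable at allocation time rather than after the fact.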
6rd and 6rd with CGN (Reference)
[Figure: the "Transition Technologies in One Slide" roadmap, highlighting 6rd and 6rd + CGN44]
6rd - IPv6 over (Public) IPv4 (Supported on ASR9K, ASR1K, CRS) (Reference)
IPv6 Moves out to Subscribers over IPv6-over-IPv4 tunnels
[Figure: native dual-stack at home; stateless tunneling function (on routers) inside the SP network]
6rd + CGN = IPv6 over (Private) IPv4 (Supported on ASR9K, ASR1K, CRS) (Reference)
IPv6 Moves out to Subscribers over IPv6-over-IPv4 tunnels; private IPv4 moves into the SP*
[Figure: stateless tunneling function (on routers) plus stateful NAT function (on routers) inside the SP network*]
* Assuming RFC1918 usage
1. Dual-Stack
Clients/CPE get both IPv4 and IPv6 prefixes
[Figure: the "Transition Technologies in One Slide" roadmap, highlighting Dual Stack and Dual Stack + CGN44]
1. Dual Stack
Do I use IPv6 or IPv4?
• Dual-stack client connecting to dual-stack server
  • IPv6 is preferred by default (RFC6724)
• If IPv6 is slower, then users blame IPv6 and may disable IPv6!
  • IPv6 better not be slower than IPv4
  • Who can guarantee that!
• What if IPv6 is broken altogether?
• What if IPv6 is broken to a few websites?
1. Dual Stack Problem: IPv6 is broken or slower to a certain website!
[Figure: unhappy users]
1. Dual Stack Solution – Happy Eyeballs (RFC6555)
Note: a slight preference is given to the IPv6 connection

1. Dual Stack Solution – Happy Eyeballs Optimization (RFC6555 / RFC8305)
[Figure: happy users]
1. Dual-Stack
Happy Eyeballs (RFC6555 and RFC8305)
• Users are happy
  • Aimed initially at web browsing
  • Web browsing is the most common application
  • Fast response even if IPv6 (or IPv4) path is down
• Network administrators are happy
  • Users no longer trying to disable IPv6
  • Reduces IPv4 usage (reduces load on CGN)
• Content providers are happy
  • Improved geolocation and DoS visibility with IPv6
Source: http://seclists.org/nanog/2016/Jun/809
1. Dual-Stack
Happy Eyeballs Implementations
• Google Chrome and Mozilla Firefox: Yes
  • Utilizes long-established 250-300ms ‘backup’ thread
  • Follows getaddrinfo() address preference
• Apple Safari, iOS*, OSX*: Yes (RFC6555 compliant)
  • DNS AAAA query sent before A query on the wire
  • If AAAA reply comes first, then v6 SYN sent immediately
  • If A reply comes more than 25ms before the AAAA reply, then v4 SYN sent
  • Else, heuristics-based address selection algorithm is applied
• Microsoft Windows OS and Internet Explorer: NO
  • Not even something like happy eyeballs
• Cisco WebEx: Yes
• Cisco AnyConnect: No
* http://lists.apple.com/archives/Ipv6-dev/2011/Jul/msg00009.html
* https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html
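The Happy Eyeballs slides above describe the behaviour (IPv6 tried first, IPv4 started after a short delay, first connection to complete wins) without showing the state machine. The asyncio program below is an added example, not code from the deck or from any of the implementations it lists: it interleaves candidate addresses IPv6-first, starts the next attempt after the RFC 8305 connection-attempt delay of 250 ms unless the previous one has already succeeded or failed, and cancels the losers. The handshakes are simulated with sleeps so it runs offline; the function names, the scenario dictionary and the documentation addresses are constructed assumptions.

```python
import asyncio
import time
from typing import Awaitable, Callable, Dict, List, Optional, Tuple

# RFC 8305 recommends 250 ms between successive connection attempts; the deck
# notes browsers historically used a 250-300 ms "backup" thread for the same job.
CONNECTION_ATTEMPT_DELAY = 0.25

Candidate = Tuple[str, str]   # ("v6" | "v4", address)


def sort_candidates(v6: List[str], v4: List[str]) -> List[Candidate]:
    """Interleave address families, IPv6 first (RFC 6724 preference), so one
    broken family cannot push every address of the other family to the end."""
    out: List[Candidate] = []
    for i in range(max(len(v6), len(v4))):
        if i < len(v6):
            out.append(("v6", v6[i]))
        if i < len(v4):
            out.append(("v4", v4[i]))
    return out


async def happy_eyeballs(candidates: List[Candidate],
                         connect: Callable[[str, str], Awaitable[Candidate]],
                         attempt_delay: float = CONNECTION_ATTEMPT_DELAY) -> Candidate:
    """Start the candidates one at a time; if the latest attempt has neither
    succeeded nor failed within attempt_delay, start the next one while the
    earlier ones keep running. The first success wins and the rest are
    cancelled; a hard failure (RST) lets the next attempt start immediately."""
    remaining = list(candidates)
    tasks: List["asyncio.Task[Candidate]"] = []
    try:
        while remaining or tasks:
            if remaining:
                family, addr = remaining.pop(0)
                tasks.append(asyncio.create_task(connect(family, addr)))
            timeout = attempt_delay if remaining else None
            done, _ = await asyncio.wait(tasks, timeout=timeout,
                                         return_when=asyncio.FIRST_COMPLETED)
            for task in done:
                tasks.remove(task)
                if task.exception() is None:
                    return task.result()
        raise OSError("all connection attempts failed")
    finally:
        for task in tasks:
            task.cancel()


def pick_path(latency: Dict[str, Optional[float]],
              attempt_delay: float = CONNECTION_ATTEMPT_DELAY
              ) -> Optional[Tuple[str, str, float]]:
    """Offline driver with simulated handshakes (constructed, not real sockets).
    latency maps each address to its TCP handshake time in seconds; None means
    the path is black-holed (SYN never answered) and a negative value means an
    immediate RST. Returns (family, address, seconds taken) or None."""

    async def connect(family: str, addr: str) -> Candidate:
        delay = latency[addr]
        if delay is None:
            await asyncio.sleep(3600)          # never completes; cancelled by the winner
        elif delay < 0:
            raise ConnectionRefusedError(addr)
        else:
            await asyncio.sleep(delay)
        return family, addr

    v6 = [a for a in latency if ":" in a]
    v4 = [a for a in latency if ":" not in a]
    start = time.monotonic()
    try:
        family, addr = asyncio.run(
            happy_eyeballs(sort_candidates(v6, v4), connect, attempt_delay))
    except OSError:
        return None
    return family, addr, time.monotonic() - start


if __name__ == "__main__":
    # Constructed scenarios with documentation addresses (RFC 3849 / RFC 5737)
    print(pick_path({"2001:db8::1": None, "192.0.2.1": 0.02}))   # IPv6 black-holed: v4 after ~0.27 s
    print(pick_path({"2001:db8::1": 0.03, "192.0.2.1": 0.02}))   # both healthy: v6 wins, it started first
    print(pick_path({"2001:db8::1": -1.0, "192.0.2.1": 0.02}))   # IPv6 refused: v4 at once
```

The black-holed case is the one the "unhappy users" slide is about: without the backup attempt the user waits for the full TCP SYN retransmission cycle, with it the page loads over IPv4 about a quarter of a second later than it would have over a healthy IPv6 path.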
DS-Lite
[Figure: the "Transition Technologies in One Slide" roadmap, highlighting DS-Lite]
Note: DS-Lite requires CGN
DS-Lite (RFC6333) (Supported on ASR9K, ASR1K, CRS)
IPv4 over IPv6 Access: IPv4-over-IPv6 tunnels
[Figure: stateful NAT44 function (on routers) inside the SP network]
DS-Lite
• Advantages:
  • Leverages IPv6 in the network; helps with IPv6-only Network
• Disadvantages:
  • Dependency on CPE router
  • NAT disabled on CPE router
  • Content Caching function may break
  • DPI function may break
  • QoS function may break
  • All disadvantages of stateful CG NAT also apply
MAP (Mapping of Address and Port) RFC7599
[Figure: the "Transition Technologies in One Slide" roadmap, highlighting MAP]
See BRKSPG-3820 from CiscoLive2014 for more details
MAP (Mapping of Address and Port) (Supported on ASR9K, ASR1K)
• Allows sharing of an IPv4 address across an IPv6 WAN network
  • Each CPE gets a shared IPv4 address with a unique TCP/UDP port-range via “rules”
  • All or part of the IPv4 address can be derived from the assigned IPv6 prefix (allows for route summarization)
  • Need to allocate UDP/TCP port range(s) to each CPE
• Stateless Border Relays in SP network
  • Can be implemented in hardware (superior performance)
  • Can use anycast, can have asymmetric routing
  • No single point of failure, no need for high availability hardware
MAP-E : Stateless 464 Encapsulation (RFC7597) (Supported on ASR9K)
[Figure: IPv4-over-IPv6; stateless tunneling function (on routers) - No Stateful CGN -]
MAP-T : Stateless 464 Translation (RFC7599) (Supported on ASR9K, ASR1K)
[Figure: native IPv6; stateless 64 translation function (on routers) - No Stateful CGN -]
MAP
• Advantages:
  • Leverages IPv6 in the network
  • No CGN inside SP network
  • No need for NAT Logging (DHCP logging as usual)
  • No need for ALGs
  • No need for Stateful NAT64/DNS64
• Disadvantages:
  • Dependency on CPE router
  • Any application hardcoding any port# might not work without UPnPv2 support
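The MAP slides above state that each CPE derives a shared IPv4 address and a unique port range from its IPv6 prefix via "rules", and that the Border Relay needs no per-CPE state. The Python below is an added example, not code from the deck, from BRKSPG-3820 or from map46.cisco.com: it implements an RFC 7597 Basic Mapping Rule, the CPE-side derivation of IPv4 address and Port Set ID from the delegated prefix, the RFC 7597 port-set algorithm (offset a = 6 so ports 0-1023 are never handed out), and the reverse computation a stateless BR does on an inbound IPv4 packet. The rule values (2001:db8::/40, 192.0.2.0/24, 16 EA bits) and the sample CPE prefix are constructed from documentation space; the class and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class BasicMappingRule:
    """A MAP Basic Mapping Rule (RFC 7597): an IPv6 rule prefix, an IPv4 rule
    prefix and the number of Embedded Address (EA) bits that the end-user IPv6
    prefix carries. EA bits = IPv4 suffix bits + PSID bits."""
    rule_ipv6_prefix: str   # e.g. "2001:db8::/40" (constructed)
    rule_ipv4_prefix: str   # e.g. "192.0.2.0/24"  (constructed)
    ea_len: int
    psid_offset: int = 6    # "a" bits; A=0 is excluded so ports 0-1023 stay unassigned

    @property
    def v6(self) -> ipaddress.IPv6Network:
        return ipaddress.IPv6Network(self.rule_ipv6_prefix)

    @property
    def v4(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(self.rule_ipv4_prefix)

    @property
    def v4_suffix_len(self) -> int:
        return 32 - self.v4.prefixlen

    @property
    def psid_len(self) -> int:
        return self.ea_len - self.v4_suffix_len


def cpe_mapping(rule: BasicMappingRule, end_user_prefix: str) -> Tuple[ipaddress.IPv4Address, int]:
    """What the CPE derives from its delegated IPv6 prefix: its (shared) IPv4
    address and its Port Set ID. Only the rule is needed, no per-CPE state."""
    net = ipaddress.IPv6Network(end_user_prefix)
    if net.prefixlen != rule.v6.prefixlen + rule.ea_len or not net.subnet_of(rule.v6):
        raise ValueError("end-user prefix does not match the rule")
    ea = (int(net.network_address) >> (128 - net.prefixlen)) & ((1 << rule.ea_len) - 1)
    suffix = ea >> rule.psid_len                       # high EA bits: IPv4 suffix
    psid = ea & ((1 << rule.psid_len) - 1)             # low EA bits: port set id
    return ipaddress.IPv4Address(int(rule.v4.network_address) | suffix), psid


def port_set(rule: BasicMappingRule, psid: int) -> List[Tuple[int, int]]:
    """RFC 7597 port-set algorithm: port = A << (16-a) | PSID << m | M, with
    A in 1..2^a-1 and m = 16 - a - k. Returns the contiguous ranges of this PSID."""
    a, k = rule.psid_offset, rule.psid_len
    m = 16 - a - k
    ranges = []
    for A in range(1, 1 << a):
        lo = (A << (16 - a)) | (psid << m)
        ranges.append((lo, lo + (1 << m) - 1))
    return ranges


def psid_of_port(rule: BasicMappingRule, port: int) -> int:
    """Recover the PSID from any port number, the BR's half of the algorithm."""
    m = 16 - rule.psid_offset - rule.psid_len
    return (port >> m) & ((1 << rule.psid_len) - 1)


def br_lookup(rule: BasicMappingRule, ipv4: str, port: int) -> ipaddress.IPv6Network:
    """What a stateless Border Relay does for an inbound IPv4 packet: rebuild
    the CPE's end-user IPv6 prefix from destination address + port alone."""
    suffix = int(ipaddress.IPv4Address(ipv4)) - int(rule.v4.network_address)
    if not 0 <= suffix < (1 << rule.v4_suffix_len):
        raise ValueError("address outside the rule's IPv4 prefix")
    ea = (suffix << rule.psid_len) | psid_of_port(rule, port)
    plen = rule.v6.prefixlen + rule.ea_len
    return ipaddress.IPv6Network((int(rule.v6.network_address) | (ea << (128 - plen)), plen))


def ports_per_cpe(rule: BasicMappingRule) -> int:
    """Ports each CPE owns under this rule (the sharing ratio is 2^psid_len)."""
    return sum(hi - lo + 1 for lo, hi in port_set(rule, 0))


if __name__ == "__main__":
    rule = BasicMappingRule("2001:db8::/40", "192.0.2.0/24", ea_len=16)
    ipv4, psid = cpe_mapping(rule, "2001:db8:12:3400::/56")
    print(ipv4, psid, port_set(rule, psid)[:2], ports_per_cpe(rule))   # 192.0.2.18 52 ...
    print(br_lookup(rule, "192.0.2.18", 1233))                          # 2001:db8:12:3400::/56
```

With 8 PSID bits the rule shares each IPv4 address among 256 CPEs and gives each 252 ports, which is the trade-off the "Disadvantages" bullet about hard-coded port numbers refers to: an application that insists on a specific port outside the CPE's port set cannot be reached without a protocol such as PCP or UPnP negotiating one inside it.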
MAP Design – Simplify Domain Addressing
http://map46.cisco.com/
Try V6-only WiFi: SSID: CL-NAT64, WPA2-PSK: cl-nat64, 5GHz only
IPv6-Only Networks with CG NAT 64
[Figure: the "Transition Technologies in One Slide" roadmap, highlighting CGN64]
1. CGN = Carrier Grade NAT - Stateful
While client-side apps (mobile or desktop) got IPv6-only support, server-side (e.g. FaceTime, iMessage, iCloud etc.) still need to catch up… Hence, the short-term need for NAT64…

IPv6-Only Networks with CG NAT 64 (Supported on ASR9K, ASR1K, CRS)
[Figure: IPv6-only devices; stateless or stateful NAT64 function (on routers)]
NAT64 – Stateful (Supported on ASR9K, ASR1K, CRS)
Host can be assigned any IPv6 address (no particular format)
[Figure: IPv6 endpoint 2001:db8:abcd:2::1 → stateful NAT64 (LSN64) → IPv4 endpoint 92.0.2.1.
  IPv6 header: Src Addr 2001:db8:abcd:2::1, Dest Addr 2001:DB8:ABCD::<92.0.2.1>
  IPv4 header: Src Addr 203.0.113.1, Dest Addr 92.0.2.1
  2001:DB8:ABCD::/64 announced in the IPv6 routing domain; 203.0/24 announced in the IPv4 routing domain]
• NAT keeps binding state between inner IPv6 address and outer IPv4+port
• DNS64 needed
• Application dependent / ALGs may be required
NAT64 – Stateless (Supported on ASR9K, ASR1K, CRS)
Host must be assigned an “IPv4-translatable” IPv6 address
[Figure: IPv6 endpoint 2001:db8:<203.0.114.1>:: → stateless NAT64 (LSN64) → IPv4 endpoint 92.0.2.1.
  IPv6 header: Src Addr 2001:db8:<203.0.114.1>::, Dest Addr 2001:DB8::<92.0.2.1>::
  IPv4 header: Src Addr 203.0.114.1, Dest Addr 92.0.2.1
  2001:DB8:ABCD::/64 announced in the IPv6 routing domain; 203.0/24 announced in the IPv4 routing domain]
• No NAT binding state; IPv6 <-> IPv4 mapping computed algorithmically
• DNS64 needed
• Application dependent ALGs might be required
NAT64 – Stateful vs. Stateless
Stateful:
• 1:N translation
• “NAPT”
• TCP, UDP, ICMP
• Shares IPv4 addresses
Stateless:
• 1:1 translation
• “NAT”
• Any protocol
• No IPv4 address savings
  • Just like dual-stack
  • MAP however does save IPv4 addresses by combining NAT46 with NAT44

Note: IPv6-only DC using Stateless 64: RFC7755
NAT64
DNS64 is important
• NAT64 translator is useful only if the traffic can come to it
  • IP addresses of IPv6 packets must be formulated accordingly
• DNS64 provides conversion of an IPv4 address into an IPv6 address
  • AAAA record is made up from the A record (only if upstream AAAA not present) using the IPv6 prefix of the NAT64 translator (e.g. 2001:DB8:ABCD::)
[Figure: IPv6-only endpoint sends AAAA? to DNS64; DNS64 sends AAAA? and A? (simultaneously) to the Internet; AAAA returns an empty answer, A returns 92.0.2.1; DNS64 answers 2001:DB8:ABCD::92.0.2.1 to the endpoint, whose traffic then reaches NAT64]
DNS64 – Watch out
• Works for applications that do DNS queries
  • http://www.example.com
  • IMAP, connecting to XMPP servers, etc.
• Works with DNSSEC (note [1])
• Doesn’t work for applications that don’t do DNS queries or use IP address literals
  • http://1.2.3.4
  • SIP, RTSP, H.323, XMPP peer to peer, etc.
• Doesn’t work well if an application-level proxy for IP address literals (HTTP proxy) is used
• Learn NAT64’s prefix, RFC 7050
• NAT46/BIH (Bump In the Host), RFC6535
• 464XLAT (RFC6877)
[1] https://blog.apnic.net/2016/06/09/lets-talk-ipv6-dns64-dnssec/
464XLAT = Stateless + Stateful, Better Together (RFC6877)
• Some applications may break with IPv6-only (and NAT64)
  • Skype, among other interesting applications (more listed here*)
• 464 translation helps most of those IPv4-only applications
  • Endpoint does “Stateless NAT46”
  • Network does “Stateful NAT64”
• Benefit: Network can move to IPv6-only while allowing for any IPv4-only apps and ensuring seamless customer experience
Note: The usefulness of XLAT may continue to subside, given the Apple mandate for apps to work with IPv6-only since 2016, as well as Cloud Providers enabling IPv6-only support (exception: tethering)
[Figure: endpoint (stateless NAT46) → IPv6-only network → stateful NAT64 → IPv4 Internet; the IPv6 Internet is reached directly]
* http://tinyurl.com/nat64-breakage
NAT64 Scenarios
[Figure: six scenarios, each marked stateful or stateless in the original slide]
1. IPv6 Network → IPv4 Internet (covered in this presentation)
2. IPv4 Network → IPv6 Internet
3. IPv6 Network → IPv4 Internet (covered in BRKSPG-2602 from 2014**)
4. IPv4 Network → IPv6 Internet: needed (a) if IPv6-only content existed, or (b) for an IPv4-only LAN with an IPv6-only WAN *
5. IPv6 Network → IPv4 Network
6. IPv4 Network → IPv6 Network
* Verizon stops giving out static IPv4 WAN address(es) in 2017
IPv4 Address Sharing
[Figure: the "Transition Technologies in One Slide" roadmap, highlighting the "Share IPv4 Addresses" branch]
IPv4 Address Sharing: Watch out for IP Reputation
Image source: Jason Fesler, Yahoo!
IP Address Sharing:
Watch out for IP Reputation (1/2)
• Reputation based on IPv4 address
  • Shared IP address = shared suffering
• Workaround: Distinguish subscribers (sharing IP address, or not sharing)
  • draft-ietf-intarea-nat-reveal-analysis
  • draft-wing-nat-reveal-option
  • Server logs currently only contain the IPv4 address
  • Server logs need to include the source port number, as recommended by RFC6302
• Best Solution – have users and content providers use IPv6!
IP Address Sharing:
Watch out for IP Reputation (2/2)
• Affects NATs, as everyone knows
  • NAT44 (CGN44): a big NAT operated by an ISP, enterprise, or University
  • NAT444 (subscriber’s NAT44 + ISP’s CGN44)
  • NAT64 (CGN64)
  • DS-Lite (called “AFTR” = Modified CGN44)
• Also affects non-CGN architectures!
  • MAP (Mapped Address and Port)
    • Conceptually, a CGN with (some) fixed ports
  • Address + Port, SD-NAT, Deterministic NAT
Conclusion
More stateless, More IPv6, the better..

| # | Option       | CPE LAN (IPv4 or IPv6) | CPE WAN (IPv4 or IPv6) | Tunnel or Translate? | In-network "State"? | Arbitrary IP addressing of CPE? | Extra CPE features? |
| 0 | Single-Stack | IPv4                   | IPv4                   | -NA-                 | -NA-                | Yes                             | No                  |
| 1 | Single-Stack | IPv4                   | IPv4                   | Translate            | Yes (CGN44)         | Yes                             | No                  |
| 2 | Dual-Stack   | IPv4 + IPv6            | IPv4 + IPv6            | -NA-                 | -NA-                | Yes                             | No**                |
| 3 | Dual-Stack   | IPv4 + IPv6            | IPv4 + IPv6            | Translate            | Yes (CGN44)         | Yes                             | No**                |
| 4 | DS-Lite      | IPv4 + IPv6            | IPv6                   | Both                 | Yes (CGN44)         | Yes                             | Yes                 |
| 5 | 6rd          | IPv4 + IPv6            | IPv4                   | Tunnel               | No                  | No                              | Yes                 |
| 6 | 6rd + CGN    | IPv4 + IPv6            | IPv4                   | Both                 | Yes (CGN44)         | No                              | Yes                 |
| 7 | MAP          | IPv4 + IPv6            | IPv6                   | Either               | No                  | Yes*                            | Yes                 |
| 8 | Single-Stack | IPv6                   | IPv6                   | Translate            | Yes (CGN64)         | Yes                             | Yes / No            |

* Allows both arbitrary and algorithmic mapping
** Changes needed if IPv6 is not supported by existing CPE
Conclusion
Drive for (Stateless) Simplicity… be Careful
Don’t miss the Service Provider Hub!
• 5G Demos: Experience 7 Essential Technology and 3 Generate Revenue with 5G demos and join our guided demo tours
• Virtual Reality Experience: Enjoy “Running with the 5G Bull” immersive demo
• More Sessions: Check out the Service Provider Technology Track by scanning the code
• Digital Transformation Assessment: Take a meeting session to benchmark your digital readiness against your industry peers
Want to see use cases, solution details and more? Visit www.cisco.com/go/sp
More IPv6 Sessions
| When                | Session     | Title                                                                       |
| 29 Jan 2019 / 11:00 | BRKIP6-2191 | IPv6: The Protocol                                                          |
| 29 Jan 2019 / 14:15 | LABSPG-3122 | Advanced IPv6 Routing and services lab                                      |
| 29 Jan 2019 / 14:30 | BRKIP6-2616 | Beyond Dual-Stack: Using IPv6 like you’ve never imagined                    |
| 30 Jan 2019 / 11:00 | BRKSPG-2602 | IPv4 Exhaustion: NAT and Transition to IPv6 for Service Providers           |
| 30 Jan 2019 / 14:30 | BRKIP6-2301 | Intermediate - Enterprise IPv6 Deployment                                   |
| 31 Jan 2019 / 08:30 | BRKRST-3304 | Hitchhiker's Guide to Troubleshooting IPv6 - Advanced                       |
| 31 Jan 2019 / 11:00 | BRKRST-2619 | IPv6 Deployment: Developing an IPv6 Addressing Plan and Deploying IPv6      |
| 31 Jan 2019 / 11:00 | BRKSEC-3200 | Advanced IPv6 Security Threats and Mitigation                               |
| 31 Jan 2019 / 14:00 | LTRIPV-2494 | IPv6 Transformation Lab                                                     |
| 31 Jan 2019 / 14:00 | LABSPG-3122 | Advanced IPv6 Routing and services lab                                      |
|                     | LABIPV-2261 | IPv6 planning, deployment and transition                                    |
|                     | LABCRS-1000 | Intro IPv6 Addressing and Routing Lab                                       |
Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com
Continue Your Education
• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you
