IPv4aaS tutorial and hands-on

- 1
IPv6
Transition and Coexistence
IPv6-only and
IPv4 as-a-Service
APRICOT 2019 / APNIC 47
February 2019
Daejeon, South Korea
@JordiPalet
(jordi.palet@theipv6company.com)

- 2
Transition / Co-Existence Techniques
• IPv6 has been designed for easing the transition and coexistence
with IPv4
• Several strategies have been designed and implemented for
coexisting with IPv4 hosts, grouped in three categories:
– Dual stack: Simultaneous support for both IPv4 and IPv6 stacks
– Tunnels: IPv6 packets encapsulated in IPv4 ones
• This has been the commonest choice
• Today expect IPv4 packets in IPv6 ones!
– Translation: Communication of IPv4-only and IPv6-only. Initially
discouraged and only “last resort” (imperfect). Today no other
choice!
• Expect to use them in combination!

- 3
Dual-Stack Approach
• When adding IPv6 to a system, do not delete IPv4
– This multi-protocol approach is familiar and well-understood (e.g., for AppleTalk,
IPX, etc.)
– In the majority of the cases, IPv6 is be bundled with all the OS release, not an
extra-cost add-on
• Applications (or libraries) choose IP version to use
– when initiating, based on DNS response:
• if (dest has AAAA record) use IPv6, else use IPv4
– when responding, based on version of initiating packet
• This allows indefinite co-existence of IPv4 and IPv6, and gradual app-by-app
upgrades to IPv6 usage
• A6 record is experimental

- 4
Dual-Stack Approach
IPv6
Application
TCP/UDP
IPv6
TCP/UDP
IPv6
TCP/UDP
IPv4IPv4
IPv6 IPv4
IPv6-only stack IPv4-only stackDual-stack (IPv4 & IPv6)
IPv6
Application
IPv4
Application
IPv4
Application

- 5
Tunnels to Get Through IPv6-Ignorant Routers
• Encapsulate IPv6 packets inside IPv4 packets
(or MPLS frames) in order to provide IPv6 connectivity through IPv4-
only networks
• Many methods exist for establishing tunnels:
– manual configuration
– “tunnel brokers” (using web-based service to create a tunnel)
– “6over4” (intra-domain, using IPv4 multicast as virtual LAN)
– “6to4” (inter-domain, using IPv4 addr as IPv6 site prefix)
• Can view this as:
– IPv6 using IPv4 as a virtual link-layer, or
– an IPv6 VPN (virtual public network), over the IPv4 Internet
(becoming “less virtual” over time, we hope)

- 6
IPv4/IPv6
IPv4/IPv6
Internet
IPv4
IPv6
IPv6IPv4
Tunnels IPv6 in IPv4

- 7
Translation IPv4/IPv6
• May prefer to use IPv6-IPv4 protocol translation for:
– new kinds of Internet devices (e.g., cell phones, cars, appliances)
– benefits of shedding IPv4 stack (e.g., serverless autoconfig)
• This is a simple extension to NAT techniques, to translate header
format as well as addresses
– IPv6 nodes behind a translator get full IPv6 functionality when talking to
other IPv6 nodes located anywhere
– they get the normal (i.e., degraded) NAT functionality when talking to
IPv4 devices
– methods used to improve NAT functionality (e.g, RSIP) can be used
equally to improve IPv6-IPv4 functionality

- 8
IPv6 Transition Mechanisms
• Some transition mechanism based on tunnels and/or translation:
– 6in4 [6in4]
– TB [TB]
– TSP [TSP]
– 6to4 [6to4]
– Teredo [TEREDO], [TEREDOC]
– Túneles automáticos [TunAut]
– …
– ISATAP [ISATAP]
– 6over4 [6over4]
– Softwires
– 6RD
– NAT64
– DS-Lite
– lw4o6
– 464XLAT
– MAP E/T
– …

- 9
NAT444
NAT
Internet
IPv4
ISP network
AFTR
10.0.0.x/24
AFTR
NAT
10.0.0.x/24
v4 v4 v4 v4/v6
Internet
IPv6
“plain” IPv6
Private IPv4
192.168.1.x
NAT44 Level 1
NAT44 Level 2
Public IPv4

- 10
CGN breaks …
• UPnP-IGD (Universal Plug & Play - Internet Gateway Device protocol)
• NAT-PMP (NAT Port Mapping Protocol)
• Other NAT Traversal mechs
• Security
• AJAX (Asyncronous Javascript And XML)
• FTP (big files)
• BitTorrent/Limewire (seeding – uploading)
• On-line gaming
• Video streaming (Netflix, Hulu, …)
• IP cameras
• Tunnels, VPN, IPsec, ...
• VoIP
• Port forwarding
• ...
• Most of the can be solved with extra work, ALGs, etc., but means extra resources, more
overload of the CGN, so less throughput/performance: Need more CGNs for the same
user-base

- 12
We don’t have IPv4 …
• IPv4 exhaustion avoids
– Assigning IPv4 to end-users
– Assigning IPv4 even in public networks
– Keep scalable interoperability with IPv4-only networks
• Consequence: In many cases, we need to deploy
IPv6-only networks
– OpEx
– No IPv4 resources (CapEx if you buy them)
– Performance
– Efficiency
– RFCs
– Other issues …

- 13
Dual Stack Lite (DS-Lite)
• To cope with the IPv4 exhaustion problem.
• Sharing (same) IPv4 addresses among customers by combining:
– Tunneling
– NAT
• No need for multiple levels of NAT.
• Two elements:
– DS-Lite Basic Bridging BroadBand (B4)
– DS-Lite Address Family Transition Router (AFTR)
• Also called CGN (Carrier Grade NAT) or LSN (Large Scale NAT)

- 14
DS-Lite
CPE
(B4)
Internet
IPv4
ISP network
AFTR
10.0.0.x/24
AFTR
CPE
(B4)
10.0.0.x/24
v4 v4 v4 v4/v6
Internet
IPv6
“plain” IPv6
IPv6-only
access
IPv4-in-IPv6
tunnel
NAT44 Level 1
Public IPv4

- 15
Lightweight 4over6 (lw4o6)
• Similar to DS-Lite -> Changes NAT location
– Better scalability
– Reduces logging
• Sharing SAME IPv4 addresses among several
customers, combining:
• Tunneling
• NAT
• No need for multiple levels of NAT
• Two elements:
• Lw Basic Bridging BroadBand (lwB4) - CPE
• Lw Address Family Transition Router (lwAFTR)

- 16
lw4o6
CPE
(lwB4)
Internet
IPv4
ISP network
lwAFTR
10.0.0.x/24
lwAFTR
CPE
(lwB4)
10.0.0.x/24
v4 v4 v4 v4/v6
Internet
IPv6
“plain” IPv6
IPv6-only
access
IPv4-in-IPv6
tunnel
NAT44 Level 1
Public IPv4

- 17
NAT64 (1)
• When ISPs only provide IPv6 connectivity, or devices are IPv6-only
(cellular phones)
• But still some IPv4-only boxes are on the Internet
• Similar idea as NAT-PT, but working correctly
• Optional element, but decoupled, DNS64
• Good solution if IPv4 is not required at the client
– Client is IPv6-only
• Some apps don’t work (Skype …)
– Peer-to-peer using IPv4 “references”
– Literal addresses
– Socket APIs

- 18
NAT64 (2)
• Stateful NAT64 is a mechanism for translating IPv6 packets to IPv4
packets and vice-versa
– The translation is done by translating the packet headers according to the
IP/ICMP Translation Algorithm.
– The IPv4 addresses of IPv4 hosts are algorithmically translated to and from IPv6
addresses by using a specific algorithm.
– The current specification only defines how stateful NAT64 translates unicast
packets carrying TCP, UDP and ICMP traffic.
– DNS64 is a mechanism for synthesizing AAAA resource records (RR) from A RR.
The IPv6 address contained in the synthetic AAAA RR is algorithmically
generated from the IPv4 address and the IPv6 prefix assigned to a NAT64 device
• NAT64 allows multiple IPv6-only nodes to share an IPv4 address to
access the IPv4 Internet

- 19
NAT64 (3)
• It’s known that there are things that doesn’t work:
– Everything out of TCP,UDP, or ICMP: Multicast, Stream Control
Transmission Protocol (SCTP), the Datagram Congestion Control
Protocol (DCCP), and IPSEC
– Applications that carry layer 3 information in the application layer: FTP
[RFC6384], SIP/H323
– Some apps: online gaming, skype, etc.
• Peer-to-peer using IPv4 “references”
– Literal addresses
– Socket APIs

- 20
NAT64 (4)
CPE
Internet
IPv4
ISP network
NAT64
10.0.0.x/24
NAT64
CPE
v4 v4 v6 v4/v6
Internet
IPv6
”plain” IPv6
IPv6-only
access
Public IPv4
NAT64 DNS64

- 21
NAT64 breaks …
App Name Functionality Version
464XLAT
Fixed
connection tracker Broken NA NA
DoubleTwist Broken 1.6.3 YES
Go SMS Pro Broken NA YES
Google Talk Broken 4.1.2 YES
Google+ Broken 3.3.1 YES
IP Track Broken NA NA
Last.fm Broken NA YES
Netflix Broken NA YES
ooVoo Broken NA YES
Pirates of the Caribean Broken NA YES
Scrabble Free Broken 1.12.57 YES
Skype Broken 3.2.0.6673 YES
Spotify Broken NA YES
Tango Broken NA YES
Texas Poker Broken NA YES
TiKL Broken 2.7 YES
Tiny Towers Broken NA YES
Trillian Broken NA YES
TurboxTax Taxcaster Broken NA
Voxer Walkie Talkie Broken NA YES
Watch ESPN Broken 1.3.1
Zynga Poker Broken NA YES
Xabber XMPP Broken NA
*T-Mobile

- 22
464XLAT
• 464XLAT (RFC6877): RFC6145 + RFC6146
• Very efficient use of scarce IPv4 resources
– N*65.535 flows per each IPv4 address
– Network growth not tied to IPv4 availability
• IPv4 basic service to customers over an-IPv6 only infrastructure
– WORKS with applications that use socket APIs and literal IPv4 addresses (Skype,
etc.)
• Allows traffic engineering
– Without deep packet inspection
• Easy to deploy and available
– Commercial solutions and open source

- 23
464XLAT
CPE
CLAT
Internet
IPv4
ISP network
NAT64
PLAT
10.0.0.x/24
NAT64
PLAT
CPE
CLAT
10.0.0.x/24
v4 v4 v4 v4/v6
Internet
IPv6
“plain” IPv6
IPv6-only
access
NAT46
Public IPv4
DNS64NAT64

- 24
How 464XLAT works?
CLAT PLAT
ISP
+
IPv6 Internet
Public IPv4Private IPv4
IPv4
Internet
IPv4
+
IPv6
IPv4
IPv6
IPv6
IPv6
Stateless (4->6)
[RFC6145]
Stateful (6->4)
[RFC6146]
CLAT: Customer side translator (XLAT)
PLAT: Provider side translator (XLAT)
IPv4
IPv6

- 25
Possible “app” cases
ISP IPv6-only IPv6-only
Internet
464XLAT
Internet
464XLAT
PLAT
DNS64/NAT64
Internet
464XLAT
PLAT
6->4
CLAT
4->6

- 26
464XLAT Addressing
CLAT PLAT
ISP
+
IPv6 Internet
200.3.14.147192.168.2.3
IPv4
Internet
IPv4
+
IPv6
IPv4
IPv6
IPv6
IPv6CLAT
XLATE SRC prefix
[2001:db8:abcd::/96]
XLATE DST prefix
[2001:db8:1234::/96]
PLAT
IPv4 pool
(192.1.0.1 – 192.1.0.250)
XLATE DST prefix
[2001:db8:1234::/96]
IPv4
IPv6
2001:db8:abcd::ab
2001:db8:dada::bb
IPv4 SRC
192.168.2.3
IPv4 DST
200.3.14.147
Stateless
XLATE
[RFC6145]
Stateful
XLATE
[RFC6146]
IPv6 SRC
2001:db8:abcd::192.168.2.3
IPv6 DST
2001:db8:1234::200.3.14.147
IPv4 SRC
192.1.0.1
IPv4 DST
200.3.14.147

- 27
Availability and Deployment
• NAT64:
– A10
– Cisco
– F5
– Juniper
– NEC
– Huawei
– Jool, Tayga, Ecdsys, Linux, OpenBSD, …
• CLAT
– Android (since 4.3)
– Nokia
– Windows
– NEC
– Linux
– Jool
– OpenWRT
– Apple (sort-of, is Bump-in-the-Host [RFC6535] implemented in Happy Eyeballs v2) - IPv6-only since iOS 10.2
• Commercial deployments:
– T-Mobile US: +68 Millions of users
– Orange
– Telstra
– SK Telecom
– …
– Big trials in several ISPs

- 28
MAP Encapsulation (MAP-E)
• Mapping of Address and Port with Encapsulation
• Is a “stateless” DS-Lite
– Provision of an IPv4 prefix, address or “shared” address
– Algorithmic mapping between IPv4 and an IPv6 address
– Extends CIDR to 48 bits (32 IP + 16 port)
• Allows encapsulating IPv4 in IPv6 for both mesh and hubs&spoke
topologies, including mapping-independent IPv4 and IPv6
• Two elements:
• MAP Customer Edge (CE)
• MAP Border Relay (BR)

- 29
MAP-E
CE
Internet
IPv4
ISP Network
BR
10.0.0.x/24
BR
CE
10.0.0.x/24
v4 v4 v4 v4/v6
Internet
IPv6
“plain” IPv6
IPv6-only
access
IPv4-in-IPv6
tunnel
NAT44 Level 1
Public IPv4

- 31
MAP Translation (MAP-T)
• Mapping of Address and Port using Translation
• Similar to MAP-E
• Similar to 464XLAT in the sense of the double translation
NAT46 (CLAT) and NAT64 (PLAT)

- 32
MAP-T
CE
Internet
IPv4
ISP Network
BR
10.0.0.x/24
BR
CE
10.0.0.x/24
v4 v4 v4 v4/v6
Internet
IPv6
“plain” IPv6
IPv6-only
access
IPv4-in-IPv6
tunnel
NAT46
Public IPv4
NAT64
NAT44 Level 1

- 34
MAP-E vs MAP-T
• MAP-E uses extra 20 bytes for the encapsulation (IPv4-in-IPv6
tunnel).
IPv4
IPv6
Transport
Link
IPv4
Transport
Link
IPv4
Transport
Link
IPv6
Transport
Link
ó
IPv4
CE BR
MAP
MAP
MAP-E MAP-T
… …Core IPv6

- 36
Comparing Transition …
6RD Softwires v2 NAT444 DS-Lite Lw4o6 NAT64 464XLAT MAP-E MAP-T
Tunel/Translation (X) T 6in4 T 6in4 X T 4in6 T 4in6 X X T 4in6 X
Dual-stack LAN YES YES optional YES YES NO YES YES YES
IPv4 Multicast YES YES YES NO NO NO NO NO NO
Access Network IPv4 IPv4 IPv4 /dual IPv6 IPv6 IPv6 IPv6 IPv6 IPv6
Overhead 20 bytes 40 bytes - 40 bytes 40 bytes 20 bytes 20 bytes 40 bytes 20 bytes
Impact in IPv6 addressing plan YES NO NO NO NO NO NO YES YES
CPE Update YES YES optional YES YES YES YES YES YES
NAT44/NAPT CPE CPE CPE + CGN CGN CPE CPE CPE CPE CPE
46/64 Translation - - - - - ISP ISP +/or CPE - CPE + ISP
Translation at ISP with or w/o state - - with - - with with w/o w/o
Scalability High Medium Medium Medium High High High High High
Performance High Low Low Low High Medium High High High
ALGs NO NO YES YES NO YES YES YES YES
Any Protocol or only-TCP/UDP/ICMP YES YES YES YES YES NO NO NO NO
Sharing IPv4 Ports NO NO YES YES YES NO NO YES YES
IPv6 Aggregation NO NO optional YES YES YES YES YES YES
IPv4 Mesh YES YES YES NO NO NO NO YES YES
IPv6 Mesh YES NO optional YES YES YES YES YES YES
Impacts on logging NO NO YES YES NO YES YES NO NO
HA simplicity High Low Low Low High Medium High High High
DPI simplicity Low Low High Low Low High High Low High
Support in cellular NO NO YES NO NO YES YES NO NO
Support in CPEs YES YES YES YES YES YES YES YES YES
15.5 12.5 10.5 9.5 15 11.5 14 13 13.5

- 37
How many ports per user?
• Possibly a minimum of 300 per user behind each CPE
– More as AJAX/similar technologies usage increase
– Times average number of users behind each NAT
– And going up
• Be aware of IP/port sharing implications …

- 38
Buying CGNs or IPv4 Addresses
• You buy CGNs instead of
IPv4 addresses
– You start rotating the IPv4
pools at the CGNs because
they get blocked after some
time
– Then you discover a couple of
years after, that all your IPv4
addresses
– Then you buy new addresses
…
• Why not buying the
addresses (now that are
cheaper and available)
instead of buying the CGNs?
https://www.ausnog.net/sites/default/files/ausnog-
2018/presentations/2.6_Phil_Britt_AusNOG2018.pdf

- 39
Recommended Reading
• Basic Requirements for IPv6 Customer Edge Routers (RFC7084)
– Originally include support only for 6RD and DS-LITE
– Being updated to include support for 464XLAT, MAP T/E, lw4o6, …
– https://datatracker.ietf.org/doc/draft-ietf-v6ops-transition-ipv4aas/
• BCOP RIPE690:
– https://www.ripe.net/publications/docs/ripe-690
• Point-to-point links:
– https://datatracker.ietf.org/doc/draft-palet-v6ops-p2p-links/
• NAT64 deployment guidelines:
– https://datatracker.ietf.org/doc/draft-ietf-v6ops-nat64-deployment/

- 40
DNSSEC Considerations
• DNS64 modifies DNS answers and DNSSEC is designed to detect
such modifications, DNS64 can break DNSSEC
• In general, DNS servers with DNS64 function, by default, will not
synthesize AAAA responses if the DNSSEC OK (DO) flag was set in
the query. In this case, as only an A record is available, it means that
the CLAT will take the responsibility, as in the case of literal IPv4
addresses, to keep that traffic flow end-to-end as IPv4, so DNSSEC is
not broken
• Today no apps in cellular that use DNSSEC, but you should be ready
for that
– Consider apps used by means of tethering
– Very relevant for non-cellular networks

- 41
Performance
*FaceBook data
(17/3/2015)
US Mobile Performance – Dual Stack Provider iOS
v6
v4
30%
•  iPhone 6 on LTE only
•  No Instrumentation of the client
•  Examining Client Last Byte Time
•  Time it takes for the device to read the
response
•  Read all the data for a newsfeed
Time of HTTP GET completion
US Mobile Performance – Dual Stack Provider Android
v6
v4
40%
•  Android 4/5
•  Galaxy S5 on LTE only
•  No Instrumentation of the client
•  Examining Client Last Byte Time
•  Time it takes for the device to read the
response
•  Read all the data for a newsfeed
Time of HTTP GET completion
US Mobile Performance – Dual Stack Provider iOS
v6
v4
40%
•  iPhone 6
•  Client instrumentation
•  No A/B testing
•  Mobile Proxygen
•  Examining Total Request Time
•  Similar to Client Last Byte Time
Total Request Time

- 42
Multiservice Network
…
…
464XLAT
PLAT
DNS64/NAT64
…
Cellular network
464XLAT Residential network
Corporate network

- 43
Example Residential Customer
…
IPv4 + IPv6
2001:db8::/32
198.51.100.0/24
FE80::1/64
Internet
LAN Eth1
192.168.1.1
2001:db8:40::41
CPE (CLAT)
Pool IPv4/NAT46: 192.0.0.1/32
Pool IPv6: 2001:db8:2::40/128
2001:db8:1::2
WAN Eth0
Node 1
192.168.1.2/24
2001:db8:40::42/64
BRAS
Eth0
198.51.100.10
2001:db8::10
VM PLAT
(NAT64 + DNS64)
Pool IPv4/NAT64:
198.51.100.11/32
Prefijo IPv6: 64:ff9b::/96
2001:db8:1::1
Eth1
ISP Network User Network
Traffic Legend
Red: IPv6-only
Blue: IPv4-only
Green: Dual-stack
Node “n”
192.168.1.x/24
2001:db8:40::xx/64

- 44
NAT64, DNS64
Jool
APRICOT 2019 / APNIC 47
February 2019
Daejeon, South Korea
@JordiPalet
(jordi.palet@theipv6company.com)

- 45
Jool
• http://jool.mx/
• Open Source SIIT and NAT64 for Linux
• SIIT (RFC7915): Stateless IP/ICMP Translation
Algorithm
– Just “translates 1:1” between IPv4 and IPv6 and back
– SIIT with EAM (Explicit Address Mapping) allows “rules”
• Stateful NAT64, is a NAT between both
– So helps with IPv4 address exhaustion

- 46
Jool Defined Architectures
• SIIT-DC
• 464XLAT
• SIIT-DC DTM (Dual Translation Mode)

- 47
Jool Features
• Runs in Single Interface
– if needed
• “Node-Based Translation”
– Using “namespaces” to “wrap” Jool
• High-Availability
– Daemon that allows constant synchronization of
sessions across Jool instances

- 48
EAMT
• Some examples:
IPv4 Prefix IPv6 Prefix
192.0.2.1/32 2001:db8:aaaa::5/128
198.51.100.0/24 2001:db8:bbbb::/120
203.0.113.8/29 2001:db8:cccc::/125

- 49
Our Demo Setup
…
Internet
LAN Eth1
100.64.0.1/10
2001:13c7:7003:1011::1
CPE (CLAT in VM)
Pool IPv4/NAT46: 100.64.0.0/10
Pool IPv6:
2001:13c7:7003:1010::/106
2001:13c7:7003:1000::1/64
WAN Eth0
Node 1
100.64.x.x/10
2001:13c7:7003:1011::x/64
Eth0
200.0.86.254
001:13c7:7003:52::3/64
Ubuntu Router
NAT64 + DNS64
Pool IPv4/NAT64: 200.0.86.254
Prefix IPv6: 64:ff9b::/96
2001:13c7:7003:1000::/52
DNS1:
2001:13c7:7003:1000::ffff
2001:13c7:7003:1000::ffff
/64
Eth3
SSID: ipv6-lab
pwd: lab-ipv6
Traffic Legend
Red: IPv6-only
Green: Dual-stack
Node “n”
100.64.x.x/10
2001:13c7:7003:1011::x /64

- 50
Demo
ping 1.1.1.1
tracert 1.1.1.1
ping www.google.com
ping -4 www.google.com
tracert6 www.google.com
tracert www.google.com
Also browse to web site that are/aren’t IPv6 enabled and with literals,
for example http://1.1.1.1
In Chrome/Firefox you may want first to install extension “IPvfoo"

- 51
NAT64 Setup
sudo service network-manager stop
sudo service radvd stop
sudo service isc-dhcp-server stop
sudo service isc-dhcp-server6 stop
sysctl -w net.ipv4.conf.all.forwarding=1
ethtool --offload br-lan gro off lro off
ethtool --offload eth0 gro off lro off
ip -6 route replace 2001:13c7:7003:1010::/60 via 2001:13c7:7003:1000::1
modprobe jool pool6=64:ff9b::/96 pool4=200.0.86.254

- 52
DNS64 Setup
/etc/bind/named.conf.options
...
forwarders {
8.8.8.8;
8.8.4.4;
};
dns64 64:ff9b::/96 {
clients { any; };
mapped { any; };
exclude { 0::/3; 4000::/2; 8000::/1; 2001:db8::/32; };
break-dnssec no;
};

- 53
/etc/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet6 static
autoconf 0
accept_ra 0
address 2001:13c7:7003:1000::1
netmask 64
gateway 2001:13c7:7003:1000::ffff
dns-nameservers 2001:13c7:7003:1000::ffff

auto eth1
iface eth1 inet static
address 100.64.0.1
netmask 255.192.0.0
iface eth1 inet6 static
autoconf 0
accept_ra 0
address 2001:13c7:7003:1011::1
netmask 64

- 54
CLAT Setup
sudo service isc-dhcp-server start
sudo service radvd start
sudo stop network-manager
sysctl -w net.ipv4.ip_forward=1
modprobe jool_siit pool6=64:ff9b::/96
jool_siit --eamt --add 100.64.0.0/10 2001:13c7:7003:1010::/106

- 55
Data-Centers without IPv4!
SIIT-DC

- 56
Data-Centers without IPv4!
• Several cases, large content providers with IPv6-only
data-centers and more coming …
• Many ways to do that
– Load Balancing (cost, state, scalability)
– IPv4 traffic (from Internet) finish in IPv6-only clusters
• Same RFC1918 space, for IPv4 BGP sessions
• RFC5549
– Advertising IPv4 Network Layer Reachability Information with an IPv6 Next Hop
• IPv4 in IPv6 tunneling, for IPVS (IP Virtual Server)
• IPv4 link-local (169.254.0.0/16) for Linux and switches

- 57
Advantages of IPv6-only
• IPv6 traffic keeps going up
– Initially more in cellular networks
• This is a ”more expensive” traffic (radio, energy, bandwidth
availability, …)
• More expensive with IPv4 (“keepalives”) than with IPv6
• If the end-points speak IPv6 there is no NAT
– Even better, no CGN
• “performance” or ”user-perceived quality of service increases
– IPv6 40% “faster” than IPv4
• Response time to complete “HTTP GET”
• Using HTTP2 and QUIC can increase that performance

- 58
IPv4 or Dual-Stack?
• Against IPv4:
– Lack of IPv4 addresses
– Overlapping of private addresses
– NAT (state)
– Renumbering (new servers or VMs)
– Lack of IPv6 support
• Against Dual-Stack:
– ”Dual” management costs
• Monitoring, security, human resources, errors, …

- 59
SIIT-DC
• RFC7755 - SIIT-DC: Stateless IP/ICMP Translation for IPv6 Data Center Environments
– “464XLAT” for the DC
– No additional software in end-points
• No state!
– High availability: BGP, ECMP, …
• Keeps source IPv4 address
– Logging, geolocation, …
• Avoid dual-stack in the DC
– DC is simplified
• Keeps dual-stack for Internet
– Service is available for all users
• IPv4-only, IPv6-only and dual-stack
• Doesn’t work with literal addresses neither IPv4-only APIs
– Not an issue: a DC use DNS!
– Sorted out as well with RFC7756
• Stateless IP/ICMP Translation for IPv6 Internet Data Center Environments (SIIT-DC): Dual Translation Mode

- 60
Example of DC with SIIT-DC
IPv6-only Data Center
SIIT-DC
BR
SIIT-DC
BR
Internet
IPv4
Internet
IPv6

- 61
Mapping all the IPv4 Internet
Internet
IPv6
Internet
IPv4
0.0.0.0/0
64:ff9b::0.0.0.0/96
• An EAM (Explicit Address Mapping) table is configured in the SIIT-DC BR
Translation prefix: 2001:db8:46::/96
IPv4 pool: 192.0.2.0/24
EAM table:
IPv4 Internet address Address in the DC
192.0.2.1 2001:db8:12:34::1
192.0.2.2 2001:db8:24:68::80
192.0.2.3 2001:db8:24:68::25

- 62
Traffic Flow
• Example from IP 203.0.113.50 to 192.0.2.1
IPv4 -> IPv6 translation
IPv4 IPv6
SRC: 203.0.113.50 2001:db8:46::203.0.113.50
DST: 192.0.2.1 2001:db8:12:34::1
IPv6 -> IPv4 translation
IPv6 IPv4
SRC: 2001:db8:12:34::1 192.0.2.1
DST: 2001:db8:46::203.0.113.50 203.0.113.50

- 63
Support
• Commercial:
– A10
– Brocade
– Cisco
– F5
• Open Source:
– Jool
– Tayga
– VPP

- 64
Thanks!
Contact:
@JordiPalet:
jordi.palet@theipv6company.com

IPv4aaS tutorial and hands-on

More Related Content

What's hot (20)

Similar to IPv4aaS tutorial and hands-on (20)

More from APNIC (20)

Recently uploaded (20)

IPv4aaS tutorial and hands-on