IPv6 translation methods
- 1. Migrating from IPv4 to IPv6: Translation Methods Ahmad Hijazi Lebanese Univerity, Université Toulouse III - Paul Sabatier M2 - Systèmes de Télécommunications & Réseaux Informatiques 18 October 2016 Directed by Dr. Khaled Dasouki 1
- 2. What will be discussed? • Native Dual Stack • Dual-Stack Lite (DS-Lite) • Nat64 • 6RD 2
- 3. Native Dual Stack - Introduction Dual stack means that devices are able to run IPv4 and IPv6 in parallel. It allows hosts to simultaneously reach IPv4 and IPv6 content, so it offers a very flexible coexistence strategy. 3
- 4. Native Dual Stack - Introduction • Deploying IPv6 services as native dual stack is the best case approach for most operators and subscribers. However, it is the most difficult. • No special encapsulation or tunneling is required. • Native IPv4 and IPv6 services are offered in parallel in the same subscriber session. 4
- 5. Native Dual Stack - Problems • Deployment complexity levels vary in different environments. - Some networks with minimal or no legacy equipment may find deploying native dual stack services very easy. - Other networks with older or legacy equipment may find dual stack is not possible due to equipment constraints. - Transition is made from the core to the edge. • What’s the impact of running two parallel stacks on the network? Twice the monitoring, reporting, etc… 5
- 6. Native Dual Stack – Domain Impact DOMAIN IMPACT ACCESS • Zero impact in PPPoE environments . SUBSCRIBER EDGE • High impact – need to support IPv6 services. • Scaling may be impacted when enabling IPv6 in BNG. Equivalency of features in the subscriber edge node is required – IPv4 & IPv6 should feel the same. HOME NETWORK • Still the most complex domain to manage. • Customer Gateway most likely needs to be replaced. • Home network components need to support IPv6. • Internal addressing structure for the home network needs to be considered too. 6
- 7. Dual Stack Lite (DS-Lite) - Introduction • IPv6 dual-stack lite (DS-Lite) is a technology that enables Internet service providers to move to an IPv6 network while simultaneously handling IPv4 address depletion. • DS-Lite allows service providers to migrate to an IPv6 access network without changing end-user software. The device that accesses the Internet remains the same, thus allowing IPv4 users to continue accessing IPv4 internet content with minimum disruption to their home networks, while enabling IPv6 users to access IPv6 content. 7
- 8. DS-Lite - Components The DS-Lite deployment model consists of the following components: • Softwire initiator for the DS-Lite home router--Encapsulates the IPv4 packet and transmits it across an IPv6 tunnel. • Softwire concentrator for DS-Lite carrier-grade Network Address Translation (NAT)– Decapsulates the IPv4-in-IPv6 packet and also performs IPv4-IPv4 NAT translations using unique IPv6 transport address for NAT mapping (LSNAT). 8
- 9. DS-Lite - Topology • B4 = Basic Bridging Broadband element (“Before”) - Home Router • CPE = Customer Premise Equipment • AFTR = Address Family Transition Router Element (“After”) - ISP to internet router • LSN = Large Scale Nat 9 Softwire Initiator Softwire Concentrator
- 10. DS-Lite Scenario 1: Existing IPv4 Customer • DS-lite tunnels Ipv4 packets over Ipv6 from the CPE to LSN 10 IPv4 Internet LSN CPE Service Provider 10.1.1.1 IPv6 Tunnel Endpoint IPv6 Link Address Mapping Inside: IPv4 SA + IPv6 SA + Port Outside: IPv4 Outside Address + Port Outside Address 201.15.12.1
- 11. DS-Lite Scenario 2: Dual IP Customer • IPv6 packets are routed normally while IPv4 packets are routed to the LSN 11 IPv4 Internet LSN Service Provider 10.1.1.1 IPv6 Link IPv6 Internet Home Gateway 2001:db8:1:2::abcd:1234
- 12. DS-Lite – Domain Impact DOMAIN IMPACT ACCESS • Access network becomes single stack IPv6 only. All upgrades that a native dual-stack scenario requires are also required for DS-Lite. • All CPE attaching to the network must support DS-Lite and IPv6 attachment. SUBSCRIBER EDGE • AFTR node(s) are needed in the network. • May be collocated in the BNG or a dedicated element. • LSNAT and support infrastructure is required. • BNG must support all requisites for implementing IPv6 subscriber management. • Older equipment that does not support IPv6 will need to be replaces. HOME NETWORK • Still the most complex domain to manage. • Customer Gateway (DSL modem/router, cable modem, etc) most likely needs to be replaced, must support IPv6-only WAN, IPv4 NAT at the customer gateway is removed. • Internal addressing structure for the home network needs to be considered too. 12
- 13. Nat64 - Introduction • Addresses operators who want IPv6-only access networks, but providing support for IPv4-only servers or content. • Minimal set of applications. • Does not support IPv4-only hosts attaching to the network. • CPE/UE connects to hosts through a synthesized IPv6 address, provided by a DNS64 engine. • Well known prefix 64:ff9b::/96 is used to map IPv4 server addresses. • Any client that cannot use a DNS64 server or provide local DNS64 resolution will not be able to connect to the IPv4 server, e.g. no more connecting by IP address. 13
- 14. Nat64 - Introduction • Significant impact in the CPE domain as the CPE must be upgraded to support IPv6 WAN and all associated connectivity (management, VoIP, IPTV, etc), however NAT function is removed from CPE which potentially reduces cost (CPU/memory) in maintaining NAT state in the CPE. • NAT64 provides an interesting and easy approach to an IPv6-only network by simply turning IPv4 off in the future when it is no longer required. • NAT64 typically assumes an IPoE deployment but could be used in the PPP case as well. • Debate over SLAAC vs. DHCPv6 in the access attachment continues, however general recommendation and approach is DHCPv6 based to align with DHCPv4 model in existing networks. 14
- 15. DNS64 In Action 15 Q: AAAA for example.com Q: AAAA for example.com R: Name Error Q: A for example.com R: example.com (A) = 192.0.2.23 DNS translation for WKP R: example.com (AAAA) = 64:FF9B::192.0.2.23 Well-Known Prefix DNS64 –NAT64 Nat64 Prefix: 64:FF9B::
- 16. NAT64 In Action 16 TCP SYN S=C-v6 D=64:FF9B::192.0.2.23 TCP SYN S=NP-v4 D=S-v4 TCP ACK S=S-v4 D=NP-v4 Translation NP-v4 + port into C-v6 TCP Ack S=WKP-v6 D=C-v6 Translation WKP-v6 into IPv4, pick free IPv4 addr/port from pool, build NAT session entry
- 17. NAT64 – Domain Impact DOMAIN IMPACT ACCESS • Access network becomes single stack IPv6 only. All upgrades that a native dual-stack scenario requires are also required for NAT64. • All devices attaching to the network must support IPv6, including in-home. SUBSCRIBER EDGE • NAT64 is needed in the network. • May be collocated in the BNG or a dedicated element. • DNS64 node must also be deployed. • BNG must support all requisites for implementing IPv6 subscriber management. HOME NETWORK • Customer Gateway (DSL modem/router, cable modem, etc) most likely needs to be replaced, must support IPv6-only WAN. • IPv4 NAT at the customer gateway is removed, and direct IPv4 support may be removed. • Home network components must support IPv6. • Internal addressing structure for the home network needs to be considered too. 17
- 18. 6 Rapid Deployment (6RD) - Intro • 6rd is a stateless tunneling mechanism which allows a Service Provider to rapidly deploy IPv6 in a lightweight and secure manner without requiring upgrades to existing IPv4 access network infrastructure. • 6rd specifically targets the case where operators wish to immediately deploy IPv6 to their subscriber base, but cannot enable it in the native access. As 6rd encapsulates IPv6 in IPv4, it can be deployed across any existing IPv4 network. • Access network and subscriber management edge face no changes. 18
- 19. 6RD - Components 6rd consists of two main hardware components, the CE (Customer Equipment) router and the BR (Border Relay) router: • Customer Edge Router The CE router sits at the edge of the service provider IPv4 access infrastructure and provides IPv6 connectivity to this end user's network. The native IPv6 traffic coming from the end user hosts is encapsulated in IPv4 by the CE router and tunneled to the BR router or directly to other CE routers in the same 6rd domain. Conversely, encapsulated 6rd traffic received from the Internet through the BR router and 6rd traffic from other CE routers will be de-capsulated and forwarded to the end-user nodes. • Border Relay Router The BR router provides connectivity between the CE routers and the IPv6 network (public or private Internet). Both the CE and BR routers are dual-stack devices, and the devices between the BR and CE routers can be IPv4 only. 19
- 20. 6RD - Topology 20 • The 6rd CE LAN-side interface carries traffic to and from IPv6 hosts. • The multipoint tunnel interface carries tunnel encapsulated traffic to and from IPv6 hosts. • The encapsulation used for the 6rd tunnel is a direct IPv6-in-IPv4 encapsulation. • Device-to-device traffic may be routed directly, and not through the BR when staying within a 6rd domain.
- 21. 6RD – Domain Impact DOMAIN IMPACT ACCESS • No impact for 6rd – access network remains exactly the same. SUBSCRIBER EDGE • Border relay (BR) is needed in the network May be collocated in the BNG or a dedicated element. • No change to the subscriber management at the BNG. HOME NETWORK • Customer Gateway (DSL modem/router, cable modem, etc) most likely needs to be replaced, or upgraded – must support 6RD. • IPv4 NAT at the customer gateway is still present. • Home network components need to support IPv6 for native services. 21
- 22. Methods of Transition 22 Home Device Access Network Destination Solutions IPv4 IPv4 IPv4 Internet Dual Stack IPv6 IPv6 IPv6 Internet IPv4/6 IPv6 IPv4 Internet DS-Lite IPv6 IPv6 IPv4 Internet NAT64 Stateful IPv4/6 IPv4 IPv4/6 Internet 6RD
- 23. Summaries and Comparison 23 Native Dual Stack DS-Lite NAT64 6RD CPE Almost always CPE change CPE change and support for DSLite CPE change (IPv6 only) CPE change End-user Impact OK – not much changes OK – not much changes NOK – any IPv4-only devices are impacted. No non-DNS64 support. OK – not much changes Pros ‘Simple’ technology with no transition or tunneling involved. Single address family in the access network Single address family in the access network • Single address family in the access network • Quick to deploy Cons • Cost of supporting dual- stack networks • Device support • Deployment time • All the effort of deploying dual-stack • Extra DS-Lite AFTR needed • Device support • Application brokeness with IPv4-literals • NAT logging required • Will only work for IPv6- supporting hosts. • Device support • Not necessarily a ‘long term’ solution Most Suitable For Deployment everywhere! Best long term option that gives the widest support for both address families Wireline, Wireless New build environments where both removing IPv4 from and deploying IPv6-only access is feasible. Wireline New build environments where IPv6-only access is acceptable and the majority of content will work through NAT64/DNS64 Wireless environments Legacy environments that cannot support native IPv6 access, and are willing to trade-off multi-stage migrations over the long term Wireline environments
- 24. 24 Thank You !
Editor's Notes
- #7: PPPoE : http://searchnetworking.techtarget.com/definition/PPPoE
- #8: http://www.networkworld.com/article/2232181/cisco-subnet/understanding-dual-stack-lite.html
- #9: http://www.networkworld.com/article/2232181/cisco-subnet/understanding-dual-stack-lite.html
- #11: https://www.youtube.com/watch?v=rYYra_C-oxA
- #12: https://www.youtube.com/watch?v=rYYra_C-oxA
- #15: http://www.ciscopress.com/articles/article.asp?p=2154680
- #21: In the network shown in Figure 2, the CE routers provide a range of prefixes to their sites. These prefixes are called 6rd delegated prefixes and are similar to IPv6 Domain Host Configuration Protocol Version 6 (DHCPv6) PD prefixes. A 6rd delegated prefix consists of the following elements: • An IPv6 prefix selected by the service provider to be the common 6rd service provider prefix for the given 6rd deployment • An assigned IPv4 address for the CE router; this address can be global or private, and 6rd does not have to use all 32 bits of the IPv4 address (as explained later in this document)