IPv6 implementation aspects in the operator's environment

Grzegorz Kornacki – F5 Field Systems Engineer

Exposing applications & services to IP v6

© F5 Networks, Inc 3

Exposing applications / services to IPv6

Facebook has already done it: https://sites.google.com/site/ipv6implementors/2010/agenda

…. scroll down a few slides …. to find a regular F5 config file.

• Plus the DNS (AAAA) record

It does not have to be done from the CLI:


• If there is a very old, "black box"-like application that
  • nobody wants to touch, and
  • cannot log v6 addresses,
• you can:
  1. insert a bogus private v4 address into X-Forwarded-For… and log the v4-to-v6 mapping to syslog, or
  2. SNAT to a bogus private v4 address… and log the v4-to-v6 mapping.
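A worked example of option 1, added here and not part of the original deck: a mapper that leases each IPv6 client a placeholder private IPv4 address from a reserved pool, keeps the lease alive while the client stays active, returns it for the X-Forwarded-For header, and records the MAP/UNMAP events that an investigator later needs to turn the application's IPv4 log entries back into IPv6 clients. The pool 10.255.0.0/16 and the 600 s lease are assumptions; on a BIG-IP the same logic would live in an iRule with a session table and HSL, which the slide does not show.

```python
import ipaddress
import time
from collections import OrderedDict, deque

# Assumption: a private range reserved for placeholders only. It must not
# overlap any RFC 1918 space the legacy application really sees, otherwise
# its logs become ambiguous.
BOGUS_POOL = ipaddress.ip_network("10.255.0.0/16")


class V6ToBogusV4Mapper:
    """Lease a placeholder IPv4 address per IPv6 client and log the mapping.

    The application logs only the placeholder; the MAP/UNMAP records kept
    here (in practice sent to syslog) are what ties it back to the real
    IPv6 client, so both logs must be retained for the same period.
    """

    def __init__(self, pool=BOGUS_POOL, lease_seconds=600):
        self.lease = lease_seconds
        self.free = deque(pool.hosts())       # unused placeholder addresses
        self.active = OrderedDict()           # IPv6Address -> (IPv4Address, expiry)
        self.log = []                         # mapping records, syslog-style lines

    def _expire(self, now):
        """Release leases whose last activity is older than the lease time."""
        for v6, (v4, expiry) in list(self.active.items()):
            if expiry <= now:
                del self.active[v6]
                self.free.append(v4)          # back at the end: reuse is delayed
                self.log.append(f"{now:.0f} UNMAP {v4} {v6}")

    def lookup(self, client_v6, now=None):
        """Return the placeholder for client_v6, allocating one if needed."""
        now = time.time() if now is None else now
        self._expire(now)
        v6 = ipaddress.IPv6Address(client_v6)
        if v6 in self.active:
            v4, _ = self.active[v6]
            self.active[v6] = (v4, now + self.lease)   # refresh the lease
            return v4
        if not self.free:
            # Pool exhaustion is a hard failure: silently reusing an address
            # would attribute one client's requests to another.
            raise RuntimeError("placeholder IPv4 pool exhausted")
        v4 = self.free.popleft()
        self.active[v6] = (v4, now + self.lease)
        self.log.append(f"{now:.0f} MAP {v4} {v6}")
        return v4

    def xff_header(self, client_v6, now=None):
        """Header name/value pair to insert before the request reaches the app."""
        return ("X-Forwarded-For", str(self.lookup(client_v6, now)))
```

Returning expired addresses to the end of the queue rather than reusing them immediately keeps the time between two clients holding the same placeholder as long as the pool allows, which is what makes the MAP/UNMAP timestamps usable for attribution.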


Good to know:

Providing IP v6 to your Subscribers


Technologies overview

Technology         Translation / tunneling   Stateful translation place
Dual Stack         n/a                       n/a
6rd (v6 over v4)   tunneling                 n/a
NAT64/DNS64        translation               network
XLAT               translation               network
DS-Lite            tunneling                 network
MAP-E              tunneling                 CPE
MAP-T              translation               CPE

Out of the classification example

Leading American Cable TV service provider – over 15M CPEs

• New VOD servers deployed in an IPv6-only network.
• Old Set Top Boxes are equipped with an IPv4 stack. The service provider is not able to replace all Set Top Boxes at once.
• New STB <-> new VOD server: pure IPv6 (v6 STB -> v6 VOD server).

Leading American Cable TV service provider – over 15M CPEs

• Old STB <-> new VOD server: v4 STB --IPv4--> F5 LTM --IPv6--> v6 VOD server
  DNS holds the mappings between:
  • server name - v4 address
  • server name - v6 address

• Old STB <-> new VOD server, what the LTM does per connection:

  STB destination: old v4 server address (the address the LTM receives the connection on)
  STB source: its own v4 address
  LTM source towards the server: new v6 address <96-bit prefix>:<src IPv4>

  1. PTR query on the old v4 server address to get the name of the server
  2. AAAA query on that name to get the v6 address
  (and likewise: 1. query for the name of the server, 2. query to get the v4 address)

Leading American Cable TV service provider – over 15M CPEs

• Old STB <-> new VOD server: yes, it is F5 iRules!

The only event used: CLIENT_ACCEPTED

Commands used:
• split, lrange, lindex, string tolower, getfield (Tcl list and string commands; getfield is an iRules addition)
• IP::client_addr, IP::local_addr
• RESOLV::lookup
• node, snat

Not a single if/then, switch, or while.
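The lookup chain above as an added example in Python; it is not the operator's iRule, which the slide does not reproduce. The resolver is a constructed in-memory table standing in for the PTR and AAAA queries the LTM issued with RESOLV::lookup, and the /96 SNAT prefix 2001:db8:ffff::/96 is an assumption. The STB's IPv4 address is carried in the low 32 bits of the SNAT address (the RFC 6052 layout), so the VOD server can still recover which box it is talking to; the example shows that recovery too, and the fall-through for a server that has no AAAA record yet.

```python
import ipaddress

# Constructed DNS content (example data, not the operator's zone). Names are
# stored without a trailing dot; a real PTR answer would carry one.
FAKE_DNS = {
    ("PTR", "198.51.100.10"): "VOD1.example.net",     # mixed case on purpose
    ("AAAA", "vod1.example.net"): "2001:db8:100::10",
    ("PTR", "198.51.100.11"): "vod2.example.net",
    # vod2 has no AAAA record: not migrated yet, must stay on IPv4
}

# Assumption: the /96 the LTM uses as SNAT source towards the IPv6 servers.
SNAT_PREFIX = ipaddress.IPv6Network("2001:db8:ffff::/96")


def fake_resolve(rrtype, name):
    """Stands in for RESOLV::lookup; returns one rdata string or None."""
    return FAKE_DNS.get((rrtype, name))


def embed_v4(prefix96, v4):
    """96-bit prefix followed by the 32-bit IPv4 address (RFC 6052 layout)."""
    return ipaddress.IPv6Address(int(prefix96.network_address)
                                 | int(ipaddress.IPv4Address(v4)))


def extract_v4(prefix96, v6):
    """Inverse of embed_v4: what the VOD server's log parser needs."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix96:
        raise ValueError(f"{addr} is not inside {prefix96}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def plan_connection(client_v4, old_server_v4, resolver=fake_resolve,
                    snat_prefix=SNAT_PREFIX):
    """Decide node and SNAT for one STB connection.

    Returns (node_v6, snat_v6) when the old server name now has an AAAA
    record, or None when the connection should stay on its IPv4 path.
    """
    name = resolver("PTR", str(ipaddress.IPv4Address(old_server_v4)))
    if name is None:
        return None                      # unknown destination: leave it alone
    name = name.lower().rstrip(".")      # normalise, like "string tolower"
    server_v6 = resolver("AAAA", name)
    if server_v6 is None:
        return None                      # no AAAA yet: keep using IPv4
    node = ipaddress.IPv6Address(server_v6)
    snat = embed_v4(snat_prefix, client_v4)
    return node, snat
```

The two None branches are the part worth copying: a missing PTR or AAAA answer must leave the connection on its original IPv4 path rather than steer it somewhere undefined, and the VOD server side needs the prefix to be fixed and documented so its logs can be decoded later.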

Plain Dual-Stack with NAT44

Diagram: Home environment (smart phone; IPv4 and IPv6) -> CPE/AG, Access Node (dual-stack) -> BRAS/BNG, GGSN/PGW (dual-stack) -> IPv4/IPv6 network -> IPv6 Internet directly; IPv4 via CGN (NAT44) -> IPv4 Internet

NAT44
• Translating private IPv4 addresses into public IPv4 addresses on the internet side (1:1 NAT and N:1 NAPT)
• Stateful operation

Plain Dual-Stack with NAT44: Pros and Cons

PROS
• Full manageability of the IPv4 and IPv6 subscriber traffic (on BNG / GGSN)
• Field-proven model that can be used in fixed and mobile (uniform model / FMC)
• No tunneling: less overhead, no fragmentation issues, etc.

CONS
• May require more licenses on BNG and/or GGSN for dual-stack operation (pre 3GPP R9)
• Poor mobile phone coverage
• In fixed networks the access and aggregation network has to be IPv6-aware
• Routing private IPv4 addresses in the SP backbone may be undesirable

IPv6 Rapid Deployment (6rd)

Diagram: Home environment (IPv4 and IPv6) -> CPE/AG, Access Node (IPv4) -> BRAS/BNG, GGSN/PGW (IPv4) -> IPv4 network; IPv6 travels in an IPv4 tunnel from the CPE to the 6rd Border Relay and on to the IPv6 Internet; IPv4 goes via CGN (NAT44) to the IPv4 Internet

6rd Border Relay
• Decapsulates the IPv4 tunnels coming from the CPEs
• Forwards the IPv6 packets coming out of these IPv4 tunnels towards the IPv6 Internet
• Note: the user's source IPv6 address (prefix) is constructed out of the 6rd prefix and the IPv4 address of the user; this allows stateless operation of the 6rd BR

6rd: Pros and Cons

PROS
• No additional license costs on BNG/GGSN (keep the IPv4-based BNG/GGSN)
• Solution is transparent for the whole IPv4 network and requires little to no changes in the network
• Cheapest solution to introduce IPv6

CONS
• Not future-proof ("tunnel the future over legacy"), so considered temporary; it just postpones a real investment in an IPv6 network
• Still requires NAT44 to deal with IPv4 address depletion
• CPE vendor support still limited
• Tunneling technique, potentially resulting in fragmentation & reassembly issues
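How that stateless construction works, as an added example in Python written for this page (not F5 code): the 6rd domain parameters a CPE learns by DHCP (RFC 5969), the delegated prefix derived from the customer's IPv4 address, the inverse that the Border Relay performs to find the IPv4 tunnel endpoint for an IPv6 destination inside the domain, and the anti-spoofing check the BR should apply to decapsulated packets: the inner IPv6 source must map back to the outer IPv4 source. All addresses are documentation ranges chosen for the example.

```python
import ipaddress


class SixRdDomain:
    """6rd domain parameters (RFC 5969): 6rd prefix, IPv4MaskLen, BR address."""

    def __init__(self, rd_prefix, ipv4_prefix, br_ipv4):
        self.rd_prefix = ipaddress.IPv6Network(rd_prefix)
        # IPv4MaskLen = number of high-order bits shared by all CE addresses;
        # here expressed as the IPv4 network those CEs live in.
        self.v4_common = ipaddress.IPv4Network(ipv4_prefix)
        self.br = ipaddress.IPv4Address(br_ipv4)
        self.v4_bits = 32 - self.v4_common.prefixlen          # bits copied into IPv6
        self.plen = self.rd_prefix.prefixlen + self.v4_bits    # delegated prefix length
        if self.plen > 64:
            raise ValueError("delegated prefix longer than /64: shorten the 6rd prefix")

    def delegated_prefix(self, ce_ipv4):
        """CE side: build the customer's IPv6 prefix from its IPv4 address."""
        v4 = ipaddress.IPv4Address(ce_ipv4)
        if v4 not in self.v4_common:
            raise ValueError(f"{v4} is outside the 6rd domain {self.v4_common}")
        suffix = int(v4) & ((1 << self.v4_bits) - 1)           # drop the common bits
        addr = int(self.rd_prefix.network_address) | (suffix << (128 - self.plen))
        return ipaddress.IPv6Network((addr, self.plen))

    def tunnel_endpoint(self, dst_ipv6):
        """IPv4 address an IPv6 packet is tunnelled to.

        Destinations inside the 6rd domain map back to a CE address with no
        state at all (what the BR does for traffic into the domain, and a CE
        for CE-to-CE traffic); everything else goes to the Border Relay.
        """
        dst = ipaddress.IPv6Address(dst_ipv6)
        if dst not in self.rd_prefix:
            return self.br
        suffix = (int(dst) >> (128 - self.plen)) & ((1 << self.v4_bits) - 1)
        return ipaddress.IPv4Address(int(self.v4_common.network_address) | suffix)

    def source_check(self, outer_ipv4_src, inner_ipv6_src):
        """BR ingress check: the inner IPv6 source must be a domain address
        whose embedded IPv4 bits equal the outer IPv4 source of the tunnel.
        A packet failing this is spoofed and must be dropped."""
        inner = ipaddress.IPv6Address(inner_ipv6_src)
        if inner not in self.rd_prefix:
            return False
        return self.tunnel_endpoint(inner) == ipaddress.IPv4Address(outer_ipv4_src)
```

With a /32 6rd prefix and a /24 of CE addresses each customer gets a /40; with no common bits (IPv4MaskLen 0) the same /32 yields a /64 per customer, which is why operators with scattered IPv4 space ask for a shorter 6rd prefix.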

NAT64 with DNS64

Diagram: Home environment (smart phone; IPv6 only) -> CPE/AG, Access Node (IPv6 only) -> BRAS/BNG, GGSN/PGW (IPv6 only) -> IPv6 network -> IPv6 Internet directly; IPv4 destinations via NAT64 (with DNS64) -> IPv4 Internet

NAT64
• Attracts the IPv6 subscriber traffic for the specific IPv6 destination prefix used to perform NAT64
• Extracts the IPv4 destination address out of the IPv6 destination address
• Uses a public IPv4 address pool to source traffic towards the IPv4 destination address (stateful)

DNS64
• In case no AAAA record exists for a destination, the DNS64 function adds the 'specific' IPv6 destination prefix to the A record of the destination and constructs a AAAA response from that
• DNS64 can be internal in the BIG-IP providing the NAT64 function, or external

Chart: Reachability of Top 88 Websites with NAT64/DNS64 (pure IPv6 vs. IPv6 + F5 NAT64/DNS64)

Network Migration – NAT64: Pros and Cons

PROS
• Natural phase-out of NAT
• Future-proof, setting the standard on IPv6 connectivity towards end users (IPv6-only sessions)
• No additional license costs on BNG/GGSN (transition from IPv4 to IPv6 on the user side)
• No tunneling: less overhead, no fragmentation issues, etc.

CONS
• Testing by other operators reveals some issues with applications: Skype, Google video chat
• IPv4 literals in websites
• Not practical for fixed deployments: end-user equipment may not be IPv6-capable (gaming consoles, STB, ...)

XLAT (CLAT + NAT64)

Diagram: Home environment (smart phone running the CLAT; IPv6 only) -> CPE/AG, Access Node (IPv6 only) -> BRAS/BNG, GGSN/PGW (IPv6 only) -> IPv6 network -> IPv6 Internet directly; IPv4 destinations via PLAT (NAT64) -> IPv4 Internet

PLAT
• PLAT is the Provider-side transLATor [RFC 6146].
• It translates N:1 global IPv6 addresses to global IPv4 addresses.
• It is in fact NAT64 under a new name.
• PLAT does not require DNS64.

CLAT
• CLAT is the Customer-side transLATor (XLAT) [RFC 6145].
• It translates 1:1 private IPv4 addresses to global IPv6 addresses.
• The CLAT function is applicable to a router or an end node such as a mobile phone or PC.
• It is usually seen as a virtual interface with a v4 address.

Network Migration – XLAT: Pros and Cons

PROS
• Delivers v4 addresses to the applications that need them
• Natural phase-out of NAT
• Future-proof, setting the standard on IPv6 connectivity towards end users (IPv6-only sessions)
• No additional license costs on BNG/GGSN (transition from IPv4 to IPv6 on the user side)
• No tunneling: less overhead, no fragmentation issues, etc.
• Applicable for fixed-line providers
• Available as a software package for PCs
• Light-weight home router patch

CONS
• IPv4 literals in websites
  • Could be solved with iRules

Scalability & Performance: address translation is within the « DNA » of F5

• CGNAT requires TCP/UDP connection management
• Packet-based solutions are not designed for that
• Connection management is "native" in the BIG-IP system

Unprecedented scale & performance

                          Single B4340N blade   VIPRION 4800 chassis with 8 blades
Connections per second    1M                    8M
Concurrent connections    60M                   480M
Throughput                80 Gbps               640 Gbps

Translation & Mapping Flexibility

Figure (items labelled "Now", "Next release" and "iRules"):
• Translation modes: NAPT Standard, NAPT Deterministic, NAPT PBA, Custom
• Transition techniques: NAT44, NAT64, DNS64, DS-Lite, 6rd, Custom
• Mapping & filtering: Hairpinning, EIM, EIF, PCP, Custom

Logging Flexibility: Enriched CGNAT logging – adding subscriber info

    # Subscriber-aware CGNAT session log. The msisdn/imsi/chrid subtables are
    # keyed by the subscriber's private IPv4 address and are populated
    # elsewhere (e.g. from RADIUS accounting); this iRule only reads them.
    when CLIENT_ACCEPTED {
        # High-speed logging handle towards the syslog pool
        set hsl [HSL::open -proto TCP -pool syslog_server_pool]
        # Lookup the MSISDN, IMSI and charging ID for this subscriber
        set m [table lookup -subtable msisdn [IP::client_addr]]
        set i [table lookup -subtable imsi [IP::client_addr]]
        set c [table lookup -subtable chrid [IP::client_addr]]
    }

    when SERVER_CONNECTED {
        # Timestamp of the translated session start
        set t [clock format [clock seconds] -format {%Y%m%d%H%M%S}]
        # <190> = local7.info; then: subscriber identity, client ip/port,
        # translated (SNAT) ip/port, destination ip/port, IP protocol number
        HSL::send $hsl "<190> 0;$t;$m;$i;$c;[IP::client_addr];[TCP::client_port];[IP::local_addr];[TCP::local_port];[IP::remote_addr];[TCP::remote_port];[IP::protocol]\n"
    }
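What an abuse desk or SOC does with those lines, as an added example in Python (not part of the deck): parse the semicolon-separated format the iRule emits, index sessions by translated address and port, and answer the standard question "which subscriber was behind public IP:port at time T". The three log lines are constructed for the example (RFC 5737 addresses, made-up MSISDN/IMSI values). Because the iRule logs session starts only, the lookup returns the most recent session that started at or before T on that public tuple; ports are reused, so without end-of-session records or a known NAT timeout an attribution can be wrong, and the function returns the whole candidate so the caller can check the gap.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of the iRule's output (not real subscriber data).
SAMPLE_LOG = """\
<190> 0;20131015120501;48600111222;260011234567890;0000a1b2;10.20.30.40;51000;203.0.113.5;1024;198.51.100.80;443;6
<190> 0;20131015120530;48600999888;260019876543210;0000a1b3;10.20.31.7;40022;203.0.113.5;1025;198.51.100.80;443;6
<190> 0;20131015121500;48600777666;260015555555555;0000a1b4;10.20.32.9;33000;203.0.113.5;1024;192.0.2.50;80;6
"""

FMT = "%Y%m%d%H%M%S"
FIELDS = ("msg_id", "start", "msisdn", "imsi", "chrid", "client_ip", "client_port",
          "public_ip", "public_port", "dst_ip", "dst_port", "proto")
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>\s*(?P<body>.*)$")


@dataclass(frozen=True)
class Session:
    facility: int
    severity: int
    start: datetime
    msisdn: str
    imsi: str
    chrid: str
    client_ip: str
    client_port: int
    public_ip: str
    public_port: int
    dst_ip: str
    dst_port: int
    proto: int


def parse_line(line):
    """Parse one HSL line; raise ValueError on anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"no syslog PRI: {line!r}")
    pri = int(m.group("pri"))
    parts = m.group("body").split(";")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    return Session(
        facility=pri >> 3, severity=pri & 7,          # <190> = local7.info
        start=datetime.strptime(rec["start"], FMT),
        msisdn=rec["msisdn"], imsi=rec["imsi"], chrid=rec["chrid"],
        client_ip=rec["client_ip"], client_port=int(rec["client_port"]),
        public_ip=rec["public_ip"], public_port=int(rec["public_port"]),
        dst_ip=rec["dst_ip"], dst_port=int(rec["dst_port"]),
        proto=int(rec["proto"]),
    )


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def attribute(sessions, public_ip, public_port, at, proto=6):
    """Most recent session on (public_ip, public_port, proto) started at or
    before `at` (a datetime or a timestamp in the log's own format), or None.

    Only session starts are logged, so a later session on the same port
    supersedes an earlier one; verify the gap against the NAT idle timeout.
    """
    if isinstance(at, str):
        at = datetime.strptime(at, FMT)
    candidates = [s for s in sessions
                  if s.public_ip == public_ip and s.public_port == public_port
                  and s.proto == proto and s.start <= at]
    return max(candidates, key=lambda s: s.start, default=None)
```

The destination address and port are part of the record on purpose: when a complaint names the remote server as well, matching on it distinguishes two subscribers who were given the same public port in quick succession.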

Dual Stack Lite (DS-Lite) – supported now

Diagram: Home environment (IPv4 and IPv6) -> CPE/RG (B4) -> Access Node (IPv6 only) -> BRAS/BNG, GGSN/PGW (IPv6 only) -> IPv6 network -> IPv6 Internet directly; IPv4 in an IPv6 tunnel from the B4 to the AFTR, NAT44 at the AFTR -> IPv4 Internet

AFTR function
• Decapsulates the IPv6 tunnels from the CPEs (hosting the B4 function)
• Provides a stateful NAT44 function for the encapsulated IPv4 traffic
• The encapsulated IPv4 traffic has overlapping addresses

Challenges: unable to steer tunneled traffic; unable to distinguish subscribers' sessions

F5 Network Services: a unified platform and single management framework

• Intelligent traffic management
• CGNAT and IPv6 migration
• ICSA certified network firewall
• Policy enforcement
• Header enrichment and TCP optimization
• Local DNS
• URL filtering

F5 and intelligent traffic steering to VAS platforms: a unified platform simplifies delivery of network services with F5

Diagram: PGW -> VIPRION -> RTR -> Internet; the VIPRION steers to data-center VAS platforms: Video Optimization, Transparent Caching, URL Filtering, Parental Controls
• Context-aware steering & intelligent service chaining
• DS-Lite termination with subscriber awareness

Network security & CGNAT in mobile: evolution and next steps

• Gi firewalls are used in the mobile data path to protect
  • Subscribers (e.g. battery drain attacks)
  • Network (e.g. port scans and sweeps leading to RNC paging / signaling overload)
• IPv4 address exhaustion resulted in CGNAT deployments
  • NAT44 enabled on the existing Gi firewall
  • NAT44 enabled on a different standalone CGNAT platform
  • CGNAT is a stateful operation and hence has several characteristics of a Gi firewall
• Future challenges
  • Traditional firewalls lack the scale/performance to deal with increasing NAT44 traffic
  • Some standalone CGNAT platforms (routers) lack the security features to deal with new Gi firewall requirements (IPv6)

Mobile networks in EMEA: typical IPv4-IPv6 transition plan

Chart (capacity/throughput and address consumption over 2010 – 2013 – 2016):
• Public IPv4 (Gi-FW): public IPv4 address space exhausted
• Private IPv4 (CGNAT): need to introduce private IPv4
• Public IPv6 (Gi-FW): introduction of IPv6

CGNAT and Gi-FW needs in mobile

Option 1: Leverage FW for CGNAT (2010 – 2013 – 2016)
• Public IPv4: firewall for Gi-FW
• Private IPv4: enable NAT on the firewall (firewall for CGNAT)
• Firewall max capacity reached (connections / bandwidth). Options:
  • Add more firewalls with load balancers
  • Investigate alternatives (router, ADC)
• Public IPv6

CGNAT and Gi-FW needs in mobile

Option 2: Introduce a router for CGNAT (2010 – 2013 – 2016)
• Public IPv4: firewall for Gi-FW
• Private IPv4: add a router for CGNAT (router for CGNAT)
• Public IPv6: IPv6 requires a Gi firewall again. Options:
  • Introduce new firewalls for IPv6
  • Investigate alternatives (ADC)

CGNAT and Gi-FW needs in mobile

Option 3: F5 for consolidated Gi-FW / CGNAT (2010 – 2013 – 2016)
• Public IPv4: firewall for Gi-FW
• Private IPv4: introduce F5 for CGNAT (F5 for CGNAT)
• Public IPv6: IPv6 requires a Gi firewall again (enable the AFM module on F5)

Platform consolidation: happening now

Network function consolidation
• L2–L3, 2005–2010: dedicated platforms from different vendors (L2 switching, MPLS L2 PE, L3 routing, MPLS L3 PE, BRAS/BNG) -> single platform, L2–L3 consolidation: multi-service router (IP routing, MPLS L2 PE, MPLS L3 PE, BRAS/BNG)
• L4–L7, 2010–2014: dedicated platforms from different vendors (full proxy with TCP optimization and HTTP header enrichment, L3/L4 firewall, steering, policy enforcement, CGNAT) -> unified platform, L4–L7 consolidation (TCP optimization, DPI/PCEF, L7 steering, FW/CGN, HTTP header enrichment)

F5 – the only reasonable choice

Diagram: GGSN/PGW -> F5 (CGNAT, Gi-FW with AFM) -> Internet; private IPv4 -> CGNAT -> public IPv4; public IPv6 -> Gi-FW -> public IPv6. Over time the traffic distribution shifts from CGNAT to the IPv6 Gi-FW (NAT44 → NAT64).
• High scale / performance
• Gradual transition from CGNAT to IPv6 Gi-FW
• Investment protection

Backup slides

DNS64 in action

IPv6 client <-> DNS64 (ADC) <-> v4 DNS (www.server.com A) / v6 DNS (www.server.com AAAA) on the Internet

1. The IPv6 client sends a DNS query for www.server.com
2. The ADC sends AAAA & A queries to the DNS
3a. If a v6 DNS record exists, the AAAA record is returned to the client as usual
3b. If only a v4 DNS A record is returned, the ADC adds the 96-bit prefix to the A record and returns an AAAA to the client
4. The ADC responds to the DNS request with the AAAA response
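The decision in steps 3a/3b, and the DNS64 bullets on the NAT64 with DNS64 slide earlier, as an added example in Python (not BIG-IP code): a resolver function over a constructed zone that returns an existing AAAA unchanged, synthesizes one from the A record under the well-known prefix 64:ff9b::/96 (RFC 6052) when there is none, and treats AAAA records in the default exclusion set ::ffff:0:0/96 as absent, as RFC 6147 prescribes. The zone data is made up; 16.100.100.100 is borrowed from the NAT64 gateway slide below so the synthesized answer can be compared with it.

```python
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")          # RFC 6052 well-known prefix
EXCLUDE = ipaddress.IPv6Network("::ffff:0:0/96")     # RFC 6147 default exclusion set

# Constructed zone data (example only).
ZONE = {
    "dual.example.com":   {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "v4only.example.com": {"A": ["16.100.100.100"]},
    "mapped.example.com": {"A": ["192.0.2.30"], "AAAA": ["::ffff:192.0.2.30"]},
    "v6only.example.com": {"AAAA": ["2001:db8::20"]},
}


def synthesize(v4, prefix=WKP):
    """Prefix (96 bits) followed by the IPv4 address (32 bits)."""
    return ipaddress.IPv6Address(int(prefix.network_address)
                                 | int(ipaddress.IPv4Address(v4)))


def dns64_aaaa(name, zone=ZONE, prefix=WKP):
    """Answer an AAAA query the way a DNS64 resolver does.

    Returns (list of IPv6 address strings, synthesized flag).
    """
    rrsets = zone.get(name, {})
    real = [a for a in rrsets.get("AAAA", [])
            if ipaddress.IPv6Address(a) not in EXCLUDE]   # IPv4-mapped AAAA counts as none
    if real:
        return real, False                                   # 3a: pass through unchanged
    a_records = rrsets.get("A", [])
    if a_records:
        return [str(synthesize(a, prefix)) for a in a_records], True   # 3b: synthesize
    return [], False                                         # no data for this name
```

Two caveats the slide does not state: a synthesized AAAA cannot carry a valid DNSSEC signature, so validating stubs must either trust the DNS64 or do their own synthesis, and the prefix used here must be the same one the NAT64 listens on, or the synthesized destinations are unroutable.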

1: IPv6 client accesses IPv6 content

IPv6 client -> www.server.com (IPv6); the DNS64 answered from the v6 DNS (AAAA)

1. The client sends traffic to the server www.server.com using its IPv6 address
2. The server responds directly to the IPv6 client

2: IPv6 client accesses IPv4 content

BIG-IP translates IPv6 addresses carrying the prefix into IPv4 addresses (NAT64)
NAT64 mapping: <96-bit prefix> + IPv4 address <-> IPv4 address

1. The client sends traffic to www.server.com (IPv4) at its IPv6 address built from the LTM's 96-bit prefix
2. The LTM transforms the v6 addresses to v4 addresses for the outgoing traffic
3. The LTM maps and transforms the v4 addresses back to v6 for the return traffic
4. The LTM responds to the client with an IPv6 source

IPv6 to IPv4 Gateway: NAT64

IPv6 client -- IPv6 network -- IPv6 to IPv4 gateway (NAT64, DNS64) -- IPv4 network -- www.ipv4test.com

www.ipv4test.com, IPv4: 16.100.100.100; hex notation: ::1064:6464; IPv4-to-IPv6 prefix: 64:ff9b::

DNS request: www.ipv4test.com
DNS response: AAAA www.ipv4test.com = 64:ff9b::1064:6464

GET http://www.ipv4test.com to IPv6 64:ff9b::1064:6464 -> GET http://www.ipv4test.com to IPv4 16.100.100.100
Response from IPv4 16.100.100.100 -> response from IPv6 64:ff9b::1064:6464
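The two translation points of 464XLAT in one added example (Python, written for this page; not F5 code) that also covers the stateful NAT64 described on the XLAT slide and on the two NAT64 slides above: a stateless CLAT that maps the application's IPv4 flow 1:1 into IPv6 (source under the CLAT's own /96, destination under the PLAT/NAT64 prefix), and a stateful PLAT/NAT64 that extracts the IPv4 destination from 64:ff9b::/96, allocates a public address and port, and admits return traffic only when it matches an existing session. The CLAT prefix 2001:db8:1:1::/96, the public address 203.0.113.5 and the use of 192.0.0.2 (from the 192.0.0.0/29 block RFC 7335 reserves for CLATs) are assumptions for the example; the IPv4 server 16.100.100.100 is the one from the NAT64 gateway slide.

```python
import ipaddress
from dataclasses import dataclass

PLAT_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")        # NAT64 / PLAT prefix
CLAT_PREFIX = ipaddress.IPv6Network("2001:db8:1:1::/96")   # assumption: the CLAT's own /96


def embed(prefix, v4):
    """<96-bit prefix>:<IPv4>, the RFC 6052 layout used by both translators."""
    return ipaddress.IPv6Address(int(prefix.network_address)
                                 | int(ipaddress.IPv4Address(v4)))


def extract(prefix, v6):
    """Inverse of embed; None when v6 is not under prefix (native IPv6)."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def clat_out(flow4):
    """CLAT, stateless 1:1: IPv4 flow from the application -> IPv6 flow."""
    return Flow(flow4.proto, str(embed(CLAT_PREFIX, flow4.src)), flow4.sport,
                str(embed(PLAT_PREFIX, flow4.dst)), flow4.dport)


def clat_in(flow6):
    """CLAT return path: IPv6 flow -> IPv4 flow for the application."""
    src4, dst4 = extract(PLAT_PREFIX, flow6.src), extract(CLAT_PREFIX, flow6.dst)
    if src4 is None or dst4 is None:
        return None                        # not ours: native IPv6 traffic
    return Flow(flow6.proto, str(src4), flow6.sport, str(dst4), flow6.dport)


class Nat64:
    """PLAT / NAT64: stateful N:1 translation onto one public IPv4 address."""

    def __init__(self, public_ipv4, prefix=PLAT_PREFIX, first_port=1024):
        self.public = str(ipaddress.IPv4Address(public_ipv4))
        self.prefix = prefix
        self.next_port = first_port
        self.sessions = {}   # (proto, src6, sport, dst4, dport) -> public port
        self.reverse = {}    # (proto, public port, dst4, dport) -> (src6, sport)

    def outbound(self, flow6):
        """IPv6 side -> IPv4 side; creates the session on first sight."""
        dst4 = extract(self.prefix, flow6.dst)
        if dst4 is None:
            return None                    # native IPv6 destination, not translated
        key = (flow6.proto, flow6.src, flow6.sport, str(dst4), flow6.dport)
        if key not in self.sessions:
            if self.next_port > 65535:
                raise RuntimeError("public port range exhausted")
            port, self.next_port = self.next_port, self.next_port + 1
            self.sessions[key] = port
            self.reverse[(flow6.proto, port, str(dst4), flow6.dport)] = (flow6.src, flow6.sport)
        return Flow(flow6.proto, self.public, self.sessions[key], str(dst4), flow6.dport)

    def inbound(self, flow4):
        """IPv4 side -> IPv6 side; dropped unless a session exists."""
        if flow4.dst != self.public:
            return None
        key = (flow4.proto, flow4.dport, flow4.src, flow4.sport)
        if key not in self.reverse:
            return None                    # unsolicited: the stateful filter drops it
        src6, sport = self.reverse[key]
        return Flow(flow4.proto, str(embed(self.prefix, flow4.src)), flow4.sport, src6, sport)
```

Note the asymmetry the slides describe: the CLAT keeps no state and could be re-implemented anywhere on the path, while the PLAT's session table is exactly the connection management that makes CGNAT a stateful, firewall-like function; the inbound check is also what gives subscribers protection from unsolicited IPv4 traffic.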

Intelligent Traffic Management in action: steering to 2 VAS services, subscriber & RAT-type based

Diagram: Subscriber -> GGSN/PGW -> Intelligent Traffic Management -> Internet; service provider VAS: Parental Control, Video Optimization. Control plane: AAA (Radius, incl. RAT-type updates), PCRF (Diameter Gx, Gy), other API (subscriber policies). Policy-enabled per-connection or per-transaction steering to VAS/optimization.

User   Subscriber policy
John   Video Opt
imization, LTE bypass
Paul   Video Optimization always; Parental Control
Emma   Parental Control

Intelligent Traffic Management in action, scenarios (same diagram and policy table):
• User John: http traffic on LTE
• User John: http traffic on 3G
• User Paul: http traffic on 3G/LTE
• User Emma: http traffic on 3G/LTE

References

NAT64/DNS64: RFC 6146, RFC 6147
464XLAT: RFC 6877
Dual-Stack Lite (DS-Lite): RFC 6333
XLAT demo: https://sites.google.com/site/tmoipv6/464xlat
https://f5.com/products/service-provider-products/carrier-grade-nat
https://f5.com/products/service-provider-products/policy-enforcement-manager