IPv6 implementation aspects in the operator’s environment
Grzegorz Kornacki – F5 Field Systems Engineer
© F5 Networks, Inc 3

Exposing applications / services to IPv6

Facebook has already done it: https://sites.google.com/site/ipv6implementors/2010/agenda
(scroll down a few slides in that deck to find a regular F5 config file)
• Plus a DNS record

It does not have to be CLI.

• If there is a very old, "black box"-like application that
  • nobody wants to touch, and
  • cannot log v6 addresses,
• you can:
  1. Insert a bogus private v4 address into X-Forwarded-For… and log the v4-to-v6 mapping into syslog
  2. SNAT to a bogus private v4 address… and log the v4-to-v6 mapping
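The two variants above share one operational requirement: the stand-in private v4 address handed to the legacy application is meaningless unless the v4-to-v6 mapping is logged, and logged in a form an investigator can replay later. The following is an added example (not from the slide deck or from F5) that models that bookkeeping in Python: a per-client allocator for stand-in addresses, the syslog-style mapping record, and a resolver that answers "which IPv6 client held this v4 at that time" from those records. The pool 10.255.0.0/16, the record format and the client addresses are constructed for the example.

```python
"""Stand-in private IPv4 per IPv6 client, with a syslog-style audit trail.

Added example, not from the slide deck or from F5: it models the trick on the
slide, where a legacy IPv4-only application is fronted by an IPv6 service and
gets a bogus private IPv4 (in X-Forwarded-For or as the SNAT source) while the
real IPv6 client is recorded out-of-band.  The pool 10.255.0.0/16 and the
record format are assumptions made for this example.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed pool of stand-in addresses; it must not overlap anything the
# legacy application can actually reach, or its logs become ambiguous.
BOGUS_POOL = ipaddress.ip_network("10.255.0.0/16")

# Constructed record format.  Keep it stable: SIEM parsers and resolve_v4()
# below depend on every field.
LOG_RE = re.compile(
    r"v4v6map ts=(?P<ts>\d+) v4=(?P<v4>\S+) v6=(?P<v6>\S+) action=(?P<action>alloc|release)"
)


class BogusV4Mapper:
    """Hands out one stand-in IPv4 per active IPv6 client and logs every change."""

    def __init__(self, pool: ipaddress.IPv4Network = BOGUS_POOL) -> None:
        self._free: List[ipaddress.IPv4Address] = list(pool.hosts())
        self._v6_to_v4: Dict[str, str] = {}
        self.log: List[str] = []  # stands in for the syslog destination

    def _emit(self, action: str, v4: str, v6: str, ts: int) -> None:
        self.log.append(f"v4v6map ts={ts} v4={v4} v6={v6} action={action}")

    def map_client(self, client_v6: str, ts: int) -> str:
        """Return the stand-in IPv4 for a client, allocating it on first sight."""
        v6 = str(ipaddress.IPv6Address(client_v6))  # canonical text is the key
        if v6 in self._v6_to_v4:
            return self._v6_to_v4[v6]
        if not self._free:
            # Pool exhaustion is the failure mode to monitor: refusing is safer
            # than silently reusing an address another client still holds.
            raise RuntimeError("stand-in IPv4 pool exhausted")
        v4 = str(self._free.pop(0))
        self._v6_to_v4[v6] = v4
        self._emit("alloc", v4, v6, ts)
        return v4

    def release(self, client_v6: str, ts: int) -> None:
        """Give the address back.  It goes to the back of the queue so it is
        reused as late as possible, which keeps application logs unambiguous
        for longer."""
        v6 = str(ipaddress.IPv6Address(client_v6))
        v4 = self._v6_to_v4.pop(v6)
        self._free.append(ipaddress.IPv4Address(v4))
        self._emit("release", v4, v6, ts)

    def forwarded_for(self, client_v6: str, ts: int) -> str:
        """Header value handed to the legacy application (variant 1 on the slide)."""
        return f"X-Forwarded-For: {self.map_client(client_v6, ts)}"


def resolve_v4(log_lines: List[str], v4: str, ts: int) -> Optional[str]:
    """Investigation helper: which IPv6 client held stand-in address v4 at
    time ts?  Replays alloc/release records in order; None means unassigned."""
    holder: Optional[str] = None
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["v4"] != v4 or int(m["ts"]) > ts:
            continue
        holder = m["v6"] if m["action"] == "alloc" else None
    return holder


def demo() -> dict:
    """Constructed scenario: two clients, one leaves, and its address is
    later looked up at two points in time."""
    mapper = BogusV4Mapper()
    first = mapper.map_client("2001:db8::1", ts=100)
    second = mapper.forwarded_for("2001:db8::2", ts=110)
    mapper.release("2001:db8::1", ts=200)
    return {
        "first": first,
        "second_header": second,
        "who_had_first_at_150": resolve_v4(mapper.log, first, 150),
        "who_had_first_at_250": resolve_v4(mapper.log, first, 250),
        "log": mapper.log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The resolver deliberately returns None for a time at which the address was unassigned, rather than the most recent holder: with address reuse, "who had 10.255.0.1" is only meaningful together with a timestamp, which is why the record carries one.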

Exposing applications / services to IPv6
Good to know:

Technologies overview

Technology         Translation / tunneling   Stateful translation place
Dual Stack         n/a                       n/a
6rd (v6 over v4)   tunneling                 n/a
NAT64/DNS64        translation               network
XLAT               translation               network
DS-Lite            tunneling                 network
MAP-E              tunneling                 CPE
MAP-T              translation               CPE

Out of the classification example: leading American Cable TV service provider – over 15M CPEs

• New VOD servers are deployed in an IPv6-only network.
• Old set-top boxes (STBs) are equipped with an IPv4 stack only. The service provider is not able to replace all STBs at once.
• New STB <-> new VOD server: pure IPv6 (v6 STB talks directly to the v6 VOD server).
• Old STB <-> new VOD server: F5 LTM sits between the IPv4 side (v4 STB) and the IPv6 side (v6 VOD server), with DNS holding mappings between:
  • server name - v4 address
  • server name - v6 address

Flow for old STB <-> new VOD server (diagram: v4 STB – F5 LTM – DNS – v6 VOD server; labels: old v4 server address / own v4 on the LTM side, new v6 on the server side, v6 source <96bit prefix>:<src IPv4>):
  1. PTR query to get the name of the server
  2. AAAA query to get its v6 address

Yes, it is F5 iRules!!!
The only event used: CLIENT_ACCEPTED
Commands used:
  split, lrange, lindex, string tolower, getfield (standard TCL commands)
  IP::client_addr, IP::local_addr
  RESOLV::lookup
  node, snat
No single if/then, or switch, or while

IPv4/IPv6 network: Plain Dual-Stack with NAT44

(Diagram: home environment with smartphone → CPE/AG → access node (dual-stack) → BRAS/BNG or GGSN/PGW (dual-stack); IPv6 goes directly to the IPv6 Internet, IPv4 goes through CGN (NAT44) to the IPv4 Internet.)

NAT44
• Translating private IPv4 addresses into public IPv4 addresses on the Internet side (1:1 NAT and N:1 NAPT)
• Stateful operation

Plain Dual-Stack with NAT44 – Pros and Cons
PROS
• Full manageability of the IPv4 and IPv6 subscriber traffic (on BNG / GGSN)
• Field-proven model that can be used in fixed and mobile (uniform model / FMC)
• No tunneling – less overhead, no fragmentation issues, etc.
CONS
• May require more licenses on BNG and/or GGSN for dual-stack operation (pre 3GPP R9)
• Poor mobile phone coverage
• In fixed networks the access and aggregation network should be IPv6 aware
• Routing private IPv4 addresses in the SP backbone may be undesirable

IPv6 Rapid Deployment (6RD)
• Decapsulate IPv4 tunnels coming from the CPE
• Forward the encapsulated IPv6 packets coming out of these IPv4 tunnels towards the IPv6 Internet
• Note: the user's source IPv6 address is constructed out of the 6RD prefix and the IPv4 address of the user (this allows for stateless operation of the 6RD Border Relay)

(Diagram: home environment → CPE/AG → access node (IPv4) → BRAS/BNG or GGSN/PGW (IPv4) → IPv4 network; an IPv4 tunnel runs from the CPE to the 6RD Border Relay, which forwards to the IPv6 Internet; native IPv4 goes through CGN (NAT44) to the IPv4 Internet.)

6RD – Pros and Cons
PROS
• No additional license costs on BNG/GGSN (keep IPv4-based BNG/GGSN)
• Solution is transparent for the whole IPv4 network and requires little to no changes in the network
• Cheapest solution to introduce IPv6
CONS
• Not future proof ("tunnel the future over legacy"), so considered 'temporary' and just postpones a real investment in an IPv6 network
• Still requires a NAT44 to deal with IPv4 address depletion
• CPE vendor support still limited
• Tunneling technique, potentially resulting in fragmentation & reassembly issues

IPv6 network: NAT64 with DNS64

(Diagram: home environment with smartphone → CPE/AG → access node (IPv6 only) → BRAS/BNG or GGSN/PGW (IPv6 only); IPv6 goes directly to the IPv6 Internet, traffic for IPv4 destinations goes through NAT64 + DNS64 to the IPv4 Internet.)

NAT64
• Attracts IPv6 subscriber traffic for the specific IPv6 destination prefix used to perform NAT64
• Extracts the IPv4 destination address out of the IPv6 destination address
• Uses a public IPv4 address pool to source traffic towards the IPv4 destination address (stateful)

DNS64
• In case no AAAA exists for a destination, the DNS64 function adds the 'specific' IPv6 destination prefix to the A address of the destination and constructs a AAAA response based on that
• DNS64 can be internal in the BIG-IP providing the NAT64 function, or can be external

Reachability of Top 88 Websites with NAT64/DNS64 (chart: pure IPv6 vs IPv6 + F5 NAT64/DNS64)

Network Migration – NAT64 – Pros and Cons
PROS
• Natural phase-out of NAT
• Future-proof, setting the standard on IPv6 connectivity towards end users (IPv6-only sessions)
• No additional license costs on BNG/GGSN (transition from IPv4 to IPv6 on user side)
• No tunneling – less overhead, no fragmentation issues, etc.
CONS
• Testing by other operators reveals some issues with applications: Skype, Google videochat
• IPv4 literals in websites
• Not practical for fixed deployments: end-user equipment may not be IPv6-capable (gaming consoles, STB, ...)

IPv6 network: XLAT (CLAT + NAT64)

(Diagram: home environment with smartphone (running CLAT) → CPE/AG → access node (IPv6 only) → BRAS/BNG or GGSN/PGW (IPv6 only); IPv6 goes directly to the IPv6 Internet, IPv4-destined traffic goes through the PLAT (NAT64, DNS64 optional) to the IPv4 Internet.)

PLAT
• PLAT is the Provider-side transLATor [RFC6146].
• It translates N:1 global IPv6 addresses to global IPv4 addresses.
• It's in fact NAT64 under a new name
• PLAT does not require DNS64

CLAT
• CLAT is the Customer-side transLATor (XLAT) [RFC6145].
• It translates 1:1 private IPv4 addresses to global IPv6 addresses.
• The CLAT function is applicable to a router or an end-node such as a mobile phone or PC.
• It's usually seen as a virtual interface with a v4 address

Network Migration – XLAT – Pros and Cons
PROS
• Delivers v4 addresses to the applications that need them
• Natural phase-out of NAT
• Future-proof, setting the standard on IPv6 connectivity towards end users (IPv6-only sessions)
• No additional license costs on BNG/GGSN (transition from IPv4 to IPv6 on user side)
• No tunneling – less overhead, no fragmentation issues, etc.
• Is applicable for fixed-line providers
  • As a software package for PCs
  • Light-weight home router patch
CONS
• IPv4 literals in websites
  • Could be solved with iRules

Scalability & Performance – address translation is within the "DNA" of F5
• CGNAT requires TCP/UDP connection management
• Packet-based solutions are not designed for that
• Connection management is "native" in the BIG-IP system

Unprecedented scale & performance:
                        Single B4340N blade    VIPRION 4800 chassis with 8 blades
Connections per second  1M                     8M
Connections             60M                    480M
Throughput              80Gbps                 640Gbps

Translation & Mapping Flexibility
• Translation modes: NAPT Standard, NAPT Deterministic, NAPT PBA, Custom
• Transition techniques: NAT44, NAT64, DNS64, DS-Lite, 6RD, Custom
• Mapping & filtering: Hairpinning, EIM, EIF, Custom, PCP (next release)
Custom entries are implemented with iRules today.

Logging Flexibility – enriched CGNAT logging, adding subscriber info

when CLIENT_ACCEPTED {
    # Open a high-speed logging (HSL) connection to the syslog server pool
    set hsl [HSL::open -proto TCP -pool syslog_server_pool]
    # Look up the subscriber identifiers (MSISDN, IMSI, charging ID) for this
    # client IP in session tables populated elsewhere (not shown here)
    set m [table lookup -subtable msisdn [IP::client_addr]]
    set i [table lookup -subtable imsi [IP::client_addr]]
    set c [table lookup -subtable chrid [IP::client_addr]]
}

when SERVER_CONNECTED {
    # Timestamp the record, then emit one line per established NAT session:
    # syslog PRI <190> (local7.info), subscriber IDs, and the addresses/ports
    # and protocol of the flow as seen in this server-side event
    set t [clock format [clock seconds] -format {%Y%m%d%H%M%S}]
    HSL::send $hsl "<190> 0;$t;$m;$i;$c;[IP::client_addr];[TCP::client_port];[IP::local_addr];[TCP::local_port];[IP::remote_addr];[TCP::remote_port];[IP::protocol]\n"
}

IPv6 network: Dual-Stack Lite (DS-Lite) – supported now

(Diagram: home environment (IPv4) → CPE/RG (B4) → access node (IPv6 only) → BRAS/BNG or GGSN/PGW (IPv6 only); an IPv6 tunnel carries IPv4 from the B4 to the DS-Lite AFTR, which applies NAT44 and forwards to the IPv4 Internet; native IPv6 goes to the IPv6 Internet. Inside the tunnel the network is unable to steer the tunneled traffic and unable to distinguish subscribers' sessions.)

AFTR function
• Decapsulate IPv6 tunnels from the CPE (hosting the B4 function)
• Provide a stateful NAT44 function to the encapsulated IPv4 traffic
• Encapsulated IPv4 traffic has overlapping addresses

F5 Network Services – a unified platform and single management framework
• Intelligent traffic management
• CGNAT and IPv6 migration
• ICSA certified network firewall
• Policy enforcement
• Header enrichment and TCP optimization
• Local DNS
• URL filtering

F5 and intelligent traffic steering to VAS platforms – a unified platform simplifies delivery of network services with F5
(Diagram: PGW → VIPRION → RTR → Internet; data center VAS platforms: video optimization, transparent caching, URL filtering, parental controls.)
• Context-aware steering & intelligent service chaining
• DS-Lite termination with subscriber awareness

Network security & CGNAT in mobile – evolution and next steps
• Gi firewalls are used in the mobile data path to protect
  • Subscribers (e.g. battery drain attacks)
  • Network (e.g. port scans and sweeps leading to RNC paging / signaling overload)
• IPv4 address exhaustion resulted in CGNAT deployments
  • NAT44 enabled on the existing Gi firewall
  • NAT44 enabled on a different standalone CGNAT platform
• The CGNAT function is a stateful operation and hence has several characteristics of a Gi firewall
• Future challenges
  • Traditional firewalls lack the scale/performance to deal with increasing NAT44 traffic
  • Some standalone CGNAT platforms (routers) lack the security features to deal with new Gi firewall requirements (IPv6)

Mobile networks in EMEA – typical IPv4-IPv6 transition plan
(Chart, 2010 to 2016, address consumption and capacity/throughput over time: public IPv4 (Gi-FW) → private IPv4 (CGNAT) → public IPv6 (Gi-FW).)
• Public IPv4 address space exhausted
• Need to introduce private IPv4
• Introduction of IPv6

CGNAT and Gi-FW needs in mobile – Option 1: leverage FW for CGNAT
(Chart, 2010 to 2016: public IPv4 (firewall for Gi-FW), private IPv4 (enable NAT on the firewall: firewall for CGNAT), public IPv6.)
Firewall max capacity reached (connections / bandwidth). Options:
• Add more firewalls with load balancers
• Investigate alternatives (router, ADC)

CGNAT and Gi-FW needs in mobile – Option 2: introduce router for CGNAT
(Chart, 2010 to 2016: public IPv4 (firewall for Gi-FW), private IPv4 (add router for CGNAT: router for CGNAT), public IPv6.)
IPv6 requires a Gi firewall again. Options:
• Introduce new firewalls for IPv6
• Investigate alternatives (ADC)

CGNAT and Gi-FW needs in mobile – Option 3: F5 for consolidated Gi-FW / CGNAT
(Chart, 2010 to 2016: public IPv4 (firewall for Gi-FW), private IPv4 (introduce F5 for CGNAT: F5 for CGNAT), public IPv6 (IPv6 requires a Gi firewall again: enable the AFM module on F5).)

Platform consolidation: happening now – network function consolidation
2005–2010, L2–L3: dedicated platforms, different vendors (L2 switching, MPLS L2 PE, L3 routing, MPLS L3 PE, BRAS/BNG) → single platform, L2–L3 consolidation (multi-service router: IP routing, MPLS L2 PE, MPLS L3 PE, BRAS/BNG)
2010–2014, L4–L7: dedicated platforms, different vendors (full proxy (TCP opt, HHE), firewall L3/L4, steering, policy enforcement, CGNAT) → unified platform, L4–L7 consolidation (TCP OPTIM, DPI/PCEF, L7 STEERING, FW/CGN, HTTP HE)

F5 – the only reasonable choice
(Diagram: GGSN/PGW → CGNAT (private IPv4 → public IPv4) and Gi-FW (AFM) (public IPv6) → Internet; chart of traffic distribution over time: the IPv4 share handled by CGNAT shrinks while the IPv6 share handled by the Gi-FW grows.)
• High scale / performance
• Gradual transition from CGNAT to IPv6 Gi-FW
• Investment protection

NAT44 → NAT64

DNS64 in action
(Diagram: IPv6 client → IPv4/IPv6 ADC with DNS64 → v6 DNS and v4 DNS on the Internet.)
1. DNS query for www.server.com from the IPv6 client
2. ADC sends AAAA & A queries to DNS
3a. If v6 DNS exists, the AAAA record is returned to the client as usual
3b. If only a v4 DNS A record is returned, the ADC adds the 96-bit prefix to the A record and returns an AAAA to the client
4. ADC responds to the DNS request with an AAAA response (www.server.com (A) on the v4 side becomes www.server.com (AAAA) towards the client)

1: IPv6 client accesses IPv6 content
(Diagram: IPv6 client → DNS64 → IPv6 network → www.server.com, which has an AAAA record.)
1. Client sends traffic to server www.server.com using its IPv6 address
2. Server responds directly to the IPv6 client

2: IPv6 client accesses IPv4 content – BIG-IP translates IPv6 addresses carrying the prefix into IPv4 addresses (NAT64)
(Diagram: IPv6 client → LTM → IPv4 → www.server.com (IPv4).)
NAT64 mapping: 96-bit prefix + IPv4 address ↔ IPv4 address
1. Client sends traffic to www.server.com with an IPv6 address made of the LTM 96-bit prefix and the server's IPv4 address
2. LTM transforms the v6 address to v4 addresses for outgoing traffic
3. LTM maps and transforms v4 addresses to v6 for return traffic
4. LTM responds with an IPv6 source to the client

IPv6 to IPv4 Gateway: NAT64
(Diagram: IPv6 client → IPv6 network → IPv6 to IPv4 gateway (NAT64 + DNS64) → IPv4 network → www.ipv4test.com.)
www.ipv4test.com, IPv4: 16.100.100.100; hex notation: ::1064:6464; IPv4-to-IPv6 prefix: 64:ff9b::
DNS request: www.ipv4test.com
DNS response: AAAA www.ipv4test.com = 64:ff9b::1064:6464
GET http://www.ipv4test.com to IPv6 64:ff9b::1064:6464 → GET http://www.ipv4test.com to IPv4 16.100.100.100
Response http://www.ipv4test.com from IPv4 16.100.100.100 → Response http://www.ipv4test.com from IPv6 64:ff9b::1064:6464
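The same 32-bit embedding appears three times in this deck: DNS64 step 3b (prefix + A record = synthesized AAAA), the NAT64 gateway above (prefix + IPv4 ↔ IPv4), and the cable-TV iRule's SNAT source <96bit prefix>:<src IPv4>. The following is an added example (not from the slide deck or from F5) that works all three through in Python with one embedding helper, reproducing the 16.100.100.100 → 64:ff9b::1064:6464 case from the slide and the PTR-then-AAAA flow of the STB case. The well-known prefix 64:ff9b::/96 and www.ipv4test.com = 16.100.100.100 are from the slide; the other names, addresses, and the PTR table are constructed, and the on-box equivalents (RESOLV::lookup, node, snat) are only referenced in comments.

```python
"""DNS64 synthesis and NAT64 address mapping, worked through in Python.

Added example, not from the slide deck or from F5.  One helper, embed_ipv4(),
is the 96-bit prefix embedding that appears three times in the deck: DNS64
step 3b (prefix + A record = synthesized AAAA), the NAT64 gateway (prefix +
IPv4 <-> IPv4), and the cable-TV iRule's SNAT source <96bit prefix>:<src IPv4>.
The well-known prefix 64:ff9b::/96 and www.ipv4test.com = 16.100.100.100 are
from the slide; the other names, addresses and the PTR table are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

WKP = ipaddress.IPv6Network("64:ff9b::/96")  # well-known NAT64 prefix (RFC 6052)


def embed_ipv4(prefix: ipaddress.IPv6Network, v4: str) -> ipaddress.IPv6Address:
    """prefix:<ipv4>: the IPv4 address becomes the low-order 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_ipv4(prefix: ipaddress.IPv6Network, v6: str) -> Optional[ipaddress.IPv4Address]:
    """Inverse mapping done by NAT64 on the way out.  None means the destination
    is native IPv6 and must not be translated."""
    dst = ipaddress.IPv6Address(v6)
    if dst not in prefix:
        return None
    return ipaddress.IPv4Address(int(dst) & 0xFFFFFFFF)


# Constructed authoritative answers: name -> {"A": [...], "AAAA": [...]}
DNS: Dict[str, Dict[str, List[str]]] = {
    "www.ipv4test.com": {"A": ["16.100.100.100"], "AAAA": []},               # IPv4-only (from the slide)
    "www.server.com": {"A": ["203.0.113.10"], "AAAA": ["2001:db8:1::10"]},    # dual-stack (constructed)
    "vod1.example.net": {"A": ["198.51.100.5"], "AAAA": ["2001:db8:2::5"]},   # VOD server (constructed)
}
# Constructed reverse zone used by the cable-TV flow (old v4 server address -> name)
PTR: Dict[str, str] = {"198.51.100.5": "vod1.example.net"}


def dns64_lookup(name: str, prefix: ipaddress.IPv6Network = WKP) -> Tuple[List[str], bool]:
    """Steps 2 to 4 of the DNS64 slide.  Returns (AAAA answers, synthesized?)."""
    rec = DNS.get(name)
    if rec is None:
        return [], False                                          # NXDOMAIN stays NXDOMAIN
    if rec["AAAA"]:
        return list(rec["AAAA"]), False                           # 3a: real AAAA passes through
    return [str(embed_ipv4(prefix, a)) for a in rec["A"]], True   # 3b: synthesize from A


def nat64_forward(dst_v6: str, prefix: ipaddress.IPv6Network = WKP) -> Optional[str]:
    """What the gateway does with a client's outbound destination: translate
    only if it carries the NAT64 prefix, otherwise leave it to native routing."""
    v4 = extract_ipv4(prefix, dst_v6)
    return None if v4 is None else str(v4)


def stb_flow(dst_v4: str, src_v4: str, snat_prefix: str) -> Tuple[str, str]:
    """Cable-TV case: an IPv4 STB connects to the old v4 server address; the
    proxy does PTR then AAAA (RESOLV::lookup in the iRule), picks the v6 server
    (node) and sources the v6 side from snat_prefix:<src IPv4> (snat)."""
    name = PTR[dst_v4]                       # 1. PTR query on the address the STB hit
    node_v6 = DNS[name]["AAAA"][0]           # 2. AAAA query for that name
    snat_v6 = embed_ipv4(ipaddress.IPv6Network(snat_prefix), src_v4)
    return node_v6, str(snat_v6)


if __name__ == "__main__":
    print(dns64_lookup("www.ipv4test.com"))        # (['64:ff9b::1064:6464'], True)
    print(nat64_forward("64:ff9b::1064:6464"))     # 16.100.100.100
    print(stb_flow("198.51.100.5", "10.20.30.40", "2001:db8:ffff::/96"))
```

Embedding the STB's IPv4 address in the SNAT source is what keeps the v6 VOD server's logs useful: the original client is recoverable from the low 32 bits of the source address without any mapping table, which is the same reason the NAT64 gateway does not need DNS64 state to translate back.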

Intelligent Traffic Management in action – steering to 2 VAS services: subscriber & RAT-type based
(Diagram: subscriber → GGSN/PGW → Intelligent Traffic Management → Internet; Service Provider VAS: Parental Control, Video Optimization; control plane: AAA and PCRF over Radius, Diameter Gx, Gy and other APIs (subscriber policies), with Radius also carrying RAT-type updates.)
Policy-enabled per-connection or per-transaction steering to VAS/Optimization.

User   Subscriber policy
John   Video Optimization – LTE bypass
Paul   Video Optimization – always; Parental Control
Emma   Parental Control

Walk-through frames (same diagram, one user's http traffic at a time):
• User John: http traffic on LTE
• User John: http traffic on 3G
• User Paul: http traffic on 3G/LTE
• User Emma: http traffic on 3G/LTE

References
• NAT64/DNS64: RFCs 6146, 6147
• 464XLAT: RFC 6877
• Dual-Stack Lite (DS-Lite): RFC 6333
• XLAT demo: https://sites.google.com/site/tmoipv6/464xlat
• https://f5.com/products/service-provider-products/carrier-grade-nat
• https://f5.com/products/service-provider-products/policy-enforcement-manager