TechWiseTV Deep Dive on Stateful NAT64 Technology: … · smart phones (3G, LTE etc.) Or ,...

© 2011 Cisco and/or its affiliates. All rights reserved. 1

TechWiseTV Deep Dive on Stateful NAT64 Technology: Connecting IPv6 and IPv4 Networks

Prashant Jhingran

Senthil Sivakumar


Speakers

Prashant Jhingran

Technical Marketing Engineer, NOSTG

[email protected]

Senthil Sivakumar

Technical Leader, SRTG

[email protected]

Panelists

Cheryl Edwards

Technical Leader, ASR 1000

Dushyant Joshi

Software Engineer

SRTG

Muhammad Abid

Product Manager, ASR 1000

mailto:[email protected]

mailto:[email protected]


IPv6 Market Drivers

Recent IPv6 Successful Deployment

IPv6 Transition Technologies

IPv6/IPv4 Translation Scenarios

Technologies Facilitating IPv6/IPv4 Translation

Stateful NAT64 Implementation on ASR1000

Poll Survey

Day in the life of a NAT64 Packet on ASR1000

Configuration/Show Commands

Troubleshooting/Debugging

Summary

References


2010

Civilian US Government Agencies

mandated to provide external IPv6

connectivity

NOVEMBER, 2010

2012 2011

Globalization: 25% of the world‟s

population using 100% of IPv4 addresses

SEPTEMBER, 2012

FEB, 2011 Date the last IPv4 addresses was

allocated


Early

Adopters

Globalization

IPv6 Government

Mandate Deadlines

IPv4/IPv6

Co-existence

High Risk Low Risk Moderate Risk

2010 2012 2014

Transition

Planning

2011: Internet Evolution begins – “…IPv6 is important to all of us (…) to everyone around the world, It is crucial to our ability to tie together everyone and every device”. John Chambers

• 2012: Mandates take effect – Transition to IPv6 forces customers to acquire product or managed services to sustain business and customer reach

IPv6 Business Impact – The Cost of Waiting Goes Up

• 2010: Low Impact – Buying behavior shift

limited to mandated and early adopter sites

• 2014: IPv6 is mainstream – customers without transition

infrastructure experience reduced service levels, diminished

customer reach, increase operational complexity


Devices Connected to the Network,

50 BILLION In 2013….There Will Be

up from 35 BILLION in 2010

Mobile and the Internet of Things drive growth

Source: Forrester, Cisco IBSG


National IPv6 Strategies

US DoD, China NGI, EU

IPv6

IPv4 Address Run-Out

Infrastructure Evolution End Point Explosion

Smart Grid – Smart Meters

Smart Cities – Internet of Things

Cable – Set Top Boxes

Mobile Telephony

IPv6 OS, Content &

Applications

https://www.arin.net/knowledge/v4-v6.html


Google over IPv6

Challenged to deploy IPv6 by IETF 73

First production IPv6 router and “trusted tester” receives AAAA for www.google.com

Youtube, Maps, Mail etc all IPv6 enabled

Free Telecom

Developed „6rd‟ technology to bypass IPv6 limitations in DSL access layer

„Opt-in‟ service made available to 3M subscribers, 250K sign up right away

Deployed “telesite” (IPTV) IPv6-only service to all 3M subscribers

Monash University, Australia

Deployed IPv6 on Campus and Residences, Wired and WiFi

Interdepartmental traffic all on IPv6

Dual Stack network with native transit through AARNET

http://www.google.com/


IPv6 and IPv4 coexistence has been successfully demonstrated this year at following industry events:

Interop 2011

Cisco Live 2011


ipv6.google.com

http://[2001:440:fff9:100:202:b3ff:fea4:a44e]

http://[2001:252:0:1::2008:6]

http://[2a01:48:1:0:2e0:81ff:fe05:4658]

http://[2001:838:1:1:210:dcff:fe20:7c7c]

http://[2001:218:2001:3005::8a]

http://[2a01:e0c:1:1599::1]

http://[2001:9b0:1:104:230:48ff:fe56:31ae] http://[2001:4f8:fff6::21]

http://[2001:470:0:64::2]

http://[2a01:a8:0:5::26]

http://[2a02:250::6]

Yosemite

http://[2001:470:d:2ed::1]

http://[2001:b48:12:1::2]

http://[2001:2040:2000::6]

Helsingborg Dagblad

Sandviken Kommun

http://[2001:b48:10::3]

http://[2001:470:1:3a::13]

http://[2001:da8:200:200::4:28] http://[2405:5000:1:2::99]

http://[2607:f0d0:1000:11:1::2]

http://[2001:49f0:1000::3]

http://[2001:4830:20e0:1::5]

http://[2620:0:ef0:13::20]

http://[2620:0:1cfe:face:b00c::3]

http://[2607:f4e8:12:fffe:230:48ff:fe96:f99e]

http://[2406:0:6a:4::167]

http://[2001:558:1004:9:69:252:76:96]

http://[2402:6000:200:100::4]

http://[2607:f0d0:3001:62:1::53]

http://[2607:f238:2::51]

http://[2001:470:0:e6::4a52:2717]

http://[2001:470:1:1d::d8da:84ea]

http://[2001:44b8:8020:f501:250:56ff:feb3:6633]

http://en.beijing2008.cn/

http://www.euro6ix.org/

http://www.ipv6.sixxs.net/main/

http://www.ntt.com/

http://he.net/

http://[2001:2040:2000::6]/

http://keenspot.com/

http://www.axcelx.com/


World IPv6 Day Overview

• What was it?

A single day (24 hrs) where major content providers advertised a AAAA DNS record for their production service (e.g. www.cisco.com, www.facebook.com); coordinated by the Internet Society

• When was it?

June 8, 2011

• Who participated?

Google, Facebook, Yahoo!, Akamai , Cisco , Limelight Networks were among 434 participants that offered content from their main websites over IPv6 for a 24-hour "test drive“ (http://www.worldipv6day.org/participants/index.html)

• Why do this?

Demonstrates commercial viability of IPv6

Helps identify areas of improvement in IPv6 functionality

http://www.cisco.com/

http://www.facebook.com/

http://googleblog.blogspot.com/2011/01/world-ipv6-day-firing-up-engines-on-new.html

http://www.facebook.com/notes/facebook-engineering/world-ipv6-day-solving-the-ip-address-chicken-and-egg-challenge/484445583919

http://www.yahoo.com/

http://www.akamai.com/ipv6

http://www.limelightnetworks.com/


IPv6 is the foundation of a lifecycle management discussion

Preserve the customer‟s existing investment • Audit and leverage existing IPv6 capabilities

Prepare a migration and deployment plan • Identify and enable critical IPv6 functional areas

Prosper through the transition to IPv6 Internet • Enable all systems with dual-stack capabilities • Grow seamlessly as customers transition to IPv6

Preserve

Prepare

Prosper


Internet Peering DMZ Switching SLB IPv4 only Servers

IPv4

IPv6

6:4

Tra

nsla

tion

Internet Peering DMZ Switching SLB IPv6 & IPv4

Servers

IPv4

IPv6

Tu

nn

elin

g

Internet Peering DMZ Switching SLB IPv6 & IPv4

Servers

IPv4

IPv6

Du

al-S

tack

IPv4-Only Network

IPv4-Only Network

Dual Stack Network

Tunnel


IPv6 & IPv4

IPv6

IPv4

Internet

Dual-Stack Network IPv6/IPv4 Translation,

BEHAVE working group

IPv6 over IPv4 & IPv4 over IPv6,

Softwire Working Group

IPv6 Internet

Internet

IPv4


Enterprise / Content Providers IPv4 / IPv6 Internet Enterprise / ISP Networks

Scenario 3 Scenario 1 Enterprise /ISP A

Having “green-

field” IPv6 only

Network.

DNS64

Server

DNS

Server

6:4

Scenario 2

Example-v4.com

Application

Servers in

“legacy” IPv4 only

network.

6:4

Example-v6.com

Application

Servers in “green-

field” IPv6 only

network.

Example.com

Application

Servers in

“legacy” IPv4 only

network.

Example-v4v6.com

Application

Servers in “dual-

stack” IPv4/IPv6

network.

Enterprise/ISP B

Having “legacy”

IPv4 only

Network.

4:6

IPv6 Internet

DNS(AAAA)

Authoritative

Server

IPv4 Internet

DNS (A)

Authoritative

Server


Scenarios for IPv4/IPv6

Translation

Applicability Example

Scenario 1: An IPv6 network to

the IPv4 Internet

Greenfield IPv6-only network

wanting to transparently access

both IPv6 and existing IPv4

content. Initiated from IPv6

hosts and network

ISPs rolling out new services

and networks for IPv6-only

smart phones (3G, LTE etc.)

Or , Enterprises deploying

IPv6-only network

Scenario 2: The IPv4 Internet to

an IPv6 network

Servers in greenfield IPv6-only

network wanting to

transparently serve both IPv4

and IPv6 usersInitiated from

IPv4 hosts and network

Upcoming or existing content

providers rolling out services in

IPv6-only environment


an IPv4 network

Servers in existing IPv4-only

network wanting to serve IPV6

Internet users. Initiated from

IPv6 hosts and network

Existing content providers

migrating to IPv6 and thus

wanting to offer services to

IPv6 Internet users as part of

coexistence strategy


Scenarios for IPv4/IPv6

Translation

Applicability Example


the IPv6 Internet

Not a viable case in the near

future; this scenario will

probably occur only some time

after the early stage of the

IPv6/IPv4 transition

None


an IPv4 network

Both an IPv4 network and an

IPv6 network are within the

same organization

Similar to scenario 1, catering

to Intranet instead of Internet


an IPv6 network

Same as above Similar to scenario 2, catering

to intranet instead of Internet


the IPv4 Internet

Would suffer from poor

throughput

None


the IPv6 Internet

No viable translation technique

to handle unlimited IPv6

address translation

None


Address Family Translation can be achieved by:

X NAT-PT (Deprecated by rfc 4966)

NAT64 (defined in rfc 6144, 6145, 6146 & 6052)

IPv4 IPv6


NAT-PT has been deemed deprecated by IETF because of its tight coupling with Domain Name System (DNS) and its general limitations in translation, all of which are documented in rfc 4966.

Defined in rfc 6145, is a translation mechanism for algorithmically mapping IPv6 addresses to IPv4 addresses and vice-versa.

Like NAT44, it does not maintain any bindings or session state while performing translation, and it supports both IPv6-initiated and IPv4-initiated communications.

Defined in rfc 6146, is a stateful translation mechanism for translating IPv6 addresses to IPv4 addresses and vice-versa.

Like NAT44, it is called stateful because it creates or modifies bindings or session state while performing translation. It supports both IPv6-initiated and IPv4-

initiated* communications.

* IPv4 initiated communication using static

or manual mappings


Stateless

• 1:1 translation

• “NAT”

• Any protocol

• No IPv4 address savings

Just like dual-stack

Stateful

• 1:N translation

• “NAPT”

• TCP, UDP, ICMP

• Saves IPv4 addresses


IPv4 Internet

stateful stateless

IPv6 Internet

IPv4 Network

IPv6 Network

IPv4 Network

IPv6 Internet

IPv4 Internet

IPv6 Network

IPv4 Network

IPv6 Network

IPv4 Network

IPv6 Network

1.

2.

3.

4.

5.

6.

Not viable because too few IPv4 addresses

With Static v6v4

mappings

With Static v6v4

mappings


Cisco Router Benefits

NAT64 to provide IPv4 preservation via PAT

Bring up additional customers/sites with IPv6

Concurrently run NAT64 with PE features without

performance degradation

2M translations and 40G throughput for high BW apps

Dual-stack solutions to run multiple services

QoS Policies aggregation for bandwidth

reservation and prioritization

IPv4 preservation. Support ICMP, UDP, TCP Apps.

IPv6 Network Adoption and Acceleration

Integrated Services, NAT64 at Provider Edge

Large selection of I/O and High Throughput

Concurrent support for IPv4 & IPv6 Services

Customer segmentation using VLANs with QoS to

implement SLAs

Solution Characteristics

OLT

Content Farms

VOD TV SIP GGSN HA PDN

GW

WiMAX

DSLAM

WiFi Mesh

Mobile

Residential

Business

Corporate

IPv6 Subscribers Access IP Edge Core

Core

Network

MPLS /IP

Ethernet/

MPLS/IP

Internet

Internet

Applications

& Services

v4 v6

NAT64


Cisco Router Benefits Solution Characteristics

IPv4 Internet

ISR 2900/3900

Branch Offices/

Customers Public Internet Services

V6 Enabled CPEs

ASR1K Stateful NAT64

Translator

IPv4 Network

Services

IPv6 Prefix IPv4 addr suffix

Any type of IPv6 Prefix is allowed

IPv4 addr IPv6 Address

V6 Network

Branch/

Customer

Enterprise Edge/

SP Edge

Solutions that help preserve IPv4 addresses

IPv6 Network Adoption and Acceleration

Reduced cost of ownership with integrated

Services, NAT64, IPsec, FW & CE

Suitable for various price and network

deployment insertion points

Concurrent support for IPv4 & IPv6 Services

Customer segmentation using VLANs with QoS

to implement SLAs

NAT64 to provide IPv4 preservation via PAT

Bring up additional customers/sites with IPv6

Concurrently run NAT64 with CE, IPsec, and

Firewall features without performance degradation

40/20/10/5/2.5G throughput, 250K/1M/2M scale to

meet Enterprise and High End Branch needs

Dual-stack solutions to run multiple services

QoS Policies aggregation for bandwidth

reservation and prioritization


• Cisco ASR1000

3rd Party Partner

• Netflow v9

Netflow Collector

• Security event correlation and reduction for multi-gigabit traffic

Introducing NetFlow v9 capabilities on ASR1000

Extends 10+ years of NetFlow innovation

Enables compliance auditing

• Support Logging of:

Source and Destination IP/Ports

Translated Source and Destinations IP/Ports

VRF-ID

Translation is not a long-term support strategy; it is a medium-term coexistence strategy that can be used to facilitate a long-term program of IPv6 transition by both Enterprises and ISPs.


See Poll Panel on the right hand side


IPv4-Only Network

192.0.2.0/24

Server Farm

Example-v6.com

203.0.113.1

IPv4 Header Src

Addr Dest

Addr

IPv4 Address IPv6 Header Src

Addr Dest

Addr

6:4

IPv4 Server Farm

Example.com

IPv6-Only Network

2001:db8:cafe::/48

IPv6 NAT64 NAT64

DNS64

Server

Host

2001:db8:cafe:3::2/64

203.0.113.1 IPv4 Header

Src

Addr Dest

Addr

IPv4 Address

2001:db8:cafe:3::2

IPv6 Header Src

Addr Dest

Addr Perf64::/96

IPv4

Addr

1

2 4

7

8

9

12

NAT64 Translations:

tcp

192.0.2.1:80 [2001:db8:cafe::c000:0201]:80

203.0.113.1:1024 [2001:db8:cafe:3::2]:9187

DNS(A)

Authoritative

Server

DNS “A” Resource Query/Response

DNS “AAAA“ Query/Response

Traffic Flow Initiated by IPv6

Network

6

11

IPv6

DNS(AAAA)

Authoritative

Server

5

3

10

Perf64::/96 IPv4

Addr

2001:db8:cafe:3::2

Key Steps Summarized – IPv6 Network to IPv4 Internet Translation

Step 1: IPv6 only hosts triggers DNS query (AAAA: example.com) Step 6: DNS64 synthesizes the IPv6 DNS AAAA record by embedding

the IPv4 address in this network‟s NAT64 prefix (WKP or NSP)

Step 2 : DNS64 server receives AAAA query to resolve example.com Step 7: IPv6 only host connects to the service at example.com by using

the IPv6 address received in the AAAA DNS response

Step 3: DNS64 triggers AAAA query to the internet authoritative server

to resolve the example.com. DNS64 receives an empty AAAA response

Step: 8 ASR1000 receives the IPv6 packet (default router for IPv6

hosts) and perform the translation

Step 4: Upon receiving an empty AAAA response, DNS64 triggers a

DNS A record query for the example.com to authoritative server

Step 9: ASR1000 sends the IPv4 packet to example.com (in v4

Internet)

Step 5: DNS64 receives DNS A record for the example.com (A:

example.com – 192.0.2.1)

Step 10: The service hosted at example.com receives, processes the

request and the communication is established


2001:db8:abcd:2::1/64 DNS

Server

Server

Farm

6:4

192.0.2.0/24

2001:db8:cafe:1::1/64

172.16.1.0/24 192.168.2.1/24

IPv6

10.0.1.0/28

10.0.2.0/30 10.0.3.0/30 IPv4

Bi-directional Traffic Flow

Initiated by IPv6 Network

Bi-directional Traffic Flow

Initiated by IPv4 Network

IPv4-Only Network

192.0.2.0/24

Also Representing IPv6

Network

2001:db8:cafe::/48

Enterprise/ Content Provider / Content Enabler

Example-v4.com

Key Steps Summarized – IPv6 Internet to IPv4 Translation

Step 1: Content Provider advertise the ASR1K‟s public facing IPv6 address that represents the Example-v4.com to an authoritative

server

Step 2 : IPv6 only host connects to the service at Example-v4.com by using the IPv6 address received in the AAAA DNS response

from an authoritative server in the v6-Internet

Step 3: ASR1000 receives the IPv6 packet and perform the translation

Step 4: ASR1000 sends the IPv4 packet to Example-v4.com

Step 5: The service hosted at Example-v4.com receives, processes the request and the communication is established

Content

Provider

Edge

DNS (AAAA)

Authoritative

Server


A stateful translation mechanism for translating v6 packets to v4 and vice versa.

Similar to NAT44, databases for translations are maintained based on traffic. Hence the name “stateful”

NAT64 is a separate feature from NAT44 and two are expected to have no direct interaction

Does not require changes to IPv6 hosts (unlike Stateless NAT64)

Supports multiple IPv6 hosts sharing a single IPv4 address


Static, dynamic and PAT for IPv6 to IPv4 traffic

Static mapping for IPv4 initiated traffic

End-point Independent mapping

High speed logging

Limits

FTP ALG


IPv6 to IPv4 1to1 static mappings and static with port mappings

IPv6 to IPv4 1to1 dynamic mappings with a pool of IPv4 addresses

IPv6 to IPv4 N to1 dynamic overload support with a pool of IPv4 addresses

IPv4 to IPv6 1to1 static mappings and static with port mappings


For a given {IPv6Address, port, Proto} pair a unique mapping to {IPv4Address, Port, Proto} is created

Irrespective of the destination address the same pairing will be used

Applicable only for PAT/Overload configuration


Logging of translations using Netflow v9 format

Requires a netflow collector with special support.

Events logged

Session creation/deletion

Bind creation/deletion

Pool Exhaustion


6:4

IPv6-only

Network Gig 0/1/0

NAT64 NAT64

IPv4-only

Network Gig 0/1/1

IPv6 Only Network

2001::1/64

IPv4 Only Network

112.1.1.12/16


• Assigning IPv4 addresses to v4 interface of the router.

Interface g0/1/0

ip address 112.1.1.12 255.255.0.0

• Make sure that both the v4 host and v4 interface of the NAT64 box are able to ping each other


• Assigning IPv6 addresses to IPv6 host and v6 interface of the router.

Interace g0/1/1

ipv6 enable

ipv6 address 2001::1/64

• Make sure that both the v6 host and v6 interface of the NAT64 box are able to ping each other.


• Enabling nat64 on both the interface of the router.

Interface g0/1/0

nat64 enable

Interface g0/1/1

nat64 enable

• As soon nat64 is enabled for the first time, a non-configurable NVI0 (NAT virtual interface) interface is created on the router.


• A well-known prefix 64:ff9b::/96 is allocated by IANA for NAT64. Packets with this destination prefix will be handled by NAT64. But they MUST be routed to the NAT64 device

• Optional - Specify a stateful prefix. This creates a static route such that all v6 traffic with a destination address in the subnet is handled by NAT64.

nat64 prefix stateful 3001::/96


• To translate a v4 source address to a v6 address, configure a v4v6 static mapping. Note that the v6 address must be contained w/i a configured NAT64 stateful prefix.

nat64 v4v6 static 2.2.2.2 3001::1

• To translate a v6 source address to a v4 address, configure a v6v4 static mapping. Note that the v4 address must be unique and routable to NAT64 from the IPv4 side.

nat64 v6v4 static 2001::100 5.5.5.5


• A well-known prefix 64:ff9b::/96 is allocated by IANA for NAT64. Packets with this destination prefix will be handled by NAT64.

• Specify a stateful prefix. This creates a static route such that all v6 traffic with a destination address in the subnet is handled by NAT64.

nat64 prefix stateful 3001::/96


• Only v6 to v4 initiated translation is currently supported for dynamic mappings.

• Configure a named pool of v4 addresses.

nat64 v4 pool POOL1 20.1.1.1 20.1.1.100

• Configure an ACL to match v6 traffic.

ipv6 access-list V6ACL1

permit ipv6 any any

• Configure a mapping to match v6 traffic and translate to a v4 address.

nat64 v6v4 list V6ACL1 pool POOL1

• Add “overload” keyword to do PAT

nat64 v6v4 list V6ACL1 pool POOL1overload


• Translation timeouts

nat64 translation timeout { udp | tcp | tcp-transient | icmp } <seconds>

• Translation limits

nat64 translation max-entries <number of entries>

• High-speed logging

nat64 logging translations flow-export v9 udp destination <v4 address> <port>

• ALGs (only FTP64 is supported). On by default, but can be turned off.

[no] nat64 service ftp


• Prefix length should be between <9-96>

• Only one global level prefix and one stateful prefix per interface can be defined.

• All interfaces on which nat64 in enabled will use global prefix by default.

• If interface prefix is configured it will have precedence over global level prefix.


• Static routes are used to get NAT64 packets to the NVI0 interface where they can be translated. Can use “sh ip route” and “sh ipv6 route” to verify the routes are setup correctly.

• One static route per stateful prefix (global or interface)

S 3001::/96 [1/0] via ::100.0.0.1, NVI0

• One static route for the well-known prefix

S 64:FF9B::/96 [1/0] via ::100.0.0.1, NVI0


Total active translations: 2 (0 static, 2 dynamic; 1 extended)

Sessions found: 8

Sessions created: 1

Expired translations: 0

Global Stats:

Packets translated (IPv4 -> IPv6)

Stateless: 0

Stateful: 5


Stateless: 0

Stateful: 5


Interface Statistics

GigabitEthernet0/0/1 (IPv4 configured, IPv6 not configured):


Stateless: 0

Stateful: 5


Stateless: 0

Stateful: 0

Packets dropped: 0


Dynamic Mapping Statistics

v6v4

access-list V6ACL1 pool POOL1 refcount 2

pool POOL1:

start 20.1.1.1 end 20.1.1.100

total addresses 100, allocated 1 (1%)

address exhaustion packet count 0

Limit Statistics


Lots of filters to show specific sections or specific objects.

Router#sh nat64 statistics ?

failure Show stats lookup failures

global Global stats

interface Stats for a specific interface

limit Limit stats

mapping Mapping stats

prefix Stats for a specific prefix

| Output modifiers

<cr>


Corresponding clear CLI with lots of filters.

Router#clear nat64 statistics ?

failure Clear stats failure counts

global Global stats

interface Stats for a specific interface

limit Stats for a specific limit

pool Stats for a specific pool

prefix Stats for a specific prefix

<cr>


Similar to NAT44 CLI

Router#sh nat64 translations

Proto Original IPv4 Translated IPv4

Translated IPv6 Original IPv6

----------------------------------------------------------------------------

--- --- ---

20.1.1.1 2001::1b01:10a

icmp 2.2.2.2:419 [3001::202:202]:419

20.1.1.1:419 [2001::1b01:10a]:419

Total number of translations: 2


Lots of filters to limit search given database may be large.

Router#sh nat64 translations ?

entry-type Show translations filtered by entry type

port Show translations filtered by port

protocol Show translations filtered by protocol

time Show translations filtered by time

total Show translation count for query

v4 Show translations based on an IPv4 address

v6 Show translations based on an IPv6 address

verbose Show verbose translation info

| Output modifiers

<cr>


Corresponding clear CLI with some filters.

Router#clear nat64 translations ?

all All translations

tcp TCP translations

udp UDP translations


Info on configuration in platform dependent BinOS

Router#sh pl so nat64 statistics

IOS-shim layer

Router#sh pl so nat64 rp a …

FMAN-RP

Router#sh pl so nat64 fp a …

FMAN-FP


MCP4RU-16#debug platform hardware qfp active feature nat64 datapath ?

alg Enable ALG DP debugs

all Enable all DP debugs

bind Enable bind DP debugs

detailed Enable detailed DP debugs

door Enable door DP debugs

hsl Enable HSL DP debugs

limit Enable limit DP debugs

map Enable map DP debugs

nopkt Enable no packet DP debugs

pkt Enable packet DP debugs

pool Enable pool DP debugs

port Enable port DP debugs

sess Enable session DP debugs

time Enable time DP debugs


MCP4RU-16#debug platform hardware qfp active feature nat64 client ?

all Enable All logs

error Enable Error logs

info Enable Info logs

trace Enable Trace logs

warning Enable Warning logs

time Enable time DP debugs


Router#debug platform hardware qfp active feature nat64 datapath detailed

CPP NAT64 datapath logs debugging is on

Router(config)#platform shell

Router#request platform software system shell fp active

Activity within this shell can jeopardize the functioning of the system.

Are you sure you want to continue? [y/n] y

[Router_ESP_0:/]$ tail -f /tmp/fp/trace/cpp_cp_F0-0.log

In this file you can see how nat64 is processing the packets, why are they getting dropped, etc.


• Check if both IPv4 & IPv6 facing interfaces have nat64 enabled

• IPv6 unicast routing is enabled

• Ping the IPv4 host from the nat64 router and the ipv6 host from the nat64 router

• Make sure the show ipv6 route/show ipv4 route points to the NVI0 interface for the nat64 packets


• Common issue

Packets are not translated by NAT64

Packets may not even be hitting NAT64. Check IP/IPv6 routing, the WKP should point to NVI0, the IPv4 address of the IPv6 host should also point to NVI0

Packets are hitting NAT64 – but are dropped – Check the drop codes

No resources - IPv4 pool may be exhausted, no more ports to allocate


Check for the ASR1K drop counters

Router#show platform hardware qfp active statistics drop

--------------------------------------------------------

Global Drop Stats Packets Octets

--------------------------------------------------------

Nat64v6tov4 4 320


To check for nat64 drops :-

Router#sh platform hardware qfp active feature nat64 datapath statistics

v6v4 xlated pkts 10005

v4v6 xlated pkts 10005

generated tcp csum 0

generated udp csum 0

NAT64_DROP_SC_INVALID_ICMPV6 0

NAT64_DROP_SC_INVALID_ICMPV4 0

NAT64_DROP_SC_V6_FORMAT_ERR 0

NAT64_DROP_SC_BAD_DGLEN 0

NAT64_DROP_SC_PROCESS_V6_ERR 4

NAT64_DROP_SC_FORM_V4_ERR 0

NAT64_DROP_SC_SETUP_V4_ERR 0

NAT64_DROP_SC_PROCESS_V4_ERR 0

NAT64_DROP_SC_FORM_V6_ERR 0


• Fragmented ICMPv4 and ICMPv6 packets will be dropped.

• IPv6 UDP packet with 0 checksum will be dropped.

• IGMP packets will be dropped.

• Fragmented UDP packets with 0 checksum will be dropped.

• IPv4 packet with df-bit set and size>1280 will be dropped.

• Packets prefix should match the stateless prefix defined on the interface/global.


• A maximum of 1K stateful prefixes are supported.

• A maximum of 4K dynamic mappings and pools are supported.

• A maximum of 16k static mappings are supported.


• IPv4 initiated traffic is not supported – requires static mapping

• Protocol Translation cannot preserve all the fields – Flow labels, Destination options, Source routing etc

• Requires ALGs for certain applications eg SIP, RTSP etc

• End-point Independent filtering is not supported


NAT64 facilitates a gradual migration to IPv6 by allowing “green-field” IPv6 networks to connect with the existing “legacy” IPv4 internet/networks.

Stateful NAT64 facilitates seamless internet experience to users accessing the existing IPv4 internet services via a “green-field” IPv6-only network.

SPs/Enterprises/Content providers or enablers can provide the IPv4 services seamlessly to IPv6 internet users by using stateful NAT64 technology, with minimal or no changes in the existing network infrastructure and thus maintaining IPv4 business continuity.

Translation is not a long-term support strategy; it is a medium-term coexistence strategy that can be used to facilitate a long-term program of IPv6 transition by both Enterprises and SPs.


For more information about IPv6, visit http://www.cisco.com/go/ipv6

For more information about Cisco service provider solutions, visit http://www.cisco.com/go/sp

For more information about Cisco enterprise solutions, visit http://www.cisco.com/go/enterprise

Whitepaper - NAT64 Technology: Connecting IPv6 and IPv4 Networks http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-676278.html

Whitepaper - NAT64 Stateless versus Stateful http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-676277.html

For additional white papers on IPv6, visit http://www.cisco.com/en/US/products/ps6553/prod_white_papers_list.html

http://blogs.cisco.com/news/world-ipv6-day-working-together-towards-a-new-internet-protocol/

http://www.cisco.com/go/ipv6

http://www.cisco.com/go/sp

http://www.cisco.com/go/enterprise

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-676278.html








http://www.cisco.com/en/US/products/ps6553/prod_white_papers_list.html




















Thank you.


Backup Slides


Translation Details


• If fragment header is not there then df-bit will be set.

• Version – 4

• Internet Header Length: 5 (no IPv4 options)

• Type of Service (TOS) Octet: By default, copied from the IPv6 Traffic Class (all 8 bits).

• Total Length: Payload length value from IPv6 header, plus the size of the IPv4 header.

• Identification: All zero.

• Flags: The More Fragments flag is set to zero. The Don't Fragments flag is set to one.

• Fragment Offset: All zero.


• Protocol: For ICMPv6 (58) changed to ICMP (1), otherwise Next Header field copied from IPv6 header.

• Header Checksum: Computed once the IPv4 header has been created.

• Source Address: The IPv4 source address is derived from the IPv6 address.

• Destination Address: The IPv4 destination address is derived from the IPv6 destination address of the datagram being translated.


• If any of an IPv6 options header is present in the IPv6 packet, they are ignored i.e., there is no attempt to translate them.

• If a routing header with a non-zero Segments Left field is present then the packet must not be translated, and an ICMPv6 "parameter problem/erroneous header field encountered" (Type 4/Code 0) error message should be returned to the sender.


• If the IPv6 packet contains a Fragment header the header fields are set as above with the following exceptions:

Total Length: Payload length value from IPv6 header, minus 8 for the Fragment header, plus the size of the IPv4 header.

Identification: Copied from the low-order 16-bits in the Identification field in the Fragment header.

Flags: The More Fragments flag is copied from the M flag in the Fragment header. The Don't Fragments flag is set to zero allowing this packet to be fragmented by IPv4 routers.

Fragment Offset: Copied from the Fragment Offset field in the Fragment header.

Protocol: For ICMPv6 (58) changed to ICMP (1), otherwise Next Header field copied from Fragment header.


• An IPv6 UDP packet with UDP checksum as 0 will be dropped and no attempt will be made to translate it.


• Algorithm will be applied twice, once for the outer header and then for the inner header.

• A sanity test will be done for the packet and malformed packets will be dropped.

• Fragmented ICMPv6 packets will be dropped.


ICMPv6 Type and Code ICMPv4 type and code

Type 128 Type 8

Type 129 Type 0

Type 130-137 Silently Drop

Unknown Type Silently Drop

Type 1; Code 0,2,3 Type 3; Code 1

Type 1; Code 1 Type 3; Code 10



ICMPv6 Type and Code ICMPv4 type and code

Type 2 Type 3; Code 4

Type 3 Type 11



Type 4; Code 2 Silently Drop


• Fragment header will be added if df bit is not set.

• If df-bit is set and packet exceeds 1280 bytes then it will be dropped and an ICMP packet too big message will be sent to IPv4 sender.


• Version – 6

• Traffic class - copied from IP Type Of Service octet

• Flow Label: 0 (all zero bits)

• Payload Length: Total length value from IPv4 header, minus the size of the IPv4 header and IPv4 options

• Next Header: For ICMP (1) changed to ICMPv6 (58), otherwise protocol field copied from IPv4 header


• Hop Limit: TTL value copied from IPv4 header –(minus) 1

• Source Address: The IPv6 source address is derived from the IPv4 source address.

• Destination Address: The IPv6 destination address is derived from the IPv4 destination address.

• If IPv4 options are present in the IPv4 packet, they are ignored i.e., there is no attempt to translate them


• If fragment header is added :-

Payload length : Total length field from IPv4 + 8 – IPv4 header and option length

Next Header: Fragment Header (44)

Fragment Offset: Fragment Offset copied from the IPv4 header.

Identification The low-order 16 bits copied from the Identification field in the IPv4 header. The high-order 16 bits set to zero.


• If an unfragmentd IPv4 UDP packet with zero checksum is received then NAT64 will calculate the complete checksum and will keep a record of the counters.

• When a fragmented UDP packet with zero checksum is received it will be dropped and message will be generated for the first fragment.


• Algorithm will be applied twice, once for the outer header and then for the inner header.

• A sanity test will be done for the packet and malformed packets will be dropped.

• Fragmented ICMP packets will be dropped.


ICMPv4 type ICMPv6 type

8 128

0 129

9,10,13,14,15,16,17,18 Silently drop

Unknown type Silently drop


ICMPv4 type and code ICMPv6 type and code

Type 3; Code 0,1,5,6,7,8,11,12 Type 1;Code 0

Type 3;Code 2 Type4;Code1

Type 3; Code 3 Type1; Code 4


Type 3; Code 9,10,13,15 Type 1; Code 1


Type 4,5,6 Silently Drop


ICMPv4 type and code ICMPv6 type and code

Type 11 Type 3

Type 12; Code 0,2 Type 4; Code 0


Type 12; Other codes Silently Drop

Unknown ICMPv4 types Silently Drop

IGMP messages Silently Drop

Thank you.

TechWiseTV Deep Dive on Stateful NAT64 Technology: … · smart phones (3G, LTE etc.) Or ,...

Documents

Transcript of TechWiseTV Deep Dive on Stateful NAT64 Technology: … · smart phones (3G, LTE etc.) Or ,...