© 2011 Cisco and/or its affiliates. All rights reserved. 1
TechWiseTV Deep Dive on Stateful NAT64 Technology: Connecting IPv6 and IPv4 Networks
Prashant Jhingran
Senthil Sivakumar
Speakers
Prashant Jhingran
Technical Marketing Engineer, NOSTG
Senthil Sivakumar
Technical Leader, SRTG
Panelists
Cheryl Edwards
Technical Leader, ASR 1000
Dushyant Joshi
Software Engineer
SRTG
Muhammad Abid
Product Manager, ASR 1000
IPv6 Market Drivers
Recent IPv6 Successful Deployment
IPv6 Transition Technologies
IPv6/IPv4 Translation Scenarios
Technologies Facilitating IPv6/IPv4 Translation
Stateful NAT64 Implementation on ASR1000
Poll Survey
Day in the life of a NAT64 Packet on ASR1000
Configuration/Show Commands
Troubleshooting/Debugging
Summary
References
• November 2010: Civilian US Government Agencies mandated to provide external IPv6 connectivity
• February 2011: Date the last IPv4 addresses were allocated
• September 2012: Globalization: 25% of the world's population using 100% of IPv4 addresses
IPv6 Business Impact – The Cost of Waiting Goes Up
(Chart: early adopters, IPv6 government mandate deadlines, globalization and IPv4/IPv6 co-existence plotted against 2010, 2012 and 2014 with low, moderate and high risk levels, and transition planning across the whole period.)
• 2010: Low Impact – Buying behavior shift limited to mandated and early adopter sites
• 2011: Internet Evolution begins – "…IPv6 is important to all of us (…) to everyone around the world. It is crucial to our ability to tie together everyone and every device." John Chambers
• 2012: Mandates take effect – Transition to IPv6 forces customers to acquire product or managed services to sustain business and customer reach
• 2014: IPv6 is mainstream – customers without transition infrastructure experience reduced service levels, diminished customer reach and increased operational complexity
In 2013 there will be 50 BILLION devices connected to the network, up from 35 BILLION in 2010.
Mobile and the Internet of Things drive growth
Source: Forrester, Cisco IBSG
IPv6 drivers (diagram):
• National IPv6 Strategies: US DoD, China NGI, EU
• IPv4 Address Run-Out (https://www.arin.net/knowledge/v4-v6.html)
• Infrastructure Evolution
• End Point Explosion
• Smart Grid – Smart Meters
• Smart Cities – Internet of Things
• Cable – Set Top Boxes
• Mobile Telephony
• IPv6 OS, Content & Applications
Google over IPv6
Challenged to deploy IPv6 by IETF 73
First production IPv6 router and “trusted tester” receives AAAA for www.google.com
Youtube, Maps, Mail etc all IPv6 enabled
Free Telecom
Developed '6rd' technology to bypass IPv6 limitations in DSL access layer
'Opt-in' service made available to 3M subscribers, 250K sign up right away
Deployed “telesite” (IPTV) IPv6-only service to all 3M subscribers
Monash University, Australia
Deployed IPv6 on Campus and Residences, Wired and WiFi
Interdepartmental traffic all on IPv6
Dual Stack network with native transit through AARNET
IPv6 and IPv4 coexistence has been successfully demonstrated this year at the following industry events:
Interop 2011
Cisco Live 2011
(Slide: world map of IPv6-enabled sites such as ipv6.google.com, Yosemite, Helsingborg Dagblad and Sandviken Kommun, each shown with its IPv6-literal URL.)
World IPv6 Day Overview
• What was it?
A single day (24 hrs) where major content providers advertised a AAAA DNS record for their production service (e.g. www.cisco.com, www.facebook.com); coordinated by the Internet Society
• When was it?
June 8, 2011
• Who participated?
Google, Facebook, Yahoo!, Akamai, Cisco, Limelight Networks were among 434 participants that offered content from their main websites over IPv6 for a 24-hour "test drive" (http://www.worldipv6day.org/participants/index.html)
• Why do this?
Demonstrates commercial viability of IPv6
Helps identify areas of improvement in IPv6 functionality
IPv6 is the foundation of a lifecycle management discussion
Preserve the customer's existing investment
• Audit and leverage existing IPv6 capabilities
Prepare a migration and deployment plan
• Identify and enable critical IPv6 functional areas
Prosper through the transition to IPv6 Internet
• Enable all systems with dual-stack capabilities
• Grow seamlessly as customers transition to IPv6
(Diagram: three transition approaches, each drawn across Internet, Peering, DMZ, Switching, SLB and servers. 6:4 Translation: IPv6 and IPv4 from the Internet into an IPv4-only network with IPv4-only servers. Tunneling: IPv6 carried over an IPv4-only network to IPv6 & IPv4 servers. Dual-Stack: a dual-stack network carrying IPv4 and IPv6 natively to IPv6 & IPv4 servers.)
(Diagram: the IPv6 Internet and the IPv4 Internet reached from a dual-stack network; IPv6/IPv4 translation is the work of the BEHAVE working group, IPv6 over IPv4 & IPv4 over IPv6 tunneling the work of the Softwire working group.)
(Diagram: Enterprise/ISP networks on the left, the IPv4/IPv6 Internet in the middle and Enterprise/Content Providers on the right. Scenario 1: Enterprise/ISP A, having a "green-field" IPv6-only network, reaches IPv4 content through a 6:4 translator with a DNS64 server. Scenario 2: the IPv4 Internet reaches Example-v6.com application servers in a "green-field" IPv6-only network through a 4:6 translator. Scenario 3: the IPv6 Internet reaches Example-v4.com application servers in a "legacy" IPv4-only network through a 6:4 translator. Also shown: Example.com application servers in a "legacy" IPv4-only network, Example-v4v6.com application servers in a "dual-stack" IPv4/IPv6 network, Enterprise/ISP B having a "legacy" IPv4-only network, a DNS (AAAA) authoritative server in the IPv6 Internet and a DNS (A) authoritative server in the IPv4 Internet.)
Scenarios for IPv4/IPv6 Translation – Applicability – Example

Scenario 1: An IPv6 network to the IPv4 Internet
Applicability: Greenfield IPv6-only network wanting to transparently access both IPv6 and existing IPv4 content. Initiated from IPv6 hosts and network.
Example: ISPs rolling out new services and networks for IPv6-only smart phones (3G, LTE etc.), or Enterprises deploying an IPv6-only network.

Scenario 2: The IPv4 Internet to an IPv6 network
Applicability: Servers in a greenfield IPv6-only network wanting to transparently serve both IPv4 and IPv6 users. Initiated from IPv4 hosts and network.
Example: Upcoming or existing content providers rolling out services in an IPv6-only environment.

Scenario 3: The IPv6 Internet to an IPv4 network
Applicability: Servers in an existing IPv4-only network wanting to serve IPv6 Internet users. Initiated from IPv6 hosts and network.
Example: Existing content providers migrating to IPv6 and thus wanting to offer services to IPv6 Internet users as part of a coexistence strategy.
Scenarios for IPv4/IPv6 Translation – Applicability – Example

Scenario 4: An IPv4 network to the IPv6 Internet
Applicability: Not a viable case in the near future; this scenario will probably occur only some time after the early stage of the IPv6/IPv4 transition.
Example: None

Scenario 5: An IPv6 network to an IPv4 network
Applicability: Both an IPv4 network and an IPv6 network are within the same organization.
Example: Similar to scenario 1, catering to the Intranet instead of the Internet.

Scenario 6: An IPv4 network to an IPv6 network
Applicability: Same as above.
Example: Similar to scenario 2, catering to the Intranet instead of the Internet.

Scenario 7: The IPv6 Internet to the IPv4 Internet
Applicability: Would suffer from poor throughput.
Example: None

Scenario 8: The IPv4 Internet to the IPv6 Internet
Applicability: No viable translation technique to handle unlimited IPv6 address translation.
Example: None
Address Family Translation can be achieved by:
• NAT-PT (deprecated by RFC 4966)
• NAT64 (defined in RFC 6144, 6145, 6146 & 6052)
NAT-PT has been deprecated by the IETF because of its tight coupling with the Domain Name System (DNS) and its general limitations in translation, all of which are documented in RFC 4966.
Stateless NAT64, defined in RFC 6145, is a translation mechanism for algorithmically mapping IPv6 addresses to IPv4 addresses and vice versa.
Like NAT44, it does not maintain any bindings or session state while performing translation, and it supports both IPv6-initiated and IPv4-initiated communications.
Stateful NAT64, defined in RFC 6146, is a stateful translation mechanism for translating IPv6 addresses to IPv4 addresses and vice versa.
Like NAT44, it is called stateful because it creates or modifies bindings or session state while performing translation. It supports both IPv6-initiated and IPv4-initiated* communications.
* IPv4-initiated communication using static or manual mappings
Stateless
• 1:1 translation
• "NAT"
• Any protocol
• No IPv4 address savings – just like dual-stack
Stateful
• 1:N translation
• "NAPT"
• TCP, UDP, ICMP
• Saves IPv4 addresses
(Diagram: the six translation scenarios from the table, 1. IPv6 Network to IPv4 Internet, 2. IPv4 Internet to IPv6 Network, 3. IPv6 Internet to IPv4 Network, 4. IPv4 Network to IPv6 Internet, 5. IPv6 Network to IPv4 Network and 6. IPv4 Network to IPv6 Network, each marked as served by stateful or stateless translation. Two scenarios are annotated "With Static v6v4 mappings" and one "Not viable because too few IPv4 addresses".)
Cisco Router Benefits
• NAT64 to provide IPv4 preservation via PAT
• Bring up additional customers/sites with IPv6
• Concurrently run NAT64 with PE features without performance degradation
• 2M translations and 40G throughput for high BW apps
• Dual-stack solutions to run multiple services
• QoS Policies aggregation for bandwidth reservation and prioritization
Solution Characteristics
• IPv4 preservation. Support ICMP, UDP, TCP Apps.
• IPv6 Network Adoption and Acceleration
• Integrated Services, NAT64 at Provider Edge
• Large selection of I/O and High Throughput
• Concurrent support for IPv4 & IPv6 Services
• Customer segmentation using VLANs with QoS to implement SLAs
(Diagram: IPv6 Subscribers (Mobile, Residential, Business, Corporate) connect through Access (OLT, WiMAX, DSLAM, WiFi Mesh) to the IP Edge (GGSN, HA, PDN GW, NAT64) and the MPLS/IP and Ethernet/MPLS/IP Core, reaching the Internet and Applications & Services (Content Farms, VOD, TV, SIP) over v4 and v6.)
Cisco Router Benefits
• NAT64 to provide IPv4 preservation via PAT
• Bring up additional customers/sites with IPv6
• Concurrently run NAT64 with CE, IPsec, and Firewall features without performance degradation
• 40/20/10/5/2.5G throughput, 250K/1M/2M scale to meet Enterprise and High End Branch needs
• Dual-stack solutions to run multiple services
• QoS Policies aggregation for bandwidth reservation and prioritization
Solution Characteristics
• Solutions that help preserve IPv4 addresses
• IPv6 Network Adoption and Acceleration
• Reduced cost of ownership with integrated Services, NAT64, IPsec, FW & CE
• Suitable for various price and network deployment insertion points
• Concurrent support for IPv4 & IPv6 Services
• Customer segmentation using VLANs with QoS to implement SLAs
(Diagram: V6-enabled CPEs (ISR 2900/3900) at Branch Offices/Customers on a V6 Network reach the Enterprise Edge/SP Edge, where an ASR1K Stateful NAT64 Translator connects to the IPv4 Internet, Public Internet Services and IPv4 Network Services. Inset: the IPv6 address that represents an IPv4 host is an IPv6 Prefix followed by the IPv4 address as suffix; any type of IPv6 prefix is allowed.)
Introducing NetFlow v9 capabilities on ASR1000
(Diagram: Cisco ASR1000 exports Netflow v9 records to a 3rd Party Partner Netflow Collector.)
• Extends 10+ years of NetFlow innovation
• Enables compliance auditing
• Security event correlation and reduction for multi-gigabit traffic
• Support Logging of:
  Source and Destination IP/Ports
  Translated Source and Destination IP/Ports
  VRF-ID
Translation is not a long-term support strategy; it is a medium-term coexistence strategy that can be used to facilitate a long-term program of IPv6 transition by both Enterprises and ISPs.
(Diagram: an IPv6-only network 2001:db8:cafe::/48 with a host 2001:db8:cafe:3::2/64 and a DNS64 server, the ASR1000 NAT64 translator, the IPv4-only network 192.0.2.0/24 with the Example.com IPv4 server farm, and DNS (A) and DNS (AAAA) authoritative servers. Numbered arrows 1-12 mark the DNS "A" and "AAAA" query/response exchanges and the traffic flow initiated by the IPv6 network; header insets show the IPv4 header source/destination addresses and the IPv6 header addresses built as Pref64::/96 plus the IPv4 address.)
NAT64 Translations:
tcp 192.0.2.1:80 [2001:db8:cafe::c000:0201]:80
    203.0.113.1:1024 [2001:db8:cafe:3::2]:9187
Key Steps Summarized – IPv6 Network to IPv4 Internet Translation
Step 1: IPv6-only host triggers DNS query (AAAA: example.com)
Step 2: DNS64 server receives AAAA query to resolve example.com
Step 3: DNS64 triggers AAAA query to the internet authoritative server to resolve example.com. DNS64 receives an empty AAAA response
Step 4: Upon receiving an empty AAAA response, DNS64 triggers a DNS A record query for example.com to the authoritative server
Step 5: DNS64 receives DNS A record for example.com (A: example.com – 192.0.2.1)
Step 6: DNS64 synthesizes the IPv6 DNS AAAA record by embedding the IPv4 address in this network's NAT64 prefix (WKP or NSP)
Step 7: IPv6-only host connects to the service at example.com by using the IPv6 address received in the AAAA DNS response
Step 8: ASR1000 receives the IPv6 packet (default router for IPv6 hosts) and performs the translation
Step 9: ASR1000 sends the IPv4 packet to example.com (in v4 Internet)
Step 10: The service hosted at example.com receives and processes the request and the communication is established
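The AAAA synthesis of Step 6 and the address embedding shown in the translation table, worked as an added Python example (not Cisco's code): RFC 6052 embedding and extraction for the well-known prefix and a network-specific prefix, plus the DNS64 decision rule. It goes beyond the /96 case on the slide to the other RFC 6052 prefix lengths (octet 8, the "u" octet, is skipped for prefixes shorter than /96); the DNS64 helper takes already-resolved A and AAAA answers as inputs, which is an assumption so that it runs offline.

```python
import ipaddress

# Prefix lengths for which RFC 6052 defines the embedding layout.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
# Well-Known Prefix (WKP) allocated by IANA for NAT64.
WELL_KNOWN_PREFIX = "64:ff9b::/96"


def _check_prefix(prefix):
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError("unsupported NAT64 prefix length /%d" % net.prefixlen)
    return net


def embed_ipv4(prefix, ipv4):
    """Synthesize an IPv6 address by embedding ipv4 into a NAT64 prefix.

    The IPv4 octets follow the prefix directly; for prefixes shorter than /96
    octet 8 (bits 64-71, the RFC 6052 'u' octet) stays zero and the remaining
    IPv4 octets continue after it.
    """
    net = _check_prefix(prefix)
    v4 = ipaddress.IPv4Address(ipv4).packed
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in v4:
        if pos == 8:          # skip the 'u' octet
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(prefix, ipv6):
    """Recover the embedded IPv4 address; the inverse of embed_ipv4."""
    net = _check_prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError("%s is not inside NAT64 prefix %s" % (addr, net))
    raw = addr.packed
    pos = net.prefixlen // 8
    octets = bytearray()
    while len(octets) < 4:
        if pos == 8:
            pos += 1
        octets.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(octets))


def dns64_answer(aaaa_records, a_records, prefix=WELL_KNOWN_PREFIX):
    """DNS64 decision rule for one name (Steps 3 to 6 of the slide).

    aaaa_records / a_records are the answers the DNS64 server obtained from
    the authoritative servers (constructed inputs here). Real AAAA records
    are returned unchanged; only an empty AAAA answer triggers synthesis.
    """
    if aaaa_records:
        return [str(ipaddress.IPv6Address(r)) for r in aaaa_records]
    return [str(embed_ipv4(prefix, a)) for a in a_records]


if __name__ == "__main__":
    # Constructed sample matching the slide: example.com only has an A record.
    print(dns64_answer([], ["192.0.2.1"], "2001:db8:cafe::/96"))
    print(dns64_answer([], ["192.0.2.1"]))  # synthesized under the WKP
    print(extract_ipv4("2001:db8:cafe::/96", "2001:db8:cafe::c000:201"))
```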
(Diagram: a Content Provider Edge with an ASR1K 6:4 translator, a DNS server at 2001:db8:abcd:2::1/64, a server farm in 192.0.2.0/24, a DNS (AAAA) authoritative server, and link addresses 2001:db8:cafe:1::1/64, 172.16.1.0/24, 192.168.2.1/24, 10.0.1.0/28, 10.0.2.0/30 and 10.0.3.0/30. Arrows show bi-directional traffic flows initiated by the IPv6 network and by the IPv4 network. The IPv4-only network 192.0.2.0/24 of the Enterprise / Content Provider / Content Enabler (Example-v4.com) is also represented as the IPv6 network 2001:db8:cafe::/48.)
Key Steps Summarized – IPv6 Internet to IPv4 Translation
Step 1: Content Provider advertises the ASR1K's public-facing IPv6 address that represents Example-v4.com to an authoritative server
Step 2: IPv6-only host connects to the service at Example-v4.com by using the IPv6 address received in the AAAA DNS response from an authoritative server in the v6-Internet
Step 3: ASR1000 receives the IPv6 packet and performs the translation
Step 4: ASR1000 sends the IPv4 packet to Example-v4.com
Step 5: The service hosted at Example-v4.com receives and processes the request and the communication is established
A stateful translation mechanism for translating v6 packets to v4 and vice versa.
Similar to NAT44, databases of translations are maintained based on traffic, hence the name "stateful".
NAT64 is a separate feature from NAT44 and the two are expected to have no direct interaction.
Does not require changes to IPv6 hosts (unlike Stateless NAT64).
Supports multiple IPv6 hosts sharing a single IPv4 address.
Static, dynamic and PAT for IPv6 to IPv4 traffic
Static mapping for IPv4 initiated traffic
End-point Independent mapping
High speed logging
Limits
FTP ALG
IPv6 to IPv4 1-to-1 static mappings and static mappings with ports
IPv6 to IPv4 1-to-1 dynamic mappings with a pool of IPv4 addresses
IPv6 to IPv4 N-to-1 dynamic overload support with a pool of IPv4 addresses
IPv4 to IPv6 1-to-1 static mappings and static mappings with ports
For a given {IPv6 address, port, protocol} tuple a unique mapping to {IPv4 address, port, protocol} is created
The same pairing is used irrespective of the destination address
Applicable only for PAT/Overload configuration
Logging of translations using Netflow v9 format
Requires a netflow collector with special support.
Events logged
Session creation/deletion
Bind creation/deletion
Pool Exhaustion
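An added Python model (not the ASR1000 implementation) of the endpoint-independent mapping rule above and of the three logged event types: an overload pool of IPv4 addresses, a bind table keyed on {IPv6 address, port, protocol} so that every destination reuses the same external pairing, a session table keyed on the full 5-tuple, and inbound filtering that admits an IPv4-side packet only when its session exists (a bind on its own is not enough, which is why IPv4-initiated traffic needs a static mapping). Pool bounds, port range and event names are constructed for the example.

```python
import ipaddress
from collections import defaultdict


class Nat64Pat:
    """Toy stateful NAT64 overload (PAT) table with endpoint-independent mapping."""

    def __init__(self, pool_start, pool_end, port_range=(1024, 65535)):
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        self.pool = [ipaddress.IPv4Address(i) for i in range(first, last + 1)]
        self.port_range = port_range
        self.binds = {}                      # (v6, port, proto) -> (v4, port)
        self.used_ports = defaultdict(set)   # (v4, proto) -> ports in use
        self.sessions = set()                # (v6, sport, proto, dst4, dport)
        self.events = []                     # what high-speed logging would export

    def _allocate(self, proto):
        """First free (address, port) in the pool, or None when exhausted."""
        lo, hi = self.port_range
        for v4 in self.pool:
            used = self.used_ports[(v4, proto)]
            for port in range(lo, hi + 1):
                if port not in used:
                    used.add(port)
                    return (v4, port)
        return None

    def outbound(self, src6, sport, proto, dst4, dport):
        """IPv6-initiated packet: returns the translated (src4, port) or None if dropped."""
        src6, dst4 = ipaddress.IPv6Address(src6), ipaddress.IPv4Address(dst4)
        key = (src6, sport, proto)   # endpoint-independent: dst4/dport are not in the key
        bind = self.binds.get(key)
        if bind is None:
            bind = self._allocate(proto)
            if bind is None:
                self.events.append(("pool-exhaustion", proto, str(src6)))
                return None
            self.binds[key] = bind
            self.events.append(("bind-create", key, bind))
        sess = (src6, sport, proto, dst4, dport)
        if sess not in self.sessions:
            self.sessions.add(sess)
            self.events.append(("session-create", sess))
        return (str(bind[0]), bind[1])

    def inbound(self, src4, sport, proto, dst4, dport):
        """IPv4-side packet to a pool address: admitted only if its session exists."""
        src4, dst4 = ipaddress.IPv4Address(src4), ipaddress.IPv4Address(dst4)
        for (v6, v6port, p), (v4, v4port) in self.binds.items():
            if (p, v4, v4port) == (proto, dst4, dport):
                if (v6, v6port, proto, src4, sport) in self.sessions:
                    return (str(v6), v6port)
                return None      # bind exists, but this IPv4 peer has no session
        return None              # no bind at all: would need a static v4v6 mapping

    def expire(self, src6, sport, proto, dst4, dport):
        """Session timeout/teardown; the bind is released with its last session."""
        src6, dst4 = ipaddress.IPv6Address(src6), ipaddress.IPv4Address(dst4)
        sess = (src6, sport, proto, dst4, dport)
        if sess in self.sessions:
            self.sessions.remove(sess)
            self.events.append(("session-delete", sess))
        key = (src6, sport, proto)
        if key in self.binds and not any(s[:3] == key for s in self.sessions):
            v4, v4port = self.binds.pop(key)
            self.used_ports[(v4, proto)].discard(v4port)
            self.events.append(("bind-delete", key, (v4, v4port)))


if __name__ == "__main__":
    # Constructed pool matching the CLI example later in the deck: 20.1.1.1-20.1.1.100.
    nat = Nat64Pat("20.1.1.1", "20.1.1.100")
    print(nat.outbound("2001:db8:cafe:3::2", 9187, "tcp", "192.0.2.1", 80))
    print(nat.outbound("2001:db8:cafe:3::2", 9187, "tcp", "192.0.2.9", 443))  # same bind
    for event in nat.events:
        print(event)
```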
(Lab topology: an IPv6-only network (2001::1/64 on the router's v6 interface) and an IPv4-only network (112.1.1.12/16 on the router's v4 interface) joined by the router running NAT64 on Gig 0/1/0 and Gig 0/1/1.)
• Assign an IPv4 address to the v4 interface of the router.
  interface g0/1/0
   ip address 112.1.1.12 255.255.0.0
• Make sure that the v4 host and the v4 interface of the NAT64 box are able to ping each other.
• Assign IPv6 addresses to the IPv6 host and to the v6 interface of the router.
  interface g0/1/1
   ipv6 enable
   ipv6 address 2001::1/64
• Make sure that the v6 host and the v6 interface of the NAT64 box are able to ping each other.
• Enable nat64 on both interfaces of the router.
  interface g0/1/0
   nat64 enable
  interface g0/1/1
   nat64 enable
• As soon as nat64 is enabled for the first time, a non-configurable NVI0 (NAT virtual interface) interface is created on the router.
• A well-known prefix 64:ff9b::/96 is allocated by IANA for NAT64. Packets with this destination prefix will be handled by NAT64, but they MUST be routed to the NAT64 device.
• Optional: specify a stateful prefix. This creates a static route such that all v6 traffic with a destination address in the subnet is handled by NAT64.
  nat64 prefix stateful 3001::/96
• To translate a v4 source address to a v6 address, configure a v4v6 static mapping. Note that the v6 address must be contained within a configured NAT64 stateful prefix.
  nat64 v4v6 static 2.2.2.2 3001::1
• To translate a v6 source address to a v4 address, configure a v6v4 static mapping. Note that the v4 address must be unique and routable to NAT64 from the IPv4 side.
  nat64 v6v4 static 2001::100 5.5.5.5
• A well-known prefix 64:ff9b::/96 is allocated by IANA for NAT64. Packets with this destination prefix will be handled by NAT64.
• Specify a stateful prefix. This creates a static route such that all v6 traffic with a destination address in the subnet is handled by NAT64.
  nat64 prefix stateful 3001::/96
• Only v6-to-v4 initiated translation is currently supported for dynamic mappings.
• Configure a named pool of v4 addresses.
  nat64 v4 pool POOL1 20.1.1.1 20.1.1.100
• Configure an ACL to match v6 traffic.
  ipv6 access-list V6ACL1
   permit ipv6 any any
• Configure a mapping to match v6 traffic and translate it to a v4 address.
  nat64 v6v4 list V6ACL1 pool POOL1
• Add the "overload" keyword to do PAT.
  nat64 v6v4 list V6ACL1 pool POOL1 overload
• Translation timeouts
  nat64 translation timeout { udp | tcp | tcp-transient | icmp } <seconds>
• Translation limits
  nat64 translation max-entries <number of entries>
• High-speed logging
  nat64 logging translations flow-export v9 udp destination <v4 address> <port>
• ALGs (only FTP64 is supported). On by default, but can be turned off.
  [no] nat64 service ftp
• Prefix length should be between <9-96>.
• Only one global-level prefix and one stateful prefix per interface can be defined.
• All interfaces on which nat64 is enabled will use the global prefix by default.
• If an interface prefix is configured it takes precedence over the global-level prefix.
• Static routes are used to get NAT64 packets to the NVI0 interface where they can be translated. Use "sh ip route" and "sh ipv6 route" to verify that the routes are set up correctly.
• One static route per stateful prefix (global or interface)
  S 3001::/96 [1/0] via ::100.0.0.1, NVI0
• One static route for the well-known prefix
  S 64:FF9B::/96 [1/0] via ::100.0.0.1, NVI0
Router#show nat64 statistics
Total active translations: 2 (0 static, 2 dynamic; 1 extended)
Sessions found: 8
Sessions created: 1
Expired translations: 0
Global Stats:
  Packets translated (IPv4 -> IPv6)
    Stateless: 0
    Stateful: 5
  Packets translated (IPv6 -> IPv4)
    Stateless: 0
    Stateful: 5
Interface Statistics
GigabitEthernet0/0/1 (IPv4 configured, IPv6 not configured):
Packets translated (IPv4 -> IPv6)
Stateless: 0
Stateful: 5
Packets translated (IPv6 -> IPv4)
Stateless: 0
Stateful: 0
Packets dropped: 0
Dynamic Mapping Statistics
v6v4
access-list V6ACL1 pool POOL1 refcount 2
pool POOL1:
start 20.1.1.1 end 20.1.1.100
total addresses 100, allocated 1 (1%)
address exhaustion packet count 0
Limit Statistics
Lots of filters to show specific sections or specific objects.
Router#sh nat64 statistics ?
failure Show stats lookup failures
global Global stats
interface Stats for a specific interface
limit Limit stats
mapping Mapping stats
prefix Stats for a specific prefix
| Output modifiers
<cr>
Corresponding clear CLI with lots of filters.
Router#clear nat64 statistics ?
failure Clear stats failure counts
global Global stats
interface Stats for a specific interface
limit Stats for a specific limit
pool Stats for a specific pool
prefix Stats for a specific prefix
<cr>
Similar to NAT44 CLI
Router#sh nat64 translations
Proto  Original IPv4         Translated IPv4
       Translated IPv6       Original IPv6
----------------------------------------------------------------------------
---    ---                   20.1.1.1
       ---                   2001::1b01:10a
icmp   2.2.2.2:419           20.1.1.1:419
       [3001::202:202]:419   [2001::1b01:10a]:419
Total number of translations: 2
Lots of filters to limit search given database may be large.
Router#sh nat64 translations ?
entry-type Show translations filtered by entry type
port Show translations filtered by port
protocol Show translations filtered by protocol
time Show translations filtered by time
total Show translation count for query
v4 Show translations based on an IPv4 address
v6 Show translations based on an IPv6 address
verbose Show verbose translation info
| Output modifiers
<cr>
Corresponding clear CLI with some filters.
Router#clear nat64 translations ?
all All translations
tcp TCP translations
udp UDP translations
Info on configuration in platform-dependent BinOS
• IOS-shim layer: Router#sh pl so nat64 statistics
• FMAN-RP: Router#sh pl so nat64 rp a …
• FMAN-FP: Router#sh pl so nat64 fp a …
MCP4RU-16#debug platform hardware qfp active feature nat64 datapath ?
alg Enable ALG DP debugs
all Enable all DP debugs
bind Enable bind DP debugs
detailed Enable detailed DP debugs
door Enable door DP debugs
hsl Enable HSL DP debugs
limit Enable limit DP debugs
map Enable map DP debugs
nopkt Enable no packet DP debugs
pkt Enable packet DP debugs
pool Enable pool DP debugs
port Enable port DP debugs
sess Enable session DP debugs
time Enable time DP debugs
MCP4RU-16#debug platform hardware qfp active feature nat64 client ?
all Enable All logs
error Enable Error logs
info Enable Info logs
trace Enable Trace logs
warning Enable Warning logs
time Enable time DP debugs
Router#debug platform hardware qfp active feature nat64 datapath detailed
CPP NAT64 datapath logs debugging is on
Router(config)#platform shell
Router#request platform software system shell fp active
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
[Router_ESP_0:/]$ tail -f /tmp/fp/trace/cpp_cp_F0-0.log
In this file you can see how nat64 is processing the packets, why they are getting dropped, etc.
• Check that both the IPv4- and IPv6-facing interfaces have nat64 enabled
• Check that IPv6 unicast routing is enabled
• Ping the IPv4 host from the nat64 router and the IPv6 host from the nat64 router
• Make sure that "show ipv6 route" / "show ip route" point to the NVI0 interface for the nat64 packets
• Common issue: packets are not translated by NAT64
  Packets may not even be hitting NAT64. Check IP/IPv6 routing: the WKP should point to NVI0, and the IPv4 address that represents the IPv6 host should also point to NVI0
  Packets are hitting NAT64 but are dropped: check the drop codes
  No resources: the IPv4 pool may be exhausted, no more ports to allocate
Check for the ASR1K drop counters
Router#show platform hardware qfp active statistics drop
--------------------------------------------------------
Global Drop Stats Packets Octets
--------------------------------------------------------
Nat64v6tov4 4 320
To check for nat64 drops:
Router#sh platform hardware qfp active feature nat64 datapath statistics
v6v4 xlated pkts 10005
v4v6 xlated pkts 10005
generated tcp csum 0
generated udp csum 0
NAT64_DROP_SC_INVALID_ICMPV6 0
NAT64_DROP_SC_INVALID_ICMPV4 0
NAT64_DROP_SC_V6_FORMAT_ERR 0
NAT64_DROP_SC_BAD_DGLEN 0
NAT64_DROP_SC_PROCESS_V6_ERR 4
NAT64_DROP_SC_FORM_V4_ERR 0
NAT64_DROP_SC_SETUP_V4_ERR 0
NAT64_DROP_SC_PROCESS_V4_ERR 0
NAT64_DROP_SC_FORM_V6_ERR 0
• Fragmented ICMPv4 and ICMPv6 packets will be dropped.
• IPv6 UDP packets with a 0 checksum will be dropped.
• IGMP packets will be dropped.
• Fragmented UDP packets with a 0 checksum will be dropped.
• IPv4 packets with the DF bit set and size > 1280 will be dropped.
• The packet's prefix should match the stateless prefix defined on the interface or globally.
• A maximum of 1K stateful prefixes are supported.
• A maximum of 4K dynamic mappings and pools are supported.
• A maximum of 16k static mappings are supported.
• IPv4 initiated traffic is not supported – requires static mapping
• Protocol Translation cannot preserve all the fields – Flow labels, Destination options, Source routing etc
• Requires ALGs for certain applications, e.g. SIP, RTSP etc.
• End-point Independent filtering is not supported
NAT64 facilitates a gradual migration to IPv6 by allowing “green-field” IPv6 networks to connect with the existing “legacy” IPv4 internet/networks.
Stateful NAT64 facilitates seamless internet experience to users accessing the existing IPv4 internet services via a “green-field” IPv6-only network.
SPs/Enterprises/Content providers or enablers can provide the IPv4 services seamlessly to IPv6 internet users by using stateful NAT64 technology, with minimal or no changes in the existing network infrastructure and thus maintaining IPv4 business continuity.
Translation is not a long-term support strategy; it is a medium-term coexistence strategy that can be used to facilitate a long-term program of IPv6 transition by both Enterprises and SPs.
For more information about IPv6, visit http://www.cisco.com/go/ipv6
For more information about Cisco service provider solutions, visit http://www.cisco.com/go/sp
For more information about Cisco enterprise solutions, visit http://www.cisco.com/go/enterprise
Whitepaper - NAT64 Technology: Connecting IPv6 and IPv4 Networks http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-676278.html
Whitepaper - NAT64 Stateless versus Stateful http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-676277.html
For additional white papers on IPv6, visit http://www.cisco.com/en/US/products/ps6553/prod_white_papers_list.html
http://blogs.cisco.com/news/world-ipv6-day-working-together-towards-a-new-internet-protocol/
Thank you.
Backup Slides
Translation Details
• If fragment header is not there then df-bit will be set.
• Version – 4
• Internet Header Length: 5 (no IPv4 options)
• Type of Service (TOS) Octet: By default, copied from the IPv6 Traffic Class (all 8 bits).
• Total Length: Payload length value from IPv6 header, plus the size of the IPv4 header.
• Identification: All zero.
• Flags: The More Fragments flag is set to zero. The Don't Fragment flag is set to one.
• Fragment Offset: All zero.
• Protocol: For ICMPv6 (58) changed to ICMP (1), otherwise Next Header field copied from IPv6 header.
• Header Checksum: Computed once the IPv4 header has been created.
• Source Address: The IPv4 source address is derived from the IPv6 source address.
• Destination Address: The IPv4 destination address is derived from the IPv6 destination address of the datagram being translated.
• If any IPv6 extension (options) headers are present in the IPv6 packet, they are ignored, i.e., there is no attempt to translate them.
• If a Routing header with a non-zero Segments Left field is present, the packet must not be translated; an ICMPv6 "parameter problem / erroneous header field encountered" (Type 4, Code 0) error message should be returned to the sender.
• If the IPv6 packet contains a Fragment header, the header fields are set as above with the following exceptions:
  Total Length: Payload length value from the IPv6 header, minus 8 for the Fragment header, plus the size of the IPv4 header.
  Identification: Copied from the low-order 16 bits of the Identification field in the Fragment header.
  Flags: The More Fragments flag is copied from the M flag in the Fragment header. The Don't Fragment flag is set to zero, allowing this packet to be fragmented by IPv4 routers.
  Fragment Offset: Copied from the Fragment Offset field in the Fragment header.
  Protocol: For ICMPv6 (58), changed to ICMP (1); otherwise the Next Header field is copied from the Fragment header.
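The IPv6-to-IPv4 header rules above, including the Fragment header exceptions, as an added Python example that is not part of the deck or of the ASR1000 implementation. It assumes the caller supplies the translated IPv4 source and destination addresses (the stateful binding lookup is outside the example) and takes the IPv4 TTL as Hop Limit minus one from RFC 6145, a field the slides do not list.

```python
import struct

ICMPV6, ICMPV4, FRAG_HDR = 58, 1, 44
IPV4_HDR_LEN, FRAG_HDR_LEN = 20, 8


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791); 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def translate_ipv6_to_ipv4(ip6: bytes, src4: bytes, dst4: bytes) -> bytes:
    """Build the IPv4 header for a raw IPv6 packet per the slide's rules.

    src4/dst4 are the 4-byte IPv4 addresses already chosen by the NAT64
    binding (assumption: address selection happens outside this function).
    """
    # Traffic Class spans the low nibble of byte 0 and high nibble of byte 1.
    tclass = ((ip6[0] & 0x0F) << 4) | (ip6[1] >> 4)
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", ip6[4:8])
    if next_hdr == FRAG_HDR:
        # Fragment header: Next Header, Reserved, Offset<<3|M, Identification
        frag_nh, _, off_m, frag_id = struct.unpack("!BBHI", ip6[40:48])
        total_len = payload_len - FRAG_HDR_LEN + IPV4_HDR_LEN
        ident = frag_id & 0xFFFF              # low-order 16 bits
        mf = off_m & 0x1                      # M flag -> MF; DF cleared
        flags_off = (mf << 13) | (off_m >> 3)  # offset stays in 8-byte units
        proto = frag_nh                       # Next Header from Fragment header
    else:
        total_len = payload_len + IPV4_HDR_LEN
        ident = 0                             # Identification all zero
        flags_off = 0x4000                    # DF=1, MF=0, offset 0
        proto = next_hdr
    if proto == ICMPV6:
        proto = ICMPV4
    ttl = hop_limit - 1                       # forwarded: decrement (RFC 6145)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tclass, total_len, ident,
                      flags_off, ttl, proto, 0, src4, dst4)
    # Header Checksum is computed once the rest of the IPv4 header exists.
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
```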
• An IPv6 UDP packet with a UDP checksum of 0 is dropped; no attempt is made to translate it.
• The translation algorithm is applied twice: once for the outer header and once for the inner header embedded in an ICMPv6 error message.
• A sanity test is done on the packet and malformed packets are dropped.
• Fragmented ICMPv6 packets are dropped.
ICMPv6 Type and Code          ICMPv4 Type and Code
Type 128                      Type 8
Type 129                      Type 0
Type 130-137                  Silently drop
Unknown type                  Silently drop
Type 1; Code 0, 2, 3          Type 3; Code 1
Type 1; Code 1                Type 3; Code 10
Type 1; Code 4                Type 3; Code 3
Type 2                        Type 3; Code 4
Type 3                        Type 11
Type 4; Code 0                Type 12; Code 0
Type 4; Code 1                Type 3; Code 2
Type 4; Code 2                Silently drop
• A Fragment header is added if the DF bit is not set.
• If the DF bit is set and the packet exceeds 1280 bytes, it is dropped and an ICMP "packet too big" message is sent to the IPv4 sender.
• Version: 6
• Traffic Class: copied from the IPv4 Type of Service octet
• Flow Label: 0 (all zero bits)
• Payload Length: Total Length value from the IPv4 header, minus the size of the IPv4 header and IPv4 options
• Next Header: For ICMP (1), changed to ICMPv6 (58); otherwise the Protocol field is copied from the IPv4 header
• Hop Limit: TTL value copied from the IPv4 header, minus 1
• Source Address: The IPv6 source address is derived from the IPv4 source address.
• Destination Address: The IPv6 destination address is derived from the IPv4 destination address.
• If IPv4 options are present in the IPv4 packet, they are ignored, i.e., there is no attempt to translate them.
• If a Fragment header is added:
  Payload Length: Total Length field from the IPv4 header, plus 8 for the Fragment header, minus the IPv4 header and option length
  Next Header: Fragment Header (44)
  Fragment Offset: Copied from the Fragment Offset field in the IPv4 header.
  Identification: The low-order 16 bits are copied from the Identification field in the IPv4 header; the high-order 16 bits are set to zero.
• If an unfragmented IPv4 UDP packet with a zero checksum is received, NAT64 calculates the complete checksum and records the event in its counters.
• When a fragmented UDP packet with a zero checksum is received, it is dropped and a message is generated for the first fragment.
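The IPv4-to-IPv6 direction from the slides above (Fragment header insertion when DF is clear, and the drop when DF is set and the packet exceeds 1280 bytes), as an added Python example that is not part of the deck or of the ASR1000 implementation. It assumes the caller supplies the IPv6 addresses from the NAT64 binding, and models the drop-and-signal case as an exception the caller turns into the ICMPv4 message.

```python
import struct

ICMPV4, ICMPV6, FRAG_HDR = 1, 58, 44
IPV6_MIN_MTU = 1280


class PacketTooBig(Exception):
    """DF set and IPv4 packet larger than 1280 bytes: drop and signal sender."""


def translate_ipv4_to_ipv6(ip4: bytes, src6: bytes, dst6: bytes) -> bytes:
    """Build the IPv6 header (plus Fragment header when DF is clear) for a
    raw IPv4 packet per the slide's rules; IPv4 options are not translated.

    src6/dst6 are the 16-byte IPv6 addresses chosen by the NAT64 binding
    (assumption: address selection happens outside this function).
    """
    ihl = (ip4[0] & 0x0F) * 4                     # header incl. options
    tos, total_len, ident, flags_off, ttl, proto = struct.unpack(
        "!BHHHBB", ip4[1:10])
    df = bool(flags_off & 0x4000)
    if df and total_len > IPV6_MIN_MTU:
        raise PacketTooBig(total_len)             # per slide: drop, ICMP back
    if proto == ICMPV4:
        proto = ICMPV6
    hop_limit = ttl - 1                           # TTL minus 1
    payload_len = total_len - ihl                 # header and options removed
    # Version 6 | Traffic Class (from TOS) | Flow Label 0
    first = 0x60 | (tos >> 4)
    second = (tos & 0x0F) << 4
    if df:
        return struct.pack("!BBHHBB16s16s", first, second, 0, payload_len,
                           proto, hop_limit, src6, dst6)
    # DF clear: add a Fragment header carrying the IPv4 fragmentation fields.
    mf = (flags_off >> 13) & 0x1
    offset = flags_off & 0x1FFF                   # 8-byte units, as in IPv4
    frag = struct.pack("!BBHI", proto, 0, (offset << 3) | mf, ident)
    return struct.pack("!BBHHBB16s16s", first, second, 0, payload_len + 8,
                       FRAG_HDR, hop_limit, src6, dst6) + frag
```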
• The translation algorithm is applied twice: once for the outer header and once for the inner header embedded in an ICMP error message.
• A sanity test is done on the packet and malformed packets are dropped.
• Fragmented ICMP packets are dropped.
ICMPv4 Type                     ICMPv6 Type
8                               128
0                               129
9, 10, 13, 14, 15, 16, 17, 18   Silently drop
Unknown type                    Silently drop
ICMPv4 Type and Code                     ICMPv6 Type and Code
Type 3; Code 0, 1, 5, 6, 7, 8, 11, 12    Type 1; Code 0
Type 3; Code 2                           Type 4; Code 1
Type 3; Code 3                           Type 1; Code 4
Type 3; Code 4                           Type 2; Code 0
Type 3; Code 9, 10, 13, 15               Type 1; Code 1
Type 3; Code 14                          Silently drop
Type 4, 5, 6                             Silently drop
Type 11                                  Type 3
Type 12; Code 0, 2                       Type 4; Code 0
Type 12; Code 1                          Silently drop
Type 12; other codes                     Silently drop
Unknown ICMPv4 types                     Silently drop
IGMP messages                            Silently drop
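The ICMPv6-to-ICMPv4 and ICMPv4-to-ICMPv6 type/code tables from the backup slides as lookup functions, an added Python example that is not part of the deck or of the ASR1000 implementation. Anything the tables do not list is treated as a silent drop (returned as None); for rows that name only a type (e.g. Type 3 to Type 11) the original code is carried through, which is an assumption taken from RFC 6145.

```python
# A None code on the input side matches any code; a None code on the output
# side means "copy the input code" (assumption: RFC 6145 carries it through).
DROP = None  # returned for anything the tables say to silently drop

ICMPV6_TO_ICMPV4 = {
    (128, None): (8, None),                  # Echo Request
    (129, None): (0, None),                  # Echo Reply
    **{(1, c): (3, 1) for c in (0, 2, 3)},   # Dest Unreach -> Host Unreach
    (1, 1): (3, 10),                         # administratively prohibited
    (1, 4): (3, 3),                          # port unreachable
    (2, None): (3, 4),                       # Packet Too Big -> frag needed
    (3, None): (11, None),                   # Time Exceeded, code kept
    (4, 0): (12, 0),                         # Parameter Problem
    (4, 1): (3, 2),                          # bad Next Header -> proto unreach
    # Type 4 Code 2, Types 130-137 and unknown types are not listed: drop
}

ICMPV4_TO_ICMPV6 = {
    (8, None): (128, None),
    (0, None): (129, None),
    **{(3, c): (1, 0) for c in (0, 1, 5, 6, 7, 8, 11, 12)},
    (3, 2): (4, 1),
    (3, 3): (1, 4),
    (3, 4): (2, 0),
    **{(3, c): (1, 1) for c in (9, 10, 13, 15)},
    (11, None): (3, None),
    (12, 0): (4, 0),
    (12, 2): (4, 0),
    # Type 3 Code 14, Types 4/5/6/9/10/13-18, Type 12 Code 1, others: drop
}


def _lookup(table, icmp_type, icmp_code):
    # Exact (type, code) row first, then a type-only row, else drop.
    entry = table.get((icmp_type, icmp_code)) or table.get((icmp_type, None))
    if entry is None:
        return DROP
    new_type, new_code = entry
    return (new_type, icmp_code if new_code is None else new_code)


def map_icmpv6_to_icmpv4(icmp_type, icmp_code):
    """ICMPv6 (type, code) -> ICMPv4 (type, code), or None to drop."""
    return _lookup(ICMPV6_TO_ICMPV4, icmp_type, icmp_code)


def map_icmpv4_to_icmpv6(icmp_type, icmp_code):
    """ICMPv4 (type, code) -> ICMPv6 (type, code), or None to drop."""
    return _lookup(ICMPV4_TO_ICMPV6, icmp_type, icmp_code)
```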