Carrier Grade NAT

Upload: yohanesfc

Post on 14-Oct-2015

TRANSCRIPT

  • 5/24/2018 Carrier Grade NAT

    1/111

    2010 Cisco and/or its affiliates. All rights reserved. 1

    Carrier-Grade NAT: IPv4 Exhaust and IPv6 Transition in Internet

    Josef Ungerman

    Cisco, CCIE#6167

  • Slide 2/111

    Motivation

    World IPv6 Launch 6/6/2012

    Carrier-Grade NAT

    Definition and design

    Dual-stack

    v4v6, v6-only, NAT64, 464

    IPv6 in Mobile

    Role in 3G and EPS

    IPv6 in Wireline

    PPPoE and IPoE sessions

    Cisco CGN Products

    ASR1000, ASR5000, ASR9000, CRS

  • Slide 3/111

    [Chart: IANA pool and RIR pool over time; marked dates Feb 3, 2011 and Feb 6, 2012]


  • Slide 5/111

    Mar 23, 2011: $11.25 per IPv4 address

    http://blog.internetgovernance.org/blog/_archives/2011/3/23/4778509.html

    Need for SIDR (Secure Inter-Domain Routing)

    Distributed database and RPKI infrastructure for verifying prefix origin AS with the RIR

  • Slide 6/111

    Internet v6 Content

    YouTube goes IPv6: DE-CIX sees a 30x increase

    Google is 1/10th of Internet traffic

    Netflix video surpasses p2p in US (29.7%)

    World IPv6 Day (June 8, 2011): NIX.CZ; NIC.CZ: approx. 70,000 domains with AAAA

  • Slide 7/111

    What was it? A single day (24 hrs) where major content providers advertised a AAAA DNS record for their production service (e.g. www.cisco.com, www.facebook.com); coordinated by the Internet Society

    Who participated?

    Google, Facebook, Yahoo!, Akamai, Cisco, Limelight Networks were among 434 participants that offered content from their main websites over IPv6 for a 24-hour "test drive". Cross-industry community effort: http://www.worldipv6day.org/participants/index.html

    Why do this?

    Demonstrates commercial viability of IPv6; helps identify areas of improvement in IPv6 functionality

    What happened? Nothing!

    Only isolated issues reported

    >3% of v6 traffic is from v6-enabled countries like France

    Links: http://www.cisco.com/ http://www.facebook.com/ http://googleblog.blogspot.com/2011/01/world-ipv6-day-firing-up-engines-on-new.html http://www.facebook.com/notes/facebook-engineering/world-ipv6-day-solving-the-ip-address-chicken-and-egg-challenge/484445583919 http://www.yahoo.com/ http://www.akamai.com/ipv6 http://www.limelightnetworks.com/

  • Slide 8/111

    Example: Yahoo!: 2.2M users served over IPv6, 10 support calls

    Example: Akamai: 8M requests during W6D

    Example: AAAA to everyone (incl. 2.5M FB-Connect websites)

  • Slide 9/111

    What is it? www.worldipv6launch.org; coordinated by the Internet Society

    W6L: Turn it on, leave it on.

    Since 6/6/12, IPv6 becomes part of a regular business!

    Who will turn on IPv6 AAAA forever? Google, Facebook, Yahoo!, Akamai, Microsoft

    CPE vendors: Cisco, D-Link

    Practical support: http://www.internetsociety.org/deploy360/

    V6 World Congress, Feb 2012. Motto links to W6L: Open The Floodgates

    Links: http://www.worldipv6launch.org/ http://googleblog.blogspot.com/2011/01/world-ipv6-day-firing-up-engines-on-new.html http://www.facebook.com/notes/facebook-engineering/world-ipv6-day-solving-the-ip-address-chicken-and-egg-challenge/484445583919 http://www.yahoo.com/ http://www.akamai.com/ipv6 http://www.internetsociety.org/deploy360/

  • Slide 10/111

    strategy alignment example

  • Slide 11/111

    National IPv6 Strategies

    Compliance: U.S. Federal Mandate, IPv6 task force

    Next Generation Internet (CNGI) project in China and Japan

    European Commission Recommendation

    IPv6

    IPv4 Address space completion

    Public or Private Space

    Limiting network expansion and putting at risk business continuity

    Introducing operational challenges

    Infrastructure Evolution

    Next generation network architecture requires IPv6

    DOCSIS 3.0, Quad Play Mobile SP

    Networks in Motion

    Networked Sensors, i.e.: AIRS

    IPv6 in Client Software

    IPv6 on in Microsoft Vista

    Sensor Networks, Apple's Back to My Mac

    v6 over v4 OTT tunnel providers

  • Slide 12/111

    Characteristic | Reason | Example

    Infrequent Use | Maintaining NAT bindings for rare-occurrence events is inefficient | Earthquake Warning service (NTT IPv6); smoke detectors (6LoWPAN)

    Universal Connectivity | Reachability of devices in the home | Dozens of IPv6 tunnel brokers = unconstrained

    Peer-to-peer / Green Network | A PC with many networked applications sends many keep-alives; each needs power across the network | Skype for iPhone drains batteries from application via data-plane keep-alive

    Scalable/Green Data Center | Persistent client/server transport connection is needed to keep NAT open | Facebook IM long polling

    High bit rate + NAT | Smaller SP margin per bit for AFT vs competitors without that cost | Netflix On-Demand supports IPv6; Google 1/10th of Internet traffic

    FCB Internet: Faster, Cleaner, Better.

  • Slide 13/111

    [Diagram: transition stages labelled IPv4 Private IP, 6 over 4, 4 + 6, 4 over 6 and All IPv6 (legend: IPv4, Private IP, IPv6); technologies shown: CGN (NAT44), Dual Stack, DS-Lite, 6PE, 6rd, MIP, PPP, NAT64, 4rd, dIVI/MAP-T; phases Preserve / Prepare / Prosper]

    Dual-stack variations: CGNv4 needed anyway.


  • Slide 15/111

    Courtesy of Jason Fesler, Yahoo (V6 World Congress 2012)

  • Slide 16/111

    Public IPv4 Deployment

    Public IPv4 addresses used in Transport Network

    Public IPv4 addresses used on Handset for Service access

    Declining Adoption

  • Slide 17/111

    NAT44: Central Large Scale NAT44

    Limited IPv4 life extension

    SP operates non-overlapping private address space

    UE obtains an IPv4 address from the private SP address space

    CGN/CGv6 performs NAT(P)44 with high scalability

    Many UEs are serviced by fewer public IP addresses on the LSN; dynamically reuses the available pool of public IP address/port bindings

    [Diagram: UE (private IPv4) - eNB - SGW - PGW - CGN/CGv6 (NAT) - public IPv4]

    Large Scale NAT44: O(10G) throughput, O(20M) bindings, some subscriber awareness

    Private IPv4 address assigned to UE; public IPv4 address/port assigned by CGN

    IPv4 user plane with 3GPP-defined tunneling: GTP, PMIP/GRE, IPsec

    v4 core network: native IPv4

    v4 user plane: native IPv4 forwarding to/from CGN

    Evolution of current NAT solutions: ~70% of all mobile operators leverage NAT44

    Many deployments implement NAT44 on Enterprise-Class Firewalls: scale & throughput challenges

  • Slide 18/111

    Multiple customers multiplexed behind an SP-managed NAT device (a Large Scale NAT): LSN44 multiplexes several customers onto the same public IPv4 address

    Each customer has a unique private IPv4 address

    NAT44 can be deployed as a centralized or distributed function.

    CPE-based NAT44 + LSN44 = NAT444 solution

    [Diagram: Home Gateway (NAT44, IPv4-Private) - Access Node - BRAS (with AAA) - CGN (NAT44, IPv4-Private on the inside) - IPv4 Internet]

  • Slide 19/111

    Most broadband users are behind NAT today!

    NAT

    First described in 1991 (draft-tsuchiya-addrtrans), RFC1631

    1:1 translation: does not conserve IPv4 addresses

    Per-flow stateless

    Today's primary use is inside of enterprise networks

    Connect overlapping RFC1918 address space

    Note: NAT66 is stateful or stateless, but it is not NAPT

    NAPT

    Described in 2001 (RFC3022)

    1:N translation

    Conserves IPv4 addresses

    Allows multiple hosts to share one IPv4 address

    Only TCP, UDP, and ICMP

    Connection has to be initiated from inside

    Per-flow stateful

    Commonly used in home gateways and enterprise NAT

    When people say NAT, they typically mean NAPT

    NAT44 is used to differentiate IPv4-IPv4 NAPT from Address Family Translation, typically referred to as NAT64 and NAT46

  • Slide 20/111

    Courtesy of Jason Fesler, Yahoo (V6 World Congress 2012)

  • Slide 21/111

    CGN = IP Address Sharing

    Inherent issues: draft-ford-shared-addressing-issues

    Servers must log also source port numbers (draft-ietf-intarea-server-logging-recommendations: http://tools.ietf.org/html/draft-ietf-intarea-server-logging-recommendations-04)

    Shared IP address = shared suffering: blacklisting, spam, tracking and law enforcement

    Requesting specific ports: not everyone can get port 80

    Geo-location issues (get me the nearest ATM); complicates inbound access to media

    Keepalives: power consumption, mobile battery drain

    Adds transport cost [$/Gbps]

  • Slide 22/111

    ALG (Application Layer Gateway): L3, L4, L7

    Fixup for applications that have problems with Firewall (and Symmetric NAT): no inbound connections (media, p2p, ...)

    No problem with Full Cone NAT (ALG not needed)

    Fixups for NAT-unaware applications: applications that embed the IP address in the payload or use it as user identity (did the developers respect the OSI model?)

    Old applications, Enterprise-oriented applications

    No ALGs for many applications: encrypted or integrity-protected protocols, e.g. SIP over TLS, HTTPS://1.2.3.4 (with IPv4 address literal), ...

    Modern Internet apps work fine through NAT/FW. Why does the world use Skype and not SIP?

    [Diagram: FW/NAT with SIP ALG rewriting the SDP m/c lines from m/c=10.1.1.1/1234 on the inside to m/c=161.44.1.1/5678 towards the Internet]

  • Slide 23/111

    Operational headache

    Undefined performance impact, numerous DoS attack vectors

    Different application versions need different ALGs

    Extensions, deviations, e.g. Microsoft NetMeeting different from Polycom H.323

    ALGs from different vendors behave differently, tough upgrades

    In case of a bug, which vendor is guilty? How long will it take to get a fix?

    Regulatory issues

    ISPs can't sniff/modify Over The Top applications' data using ALGs

    e.g. break location awareness in Vonage emergency calls

    e.g. break RTSP media streaming from NetFlix or Amazon

    ALG interference with NAT traversal techniques (SIP ICE, RTSP mmusic, ...)

    ALGs work fine in the closed Enterprise IT environment, but are ALGs desirable in the Internet?

    Are there any NAT-unaware Internet apps yet?

  • Slide 24/111

    iTunes, Windows Live Messenger, Google Maps, Playstation Network, Google Talk, iPhone App Store

    Temporary exceptions (old protocols): RTSPv1 (m.youtube.com) or MS PPTP

  • Slide 25/111

    Symmetric NAT

    Firewalling behavior; often implemented on firewalls, CPE routers

    [Diagram: User-A 192.168.1.1/24 behind NAT/PAT (NAT pool 140.0.0.1/24); User-B 150.0.0.1/24 and User-C 160.0.0.1/24 on the outside]

    User-A sends packets to User-B; the PAT device generates a PAT entry such as below.

    Inside local: 192.168.1.1:5000 | Inside global: 140.0.0.1:6000 | Outside local: 150.0.0.1:6000 | Outside global: 150.0.0.1:6000

    Translates src-ip and src-port: 192.168.1.1:5000 -> 140.0.0.1:6000

    Only User-B's packets (To: 140.0.0.1:6000) are translated to go into the inside network.

    User-C's packets (also To: 140.0.0.1:6000) do not match the entry: User-C can not reach User-A.

  • Slide 26/111

    Full cone NAT

    Free NAT traversal requires Full cone NAT.

    Full cone NAT is mentioned in RFC3489 Section 5.

    What is Full cone NAT?

    [Diagram: User-A 192.168.1.1/24 behind NAT/PAT (NAT pool 140.0.0.1/24); User-B 150.0.0.1/24 and User-C 160.0.0.1/24 on the outside]

    User-A sends packets to User-B; the PAT device generates a PAT entry such as below.

    Inside local: 192.168.1.1:5000 | Inside global: 140.0.0.1:6000 | Outside local: any | Outside global: any

    Translates src-ip and src-port: 192.168.1.1:5000 -> 140.0.0.1:6000

    Not only User-B but also User-C can reach User-A: packets To: 140.0.0.1:6000 from either source match the entry (match all!).

  • Slide 27/111

    Mapping behavior (notation IP Address:Port Number; inside host X:100, NAT external address Y, destinations A:1000, B:2000, B:2001)

    Endpoint Independent: one external mapping regardless of destination
    Inside X:100 | Outside Y:200 | Dst -

    Address Dependent: one external mapping per destination address
    Inside X:100 | Outside Y:200 | Dst A:any
    Inside X:100 | Outside Y:300 | Dst B:any

    Address and Port Dependent: one external mapping per destination address and port
    Inside X:100 | Outside Y:200 | Dst A:1000
    Inside X:100 | Outside Y:300 | Dst B:2000
    Inside X:100 | Outside Y:400 | Dst B:2001

  • Slide 28/111

    Filtering behavior (notation IP Address:Port Number; inside host X:100 mapped to Y:200; outside hosts A:1000, A:1001 and B:2000 send to Y:200)

    Endpoint Independent: any outside host may send to Y:200
    Inside X:100 | Outside Y:200 | from -

    Address Dependent: only hosts at an address X:100 has already sent to (here A)
    Inside X:100 | Outside Y:200 | from A

    Address and Port Dependent: only the exact address:port X:100 has already sent to (here A:1000)
    Inside X:100 | Outside Y:200 | from A:1000

  • Slide 29/111

    NAT types as a matrix of mapping behavior (Endpoint Independent, Address Dependent, Address:Port Dependent) against filtering behavior (Endpoint Independent, Address Dependent, Address:Port Dependent):

    Full Cone NAT: Endpoint Independent Mapping + Endpoint Independent Filtering

    Address Restricted NAT: Endpoint Independent Mapping + Address Dependent Filtering

    Port Restricted NAT: Endpoint Independent Mapping + Address:Port Dependent Filtering

    Symmetric NAT: Address:Port Dependent Mapping + Address:Port Dependent Filtering

    Devices placed on the slide's matrix: CGN, IOS Router, Linksys WRT610N, IOS Router (enable-sym-port)

    Classic STUN: Simple Traversal of UDP through NAT (RFC3489); now: Session Traversal Utilities for NAT (RFC5389)

  • Slide 30/111

    FTP PASV: data connection always to the server

    ICE, STUN, TURN

    NAT EIM/EIF: intelligence in the endpoint

    Useful for offer/answer protocols (SIP, XMPP, probably more); standardized in MMUSIC and BEHAVE

    RTSPv1, effectively replaced with Flash over HTTP

    RTSPv2, ICE-like solution

    Skype, encrypted and does its own NAT traversal

    Port 80/443 apps

    STUN: Session Traversal Utilities for NAT, RFC 5389; ICE: Interactive Connectivity Establishment, RFC 5245; TURN: Traversal Using Relays around NAT, RFC 5766

  • Slide 31/111

    NAT traversal with EIM/EIF (Full Cone NAT)

    Requirement: endpoint independence on ALG/fixups, maximum application transparency

    Use Case Example: this is for Session Traversal Utilities for NAT (STUN, ICE) and is used by P2P apps to advertise themselves such that others can contact them from outside-in

    * source: RFC4787, RFC5382, RFC5508

    [Diagram: User-A and User-B, each behind its own NAT, with a STUN server on the outside]

    1) User-A connects to the STUN Server; User-B connects to the STUN Server

    2) The STUN server returns User-A's translated (src-ip, src-port) to User-B, and User-B's translated (src-ip, src-port) to User-A

    3) User-A and User-B can communicate with each other directly.

  • Slide 32/111

    Session Traversal Utilities for NAT, RFC 5389

    Request/response protocol, used by:

    STUN itself (to learn IP address)

    ICE (for connectivity checks)

    TURN (to configure TURN server)

    The response contains the IP address and port the request arrived from

    Runs over UDP (typical) or TCP, port 3478

    Think http://whatismyip.com

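The request/response exchange the slide describes, as an added example (not from the original deck and not a production STUN implementation): the client builds an RFC 5389 Binding Request, a server reply is constructed inline carrying XOR-MAPPED-ADDRESS, and the client decodes the NAT's outside address:port from it while checking the transaction id it sent. Nothing is sent on the wire; the 140.0.0.1:6000 and 150.0.0.1:6000 values reuse the addresses from the earlier NAT slides and are constructed.

```python
"""Minimal RFC 5389 STUN Binding exchange, run offline.

Added example, not part of the original slide deck.  The "server" side is a
function that builds the reply a real STUN server would send; the XOR of
the address with the magic cookie is what RFC 5389 specifies so that NAT
ALGs which rewrite literal IPv4 addresses in payloads do not corrupt it.
"""
import os
import socket
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
STUN_PORT = 3478            # default port named on the slide


def build_binding_request(txid: Optional[bytes] = None) -> bytes:
    """20-byte STUN header (type, length=0, cookie, 96-bit transaction id)."""
    txid = txid or os.urandom(12)
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def _xor_mapped_attr(ip: str, port: int) -> bytes:
    """XOR-MAPPED-ADDRESS for IPv4: reserved, family=1, X-Port, X-Address."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)
    return struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value


def build_binding_response(request: bytes, seen_ip: str, seen_port: int) -> bytes:
    """What the server sends back: the source address:port the request came
    from (i.e. the NAT's outside binding), under the same transaction id."""
    mtype, _, cookie = struct.unpack("!HHI", request[:8])
    if mtype != BINDING_REQUEST or cookie != MAGIC_COOKIE:
        raise ValueError("not an RFC 5389 Binding Request")
    attrs = _xor_mapped_attr(seen_ip, seen_port)
    return (struct.pack("!HHI", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE)
            + request[8:20] + attrs)


def parse_reflexive_address(response: bytes, request: bytes) -> Tuple[str, int]:
    """Client side: verify cookie and transaction id, then decode the
    reflexive address from XOR-MAPPED-ADDRESS (IPv4 only in this example)."""
    mtype, length, cookie = struct.unpack("!HHI", response[:8])
    if cookie != MAGIC_COOKIE or response[8:20] != request[8:20]:
        raise ValueError("cookie or transaction id mismatch")
    if mtype != BINDING_SUCCESS:
        raise ValueError("not a Binding Success Response")
    body, pos = response[20:20 + length], 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)          # attribute values are padded to 4 bytes
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            _, family, xport, xaddr = struct.unpack("!BBHI", value)
            if family != 0x01:
                continue
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def demo() -> Tuple[str, int]:
    # Constructed scenario: User-A behind a NAT asks the STUN server, which
    # sees the request arrive from the NAT's outside binding 140.0.0.1:6000.
    req = build_binding_request()
    resp = build_binding_response(req, "140.0.0.1", 6000)
    return parse_reflexive_address(resp, req)


if __name__ == "__main__":
    print(demo())   # ('140.0.0.1', 6000)
```

The transaction-id check is the part worth keeping in mind from a security standpoint: without it a client would accept any Binding Success Response that reaches its socket, so the reflexive address it then advertises in ICE candidates could be chosen by whoever answered first.
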
  • Slide 33/111

    Interactive Connectivity Establishment RFC 5245

    Procedure for Optimizing Media Flows

    Defines SDP syntax to indicate candidate addresses

    Uses STUN messages for connectivity checks

    Sent to RTP peer, using same ports as RTP

    First best path wins

    Basic steps:

    1. Gather all my IP addresses

    2. Send them to my peer

    3. Do connectivity checks

    EXAMPLES

    Google chat (XMPP)

    Microsoft MSN (SIP inside of XML)

    Yahoo (SIP)

    Counterpath softphone (SIP)

  • Slide 34/111

    Traversal Using Relays around NAT RFC 5766

    Media Relay Protocol and Media Relay Server

    Only used when:

    Both endpoints are behind Address and Port-Dependent Filtering NATs (rare, about 25% of NATs), or

    One endpoint doesn't implement ICE, and is behind an Address and Port-Dependent Filtering NAT

  • Slide 35/111

    New IP Infrastructure Element: separate infrastructural necessity from services (firewalling, etc.)

    No ALGs, no firewalling behavior

    Focus on:

    Transparency: keep just the necessary, endpoint independence

    Scale & Performance: minimal cost

    Security: logging, port limits

    IPv6 preparation: NAT64, 6RD, etc.

    IETF BEHAVE working group

    Behavior Engineering for Hindrance Avoidance

    IETF target is to promote IPv6, not to prolong IPv4 forever

  • Slide 36/111

    RFC4787 (July 2007)

    A CGN is defined by constrained behavior:

    NAT Behavior Compliance (RFC4787, RFC5382, RFC5508)

    Endpoint Independent Mapping and Filtering (Full Cone NAT)

    Paired IP address pooling behavior

    Port Parity preservation for UDP

    Hairpinning behavior

    Static Port Forwarding (PCP)

    Current ALGs: RTSPv1, sometimes PPTP

    Management

    Port Limit per subscriber

    Mapping Refresh

    NAT logging

    Redundancy (Intra-box Active/Standby, Inter-box Active/Active)

  • Slide 37/111

    IP address pooling behavior

    Paired (recommended): use the same external IP address mapping for all sessions associated with the same internal IP address

    Some peer-to-peer applications don't negotiate the IP address for multiple sessions (e.g. apps that are not able to negotiate the IP address for RTP and RTCP separately)

    [Diagram: paired pooling, inside host X keeps external address A and inside host Y keeps external address B for all of their sessions]

    Inside X:100 | Outside A:200
    Inside X:101 | Outside A:201
    Inside X:102 | Outside A:202
    Inside Y:100 | Outside B:200
    Inside Y:101 | Outside B:201
    Inside Y:102 | Outside B:202

  • Slide 38/111

    Hairpinning. Use Case: allow communications between two endpoints behind the same NAT when they are trying each other's external IP addresses

    Inside X:100 | Outside A:200
    Inside Y:100 | Outside B:200

    [Diagram: X:100 sends to B:200 and is delivered to Y:100 via the NAT; Y:100 sends to A:200 and is delivered to X:100]

    Notation X:100 = IPv4 address:Port *

    * TCP/UDP port or Query ID for ICMP

  • Slide 39/111

    Static port forwarding. Requirement: ability to configure a fixed private (internal) IP address:port associated with a particular subscriber while the CGN allocates a free public IP address:port

    Future: PCP (Port Control Protocol) for users

    Delegate port numbers to requesting applications/hosts to avoid the requirement for ALGs

    draft-ietf-pcp-base: http://tools.ietf.org/html/draft-ietf-pcp-base-12

    Option 1: Handset/Host with PCP client talking PCP to the PCP server (on the CGN)

    Option 2: PCP client on CPE (PCP client, UPnP IGD proxy, NAT-PMP proxy); the home devices speak UPnP IGD or NAT-PMP to the CPE, which speaks PCP to the PCP server

  • Slide 40/111

    No Port Overloading

    A NAT must not have a "Port assignment" behavior of "Port overloading" (i.e. use port preservation even in the case of collision). Most applications will fail if this is used.

    Port Parity Preservation

    An even port will be mapped to an even port, and an odd port will be mapped to an odd port. This behavior respects the [RFC3550] rule that RTP uses even ports, and RTCP uses odd ports.

    Port Limit Per Subscriber

    Configurable port limit per subscriber for the system (includes TCP, UDP and ICMP). NAT security: DoS attack/virus exhaust prevention.

    * source: RFC4787, RFC5382
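
The allocation rules from this slide and the paired-pooling slide before it, as an added example (not from the original deck and not Cisco code): a toy CGN port allocator that keeps one external address per inside address (paired pooling), tries port preservation but never overloads a port already in use, keeps parity on fallback, and enforces a per-subscriber port limit. The pool addresses, limits and inside endpoints are constructed; `PortLimitExceeded` stands in for the drop that the IOS XR slide later reports as "drops port limit exceeded".

```python
"""Toy CGN port allocator following the RFC 4787 / RFC 5382 rules on the slides.

Added example, not part of the original slide deck.  Policy implemented:
  - paired IP address pooling: one external IP per inside IP
  - port preservation when free, otherwise next free port of the same parity
  - no port overloading: an external port is never handed out twice
  - per-subscriber port limit across all its sessions
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]


class PortLimitExceeded(Exception):
    """The CGN drops the packet (IOS XR answers with ICMP type 3 code 13)."""


class CgnAllocator:
    def __init__(self, pool: List[str], port_limit: int = 100,
                 port_range: Tuple[int, int] = (1024, 65535)):
        self.pool = list(pool)                                 # public IPv4 addresses
        self.port_limit = port_limit                           # ports per inside IP
        self.lo, self.hi = port_range
        self.paired: Dict[str, str] = {}                       # inside IP -> external IP
        self.in_use: Dict[str, Set[int]] = defaultdict(set)    # external IP -> ports
        self.bindings: Dict[Endpoint, Endpoint] = {}           # inside -> external
        self.count: Dict[str, int] = defaultdict(int)          # inside IP -> ports held

    def _pick_external_ip(self, inside_ip: str) -> str:
        """Paired pooling: all sessions of one inside IP share one external IP,
        chosen on first use as the least-loaded address in the pool."""
        if inside_ip not in self.paired:
            self.paired[inside_ip] = min(self.pool, key=lambda ip: len(self.in_use[ip]))
        return self.paired[inside_ip]

    def _pick_port(self, ext_ip: str, wanted: int) -> Optional[int]:
        """Preserve the inside port if free; otherwise scan for the next free
        port with the same parity.  Never reuse a port that is in use."""
        used = self.in_use[ext_ip]
        if self.lo <= wanted <= self.hi and wanted not in used:
            return wanted
        first = self.lo + ((self.lo ^ wanted) & 1)   # first port in range with wanted's parity
        for p in range(first, self.hi + 1, 2):
            if p not in used:
                return p
        return None                                  # pool address exhausted

    def allocate(self, inside: Endpoint) -> Endpoint:
        """Return the external (ip, port) for an inside (ip, port)."""
        if inside in self.bindings:
            return self.bindings[inside]             # endpoint-independent: reuse mapping
        ip, port = inside
        if self.count[ip] >= self.port_limit:
            raise PortLimitExceeded(f"{ip} already holds {self.port_limit} ports")
        ext_ip = self._pick_external_ip(ip)
        ext_port = self._pick_port(ext_ip, port)
        if ext_port is None:
            raise RuntimeError("resource depletion: no free port on " + ext_ip)
        self.in_use[ext_ip].add(ext_port)
        self.bindings[inside] = (ext_ip, ext_port)
        self.count[ip] += 1
        return ext_ip, ext_port

    def release(self, inside: Endpoint) -> None:
        """Session timeout / teardown: free the port and the subscriber's quota."""
        ext_ip, ext_port = self.bindings.pop(inside)
        self.in_use[ext_ip].discard(ext_port)
        self.count[inside[0]] -= 1


if __name__ == "__main__":
    cgn = CgnAllocator(pool=["140.0.0.1", "140.0.0.2"], port_limit=2)
    print(cgn.allocate(("192.168.1.1", 5000)))   # ('140.0.0.1', 5000) preserved
    print(cgn.allocate(("192.168.1.3", 5000)))   # collision -> ('140.0.0.1', 1024), even
    print(cgn.allocate(("192.168.1.1", 5001)))   # paired: stays on 140.0.0.1
    try:
        cgn.allocate(("192.168.1.1", 5002))
    except PortLimitExceeded as e:
        print("dropped:", e)
```

A deliberately small `port_limit` makes the third rule visible: the limit caps how much of the shared address one subscriber (or one malware-infected host) can consume, which is the "DoS attack/virus exhaust prevention" the slide refers to.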

  • Slide 41/111

    Example: Google Maps with Max 30 Connections. Example/slides courtesy of NTT; see also Hiroshi Esaki: www2.jp.apan.net/meetings/kaohsiung2009/presentations/ipv6/esaki.ppt


  • Slide 46/111

    Courtesy of NTT, see also Hiroshi Esaki: www2.jp.apan.net/meetings/kaohsiung2009/presentations/ipv6/esaki.ppt

    See also "An Experimental Study of Home Gateway Characteristics": https://fit.nokia.com/lars/papers/2010-imc-hgw-study.pdf and http://www.ietf.org/proceedings/78/slides/behave-8.pdf

    Source: application behaviors in terms of port/session consumption on NAT: http://opensourceaplusp.weebly.com/experiments-results.html

  • Slide 47/111

    Port limit configuration

    IOS XR: per CGN instance, default is 100

    service cgn CGN1
     portlimit 300

    RP/0/RP0/CPU0:R#show cgn demo stat sum
    Statistics summary of cgn: 'demo'
    Number of active translations: 86971
    Translations create rate: 0
    Translations delete rate: 0
    Inside to outside forward rate: 101
    Outside to inside forward rate: 4
    Inside to outside drops port limit exceeded: 5
    Inside to outside drops system limit reached: 0
    Inside to outside drops resource depletion: 0
    Outside to inside drops no translation entry: 6216513
    Pool address totally free: 507
    Pool address used: 69

    XR: when the port limit is exceeded, the packet is dropped and an ICMP Type 3 (Destination Unreachable), Code 13 (Communication Administratively Prohibited) is returned to the sender

    Classic IOS: per box, default is none, ASR1K since 3.4S

    ip nat translation max-entries all-host 300

  • Slide 48/111

    NAT Session Setup Rate [sps] (sessions per second)

    Average # of new sessions per user, during peak hours

    Huge load during failover scenarios or after a power blackout

    Failing to cope with SPS = huge TCP delays, timeouts/retransmissions

    Session limit per user

    Maximum # of Concurrent Sessions per User

    AJAX-based applications with tens/hundreds of TCP sessions

    Eg. Relaunching Firefox with Tabs opens hundreds of sessions

    Maximum Number of Sessions per CGN

    Average # of Concurrent Sessions per User, during peak hours

    UDP must not expire in less than 2 minutes (RFC4787)

    UDP/TCP timers for Initializing and Established sessions should be configurable

  • Slide 49/111

    L (Low-scale) Scenario: 3G mobile users, smart-phones

    M (Medium-scale) Scenario: ADSL subscribers, PC users with 3G/4G dongles, tablets, WiFi and top smart-phone users

    H (High-scale) Scenario: heavy broadband users, Internet sharing

    100K BB users = up to 100K sps and 10 Mcs (concurrent sessions) during peak hour!

  • Slide 50/111

    NAT timers

    IOS XR defaults:
    Type | Default Value
    ICMP | 60 sec
    UDP init | 30 sec
    UDP active | 120 sec
    TCP init | 120 sec
    TCP active | 30 min
    *) Default refresh direction is bidirectional (configurable to outbound only)

    IOS XE (ASR1000) defaults:
    timeout: 86,400 seconds (24 hours)
    udp-timeout: 300 seconds (5 minutes)
    dns-timeout: 60 seconds (1 minute)
    tcp-timeout: 86,400 seconds (24 hours)
    finrst-timeout: 60 seconds (1 minute)
    icmp-timeout: 60 seconds (1 minute)
    pptp-timeout: 86,400 seconds (24 hours)
    syn-timeout: 60 seconds (1 minute)

    51/111

    High Availability scenarios

    Intra-chassis, inter-chassis

    Active/Standby, Active/Active

    Stateful or stateless? Millions of short-lived Layer-4 sessions

    Stateful sync makes no sense for such ephemeral state (memory & CPU); e.g. ASR1000 does not sync http

    Stateless redundancy

    1 Msps = 100K active users (10 Mcs) are up in 10 s, minimal loss

    Load-sharing = simple ECMP routing

    Best Practice: Simple Non-Revertive 1:1 Warm Standby

    52/111

    Data Retention Law compliance, user trackability

    Who posted content to a server on Tue at 8:09:10pm? Global IP:port -> CGN Log -> Private IP:port -> MSISDN

    Directive 2006/24/EC - Data Retention
    http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML

    Logging Format

    Must be fast and efficient (binary format); Syslog is very chatty, inefficient ASCII encoding

    1 Msps = cca 176 Mbps, 14.7 Kpps

    Netflow v9 or IPFIX

    21B add-event, 11B delete-event

    Compare to ASCII syslog (113B for add-event)!

    Up to 68 add-events per 1500B export packet

    Dynamic, template-based format

    53/111

    Add Event, Template 256 (21B)

    Field ID  Attribute                      Value
    234       Incoming VRF ID                32 bit ID
    235       Outgoing VRF ID                32 bit ID
    8         Source IP Address              IPv4 Address
    225       Translated Source IP Address   IPv4 Address
    7         Source Port                    16 bit port
    227       Translated Source Port         16 bit port
    4         Protocol                       8 bit value

    Delete Event, Template 257 (11B)

    Field ID  Attribute                      Value
    234       Incoming VRF ID                32 bit ID
    8         Source IP Address              IPv4 Address
    7         Source Port                    16 bit port
    4         Protocol                       8 bit value

    Tip: IsarFlow tested CGN NFv9 Collector

    54/111

    Collector Performance: 100K users, average and peak

    Reality check: 100K CGN users would consume 3.5TB storage per year (compressed, fully SQL searchable data)

    E-Shop: 4TB disk, 300 Euro

    Storage Capacity includes per-day user behavior

    No need to bother with logging reduction

    55/111

    Destination Based Logging and data analytics: keep and log destination IP:port

    Just like in a Symmetric NAT/Firewall, but still keep EIM/EIF

    Usage

    Servers that do not log port (Apache default)

    Data Analytics (full Netflow-like info)

    Per-user functions (Firewall, LI, AAA) still must be done on private IP (before NAT).

    56/111

    Add Event, Template 271 (27B)

    Field ID  Attribute                      Value
    234       Incoming VRF ID                32 bit ID
    235       Outgoing VRF ID                32 bit ID
    8         Source IP Address              IPv4 Address
    225       Translated Source IP Address   IPv4 Address
    7         Source Port                    16 bit port
    227       Translated Source Port         16 bit port
    12        Destination Address            IPv4 Address
    11        Destination Port               16 bit port
    4         Protocol                       8 bit value

    NAT44: Add Event, Template 271 (27B); Delete Event, Template 272 (17B)

    NAT64: Add Event, Template 260 (47B); Delete Event, Template 261 (37B)

    Tip: IsarFlow tested CGN NFv9 Collector
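    To make the byte counts concrete, here is an added example (not from the deck or from Cisco) that encodes and decodes NetFlow v9 export packets for the NAT44 add/delete templates 256 and 257 and the DBL add template 271, and derives the 68 records per packet, 14.7 Kpps and 176 Mbps figures quoted for 1 Msps. Template IDs, field IDs and field sizes are the slide values; the per-packet header overhead and the sample session are assumptions made for the demonstration.

```python
# Added example, not from the Cisco deck: NetFlow v9 encoder/decoder for the CGN
# NAT44 logging templates listed on the slides, plus the export sizing arithmetic.
# Field/template IDs and sizes are the slide values; sample data is constructed.
import struct
import ipaddress

# NFv9 field type -> (record key, length in bytes), as listed for templates 256/257/271
FIELDS = {
    234: ("in_vrf", 4), 235: ("out_vrf", 4),
    8: ("src_ip", 4), 225: ("xlate_src_ip", 4),
    7: ("src_port", 2), 227: ("xlate_src_port", 2),
    12: ("dst_ip", 4), 11: ("dst_port", 2),
    4: ("proto", 1),
}
TEMPLATES = {
    256: [234, 235, 8, 225, 7, 227, 4],          # NAT44 add event (21 B)
    257: [234, 8, 7, 4],                          # NAT44 delete event (11 B)
    271: [234, 235, 8, 225, 7, 227, 12, 11, 4],  # DBL add event (27 B)
}
# version, count, sysUptime, unixSecs, sequence, sourceId
NFV9_HEADER = struct.Struct("!HHIIII")


def record_len(tid):
    """Data record size for a template: sum of its field sizes."""
    return sum(FIELDS[f][1] for f in TEMPLATES[tid])


def pack_record(tid, rec):
    out = b""
    for f in TEMPLATES[tid]:
        key, size = FIELDS[f]
        val = rec[key]
        if key.endswith("_ip"):
            val = int(ipaddress.IPv4Address(val))
        out += int(val).to_bytes(size, "big")
    return out


def build_export(tid, records, seq=0, source_id=1, uptime_ms=0, unix_secs=0):
    """One export packet: template flowset (id 0) + one data flowset with the records."""
    tmpl = struct.pack("!HH", tid, len(TEMPLATES[tid]))
    for f in TEMPLATES[tid]:
        tmpl += struct.pack("!HH", f, FIELDS[f][1])
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = b"".join(pack_record(tid, r) for r in records)
    pad = (-len(data)) % 4                      # flowsets are padded to 32-bit boundaries
    data_fs = struct.pack("!HH", tid, 4 + len(data) + pad) + data + b"\0" * pad
    hdr = NFV9_HEADER.pack(9, 1 + len(records), uptime_ms, unix_secs, seq, source_id)
    return hdr + tmpl_fs + data_fs


def parse_export(pkt):
    """Collector side: learn templates from flowset 0, then decode data records.
    Returns a list of (template_id, record dict)."""
    version = NFV9_HEADER.unpack_from(pkt)[0]
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], NFV9_HEADER.size
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        body = pkt[off + 4:off + fs_len]
        off += fs_len
        if fs_id == 0:                               # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, p)
                templates[tid] = [struct.unpack_from("!HH", body, p + 4 + 4 * i)
                                  for i in range(n)]
                p += 4 + 4 * n
        elif fs_id in templates:                     # data flowset for a known template
            spec = templates[fs_id]
            rlen = sum(size for _, size in spec)
            for p in range(0, len(body) - rlen + 1, rlen):
                rec, q = {}, p
                for ftype, size in spec:
                    key = FIELDS.get(ftype, ("field%d" % ftype, size))[0]
                    val = int.from_bytes(body[q:q + size], "big")
                    rec[key] = str(ipaddress.IPv4Address(val)) if key.endswith("_ip") else val
                    q += size
                records.append((fs_id, rec))
    return records


def export_capacity(tid, sps, mtu=1500):
    """Records per MTU-sized export packet and the resulting pps / Mbps at `sps`
    events per second. Assumes IPv4 (20 B) + UDP (8 B) headers, the 20 B NFv9
    header and one 4 B data flowset header per packet (templates sent separately)."""
    per_pkt = (mtu - 20 - 8 - NFV9_HEADER.size - 4) // record_len(tid)
    pps = sps / per_pkt
    mbps = pps * mtu * 8 / 1e6
    return per_pkt, pps, mbps


if __name__ == "__main__":
    # Constructed session values (the inside/outside pairs from the syslog example)
    add = {"in_vrf": 1, "out_vrf": 2, "src_ip": "10.1.32.45", "xlate_src_ip": "100.1.1.28",
           "src_port": 12544, "xlate_src_port": 12671, "proto": 6}
    print(parse_export(build_export(256, [add])))
    print("1 Msps on template 256: %d records/packet, %.0f pps, %.1f Mbps"
          % export_capacity(256, 1_000_000))
```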

    57/111

    Syslog (ASCII) cannot really log at full speed

    Example (RFC5424 compliant):

    1 2011 May 31 10:30:45 192.168.2.3 - - NAT44[UserbasedA - 10.1.32.45 INVRFA100.1.1.2812544 12671]

    Huge load (compare 113 or 250 B for syslog and 21 B for Netflow v9)

    Both Syslog and Netflow are UDP, but syslog misses the sequence #

    Solution: Bulk port range allocation

    Pre-allocates a port-set per user (e.g. 512 ports)

    PROS: Log size reduction (is it a problem today?)

    CONS: breaks randomization (port guessing attacks), cannot log the destination

    SDNAT (Stateless Deterministic NAT), aka. Algorithmic NAT

    No logging at all, but

    Unrealistic requirements (e.g. control of host stack and A+P routing changes)

    58/111

    Normal non-bulk port allocation is random

    Random ports, prefer IP address with at least 1/3rd free ports

    The first 1024 ports are reserved (never allocated)

    Paired pooling behavior and port parity preservation during allocation

    Problem: bulk port alloc may break TCP port randomization

    Algorithms in host stacks prevent guessing for TCP hijacking

    Implementation

    When a subscriber creates its first connection, N contiguous outside ports are pre-allocated (additional connections, up to N, use one of the pre-allocated ports).

    A bulk-allocation message is logged for the port range; a bulk-delete is logged if no more sessions remain in this range.

    Example: bulk-port-alloc size 512

    59/111

    Add Event, Template 265

    Field ID  Field                                 Size
    234       Incoming VRF ID                       4 bytes
    235       Outgoing VRF ID                       4 bytes
    8         Incoming/Inside Source IPv4 Address   4 bytes
    225       Translated Source IPv4 Address        4 bytes
    295       Translated Source Port Start          2 bytes
    296       Translated Source Port End            2 bytes

    Delete Event, Template 266

    Field ID  Field                                 Size
    234       Incoming VRF ID                       4 bytes
    8         Incoming/Inside Source IPv4 Address   4 bytes
    295       Translated Source Port Start          4 bytes

    NOTE: Bulk Port Allocation is mutually exclusive with Destination Based Logging (DBL).
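    The allocation rules from slide 58 and the logging trade-off of bulk port allocation, as an added toy model that is not the deck's or Cisco's code: it implements random per-session allocation (ports below 1024 reserved, prefer an address with at least a third of its ports free, paired pooling, parity preservation) next to bulk mode with N contiguous ports per subscriber, and counts the add/delete versus bulk-alloc/bulk-delete events the two modes generate. Public addresses, the inside host and the workload are constructed values.

```python
# Added example, not the deck's or Cisco's code: a toy model of the CGN outside-port
# allocator described above (ports < 1024 reserved, random pick, prefer an address with
# at least 1/3 of its ports free, paired pooling, port parity preservation) with an
# optional bulk mode that hands each subscriber N contiguous ports and logs one
# bulk-alloc / bulk-delete event per block instead of one add/delete per session.
import random
from collections import defaultdict

FIRST_PORT, LAST_PORT = 1024, 65535           # the first 1024 ports are never allocated
PORTS_PER_ADDR = LAST_PORT - FIRST_PORT + 1   # 64512 usable ports per public address


class PortAllocator:
    def __init__(self, public_ips, bulk_size=0, seed=1):
        self.rng = random.Random(seed)        # seeded only so the demo is reproducible
        self.free = {ip: set(range(FIRST_PORT, LAST_PORT + 1)) for ip in public_ips}
        self.bulk_size = bulk_size            # 0 = per-session allocation
        self.paired = {}                      # inside IP -> outside IP (paired pooling)
        self.blocks = defaultdict(list)       # inside IP -> [(outside IP, block start)]
        self.sessions = {}                    # (inside IP, inside port) -> (outside IP, port)
        self.log = []                         # add / delete / bulk-alloc / bulk-delete events

    def _choose_ip(self, inside_ip):
        if inside_ip in self.paired:          # all sessions of a subscriber share one IP
            return self.paired[inside_ip]
        roomy = [ip for ip, f in self.free.items() if len(f) >= PORTS_PER_ADDR // 3]
        ip = self.rng.choice(roomy) if roomy else max(self.free, key=lambda i: len(self.free[i]))
        self.paired[inside_ip] = ip
        return ip

    def _random_port(self, ip, parity):
        free = self.free[ip]
        for _ in range(1000):                 # random pick, retry while the port is in use
            p = self.rng.randint(FIRST_PORT, LAST_PORT)
            if p % 2 == parity and p in free:
                return p
        cands = [p for p in free if p % 2 == parity]   # nearly exhausted: scan instead
        if not cands:
            raise RuntimeError("outside address exhausted")
        return self.rng.choice(cands)

    def _bulk_port(self, inside_ip, ip, parity):
        n = self.bulk_size
        for bip, start in self.blocks[inside_ip]:      # reuse a block with a free port
            for p in range(start, start + n):
                if bip == ip and p % 2 == parity and p in self.free[ip]:
                    return p
        starts = [s for s in range(FIRST_PORT, LAST_PORT + 1, n)
                  if all(p in self.free[ip] for p in range(s, s + n))]
        if not starts:
            raise RuntimeError("no free port block left")
        start = self.rng.choice(starts)                # block chosen at random, size-aligned
        self.blocks[inside_ip].append((ip, start))
        self.log.append(("bulk-alloc", inside_ip, ip, start, start + n - 1))
        return start if start % 2 == parity else start + 1

    def allocate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key in self.sessions:
            return self.sessions[key]
        ip = self._choose_ip(inside_ip)
        parity = inside_port % 2                        # parity preservation (RTP/RTCP pairs)
        port = (self._bulk_port(inside_ip, ip, parity) if self.bulk_size
                else self._random_port(ip, parity))
        self.free[ip].discard(port)
        self.sessions[key] = (ip, port)
        if not self.bulk_size:
            self.log.append(("add", inside_ip, inside_port, ip, port))
        return ip, port

    def release(self, inside_ip, inside_port):
        ip, port = self.sessions.pop((inside_ip, inside_port))
        self.free[ip].add(port)
        if not self.bulk_size:
            self.log.append(("delete", inside_ip, inside_port, ip, port))
            return
        n = self.bulk_size
        for bip, start in list(self.blocks[inside_ip]):
            still_used = any(xip == bip and start <= p < start + n
                             for (iip, _), (xip, p) in self.sessions.items() if iip == inside_ip)
            if not still_used:                          # last session in the block is gone
                self.blocks[inside_ip].remove((bip, start))
                self.log.append(("bulk-delete", inside_ip, bip, start, start + n - 1))


def run_workload(bulk_size, sessions=600):
    """Constructed workload: one subscriber opens `sessions` flows, then closes them all.
    Returns (log events, outside ports used, parity preserved?, distinct outside IPs)."""
    alloc = PortAllocator(["198.51.100.1", "198.51.100.2"], bulk_size=bulk_size)
    inside_ip = "10.1.32.45"
    mapped = [alloc.allocate(inside_ip, 40000 + i) for i in range(sessions)]
    parity_ok = all((40000 + i) % 2 == p % 2 for i, (_, p) in enumerate(mapped))
    for i in range(sessions):
        alloc.release(inside_ip, 40000 + i)
    return len(alloc.log), sorted(p for _, p in mapped), parity_ok, len({ip for ip, _ in mapped})


if __name__ == "__main__":
    for size in (0, 512):
        events, ports, parity_ok, n_ips = run_workload(size)
        blocks = len({(p - FIRST_PORT) // 512 for p in ports})
        print("bulk=%d: %d log events, %d blocks of 512 touched, parity ok=%s, ips=%d"
              % (size, events, blocks, parity_ok, n_ips))
```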

    60/111

    [Figure: NAT44 placement. Option 1: eNB - SGW - PGW with NAT44 - public IPv4. Option 2: eNB - SGW - PGW - private IPv4 - CGN/CGv6 (NAT44) - public IPv4]

    Option 1: NAT on BNG/PGW/GGSN (per-subscriber)

    Key Benefits: Subscriber-aware NAT
    - per subscriber control
    - per subscriber accounting
    Large scale (further enhanced by distribution)
    Highly available (incl. geo-redundancy)
    Cisco ASR5000

    Option 2: NAT on Internet Gateway (as far from subscribers as possible)

    Key Benefits: Integrated NAT for multiple administrative domains (operational separation)
    Large scale
    Overlapping private IPv4 domains (e.g. w/ VPNs)
    Cisco Internet Gateways: CRS, GSR, ASR9K, ASR1K

    BEST PRACTICE

    On PGW put revenue-generating services (charging, firewall, ...)

    On Internet Gateway put infrastructural functions (BGP, CGN, ...)

    61/111

    NAT vs. Firewall

    Firewall motivation is inbound filtering

    ALGs are required; NAT can be used or not

    CGN motivation is the IPv4 exhaust solution

    Maximum simplicity, transparency, massive logging

    [Figure: eNB - SGW - PGW - private IPv4 - CGN/CGv6 (NAT44) - public IPv4]

    DPI, LI, AAA, Firewalling must be done on private address space; after NAT it would be too late (NAT hides the user's L3 identity). CGN is one of the last operations before the packet goes to the Internet.

    62/111

    Gi Firewall

    Protects against overcharging for usage-billed (non flat-fee) APNs

    Protects against network scans waking phones from fast dormancy state (battery drain)

    CGN does not help; a real firewall is needed

    [Figure: three placements. Solution 1: PGW/GGSN (PDP, LI, DPI) - separate Gi FW (Firewall, ALGs, no NAT) - IGW (CGN, logging) - public IPv4. Solution 2: PGW/GGSN with per-PDP Firewall (PDP, LI, DPI, ALG; no NAT) - IGW (CGN, logging) - public IPv4. Solution 3: PGW/GGSN with per-PDP Firewall & NAT (PDP, LI, DPI, ALG) - IGW (BGP) - public IPv4]

    63/111

    Current Situation

    Massive growth of mobile data traffic and of the number of mobile end-points

    IPv4 run out: most operators started to deploy NAT44

    Offload NAT44 infrastructure

    IPv6 traffic bypasses NAT44

    After W6L, IPv6 content and video comes

    Regulation and new standards

    IPv6 will become cheaper (e.g. bigger volume quotas or no FUP for v6)

    Ultimately: IPv4 space pollution -> IPv6: faster, cleaner and better Internet

    64/111

    Motivation

    World IPv6 Launch 6/6/2012

    Carrier-Grade NAT

    Definition and design

    Dual-stack

    v4v6, v6-only, NAT64, 464

    IPv6 in Mobile

    Role in 3G and EPS

    IPv6 in Wireline

    PPPoE and IPoE sessions

    Cisco CGN Products

    ASR1000, ASR5000, ASR9000, CRS

    65/111

    Dual-Stack: The classic RFC 4213 solution

    Logical deployment choice when one has little control over the end-point

    3GPP/3GPP2 architectures support Dual-Stack, as well as Wireline (Broadband/DSL Forum, DOCSIS)

    IPv6 endpoint enablement: handset upgrade often required to get IPv6 or Dual-Stack (both stacks active at a time)

    DSL/FTTH/Cable CPE: no s/w upgrades, new RFP needed

    IMS/VoIP mass market (80% of all phones are still voice-focused handsets)

    Deploying IPv6 in dual stack does not solve IPv4 address exhaustion: CGN needed

    [Figure: dual-stack host with private IPv4 and IPv6; IPv4 traffic passes the CGN to public IPv4, IPv6 traffic goes natively]

    66/111

    I get AAAA, I have IPv6 configured locally (SLAAC). But what if the IPv6 network is broken?

    Behavior of a typical Web Browser

    draft-ietf-v6ops-happy-eyeballs http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_13-3/133_he.html

    67/111

    Slide courtesy of Teemu Savolainen (presented at v6ops, IETF 80)

    draft-ietf-v6ops-happy-eyeballs suggests sending 2 TCP SYNs, IPv4 and IPv6

    http://tools.ietf.org/html/draft-ietf-v6ops-happy-eyeballs-02

    68/111

    Happy Eyeballs: improving end user experience

    draft-ietf-v6ops-happy-eyeballs http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_13-3/133_he.html

    NOTE: this impacts CGN44: high session setup rate [sps]

    Implementations: Firefox 10, Chrome (last stable), OSX 10.7 Lion getaddrinfo() / Safari, iPhone iOS 4.3.1

    69/111

    IPv6/MPLS Core is easy. The Access is difficult.

    [Figure: end-to-end IPv6 access architecture: User (OS v6 stack) - RG (IPv6 LAN / IPv6 WAN) - Access Node (DSLAM, MSAN, OLT...; DHCPv6 snooping, LDRA/Opt37, ICMPv6 snooping) - Aggregation (ICMPv6 snooping) - BNG (IPv6 PE/VPE, IPv6 routing, AAA/DHCP, IPv6 parameters, DHCPv6) - Core (IPv6 routing, MPLS 6PE/6VPE); IPv6 NMS, NMS/addressing and IPv6 security at each layer]

    Why can't today's broadband user just access the IPv6 Internet?

    Key problem with native v6: Access Node (DSLAM, MSAN, OLT, FTTX switch), CPE (new box needed), sometimes BRAS/GGSN (no dual-stack sessions)

    Tunneling IPv6 over existing PPPoE (dual-stack pppoe) or IPv4 infrastructure (6RD) provides a transition solution with a minimal number of touch points

    70/111

    Broadband PPP Access

    Dual-stack IPv6 and IPv4 supported over a shared PPP session with v4 and v6 NCPs running as ships in the night.

    IPCP assigns IPv4; IPv6CP + DHCP-PD assigns IPv6

    ASR1000: dual-stack pppoe (16-64k sessions), no extra BRAS sessions required, ISGv6 supported

    Broadband IPoE Access: currently 2 sessions are needed, v4 and v6

    ASR1000: ISGv6 supports IPv6 Sessions (unclassified ipv6 prefix based)

    Future: dual-stack v4v6 session is being worked on in BBF (Broadband Forum, ex DSL Forum)

    Mobile Access: four types of PDP/PDN contexts: PPP (legacy), IPv4, IPv6, new IPv4v6 (introduced in 3GPP Rel 9)

    ASR5000: Cisco's Packet Core solution

    Dual-stack capable UEs are to request IPv4v6 PDN (MIPv6, complex roaming scenarios, etc.)

    [Figure: PPP session carrying IPv4 + IPv6; IPoE: VLAN / L2 session with a separate IPv4 session and IPv6 session; Mobile: IPv4v6 PDN carrying IPv4 + IPv6]

    71/111

    Use Dual-stack PPPoE

    [Figure: Customer - Access - Aggregation - Edge (BNG) - Core (IP/MPLS)]

    Native Dual-Stack IPv4/IPv6 service on RG LAN side

    NO changes in existing Access/Aggregation Infrastructure

    One PPPoE session per Address Family (IPv4 or IPv6) or one PPPoE session carrying both IPv4 and IPv6 NCPs running as ships in the night

    Dual stack must not consume extra BNG session state

    SLAAC or DHCPv6 can be used to number the WAN link with a Global address

    DHCPv6-PD is used to delegate a prefix for the Home Network

    PPPoE Tag Line-id authentication, Radius IPv6 attributes as per RFC 3162

    Dual-stack PPPoE support in hardware: ASR1000 (32K+ sessions with features), ASR9000 (end of 2012)

    72/111

    Use 6RD: Rapid Deployment (RFC 5969)

    [Figure: CPE = 6rd RG (Remote Gateway) with IPv4 + IPv6 LAN - IPv4 access - IGW = 6rd BR (Border Relay) with CGN - IPv4 + IPv6 Core / Internet]

    IPv6 Destination = inside 6rd domain: encapsulate in IPv4, protocol 41 (address extracted from the v6 prefix that contains the v4 part)

    IPv6 Destination = outside 6rd domain: encapsulate in IPv4 for the BR

    6rd (Rapid Deployment)

    Automatic tunneling of 6 in 4: simple and stateless CPE, uses the /32 prefix of the ISP

    Large deployments (Free France, AT&T US, DSL and Cable)

    Linksys CPE support: http://home.cisco.com/en-us/ipv6

    Replaces classic 6to4 tunneling (2002::/16 being obsoleted by IETF)

    6RD BR support in hardware: 7600 ES+, ASR1000, CRS CGSE

    Residence's IPv6 subnet is constructed from: ISP's IPv6 Prefix + RG IPv4 Address + Subnet ID + Interface ID (boundaries at /56, /64, /128)
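    The 6rd prefix construction and the tunnel-endpoint decision described above, as an added example that is not from the deck or from Cisco: it derives a CE's delegated prefix per RFC 5969, recovers the embedded IPv4 address on the way back, picks the IPv4 tunnel endpoint (embedded address inside the domain, BR outside it) and builds the protocol-41 IPv4 encapsulation. Domain parameters and addresses are constructed from documentation ranges, and IPv4MaskLen = 8 is an assumption chosen so that the ISP /32 plus the RG address yields the /56 shown on the slide.

```python
# Added example, not from the deck or Cisco: the 6rd (RFC 5969) address derivation
# and the CE's tunnel-endpoint decision described above, plus the IPv4 protocol-41
# encapsulation. Domain parameters and addresses are constructed (documentation ranges);
# IPv4MaskLen=8 is assumed to reproduce the /56 delegated prefix shown on the slide.
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class SixRdDomain:
    prefix: ipaddress.IPv6Network       # 6rdPrefix / 6rdPrefixLen (the ISP's /32 here)
    ipv4_mask_len: int                  # IPv4MaskLen: leading IPv4 bits common to the domain
    br_ipv4: ipaddress.IPv4Address      # BRIPv4Address

    @property
    def delegated_len(self):
        # 6rdPrefixLen + (32 - IPv4MaskLen): /32 + 24 embedded bits = /56
        return self.prefix.prefixlen + 32 - self.ipv4_mask_len


def make_domain(prefix, ipv4_mask_len, br_ipv4):
    return SixRdDomain(ipaddress.IPv6Network(prefix), ipv4_mask_len,
                       ipaddress.IPv4Address(br_ipv4))


def delegated_prefix(dom, ce_ipv4):
    """6rd delegated prefix for a CE: 6rdPrefix followed by the CE's IPv4 address
    with its first IPv4MaskLen bits removed."""
    v4 = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << (32 - dom.ipv4_mask_len)) - 1)
    v6 = int(dom.prefix.network_address) | (v4 << (128 - dom.delegated_len))
    return ipaddress.IPv6Network((v6, dom.delegated_len))


def embedded_ipv4(dom, ipv6, own_ipv4):
    """Reverse step: recover the IPv4 address embedded in a 6rd-domain IPv6 address.
    The IPv4MaskLen common bits are taken from the node's own IPv4 address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in dom.prefix:
        return None
    n = 32 - dom.ipv4_mask_len
    low = (int(addr) >> (128 - dom.delegated_len)) & ((1 << n) - 1)
    high = int(ipaddress.IPv4Address(own_ipv4)) & ~((1 << n) - 1) & 0xFFFFFFFF
    return ipaddress.IPv4Address(high | low)


def tunnel_endpoint(dom, dst_ipv6, own_ipv4):
    """CE forwarding rule: destination inside the 6rd domain -> tunnel directly to the
    IPv4 address extracted from it; outside the domain -> tunnel to the BR."""
    inside = embedded_ipv4(dom, dst_ipv6, own_ipv4)
    return inside if inside is not None else dom.br_ipv4


def ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(src_ipv4, dst_ipv4, ipv6_packet, ttl=64):
    """Wrap an IPv6 packet in an IPv4 header with protocol 41 (6in4), as the 6rd CE/BR do."""
    if ipv6_packet[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    src = ipaddress.IPv4Address(src_ipv4).packed
    dst = ipaddress.IPv4Address(dst_ipv4).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0, ttl, 41, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


if __name__ == "__main__":
    dom = make_domain("2001:db8::/32", 8, "198.51.100.1")
    ce = "198.51.100.37"                                          # constructed RG address
    print(delegated_prefix(dom, ce))                              # 2001:db8:3364:2500::/56
    print(tunnel_endpoint(dom, "2001:db8:3364:2500::1", ce))      # 198.51.100.37 (inside domain)
    print(tunnel_endpoint(dom, "2001:db9::1", ce))                # 198.51.100.1 (via the BR)
```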
    73/111

    The One-Stack View

    [Figure: axes are Operations & Deployment Cost/Complexity vs. majority IP in the operator network (IPv4 -> IPv6). Columns: CGN + 6rd; Dual-Stack, Dual-Stack Lite, Stateful NAT64; Stateless NAT64/DIVI, Stateless 4o6/4RD. Annotations: "One Network. Addresses run-out and enables IPv6 connectivity over IPv4 infra"; "Two Networks!! Big CGN in IPv6 network. IPv6 can't talk to IPv4"; "One Network. SP-class XLAT is the IPv6 transition vehicle for 6-4 and 4-6-4 cases"; "Where we are right now"; "Being asked to go here next"]

    74/111

    IPv6 and Large Scale Address Family Translation

    AFT64 technology is only applicable in the case where there are IPv6-only end-points that need to talk to IPv4-only end-points.

    NAT64 for going from IPv6 to IPv4.

    NAT64 and DNS64 is the solution

    NAT-PT is obsoleted by IETF (due to stateful DNS)

    See also draft-ietf-behave-v6v4-framework, draft-ietf-behave-v6v4-xlate, draft-ietf-behave-v6v4-xlate-stateful (now RFC 6144, 6145, 6146)

    [Figure: eNB - Serving Gateway - PGW (public IPv6) - NAT64 - public IPv4]

    75/111

    Stateful AFT64

    [Figure: IPv6 UE (any IPv6 address) - NAT64 / LSN64 - public IPv4; on the IPv6 side, IPv6 addresses representing IPv4 hosts]

    IPv4-Mapped IPv6 Addresses: format PREFIX:IPv4 Portion:(optional Suffix)

    PREFIX:: announced in IPv6 IGP

    N:1: multiple IPv6 addresses map to a single IPv4 (LSN IPv4 address announced)

    DNS64: responsible for synthesizing IPv4-Mapped IPv6 addresses

    A Records with IPv4 address -> AAAA Records with synthesized address: PREFIX:IPv4 Portion

    Stateful AFT64: AFT keeps binding state between inner IPv6 address and outer IPv4+port

    Application dependent, just like NAPTv4*

    *Note: ALGs for NAT64 and NAT44 are not necessarily the same; they should be avoided in CGN

    76/111

    Stateless AFT64

    [Figure: IPv6 UE - stateless NAT64 / LSN64 - public IPv4]

    IPv6 addresses assigned to IPv6 hosts: IPv4-Translatable IPv6 addresses, format PREFIX:IPv4 Portion:(SUFFIX)

    IPv6 addresses representing IPv4 hosts: IPv4-Mapped IPv6 addresses, format PREFIX:IPv4 Portion:(SUFFIX)

    0::0 announced in IPv6 IGP

    1:1: a single IPv6 address maps to a single IPv4 (ISP's IPv4 LIR address announced)

    DNS64: responsible for synthesizing IPv4-Mapped IPv6 addresses

    Incoming responses: A Records with IPv4 address -> AAAA Records with synthesized address: PREFIX:IPv4 Portion:(SUFFIX)

    Outgoing responses: A Records with IPv4 Portion

    Stateless AFT64: AFT keeps no binding state; the IPv6 <-> IPv4 mapping is computed algorithmically

    Application dependent still

    *USAGE: 464 DIVI (MAP-T) or v6 DataCenter (Internet-v4 accesses v6 content)
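    The PREFIX:IPv4 Portion address format that both the stateful and the stateless AFT64 slides rely on, as an added example that is not from the deck or from Cisco: it implements the RFC 6052 IPv4-embedded IPv6 encoding for all allowed prefix lengths (including the zero 'u' octet for prefixes shorter than /96), a minimal DNS64 synthesis step, and the two translator flavours side by side (stateful N:1 with per-flow bindings, stateless 1:1 with everything computed). Prefixes, hosts and the public IPv4 pool address are constructed values from documentation ranges.

```python
# Added example, not from the deck or Cisco: the IPv4-embedded IPv6 address format
# (RFC 6052, "PREFIX:IPv4 portion:(suffix)" above) used by NAT64 and DNS64, with a
# minimal DNS64 synthesis step and the two translator flavours from the slides:
# stateful N:1 (binding state per flow) and stateless 1:1 (everything computed).
# Prefixes and hosts are constructed values from documentation ranges.
import ipaddress

VALID_PREFIX_LENS = (32, 40, 48, 56, 64, 96)


def embed_ipv4(prefix, ipv4):
    """PREFIX | IPv4 bits | zero suffix. For prefixes shorter than /96 the IPv4 bits
    skip bits 64-71 (the 'u' octet), which RFC 6052 requires to stay zero."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in VALID_PREFIX_LENS:
        raise ValueError("NAT64 prefix must be /32, /40, /48, /56, /64 or /96")
    bits = int(net.network_address)
    v4 = int(ipaddress.IPv4Address(ipv4))
    pos = net.prefixlen
    for i in range(32):
        if pos == 64:
            pos = 72
        bits |= ((v4 >> (31 - i)) & 1) << (127 - pos)
        pos += 1
    return ipaddress.IPv6Address(bits)


def extract_ipv4(prefix, ipv6):
    """Inverse of embed_ipv4; None when the address is not under the NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    val, pos, v4 = int(addr), net.prefixlen, 0
    for _ in range(32):
        if pos == 64:
            pos = 72
        v4 = (v4 << 1) | ((val >> (127 - pos)) & 1)
        pos += 1
    return ipaddress.IPv4Address(v4)


def dns64_answer(prefix, rrset):
    """DNS64: if the name already has AAAA records, return them; otherwise synthesize
    one AAAA per A record. `rrset` is a list of (type, address) pairs."""
    aaaa = [addr for rtype, addr in rrset if rtype == "AAAA"]
    if aaaa:
        return aaaa
    return [str(embed_ipv4(prefix, addr)) for rtype, addr in rrset if rtype == "A"]


class StatefulNat64:
    """N:1 stateful AFT64: many IPv6 sources share one public IPv4 address;
    a (source IPv6, source port) -> outside port binding is kept per flow."""

    def __init__(self, prefix, public_ipv4, first_port=1024):
        self.prefix, self.public_ipv4 = prefix, public_ipv4
        self.next_port = first_port
        self.bindings = {}

    def translate_out(self, src_ipv6, src_port, dst_ipv6, dst_port):
        dst4 = extract_ipv4(self.prefix, dst_ipv6)
        if dst4 is None:
            return None                 # native IPv6 destination: no translation
        key = (src_ipv6, src_port)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 1
        return (self.public_ipv4, self.bindings[key], str(dst4), dst_port)


def stateless_translate_out(src_prefix, dst_prefix, src_ipv6, src_port, dst_ipv6, dst_port):
    """1:1 stateless AFT64: the host's IPv4-translatable source address and the
    IPv4-mapped destination both decode algorithmically; nothing is stored."""
    src4, dst4 = extract_ipv4(src_prefix, src_ipv6), extract_ipv4(dst_prefix, dst_ipv6)
    if src4 is None or dst4 is None:
        return None
    return (str(src4), src_port, str(dst4), dst_port)


if __name__ == "__main__":
    print(dns64_answer("64:ff9b::/96", [("A", "192.0.2.33")]))
    nat = StatefulNat64("64:ff9b::/96", "203.0.113.10")
    print(nat.translate_out("2001:db8::a", 40000, "64:ff9b::c000:221", 443))
    print(stateless_translate_out("2001:db8::/32", "64:ff9b::/96",
                                  "2001:db8:cb00:7101::", 40000, "64:ff9b::c000:221", 443))
```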

    77/111

    draft-mdt-softwire-map-translation-00 (MAP-T)

    Demo code ready (ASR1000, World V6 Congress demo)

    Employs port-restricted NAT44 + stateless NAT46 for allowing IPv4-only host access to the IPv4 Internet. Also enables IPv6-only devices to access the IPv4 Internet.

    Algorithmic mapping (based on configured or well-known schema) of IPv4 ports to/from IPv6 address; encapsulation employs IPv4-embedded IPv6 addresses

    Stateless NAT64. Can also be enabled in stateful mode for other IPv6-only clients

    IPv6 hosts use native addressing and IPv6 routing to the public IPv6 Internet

    [Figure: IPv4-only private host - CPE (stateful NAT46 + port-set) - IPv6 - Gateway (stateless NAT64) - IPv4-Public / IPv6]

    Stateless NAT64 applied (dIVI, dual46, or 464)

    78/111

    [Figure: top: IPv4-only private host - CPE (stateful NAT44, port-restricted + v6 encaps) - IPv6 - Gateway (stateless relay) - IPv4-Public. Bottom, DS-Lite: IPv4-only private host - CPE (B4, no NAT, v6 tunneling) - IPv6 - BR / CGN44 (AFTR, stateful NAT44) - IPv4-Public]

    DS-Lite (draft-ietf-softwire-dual-stack-lite): it is available today (CRS/ASR9K, some CPEs)

    Removes NAT44 from the CPE where it is today, and moves it to the central CGN

    Dumb tunneling, no user-to-user v4 traffic (everything must go to the central AFTR)

    Future, no rough consensus in IETF yet

    4RD (draft-despres-softwire-4rd-u): header mapping from 4 to 6 (with fragment hdr)

    MAP-E (draft-mdt-softwire-map-encapsulation): tunneling 4 over 6

    Keep NAT44 on the CPE where it is today, just add port restriction to tackle the v4 exhaust

    Avoids central stateful CGN

    79/111

    Concept (draft-ietf-softwire-gateway-init-ds-lite)

    [Figure: UE - PGW - access tunnels (Tunnel1/CID-1, Tunnel2/CID-2) over IP/MPLS - Carrier Grade NAT (CGN) with NA(P)T 44 flow association - public IPv4 Internet. Example bindings: VPN1 10.1.1.1 TCP/4444 -> 134.95.166.10 TCP/7777; VPN2 10.1.1.1 TCP/5555 -> 134.95.166.10 TCP/8888]

    Inner portion of the NAT binding identified by the combination of CID, Tunnel-Identifier and optionally other identifiers

    DS-Lite is not for Mobile: it would require Phone OS changes (unrealistic)

    GI-DS-Lite: the Gateway tunnels traffic which requires NAT44 towards the CGN (Selective Extension of Access-Tunneling)

    Gateway and CGN use a Context-ID (e.g. private IP address) for flow identification

    No changes to UE (Phone OS) & Access & Roaming Architecture

    Tunnel Encapsulations: MPLS (typical today) or IPinIP, GRE in future

    80/111

    Motivation

    World IPv6 Launch 6/6/2012

    Carrier-Grade NAT

    Definition and design

    Dual-stack

    v4v6, v6-only, NAT64, 464

    IPv6 in Mobile

    Role in 3G and EPS

    IPv6 in Wireline

    PPPoE and IPoE sessions

    Cisco CGN Products

    ASR1000, ASR5000, ASR9000, CRS

    81/111

    Recommendation (clause 10)

    3GPP specifications recognize two main strategies to provide IPv6 connectivity to UEs.

    For the first strategy, the operator may provide IPv4 and IPv6 connectivity for the UE. According to the scenario considered, the operator will assign a public IPv4 address or a private IPv4 address in addition to an IPv6 prefix. The operator can select one of the technical solutions described in clause 7 of this document.

    The second strategy, consisting of providing the UE with IPv6-only connectivity, can be considered as a first stage or an ultimate target scenario for operators. The operator can use NAT64/DNS64 capability to access IPv4-only services if access to IPv4 services is needed.

    Note: Clause 7 lists 3 solutions: 1) NAPT44; 2) GI-DS-lite (encapsulations defined in 3GPP: GRE and MPLS VPN); 3) Stateful NAT64

    82/111

    Already being done by T-Mobile USA

    Their reasons make perfectly good sense

    And they are proving it can work

    Problem: v4-only apps (e.g. Skype)

    Source: Google IPv6 Implementors Conference, https://sites.google.com/site/ipv6implementors/2010/agenda/13_Byrne_T-Mobile_IPv6GoogleMeeting.pdf?attredirects=0

    http://www.networkworld.com/community/blog/testing-nat64-and-dns64

    "..Busiest day for a NAT64 box is the day you turn it on for the first time.." Cameron Byrne, T-Mobile

    83/111

    [Figure: UE - eNodeB - SGW - PGW (PCRF/AAA/DHCP) - IPv4-Public / IPv6-Public]

    PDP Types: IPv4, IPv6 and IPv4v6

    IPv4v6 (dual stack) introduced in EPC from 3GPP Release 8, in 2G/3G SGSN/GGSN from 3GPP Release 9

    84/111

    [Figure: 3G IPv6 PDP context setup, UE - SGSN - GGSN - AAA - DHCP]

    Attach Request / Attach Accept (UE - SGSN)

    Select GGSN for the given APN

    Create PDP Context Request (APN, QoS, PDP-type=IPv6, ...), empty UE IP-address for dynamic allocation

    /64 prefix allocation, 3 options: Option 1 /64 prefix allocation from local pool; Option 2 prefix retrieval from AAA; Option 3 DHCPv6 PD (DHCPv6 Relay Forward / Relay Reply)

    Create PDP Context Reply (UE IP-address, Protocol config options (e.g. DNS-server list, ...), cause); prefix communicated to SGSN

    Router Solicitation / Router Advertisement (SLAAC)

    DHCPv6 Information Request / DHCPv6 Reply

    85/111

    IPv6 Config: 1 method: SLAAC after the bearer setup (/64 prefix); Rel-10: DHCP-PD (enables Mobile Router)

    IPv4 Config: 2 methods: within EPS bearer setup signaling (typical); DHCPv4 (DHCP optional on UE and PGW)

    [Figure: EPS IPv6 PDN setup, UE - eNB - MME - SGW - PGW - HSS/AAA - DHCP]

    Attach Request (UE - eNB - MME), Authentication of UE

    Create Session Request (APN, QoS, PDN-type=IPv6, ...), empty UE IP-address for dynamic allocation (MME - SGW - PGW)

    /64 prefix allocation, 3 options: Option 1 /64 prefix allocation from local pool; Option 2 prefix retrieval from AAA; Option 3 DHCPv6 PD (DHCPv6 Relay Forward / Relay Reply)

    Create Session Response (UE IP-address, Protocol config options (e.g. DNS-server list, ...), cause); prefix communicated to SGW/MME

    Attach Accept / Initial Context Setup Request, Reconfigure Radio Bearer (per MME params), Initial Context Response, Direct Transfer (incl. Attach Complete), Attach Complete, Modify Bearer Request/Response

    Uplink Data / Downlink Data

    Router Solicitation / Router Advertisement (SLAAC)

    DHCPv6 Information Request / DHCPv6 Reply

    86/111

    ChargingGateway

    Data

    SGSNGa(GTP) Ga (GTP)

    GnGn/Gp (GTP)

    InternetDMZ

    Core Network

    Billing System

    Ga (GTP)IXC

    Roamingpartners

    GRX

    RNC

    NodeBFemto HNB

    RAN

    RADIUS

    DNS

    DPI

    GGSN

    Policy

    NAT

    WAP

    Signaling

    Content providers

    IMS Core

    DHCP

    QS

    3G MS

    2G MS

    Element Design consideration (If IPv6 is used for internet & internal Apps) Impact

    eNodeB Radio layer. Can use IPv4 backhaul No

    RNC Iu-CS/Iu-PS can use IPv4 backhaul No

    SGSN Initiate mobile APN query & authentication Yes

    HLR/HSS IPv6 capable YesGGSN IPv6 PDP, standards IPv6 features, prefix allocation Yes

    Billing Mediation and processing of IPv6 CDR Yes

    DPI, Quote Server Pre-paid implementation, IPv6 parsing & CDR capability Yes

    WAP, Data Accelerator IPv6 packet compressions, cache capability Yes

    Firewalls IPv6 rules capability, performance Yes

    DNS IPv6 DNS capability Yes

Two IPv6 Deployment Domains (initial deployment objective / driver):

1. Enable IPv6 customer applications
   - IPv6 for user plane interfaces
   - IPv6 related attributes for control plane interfaces
   - IPv6 related attributes for policy/charging/control interfaces
2. Enable IPv6 transport
   - IPv6 Home-PLMN
   - IPv6 Visited-PLMN
   - IPv6 Interconnect-PLMN

Note: protocol choice analysis in TR 29.803.

EPS reference architecture (diagram consolidated). Elements: UE, E-UTRAN/eNB, UTRAN, GERAN, MME, SGSN, S-GW, PDN-GW, PCRF, HSS, 3GPP AAA, ePDG, x-CSCF, trusted and untrusted non-3GPP IP access, operator's IP services. Interfaces and protocols:
- S1-MME (S1-AP), S1-U (GTP-U), S11 (GTP-C), S10 (GTP-C), S3 (GTP-C), S4 (GTP-C, GTP-U), S12 (GTP-U)
- S5 (GTP-C, GTP-U) or S5 (PMIPv6, GRE)
- S2a (PMIPv6, GRE; MIPv4 FACoA), S2b (PMIPv6, GRE)
- S6a, S6b, SWx, SWm (DIAMETER); STa (RADIUS, DIAMETER); SWa, SWn (TBD); SWu (IKEv2, MOBIKE, IPsec)
- Gx, Gxa, Gxb, Gxc (Gx+); Rx+; SGi

Transport options: GTP or PMIPv6 (since Rel-8), on the same EPS reference architecture as above. User-plane protocol stacks, each over IPv4 or IPv6 transport:

- GTP-based architecture (3G/4G), SGSN/SGW to GGSN/PGW: GTPv1/v0-U over UDP over IPv4 or IPv6
- MIP-based architecture (SAE, TS 23.402), SGW to PGW: GRE over IPv4 or IPv6
- non-3GPP access (SAE, TS 23.402), AP (e.g. Femto-AP) to ePDG to PGW: IPsec over IPv4 or IPv6 between AP and ePDG; UDP/GRE over IPv4 or IPv6 between ePDG and PGW

SP WiFi offload uses PMIP too. Hardware-based implementation: MAG/LMA in ASR1000, LMA in ASR5000.

IPv6 in Wireline: PPPoE and IPoE sessions

PPPoE dual-stack session: basic Authentication/Authorization + DHCP-PD (call-flow diagram consolidated; elements: Routed RG, Ethernet or DSL Access Node, BNG, RADIUS AAA, DHCPv6 server):

- PPP LCP between RG and BNG
- RADIUS Access-Request from the BNG: User-Name "user1", Line-id, Framed-Protocol PPP, Service-Type Framed
- RADIUS Access-Accept, optionally carrying Framed-IPv6-Prefix
- PPP IPv6CP; the RG installs a link-local address (SLAAC) and a default route to the BNG
- ICMPv6 Router Advertisement with the O-bit set, optionally carrying the prefix 2001:DB8:AAAA::/64; the RG configures 2001:DB8:AAAA::1 via SLAAC and installs the default route
- DHCPv6 Solicit (PD + DNS) from the RG; the BNG relays it (Relay-Forward) to the DHCPv6 server and receives the Relay-Reply
- DHCPv6 Reply* with PD = 2001:DB8:AAAA::/56 and DNS server = 2001:DB8:BB::1
- DHCPv6 Request (DNS) / DHCPv6 Response with DNS = 2001:DB8:BB::1

* assuming DHCPv6 rapid commit is in effect

IPoE with 1:1 VLANs (QinQ)

At L2, IPv6oE with 1:1 VLANs resembles PPPoE:
- Moderate changes to the Access Node to support IPv6: it needs to forward the IPv6 ethertype
- The point-to-point broadcast domain does not require any special L2 forwarding constraints on the Access Node, and SLAAC and Router Discovery work the same
- Line-identifier used for 1:1 VLAN mapping = (S-TAG, C-TAG)

However, 1:1 VLANs and IPoE do require some extra BNG functionality:
- Statically pre-configured VLAN subinterfaces with IPv6 parameters (e.g. RA + services)
- ND + ND cache limit
- DHCPv6-PD server or relay

DHCPv6-PD or DHCPv6 server capabilities can be used at the BNG to delegate a prefix for the home network. (Diagram: Customer 1 and Customer 2, each on its own 1:1 VLAN through the Access Node to the BNG.)

IPoE with N:1 VLAN (802.1Q)

Diagram: Customer 1 (X::/56) and Customer 2 (Y::/56) share one N:1 VLAN through the Ethernet or DSL Access Node to the BNG; the shared subnet (split-horizon) carries just link-local addresses, or an NMS /64.

- Split-horizon L2 forwarding rule: user-to-user traffic is blocked at L2 (NBMA network behavior); the BNG is the default gateway for the CPEs (all traffic goes via the BNG), no proxy-ND
- Subscriber line identification: the VLAN no longer provides a mapping of the subscriber line; an LDRA (Lightweight DHCPv6 Relay Agent) on the Access Node conveys the line-id as the Interface-ID (option 18) and Remote-ID (option 37) (draft-ietf-dhc-dhcpv6-ldra-03)
- DHCPv6 is needed, SLAAC is not enough: SLAAC has no line-id insertion, problems with failure recovery with RA, no DNS

N:1 VLAN + DHCP-PD + AAA (call-flow diagram consolidated; elements: Routed RG, Ethernet or DSL Access Node, BNG, RADIUS AAA, DHCPv6 server):

- ICMPv6 RA with the O-bit set from the BNG
- DHCPv6 Solicit (PD + DNS) from the RG; the Access Node inserts the circuit-id and relays it (DHCPv6 Relay-Forward: SOLICIT + Interface-ID) to the BNG
- BNG sends a RADIUS Access-Request with DUID and Interface-ID; RADIUS Access-Accept
- BNG relays to the DHCPv6 server (Relay-Forward); DHCPv6 Relay-Reply back to the BNG; the BNG installs the PD route
- DHCPv6 Relay-Reply (Reply + Interface-ID) to the Access Node, which delivers the DHCPv6 Reply to the RG: PD = 2001:DB8:AAAA::/56, DNS server = 2001:DB8:BB::1
- DHCPv6 Request (DNS) / DHCPv6 Response with DNS = 2001:DB8:BB::1
- RA with the O-bit and prefix 2001:DB8:AAAA::/64; the RG configures 2001:DB8:AAAA::1 via SLAAC and installs the default route
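The line-id insertion that the N:1 flow above depends on, shown as a DHCPv6 Relay-Forward built the way an LDRA on the Access Node would build it and parsed the way the BNG would read it. This is an added example for this page, not code from the Cisco deck or any Cisco product; message layouts follow RFC 3315 (Relay-Forward, Relay-Message option 9, Interface-ID option 18) and RFC 4649 (Remote-ID option 37), and the DUID, line names and addresses are constructed. The security point it makes: the line-id the BNG trusts is the one in the relay envelope, and an Interface-ID a hostile CPE stuffs into its own Solicit is visible but ignored.

```python
"""
DHCPv6 Relay-Forward construction (LDRA on the Access Node) and line-id
extraction (BNG). Added example, not Cisco code; formats per RFC 3315/4649.
"""
import ipaddress
import struct

MSG_SOLICIT, MSG_RELAY_FORW = 1, 12
OPT_CLIENTID, OPT_RELAY_MSG, OPT_INTERFACE_ID, OPT_IA_PD, OPT_REMOTE_ID = 1, 9, 18, 25, 37


def option(code: int, data: bytes) -> bytes:
    """One DHCPv6 option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(blob: bytes):
    """Decode a run of options; truncated headers or bodies are rejected rather
    than silently read past the buffer."""
    out, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", blob, off)
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated option body")
        out.append((code, blob[off:off + length]))
        off += length
    return out


def build_solicit(duid: bytes, iaid: int, rogue_interface_id: bytes = b"") -> bytes:
    """Subscriber Solicit for prefix delegation (IA_PD with IAID, T1=T2=0, no hints).
    A hostile CPE may also put an Interface-ID of its own into the message; that is
    why the relay carries the real line-id outside the client message."""
    body = option(OPT_CLIENTID, duid) + option(OPT_IA_PD, struct.pack("!III", iaid, 0, 0))
    if rogue_interface_id:
        body += option(OPT_INTERFACE_ID, rogue_interface_id)
    return struct.pack("!B", MSG_SOLICIT) + b"\x00\x12\x34" + body   # 3-byte transaction-id


def ldra_relay_forward(client_msg: bytes, peer_link_local: str,
                       interface_id: bytes, enterprise: int, remote_id: bytes) -> bytes:
    """LDRA encapsulation: hop-count 0, link-address :: (the LDRA owns no address on
    the subscriber port), peer-address = the client's link-local, then the
    Interface-ID and Remote-ID the Access Node derives from the physical port."""
    header = struct.pack("!BB", MSG_RELAY_FORW, 0)
    header += ipaddress.IPv6Address("::").packed + ipaddress.IPv6Address(peer_link_local).packed
    return (header
            + option(OPT_INTERFACE_ID, interface_id)
            + option(OPT_REMOTE_ID, struct.pack("!I", enterprise) + remote_id)
            + option(OPT_RELAY_MSG, client_msg))


def bng_line_identity(relay_msg: bytes) -> dict:
    """BNG side: take the line-id only from the relay envelope (what the trusted
    Access Node inserted) and flag any Interface-ID the client supplied itself."""
    if relay_msg[0] != MSG_RELAY_FORW:
        raise ValueError("not a Relay-Forward")
    envelope = dict(parse_options(relay_msg[34:]))   # 1+1+16+16 byte fixed header
    inner = envelope[OPT_RELAY_MSG]
    inner_opts = dict(parse_options(inner[4:]))      # skip msg-type + transaction-id
    ent_no = struct.unpack("!I", envelope[OPT_REMOTE_ID][:4])[0]
    return {
        "peer": str(ipaddress.IPv6Address(relay_msg[18:34])),
        "interface_id": envelope[OPT_INTERFACE_ID].decode(),
        "remote_id": (ent_no, envelope[OPT_REMOTE_ID][4:].decode()),
        "inner_msg_type": inner[0],
        "client_supplied_interface_id": OPT_INTERFACE_ID in inner_opts,
        "client_duid": inner_opts.get(OPT_CLIENTID, b"").hex(),
    }


if __name__ == "__main__":
    duid = b"\x00\x03\x00\x01" + bytes.fromhex("5c3a1f000001")   # DUID-LL, constructed
    sol = build_solicit(duid, iaid=1, rogue_interface_id=b"eth 1/1/99")
    fwd = ldra_relay_forward(sol, "fe80::5e3a:1fff:fe00:1", b"eth 1/1/7", 9, b"dslam1 port 7")
    print(bng_line_identity(fwd))
```

The BNG feeds `interface_id` and the client DUID into the RADIUS Access-Request exactly as the flow shows; what the CPE claims about itself never reaches AAA as the line identity.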

ASR1000 dual-stack BNG scale (RP2 + ESP20):

Feature | RP2+ESP20
PPPoEoQinQ dual-stack sessions (PTA) | 32,000
QinQ sub-interfaces | 32,000
H-QoS on PTA sessions | 32,000
Per-user ACL | 1 ACE per ACL, input ACL only
Downstream unicast traffic | 2 Gbps (64 byte)
Upstream unicast traffic | 2 Gbps (64 byte)
uRPF | enabled per session
AAA accounting | Start-Stop accounting
PPP keepalives (seconds) | 30
High availability | SSO

Today (3.6S) we can do much more: per-session CGN NAT44, IPv6 uplink AVC (DPI), ISGv6, 6VPE VRF, 48K/64K sessions.

6rd address format (diagram consolidated), example with a /32 6rd prefix:

bits 0..32: 6rd IPv6 prefix (2011:1000 in the slide's example)
bits 32..56: customer's IPv4 prefix without the "10." (24 bits, e.g. 1.1.1)
bits 56..64: subnet-ID
bits 64..128: interface ID

Bits 0..56 together form the customer IPv6 prefix (/56). Any number of bits may be masked off, as long as they are common for the entire domain. This is very convenient when deploying with a CGSE, but is equally applicable to aggregated global IPv4 space.

6rd forwarding at the CE (diagram consolidated; 6rd CEs, 6rd Border Relays, IPv4-only access network, IPv4 + IPv6 core / Internet):

- IF the IPv6 destination matches the 6rd IPv6 prefix (positive match, destination inside the 6rd domain, e.g. 2001:100:8101:0101::/64 plus interface ID): encapsulate in IPv4 with the IPv4 address embedded in the destination (using normal 6to4-style encapsulation)
- ELSE (negative match, IPv6 destination outside the 6rd domain, i.e. not 2001:100::): encapsulate with the BR IPv4 anycast address

6rd between subscriber and Internet, private IPv4 addresses in the access network (packet-walk diagram consolidated; subscriber network v4+v6, 6rd RG, IPv4 access network, BNG, ISP IPv4 core, 6rd BR, ISP IPv6 core, IPv6 Internet):

- RG: IPv6 packet src 3456:789:0003:0101::1, dst 2001:4860:0:1001::68; the destination is outside the 6rd domain, so the RG encapsulates it in IPv4 with src 10.3.1.1 and dst 10.100.100.1 (BR anycast); the RG's IPv6 prefix is derived from its IPv4 address
- The IPv4 access network, BNG and ISP IPv4 core forward the IPv4 packet to the nearest BR
- The BR decapsulates and forwards the IPv6 packet into the ISP IPv6 core and the IPv6 Internet; on the return path the BR copies the IPv4 address out of the 6rd IPv6 destination and re-encapsulates towards 10.3.1.1

Address legend:
10.100.100.1 = 6rd BR anycast address
10.3.1.1 = RG private IPv4 address, obtained via DHCPv4
2001:4860:0:1001::68 = www.google.com IPv6 address
3456:789:0003:0101::1 = RG IPv6 address; SP IPv6 prefix 3456:789::/28, obtained via a new DHCPv4 option or TR-069

6rd between subscribers, private IPv4 addresses (packet-walk diagram consolidated; 6rd RG1 and 6rd RG2 behind the same IPv4 access network, BNG and ISP IPv4 core; the 6rd BR is not on the path):

- RG1 sends IPv6 src 3456:789:0003:0101::1, dst 3456:789:0003:0201::1; the destination is inside the 6rd domain, so RG1 derives the IPv4 address from the IPv6 destination and encapsulates with IPv4 src 10.3.1.1, dst 10.3.2.1
- The IPv4 access network and BNG forward it directly to RG2, which decapsulates; on both sides the v6 prefix is derived from the v4 address

Address legend:
10.3.1.1 = RG1 private IPv4 address
10.3.2.1 = RG2 private IPv4 address
3456:789:0003:0101::1 = RG1 IPv6 address, SP IPv6 prefix 3456:789::/28
3456:789:0003:0201::1 = RG2 IPv6 address, SP IPv6 prefix 3456:789::/28

6rd: security, QoS, HA, scale

Security
- Anti-spoofing: the 6rd BR checks that the IPv6 source address matches the encapsulating IPv4 source address
- The 6rd RG (CPE) performs the same check on receive: the IPv4 source must be the BR anycast address, or must match the IPv4 address embedded in the IPv6 source

QoS
- The IPv6 DSCP is automatically copied into the IPv4 header
- QoS pre-classify is supported

HA
- 6rd is stateless, so no SSO is needed at the 6rd BR
- Anycast is used: every BR advertises the same IPv4 /32 in the IGP, and the nearest BR is chosen

Scale and performance
- ASR1000, 7600 (ES+ since 15.1(3)S)
- 512 6rd tunnel interfaces (meaning 512 6rd domains)
- VRF awareness
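The 6rd mapping from the address-format slide and the anti-spoofing check from the security bullets, worked through in code. This is an added example for this page, not code from the Cisco deck or from any Cisco product. The domain parameters are assumptions: 6rd prefix 2001:db8::/32 (documentation prefix, standing in for the slide's 2011:1000::/32), IPv4MaskLen 8 so the common "10." octet is not embedded, 24 IPv4 bits at bits 32..56 of the delegated /56, BR anycast 10.100.100.1 as in the packet walks. Mapping and check follow RFC 5969.

```python
"""
6rd (RFC 5969) address mapping, CE forwarding decision and the border-relay /
CE anti-spoofing check. Added example, not Cisco code; parameters constructed.
"""
import ipaddress


class SixRdDomain:
    def __init__(self, sixrd_prefix: str, ipv4_mask_len: int,
                 common_ipv4: str, br_ipv4_anycast: str):
        self.prefix = ipaddress.IPv6Network(sixrd_prefix)
        self.embed_bits = 32 - ipv4_mask_len              # IPv4 bits carried in IPv6
        self.delegated_len = self.prefix.prefixlen + self.embed_bits
        if self.delegated_len > 64:
            raise ValueError("6rd prefix + embedded IPv4 bits must fit in 64 bits")
        self._mask = (1 << self.embed_bits) - 1
        # high-order IPv4 bits shared by the whole domain (the "10." here)
        self.common_high = int(ipaddress.IPv4Address(common_ipv4)) & ~self._mask & 0xFFFFFFFF
        self.br_anycast = ipaddress.IPv4Address(br_ipv4_anycast)
        self._shift = 128 - self.delegated_len

    def delegated_prefix(self, ce_ipv4: str) -> ipaddress.IPv6Network:
        """CE side: 6rdPrefix || (IPv4 address minus its IPv4MaskLen high bits)."""
        embedded = int(ipaddress.IPv4Address(ce_ipv4)) & self._mask
        value = int(self.prefix.network_address) | (embedded << self._shift)
        return ipaddress.IPv6Network((value, self.delegated_len))

    def ipv4_from_ipv6(self, v6: str) -> ipaddress.IPv4Address:
        """Inverse mapping used for encapsulation: recover the CE IPv4 address
        from any address inside its delegated prefix."""
        embedded = (int(ipaddress.IPv6Address(v6)) >> self._shift) & self._mask
        return ipaddress.IPv4Address(self.common_high | embedded)

    def in_domain(self, v6: str) -> bool:
        return ipaddress.IPv6Address(v6) in self.prefix

    def ce_tunnel_destination(self, dst_v6: str) -> ipaddress.IPv4Address:
        """CE forwarding rule from the slide: inside the 6rd domain -> tunnel
        straight to the embedded IPv4 address; otherwise -> BR anycast."""
        if self.in_domain(dst_v6):
            return self.ipv4_from_ipv6(dst_v6)
        return self.br_anycast

    def accept_from_ce(self, outer_src_v4: str, inner_src_v6: str) -> bool:
        """BR anti-spoofing on decapsulation: the inner IPv6 source must be a 6rd
        address whose embedded IPv4 equals the outer IPv4 source. Without this a
        subscriber could inject IPv6 traffic with any in-domain source address."""
        if not self.in_domain(inner_src_v6):
            return False
        return self.ipv4_from_ipv6(inner_src_v6) == ipaddress.IPv4Address(outer_src_v4)

    def accept_at_ce(self, outer_src_v4: str, inner_src_v6: str) -> bool:
        """CE receive-side check: IPv6 traffic from outside the domain may only
        arrive from the BR anycast address; in-domain traffic must pass the same
        embedded-address check as the BR applies."""
        if self.in_domain(inner_src_v6):
            return self.accept_from_ce(outer_src_v4, inner_src_v6)
        return ipaddress.IPv4Address(outer_src_v4) == self.br_anycast


if __name__ == "__main__":
    d = SixRdDomain("2001:db8::/32", 8, "10.0.0.0", "10.100.100.1")
    print(d.delegated_prefix("10.3.1.1"))                   # 2001:db8:301:100::/56
    print(d.ce_tunnel_destination("2001:db8:302:100::1"))   # 10.3.2.1, no BR involved
    print(d.ce_tunnel_destination("2001:4860:0:1001::68"))  # 10.100.100.1, BR anycast
    print(d.accept_from_ce("10.3.2.1", "2001:db8:301:100::1"))  # False: spoofed source
```

Because the mapping is a pure function of the domain parameters, the BR needs no per-subscriber state to run the check, which is exactly why 6rd BRs can be anycast without SSO.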

Cisco home gateways (source: http://home.cisco.com/en-us/ipv6): the goal is a universal dual-stack home gateway with 6rd on by default.
Cisco CGN Products: ASR1000, ASR5000, ASR9000, CRS

Cisco CGN product positioning (CGSE = Carrier Grade Services Engine):

- CRS: CGSE PLIM + FP40 (NAT44, NAT64, 6rd, DS-Lite); 20M translations, 1M sessions/s, 20 Gbps
- ASR9000: ISM module (NAT44, DS-Lite); BNG NAT44 for PPPoE sessions; 20M translations, 1M sessions/s, 15 Gbps
- ASR5000: per-subscriber GGSN/PGW NAPT, Gi firewall, DPI, charging; 120M translations, 1M sessions/s
- ASR1000: integrated (NAT44, NAT64, 6rd); BNG NAT44 for PPPoE sessions; 2M translations, 100K sessions/s, 20 Gbps
- XR12000: CGN daughter card for the PRP-3 (NAT44, future NAT64); 10M translations, 250K sessions/s, 6 Gbps

CGSE, Carrier Grade Services Engine: the new engine for massive Cisco CGv6 deployments

CGSE PLIM:
- 20+ million sessions
- 1+ million sessions per second [sps]
- 20 Gb/s of throughput
- Up to 240M translations (12 CGSEs per chassis); 64K global IPs serve hundreds of thousands of users
- Intra- or inter-chassis redundancy

CGN features: subscriber port limit, per-L4-protocol/port timers, static port forwarding, NetFlow v9 logging, RTSPv1 ALG

IPv6 preparation: 6rd BR (XR 3.9.3), stateless NAT64 (XR 3.9.3), stateful NAT64 (XR 4.1.2), DS-Lite, bulk port allocation and syslog (4.2.1), destination-based logging (4.2.1, 4.3); future: PCP, PPTP ALG, MAP

CGSE deployment on CRS (diagram consolidated): uses a line card slot, paired with an FP40. VRFs separate the private and public routing tables; interfaces are associated with a VRF; ServiceApp interfaces are used to send packets to/from the CGSE:
- Inside VRF (private IPv4 subscribers on a VLAN interface): Dest 0.0.0.0/0 -> AppSVI1
- Outside VRF (public IPv4 on a VLAN interface): Dest NAT pool -> AppSVI2

Translation table example:
Entry | Inside | Outside
Entry1 | 10.12.0.29:334 | 100.0.0.221:18808
Entry2 | 10.12.0.29:856 | 100.0.0.221:40582
Entry.. | |

Timers (per CGN instance) | Default value
ICMP | 60 sec
UDP init | 30 sec
UDP active | 120 sec
TCP init | 120 sec
TCP active | 30 min
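A working model of the translation table and timers above, together with two of the CGSE features listed on the previous slide (subscriber port limit and logging), so the operational consequences are visible: what a subscriber hitting its port limit sees, when idle entries age out under the default timers, and how a public ip:port seen in an abuse report maps back to the inside address at a given time. This is an added example for this page, not code from the Cisco deck or any Cisco product. The pool addresses, subscribers and traffic are constructed; the paired-pool behaviour (one subscriber always maps to the same public address) follows RFC 4787, which the deck cites for CGN behaviour.

```python
"""
Minimal NAPT44 table with per-subscriber port limit, per-protocol idle timers
(the slide's defaults) and a translation history for attribution lookups.
Added example, not Cisco code; all inputs constructed.
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import Optional

DEFAULT_TIMERS = {"icmp": 60, "udp_init": 30, "udp_active": 120,
                  "tcp_init": 120, "tcp_active": 30 * 60}   # seconds, slide defaults


@dataclass
class Xlate:
    proto: str
    inside: tuple           # (ip, port)
    outside: tuple          # (ip, port)
    created: float
    last_seen: float
    active: bool = False    # init vs active timer (e.g. TCP handshake completed)
    deleted: Optional[float] = None


class CgnNat44:
    """NAPT44 with paired public-address pooling (RFC 4787), a per-subscriber
    port limit, per-protocol idle timers and a create/delete history."""

    def __init__(self, pool, port_limit, timers=DEFAULT_TIMERS, seed=1):
        self.pool = [ipaddress.IPv4Address(p) for p in pool]
        self.port_limit = port_limit
        self.timers = timers
        self.rng = random.Random(seed)   # deterministic here; a real CGN uses a CSPRNG
        self.out = {}        # (proto, inside ip, inside port) -> Xlate
        self.inb = {}        # (proto, outside IPv4Address, outside port) -> Xlate
        self.per_sub = {}    # inside ip -> number of live translations
        self.history = []    # every Xlate ever created, for log lookups

    def _public_ip(self, inside_ip):
        # paired pooling: a subscriber always maps to the same public address
        return self.pool[int(ipaddress.IPv4Address(inside_ip)) % len(self.pool)]

    def _alloc_port(self, proto, pub):
        for _ in range(64):              # bounded search in the ephemeral range
            port = self.rng.randint(1024, 65535)
            if (proto, pub, port) not in self.inb:
                return port
        raise RuntimeError("no free port on %s" % pub)

    def outbound(self, proto, inside_ip, inside_port, now):
        """Outside (ip, port) for an inside flow, creating a translation if needed;
        None when the subscriber is over its port limit (abuse containment)."""
        key = (proto, inside_ip, inside_port)
        x = self.out.get(key)
        if x is not None:
            x.last_seen = now
            return x.outside
        if self.per_sub.get(inside_ip, 0) >= self.port_limit:
            return None
        pub = self._public_ip(inside_ip)
        port = self._alloc_port(proto, pub)
        x = Xlate(proto, (inside_ip, inside_port), (str(pub), port), now, now)
        self.out[key] = x
        self.inb[(proto, pub, port)] = x
        self.per_sub[inside_ip] = self.per_sub.get(inside_ip, 0) + 1
        self.history.append(x)
        return x.outside

    def inbound(self, proto, outside_ip, outside_port, now):
        """Reverse lookup for a returning packet; None if no translation exists."""
        x = self.inb.get((proto, ipaddress.IPv4Address(outside_ip), outside_port))
        if x is None:
            return None
        x.last_seen = now
        return x.inside

    def set_active(self, proto, inside_ip, inside_port):
        self.out[(proto, inside_ip, inside_port)].active = True

    def expire(self, now):
        """Delete idle translations according to the per-protocol timers."""
        for key, x in list(self.out.items()):
            if x.proto == "icmp":
                limit = self.timers["icmp"]
            else:
                limit = self.timers[x.proto + ("_active" if x.active else "_init")]
            if now - x.last_seen >= limit:
                x.deleted = now
                del self.out[key]
                del self.inb[(x.proto, ipaddress.IPv4Address(x.outside[0]), x.outside[1])]
                self.per_sub[x.inside[0]] -= 1

    def who_had(self, outside_ip, outside_port, at):
        """Attribution from the history: which inside ip:port held a public
        ip:port at time `at` (this is what the logging feature exists for)."""
        for x in self.history:
            if (x.outside == (outside_ip, outside_port) and x.created <= at
                    and (x.deleted is None or at < x.deleted)):
                return x.inside
        return None
```

Two details worth noticing: the port limit is enforced per inside address, not per public address, so one infected subscriber cannot starve the others sharing its public IP; and the timestamp in the abuse report must be compared against the create/delete interval, since the same public port is reused by other subscribers once the entry expires.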

CGSE hardware (block diagram consolidated): Service Engine PLIM with Octeon CPUs and accelerator FPGAs (ingress and egress PSE), connected over the midplane to a Modular Services Card (FP40, MSC20, MSC40) with ingress/egress queues and the fabric; it uses a line card slot and connects via the fabric.
- Supports 20 Gbps aggregate bandwidth
- 20M NAT44 translations
- 15M NAT64 translations
- 1M sps

ASR9000 ISM (block diagram consolidated): Intel application CPUs with application memory, I/O hub and bridges, fabric ASIC on the backplane (2 x 24 Gb), two modular expansion cards, ISM management CPU.
- ISM supports 10 Gbps aggregate bandwidth
- 20M NAT44 translations (today)
- 15M NAT64 translations (planned)
- 1M sps

XR12000/GSR SMDC (Service Module Daughter Card) on the PRP-3 (fast CPU, 8 GB DRAM, 80 GB HD):
- SMDC supports 10 Gbps aggregate bandwidth (~6 Gbps NAT)
- 10M NAT44 translations (today), 7M NAT64 translations (planned)
- 250K sps
- SMDC is field replaceable
- Dual PRP-3: 1:1 redundancy

ASR1000 NAT44 scale

ESP type | Session scalability | Forwarding performance | Translation setup/teardown rate (xlat/sec)
ESP5 / ASR1001 | 256k | 3 Mpps | 50k
ESP10 | 1M | 6 Mpps | 100k
ESP20 | 2M | 8 Mpps | 200k
ESP40 | 2M | 9 Mpps | 200k

- The numbers above are based on a few NAT pools. The maximum number of NAT pools supported is 1200 on ESP20/ESP40, 600 on ESP10 and 300 on ESP5, but session scalability is unknown when the number of NAT pools scales up.
- ASR 1000 supports up to 16k static NAT entries in a single-RP system or with inter-box HA
- ASR 1000 supports up to 4k static NAT entries in a redundant-RP system
- Supports up to 1K VRFs for VRF-aware NAT
- The maximum number of interfaces is not limited by NAT
- The maximum number of ACLs is not limited by NAT, but by the standard TCAM ACL limit
- Route-map scaling maximum is 1024

ASR1000 stateful NAT64 scale

ESP type | Session scalability | Forwarding performance | Translation setup/teardown rate (xlat/sec)
ESP5 / ASR1001 | 256k | 2 Mpps | 70k
ESP10 | 1M | 4.2 Mpps | 100k
ESP20 | 2M | 5.5 Mpps | 175k
ESP40 | 2M | 5.5 Mpps | 180k

- Supports a maximum of 16k static entries
- The maximum number of interfaces is not limited by NAT64
- The maximum number of ACLs is not limited by NAT64, but by the standard TCAM ACL limit
- Stateful HA is possible; by default state replication is disabled for short-lived HTTP sessions on tcp/80, and can be enabled with:
  nat64 switchover replicate http enable port 80

Summary
- World IPv6 Launch 6/6/12
- IPv4 exhaust: business continuity
- CGN role and definition, RFC 4787
- CGN performance: SPS, number of sessions, logging
- Dual-stack in mobile and wireline networks
- NAT64: avoiding dual-stack
- Future 464 traversal technologies
- Related Cisco products


    Thank you.