Technical White Paper for IPv6 CGN Solution

Issue 1.0
Date 2011-11-30
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 1.0 (2011-11-30) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

Contents
1 Introduction to the CGN
2 CGN Solution
2.1 CGN Principles
2.2 CGN Packet Processing Procedure
2.3 CGN Technological Requirements
2.4 CGN Application Scenarios
2.5 Impact of the CGN on the Network
3 Key Technologies for Deploying the CGN
3.1 Classification of CGN Forms
3.2 Classification of CGN Access
3.2.1 Mode 1: Access Through the L3 Tunnel
3.2.2 Mode 2: Access Through the L2 Tunnel (NAT444)
3.2.3 Mode 3: Access Through the L2 Tunnel (NAT44 and Access with Any Address)
3.2.4 Mode 4: Access Through the L2 Tunnel (NAT44 and Address Management and Allocation)
3.3 Controlling the NAT User Policy with BNG/CGN Convergence
3.4 Management of Ordering Port Pre-Allocation
3.5 NAT Traversal
3.6 High Reliability
4 Conclusion
A References
B Acronyms and Abbreviations

Figures
Figure 2-1 Basic principle and packet processing flow of the NAPT mode
Figure 2-2 CGN packet processing procedure
Figure 3-1 CGN access mode through the L3 tunnel
Figure 3-2 CGN access mode through the L2 tunnel (NAT444)
Figure 3-3 CGN access mode through the L2 tunnel (NAT44 and access with any address)
Figure 3-4 CGN access mode through the L2 tunnel (NAT44 and address management and allocation)
Figure 3-5 User policy control when the BNG and CGN are converged
Figure 3-6 Management of ordering port pre-allocation
Figure 3-7 Large-scale deployment of CGN services to support NAT traversal
Figure 3-8 Backup mechanism between CGN devices

Tables
Table 3-1 Comparison of the stand-alone CGN and integrated CGN
Table 3-2 Comparison of the centralized CGN and distributed CGN

Keywords
NAT, CGN, IPv6, transition technology, BNG, carrier grade NAT, source tracing, hot backup

Summary
CGN refers to carrier grade NAT. To enable large-scale commercial deployment, the CGN must greatly improve on common NAT in the number of concurrent users, performance, and source tracing. The CGN can be used in multiple scenarios such as NAT444 and DS-Lite.
This document describes the NAT principles, the NAT packet processing flow, the CGN tunnel modes, and the CGN deployment solutions.

1 Introduction to the CGN

IPv4 address exhaustion is a complex barrier for carriers seeking to aggressively deploy the mobile Internet, increase subscribers, and drive the convergence of the Triple Play. As of February 3, 2011, IANA had allocated its last IPv4 address blocks, plunging global carriers into the crisis of IP address exhaustion. At present, two major solutions exist:

Deploying IPv6: This solution resolves the problem once and for all. However, as most content and applications are still IPv4-based, existing services cannot be carried over if IPv4 networks are forcibly migrated to IPv6.

NAT: To preserve IPv4 services, large-scale deployment of private IPv4 addresses allows statistical multiplexing of public IPv4 addresses, which defers the problem of IPv4 address exhaustion for a long time.

Carriers must consider both solutions. The NAT solution greatly reduces investment because home gateway devices do not need to be replaced, and carrier investment is further protected if legacy devices are reconstructed and reused. In the early phase, the commercially mature NAT444 solution can resolve address exhaustion. Evolution from IPv4 to IPv6 is a long process, and in terms of user experience, technological maturity, and deployment complexity, NAT444 is currently the best solution for stretching the remaining IPv4 address space and continuing to develop IPv4 services smoothly.

Carrier Grade NAT (CGN) is also referred to as Large Scale NAT (LSN). The CGN greatly improves on common NAT in concurrent user capacity, performance, and source tracing.
The CGN enables large-scale commercial deployment, resolves IPv4 address exhaustion, and can be deployed in multiple scenarios such as NAT444 and DS-Lite. Deployment of the CGN, however, faces certain problems that must be resolved: packet transmission delays caused by address translation, difficulties in user source tracing, and NAT traversal for certain applications.

2 CGN Solution

2.1 CGN Principles

Two address translation modes exist: NAT mode and Network Address and Port Translation (NAPT) mode. NAT mode translates only the IP address in an IP packet; NAPT mode translates both the IP address and the port number. NAPT mode is used in practice because NAT mode wastes addresses: each private IP address requires its own public IP address.

Figure 2-1 Basic principle and packet processing flow of the NAPT mode

The NAT device receives a packet sent by a private network user to the public network.

If the packet belongs to a new connection, the NAT device chooses an idle public IP address and port number from the address pool and creates the NAT table items (forward and reverse).

Based on the source and destination IP addresses and the source and destination port numbers of the private network packet, the NAT device searches the NAPT table, translates the packet according to the matching entry, and sends the translated packet to the public network.
After receiving a response packet from the public network, the NAT device searches the reverse NAPT table based on the destination IP address and port number, translates the packet according to the matching entry, and sends the translated packet to the private network.

NAPT mode translates both the IP address and the port number, which makes full use of IP address resources and enables multiple hosts on the internal network to access the Internet simultaneously.

2.2 CGN Packet Processing Procedure

To process packets sent from the private network to the public network, an ACL is applied on the interface card to all streams. The ACL lookup is performed in TCAM, so it does not affect forwarding performance and line-rate forwarding is maintained. Figure 2-2 shows the CGN packet processing procedure.

1. On the incoming interface card, look up the ACL/UCL table. If a stream requires translation, send it to the NAT board.

2. On the NAT board, look up the IPv4 forward session table by the triplet (source IP address, source port number, protocol number) or by the quintuple (source and destination IP addresses, source and destination port numbers, protocol number). The NAT board translates the packet's IP address and port number, looks up the FIB, and forwards the packet to the outgoing interface card. A quintuple mapping is stricter than a triplet mapping: it admits return traffic only from the specific external address and port that the private host contacted, whereas a triplet mapping accepts packets from any external host that sends to the mapped public port. The quintuple is therefore used where security matters, at the cost of making peer-to-peer NAT traversal harder and consuming more session table entries.

3. On the outgoing interface card, forward the translated stream.

For return streams, the destination IP address of the packet is the public IPv4 address held by the NAT. The packet is routed to the NAT unit and reverse NAT processing is performed.

Figure 2-2 CGN packet processing procedure
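The two session-key variants described in step 2, as an added example that is not from this white paper or from Huawei's implementation: a small NAPT table in Python keyed either by the triplet or by the quintuple. It shows that a quintuple key rejects an inbound packet from a host the private user never contacted, while a triplet key translates and delivers it. The public address, the sequential port allocator and the packets are constructed for the example; a real CGN draws from an address pool and ages sessions out.

```python
"""NAPT session table with triplet and quintuple session keys.

Added example, not Huawei's code. All addresses, ports and packets are
constructed for illustration; a real CGN draws public addresses and ports
from a configured pool and ages sessions out.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# A packet is represented by its (src_ip, src_port, dst_ip, dst_port, proto).
Packet = Tuple[str, int, str, int, str]


@dataclass
class Mapping:
    """One NAPT entry: a private endpoint and the public endpoint it was given."""
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int
    proto: str


class Napt:
    """Forward table (private-side key) and reverse table (public-side key).

    quintuple=False: the key is the triplet (src_ip, src_port, proto), so one
    public port serves every destination and any external host may send to it.
    quintuple=True: the key includes the destination, so each private
    endpoint/peer pair gets its own public port and only that peer may reply.
    """

    def __init__(self, public_ip: str, first_port: int = 1024, quintuple: bool = False):
        self.public_ip = public_ip
        self.next_port = first_port          # toy allocator: hand out ports in sequence
        self.quintuple = quintuple
        self.forward: Dict[tuple, Mapping] = {}
        self.reverse: Dict[tuple, Mapping] = {}

    def _fwd_key(self, src_ip, src_port, dst_ip, dst_port, proto) -> tuple:
        if self.quintuple:
            return (src_ip, src_port, dst_ip, dst_port, proto)
        return (src_ip, src_port, proto)

    def _rev_key(self, pub_ip, pub_port, peer_ip, peer_port, proto) -> tuple:
        if self.quintuple:
            return (pub_ip, pub_port, peer_ip, peer_port, proto)
        return (pub_ip, pub_port, proto)

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: create the session on first sight, then translate the source."""
        src_ip, src_port, dst_ip, dst_port, proto = pkt
        key = self._fwd_key(src_ip, src_port, dst_ip, dst_port, proto)
        entry = self.forward.get(key)
        if entry is None:
            pub_port = self.next_port
            self.next_port += 1
            entry = Mapping(src_ip, src_port, self.public_ip, pub_port, proto)
            self.forward[key] = entry
            self.reverse[self._rev_key(self.public_ip, pub_port, dst_ip, dst_port, proto)] = entry
        return (entry.public_ip, entry.public_port, dst_ip, dst_port, proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: translate the destination if a session matches, else drop."""
        src_ip, src_port, dst_ip, dst_port, proto = pkt
        entry = self.reverse.get(self._rev_key(dst_ip, dst_port, src_ip, src_port, proto))
        if entry is None:
            return None                      # no session: the packet is dropped
        return (src_ip, src_port, entry.private_ip, entry.private_port, proto)


def demo(quintuple: bool):
    """One private host talks to two servers; then a reply and an unsolicited packet arrive."""
    nat = Napt("198.51.100.1", quintuple=quintuple)
    first = nat.outbound(("10.0.0.5", 40000, "203.0.113.10", 443, "tcp"))
    second = nat.outbound(("10.0.0.5", 40000, "203.0.113.20", 443, "tcp"))
    reply = nat.inbound(("203.0.113.10", 443, "198.51.100.1", first[1], "tcp"))
    stranger = nat.inbound(("203.0.113.99", 5555, "198.51.100.1", first[1], "tcp"))
    return first[1], second[1], reply, stranger


if __name__ == "__main__":
    print("triplet  :", demo(False))
    print("quintuple:", demo(True))
```

With the triplet key the second connection reuses public port 1024 and the unsolicited packet from 203.0.113.99 is delivered to the private host; with the quintuple key the second connection gets port 1025 and the unsolicited packet is dropped, which is the trade-off between traversal friendliness and exposure described above.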
2.3 CGN Technological Requirements

Performance capacity: On carrier networks, the NAT can serve hundreds of thousands of users, each generating an average traffic flow of hundreds of kilobits per second. Tests show that a click on a Web 2.0 page generates dozens of TCP connections, while a P2P application generates more than one hundred sessions. Generally, reserving 1,000 ports per user meets common requirements. The NAT device requires a forwarding capability of at least 100 Gbit/s and must be able to establish millions of sessions per second and maintain tens of millions of active sessions.

Reliability: NAT reliability can be improved by deploying redundant NAT devices with board-level backup, so that traffic switches over automatically if the active device fails. Unlike ordinary forwarding, NAT sessions are stateful, and sessions are created and aged rapidly: on a CGN, millions of sessions may change state each second. Backing up every session would require continuous synchronization between devices, which is impractical at this rate. Because most NAT sessions are short-lived and need no backup, only long-lived sessions are currently backed up.

User management: Port reservation management is necessary in the CGN scenario so that users sharing an IP address can still access the network normally when one of them abuses network resources. The CGN must also be manageable so as to guarantee features such as unique external addresses and port parity, or to block special-purpose ports such as ports known to be used by malware.

Address source tracing: As part of NAT deployment, source tracing requires support at the application layer. For example, an access log must record not only IP addresses but also port information, and with shared addresses the timestamp as well, since the same public address and port are reused by different users over time.
Logs are commonly recorded per session. In a CGN environment, log traffic may reach tens of megabytes per second, which necessitates high-performance log processing and storage systems and increases maintenance costs. Using port pre-allocation, the CGN can reserve hundreds of ports for a user at a time and log the reservation once instead of logging every session, which reduces NAT log volume to roughly 1/1000 of its original size.

NAT traversal: For certain TCP/UDP applications, particularly end-to-end applications such as multimedia sessions, file sharing, and games, IP address or port information may be carried in the payload. If this information is not processed, the application fails to traverse the NAT. For details on resolving this problem, see section 3.5 "NAT Traversal."

2.4 CGN Application Scenarios

The CGN is used together with other technologies in multiple scenarios, including NAT444, DS-Lite, and NAT64.

NAT444: NAT is performed twice: once on the CPE and again on the CGN.

DS-Lite: Two NEs are introduced: the B4 (basic bridging broadband element) and the AFTR (address family transition router). The B4 is the CPE and performs tunnel encapsulation and decapsulation. The AFTR is the DS-Lite gateway and performs tunnel encapsulation, decapsulation, and address translation. A single-stack IPv6 network lies between the CPE and the AFTR. The B4 allocates private IPv4 addresses to users to support IPv4 services. Upstream IPv4 packets are encapsulated in the IPv6 tunnel by the B4; when a packet reaches the DS-Lite gateway, the outer IPv6 header is removed and the private IPv4 address is translated to a public IPv4 address. The flow for an IPv4 packet sent from the public network is the reverse.
The public IPv4 address is translated back to the private IPv4 address, and the packet is then transmitted through the IPv6 tunnel to the B4. The B4 decapsulates it and forwards it to the destination host. Because every B4 may use the same private IPv4 range, the AFTR must key its NAT table on the B4's IPv6 tunnel address as well as on the inner IPv4 address and port.

NAT64: Both the network address and the protocol are translated between the IPv6 and IPv4 networks. NAT64 generally enables only IPv6 users to access IPv4 resources. If static mappings are configured manually, NAT64 also enables IPv4 users to access the IPv6 network. NAT64 translates address and protocol between IPv6 and IPv4 for TCP, UDP, and ICMP. DNS64 must be used together with NAT64: the A record (IPv4 address) in the DNS response is synthesized into a AAAA record (IPv6 address), which is then returned to the IPv6 user.

2.5 Impact of the CGN on the Network

Impact on network equipment: Deploying NAT adds the address translation function to the network and requires little adjustment to the live network. However, certain application systems need to be modified to work with private addresses. NAT increases processing delay and the complexity of networks and routes. Because the NAT is a traffic convergence point, it is difficult to back up sessions on carrier networks; when a fault occurs, sessions may need to be re-established, which reduces network reliability.

Impact on network maintenance: User source tracing requires a NAT log server to store users' network access records. Log traffic from each NAT may reach tens of megabits per second, which requires high-performance log servers with very large storage capacities.
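Returning to the NAT64/DNS64 scenario in section 2.4, the following is an added example, not code from this white paper or from Huawei: it synthesizes a AAAA record from an A record by embedding the IPv4 address in a /96 NAT64 prefix, recovers the IPv4 destination again on the NAT64 data path, and refuses to translate a destination that lies outside the prefix. The prefix is the well-known NAT64 prefix 64:ff9b::/96 from RFC 6052; the record sets are constructed.

```python
"""DNS64 AAAA synthesis and NAT64 prefix handling.

Added example, not Huawei's code. The prefix is the RFC 6052 well-known
NAT64 prefix 64:ff9b::/96; the record sets used below are constructed.
"""
import ipaddress
from typing import Iterable, List

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """DNS64: embed an A record in the NAT64 prefix to form the AAAA record
    returned to an IPv6-only client (IPv4 address in the low 32 bits of a /96)."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper handles /96 prefixes only")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """NAT64 data plane: recover the IPv4 destination from a synthesized address.
    A destination outside the prefix is native IPv6 and must not be translated."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{ipv6} is not inside the NAT64 prefix {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


def dns64_answer(a_records: Iterable[str], aaaa_records: Iterable[str]) -> List[str]:
    """What the IPv6 client receives: native AAAA records if the name has any,
    otherwise one synthesized AAAA per A record. Synthesizing when a native
    AAAA exists would needlessly push dual-stack traffic through the NAT64."""
    native = list(aaaa_records)
    if native:
        return native
    return [synthesize_aaaa(a) for a in a_records]


if __name__ == "__main__":
    print(dns64_answer(["192.0.2.1"], []))      # ['64:ff9b::c000:201']
    print(extract_ipv4("64:ff9b::c000:201"))    # 192.0.2.1
```

The check in extract_ipv4 is the one that matters operationally: the NAT64 must translate only packets whose destination lies inside its configured prefix, and the DNS64 must not synthesize answers for names that already have native AAAA records.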
Network maintenance complexity and workload increase because of the growing number of NAT devices, fault location difficulties, user complaints, and source tracing.

Impact on services and applications: NAT processing delay and restricted NAT traversal for certain applications lower user experience and may affect the launch of carrier services. For example, if the NAT is deployed between the user and the DPI system, the DPI system sees only shared public addresses and can no longer attribute traffic to individual users. NAT affects value-added services that derive user information from IP addresses, because an IP address is shared by multiple users; VoIP applications, for instance, require an application-layer gateway. These disadvantages do not prevent widespread NAT deployment in commercial networks, because address exhaustion is widespread and only NAT technology can protect the existing IPv4 investment. New applications must support NAT, and the related standards are being improved. New applications can use emerging technologies to bypass the limitations of the network layer at the cost of added complexity in the application layer.

3 Key Technologies for Deploying the CGN

3.1 Classification of CGN Forms

The CGN can be either a stand-alone or an integrated device. The stand-alone CGN is an independent device that provides the CGN function. The integrated CGN is also called the plug-in CGN because the board that provides the CGN function is inserted into another device, for example a BNG, SR, or CR. The stand-alone CGN is used only for address translation and does not affect BNG services.
However, a BNG forwarding port is occupied by steering streams to the CGN. The integrated CGN can be combined with the BNG user management function to make full use of the CGN's management capabilities. For details, see Table 3-1.

Table 3-1 Comparison of the stand-alone CGN and integrated CGN

Stand-alone CGN:
- Excellent performance: a multi-core CPU and the whole system are dedicated to CGN processing.
- High capacity and extensibility; extensibility can be realized through cascading or cross-chassis deployment.
- Easy to deploy, but requires a BNG forwarding port to steer traffic to the CGN.
- Excellent extensibility: the CGN can be deployed online and extended without limitation.

Integrated CGN:
- No stand-alone device is required; the integrated CGN saves space, consumes less power, meets heat dissipation requirements, and requires a smaller investment.
- Close coordination between the network and application layers supports the routing protocols, convergence access, and CGN information management.
- Occupies a BNG service slot.

The CGN can be deployed in either centralized or distributed mode:

Centralized: Usually deployed on the CR in the upper layer of the network, for example the P router of the metropolitan area network (MAN) in China or the P router of the backbone network in other countries. The CGN can be either a stand-alone device attached to the CR or integrated into the CR.

Distributed: Deployed lower in the network, usually with the BNG or SR. The CGN can be stand-alone or integrated.

Table 3-2 Comparison of the centralized CGN and distributed CGN

Centralized CGN:
- Applicable when CGN users are scattered across the MAN.
- Easy to deploy with few extra nodes.
- Places high requirements on device performance; the scope of a device fault is large.
- Requires private network routes on the uplink network of the SR/BNG in the MAN.
- Reduces address pool fragmentation and improves address usage.
- Poor sustainable evolution; must evolve to distributed mode as users increase.

Distributed CGN:
- Applicable when CGN users are concentrated.
- Scattered user scenarios require many nodes.
- The scope of a device fault is small.
- Integrating the CGN with the SR/BNG gives the SR/BNG both user and CGN information; user-based management more effectively solves CGN problems such as source tracing.

3.2 Classification of CGN Access

3.2.1 Mode 1: Access Through the L3 Tunnel

As shown in Figure 3-1, a terminal user accesses the CGN through an IPv6 tunnel. The CPE encapsulates the IPv4 packet and transmits it through the IPv6 tunnel to the CGN gateway. The CGN removes the IPv6 header and translates the IPv4 address. The CPE acts as the DHCP server for private IPv4 addresses and allocates them to user terminals on the home network. The CPE forwards IPv4 packets without translating them; DS-Lite is typically used in this scenario.

Figure 3-1 CGN access mode through the L3 tunnel (CPE acting as IPv4 DHCP server; private IPv4 on the home side; IPv6 L3 DS-Lite tunnel between the CPE and the CGN&BNG)

3.2.2 Mode 2: Access Through the L2 Tunnel (NAT444)

As Figure 3-2 shows, the CPE acts as the DHCP server for private IPv4 addresses and allocates them to user terminals. The CPE provides level-1 NAT and the CGN gateway provides level-2 NAT. The CPE connects to the CGN through an L2 tunnel (VLAN/PPPoE) carrying only one IP session. The address the CPE presents to the level-2 NAT can itself be a shared private address.
Figure 3-2 CGN access mode through the L2 tunnel (NAT444) (CPE acting as IPv4 DHCP server and first-level NAT; L2 tunnel (PPPoE/VLAN) carrying private IPv4 to the CGN&BNG)

3.2.3 Mode 3: Access Through the L2 Tunnel (NAT44 and Access with Any Address)

As shown in Figure 3-3, a terminal user accesses the CGN through an L2 tunnel (VLAN/PPPoE). The IPv4 packet sent by the user is carried through the L2 tunnel to the CGN gateway for NAT processing. The CPE acts as the DHCP server for private IPv4 addresses and allocates them to user terminals. The CPE does not perform NAT, and all packets carrying private addresses from the terminal network are forwarded at L2. Multiple IP sessions exist in the L2 tunnel, and terminal network users are differentiated by L2 tunnel information such as the PPP session ID or VLAN.

Figure 3-3 CGN access mode through the L2 tunnel (NAT44 and access with any address) (CPE acting as IPv4 DHCP server with no NAT; L2 tunnel (VLAN) carrying private IPv4 to the CGN&BNG)

3.2.4 Mode 4: Access Through the L2 Tunnel (NAT44 and Address Management and Allocation)

As shown in Figure 3-4, a terminal user accesses the CGN through an L2 tunnel (VLAN/PPPoE). The IPv4 packet sent by the user is carried through the L2 tunnel to the CGN gateway for NAT processing. The CPE does not allocate addresses; the BNG acts as the DHCP server for private IPv4 addresses and allocates them to user terminals.
The CPE does not perform NAT, and all packets carrying private addresses from the terminal network are forwarded at L2. Multiple IP sessions exist in the L2 tunnel, and terminal network users are differentiated by L2 tunnel information such as the PPP session ID or VLAN.

Figure 3-4 CGN access mode through the L2 tunnel (NAT44 and address management and allocation) (BNG acting as IPv4 DHCP server; L2 CPE with no NAT; L2 tunnel (VLAN) carrying private IPv4 to the CGN&BNG)

3.3 Controlling the NAT User Policy with BNG/CGN Convergence

NAT resources on the CGN can be managed and controlled through user-based policy control, which enables carrier-class operation and allocation of addresses and NAT resources. The CGN management architecture applies policy control to a user group identified by source address segment or CGN instance. The BNG management architecture manages by user account (single user) or control domain (user group). Converging the BNG and CGN gives them a consistent control architecture, so that the BNG architecture can apply the per-user CGN control policy with full compatibility.

As shown in Figure 3-5, the CGN control policy includes the NAT port allocation policy and port segment range, the number of NAT sessions, the lawful interception policy, ALG settings, QoS/SLA service quality, and the ACL. The CGN control policy is managed through control policy instances contained in a profile; the profile content can be configured locally on the device or delivered by the policy server or the RADIUS authentication system. Figure 3-5 shows user policy control when the BNG and CGN are converged.
Figure 3-5 User policy control when the BNG and CGN are converged (PPPoE or IPoE user access over an L2 or L3 tunnel from the CPE to the BNG+CGN; IPv4 authentication against the RADIUS server, with a DNS server alongside; the CGN profile policy control template covers NAT port range allocation, NAT session number, ALG capabilities, lawful interception, and QoS/SLA; the profile is delivered by name or by content from RADIUS or configured locally, and is bound to a BNG subscriber, a BNG user group/control domain, or a CGN user tunnel ID/CGN user group instance)

Single users: The CGN identifies a user by a unique user identifier, which is bound during BNG access authentication. The CGN control policy is applied to the access user through the user account policy. Each user has a user management control table entry binding the user access identifier to the control policy. The CGN policy can be obtained during BNG/CGN user access through authorization, or delivered to the BNG/CGN device by the RADIUS or policy server. Policy delivery can carry the policy content directly or only the policy profile name; if only the name is delivered, the policy content is taken from the local profile instances on the device.

User groups: The CGN correlates CGN instances with BNG control domains; users with a given BNG user property belong to the same control domain. The control domain is bound to the corresponding CGN instance, which binds the user group to the control policy. During BNG/CGN user access, the related control policy can be obtained through authorization or by finding the bound CGN instance from the control domain the user belongs to.
Converging the CGN policy architecture with the BNG user policy architecture provides operable control over the NAT management policy and implements ordered management and allocation of user addresses and port resources. This maximizes resource usage and centralizes the management of differentiated NAT services and policies, which reduces O&M costs and delivers carrier-grade NAT operation.

3.4 Management of Ordering Port Pre-Allocation

Statistical multiplexing of IP addresses, in which multiple users share the same IP address, maximizes the use of limited public address resources. The conventional NAT mechanism, which allocates ports on demand, causes several management problems. Because per-user port resources are not controlled, a few users can occupy a large number of public ports; once all ports on an address are allocated, the IP address must change, which disrupts service access. In addition, ports are not allocated contiguously, so user source tracing is difficult, the system load increases, and a large number of log records are required to record per-port allocations.

The ordered port pre-allocation mechanism increases port usage and improves operation and management efficiency. When a user accesses the network, a public IP address is allocated according to the control policy bound to the user, and the public address and port range are specified; all of this is recorded in the user management control table.

As shown in Figure 3-6, two HGWs are allocated the private IPv4 addresses 192.168.1.1 and 192.168.1.2 and share the same public IPv4 address, 211.1.10.88.
HGW packets are differentiated by TCP/UDP port segment. Public address 211.1.10.88 with port segments 3001-4000 and 6001-7000 maps to private address 192.168.1.1; public address 211.1.10.88 with port segments 4001-5000 and 7001-8000 maps to private address 192.168.1.2. Figure 3-6 shows the management of ordering port pre-allocation.

Figure 3-6 Management of ordering port pre-allocation
(Figure: two HGWs with private IPv4 addresses behind a converged CGN&BNG that shares public address 211.1.10.88; the BRAS, RADIUS and CGN inter-work, and the user management control table holds the following entries.)

User identifier  Private IPv4  Profile    Public IPv4  Start port 1  End port 1  Start port 2  End port 2  ...
Tunnel ID 1      192.168.1.1   Profile 1  211.1.10.88  3001          4000        6001          7000        ...
Tunnel ID 2      192.168.1.2   Profile 2  211.1.10.88  4001          5000        7001          8000        ...

When a user accesses services using a private network address, NAT is performed with the public address and port segment allocated to that user, who is identified by the unique user access channel. All terminals belonging to that user share the allocated address and port resources, within the limits set by the user's CGN control policy. External ports on the public IPv4 address are allocated to users or user groups in sequence, port segment by port segment; if all ports in a segment are used, an additional segment can be allocated. Port segment allocation gives ordered management of IP address and port resources: abuse of either by a few users is prevented, user source tracing is simplified, CGN session logs are greatly reduced, and system load is lowered.
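The control table above, worked through in code as an added example (not Huawei's implementation): segments are handed out in sequence, a user that exhausts a segment receives one extra segment up to the cap in its profile, one log record is written per segment rather than per session, and source tracing is a range lookup from public IP:port back to the subscriber. The addresses, tunnel IDs and the two HGWs' segments are those of Figure 3-6; the block size of 1000 ports, the first external port 3001, the per-user block cap and the third subscriber that takes 5001-6000 in between are assumptions made for the example.

```python
# Ordering port pre-allocation with block-level logging and source tracing.
# Added example, not Huawei's implementation. Addresses, tunnel IDs and the
# two HGW segment sets come from Figure 3-6; the block size of 1000 ports,
# the first external port 3001, the per-user block cap in the profile and
# the third subscriber that takes 5001-6000 are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PUBLIC_IP = "211.1.10.88"
BLOCK_SIZE = 1000      # assumed: ports per pre-allocated segment
FIRST_PORT = 3001      # assumed: lowest external port handed out
LAST_PORT = 65535


@dataclass
class Profile:
    name: str
    max_blocks: int    # assumed CGN profile field: cap on segments per user


@dataclass
class Subscriber:
    tunnel_id: str
    private_ip: str
    profile: Profile
    segments: List[Tuple[int, int]] = field(default_factory=list)
    used: Set[int] = field(default_factory=set)   # external ports with live sessions


class PortAllocator:
    """User management control table for one shared public IPv4 address."""

    def __init__(self, public_ip: str = PUBLIC_IP) -> None:
        self.public_ip = public_ip
        self.next_port = FIRST_PORT
        self.table: Dict[str, Subscriber] = {}
        self.logs: List[str] = []   # one record per block, none per session

    def allocate_segment(self, sub: Subscriber) -> Optional[Tuple[int, int]]:
        """Hand out the next contiguous block in sequence, or None when the
        profile cap is reached or the address has no ports left."""
        if len(sub.segments) >= sub.profile.max_blocks:
            return None
        if self.next_port + BLOCK_SIZE - 1 > LAST_PORT:
            return None
        seg = (self.next_port, self.next_port + BLOCK_SIZE - 1)
        self.next_port += BLOCK_SIZE
        sub.segments.append(seg)
        self.logs.append(f"{sub.tunnel_id} {sub.private_ip} -> "
                         f"{self.public_ip}:{seg[0]}-{seg[1]}")
        return seg

    def admit(self, tunnel_id: str, private_ip: str, profile: Profile) -> Subscriber:
        """Called at access time: bind the identifier to a policy and pre-allocate
        the first segment, recording everything in the control table."""
        sub = Subscriber(tunnel_id, private_ip, profile)
        self.table[tunnel_id] = sub
        self.allocate_segment(sub)
        return sub

    def open_session(self, tunnel_id: str) -> Optional[Tuple[str, int]]:
        """Map a new flow to a free port inside the user's own segments. When
        every port is busy, try one extra segment; refuse if the cap is hit."""
        sub = self.table[tunnel_id]
        for lo, hi in sub.segments:
            for port in range(lo, hi + 1):
                if port not in sub.used:
                    sub.used.add(port)
                    return (self.public_ip, port)
        seg = self.allocate_segment(sub)
        if seg is None:
            return None
        sub.used.add(seg[0])
        return (self.public_ip, seg[0])

    def trace(self, public_ip: str, port: int) -> Optional[str]:
        """Source tracing: public IP:port -> subscriber, by segment lookup,
        with no per-session log needed."""
        if public_ip != self.public_ip:
            return None
        for sub in self.table.values():
            if any(lo <= port <= hi for lo, hi in sub.segments):
                return sub.tunnel_id
        return None


def build_figure_3_6() -> PortAllocator:
    """Reproduce the Figure 3-6 table: both HGWs exhaust their first block,
    so their 1001st flow triggers an extra block after a third subscriber
    (constructed) has taken 5001-6000 in between."""
    alloc = PortAllocator()
    alloc.admit("Tunnel ID 1", "192.168.1.1", Profile("Profile 1", max_blocks=2))
    alloc.admit("Tunnel ID 2", "192.168.1.2", Profile("Profile 2", max_blocks=2))
    alloc.admit("Tunnel ID 3", "192.168.1.3", Profile("Profile 3", max_blocks=1))
    for tid in ("Tunnel ID 1", "Tunnel ID 2"):
        for _ in range(BLOCK_SIZE + 1):
            alloc.open_session(tid)
    return alloc


if __name__ == "__main__":
    a = build_figure_3_6()
    for tid, sub in a.table.items():
        print(tid, sub.private_ip, sub.segments)
    print(len(a.logs), "block logs for",
          sum(len(s.used) for s in a.table.values()), "sessions")
    print("211.1.10.88:6500 belongs to", a.trace("211.1.10.88", 6500))
```

Running the script reproduces the two rows of the figure (3001-4000 plus 6001-7000 for 192.168.1.1, 4001-5000 plus 7001-8000 for 192.168.1.2) with five block records covering 2002 sessions, and a lookup of 211.1.10.88:6500 resolves to Tunnel ID 1 from the segment table alone; the profile cap stops a subscriber from taking a third block.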
3.5 NAT Traversal

Although NAT effectively resolves the IP address shortage, it introduces address translation problems. NAT translates IP-layer addresses and TCP/UDP ports, but some applications also carry address information inside the TCP/UDP payload, and a standard NAT device does not modify payload content. After NAT, the IP-layer address in the packet no longer matches the address carried in the payload, and the application fails. This problem occurs with protocols such as FTP, RTSP, SIP and DNS.

Two solutions are available.

Solution one: An application layer gateway (ALG) enables the NAT device to parse specific application protocols. When an application writes its address into the application payload, the ALG module of the NAT rewrites that address to the NAT external address. This keeps the packet IP header and the address in the payload consistent, so that the application runs normally.

Solution two: The application obtains the external NAT address corresponding to its own address in advance and writes the external address into the payload itself, so the NAT does not need to modify payload content. An application that implements the STUN protocol can resolve the NAT traversal problem in this way.

Figure 3-7 shows the large-scale deployment of CGN services to support NAT traversal.
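Solution one, shown for the FTP case named above, as an added example that is not Huawei's ALG code: the client's PORT command carries its private address and port in decimal, the ALG decodes it, looks up the public mapping and rewrites the command so that the payload agrees with the translated IP header again. The mapping table stands in for the CGN's NAT table and is constructed for the example, reusing the addresses of Figure 3-6.

```python
# FTP PORT-command ALG rewrite, added here to illustrate solution one. Not
# Huawei's ALG code. The private-to-public mapping table is constructed for
# the example and stands in for the CGN's NAT table; addresses are those of
# Figure 3-6.
import re
from typing import Dict, Optional, Tuple

PORT_CMD = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")

Endpoint = Tuple[str, int]


def parse_port_cmd(payload: bytes) -> Optional[Endpoint]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if not a PORT command."""
    m = PORT_CMD.match(payload)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None   # malformed command: leave it to the application
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def format_port_cmd(ip: str, port: int) -> bytes:
    """Encode (ip, port) back into the FTP decimal form."""
    hi, lo = divmod(port, 256)
    return f"PORT {ip.replace('.', ',')},{hi},{lo}\r\n".encode()


def alg_rewrite(payload: bytes,
                nat_table: Dict[Endpoint, Endpoint]) -> Tuple[bytes, int]:
    """Rewrite the private endpoint inside the payload to its public mapping.
    Returns the new payload and the length delta; a real ALG must apply that
    delta to subsequent TCP sequence/acknowledgement numbers, because the
    decimal form of the new address may be longer or shorter."""
    ep = parse_port_cmd(payload)
    if ep is None or ep not in nat_table:
        return payload, 0     # not a PORT command, or no mapping: pass through
    pub_ip, pub_port = nat_table[ep]
    out = format_port_cmd(pub_ip, pub_port)
    return out, len(out) - len(payload)


def payload_matches_header(header_src_ip: str, payload: bytes) -> bool:
    """The consistency condition the ALG restores: the address advertised in
    the payload must equal the source address in the translated IP header."""
    ep = parse_port_cmd(payload)
    return ep is not None and ep[0] == header_src_ip


if __name__ == "__main__":
    nat_table = {("192.168.1.1", 3000): ("211.1.10.88", 3001)}  # constructed
    cmd = b"PORT 192,168,1,1,11,184\r\n"    # 192.168.1.1:3000 as sent by the client
    print("consistent before ALG:", payload_matches_header("211.1.10.88", cmd))
    new_cmd, delta = alg_rewrite(cmd, nat_table)
    print(new_cmd, "delta", delta,
          "consistent after ALG:", payload_matches_header("211.1.10.88", new_cmd))
```

Without the rewrite, the translated header says 211.1.10.88 while the payload still advertises 192.168.1.1, which is exactly the mismatch the section describes; after the rewrite the two agree. Commands that are not PORT, or whose endpoint has no mapping, pass through untouched, and an out-of-range octet is rejected rather than guessed at.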
Figure 3-7 Large-scale deployment of CGN services to support NAT traversal
(Figure: HGW behind a converged CGN&BNG with RADIUS, portal server and DNS, and a pre-allocated port range on the public IPv4 address; terminal applications send port open requests, directly or through a proxy, using PMP, UPnP, PCP or a web portal, so that the CGN dynamically opens an outside service IP and port under the cone NAT model.)

Applications that use the STUN protocol for traversal require the NAT device to support asymmetric NAT. However, STUN is not suitable for TCP. Consequently, most current P2P streaming media applications require the NAT device to open external address ports in UPnP/PMP mode, in which control information is sent to the NAT gateway to add a port mapping. The NAT can then be reached from outside and NAT traversal is achieved.

For two nodes that are both behind NAT to communicate, application software must attempt NAT traversal by port probing or guessing, because neither party knows the external service port of the peer. Efficiency is low and success cannot be guaranteed, so a relay server is normally required to establish the connection and relay both parties' information. In large-scale deployment both parties are usually behind NAT, and relay server performance then becomes the bottleneck, so the relay cannot be used to transfer the information. External port open protocols, however, can open external ports dynamically; in this scenario, a NAT server supporting asymmetric NAT is required to ensure security. Both parties can then connect to each other directly, and transferring information through the relay server is no longer required.
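The CGN side of the port open request described above, as an added example that is not Huawei's code: whatever the transport (PMP, UPnP, PCP or a web portal), a request to open an external port has to be checked against the requesting subscriber's entry in the user management control table before a mapping is added. The example assumes the request has already been parsed into fields, constructs table entries with the addresses and segments of Figure 3-6, and treats the per-user quota of open ports as an assumed CGN profile field.

```python
# Policy check for dynamic port-open requests (the PMP/UPnP/PCP/web-portal
# requests in Figure 3-7), added here as an illustration; not Huawei's code.
# Request parsing is assumed done; the control table entries are constructed
# and reuse the Figure 3-6 addresses and segments. The per-user cap on open
# ports is an assumed CGN profile field.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class UserEntry:
    private_ip: str
    public_ip: str
    segments: List[Tuple[int, int]]          # pre-allocated external port ranges
    max_open_ports: int                      # assumed profile field
    # external port -> (internal ip, internal port) for mappings opened on request
    open_ports: Dict[int, Tuple[str, int]] = field(default_factory=dict)


class PortOpenPolicy:
    """Decide whether the CGN may open an external port for a subscriber."""

    def __init__(self, table: Dict[str, UserEntry]) -> None:
        self.table = table

    @staticmethod
    def _in_segments(user: UserEntry, port: int) -> bool:
        return any(lo <= port <= hi for lo, hi in user.segments)

    def request(self, tunnel_id: str, internal_ip: str, internal_port: int,
                suggested_ext_port: int = 0) -> Tuple[str, Optional[str], Optional[int]]:
        """Return (status, external_ip, external_port); status is 'OK' or the
        reason for refusal. The subscriber may only map its own private
        address, the external port must lie inside its own pre-allocated
        segments, and the profile's open-port quota is enforced."""
        user = self.table.get(tunnel_id)
        if user is None:
            return "UNKNOWN_USER", None, None
        if internal_ip != user.private_ip:
            return "FOREIGN_ADDRESS", None, None    # no mappings for other hosts
        if len(user.open_ports) >= user.max_open_ports:
            return "QUOTA", None, None
        if suggested_ext_port:
            if not self._in_segments(user, suggested_ext_port):
                return "OUT_OF_RANGE", None, None
            if suggested_ext_port in user.open_ports:
                return "IN_USE", None, None
            ext = suggested_ext_port
        else:
            ext = next((p for lo, hi in user.segments for p in range(lo, hi + 1)
                        if p not in user.open_ports), None)
            if ext is None:
                return "EXHAUSTED", None, None
        user.open_ports[ext] = (internal_ip, internal_port)
        return "OK", user.public_ip, ext

    def release(self, tunnel_id: str, ext_port: int) -> bool:
        """Close a mapping; only the owning subscriber can release it."""
        user = self.table.get(tunnel_id)
        if user is None or ext_port not in user.open_ports:
            return False
        del user.open_ports[ext_port]
        return True


def demo_table() -> Dict[str, UserEntry]:
    """Constructed entries mirroring Figure 3-6."""
    return {
        "Tunnel ID 1": UserEntry("192.168.1.1", "211.1.10.88",
                                 [(3001, 4000), (6001, 7000)], max_open_ports=2),
        "Tunnel ID 2": UserEntry("192.168.1.2", "211.1.10.88",
                                 [(4001, 5000), (7001, 8000)], max_open_ports=2),
    }


if __name__ == "__main__":
    policy = PortOpenPolicy(demo_table())
    print(policy.request("Tunnel ID 1", "192.168.1.1", 8080))
    print(policy.request("Tunnel ID 1", "192.168.1.2", 8080))     # another user's host
    print(policy.request("Tunnel ID 1", "192.168.1.1", 22, 4500))  # inside user 2's range
```

Keeping opened ports inside the subscriber's own pre-allocated segments means the source tracing of Section 3.4 still holds for dynamically opened ports, and refusing mappings for addresses other than the requester's own prevents one host behind the HGW from exposing another.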
The CGN must allow most applications to open ports dynamically, and applications must support dynamic port mapping modes such as PMP, UPnP and PCP. Used together with STUN, this implements service NAT traversal for large-scale NAT deployment. The combination enables P2P single-/multi-channel services to work through NAT and can also be chosen for applications that have no ALG support. PCP and web portal modes can additionally be used to coordinate and manage external ports and meet the specific requirements of certain applications.

3.6 High Reliability

In the DS-Lite scenario, the CGN is the core of the network and must therefore offer high reliability and extensibility. High availability (HA) redundancy is necessary to achieve carrier-class reliability and uninterrupted service. A single CGN device can use multiple CGN service cards for inter-card load sharing and redundancy backup, improving the processing performance and extensibility of the overall system. The redundancy backup mechanism can also be implemented between multiple devices to provide redundancy backup and load sharing. Figure 3-8 shows the backup mechanism between CGN devices.

Figure 3-8 Backup mechanism between CGN devices
(Figure: CGN1 with loopback 1.1.1.1 and CGN2 with loopback 1.1.1.2, each with MPU, LPU and SPU/NAT cards; VRRP group 1 is active on CGN1 and backup on CGN2, VRRP group 2 is active on CGN2 and backup on CGN1; BFD runs between the devices and HRP over TCP synchronizes the session/NAT tables of NAT instances 1 and 2; User 1 and User 2 reach the IPv4 Internet through the pair.)

The reliability backup mechanism of the CGN is based on the extended VRRP function, which manages the active/standby status of the device.
Patented by Huawei Technologies, the extended VRRP is used for interface backup when multiple access interfaces exist between devices or cards. Unlike the device-level backup provided by conventional VRRP, the extended VRRP provides interface-level backup and allows multiple interfaces on the same device to be configured into the same backup group. The backup granularity of the extended VRRP is therefore finer than that of conventional VRRP, and the backup modes are more flexible. Conventional VRRP is an L3 protocol, whereas the extended VRRP is an L2 protocol that can be used in L2 user access scenarios without a virtual IP address on the access interface.

The CGN uses the extended VRRP to implement inter-device or inter-card backup. User services are switched to the backup interface if a fault occurs on the active interface, on the links connected to it, or on the board housing it. CGN user information must be synchronized in real time between the active and standby devices or cards: user management control table items created on the active device or card are synchronized to the backup device or card. The active and standby VRRP roles are switched if the interface or interface link managed by the VRRP is faulty, and users bound to that VRRP are immediately switched to the standby device to prevent service interruption and packet loss. The information backup mechanism between the devices uses the HRP protocol, patented by Huawei Technologies, to synchronize status information in real time.

The CGN uses VRRP-based BFD to detect the active/standby status of the VRRP group and to implement carrier-class management of device or link faults.
BFD is applied between the active and standby VRRP entities to keep the fault detection time under 50 milliseconds. This enables smooth switching between the active and standby devices; services are not interrupted and the user does not notice the fault. However, the number of VRRP groups in the system is limited, so the management granularity must be refined as far as possible to maximize operation and management flexibility. The backup relationship of the VRRP groups can be correlated with user groups by associating CGN instances, or BNG control domains mapped to CGN instances, with the VRRP groups. If CGN user groups are bound to VRRP groups, the correlated CGN user group is switched to the standby device or card as soon as active/standby switchover is performed for the VRRP backup group, and the standby device takes over subsequent services. Sessions of a CGN user are synchronized between the devices as hot backup, and fault detection is performed in real time. The backup relationship supports 1:1 or N:1 mode to meet the reliability and extensibility requirements of CGN services.

4 Conclusion

The CGN is the most mature and economical solution for resolving IPv4 address exhaustion during the lengthy evolution from IPv4 to IPv6. The high-performance CGN device developed by Huawei supports a large number of concurrent users, provides an effective user source tracing mechanism, and is suitable for large-scale commercial deployment. With high deployment flexibility, the Huawei CGN device can be deployed independently or integrated into the BRAS or CR in either centralized or distributed mode. Its inter-device and inter-card hot backup ensures high reliability and uninterrupted services, while CGN/BNG convergence provides a range of flexible user control policies.
The Huawei CGN solution ensures the smooth transition of carriers' networks to IPv6 and the seamless continuity of IPv4 services.

B Acronyms and Abbreviations

Acronym and Abbreviation  Full Name
CGN                       Carrier Grade NAT
CPE                       Customer Premises Equipment
DHCP                      Dynamic Host Configuration Protocol
DS-Lite                   Dual Stack Lite
NAT                       Network Address Translation
Native IPv6               Native IPv6
Radius                    Remote Authentication Dial-In User Service
VRRP                      Virtual Router Redundancy Protocol