IPv6 Transition for Broadband Access
Eric Ku, ericku@cisco.com
CSA, APAC SP CTO Office
Cisco Confidential
© 2010 Cisco and/or its affiliates. All rights reserved.
1
Establishing Focus
•  IPv6 technology is an 'enabler' of business expansion and new business opportunities. The technology itself is not a 'market driver'.
•  IPv6 is NOT a feature. It is about the fundamental IP network layer model developed for end-to-end services and network transparency.
•  With the exhaustion of the IPv4 free pool, IPv6 deployment enables business continuity.
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
2
“346”: A 3 Tier Transition Framework for Moving from IPv4 to IPv6
[Figure: three tiers (Preserve IPv4; IPv4/IPv6 Coexistence Infrastructure; Services & Applications running over IPv6) on a timeline (Today, IPv4 Run-Out, 2010, 2012, 2020+); other labels: IPv4, IPv6 Internet]
You Have Run Out of IPv4. Choices?...
•  Buy a Company to take their IP Addresses
•  IPv4 Subnet Trading
→ A contractual right to announce addresses are yours (for now)
→ But viability requires widespread adoption of Routing Security
•  Additional addresses are too expensive, now what?...
NAT 444 Re-Enables Subscriber Growth
•  Large Scale NAT
→ Public IP Exhaust
•  AFT NAT 444 absorption into SP’s L3 Edge
→ Cost/Ops Optimize
IPv6 Is Already Running over Access
+ others
•  IPv6 Over the Top (OTT)
   – Application Providers
   – Tunnel Brokers
•  AFT will speed up OTT
   – Bypasses binding limits
•  Even if you have IPv4 addresses, there is risk in delaying IPv6
   – Equipment, behavior, & practices leave you behind
Establishing an IPv6 Infrastructure
•  Stand-alone IPv6 islands are of limited value
•  IPv6 Peering
   – Direct IPv6 peering
   – Tunnel IPv6 packets thru the IPv4 cloud
•  Eventually, equivalent requirements as for IPv4 aggregation
   – MPLS/VPN
   – Business connectivity
•  Must support IPv4 services
Connecting IPv6 Devices to the Internet
•  v6 PC (native/dual stack)
→  P2P addressability
→  NAT mitigated
→  Someday reduces application keep-alives
•  6rd
→  Reuse legacy DSLAMs & aggregation
•  Stateful AFT 6→4
→  Access v4 content from v6 only CPE
→  Incentives for content providers to go v6
Migrating Applications to IPv6
And the Incentives for the Change
•  Internet VoD
→  AFT costs avoided
•  Internet VoIP
→  AFT binding limit (911 calls refused?)
→  Lawful intercept by prefix
→  Addressability without keepalive
•  Mobile Nodes (Handsets)
→  Handset internet access
→  RFC 1918 exhaust
→  AFT avoidance
•  Access Provider Settops
→  RFC 1918 exhaust
[Figure: lifecycle wheel labelled Prepare, Plan, Design, Implement, Operate, Optimize]
Menu of IPv4 Exhaust Technologies
Method 1: IPv6 Hosts (& Dual Stack)
Method 2: Large Scale NAT 44
Method 3: Large Scale NAT 64
Method 4: IPv6 Tunnelling / IPv6 over IPv4 tunnelling
Method 5: IPv4 Tunnelling over IPv6
Method 6: IPv4 Subnet Trading / Exchange
Interworking / coexistence will be necessary
IPv6 Strategy in Broadband Access
[Figure: five access scenarios on a timeline, each drawn from the subscriber network through CPE, access network and PE to the ISP core and the IPv4 or IPv6 Internet]
< 2010: Translator: NAT444
2011: Automatic Tunnel: 6RD or L2TP
2012: Dual Stack: IPv6 Native (Dual Stack)
2013: Automatic Tunnel: DS-Lite or 4rd
2014+: Translator: NAT64
NAT Terminology
•  NAT – Network Address Translation
•  NAPT – Network Address and Port Translation
•  NAT44 – NA(P)T from IPv4 to IPv4
•  NAT64 – NA(P)T from IPv6 to IPv4
•  NAT46 – NA(P)T from IPv4 to IPv6
•  NAT66 – NAT from IPv6 to IPv6
•  NAT is often spoken/written instead of NAPT
Network Address Translation (NAT)
•  First described in 1991 (draft-tsuchiya-addrtrans)
•  1:1 translation
   – Does not conserve IPv4 addresses
•  Per-flow stateless
•  Today's primary use is inside of enterprise networks
   – Connect overlapping RFC1918 address space
Network Address and Port Translation (NAPT)—The Router in Your Home
•  Described in 2001 (RFC3022)
•  1:N translation
   – Multiple hosts share one IPv4 address
•  Only TCP, UDP, and ICMP
•  Connection initiated from inside
•  Per-flow stateful
Application Layer Gateway (ALG)
•  Application awareness inside the NAT
•  ALG functions:
   1.  Modify IP addresses and ports in application payload
   2.  Create NAT mapping
•  Each application requires a separate ALG
   – FTP, SIP, RTSP, RealAudio,…
[Figure: NAT with SIP ALG; m/c=10.1.1.1/1234 on the inside, m/c=161.44.1.1/5678 towards the Internet]
Problems With ALGs
•  Requires ALG for each application
•  Requires ALG that understands this particular application's nuance
   – Proprietary extensions / deviations
   – New standards
•  ALG requires:
   – Un-encrypted signaling (!!)
   – Seeing application's signaling and media/data: easy with stub network; harder with mesh network
Large Scale NAT (LSN)
•  Essentially, just a big NAPT44
•  Used with DS-Lite (called "AFTR")
•  Needs per-subscriber TCP/UDP port limits
   – Prevent denying service to other subscribers
   – If too low, can interfere with applications
   – Classic example: Google maps
•  How to number network between subscriber and LSN?
   – RFC1918 conflicts with user's space, breaks some NATs
   – Using routable IPv4 addresses is … wasteful
Applications Break With Insufficient Ports
Source: Shin Miyakawa, NTT Communications
IP Address Sharing Issues
•  Most noticeable with Large Scale NAT
•  Reputation and abuse reporting are based on IPv4 address
   – Shared IP address = shared suffering (e.g., spammers)
   – Law Enforcement
      Which subscriber posted on www.example.com at 8:23pm?
      Requires LSN log source port numbers
      Requires web servers log source port numbers
draft-ford-shared-addressing-issues
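The log lookup behind the law-enforcement question above, as an added Python example (not part of the original deck): a toy LSN that enforces a per-subscriber port limit, logs every binding, and attributes a report with and without the source port. The class names, addresses, ports and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Binding:
    """One line of the LSN log: who held which public port, and when."""
    subscriber: str            # inside (private) IPv4 address
    inside_port: int
    public_ip: str
    public_port: int
    proto: str
    start: int                 # seconds; constructed timestamps
    end: Optional[int] = None  # None while the flow is still active


class LargeScaleNat:
    """Toy NAPT44 with a per-subscriber port limit and a binding log."""

    def __init__(self, public_ip, ports, per_subscriber_limit):
        self.public_ip = public_ip
        self.free = list(ports)            # shared public port pool
        self.limit = per_subscriber_limit
        self.active = {}                   # (proto, subscriber, inside_port) -> Binding
        self.log = []                      # every binding ever created

    def outbound(self, subscriber, inside_port, now, proto="tcp"):
        """Create (or reuse) a binding; None means the flow was refused."""
        key = (proto, subscriber, inside_port)
        if key in self.active:
            return self.active[key]
        held = sum(1 for b in self.active.values() if b.subscriber == subscriber)
        if held >= self.limit or not self.free:
            return None                    # the limit protects other subscribers
        b = Binding(subscriber, inside_port, self.public_ip,
                    self.free.pop(0), proto, now)
        self.active[key] = b
        self.log.append(b)
        return b

    def expire(self, subscriber, inside_port, now, proto="tcp"):
        """Close a flow; its public port goes back to the front of the pool."""
        b = self.active.pop((proto, subscriber, inside_port), None)
        if b is not None:
            b.end = now
            self.free.insert(0, b.public_port)

    def attribute(self, public_ip, when, public_port=None, proto="tcp"):
        """Subscribers that match a report for public_ip at time `when`."""
        return sorted({
            b.subscriber for b in self.log
            if b.public_ip == public_ip and b.proto == proto
            and b.start <= when and (b.end is None or when <= b.end)
            and (public_port is None or b.public_port == public_port)
        })


def build_demo():
    """Constructed scenario: three subscribers behind one shared address."""
    lsn = LargeScaleNat("203.0.113.7", ports=range(1024, 1034),
                        per_subscriber_limit=2)
    lsn.outbound("10.0.0.1", 5000, now=100)   # gets public port 1024
    lsn.outbound("10.0.0.2", 5000, now=101)   # gets 1025
    lsn.outbound("10.0.0.1", 5001, now=102)   # gets 1026
    lsn.outbound("10.0.0.3", 6000, now=104)   # gets 1027
    lsn.expire("10.0.0.2", 5000, now=110)     # 1025 returns to the pool
    lsn.outbound("10.0.0.3", 6001, now=120)   # 1025 reused by another subscriber
    return lsn


if __name__ == "__main__":
    lsn = build_demo()
    # Address and time only: every subscriber sharing the address matches.
    print(lsn.attribute("203.0.113.7", when=105))
    # Address, time and source port: exactly one subscriber.
    print(lsn.attribute("203.0.113.7", when=105, public_port=1025))
    # Same port later: a different subscriber, so the timestamp matters too.
    print(lsn.attribute("203.0.113.7", when=125, public_port=1025))
```

Without the source port in the web server's log, the LSN log can only narrow a report to everyone sharing the address at that time.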
NAT44 Summary
Pros
•  ISPs can reclaim global IPv4 addresses from customers, replacing with non-routable private addresses and NAT
•  Addresses immediate IPv4 exhaust problem
•  No change to subscriber CPE
•  No IPv4 re-addressing in home
•  Dense utilization of Public IP address/port combinations
Cons
•  SP NAT results in margin & competitive implications
•  Does not solve address exhaust problem in the long term
•  Sharing IPv4 addresses could have user behavioral and liability implications
•  User control over NAT
What is 6rd?
•  6rd = IPv6 Rapid Deployment (RFC 5969)
•  Incremental method for deploying IPv6
•  Service to subscriber is production-quality
   – Native IPv6 + IPv4 dual-stack
•  Reuses IPv4 in the SP
•  No IPv6 support needed in Access and Aggregation
•  No DHCPv6 servers, no IPv6 Neighbor Discovery, etc.
•  Similar to 6PE as it provides a native dual-stack service to a subscriber site by using existing infrastructure, operations, etc.
Tunneling
IPv6 Rapid Deployment (6rd)
•  A form of v6/v4 which traverses the aggregation cloud without added IPv6 provisioning
[Figure: 6rd RG and 6rd Relay, with these callouts]
   – For IPv6 traffic destined for the Home, the 6rd Relay pulls the RG’s IPv4 from within the destination IPv6 address
   – For IPv6 traffic destined to a nearby 6rd user, the RG pulls the target IPv4 tunnel endpoint from within the destination IPv6 address
   – For IPv6 traffic destined to the backbone, the RG uses the destination IPv4 of the 6rd Relay.
   – Residence’s IPv6 Subnet is constructed from: ISP’s IPv6 Prefix + RG IPv4 Address + SLA (figure labels: RG IPv4 Address, /56, /128)
Comparing IPv6 Tunneling Technologies
Technologies | Based Transport | Prefix From | Topology | RG IPv6 Prefix
6PE/6VPE | MPLS | ISP | Multipoint | Provisioned
6rd | IPv4 | ISP | Multipoint | From IPv4
6to4 | IPv4 | 2002::/16 | Multipoint | From IPv4
DS lite | IPv6 | ISP | Pt-to-Pt | Provisioned
GRE | IPv4 or IPv6 | ISP | Pt-to-Pt | Provisioned
6rd in one slide
[Figure: RG (6rd) reaching the 6rd Border Relays over IPv4; gateway, Border Relays and core carry IPv4 + IPv6. Callouts: Subscriber IPv6 prefix derived from IPv4 address; “One line” global config for IPv6 Gateway]
•  Native dual-stack IPv4/IPv6 in the home or office
•  Simple, stateless, automatic IPv6-in-IPv4 encap and decap functions
•  IPv6 traffic automatically follows IPv4 Routing between CPE and BR
•  BRs placed at IPv6 edge, addressed via anycast for load-balancing and resiliency
•  Standardized in RFC 5969
6rd Residential Gateway
[Figure: RG between the home LAN (IPv6 + IPv4 Dual Stack) and the IPv4-only SP Access Network; 6rd lives here, on the RG]
LAN-Side: Production Native IPv6 Service + Global or Natted IPv4
WAN-Side: Global or Natted IPv4 (IPv4 SP Network)
IPv6 Internet Access delivered to home, subscriber IPv6 prefix derived from WAN IPv4 address
Most RG can support 6rd thru open source, e.g. DD-WRT and OpenWrt
6rd RG Configuration
•  6rd RG configuration, 3 main parameters
   1  ISP 6rd IPv6 Prefix and length
   2  IPv4 common bits
   3  6rd Border Relay IPv4 address
•  All these parameters need to be defined by SP. One set of such configurations is considered as one 6rd domain.
•  Configuration can be pushed via
   – TR-69
   – DHCP option 212
   – PPP IPCP option
6rd RG IPv6 Prefix derived from IPv4 address
[Figure: address layout. Bits 0-32: ISP 6rd IPv6 Prefix (2011:1001). Bits 32-64: Customer IPv4 address, v4 common bits=0 (810A:0B0C). From bit 64: Interface ID]
ISP 6rd IPv6 Prefix = 2011:1001::/32
BR = 64.98.1.1
Customer IPv4 address = 129.10.11.12
Customer IPv6 prefix = 2011:1001:810A:B0C::/64
•  RG needs to get an IPv4 address first, from SP assignment
•  RG will generate IPv6 prefix from 6rd prefix and IPv4 address
•  RG configured exactly as for any native IPv6 connectivity to LAN side
   – SLAAC or DHCPv6
•  LAN stations use the IPv6 prefix to generate an IPv6 address.
•  Most browsers will prefer to use IPv6 if they can get an AAAA record.
6rd Domains Example (2)
[Figure: address layout. Bits 0-40: ISP 6rd IPv6 Prefix (2011:1001:02). Bits 40-56: Customer IPv4 address, v4 common bits=16 (20:30). Bits 56-64: Subnet-ID. From bit 64: Interface ID]
ISP 6rd IPv6 Prefix = 2011:1001:200::/40
BR = 64.98.1.1
Customer IPv4 address = 64.98.32.48
Customer IPv6 prefix = 2011:1001:220:3000::/56
•  By carrying fewer IPv4 bits in the IPv6 prefix, the SP has more room to assign a shorter prefix to the customer.
•  Each domain will have a mapping of 6rd prefix and IPv4 address block, defined by BR address and common bits.
•  Configuration for each domain is different; the SP may have operational overhead to deal with the complexity.
6rd BR Setup and Provisioning
[Figure labels: IPv4-only AAA and/or DHCP; RG (NAT44 + 6rd); Native Dual Stack to Customer (IPv4-Private + IPv6); IPv4 Access Node (IPv4); BNG (IPv4); 6rd Border Relay; NAT; IPv6 + IPv4]
1.  BR must have IPv6 reachability (Native, 6PE, GRE Tunnel, etc).
2.  An access-network-facing IPv4 address (BR address configured in RG)
3.  ISP 6rd IPv6 Prefix and Length
*One BR may serve one or more 6rd domains
6rd Packet Encapsulation out of domain
[Figure: an IPv6 packet leaves the dual stack network behind the RG, carries a 6rd IPv4 header across the IPv4 access network to the 6rd Border Relays, and continues as an IPv6 packet in the dual stack (IPv4 + IPv6) core]
ISP 6rd IPv6 Prefix = 2001:1001:100::/40, IPv4 common bits=8, BR = 10.1.1.1
IPv6 Header: (Src) 2001:1001:10A:B0C::10, (Dst) 2404:6800:8005::68
IPv4 Header: (Src) 10.10.11.12, (Dst) 10.1.1.1
If (dstv6) not match ISP 6rd IPv6 Prefix, then (dstv4) = BR
6rd Packet Encapsulation within domain
[Figure: an IPv6 packet leaves the dual stack network behind one RG, carries a 6rd IPv4 header across the IPv4 access network, and is delivered as an IPv6 packet to the dual stack network behind another RG, without passing the 6rd Border Relays]
ISP 6rd IPv6 Prefix = 2001:1001:100::/40, IPv4 common bits=8, BR = 10.1.1.1
IPv6 Header: (Src) 2001:1001:10A:B0C::1, (Dst) 2001:1001:180:E0F::1
IPv4 Header: (Src) 10.10.11.12, (Dst) 10.120.14.15
If (dstv6) match ISP 6rd IPv6 Prefix, then (dstv4) derived from (dstv6)
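The prefix derivation and encapsulation rules from the 6rd slides above, as an added Python example (not code from the deck or from any 6rd implementation). It also adds the receive-side source check from RFC 5969, which the deck cites but does not show. The class and method names are hypothetical, and taking the common IPv4 bits from the BR address is an assumption based on the slides' "defined by BR address and common bits".

```python
import ipaddress


class SixRdDomain:
    """One 6rd domain: ISP 6rd IPv6 prefix, IPv4 common bits, BR IPv4 address."""

    def __init__(self, prefix, common_bits, br):
        self.prefix = ipaddress.IPv6Network(prefix)
        self.br = ipaddress.IPv4Address(br)
        self.v4_bits = 32 - common_bits            # IPv4 bits carried in IPv6
        self.delegated_len = self.prefix.prefixlen + self.v4_bits
        if not 0 <= common_bits <= 32 or self.delegated_len > 64:
            raise ValueError("6rd prefix plus IPv4 bits must fit in 64 bits")
        # Assumption: the common high-order IPv4 bits are those of the BR
        # address, which sits in the same IPv4 block as the RGs.
        self.common = (int(self.br) >> self.v4_bits) << self.v4_bits

    def delegated_prefix(self, rg_v4):
        """IPv6 prefix an RG derives from its WAN IPv4 address."""
        v4 = int(ipaddress.IPv4Address(rg_v4))
        suffix = v4 & ((1 << self.v4_bits) - 1)
        if v4 - suffix != self.common:
            raise ValueError(f"{rg_v4} is outside this domain's IPv4 block")
        base = int(self.prefix.network_address)
        shifted = suffix << (128 - self.delegated_len)
        return ipaddress.IPv6Network((base | shifted, self.delegated_len))

    def embedded_v4(self, v6):
        """IPv4 endpoint embedded in an in-domain IPv6 address, else None."""
        addr = ipaddress.IPv6Address(v6)
        if addr not in self.prefix:
            return None
        mask = (1 << self.v4_bits) - 1
        suffix = (int(addr) >> (128 - self.delegated_len)) & mask
        return ipaddress.IPv4Address(self.common | suffix)

    def tunnel_destination(self, dst_v6):
        """Outer IPv4 destination the RG uses when encapsulating."""
        inside = self.embedded_v4(dst_v6)
        return self.br if inside is None else inside

    def accept(self, outer_src_v4, inner_src_v6, at_br=False):
        """Receive-side anti-spoofing check on a decapsulated packet."""
        outer = ipaddress.IPv4Address(outer_src_v4)
        inside = self.embedded_v4(inner_src_v6)
        if inside is not None:      # in-domain source: both addresses must agree
            return outer == inside
        # Out-of-domain IPv6 source: an RG takes it only from the BR, and a
        # BR never takes it from the access side.
        return (not at_br) and outer == self.br


if __name__ == "__main__":
    d1 = SixRdDomain("2011:1001::/32", 0, "64.98.1.1")
    print(d1.delegated_prefix("129.10.11.12"))
    d2 = SixRdDomain("2011:1001:200::/40", 16, "64.98.1.1")
    print(d2.delegated_prefix("64.98.32.48"))
    d3 = SixRdDomain("2001:1001:100::/40", 8, "10.1.1.1")
    print(d3.delegated_prefix("10.10.11.12"))
    print(d3.tunnel_destination("2404:6800:8005::68"))    # out of domain: BR
    # In domain: the bits after the /40 are 0x80 0x0E 0x0F, and 0x80 is 128.
    print(d3.tunnel_destination("2001:1001:180:e0f::1"))
    # Spoofed inner source: outer IPv4 source does not match the embedded one.
    print(d3.accept("10.99.99.99", "2001:1001:10a:b0c::10"))
```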
Combining NAT44 and 6rd
[Figure: home network behind an IPv4 NAT with 6rd Home Gateway, a private IPv4 access network, and NAT44 with 6rd Border Relay towards the IPv4 Internet and the IPv6 Internet; IPv6 packets travel in 6rd]
•  Addresses IPv4 run-out and enables incremental IPv6 subscriber connectivity over existing IPv4 infrastructure
•  6rd connectivity becomes a NAT44 offload
   – as more and more IPv4 content becomes IPv6-accessible
•  Carrier, Content Provider, and User benefit when traffic runs over IPv6
6rd Summary
Pros
•  It enables a v6 service to a routed CPE user
•  IPv6 can traverse existing IPv4 infrastructure. No new access CAPEX to enable v6.
•  Derives IPv6 from IPv4 addresses, eliminating need for much of IPv6 OSS
•  Efficient local routing of user-user traffic
•  Stateless = easier to scale & operate
•  Easily combined with NAT44 to solve IPv4x. In this mode dual stack
•  Makes operational models of v4 and v6 similar
Cons
•  Continuing to use public IPv4 doesn’t solve IPv4 exhaustion. Solution may need to be combined with NAT44.
•  Doesn’t currently support IPv6 multicast
•  Extra encapsulation overhead
Native IPv6 and IPv4 dual stack
[Figure labels: Home Gateway (IPv4-Private, IPv6-Public); Access Node; BRAS; IPv4 & IPv6; LSN (NAT44); IPv4 Internet; IPv6 Internet]
•  Classic RFC 4213 solution
   – Logical deployment choice when one has little control over end-point
•  In the short term deploying IPv6 in dual stack does not solve IPv4 exhaust; IPv4 shortage is expected before full deployment
   – Can be easily combined with NAT44 solution, while allowing IPv6 deployment ramp-up.
Tunneling
Dual Stack PPP
•  SPs would love to have their embedded access infrastructure support IPv6
•  However legacy DSLAMs often cannot pass IPv6
•  These DSLAMs can pass PPP or IPv4, so it is possible to tunnel IPv6. This means massive investment reused
•  Tunnels can originate from RG or CPE. When on CPE, no coordination with RG or Access Provider required!
Native IPv6 and IPv4 dual stack
•  Broadband PPP Access
   – Dual-stack IPv6 and IPv4 supported over a shared PPP session with v4 and v6 NCPs running as ships in the night.
   – Should not consume extra BRAS session state nor require Access-Node upgrades
[Figure: one PPP Session carrying IPv4 and IPv6]
•  Broadband IPoE Access
   – Form of supporting in “session” form remains to be determined. Possibilities include:
      - Two IP session model, IPv4 and IPv6 independent sessions.
      - An L2 session model, IPv4 and IPv6 running on common L2/MAC session
[Figure: a VLAN carrying either an IPv4 Session and an IPv6 Session, or one L2 Session with IPv4 and IPv6]
Deploying IPv6 Access
•  Production-level IPv6 service to a subscriber, using IPv4 SP infrastructure
   – Prepare IPv6 Internet Peering and IPv6 core network.
   – Prepare IPv6 addressing plan
   – Deploy/Upgrade essential infrastructure (AAA, DHCPv6)
   – Deploy IPv6 enabled BNG.
   – Deploy dual-stack CEs. Keep IPv4 “as is”
[Figure labels: Access Accounting; Access Authentication; User Profile DB; Policy Server; NMS/OSS; IPv4 and IPv6 Policy, Control and Configuration Interfaces; RG (NAT44 + IPv6); Native Dual Stack to Customer (IPv4-Private + IPv6); L2 Access Node; BNG (IPv4 and IPv6); NAT; IPv6 + IPv4 Public]
Deploying IPv6 with PPPoE Access
•  Broadband PPP Access
   – Dual-stack IPv6 and IPv4 supported over a shared PPP session with v4 and v6 NCPs running as ships in the night.
   – Should not consume extra BRAS session state nor require Access-Node upgrades
   – Note: Not all PC PPPoE clients support IPv6 (e.g. WinXP)
   – PPP Session remains the point of enforcement for subscriber policies
[Figure: one PPP Session carrying IPv4 and IPv6]
High Speed Internet Service – PPPoE
BRAS IPv6 ready
[Figure: Residential, Access, Aggregation, Edge and Core (IP/MPLS) segments; IPv4oPPPoE and IPv6oPPPoE terminate on a Dual Stack BRAS (PTA)]
•  Service Provider side
   – Dual stack BRAS – may have scalability & performance issue
•  Subscriber Side
   – V6 PPPoE client for PC or Mac
   – V6 PPPoE capable CPE
High Speed Internet Service – PPPoE
BRAS not IPv6 ready
[Figure: Residential, Access, Aggregation, Edge and Core (IP/MPLS) segments; IPv4 BRAS (PTA/LAC) and BRAS (v6 LNS); IPv4oPPPoE, IPv6oPPPoE, IPv6oPPPoL2TP]
•  L2TP LAC + IPv6 LNS, similar to wholesale service model
Deploying IPv6 with Ethernet Access
1:1 VLANs
•  IPv6(oE) with 1:1 VLANs vs PPPoE - What’s different?
[Figure: a 1:1 VLAN carrying an IPv4 Session and an IPv6 Session]
•  At L2 IPv6(oE) with 1:1 VLANs does resemble PPP(oE)
   – Effectively Point-point broadcast domain requiring no special L2 forwarding constraints
   – Line-identifier = 1:1 VLAN
   – SLAAC and Router Discovery work the same
•  However 1:1 VLANs and IPoE do require some extra BNG functionality
   – PPP layer is gone -> For performing AAA, DHCP Auth may be used. http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-06
   – Neighbour Discovery Needs to be run (along with some security limits)
Deploying IPv6 with Ethernet Access
N:1 VLAN - Unique subnet per subscriber with routed CPE
[Figure: Customer 1 (Subnet X/56) and Customer 2 (Subnet Y/56) behind an Ethernet or DSL Access Node, sharing an N:1 VLAN (802.1Q; link-locals or NMS subnet only) to the BNG / Internet Service Router]
•  From an IP routing perspective, each customer CPE is assigned a delegated prefix (DHCP PD). BNG acts as the default gateway/router for all CPEs.
•  Routes to X and Y need to be installed at the BNG
•  Shared NBMA subnet can remain un-addressed (LL only) or use DHCPv6 assigned addresses
•  Use the Lightweight DHCP Relay Agent on the Access-Node to convey line-id as the interface-id: http://tools.ietf.org/html/draft-miles-dhc-dhcpv6-ldra-02
Native Dual Stack Summary
Pros
•  Classic standard solution model
•  Supports legacy (IPv4) applications
•  Flexible: can be combined with NAT44 deployment for addressing IPv4 exhaustion
•  Once services are on IPv6, IPv4 can simply be discontinued
Cons
•  Continuing to use public IPv4 doesn’t solve IPv4 exhaustion
•  IPv6 alongside existing IPv4 infrastructure might cost extra in terms of opex and hardware changes
•  Some forms of dual-stack deployments or implementations can lead to double user sessions and decreased network scalability
Dual Stack Lite – IPv4 in IPv6
•  Tunneling IPv4 using IPv6 transport.
•  Two common options allowed by: http://tools.ietf.org/html/draft-ietf-softwire-dual-stack-lite-02
•  Dual-stack Lite with NAT44
   – Tunnel from CPE is to a LSN NAT44 device.
   – LSN NAT44 is stateful. No CPE NAT44
•  Dual-stack Lite Address+Port (A+P)
   – Tunnel is between CPE and A+P Router
   – CPE is doing port restricted NAT44
[Figure labels: CPE; CMTS; NAT44 or A+P Routing]
DS-lite with LSN44
[Figure labels: Dual Stack Customer (IPv4-Private + IPv6); CPE (Route); IPv6-only AAA and/or DHCP; CMTS/BNG (IPv6); ds-lite tunnel over IPv6; DS-Lite LSN44 (NAT); IPv6 + IPv4; IPv4-Public]
•  CPE configuration.
   1.  ISP IPv6 Prefix (DHCPv6 or SLAAC assigned)
   2.  DS-Lite Tunnel Gateway address (IPv6)
   3.  CPE has a dummy IPv4 address (e.g. 0.0.0.1). NAT44 is disabled
•  All user sourced IPv4 traffic is routed by the CPE onto point-point ds-lite IPv6 tunnel towards LSN
•  LSN44 performs NAT44 function on each subscriber's IPv6 tunnel.
DS-lite with A+P
[Figure labels: two Dual Stack Customers (IPv4-Private + IPv6), each behind a CPE (NAT, ds-lite + PNAT44) with the same IPv4 address but different port range; DHCPv6 and DHCPv4; CMTS/BNG (IPv6); DS-Lite A+P Router; IPv6 + IPv4; IPv4-Public]
•  CPE configuration.
   1.  ISP IPv6 Prefix (DHCPv6 or SLAAC assigned)
   2.  DS-Lite Tunnel Gateway address (IPv6)
   3.  CPE is dynamically assigned a public IPv4 address and a restricted range of IPv4 ports. Port restricted NAT44 is enabled.
•  All user sourced IPv4 traffic is NAT'ed by the CPE into the restricted IPv4 port space and passed onto IPv6 tunnel
•  A+P Router performs per user IPv4 port range routing.
DS-Lite Summary
Pros
•  In theory: Single IPv6 stack network operation streamlined by limited exposure to IPv4
•  Consumers can transition from IPv4 to IPv6 without being aware of any differences in the protocols
•  “A+P” model retains user control of NAT44
Cons
•  In practice: Operation of IPv4 stack in the network will still continue…
•  …And it will need to change due to IPv6.
•  Requires full IPv6 production grade network. Works well for those already there
•  “LSN44” Model has remaining drawbacks of NAT44 model
•  “A+P” model likely to have lower address saving characteristics
Large Scale AFT64 (NAT64)
•  AFT64 technology is only applicable in case where there are IPv6 only end-points that need to talk to IPv4 only end-points.
•  AFT64 for going from IPv6 to IPv4.
[Figure: IPv6-only hosts on an IPv6 network and IPv4-only hosts on an IPv4 network]
•  AFT64:= stateful v6 to v4 translation or stateless translation
See also draft-baker-behave-v4v6-framework, draft-bagnulo-behave-nat64, draft-bagnulo-behave-dns64, and related
AFT64 Translation Framework Terminology
•  Stateful
   – Each flow creates state in the translator. Supports only IPv6 host initiated communication
   – Amount of state based on O(# of translations)
   – N:1 mappings (like NAPT with NAT44) (1:1 Mappings are also of course possible)
•  Stateless
   – Flow DOES NOT create any state in the translator
   – Algorithmic operation performed on packet headers
   – 1:1 mappings (one IPv4 address used for each translation to an IPv6 host).
   – For internet access public IPv4 address pool is required for each IPv6 host.
   – Supports both IPv6 and IPv4 host initiated communication
AFT64 Stateful Translators
[Figure: IPv6 UE, NAT64 (AFT64 / LSN64) between IPv6 and IPv4 Public, and DNS64, with these callouts]
•  Any IPv6 address
•  IPv6 addresses representing IPv4 hosts
   – IPv4 Mapped IPv6 Addresses
   – Format is: PREFIX (/96):IPv4 Portion:(optional Suffix)
•  PREFIX:: announced in IPv6 IGP
•  LSN IPv4 address announced
Stateful AFT64
•  AFT keeps binding state between inner IPv6 address and outer IPv4+port (full cone)
•  NAT64 ALGs are still required
•  N:1 Multiple IPv6 addresses map to single IPv4
DNS64
•  Responsible for Synthesizing IPv4-Mapped IPv6 addresses
•  A Records with IPv4 address
•  AAAA Records with synthesized Address: PREFIX:IPv4 Portion
AFT64 Stateless Translators
[Figure: IPv6 UE, NAT64 (Stateless AFT64 / Stateless LSN64) between IPv6 and IPv4 Public, and DNS64, with these callouts]
•  IPv6 addresses assigned to IPv6 hosts
   – IPv4 Translatable IPv6 addresses
   – Format is: PREFIX:IPv4 Portion:(SUFFIX)
•  IPv6 addresses representing IPv4 hosts
   – IPv4 Mapped IPv6 Addresses
   – Format is: PREFIX:IPv4 Portion:(SUFFIX)
•  0::0 announced in IPv6 IGP
•  ISP's IPv4 LIR address announced
Stateful AFT64
•  AFT keeps no binding state
•  IPv6 <-> IPv4 mapping computed Algorithmically
•  NAT64 ALGs are still required
•  1:1 Single IPv6 addresses map to single IPv4
DNS64
•  Responsible for Synthesizing IPv4-Mapped IPv6 addresses
•  Incoming Responses: A Records with IPv4 address
•  AAAA Records with synthesized Address: PREFIX:IPv4 Portion:(SUFFIX)
•  Outgoing Responses: A Records with IPv4 Portion
AFT64: Two Scenarios
•  Connecting an IPv6 network to the IPv4 Internet
   – You built an IPv6-only network, and want to access servers on the IPv4 Internet
   – Example: IPv6-only 3G handsets
•  Connecting the IPv6 Internet to an IPv4 network
   – You have IPv4 servers, and want them available to the IPv6 Internet
   – Example: IPv4-only datacenter (HTTP servers)
Connecting an IPv6 Network to the IPv4 Internet
[Figure: IPv6-only clients in an IPv6 network, with DNS64 and an IPv6/IPv4 Translator ("NAT64") between them and the IPv4 Internet; the IPv6 Internet is also shown]
DNS64
•  Synthesizes AAAA records when not present
   – With IPv6 prefix of NAT64 translator
[Figure: the IPv6-only host sends an AAAA? query to the DNS64; the DNS64 sends AAAA? and A? queries to the Internet (sent simultaneously) and receives an empty answer for AAAA and 192.0.2.1 for A; the host receives 2001:DB8:ABCD::192.0.2.1]
DNS64
•  Works for applications that do DNS queries
   – http://www.example.com
•  Well over 80%!
•  Breaks for applications that don't do DNS queries
   – http://1.2.3.4
   – SIP, RTSP, H.323, etc. – IP address literals
•  Solutions:
   – Application-level proxy for IP address literals (HTTP proxy)
   – IPv6 application learns NAT64's prefix
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
60
IPv6/IPv4 Translation Issues
•  IPv4 address literals
   – http://1.2.3.4, SIP, RTSP, etc.
•  Application Layer Gateway, or application proxy
   – FTP (EPSV, PASV)
   – RTSP in mobile environments (3G)
   – Other applications?
draft-ietf-behave-ftp64
AFT64 Summary
Pros
•  Allows IPv6 only clients access to IPv4 content
•  IPv6 services and applications offered natively to consumers
•  SP network runs IPv6 only, avoiding IPv4 support costs
•  Stateless technique can be used for IPv4 to IPv6 access
Cons
•  Technical viability of IPv6 only service (IPv6 stack not enabled on all hosts)
•  Does not address IPv4 customer base
•  ALGs required
•  DNS infrastructure must be modified to support NAT64
•  Operations & troubleshooting of transient issues
•  Stateful NAT has many of the same implications as NAT44
Summary: Selecting Techniques based on Core and Application Scenarios
Scenario | Potential Techniques
Content and Applications move to IPv6 | IPv6 only network; Dual-Stack and DS-lite as migration techniques
Content and Applications on IPv4 and IPv6 | Dual-Stack (if enough IPv4); SP IPv4-NAT; DS-lite (for greenfield)
Users are IPv6 only | Stateful/Stateless AFT to get to IPv4 content
No change (double NAT) | SP IPv4-NAT
No change (no double NAT) | Do nothing
Thank you.