Migrating from IPv4 to IPv6: Translation Methods
Ahmad Hijazi, Lebanese University, Université Toulouse III - Paul Sabatier
M2 - Systèmes de Télécommunications & Réseaux Informatiques
18 October 2016
Directed by Dr. Khaled Dasouki

What will be discussed?
• Native Dual Stack
• Dual-Stack Lite (DS-Lite)
• NAT64
• 6RD

Native Dual Stack - Introduction
Dual stack means that devices are able to run IPv4 and IPv6 in parallel. It allows hosts to simultaneously reach IPv4 and IPv6 content, so it offers a very flexible coexistence strategy.

Native Dual Stack - Introduction
• Deploying IPv6 services as native dual stack is the best-case approach for most operators and subscribers. However, it is the most difficult.
• No special encapsulation or tunneling is required.
• Native IPv4 and IPv6 services are offered in parallel in the same subscriber session.

Native Dual Stack - Problems
• Deployment complexity levels vary in different environments.
  - Some networks with minimal or no legacy equipment may find deploying native dual stack services very easy.
  - Other networks with older or legacy equipment may find dual stack is not possible due to equipment constraints.
  - Transition is made from the core to the edge.
• What’s the impact of running two parallel stacks on the network? Twice the monitoring, reporting, etc.

Native Dual Stack – Domain Impact
DOMAIN / IMPACT
ACCESS
• Zero impact in PPPoE environments.
SUBSCRIBER EDGE
• High impact – need to support IPv6 services.
• Scaling may be impacted when enabling IPv6 in BNG.
• Equivalency of features in the subscriber edge node is required – IPv4 & IPv6 should feel the same.
HOME NETWORK
• Still the most complex domain to manage.
• Customer Gateway most likely needs to be replaced.
• Home network components need to support IPv6.
• Internal addressing structure for the home network needs to be considered too.

Dual Stack Lite (DS-Lite) - Introduction
• IPv6 dual-stack lite (DS-Lite) is a technology that enables Internet service providers to move to an IPv6 network while simultaneously handling IPv4 address depletion.
• DS-Lite allows service providers to migrate to an IPv6 access network without changing end-user software. The device that accesses the Internet remains the same, thus allowing IPv4 users to continue accessing IPv4 Internet content with minimum disruption to their home networks, while enabling IPv6 users to access IPv6 content.

DS-Lite - Components
The DS-Lite deployment model consists of the following components:
• Softwire initiator for the DS-Lite home router: encapsulates the IPv4 packet and transmits it across an IPv6 tunnel.
• Softwire concentrator for DS-Lite carrier-grade Network Address Translation (NAT): decapsulates the IPv4-in-IPv6 packet and also performs IPv4-IPv4 NAT translations using a unique IPv6 transport address for NAT mapping (LSNAT).

DS-Lite - Topology
• B4 = Basic Bridging Broadband element (“Before”) - Home Router
• CPE = Customer Premise Equipment
• AFTR = Address Family Transition Router Element (“After”) - ISP to Internet router
• LSN = Large Scale NAT
[Figure: DS-Lite topology, labelled Softwire Initiator and Softwire Concentrator]

DS-Lite Scenario 1: Existing IPv4 Customer
• DS-Lite tunnels IPv4 packets over IPv6 from the CPE to the LSN.
[Figure labels: IPv4 Internet, LSN, CPE, Service Provider, 10.1.1.1, IPv6 Tunnel Endpoint, IPv6 Link, Outside Address 201.15.12.1]
Address Mapping
• Inside: IPv4 SA + IPv6 SA + Port
• Outside: IPv4 Outside Address + Port

DS-Lite Scenario 2: Dual IP Customer
• IPv6 packets are routed normally while IPv4 packets are routed to the LSN.
[Figure labels: IPv4 Internet, IPv6 Internet, LSN, Service Provider, Home Gateway, IPv6 Link, 10.1.1.1, 2001:db8:1:2::abcd:1234]

DS-Lite – Domain Impact
DOMAIN / IMPACT
ACCESS
• Access network becomes single stack IPv6 only.
• All upgrades that a native dual-stack scenario requires are also required for DS-Lite.
• All CPE attaching to the network must support DS-Lite and IPv6 attachment.
SUBSCRIBER EDGE
• AFTR node(s) are needed in the network.
• May be collocated in the BNG or a dedicated element.
• LSNAT and support infrastructure is required.
• BNG must support all requisites for implementing IPv6 subscriber management.
• Older equipment that does not support IPv6 will need to be replaced.
HOME NETWORK
• Still the most complex domain to manage.
• Customer Gateway (DSL modem/router, cable modem, etc.) most likely needs to be replaced, must support IPv6-only WAN, IPv4 NAT at the customer gateway is removed.
• Internal addressing structure for the home network needs to be considered too.

NAT64 - Introduction
• Addresses operators who want IPv6-only access networks while still providing support for IPv4-only servers or content.
  - Minimal set of applications.
  - Does not support IPv4-only hosts attaching to the network.
• CPE/UE connects to hosts through a synthesized IPv6 address, provided by a DNS64 engine.
• Well-known prefix 64:ff9b::/96 is used to map IPv4 server addresses.
• Any client that cannot use a DNS64 server or provide local DNS64 resolution will not be able to connect to the IPv4 server, e.g. no more connecting by IP address.

NAT64 - Introduction
• Significant impact in the CPE domain as the CPE must be upgraded to support IPv6 WAN and all associated connectivity (management, VoIP, IPTV, etc.); however, the NAT function is removed from the CPE, which potentially reduces the cost (CPU/memory) of maintaining NAT state in the CPE.
• NAT64 provides an interesting and easy approach to an IPv6-only network by simply turning IPv4 off in the future when it is no longer required.
• NAT64 typically assumes an IPoE deployment but could be used in the PPP case as well.
• Debate over SLAAC vs. DHCPv6 in the access attachment continues; however, the general recommendation and approach is DHCPv6-based, to align with the DHCPv4 model in existing networks.

DNS64 In Action
[Figure: DNS64 message sequence, in order]
• Q: AAAA for example.com
• Q: AAAA for example.com
• R: Name Error
• Q: A for example.com
• R: example.com (A) = 192.0.2.23
• DNS translation for WKP (Well-Known Prefix)
• R: example.com (AAAA) = 64:FF9B::192.0.2.23
DNS64/NAT64 prefix: 64:FF9B::

NAT64 In Action
[Figure: NAT64 packet sequence, in order]
• TCP SYN S=C-v6 D=64:FF9B::192.0.2.23
• Translation WKP-v6 into IPv4, pick free IPv4 addr/port from pool, build NAT session entry
• TCP SYN S=NP-v4 D=S-v4
• TCP ACK S=S-v4 D=NP-v4
• Translation NP-v4 + port into C-v6
• TCP ACK S=WKP-v6 D=C-v6
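
The DNS64 synthesis and the NAT64 session handling from the two slides above, as an added example that is not part of the original presentation. The class name Nat64, the pool address 203.0.113.1 and the port numbers are assumptions; the mapping is keyed per client address and port only, to keep the example short.

```python
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")  # well-known prefix from the slides

def synthesize_aaaa(a_record):
    """DNS64: place the IPv4 address in the low 32 bits of the /96 prefix."""
    v4 = ipaddress.IPv4Address(a_record)
    return ipaddress.IPv6Address(int(WKP.network_address) | int(v4))

def extract_ipv4(dst6):
    """NAT64: recover S-v4 from a WKP-v6 destination; reject other prefixes."""
    addr = ipaddress.IPv6Address(dst6)
    if addr not in WKP:
        raise ValueError(f"{addr} is outside {WKP}; not translated")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

class Nat64:
    """Stateful session table: (C-v6, port) <-> (NP-v4, port). Hypothetical class."""

    def __init__(self, pool_addr, ports):
        self.np_v4 = ipaddress.IPv4Address(pool_addr)  # assumed pool address
        self.free_ports = list(ports)
        self.by_client = {}   # (C-v6, client port) -> NP-v4 port
        self.by_port = {}     # NP-v4 port -> (C-v6, client port)
        self.log = []         # one record per new mapping ("NAT logging required")

    def outbound(self, src6, sport, dst6, dport):
        """v6 -> v4: translate WKP-v6, pick a free port, build the session entry."""
        dst4 = extract_ipv4(dst6)
        key = (ipaddress.IPv6Address(src6), sport)
        if key not in self.by_client:
            if not self.free_ports:
                raise RuntimeError("NAT64 pool exhausted")
            port = self.free_ports.pop(0)
            self.by_client[key] = port
            self.by_port[port] = key
            self.log.append((str(key[0]), sport, str(self.np_v4), port))
        return (self.np_v4, self.by_client[key], dst4, dport)

    def inbound(self, src4, sport, np_port):
        """v4 -> v6: map NP-v4 + port back to C-v6; no session means drop."""
        client = self.by_port.get(np_port)
        if client is None:
            return None
        return (synthesize_aaaa(src4), sport, client[0], client[1])
```

The log list holds the per-mapping record an operator needs to attribute traffic seen from the shared NP-v4 address back to a subscriber's IPv6 address.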

NAT64 – Domain Impact
DOMAIN / IMPACT
ACCESS
• Access network becomes single stack IPv6 only.
• All upgrades that a native dual-stack scenario requires are also required for NAT64.
• All devices attaching to the network must support IPv6, including in-home.
SUBSCRIBER EDGE
• NAT64 is needed in the network.
• May be collocated in the BNG or a dedicated element.
• DNS64 node must also be deployed.
• BNG must support all requisites for implementing IPv6 subscriber management.
HOME NETWORK
• Customer Gateway (DSL modem/router, cable modem, etc.) most likely needs to be replaced, must support IPv6-only WAN.
• IPv4 NAT at the customer gateway is removed, and direct IPv4 support may be removed.
• Home network components must support IPv6.
• Internal addressing structure for the home network needs to be considered too.

6 Rapid Deployment (6RD) - Intro
• 6rd is a stateless tunneling mechanism which allows a Service Provider to rapidly deploy IPv6 in a lightweight and secure manner without requiring upgrades to existing IPv4 access network infrastructure.
• 6rd specifically targets the case where operators wish to immediately deploy IPv6 to their subscriber base, but cannot enable it in the native access. As 6rd encapsulates IPv6 in IPv4, it can be deployed across any existing IPv4 network.
• Access network and subscriber management edge face no changes.

6RD - Components
6rd consists of two main hardware components, the CE (Customer Equipment) router and the BR (Border Relay) router:
• Customer Edge Router
  The CE router sits at the edge of the service provider IPv4 access infrastructure and provides IPv6 connectivity to this end user's network. The native IPv6 traffic coming from the end user hosts is encapsulated in IPv4 by the CE router and tunneled to the BR router or directly to other CE routers in the same 6rd domain. Conversely, encapsulated 6rd traffic received from the Internet through the BR router and 6rd traffic from other CE routers will be decapsulated and forwarded to the end-user nodes.
• Border Relay Router
  The BR router provides connectivity between the CE routers and the IPv6 network (public or private Internet). Both the CE and BR routers are dual-stack devices, and the devices between the BR and CE routers can be IPv4 only.

6RD - Topology
• The 6rd CE LAN-side interface carries traffic to and from IPv6 hosts.
• The multipoint tunnel interface carries tunnel encapsulated traffic to and from IPv6 hosts.
• The encapsulation used for the 6rd tunnel is a direct IPv6-in-IPv4 encapsulation.
• Device-to-device traffic may be routed directly, and not through the BR when staying within a 6rd domain.

6RD – Domain Impact
DOMAIN / IMPACT
ACCESS
• No impact for 6rd – access network remains exactly the same.
SUBSCRIBER EDGE
• Border relay (BR) is needed in the network.
• May be collocated in the BNG or a dedicated element.
• No change to the subscriber management at the BNG.
HOME NETWORK
• Customer Gateway (DSL modem/router, cable modem, etc.) most likely needs to be replaced, or upgraded – must support 6RD.
• IPv4 NAT at the customer gateway is still present.
• Home network components need to support IPv6 for native services.

Methods of Transition
| Home Device | Access Network | Destination | Solutions |
|---|---|---|---|
| IPv4 | IPv4 | IPv4 Internet | Dual Stack |
| IPv6 | IPv6 | IPv6 Internet | Dual Stack |
| IPv4/6 | IPv6 | IPv4 Internet | DS-Lite |
| IPv6 | IPv6 | IPv4 Internet | NAT64 Stateful |
| IPv4/6 | IPv4 | IPv4/6 Internet | 6RD |

Summaries and Comparison

Native Dual Stack
• CPE: Almost always CPE change
• End-user impact: OK – not much changes
• Pros: ‘Simple’ technology with no transition or tunneling involved.
• Cons: Cost of supporting dual-stack networks; device support; deployment time
• Most suitable for: Deployment everywhere! Best long term option that gives the widest support for both address families. Wireline, Wireless

DS-Lite
• CPE: CPE change and support for DS-Lite
• End-user impact: OK – not much changes
• Pros: Single address family in the access network
• Cons: All the effort of deploying dual-stack; extra DS-Lite AFTR needed; device support
• Most suitable for: New build environments where both removing IPv4 from and deploying IPv6-only access is feasible. Wireline

NAT64
• CPE: CPE change (IPv6 only)
• End-user impact: NOK – any IPv4-only devices are impacted. No non-DNS64 support.
• Pros: Single address family in the access network
• Cons: Application brokenness with IPv4-literals; NAT logging required; will only work for IPv6-supporting hosts.
• Most suitable for: New build environments where IPv6-only access is acceptable and the majority of content will work through NAT64/DNS64. Wireless environments

6RD
• CPE: CPE change
• End-user impact: OK – not much changes
• Pros: Single address family in the access network; quick to deploy
• Cons: Device support; not necessarily a ‘long term’ solution
• Most suitable for: Legacy environments that cannot support native IPv6 access, and are willing to trade off multi-stage migrations over the long term. Wireline environments

Thank You!