Posted Apr 19, 2018 (uploader: duongkhanh)

Technical Whitepaper on Carrier Grade NAT (CGN)

ZTE Confidential & Proprietary

1 Basic Principle and Product Form of CGN

1.1 Overview

On February 3rd, 2011, ICANN announced that the last five blocks of IPv4 address space had been allocated and that no IPv4 addresses remained in the central pool. June 8, 2011 was World IPv6 Day. IPv4 addresses are exhausted, but IPv6 network construction is not complete. To protect their investment and save cost, carriers will not replace a tremendous number of IPv4 devices with IPv6 or IPv4/IPv6 devices in the short term. Migrating the mass of IPv4 applications and services to IPv6 is also a large and complicated project, involving not only carriers but also numerous software, content and service providers. IPv4 and IPv6 will coexist for a very long time. Carriers must solve the problems of IPv4/IPv6 interworking and IPv4 address shortage so as to limit the effect on customers and on business development. This provides a very broad stage for a variety of NAT technologies, and CGN (Carrier Grade NAT) comes into being accordingly.

CGN is NAT in nature: it translates and maps addresses like ordinary NAT. By address family it is divided into three types: NAT44, NAT64 and NAT46. NAT44 translates and maps IPv4 addresses to IPv4 addresses, NAT64 IPv6 to IPv4, and NAT46 IPv4 to IPv6. By mapping it is divided into three types: static NAT, dynamic NAT and PAT (dynamic address and port mapping). Static NAT creates a fixed one-to-one mapping between an internal private address and an external public address. Dynamic NAT also creates a one-to-one mapping between an internal private address and an external public address, but the mapping is created on demand and there is no fixed correspondence between a private address and a public address. The difference between PAT and dynamic NAT is that PAT uses the combination of a public IP address and a port number to map the addresses of different hosts, so that many private hosts share one public address.

CGN products from different vendors are not identical in dynamic mapping policy and filtering policy. Using the terminology of RFC 4787, there are three mapping policies and three filtering policies. The three dynamic mapping policies are:

- Endpoint-independent mapping (EIM): the mapping depends only on the private source IP and source port. Regardless of destination address and destination port, the same private source IP and source port are always mapped to the same public source IP and source port.
- Address-dependent mapping (ADM): the mapping depends on the private source IP, source port and destination address; that is, a given private source IP, source port and destination address are mapped to one public source IP and source port. If the private source IP and source port are the same but the destination address is different, a different public address and port are used.
- Address and port-dependent mapping (APDM): the mapping depends on the private source IP, source port, destination address and destination port; that is, packets from a private source IP and source port to the same destination address and port are mapped to one public source IP and source port. If the private source IP, source port and destination IP are the same but the destination port is different, a separate mapping entry is created.

There are also three filtering policies, corresponding to the mapping policies above. In the descriptions, X:x denotes the internal address and port and Y:y the external address and port.

- Endpoint-independent filtering (EIF): the CGN only drops traffic that is not addressed to the mapped internal endpoint X:x, and does not check the source address or source port of the traffic. Any external host that learns the public address and port can therefore reach X:x.
- Address-dependent filtering (ADF): if the internal endpoint X:x has not sent traffic to the external address Y, the CGN drops traffic from Y to X:x. In other words, Y can send traffic to X:x only after X:x has sent traffic to Y (from any port of Y).
- Address and port-dependent filtering (APDF): if the internal endpoint X:x has not sent traffic to the external endpoint Y:y, the CGN drops traffic from Y:y to X:x. In other words, Y:y can send traffic to X:x only after X:x has sent traffic to Y:y.
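The practical difference between these policies is how much unsolicited inbound traffic a subscriber is exposed to once it has opened a single outbound session. The following simulation is an added example written for this page (not ZTE code): it implements the three mapping and three filtering behaviours as a small translation table, has an internal endpoint X:x talk to one peer Y:y, and then probes the allocated public port from the peer, from another port on the same peer host, and from an unrelated third party. All addresses and ports are constructed.

```python
"""Simulate the three mapping behaviours (EIM, ADM, APDM) and three
filtering behaviours (EIF, ADF, APDF) of RFC 4787 as a CGN translation
table, and measure what each combination lets in from outside.
Added example for this page, not ZTE code; addresses are constructed."""
from itertools import count

EIM, ADM, APDM = "EIM", "ADM", "APDM"     # mapping behaviours
EIF, ADF, APDF = "EIF", "ADF", "APDF"     # filtering behaviours


class CGN:
    def __init__(self, mapping, filtering, outside_ip="203.0.113.10"):
        self.mapping, self.filtering = mapping, filtering
        self.outside_ip = outside_ip
        self._ports = count(1024)
        self.bindings = {}   # key -> (outside_ip, outside_port)
        self.sessions = {}   # key -> set of external (ip, port) contacted

    def _key(self, src, dst):
        """How much of the destination takes part in the mapping key."""
        if self.mapping == EIM:
            return (src, None, None)
        if self.mapping == ADM:
            return (src, dst[0], None)
        return (src, dst[0], dst[1])

    def outbound(self, src, dst):
        """Internal src=(ip, port) sends to external dst=(ip, port);
        returns the public (ip, port) the packet leaves with."""
        key = self._key(src, dst)
        if key not in self.bindings:
            self.bindings[key] = (self.outside_ip, next(self._ports))
            self.sessions[key] = set()
        self.sessions[key].add(dst)
        return self.bindings[key]

    def inbound(self, ext_src, public):
        """External ext_src=(ip, port) sends to the CGN's public (ip, port);
        returns the internal endpoint it is delivered to, or None if dropped."""
        owners = [k for k, v in self.bindings.items() if v == public]
        if not owners:
            return None            # no binding at all: always dropped
        key = owners[0]
        internal = key[0]          # the X:x that owns this public port
        if self.filtering == EIF:
            return internal        # source is not checked at all
        contacted = self.sessions[key]
        if self.filtering == ADF:
            return internal if any(ip == ext_src[0] for ip, _ in contacted) else None
        return internal if ext_src in contacted else None


def exposure(mapping, filtering):
    """Internal X:x opens one session to Y:y, then three senders try the
    public port: Y:y itself, another port on Y, and a third party Z that
    learned the port (for example by scanning the public pool)."""
    cgn = CGN(mapping, filtering)
    X, Y, Z = ("10.0.0.5", 40000), ("198.51.100.7", 443), ("192.0.2.99", 53)
    public = cgn.outbound(X, Y)
    probes = {"peer": Y, "peer_other_port": (Y[0], 8080), "third_party": Z}
    return {name: cgn.inbound(src, public) is not None
            for name, src in probes.items()}


if __name__ == "__main__":
    for m in (EIM, ADM, APDM):
        for f in (EIF, ADF, APDF):
            print(f"{m}+{f}: {exposure(m, f)}")
```

Under EIM+EIF, the combination that keeps peer-to-peer and hole-punching applications working, all three probes reach X:x, so anyone who learns the public address and port can send traffic straight to the subscriber; APDM+APDF admits only the peer the subscriber actually contacted. The CGN policy choice is therefore also an exposure decision for every subscriber behind it.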

1.2 NAT444 CGN

NAT444 means two levels of IPv4 NAT, namely IPv4 - NAT1 - IPv4 - NAT2 - IPv4. The first-level NAT translates between two private IPv4 address spaces, and the second-level NAT translates between private IPv4 and public IPv4. With NAT444, carriers reduce their demand for public IPv4 addresses: if private addresses are deployed in the customer and access networks, a large number of public IPv4 addresses are saved. NAT444 is very important to a carrier with limited IPv4 addresses because it greatly slows down the depletion of its IPv4 addresses. NAT444 makes only a small change to the existing network and does not require large-scale network reconstruction. New users and access networks can employ NAT444 CGN, which is purely an IPv4 mapping and translation technology and does not involve IPv6/IPv4 interworking. The first-level NAT is done by the CPE device of the user or the carrier, and the second-level NAT by the carrier's CGN.

Figure 1-1 NAT444 (diagram: CPE NAT devices on the subscriber side translate between two private IPv4 address spaces; the service provider's CGNs translate private IPv4 into public IPv4 towards the IPv4 network)

1.3 DS-Lite CGN

It is an irreversible trend for carriers to deploy IPv6 networks, and there will be ever more IPv6 access networks and backbone networks. DS-Lite CGN, the dual-stack lite CGN, allows an IPv4 end user to access the IPv4 network and services over an IPv6 access network. The DS-Lite CGN supports IPv4 and IPv6 at the same time.

A dual-stack CPE device forwards the user's IPv4 traffic to the DS-Lite CGN through a 4in6 tunnel (IPv4 encapsulated in IPv6); the DS-Lite CGN terminates the 4in6 tunnel and translates the private address into a public address. Where NAT444 CGN involves two NATs, DS-Lite CGN performs only one NAT. The DS-Lite CGN supports IPv6 or IPv4/IPv6 access networks, while NAT444 CGN supports IPv4 access networks.

Figure 1-2 DS-Lite CGN principle (diagram: the CPE, with private IPv4 source address 10.1.1.1, sends its IPv4 packets over an IPv6 link to the CGN, which is the IPv6 tunnel endpoint; Dual Stack Lite tunnels IPv4 packets over IPv6 between the user and the CGN; the address mapping entry holds inside: IPv6 SA + IPv4 SA + port, outside: IPv4 outside address 201.15.12.1 + port, and the packet leaves towards the IPv4 network with SA 201.15.12.1)

The user traffic is forwarded to the DS-Lite CGN through the 4in6 tunnel of the CPE device; the CGN translates the private address into a public address (IPv4 source address and source port into public IPv4 address and port), and the traffic finally reaches the public network. When return traffic from the public network passes the DS-Lite CGN, the CGN must select the proper CPE device to deliver the traffic to the customer. CPE devices cannot be distinguished by IPv4 source address, because the users behind different CPE devices may use the same private IPv4 addresses. The DS-Lite CGN therefore adds the IPv6 address of the CPE device, namely the source address with which the CPE originates the IPv6 tunnel, to the address translation entry. This unique IPv6 source address identifies the CPE device, and the DS-Lite CGN sends the return traffic to the proper CPE.
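To make the DS-Lite binding concrete, the following added example (written for this page, not ZTE's implementation) builds two minimal 4in6 packets, IPv4 inside IPv6 with next header 4, from two CPEs that both use 10.1.1.1:5000 internally, and runs them through a toy DS-Lite CGN whose table is keyed on (IPv6 tunnel source, inner IPv4 source, source port). The CPE and CGN IPv6 addresses, the destination server and the starting port are assumptions; the outside address 201.15.12.1 is the one shown in Figure 1-2.

```python
"""Toy DS-Lite CGN (AFTR): parse 4in6 packets (IPv4 carried in IPv6,
next header 4) and key the NAT binding on the CPE's IPv6 tunnel source,
so subscribers with identical private IPv4 addresses stay distinct.
Added example for this page, not ZTE code; addresses are constructed."""
import ipaddress
import struct
from itertools import count

IPPROTO_IPV4 = 4   # IPv6 next-header value for an encapsulated IPv4 packet


def build_4in6(cpe_v6, aftr_v6, v4_src, v4_dst, sport, dport):
    """Build IPv6 header + IPv4 header + TCP SYN (no options; checksums
    left zero because this model only reads addresses and ports)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(v4_src).packed,
                      ipaddress.IPv4Address(v4_dst).packed) + tcp
    ip6 = struct.pack("!IHBB16s16s", 6 << 28, len(ip4), IPPROTO_IPV4, 64,
                      ipaddress.IPv6Address(cpe_v6).packed,
                      ipaddress.IPv6Address(aftr_v6).packed)
    return ip6 + ip4


def decapsulate(pkt):
    """Return (cpe_v6, inner_v4_src, inner_v4_dst, sport, dport), or raise
    ValueError for anything that is not a well-formed 4in6 packet."""
    if len(pkt) < 64 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if pkt[6] != IPPROTO_IPV4:
        raise ValueError(f"next header {pkt[6]} is not IPv4-in-IPv6")
    cpe_v6 = ipaddress.IPv6Address(pkt[8:24])   # tunnel source = CPE
    inner = pkt[40:]
    if inner[0] >> 4 != 4:
        raise ValueError("encapsulated packet is not IPv4")
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 4:
        raise ValueError("truncated inner packet")
    v4_src = ipaddress.IPv4Address(inner[12:16])
    v4_dst = ipaddress.IPv4Address(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return str(cpe_v6), str(v4_src), str(v4_dst), sport, dport


class AFTR:
    def __init__(self, outside_ip="201.15.12.1", first_port=1024):
        self.outside_ip = outside_ip
        self._ports = count(first_port)
        # (cpe_v6, inner_v4_src, sport) -> (outside_ip, outside_port)
        self.table = {}

    def outbound(self, pkt):
        """Terminate the tunnel and translate; returns the public endpoint."""
        cpe_v6, v4_src, _v4_dst, sport, _dport = decapsulate(pkt)
        key = (cpe_v6, v4_src, sport)
        if key not in self.table:
            self.table[key] = (self.outside_ip, next(self._ports))
        return self.table[key]

    def inbound(self, outside_ip, outside_port):
        """Reverse path: which tunnel (CPE IPv6 address) and which inner
        endpoint a public-side packet belongs to, or None if no binding."""
        for key, public in self.table.items():
            if public == (outside_ip, outside_port):
                return key
        return None


def demo():
    """Two CPEs, same private address and port, distinct bindings."""
    aftr = AFTR()
    aftr_v6, web = "2001:db8::a", "198.51.100.20"
    pkt_a = build_4in6("2001:db8:aaaa::1", aftr_v6, "10.1.1.1", web, 5000, 80)
    pkt_b = build_4in6("2001:db8:bbbb::1", aftr_v6, "10.1.1.1", web, 5000, 80)
    return aftr, aftr.outbound(pkt_a), aftr.outbound(pkt_b)


if __name__ == "__main__":
    aftr, pub_a, pub_b = demo()
    print("CPE A ->", pub_a, "CPE B ->", pub_b)
    print("return traffic to", pub_b, "goes to", aftr.inbound(*pub_b))
```

The decapsulation path refuses packets whose outer version or next-header field is wrong, so only genuine 4in6 frames create state; a production DS-Lite CGN would additionally check the tunnel source against the set of provisioned CPE addresses before creating a binding.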

1.4 NAT64 CGN

NAT64 is a stateful IPv6-to-IPv4 mapping technology; the CGN maintains the IPv6-IPv4 address translation table. NAT64 has an obvious characteristic: it only allows an IPv6 host to initiate a connection to an IPv4 server. NAT64 also involves DNS64. Before accessing IPv4, the IPv6 host queries a DNS64 server to obtain a valid IPv6 address for the domain name. The DNS64 server may need to query the IPv4 DNS and translate the IPv4 address into an IPv6 address. This requires that the DNS working with NAT64 has DNS64 functionality, which synthesizes an AAAA record from an A record.

Figure 1-3 NAT64 CGN principle (diagram: IPv6 network with an IPv6 client 2001:db8:1c0::2:21 and a DNS with DNS64, CGN (NAT64) in the middle, IPv4 network with a server 192.0.2.33; NAT64 binding 2001:db8:1c8:0:1:: to 200.0.0.1; IPv6 side: Src 2001:db8:1c8:0:1:: Dst 2002:db8:1c0:2:21::; IPv4 side: Src 200.0.0.1 Dst 192.0.2.33)

NAT64 client and server communication proceeds as follows:

Figure 1-4 Principle of NAT64 CGN, IPv6 network access to IPv4 network (message sequence between the IPv6 client 2002:db8::200, the DNS64 server, the authoritative DNS server, the NAT64 and the IPv4 server 80.1.1.1):

(1) IPv6 client -> DNS64: DNS query AAAA example.com
(2) DNS64 -> authoritative DNS server: DNS query AAAA example.com
(3) authoritative DNS server -> DNS64: DNS response NS Domain (no AAAA record)
(4) DNS64 -> authoritative DNS server: DNS query A example.com
(5) authoritative DNS server -> DNS64: DNS response A 80.1.1.1
(6) DNS64 -> IPv6 client: DNS response AAAA 2001:db8:8000::80.1.1.1 (synthesized)
(7) IPv6 client -> NAT64: Src 2002:db8::200 port 10001, Dst 2001:db8:8000::80.1.1.1 port 80
(8) NAT64 -> IPv4 server: Src 202.1.1.1 port 5000, Dst 80.1.1.1 port 80
(9) IPv4 server -> NAT64: Src 80.1.1.1 port 80, Dst 202.1.1.1 port 5000
(10) NAT64 -> IPv6 client: Src 2001:db8:8000::80.1.1.1 port 80, Dst 2002:db8::200 port 10001

Procedure:

1. The IPv6 host sends a AAAA query for the domain name to its IPv6 DNS (the DNS64 server).
2. After receiving the query from the IPv6 host, the DNS64 server looks up its local DNS. If it finds an AAAA record, it returns that address to the IPv6 host; otherwise it sends a AAAA query to the upper-level DNS. If no AAAA record is found anywhere, it sends an A query for the domain name to the IPv4 network. After receiving the A response, it embeds the IPv4 address into the configured Prefix64 to synthesize an AAAA record from the A record, and returns the AAAA record to the IPv6 host.
3. Having obtained the AAAA record, the IPv6 host sends a connection request to the IPv6 address that embeds the IPv4 address of the IPv4 server.
4. When the request reaches the NAT64, it undergoes IPv6-to-IPv4 address translation and protocol conversion, and the translated IPv4 packet is sent to the IPv4 network and finally to the IPv4 server.
5. The IPv4 server responds to the connection request.
6. When the IPv4 response from the IPv4 server reaches the NAT64, the NAT64 recognizes the destination address as one of its NAT64 addresses, looks up the NAT64 mapping, and performs IPv4-to-IPv6 address translation and protocol conversion on the IPv4 packet. The resulting IPv6 packet is sent to the IPv6 network and finally to the IPv6 client. The connection is established in this way.
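DNS64 synthesis and the NAT64 address translation that undoes it, as an added example written for this page (not ZTE's DNS64/NAT64 code). It embeds an IPv4 address into a Prefix64 following RFC 6052 for each permitted prefix length, extracts it again on the NAT64 side only when the destination really lies inside the configured prefix, and answers a AAAA query from a constructed zone in which example.com has only an A record, using the values of Figure 1-4 (A record 80.1.1.1, Prefix64 2001:db8:8000::/96, NAT64 outside address 202.1.1.1, client 2002:db8::200 port 10001). The zone data, the second host name and the starting outside port are assumptions.

```python
"""DNS64 AAAA synthesis (RFC 6052 address format, RFC 6147 behaviour)
and the matching NAT64 translation step.  Added example for this page,
not ZTE code; zone data and client/outside addresses are constructed."""
import ipaddress
from itertools import count

# Prefix lengths RFC 6052 allows for an IPv4-embedded IPv6 address
ALLOWED_PREFIX_LENS = (32, 40, 48, 56, 64, 96)


def synthesize_aaaa(ipv4, pref64):
    """Embed ipv4 into pref64.  For lengths other than /96 the IPv4 bits
    straddle bits 64-71 (the "u" octet), which must stay zero."""
    net = ipaddress.IPv6Network(pref64)
    if net.prefixlen not in ALLOWED_PREFIX_LENS:
        raise ValueError(f"Pref64 length must be one of {ALLOWED_PREFIX_LENS}")
    v4 = int(ipaddress.IPv4Address(ipv4))
    base = int(net.network_address)
    if net.prefixlen == 96:
        return str(ipaddress.IPv6Address(base | v4))
    high_len = 64 - net.prefixlen      # IPv4 bits that fit before bit 64
    low_len = 32 - high_len            # remainder placed after the u octet
    high = v4 >> low_len
    low = v4 & ((1 << low_len) - 1)
    return str(ipaddress.IPv6Address(base | (high << 64) | (low << (56 - low_len))))


def extract_ipv4(ipv6, pref64):
    """Inverse of synthesize_aaaa.  Returns None when ipv6 is not inside
    pref64: such a destination is native IPv6 and must not be translated."""
    net = ipaddress.IPv6Network(pref64)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    v = int(addr)
    if net.prefixlen == 96:
        return str(ipaddress.IPv4Address(v & 0xFFFFFFFF))
    high_len = 64 - net.prefixlen
    low_len = 32 - high_len
    high = (v >> 64) & ((1 << high_len) - 1)
    low = (v >> (56 - low_len)) & ((1 << low_len) - 1)
    return str(ipaddress.IPv4Address((high << low_len) | low))


# Constructed zone data standing in for the authoritative DNS servers
ZONE = {
    "example.com.": {"A": ["80.1.1.1"]},                             # IPv4-only
    "dual.example.com.": {"A": ["80.1.1.2"], "AAAA": ["2001:db8::10"]},
}


def dns64_resolve_aaaa(name, pref64, zone=ZONE):
    """Answer a AAAA query the DNS64 way: return native AAAA records when
    the name has them, otherwise synthesize one per A record."""
    records = zone.get(name, {})
    if records.get("AAAA"):
        return list(records["AAAA"]), "native"
    return [synthesize_aaaa(a, pref64) for a in records.get("A", [])], "synthesized"


class NAT64:
    """Stateful NAT64 for IPv6-initiated flows: one outside port per
    (IPv6 source, source port); the IPv4 destination is the embedded one."""

    def __init__(self, pref64, outside_ip="202.1.1.1", first_port=5000):
        self.pref64, self.outside_ip = pref64, outside_ip
        self._ports = count(first_port)
        self.table = {}   # (v6_src, sport) -> (outside_ip, outside_port)

    def translate_outbound(self, v6_src, sport, v6_dst, dport):
        """Return the IPv4 4-tuple (src, sport, dst, dport) to forward,
        or None if v6_dst is not a NAT64 destination (route it as IPv6)."""
        v4_dst = extract_ipv4(v6_dst, self.pref64)
        if v4_dst is None:
            return None
        key = (v6_src, sport)
        if key not in self.table:
            self.table[key] = (self.outside_ip, next(self._ports))
        out_ip, out_port = self.table[key]
        return (out_ip, out_port, v4_dst, dport)

    def translate_inbound(self, v4_src, sport, v4_dst, dport):
        """Reverse path: map the outside port back to the IPv6 client and
        re-embed the IPv4 server address into Pref64.  None if no state."""
        for (v6_src, v6_port), public in self.table.items():
            if public == (v4_dst, dport):
                return (synthesize_aaaa(v4_src, self.pref64), sport, v6_src, v6_port)
        return None


if __name__ == "__main__":
    pref64 = "2001:db8:8000::/96"
    answers, kind = dns64_resolve_aaaa("example.com.", pref64)
    nat = NAT64(pref64)
    print(kind, answers, nat.translate_outbound("2002:db8::200", 10001, answers[0], 80))
```

The prefix check in extract_ipv4 is the part that matters on the NAT64: an IPv6 destination outside Prefix64 is native IPv6 and must be routed, not translated, otherwise arbitrary IPv6 packets could be turned into IPv4 packets with an attacker-chosen destination. The synthesized AAAA record is also not signed by the zone owner, so a validating IPv6 client cannot verify it with DNSSEC.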

1.5 CGN Product Form

CGN generally has three product forms: stand-alone, CR insertion-card and BRAS insertion-card. They are defined as follows:

- A stand-alone CGN is a device that handles only the CGN service and no other service such as access or routing. It can be attached to a CR or a BRAS.
- A CR insertion-card CGN is a CR fitted with a card dedicated to CGN, integrating routing and CGN functions and providing CGN for all users in the metro networks connected to that CR.
- A BRAS insertion-card CGN is a BRAS fitted with a processing card dedicated to CGN, integrating access and CGN functions and providing CGN for all users accessed through that BRAS.

Because they need to support a variety of services, insertion-card products place high demands on the performance and reliability of the CR or BRAS and occupy extra service slots, which affects future capacity expansion of the CR or BRAS. The stand-alone CGN is therefore recommended. Several stand-alone CGNs can be attached to a CR or BRAS for backup and load balancing.

Figure 1-5 CGN product form (diagram: technology form NAT444, DS-Lite or NAT64; product form stand-alone, CR card-insertion or BRAS card-insertion; deployment form centralized or distributed)

2 CGN Application Scenario and Analysis

There is no better or worse among the three mainstream CGN technologies; they are adopted at different stages of the transition from IPv4 to IPv6. When IPv6 network construction is not yet complete and IPv4 addresses are close to depletion, NAT444 meets the needs of new users while IPv6 network deployment is planned. When an IPv6 access network has been established and users should not be forced to change their configuration and habits, DS-Lite can be adopted. When IPv6 networks and users reach a certain size but a certain number of IPv4 services and applications remain in the network, NAT64 enables IPv6 users to access IPv4 networks.

CGN deployments of the different technologies are either centralized or distributed, and their application scenarios are similar. NAT444 CGN is taken as the example for discussing distributed and centralized deployments.


2.1 Distributed Deployment of Stand-alone NAT444 CGN

In the distributed deployment a stand-alone CGN is attached to each BRAS and works with the metro network BRAS. An ordinary user is allocated a private IPv4 address by the BRAS through PPPoE or IPoE. The user's IPv4 traffic reaches the user side of the BRAS through the CPE. The BRAS is configured with a policy route that leads the user traffic into the stand-alone CGN, and the CGN translates the private source address and source port of the traffic into a public address and port according to the configured mapping rules. The translated user traffic is sent from the CGN back to the BRAS and then forwarded from the network side of the BRAS to the metro network SR/CR, as shown below:

Figure 2-1 Distributed deployment of stand-alone NAT444 CGN (diagram: CPEs connect to BRASs; each BRAS has a stand-alone NAT444 CGN attached and forwards to the IPv4 network; AAA server, NM server and log server are connected to the BRASs and CGNs)

2.2 Distributed Deployment of BRAS Insertion-card NAT444 CGN

In this distributed deployment a dedicated CGN card is inserted into the BRAS and works with the metro network BRAS. Unlike a stand-alone CGN, an insertion-card CGN is integrated into the BRAS and needs no new rack or line resources, which saves equipment room space. An ordinary user is allocated a private IPv4 address by the BRAS through PPPoE or IPoE. The user's IPv4 traffic reaches the user side of the BRAS through the CPE. The BRAS leads the user traffic into the dedicated CGN card, and the card translates the private source address and source port of the traffic into a public address and port according to the configured mapping rules. The translated user traffic is sent from the CGN card back to the BRAS and then forwarded from the network side of the BRAS to the metro network SR/CR, as shown below:

Figure 2-2 Distributed deployment of BRAS insertion-card NAT444 CGN (diagram: CPEs connect to BRASs, each fitted with an insertion-card NAT444 CGN, which forward to the IPv4 network; AAA server, NM server and log server are connected to the BRASs)

2.3 Centralized Deployment of Stand-alone NAT444 CGN

In the centralized deployment a stand-alone NAT444 CGN is attached to the CR and works with the CR. Centralized CGN deployment makes network management easier, but it places high performance and stability requirements on the CGN device, which has to translate addresses for the entire metro network; deploying the CGNs in hot standby is recommended. A user is allocated a private IPv4 address through PPPoE or IPoE. The user's IPv4 traffic reaches the user side of the BRAS through the CPE, and then the metro network CR through the network side of the BRAS. The CR is configured with a policy route that leads the user traffic into the stand-alone CGN, and the CGN translates the private source address and source port of the traffic into a public address and port according to the configured mapping rules. The translated user traffic is sent from the CGN back to the CR.

Note that, because the traffic still carries private addresses on its way from the user to the CR, a private network route must be planned on the devices along that path other than the CR, as shown below:

Figure 2-3 Centralized deployment of stand-alone NAT444 CGN (diagram: CPEs connect through the IPv4 private network to BRASs, which forward to the CR; a stand-alone NAT444 CGN is attached to each CR; AAA server, NM server and log server are connected to the CR)

2.4 Centralized Deployment of CR Insertion-card NAT444 CGN

In this centralized deployment a dedicated CGN card is inserted into a spare CR slot and works with the CR. Unlike a stand-alone CGN, an insertion-card CGN is integrated into the CR and needs no new rack or line resources, which saves equipment room space. An ordinary user is allocated a private IPv4 address by the BRAS through PPPoE or IPoE. The user's IPv4 traffic reaches the user side of the BRAS through the CPE, and then the metro network CR through the network side of the BRAS. The CR leads the user traffic into the dedicated CGN card, and the card translates the private source address and source port of the traffic into a public address and port according to the configured mapping rules. The translated user traffic is sent from the CGN card back to the CR, as shown below:

Figure 2-4 Centralized deployment of CR insertion-card NAT444 CGN (diagram: CPEs connect through the IPv4 private network to BRASs, which forward to the CR; each CR is fitted with an insertion-card NAT444 CGN; AAA server, NM server and log server are connected to the CR)

2.5 CGN Deployment Analysis

Centralized and distributed deployments have different characteristics. Distributed deployment prevents a single point of failure from affecting the whole system, while centralized deployment is easier to control and manage. CGN deployment also depends heavily on the BRAS/CR in the existing network: an insertion-card CGN needs a BRAS or CR that supports it, otherwise the stand-alone CGN must be selected. Many factors have to be taken into account in an actual CGN deployment.

- An insertion-card CGN occupies a service slot. Generally, the traffic ratio between service cards and CGN cards has to be considered, and if CGN cards need to back each other up, more service slots are occupied.
- A CGN service may combine DS-Lite, NAT444 and NAT64, in which case the insertion-card CGN service becomes very complicated. The CGN service is still in the pilot phase; if it needs to support different ALGs, version upgrades may be quite frequent, and upgrading and maintaining insertion cards is very difficult. Taking into account hot-standby CR/BRAS pairs layered on top of hot-standby CGNs, the situation is more complex still, and management and maintenance more difficult.
- Centralized deployment of the stand-alone CGN requires less investment, takes effect quickly, is quick to deploy and easy to set up as a customer pilot, and requires only a small change to the existing network devices. One CGN is enough to set up a customer pilot. As long as the CGN service is deployed, NAT444, NAT64 and DS-Lite can be
- The stand-alone CGN easily supports hot standby while balancing load. It gives stronger protection than inter-card backup: it protects against link failure, single-device failure and card failure, while inter-card backup only protects against card failure.
- The stand-alone CGN is easy to upgrade and maintain. The CGN can upgrade its ALGs by upgrading itself, and in hot standby the CGN can upgrade services without any interruption.

Table 2-1 Different CGN deployments

Deployment mode | Investment analysis | CGN deployment difficulty | CGN reliability | CGN maintainability
Distributed deployment of stand-alone NAT444 CGN | High (each BRAS is configured with a stand-alone device) | Difficult (each BRAS is configured with a stand-alone device) | High (CGN hot standby) | Simple upgrade and maintenance
Distributed deployment of BRAS insertion-card CGN | High (each BRAS is configured with a new CGN card) | Difficult (occupies a BRAS slot) | Low (CGN card hot standby) | Complex upgrade and maintenance
Centralized deployment of stand-alone NAT444 CGN | Low (one stand-alone device is added) | Easy (attached to the CR) | High (CGN hot standby) | Simple upgrade and maintenance
Centralized deployment of CR insertion-card NAT444 CGN | Low (the CR is configured with a new CGN card) | Easy (occupies a CR slot) | Low (CGN card hot standby) | Complex upgrade and maintenance


3 Abbreviations

Table 3-1 Abbreviations

Abbreviation | Full name
CGN | Carrier Grade NAT
BRAS | Broadband Remote Access Server
CR | Core Router
SR | Service Router
NAT | Network Address Translation
ICANN | Internet Corporation for Assigned Names and Numbers