IPv6: Launching Our New Internet Protocol
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
Andrew Yourtchenko
Technical Leader
[Figure labels: IPv4, 4,000,000,000, Ports, Tags]
Sources: IMS Research, Intel, Ericsson, Cisco
[Figure labels: Today, IPv4, IPv6, CGN]
Cisco Services Study of over 800 Enterprises
[Figure: timeline, Jan 2011 to Nov 2011]
[Figure: survey “When are you planning to deploy IPv6 in production”, July 2010 vs. April 2011; categories: In Progress, 6 months, 12 months, 24 months, No plans; callouts: 40%, 25% and 32%, 56%]
[Figure: chart for 2008 to 2014 with data labels 78.39%, 66.91%, 52.05%, 34.42%, 18.41%, 6.92%, 1.49%]
[Figure: percentage charts, 2011 to 2016; label: Retail]
[Figure: large un-named ISP, Feb-11, Feb-12, Dec-12; CGN only vs. 6rd + CGN]
[Figure: charts for 2011, 2013, 2015 with labels LTE 7%, W-CDMA 44%, GSM 40%]
Stateful NAT64
Stateful NAT64 allows hosts on the IPv6 network to connect to the IPv4 Internet by dedicating an IPv6 prefix that represents the translated IPv4 Internet. This has two uses:
- IPv6-enable the internal IPv4-only services
- allow an internal IPv6-only network to talk(*) to the IPv4 Internet
In this example, it is possible to model both. The translation has to be “stateful” because the initiators are on the IPv6 side: after translation the addresses “shrink”, so the IPv6 sources are mapped into a much smaller global IPv4 pool.
[Diagram: IPv6 hosts and IPv6 Internet, stateful NAT64 (4:6, 6:4), IPv4 Internet]
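! IPv6 prefix that represents the translated IPv4 Internet
nat64 prefix stateful 2610:d0:1208:cafe::/96
! Global IPv4 pool (a single address here), shared by all flows via overload
nat64 v4 pool NAT64GLOBAL 153.16.17.82 153.16.17.82
nat64 v6v4 list NAT64LIST pool NAT64GLOBAL overload
! Export translation logs as NetFlow v9
nat64 logging translation flow-export v9 udp dest 192.168.0.2 9995
! ACL name must match the list referenced by "nat64 v6v4 list" above
ipv6 access-list NAT64LIST
 permit ipv6 any 2610:d0:1208:cafe::/96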
[Diagram: IPv6 hosts, NAT64 (4:6, 6:4) with interfaces Gig0/0/0 and Gig0/0/1, IPv4 hosts]
interface Gig0/0/1
 nat64 enable
interface Gig0/0/0
 nat64 enable
Packet flow: IPv6-only client (2607:f128:42:73::2, on the IPv6 Internet) to IPv4-only server (72.163.4.161)
1. Client to NAT64 (IPv6)
   s: [2607:f128:42:73::2]:37897
   d: [2610:d0:1208:cafe::72.163.4.161]:80
2. Translation entry on the NAT64
   asr1knat64-xtr#sh nat64 trans
   tcp 72.163.4.161:80 [2610:d0:1208:cafe::48a3:4a1]:80
       153.16.17.82:1056 [2607:f128:42:73::2]:37897
3. NAT64 to server (IPv4)
   s: 153.16.17.82:1056
   d: 72.163.4.161:80
4. Server to NAT64 (IPv4)
   s: 72.163.4.161:80
   d: 153.16.17.82:1056
5. NAT64 to client (IPv6)
   s: [2610:d0:1208:cafe::72.163.4.161]:80
   d: [2607:f128:42:73::2]:37897
1. IPv4 translated traffic is “router-originated” routing-wise, based on IPv6 traffic
2. IPv4 and IPv6 security policies need to be consistent!
DNS64 creates a synthetic AAAA record for a host from its A record if no real AAAA record exists in DNS.
This automatically directs IPv6-only clients to the correct address within the NAT64 prefix.
BIND has provided this functionality since 9.8.0; in our example BIND runs on a Linux VM in a container on the ASR1k.
CNR’s DNS server can also be used to perform the same function.
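
The DNS64 synthesis rule and the policy-consistency point above, worked through in Python as an added example (not code from the slides). It uses the /96 NAT64 prefix from the configuration shown earlier; the function names and the IPv4 deny list are assumptions made for illustration.

```python
import ipaddress

# NAT64 prefix taken from the slide's configuration (/96, RFC 6052 layout).
NAT64_PREFIX = ipaddress.IPv6Network("2610:d0:1208:cafe::/96")

# Constructed IPv4 policy for illustration: destinations denied on the IPv4 side.
V4_DENY = ["10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8"]


def embed(v4, prefix=NAT64_PREFIX):
    """Map an IPv4 address into the prefix: it becomes the low 32 bits."""
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(v6, prefix=NAT64_PREFIX):
    """Return the embedded IPv4 address, or None outside the NAT64 prefix."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(a_records, aaaa_records):
    """Synthesize AAAA records from A records only when no real AAAA exists."""
    if aaaa_records:
        return [str(ipaddress.IPv6Address(r)) for r in aaaa_records]
    return [str(embed(a)) for a in a_records]


def v6_permitted(dst_v6, v4_deny=V4_DENY):
    """Judge an IPv6 destination by the IPv4 address NAT64 will translate it to,
    so that the IPv6 path enforces the same deny list as the IPv4 path."""
    v4 = extract(dst_v6)
    if v4 is None:
        return True  # native IPv6 destination: not covered by this check
    return not any(v4 in ipaddress.ip_network(net) for net in v4_deny)


if __name__ == "__main__":
    print(dns64_answer(["72.163.4.161"], []))  # synthetic AAAA inside the prefix
    print(v6_permitted("2610:d0:1208:cafe::72.163.4.161"))
    print(v6_permitted("2610:d0:1208:cafe::192.168.0.2"))
```

The synthesized address for 72.163.4.161 is the same one that appears in the `sh nat64 trans` output above.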
[Diagram: IPv6 Internet, DNS64, IPv4 Internet]
[Figure: chart with labels LTE 7%, W-CDMA 44%, GSM 40% and a 15% callout]
IPv6 “What Works” in Apps IPv6 “Brokenness” in Apps
1. Full Spectrum Internet
2. CGN bypass
3. IPv6-only mobile devices
* Top 50 .si sites from Alexa rating; source: http://www.vyncke.org/ipv6status/
[Diagram: three ways to give the IPv6 Internet access to IPv4-only hosts in the web tier: server load balancer (ACE-30), stateful NAT64 (ASR1000), software HTTP proxy (Apache, MSFT PortProxy)]
[Diagram: dual-stack clients and dual-stack servers, IPv4 and IPv6]
[Diagram: dual-stack clients and IPv6-only servers, IPv4 and IPv6, stateless NAT64 (4:6, 6:4)]
Stateless NAT64 (RFC6052, RFC6145)
[Diagram: IPv4 (0.0.0.0/0), stateless NAT64 (4:6, 6:4), IPv6 (::/0); IPv6-mapped prefix 2001:db8::/96; IPv4 address shown as 2001:db8::192.0.2.1]
DNS: A: 192.0.2.1, AAAA: 2001:db8::192.0.2.1
1. IPv4 side
   s: 1.1.1.1:1056
   d: 192.0.2.1:80
2. IPv6 side
   s: [2001:db8::1.1.1.1]:1056
   d: [2001:db8::192.0.2.1]:80
• No IPv4 on the server
• IPv4 clients served as IPv6
• Original IPv4 remains known (geolocation, etc)
• Stateless: easy redundancy, flow count does not matter
• Need to inject /128s
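
How "original IPv4 remains known" looks from the IPv6-only server's side, as an added example (not from the slides): the server recovers the IPv4 client from the logged IPv6 source and applies an IPv4 blocklist to it. The 2001:db8::/96 prefix is the one used on the slides; the log lines, the blocklist and the function names are constructed for illustration.

```python
import ipaddress

# From the slides: IPv4 sources appear inside 2001:db8::/96 (RFC 6052 mapping).
MAPPED = ipaddress.IPv6Network("2001:db8::/96")

# Constructed access-log lines as an IPv6-only web server would record them.
SAMPLE_LOG = [
    '2001:db8::101:101 - - [06/Jun/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8::c633:6407 - - [06/Jun/2012:10:00:02 +0000] "GET /login HTTP/1.1" 200 734',
    '2001:db8:beef::7 - - [06/Jun/2012:10:00:03 +0000] "GET / HTTP/1.1" 200 512',
]


def original_client(logged):
    """Return the IPv4 address behind a logged IPv6 client, or None if native."""
    addr = ipaddress.IPv6Address(logged)
    if addr not in MAPPED:
        return None  # native IPv6 client, never passed through the translator
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def annotate(log_lines, v4_blocklist=()):
    """Return (logged client, original IPv4 or None, blocked?) per log line.

    No translator state is consulted: the mapping is stateless, so the
    original address can be computed from the log alone.
    """
    nets = [ipaddress.ip_network(n) for n in v4_blocklist]
    rows = []
    for line in log_lines:
        logged = line.split()[0]
        v4 = original_client(logged)
        blocked = v4 is not None and any(v4 in n for n in nets)
        rows.append((logged, None if v4 is None else str(v4), blocked))
    return rows


if __name__ == "__main__":
    # Constructed blocklist entry (documentation range).
    for row in annotate(SAMPLE_LOG, ["198.51.100.0/24"]):
        print(row)
```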
[Diagram: IPv4 (0.0.0.0/0), stateless NAT64 (4:6, 6:4), IPv6 (::/0); IPv6-mapped IPv4 prefix 2001:db8::/96; public IPv4 192.0.2.1/32; IPv6-mapped IPv4 address 2001:db8:c001::1/64]
DNS: A: 192.0.2.1, AAAA: 2001:db8:c001::1
1. IPv4 side
   s: 1.1.1.1:1056
   d: 192.0.2.1:80
2. IPv6 side
   s: [2001:db8::1.1.1.1]:1056
   d: [2001:db8:c001::1]:80
• IPv4 header overhead != IPv6 header overhead
• Beware potential MTU issues
• Fragmentation in IPv4 and IPv6 done differently
• => Test extensively in the lab if it works for your traffic!
• Demo of WLC 7.2 code
• 30 APs, ~1400 clients
• Fully up by 3 people in less than a day
• Dualstack SSID and IPv6-only SSID with NAT64+DNS64
• 114 IPv6-only / (706+701+114) = 7.5%
7.5% IPv6-only
• IPv6-only works, but need to wait till DHCPv4 times out
• Temporary addresses:
New association = new address!
WLC cache = 8 addrs. Tune the timers!
• Users complained about:
Apple Facetime
Most of the VPNs
• What worked well:
Everyday browsing
Facebook ☺
• NOC management VM host short on IPv4 addresses
• Instead of getting extra IPv4, configured static NAT64 on ASR1k
• It worked and no one noticed
[Diagram: remote user, ASR1001 (NAT64), NOC stats (IPv6 only)]
• Join the IPv6 launch
• Help fix the 15%