NPTV6 AND NAT64 FOR IPV6 ENVIRONMENT

Adrien Desportes (adesportes@juniper.net) Juniper Systems Engineer

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 2

AGENDA

NPTv6: purpose and standardization status

NAT64: practical use case

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 3

WHAT IS NPTV6?

One-to-one translation between inside and outside addresses §  No attempt to conserve outside address space

Algorithmic translation §  Overwrite high order bits

Stateless translation

Checksum neutral

No requirement for routing symmetry

By default, supports inbound connection requests

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 4

MOTIVATION FOR NPTV6

NPTv6 provides addressing independence for single homed sites

NPTv6 provides addressing independence for multi-homed sites without injecting provider independent addresses into the global routing system and causing excessive routing table growth

Presentation prepared with the help & courtesy of Ron Bonica author of draft-bonica-v6-multihome-02 that updates Section 2.4 of RFC 6296

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 5

TOPOLOGY

Upstream Upstream Provider #1 Provider #2 / \ / \ / \ / \ / +------+ +------+ \ +------+ |Backup| |Backup| +------+ | PE | | PE | | PE | | PE | | #1 | | #1 | | #2 | | #2 | +------+ +------+ +------+ +------+ | | | | +------+ +------+ |NPTv6 | |NPTv6 | | #1 | | #2 | +------+ +------+ | | | | ------------------------------------------------------ Internal Network

PAB#1 PAB#2

CNB#1 (/64)

CNB#2 (/64)

SAB ULA…(/63)

CAB#2 (/127) CAB#1

(/127)

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 6

SITE NUMBERING

Hosts numbered from the lower half of the SAB normally receive inbound traffic from Upstream Provider #1

Hosts numbered from the higher half of the SAB normally receive inbound traffic from Upstream Provider #2

Selected hosts can receive inbound traffic from both Upstream Provider #1 and Upstream Provider #2

§  These hosts have multiple SAB addresses

§  At least one address is drawn from the lower half of the SAB

§  At lease one address is drawn from the higher half of the SAB

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 7

TRANSLATION STATELESS 1:1 NAT

Inbound •  If the 64 high-order bits of the destination address match the 64 high-order

bits of CNB #1, overwrite those bits with the 64 bits that identify the lower half of the SAB

•  Same if 64 high-order bits match CNB#2

•  Else silently discard

Outbound •  If the 64 high-order bits of the source address match the 64 bits that identify

the lower half of the SAB, overwrite those bits with the 64 high order bits of CNB #1

•  Same if 64 high-order bits match higher half of SAB

•  Else silently discard

Same rules on both NPT devices

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 8

ROUTING

ISP #1

NPTv6 #1

PE #1

Backup PE #1 ISP #2

NPTv6 #2

PE #2

Backup PE #2

Multi-hop EBGP

Multi-homed Site

Multi-hop EBGP

Outside interface

Outside interface

Two default routes circulate within the site (inside interface of NPTv6 #1 and inside interface of NPTv6 #2)

ASBR

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 9

ROUTING

ISP #1

NPTv6 #1

PE #1

Backup PE #1 ISP #2

NPTv6 #2

PE #2

Backup PE #2

Multi-hop EBGP

Multi-homed Site

Multi-hop EBGP

Outside interface

Outside interface

Advertise CNB#1 Next-hop self High Pref

Advertise CNB#1 Next-hop self Low Pref

iBGP iBGP

Advertise PAB#1

ASBR

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 10

RECOVERY

ISP #1

NPTv6 #1

PE #1

Backup PE #1

ISP #2

NPTv6 #2

PE #2 Dyn GRE Tunnel

Multi-homed Site

Outside interface

Outside interface

Advertise CNB#1 Next-hop self Low Pref

iBGP

Advertise PAB#1

ASBR

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 11

LOAD BALANCING

Outbound §  Controlled by site

§  Traffic can exit through either NPTv6 gateway

Inbound: connections originating within site §  Originating host selects one of its source addresses

§  Selected address determines path or return traffic

Inbound: connections originating outside of the site §  Originating host selects one of the addresses advertised in DNS

§  Selected address determines traffic path

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 12

CONCLUSION

Targets SME who want to achieve multi-homing with the following architectural goals:

§  Redundancy

§  Transport-layer survivability

§  Load balancing

§  Address independence

§  Prevent excessive growth of global routing tables

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 13

AGENDA

NPTv6: purpose and standardization status

NAT64: practical use case

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 14

Cloud

Translator

NAT 64

IPv4 IPv6

IPv4 address of www.example.com

IPv6 clients

CLOUD TRANSLATOR ARCHITECTURE

www.example.com DNS AAAA 2001:…

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 15

IPv6

LAB TOPOLOGY – NAT64

IPv6 IPv6

IPv4

IPv6

IPv6 IPv6

IPv4

DNS64

NAT64

IPv6 IPv6 IPv6/IPv4 IPv6/IPv4

ISP v6 Global Public Network

2001:db8:0200:0001::/64

x.x.x.x

10.1.1.2/30 Web Content v4

Host IPv6

10.2.1.0/24

2001:db8:0200:0002::/96

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 16

IPv6

LAB TOPOLOGY – NAT64

IPv6 IPv6

IPv4

IPv6

IPv6 IPv6

IPv4

DNS64

NAT64

IPv6 IPv6 IPv6/IPv4 IPv6/IPv4

ISP v6 Global Public Network

2001:db8:0200:0001::/64

x.x.x.x

10.1.1.2/30 Web Content v4

Host IPv6

10.2.1.0/24

2001:db8:0200:0002::/96

{master}[edit interfaces] lab@re0.lab-mx480.lab.boe# show ge-5/0/0.0 family inet; family inet6 { service { input { service-set NAT64_npu1 service-filter NAT64_only; } output { service-set NAT64_npu1 service-filter NAT64_only; } } address 2001:db8:0200:0001::1/64; }

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 17

IPv6

LAB TOPOLOGY – NAT64

IPv6 IPv6

IPv4

IPv6

IPv6 IPv6

IPv4

DNS64

NAT64

IPv6 IPv6 IPv6/IPv4 IPv6/IPv4

ISP v6 Global Public Network

2001:db8:0200:0001::/64

x.x.x.x

10.1.1.2/30 Web Content v4

Host IPv6

10.2.1.0/24

2001:db8:0200:0002::/96

  {master}[edit services]   lab@re0.lab-mx480.lab.boe# show service-set NAT64_npu1   syslog {   host local {   class {   nat-logs;   }   }   }   nat-rules NAT64_npu1;   interface-service {   service-interface sp-1/0/0.0;   }

  {master}[edit interfaces]   lab@re0.lab-mx480.lab.boe# show sp-1/0/0.0   family inet;   family inet6;

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 18

IPv6

LAB TOPOLOGY – NAT64

IPv6 IPv6

IPv4

IPv6

IPv6 IPv6

IPv4

DNS64

NAT64

IPv6 IPv6 IPv6/IPv4 IPv6/IPv4

ISP v6 Global Public Network

2001:db8:0200:0001::/64

x.x.x.x

10.1.1.2/30 Web Content v4

Host IPv6

10.2.1.0/24

2001:db8:0200:0002::/96

{master}[edit services nat] lab@re0.lab-mx480.lab.boe# show pool NAT64_npu1 { address-range low 10.2.1.1 high 10.2.1.250; port { automatic; } } rule NAT64_npu1 { match-direction input; term 1 { from { destination-address { 2001:db8:0200:0002::/96; } } then { translated { source-pool NAT64_npu1; destination-prefix 2001:db8:0200:0002::/96; translation-type { stateful-nat64; } } } } }

Copyright © 2011 Juniper Networks, Inc. | www.juniper.net 19

LOG OPTIMIZATION TECHNIQUES

By default 2 logs are generated by v6 user accessing v4 through NAT64

Optimization with the use of §  PBA (one log per ports group)

§  Deterministic (no log at all)

§  XFF