tunneling, cgn and 6rd

© 2006 Cisco Systems, Inc. All rights reserved. 1 Tunneling, CGN and 6RD Stefan Kollar Consulting Systems Engineer CCIE #10668 [email protected]

Upload: others

Post on 09-Apr-2022

10 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Tunneling, CGN and 6RD


Tunneling, CGN and 6RD

Stefan Kollar Consulting Systems Engineer CCIE #10668 [email protected]

Page 2: Tunneling, CGN and 6RD


Agenda

• IPv6 tunnels
• IPv6 CGN
• 6RD introduction
• 6RD deployment
• Perform basic 6RD troubleshooting
• DEMO

Page 3: Tunneling, CGN and 6RD


Tunnels: IPv6-over-IPv4

6to4
• Stateless 6-over-4 encapsulation using the well-known (WK) 2002::/16 prefix
• Public IPv4 only
• Asymmetric routing problem

6rd
• Stateless 6-over-4 encapsulation using the SP's own IPv6 prefix
• Works over public/private IPv4
• RFC 5969

Softwires H/S
• RFC 5571; uses L2TPv2/IPv4 infrastructure

[Figure: 6to4 over public IPv4 to the IPv4 Internet; 6rd over public/private IPv4 terminating on a 6rd BR; Softwires with LAC and LNS; v4 and v4/6 hosts reaching the IPv6 Internet]

Page 4: Tunneling, CGN and 6RD


Tunnels: IPv4-over-IPv6

Softwires H/S
• RFC 5571; leverages L2TPv2/IPv6 infrastructure

Dual-Stack Lite
• 4over6 tunnels terminate in CGN NAT44 on the AFTR
• Stateful IPv4 address sharing

4rd
• Stateless IPv4-over-IPv6 tunnel encap/decap
• Can do stateless IPv4 address sharing by allocating per-CPE port ranges
• CPE does NAT44 + 4rd encap/decap
• draft-despres-intarea-4rd-xx

[Figure: Softwires LAC/LNS over IPv6; DS-Lite B4 to AFTR (CGN + 4over6); 4rd endpoints across an IPv6 access network toward the IPv4 Internet; v4 and v4/6 hosts]

Page 5: Tunneling, CGN and 6RD


What about DS-Lite?

• Not deployable due to the lack of IPv6-only access network(s) and missing B4 elements
• Solves the same problem(s) as CGN + 6rd, which is deployable right now using existing IETF standards and multi-vendor equipment
• AFTR coverage is limited to IPv6-only reachability to remote B4 elements

[Figure: B4 in the IPv6 access network, Softwire 4over6 to a CGN NAT44 AFTR and on to the IPv4 Internet; IPv6 Internet reached natively]

Page 6: Tunneling, CGN and 6RD


IPv6 Transition Solutions – deployable today

1. CGN NAT44 to address IPv4 run-out, over the same IPv4 access network
2. 6rd for IPv6 access to the IPv6 Internet, over the same IPv4 access network
3. Controlled deployment of native IPv6 hosts/apps plus NAT64 (XLAT)

[Figure: customer network with CPE, IPv4 access network, CGN NAT44 to the IPv4 Internet (1); 6rd tunnel from the CPE across the IPv4 access network to the IPv6 Internet (2); XLAT 1:1 / N:1 between IPv6 and IPv4 (3)]

Page 7: Tunneling, CGN and 6RD


CGv6 – Carrier Grade NAT

(1.) CGN NAT44 to address IPv4 address run-out
• Deployed, and is the foundation for future SP-class translation solutions (including NAT64)

(2.) 6rd for IPv6 subscriber access to the native IPv6 Internet

(3.) For native IPv6 interworking with IPv4
• Stateless XLAT (1:1) for controlled deployments available now (already supported in ASR1k – IOS XE 3.2)
• Stateful XLAT (N:1) NAT64/DNS64 available in 2H2011

Why Stateful XLAT (NAT64)?
• Performs IPv4 address sharing
• Based on IETF BEHAVE WG standards
• Complements and completes the standards-based XLAT portfolio

Page 8: Tunneling, CGN and 6RD


CGv6 – Carrier Grade NAT - Logging NAT binding records

1) Preferably NetFlow v9 (or its standardized successor IPFIX) with format (11)

2) Syslog consumes more resources (e.g. CPU, bandwidth, memory), is less scalable and has lower throughput

Page 9: Tunneling, CGN and 6RD


CGv6 – Carrier Grade NAT – PCP (Port Control Protocol)

The PCP protocol enables home network subscribers to create a port forwarding entry on the CGN.

https://datatracker.ietf.org/wg/pcp/

Page 10: Tunneling, CGN and 6RD


6RD - Introduction

• IPv6 Rapid Deployment
• Defined in draft-ietf-softwire-ipv6-6rd-10.txt; approved on May 20, 2010 by the IESG for publication as a standards track RFC (RFC 5969)
• Mechanism for Service Providers to deliver IPv6 via their IPv4 network
• 6rd was first deployed by Free Telecom and is fully supported by Google

Why not 6to4?
• The 6to4 service is "over the top": it operates without the SP really controlling who uses the service and who doesn't.
• The IPv6 community is trying to kill/deprecate 6to4.

Page 11: Tunneling, CGN and 6RD


6RD – Variation of 6to4

• Uses the SP's own IPv6 address prefix instead of 2002::/16
• The operational domain is limited to the SP's network and is under its direct control
• Not all 32 bits of the IPv4 destination address need to be carried in the IPv6 header

Page 12: Tunneling, CGN and 6RD


6RD Deployment

• 6RD SP Prefix – The IPv6 prefix selected by the SP for the given 6RD deployment
• 6RD Delegated Prefix – The IPv6 prefix derived from the SP prefix and the IPv4 address bits. Used by the CE for hosts within its site.

Page 13: Tunneling, CGN and 6RD


6RD Prefix Delegation

6RD delegated prefix layout:
  SP Prefix | IPv4 Address Bits (0-32 bits) | Subnet ID (16 bits) | Interface ID (64 bits)

IPv4 destination address layout:
  IPv4 Common Prefix (8 bits in the figure) | IPv4 Address Bits (0-32 bits, the users' address space) | IPv4 Common Suffix (8 bits in the figure)

Only the variable IPv4 address bits are carried in the IPv6 prefix; the common prefix and suffix are configured on every endpoint.

Example: SP v6 prefix 2001:B000::/32, v4 common prefix 10.1.0.0/16, v4 common suffix 0.0.0.1/8

Page 14: Tunneling, CGN and 6RD


6RD Prefix Delegation

[Figure: BR connected to the IPv6 Internet and to the SP IPv4 network; CE1, CE2 and CE3 at Site 1, Site 2 and Site 3 joined by a 6RD CE LAN multipoint tunnel; tunnel sources 10.1.1.1 (CE1), 10.1.2.1 (CE2), 10.1.3.1 (CE3) and 10.1.4.1 (BR)]

SP Prefix: 2001:B000::/32
IPv4 Common Prefix: 10.1.0.0/16
IPv4 Common Suffix: 0.0.0.1/8

CE1: Delegated 6RD prefix 2001:B000:0100::/40, (V4) tunnel transport source 10.1.1.1
CE2: Delegated 6RD prefix 2001:B000:0200::/40, (V4) tunnel transport source 10.1.2.1
BR: Delegated 6RD prefix 2001:B000:0400::/40, (V4) tunnel transport source 10.1.4.1

Page 15: Tunneling, CGN and 6RD


6RD Tunnel Security

• For packets received on the 6RD tunnel interface:
  • The IPv4 tunnel source must match the configured IPv4 common prefix and suffix.
  • The IPv4 source address must match the IPv4 address embedded in the IPv6 source address for packets received from CEs.
• Packets not matching these criteria are dropped.
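The prefix derivation from the 6RD Prefix Delegation slides and the tunnel security check above, as an added Python example (not code from the slides or from Cisco IOS). It uses the deck's own values; the only assumption is how "tunnel 6rd br" on a CE is modelled (packets from the configured BR skip the check).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SixrdDomain:
    """6rd domain parameters shared by BR and CEs (the 'tunnel 6rd ...' settings)."""
    sp_prefix: str      # SP IPv6 prefix, e.g. "2001:B000::/32"
    common_prefix: str  # IPv4 common prefix value, e.g. "10.1.0.0"
    prefix_len: int     # tunnel 6rd ipv4 prefix-len
    common_suffix: str  # IPv4 common suffix value, e.g. "0.0.0.1"
    suffix_len: int     # tunnel 6rd ipv4 suffix-len

    @property
    def v4_bits(self) -> int:
        """Number of IPv4 address bits actually carried inside the IPv6 prefix."""
        return 32 - self.prefix_len - self.suffix_len

def delegated_prefix(dom: SixrdDomain, tunnel_src_v4: str) -> str:
    """Delegated 6rd prefix = SP prefix followed by the variable IPv4 bits of the endpoint."""
    sp = ipaddress.IPv6Network(dom.sp_prefix)
    v4 = int(ipaddress.IPv4Address(tunnel_src_v4))
    bits = (v4 >> dom.suffix_len) & ((1 << dom.v4_bits) - 1)   # strip common prefix/suffix
    shift = 128 - sp.prefixlen - dom.v4_bits
    net = ipaddress.IPv6Network((int(sp.network_address) | (bits << shift),
                                 sp.prefixlen + dom.v4_bits))
    return str(net)

def tunnel_destination(dom: SixrdDomain, ipv6: str) -> str:
    """Encapsulation side: recover the IPv4 tunnel endpoint from an IPv6 address in the domain."""
    sp = ipaddress.IPv6Network(dom.sp_prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in sp:
        raise ValueError(f"{ipv6} is outside the 6rd domain {dom.sp_prefix}")
    bits = (int(addr) >> (128 - sp.prefixlen - dom.v4_bits)) & ((1 << dom.v4_bits) - 1)
    pfx = int(ipaddress.IPv4Address(dom.common_prefix)) & ((0xFFFFFFFF << (32 - dom.prefix_len)) & 0xFFFFFFFF)
    sfx = int(ipaddress.IPv4Address(dom.common_suffix)) & ((1 << dom.suffix_len) - 1)
    return str(ipaddress.IPv4Address(pfx | (bits << dom.suffix_len) | sfx))

def decap_security_check(dom: SixrdDomain, outer_v4_src: str, inner_v6_src: str,
                         br: Optional[str] = None) -> bool:
    """Check for packets received on the 6rd tunnel interface: the IPv4 address rebuilt from
    the inner IPv6 source (common prefix + embedded bits + common suffix) must equal the outer
    IPv4 source. 'br' models 'tunnel 6rd br' on a CE (assumption): BR packets skip the check."""
    if br is not None and outer_v4_src == br:
        return True
    try:
        return tunnel_destination(dom, inner_v6_src) == outer_v4_src
    except ValueError:
        return False  # inner IPv6 source is not from the SP prefix: drop
```

With the slide-14 domain (prefix-len 16, suffix-len 8) the function returns 2001:b000:100::/40 for CE1 at 10.1.1.1; with the slide-20 domain (prefix-len 8, no suffix) it returns 2001:1000:b0c:d00::/56 for the BR at 10.11.12.13, matching the show output later in the deck.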

Page 16: Tunneling, CGN and 6RD


Configuration

Page 17: Tunneling, CGN and 6RD


6RD Configuration Steps

interface Tunnel0
 ipv6 address 2001:B000:200::1/124
 tunnel source GigabitEthernet1/1/7
 tunnel mode ipv6ip 6rd
 tunnel 6rd prefix 2001:B000::/32
 tunnel 6rd ipv4 prefix-len 16 suffix-len 8
interface GigabitEthernet1/1/7
 ip address 100.1.2.1 255.255.255.0

• 6RD tunnel mode
• Service Provider IPv6 prefix
• Common IPv4 prefix and suffix

Page 18: Tunneling, CGN and 6RD


CE-specific CLI

router(config-if)# tunnel 6rd br <ipv4-address>

• Optional CLI configured when the router is used as a CE
• Skips the security check for packets with the configured IPv4 address as their source IPv4 address

Page 19: Tunneling, CGN and 6RD


IPv6 General-Prefix

ipv6 general-prefix <name> 6rd tunnel <tunnel-interface-number>

• Used to define an IPv6 general-prefix computed from a 6rd tunnel interface

asr1k(config)#ipv6 general-prefix DELEGATED_PREFIX 6rd Tunnel0
*May 23 11:12:05.644: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state
asr1k(config)#
asr1k(config)#do sh run int tun 0
Building configuration...

Current configuration : 40 bytes
!
interface Tunnel0
 no ip address
end

asr1k(config)#

Page 20: Tunneling, CGN and 6RD


Cisco IOS configuration related to 6RD only; the 6RD-BR uses a Loopback (/32) with anycast routing

[Figure: 6RD-CE (CPE, FE0 / vlan 10) across the IPv4 access network to the 6RD-BR at 10.11.12.13]

6RD-BR

!
interface Loopback0
 ip address 10.11.12.13 255.255.255.255
!
interface Tunnel0
 no ip address
 no ip redirects
 ipv6 address DELEGATED_PREFIX 2001:1000::/128 anycast
 tunnel source Loopback0
 tunnel mode ipv6ip 6rd
 tunnel 6rd ipv4 prefix-len 8
 tunnel 6rd prefix 2001:1000::/32
!
ipv6 route 2001:1000::/32 Tunnel0
!

6RD-CE (CPE)

!
interface Tunnel0
 no ip address
 no ip redirects
 ipv6 enable
 tunnel source FastEthernet0
 tunnel mode ipv6ip 6rd
 tunnel 6rd ipv4 prefix-len 8
 tunnel 6rd prefix 2001:1000::/32
 tunnel 6rd br 10.11.12.13
!
interface FastEthernet0
 ip address dhcp
 duplex auto
 speed auto
!
interface Vlan10
 no ip address
 ipv6 address DELEGATED_PREFIX 2001:1000::/64 eui-64
!
ipv6 route 2001:1000::/32 Tunnel0
ipv6 route ::/0 Tunnel0 2001:1000:B0C:D00::

Page 21: Tunneling, CGN and 6RD


6RD Deployment

tunnel 6rd ipv4 prefix-len 8   (32 - 8 = 24 IPv4 address bits carried in the delegated prefix)
tunnel 6rd prefix 2011:1000::/32

Page 22: Tunneling, CGN and 6RD


Debugging

Page 23: Tunneling, CGN and 6RD


6RD IOS Show Commands

show ipv6 interface tunnel <n>
show tunnel 6rd tunnel <n>
show tunnel 6rd destination <SP-v6prefix> tunnel <n>
show tunnel 6rd prefix <v4-destination> tunnel <n>

Page 24: Tunneling, CGN and 6RD


Sample IOS Show Command output

asr1k#sh ipv6 int tun 0
Tunnel0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::A0B:C0D
  No Virtual link-local address(es):
  General-prefix in use for addressing
  Global unicast address(es):
    2001:1000:B0C:D00::, subnet is 2001:1000:B0C:D00::/128 [ANY]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:0
    FF02::1:FF0B:C0D
  MTU is 1480 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  Post_Encap features: Tunnel 6RD
  ND DAD is not supported
  ND reachable time is 30000 milliseconds (using 30000)
  ND RAs are suppressed (periodic)
  Hosts use stateless autoconfig for addresses.
asr1k#

Page 25: Tunneling, CGN and 6RD


Sample IOS Show Command output

6RD Border Relay Router

asr1k#sh tunnel 6rd tunnel 0
Interface Tunnel0:
  Tunnel Source: 10.11.12.13
  6RD: Operational, V6 Prefix: 2001:1000::/32
  V4 Prefix, Length: 8, Value: 10.0.0.0
  V4 Suffix, Length: 0, Value: 0.0.0.0
  General Prefix: 2001:1000:B0C:D00::/56

6RD Customer Edge - CPE

isr1812#sh tunnel 6rd tunnel 0
Interface Tunnel0:
  Tunnel Source: 10.10.20.2
  6RD: Operational, V6 Prefix: 2001:1000::/32
  V4 Prefix, Length: 8, Value: 10.0.0.0
  V4 Suffix, Length: 0, Value: 0.0.0.0
  Border Relay address: 10.11.12.13
  General Prefix: 2001:1000:A14:200::/56

Page 26: Tunneling, CGN and 6RD


Sample IOS Show Command output

asr1k#sh tunnel 6rd destination 2001:1000:B0C:D00:: tunnel 0
Interface: Tunnel0
6RD Prefix: 2001:1000:B0C:D00::
Destination: 10.11.12.13

asr1k#sh tunnel 6rd prefix 10.10.20.2 tunnel 0
Interface: Tunnel0
Destination: 10.10.20.2
6RD Prefix: 2001:1000:A14:200::

Page 27: Tunneling, CGN and 6RD


Sample QFP show platform output (the TunnelDecapSecChkFail counter counts packets dropped by the tunnel decapsulation security check)

router# show platform hardware qfp active statistics drop
----------------------------------------------------------------
Global Drop Stats                         Packets      Octets
---------------------------------------------------------------
TunnelDecapSecChkFail                           5         690

Page 28: Tunneling, CGN and 6RD


6RD Statistics

router# show interfaces tunnel 0 stats
Tunnel0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          0          0          0          0
             Route cache          0          0          0          0
       Distributed cache        100      11200        100      13200
                   Total        100      11200        100      13200

Page 29: Tunneling, CGN and 6RD


Software Release and platforms

• IOS 15.1(3)T for 800, 1800, 1900, 2800, 2900, 3800, 3900, 7200
• IOS XE Release 3.1S for the ASR 1K series
• IOS 15.1(3)S for 7600 (coming ~ July 2011)
• IOS-XR 3.9.3 CGSE (CGNv6) blade in CRS
• 6RD on CPE: Linksys, Pirelli and many other CPE vendors

Page 30: Tunneling, CGN and 6RD
