
HUAWEI NetEngine40E/80E Universal Service Router
V600R006C00

Feature Description - IPv6 Transition

Issue 03
Date 2013-08-20

HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Issue 03 (2013-08-20) Huawei Proprietary and Confidential i



About This Document

Purpose
This document describes the principles, applications and security features of IPv4 to IPv6
transition technologies.

CAUTION
Note the following precautions:
l Currently, the device supports the AES and SHA2 algorithms. AES is a reversible (symmetric
encryption) algorithm; SHA2 is an irreversible (one-way hash) algorithm. A protocol
interworking password must be stored reversibly, because the device needs the plaintext to
authenticate to the peer; a local administrator password must be stored irreversibly, so that
the configuration file never reveals it.
l If the plain parameter is specified, the password is saved in plaintext in the configuration
file, which is a high security risk. Specify the cipher parameter instead. To further improve
device security, change the password periodically.
l Do not set both the start and end characters of a password to "%$%$". A string delimited this
way is treated as already ciphered and is stored as is, so the password appears directly in the
configuration file.

Related Versions
The following table lists the product versions covered by this document.

Product Name                          Version
HUAWEI NetEngine80E/40E Router        V600R006C00

Intended Audience
This document is intended for

l Network planning engineers


l Commissioning engineers
l Data configuration engineers
l System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows:

Symbol    Description
DANGER    Indicates a hazard with a high level of risk, which if not avoided, will result in
          death or serious injury.
WARNING   Indicates a hazard with a medium or low level of risk, which if not avoided, could
          result in minor or moderate injury.
CAUTION   Indicates a potentially hazardous situation, which if not avoided, could result in
          equipment damage, data loss, performance degradation, or unexpected results.
TIP       Indicates a tip that may help you solve a problem or save time.
NOTE      Provides additional information to emphasize or supplement important points of the
          main text.

Change History
Changes between document issues are cumulative. The latest document issue contains all the
changes made in earlier issues.

Changes in Issue 03 (2013-08-20)


The third commercial release.

Changes in Issue 02 (2013-04-15)


The second commercial release.

Changes in Issue 01 (2012-11-10)


This issue is the first official release.


Contents

About This Document

1 NAT444
1.1 Introduction
1.2 References
1.3 Principles
1.3.1 NAT444 Working Process/Principle
1.3.2 NAT Port Allocation Model
1.3.3 NAT Traversal
1.3.4 NAT Resource Protection
1.3.5 NAT Logs
1.4 Applications
1.4.1 NAT444 Deployment
1.5 Terms, Acronyms, and Abbreviations

2 L2-Aware NAT
2.1 Introduction
2.2 References
2.3 Principles
2.3.1 L2-Aware NAT Principle
2.3.2 Comparison of NAT Technologies
2.4 Applications
2.4.1 L2-Aware NAT Deployment
2.5 Terms, Acronyms, and Abbreviations

3 DS-Lite
3.1 Introduction
3.2 References
3.3 Principles
3.3.1 Basic DS-Lite Principle
3.3.2 CPE Obtaining Tunnel Destination Address
3.4 Applications
3.4.1 DS-Lite Deployment
3.5 Terms, Acronyms, and Abbreviations


1 NAT444

About This Chapter

1.1 Introduction

1.2 References

1.3 Principles

1.4 Applications

1.5 Terms, Acronyms, and Abbreviations


1.1 Introduction
Definition
Network address translation (NAT) is an important technology used in the transition from IPv4
to IPv6 networks. NAT44 allows an IPv4 address to be translated into another IPv4 address.
NAT444 is NAT44 performed twice, once on a customer premises equipment (CPE) device and
the second time on a carrier-grade NAT (CGN) device. Because of its efficiency, NAT444, also
called large scale NAT (LSN), is utilized in situations where NAT is used on carrier networks
on a large scale.

Purpose
With NAT444, a large number of private source IP addresses can share a small number of public
source IP addresses, alleviating the stress of IPv4 address resource exhaustion.

Benefits
Benefits to carriers

l NAT is mature and easy to deploy.
l CPE devices do not need to be upgraded, saving the cost.

1.2 References
Document No.                              Document Name    Remarks
draft-nishitani-cgn                       -                -
draft-shirasaki-nat444                    -                -
draft-shirasaki-nat444-isp-shared-addr    -                -

1.3 Principles


1.3.1 NAT444 Working Process/Principle

NAT Working Process/Principle


NAT is a process in which the IP address in an IP header is translated into another IP address.
NAT has two modes: port address translation (PAT) and no-port address translation (No-PAT).
PAT is used in NAT444 scenarios. Figure 1-1 shows how NAT works in the PAT mode.
NOTE

The flexible card versatile service unit VSUF-/80/160 does not support the No-PAT mode.

Figure 1-1 Address translation based on NAT PAT (figure: User, Router, and Server; the source
and destination addresses of the packet at steps 1 to 4 are those listed below)

1. The user sends a packet with the source address of 1.1.1.1:5000 and destination address of
2.2.2.2:5000 to the server.
2. The source address of the packet sent from the user to the server is translated from
1.1.1.1:5000 to 2.2.2.1:2000 by the router.
3. After receiving the packet, the server sends a reply packet with the source address of
2.2.2.2:5000 and destination address of 2.2.2.1:2000.
4. The destination address of the packet sent from the server to the user is translated from
2.2.2.1:2000 back to the original 1.1.1.1:5000 by the router.

NAT444 principle
NAT444 is the NAT44 performed twice, once on a CPE device and the other on a CGN device,
as shown in Figure 1-2.
NOTE
In NAT444 scenarios, a VPN-NAT user cannot log in to the CGN device through Telnet. If such
access is required, restrict it with filtering based on ACL rules.


Figure 1-2 NAT444 principle (figure: PC, CPE, CGN, and Server; the packet's source address is
192.168.0.1:8000 at step 1, 10.0.0.1:9000 at step 2, and 100.0.0.1:11000 at step 3, while the
destination address stays 128.0.0.1:80)

1. The PC sends a packet with the source IP address of 192.168.0.1:8000 and the destination
IP address of 128.0.0.1:80 to the server. The source IP address is a private network IPv4
address.
2. The packet is first translated on the CPE device, and the source IP address is translated into
10.0.0.1:9000. The source IP address is a private network IPv4 address.
3. The packet is then translated on the CGN device, and the source IP address is translated
into 100.0.0.1:11000. The source IP address is a public network IPv4 address.

1.3.2 NAT Port Allocation Model


In a distributed scenario, port allocation takes place when the user logs in. In an integrated
scenario, port allocation takes place when the CGN device receives the first valid IP packet
from a private network address.

Port pre-allocation
In the port pre-allocation (port range) model, a public IP address and a port segment are
allocated to a private IP address when the CGN device first creates a mapping for it. All later
mappings for that private IP address use the same public IP address and ports from the same
port segment.

Semi-dynamic port allocation


The semi-dynamic port allocation (Semi-Dynamic) model is an extension of the port range
model. It replaces the single segment size of the port range model with three parameters: the
initial port segment size, the extended port segment size, and the maximum number of
extensions. When a user goes online, the CGN device allocates an initial port segment and
assigns the user ports from it. If the user needs more ports than the initial segment provides,
the CGN device allocates an extended port segment. The maximum number of extensions
limits how many extended port segments a user can be allocated.

Dynamic port allocation


With dynamic port allocation (Port Dynamic), a port is allocated each time a flow entry is created,
so the ports of each public IPv4 address are fully used. Dynamic port allocation is suited to
scenarios where public IPv4 addresses are scarce. However, each port allocation generates a log
message, so a large number of log messages has to be sent and a dedicated log server is needed.
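The three models above, as an added example that is not code from this document: one allocator per model for a single public IPv4 address, compared by how many sessions each admits and how many log records each writes for the same workload. The segment sizes, the port range, and the log line format are assumed values chosen for the illustration.

```python
"""Added example, not code from the Huawei document: the three port
allocation models of 1.3.2 as allocators for one public IPv4 address,
compared by how many sessions they admit and how many log records they
emit for the same workload. Segment sizes, the port range and the log
line format are assumed values for the illustration."""
from typing import Dict, List, Optional


class PortPool:
    """The ports of one public address, handed out as contiguous segments."""

    def __init__(self, first: int = 1024, last: int = 65535):
        self.next, self.last = first, last

    def segment(self, size: int) -> Optional[range]:
        if self.next + size - 1 > self.last:
            return None                              # address exhausted
        seg = range(self.next, self.next + size)
        self.next += size
        return seg


class SegmentAllocator:
    """Port pre-allocation (max_ext=0) and its semi-dynamic extension.

    A user gets `initial` ports when first seen; when those are used up,
    at most `max_ext` further segments of `extension` ports are added.
    One log record is written per segment, not per session."""

    def __init__(self, pool: PortPool, initial: int, extension: int = 0, max_ext: int = 0):
        self.pool, self.initial, self.extension, self.max_ext = pool, initial, extension, max_ext
        self.segments: Dict[str, List[range]] = {}
        self.used: Dict[str, int] = {}
        self.log: List[str] = []

    def _add_segment(self, user: str, size: int) -> bool:
        seg = self.pool.segment(size)
        if seg is None:
            return False
        self.segments.setdefault(user, []).append(seg)
        self.log.append(f"user={user} ports={seg.start}-{seg.stop - 1}")
        return True

    def new_session(self, user: str) -> Optional[int]:
        if user not in self.segments and not self._add_segment(user, self.initial):
            return None
        n = self.used.get(user, 0)
        if n >= sum(len(s) for s in self.segments[user]):
            extensions = len(self.segments[user]) - 1
            if extensions >= self.max_ext or not self._add_segment(user, self.extension):
                return None                          # user's quota exhausted: refused
        self.used[user] = n + 1
        return [p for s in self.segments[user] for p in s][n]


class DynamicAllocator:
    """Dynamic allocation: one port, and one log record, per session."""

    def __init__(self, pool: PortPool):
        self.pool, self.log = pool, []

    def new_session(self, user: str) -> Optional[int]:
        seg = self.pool.segment(1)
        if seg is None:
            return None
        self.log.append(f"user={user} port={seg.start}")
        return seg.start


def compare(sessions_per_user: int = 300, users=("u1", "u2")) -> Dict[str, tuple]:
    """(sessions admitted, log records written) for each model."""
    models = {
        "port-range": SegmentAllocator(PortPool(), initial=256),
        "semi-dynamic": SegmentAllocator(PortPool(), initial=128, extension=64, max_ext=4),
        "dynamic": DynamicAllocator(PortPool()),
    }
    result = {}
    for name, alloc in models.items():
        admitted = sum(alloc.new_session(u) is not None
                       for u in users for _ in range(sessions_per_user))
        result[name] = (admitted, len(alloc.log))
    return result
```

With two users opening 300 sessions each, the port range model (256 ports per user) refuses 44 sessions per user but writes only two log records; the semi-dynamic model (128 ports, then up to four extensions of 64) admits everything with eight records; dynamic allocation admits everything but writes one record per session, which is the log volume the text warns about.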

1.3.3 NAT Traversal


NAT ALG
NAT translates only the IP addresses in the IP header and the port numbers in the TCP/UDP
header. Some protocols, such as ICMP and FTP, also carry IP addresses or port numbers in the
Data field of the packet. If the header is translated but the addresses or ports in the Data field
are not, the two no longer agree and the application fails. For example, when an FTP server
that uses an internal IP address communicates with a public network host, the server must send
its IP address to the host. This address is carried in the Data field of an IP packet, where NAT
cannot translate it. If the host then uses the private address to reach the FTP server, the
server is unreachable.
The application level gateway (ALG) function solves this for such protocols. As a conversion
agent for specific application protocols, the ALG interacts with the NAT device to establish
state, and uses the NAT state to rewrite the addresses and ports inside the Data field so that the
application protocol works across the private and public networks.
For example, when packet A, sent from a host on a private network to a public network, cannot
be delivered, an ICMP Destination Unreachable message is returned. The ICMP message quotes
the header of packet A. Because the NAT device translated packet A before it was sent, the
source address in that quoted header is the public address, not the host's real address. If ICMP
ALG is enabled, the ALG consults the NAT device before the ICMP packet is forwarded,
translates the quoted address back to the host's real address, adjusts the checksums, and the
NAT device then delivers the ICMP packet to the host.
A CGN device can function as an ALG for ICMP, SIP, RTSP, PPTP, and FTP.
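The ICMP case above, as an added example that is not code from this document: a packet A leaves the NAT device with its source already translated, a public router answers with an ICMP Destination Unreachable that quotes A's header, and the ALG rewrites the quoted source address and port back to the private ones and recomputes both checksums before the error is forwarded. The packets are constructed here, using the addresses of Figure 1-1; the reverse mapping table `nat_back` stands in for the NAT device's session state.

```python
"""Added example, not code from the Huawei document: the ICMP ALG case
described above in miniature. The packets are built here for the
demonstration; `nat_back` is a stand-in for the NAT state."""
import socket
import struct
from typing import Dict, Tuple


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 for data whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_header(sport: int, dport: int, length: int) -> bytes:
    # UDP checksum left at zero (permitted for IPv4), so nothing in the quoted
    # 8 bytes has to be adjusted besides the port itself.
    return struct.pack("!HHHH", sport, dport, length, 0)


def icmp_unreachable(quoted_packet: bytes) -> bytes:
    """ICMP type 3 code 3, quoting the offending IP header plus 8 bytes of L4."""
    body = struct.pack("!BBHI", 3, 3, 0, 0) + quoted_packet[:28]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def quoted_endpoint(icmp: bytes) -> Tuple[str, int]:
    """(source address, source port) of the packet quoted inside an ICMP error."""
    q = icmp[8:]
    ihl = (q[0] & 0x0F) * 4
    return socket.inet_ntoa(q[12:16]), struct.unpack("!H", q[ihl:ihl + 2])[0]


def icmp_alg_rewrite(icmp: bytes, nat_back: Dict[Tuple[str, int], Tuple[str, int]]) -> bytes:
    """Translate the quoted header inside an inbound ICMP error message.

    nat_back maps (public ip, public port) -> (private ip, private port)."""
    if icmp[0] not in (3, 11, 12):            # only error types carry a quoted header
        return icmp
    q = icmp[8:]
    ihl = (q[0] & 0x0F) * 4
    if q[9] not in (6, 17) or len(q) < ihl + 8:
        return icmp                           # not TCP/UDP, or quote too short to use
    pub_src = socket.inet_ntoa(q[12:16])
    pub_sport = struct.unpack("!H", q[ihl:ihl + 2])[0]
    mapping = nat_back.get((pub_src, pub_sport))
    if mapping is None:
        return icmp                           # no NAT state for it: leave untouched
    priv_ip, priv_port = mapping
    # quoted IP header: new source, checksum zeroed then recomputed
    inner = q[:10] + b"\x00\x00" + socket.inet_aton(priv_ip) + q[16:ihl]
    inner = inner[:10] + struct.pack("!H", checksum(inner)) + inner[12:]
    l4 = struct.pack("!H", priv_port) + q[ihl + 2:ihl + 8]
    # ICMP header with checksum zeroed, then the outer checksum recomputed
    body = icmp[:2] + b"\x00\x00" + icmp[4:8] + inner + l4 + q[ihl + 8:]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def demo() -> Tuple[bytes, bytes]:
    """(ICMP error as received from the public side, same error after the ALG)."""
    nat_back = {("2.2.2.1", 2000): ("1.1.1.1", 5000)}    # public -> private, from the NAT session
    payload = b"constructed"
    packet_a = (ipv4_header("2.2.2.1", "2.2.2.2", 17, 8 + len(payload))
                + udp_header(2000, 5000, 8 + len(payload)) + payload)
    error = icmp_unreachable(packet_a)                   # sent back by a public router
    return error, icmp_alg_rewrite(error, nat_back)
```

The example leaves the outer IP header alone: its destination is translated by the ordinary NAT path. Without the rewrite, the private host would receive an error about a packet it never sent from 2.2.2.1, and its stack would discard it.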

Triplet and Quintuple


The triplet mapping is also called full cone NAT. With the triplet, when a host on the private
network initiates a request to the public network, all packets with the same source address,
source port, and protocol type (TCP/UDP/ICMP) are mapped to the same public address and
port, whatever their destination. Any public host that learns the public address and port can
then reach the private host through it.
The quintuple mapping is also called symmetric NAT. With the quintuple, only packets with the
same source address, source port, protocol type (TCP/UDP/ICMP), destination address, and
destination port are mapped to the same public address and port; a different destination gets a
different mapping. Only the public host that the private host addressed can reach the private
host through the mapping, and its source port must be the destination port the private host
used when it initiated the request.

NAT Server
NAT hides internal hosts. In practice, however, public hosts need to reach some internal
servers, for example a WWW or an FTP server that must be available to public hosts.

Address translation lets internal servers be published in various ways. For example,
202.110.10.10, or even an address and port such as 202.110.10.12:8080, can be used as the public
address of a WWW server, and 202.110.10.11 as the public address of an FTP server. Multiple
servers of the same type, such as WWW servers, can also be offered to public users.

After the internal servers are deployed, the corresponding public addresses and ports are
mapped to the internal servers on the NAT device, allowing public hosts to access them.

When a public host initiates a request for accessing the internal server, the NAT device checks
the destination of the public packet based on the user's static configurations. If the destination
is an internal server, the address is translated into the private address and port of the internal
server. When an internal server sends a packet to a public host, the NAT device searches the
source address to check whether the packet is sent by an internal server. If the packet is sent by
an internal server, the source address is translated into the corresponding public address.

Port Forwarding
NAT often allows only internal users of a private network to initiate access requests to public
networks, whereas public network users cannot initiate access requests to private networks. NAT
server provides a mechanism that allows public network users to initiate access requests to
private networks. However, NAT server applies to a centralized deployment scenario for static
mapping configuration. Static mapping cannot be used in a distributed deployment scenario.
Users are assigned private IP addresses during login, and therefore mappings between public
and private IP addresses cannot be configured using NAT server.

Port forwarding configures static mapping during user login, allowing public network users to
access private network users using public IP addresses and ports.

During user login, port forwarding rules are delivered from the OSS system or RADIUS server
to a CGN device to establish static mappings between public and private IP addresses and ports.
After traffic from public networks arrives, the CGN device checks destination IP addresses and
ports of packets against static mappings. When matching static mappings are found, these
destination IP addresses and ports are translated according to the matching static mappings, and
the packets are sent to private users. As a next step, a session table is generated. Subsequent
packets of the traffic are then sent according to the session table.

The public IP address of an internal server is fixed, whereas the public IP address used in the
port forwarding mechanism is statically specified or dynamically bound.
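The static mapping lookup of NAT server and port forwarding above, as an added example that is not code from this document: a rule table, the session entry the first matching inbound packet creates, the session table hit for later packets, and the reverse lookup for the server's replies. The three server addresses are the ones quoted in the text; the port-forwarding rule for a user at 10.1.1.5 and the rule format are assumptions of this example (on the device the rules arrive from the OSS or RADIUS server at login).

```python
"""Added example, not code from the Huawei document: static NAT server
mappings and a port-forwarding rule, with the session table they create."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class StaticRule:
    public_ip: str
    public_port: Optional[int]    # None: the whole address is mapped, port unchanged
    private_ip: str
    private_port: Optional[int]   # None: keep the public port


class InboundNat:
    def __init__(self) -> None:
        self.rules: List[StaticRule] = []
        # (proto, public peer, public destination) -> private destination
        self.sessions: Dict[Tuple[str, Endpoint, Endpoint], Endpoint] = {}

    def add_rule(self, rule: StaticRule) -> None:
        self.rules.append(rule)

    def _match(self, ip: str, port: int) -> Optional[Endpoint]:
        # A rule naming the exact port takes precedence over an address-only rule.
        for want_port in (port, None):
            for r in self.rules:
                if r.public_ip == ip and r.public_port == want_port:
                    return (r.private_ip, r.private_port if r.private_port is not None else port)
        return None

    def inbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Tuple[Optional[Endpoint], bool]:
        """Returns (translated destination, whether a new session was created)."""
        key = (proto, src, dst)
        if key in self.sessions:
            return self.sessions[key], False       # subsequent packets: session table
        private = self._match(*dst)
        if private is None:
            return None, False                     # no static mapping: dropped
        self.sessions[key] = private
        return private, True

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """A reply from an internal server gets the public address of its session."""
        for (p, peer, public), private in self.sessions.items():
            if p == proto and private == src and peer == dst:
                return public
        return None


def demo():
    nat = InboundNat()
    nat.add_rule(StaticRule("202.110.10.10", None, "192.168.1.10", None))   # WWW server, whole address
    nat.add_rule(StaticRule("202.110.10.12", 8080, "192.168.1.12", 80))     # second WWW server on :8080
    nat.add_rule(StaticRule("202.110.10.11", None, "192.168.1.11", None))   # FTP server
    nat.add_rule(StaticRule("202.110.10.20", 6000, "10.1.1.5", 6000))      # port forwarding at login (assumed)
    client = ("203.0.113.7", 40000)
    first = nat.inbound("tcp", client, ("202.110.10.12", 8080))
    again = nat.inbound("tcp", client, ("202.110.10.12", 8080))
    reply = nat.outbound("tcp", ("192.168.1.12", 80), client)
    unmapped = nat.inbound("tcp", client, ("202.110.10.12", 9090))
    whole = nat.inbound("tcp", client, ("202.110.10.10", 443))
    return first, again, reply, unmapped, whole
```

Note the exposure an address-only rule creates: every port of 202.110.10.10 is reachable from the public side, so the internal host must be hardened as if it were directly on the Internet, whereas the :8080 rule exposes a single port.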

1.3.4 NAT Resource Protection


Session table entries, address and port resources, and CPU resources are critical to a CGN
device when NAT is performed. They must therefore be protected against attacks.


Port Number Limiting


To prevent an individual user from monopolizing port resources and causing connection
failures for other users, the NAT port number limiting function can be enabled to conserve the
ports of the IP address pool. The device checks whether the number of TCP, UDP, ICMP, or
all-protocol ports held by a user exceeds the configured threshold and, if so, refuses further
connection requests from that user.

When the number of TCP, UDP, ICMP, or all-protocol ports held by the user falls back below
the threshold, new ports can again be allocated to the user.

Session limit
Because NAT444 is a stateful address translation technology, session tables are a key resource
of a CGN device. If a user launches a DoS attack, such as a SYN flood, the session table
resources of the CGN device can be exhausted; other users can then no longer create sessions
and fail to get online. To prevent this, the number of TCP, UDP, or ICMP sessions per IP
address is monitored. When the number of TCP, UDP, or ICMP sessions from a source IP
address, or to a destination IP address, reaches the preset threshold, the system suppresses new
connections from that source or to that destination.

When the number of TCP, UDP, or ICMP sessions from the source IP address or to the
destination address falls back below the preset threshold, the system again allows new
connections from that source or to that destination.
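Session limiting as described above, as an added example that is not code from this document: thresholds per protocol and overall, counted both by source and by destination address, run against a constructed SYN flood from one private host. The threshold values are assumed. The port number limiting function is the same counter with ports in place of sessions, so it is not repeated.

```python
"""Added example, not code from the Huawei document: per-source and
per-destination session thresholds against a constructed SYN flood."""
from collections import Counter
from typing import Dict


class SessionLimiter:
    def __init__(self, per_proto: Dict[str, int], total: int) -> None:
        self.per_proto = per_proto                  # e.g. {"tcp": 500, "udp": 300, "icmp": 50}
        self.total = total                          # all protocols together
        self.by_src: Counter = Counter()            # keys (proto, ip) and ("all", ip)
        self.by_dst: Counter = Counter()

    def _at_limit(self, table: Counter, proto: str, ip: str) -> bool:
        return (table[(proto, ip)] >= self.per_proto[proto]
                or table[("all", ip)] >= self.total)

    def open(self, proto: str, src: str, dst: str) -> bool:
        """Admit a new session unless its source or its destination is at a threshold."""
        if self._at_limit(self.by_src, proto, src) or self._at_limit(self.by_dst, proto, dst):
            return False
        for table, ip in ((self.by_src, src), (self.by_dst, dst)):
            table[(proto, ip)] += 1
            table[("all", ip)] += 1
        return True

    def close(self, proto: str, src: str, dst: str) -> None:
        """Session aged out or torn down: counts fall and new sessions are admitted again."""
        for table, ip in ((self.by_src, src), (self.by_dst, dst)):
            table[(proto, ip)] -= 1
            table[("all", ip)] -= 1


def syn_flood_demo() -> Dict[str, object]:
    limiter = SessionLimiter({"tcp": 500, "udp": 300, "icmp": 50}, total=600)
    attacker, victim, legit = "192.168.0.9", "203.0.113.5", "192.168.0.10"
    tcp_admitted = sum(limiter.open("tcp", attacker, victim) for _ in range(1000))
    udp_admitted = sum(limiter.open("udp", attacker, victim) for _ in range(300))
    during = limiter.open("tcp", legit, victim)          # victim's TCP count is at threshold
    elsewhere = limiter.open("tcp", legit, "203.0.113.6")
    for _ in range(100):
        limiter.close("tcp", attacker, victim)           # attacker's sessions age out
    after = limiter.open("tcp", legit, victim)
    return {"attacker_tcp": tcp_admitted, "attacker_udp": udp_admitted,
            "legit_to_victim_during_flood": during, "legit_elsewhere": elsewhere,
            "legit_to_victim_after_aging": after}
```

The destination-side count has a side effect worth knowing when tuning thresholds: while the flood is in progress, a legitimate user is refused sessions to the victim as well, though not to other destinations. The attacker is capped at the overall total across protocols, not just at the TCP limit.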

Traffic Creation Rate Limiting


A CGN device uses a multi-core architecture in which flow creation and forwarding share CPU
resources. To keep forwarding stable, the CGN device continuously measures the volume of
flows being created and limits the flow creation rate and the resources it may consume.

1.3.5 NAT Logs


Unlike ordinary access through a BRAS device, packets from users who access the network
through a CGN device carry a translated source IP address. The host or user that initiated the
traffic is therefore hard to identify from the public address alone, which weakens network
security and accountability.

NAT logs address this problem. They record the mapping between private and public network
addresses, so the private source address of a packet can be traced from its public address,
public port, and the time of the traffic. Network activities and operations can then be attributed
accurately, improving network security and availability.

A CGN device offers three types of NAT logs: RADIUS logs, syslogs, and session logs.

RADIUS Log
RADIUS logs are used on CGN devices in distributed deployment mode to record user table
entry creation and aging, and the allocation and reclamation of additional ports. They are
generated when a user logs in or out and when additional ports are allocated or reclaimed. The
mappings between private and public IP addresses are carried in RADIUS accounting packets
sent to the RADIUS server, where the logs can be used to trace users.


sysLog
Syslogs can be used on CGN devices in both distributed and centralized deployment modes to
record user table entry creation and aging, and the allocation and reclamation of additional
ports. They are generated when a user logs in or out and when additional ports are allocated or
reclaimed. The mappings between private and public IP addresses are carried in the syslog
messages, which are sent to a log server in syslog format.

Session Log
Session logs can be used on CGN devices in distributed and centralized deployment modes to
record information about session entry creation and aging. Source IP addresses, source ports,
destination IP addresses, translated source IP addresses, translated source ports, and protocol
numbers are carried in session logs, which are then sent in binary format to a log server. A session
log contains much more data than a RADIUS log or sysLog. Session logs record user network
behaviors, so these logs are used not only for source tracing but also user behavior monitoring.

NOTE

Because a session log contains a large volume of data that can adversely affect performance, use sysLogs
when you only need to trace users.
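Tracing a user from user-online/user-offline records of the kind described under "sysLog", as an added example that is not code from this document. The syslog lines are constructed for this example in an assumed format, not the device's real log format. They show what a trace needs: the public address, the port, and the time, because a port block is handed to the next user once its holder goes offline.

```python
"""Added example, not code from the Huawei document: tracing a private
address from (public address, port, time) in constructed syslog records."""
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample in an assumed format; not the CGN's real log format.
SAMPLE_SYSLOG = """\
<134>1 2013-08-20T10:00:00Z cgn1 nat - - user-online priv=192.168.0.1 pub=100.0.0.1 ports=11000-11255
<134>1 2013-08-20T10:00:05Z cgn1 nat - - user-online priv=192.168.0.2 pub=100.0.0.1 ports=11256-11511
<134>1 2013-08-20T10:30:00Z cgn1 nat - - user-offline priv=192.168.0.1 pub=100.0.0.1 ports=11000-11255
<134>1 2013-08-20T10:31:00Z cgn1 nat - - user-online priv=192.168.0.3 pub=100.0.0.1 ports=11000-11255
"""

LINE = re.compile(r"^<\d+>1 (\S+) \S+ nat - - user-(online|offline) "
                  r"priv=(\S+) pub=(\S+) ports=(\d+)-(\d+)$")

Record = Tuple[str, int, int, str, datetime, Optional[datetime]]   # pub, lo, hi, priv, start, end


def parse_syslog(text: str) -> List[Record]:
    """Pair each user-online with its user-offline into a validity interval."""
    active = {}
    records: List[Record] = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                                  # unrelated syslog line
        ts = datetime.fromisoformat(m[1].replace("Z", "+00:00"))
        key = (m[4], int(m[5]), int(m[6]), m[3])      # (pub, lo, hi, priv)
        if m[2] == "online":
            active[key] = ts
        elif key in active:
            records.append(key + (active.pop(key), ts))
    records.extend(key + (ts, None) for key, ts in active.items())   # still online
    return records


def trace(records: List[Record], pub_ip: str, port: int, when: datetime) -> Optional[str]:
    """Which private address held pub_ip:port at time `when`?"""
    for pub, lo, hi, priv, start, end in records:
        if pub == pub_ip and lo <= port <= hi and start <= when and (end is None or when < end):
            return priv
    return None


def at(hh: int, mm: int) -> datetime:
    """Helper for queries: a UTC time on the day of the sample."""
    return datetime(2013, 8, 20, hh, mm, tzinfo=timezone.utc)
```

Because the same block 11000-11255 is reused by 192.168.0.3 after 192.168.0.1 logs off, a trace that ignores the timestamp, or that is fed by a log server whose clock disagrees with the CGN, attributes traffic to the wrong subscriber. Time synchronization between the CGN and the log server is part of making these logs usable as evidence.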

1.4 Applications

1.4.1 NAT444 Deployment

Distributed deployment
In distributed deployment, NAT is performed on a BRAS that also functions as a CGN device.
The distributed networking is shown in Figure 1-3.

In distributed deployment, the CGN function is tied to the user's login process on the BRAS.
Using its mature mechanism for managing RADIUS users, the BRAS/CGN device traces users
and delivers per-user NAT policies. In addition, the CGN device is located closer to the users,
so it scales better than in an integrated deployment and does not become a performance
bottleneck. Distributed deployment is therefore the primary CGN deployment mode.


Figure 1-3 Distributed deployment (figure: PC1 and PC2 behind CPE1, PC3 and PC4 behind
CPE2, both CPEs connected to a BRAS/CGN that connects to the IPv4 network)

Integrated deployment
In integrated deployment, a CGN card is inserted into, or a CGN device is attached to, a CR that
performs NAT. The integrated networking is shown in Figure 1-4.

Integrated deployment was used in the early phase, with a CGN device attached to a CR, in
scenarios with only a small number of sparsely located users.
NOTE

For Layer 2 or Layer 3 leased line users, the integrated deployment mode must be used.


Figure 1-4 Integrated deployment (figure: PC1 and PC2 behind CPE1, PC3 and PC4 behind
CPE2, each CPE connected to a BRAS; both BRAS devices connect to a CR with an attached
SR/CGN, which connects to the IPv4 network)

1.5 Terms, Acronyms, and Abbreviations


Abbreviations
Abbreviation    Full Name
NAT             Network Address Translation
ALG             Application Layer Gateway
CPE             Customer-premises equipment
CGN             Carrier Grade NAT


2 L2-Aware NAT

About This Chapter

2.1 Introduction

2.2 References

2.3 Principles

2.4 Applications

2.5 Terms, Acronyms, and Abbreviations


2.1 Introduction
Definition
L2-Aware NAT is a special NAT technology that translates private network IP addresses and
port IDs into public network IP addresses and port IDs. Unlike plain NAT44, the L2-Aware NAT
mapping is keyed by the user's location information (PPP session ID, MAC address, and user
VLAN ID) together with the private network IP address and port ID, so that users behind
different CPE devices may use overlapping private addresses.

Purpose
Like NAT444, L2-Aware NAT also addresses IPv4 address exhaustion.

Benefits
Benefits to carriers
l Compared with NAT444, NAT is performed once in L2-Aware NAT, reducing NAT
translation delays.
l L2-Aware NAT is mature and easy to deploy.
l CPE devices do not need to be upgraded, saving the cost.

2.2 References
Document No.                Document Name        Remarks
draft-miles-behave-l2nat    Layer2-Aware NAT     -

2.3 Principles

2.3.1 L2-Aware NAT Principle


L2-Aware NAT is a special NAT technology. Unlike a NAT444 CPE, an L2-Aware CPE device
only forwards packets based on routes but does not perform NAT. Based on the MAC address
of a CPE device (or layer 2 user information) and source IP address in a packet, the CGN device
performs NAT and translates the private network address and port ID into a public network
address and port ID.
Figure 2-1 shows the L2-Aware NAT address translation process. As shown in the figure, IP
addresses of PC1 and PC2 are allocated by CPE1, and IP addresses of PC3 and PC4 are allocated
by CPE2. Therefore, IP addresses of the PCs under the same CPE device are different, while IP
addresses of the PCs under different CPE devices can overlap. When a packet reaches the CGN,
the CGN uses the MAC address of the CPE and IP address of the PC to uniquely identify a PC,
and then performs NAT.


Figure 2-1 L2-Aware NAT address translation process (figure: PC1 and PC2 behind CPE1, PC3
and PC4 behind CPE2, both CPEs connected to the CGN. PC1 has MAC 00-24-7E-0F-3C-01 and
PC4 has MAC 00-24-7E-0F-3C-04; all PCs use IP 192.168.1.1 and port 5172. CPE1's WAN MAC
is 00-24-7E-0F-4D-01 and CPE2's is 00-24-7E-0F-4D-02; the CGN's WAN MAC is
00-24-7E-0F-5E. The CGN maps <00-24-7E-0F-4D-01+192.168.1.1,5172> to <69.1.1.1,7007>
and <00-24-7E-0F-4D-02+192.168.1.1,5172> to <69.1.1.1,8008>.)

Address translation process from a PC to the network:

1. PC1 and PC4 access the network. The packet sent by PC1 has source MAC address
00-24-7E-0F-3C-01, source IP address 192.168.1.1, and source port ID 5172. The packet
sent by PC4 has source MAC address 00-24-7E-0F-3C-04, source IP address 192.168.1.1,
and source port ID 5172.
2. CPE1 and CPE2 forward the packets at Layer 3, changing the source MAC address to the
MAC address of their own WAN port. The packet forwarded by CPE1 has source MAC address
00-24-7E-0F-4D-01, IP address 192.168.1.1, and port ID 5172; the packet forwarded by
CPE2 has source MAC address 00-24-7E-0F-4D-02, IP address 192.168.1.1, and port ID 5172.
3. The CGN performs L2-Aware NAT on the packets forwarded by CPE1 and CPE2. For the
packet originating from PC1, the CGN looks up the mapping for source MAC address
00-24-7E-0F-4D-01, source IP address 192.168.1.1, and port ID 5172, and translates the
source IP address to 69.1.1.1 and the port ID to 7007.


4. The CGN replaces the source MAC address with the MAC address of its WAN port and
forwards the packet.

Address translation process from the network to a PC:

1. If the destination IP address of a packet from the external network is one of the IP
addresses in the NAT public address pool, the CGN uses the mapping to change the destination
IP address and port ID to the private network IPv4 address and port ID.
2. Based on the Layer 2 forwarding information recorded in the mapping, the CGN forwards
the packet to the corresponding CPE device.
3. The CPE device looks up the route for the destination IPv4 address and sends the packet
to the PC.
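The two translation processes above, modelled as an added example (this is not Huawei's code): the CPE WAN MACs, the private address 192.168.1.1:5172 and the public ports 7007 and 8008 are the values from Figure 2-1, and the public port pool is a constructed assumption. It shows why the mapping key must carry the CPE's Layer 2 identity, and that inbound traffic with no mapping is dropped rather than guessed.

```python
# Added example, not Huawei's code; the port pool below is a constructed assumption.

class L2AwareCGN:
    """Outbound entries are keyed on (CPE WAN MAC, private IP, private port),
    so PCs behind different CPEs may share 192.168.1.1:5172 without
    colliding. The inbound table maps an allocated public port back to the
    Layer 2 information needed to return the packet to the right CPE."""

    def __init__(self, public_ip="69.1.1.1", free_ports=(7007, 8008)):
        self.public_ip = public_ip
        self.free_ports = list(free_ports)   # constructed pool of public ports
        self.outbound = {}   # (cpe_mac, priv_ip, priv_port) -> (pub_ip, pub_port)
        self.inbound = {}    # (pub_ip, pub_port) -> (cpe_mac, priv_ip, priv_port)

    def translate_out(self, cpe_mac, src_ip, src_port):
        """Step 3 of the outbound process: allocate or reuse a mapping."""
        key = (cpe_mac.upper(), src_ip, src_port)
        if key not in self.outbound:
            if not self.free_ports:
                raise RuntimeError("public port pool exhausted")  # alarm-worthy
            public = (self.public_ip, self.free_ports.pop(0))
            self.outbound[key] = public
            self.inbound[public] = key
        return self.outbound[key]

    def translate_in(self, dst_ip, dst_port):
        """Step 1 of the inbound process: look up the mapping, or None.
        Unsolicited traffic to an unmapped port is dropped, never guessed."""
        return self.inbound.get((dst_ip, dst_port))


def demo():
    cgn = L2AwareCGN()
    # Steps 1-2: PC1 and PC4 both send from 192.168.1.1:5172; CPE1 and CPE2
    # only rewrite the source MAC to their own WAN port MAC before forwarding.
    via_cpe1 = cgn.translate_out("00-24-7E-0F-4D-01", "192.168.1.1", 5172)
    via_cpe2 = cgn.translate_out("00-24-7E-0F-4D-02", "192.168.1.1", 5172)
    # Return direction: the public port alone selects the CPE and the PC.
    back_to = cgn.translate_in("69.1.1.1", 8008)
    return via_cpe1, via_cpe2, back_to
```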

2.3.2 Comparison of NAT Technologies

Name: NAT444
Advantages: Compared with DS-Lite, CPE devices do not need to be upgraded. NAT444 networks
are compatible with existing IPv4 networks. On a NAT444 network, an IP address family does
not need to be translated and DNS does not need to be changed. In NAT444, no tunneling
technology is used and no packet needs to be fragmented additionally.
Disadvantages: For protocols such as the Session Initiation Protocol (SIP), IP addresses are
carried at the application layer, and NAT may be performed twice. Universal Plug and Play
(UPnP) will not work in scenarios where NAT is performed twice.
Usage Scenarios: The carrier's network supports only IPv4 networks. Residential terminals
support only the IPv4 stack. Carriers allocate IPv4 addresses to residential terminals.
Residential terminals support NAT.

Name: L2-Aware NAT
Advantages: Compared with NAT444, NAT is performed once in L2-Aware NAT, reducing NAT
translation delays.
Disadvantages: NAT444 is more popular and more mature than L2-Aware NAT. NAT is widely used
in residential terminals and is easier to upgrade to NAT444.
Usage Scenarios: The carrier's network supports IPv4 networks. Residential terminals support
only the IPv4 stack. Carriers allocate IPv4 addresses to residential terminals. Residential
terminals support routing, and NAT can be disabled.

2.4 Applications


2.4.1 L2-Aware NAT Deployment


L2-Aware NAT can be deployed in distributed mode only.

2.5 Terms, Acronyms, and Abbreviations


Abbreviations
Abbreviation   Full Name
NAT            Network Address Translation
ALG            Application Layer Gateway
CPE            Customer Premises Equipment
CGN            Carrier Grade NAT


3 DS-Lite

About This Chapter

3.1 Introduction

3.2 References

3.3 Principles

3.4 Applications

3.5 Terms, Acronyms, and Abbreviations


3.1 Introduction
Definition
Dual-Stack Lite (DS-Lite) is an IPv6 transition technology. With DS-Lite, an IPv4 in IPv6
tunnel is established between the CPE and CGN devices; the CPE encapsulates packets carrying
a private IPv4 address into the tunnel, and the CGN performs NAT on them, translating the
private IP address to a public network IPv4 address.

Purpose
IPv6 replacing IPv4 is a trend of network development. The transition from IPv4 to IPv6 is a
long process, and IPv4 networks will exist for a long time. Carriers therefore still need to
support IPv4 networks and endeavor to alleviate the consequences of IPv4 address exhaustion.

DS-Lite offers a solution to carriers using tunneling and NAT. User terminals using private
network IPv4 addresses can access public IPv4 networks through an IPv6 network between the
CPE and CGN devices.

Benefits
Benefits to carriers

l DS-Lite allows IPv6 networks to be set up to carry existing IPv4 services when the
number of available IPv4 addresses is insufficient.
l DS-Lite provides a technical plan for the transition from IPv4 to IPv6 and protects the
investment of carriers.

3.2 References
Document No.                              Document Name   Remarks
draft-ietf-software-dual-stack-lite-04t   DS-Lite         -

3.3 Principles

3.3.1 Basic DS-Lite Principle


The basic DS-Lite principle is shown in the following figure. An IPv4 in IPv6 tunnel is
established between the CPE and CGN devices; packets carrying the private IP address are
encapsulated into the tunnel, and the CGN performs NAT, translating the private IP address
to a public network IPv4 address.


Figure 3-1 Diagram for the basic DS-Lite principle

Packet translation process from a PC to the network:

1. An IPv4 host accesses the IPv4 network using its private IPv4 address as the source IP
address.
2. After receiving the IPv4 packet, the CPE adds an IPv6 header to the packet, producing an
IPv4 in IPv6 tunnel packet. The source address of the IPv6 header is the address of the
CPE, and the destination address is the address of the CGN.
3. After receiving the tunnel packet from the CPE, the CGN removes the tunnel header,
translates the source IP address of the IPv4 packet to a public source IP address using
NAT44, and sends the packet to the IPv4 public network.

Packet translation process from the network to a PC:

1. After receiving a packet from the network, the CGN performs NAT44 on the packet,
replaces the destination IP address with the private IP address, encapsulates the packet in
the tunnel, and sends it to the CPE.
2. After receiving the tunnel packet from the CGN, the CPE removes the tunnel header to
obtain the IPv4 packet, and sends the packet to the host.
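Outbound steps 2 and 3 carried out on raw bytes, as an added example that is not Huawei's or the draft's code. The CPE addresses 2001:db8::1 and 2001:db8::2, the CGN address 2001:db8::ffff, the destination 198.51.100.10 and the public port pool are constructed assumptions, and the packet builder leaves checksums at zero. The point it makes: because every CPE can hand out the same private range, the CGN's NAT44 entry has to be keyed on the tunnel's IPv6 source as well as the inner address and port, which is also what the return path needs to rebuild the tunnel header.

```python
# Added example, not Huawei's code; all addresses below are constructed.
import ipaddress
import struct

IPV6_NEXT_HEADER_IPV4 = 4   # next-header value marking an IPv4 payload
PUBLIC_IP = "69.1.1.1"      # constructed CGN public address

def build_ipv4_udp(src, dst, sport, dport):
    """Constructed IPv4+UDP packet (checksums left zero, not validated here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!HHHH", sport, dport, 8, 0)

def cpe_encapsulate(ipv4_packet, cpe_v6, cgn_v6):
    """Step 2: the CPE prepends an IPv6 header (source CPE, destination CGN)."""
    v6 = struct.pack("!IHBB16s16s", 0x60000000, len(ipv4_packet), IPV6_NEXT_HEADER_IPV4, 64,
                     ipaddress.IPv6Address(cpe_v6).packed, ipaddress.IPv6Address(cgn_v6).packed)
    return v6 + ipv4_packet

def cgn_decapsulate_and_nat(tunnel_packet, nat_table, port_pool):
    """Step 3: strip the tunnel header, then NAT44 the inner packet.
    The key includes the tunnel's IPv6 source: every CPE may hand out the same
    private IPv4 range, so only the IPv6 source makes a flow unique."""
    vtf, plen, nxt, _hop, src6, _dst6 = struct.unpack("!IHBB16s16s", tunnel_packet[:40])
    if vtf >> 28 != 6 or nxt != IPV6_NEXT_HEADER_IPV4:
        raise ValueError("not an IPv4-in-IPv6 tunnel packet")
    inner = tunnel_packet[40:40 + plen]
    src4 = str(ipaddress.IPv4Address(inner[12:16]))
    sport = struct.unpack("!H", inner[20:22])[0]
    key = (str(ipaddress.IPv6Address(src6)), src4, sport)
    if key not in nat_table:
        if not port_pool:
            raise RuntimeError("public port pool exhausted")  # failure mode to alarm on
        nat_table[key] = (PUBLIC_IP, port_pool.pop(0))
    pub_ip, pub_port = nat_table[key]
    # Rewrite the inner source IP and port; the IPv4 header length is unchanged.
    translated = (inner[:12] + ipaddress.IPv4Address(pub_ip).packed +
                  inner[16:20] + struct.pack("!H", pub_port) + inner[22:])
    return key, translated

def demo():
    table, pool = {}, [7007, 8008]
    pkt = build_ipv4_udp("192.168.1.1", "198.51.100.10", 5172, 53)
    k1, _ = cgn_decapsulate_and_nat(cpe_encapsulate(pkt, "2001:db8::1", "2001:db8::ffff"), table, pool)
    k2, out2 = cgn_decapsulate_and_nat(cpe_encapsulate(pkt, "2001:db8::2", "2001:db8::ffff"), table, pool)
    return table[k1], table[k2], out2[20:22]
```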

3.3.2 CPE Obtaining Tunnel Destination Address


In the distributed scenario, the Broadband Remote Access Server (BRAS) delivers the name of
the tunnel destination (the CGN) to the CPE device through DHCP or PPPoE, and the CPE device
resolves that name to the tunnel destination (CGN) address using DNS.

In the integrated scenario, the destination address of the tunnel can only be configured
manually on the CPE device.

3.4 Applications


3.4.1 DS-Lite Deployment


Like NAT444, DS-Lite can be deployed in distributed and integrated modes. For details about
DS-Lite deployment, see the NAT444 deployment chapter.

3.5 Terms, Acronyms, and Abbreviations


Abbreviations
Abbreviation   Full Name
NAT            Network Address Translation
ALG            Application Layer Gateway
CPE            Customer Premises Equipment
CGN            Carrier Grade NAT
DS-Lite        Dual-Stack Lite
