NPTV6 AND NAT64 FOR IPV6

ENVIRONMENT

Adrien Desportes (adesportes@juniper.net)

Juniper Systems Engineer
AGENDA

NPTv6: purpose and standardization status

NAT64: practical use case

2 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net

WHAT IS NPTV6?

One-to-one translation between inside and outside addresses

§  No attempt to conserve outside address space

Algorithmic translation
§  Overwrite high order bits

Stateless translation
Checksum neutral
No requirement for routing symmetry
By default, supports inbound connection requests

3 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net

MOTIVATION FOR NPTV6

NPTv6 provides addressing independence for single homed sites

NPTv6 provides addressing independence for multi-homed sites
without injecting provider independent addresses into the global
routing system and causing excessive routing table growth

Presentation prepared with the help & courtesy of Ron Bonica

author of draft-bonica-v6-multihome-02 that updates Section 2.4
of RFC 6296

4 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net

TOPOLOGY
PAB#1 PAB#2
Upstream Upstream
Provider #1 Provider #2
/ \ / \
/ \ / \
/ +------+ +------+ \
+------+ |Backup| |Backup| +------+
| PE | | PE | | PE | | PE |
CAB#2
| #1 | | #1 | | #2 | | #2 | (/127)
CAB#1
(/127) +------+ +------+ +------+ +------+
| |
| | CNB#2
(/64)
+------+ +------+
CNB#1
(/64) |NPTv6 | |NPTv6 |
| #1 | | #2 |
+------+ +------+ SAB
| | ULA…(/63)
| |
------------------------------------------------------
Internal Network

5 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net

SITE NUMBERING

Hosts numbered from the lower half of the SAB normally receive
inbound traffic from Upstream Provider #1
Hosts numbered from the higher half of the SAB normally receive
inbound traffic from Upstream Provider #2
Selected hosts can receive inbound traffic from both Upstream
Provider #1 and Upstream Provider #2
§  These hosts have multiple SAB addresses
§  At least one address is drawn from the lower half of the SAB
§  At lease one address is drawn from the higher half of the SAB

6 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net

TRANSLATION STATELESS 1:1 NAT
Same rules on both NPT devices

Inbound
•  If the 64 high-order bits of the destination address match the 64 high-order
bits of CNB #1, overwrite those bits with the 64 bits that identify the lower
half of the SAB
•  Same if 64 high-order bits match CNB#2
•  Else silently discard

Outbound
•  If the 64 high-order bits of the source address match the 64 bits that identify
the lower half of the SAB, overwrite those bits with the 64 high order bits of
CNB #1
•  Same if 64 high-order bits match higher half of SAB
•  Else silently discard

7 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net

 ROUTING
ASBR

ISP #1
Backup Backup
PE #1 ISP #2
PE #2
PE #1 PE #2
Outside
Outside Multi-hop Multi-hop
interface
interface EBGP EBGP
NPTv6
NPTv6
#2
#1
Multi-homed Site

Two default routes circulate within the

site (inside interface of NPTv6 #1 and
inside interface of NPTv6 #2)

8 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net

 ROUTING Advertise PAB#1
ASBR

iBGP
iBGP Advertise CNB#1
Next-hop self
Advertise CNB#1 Low Pref
ISP #1
Next-hop self
Backup Backup
High Pref ISP #2
PE #1 PE #2
PE #1 PE #2
Outside
Outside Multi-hop Multi-hop
interface
interface EBGP EBGP
NPTv6
NPTv6
#2
#1
Multi-homed Site

9 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net

 RECOVERY Advertise PAB#1
ASBR

iBGP Advertise CNB#1

Next-hop self
ISP #1 Low Pref
Backup ISP #2
PE #1
PE #1 Dyn GRE Tunnel PE #2
Outside
Outside
interface
interface
NPTv6
NPTv6
#2
#1
Multi-homed Site

10 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net

LOAD BALANCING

Outbound
§  Controlled by site
§  Traffic can exit through either NPTv6 gateway

Inbound: connections originating within site

§  Originating host selects one of its source addresses
§  Selected address determines path or return traffic

Inbound: connections originating outside of the site

§  Originating host selects one of the addresses advertised in DNS
§  Selected address determines traffic path

11 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net

CONCLUSION

Targets SME who want to achieve multi-homing with the following

architectural goals:

§  Redundancy
§  Transport-layer survivability
§  Load balancing
§  Address independence
§  Prevent excessive growth of global routing tables

12 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net

AGENDA

NPTv6: purpose and standardization status

NAT64: practical use case

13 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net

CLOUD TRANSLATOR ARCHITECTURE

IPv4 address of
www.example.com
IPv4
IPv6
IPv6 clients

www.example.com
DNS AAAA 2001:…

NAT 64

Translator

Cloud

14 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net

LAB TOPOLOGY – NAT64

ISP v6 Global Public Network

IPv6 IPv6
IPv6 IPv6/IPv4 IPv6/IPv4

2001:db8:0200:0002::/96
Host IPv6
DNS64
IPv6 IPv6 IPv6

2001:db8:0200:0001::/64 IPv6 IPv6

NAT64
10.2.1.0/24

IPv4 10.1.1.2/30 Web Content v4

IPv4

x.x.x.x

15 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net

 LAB TOPOLOGY – NAT64

ISP v6 Global Public Network

IPv6 IPv6
IPv6 IPv6/IPv4 IPv6/IPv4

2001:db8:0200:0002::/96
Host IPv6
DNS64
IPv6 IPv6 IPv6

2001:db8:0200:0001::/64 IPv6 IPv6

NAT64
10.2.1.0/24
{master}[edit interfaces]
lab@re0.lab-mx480.lab.boe# show ge-5/0/0.0
family inet;
IPv4 10.1.1.2/30 Web Content v4
family inet6 {
service {
input { IPv4
service-set NAT64_npu1 service-filter NAT64_only;
}
output {
service-set NAT64_npu1 service-filter NAT64_only; x.x.x.x
}
}
address 2001:db8:0200:0001::1/64;
}
16 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net
 LAB TOPOLOGY – NAT64

ISP v6 Global Public Network

IPv6 IPv6
IPv6 IPv6/IPv4 IPv6/IPv4

2001:db8:0200:0002::/96
Host IPv6
DNS64
IPv6 IPv6 IPv6

2001:db8:0200:0001::/64 IPv6 IPv6

{master}[edit services]
 

NAT64
  lab@re0.lab-mx480.lab.boe# show service-set NAT64_npu1
  syslog { 10.2.1.0/24
  host local {
  class { IPv4 10.1.1.2/30 Web Content v4
  nat-logs;
  }
  }
  } IPv4
  nat-rules NAT64_npu1;
  interface-service {
  service-interface sp-1/0/0.0; x.x.x.x
  }

  {master}[edit interfaces]
  lab@re0.lab-mx480.lab.boe# show sp-1/0/0.0
  family inet;
 
17 inet6;
family Copyright © 2011 Juniper Networks, Inc. | www.juniper.net
 LAB TOPOLOGY – NAT64

ISP v6 Global Public Network

IPv6 IPv6
IPv6 IPv6/IPv4 IPv6/IPv4
{master}[edit services nat]
lab@re0.lab-mx480.lab.boe# show
pool NAT64_npu1 { 2001:db8:0200:0002::/96
address-range low 10.2.1.1 high 10.2.1.250;
Host IPv6
port {
automatic; DNS64
} IPv6 IPv6 IPv6
}
rule NAT64_npu1 {
2001:db8:0200:0001::/64
match-direction input; IPv6 IPv6
term 1 {
from { NAT64
destination-address { 10.2.1.0/24
2001:db8:0200:0002::/96;
}
}
IPv4 10.1.1.2/30 Web Content v4
then {
translated {
source-pool NAT64_npu1; IPv4
destination-prefix 2001:db8:0200:0002::/96;
translation-type {
stateful-nat64;
} x.x.x.x
}
}
}
}
18 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net
LOG OPTIMIZATION TECHNIQUES

By default 2 logs are generated by v6 user accessing v4 through

NAT64

Optimization with the use of

§  PBA (one log per ports group)

§  Deterministic (no log at all)

§  XFF

19 Copyright © 2011 Juniper Networks, Inc. | www.juniper.net