Service Provider IPv6 Deployment

Salman Asadullah – Cisco Systems

Service Provider IPv6 DeploymentTXv6TF 2010 IPv6 SummitOctober 11-12, 2010

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 2

Prerequisites: Session Abstract� This session focuses on SP IPv6 deployment techniques which will help network designers/administrators understand IPv6 operation and implementation options for native IPv4 and MPLS Core environments. This session will also cover IPv6 integration techniques in SP Broadband Access Networks (xDSL, ETTH, Cable, Wireless), IPv6 Provisioning techniques and SP Advanced Services. This session will highlight IPv6 integration options available for end-to-end SP networks (i.e. Access, Core and Provisioning Systems).

� Attendee must have a solid foundation of IPv6 basics (Addressing, Routing), MPLS, Multicast, IPv4 Broadband Access networks and Provisioning.


Agenda

� SP IPv6 Integration Strategy� IPv6 in Core Networks and Deployment Models

Native IPv4 Environments MPLS Environments

� IPv6 in Access Networks and Deployment ModelsIPv4 Translation (NAT444)IPv6 IntegrationDOCSIS 3.0 IPv6 Reference ArchitectureIPv6 Provisioning

� Conclusion

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 4

SP IPv6 Integration Strategy


Internet-Enabled Devices2IPv4 Address Blocks Remaning1

The pool of IPv4 address blocks is dwindling rapidly

Today Sep 20110

25

Today 2015+5B

15B

While the number of new Internet devices is exploding

< 700 Days Remaining

1 – Geoff Huston, APNIC, www.potaroo.net, tracking /8 address-blocks managed by the Internet Assigned Numbers Authority2 – Cisco Visual Networking Index / Intel Embedded Internet Projections

The gap between supply and demand for IP addresses – the key Internet resource – is widening

The Growing Internet Challenge …


... and Internet EvolutionMoving to 3 IP Address Families: Public IPv4, Private IPv4, IPv6

PublicIPv4

PrivateIPv4IPv6

PublicIPv4

PrivateIPv4

2010 2012 2020+

Today v4 run out

Preserve IPv4

IPv4/IPv6 Coexistence Infrastructure

Services & Applications running over IPv6

IPv6 Internet


IPv6 in the SP: Drivers� External Drivers

SP customers that need access to IPv6 resources (for development or experimentation purposes)SP customers that need to interconnect their IPv6 sitesSP customers that need to interface with their own customers over IPv6 (ex: contractors for DoD)

� Internal DriversHandle some problems that are hard to fix with IPv4 (ex: managing large number of devices such as Cell phones, set-tops, IP cameras, sensors, etc.)

Public IPv4 address exhaustion (~2011/2012)Private IPv4 address exhaustion

� Strategic DriversLong term expansion plans and service offering strategiesPreparing for new services and gaining competitive advantage


IPv6 Integration and Co-Existence� Many ways to deliver IPv6 services to End Users, Most important is End to End IPv6 traffic forwarding as applications are located at the edge

� SPs may have different deployment needs and mechanisms but basic steps are common

IPv6 Addressing SchemeRouting Protocol(s)IPv6 Services - QoS, Multicast, DNS, …SecurityNetwork Management

� Resources are shared between the two protocols for both Control and Forwarding Plane. Evaluate processor utilization and memory needs

� Most vendors have good IPv6 HW forwarding performance


Today’s Network Infrastructure� SP Core Infrastructures – 2 Basic Paths

MPLS with its associated servicesMPLS/VPN, L2 services over MPLS, QoS, …

Native IPv4 core with associated servicesL2TPv3, QoS, Multicast, …

� IP Services Portfolio—AccessEnterprise: Leased linesHome Users/SOHO: ADSL, FTTH, DialData Center: Web hosting, servers, …

� Next step—The integration of IPv6 services


Service Provider: CORE


IPv6 Deployment Options — CORE� IPv6 in Native IPv4 Environments

Tunneling IPv6-in-IPv4Native IPv6 with Dedicated ResourcesDual-Stack IPv4 and IPv6

� IPv6 in MPLS Environments6PE6VPE


IPv6 in Native IPv4 Environments


IPv4 SP BB

Tunnelling IPv6 in IPv4

� Tunnelling OptionsManual Tunnels (RFC 2893), GRE Tunnels (RFC 2473), L2TPv3, …

� SP ScenariosConfigured Tunnels in Core Configured Tunnels or Native IPv6 to IPv6 Enterprise’s CustomersMP-BGP4 Peering with other IPv6 usersConnection to an IPv6 IX

IPv6 Site A

IPv6 Site B

IPv6 SP

IPv6 IX

U N I V E R S I T YU N I V E R S I T Y


Native IPv6 over Dedicated Data Link

� ISP ScenarioDedicated Data Links between Core routersDedicated Data Links to IPv6 CustomersConnection to an IPv6 IX

IPv6IPv4

Service Provider ATM Backbone with

IPv4 and IPv6 Services

IPv6 IXInternet

CampusIPv4 and IPv6 VLANs


Dual-Stack IPv4 and IPv6

� IPv6 transit services� IPv6 enabled on Core routers� Enterprise and consumer IPv6 access

802.11 Hot-Spot

Dual-Stack CoreIPv6 Broadband Users

DSL, Cable, FTTH, etc.

Aggregation

RelayCourtesy Service

EnterpriseDual-Stack orDedicated L2 Circuits



IPv6 over MPLS� Many ways to deliver IPv6 services to end users

Most important is end-to-end IPv6 traffic forwarding � Many service providers have already deployed MPLS in their IPv4 backbone for various reasons

� MPLS can be used to facilitate IPv6 integration� Multiple approaches for IPv6 over MPLS:

IPv6 over L2TPv3IPv6 over EoMPLS/AToMIPv6 CE-to-CE IPv6 over IPv4 tunnelsIPv6 Provider Edge Router (6PE) over MPLSIPv6 VPN Provider Edge (6VPE) over MPLSNative IPv6 MPLS


6PE Overview


v4

v6 v6

CE

CE

6PE

6PE 6PE

6PE

192.254.10.0

2001:CAFE::

2003:1::

192.76.10.0

145.95.0.0

2001:F00D::

2001:DB8::

Dual Stack IPv4-IPv6 RoutersDual Stack IPv4-IPv6 Routersv6

v4

v4

v6

CE

IPv6 Provider Edge Router (6PE) over MPLS

� IPv6 global connectivity over and IPv4-MPLS core� Transitioning mechanism for providing unicast IP� PEs are updated to support dual stack/6PE � IPv6 reachability exchanged among 6PEs via iBGP (MBGP)� IPv6 packets transported from 6PE to 6PE inside MPLS

iBGP (MBGP) Sessions

IPv4MPLS

P P

P P


6PE-1

6PE Routing/Label Distribution

6PE-2P1 P2

2001:F00D::2001:DB8::

200.10.10.1

200.11.11.1

IGPv4 Advertises Reachability of 200.10.10.1

IGPv6 or MP-BGP Advertising 2001:F00D::

IGPv6 or MP-BGP Advertising 2001:F00D::

6PE-2 Sends MP-iBGP Advertisement to 6PE-1 Which Says:2001:F00D:: Is Reachable Via BGP Next Hop = 200.10.10.1 (6PE-2)Bind BGP Label to 2001:F00D:: (*)IPv6 Next Hop Is an IPv4 Mapped IPv6 Address Built from 200.10.10.1

LDPv4 Binds Label to 200.10.10.1

LDPv4 Binds Label to 200.10.10.1

LDPv4 Binds Implicit-Null (i.e.

Pop) to 200.10.10.1


6PE-1

6PE-2

IPv6 Forwarding and Label Imposition:� 6PE-1 receives an IPv6 packet� Lookup is done on IPv6 prefix� Result is:

Label binded by MP-BGP to 2001:F00D::Label1 binded by LDP/IGPv4 to the IPv4 address of BGP next hop (6PE-2)

6PE Forwarding (6PE-1)

2001:F00D::2001:DB8::

LDP/v4 Label1 to 6PE-2

MP-BGP Label

IPv6 Packet

P1 P2

IPv6 Packetto 2001:F00D::1


6PE-2

2001:F00D::2001:DB8::

P1 P2

LDP/v4 Label2 to

6PE-2MP-BGP

Label IPv6 Packet

6PE Forwarding (P1)

6PE-1

IPv6-UNaware MPLS Label Switching:� P1 receives an MPLS packet� Lookup is done on Label1� Result is Label2


6PE-2

2001:F00D::2001:DB8::

P1 P2

6PE-1

MP-BGP Label

IPv6 Packet

6PE Forwarding (P2)

IPv6-UNaware MPLS Label Switching:�P2 receives an MPLS packet� Lookup is done on Label2�Result includes Pop label (PHP), if used


6PE-2

2001:F00D::2001:DB8::

P1 P2

6PE-1

6PE Forwarding (6PE-2)� MPLS label forwarding:� 6PE-2 receives an MPLS packet� Lookup is done on label� Result is:

Pop label and do IPv6 lookup on v6 destination


6PE-1 Configuration

200.10.10.1 Is the Remote 6PE2001:DB8:1::1 Is the Local CE

ipv6 cef!mpls label protocol ldp!router bgp 100no synchronizationno bgp default ipv4 unicastneighbor 2001:DB8:1::1 remote-as 65014neighbor 200.10.10.1 remote-as 100neighbor 200.10.10.1 update-source Loopback0!address-family ipv6neighbor 200.10.10.1 activateneighbor 200.10.10.1 send-labelneighbor 2001:DB8:1::1 activateredistribute connectedno synchronizationexit-address-family

6PE-1

2001:DB8::

6PE-2

iBGP Session

Send Labels Along with IPv6 Prefixes by Means ofMP-BGP Note: Will Cause Session to Flap


6PE Show Output

6PE-1#show ipv6 routeB 2001:F00D::/64 [200/0]

via ::FFFF:200.10.10.1, IPv6-mpls

6PE-1#show ipv6 cef internal #hidden command.. OUTPUT TRUNCATED .. 2001:F00D::/64,

nexthop ::FFFF:200.10.10.1fast tag rewrite with F0/1, 10.12.0.1, tags imposed {17 28}

6PE-1#show ip route 200.10.10.1 Routing entry for 200.10.10.1/32Known via "isis", distance 115, metric 20, type level-2

[snip]* 10.12.0.1, from 200.10.10.1, via FastEthernet1/0Route metric is 20, traffic share count is 1

Other Useful Output:show bgp ipv6 neighborsshow bgp ipv6 unicastshow mpls forwarding #more on this later


6PE Benefits/Drawbacks� Core network (Ps) untouched (no HW/SW upgrade, no configuration change)

� IPv6 traffic inherits MPLS benefits (wire-rate, fast re-route, TE, etc.)

� Incremental deployment possible (i.e., only upgrade the PE routers which have to provide IPv6 connectivity)

� Each site can be v4-only, v4VPN-only, v4+v6, v4VPN+v6

� P routers won’t be able to send ICMPv6 messages (TTL expired, traceroute)

� Cisco 6PE Documentation/Presentations:http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_data_sheet09186a008052edd3.html


6VPE Deployment

� 6VPE ~ IPv6 + BGP-MPLS IPv4VPN + 6PE

� Cisco 6VPE is an implementation of RFC4659

� VPNv6 address:Address including the 64 bits route distinguisher and the 128 bits IPv6 address

� MP-BGP VPNv6 address-family:AFI “IPv6” (2), SAFI “VPN” (128)

� VPN IPv6 MP_REACH_NLRIWith VPNv6 next-hop (192bits) and NLRI in the form of <length, IPv6-prefix, label>

� Encoding of the BGP next-hop

VPN YELLOW

VPN YELLOW

VPN BLUE

v4 and v6 VPNVPN BLUE

v6 Only

v6 Only

v4 and v6 VPN

VPN YELLOW

VPN BLUE

v6 Only

v4 and v6 VPN

MPLS VPNs

P P

P P

iBGP (MBGP) Sessions

6VPE

6VPE

6VPE

6VPE


6VPE Example DesignAddressing/Routing

PE2

PE1

P1 P2

Lo0- 192.168.2.1CE1-BLUE

172.16.1.1172.16.1.2

IPv42001:DB8:CAFE:1::1

1::2IPv6

Lo0- 192.168.3.1 Lo0- 192.168.4.1 Lo0- 192.168.5.1

10.1.1.0/242001:DB8:BEEF:1::/64

10.1.2.0/242001:DB8:BEEF:2::/64

192.168.1.1-192.168.1.2IPv4

192.168.1.5 - 192.168.1.6IPv4

192.168.1.9 - 192.168.1.10IPv4

172.16.3.2172.16.3.1

IPv42001:DB8:CAFE:3::2

3::1IPv6

CE2-BLUE

MP-iBGP Session

EnterpriseIGP

EnterpriseIGP

MP-eBGPMP-eBGP


6VPE Configuration ExampleCE1-BLUE to PE1

router bgp 500bgp log-neighbor-changesno bgp default ipv4 unicastneighbor 2001:DB8:CAFE:1::2 remote-as 100neighbor 172.16.1.2 remote-as 100!address-family ipv4redistribute connectedredistribute eigrp 100neighbor 172.16.1.2 activateno auto-summaryno synchronizationexit-address-family!address-family ipv6neighbor 2001:DB8:CAFE:1::2 activateredistribute connectedredistribute rip BLUEno synchronizationexit-address-family

!ipv6 router rip BLUEredistribute bgp 500

PE1CE1-BLUE

10.1.1.0/242001:DB8:BEEF:1::/64Enterprise

IGP

ipv6 unicast-routingipv6 cef!interface Ethernet0/0description to PE1ip address 172.16.1.1 255.255.255.0ipv6 address 2001:DB8:CAFE:1::1/64

!interface Ethernet1/0description to BLUE LANip address 10.1.1.1 255.255.255.0ipv6 address 2001:DB8:BEEF:1::1/64ipv6 rip BLUE enable


6VPE Configuration ExamplePE1 Connections

� Standard MPLS configuration between PE-P

� Running IGP in the cloud (OSPF)

ipv6 unicast-routingipv6 cefmpls ldp router-id Loopback0!interface Loopback0ip address 192.168.2.1 255.255.255.255

!interface Ethernet0/0description to CE1-BLUEvrf forwarding BLUEip address 172.16.1.2 255.255.255.0ipv6 address 2001:DB8:CAFE:1::2/64

!interface Ethernet2/0description to P1ip address 192.168.1.1 255.255.255.252mpls ip

!router ospf 1log-adjacency-changesredistribute connected subnetspassive-interface Loopback0network 192.168.1.0 0.0.0.255 area 0

PE1

P1

CE1-BLUE


6VPE Configuration ExamplePE1 VRF Definitions

� Migration commands available for VPNv4 to multi-protocol VRF(config)#vrf upgrade-cli multi-af-mode {common-policies | non-common-policies} [vrf <name>]

� This command forces migration from old CLI for IPv4 VRF to new VRF multi-AF CLI

vrf definition BLUErd 200:1!route-target export 200:1route-target import 200:1! address-family ipv4exit-address-family!address-family ipv6exit-address-family

CE1-BLUEVRF

BLUE(RD - 200:1)

PE1/PE2 Will HoldCE1 RoutesCE2 Routes

VRF BLUE

CE1-BLUE

PE1


6VPE Configuration ExamplePE1 BGP Setup

PE2192.168.5.1

MP-iBGPSession

PE1

CE1-BLUE172.16.1.1CAFE:1::1

VRF BLUE

MP-eBGP

address-family vpnv6neighbor 192.168.5.1 activateneighbor 192.168.5.1 send-community

extendedexit-address-family

!address-family ipv4 vrf BLUEredistribute connectedneighbor 172.16.1.1 remote-as 500neighbor 172.16.1.1 activateno auto-summaryno synchronizationexit-address-family!address-family ipv6 vrf BLUEneighbor 2001:DB8:CAFE:1::1 remote-as

500neighbor 2001:DB8:CAFE:1::1 activateredistribute connectedno synchronizationexit-address-family

router bgp 100bgp log-neighbor-changesneighbor 192.168.5.1 remote-as 100neighbor 192.168.5.1 update-source

Loopback0!address-family ipv4neighbor 192.168.5.1 activateno auto-summaryno synchronizationexit-address-family!address-family vpnv4neighbor 192.168.5.1 activateneighbor 192.168.5.1 send-community

extendedexit-address-family


6VPE Configuration ExampleP Connections

mpls ldp router-id Loopback0!interface Loopback0ip address 192.168.3.1 255.255.255.255

!interface Ethernet0/0description to PE1ip address 192.168.1.2 255.255.255.252mpls ip



P1 P2

mpls ldp router-id Loopback0!interface Loopback0ip address 192.168.4.1 255.255.255.255


!interface Ethernet1/0description to PE2ip address 192.168.1.9 255.255.255.252mpls ip



MP-iBGP Tunnel

PE1 PE2CE2-BLUE

VRF BLUE

CE1-BLUE

VRF BLUE

Default TableBEEF:1::/649999::/64


Routing Table BLUE

IPv6 Routing TablesCE1-CE2

Routing Table BLUE

ce1-blue#show ipv6 routeC 2001:DB8:BEEF:1::/64 [0/0]

via Ethernet1/0, directly connectedL 2001:DB8:BEEF:1::1/128 [0/0]

via Ethernet1/0, receiveB 2001:DB8:BEEF:2::/64 [20/0]

via FE80::A8BB:CCFF:FE01:F600, Ethernet0/0C 2001:DB8:CAFE:1::/64 [0/0]

via Ethernet0/0, directly connectedL 2001:DB8:CAFE:1::1/128 [0/0]

via Ethernet0/0, receiveB 2001:DB8:CAFE:3::/64 [20/0]

via FE80::A8BB:CCFF:FE01:F600, Ethernet0/0B 8888::/64 [20/0]

via FE80::A8BB:CCFF:FE01:F600, Ethernet0/0R 9999::/64 [120/2]

via FE80::A8BB:CCFF:FE01:9000, Ethernet1/0L FF00::/8 [0/0]

via Null0, receive

ce2-blue#show ipv6 routeB 2001:DB8:BEEF:1::/64 [20/0]

via FE80::A8BB:CCFF:FE01:F901, Ethernet0/0C 2001:DB8:BEEF:2::/64 [0/0]

via Ethernet1/0, directly connectedL 2001:DB8:BEEF:2::1/128 [0/0]


via FE80::A8BB:CCFF:FE01:F901, Ethernet0/0C 2001:DB8:CAFE:3::/64 [0/0]


via Ethernet0/0, receiveR 8888::/64 [120/2]

via FE80::A8BB:CCFF:FE02:5800, Ethernet1/0B 9999::/64 [20/0]

via FE80::A8BB:CCFF:FE01:F901, Ethernet0/0L FF00::/8 [0/0]

via Null0, receive

BGP Table


MP-iBGP Tunnel

PE1 PE2CE2-BLUE

VRF BLUE

CE1-BLUE

VRF BLUE



Routing Table BLUE

Routing Table BLUE

BGP Table

IPv6 Routing TablesPE1-PE2

pe1#show ipv6 route vrf BLUEB 2001:DB8:BEEF:1::/64 [20/0]

via FE80::A8BB:CCFF:FE01:F400, Ethernet0/0B 2001:DB8:BEEF:2::/64 [200/0]

via 192.168.5.1%Default-IP-Routing-Table, indirectly connectedC 2001:DB8:CAFE:1::/64 [0/0]



via 192.168.5.1%Default-IP-Routing-Table, indirectly connectedB 8888::/64 [200/2]

via 192.168.5.1%Default-IP-Routing-Table, indirectly connectedB 9999::/64 [20/2]

via FE80::A8BB:CCFF:FE01:F400, Ethernet0/0L FF00::/8 [0/0]

via Null0, receive

pe2#show ipv6 route vrf BLUEB 2001:DB8:BEEF:1::/64 [200/0]

via 192.168.2.1%Default-IP-Routing-Table, indirectly connectedB 2001:DB8:BEEF:2::/64 [20/0]

via FE80::A8BB:CCFF:FE01:FA00, Ethernet1/0B 2001:DB8:CAFE:1::/64 [200/0]

via 192.168.2.1%Default-IP-Routing-Table, indirectly connectedC 2001:DB8:CAFE:3::/64 [0/0]


via Ethernet1/0, receiveB 8888::/64 [20/2]

via FE80::A8BB:CCFF:FE01:FA00, Ethernet1/0B 9999::/64 [200/2]

via 192.168.2.1%Default-IP-Routing-Table, indirectly connectedL FF00::/8 [0/0]

via Null0, receive


PE1 PE2CE2-BLUE

VRF BLUE

CE1-BLUE

VRF BLUE



Routing Table BLUE

Routing Table BLUE

BGP Table

IPv6 Routing TablesPE1 BGP Next-Hop

IPv4-MappedIPv6 Address(IPv4-Based LSP Setup)

pe1#show bgp vpnv6 unicast all #OUTPUT SHORTENED FOR CLARITYNetwork Next Hop Metric LocPrf Weight PathRoute Distinguisher: 200:1 (default for vrf BLUE)*> 2001:DB8:BEEF:1::/64

2001:DB8:CAFE:1::1 0 0 500 ?

*>i2001:DB8:BEEF:2::/64::FFFF:192.168.5.1

0 100 0 506 ?*>i2001:DB8:CAFE:3::/64

::FFFF:192.168.5.10 100 0 ?

*>i8888::/64 ::FFFF:192.168.5.12 100 0 506 ?

*> 9999::/64 2001:DB8:CAFE:1::12 0 500 ?

MP-iBGP Tunnel


MP-iBGP Tunnel

PE1

MPLS ForwardingPE1

PE2CE2-BLUE

VRF BLUE

CE1-BLUE

VRF BLUE


pe1#show mpls forwardingLocal Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 16 Pop Label 192.168.1.4/30 0 Et2/0 192.168.1.2 17 16 192.168.1.8/30 0 Et2/0 192.168.1.2 18 Pop Label 192.168.3.1/32 0 Et2/0 192.168.1.2 19 18 192.168.4.1/32 0 Et2/0 192.168.1.2 20 19 192.168.5.1/32 0 Et2/0 192.168.1.2 21 No Label 10.1.1.0/24[V] 0 Et0/0 172.16.1.1 22 Aggregate 172.16.1.0/24[V] 570 BLUE 25 No Label 2001:DB8:BEEF:1::/64[V] \

570 Et0/0 FE80::A8BB:CCFF:FE01:F40026 Aggregate 2001:DB8:CAFE:1::/64[V] \

35456 BLUE 27 No Label 9999::/64[V] 570 Et0/0 FE80::A8BB:CCFF:FE01:F400


A Look at Forwarding

PE2

PE1

P1 P2

Lo0-192.168.2.1

CE1-BLUE Lo0-192.168.3.1 Lo0-192.168.4.1 Lo0-192.168.5.1

192.168.1.1-192.168.1.2IPv4 192.168.1.5-192.168.1.6

IPv4192.168.1.9-192.168.1.10

IPv4

CE2-BLUE

2001:DB8:BEEF:1::1

pe1#show mpls forwardingLocal Outgoing Prefix Outgoing Next Hop Label Label interface 25 No Label 2001:DB8:BEEF:1::/64 Et0/0 FE80::A8BB:CCFF:FE01:F400

p2#show mpls forwardingLocal Outgoing Prefix Outgoing Next Hop Label Label interface18 17 192.168.2.1/32 Et0/0 192.168.1.5pe2#sh ipv6 cef vrf BLUE2001:DB8:BEEF:1::/64nexthop 192.168.1.9 Ethernet0/0 label 18 25

p1#show mpls forwardingLocal Outgoing Prefix Outgoing Next Hop Label Label interface17 Pop Label 192.168.2.1/32 Et0/0 192.168.1.1


6VPE Summary� RFC4659: BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN

� 6VPE simply adds IPv6 support to current IPv4 MPLS VPN offering

� For end-users: v6-VPN is same as v4-VPN services (QoS, hub and spoke, internet access, etc.)

� For operators: Same configuration operation for v4 and v6 VPNNo upgrade of IPv4/MPLS core (IPv6 unaware)

� Cisco 6VPE Documentation:http://www.cisco.com/en/US/docs/net_mgmt/ip_solution_center/5.2/mpls_vpn/user/guide/ipv6.html


Service Provider: Access


IPv6 Deployment Options – ACCESS� IPv6 in IPv4 Access Environments

IPv4 Translation (NAT444)IPv6 Integration

Dual-Stack IPv4 and IPv6Dual-Stack with TunnelingIPv6-Only to IPv4-Only Translation

IPv6 ProvisioningDOCSIS 3.0 IPv6 Reference Architecture


Cisco IOS IPv6 Broadband Access Solutions

VideoIPv6 Multicast

DistributedComputing (GRID)

Enterprise

Internet

ISP APSTN

Dial

DSLAMDSL

802.11

AccessEthernet

DOCSIS 3.0Cable

Mobile RAN

NAS

BAS

Head-End

ATM RFC 1483 Routed or Bridged (RBE)PPP, PPPoA, PPPoE, Cable, CGNv6, 6rd, ds-lite, etc.

Dual-Stack or MPLS (6PE/6VPE) Core IPv4/IPv6

IPv4/IPv6Firewall

PIX®, Cisco IOS® FW

IPv6 Prefix PoolsIPv6 RADIUS(Cisco VSA and RFC 3162)DHCPv6 Prefix DelegationStateless DHCPv6DHCPv6 RelayGeneric Prefix

SiSi

Layer 2 Encapsulations


IPv4 Translation (NAT444)


Public IPv4 Exhaustion with NAT444 Solution

� When Subscriber uses NAT44 (i.e. IPv4 NAT) in addition to the SP using CGN with NAT44 within its network

� CGN NAT44 multiplexes several customers onto the same public IPv4 address� CGN performance and capabilities should be analyzed in planning phase� Short-term solution to public IPv4 exhaustion issues without any changes on RG and SP

Access/Aggregation/Edge infrastructure� Long-term solution is to have IPv6 deployed

Core Edge AggregationAccess IP/MPLS

Residential

Private IPv4 (SP Assigned domain)Private IPv4 (Subs.) Public IPv4

NAT44 CGN NAT44

NAT44


Dual-Stack IPv4 and IPv6


Core Edge AggregationAccess

PPP Model (WT-187)Dual PPP Session with Dual-stack IPv4/IPv6

IP/MPLS

Residential

� Native Dual-Stack IPv4/IPv6 service on RG LAN side� NO changes in existing Access/Aggregation Infrastructure� One PPP session per Address Family (IPv4 or IPv6)

• As an option IPv6 PPP session from Host and bridged (PPPoE) on RG• Double amount of selected BNG resources (states, Subscriber plane, memory)

� IPCPv6 for Link-Local address� SLAAC or DHCPv6 for Global address

IP v 4oP P P

I P v 4 o P P P

IP v 6oP P P

I P v 6 o P P PBNG


PPP Model (WT-187)Single PPP Session with Dual-Stack IPv4/IPv6

� Native Dual-Stack IPv4/IPv6 service on RG LAN side� NO changes in existing Access/Aggregation Infrastructure� Dual-stack IPv6 and IPv4 supported over a shared PPP session with IPv4 and

IPv6 NCPs running as ships in the night.• Limited impact on PPP control plane• Limited impact on BNG data plane

� IPCPv6 for Link-Local address� SLAAC or DHCPv6 for Global address


Residential

IP v 4| v 6oP P P

I P v 4 | v 6 o P P PBNG


IPv6oE Model (WT-177)IPv6 over Ethernet with 1:1 VLAN

� IPv6oE with 1:1 VLANs vs PPPoE - What’s different? � Line-identifier used for 1:1 VLAN mapping= (S-TAG, C-TAG)� At L2 IPv6oE with 1:1 VLANs does resemble PPPoE

• Effectively point-point broadcast domain does not require any special L2 forwarding constraints on Access Node• SLAAC and Router Discovery work the same

� However 1:1 VLANs and IPoE do require some extra BNG functionality• Neighbour Discovery needs to be run (along with some security limits)

Customer 1

BNG

802.1Q,802.1ad

Access Node

Customer 21:1 VLANs


IPv6oE Model (WT-177)IPv6 over Ethernet with N:1 VLAN

Customer 1

BNG

802.1Q,

Access Node

Customer 2 N:1 VLANs

� Requires changes in existing Access Node • Security requirements: IPv6 anti-spoofing, RA snooping, DHCPv6 snooping (etc.)• Multicast requirements: MLDv2, MLDv2 snooping

� Subscriber line identification• VLAN no longer provides a unique subscriber line identifier• Lightweight DHCP Relay Agent on the Access Node to convey subscriber line-identifier

� N:1 challenges due to NBMA nature• Risk of duplicate LL address if shared IPv6 subnet between RGW and BNG (proxy DAD)



Residential

� Dual-Stack IPv4/IPv6 service on RG LAN side� PPPoE or IPv4oE Termination on IPv4-only BNG� L2TPv2 softwire between RG and IPv6-dedicated LNS� Stateful architecture on LNS, offers dynamic control and granular accounting of IPv6 traffic� Limited investment & impact on existing infrastructure

IPv4oPPPoE or IPv4oEIPv6oPPPoL2TPv2

IPv6 over TunnelIPv6 over L2TP softwire

IPv4 BNG IPv6 LNS


� Introduction of two Components: 6rd CE (Customer Edge) and 6rd BR (Border Relay)� Automatic Prefix Delegation on 6rd CE� Simple, stateless, automatic IPv6-in-IPv4 encap and decap functions on 6rd (CE & BR)� IPv6 traffic automatically follows IPv4 Routing� 6rd BRs addressed with IPv4 anycast for load-balancing and resiliency� Limited investment & impact on existing infrastructure� draft-ietf-softwire-ipv6-6rd-10.txt (RFC Soon)


Residential

IPv6 over TunnelIPv6 over IPv4 via 6rd (RFCXXX)

6rd BR

6rd BR

6rd CE

6rd CE

IPv4/v6 IPv4/v6IPv4


3 Key Components of 6rd� IPv6 Prefix Delegation Derived from IPv4

• No need for DHCPv6 on 6rd CE WAN interface• No need for DHCPv6 server in the network• Supports Global IPv4 or NATed IPv4 in same deployment

� Stateless Mapping and Encapsulation of IPv6 over IPv4 (RFC4213)

• IPv4 encapsulation automatically determined from each packet’s IPv6 destination

• No per-subscriber tunnel state or provisioning, hence single dimension scaling (data-plane) on 6rd BR

� IPv4 Anycast to Reach BR• Simplify network 6rd BR placement, load-balancing and/or

redundancy across multiple 6rd BRs


IPv4 via IPv6 using Dual-Stack Lite (w/NAT44)

� Access, Aggregation, Edge and Core migrated to IPv6. NMS/OSS and network services migrated to IPv6 as well (DNS, DHCP)

� IPv4 Internet service still available and overlaid on top of IPv6-only network.� Introduction of two Components: B4 and AFTR (Address Family Translation Router)

– B4 typically sits in the RG– AFTR is located in the Core infrastructure

� Assumption: IPv4 has been phased out, IPv6 only Access/aggregation network


Residential

IPv6IPv4/v6

B4

B4

AFTR


IPv6-Only to IPv4-Only Translation


Connecting IPv4-only with IPv6-only: AFT64

� AFT64 technology is only applicable in case where there are IPv6 only end-points that need to talk to IPv4 only end-points (AFT64 for going from IPv6 to IPv4)

� AFT64:= “stateful v6 to v4 translation” or “stateless translation”, ALG still required� Key components includes NAT64 and DNS64� Assumption: Network infrastructure and services have fully transitioned to IPv6 and IPv4

has been phased out


Residential

IPv6 ONLY connectivity

NAT64

IPv4 ONLY

DNS64

Public IPv4 Internet

IPv4 Datacenter


DOCSIS 3.0 IPv6 Reference Architecture


Drivers for IPv6 in Cable� Use IPv6 for managing large number of devices

Exponential growth in number of IP devices connected to CMTSCable MSOs in the US would like to use IPv6 to manage CM/MTACurrently RFC1918 addresses assigned to CM for management

� RFC 1918 provides 16 million 10.net addresses, plus: 1M addresses under 172.16.0.0/1265K addresses under 192.168/16

� Moreover, address utilization efficiency for large numbers decreases with topology hierarchies*

6.5M addresses for 4M CMsOnly 61.5% efficient use Density of only 9.8M CMs exhausts all 16M RFC1918 addresses

*See HD Ratio, RFC1715 and RFC3194


CableLabs IPv6 Decision and Approach� CableLabs put IPv6 in consideration for DOCSIS 3.0

Cisco responded with proposal for IPv6 architecture and featuresIPv6 identified as one of top three ranked order priorities by MSOs

� Decision: DOCSIS 3.x MUST fully support IPv6Cisco primary author for DOCSIS 3.0 IPv6 and enhanced IPv4/v6 Multicast specifications

� RationaleIncreased address space for CM managementNew CPE services

� Proposed phasesPhase 1—CM hardware impacting features, CM provisioning and management over IPv6, embedded IPv6 router in CMPhase 2—remaining IPv6 features for CPE services, for example IPv6 CPE provisioning and IPv6 service support


Management Prefix: 2001:DB8:FFFF:0::/64Service Prefix: 2001:DB8:FFFE:0::/64Customer 2 Prefix: 2001:DB8:2::/48Customer 3 Prefix: 2001:DB8:3::/48

HFC Link; Assigned 2001:DB8:FFFF:0::/64 (Mgmt) and 2001:DB8:FFFE:0::/64 (Serv)Customer 2 Premises Link; Assigned 2001:DB8:2:0::/64Customer 3 Premises Link; Assigned 2001:DB8:3:0::/64

To InternetCMTS

RouterCM2Bridge

Access Model 1

Access Model 2

Access Model 3

CPE1

CPE2

CPE3

CPERouter

eRouter

MSO Admin DomainCustomer Admin DomainServers• DHCP, DNS• TFTP• TOD• Management

CM1Bridge

IPv6 Deployment Models for DOCSIS 3.0

HFC CORE

HOME/ SMB

HOME/ SMB

Routers Span Customer and MSO Administrative Domains


Provisioning in IPv6 Access Environments


DHCPv6 Overview� Operational model based on DHCPv4� Details are different

Client uses link-local address for message exchangesServer can assign multiple addresses per client through identityassociationsClients and servers identified by DUIDAddress assignmentPrefix delegationMessage exchanges similar, but will require new protocol engineServer-initiated configuration, authentication part of the base specificationExtensible option mechanismRelay-agents

� Allows both statefull and stateless configuration� RFC 3315 (DHCPv6)

Additional options:DNS configuration—RFC 3646Prefix delegation—RFC 3633NTP serversStateless DHCP for IPv6—RFC 3736


DHCPv6 OperationClient Server

Relay-Replyw/Advertise

Request

Relay-Reply w/Reply

Relay

Advertise

Relay-Fwd w/SolicitSolicit

Reply

Relay-Fwd w/Request

� All_DHCP_Relay_Agents_and_Servers (FF02::1:2) � All_DHCP_Servers (FF05::1:3)� DHCP Messages: Clients listen UDP port 546. Servers and relay agents listen on UDP port 547


DHCPv6 PD: RFC 3633� Media independence

xDSL, FTTH, …Only knows identity of requesting router

� Leases for prefixes� Flexible deployments

Client/relay/server model� Requesting router includes

request for prefixes in DHCP configuration request

� Delegating router assigns prefixes in response along with other DHCP configuration information

ADSL

FTTHDHCPv6 Server(s)

DHCPv6 Client

DHCPv6 Relay

/48

/64


Router Advertisement

Stateless (RFC2462)RS Are Sent by Booting Nodes to Request RAs for Configuring the Interfaces; Host Autonomously Configures Its Own Link-Local Address

Source of RA

User of RA

A Bit M/O BitsA Operation M/O Operation

PE CPEE1 0 Don’t Do Stateless

Address Assignment 11 Use Dhcpv6 for Address + Other Config. (i.e., Stateful Dhcpv6)

CPE Router Host 1 Do Stateless Address

Assignment 01 Use Dhcpv6 for Other Config. (i.e., Stateless Dhcpv6)

CPE Host

ISP Provisioning SystemDHCP Client DHCP Server

E0E1PE

ISP


Prefix/Options Assignment

DHCP ND/DHCPAAA

1. CPE Sends DHCP Solicit with ORO = PD

2. PE Sends RADIUS Request for the User

3. RADIUS Responds with User’s Prefix(es)

4. PE Sends DHCP REPLY with Prefix Delegation Options

5. CPE Configures Addresses from The Prefix on Its Downstream Interfaces, and Sends an RA. O-bit Is Set to On

6. Host Configures Addresses Based on the Prefixes Received in the RA. As the O-bit Is on, It Sends a DHCP Information-request Message, with an ORO = DNS7. CPE Sends a DHCP REPLY

Containing Request Options

Host

ISP Provisioning System

E0E1PE

ISP

DHCP Client DHCP Server

CPE


PE Configuration!hostname PE_Router!interface GigabitEthernet3/1ipv6 address 2001:420:3800:800:0:1:0:1/96ipv6 enableipv6 nd ra-interval 5ipv6 nd prefix default no-advertiseipv6 nd managed-config-flagipv6 nd other-config-flagipv6 rip PE_Router enableipv6 mld static-group FF0E:0:0:1::1000ipv6 dhcp relay destination 2001:420:8:1:5::2 GigabitEthernet0/1!interface GigabitEthernet0/1ip address 10.89.240.235 255.255.255.248ip pim sparse-modenegotiation autoipv6 address 2001:420:3800:800::12/124ipv6 enableipv6 router isisipv6 mld static-group FF0E:0:0:1::1000hold-queue 2048 in!

ISP Provisioning System

PEISP GigE3/1


CPE Router Configurationip dhcp pool CPEv4network 192.168.51.0 255.255.255.0dns-server 80.10.0.1 domain-name cisco.comdefault-router 80.10.0.1!ip multicast-routing ipv6 unicast-routingipv6 dhcp pool v6transfer-pooldns-server 2001:420:3800:801:A00:20FF:FEE5:63E3domain-name v6.cisco.com!interface Ethernet0ip address 192.168.51.1 255.255.255.0ip pim sparse-modeip virtual-reassemblyload-interval 30ipv6 address v6Prefix 0:0:0:1::/64 eui-64ipv6 enableipv6 nd other-config-flagipv6 nd ra interval 5ipv6 dhcp server v6transfer-poolhold-queue 2048 out

interface Ethernet1ip pim sparse-modeip virtual-reassemblyload-interval 30ipv6 address autoconfig defaultipv6 enableipv6 nd ra suppressipv6 dhcp client pd v6Prefixipv6 rip RIP enableno keepalivehold-queue 2048 in!ip pim rp-address 10.89.240.226!ipv6 router rip RIPredistribute connected

HostE0E1

DHCP Client DHCP Server

CPE


IPv6 Provisioning Tools


AAA/RADIUS� RADIUS attributes and IPv6 (RFC3162)—Cisco IOS 12.3(4)T� RADIUS Server support requires an upgrade (supporting

RFC3162) Few RADIUS solutions support RFC3162 functionality today

� Prefix pools and pool names are configurable through AAA � The following RADIUS attributes as described in RFC 3162 are

supported for IPv6: Framed-Interface-Id, Framed-IPv6-Prefix, Login-IPv6-Host, Framed-IPv6-Route, Framed-IPv6-Pool

� IPv6 AAA/RADIUS Configuration Examples on CCO

Auth-Type = Local, Password = “foo”User-Service-Type = Framed-User,Framed-Protocol = PPP,cisco-avpair = “ipv6:prefix=2001:DB8:1:1::/64”

Interface-Id = “0:0:0:1”,

RADIUS Configuration with Permanently Assigned /64:

Interface Identifier Attribute (Framed-Interface-Id) Can Be Used:


CNR 7.x Supports DHCPv6 (since 6.2 release)

� DHCPv6 extensions: Existing extension points to be used for DHCPv4, DHCPv6, or both. New DHCPv6 only extension point to allow an extension to control lease address and delegated prefix generation � Implements DOCSIS 3.0 options: CNR 7.0 supports DHCPv6 CableLabs Vendor-specific Information Options� DNS Enhanced Searching: Server wide search also performs auto-translation of IPv4 and IPv6 addresses to PTR record names as part of the search.� DHCPv6 DNS Updates: CNR 7.0 DHCP server supports DHCPv6 DNS updates (over IPv4 only) and DHCPv6 Client FQDN option� DHCPv6 and DHCPv4 Leasequery Control: New “expert”mode DHCP server attribute ‘leasequery’ allows overall control of both DHCPv4 and DHCPv6 leasequery processing� DHCPv6 SNMP Monitoring: DHCPv6 SNMP Monitoring, SNMP queries/traps only supported over IPv4� http://www.cisco.com/en/US/docs/net_mgmt/network_registrar/7.0/release/notes/CNR70ReleaseNotes.html#wp56332


Conclusion


ConclusionMultiple technologies are available to serve various IPv6 migration strategies:

6rd: start offering IPv6 services, over the top of an IPv4-only networkAdd IPv6 capabilities to the network: TR-187, WT-177, 6rdDS-Lite: save IPv4 addresses, maintain IPv4 services over the top of an IPv6

capable networkAvoid any multiplication of NAT (i.e. NAT444)

IPv6-enabledendpoints

IPv4-enabled endpoints

time


Conclusion (cont.)� Start now rather than later:

Purchase for the future and test, test and then test some moreStart moving legacy application towards IPv6 supportDon’t assume your favorite vendor/app/gear has an IPv6 planFull parity between IPv4 and IPv6 is still a ways off

� Things we did not talk about, but they are very important to consider:ISP Multihoming solutions (Multi6 WG)—“Goals for IPv6 Site-MultihomingArchitectures” (RFC 3582)IPv6 Addressing Considerations (RFC 5375)Provider Assigned (PA) vs. Provider Independent (PI)IPv4-IPv6 and IPv6-IPv6 Interworking: draft-mrw-behave-nat66, draft-arkko-townsley-coexistence, draft-wing-nat-pt-replacement-comparison, draft-durand-softwire-dual-stack-lite, draft-ietf-softwire-ipv6-6rdIETF WG Activities: v6ops, 6man, shim6 and Behave and Softwires


Reference Materials� “Deploying IPv6 in Broadband Access Networks” Adeel Ahmed, Salman

Asadullah – ISBN0470193387, John Wiley & Sons Publications®� “Deploying IPv6 Networks” Ciprian Popoviciu, Patrick Grossetete, Eric

Levy-Abegnoli, ISBN1587052105 - Cisco Press®� “IPv6 Security” Scott Hogg, Eric Vyncke, ISBN1587055945 – Cisco Press®� www.cisco.com/go/ipv6 - CCO IPv6 Main Page� www.cisco.com/go/srnd - Cisco Network Design Central� www.ietf.org� www.ipv6forum.org� www.ipv6.org� www.nav6tf.org/� www.6net.org


Q and A

Documents

Service Provider IPv6 Deployment