Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIIT-DC: IPv4 Service Continuity for IPv6 Data Centres

Published byDwain Robinson Modified over 6 years ago

Similar presentations

Presentation on theme: "SIIT-DC: IPv4 Service Continuity for IPv6 Data Centres"— Presentation transcript:

1 SIIT-DC: IPv4 Service Continuity for IPv6 Data Centres
Tore Anderson Redpill Linpro AB Netnod Tech Meeting, Stockholm, October 2017

2 Incremental IPv6 deployment in DC
IPv4-only IPv4-only + IPv6 via NAT/proxy/etc Dual-stacked public frontend, IPv4 BE Full dual-stack Dual-stacked public frontend, IPv6 BE IPv6-only + IPv4 via NAT/proxy/etc IPv6-only

3 IPv4 sucks Not enough addresses
Default route through stateful NAPT44 boxes Overlap with customer use of RFC1918 Renumbering/resizing server LANs No IPv6 for customers who want / require it (such as the entire Norw€gian pub£ic $ector)

4 Dual stack sucks MORE Needs IPv4 - see previous slide for why it sucks
Dual stack = Dual WORK and Dual COMPLEXITY 2x ACLs / firewall rules 2x monitoring targets 2x places where errors can occur (esp. human errs) 2x protocols the server and apps guys must learn Nx possible application commication patterns IPv4 becomes like a spreading cancer which it's almost impossible to safely remove later

5 What's realistic today? IPv4-only IPv4-only + IPv6 via NAT/proxy/etc
Dual-stacked public frontend, IPv4 BE Full dual-stack Dual-stacked public frontend, IPv6 BE IPv6-only + IPv4 via NAT/proxy/etc IPv6-only about 80% of end-users world-wide do not have IPv6! (source:

6 So let's take a shortcut... IPv4-only
IPv4-only + IPv6 via NAT/proxy/etc Dual-stacked public frontend, IPv4 BE Full dual-stack Dual-stacked public frontend, IPv6 BE IPv6-only + IPv4 via NAT/proxy/etc IPv6-only

7 IPv6 data centre network
SIIT-DC: Stateless IP/ICMP Translation for IPv6 Data Centre environments (RFC 7755) The IPv4 Internet The IPv6 Internet IPv6 data centre network SIIT-DC Border relays

8 SIIT-DC operation in a nutshell
The IPv4 internet is mapped into an IPv6 translation prefix IPv /0 -> IPv6 2001:db8:: /96 [same as 2001:db8::/96] For example: > 2001:db8:: [same as 2001:db8::cb00:710a] A table of explicit 1:1 IPv4:IPv6 mappings determine which IPv6 addresses are reachable through which IPv4 addresses A pool of public IPv4 addresses is required - use your last /22, for example > 2001:db8:dc1::80 (“web server in data centre 1”) > 2001:db8:dc2::25 (“smtp server in data centre 2”) > 2001:db8:dc1::389 (“ldap server in data centre 1”) > 2001:200:dff:fff1:216:3eff:feb1:44d7 (kame.net - somewhere on the Internet) [...] IPv6 ::/0 (not to scale) IPv4 /0 IPv6-mapped IPv4 2001:db8:: /96

9 SIIT-DC packet flow IPv4-only IPv6-only 2001:db8:dc1::80 A completely normal IPv4-only client wants to connect to a web site hosted on an IPv6-only server A redundant pair of SIIT-DC Border Relays provides the glue between IPv4 and IPv6

10 The IPv4 client connecting
IPv4-only IPv6-only SRC: DST: HTTP GET /foo [...] 2001:db8:dc1::80 The IPv4 service address is published as a regular A record for the service in DNS It's routed to the provider's SIIT-DC border relay using standard IPv4 routing techniques IPv4 clients connect to it in a normal way

11 IPv4->IPv6 translation
IPv4-only IPv6-only SRC: DST: HTTP GET /foo [...] SRC: 2001:db8:: DST: 2001:db8:dc1::80 HTTP GET /foo [...] 2001:db8:dc1::80 The pre-defined /96 prefix is prepended to the IPv4 packet's SRC field by the SIIT-DC BR The DST address is swapped according to configured 1:1 IPv4:IPv6 mapping by the SIIT-DC BR Layer 4 payload is copied verbatim The packet is then routed to the server as a completely ordinary IPv6 packet

12 IPv6 server processing IPv4-only IPv6-only SRC: DST: HTTP GET /foo [...] SRC: 2001:db8:: DST: 2001:db8:dc1::80 HTTP GET /foo [...] 2001:db8:dc1::80 SRC: 2001:db8:dc1::80 DST: 2001:db8:: HTTP 200 OK [...] The server responds to the packet just as it would with any other IPv6 packet The original IPv4 source address isn't lost The /96 prefix (equivalent to the IPv4 default route) is routed to closest SIIT-DC BR

13 IPv6->IPv4 translation
IPv4-only IPv6-only SRC: DST: HTTP GET /foo [...] SRC: 2001:db8:: DST: 2001:db8:dc1::80 HTTP GET /foo [...] 2001:db8:dc1::80 SRC: DST: HTTP 200 OK [...] SRC: 2001:db8:dc1::80 DST: 2001:db8:: HTTP 200 OK [...] The /96 prefix is stripped from the IPv6 packet's DST field 1:1 IPv4:IPv6 mapping is used to swap SRC field Again, layer 4 payload is untouched The resulting IPv4 packet is returned to the client which processes it normally

14 SIIT-DC features / highlights
No special software needed on endpoints (IPv4 client thinks he's talking to a IPv4 server; IPv6 server thinks he's talking to an IPv6 client) IPv4 SRC address not lost (think if server/app wants to do geo-loc, logging, etc.) It's STATELESS! Anycast, ECMP, no session tables or connection tracking. Server admins, monitoring, ACLs - IPv6 only Super easy to eventually decommission

15 What about IPv4-only apps?
The v4->v6 translation can easily be undone by the server before passing payload to the application (it's stateless, remember) Provides a network adapter with a public IPv4 address and default route for the app to use This makes legacy API calls like socket(AF_INET, ...), gethostbyname(...), ping , etc. work RFC 7756 «SIIT-DC dual translation mode» Essentially the same as RFC XLAT, only that IPv4 addresses are preserved e2e (no NAT44!)

16 It's really, really simple to set up (use the coffee break!)
A complete Cisco ASR/CSR example config to the right Other implementations exist Brocade ADX, F5 BIG-IP LTM, Linux/TAYGA, Linux/Jool, Linux/fd.io/VPP On server: Linux/clatd/TAYGA Incremental deployment It doesn't require an IPv6-only network, just an IPv6 one (dual-stack networks like the Internet included) ! interface GigabitEthernet1 ip address nat64 enable nat64 settings mtu minimum 1500 ipv6 address 2001:db8::2/64 ip route ip route Null0 ipv6 route ::/0 2001:db8::1 nat64 prefix stateful 2001:db8:46::/96 nat64 v6v4 static 2001:db8:dc1:: nat64 v6v4 static 2001:db8:dc2:: nat64 v6v4 static 2001:db8:dc1:: nat64 v6v4 static 2001:200:dff:fff1:216:3eff:feb1:44d nat64 settings fragmentation header disable nat64 settings flow-entries disable [Never mind the «stateful», it's really stateless because of «flow-entries disable». The 10 lines that are directly related to SIIT-DC are highlighted in bold, the rest are just standard IPv4/IPv6 network connectivity. Note that /24 and 2001:db8:46::/96 must be routed to the ASR/CSR box somehow.]

Download ppt "SIIT-DC: IPv4 Service Continuity for IPv6 Data Centres"

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Mapping Service Templates to Concrete Network Semantics Some Ideas.

Mapping Service Templates to Concrete Network Semantics Some Ideas.
10: ICMPv6 Neighbor Discovery

10: ICMPv6 Neighbor Discovery
NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.

NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.
IPv6 at NCAR 8/28/2002. Overview What is IPv6? What’s wrong with IPv4? Features of IPv6 IPv6 will soon be available at NCAR How to use IPv6.

IPv6 at NCAR 8/28/2002. Overview What is IPv6? What’s wrong with IPv4? Features of IPv6 IPv6 will soon be available at NCAR How to use IPv6.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
IPv6 – IPv4 Network Address, Port & Protocol Translation & Multithreaded DNS Gateway Navpreet Singh, Abhinav Singh, Udit Gupta, Vinay Bajpai, Toshu Malhotra.

IPv6 – IPv4 Network Address, Port & Protocol Translation & Multithreaded DNS Gateway Navpreet Singh, Abhinav Singh, Udit Gupta, Vinay Bajpai, Toshu Malhotra.
Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.

Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.
Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.

Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.
Ch. 1 – Scaling IP Addresses NAT/PAT and DHCP CMPSC-358 (CCNA 4 ) Spring 2007.

Ch. 1 – Scaling IP Addresses NAT/PAT and DHCP CMPSC-358 (CCNA 4 ) Spring 2007.
Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.

Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Notes for IPv6 Terrance Lee. Transition Mechanisms for IPv6 Hosts and Routers (RFC 2893)

Notes for IPv6 Terrance Lee. Transition Mechanisms for IPv6 Hosts and Routers (RFC 2893)
IPv4/IPv6 Translation: Framework Li, Bao, and Baker.

IPv4/IPv6 Translation: Framework Li, Bao, and Baker.
IP/ICMP Translation Algorithm (IIT) Xing Li, Congxiao Bao, Fred Baker 2008-11-17.

IP/ICMP Translation Algorithm (IIT) Xing Li, Congxiao Bao, Fred Baker
1 IPv6 Address Management Rajiv Kumar. 2 Lecture Overview Introduction to IP Address Management Rationale for IPv6 IPv6 Addressing IPv6 Policies & Procedures.

1 IPv6 Address Management Rajiv Kumar. 2 Lecture Overview Introduction to IP Address Management Rationale for IPv6 IPv6 Addressing IPv6 Policies & Procedures.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.

Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.
Network Address Translation (NAT) CS-480b Dick Steflik.

Network Address Translation (NAT) CS-480b Dick Steflik.

Similar presentations

Ads by Google