Deployment Considerations for Dual-stack Lite draft-lee-softwire-dslite-deployment-00 Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed.


Deployment Considerations for Dual-stack Lite draft-lee-softwire-dslite-deployment-00 Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair

DS-lite Deployment Considerations Based on preliminary experimental deployment, this work describes deployment and operation considerations for DS-lite.

DS-lite Architecture It is recommended that the AFTR addressing architecture consist of two separate interfaces (i.e. one dedicated to IPv4 and one dedicated to IPv6) to segregate the functions.

MTU Considerations DS-lite, like any tunneling protocol, adds header overhead, so the tunnel's MTU is smaller than the raw interface MTU. The symptom the end user experiences is that they cannot download Internet pages or transfer files using File Transfer Protocol (FTP) but may be able to ping successfully, because small ping packets fit within the tunnel MTU while full-sized TCP segments do not.

Lawful Intercept Considerations RFC 2804, "IETF Policy on Wiretapping", states that the IETF will NOT work on wiretapping functionality in IETF standards documents. However, the IETF does encourage the publication of wiretapping mechanisms for broad community review.

Lawful Intercept Considerations Interception in the DS-lite architecture could be performed on the AFTR itself. Time-stamped logging of the address and port mappings at the AFTR should be maintained, which in turn adds a resource burden to the AFTR devices.

AFTR The time-stamped logging is also important for tracing back specific users when a problem is identified from outside the AFTR. Policies applying to incoming sources must be implemented on the outside of the AFTR. Once the packets are translated, they cannot be easily identified by IPv4 address without some correlation with the AFTR mapping table.
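The trace-back described on the two slides above (time-stamped mapping logs and correlation with the AFTR mapping table), as an added example that is not part of the original presentation: the log format, timestamps and addresses are constructed for the demo, not a real vendor format.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample of an AFTR address/port mapping log (not a real device format):
# start  end ('-' = still active)  proto  B4 IPv6 (tunnel source)  inner src  external src
MAPPING_LOG = """\
2024-03-01T10:00:00Z 2024-03-01T10:05:00Z tcp 2001:db8::b4:1 10.0.0.2:51000 192.0.2.1:40001
2024-03-01T10:03:00Z 2024-03-01T10:20:00Z tcp 2001:db8::b4:2 10.0.0.2:51000 192.0.2.1:40002
2024-03-01T10:06:00Z - udp 2001:db8::b4:3 192.168.1.7:5060 192.0.2.1:40001
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_mapping_log(text):
    """Turn log lines into records; inner and external endpoints become (address, port)."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, end, proto, b4, inner, ext = line.split()
        in_ip, in_port = inner.rsplit(":", 1)
        ext_ip, ext_port = ext.rsplit(":", 1)
        records.append({
            "start": parse_ts(start),
            "end": None if end == "-" else parse_ts(end),
            "proto": proto,
            "b4": ipaddress.ip_address(b4),
            "inner": (ipaddress.ip_address(in_ip), int(in_port)),
            "ext": (ipaddress.ip_address(ext_ip), int(ext_port)),
        })
    return records

def trace_back(records, ext_ip, ext_port, proto, when):
    """Which B4 (subscriber tunnel endpoint) held ext_ip:ext_port/proto at time `when`?
    A mapping covers [start, end); end None means the mapping is still active.
    The same external port is reused over time, so the timestamp is essential."""
    ext = (ipaddress.ip_address(ext_ip), ext_port)
    return [str(r["b4"]) for r in records
            if r["ext"] == ext and r["proto"] == proto
            and r["start"] <= when and (r["end"] is None or when < r["end"])]

def subscribers_for_inner(records, inner_ip, inner_port):
    """Inner (RFC 1918) endpoints are not unique across subscribers, which is why a
    NAT-ed packet cannot be attributed by its IPv4 address alone."""
    key = (ipaddress.ip_address(inner_ip), inner_port)
    return sorted({str(r["b4"]) for r in records if r["inner"] == key})
```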

AFTR Policies Policies applying to the NAT-ed addresses should be implemented on the external interface of the AFTR. Once the packets are translated, they cannot be easily identified by IPv4 address without some correlation with the AFTR mapping table. Policies applying to outgoing sources should be implemented on the customer-facing side of the AFTR for the same reason. In order to deploy different service offers, multiple sets of policies can be configured on the AFTR: each set of policies can then be applied to a different logical tunnel interface on the AFTR.

AFTR Impacts on Accounting Process in Broadband Access The accounting process at the AFTR level is only necessary if the Service Provider requires separate per-user accounting records for IPv4 and IPv6 traffic. If the per-user IPv6 accounting records collected by the BNAS are sufficient, the additional complexity of implementing IPv4 accounting at the AFTR level is not required.

Reliability Considerations of AFTR (1/3) The service provider can use several techniques to achieve high availability, such as various types of clusters, to ensure availability of the IPv4 service. DS-lite HA techniques include cold standby mode: – When the Primary AFTR fails, all the existing established sessions are flushed out. The internal hosts are required to re-establish sessions to the external hosts.

Reliability Considerations of AFTR (2/3) DS-lite Hot standby mode: – AFTR keeps established sessions while failover happens. AFTR states are replicated from the Primary AFTR to the Backup AFTR. When the Primary AFTR fails, the Backup AFTR will take over all the existing established sessions. – In the DS-lite Hot standby mode, the internal hosts are not required to re-establish sessions to the external hosts.

Reliability Considerations of AFTR (3/3) Combo mode is a way to deploy DS-lite between these two, whereby only selected sessions, such as those of critical protocols, are replicated. – The criteria for sessions to be replicated on the backup would be explicitly configured on the AFTR devices of a redundancy group.

Placement of AFTR (1/2) The AFTR architecture design is the strategic placement of each AFTR so as to best use the capacity of each public IPv4 address without oversubscribing the address or overtaxing the AFTR itself.

Placement of AFTR (2/2) It is important to centralize the public IPv4 addresses, where each address no longer represents a single machine, a single household, or a single small office. The address now represents multiple machines, homes, and offices related only in that they are behind the same AFTR. One consequence of AFTR placement is that identifying a user or location by IPv4 address becomes difficult, so applications that infer geographic information from the address may not work as intended.

Geographic aware applications… It is important to locate AFTRs so that applications and services can place their servers near sets of users, reducing latency at the client end. Having sufficient geographical coverage can indirectly improve end-to-end latency.

DS-lite impacts on QoS As with tunneling in general, deep packet inspection for QoS purposes is challenging with DS-lite. Service Providers commonly use DSCP to classify and prioritize packets. – It is recommended that the AFTR and B4 copy the DSCP value from the IPv4 header to the IPv6 header after encapsulation.
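The IPv4-in-IPv6 encapsulation discussed under MTU Considerations and under QoS above, as an added example that is not part of the original presentation: it shows the tunnel MTU shrinking by the IPv6 header size, the too-big case that breaks large transfers while small pings still pass, and the DSCP copy into the outer header. The tunnel endpoint addresses and the sample IPv4 packet are constructed for the demo.

```python
import struct

IPV6_HDR_LEN = 40   # the fixed IPv6 header the DS-lite tunnel adds to every IPv4 packet
# Constructed tunnel endpoints (documentation prefix), not addresses from the slides.
B4_V6 = bytes.fromhex("20010db8000000000000000000000b40")
AFTR_V6 = bytes.fromhex("20010db800000000000000000000aaaa")

def dslite_tunnel_mtu(link_mtu):
    """Largest inner IPv4 packet that fits in one IPv6 tunnel packet."""
    return link_mtu - IPV6_HDR_LEN

def make_ipv4(total_len, dscp, df):
    """Constructed minimal IPv4 packet (zero payload, no checksum) for the demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, total_len, 0,
                      0x4000 if df else 0, 64, 6, 0,
                      bytes([10, 0, 0, 2]), bytes([198, 51, 100, 7]))
    return hdr + bytes(total_len - 20)

def ipv6_dscp(tunnel_packet):
    """DSCP of an IPv6 packet: top 6 bits of the 8-bit traffic class field."""
    traffic_class = ((tunnel_packet[0] & 0x0F) << 4) | (tunnel_packet[1] >> 4)
    return traffic_class >> 2

def encapsulate(ipv4_packet, link_mtu=1500):
    """B4/AFTR side of the tunnel: IPv4-in-IPv6 with the DSCP copied outward.
    Returns (tunnel_packet, None), or (None, mtu_to_report) when the inner packet
    does not fit; with DF set the caller must answer with ICMPv4 'fragmentation
    needed' carrying that MTU, otherwise it fragments the inner packet first."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if len(ipv4_packet) > dslite_tunnel_mtu(link_mtu):
        return None, dslite_tunnel_mtu(link_mtu)
    dscp = ipv4_packet[1] >> 2                   # IPv4 TOS byte: DSCP is the top 6 bits
    # First 32 bits: version 6, traffic class = DSCP << 2 (ECN left 0 here), flow label 0
    first_word = (6 << 28) | (dscp << 22)
    hdr = struct.pack("!IHBB", first_word, len(ipv4_packet), 4, 64)  # next header 4 = IPv4
    return hdr + B4_V6 + AFTR_V6 + ipv4_packet, None
```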

Port Forwarding Considerations Some applications require accepting incoming UDP or TCP traffic. Some applications rely on ALGs, UPnP IGD, or manual port configuration. Port Control Protocol (PCP) [I-D.wing-pcp-design-considerations] is designed to address these issues.

B4 Deployment Considerations In order to configure the IPv4-in-IPv6 tunnel, the B4 element needs the IPv6 address of the AFTR element. – This IPv6 address can be configured via an out-of-band mechanism, manual configuration or a variety of DHCPv6 options. For interoperability, it is recommended that the B4 element implement the DHCPv6 option defined in [I-D.ietf-softwire-ds-lite-tunnel-option].

DNS B4 The B4 should contain a DNS proxy resolver and forward DNS queries to an external recursive resolver over IPv6. Alternatively, the B4 proxy resolver can be statically configured with the IPv4 address of an external recursive resolver. – Here the DNS traffic to the external resolver will be tunneled through IPv6 to the AFTR, which consumes NAT resources (NOT Recommended)

Security issues Some of the security issues with carrier-grade NAT that result directly from sharing a routable IPv4 address also apply to DS-lite. – For example, devices on the customer side may try to carry out general attacks against systems on the global Internet or against other customers by using inappropriate IPv4 source addresses inside tunneled traffic. In short, the AFTR entity must protect against such attacks.
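An ingress check an AFTR can apply to decapsulated traffic, as an added example that is not part of the original presentation: it rejects tunnel packets whose outer IPv6 source is not a subscriber, whose inner IPv4 source is outside the private ranges a B4 may use, whose inner destination points into private space (another customer), or whose subscriber has exhausted a per-B4 port quota. The subscriber prefix, the quota and the sample addresses are constructed assumptions.

```python
import ipaddress

# Inner IPv4 sources a B4 may legitimately use inside the tunnel: the RFC 1918
# ranges plus the DS-lite well-known 192.0.0.0/29 range.
ALLOWED_INNER = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.0.0/29")]
# Constructed: the IPv6 prefix this AFTR's subscribers (B4s) are numbered from.
SUBSCRIBER_PREFIX = ipaddress.ip_network("2001:db8:b400::/40")
# Constructed quota so one subscriber cannot exhaust the shared address's ports.
MAX_PORTS_PER_B4 = 1024

def check_tunneled_packet(outer_src_v6, inner_src_v4, inner_dst_v4, ports_in_use):
    """Ingress check on the AFTR's tunnel side. Returns 'accept' or a drop reason.
    ports_in_use maps a B4's IPv6 address (string) to its current NAT port count."""
    src6 = ipaddress.ip_address(outer_src_v6)
    if src6 not in SUBSCRIBER_PREFIX:
        return "drop: outer IPv6 source is not a subscriber B4"
    src4 = ipaddress.ip_address(inner_src_v4)
    if not any(src4 in net for net in ALLOWED_INNER):
        return "drop: inner IPv4 source outside the allowed private ranges"
    dst4 = ipaddress.ip_address(inner_dst_v4)
    if any(dst4 in net for net in ALLOWED_INNER) or dst4.is_loopback or dst4.is_multicast:
        return "drop: inner destination is not a global address"
    if ports_in_use.get(str(src6), 0) >= MAX_PORTS_PER_B4:
        return "drop: subscriber port quota exhausted"
    return "accept"
```

Dropped packets should be counted per B4 so that a subscriber persistently sending spoofed inner sources shows up in monitoring.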

Summary Deployment considerations for the B4, AFTR and DNS have been discussed, together with recommendations for their usage. The goal is for this document and discussion to serve as a reference for service providers and network providers deploying DS-lite.