Many options for the Internet Edge – to the ISP
(Diagram) Four enterprise edge designs: single ISP with a default route; dual links into two POPs (POP1, POP2) of one ISP; multi-homed to ISP 1 and ISP 2 using BGP; multi-region, with the enterprise connected to ISPs in the USA and in Europe (ISP 1 through ISP 4) using BGP.
IPv6 Allocation: PI versus PA space
• IPv6 addresses can be allocated in two ways
• Provider Assigned (PA)
  • Addresses and prefixes are assigned to subscribers from the prefix pool assigned to the SP
  • PA provides prefix and route aggregation
  • This is good because the Internet routing table size is minimized
• Provider Independent (PI)
  • Addresses and prefixes are assigned to subscribers independent of the provider pool
  • PI allows the subscriber to change between service providers (PA requires renumbering of the subscriber network)
  • Allows multi-homing with the same address space
  • This is not so good – eventually we have the same problem as IPv4: routing tables may grow excessively
Provider Assigned Addressing
• Organization works with the service provider to determine how large an address space the organization needs
• The advantage for the service provider is that they can aggregate several customer blocks into a single announcement
• Small to mid-size organizations using a single SP
IPv6 PA Allocation Hierarchy
(Diagram) IANA 2001::/3 → RIRs (APNIC, AfriNIC, ARIN, LACNIC, RIPE NCC) ::/12 to ::/23 → ISP /32 → Site /48; each ISP /32 is further divided into many Site /48 allocations.
IPv6 PI Allocation Hierarchy
(Diagram) IANA 2001::/3 → RIRs (APNIC, AfriNIC, ARIN, LACNIC, RIPE NCC) ::/12 to ::/23 → ORG /48 → Site /48; the organization receives its /48 directly from the RIR rather than from an ISP /32.
/48 Prefix Breakdown Example
• High-level addressing plan. Indicative only; can be modified to suit needs
• /48 = 65536 x /64 prefixes
• Break up into functional blocks (4 x /50 in this case)
• Each functional block simplifies security policy
• Assumes up to 64 Branch networks
• Each Branch has access to 256 /64 prefixes for WAN, DMZ & VLAN use
(Diagram) /48 → /50 Branch, /50 WAN, /50 DC, /50 Lab. The /50 Branch block → /56 Branch 1, /56 Branch 2, /56 Branch 3, /56 Branch 4, …, /56 MGMT. Each Branch /56 → /64 Loop, /64 WAN, /64 DMZ, /64 VLAN4, /64 VLAN…
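The plan above as an added example (not Cisco's code): the /48 is carved with Python's ipaddress module into the four /50 blocks, the Branch /50 into 64 x /56 and each branch into its 256 x /64, and any address can be mapped back to its block, branch and link role, which is what lets a per-block security policy be checked. The site prefix 2001:db8:abcd::/48, the order in which blocks and branches are assigned, and the first four /64 roles per branch are assumptions of this example.

```python
import ipaddress

BLOCKS = ["Branch", "WAN", "DC", "Lab"]          # the four /50 functional blocks (assumed order)
BRANCH_LINKS = ["Loop", "WAN", "DMZ", "VLAN4"]   # first four /64s in every branch /56 (assumed
                                                 # order); the slide labels the rest "VLAN..."

def build_plan(site_prefix):
    """Carve the /48 into 4 x /50 blocks and the Branch /50 into 64 x /56."""
    site = ipaddress.IPv6Network(site_prefix)
    if site.prefixlen != 48:
        raise ValueError("the plan assumes a /48 site prefix")
    blocks = dict(zip(BLOCKS, site.subnets(new_prefix=50)))
    branches = {i + 1: net for i, net in enumerate(blocks["Branch"].subnets(new_prefix=56))}
    return blocks, branches

def branch_links(branch_net):
    """The 256 /64 link prefixes available to one branch."""
    return [str(net) for net in branch_net.subnets(new_prefix=64)]

def classify(plan, addr):
    """(block, branch number, /64, link role) for an address, so a policy check can ask
    e.g. 'is this a DMZ address?'; branch number and role are None outside Branch."""
    blocks, branches = plan
    ip = ipaddress.IPv6Address(addr)
    link = str(ipaddress.IPv6Network((ip, 64), strict=False))
    block = next((name for name, net in blocks.items() if ip in net), None)
    if block is None:
        return None  # not part of this site's /48
    branch = next((no for no, net in branches.items() if ip in net), None)
    role = None
    if branch is not None:
        idx = (int(ip) >> 64) & 0xFF            # which /64 inside the branch /56
        role = BRANCH_LINKS[idx] if idx < len(BRANCH_LINKS) else "VLAN"
    return block, branch, link, role

def count_64s(prefix):
    """Number of /64 prefixes inside a block (65536 for the whole /48)."""
    return 2 ** (64 - ipaddress.IPv6Network(prefix).prefixlen)
```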
Link Level – Prefix Length Considerations
< 64 bits
§ Considered bad practice
§ 64 bits offers more space for hosts than the media can support efficiently
64 bits
§ Recommended by RFC 3177 and IAB/IESG
§ Consistency makes management easy
§ MUST for SLAAC (MSFT DHCPv6 also)
§ Significant address space loss (18.466 Quintillion)
> 64 bits
§ Address space conservation
§ Special cases: /126 valid for p2p, /127 valid for p2p, /128 loopback
§ Complicates management
§ Must avoid overlap with specific addresses: Router Anycast (RFC 3513), Embedded RP (RFC 3956), ISATAP addresses
ULA, ULA + Global, or Global
• What type of addressing should I deploy internal to my network? It depends:
• ULA only: need to do NAT66/NPTv6 or proxy when wanting to communicate with the IPv6 Internet.
• ULA + Global: allows for the best of both worlds, but at a price: much more address management with DHCP, DNS, routing and security.
• Global only: the recommended approach, but the old-school security folks who believe topology hiding is essential to security will bark at this option.
Source Address Selection (http://www.ietf.org/rfc/rfc3484.txt)
1. Prefer same address
2. Appropriate address pairs: address pairs of the same scope or type (link-local, global) are preferred
3. A preferred (non-deprecated) address is preferred
4. In Mobile IP situations, home addresses are preferred over care-of addresses
5. Prefer outgoing interface
6. Matching label
7. Prefer public address
8. If all criteria are similar, address pairs with the longest common prefix are preferred
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Source Address Selection Diagram – the fix case
(Diagram; only this fragment of the labels survives: a host with RTR A, which is its default gateway.)
Addressing with Unique Local Addresses
• Internal communication → ULA
• Internet access → use GUA
• RFC 3484 → Default Address Selection for IPv6
Scenario where only ULA addresses are deployed
Some pointers and recommendations when considering ULAs:
• ULAs are useful during a network-wide renumbering if globally unique addressing has to be changed
• Use ULAs for internal network management functions; use GUA for Path MTU Discovery (PMTUD)
NPTv6 Characteristics
• RFC 6296, IPv6-to-IPv6 network prefix translation, has been standardized → NPTv6
• Stateless IPv6<->IPv6 prefix translation
• 1:1 relationship between the internal addresses and the external addresses
• No per-flow state
• Multi-homing, redundancy and load sharing
NPTv6 between Peer Networks
(Diagram) Two networks joined through an NPTv6 translator; internal prefixes FD01:4444:5555::/48 and FD01:0203:0405::/48, external prefixes 2001:0DB8:0001::/48 and 2001:0DB8:6666::/48.
NPTv6 Redundancy and Load Sharing
(Diagram) NPTv6 Translator #1 and NPTv6 Translator #2 as parallel translators between the internal network (prefix FD01:0203:0405::/48) and the external network (prefix 2001:0DB8:0001::/48).
NPTv6 Multihoming
(Diagram) Parallel translators: NPTv6 Translator #1 toward External Network #1 (prefix 2001:0DB8:0001::/48) and NPTv6 Translator #2 toward External Network #2 (prefix 2001:0DB8:5555::/48), both serving the internal network (prefix FD01:0203:0405::/48).
NPTv6 Supported on Cisco Routers
• NPTv6 support on ASR1k/CSR1k/ISR4k
• The NPTv6 translator does not need to rewrite transport-layer headers
• NPTv6 does not interfere with encryption of the full IP payload
IPv6 Prefix Format
• The first 48 bits of the IPv6 address represent the IPv6 prefix
• The translation function first ensures that the internal and external prefixes are of the same length and, if not, extends the shorter of the two with zeroes
Example Configuration:
  enable
  configure terminal
  interface GigabitEthernet0/0/0
   nat66 inside
  interface GigabitEthernet0/0/1
   nat66 outside
  nat66 prefix inside 2002:AB01::/64 outside 2002:AB02::/64
  end
Locator/ID Split and LISP • Routing and Addressing Architecture of the Internet Protocol…
§ Addresses today combine location and identity semantics in a single 32-bit or 128-bit number
§ Separating Location and Identity changes this…
• Provide a clear separation at the Network Layer between what we are looking for vs. how best to get there
• Translation vs. Tunneling is a key question
§ Network Layer Identifier: "who" you are in the network
• Long-term binding to the thing that it names; does not change often at all
§ Network Layer Locator: "where" you are… and "where" you want to go in the Network
• Think of the source and destination "addresses" used in routing and forwarding
LISP Overview • LISP – A Routing Architecture, Not a Feature…
§ An over-the-top technology
‒ Address Family agnostic
‒ Incrementally deployable
‒ End systems can be unaware of LISP
§ Deployment simplicity
‒ No host changes
‒ Minimal CPE changes
‒ Some new core infrastructure components
§ Enables IP Number Portability
‒ Never change host IP addresses; no renumbering costs
‒ No DNS changes; "name == EID" binding
‒ Session survivability
§ An Open Standard
‒ Being developed in the IETF
‒ No Cisco Intellectual Property Rights
§ Uses pull vs. push routing
‒ OSPF and BGP are push models; routing is stored in the forwarding plane
‒ LISP is a pull model, analogous to DNS; massively scalable
§ LISP use-cases are complementary
‒ Simplified multi-homing with ingress traffic engineering; no need for BGP
‒ Address Family agnostic support
‒ Virtualization support
‒ End-host mobility without renumbering
LISP Operations • LISP :: Mapping Resolution "Level of Indirection" DNS analog…
§ LISP "Level of Indirection" is analogous to a DNS lookup
‒ DNS resolves IP addresses for URLs, answering the "WHO IS" question
‒ LISP resolves locators for queried identities, answering the "WHERE IS" question
(Diagram) DNS name-to-IP URL resolution: the host asks the DNS server [who is lisp.cisco.com]? and receives [153.16.5.29, 2610:D0:110C:1::3]. LISP identity-to-locator mapping resolution: the LISP router asks the LISP Mapping System [where is 2610:D0:110C:1::3]? and receives [locator is 128.107.81.169].
LISP Overview • Identity and Location :: an Overloaded Concept in Routing Today…
(Diagram) An enterprise with Site 1, Site 2 and Site 3 holds 64.1.0.0/16 in AS 100 and announces it by eBGP as 64.1.0.0/17 toward a Tier 1 SP and 64.1.128.0/17 toward a Commodity SP; both halves and the /16 appear in the DFZ routing table, reached through a Transit SP. The provider-facing links are numbered from the providers' own blocks: 12.1.1.2/30 (AS 200, 12.0/8) and 13.1.1.2/30 (AS 300, 13.0/8). The site prefix 64.1.0.0/16 is the site's Identity; the link addresses are its Location.
LISP Overview • Identity and Location :: an Overloaded Concept in Routing Today…
(Same diagram as above, now with a LISP Mapping System placed next to the DFZ routing table.)
• Let's put the ID address and the Locator address in different databases
• Let's create a "level of indirection" between ID and LOCATION in the network!
Clear separation at the Network Layer::
• who/what you are looking for vs. …
• how best to get there
Two approaches::
• Translations (e.g. NAT) vs. …
• Tunnels (e.g. GRE, IPsec, MPLS)
What is needed is Locator/ID Separation on a GLOBAL scope, and that doesn't carry all routing in the Forwarding Plane!
LISP Overview • Identity and Location :: an Overloaded Concept in Routing Today…
(Same diagram: the site prefix 64.1.0.0/16 of AS 100 is the Identity held in the LISP Mapping System; the provider link addresses 12.1.1.2/30 (AS 200) and 13.1.1.2/30 (AS 300) are the Location.)
• Let's scale the ID address database to 10^10 entries and allow it to hold any prefix length (e.g. /32)
• Let's provide a mechanism for on-the-fly resolution of ID and locator
• A high-scale design, plus the ability to change the locator for a fixed ID, enables Mobility!
Enterprise Low-Opex Multi-Homing
(Diagram) A site with prefix 1.0.0.0/8 connected through routers S1 and S2 to Provider A (10.0.0.0/8) and Provider B (11.0.0.0/8).
• Active/active multi-homing
• Low-Opex switchover (no BGP)
• More efficient bandwidth use by the site: use all the bandwidth you pay for
• New link revenue for the ISP, with the benefit of keeping the site's routes out of its resources
• Decoupling addressing from the ISP: the site has flexibility to change providers
LISP Packet Forwarding
(Diagram) Source host S (EID 1.0.0.1) sits in a site with PI EID-prefix 1.0.0.0/8 behind ITRs S1 (Provider A, 10.0.0.0/8) and S2 (Provider B, 11.0.0.0/8). Destination D (EID 2.0.0.2, DNS entry D.abc.com A 2.0.0.2) sits in a site with PI EID-prefix 2.0.0.0/8 behind ETRs D1 (Provider X, 12.0.0.0/8) and D2 (Provider Y, 13.0.0.0/8). Mapping entry for EID-prefix 2.0.0.0/8: locator-set 12.0.0.2, priority 1, weight 50 (D1); 13.0.0.2, priority 1, weight 50 (D2). The host packet 1.0.0.1 -> 2.0.0.2 is encapsulated by the ITR in an outer header 11.0.0.1 -> 12.0.0.2, carried across the providers, decapsulated by the ETR and delivered as 1.0.0.1 -> 2.0.0.2. The locator choice is policy controlled by the destination site.
Mapping Service Interface
(Diagram, same topology as the forwarding slide: S via ITRs S1/S2 on Provider A 10.0.0.0/8 and Provider B 11.0.0.0/8, D via ETRs D1/D2 on Provider X 12.0.0.0/8 and Provider Y 13.0.0.0/8, PI EID-prefixes 1.0.0.0/8 and 2.0.0.0/8.) The ITR receives 1.0.0.1 -> 2.0.0.2 and has a Map-Cache lookup miss; it sends a Map-Request 11.0.0.1 -> 2.0.0.2 into the mapping system. The Map-Reply 13.0.0.2 -> 11.0.0.1 carries EID-prefix 2.0.0.0/8 with locator-set 12.0.0.2, priority 1, weight 50; 13.0.0.2, priority 1, weight 50, which the ITR installs as a Map-Cache entry.
Interworking with PITRs
• When a non-LISP site initiates a connection to a LISP site
(Diagram) Host S (128.1.1.1) in a non-LISP site with site prefix 128.1.0.0/16 (attached via S1/S2 to Provider A 10.0.0.0/8 and Provider B 11.0.0.0/8) sends 128.1.1.1 -> 2.2.2.2 toward D in a LISP site with PI EID-prefix 2.2.0.0/16, reachable via ETRs D1 (Provider X, 12.0.0.0/8) and D2 (Provider Y, 13.0.0.0/8). The packet is routed to a PITR (64.0.0.1) that attracts traffic for the EID aggregate 2.0.0.0/8; the PITR encapsulates it as 64.0.0.1 -> 13.0.0.2 to ETR D2, which decapsulates and delivers 128.1.1.1 -> 2.2.2.2.
Interworking with PETRs
• When a LISP site initiates a connection to a non-LISP site
(Diagram, IPv4) Host S (1.0.0.1) in a LISP site with PI EID-prefix 1.0.0.0/8 sends 1.0.0.1 -> 128.1.1.1 toward a non-LISP site with site prefix 128.1.0.0/16 (routers D1, D2 on Provider X, 12.0.0.0/8). ITR S1 (Provider A, 10.0.0.0/8) or S2 (Provider B, 11.0.0.0/8) encapsulates it as 10.0.0.1 -> 64.0.0.1 or 11.0.0.1 -> 64.0.0.1 to the PETR (64.0.0.1), which decapsulates and forwards 1.0.0.1 -> 128.1.1.1 natively.
(Diagram, IPv6 LISP site talks to IPv6 non-LISP site over IPv4 core) A LISP site with EID-prefix 2001:2610:1111::/48 sends 2001:2610:1111::1 -> 2001:128::1 to a non-LISP site with site prefix 2001:128::/32 (an IPv6 provider; labels D6, E1, E2; Provider Y, 13.0.0.0/8 also shown). The ITR encapsulates the IPv6 packet in IPv4 to the PETR (64.0.0.1), which decapsulates it and forwards 2001:2610:1111::1 -> 2001:128::1 to the non-LISP site.
LISP Operations • LISP IPv4 EID / IPv4 RLOC Data Packet Header Example
(Diagram of the encapsulated packet, outer to inner)
• IPv4 Outer Header: ITR supplies RLOCs
• UDP Header
• LISP Header
• IPv4 Inner Header: Host supplies EIDs
LISP Operations • LISP Encapsulation Combinations – IPv4 and IPv6 Supported
• IPv6/IPv4: IPv6 Outer Header + UDP + LISP + IPv4 Inner Header
• IPv6/IPv6: IPv6 Outer Header + UDP + LISP + IPv6 Inner Header
• IPv4/IPv6: IPv4 Outer Header + UDP + LISP + IPv6 Inner Header
• IPv4/IPv4: IPv4 Outer Header + UDP + LISP + IPv4 Inner Header
Q: Doesn't encapsulation cause MTU issues?
A: It can… But preparation limits issues…
‒ Encapsulation overhead is 36B for IPv4 and 56B for IPv6
‒ LISP supports "stateful" (PMTUD) and "stateless" (fragmentation) options
‒ Tunnel/MTU issues are well known (GRE, IPsec, etc.) and are usually operationally tractable
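An added example (not Cisco's code nor any LISP implementation): a toy ITR in Python that performs the map-cache lookup, Map-Request and priority/weight RLOC selection shown in the LISP Packet Forwarding and Mapping Service Interface diagrams, and applies the 36B/56B encapsulation overhead from the MTU answer above to check whether the encapsulated packet still fits the core MTU. The mapping database contents are the slides' EID-prefix and locator-set; the per-flow CRC hash, the unmapped-destination handling and the 1500-byte core MTU are constructed assumptions.

```python
import ipaddress
import zlib

# Constructed mapping database: the EID-prefix / locator-set from the slides.
MAPPING_SYSTEM = {
    ipaddress.ip_network("2.0.0.0/8"): [
        {"rloc": "12.0.0.2", "priority": 1, "weight": 50},  # ETR D1 (Provider X)
        {"rloc": "13.0.0.2", "priority": 1, "weight": 50},  # ETR D2 (Provider Y)
    ],
}
OVERHEAD = {4: 36, 6: 56}  # outer IP + UDP(8) + LISP(8) bytes, per the slides

def map_request(eid):
    """Map-Request: longest-prefix match in the mapping system, None if unmapped."""
    addr = ipaddress.ip_address(eid)
    best = max((p for p in MAPPING_SYSTEM if addr in p), key=lambda p: p.prefixlen, default=None)
    return None if best is None else (best, MAPPING_SYSTEM[best])

class ITR:
    def __init__(self, rloc, core_mtu=1500):
        self.rloc, self.core_mtu, self.map_cache = rloc, core_mtu, {}

    def lookup(self, eid):
        """Map-cache hit, or a Map-Request on a miss; the Map-Reply is cached."""
        addr = ipaddress.ip_address(eid)
        for prefix, rlocs in self.map_cache.items():
            if addr in prefix:
                return rlocs
        reply = map_request(eid)
        if reply is None:
            return None  # non-LISP destination: native forwarding or a PETR (assumed)
        self.map_cache[reply[0]] = reply[1]
        return reply[1]

    def select_rloc(self, rlocs, src_eid, dst_eid):
        """Lowest priority value wins; equal priorities are load-shared by weight using
        a per-flow hash (assumed), so one flow always lands on the same ETR."""
        best = min(r["priority"] for r in rlocs)
        cands = [r for r in rlocs if r["priority"] == best]
        point = zlib.crc32(f"{src_eid}>{dst_eid}".encode()) % sum(r["weight"] for r in cands)
        for r in cands:
            point -= r["weight"]
            if point < 0:
                return r["rloc"]

    def encapsulate(self, src_eid, dst_eid, inner_len):
        """Outer header ITR-RLOC -> ETR-RLOC, plus whether the result fits the core MTU."""
        rlocs = self.lookup(dst_eid)
        if rlocs is None:
            return None
        rloc = self.select_rloc(rlocs, src_eid, dst_eid)
        total = inner_len + OVERHEAD[ipaddress.ip_address(rloc).version]
        return {"outer": f"{self.rloc} -> {rloc}", "inner": f"{src_eid} -> {dst_eid}",
                "len": total, "fits": total <= self.core_mtu}
```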