IPv6 Multi WAN 相關技術淺談 (A Brief Look at IPv6 Multi-WAN Related Technologies): NPTv6, LISP

Andrew Yang 楊吳禧, [email protected], Product and Technology Manager

2016/6/22

IPv6 PI vs PA Address

Many options for the Internet Edge to ISP:

[Diagram: four edge designs. Single ISP: Enterprise with a Default Route to ISP 1. Dual Links: Enterprise connected to POP1 and POP2 of ISP 1. Multi-Homed: Enterprise connected to ISP 1 and ISP 2 over BGP. Multi-Region: Enterprise connected to ISP 3 and ISP 4 across USA and Europe, BGP on each.]

IPv6 Allocation PI versus PA space

• IPv6 addresses can be allocated in two ways

• Provider Assigned (PA)
  • Addresses and prefixes assigned to subscribers from prefix pool assigned to SP
  • PA provides prefix and route aggregation
  • This is good because Internet routing table size minimized

• Provider Independent (PI)
  • Addresses and prefixes assigned to subscribers independent of provider pool
  • PI allows subscriber to change between service providers (PA requires renumbering of subscriber network)
  • Allows multi-homing with same address space
  • This is not so good – eventually we have same problem as IPv4
  • Routing tables may grow excessively

Provider Assigned Addressing

• Organization works with the service provider to determine how large an address space the organization needs

• The advantage for the service provider is that they can aggregate several customer blocks into a single announcement

• Typical for small to mid-size organizations using a single SP

IPv6 PA Allocation Hierarchy

[Diagram: IANA 2001::/3 → RIRs (APNIC, AfriNIC, ARIN, LACNIC, RIPE NCC), each holding ::/12 to ::/23 → ISP /32 → Site /48. Under PA every Site /48 is carved out of its ISP's /32, so the ISP can announce the /32 as one aggregate.]

IPv6 PI Allocation Hierarchy

[Diagram: IANA 2001::/3 → RIRs (APNIC, AfriNIC, ARIN, LACNIC, RIPE NCC), each holding ::/12 to ::/23 → ORG /48 → Site /48. Under PI the organization's /48 comes from the RIR, independent of any ISP's /32.]

/48 Prefix Breakdown Example

• High Level addressing plan. Indicative only. Can be modified to suit needs

• /48 = 65536 x /64 prefixes

• Break up into functional blocks (4 x /50 in this case)

• Each functional block simplifies security policy

• Assumes up to 64 Branch networks

• Each Branch has access to 256 /64 prefixes for WAN, DMZ, & VLAN use

[Diagram: the /48 is split into four /50 blocks: Branch, WAN, DC, Lab. The Branch /50 is split into /56 blocks: Branch 1, Branch 2, Branch 3, Branch 4, ..., plus a /56 for MGMT. Each Branch /56 holds /64 prefixes: Loop, WAN, DMZ, VLAN4, ..., VLAN n.]

Link Level – Prefix Length Considerations

< 64 bits
§ Considered bad practice
§ 64 bits offers more space for hosts than the media can support efficiently

64 bits
§ Recommended by RFC3177 and IAB/IESG
§ Consistency makes management easy
§ MUST for SLAAC (MSFT DHCPv6 also)
§ Significant address space loss (18.466 Quintillion)

> 64 bits
§ Address space conservation
§ Special cases: /126 valid for p2p; /127 valid for p2p; /128 loopback
§ Complicates management
§ Must avoid overlap with specific addresses: Router Anycast (RFC3513), Embedded RP (RFC3956), ISATAP addresses
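The /48 breakdown above and the link-level guidance that follows it, worked as an added example (not part of the slides): a small planner that carves a site /48 the way the breakdown describes, and a validator that applies the prefix-length rules. The site prefix 2001:db8:1::/48 and the /64 slot numbering inside a branch are assumptions.

```python
import ipaddress

BLOCK_NAMES = ("Branch", "WAN", "DC", "Lab")  # the four /50 functional blocks on the slide

def build_plan(site48):
    """Carve a site /48 as the slide does: 4 x /50 functional blocks, and
    64 x /56 branch blocks inside the Branch /50 (each /56 = 256 x /64)."""
    site = ipaddress.IPv6Network(site48)
    if site.prefixlen != 48:
        raise ValueError("the plan starts from a /48")
    blocks = dict(zip(BLOCK_NAMES, site.subnets(new_prefix=50)))
    branches = list(blocks["Branch"].subnets(new_prefix=56))
    return blocks, branches

def branch_link(branches, branch_no, slot):
    """Return the /64 for slot `slot` of branch `branch_no` (1-based, as on the slide).
    Slot layout is an assumption: 0 = Loopback, 1 = WAN, 2 = DMZ, 3.. = VLANs."""
    if not 1 <= branch_no <= len(branches):
        raise ValueError(f"plan assumes up to {len(branches)} branches")
    if not 0 <= slot < 256:
        raise ValueError("each branch /56 holds exactly 256 /64 prefixes")
    # index arithmetic instead of enumerating 256 subnets: /64 slot n sits n * 2**64 above the /56
    base = int(branches[branch_no - 1].network_address)
    return ipaddress.IPv6Network((base + (slot << 64), 64))

# Link-level guidance from the slide: /64 for LAN segments (required by SLAAC),
# /126 and /127 valid for point-to-point links, /128 for loopbacks.
SPECIAL_CASES = {126: "point-to-point", 127: "point-to-point", 128: "loopback"}

def check_link_prefix(link):
    """Classify a link prefix as (ok, reason) according to the slide's three columns."""
    n = ipaddress.IPv6Network(link, strict=False)
    if n.prefixlen < 64:
        return False, "shorter than /64: bad practice, more host space than the media can use"
    if n.prefixlen == 64:
        return True, "/64: recommended (RFC3177), required for SLAAC"
    if n.prefixlen in SPECIAL_CASES:
        return True, f"/{n.prefixlen}: valid for {SPECIAL_CASES[n.prefixlen]}"
    return False, (f"/{n.prefixlen}: complicates management; must avoid overlap with "
                   "Router Anycast, Embedded RP and ISATAP addresses")
```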

ULA, ULA + Global, or Global

• What type of addressing should I deploy internal to my network? It depends:

• ULA only: need to do NAT66/NPTv6 or a proxy when you want to communicate with the IPv6 Internet.

• ULA + Global: allows for the best of both worlds, but at a price: much more address management with DHCP, DNS, routing and security.

• Global only: the recommended approach, but the old-school security folks who believe topology hiding is essential in security will bark at this option.

Source Address Selection (RFC 3484: http://www.ietf.org/rfc/rfc3484.txt)

1. Prefer same address

2. Appropriate Address pairs. Address pairs of the same scope or type (link-local, global) are preferred.

3. A preferred (non-deprecated) address is preferred.

4. In Mobile IP situations, home addresses are preferred over care-of addresses.

5. Prefer Outgoing Interface

6. Matching Label

7. Prefer Public Address.

8. If all criteria are similar, address pairs with the longest common prefix are preferred.

[Diagram: Source Address Selection, the problem case]

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

[Diagram: Source Address Selection, the fix case; the host uses RTR A as its default gateway.]

IPv6-to-IPv6 Network Prefix Translation (NPTv6)

Addressing with Unique Local Addresses

• Internal communication → ULA
• Internet Access → use GUA
• RFC3484 → Default Address Selection for IPv6

Scenario where only ULA addresses are deployed

• RFC 6296, IPv6-to-IPv6 network prefix translation, has been standardized → NPTv6

• Stateless IPv6<->IPv6 Prefix Translation

• 1:1 relationship between the internal addresses and external addresses

• Multi-Homing, redundancy and load sharing

NPTv6 Characteristics

Some pointers and recommendations when considering ULAs:
• ULAs are useful during a network wide re-numbering if globally unique addressing has to be changed
• Use ULAs for internal network management functions, use GUA for Path MTU Discovery (PMTUD)
• No Per-Flow State

NPTv6 between Peer Networks

[Diagram: two peer networks connected through an NPTv6 Translator. Internal Prefixes FD01:4444:5555::/48 and FD01:0203:0405::/48; External Prefixes 2001:0DB8:0001::/48 and 2001:0DB8:6666::/48.]

NPTv6 Redundancy and Load Sharing

[Diagram: Internal Network Prefix = FD01:0203:0405::/48 reaches External Network Prefix = 2001:0DB8:0001::/48 through two parallel translators, NPTv6 Translator #1 and NPTv6 Translator #2.]

NPTv6 Multihoming

[Diagram: Internal Network Prefix = FD01:0203:0405::/48; parallel translators NPTv6 Translator #1 to External Network #1 Prefix = 2001:0DB8:0001::/48 and NPTv6 Translator #2 to External Network #2 Prefix = 2001:0DB8:5555::/48.]

NPTv6 Supported on Cisco Routers

• NPTv6 support on ASR1k/CSR1k/ISR4k

• The NPTv6 Translator need not rewrite transport layer headers

• NPTv6 does not interfere with encryption of the full IP payload

IPv6 Prefix Format

• The first 48 bits of the IPv6 address represent the IPv6 prefix

• The translation function first ensures that the internal and external prefixes are of the same length and, if not, extends the shorter of the two with zeroes

Example Configuration:

    enable
    configure terminal
    interface GigabitEthernet0/0/0
      nat66 inside
    interface GigabitEthernet0/0/1
      nat66 outside
    nat66 prefix inside 2002:AB01::/64 outside 2002:AB02::/64
    end
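As an added worked example (not from the slides and not Cisco's implementation), the stateless mapping described above in Python: the prefix bits are swapped 1:1 and a one's complement adjustment is folded into the address so the transport checksum need not be rewritten; it covers both /48 prefixes and the /64 prefixes used in the configuration. The addresses are the slide's FD01:0203:0405::/48 and 2001:0DB8:0001::/48; writing a 0xFFFF result as 0x0000 is an assumption of this code.

```python
import ipaddress
from functools import reduce

def ocs_add(a, b):
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def words16(addr):  # the eight 16-bit words of an IPv6 address, most significant first
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]

ocs_sum = lambda ws: reduce(ocs_add, ws, 0)

class NPTv6:
    """Stateless, checksum-neutral inside<->outside prefix mapping (RFC 6296 style)."""
    def __init__(self, inside, outside):
        self.inside, self.outside = ipaddress.IPv6Network(inside), ipaddress.IPv6Network(outside)
        # Both prefixes are used at the same length; the shorter one is zero-extended (slide text).
        self.plen = max(self.inside.prefixlen, self.outside.prefixlen)
        if self.plen > 64:
            raise ValueError("NPTv6 prefixes must be /64 or shorter")
        n = (self.plen + 15) // 16  # 16-bit words touched by the prefix swap
        in_sum = ocs_sum(words16(self.inside.network_address)[:n])
        out_sum = ocs_sum(words16(self.outside.network_address)[:n])
        # adjustment = (inside prefix sum) - (outside prefix sum), in one's complement arithmetic
        self.adjust = ocs_add(in_sum, ~out_sum & 0xFFFF)

    def _map(self, addr, src, dst, adjust):
        a = ipaddress.IPv6Address(addr)
        if a not in src:
            raise ValueError(f"{a} is not inside {src}")
        host_mask = (1 << (128 - self.plen)) - 1  # bits outside the prefix are kept as-is
        mapped = (int(dst.network_address) & ~host_mask) | (int(a) & host_mask)
        w = [(mapped >> (112 - 16 * i)) & 0xFFFF for i in range(8)]
        # Keep the transport checksum unchanged: fold the adjustment into the subnet word
        # (bits 48-63) for /48 or shorter, else into the first IID word that is not 0xFFFF.
        idx = 3 if self.plen <= 48 else next(i for i in range(4, 8) if w[i] != 0xFFFF)
        w[idx] = ocs_add(w[idx], adjust) % 0xFFFF  # 0xFFFF (negative zero) written as 0x0000
        return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))

    def inside_to_outside(self, addr):
        return self._map(addr, self.inside, self.outside, self.adjust)

    def outside_to_inside(self, addr):
        return self._map(addr, self.outside, self.inside, ~self.adjust & 0xFFFF)

def checksum_neutral(a, b):
    """True when both addresses add the same one's complement sum to a transport pseudo-header."""
    sums = [ocs_sum(words16(ipaddress.IPv6Address(x))) % 0xFFFF for x in (a, b)]
    return sums[0] == sums[1]
```

Because the mapping is a pure function of the prefixes, two parallel translators configured alike produce identical results, which is what makes the redundancy and multihoming layouts above work without shared state.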

Locator/ID Separation Protocol (LISP) Overview

Locator/ID Split and LISP
• Routing and Addressing Architecture of the Internet Protocol…

§ Addresses today combine location and identity semantics in a single 32-bit or 128-bit number

§ Separating Location and Identity changes this…
  • Provide a clear separation at the Network Layer between what we are looking for vs. how best to get there
  • Translation vs Tunneling is a key question

§ Network Layer Identifier: “who” you are in the network
  • long-term binding to the thing that they name, does not change often at all

§ Network Layer Locator: “where” you are… and “where” you want to go in the Network
  • Think of the source and destination “addresses” used in routing and forwarding

LISP Overview
• LISP – A Routing Architecture, Not a Feature…

§ An over-the-top technology
  ‒ Address Family agnostic
  ‒ Incrementally deployable
  ‒ End systems can be unaware of LISP

§ Deployment simplicity
  ‒ No host changes
  ‒ Minimal CPE changes
  ‒ Some new core infrastructure components

§ Enables IP Number Portability
  ‒ Never change host IP addresses; no renumbering costs
  ‒ No DNS changes; “name == EID” binding
  ‒ Session survivability

§ An Open Standard
  ‒ Being developed in the IETF
  ‒ No Cisco Intellectual Property Rights

§ Uses pull vs. push routing
  ‒ OSPF and BGP are push models; routing stored in the forwarding plane
  ‒ LISP is a pull model; analogous to DNS; massively scalable

§ LISP use-cases are complementary
  ‒ Simplified multi-homing with Ingress traffic Engineering; no need for BGP
  ‒ Address Family agnostic support
  ‒ Virtualization support
  ‒ End-host mobility without renumbering

LISP Operations
• LISP :: Mapping Resolution “Level of Indirection” DNS analog…

§ LISP “Level of Indirection” is analogous to a DNS lookup
  ‒ DNS resolves IP addresses for URL, answering the “WHO IS” question
  ‒ LISP resolves locators for queried identities, answering the “WHERE IS” question

[Diagram: DNS Name-to-IP URL Resolution: the host asks the DNS Server “who is lisp.cisco.com?” and receives [153.16.5.29, 2610:D0:110C:1::3]. LISP Identity-to-locator Mapping Resolution: the LISP router asks the LISP Mapping System “where is 2610:D0:110C:1::3?” and receives “locator is 128.107.81.169”.]

LISP Overview
• Identity and Location :: an Overloaded Concept in Routing Today…

[Diagram: IPv4 Internet. An Enterprise (AS 100, prefix 64.1.0.0/16, its Identity) with Site 1, Site 2 and Site 3 connects through AS 200 (12.0/8, link 12.1.1.2/30) and AS 300 (13.0/8, link 13.1.1.2/30), the link addresses being its Location, to a Tier 1 SP, a Transit SP and a Commodity SP. The DFZ Routing Table carries 64.1.0.0/16 together with the more-specifics 64.1.0.0/17 and 64.1.128.0/17 learned over eBGP.]

LISP Overview
• Identity and Location :: an Overloaded Concept in Routing Today…

[Diagram: the same IPv4 Internet topology (Tier 1 SP, Transit SP, Commodity SP, Enterprise AS 100 64.1.0.0/16 with Site 1, Site 2, Site 3; AS 200 12.0/8 with 12.1.1.2/30 and AS 300 13.0/8 with 13.1.1.2/30 as Location); the Identity now points to a separate LISP Mapping System rather than the DFZ Routing Table.]

• Let’s put ID address and Locator address in different databases

• Let’s create a “level of indirection” between ID and LOCATION in the network!

Clear Separation at the Network Layer::
• who/what you are looking for vs. …
• how to best get there

Two Approaches::
• Translations (e.g. NAT) vs. …
• Tunnels (e.g. GRE, IPsec, MPLS)

What is needed is Locator/ID Separation on a GLOBAL Scope, and that doesn’t carry all routing in the Forwarding Plane!

LISP Overview
• Identity and Location :: an Overloaded Concept in Routing Today…

[Diagram: the same IPv4 Internet topology; the LISP Mapping System now holds the Identity (AS 100, 64.1.0.0/16) and its Location (12.1.1.2/30 via AS 200 12.0/8, 13.1.1.2/30 via AS 300 13.0/8) while the DFZ Routing Table is left to the Tier 1, Transit and Commodity SPs.]

• Let’s scale the ID address databases to 10^10 and allow it to hold any prefix length (e.g. /32)

• Let’s provide a mechanism to provide on-the-fly resolution of ID and locator

• High scale design, and ability to change locator for fixed ID enables Mobility!

Enterprise Low-Opex Multi-Homing

[Diagram: a site with PI prefix 1.0.0.0/8 multi-homed through routers S1 and S2 to Provider A (10.0.0.0/8) and Provider B (11.0.0.0/8).]

• Active/active multi-homing
  • Low-Opex switchover (no BGP)

• More efficient bandwidth use by site
  • Use all the bandwidth you pay for

• New link revenue for ISP
  • At the benefit of keeping site’s routes out of their resources

• Decoupling addressing from ISP
  • Site has flexibility to change providers

LISP Packet Forwarding

[Diagram: source site S (PI EID-prefix 1.0.0.0/8) with ITRs S1 via Provider A 10.0.0.0/8 and S2 via Provider B 11.0.0.0/8; destination site D (PI EID-prefix 2.0.0.0/8) with ETRs D1 via Provider X 12.0.0.0/8 and D2 via Provider Y 13.0.0.0/8. DNS entry: D.abc.com A 2.0.0.2. Mapping Entry: EID-prefix: 2.0.0.0/8, Locator-set: 12.0.0.2, priority: 1, weight: 50 (D1); 13.0.0.2, priority: 1, weight: 50 (D2). The host's packet 1.0.0.1 -> 2.0.0.2 is encapsulated by the ITR as 11.0.0.1 -> 12.0.0.2, decapsulated by D1 and delivered as 1.0.0.1 -> 2.0.0.2. Policy controlled by destination site.]

Mapping Service Interface

[Diagram: same sites (S1/S2 behind Provider A 10.0.0.0/8 and Provider B 11.0.0.0/8, PI EID-prefix 1.0.0.0/8; D1/D2 behind Provider X 12.0.0.0/8 and Provider Y 13.0.0.0/8, PI EID-prefix 2.0.0.0/8). ITR S2 has a Map-Cache lookup miss for 1.0.0.1 -> 2.0.0.2 and sends Map-Request 11.0.0.1 -> 2.0.0.2; ETR D2 answers with Map-Reply 13.0.0.2 -> 11.0.0.1 carrying EID-prefix: 2.0.0.0/8, Locator-set: 12.0.0.2, priority: 1, weight: 50; 13.0.0.2, priority: 1, weight: 50, which S2 installs as a Map-Cache Entry.]

Interworking with PITRs

• When a non-LISP site initiates a connection to a LISP site

[Diagram: the Non-LISP Site (Site prefix 128.1.0.0/16, routers S1/S2 via Provider A 10.0.0.0/8 and Provider B 11.0.0.0/8) sends 128.1.1.1 -> 2.2.2.2 toward the LISP Site (PI EID-prefix 2.2.0.0/16, ETRs D1 via Provider X 12.0.0.0/8 and D2 via Provider Y 13.0.0.0/8). PITRs with locator 64.0.0.1 advertise the aggregate 2.0.0.0/8 into the non-LISP Internet; a PITR encapsulates the packet as 64.0.0.1 -> 13.0.0.2, and D2 decapsulates and delivers 128.1.1.1 -> 2.2.2.2.]

Interworking with PETRs

• When a LISP site initiates a connection to a non-LISP site

[Diagram: the LISP Site (PI EID-prefix 1.0.0.0/8 and 2001:2610:1111::/48) with ITRs S1 via Provider A 10.0.0.0/8 and S2 via Provider B 11.0.0.0/8; PETRs with locator 64.0.0.1; an IPv4 Non-LISP Site (Site prefix 128.1.0.0/16, host 128.1.1.1, routers D1/D2 via Provider X 12.0.0.0/8, Provider Y 13.0.0.0/8) and an IPv6 Non-LISP Site (Site prefix 2001:128::/32, host 2001:128::1, routers E1/E2 behind 2001:128::/32, an IPv6 provider). The packet 1.0.0.1 -> 128.1.1.1 is encapsulated by the ITR as 10.0.0.1 -> 64.0.0.1 or 11.0.0.1 -> 64.0.0.1 to the PETR, which decapsulates and forwards 1.0.0.1 -> 128.1.1.1 natively. Likewise 2001:2610:1111::1 -> 2001:128::1 is carried to the PETR inside IPv4: the IPv6 LISP site talks to the IPv6 non-LISP site over an IPv4 core.]

LISP Operations
• LISP IPv4 EID / IPv4 RLOC Data Packet Header Example

[Diagram: packet layout, outermost first: IPv4 Outer Header (ITR supplies RLOCs), UDP Header, LISP Header, IPv4 Inner Header (Host supplies EIDs).]

LISP Operations
• LISP Encapsulation Combinations – IPv4 and IPv6 Supported

Every combination carries the same UDP + LISP header between the outer and inner IP headers:
• IPv6/IPv4: IPv6 Outer Header, UDP, LISP, IPv4 Inner Header
• IPv6/IPv6: IPv6 Outer Header, UDP, LISP, IPv6 Inner Header
• IPv4/IPv6: IPv4 Outer Header, UDP, LISP, IPv6 Inner Header
• IPv4/IPv4: IPv4 Outer Header, UDP, LISP, IPv4 Inner Header

Q: Doesn’t encapsulation cause MTU issues?

A: It can… But preparation limits issues…
‒ Encapsulation overhead is 36B IPv4 and 56B IPv6
‒ LISP supports “stateful” (PMTUD) and “stateless” (fragmentation) options
‒ Tunnel/MTU issues are well known (GRE, IPsec, etc.) and are usually operationally tractable
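As an added example (not from the slides), the ITR behaviour shown in the packet forwarding and mapping service diagrams together with the overhead figures from the MTU answer: a map-cache with longest-prefix lookup, priority/weight locator selection, and the encapsulation decision that pairs host-supplied EIDs with ITR-supplied RLOCs. Locator, MapCache and encapsulate are assumed names; the EID and RLOC values are the slide's.

```python
import ipaddress
from dataclasses import dataclass

# Outer IP + UDP (8) + LISP (8) header bytes: the 36B / 56B overhead quoted on the MTU slide.
LISP_OVERHEAD = {4: 20 + 8 + 8, 6: 40 + 8 + 8}

@dataclass(frozen=True)
class Locator:
    rloc: str
    priority: int  # lower value wins; only the best-priority set carries traffic
    weight: int    # share of traffic among locators of equal priority

class MapCache:
    """ITR map-cache keyed by EID-prefix, filled from Map-Replies (pull model, on demand)."""
    def __init__(self):
        self.entries = {}

    def install_map_reply(self, eid_prefix, locators):
        self.entries[ipaddress.ip_network(eid_prefix)] = tuple(locators)

    def lookup(self, eid):
        """Longest-prefix match; None is a map-cache miss (the ITR must send a Map-Request)."""
        eid = ipaddress.ip_address(eid)
        hits = [n for n in self.entries if eid in n]
        return self.entries[max(hits, key=lambda n: n.prefixlen)] if hits else None

def select_rloc(locators, flow_hash):
    """Pick the egress RLOC: best (lowest) priority first, then weights split flows
    proportionally, so the slide's two weight-50 locators share the load 50/50."""
    best = min(loc.priority for loc in locators)
    usable = [loc for loc in locators if loc.priority == best]
    point = flow_hash % sum(loc.weight for loc in usable)
    for loc in usable:
        if point < loc.weight:
            return loc.rloc
        point -= loc.weight

def encapsulate(cache, itr_rloc, src_eid, dst_eid, flow_hash):
    """ITR forwarding step: host supplies the EIDs (inner header), ITR supplies the RLOCs
    (outer header). Returns None on a cache miss so the caller can issue a Map-Request."""
    locators = cache.lookup(dst_eid)
    if locators is None:
        return None
    outer_src = ipaddress.ip_address(itr_rloc)
    return {"inner": (src_eid, dst_eid),
            "outer": (str(outer_src), select_rloc(locators, flow_hash)),
            "overhead": LISP_OVERHEAD[outer_src.version]}
```

The policy lives in the Map-Reply, which is why the slide says forwarding is controlled by the destination site: the ITR only applies the priorities and weights it was given.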


Thank You