Technical Whitepaper on Carrier Grade NAT (CGN)
ZTE Confidential & Proprietary
1 Basic Principle and Product Form of CGN
1.1 Overview
On February 3rd, 2011, ICANN announced that the last five groups of IPv4 addresses had been allocated and that no IPv4 addresses remained available. June 8 each year is the IPv6 Day across the world. IPv4 addresses are exhausted, but IPv6 network construction is not complete. To protect their investment and save cost, carriers will not replace a tremendous number of IPv4 devices with IPv6 or IPv4/IPv6 devices in the short term. Migrating the mass of IPv4 applications and services to IPv6 is also a large and complicated project, involving not only the carriers but also numerous software, content and service providers. IPv4 and IPv6 will coexist for a very long period of time. Carriers must solve the problems of IPv4/IPv6 interworking and insufficient IPv4 addresses to reduce the effect on customer use and growth. This provides a very broad stage for the development of a variety of NAT technologies, and CGN (Carrier Grade NAT) has come into being accordingly.
CGN is NAT in nature: it translates and maps addresses like ordinary NAT. By address family it is divided into three types: NAT44, NAT64 and NAT46. NAT44 translates and maps IPv4 addresses to IPv4 addresses, NAT64 IPv6 to IPv4, and NAT46 IPv4 to IPv6. By mapping it is divided into three types: dynamic NAT, static NAT and PAT (dynamic address and port mapping). Static NAT creates a fixed one-to-one mapping between an internal private network address and an external public network address. Dynamic NAT also creates a one-to-one mapping between an internal private network address and an external public network address, but the mapping is created dynamically and there is no fixed correspondence between a private network address and a public network address. The difference between PAT and dynamic NAT is that PAT uses the combination of a public network IP address and port number to map the addresses of different hosts, so that many private hosts can share one public address.
CGN products from different vendors are not identical in their dynamic mapping policy and filtering policy. Mapping policies and filtering policies each fall into three types. The three types of dynamic mapping policy are as follows:
- Endpoint-independent mapping (EIM): the mapping depends only on the private network source IP and source port. Even if the destination address and destination port differ, the private network source IP and source port are always mapped to the same public network source IP and source port.
- Address-dependent mapping (ADM): the mapping depends on the private network source IP, source port and destination address; in other words, a private network source IP, a source port and a specific destination address are mapped to a public network source IP and source port. If the private network source IP and source port are the same but the destination address differs, they are mapped to a different public network address and port.
- Address and port-dependent mapping (APDM): the mapping depends on the private network source IP, source port, destination address and destination port; in other words, packets from a private network source IP and source port to the same destination address and port are mapped to one specific public network source IP and source port. If the private network source IP, source port and destination IP are the same but the destination port differs, a separate mapping entry is created.
There are also three types of filtering policy, corresponding to the three CGN mapping policies above.
- Endpoint-independent filtering (EIF): the CGN only filters traffic that is not addressed to the mapped internal address X:x (address:port); it does not care about the source address or source port of the traffic.
- Address-dependent filtering (ADF): if the internal address X:x has not sent traffic to the external address Y, the CGN filters traffic from the external address Y to the internal address X:x. In other words, Y can send traffic to X:x only after X:x has sent traffic to Y.
- Address and port-dependent filtering (APDF): if the internal address X:x has not sent traffic to the external address Y:y, the CGN filters traffic from the external address Y:y to the internal address X:x. In other words, Y:y can send traffic to X:x only after X:x has sent traffic to Y:y.
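The six policies above decide, for a given outbound flow, which public address:port is used and which inbound packets are admitted. The following Python model is added here for illustration and is not taken from the whitepaper or any ZTE product; it implements all three mapping policies and all three filtering policies over one public IP with constructed addresses, so the behaviours can be compared side by side.

```python
from itertools import count

EIM, ADM, APDM = "EIM", "ADM", "APDM"      # mapping policies
EIF, ADF, APDF = "EIF", "ADF", "APDF"      # filtering policies


class Cgn:
    """Minimal NAT44 model with one public IP and sequentially allocated ports.

    Constructed model for illustration only; it is not ZTE's implementation.
    src/dst/remote are (ip, port) tuples; X:x in the text is `src` here."""

    def __init__(self, public_ip, mapping=EIM, filtering=EIF):
        self.public_ip = public_ip
        self.mapping = mapping
        self.filtering = filtering
        self.ports = count(1024)   # next free public port
        self.table = {}            # mapping key -> public port
        self.sessions = {}         # public port -> (internal src, set of peers contacted)

    def _key(self, src, dst):
        # The mapping policy decides which fields select a mapping entry.
        if self.mapping == EIM:
            return src                 # source only
        if self.mapping == ADM:
            return (src, dst[0])       # source + destination address
        return (src, dst)              # APDM: source + destination address and port

    def outbound(self, src, dst):
        """Translate an outbound packet; return the public (ip, port) it leaves with."""
        key = self._key(src, dst)
        port = self.table.get(key)
        if port is None:
            port = next(self.ports)
            self.table[key] = port
            self.sessions[port] = (src, set())
        self.sessions[port][1].add(dst)   # remember Y:y for the filtering check
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Apply the filtering policy to a packet from `remote` addressed to
        public_port; return the internal X:x it is delivered to, or None if dropped."""
        entry = self.sessions.get(public_port)
        if entry is None:
            return None                    # no mapping exists for this port at all
        internal, peers = entry
        if self.filtering == EIF:
            return internal                # anyone may reach the mapped port
        if self.filtering == ADF:
            return internal if any(p[0] == remote[0] for p in peers) else None
        return internal if remote in peers else None   # APDF: exact Y:y required
```

With EIM the two outbound flows from the same X:x share one public port, while APDM allocates a new port per destination address and port, which is exactly the difference that decides whether a third party can reach the host through the mapping.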
1.2 NAT444 CGN
NAT444 means two levels of IPv4 NAT, namely IPv4 - NAT1 - IPv4 - NAT2 - IPv4. The first-level NAT is between two private network IPv4 address ranges, and the second-level NAT is between private network IPv4 and public network IPv4. With NAT444, carriers can reduce the demand for public network IPv4 addresses: if they deploy private network addresses in the customer and access networks, a large number of public network IPv4 addresses are saved. NAT444 is very important to a carrier with limited IPv4 addresses because it greatly slows down the depletion of IPv4 addresses. NAT444 makes only a small change to existing networks and does not require large-scale network reconstruction. New users and access networks can employ NAT444 CGN, which is an IPv4 mapping and translation technology and does not involve IPv6/IPv4 interworking. The first-level NAT is performed by the CPE device of the user or carrier, and the second-level NAT by the carrier's CGN.
Figure 1-1 NAT444 (CPE NAT between two private IPv4 ranges at the user side; CGN between private IPv4 and public IPv4 in the service provider's IPv4 network)
1.3 DS-Lite CGN
It is an irreversible trend for carriers to deploy IPv6 networks, and there will be ever more IPv6 access networks and backbone networks. DS-Lite CGN, the dual-stack CGN, allows an IPv4 end user to access IPv4 networks and services via an IPv6 access network. The dual-stack CGN supports IPv4 and IPv6 at the same time.
A dual-stack CPE device forwards the user's IPv4 traffic to a DS-Lite CGN via a 4in6 tunnel; the DS-Lite CGN terminates the 4in6 tunnel and translates the private network address into a public network address. The NAT444 CGN performs two NATs while the DS-Lite CGN performs only one. The DS-Lite CGN supports an IPv6 or IPv4/IPv6 access network, while the NAT444 CGN supports an IPv4 access network.
Figure 1-2 DS-Lite CGN principle (Dual-Stack Lite tunnels IPv4 packets over IPv6 between the user's CPE and the CGN. The CPE is the IPv6 tunnel endpoint (IPv6 SA); the example user source address is 10.1.1.1 and the CGN outside address is 201.15.12.1. Address mapping: inside = IPv6 SA + IPv4 SA + port; outside = IPv4 outside address + port.)
The user traffic is forwarded from the CPE device to a DS-Lite CGN via a 4in6 tunnel; the CGN translates the private network address into a public network address (from the IPv4 source address and source port to a public network IPv4 address and port), and the traffic finally reaches the public network. When the return traffic from the public network passes the DS-Lite CGN, the CGN must select the proper CPE device to deliver the traffic to the customer. CPE devices cannot be distinguished by the IPv4 source address alone, because the users behind different CPE devices may have the same private network IPv4 addresses. The DS-Lite CGN therefore adds the IPv6 address of the CPE device, namely the source address from which the CPE device originates the IPv6 tunnel, to the address translation entry. This unique IPv6 source address identifies the CPE device, and the DS-Lite CGN sends the traffic to the proper CPE device.
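To see why the IPv6 tunnel source has to be part of the translation entry, the following Python model (added here for illustration; it is not the whitepaper's or ZTE's code) keys DS-Lite sessions on tunnel IPv6 source + private IPv4 source + port, using two constructed CPEs that both use 10.1.1.1 behind the outside address 201.15.12.1 from Figure 1-2; the CPE tunnel addresses are constructed.

```python
from itertools import count


class DsLiteCgn:
    """NAT44 state of a DS-Lite CGN (constructed model, not ZTE's code).

    Inside key  = (CPE tunnel IPv6 source, private IPv4 source, source port)
    Outside key = public port on the CGN's outside IPv4 address"""

    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.ports = count(5000)   # next free public port
        self.in_to_out = {}        # inside key -> public port
        self.out_to_in = {}        # public port -> inside key

    def outbound(self, tunnel_v6_src, v4_src, sport):
        """A 4in6 packet is decapsulated; the IPv6 tunnel source is kept as part
        of the mapping key. Returns the translated public (ip, port)."""
        key = (tunnel_v6_src, v4_src, sport)
        if key not in self.in_to_out:
            port = next(self.ports)
            self.in_to_out[key] = port
            self.out_to_in[port] = key
        return (self.outside_ip, self.in_to_out[key])

    def inbound(self, public_port):
        """Return traffic: look up the public port and return
        (IPv6 tunnel endpoint to encapsulate toward, private IPv4 dst, dst port),
        or None if the CGN holds no such mapping."""
        return self.out_to_in.get(public_port)


def ipv4_only_keys(flows):
    """What a plain NAT44 would key on if the tunnel source were discarded:
    overlapping private addresses behind different CPEs collapse into one key."""
    return {(v4_src, sport) for _v6, v4_src, sport in flows}
```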
1.4 NAT64 CGN
NAT64 is a stateful IPv6-to-IPv4 mapping technology in which the CGN maintains the IPv6-IPv4 address translation table. NAT64 has an obvious characteristic: it only allows an IPv6 host to initiate a connection request to an IPv4 server. NAT64 also involves DNS64. Before accessing IPv4, an IPv6 host needs to query a DNS64 server to obtain a usable IPv6 address for a domain name. The DNS64 server may need to query an IPv4 DNS server and translate the IPv4 address into an IPv6 address. This requires that the DNS server working with NAT64 has DNS64 functionality to translate A records into AAAA records.
Figure 1-3 NAT64 CGN principle (IPv6 network, CGN (NAT64), DNS with DNS64, IPv4 network; IPv4 side example: Src 200.0.0.1, Dst 192.0.2.33; IPv6 side example: Src 2001:db8:1c8:0:1::, Dst 2002:db8:1c0:2:21::)
The NAT64 client-server communication process is as follows:
Figure 1-4 Principle of NAT64 CGN: IPv6 network access to IPv4 network (IPv6 client 2002:db8::200, DNS64, authoritative DNS server, NAT64 with public address 202.1.1.1, IPv4 server 80.1.1.1. Steps 1-5 are the DNS exchange: AAAA query example.com to the DNS64, AAAA query to the authoritative DNS, NS response, A query example.com, A response 80.1.1.1, synthesized AAAA response 2001:db8:8000::80.1.1.1. Steps 6-10 are the data path: Src 2002:db8::200 port 10001 to Dst 2001:db8:8000::80.1.1.1 port 80; after NAT64, Src 202.1.1.1 port 5000 to Dst 80.1.1.1 port 80; the reply Src 80.1.1.1 port 80 to Dst 202.1.1.1 port 5000 is translated back to Src 2001:db8:8000::80.1.1.1 port 80, Dst 2002:db8::200 port 10001.)
Procedure:
1. An IPv6 host sends a AAAA domain name request to its IPv6 DNS server.
2. After receiving the request from the IPv6 host, the DNS64 server queries the local DNS. If it finds an AAAA record, it sends the address of the domain name to the IPv6 host; otherwise it sends a AAAA request to the upper-level DNS. If no AAAA record is found in the entire system, it sends an A request to the IPv4 network. After receiving the A response, it embeds the IPv4 address into the configured Prefix64 address, translating the A record into a AAAA record, and sends the AAAA record to the IPv6 host.
3. After getting the AAAA record, the IPv6 host uses the IPv6 address with the embedded IPv4 address of the IPv4 server to initiate a connection request.
4. After reaching the NAT64, the request undergoes IPv6-to-IPv4 address translation and protocol conversion, and the translated IPv4 packet is sent to the IPv4 network and finally to the IPv4 server.
5. The IPv4 server responds to the connection request.
6. After the IPv4 response packet from the IPv4 server reaches the NAT64, the NAT64 identifies the destination address as a NAT64 address, searches for the NAT64 mapping, and conducts the IPv4-to-IPv6 address translation and protocol conversion for the IPv4 packet. The IPv6 packet is then sent to the IPv6 network and finally to the IPv6 client. The connection is created in this way.
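The DNS64 synthesis in step 2 and the translations in steps 4 and 6 can be modelled together. The following Python is added here as an illustration, not taken from the whitepaper or a ZTE product; it uses the addresses from Figure 1-4 (client 2002:db8::200, NAT64 public address 202.1.1.1, server 80.1.1.1) and assumes Prefix64 is 2001:db8:8000::/96, which is consistent with the synthesized address shown in the figure.

```python
import ipaddress
from itertools import count

# Assumed Prefix64 (a /96, so the IPv4 address occupies the low 32 bits).
PREFIX64 = ipaddress.IPv6Network("2001:db8:8000::/96")


def synthesize_aaaa(ipv4, prefix=PREFIX64):
    """DNS64 step: embed an IPv4 address into Prefix64 to form a AAAA record."""
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(ipv6, prefix=PREFIX64):
    """NAT64 step: recover the IPv4 destination from a Prefix64-synthesized address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError("%s is not a NAT64 address" % addr)
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_answer(name, aaaa_records, a_records):
    """Return AAAA answers: native records if they exist, otherwise records
    synthesized from the A records (records are constructed dicts name -> list)."""
    if aaaa_records.get(name):
        return [ipaddress.IPv6Address(a) for a in aaaa_records[name]]
    return [synthesize_aaaa(a) for a in a_records.get(name, [])]


class Nat64:
    """Stateful NAT64 with one public IPv4 address (constructed model, not ZTE's code)."""

    def __init__(self, public_ip):
        self.public_ip = ipaddress.IPv4Address(public_ip)
        self.ports = count(5000)   # next free public port
        self.v6_to_port = {}       # (IPv6 src, src port) -> public port
        self.port_to_v6 = {}       # public port -> (IPv6 src, src port)

    def outbound(self, v6_src, sport, v6_dst, dport):
        """IPv6 client -> IPv4 server (step 4). Returns the IPv4 4-tuple
        (src ip, src port, dst ip, dst port) that leaves the NAT64."""
        key = (ipaddress.IPv6Address(v6_src), sport)
        if key not in self.v6_to_port:
            port = next(self.ports)
            self.v6_to_port[key] = port
            self.port_to_v6[port] = key
        return (self.public_ip, self.v6_to_port[key], extract_ipv4(v6_dst), dport)

    def inbound(self, v4_src, sport, v4_dst, dport):
        """IPv4 server -> IPv6 client (step 6). Only packets addressed to an
        existing mapping are translated; anything else returns None (dropped)."""
        if ipaddress.IPv4Address(v4_dst) != self.public_ip or dport not in self.port_to_v6:
            return None
        v6_dst, client_port = self.port_to_v6[dport]
        return (synthesize_aaaa(v4_src), sport, v6_dst, client_port)
```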
1.5 CGN Product Form
CGN generally has three product forms: stand-alone, CR insertion-card and BRAS insertion-card. They are defined as follows:
A stand-alone CGN is a device that handles only the CGN service and no other services such as access or routing. It can be attached to a CR or a BRAS.
A CR insertion-card CGN is a CR fitted with a card dedicated to CGN, integrating routing and CGN functions and providing CGN for all users in the metro networks connected to that CR.
A BRAS insertion-card CGN is a BRAS fitted with a processing card dedicated to CGN, integrating access and CGN functions and providing CGN for all users accessed via that BRAS.
Because they need to support a variety of services, the insertion-card products place high performance and reliability requirements on the CR and BRAS, and they occupy extra service slots, which affects the future capacity expansion of the CR and BRAS. The stand-alone CGN is therefore recommended. Several stand-alone CGNs can be attached to a CR or BRAS for backup and load balancing.
Figure 1-5 CGN product form (technology form: NAT444, DS-Lite, NAT64; product form: stand-alone, CR card-insertion, BRAS card-insertion; deployment form: centralized, distributed)
2 CGN Application Scenario and Analysis
None of the three mainstream CGN technologies is better or worse than the others; they are adopted at different stages of the transition from IPv4 to IPv6. When the IPv6 network is completed and IPv4 addresses are close to depletion, NAT444 can meet the needs of new users, and IPv6 network deployment should be considered. When the IPv6 access network is established and users are not to be forced to change their configuration and habits, DS-Lite can be adopted. When IPv6 networks and users reach a certain size but a certain number of IPv4 services and applications remain in the network, NAT64 enables IPv6 users to access IPv4 networks.
CGN deployments of the different technologies are either centralized or distributed, and their application scenarios are similar. NAT444 CGN is taken as the example below to discuss the distributed and centralized deployments.
2.1 Distributed Deployment of Stand-alone NAT444 CGN
In the distributed deployment, a stand-alone CGN is attached to a BRAS and works with that metro network BRAS. An ordinary user is allocated a private network IPv4 address by the BRAS through PPPoE or IPoE. The user's IPv4 traffic reaches the BRAS user side via a CPE. The BRAS is configured with a policy route that leads the user traffic into the stand-alone CGN, and the CGN translates the private network source address and source port of the traffic into a public network address and port according to the configured mapping rules. The translated user traffic is sent from the CGN back to the BRAS, and then forwarded from the BRAS network side to a metro network SR/CR, as shown below:
Figure 2-1 Distributed deployment of stand-alone NAT444 CGN (CPEs connect to several BRASs in the IPv4 network; each BRAS has a stand-alone NAT444 CGN attached; the AAA server, NM server and log server are shared)
2.2 Distributed Deployment of BRAS Insertion-card NAT444 CGN
In this distributed deployment, a dedicated CGN card is inserted into a BRAS and works with that metro network BRAS. Unlike a stand-alone CGN, an insertion-card CGN is integrated with the BRAS and needs no new rack or line resources, which saves equipment room space. An ordinary user is allocated a private network IPv4 address by the BRAS through PPPoE or IPoE. The user's IPv4 traffic reaches the BRAS user side via a CPE. After the BRAS leads the user traffic into the dedicated CGN card, the card translates the private network source address and source port of the traffic into a public network address and port according to the configured mapping rules. The translated user traffic is sent from the CGN card back to the BRAS, and then forwarded from the BRAS network side to a metro network SR/CR, as shown below:
Figure 2-2 Distributed deployment of BRAS insertion-card NAT444 CGN (CPEs connect to BRASs in the IPv4 network; each BRAS carries a BRAS insertion-card NAT444 CGN; the AAA server, NM server and log server are shared)
2.3 Centralized Deployment of Stand-alone NAT444 CGN
In the centralized deployment, a stand-alone NAT444 CGN is attached to a CR and works with that CR. The centralized CGN deployment simplifies network management, but it places high performance and stability requirements on the CGN device, which has to translate addresses for the entire metro network. Deploying hot-standby CGNs is recommended. A user is allocated a private network IPv4 address through PPPoE or IPoE. The user's IPv4 traffic reaches the BRAS user side via a CPE and then the metro network CR via the BRAS network side. The CR is configured with a policy route that leads the user traffic into the stand-alone CGN, and the CGN translates the private network source address and source port of the traffic into a public network address and port according to the configured mapping rules. The translated user traffic is sent from the CGN back to the CR.
Note that a private network route has to be planned on every device except the CR along the path from the user to the CR, as shown below:
Figure 2-3 Centralized deployment of stand-alone NAT444 CGN (CPEs in the IPv4 private network connect to BRASs, which connect to CRs; a stand-alone NAT444 CGN is attached to each CR; the AAA server, NM server and log server are shared)
2.4 Centralized Deployment of CR Insertion-card NAT444 CGN
In this centralized deployment, a dedicated CGN card is inserted into a spare CR slot and works with that CR. Unlike a stand-alone CGN, an insertion-card CGN is integrated with the CR and needs no new rack or line resources, which saves equipment room space. An ordinary user is allocated a private network IPv4 address by the BRAS through PPPoE or IPoE. The user's IPv4 traffic reaches the BRAS user side via a CPE and then the metro network CR via the BRAS network side. After the CR leads the user traffic into the dedicated CGN card, the card translates the private network source address and source port of the traffic into a public network address and port according to the configured mapping rules. The translated user traffic is sent from the CGN card back to the CR, as shown below:
Figure 2-4 Centralized deployment of CR insertion-card NAT444 CGN (CPEs in the IPv4 private network connect to BRASs, which connect to CRs; each CR carries a CR insertion-card NAT444 CGN; the AAA server, NM server and log server are shared)
2.5 CGN Deployment Analysis
Centralized and distributed deployments have different characteristics. The distributed deployment prevents a single-point failure from affecting the whole system, while the centralized deployment is easier to control and manage than the distributed deployment. CGN deployment also depends heavily on the BRAS/CR in the existing network: for example, the insertion-card CGN needs the support of the BRAS or CR, otherwise the stand-alone CGN must be selected. Many factors have to be taken into account in an actual CGN deployment.
- The insertion-card CGN occupies a service slot. Generally, the traffic ratio between service cards and CGN cards should be considered. If CGN cards need to back each other up, more service slots will be occupied.
- A CGN service may combine DS-Lite, NAT444 and NAT64. In this case, an insertion-card CGN service is very complicated. The CGN service is still in the pilot phase; if it needs to support different ALGs, version upgrades may be quite frequent, and insertion-card upgrade and maintenance will be very difficult. When hot-standby CR/BRAS pairs are combined with hot-standby CGNs, the situation is even more complex, and management and maintenance more difficult.
- The centralized deployment of the stand-alone CGN requires less investment and takes effect quickly; it is quick to deploy, easy to set up as a customer pilot, and requires only a small transformation of the existing network devices. One CGN can set up a customer pilot. As long as the CGN service is deployed, NAT444, NAT64 and DS-Lite can be
- The stand-alone CGN makes it easy to deploy hot standby while balancing the load. It provides stronger protection than inter-card backup: it protects against link failure, single-device failure and card failure, while inter-card backup only protects against card failure.
- The stand-alone CGN is easy to upgrade and maintain. The CGN can upgrade its ALGs by upgrading itself. With hot standby, the CGN can upgrade services without any interruption.
Table 2-1 Different CGN deployments

Deployment mode | Investment analysis | CGN deployment difficulty | CGN reliability | CGN maintainability
Distributed deployment of stand-alone NAT444 CGN | High (each BRAS is configured with a stand-alone device) | Difficult (each BRAS is configured with a stand-alone device) | High (CGN hot standby) | Simple upgrade and maintenance
Distributed deployment of BRAS insertion-card CGN | High (each BRAS is configured with a new CGN card) | Difficult (occupies a BRAS slot) | Low (CGN card hot standby) | Complex upgrade and maintenance
Centralized deployment of stand-alone NAT444 CGN | Low (a stand-alone device is added) | Easy (attached to the CR) | High (CGN hot standby) | Simple upgrade and maintenance
Centralized deployment of CR insertion-card NAT444 CGN | Low (the CR is configured with a new CGN card) | Easy (occupies a CR slot) | Low (CGN card hot standby) | Complex upgrade and maintenance
3 Abbreviations
Table 3-1 Abbreviations

Abbreviation | Full name
CGN | Carrier Grade NAT
BRAS | Broadband Remote Access Server
CR | Core Router
SR | Service Router
NAT | Network Address Translation
ICANN | Internet Corporation for Assigned Names and Numbers