Router
V600R006C00
Issue 03
Date 2013-08-20
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Purpose
This document describes the principles, applications and security features of IPv4 to IPv6
transition technologies.
CAUTION
Note the following precautions:
- Currently, the device supports the AES and SHA2 algorithms. AES is a reversible (encryption) algorithm, while SHA2 is an irreversible (hash) algorithm. A protocol interworking password must be reversible, because the device has to recover it to run the protocol, and a local administrator password must be irreversible.
- If the plain parameter is specified, the password is saved in plaintext in the configuration file, which is a high security risk. Specifying the cipher parameter is therefore recommended. To further improve device security, change the password periodically.
- Do not set both the start and end characters of a password to "%$%$". This causes the password to be displayed directly in the configuration file.
Related Versions
The following table lists the product versions covered by this document.
Intended Audience
This document is intended for:
- Commissioning engineers
- Data configuration engineers
- System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows:
Symbol Description
Change History
Changes between document issues are cumulative. The latest document issue contains all the
changes made in earlier issues.
Contents
2 L2-Aware NAT
  2.1 Introduction
  2.2 References
  2.3 Principles
    2.3.1 L2-Aware NAT Principle
    2.3.2 Comparison of NAT Technologies
  2.4 Applications
    2.4.1 L2-Aware NAT Deployment
  2.5 Terms, Acronyms, and Abbreviations
3 DS-Lite
  3.1 Introduction
  3.2 References
  3.3 Principles
    3.3.1 Basic DS-Lite Principle
    3.3.2 CPE Obtaining Tunnel Destination Address
  3.4 Applications
    3.4.1 DS-Lite Deployment
1 NAT444
1.1 Introduction
Definition
Network address translation (NAT) is an important technology used in the transition from IPv4
to IPv6 networks. NAT44 allows an IPv4 address to be translated into another IPv4 address.
NAT444 is NAT44 performed twice, once on a customer premises equipment (CPE) device and
the second time on a carrier-grade NAT (CGN) device. Because of its efficiency, NAT444, also
called large scale NAT (LSN), is utilized in situations where NAT is used on carrier networks
on a large scale.
Purpose
With NAT444, a large number of private source IP addresses can share a small number of public
source IP addresses, alleviating the stress of IPv4 address resource exhaustion.
Benefits
Benefits to carriers
1.2 References
Document No.                               Document Name   Remarks
draft-nishitani-cgn                        -               -
draft-shirasaki-nat444                     -               -
draft-shirasaki-nat444-isp-shared-addr     -               -
1.3 Principles
The flexible card versatile service unit VSUF-/80/160 cannot support the No-PAT mode.
[Figure: NAT44 principle. The user host (1.1.1.1:5000) sends to the server (2.2.2.2:5000) through the router, which translates the source address to 2.2.2.1:2000; the reply addressed to 2.2.2.1:2000 is translated back to 1.1.1.1:5000. Packets (1) to (4) are described below.]
1. The user sends a packet with the source address of 1.1.1.1:5000 and destination address of
2.2.2.2:5000 to the server.
2. The source address of the packet sent from the user to the server is translated from
1.1.1.1:5000 to 2.2.2.1:2000 by the router.
3. After receiving the packet, the server sends a reply packet with the source address of
2.2.2.2:5000 and destination address of 2.2.2.1:2000.
4. The destination address of the packet sent from the server to the user is translated from
2.2.2.1:2000 back to the original 1.1.1.1:5000 by the router.
NAT444 principle
NAT444 is NAT44 performed twice, once on a CPE device and once on a CGN device, as shown in
Figure 1-2.
NOTE
A VPN-NAT user cannot log in to the CGN device using Telnet in NAT444 scenarios. If such access is
required, configure filtering based on ACL rules.
[Figure 1-2: NAT444 principle. PC (source 192.168.0.1:8000) -> CPE (source translated to 10.0.0.1:9000) -> CGN (source translated to 100.0.0.1:11000) -> server 128.0.0.1:80. Packets (1) to (3) are described below.]
1. The PC sends a packet with the source IP address of 192.168.0.1:8000 and the destination
IP address of 128.0.0.1:80 to the server. The source IP address is a private network IPv4
address.
2. The packet is first translated on the CPE device, and the source IP address is translated into
10.0.0.1:9000. The source IP address is a private network IPv4 address.
3. The packet is then translated on the CGN device, and the source IP address is translated
into 100.0.0.1:11000. The source IP address is a public network IPv4 address.
Port pre-allocation
In the port pre-allocation (port range) model, a public IP address and a port segment are pre-allocated
to a private IP address when a CGN device maps the two. The public IP address and the ports in
the port segment are then used for all mappings of that private IP address.
CGN device allocates an extended port segment. The maximum number of extensions
indicates how many extended port segments can be allocated.
destination port when the private network host initiates the request for accessing the public
network.
NAT Server
NAT hides internal hosts from public networks. In real-world situations, however, public hosts need
to access an internal server, such as a WWW or FTP server, which must then be reachable from the
public network.
Address translation allows internal servers to be deployed flexibly. For example, 202.110.10.10,
or even an address and port such as 202.110.10.12:8080, can be used as the public address of a web
server, and 202.110.10.11 as the public address of an FTP server. In addition, multiple servers of the
same type, such as web servers, can be offered to public users.
After internal servers are deployed, the corresponding public addresses and ports are mapped to
the internal servers, allowing public hosts to access them.
When a public host initiates a request to access an internal server, the NAT device checks the
destination of the public packet against the user's static configuration. If the destination is an
internal server, the destination address is translated into the private address and port of that
server. When an internal server sends a packet to a public host, the NAT device looks up the
source address to check whether the packet was sent by an internal server. If so, the source address
is translated into the corresponding public address.
Port Forwarding
NAT often allows only internal users of a private network to initiate access requests to public
networks, whereas public network users cannot initiate access requests to private networks. NAT
server provides a mechanism that allows public network users to initiate access requests to
private networks. However, NAT server applies to a centralized deployment scenario for static
mapping configuration. Static mapping cannot be used in a distributed deployment scenario.
Users are assigned private IP addresses during login, and therefore mappings between public
and private IP addresses cannot be configured using NAT server.
Port forwarding configures static mapping during user login, allowing public network users to
access private network users using public IP addresses and ports.
During user login, port forwarding rules are delivered from the OSS system or RADIUS server
to a CGN device to establish static mappings between public and private IP addresses and ports.
After traffic from public networks arrives, the CGN device checks destination IP addresses and
ports of packets against static mappings. When matching static mappings are found, these
destination IP addresses and ports are translated according to the matching static mappings, and
the packets are sent to private users. As a next step, a session table is generated. Subsequent
packets of the traffic are then sent according to the session table.
The public IP address of an internal server is fixed, whereas the public IP address used by the
port forwarding mechanism is either statically specified or dynamically bound.
On the other hand, when the number of TCP, UDP, ICMP, or all-protocol ports used by a user is
lower than the configured threshold, additional ports can be allocated to the user.
Session limit
Because NAT444 is a stateful address translation technology, session tables are a key resource of
a CGN device. If a user launches a DoS attack, such as a SYN flood, the flow table resources of the
CGN device may be exhausted. Other users are then prevented from creating flow entries and
consequently fail to get online. To help prevent this situation, the number of TCP, UDP, or ICMP
sessions established per IP address needs to be monitored. When the number of TCP, UDP, or
ICMP sessions from a source IP address or to a destination address reaches the preset threshold,
the system suppresses new connections from that source address or to that destination address.
When the number of TCP, UDP, or ICMP sessions from a source IP address or to a destination
address falls back below the preset threshold, the system again allows new connections from the
source address or to the destination address.
NAT logs address the source tracing problem. NAT logs record the mapping between private and
public network addresses, so the private source address of a packet can be traced from its public
network address. Network activities and operations can therefore be identified accurately,
improving network security and availability.
A CGN device offers three types of NAT logs: RADIUS logs, sysLogs, and traffic (session) logs.
RADIUS Log
RADIUS logs are used on CGN devices in distributed deployment mode to record information
about user table entry creation and aging, and additional port allocation and reclamation.
RADIUS logs are recorded during user login and logout, and during allocation and reclamation
of additional ports. RADIUS logs recording mappings between private and public IP addresses
are carried in accounting packets, which are then sent to a RADIUS server. You can trace users
on a RADIUS server using RADIUS logs.
sysLog
sysLogs can be used on CGN devices in distributed and centralized deployment modes to record
information about user table entry creation and aging, and additional port allocation and
reclamation. sysLogs are recorded during user login and logout, and during additional port
allocation and reclamation. Mappings between private and public IP addresses are carried in
sysLogs, which are then sent to a RADIUS server in syslog format.
Session Log
Session logs can be used on CGN devices in distributed and centralized deployment modes to
record information about session entry creation and aging. Source IP addresses, source ports,
destination IP addresses, translated source IP addresses, translated source ports, and protocol
numbers are carried in session logs, which are then sent in binary format to a log server. A session
log contains much more data than a RADIUS log or sysLog. Session logs record user network
behaviors, so these logs are used not only for source tracing but also user behavior monitoring.
NOTE
Because a session log contains a large volume of data that can adversely affect performance, use sysLogs
when you only need to trace users.
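The CGN-side mechanisms described in the port pre-allocation, session limit and NAT log sections above, modelled together in one added example that is not Huawei code: the public address 100.0.0.1, a block size of 4 ports, one allowed extension and a limit of 5 sessions per private IP are constructed values, and the log records are illustrative rather than the device's real sysLog or binary session-log format.

```python
from collections import defaultdict

class CGN:
    """Toy model of the CGN behaviour described above: port pre-allocation
    with extension, a per-user session limit, and log records for tracing.
    Added example; pool, block size and thresholds are constructed values."""

    def __init__(self, public_ip="100.0.0.1", first_port=11000,
                 block_size=4, max_extensions=1, session_limit=5):
        self.public_ip = public_ip
        self.next_block = first_port            # start of the next free port block
        self.block_size = block_size
        self.max_extensions = max_extensions    # extended blocks allowed per user
        self.session_limit = session_limit      # sessions allowed per private IP
        self.blocks = defaultdict(list)         # private IP -> [(lo, hi), ...]
        self.free_ports = defaultdict(list)     # private IP -> unused pre-allocated ports
        self.sessions = {}                      # 5-tuple -> translated public port
        self.session_count = defaultdict(int)   # private IP -> active sessions
        self.syslog, self.session_log = [], []  # user-table log, session log

    def _allocate_block(self, priv_ip):
        """Give priv_ip its initial block, or one extension block while allowed."""
        n = len(self.blocks[priv_ip])
        if n > self.max_extensions:             # initial block + max_extensions used up
            return False
        lo, hi = self.next_block, self.next_block + self.block_size - 1
        self.next_block = hi + 1
        self.blocks[priv_ip].append((lo, hi))
        self.free_ports[priv_ip].extend(range(lo, hi + 1))
        kind = "USER_CREATE" if n == 0 else "PORT_EXTEND"   # sysLog-style record
        self.syslog.append(f"{kind} priv={priv_ip} pub={self.public_ip} ports={lo}-{hi}")
        return True

    def new_session(self, proto, src, sport, dst, dport):
        """Translate a new flow; return (public_ip, port) or None if refused."""
        if self.session_count[src] >= self.session_limit:
            return None                         # session limit reached: suppress
        if not self.free_ports[src] and not self._allocate_block(src):
            return None                         # pre-allocated ports exhausted
        pub_port = self.free_ports[src].pop(0)
        self.sessions[(proto, src, sport, dst, dport)] = pub_port
        self.session_count[src] += 1
        # The session log carries the full pre- and post-translation tuple.
        self.session_log.append((src, sport, dst, dport, self.public_ip, pub_port, proto))
        return self.public_ip, pub_port

    def close_session(self, key):
        """Session aging: release the port back to the user's pre-allocated block."""
        pub_port = self.sessions.pop(key)
        self.session_count[key[1]] -= 1
        self.free_ports[key[1]].append(pub_port)

    def trace(self, pub_ip, pub_port):
        """Source tracing from the user-table records: public ip:port -> private IP."""
        if pub_ip != self.public_ip:
            return None
        for priv_ip, blocks in self.blocks.items():
            if any(lo <= pub_port <= hi for lo, hi in blocks):
                return priv_ip
        return None

def demo():
    """A CPE-translated host 10.0.0.1 opens six flows to 128.0.0.1:80 (constructed)."""
    cgn = CGN()
    results = [cgn.new_session("tcp", "10.0.0.1", 9000 + i, "128.0.0.1", 80)
               for i in range(6)]
    return cgn, results
```

demo() returns the CGN instance together with the six translation results, so the syslog and session_log lists can be inspected: the fifth flow triggers a PORT_EXTEND record and the sixth is refused by the session limit.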
1.4 Applications
Distributed deployment
In distributed deployment, NAT is performed on a BRAS which also functions as a CGN device.
The distributed networking is shown in Figure 1-3.
In distributed deployment, the CGN device is associated with the user's online processes through
the BRAS device. Relying on its mature mechanism for managing RADIUS users, the BRAS/CGN
device traces sources and delivers user NAT policies. In addition, the CGN device is located
physically closer to users and consequently scales better than in an integrated deployment. The
CGN device therefore does not become a performance bottleneck, and distributed deployment is
the primary CGN deployment mode.
[Figure 1-3: Distributed deployment. PC1 and PC2 behind CPE1, and PC3 and PC4 behind CPE2, connect through a BRAS/CGN to the IPv4 network.]
Integrated deployment
In integrated deployment, a CGN card is inserted or a CGN device is attached to a CR to perform
NAT. The integrated networking is shown in Figure 1-4.
Integrated deployment was used in the earlier phase, and a CGN device was attached to a CR.
The integrated deployment mode was used in the scenario where there were only a small number
of sparsely located users.
NOTE
In the access scenario of Layer 2 or Layer 3 leased line users, the integrated deployment mode must be
used.
[Figure 1-4: Integrated deployment. PC1 to PC4 behind CPE1 and CPE2 connect through BRAS devices to a CR and an SR/CGN, which attaches to the IPv4 network.]
2 L2-Aware NAT
2.1 Introduction
Definition
L2-Aware NAT is a special NAT technology that translates private network IP addresses and
port IDs into public network IP addresses and port IDs. In L2-Aware NAT, user location
information (PPP session ID, MAC address, and user VLAN ID) together with the private network
IP address and port ID is mapped to a public network IP address and port ID.
Purpose
Like NAT444, L2-Aware NAT also addresses IPv4 address exhaustion.
Benefits
Benefits to carriers
- Compared with NAT444, NAT is performed once in L2-Aware NAT, reducing NAT
translation delays.
- L2-Aware NAT is mature and easy to deploy.
- CPE devices do not need to be upgraded, saving cost.
2.2 References
Document No.    Document Name    Remarks
2.3 Principles
2.3.1 L2-Aware NAT Principle
[Figure: L2-Aware NAT. PC1 (MAC 00-24-7E-0F-3C-01, IP 192.168.1.1, port 5172) behind CPE1 (WAN MAC 00-24-7E-0F-4D-01) and PC4 (MAC 00-24-7E-0F-3C-04, IP 192.168.1.1, port 5172) behind CPE2 (WAN MAC 00-24-7E-0F-4D-02) both reach the CGN (WAN MAC 00-24-7E-0F-5E, IP 69.1.1.1); PC2 and PC3 are also attached. The CGN maps <00-24-7E-0F-4D-01+192.168.1.1,5172> to <69.1.1.1,7007> and <00-24-7E-0F-4D-02+192.168.1.1,5172> to <69.1.1.1,8008>.]
1. PC1 and PC4 access the network. The source MAC address of the packet sent by PC1 is
00-24-7E-0F-3C-01, IP address is 192.168.1.1, and port ID is 5172. The source MAC
address of the packet sent by PC4 is 00-24-7E-0F-3C-04, IP address is 192.168.1.1, and
port ID is 5172.
2. CPE1 and CPE2 forward the packets at Layer 3. The source MAC address of the packet
forwarded by CPE1 is 00-24-7E-0F-4D-01, IP address is 192.168.1.1, and port ID is 5172.
The source MAC address of the packet forwarded by CPE2 is 00-24-7E-0F-4D-02, IP
address is 192.168.1.1, and port ID is 5172. The source MAC address of the packet is
changed to the MAC address of a WAN port of the CPE device.
3. The CGN performs L2-Aware NAT for packets forwarded by CPE1 and CPE2. Based on
the source MAC address 00-24-7E-0F-4D-01, source IP address 192.168.1.1, and port ID
5172, the source IP address of the packet forwarded by PC1 is translated to 69.1.1.1, and
the port ID is translated to 7007 after the L2-Aware NAT process.
4. The CGN replaces the source MAC address with the MAC address of its WAN port and
forwards the packet.
1. If the destination IP address of the packet from the external network is one of the IP
addresses in the NAT public address pool, the CGN changes the destination IP address and
port ID to the private network IPv4 address and port ID based on the mapping.
2. Based on the Layer 2 forwarding information recorded in the mapping, the CGN forwards
the packet to the CPE device.
3. The CPE device searches for the route and sends the packet to the PC based on the
destination IPv4 address.
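As an added example that is not part of the original document, the CGN mapping table for the two flows in the figure, keyed on the CPE WAN MAC plus private IP and port; the port allocation step (7007, then 8008) and the plain-NAT44 contrast function are constructed for illustration.

```python
class L2AwareNAT:
    """CGN mapping table for L2-Aware NAT: the key is the Layer 2 location
    (here the CPE WAN MAC) plus the private IP and port, so hosts behind
    different CPEs may reuse the same private address and port."""
    WAN_MAC = "00-24-7E-0F-5E"      # CGN WAN MAC as shown in the figure

    def __init__(self, public_ip="69.1.1.1", first_port=7007):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}     # (cpe_mac, priv_ip, priv_port) -> public port
        self.back = {}    # public port -> (cpe_mac, priv_ip, priv_port)

    def outbound(self, src_mac, src_ip, src_port):
        """Steps 3 and 4: translate the source and rewrite the source MAC to the CGN's."""
        key = (src_mac, src_ip, src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1001  # constructed step so the ports read 7007, 8008 as in the figure
        return {"src_mac": self.WAN_MAC, "src_ip": self.public_ip, "src_port": self.out[key]}

    def inbound(self, dst_ip, dst_port):
        """Reverse steps 1 and 2: map back and pick the CPE from the stored L2 info."""
        if dst_ip != self.public_ip or dst_port not in self.back:
            return None               # not in the public pool or no mapping: drop
        cpe_mac, priv_ip, priv_port = self.back[dst_port]
        return {"dst_mac": cpe_mac, "dst_ip": priv_ip, "dst_port": priv_port}


def nat44_would_collide(flows):
    """Contrast: a table keyed only on (ip, port), as plain NAT44 uses, cannot
    tell PC1 from PC4 once both CPEs forward 192.168.1.1:5172."""
    return len({(ip, port) for _mac, ip, port in flows}) < len(flows)


def demo():
    """The two flows from the figure, as forwarded by CPE1 and CPE2 (constructed)."""
    flows = [("00-24-7E-0F-4D-01", "192.168.1.1", 5172),
             ("00-24-7E-0F-4D-02", "192.168.1.1", 5172)]
    nat = L2AwareNAT()
    return nat, [nat.outbound(*f) for f in flows], nat44_would_collide(flows)
```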
2.3.2 Comparison of NAT Technologies

NAT444
  Advantages: Compared with DS-Lite, CPE devices do not need to be upgraded. NAT444 networks are compatible with existing IPv4 networks. On a NAT444 network, an IP address family does not need to be translated and DNS does not need to be changed. In NAT444, no tunneling technology is used and no packet needs to be fragmented additionally.
  Disadvantages: For protocols such as the Session Initiation Protocol (SIP), IP addresses are carried at the application layer, and NAT may be performed twice. Universal Plug and Play (UPnP) will not work in scenarios where NAT is performed twice.
  Application scenarios: The carrier's network supports only IPv4 networks. Residential terminals support only the IPv4 stack. Carriers allocate IPv4 addresses to residential terminals. Residential terminals support NAT.

L2-Aware NAT
  Advantages: Compared with NAT444, NAT is performed once in L2-Aware NAT, reducing NAT translation delays.
  Disadvantages: NAT444 is more popular and more mature than L2-Aware NAT. NAT is widely used in residential terminals and is easier to upgrade to NAT444.
  Application scenarios: The carrier's network supports IPv4 networks. Residential terminals support only the IPv4 stack. Carriers allocate IPv4 addresses to residential terminals. Residential terminals support routing, and NAT can be disabled.
2.4 Applications
3 DS-Lite
3.1 Introduction
Definition
Dual-Stack Lite (DS-Lite) is an IPv6 transition technology. DS-Lite establishes an IPv4-in-IPv6
tunnel between the CPE and CGN devices. Packets carrying private IPv4 addresses are encapsulated
in the tunnel and delivered to the CGN, where NAT translates the private IP address to a public
network IPv4 address.
Purpose
The replacement of IPv4 by IPv6 is the trend in network development. The transition from IPv4
to IPv6 is a long process, and IPv4 networks will exist for a long time. Carriers therefore still need
to support IPv4 networks and to alleviate the consequences of IPv4 address exhaustion.
DS-Lite offers a solution to carriers using tunneling and NAT. User terminals using private
network IPv4 addresses can access public IPv4 networks through an IPv6 network between the
CPE and CGN devices.
Benefits
Benefits to carriers
- DS-Lite allows the setup of IPv6 networks to carry the existing IPv4 service when the
number of IPv4 addresses is insufficient.
- DS-Lite provides a technical plan for the transition from IPv4 to IPv6 and protects the
investment of carriers.
3.2 References
Document No.                               Document Name   Remarks
draft-ietf-software-dual-stack-lite-04t    DS-Lite         -
3.3 Principles
1. An IPv4 host accesses the IPv4 network using the private IPv4 address as the source IP
address.
2. After receiving the IPv4 packet, the CPE adds an IPv6 header to the packet and generates
an IPv4 in IPv6 tunnel packet. The source address of the IPv6 header is the address of the
CPE, and the destination address is the address of the CGN.
3. After receiving the tunnel packet from the CPE, the CGN removes the tunnel information,
translates the source IP address of the IPv4 packet to the source public IP address using
NAT44, and sends the packet to the IPv4 public network.
1. After receiving a packet from the network, the CGN performs NAT44 on the packet,
replaces the destination IP address with the private IP address, encapsulates a tunnel to the
packet, and sends the packet to the CPE.
2. After receiving the tunnel packet from the CGN, the CPE removes the tunnel information,
obtains the IPv4 packet, and sends the packet to the host.
3.3.2 CPE Obtaining Tunnel Destination Address
In the integrated scenario, the destination address of the tunnel can only be configured manually
on the CPE device.
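The tunnel and NAT44 steps of the basic DS-Lite principle above, as an added example that is not Huawei code: it packs the IPv4 and IPv6 headers by hand (IPv6 Next Header 4 means an IPv4 packet follows), translates addresses only (port translation omitted), and keeps the CPE's IPv6 address in each binding so the reply is tunnelled back to the right CPE even when two CPEs use the same private IPv4 address; the addresses 2001:db8::c1, 2001:db8::c2, 2001:db8::1 and the public pool are constructed.

```python
import ipaddress
import struct

IPPROTO_IPV4 = 4   # IPv6 Next Header value: an IPv4 packet follows

def ipv4_checksum(hdr):
    """RFC 791 header checksum; a header with a valid checksum field sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, payload, proto=17, ttl=64):
    """Minimal 20-byte IPv4 header (no options) in front of an opaque payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); reject a bad version/IHL or checksum."""
    ver_ihl, _, length, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl != 0x45 or ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("malformed IPv4 header")
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, pkt[20:length])

def encapsulate(ipv4_pkt, src_v6, dst_v6):
    """Tunnel entry: prepend an IPv6 header whose Next Header is 4 (IPv4)."""
    v6 = struct.pack("!IHBB16s16s", 0x60000000, len(ipv4_pkt), IPPROTO_IPV4, 64,
                     ipaddress.IPv6Address(src_v6).packed,
                     ipaddress.IPv6Address(dst_v6).packed)
    return v6 + ipv4_pkt

def decapsulate(tunnel_pkt, expected_dst_v6):
    """Tunnel exit: check the outer header is ours and carries IPv4, then
    return (inner IPv4 packet, tunnel source address)."""
    _, plen, nh, _, src, dst = struct.unpack("!IHBB16s16s", tunnel_pkt[:40])
    if nh != IPPROTO_IPV4 or dst != ipaddress.IPv6Address(expected_dst_v6).packed:
        raise ValueError("not an IPv4-in-IPv6 packet addressed to this node")
    return tunnel_pkt[40:40 + plen], str(ipaddress.IPv6Address(src))

class DsLiteCGN:
    """CGN end of the tunnel. NAT44 here rewrites addresses only (port translation
    omitted for brevity); each binding also stores the CPE's IPv6 address so the
    reply can be tunnelled to the right CPE even when private IPv4 addresses overlap."""

    def __init__(self, cgn_v6, public_pool):
        self.cgn_v6 = cgn_v6
        self.pool = list(public_pool)      # free public IPv4 addresses (constructed)
        self.bindings = {}                 # public IPv4 -> (cpe_v6, private IPv4)

    def outbound(self, tunnel_pkt):
        """Step 3: remove the tunnel, translate the private source, forward plain IPv4."""
        inner, cpe_v6 = decapsulate(tunnel_pkt, self.cgn_v6)
        src, dst, proto, payload = parse_ipv4(inner)
        key = (cpe_v6, src)
        pub = next((p for p, k in self.bindings.items() if k == key), None)
        if pub is None:                    # first flow from this CPE/private address
            pub = self.pool.pop(0)         # IndexError here means the pool is exhausted
            self.bindings[pub] = key
        return build_ipv4(pub, dst, payload, proto)

    def inbound(self, ipv4_pkt):
        """Reverse step 1: translate the destination back and tunnel it to the owning CPE."""
        src, dst, proto, payload = parse_ipv4(ipv4_pkt)
        cpe_v6, priv = self.bindings[dst]  # KeyError: no binding; a real CGN drops the packet
        return encapsulate(build_ipv4(src, priv, payload, proto), self.cgn_v6, cpe_v6)
```

The CPE side reuses encapsulate() and decapsulate() with its own IPv6 address as the expected destination, which is what steps 2 and reverse step 2 above describe.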
3.4 Applications