Dive into Lightweight 4over6

Lightweight 4over6 is a new IETF proposed standard that seeks to facilitate the deployment IPv6 networks, while still providing IPv4 connectivity. It also greatly helps to mitigate IPv4 public address exhaustion. Everything runs on IPv6.

Posted by Diego Pino García on June 5, 2017

In the previous articles I took a look at the status of the IPv4 address exhaustion problem. I also reviewed the current state of IPv6 adoption as well as covering some of the transition technologies that could ease the adoption of IPv6. One of these transition technologies is Lightweight 4over6 (RFC 7596), often abbreviated as lw4o6, an extension to the Dual-Stack Lite Architecture (RFC 6333).

In this article I explain the Lightweight 4over6 standard and its main concepts. I will discuss its implementation in another article.

lw4o6 in a nutshell

Lightweight 4over6 is an extension to the Dual-Stack Lite architecture. As a reminder, a DS-Lite architecture enables a carrier to provide IPv4 connectivity to its customers over an IPv6-only network. The main components of a DS-Lite architecture are two:

  • B4 (Basic Bridging BroadBand). Runs at the customer’s home router.
  • AFTR (Address Family Transition Router). Runs in the carrier’s network.

The B4 element tunnels the customer’s IPv4 packets, sending them over an IPv6 network (the carrier’s network). The AFTR runs a Carrier-Grade NAT function on the decapsulated IPv6 packets. The Carrier-Grade NAT function allows sharing of the carrier’s public IPv4 address pool, enlarging the potential total number of IPv4 connections.

Lightweight 4over6 inheres these main two components of DS-Lite. However, they’re rebranded as lwB4 (pronounced as “lightweight before”) and lwAFTR (pronounced as “lightweight after”) in lw4o6. However, they’re slightly different than their DS-Lite counterparts.

Lightweight 4over6 mainly differs from DS-Lite on moving the Carrier-Grade NAT function back to the customer’s home router. One of the main disadvantages of DS-Lite is that the AFTR works as a centralized element in the network which can cause escalation problems.

Instead of NATP, lw4o6 uses a technique called A+P (“The Address plus Port (A+P) Approach to the IPv4 Address Shortage”, RFC 6346) to enable sharing of a single IPv4 public address. This technique partitions the port space of a single IPv4 public address among different customers, in other words, the port is used as part of the addressing schema. Every customer is assigned an IPv4 public address and a port range. Example:

Customer’s ID IPv4 public address Port-range
Customer 1 198.51.100.1 0-1023
Customer 2 198.51.100.1 1024-2047
Customer 64 198.51.100.1 64512-65535

This partition guarantees that the customer’s connections are uniquely identified and won’t overlap within the carrier’s network. A+P represents a stateless alternative to NAPT as the A+P gateway does need to keep track of every network flow. However, it requires A+P software on the customer’s side, capable of limiting the source port to the assigned range.

The diagram below summarizes how an lw4o6 deployment looks like:

lw4o6 chart
lw4o6 chart
  • Red arrows represent IPv4 packet flows.
  • Blue arrows represent IPv6 packet flows. They’re actually IPv4-in-IPv6 packets flows.
  • The carrier’s network is an IPv6 network. It only handles IPv4 traffic at its ends (Customer’s PC and Border-Router’s Internet facing side).
  • The home router executes the lwB4 network function. This function performs a NAPT on the customer’s packets, encapsulated them into an IPv6 tunnel and gets them forwarded to the carrier’s network.
  • The border router executes the lwAFTR network function. This function maintains a table of softwires. Softwires are mappings between IPv6 address and IPv4 public address + IPv4 port-set (binding-table). Each softwire represents a customer’s network flow.

Life of a packet in lw4o6

Let’s take a look at how a packet would be routed over an lw4o6 network. I take as an use-case outgoing packets originated at the customer’s PC.

  • Like in most environments, a customer’s PC gets an IPv4 private address assigned by its home router. In networking jargon, a home router is more generally called a CPE (Customer’s Premise Equipment). When a packet leaves the customer’s PC, it first reaches its CPE.
  • The CPE runs the lwB4 network function. This function performs a NAPT44 on the customer’s IPv4 packet source address and source port. That’s possible because every CPE of the carrier’s network is provisioned with a public IPv4 address and a port-set. CPE’s are also assigned an unique IPv6 address.
  • In addition to NAPT44, the lwB4 function also encapsulates the customer’s packets into an IPv6 tunnel. The result is an IPv4-in-IPv6 packet where the encapsulated IPv4 packet’s source address is actually an IPv4 public address. The CPE forwards this packet to its next hop so it reaches the carrier’s network.
  • IPv4-in-IPv6 packets get routed within the carrier’s network and eventually reach a networking element called a Border-Router. The Border-Router is the Internet facing side of an lw4o6 network and it runs the lwAFTR function.
  • The lwAFTR function inspects incoming IPv4-in-IPv6 packets arriving onto its internal interface (the interface facing the carrier’s network) and tries to find a matching softwire for each packet.
  • A softwire is a mapping between IPv6 address and IPv4 address + IPv4 port-set. If there’s a match for the incoming IPv4-in-IPv6 packet, the packet gets decapsulated and forwarded onto the Border-Router external interface getting out of the carrier’s network into the Internet realm.

Similarly, the opposite process happens for incoming packets from the Internet:

  • Incoming IPv4 packets from the Internet firstly reach the Border-Router external interface.
  • The lwAFTR’s function inspects incoming packets and performs a softwire look up using the packet’s IPv4 destination address and port as a key.
  • If there’s a matching softwire, the packet gets IPv6 encapsulated using the matching softwire’s IPv6 address as destination address.
  • Eventually the encapsulated IPv4-in-IPv6 packet reaches the targeted CPE.
  • The lwB4 function at the CPE decapsulates the packet, resolves the NAPT44 and forwards the incoming IPv4 packet to its final destination: the customer’s PC.

Softwires data-model

One of the core elements of lw4o6 is the lwAFTR’s binding-table. Basically, this table consists of a collection of softwires. A softwire defines a mapping between an IPv4 address and an IPv6 address. They’re a key concept for the connection of IPv4 networks across IPv6 networks and viceversa.

The IETF Softwire Working Group has proposed a YANG data model for IPv4-in-IPv6 softwires. This data-model is not only used by lw4o6 but by other A+P mechanisms such as MAP-E (RFC 7597) or MAP-T (RFC 7599). It defines a softwire configuration as:

+--rw softwire-config
|  +--...
|  +--rw binding {binding}?
|     +--rw br {br}?
|     |  +--rw enable?                          boolean
|     |  +--rw br-instances
|     |     +--rw br-instance* [id]
|     |        +--rw binding-table
|     |           +--rw binding-entry* [binding-ipv6info]
|     |              +--rw binding-ipv6info     union
|     |              +--rw binding-ipv4-addr    inet:ipv4-address
|     |              +--rw port-set
|     |              |  +--rw psid-offset       uint8
|     |              |  +--rw psid-len          uint8
|     |              |  +--rw psid              uint16
|     |              +--rw br-ipv6-addr         inet:ipv6-address
|     |              +--rw lifetime?            uint32

An instance of this data-model would look something like this:

sofwire-config {
  binding {
    br-instances {
      br-instance {
        binding-table {
          binding-entry {
            binding-ipv6info fc00:1:2:3:4:5:3:1;
            binding-ipv4-addr 198.51.100.1;
            port-set {
              psid-len 6;
              psid 1;
            }
            br-ipv6-addr fc00::100;
          }
        }
      }
    }
  }
}

A softwire-config file can contain several binding-tables. Each binding-table is composed of several binding-entry elements. Each of these entries represent a mapping between an IPv4 address and port and an IPv6 address, in other words, a softwire. Let’s look in detail at each of a softwire’s elements:

  • binding-ipv6info: it’s the IPv6 address of the lwB4. It can be written as an IPv6 address or and IPv6 address plus CIDR.
  • binding-ipv4-addr: it’s a shared public IPv4 address.
  • port-set: it identifies a range of ports. In this case the port-set defined is 1024-2047. I’ll take a closer look at port-set definition later.
  • br-ipv6-addr: it’s the IPv6 address of the lwAFTR. It’s not used for a softwire lookup.

Imagine an IPv4-in-IPv6 packet with address fc00:1:2:3:4:5:3:1 arrives at the lwAFTR’s internal interface. If the source address of the encapsulated IPv4 packet is 198.51.100.1 and its source port is in the [1024-2047] range, then there’s a match. The lwAFTR’s function will decapsulate the packet and forward it through its external interface out into the Internet realm.

In addition to the definition of softwires, the proposed YANG data model also defines the relevant parameters for provisioning a lwB4.

Port-mapping

lw4o6 uses the same port-mapping algorithm as MAP-E (RFC 7597 - Section 5.1).

A simple way of defining a port-set could be expressing it as a [min, max] pair where min and max are a 16-bit positive integer number. For instance, [0, 63] defines a port-set between 0 and 63 inclusive. However, crafting port sets by hand would be error-prompt, hard to maintain and would difficult automatic provisioning.

Another way of expressing a port-set is using a similar approach to CIDR (Classless Inter-Domain Routing). In CIDR notation, an IPv4 address is expressed as a value between 0 and 32. This value represents a number of contiguous bits. For instance:

IPv4 address CIDR notation
255.255.255.0 24
255.255.0.0 16
255.0.0.0 8

Following this approach, a port-set could be defined as a number between 0 and 16. This value represents the number of port-sets computed as 2^n. All the remaining bits are used to express the number of ports available per port-set, usually 2^(16-n).

In the example above:

port-set {
  psid-len 6;
  psid 1;
}
  • psid-len: represents the number of available port-sets. Since its value is 6, the total number of port-sets is 64 (2^6).
  • psid: it’s the port-set identifier in the softwire.

All the remaining bits (16 - 6 = 10) are the number of ports available per port-set. Since in the example above psid-len was 6 the number of ports per port-set is 1024 (2^10).

Considering the configuration above, what’s the actual port-set for PSID 1? Taking a look at this table would help to figure it out:

PSID port-set
0 0 - 1023
1 1024 - 2047
63 64512 - 65535

So [1024, 2047] is the actual port-set for PSID 1 when psid-len is 6 and psid-offset is 10.

The YANG model also specifies another attribute called port-offset. In lw4o6 this attribute is zero by default. If set, port-offset excludes some bits from psid-len. In MAP-E or MAP-T, port-offset is generally used to exclude the system ports. In lw4o6 excluding the system ports means mostly to not use PSID 0 in a softwire configuration.

Summary

In this article I introduced lw4o6 and explained how it works at a high-level view. I also took a look at IETF’s YANG softwire data-model for the definition of softwires, a key element of lw4o6. Lastly, we learned how port-sets are defined in lw4o6.

In the next article, I will discuss the implementation of a lwAFTR function using Snabb, a toolkit for the development of high-performance network functions.


igalia networking