DS-Lite Subnet Limitation

Junos OS enables you to limit the number of softwire flows from a subscriber’s basic bridging broadband (B4) device at a given point in time, preventing subscribers from excessive use of addresses within the subnet. This limitation reduces the risk of denial-of-service (DoS) attacks. This limitation is supported on MX Series routers equipped with MS-DPCs. Starting in Junos OS Release 18.2R1, MS-MPCs and MS-MICs also support the subnet limitation feature.Starting in Junos OS Release 19.2R1, MX Virtual Chassis and MX Broadband Network Gateway (BNG) routers also support the subnet limitation feature.Starting in Junos OS release 20.2R1, DS-Lite is supported for CGNAT Next Gen Services on MX240, MX480 and MX960 routers.

A household using IPv6 with DS-Lite is a subnet, not just an individual IP address. The subnet limitation feature associates a subscriber and mapping with an IPv6 prefix instead of an IPv6 address. A subscriber can use any IPv6 addresses in that prefix as a DS-Lite B4 address and potentially exhaust carrier-grade NAT resources. The subnet limitation feature enables greater control of resource utilization by identifying a subscriber with a prefix instead of a specific address.

The subnet limit provides the following features:

• Flows utilize the complete B4 address.

• Prefix length can be configured per service set under softwire-options for the individual service-set.

• Port blocks are allocated per prefix of the subscriber B4 device, and not on each B4 address (if the prefix length is less than 128). If the prefix length is 128, then each IPv6 address is treated as a B4. Port blocks are allocated per 128-bit IPv6 address.

• Session limit, defined under the DS-Lite softwire concentrator configuration, limits the number of IPv4 sessions for the prefix.

• EIM, EIF, and PCP mappings are created per softwire tunnel (full 128 bit IPv6 address). Stale mappings time out based on timeout values.

• If prefix length is configured , then PCP max-mappings-per-subscriber (configurable under pcp-server) is based on the prefix only, and not the full B4 address.

• SYSLOGS for PBA allocation and release contain the prefix portion of the address completed with all zeros. SYSLOGS for PCP allocate and release, flow creation and deletion will still contain the complete IPv6 address.

The show services nat mappings address-pooling-paired operational command output now shows the mapping for the prefix. The mapping shows the address of the active B4.

The show services softwire statistics ds-lite output includes a new field that displays the number of times the session limit was exceeded for the MPC.

For Next Gen Services on MX240, MX480, and MX960 routers, the subnet limit statistic is displayed in the Softwire session limit exceeded field.

show services softwire statistics (MX-SPC3)

user@host> show services softwire statistics
vms-2/0/0
    Total Session Interest events			    :3
    Total Session Destroy events                            :2
    Total Session Public Request events                     :0
    Total Session Accepts                                   :1
    Total Session Discards                                  :0
    Total Session Ignores                                   :0
    Total Session extension alloc failures                  :0
    Total Session extension set failures                    :0
Softwire statistics
    Total Softwire sessions created                         :1
    Total Softwire sessions deleted                         :2
    Total Softwire sessions created for reverse packets     :1
    Total Softwire session create failed for reverse pkts   :0
    Total Softwire rule match success                       :1
    Total Softwire rule match failed                        :0
    Softwire session limit exceeded                         :0
Softwire packet statistics
    Total Packets processed                                 :1
    Total packets encapsulated                              :1
    Total packets decapsulated                              :1
    Encapsulation errors                                    :0
    Decapsulation errors                                    :0
    Encapsulated pkts re-inject failures                    :0
    Decapsulated pkts re-inject failures                    :0
    DS-Lite ICMPv4 Echo replies sent                        :0
    DS-Lite ICMPv4 TTL exceeded messages sent               :0
    ICMPv6 ECHO request messages received destined to AFTR  :0
    ICMPv6 ECHO reply messages sent from AFTR               :0
    ICMPv6 ECHO requests to AFTR process failures           :0
    V6 untunnelled packets destined to AFTR dropped         :1
    Softwire policy add errors                              :0
    Softwire policy delete errors                           :0
    Softwire policy memory alloc failures                   :0
    Softwire Untunnelled packets ignored                    :0
Softwire Misc errors
    DS-Lite ICMPv4 TTL exceed message process errors        :0