DS-Lite Subnet Limitation

Junos OS enables you to limit the number of softwire flows from a subscriber’s basic bridging broadband (B4) device at a given point in time, preventing subscribers from excessive use of addresses within the subnet. This limitation reduces the risk of denial-of-service (DoS) attacks. This limitation is supported on MX Series routers equipped with MS-DPCs. Starting in Junos OS Release 18.2R1, MS-MPCs and MS-MICs also support the subnet limitation feature.Starting in Junos OS Release 19.2R1, MX Virtual Chassis and MX Broadband Network Gateway (BNG) routers also support the subnet limitation feature.Starting in Junos OS release 20.2R1, DS-Lite is supported for CGNAT Next Gen Services on MX240, MX480 and MX960 routers.

A household using IPv6 with DS-Lite is a subnet, not just an individual IP address. The subnet limitation feature associates a subscriber and mapping with an IPv6 prefix instead of an IPv6 address. A subscriber can use any IPv6 addresses in that prefix as a DS-Lite B4 address and potentially exhaust carrier-grade NAT resources. The subnet limitation feature enables greater control of resource utilization by identifying a subscriber with a prefix instead of a specific address.

The subnet limit provides the following features:

• Flows utilize the complete B4 address.

• Prefix length can be configured per service set under softwire-options for the individual service-set.

• Port blocks are allocated per prefix of the subscriber B4 device, and not on each B4 address (if the prefix length is less than 128). If the prefix length is 128, then each IPv6 address is treated as a B4. Port blocks are allocated per 128-bit IPv6 address.

• Session limit, defined under the DS-Lite softwire concentrator configuration, limits the number of IPv4 sessions for the prefix.

• EIM, EIF, and PCP mappings are created per softwire tunnel (full 128 bit IPv6 address). Stale mappings time out based on timeout values.

• If prefix length is configured , then PCP max-mappings-per-subscriber (configurable under pcp-server) is based on the prefix only, and not the full B4 address.

• SYSLOGS for PBA allocation and release contain the prefix portion of the address completed with all zeros. SYSLOGS for PCP allocate and release, flow creation and deletion will still contain the complete IPv6 address.

The show services nat mappings address-pooling-paired operational command output now shows the mapping for the prefix. The mapping shows the address of the active B4.

The show services softwire statistics ds-lite output includes a new field that displays the number of times the session limit was exceeded for the MPC.

For Next Gen Services on MX240, MX480, and MX960 routers, the subnet limit statistic is displayed in the Softwire session limit exceeded field.

show services softwire statistics (MX-SPC3)