DS-Lite Softwires—IPv4 over IPv6 for Next Gen Services
Junos OS enables service providers to transition to IPv6 by using softwire encapsulation and decapsulation techniques. A softwire is a tunnel that is created between softwire customer premises equipment (CPE). A softwire CPE can share a unique common internal state for multiple softwires, making it a very light and scalable solution. When you use softwires, you need not maintain an interface infrastructure for each softwire, unlike a typical mesh of generic routing encapsulation (GRE) tunnels that requires you to do so. A softwire initiator at the customer end encapsulates native packets and tunnels them to a softwire concentrator at the service provider. The softwire concentrator decapsulates the packets and sends them to their destination. A softwire is created when a softwire concentrator receives the first tunneled packet of a flow and prepares the packet for flow processing. The softwire exists as long as the softwire concentrator is providing flows for routing. A flow counter is maintained; when the number of active flows is 0, the softwire is deleted. Statistics are kept for both flows and softwires.
DS-Lite Softwires—IPv4 over IPv6
When an ISP begins to allocate new subscriber home IPv6 addresses and IPv6-capable equipment, dual-stack lite (DS-Lite) provides a method for the private IPv4 addresses behind the IPv6 customer edge WAN equipment to reach the IPv4 network. DS-Lite enables IPv4 customers to continue to access the Internet using their current hardware by using a softwire initiator, referred to as a Basic Bridging Broadband (B4), at the customer edge to encapsulate IPv4 packets into IPv6 packets and tunnel them over an IPv6 network to a softwire concentrator, referred to as an Address Family Transition Router (AFTR), for decapsulation. DS-Lite creates the IPv6 softwires that terminate on the services PIC. Packets coming out of the softwire can then have other services such as NAT applied on them.
Starting in Junos OS Release 20.2R1, DS-Lite is supported for Next Gen Services on MX240, MX480, and MX960 routers with the MX-SPC3.
For more information on DS-Lite softwires, see the IETF draft Dual Stack Lite Broadband Deployments Following IPv4 Exhaustion.
The most recent IETF draft documentation for DS-Lite uses new terminology:
The term softwire initiator has been replaced by B4.
The term softwire concentrator has been replaced by AFTR.
The Junos OS documentation generally uses the original terms when discussing configuration in order to be consistent with the command-line interface (CLI) statements used to configure DS-Lite.
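The B4-to-AFTR encapsulation described in this section, as an added example that is not Junos OS code: a softwire initiator wraps an IPv4 packet in an IPv6 header with Next Header 4, and a softwire concentrator validates the outer header before handing the inner packet on. The function names and all addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_IPV4 = 4  # IPv6 Next Header value for an encapsulated IPv4 packet

def constructed_ipv4(payload: bytes = b"constructed") -> bytes:
    """Constructed sample: 20-byte IPv4 header (checksum left at 0) plus payload."""
    src = ipaddress.IPv4Address("192.168.1.10").packed
    dst = ipaddress.IPv4Address("198.51.100.7").packed
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, 17, 0, src, dst) + payload

def b4_encapsulate(inner: bytes, b4: str, aftr: str, hop_limit: int = 64) -> bytes:
    """Softwire initiator (B4): prepend a 40-byte IPv6 header to an IPv4 packet."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    header = struct.pack("!IHBB", first_word, len(inner), IPPROTO_IPV4, hop_limit)
    header += ipaddress.IPv6Address(b4).packed + ipaddress.IPv6Address(aftr).packed
    return header + inner

def aftr_decapsulate(packet: bytes, aftr: str):
    """Softwire concentrator (AFTR): check the outer header, return (b4, inner)."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, _hop = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("outer packet is not IPv6")
    if next_header != IPPROTO_IPV4:
        raise ValueError("payload is not IPv4-in-IPv6")
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    if dst != ipaddress.IPv6Address(aftr):
        raise ValueError("not addressed to this softwire concentrator")
    inner = packet[40:40 + payload_len]
    if len(inner) != payload_len or len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner payload is not a complete IPv4 packet")
    return str(src), inner  # the B4 address identifies the softwire

if __name__ == "__main__":
    pkt = b4_encapsulate(constructed_ipv4(), "2001:db8:0:a101::1", "2001:db8:ffff::1")
    print(aftr_decapsulate(pkt, "2001:db8:ffff::1")[0], len(pkt))
```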
DS-Lite and NAT in Next Gen Services
In Next Gen Services, DS-Lite changes the way NAT works with respect to the address-pooling-paired statement for the endpoint independent mapping (EIM), endpoint independent filtering (EIF), and port block allocation (PBA) features. In the earlier Adaptive Services implementation, all of these NAT features are subscriber-based and the subscriber is either a B4 IP address or an IPv6 prefix. In addition, for Adaptive Services, the address-pooling-paired association is between the internal IPv4 address and the NAT pool address. However, in Next Gen Services DS-Lite, the address-pooling-paired pairing is between the subscriber (either the B4 IPv6 address or the IPv6 prefix) and a NAT pool address. Otherwise, the address-pooling-paired functionality remains the same for Next Gen Services.
For CGNAT Next Gen Services on the MX-SPC3 security services card, when you configure DS-Lite use the following rules:
For non-prefix based DS-Lite subscriber softwires, specify the B4 IPv6 address as the softwire concentrator.
For prefix-based DS-Lite subscriber softwires, specify the IPv6 prefix address as the softwire concentrator. In addition, for prefix-based subscriber DS-Lite softwires, you must specify the subscriber prefix length per service-set under the [edit softwire-options dslite-ipv6-prefix-length dslite-ipv6-prefix-length] configuration hierarchy.
You create EIM mappings on a per-softwire basis and they are bound to the B4 address, which means the rule matching criteria include the B4 address. For Next Gen Services DS-Lite softwires, there is no special mapping timeout for softwire sessions; instead, they take the value of inactivity-non-tcp-timeout as their timeout value.
When a subscriber requires a port to be assigned for the first time, Port Block Allocation (PBA) ensures a block of ports is allocated to that particular subscriber. All subsequent requests from this subscriber use ports from the assigned block. A new port block is allocated when the current active block is exhausted, or after the active port block timeout interval has expired.
DS-Lite and AMS
AMS groups several PICs together and load balances traffic across all PICs that are part of the same group. In a standalone PIC configuration, all softwire sessions that originate from any B4 and are destined to a softwire concentrator are serviced on the same PIC where the softwire concentrator is configured. With DS-Lite in an AMS configuration, the softwire concentrator is hosted on all PICs in the AMS group; however, softwire sessions from various B4 devices are distributed across member PICs. Thus, a softwire session originated from one B4 to the softwire concentrator is assigned to one member PIC, and all packets (IPv4-in-IPv6 and inner IPv4) in both directions (originated from B4 and destined to B4) related to that softwire session are serviced in the same PIC.
For prefix-based DS-Lite subscribers, you need to configure the IPv6 prefix for DS-Lite traffic. When a prefix-based subscriber is active, the configured prefix length is taken from the B4 address and is completed with trailing zeros to form a 128-bit IPv6 NAT subscriber. This means that all B4 entities with a matching prefix, and all IPv4 networks behind those matching B4 entities, are identified as a single subscriber. An option is provided to configure the subscriber prefix length per service-set under the [edit softwire-options dslite-ipv6-prefix-length dslite-ipv6-prefix-length] hierarchy.
For CGNAT Next Gen Services on the MX-SPC3 security services card, when you configure prefix-based DS-Lite subscribers always specify the IPv6 prefix address for the softwire concentrator.
With the prefix-based subscriber feature enabled, only one subscriber context is maintained per prefix. Hence, the Port Block Allocation (NAT PBA) function accounts for port blocks per subscriber instead of per B4 address. Session limits configured under the softwire concentrator limit the number of IPv4 sessions per subscriber instead of per softwire or B4 address. Enabling the address-pooling-paired option in prefix-based subscriber configurations results in one public IP address for the subscriber instead of one per B4 address.
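The prefix-based subscriber behaviour described above, as an added example that is a simplified model and not Junos OS code: the subscriber key is the B4 address truncated to the configured prefix length and zero-filled, and port blocks and the session limit are then accounted against that key. The class, its parameters, and the addresses are constructed; it models block exhaustion only (no block timeout, no port release).

```python
import ipaddress
from collections import defaultdict

def subscriber_key(b4: str, prefix_len: int = 128) -> str:
    """Keep prefix_len leading bits of the B4 address, zero the trailing bits."""
    net = ipaddress.IPv6Network((b4, prefix_len), strict=False)
    return str(net.network_address)

class SubscriberTable:
    """Toy model of per-subscriber port blocks and session limits."""

    def __init__(self, prefix_len, block_size, session_limit, first_port=1024):
        self.prefix_len = prefix_len
        self.block_size = block_size
        self.session_limit = session_limit
        self.next_block_start = first_port
        self.blocks = defaultdict(list)  # subscriber -> start port of each block
        self.used = defaultdict(int)     # subscriber -> sessions (ports) in use

    def open_session(self, b4: str):
        """Return (subscriber, port), or (subscriber, None) when the limit is hit."""
        sub = subscriber_key(b4, self.prefix_len)
        if self.used[sub] >= self.session_limit:
            return sub, None  # limit is per subscriber, not per B4 address
        if self.used[sub] == len(self.blocks[sub]) * self.block_size:
            # First request, or active block exhausted: allocate a new block.
            self.blocks[sub].append(self.next_block_start)
            self.next_block_start += self.block_size
        idx = self.used[sub]
        port = self.blocks[sub][idx // self.block_size] + idx % self.block_size
        self.used[sub] += 1
        return sub, port

if __name__ == "__main__":
    table = SubscriberTable(prefix_len=56, block_size=2, session_limit=3)
    # Constructed B4 addresses: the first two share a /56, the third does not.
    for b4 in ("2001:db8:0:a101::1", "2001:db8:0:a1ff::2", "2001:db8:0:a201::1"):
        print(b4, "->", table.open_session(b4))
```

With a prefix length of 56 the first two B4 addresses draw ports from the same block and count against the same session limit, so NAT logs for that block identify the prefix rather than an individual B4.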