
Dual-Stack Lite

Because of the shortage of IPv4 addresses, and the advantages of IPv6 over IPv4, many ISPs have started transitioning to IPv6 infrastructure. But during the transition, ISPs must continue to support IPv4 along with IPv6, because most of the public Internet still uses only IPv4, and many subscribers do not support IPv6.

Dual-Stack Lite (DS-Lite) is an IPv6 transition solution that lets ISPs with IPv6 infrastructure connect their IPv4 subscribers to the Internet. DS-Lite uses IPv4-in-IPv6 tunneling to send a subscriber’s IPv4 packet through a tunnel on the IPv6 access network to the ISP. The IPv6 packet is decapsulated to recover the subscriber’s IPv4 packet, which is then sent to the Internet after NAT address and port translation and other LSN-related processing. The response packets traverse the same path back to the subscriber.

The Citrix ADC appliance implements the AFTR component of a DS-Lite deployment and is compliant with RFC 6333.

Architecture

The Dual-Stack Lite architecture for an ISP consists of the following components:

  • Basic Bridging Broadband (B4). Basic Bridging Broadband, or B4, is a device or component that resides in the subscriber premises. Typically, B4 is a component in the CPE devices in the subscriber premises. IPv4 subscribers are connected to the IPv6-only ISP access network through the CPE device containing the B4 component. The main function of the B4 is to initiate an IPv6 tunnel between B4 and an address family transition router (AFTR) in order to send or receive subscriber IPv4 request or response packets over the tunnel. B4 includes an IPv6 address known as the B4 tunnel endpoint address. B4 uses this address to source IPv6 packets to AFTR and receive packets from AFTR.
  • Address family transition router (AFTR). AFTR is a device or component residing in the ISP’s core network. AFTR terminates the IPv6 tunnel from the B4 device. In other words, the IPv6 tunnel is formed between B4 in the subscriber premises and AFTR in the ISP core network. AFTR decapsulates IPv6 packets received from B4 to recover the subscribers’ original IPv4 packets. AFTR sends the IPv4 packets to the LSN device or component. LSN routes the IPv4 packets to their destination after performing NAT address and port translation (NAT44) and other LSN-related processing. AFTR includes an IPv6 address known as the AFTR tunnel endpoint address. AFTR uses this address to source IPv6 packets to B4 and receive IPv6 packets from B4. The Citrix ADC appliance implements the AFTR component.
  • Softwire. The IPv6 tunnel created between B4 and AFTR is called a softwire.


The DS-Lite architecture of an ISP using a Citrix ADC appliance consists of subscribers in private address spaces accessing the Internet through a Citrix ADC appliance deployed in the ISP’s core network. IPv4 subscribers are connected to a CPE device that includes the DS-Lite B4 functionality. The CPE device is connected to the ISP core network through the ISP’s IPv6-only access network. The Citrix ADC appliance contains the DS-Lite AFTR and LSN functionality.

IPv4 subscribers connected to the CPE device are assigned private IPv4 addresses either manually or through a DHCP server running on the CPE device. On the CPE device, the AFTR tunnel endpoint address is specified manually or through DHCPv6. Configuration of CPE devices is vendor specific and therefore outside the scope of this documentation.

Upon receiving a request packet that is from an IPv4 subscriber and destined to a location on the Internet, the B4 component of the CPE device encapsulates the IPv4 packet in an IPv6 packet and sends it to the Citrix ADC appliance in the ISP core network. The Citrix ADC appliance’s AFTR functionality decapsulates the IPv6 packet to recover the subscriber’s original IPv4 packet. The LSN functionality of the Citrix ADC appliance translates the source IP address and port of the IPv4 packet to a NAT IP address and NAT port selected from the configured NAT pool, and then sends the packet to its destination on the Internet.

The appliance maintains a record of all active sessions that use the AFTR and LSN functionalities. These sessions are called DS-Lite sessions. The Citrix ADC appliance also maintains the mappings between B4 IPv6 address, subscriber IPv4 address and port, and NAT IPv4 address and port, for each DS-Lite session. These mappings are called DS-Lite LSN mappings. From DS-Lite session entries and DS-Lite LSN mapping entries, the Citrix ADC appliance recognizes a response packet (received from the Internet) as belonging to a particular DS-Lite session.

When the Citrix ADC appliance receives a response packet belonging to a particular DS-Lite session, the appliance’s LSN functionality translates the destination IP address and port of the response packet from the NAT IP address and port to the subscriber IP address and port. The AFTR functionality then encapsulates the resulting packet in an IPv6 packet and sends it to the CPE device. The B4 functionality of the CPE device decapsulates the IPv6 packet to recover the IPv4 response packet, and then sends the IPv4 packet to the subscriber.
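The encapsulation and decapsulation described above can be shown at the byte level. The following Python sketch is an added example, not Citrix code: the function names and the order of the checks are assumptions, and the addresses are the ones used in the example later on this page. It shows the B4 side prepending an IPv6 header with Next Header 4 (IPv4), and an AFTR-style receiver accepting the packet only if it is addressed to the AFTR tunnel endpoint and sourced from the LSN client's Network6 prefix.

```python
import ipaddress
import struct

# Values from this page's example. The page writes the prefix with host bits
# set (2001:DB8::3:0/100), so strict=False is needed to parse it.
LSN_CLIENT_NET6 = ipaddress.ip_network("2001:DB8::3:0/100", strict=False)
AFTR_ADDR = ipaddress.ip_address("2001:DB8::5:6")
NEXT_HEADER_IPV4 = 4  # IPv6 Next Header value for an encapsulated IPv4 packet


def encapsulate(ipv4_packet: bytes, src6: str, dst6: str, hop_limit: int = 64) -> bytes:
    """B4 side: prepend a 40-byte IPv6 header to the subscriber's IPv4 packet."""
    fixed = struct.pack("!IHBB", 6 << 28, len(ipv4_packet), NEXT_HEADER_IPV4, hop_limit)
    addrs = ipaddress.ip_address(src6).packed + ipaddress.ip_address(dst6).packed
    return fixed + addrs + ipv4_packet


def decapsulate(ipv6_packet: bytes):
    """AFTR side (illustrative checks): return (b4_address, inner IPv4 packet)."""
    if len(ipv6_packet) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, payload_len, next_header, _hop = struct.unpack("!IHBB", ipv6_packet[:8])
    src = ipaddress.ip_address(ipv6_packet[8:24])
    dst = ipaddress.ip_address(ipv6_packet[24:40])
    if vtf >> 28 != 6 or next_header != NEXT_HEADER_IPV4:
        raise ValueError("not an IPv4-in-IPv6 packet")
    if dst != AFTR_ADDR:
        raise ValueError("not addressed to the AFTR tunnel endpoint")
    if src not in LSN_CLIENT_NET6:
        raise ValueError("source is not inside the LSN client Network6 prefix")
    inner = ipv6_packet[40:40 + payload_len]
    if len(inner) != payload_len or len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("malformed inner IPv4 packet")
    return src, inner


def sample_ipv4(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed test input: bare IPv4 header (checksum left 0) plus TCP ports."""
    ports = struct.pack("!HH", sport, dport)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ports), 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + ports
```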

Example

Consider an example of a DS-Lite deployment consisting of Citrix ADC NS-1 in an ISP’s core network, CPE device B4-CPE-1 in a subscriber premises, and a single IPv4 subscriber SUB-1. B4-CPE-1 supports the B4 functionality of the DS-Lite feature.


The following table lists the settings used in this example.

| Entity | Name | Details |
|---|---|---|
| IPv4 address of subscriber | SUB-1 | 192.0.2.51 |
| IPv6 address of softwire endpoint on the B4 device | B4-CPE-1 | 2001:DB8::3:4 |
| IPv6 address of the softwire endpoint on the AFTR device | NS-1 | 2001:DB8::5:6 |

Settings on Citrix ADC appliance NS-1:

| Entity | Name | Details |
|---|---|---|
| LSN client | LSN-DSLITE-CLIENT-1 | Network6 (identifying traffic from B4 devices) = 2001:DB8::3:0/100 |
| LSN pool | LSN-DSLITE-POOL-1 | LSN IPs (NAT IP) = 203.0.113.61 - 203.0.113.70 |
| IPv6 profile | LSN-DSLITE-PROFILE-1 | Type = DS-LITE; IPv6 address (AFTR IPv6 address) = one of the Citrix ADC owned IPv6 addresses of type SNIP6 = 2001:DB8::5:6 |
| LSN group | LSN-DSLITE-GROUP-1 | LSN client = LSN-DSLITE-CLIENT-1; LSN pool = LSN-DSLITE-POOL-1; IPv6 profile = LSN-DSLITE-PROFILE-1 |

Following is the traffic flow in this example:

1.    IPv4 subscriber SUB-1 sends a request to http://www.example.com/. The IPv4 packet has:

  • Source IP address = 192.0.2.51
  • Source port = 2552
  • Destination IP address = 198.51.100.250
  • Destination port = 80

2.    Upon receiving the IPv4 request packet, B4-CPE-1 encapsulates it in the payload of an IPv6 packet and then sends the IPv6 packet to NS-1. The IPv6 packet has:

  • Source IP address = 2001:DB8::3:4
  • Destination IP address = 2001:DB8::5:6

3.    When NS-1 receives the IPv6 packet, the AFTR module decapsulates the packet by removing the IPv6 headers. The resulting packet is SUB-1’s original IPv4 request packet.

4.    The LSN module of NS-1 translates the source IP address and port of the packet to a NAT IP address and NAT port selected from the configured NAT pool. The translated IPv4 packet has:

  • Source IP address = 203.0.113.61
  • Source port = 3002
  • Destination IP address = 198.51.100.250
  • Destination port = 80

5.    The LSN module also creates an LSN mapping and session entry for this DS-Lite session. The mapping includes the following information:

  • Source IP address of the IPv6 packet (B4-CPE-1’s IPv6 address) = 2001:DB8::3:4
  • Source IP address of the IPv4 packet (SUB-1’s IPv4 address) = 192.0.2.51
  • Source port of the IPv4 packet = 2552
  • NAT IP address = 203.0.113.61
  • NAT port = 3002

6.    NS-1 sends the resulting IPv4 packet to its destination on the Internet.

7.    The server for www.example.com processes the request packet and sends a response packet. The IPv4 response packet has:

  • Source IP address = 198.51.100.250
  • Source port = 80
  • Destination IP address = 203.0.113.61
  • Destination port = 3002

8.    Upon receiving the IPv4 packet, NS-1 examines the LSN mapping and session entries and finds that the IPv4 response packet belongs to a DS-Lite session. The LSN module of NS-1 translates the destination IP address and port. The IPv4 packet now has:

  • Source IP address = 198.51.100.250
  • Source port = 80
  • Destination IP address = 192.0.2.51
  • Destination port = 2552

9.    The AFTR module of NS-1 encapsulates the IPv4 packet in an IPv6 packet and then sends the IPv6 packet to B4-CPE-1. The IPv6 packet has:

  • Source IP address = 2001:DB8::5:6
  • Destination IP address = 2001:DB8::3:4

10.  Upon receiving the packet, B4-CPE-1 decapsulates the IPv6 packet by removing the IPv6 headers, and then sends the resulting IPv4 packet to SUB-1.
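The mapping state behind steps 4 through 9 can be modelled in a few lines. The following Python sketch is an added example, not the appliance's implementation: the class name `DsLiteLsn`, the sequential port allocation starting at 3002, and the endpoint-independent lookup are assumptions chosen to reproduce the numbers above. Because the key includes the B4 IPv6 address, subscribers behind different CPE devices can reuse the same private IPv4 address, and a public NAT IP and port can be traced back to one softwire.

```python
import ipaddress


class DsLiteLsn:
    """Toy LSN table; every mapping is keyed on the B4 IPv6 address as well."""

    def __init__(self, pool_first, pool_last, first_port=3002):
        lo, hi = (int(ipaddress.ip_address(a)) for a in (pool_first, pool_last))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.first_port = first_port   # assumption: ports handed out sequentially
        self.allocated = 0
        self.out = {}    # (b4, sub_ip, sub_port) -> (nat_ip, nat_port)
        self.back = {}   # (nat_ip, nat_port)     -> (b4, sub_ip, sub_port)

    def _allocate(self):
        per_ip = 65536 - self.first_port
        ip_index, offset = divmod(self.allocated, per_ip)
        if ip_index >= len(self.pool):
            raise RuntimeError("NAT pool exhausted")
        self.allocated += 1
        return self.pool[ip_index], self.first_port + offset

    def translate_request(self, b4, src_ip, src_port, dst_ip, dst_port):
        """Steps 4-5: rewrite the source to a NAT IP/port, creating the mapping if new."""
        key = (str(ipaddress.ip_address(b4)), src_ip, src_port)
        if key not in self.out:
            nat = self._allocate()
            self.out[key], self.back[nat] = nat, key
        nat_ip, nat_port = self.out[key]
        return nat_ip, nat_port, dst_ip, dst_port

    def translate_response(self, src_ip, src_port, dst_ip, dst_port):
        """Steps 8-9: return (b4, inner 4-tuple), or None when no mapping exists."""
        key = self.back.get((dst_ip, dst_port))
        if key is None:
            return None   # inbound packet that matches no DS-Lite session
        b4, sub_ip, sub_port = key
        return b4, (src_ip, src_port, sub_ip, sub_port)
```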
