In a world out of IPv4 addresses but equipment still in use, ISPs need a mechanism for supporting IPv4 traffic over IPv6 networks. Learn how MAP-E helps and how to test it.
Internet service providers (ISPs) are running out of public IPv4 addresses and want to move away from IPv4 in their internal network. Mapping of Address and Port with Encapsulation (MAP-E), an IPv6 transition mechanism for transporting IPv4 packets across an IPv6 network using IP encapsulation, lets ISPs provide IPv4 services without deploying a full dual-stack network. MAP-E saves money on network upgrades and speeds the migration to IPv6. MAP-E also helps relieve the issue of IPv4 address exhaustion by letting multiple CPE’s share the same public IPv4 address through a form of Carrier-Grade NAT (CGN).
This article discusses the mechanisms that MAP-E needs to function, explains the MAP-E configuration options and how they can be provisioned, and describes what you should test when developing a MAP-E implementation.
IPv4 address sharing is a Carrier-Grade NAT (CGN) technique to allow sharing a single IPv4 address amongst multiple customer edge (CE) devices. MAP-E, defined in RFC 7597, enables this sharing by requiring each CE with the same IPv4 address to use different TCP/UDP ports. It is a mechanism to statelessly provide IPv4 connectivity via shared IPv4 addresses in an IPv6-only ISP network. DHCPv6 configuration options for MAP-E are defined in RFC 7598 to allow autoconfiguration of the use of MAP-E.
In MAP-E, IPv4 packets moving between the CE and the public IPv4 internet are encapsulated in IPv6 packets while transiting the IPv6-only ISP network. A MAP-enabled router inside the ISP network known as the MAP-E Border Relay (BR) receives MAP-E traffic from the CE and acts as the gateway between the ISP’s IPv6-only internal network and the public IPv4 internet. The IPv6-only internal network is known as the MAP domain. The IPv6 destination address for all outbound MAP-E traffic from the CE is set to the address of the BR.
The CE performs the normal Network Address and Port Translation (NAPT) processing on IPv4 packets prior to IPv6 encapsulation and after IPv6 decapsulation (Figure 1). NAPT maps private IPv4 addresses and UDP/TCP ports from the CE’s LAN clients onto the CE’s public IPv4 address. Thus, for outbound traffic, the CE rewrites the private source IPv4 address to be the CE’s public IPv4 address and rewrites the TCP/UDP source port from the list of available ports on the CE’s public IPv4 address. To do this, the CE maintains a table of NAPT bindings for all IPv4 traffic passing through the CE to its LAN clients.
Encapsulating IPv4 within a MAP domain
In MAP-E, multiple CE’s in a MAP domain share the same public IPv4 address. Each CE is assigned a Port Set Identifier (PSID) that determines the ports it’s allowed to use with its assigned public IPv4 address. Therefore, MAP-E requires that the CE’s NAPT implementation be aware of this additional restriction and only create NAPT bindings with port numbers on the public IPv4 address that are within the CE’s MAP-E port set.
Each CE is provisioned with a Basic Mapping Rule (BMR) and PSID offset, which can be provisioned via DHCPv6 options and must be the same for all CE’s within a MAP domain. The BMR contains a Rule IPv6 prefix, a Rule IPv4 prefix and a Rule Embedded Address bits (EA-bits) length. In addition to a BMR, each CE is assigned an End-user IPv6 prefix, most likely provisioned via DHCPv6 as an IA_PD prefix. The CE uses the End-user IPv6 prefix to determine its public IPv4 address and possibly its PSID, although this may be provisioned via DHCPv6 instead. As shown in Figure 2, the EA-bits of a CE’s End-user IPv6 prefix are the bits starting after the BMR Rule IPv6 prefix length, with the length being determined by the BMR EA-bit length.
A CE constructs its public IPv4 address by combining its BMR Rule IPv4 prefix with as many EA-bits as are required to create a complete 32-bit IPv4 address. If not already provisioned via DHCPv6, the remaining EA-bits are the CE’s PSID. The CE uses its public IPv4 address as the IPv4 source address for all MAP traffic. As shown in Figure 3, the CE constructs its full IPv6 address by combining its End-user IPv6 prefix with an interface ID that embeds its public IPv4 address and PSID. The CE then uses this as the IPv6 source address for all MAP traffic.
With this architecture, the BR in a MAP domain can statelessly process MAP traffic to and from MAP CE’s. On receiving a MAP packet from a CE, the BR first verifies that the IPv6 source address is within the BMR Rule IPv6 prefix of the MAP domain. Next, it extracts the public IPv4 address and PSID embedded in the interface ID of the source IPv6 address. It uses this information to verify that the source address of the encapsulated IPv4 packet is correct and that the UDP/TCP source port chosen by the CE is within its port set as determined by its PSID.
[Continue reading on EDN US: Port sets ]