IPv4 allows about 4.3 billion addresses to be used. However, the "capacity" of the Internet infrastructure laid down in the 1970s is no longer enough today, because at that time no one expected such a rapid growth in the number of consumers. Over the past 20 years, the number of Internet users has grown almost 60 times, largely due to the densely populated countries of India and China. The spread of mobile devices has also contributed.
Address space management and the distribution of IP addresses are handled by IANA, the Internet address space administration, and the regional Internet registries (ARIN, APNIC, AfriNIC, LACNIC, RIPE NCC). In early 2011, IANA allocated the last five remaining blocks of address space to the regional registries.
At that time the organization's experts predicted that the addresses would be exhausted within the next five years. Those five years have now come to an end, and LACNIC has announced the suspension of address issuance. We therefore decided to return to this topic and see how far humanity has advanced in resolving the situation.
What to do
One proposed solution is to tighten control over addresses. Initially, ranges were issued in huge blocks, but many of the organizations that received them have since ceased to exist, and no registry was kept at the time. It is therefore necessary to reclaim all of those addresses, split them into smaller blocks and distribute them again.
Another solution is to deploy IPv6, the latest version of IP, which has a virtually unlimited number of addresses (2 to the power of 128). There is a certain difficulty, however: IPv6 is incompatible with IPv4, which slows down and complicates the transition.
There is a third option: Network Address Translation (NAT), which translates an organization's many local addresses into a single external address. The NAT mechanism is described in RFC 1631 and RFC 3022.
There are several types of NAT. The first is static NAT, which maps internal addresses to external ones one-to-one. The second is dynamic NAT, which translates an internal address to an external one taken from a provided range. The translation itself is the same as in static NAT, only the external address is chosen at random from those that were free at the moment of translation.
The third option is so-called overloaded NAT (NAPT, NAT Overload, PAT), a form of dynamic NAT in which several internal addresses are mapped to one external address and told apart by port number. This option can help with the shortage of public IP addresses.
The maximum number of possible ports is 65 thousand, so in theory the same number of local addresses can be mapped to a single external address. However, NAT has a number of drawbacks.
Since all user sessions reach the Internet from a single public ("white") address, this causes problems with sites that grant access to a service by IP address: only one user will be able to work with it. Moreover, if many people access a site from the same address, the resource may conclude that it is under a DDoS attack and close access to all of those clients.
What is the future of NAT?
The next stage in the development of NAT is Carrier Grade NAT (CGN / CGNAT). The solution is designed for Internet providers and telecom operators, but it is also suitable for replacing NAT devices in corporate networks. CGN allows local addresses to be assigned to subscribers and translated to external ones centrally.
CG-NAT has several advantages. It provides a transparent way of using NAT thanks to Endpoint Independent Mapping (EIM), which guarantees that each combination of private IP address and client port is always mapped to the same combination of public IP address and port; Endpoint Independent Filtering (EIF), which discards incoming packets that do not match an existing mapping to an internal address; and Hairpinning, which allows one machine inside the network to reach another internal machine through its external address.
Another important advantage of CGN is limiting the number of TCP and UDP ports available to each subscriber. This allows ports to be distributed efficiently between users and also protects against DDoS attacks from botnets.
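To make the overloaded-NAT and CGN behaviour described above concrete, here is a small Python model of a NAPT translation table. It is an added example, not code from the article or from any NAT product: it shares one public address among many private hosts by port, applies endpoint-independent mapping and filtering, and enforces a per-subscriber port quota so that one busy host cannot drain the pool for everyone else. All addresses, port ranges and quotas are constructed sample values.

```python
"""Toy overloaded NAT (NAPT) table with CGN-style behaviour.

Added example, not code from the article or any product. Models:
  * many private (inside) addresses sharing one public address, told apart by port;
  * endpoint-independent mapping (EIM): an inside ip:port always gets the same public port;
  * endpoint-independent filtering (EIF): inbound packets with no mapping are dropped;
  * a per-subscriber port quota so one host cannot exhaust the shared pool.
All addresses, port ranges and quotas are constructed sample values.
"""
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Napt:
    public_ip: str
    port_range: range = range(1024, 65536)      # ports the NAT may hand out
    per_subscriber_quota: Optional[int] = None  # CGN port limit per inside address
    # outbound view: (proto, inside_ip, inside_port) -> public_port
    mappings: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    # inbound view: (proto, public_port) -> (inside_ip, inside_port)
    reverse: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    usage: Dict[str, int] = field(default_factory=dict)  # ports held per inside_ip
    _free: List[int] = field(default_factory=list, repr=False)

    def __post_init__(self) -> None:
        self._free = list(self.port_range)

    def translate_out(self, proto: str, inside_ip: str, inside_port: int) -> Tuple[str, int]:
        """Return the (public_ip, public_port) a packet from inside_ip:inside_port leaves with."""
        key = (proto, inside_ip, inside_port)
        if key in self.mappings:                 # EIM: same mapping whatever the destination
            return self.public_ip, self.mappings[key]
        held = self.usage.get(inside_ip, 0)
        if self.per_subscriber_quota is not None and held >= self.per_subscriber_quota:
            raise RuntimeError(f"port quota exhausted for {inside_ip}")
        if not self._free:
            raise RuntimeError("public port pool exhausted")
        port = self._free.pop()
        self.mappings[key] = port
        self.reverse[(proto, port)] = (inside_ip, inside_port)
        self.usage[inside_ip] = held + 1
        return self.public_ip, port

    def translate_in(self, proto: str, public_port: int) -> Optional[Tuple[str, int]]:
        """Inbound: forward to the mapped inside host, or None (drop) if no mapping exists (EIF)."""
        return self.reverse.get((proto, public_port))


def flows_until_blocked(nat: Napt, proto: str, inside_ip: str, first_port: int = 50000) -> int:
    """Open flows from inside_ip on consecutive source ports until the NAT refuses one."""
    opened = 0
    for port in itertools.count(first_port):
        try:
            nat.translate_out(proto, inside_ip, port)
        except RuntimeError:
            return opened
        opened += 1


def demo() -> None:
    # Without a quota one busy host can take every port and lock everybody else out.
    shared = Napt("203.0.113.1", port_range=range(40000, 40010))
    print("no quota:", flows_until_blocked(shared, "tcp", "10.0.0.5"),
          "then", flows_until_blocked(shared, "tcp", "10.0.0.6"))
    # With a per-subscriber quota the second subscriber still gets its share.
    fair = Napt("203.0.113.1", port_range=range(40000, 40010), per_subscriber_quota=3)
    print("quota 3:", flows_until_blocked(fair, "tcp", "10.0.0.5"),
          "then", flows_until_blocked(fair, "tcp", "10.0.0.6"))
    # An inbound packet for a port with no mapping is dropped.
    print("unsolicited inbound:", fair.translate_in("tcp", 40000))


if __name__ == "__main__":
    demo()
```

The ten-port pool is deliberately tiny so that exhaustion shows up after a handful of flows; a real CGN faces the same arithmetic with a pool of roughly 64 thousand ports per public address and protocol, which is exactly why the per-subscriber quota matters.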
IPv6 transition
Many operators are beginning a gradual transition to IPv6, because sooner or later everyone will have to use it. Carrier-Grade NAT technology can ease the transition from IPv4 to IPv6. The following solutions are used for this: NAT64, DS-Lite, 6RD and NAT444.
NAT64 technology gives users of IPv6-only services access to resources with IPv4 addresses by translating addresses of the new protocol into addresses of the old one.
DS-Lite technology uses an IPv6 connection between the provider and the client. An IPv4 packet from a client bound for an external network is encapsulated in IPv6 for transmission across the provider's network and then converted back to IPv4 when it is handed to the public Internet. In this case the operator can deploy an IPv6 network while continuing to provide IPv4 connectivity to clients.
6RD technology provides IPv6 services to customers over an existing IPv4 network. IPv6 addresses are allocated from the subnet assigned to the Internet service provider. A 6RD node wishing to send an IPv6 packet over the network encapsulates it in an IPv4 packet and checks whether the recipient is in the same segment. If so, the recipient's IPv4 address is formed by combining the IPv4 prefix with the bits of the destination IPv6 address that are not part of the 6RD prefix. If the recipient is in a different segment, the packet is sent to the provider's gateway, which decapsulates it and forwards it over IPv6 networks. The mechanism is described in RFC 5969.
NAT444 technology translates the client's local address to a local address of the provider, which is then translated to a public Internet address. Neither the client equipment nor the network structure has to be changed.
To implement any of these technologies, you must either use special equipment for address translation or tunnelling (A10 Thunder, F5 BIG-IP Carrier-Grade NAT), or upgrade existing network devices with additional service modules.
All of this can be handled by a multifunctional device that combines DPI (Deep Packet Inspection) and Carrier-Grade NAT. Such solutions are built from the outset to handle huge loads when analysing traffic, so they easily cope with address translation (the NAT function) as well.