Carrier-Grade NAT (CGNAT)
Dual Stack Lite
DS-Lite tunnels IPv4 packets directly to the AFTR in the service provider's network, where the provider shares public IPv4 addresses between subscribers with carrier-grade NAT. It is the poor man's version of regular dual stack: native IPv6, but IPv4 only through the tunnel and through a NAT you don't control. You *can* get ports forwarded on the AFTR, but the AFTR, not you, picks the public port and you'll get a different one every time, so… don't rely on it.
how it works
- An IPv6 tunnel is created. Its source is the router's WAN interface, which has a globally scoped IPv6 address (this is what the DS-Lite "upstream interface" option selects in the vendor docs referenced below); its destination is the IPv6 address of the AFTR inside the ISP network. Only one DS-Lite tunnel is supported.
- The tunnel comes up as soon as both ends are configured and the AFTR is reachable over IPv6; RFC 2473 encapsulation is stateless, so there is no handshake with the AFTR.
- An IPv4 default route is configured by the network engineer, pointing all IPv4 traffic into the IPv6 tunnel.
- All IPv4 traffic matching that default route enters an internal virtual tunnel interface (VTI) and is sent to the provider encapsulated in IPv6 as RFC 2473 IPv4-in-IPv6 (IPv6 Next Header 4). The 40-byte outer header comes out of the path MTU, so on a 1500-byte IPv6 WAN the tunnel can carry at most 1460 bytes of IPv4 (hence the mtu 1460 in the EdgeRouter config).
- Inside the provider network, the AFTR decapsulates and performs carrier-grade NAT (NAT44), translating the subscriber's private IPv4 addresses to public ones. The NAT binding is keyed on the B4's IPv6 source address as well as the inner IPv4 address and port; that is how thousands of subscribers can all use the same RFC 1918 ranges behind one AFTR, and it means that from the AFTR's point of view your identity is the tunnel's IPv6 source address.
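The encapsulation and the AFTR-side translation described above, as a self-contained model (an added example, not code from this page, from Allied Telesis, or from any real DS-Lite implementation). It builds an IPv4/UDP packet, wraps it in an IPv6 header with Next Header 4 the way a B4 does, and has a toy AFTR decapsulate it and allocate a NAT44 binding keyed on the B4's IPv6 address, so two subscribers both sending from 192.168.1.10:5000 end up on different public ports. All addresses (2001:db8::/32, 198.51.100.1, 203.0.113.5) are documentation ranges chosen for the example; the `Aftr` class, its sequential port allocator and the UDP-only handling are simplifications, and the UDP checksum is zeroed rather than recomputed.

```python
"""Toy DS-Lite data path: B4 encapsulation (RFC 2473) and AFTR NAT44 (RFC 6333).
Added example with constructed addresses; not a real B4 or AFTR."""
import ipaddress
import struct

IPPROTO_IPIP = 4      # IPv6 Next Header value for IPv4-in-IPv6 (RFC 2473)
IPPROTO_UDP = 17
B4_ADDR = "192.0.0.2"    # RFC 6333 well-known B4 side of the softwire
AFTR_ADDR = "192.0.0.1"  # RFC 6333 well-known AFTR side


def ipv4_checksum(hdr: bytes) -> int:
    """Ones'-complement checksum over an IPv4 header; 0 for a valid header."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4/UDP packet. UDP checksum 0 is legal for IPv4 (not for IPv6)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def b4_encapsulate(b4_v6: str, aftr_v6: str, ipv4_packet: bytes) -> bytes:
    """What the B4 does on egress: prepend an IPv6 header with Next Header = 4."""
    outer = struct.pack("!IHBB16s16s", 0x60000000, len(ipv4_packet), IPPROTO_IPIP, 64,
                        ipaddress.IPv6Address(b4_v6).packed, ipaddress.IPv6Address(aftr_v6).packed)
    return outer + ipv4_packet


class Aftr:
    """Toy AFTR: decapsulate, then NAT44 keyed on (B4 IPv6 src, inner IPv4 src, sport)."""

    def __init__(self, aftr_v6: str, public_v4: str, first_port: int = 1024):
        self.aftr_v6 = ipaddress.IPv6Address(aftr_v6)
        self.public_v4 = ipaddress.IPv4Address(public_v4)
        self.next_port = first_port          # naive allocator, fine for a demo
        self.bindings = {}                   # key -> public port

    def handle(self, frame: bytes):
        """Return (binding key, public port, translated IPv4 packet) or raise ValueError."""
        ver_tc_flow, plen, nxt, _hlim, src, dst = struct.unpack("!IHBB16s16s", frame[:40])
        if ver_tc_flow >> 28 != 6 or ipaddress.IPv6Address(dst) != self.aftr_v6:
            raise ValueError("not an IPv6 packet addressed to this AFTR")
        if nxt != IPPROTO_IPIP:
            raise ValueError("softwire payload is not IPv4-in-IPv6")
        inner = frame[40:40 + plen]
        b4_v6 = ipaddress.IPv6Address(src)   # the subscriber's identity on the AFTR
        ihl = (inner[0] & 0x0F) * 4
        if inner[9] != IPPROTO_UDP:
            raise ValueError("toy AFTR only translates UDP")
        inner_src = ipaddress.IPv4Address(inner[12:16])
        sport = struct.unpack("!H", inner[ihl:ihl + 2])[0]
        key = (b4_v6, inner_src, sport)
        if key not in self.bindings:         # new flow: allocate a public port
            self.bindings[key] = self.next_port
            self.next_port += 1
        pub_port = self.bindings[key]
        # Rewrite inner source address/port and fix the IPv4 header checksum.
        hdr = bytearray(inner[:ihl])
        hdr[12:16] = self.public_v4.packed
        hdr[10:12] = b"\0\0"
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
        l4 = bytearray(inner[ihl:])
        l4[0:2] = struct.pack("!H", pub_port)
        l4[6:8] = b"\0\0"                    # UDP checksum zeroed instead of recomputed
        return key, pub_port, bytes(hdr) + bytes(l4)


if __name__ == "__main__":
    aftr = Aftr("2001:db8::1", "198.51.100.1")
    pkt = build_ipv4_udp("192.168.1.10", "203.0.113.5", 5000, 53, b"query")
    for b4 in ("2001:db8:a::1", "2001:db8:b::1"):
        key, port, _ = aftr.handle(b4_encapsulate(b4, "2001:db8::1", pkt))
        print(key, "->", aftr.public_v4, port)
```

Run it and both subscribers show the same inner 192.168.1.10:5000 mapped to distinct public ports; only the IPv6 source of the softwire tells them apart, which is exactly why the AFTR must never accept a tunnelled packet whose outer source it has not authorised.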
Linux
```sh
# IPv4-in-IPv6 softwire (RFC 2473) from our WAN IPv6 address to the AFTR.
# AFTR_IP and OWN_IP are placeholders; eth2 is the IPv6 WAN interface.
ip -6 tunnel add tun0 mode ipip6 remote AFTR_IP local OWN_IP dev eth2 encaplimit none
ip link set tun0 up
# 192.0.0.0/29 is reserved by RFC 6333 for the tunnel endpoints: B4 is .2, AFTR is .1.
ip addr add 192.0.0.2 peer 192.0.0.1 dev tun0
# Send all IPv4 traffic into the softwire.
ip route add default via 192.0.0.1
```
in Ubiquiti EdgeRouter
Supposedly this should work, but doesn't:
```
[edit interfaces ipv6-tunnel v6tun0]
+encapsulation ipip6
+local-ip OWN_IP
+mtu 1460
+remote-ip AFTR_IP
[edit protocols static interface-route 0.0.0.0/0]
+next-hop-interface v6tun0
```
The Linux version works, though.
further information
- PDFs from Allied Telesis:
- Hacking together a dual-stack lite AFTR: (ab)using connmarks and policy routing, Tim Stallard, April 17th, 2018 (Archive.org, Archive.today)
Glossary
Term | Meaning
---|---
AFTR | Address Family Transition Router (softwire concentrator) in the service provider's network. The IPv6 tunnel (RFC 2473) endpoint that performs the NAT44 (RFC 6333).
B4 | Basic Bridging BroadBand element (softwire initiator): the CPE side of DS-Lite, which builds the IPv6 tunnel (RFC 2473) to the AFTR.
CPE | Customer Premises Equipment
see also: network glossary