DS Lite (Dual Stack Lite)
Last updated
Last updated
DS Lite uses IPv4 in IPv6 tunneling along with NAT44 to allow a service provider to conserve IPv4 public address space, and also use IPv6-only in their core. While 6in4, 6to4, and 6RD involve tunneling IPv6 in an IPv4 network, DS Lite is the opposite. In DS-Lite you have a need to tunnel IPv4 customer traffic in an IPv6-only service provider access network.
The CPE is dual-stacked with a public IPv6 address and any private IPv4 address (RFC1918) on the client LAN side. Instead of the CPE preforming NAT44, a single CGNAT router preforms NAT44 or CGNAT. The CPE simply tunnels the un-NATed IPv4 traffic to the CGNAT router in IPv6.
The CGNAT router must create state not only for the NAT of the client’s IPv4 source address, but also needs to remember the IPv6 source address it received the tunneled packet from, in order to tunnel return traffic back to the CPE.
IPv4 traffic is tunneled through the IPv6 core. The CGNAT router will NAT the IPv4 RFC1918 traffic to a public IPv4 address. Multiple subscribers will share this single public IPv4 address.
IPv6 traffic flows natively
This the name for the function on the CPE which creates an IPv6 tunnel to the CGNAT router.
The CPE is dual-stack, and IPv6 internet traffic flows natively. IPv4 traffic from the customer will be any RFC1918 address. The CPE encapsulates the IPv4 traffic in an IPv6 packet and sends it to the CGNAT router. The CPE device does not preform NAT. A single CGNAT router, which is called the AFTR, preforms the NAT for all customers in the pool.
This is the endpoint of the IPv4-in-IPV6 tunnel. The AFTR preforms NAT for IPv4 traffic. This is the formal name for the CGNAT router in DS Lite.
The AFTR must keep state for the NAT it preforms and coorelate the NAT translation to the IPv6 source address. Return traffic must be NATed back to the RFC1918 address and then tunneled to the CPE (the B4 element).
Yes, the terms literally mean “before” (B4) and “after” (AFTR)!
Step 1.
Source IP
Destination IP
10.0.0.10
8.8.8.8
Step 2. (Tunneling IPv4 in IPv6 across the core)
Source IPv6 addr (outer)
Destination IPv6 addr (outer)
Source IPv4 addr
Destination IPv4 addr
CPE (2001:db8::100)
AFTR (2001:db8::50)
10.0.0.10
8.8.8.8
Step 3. (CGNAT)
Source IP
Destination IP
192.0.2.100
8.8.8.8
The AFTR router keeps state for:
Source IP 10.0.0.10
Source Port
Source IPv6 address (2001:db8::100)
DS Lite allows a service provider to deploy IPv6 in the access network instead of using the CGNAT /10 space. A very large service provider can easily run out of /10 space.
The CPE in DS Lite does not preform any NAT. It’s only requirements are to be dual stack, and to tunnel the IPv4 traffic directly to the AFTR device.
The AFTR device does the heavy lifting. The AFTR device must do stateful NAT, and in addition to the normal stateful NAT of remembing the source IP and port, also needs to remember the source IPv6 address in order to tunnel return traffic back to the CPE.
In the next article we will look at MAP, which is very similar to DS Lite but moves the NAT function off the AFTR device and onto the CPE.
https://www.rfc-editor.org/rfc/rfc6333
RFC6333 is quite concise and readable. I would highly suggest reading through it.
https://www.networkworld.com/article/2232181/understanding-dual-stack-lite.html