The (Unofficial) CCNP-SP Study Guide

MAP (Mapping of Address and Port)


Last updated 11 months ago

Theory

MAP is an evolution of DS Lite. The idea behind MAP is that the NAT44 function moves to the CPE. Using algorithmic mapping of IPv4 into IPv6 (MAP-T), or encapsulation of IPv4 into IPv6 (MAP-E), the NATed IPv4 traffic is tunneled in an IPv6-only network to the BR (border relay). The BR knows the algorithm that is being used, so the BR is now stateless.

Both DS Lite and MAP allow a service provider to phase out IPv4 in their internal network, or deploy greenfield IPv6-only networks. Customers using IPv4 must still traverse the IPv6-only network during the transition period. DS Lite and MAP transport the customer IPv4 traffic over an IPv6-only service provider access network.

  • MAP with Encapsulation mode. This is very similar to DS Lite, except the NAT44 function moves from the BR to the CPE. The BR forwards statelessly.

MAP-T (Translation)

In this transport mode, the IPv4 traffic is translated into IPv6 in a similar manner to 6RD. It is an algorithmic translation so that the BR can statelessly translate from IPv6 to the IPv4 address and vice versa on return traffic. This adds 20 bytes to the packet: the IPv6 header is 40 bytes and the IPv4 header is 20 bytes, so translating the IPv4 header into IPv6 adds 20 bytes.

MAP-E (Encapsulation)

In this transport mode, the IPv4 traffic is encapsulated in an IPv6 header. This adds 40 bytes to the packet. The BR extracts the original IPv4 packet and forwards it natively. For return traffic, the BR algorithmically determines the IPv6 destination and tunnels the packet back to the CPE.

Stateless Nature

The beauty of MAP is its stateless nature. DS Lite requires a CGNAT device that has to hold a lot of state for all the translations it performs. In contrast, the BR in MAP simply does stateless translation. Due to the algorithmic nature of the mapping between IPv4 and IPv6 there is no state for the BR to hold. This is similar to 6to4 and 6RD.

Shared IPv4 Addresses

How do multiple separate CPEs perform NAT using a single shared IPv4 address?

The answer is that each CPE only uses a defined set of source ports. 50 different CPEs can share a single public IPv4 address as long as each one only uses a unique range of source ports when source NATing customer traffic.

The port range each CPE uses is also algorithmically determined in order to keep everything stateless. The port range is called the PSID (port set identifier), which we will see in more detail soon.

Customer IPv6 traffic

Just like in DS Lite, customer IPv6 traffic flows natively.

How it works

Let’s dive into how this algorithmic stateless mapping actually works. In order to keep everything stateless, there are “rules” that let the CPE and BR derive everything by algorithmic calculation instead of keeping state.

MAP Domain

Each deployment needs a MAP domain. A MAP domain includes the following parameters. These are learned by the CPE via DHCPv6.

  • Rule IPv6 Prefix

    • This is the overall IPv6 block that is used to assign end user prefixes.

  • Rule IPv4 Prefix

    • This is the pool of public IPv4 addresses that will be shared among the CPEs. This is essentially just the IPv4 source NAT pool.

  • EA (Embedded Address)

    • This is used in the algorithm to determine the mapping of the address and the ports. This is just a value representing the number of bits to use in the algorithm. This is how the CPE determines what public IPv4 address to use out of the pool, and which source ports to use for NAT.

  • BR Address or Prefix

    • For MAP-E, this is the BR address. IPv4 traffic is encapsulated in IPv6 with the BR as the destination.

    • For MAP-T, this is the BR prefix. This is very similar to the prefix used for translation in 6RD. In 6to4 it is the well-known prefix of 2002::/16. The IPv4 destination address is embedded into an IPv6 address using the BR prefix.

Port range calculation:

  • This is done using the PSID (Port Set ID). The PSID is determined algorithmically based on the IPv6 prefix delegation which we will see below. This is not advertised in DHCPv6. The PSID is used in a formula to determine which ports are available to the CPE for source NAT.

Example CPE scenario

  • IPv6 prefix delegation (via DHCPv6) = 2001:db8:819::/48

  • Rule IPv6 Prefix = 2001:db8::/32

  • Rule IPv4 Prefix = 192.0.2.0/24

  • EA length = 16

Notice that the PD is a /48 and the rule IPv6 prefix is a /32. There are 16 extra bits in the PD compared to the rule prefix. This is our EA. The 16 extra bits of the PD (0x819) are used to calculate the public IPv4 index and the PSID value.

Because the IPv4 prefix is a /24, which leaves us with 8 host bits, the first 8 bits of the “extra bits” in the PD are the index of the IPv4 address. The remaining bits are the PSID value.

  • 819 in binary is 0000 1000 0001 1001

  • 0000 1000 = 8, the CPE calculates that the IPv4 address is 192.0.2.8 (192.0.2.0/24 with an index of 8)

  • 0001 1001 = 31 which is the PSID value

The PSID value is then used to determine the available source ports to use. The math behind this is a little more complicated and not really worth going into, but the RFCs do detail this if you’d like to see.
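The port-set math for the example CPE scenario, worked through in Python as an added example (not code from the original guide). It follows the port layout in RFC 7597 section 5.1 and assumes the RFC's default PSID offset of 6 bits, which the page does not state; the function names are this example's own.

```python
import ipaddress

def decode_ea(pd, rule_v6, rule_v4, ea_len):
    """Split a delegated prefix's EA bits into (public IPv4, PSID, PSID length)."""
    pd, r6, r4 = (ipaddress.ip_network(x) for x in (pd, rule_v6, rule_v4))
    if not pd.subnet_of(r6) or pd.prefixlen != r6.prefixlen + ea_len:
        raise ValueError("delegated prefix does not fit the rule")
    # The EA bits sit directly after the rule IPv6 prefix (0x0819 in the scenario).
    ea = (int(pd.network_address) >> (128 - pd.prefixlen)) & ((1 << ea_len) - 1)
    psid_len = ea_len - (32 - r4.prefixlen)   # EA bits left after the IPv4 suffix
    if psid_len < 0:
        raise ValueError("EA length shorter than the IPv4 suffix")
    # 0x0819 -> suffix 0x08, PSID bits 0001 1001 = 0x19 (25 in decimal)
    return r4.network_address + (ea >> psid_len), ea & ((1 << psid_len) - 1), psid_len

def port_ranges(psid, psid_len, offset=6):
    """Port ranges owned by one PSID; each port is A | PSID | j (RFC 7597, 5.1)."""
    m = 16 - offset - psid_len                # contiguous low bits (j)
    if offset < 1 or m < 0:
        raise ValueError("unsupported offset / PSID length")
    ranges = []
    for a in range(1, 1 << offset):           # A = 0 (ports 0-1023 here) is skipped
        first = (a << (16 - offset)) | (psid << m)
        ranges.append((first, first + (1 << m) - 1))
    return ranges

def attribute(public_ip, port, rule_v6, rule_v4, ea_len, offset=6):
    """Reverse lookup without state: public IPv4:port -> delegated prefix."""
    r6, r4 = ipaddress.ip_network(rule_v6), ipaddress.ip_network(rule_v4)
    ip = ipaddress.ip_address(public_ip)
    psid_len = ea_len - (32 - r4.prefixlen)
    if ip not in r4 or port >> (16 - offset) == 0:
        return None                           # outside the pool, or an A = 0 port
    psid = (port >> (16 - offset - psid_len)) & ((1 << psid_len) - 1)
    ea = ((int(ip) - int(r4.network_address)) << psid_len) | psid
    pd_len = r6.prefixlen + ea_len
    base = int(r6.network_address) | (ea << (128 - pd_len))
    return ipaddress.IPv6Network((base, pd_len))

# Values from the example CPE scenario above.
RULE = ("2001:db8::/32", "192.0.2.0/24", 16)

if __name__ == "__main__":
    ip, psid, psid_len = decode_ea("2001:db8:819::/48", *RULE)
    r = port_ranges(psid, psid_len)
    print(ip, hex(psid), r[0], r[-1], len(r))
    print(attribute("192.0.2.8", 1125, *RULE))
```

For the example CPE this yields 63 ranges of 4 ports each, from 1124-1127 through 64612-64615. The reverse lookup is the calculation a BR, or anyone correlating a logged public address and port to a subscriber, can perform without a NAT session table.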

Conclusion

MAP uses somewhat complex formulas to algorithmically map between IPv4 and IPv6. MAP moves the NAT44 function off the BR (as it is in DS Lite) and onto the CPE.

Multiple CPEs share a single public IPv4 address, so each CPE receives a port mapping of available source ports they can use for NAT.

The BR is aware of the formula to determine the port mapping, and can therefore do stateless translation between IPv4 and IPv6.

This topic was quite complex for me. I had to spend 2-3 days reading the RFCs and watching Jordan Gottlieb’s presentations. I highly recommend multiple readings and viewings to really understand how this works.

Further Reading

https://www.youtube.com/watch?v=l9xI83vwCBg&ab_channel=RockyMountainIPv6Taskforce
https://www.youtube.com/watch?v=ZmfYHCpfr_w&t=497s&ab_channel=NANOG
https://datatracker.ietf.org/doc/html/rfc7597
https://datatracker.ietf.org/doc/html/rfc7599