TechOnTip Weblog

Run book for Technocrats

Archive for the ‘IPv6’ Category

IPv6 Transition – DS-Lite

Posted by Brajesh Panda on January 3, 2013

Click here for other Direct Access related articles.

As promised in my last NAT/64/DNS64 article, in this article we will be discussing a technology called DS-Lite used for IPv6 Transition. This technology is used for IPv4 Communication over IPv6 network.

I found this nice article by Kapil Digani from Citrix Blog. I am going just re-blog the same original piece. He also wrote few other good articles. You may like to refer to the original
All Credit goes to him.


In IPv6 blog series we have covered transition technologies NAT64 – that allows IPv6 hosts to communicate with resources on IPv4 network and 6rd – that allows IPv6 traffic to be tunneled over IPv4 network. When service providers want to migrate their core network to IPv6, they need to ensure that existing IPv4 users continue to get access to IPv4 internet as before. This is where DS-Lite comes in – it is a tunneling technology that encapsulates IPv4 packets in IPv6 transport to be delivered to final IPv4 destination. DS Lite combines IPv4-in-IPv6 tunneling with NAT – NAT does the IPv4-IPv4 translation before sending packets to public IPv4 network.

DS-Lite enables service providers to natively allocate IPv6 addresses to new customers while continuing to support IPv4 customers. Main functional components involved in DS-Lite are B4 (Basic Bridging BroadBand) and AFTR (Address Family Translation Router) as shown in figure below:

In a DS Lite enabled network, customer premise device provides B4 functionality. Customer device allocates private IPv4 addresses to hosts in the home / customer networks. B4 connects with service provider access network using the IPv6 address allocated by service provider and uses this IPv6 address to establish tunnel with the AFTR device.

AFTR is usually deployed at the edge of service provider IPv6 network and terminates the tunnel created with customer B4 element. AFTR also provides IPv4-IPv4 NAT to translate customer private IPv4 address to public IPv4 address before sending packets out to the public network.

Following sequence describes the connection establishment process using DS Lite:

  1. Host with private IPv4 address initiates a connection to a resource on the public internet
  2. Traffic is sent to B4, which is the default gateway
  3. B4, using its service provider network facing IPv6 addresses establishes the tunnel with AFTR. Address of the AFTR can be pre-configured or can be discovered using DHCPv6
  4. B4 encapsulates the IPv4 packets in IPv6 transport and sends across to AFTR
  5. AFTR terminates the tunnel and de-capsulate the IPv4 packet
  6. AFTR device performs IPv4-IPv4 NAT before sending traffic to the destination IPv4 network

There are many benefits that DS Lite provides:

  1. A lightweight solution to allow IPv4 connectivity over IPv6 network
  2. Avoids the need of multiple levels of NAT as in case of LSN
  3. Allows service providers to move their core and access networks to IPv6 thus enabling them to benefit from IPv6 advantages
  4. Allows coexistence of IPv4 and IPv6
  5. Helps resolve IPv4 address scarcity issue
  6. Allows incremental migration to native IPv6 environment

But as always is the case, benefits don’t come without its own set of challenges:

  1. DS Lite does not provide IPv6 and IPv4 hosts to talk to each other
  2. Increases the size of traffic due to tunnel headers – requires MTU management to avoid fragmentation
  3. Need to manage and maintain bindings between customer addresses and public addresses used for translation in the AFTR device
  4. Brings in additional challenges for DPI in service provider network

Posted in Direct Access, IPv6 | Tagged: , , , | Leave a Comment »

Microsoft Direct Access – Basic Architecture Options

Posted by Brajesh Panda on December 29, 2012

Click here for other Direct Access related articles.

Microsoft  Direct Access 2012’s basic architecture options. Will add load balancer in next version. Let me know if I got something wrong or any other good suggestions.

Posted in Direct Access, IPv6 | Tagged: , , , , | 4 Comments »

Microsoft Direct Access – How DNS64 & NAT64 works?

Posted by Brajesh Panda on December 23, 2012

Click here for other Direct Access related articles.

As I said in my previous article Direct Access is an IPv6 only technology; Direct Access clients talk to Direct Access Server using IPv6 technologies. (Don’t forget this communication happens using IPv6 transition technologies i.e. IPV6 encapsulation in IPv4 packets.). As client to server communication happens using IPv6, Name lookup also happens using IPv6 & AAAA query. So if a internal server has IPv6 address it is easy for the client to start communication. But if internal server is only IPv4 configured, how it will communicate. This is where DNS64 and NAT64 come into the picture.  So NAT64/DNS64 are needed when you want to have IPv6 communication over IPv4 network. For other way round look forward to next article.

  • So IPv6 enabled DA Clients send an IPv6 host resolution query (AAAA Query- Quad A query) to Direct Access Server.
  • In Direct Access Server DNS64 (DNS 6 to 4 Proxy) accepts this query & contact internal corporate DNS server as per Direct Access Servers own internal DNS IP Address config.
  • Internal corporate DNS server hands over either IPv6 or IPv4 or both addresses for the internal destination application server to DNS64. This depends on what kind of address internal app server is registered with internal dns server.
  • If DNS64 receives both IPv6 & IPv4 address it hands over the IPv6 address to DA Client. DA Client starts communication to that IPv6 address of destine application server.
  • If DNS64 receives only IPv6 address from the internal Corporate Server, it hands over that IPv6 IP to the Direct Access Client. DA Client starts communication to that IPv6 address of destine application server.
  • If DNS64 receives only IPv4 address from the internal corporate server, it cannot hand over that to Direct Access client; because DA client is not aware of IPv4 address. So it handover that address to NAT64 service in the same server.
  • NAT64 service converts that IPv4 address to IPv6 by using it’s configured IPv6 Prefix
  • Then DNS64 hand over the translated IPv6 address to the DA Client
  • Then DA Client sends it’s communication to above IPv6 address thru Direct Access Server
  • In Direct Address server NAT64 captures the IPv6 communication packets as it is carrying it’s NAT64 prefix.
  • Then NAT64 removes its proxy and creates an IPv4 payload of same data and forwards to the destination application server.
  • When NAT64 receive a reply for that packet, again it creates IPv6 address using prefix & forward to Direct Access client & continues.
  • Just to remember; When Direct Access Server is load balanced, these translation packets carry same nodes address so reply come to the same node, which did the translation.
  • Here is a nice article about this functionality with some good picture;
  • In Windows 2008 R2 version Direct Access, DNS64 & NAT64 were not inbuilt so had to use UAG or any other 3rd party product and in UAG we have to configure NAT64 prefix.
  • But in Windows 2012 NAT64 &DNS64 are integrated, so we don’t need UAG, Also we don’t need to configure any separate prefix per say.

Other Direct Access Articles

Microsoft Direct Access & IPv6 Transition Technologies

Posted in Direct Access, IPv6 | Tagged: , , | 13 Comments »

16 Million Unused IPv4 Address

Posted by Brajesh Panda on September 18, 2012

The UK Department for Work And Pensions (DWP) is sitting on a hoard of 16 million unused Internet IPv4 addresses, which could be worth as much as £600 million because they are in short supply, a petition says. Here is the story;


Posted in IPv6 | Tagged: | 1 Comment »

%d bloggers like this: