Extend IPv4 and Ease the Transition to an IPv6 World
Transcript of Extend IPv4 and Ease the Transition to an IPv6 World
Confidential | Do Not Distribute 3
Exponential Rise in Devices, Users & Traffic
Extend IPv4 & Mitigate to IPv6
INTERNET TRAFFIC
DIGITAL CONTENT
IPV6 CONTENT
INTERNET OF THINGS
MOBILE SUBSCRIBERS
5.8 Billion by 2025. 70% of global population
IPv6 ADOPTION
30% of users access Google via IPv6
As of Dec. 2019
Source: Google
IP TRAFFIC PER MONTH
By 2025, monthly traffic will be 560 EB, 3X larger than 2019
Source: Ericsson Mobility Report, Q4 2019
TOTAL OF CONNECTED DEVICES
By 2025, the total IoT devices connected to the Internet will reach 25 Billion
Source: GSMA, Mobile Economy 2020
Depletion of IPv4 Address Space
• ARIN’s free pool of IPv4 addresses depleted in September 2015
• Waiting list for IPv4 addresses
• Allocation of maximum-size aggregate limited to /22
• Average price increased over 4X in last five years
Average Price of IPv4 Address
2015: $6
2018: $17
Mar 2019: $18
Apr 2020: $20-$25
Source: Heficed, IPv4Marketgroup
“Field experts and RIRs I have been talking to predict that one IPv4 address might be sold for as much as 35 dollars in the future.”
Vincentas Grinius, CEO of Heficed, an IP address-centric company
Status of IPv6 Adoption
• Percentage of users that accessed Google over IPv6:
  • <1% (Jan 2012)
  • 29.85% (April 5, 2020)
IoT – Ultimate Driver for IPv6 Global Adoption
BYOD IN ENTERPRISE & INTERNET
CONNECTED CAR, EBOOK, GAME CONSOLE, MOBILE, DIGITAL WEIGHT SCALE, SURVEILLANCE CAMERA, DIGITAL DVD RECORDER, HEART RATE MONITOR, TV ANYWHERE
• IP Address Proliferation:
  • More users, devices & applications
  • BYOD in enterprise & smart homes
• Internet of Things Adoption
  • 93% of enterprise will adopt IoT Technology
  • Every second, 127 ADDITIONAL IoT devices are connected to The Internet
• Massive acceleration towards IPv6
  • 80% of US smartphones use IPv6
  • IPv6 advantages for IoT
    • 340 undecillion addresses available
    • Preserves battery life of IoT devices
    • Reduces administrative and maintenance burden
What Network Operators Want
Extend the Life of IPv4 Network Infrastructure
Flexible Deployment Options for IPv6 Migration
Integrated DDoS Security
Efficient Network Transformation
Carrier Grade Networking
High-Performance IPv4 Preservation and IPv6 Transition Technologies
Extend the Life of IPv4 Network Infrastructure
Application Reliability & Security
Flexible Deployment Options for IPv6 Migration
Secure, Always-on Experience With Lower Total Cost of Ownership (TCO)
A10 CGN Capabilities
High-Performance IPv4 Preservation and IPv6 Transition Technologies
Carrier Grade Networking
Extend IPv4
Application Reliability & Security
IPv6 Transition
Visibility - sFlow, Netflow, aXAPI, CGN Logging, CEF, Analytics, One-DDoS Detection
Comprehensive Feature Set
• Standardized CGNAT
• Comprehensive IPv6 migration techniques
• Integrated DDoS protection
• Application & Subscriber awareness
High Performance
• 384M concurrent sessions
• 385 Gbps throughput
• Cluster of up to 3.08 Tbps
Efficient & Flexible Form Factors
• Physical, Containers, Bare Metal & Virtual
• Scaleout cluster
• Best industry footprint: 1-3 RU
• All inclusive license
A10 Thunder CGN Portfolio
Flexible Deployment Options
CGN
Note: For the complete range of CGN products refer to the Datasheet
200 Mbps to 100 Gbps
Virtual, Bare Metal, Appliances
5 Gbps to 385 Gbps 10 Gbps to 60 Gbps
Containers
Up to 180 Gbps
• High-performance appliance for your most demanding requirements
• Thunder SPE Appliances: Security and Policy Engine (SPE) delivers ultra-high-speed security and policy enforcement
• Container native deployment (Docker, Kubernetes)
• FlexPool licensing
• Customer choice of off-the-shelf hardware
• FlexPool licensing
• VMware, Hyper-V & KVM hypervisors
• KVM: DPDK, SR-IOV, PCI Passthrough
• FlexPool licensing
Advanced Core Operating System (ACOS)
IPv4 Preservation – Leverage Existing IPv4 Infrastructure
• Uses CGNAT (Carrier-Grade NAT) feature
• Allows oversubscribing limited IPv4 addresses
• Transparent IPv4 connectivity
• Enables providers to limit ports per subscriber
• Seamless user experience
Thunder CGN
Consumer NAT/Private IPv4 Address
Private/CGN Scoped IPv4 Address
Enterprise: NAT44
Service Provider: NAT444
Mobile Provider: NAT44
Service Provider or Enterprise IPv4 Network
Public IPv4 Address
IPv4 Internet
IPv6 Migration – Broad Transition Options
• Ensures IPv6 <-> IPv4 communication with various encapsulation or translation mechanisms
• Interplay for phased transition
• Seamless user experience
• Preservation and migration solutions:
  • 6rd, Stateful NAT64/DNS64, Stateless NAT46, DS-Lite/LW4o6, MAP-T and MAP-E
Clients: 6rd
6rd/DS-Lite/NAT64/DNS64/MAP-T/MAP-E
Clients: MAP-T, MAP-E
DS-Lite/LW4o6
Clients: NAT64/DNS64
Internet
Thunder CGN
IPv6 Migration – Supported Technologies
• Encapsulation:
  • 6rd
  • DS-Lite
  • LW4o6
  • MAP-E
• Translation:
  • NAT64/DNS64
  • NAT46
  • MAP-T
[Diagram: Subscriber, Access/Core, Translation and Destination networks for 6rd, NAT64/DNS64 (Stateful), Stateless NAT46, DS-Lite/LW4o6 and MAP-T / MAP-E]
Integrated DDoS Protection for CGNAT IP Pools
• Protect network infrastructure and CGN device
  • Volumetric traffic to the network device and public/IP NAT pools
  • Attackers target well known ports
• Protect against attacks from outside
  • Traffic to internal host and service behind NAT
  • Need to inspect good and bad traffic destined to internal hosts and services
• Protect against attacks from inside
  • Traffic from compromised internal host
Application Integrity
ALG support for legacy and emerging apps
• Encapsulating Security Payload (ESP)
• File Transfer Protocol (FTP) Enabled by default
• H.323 standard (H323)
• Media Gateway Control Protocol (MGCP)
• Point-to-Point Tunneling Protocol (PPTP) Generic Routing Encapsulation (GRE)
• Real Time Streaming Protocol (RTSP)
• Session Initiation Protocol (SIP)
• Trivial File Transfer Protocol (TFTP)
Provides necessary visibility into packet payload
Protocols carrying apps remain functional
Superior Logging Capability
• Logging and LEA Compliance
  • Compliance with Law Enforcement Agency (LEA) requests
  • Tools for high-speed logging that dramatically minimize log volume
  • Security: Identify hackers by IP
  • Traffic mirroring
• High Availability for Business Continuity
  • Stateful session synchronization
  • Ensures active sessions maintained during failover
  • Meet Service Level Agreements (SLA) and user satisfaction
CGNAT Scaleout – Traffic Distribution
• “Add as you grow” capability
• Cluster of up to 8 devices
• Expand NAT pool capacity
• Increase performance and scale
• Built-in high availability with seamless failover without service interruption
CGNAT Cluster
Outbound traffic distribution by upstream node using ECMP hash
Inbound traffic arrives on a specific cluster node based on advertised NAT address route
Users/ Subscribers
Internet
BGP is used to send traffic to upstream
Ease of Use & Management
Command Line Interface (CLI)
DevOps/NetOps Ready
Graphical User Interface
Harmony Controller Centralized Management & Visibility
• Fewer screens and steps for tasks
• Intuitive and easy to use
• Familiar command structure
• Easy to use, comprehensive help
• Extensive APIs and full operations management tools
• For control, programmability and troubleshooting
A10 Harmony Controller
Alerts and Events
CGN Analytics
Traffic Metrics
Infrastructure Health
Data Center Private Cloud Public Cloud
HARMONY CONTROLLER
API
Device Configuration
Monitoring Rules
Traffic Policies
Security Policies
Thunder CGN
Centralized Management
CGN Service Analytics
Workflow Automation
Orchestration
Harmony: CGNAT Real-Time Analytics
Subscriber Session Insights
• Average number of active subscribers
• Session opening/closing rates - Behavioral indicators of potential DDoS attack
• Traffic throughput and packet rate for both uplink and downlink traffic
CGNAT & Infrastructure Resource Tracking
• Mappings per protocol & technology - Behavioral indicators of potential botnet DDoS attack
• Utilization of Control CPU, Data CPU & Memory over period of time along with peak values
• Real-time analytics summarizing key performance indicators
Quick Summary
Harmony: CGNAT Troubleshooting Simplified
Top Consumers of Network Resources
• Top subscribers with IPv4 addresses in Uplink or Downlink sorted by volume, packets, and sessions, calculated using sampled logs sorted as per time and percentage.
• User Quota Exceeded: The time series and histogram for user session quota exceeded by quota types: TCP, UDP, ICMP, Extended, Data Sessions or Session Rate.
Port Mapping Analytics
Throughput Time Series
• Throughput time series for total traffic or protocol traffic filtered by Uplink or Downlink measured on subscriber side.
The Synergy in Deploying ADC, CGN & Firewall Together
All-inclusive License with Thunder CFW
• Operational Simplification & Accelerated Rollout - Reduced TCO
• Flexible CGN deployment by Reducing Spares - Cost Effective
• Single-Vendor Solution – Troubleshooting Made Easier
Data Center
Thunder CFW
Competitive Overview
A10 | Alternatives
Basic CGNAT
Advanced CGNAT (Sticky NAT, User quotas, EIM/EIF, Hairpinning, Protocol Port Overloading, Fixed-NAT etc.) Partial
Rich IPv6 migration options (NAT64/DNS64, 6rd, DS-Lite, LW4o6, EM/EIF etc.) Partial
High performance/price Partial
Flexible deployment options (physical, container, bare-metal, virtual) Partial
Small footprint, power & cooling
Integrated DDoS protection for NAT pools
Large number of partitions without additional licensing cost Partial
A10 HELPS SKT ACHIEVE 5G LEADERSHIP
• Largest MNO in South Korea
  • First to launch 5G in April 2019
  • All 5G Traffic goes through A10
  • Worked with A10 for CGNAT in 4G LTE network
• Challenges for 5G Launch
  • Support devices that still used IPv4 addressing, while providing a clear migration path to IPv6 at the edge.
  • Needed consolidated CGN and security solution that would seamlessly integrate with its new vEPC
• Stringent Functional Requirements
  • Consolidated CGNAT and Security (NAT64/464XLAT)
  • Seamless integration with vEPC
  • 200 Gbps + 135M CPS
  • Stringent low latency
  • Support 1M subs/square kilometer
• Solution Elements
  • CGN (with CFW)
  • GiFW (with CFW)
  • Harmony Controller
  • Thunder ADC
“A10 Networks’ high reliability, which was proven in our 4G/LTE service network over the past years has shown the best performance in handling not only NAT44 but also NAT64 traffic with no service interruptions. A10 Networks was the only solution that satisfied 100 per cent of our requirements.”
Se Wook Kim, Director of the Core Engineering Team, SK Telecom
“The higher performance and more advanced features of the A10 Networks Thunder CFW PNF were a key part of our conclusion so we could guarantee the quality of services”
Summary: Comprehensive IPv4 Preservation & IPv6 Migration Options
• Extend the life of IPv4 network infrastructure
• Provides flexible deployment options for IPv6 migration
• Security with integrated DDoS protection
• Superior logging capability
• Best-in-class performance scalability
• Efficient & flexible form factors
Flexible IPv6 Migration Options
Integrated DDoS Protection
Extend IPv4 @scale
Efficient & Flexible Form Factors
Use Case: Stadium Wireless/Mobile Offload
DNS Load Balancing for IP address management (IPAM)
Subscriber authentication and authorization, Logging
Carrier Grade Network Address Translation (CGNAT)
Use Case: Client Security Camera Access
Port Control Protocol / Layer 7 URL switching
Carrier Grade Network Address Translation (CGNAT)
Use Case: Smart Meter Telemetry (IoT Utility)
Ensure IPv6 only smart meters access to IPv6 server nodes over IPv4 cloud
Secure tunneling mechanism for IPv6 end-points to talk over an IPv4 infrastructure
IPv6 Only Smart Meters
IPv6 Servers
Thunder CFW
6in4 Tunneling Support over IPsec
Why A10?
• Small footprint (1RU), lower power consumption: 30% OPEX reduction
• Higher NAT session capacity
• HA session synchronization – no service interruptions
• Feature rich
• Dynamic deep packet buffer for micro-burst traffic flows
• Highly reliable and stable
• < 0.1% of field failure rate
Largest Mobile Network Operator in Korea
Challenges
• Future proof IPv6 migration solution
• Preparing for 5G services launch
• Procure cost effective network infrastructure
Results
• Deployed 64-bit 1U appliances with standard CLI, intuitive GUI
• Proposed “Thunder 4430S for Mid-Range” & “Thunder 6430 for Large Capacity”
• HA pair with stateful and fast failover ensures constant connectivity
• Utilized A10 CGN for NAT44 & NAT64/464XLAT
• QPS Provider (Quadruple Play Services: Voice, Broadband, IPTV & Mobile)
• 25M smart device subscribers
INTERNAL ONLY
CASE STUDY
IPv4 Preservation / IPv6 Migration Solution
PGW PGW PGW PGW
SGi-BB
HA
One of the Largest Mobile Network Operators in Asia
Challenges
• Required reliable security SGi Firewall System to protect Mobile Core
• Consistent 60 Gbps+ throughput with advanced features
Why A10?
• Met SGi Firewall RFP requirements for advanced HA, firewall Logging, integrated security and v4/v6 Support
• Customer tests showed superior performance vs two leading competitors
  • Including ~60/~80% lower latency, ~40/~80% less CPU Utilization
• All-inclusive license and converged functionality for lower TCO
INTERNAL ONLY
Business Profile
• Tens of millions of Smart Phone Subscribers (4G LTE + 3G)
• Quad-Play Services Provider (Voice + Broadband + IPTV + Mobile)
CASE STUDY
Why A10?
• Proven Install base of CGN customers worldwide
• Throughput of 75Gig at 50% CPU utilization with CPS at 150K
• Efficient scaling to support large and growing subscriber base
• Better price performance over F5 demonstrated with Thunder 6630
Largest LTE Operator in APAC
Challenges
• Scale existing IPv4 services for growing smartphone usage
• Overcome exhaustion of public IPv4 addresses
• LSN deployment for LTE & Wi-Fi Subscribers
• Installed F5 VIPRION 2400 Chassis for CGN did not deliver on committed throughputs
Results
• Solution deployed in Active-Active with N+M Architecture (N = Active & M = Backup)
• NAT 44 (LSN) will be deployed today & IPv6 Migration will be deployed in future (NAT 64, XLAT)
• MAP-T planned for next phase FFTX deployment
• NAT session logging as per government regulations
• All-IP Network providing high speed mobile internet services including video, email and web
INTERNAL ONLY
CASE STUDY
EPC IMS/OTT
Switch 1 Switch 2
Service Router 1
Service Router 2
A10-1 (N)
A10-2 (N)
A10-3 (N)
A10-4 (N)
A10-5 (N)
IBR
Aggregation Router
CGN Syslog Server
Nexus Switch
SKYCable CGNAT
Challenges
• Address imminent IPv4 address exhaustion
• Procure cost effective network infrastructure
• Future proof solution for future IPv6 migration
• Required small datacenter footprint
Results
• Deployed 64-bit 1U appliances with standard CLI, intuitive GUI
• Utilized A10 CGN to secure needed IPv4 address expansion
• Subsequently added A10 ADC offerings for server load balancing
• Largest cable provider in the Philippines with 500K subscribers
• Introduced SKYBroadband Internet service with 200Mbps speeds
INTERNAL ONLY
CASE STUDY
Large North American Mobile Carrier
Challenges
• Scale existing IPv4 services for growing smartphone usage
• Overcome exhaustion of public IPv4 addresses
• Ensure smooth migration to IPv6
• Provide app transparency for peer-to-peer and streaming
Results
• HA pair with stateful and fast failover ensures constant connectivity
• Reduced required public IPv4 usage by 90 percent
• Transparent apps support enabled P2P and client/server apps
• 10X scalability advantage with 256 million concurrent sessions
• Plans to implement NAT64/DNS64 for IPv6 clients/IPv4 content
• Provide high value services including video, email and web
INTERNAL ONLY
A10 consolidates private IPs to a fraction of public IPv4 addresses
IPv4 Internet
Thousands of private IPv4 addresses
Mobile carrier’s private IPv4 network
IPv6 addresses
Mobile carrier’s private IPv6 network
A10 translates to IPv4 addresses
IPv4 Internet
192.0.n.n
2001:0DB8:AC10:FE01
2001:0DB8:AC10:FE02
2001:0DB8:AC10:FE03
2001:0DB8:AC10:FFFE
CASE STUDY
How CFW Protects Mobile Environment
• Gi/SGi Firewall to protect against attacks from the internet to the mobile core
• GTP, SCTP Firewall to protect EPC/MME infrastructure
• GTP Firewall to protect mobile core from attacks originating from mobile devices (rate-limiting)
• IPsec to secure cell-site traffic for Mobile Backhaul Protection
• IPsec to enforce Wi-Fi offload interconnect protection
• High performance firewall with integrated CGN, DDoS protection & high-scale IPsec VPN termination
• Low Footprint
• High Throughput
• Higher Connections Per Sec (CPS) and concurrent connections
• CGNAT with ALG support
• Fast connections with low latency & lower CPU utilization
• GTP, SCTP protocol support
• IPsec VPN support
THE NEED
Carrier-class Firewall with the following:
KEY METRICS
Efficient Gi-LAN with GiFW
SUBSCRIBER AWARENESS
INTELLIGENT TRAFFIC STEERING
[Diagram labels: THUNDER CFW, Gi/SGi LAN Consolidation, EPC, Internet, SGW, PGW, MME, eNB, gNB, DPI, FIREWALL, CGNAT, Gi/SGi FIREWALL, ADC, EPDG]
THUNDER CFW WITH INTEGRATED FIREWALL, CGNAT, DDoS PROTECTION & APPLICATION VISIBILITY
Advantages of Consolidation
Optimized Infrastructure
• Compute: Single Lookup
• Memory: Single Session table
• Increases performance
• Optimum use of hardware platforms
Lower TCO (1)
• Lower CapEx:
  - Higher performance/device (thus fewer devices)
  - Flex pricing (bandwidth, subscriber)
  - up to 15%
• Lower OpEx:
  - via consolidation of NF’s & automation (ML): 35%
Lower Latency
• Single hop network
• Consolidated ALG application
(1) Note: Reference White Paper by Ericsson “Dual Mode Core: TCO Benefits”, Consolidation of NF into one VNF yields up to 15% capex reduction and 35% in opex
Orion 5G Security Suite
Gi-LAN
gNB
eNB
GRX/IPX
MEC(Edge Cloud)
Virtual Evolved
Packet Core
Continuous Leadership In Cloud Native Technology
• 2019 Product Announcements
  • 180 GBPS Firewall Container
  • 100 GBPS Virtual DDoS Protection
  • Zap – behavioral
  • High Performance VNFs across Portfolio
  • Expanded CFW Suite - Now Shipping
• Carrier Class Firewalls – SGi, GTP/Roaming, EPC
• Security Gateway
• GTP Director
FlexPool – Capacity Pool Licensing
• Flexible Allocation
  • Shared capacity pool
  • Dynamically scale capacity (no reboot required)
  • User defined Instance sizes
• Investment Protection
  • License portability
  • Eliminate overprovisioning
  • Software upgrades & maintenance included
Aligns Consumption with Business Needs