Overview:
What’s Inside
- Network Address Translation
- Tunneling
- Architecture
The worldwide proliferation of wireless and Internet-enabled devices has led to the rapid depletion of IPv4 addresses. One of the five RIRs (Regional Internet Registries) has exhausted its IPv4 allocations, and the rest are expected to deplete their pools within a few years; meanwhile, IPv6 adoption has been slower than predicted. Service providers need a solution that will help them manage IPv4 address depletion and increase network optimization by seamlessly migrating to IPv6.
F5 BIG-IP Carrier-Grade NAT (CGNAT) offers a broad set of tools that enables service providers to successfully migrate to IPv6 while continuing to support and interoperate with existing IPv4 devices and content. BIG-IP CGNAT offers service providers tunneling solutions with Dual-Stack Lite capabilities as well as native network address translation solutions, such as NAT44 and NAT64. It provides carrier-grade scalability by offering a very high number of IP address translations, very fast NAT translation setup rates, high throughput, and high-speed logging.
Key Benefits
Optimize network performance with carrier-grade performance and scalability
Ensure optimal, carrier-grade network performance during IPv6 migration. BIG-IP CGNAT scales to tens of millions of IP address translations, translation setup rates on the order of a million per second, and tens of gigabits of throughput. It further improves performance with high-speed logging (HSL). This lets you reduce spending, because you can meet your migration needs with fewer servers in the network.
Reduce servers and management costs
Achieve lower CapEx, OpEx, and power and cooling costs by optimizing your existing network infrastructure and consolidating core elements, including policy enforcement management, firewall, TCP optimization, and intelligent traffic steering with a unified, easy-to-manage platform.
Manage address depletion and IPv6 migration with flexible deployment options
Ensure compatibility in the network between legacy IPv4 and new IPv6 devices and content while having multiple ways to manage IPv4 address depletion and IPv6 migration. BIG-IP CGNAT offers greater flexibility to choose which migration strategy best fits your timeline.
Network Address Translation:
Network address translation in BIG-IP CGNAT enables you to continue delivering IPv4 connectivity and to handle high amounts of concurrent sessions as you manage IPv4 address depletion and plan for a seamless migration to IPv6.
NAT44
If you have yet to implement IPv6 and are primarily focused on extending the use of IPv4, the NAT44 feature of BIG-IP CGNAT lets endpoints keep using their own private IPv4 addresses behind the customer premises equipment (CPE). NAT44 translates the private IPv4 addresses allocated in the access network into public IPv4 addresses drawn from a public IPv4 pool on the CGN platform. In addition, BIG-IP CGNAT provides Deterministic NAT to reduce logging volume and requirements.
With endpoint-independent mapping, BIG-IP CGNAT supports tethered devices that require the same private IPv4 address to be consistently reused behind the same public IPv4 address. It does this by assigning the same external address and port to all connections from a given host that use the same internal port. Endpoint-independent filtering then determines which external hosts can connect to an internal host through that mapping.
NAT64
For service providers that have IPv6-only endpoints deployed in their network, BIG-IP CGNAT provides NAT64. The NAT64 feature enables service providers with IPv6 endpoints to seamlessly and transparently access IPv4 content and destinations by translating between IPv6 and IPv4 addresses.
464XLAT
While networks and devices migrate to IPv6, there are many applications and services that will continue to support only IPv4. This causes many interoperability challenges, especially with peer-to-peer communication services, even with the use of NAT64 and DNS64 technologies. With 464XLAT support, which builds on NAT64, service providers can deploy a simple and scalable technique that provides access to IPv4 services for mobile and wireline IPv6-only networks without encapsulation. BIG-IP CGNAT supports PLAT, which is the provider-side stateful translator that translates N:1 global IPv6 addresses to IPv4 addresses.
Port Control Protocol (PCP)
Applications that use peer-to-peer networks and multiplayer gaming services need to communicate through home and business gateways to operate. When service providers deploy NAT within their networks, these applications, which rely on protocols such as UPnP, may break in the presence of carrier-grade NAT. The PCP functionality in BIG-IP CGNAT allows these applications to keep operating seamlessly: UPnP traffic continues to work because UPnP messages are translated into PCP and relayed to the PCP server. PCP establishes an explicit dialog between the application and the CGNAT device to open or forward TCP or UDP ports, regardless of where the CGNAT device sits in the network. Applications can use a PCP client to talk directly to the CGNAT device running a PCP server.
DNS64
Complementing NAT64 is DNS64, provided by F5 BIG-IP Global Traffic Manager (GTM). DNS64 allows IPv6 hosts to see IPv4 destinations as IPv6 addresses. For DNS servers that receive requests for a domain’s AAAA records (IPv6) but only find A records (IPv4), DNS64 synthesizes the AAAA records from the A records and forwards them to the user, enabling networks with IPv6-only endpoints to continue accessing IPv4 and IPv6 content. In addition to DNS64, BIG-IP CGNAT interoperates with external DNS64 gateways, providing flexible deployment options in your network.
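The NAT64 and 464XLAT sections above rely on IPv4 addresses being embedded inside IPv6 addresses, and DNS64 is the resolver-side half of that arrangement. The following Python example is added here to show both halves; it is not F5 code and does not describe how BIG-IP GTM implements DNS64 internally. It assumes the RFC 6052 /96 embedding with the well-known prefix 64:ff9b::/96 (an operator-specific /96 works the same way), and all addresses in it are constructed documentation values.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix. An operator may configure its own /96 instead;
# the embedding rule is identical.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def _as_prefix(prefix):
    """Accept either an IPv6Network or a string such as '2001:db8:64::/96'."""
    if isinstance(prefix, ipaddress.IPv6Network):
        return prefix
    return ipaddress.IPv6Network(prefix)


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix.

    This is the synthesis a DNS64 resolver performs for each A record when a
    name has no AAAA records of its own.
    """
    prefix = _as_prefix(prefix)
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Reverse step performed by the NAT64 / PLAT: recover the IPv4 destination.

    Returns None for addresses outside the prefix, i.e. native IPv6 traffic
    that must be routed rather than translated.
    """
    prefix = _as_prefix(prefix)
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_answer(a_records, aaaa_records, prefix=WELL_KNOWN_PREFIX):
    """What a DNS64 resolver returns for an AAAA query.

    Genuine AAAA records are returned untouched; synthesis happens only when
    the name resolves to A records alone, so dual-stack content is reached
    natively and never pushed through the translator.
    """
    if aaaa_records:
        return list(aaaa_records)
    return [synthesize_aaaa(a, prefix) for a in a_records]


if __name__ == "__main__":
    # Constructed sample records: one dual-stack name, one IPv4-only name.
    print(dns64_answer(["192.0.2.1"], ["2001:db8::1"]))        # native AAAA wins
    print(dns64_answer(["192.0.2.1", "198.51.100.7"], []))     # synthesized
    print(extract_ipv4("64:ff9b::c000:201"))                   # back to IPv4
```

The `dns64_answer` rule matters operationally: if the resolver synthesized AAAA records even when real ones existed, IPv6-only subscribers would be sent through the NAT64 for content they could have reached natively.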
Application layer gateway support
In many IP applications, such as VoIP, webcams, and other SIP/RTSP-based services, the SIP or RTSP messages in the control plane carry the IP addresses used to set up the media flows. If those addresses are not translated when the SIP or RTSP service passes through NAT, messages fail to reach their destinations and voice and video sessions break. BIG-IP CGNAT offers application layer gateway (ALG) support by rewriting the IP addresses and ports in the control-plane messages, and it opens the associated pinholes for the media streams carrying the application payload by creating the necessary NAT mappings. This lets you translate SIP/RTSP-based services without disrupting video and voice calls.
BIG-IP CGNAT also offers ALG support for the Point-to-Point Tunneling Protocol (PPTP). This allows PPTP data to traverse NAT without being broken up and without requiring an F5 iRules or iApps template extension.
Logging
Legal and regulatory standards that require you to log all NAT entries can result in an excess of logging data to store. BIG-IP CGNAT offers extensive and flexible logging capabilities and can store information such as private-to-public IP address translation, URL/URI destination addresses, port numbers, times of day, and other session details that can be customized to meet your requirements and minimize logging storage.
BIG-IP CGNAT now supports Internet Protocol Flow Information Export (IPFIX), a more compressed NAT logging method than syslog. By using IPFIX, service providers can reduce the amount of data they have per log entry, thus minimizing their overall costs.
In addition, certain information, such as MSISDN, can be extracted from RADIUS accounting messages and inserted into logs. BIG-IP CGNAT can scale to support generating millions of logging records and exporting them to a system logging server, as well as providing load balancing and UDP monitoring of high-speed logging servers.
Port block allocation (PBA)
To decrease the amount of necessary logging, BIG-IP CGNAT offers port block allocation (PBA). PBA sets aside a set of ports for a private IP address and only needs to store logs twice for each set of ports—when the set is created and when it is closed.
Deterministic NAT
Logging records can place a significant burden on your infrastructure. While BIG-IP CGNAT can scale to support millions of logging records, it provides deterministic NAT to reduce logging infrastructure needs. With deterministic NAT, public IP addresses and ports are predetermined and defined for a given endpoint, and port allocation for a session is performed dynamically out of assigned blocks. This results in a minimum number of logs you have to generate and save.
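The port block allocation and deterministic NAT sections above both describe the same idea: a subscriber's public address and port range are fixed in advance, so per-session logging is unnecessary and only block events need recording. The Python model below is added here to make that concrete; it is not F5 code and does not reproduce BIG-IP's actual allocation algorithm, which this page does not describe. It assumes a simple linear layout (subscribers are spread across the public pool in order and the port range is divided equally), and the private range 100.64.0.0/24 and public pool 203.0.113.0/30 are constructed sample values.

```python
import ipaddress
import math


class DeterministicNat:
    """Deterministic NAT with per-subscriber port blocks (constructed model).

    Every private address gets a fixed public address and a fixed port block
    computable from the configuration alone, so a public (address, port) pair
    can be traced back to a subscriber without a per-session log. Sessions
    inside the block are still allocated dynamically; only block open/close
    events are logged.
    """

    def __init__(self, private_net, public_pool, port_low=1024, port_high=65535):
        self.private = list(ipaddress.IPv4Network(private_net))
        self.public = list(ipaddress.IPv4Network(public_pool))
        self.index = {addr: i for i, addr in enumerate(self.private)}
        self.port_low = port_low
        # How many subscribers share one public address, and how many ports each owns.
        self.hosts_per_public_ip = math.ceil(len(self.private) / len(self.public))
        self.block_size = (port_high - port_low + 1) // self.hosts_per_public_ip
        self.in_use = {}   # private ip -> set of public ports currently allocated
        self.log = []      # block-level records only, never one per session

    def block_for(self, private_ip):
        """Public address and inclusive port range assigned to a subscriber."""
        i = self.index[ipaddress.IPv4Address(private_ip)]
        public_ip = self.public[i // self.hosts_per_public_ip]
        start = self.port_low + (i % self.hosts_per_public_ip) * self.block_size
        return str(public_ip), start, start + self.block_size - 1

    def allocate(self, private_ip):
        """Pick a free port from the subscriber's block for a new session."""
        public_ip, lo, hi = self.block_for(private_ip)
        used = self.in_use.setdefault(private_ip, set())
        if not used:
            self.log.append(("block-open", private_ip, public_ip, lo, hi))
        for port in range(lo, hi + 1):
            if port not in used:
                used.add(port)
                return public_ip, port
        # A subscriber cannot spill into a neighbour's block; that would break
        # the reverse lookup. Real deployments size blocks to avoid this.
        raise RuntimeError(f"{private_ip}: port block {lo}-{hi} exhausted")

    def release(self, private_ip, port):
        """End a session; log the block close when its last port is freed."""
        used = self.in_use[private_ip]
        used.discard(port)
        if not used:
            public_ip, lo, hi = self.block_for(private_ip)
            self.log.append(("block-close", private_ip, public_ip, lo, hi))

    def reverse_lookup(self, public_ip, port):
        """Answer 'which subscriber used public_ip:port?' from configuration only."""
        try:
            pi = self.public.index(ipaddress.IPv4Address(public_ip))
        except ValueError:
            return None                      # not one of our public addresses
        if port < self.port_low:
            return None                      # below the translated range
        offset = (port - self.port_low) // self.block_size
        if offset >= self.hosts_per_public_ip:
            return None                      # leftover ports after the last block
        i = pi * self.hosts_per_public_ip + offset
        return str(self.private[i]) if i < len(self.private) else None


if __name__ == "__main__":
    # Constructed: 256 subscribers in 100.64.0.0/24 share 4 public addresses,
    # so each gets 1008 ports.
    nat = DeterministicNat("100.64.0.0/24", "203.0.113.0/30")
    print(nat.block_for("100.64.0.70"))
    print(nat.reverse_lookup("203.0.113.1", 7500))
```

The point for a regulator or abuse query is `reverse_lookup`: given the configuration and a public address and port, the subscriber is identified without consulting any log, and the only records kept are the two block events per subscriber.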
Hairpinning
Endpoints located behind the same NAT that communicate with each other still need to be translated at the CGNAT, so that traffic between them is not blocked because of its private addresses. Hairpinning lets two endpoints behind the NAT communicate by allowing packets arriving at the NAT from the private network to be translated and then looped back to the private network rather than passed through to the public network, which also reduces traffic to downstream infrastructure such as routers.
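The endpoint-independent mapping and filtering described under NAT44 and the hairpinning behaviour described above are all decisions made on the same NAT table. The Python model below is an added example, not BIG-IP code, that shows the three behaviours together: the mapping key deliberately omits the destination (EIM), inbound packets are admitted by a filtering policy, and a packet addressed to the NAT's own public address is translated and looped back inside. The addresses and the public address 203.0.113.10 are constructed.

```python
class Nat44:
    """Stateful NAT44 with endpoint-independent mapping, a selectable filtering
    policy, and hairpinning. Constructed illustration, not a product algorithm."""

    def __init__(self, public_ip, first_port=1024, filtering="endpoint_independent"):
        self.public_ip = public_ip
        self.next_port = first_port
        self.filtering = filtering        # "endpoint_independent" or "address_dependent"
        self.mappings = {}                # (int_ip, int_port) -> {"ext_port", "peers"}
        self.by_ext_port = {}             # ext_port -> (int_ip, int_port)
        self.log = []                     # one record per mapping, not per session

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private side.

        Endpoint-independent mapping: the key excludes the destination, so every
        connection from (src_ip, src_port) reuses the same external port. That is
        what lets a tethered device's peers all see one consistent public endpoint.
        """
        key = (src_ip, src_port)
        m = self.mappings.get(key)
        if m is None:
            m = {"ext_port": self.next_port, "peers": set()}
            self.next_port += 1
            self.mappings[key] = m
            self.by_ext_port[m["ext_port"]] = key
            self.log.append(("map", src_ip, src_port, self.public_ip, m["ext_port"]))
        m["peers"].add(dst_ip)
        ext_port = m["ext_port"]
        if dst_ip == self.public_ip:
            # Hairpin: the destination is this NAT's own public address, so the
            # packet is translated and looped back inside instead of leaving.
            # The receiver sees the sender's public (address, port), as it would
            # for any other external peer.
            target = self.inbound(self.public_ip, ext_port, dst_port)
            if target is None:
                return ("drop",)
            return ("hairpin", self.public_ip, ext_port, target[0], target[1])
        return ("forward", self.public_ip, ext_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Return the internal (ip, port) an inbound packet is delivered to, or None.

        Filtering decides who may use an existing mapping: endpoint-independent
        admits any source, address-dependent admits only addresses the internal
        host has already sent to. src_port is accepted for realism but neither
        policy here consults it (a port-dependent policy would).
        """
        key = self.by_ext_port.get(dst_port)
        if key is None:
            return None                   # no mapping at all: unsolicited, dropped
        if self.filtering == "address_dependent" and src_ip not in self.mappings[key]["peers"]:
            return None
        return key


if __name__ == "__main__":
    nat = Nat44("203.0.113.10")
    print(nat.outbound("100.64.0.5", 40000, "198.51.100.1", 80))
    print(nat.outbound("100.64.0.5", 40000, "198.51.100.2", 443))  # same ext port
    print(nat.outbound("100.64.0.7", 50000, "203.0.113.10", 1024))  # hairpinned
```

Endpoint-independent filtering is what makes peer-to-peer and gaming traffic work through the CGN, but it also means any external host that learns the public port can reach the internal host; address-dependent filtering closes that at the cost of breaking some of those applications, which is why the page pairs EIM with PCP.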
Tunneling:
For service providers that have implemented an IPv6 network, yet need to support legacy IPv4 endpoints, BIG-IP CGNAT offers tunneling technologies such as Dual-Stack Lite. This ensures that IPv4 users can continue to access IPv4 content.
Dual-Stack Lite (DS-Lite)
DS-Lite enables you to deploy an IPv6-only access and aggregation network while still providing service to IPv4 endpoints and destinations. It is a tunneling solution in which endpoint IPv4 packets are encapsulated in an IPv6 tunnel and sent through your network via the AFTR (Address Family Transition Router) toward an external IPv4 destination. Within the AFTR, the tunnel packet is decapsulated and a NAT44 function is applied to the tunneled private IPv4 traffic before it is delivered to the public IPv4 destination. At the other end of the DS-Lite tunnel, the DS-Lite B4 (Basic Bridging Broadband) function runs on the CPE device, such as the home gateway. For IPv6 endpoints, IPv6 traffic is routed natively over IPv6 links to the IPv6 destination.
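The AFTR pipeline described above (decapsulate, then NAT44) has one detail worth seeing in code: because every home gateway behind the AFTR may use the same private IPv4 range, the NAT44 binding must be keyed on the B4's IPv6 tunnel address as well as the inner private address and port. The Python example below is added here to demonstrate that; it is not F5 code. It builds minimal IPv4/UDP and IPv6 headers with `struct` (checksums left at zero, only TCP and UDP inner packets parsed), returns the translation decision rather than rewriting the packet bytes, and uses constructed addresses throughout.

```python
import ipaddress
import struct

NEXT_HEADER_IPV4 = 4     # IPv4 carried directly inside IPv6, as DS-Lite does
NEXT_HEADER_NONE = 59    # no next header: a bare native IPv6 packet
PROTO_TCP = 6
PROTO_UDP = 17


def ipv4_udp_packet(src, dst, sport, dport, payload):
    """Minimal IPv4/UDP datagram as a subscriber host would emit it (checksums zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp


def _ipv6_header(src, dst, payload_len, next_header):
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def b4_encapsulate(b4_addr, aftr_addr, inner):
    """B4 side of the tunnel: wrap the IPv4 packet in an IPv6 header toward the AFTR."""
    return _ipv6_header(b4_addr, aftr_addr, len(inner), NEXT_HEADER_IPV4) + inner


def native_ipv6_packet(src, dst, payload=b""):
    """A plain IPv6 packet, used to show that the AFTR routes rather than translates it."""
    return _ipv6_header(src, dst, len(payload), NEXT_HEADER_NONE) + payload


class Aftr:
    """Decapsulate DS-Lite tunnels and apply NAT44 to the inner IPv4 traffic."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # Key includes the B4 tunnel address: 192.168.1.10 behind gateway A and
        # 192.168.1.10 behind gateway B are different subscribers.
        self.bindings = {}   # (b4_addr, private_ip, private_port) -> public port

    def receive(self, packet):
        if packet[0] >> 4 != 6:
            raise ValueError("AFTR received a non-IPv6 packet")
        plen, next_header, _hop, src6, _dst6 = struct.unpack("!4xHBB16s16s", packet[:40])
        if next_header != NEXT_HEADER_IPV4:
            return None                        # native IPv6: route it, no NAT
        inner = packet[40:40 + plen]
        if inner[0] >> 4 != 4:
            raise ValueError("tunnel payload is not IPv4")
        ihl = (inner[0] & 0x0F) * 4
        proto = inner[9]
        if proto not in (PROTO_TCP, PROTO_UDP):
            return None                        # ICMP and others omitted in this example
        src4 = str(ipaddress.IPv4Address(inner[12:16]))
        dst4 = str(ipaddress.IPv4Address(inner[16:20]))
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        b4 = str(ipaddress.IPv6Address(src6))
        key = (b4, src4, sport)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 1
        return {
            "b4": b4,
            "inner_src": (src4, sport),
            "public_src": (self.public_ip, self.bindings[key]),
            "dst": (dst4, dport),
        }


if __name__ == "__main__":
    aftr = Aftr("203.0.113.10")
    inner = ipv4_udp_packet("192.168.1.10", "198.51.100.1", 5000, 53, b"q")
    print(aftr.receive(b4_encapsulate("2001:db8:1::1", "2001:db8:ffff::1", inner)))
    print(aftr.receive(b4_encapsulate("2001:db8:2::1", "2001:db8:ffff::1", inner)))
```

Two gateways sending identical inner packets receive different public ports because their tunnel source addresses differ; a log or lawful-intercept record for DS-Lite therefore has to carry the B4 IPv6 address, not just the private IPv4 address.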
IPv6 rapid deployment (6RD)
BIG-IP CGNAT offers 6RD, a tunneling service for networks with IPv4. With 6RD, networks on IPv4 can communicate with IPv6 addresses without needing to upgrade any hardware. This feature makes it easier for service providers on IPv4 networks to make the transition to IPv6.
Mapping of address and port (MAP)
MAP is a stateless solution for mapping private IPv4 addresses to public addresses and transporting them over an IPv6 infrastructure. A key benefit of MAP is that it is a stateless implementation, enabling it to scale as well as eliminating the translation logging required for stateful NAT44 or NAT64 implementations. This reduces the cost and complexity associated with expensive logging solutions.
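The statelessness the MAP section describes comes from an arithmetic rule: a subscriber's share of a public address's ports is determined by a port-set identifier (PSID) embedded in its IPv6 address, so the translator never keeps a binding table. The Python example below is added here to show the RFC 7597 port-mapping algorithm that MAP-E and MAP-T use; it is not F5 code and this page does not state which parameters BIG-IP supports. It assumes the RFC defaults (6 offset bits, which keeps ports 0-1023 out of every subscriber's set) and goes slightly beyond the page by checking that all PSIDs together partition the port space exactly.

```python
def map_port_set(psid, psid_len, offset_bits=6):
    """Ports owned by one subscriber (PSID) under the RFC 7597 port-mapping rule.

    A 16-bit port is laid out as A | PSID | j: the high `offset_bits` select a
    slice of the port space, the next `psid_len` bits identify the subscriber,
    and the remaining bits index contiguous ports within that slice.
    """
    if not 0 <= psid < (1 << psid_len):
        raise ValueError("PSID does not fit in psid_len bits")
    m = 16 - offset_bits - psid_len          # contiguous-port bits per slice
    if m < 0:
        raise ValueError("offset_bits + psid_len exceeds 16")
    # A = 0 is excluded when offset_bits > 0 so the well-known ports are never
    # handed to a subscriber (RFC 7597 section 5.1).
    first_a = 1 if offset_bits > 0 else 0
    ports = []
    for a in range(first_a, 1 << offset_bits):
        for j in range(1 << m):
            ports.append((a << (16 - offset_bits)) | (psid << m) | j)
    return ports


def psid_for_port(port, psid_len, offset_bits=6):
    """Stateless reverse mapping: which subscriber owns this public port?

    This is the whole 'log' a MAP operator needs: the answer is computed from
    the port and the rule parameters, never looked up.
    """
    m = 16 - offset_bits - psid_len
    return (port >> m) & ((1 << psid_len) - 1)


def covers_port_space(psid_len, offset_bits=6):
    """Check that the PSIDs together use every assignable port exactly once."""
    seen = sorted(p for psid in range(1 << psid_len)
                  for p in map_port_set(psid, psid_len, offset_bits))
    lowest = (1 << (16 - offset_bits)) if offset_bits > 0 else 0
    return seen == list(range(lowest, 65536))


if __name__ == "__main__":
    # Constructed: 8-bit PSIDs, i.e. 256 subscribers share one public address.
    ports = map_port_set(0x34, 8)
    print(len(ports), ports[:6])
    print(hex(psid_for_port(ports[0], 8)))
    print(covers_port_space(8))
```

With an 8-bit PSID each subscriber gets 63 slices of 4 contiguous ports (252 in total), and `psid_for_port` recovers the subscriber from any of them in constant time, which is the property that removes the translation logging the page mentions.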
Architecture:
The advanced architecture of the BIG-IP system gives you total flexibility so you can control application delivery without creating traffic bottlenecks.
TMOS
At the heart of BIG-IP CGNAT is the F5 TMOS operating system. TMOS understands the intricacies between applications, the network, and your subscribers to give you intelligent control over application delivery and total visibility, flexibility, and control across all services. TMOS also enables integration between BIG-IP CGNAT and other F5 products so that BIG-IP CGNAT can intelligently adapt to the diverse and evolving requirements of applications and networks.
iRules
F5 iRules is a TCL-based scripting language you can use to control the behavior of BIG-IP devices and flexibly handle application traffic within the application transaction or flow. With complete payload inspection and transformation capabilities, event-driven iRules, and session-aware switching, the BIG-IP system offers an intelligent control point from which to address diverse application delivery issues at network speed.
iApps
F5 iApps is a powerful set of features that provides a new way to architect and provision application delivery. iApps can unify, simplify, and control your entire Application Delivery Network with a contextual view and advanced statistics about the application services supporting your business, including configuration for translation, tunneling, and dual stack configurations. An application-centric view means deploying application services that reside in the network—such as authentication, data protection, traffic management, and acceleration—and aligning them to the applications for which they’re being used.
iControl
F5 iControl is an open API that enables applications to work in concert with the underlying network. Utilizing SOAP/XML to ensure interoperability between systems, iControl helps you create new levels of automation and configuration management efficiencies. iControl enables you to monitor network-level traffic statistics, automate network configuration and management, and facilitate next-generation service-oriented architectures. iControl gives you the power and flexibility to ensure that applications and the network work together for increased reliability, security, and performance.
High-performance services fabric
The BIG-IP system consolidates multiple service functions into a single platform. Built on the modular TMOS architecture, it is a very fast, low-latency full proxy that supports firewall capabilities, advanced defense against more than 30 distributed denial-of-service (DDoS) attack types, traffic load balancing, advanced network health monitoring, and traffic steering with preset policies based on server availability, resulting in improved service availability and reliability in the network.
A complement to BIG-IP CGNAT, BIG-IP Local Traffic Manager (LTM) provides intelligent traffic steering capabilities that allow you to inspect and steer traffic to VAS servers and route based on subscriber profiles. BIG-IP CGNAT can be an add-on module to both BIG-IP LTM and BIG-IP Policy Enforcement Manager (PEM). BIG-IP PEM offers a comprehensive set of traffic classification capabilities that ensure you can accurately determine what subscribers are doing in the network and, based on that information, offer differentiated service plans, ultimately leading to increased revenues and regulated network usage.
In addition, BIG-IP Advanced Firewall Manager (AFM) coupled with BIG-IP CGNAT provides a high-performance network firewall designed to guard networks against incoming threats that enter the network on the most widely deployed protocols. BIG-IP AFM also provides network-layer and session-layer DDoS mitigation to prevent sophisticated network target attacks.
BIG-IP CGNAT provides seamless support for both IPv4 and IPv6 networks, so you can manage IPv4 depletion and migrate to IPv6 while transparently managing application delivery, availability, performance, and security between both network topologies in a single location.
BIG-IP CGNAT Platforms:
BIG-IP CGNAT offers best-in-class performance and scalability for total concurrent sessions, traffic throughput, and transactions per second. It is NEBS-compliant and scales up to 320 Gbps of throughput at Layer 7 with over 480 million concurrent sessions. The high-availability platform includes sophisticated health monitoring, fast system failovers, and comprehensive connection mirroring to ensure service uptime and at-peak performance.
SuperVIP simplifies the network
Rather than requiring that a single, demanding application be segmented, BIG-IP CGNAT, running on the F5 VIPRION platform, uses F5 SuperVIP, a virtual IP that can span multiple blades within the VIPRION chassis. A demanding application will use SuperVIP to harness the processing power of all the blades in the chassis.
- 10000 Series
- VIPRION 4480 Chassis
- VIPRION 4800 Chassis
- VIPRION 2200 Chassis
- VIPRION 2400 Chassis
- BIG-IP Virtual Editions
Performance Specifications
- Throughput (L7): 320 Gbps
- Connections per second: 10.4 million
- Concurrent connections: 480 million
F5 Global Services:
F5 Global Services offers world-class support, training, and consulting to help you get the most from your F5 investment. Whether it’s providing fast answers to questions, training internal teams, or handling entire implementations from design to deployment, F5 Global Services can help ensure your applications are always secure, fast, and reliable.