
Solving the address shortage with the help of CGNAT



The Internet has reached every aspect of our lives. The list of devices that now have a port for connecting to the network is enough to make your head spin. Meanwhile, the number of free IP addresses shrinks in direct proportion.

A simple example: I am fairly conservative in this respect, but I have already connected:


Next in line:


And in the future, much more. At home, at work, in the car, on public transport, at the country house: there is Internet access everywhere. It would be easier to say where there is none... although even that is becoming harder, since the Internet is everywhere.

The number of "connected" devices is growing at an enormous rate. The statistics and forecasts on the growth of hardware that needs an IP address cannot all be analysed here, but every source agrees that the growth is exponential and that this trend will continue for the next 5-10 years.

With the latest expansion of the network, yet another block of IP addresses went into production, and almost none are left... The LIR no longer hands out PI addresses (which has been predictable for about 5 years now), PA addresses get more expensive every year, and renting such a critical resource carries considerable risks. Almost the last chance is to obtain LIR status and the coveted /22, and, judging by the latest news from RIPE, soon even that chance will be gone: the European registry has already distributed more than half of its last /8 block.



And the entire stock of addresses is running out:



Looking at the graph, it becomes clear that the registries' forecasts are coming true. Despite all of RIPE's efforts to prolong the agony, about 4 million addresses were issued in 2017, and only 11 million remain. This suggests that by 2020 there will be none at all, and operators will have to make a choice: conserve IPv4 aggressively or switch to IPv6.

Reflecting on the future network architecture, I come to the conclusion that, judging by the pace of IPv6 deployment, for the next 10-15 years (at least) the bulk of traffic will remain on version 4 of the Internet Protocol. In Russia today only about 15% of ASes have IPv6 in their BGP announcements, and worldwide just over 25%,



IPv6 traffic at MSK-IX is less than 1% of IPv4 traffic (source),





and according to Google, just over 20% of users worldwide (and only 1.34% in Russia) reach it over IPv6.



IPv6 traffic is growing, but not so fast that one should worry seriously and rush its deployment. The reason is that native IPv6 support is still not implemented in all client devices! Not even in new ones, not even in ultra-modern gadgets that claim to be the next generation of IoT devices. So, as Google employee Avery Pennarun rightly noted in his article, even after networks have fully transitioned to IPv6 we will still need... NAT, so that legacy IPv4-only light bulbs can get to the Internet.

There are plenty of articles on IPv6 deployment. Averaging the megabytes of text we have read with our own experiments, the conclusion at the end of 2017 is this: IPv6 must be deployed, but carefully. There will be a lot of pitfalls, and everyone will have their own. v6 support is still poor even in camera equipment (you can read about the deployment pitfalls at least here). What is needed is Dual Stack, i.e. giving the client an IPv6 and an IPv4 address simultaneously. This means that the remaining IPv4 addresses still have to be handed out to customers, and they will soon be worth their weight in gold, so they must be conserved. Consequently, for the next 10 years (at least) NAT is not going anywhere, which means network development must be planned with Dual Stack in mind, or simply by buying new hardware only with v6 support in order to have as few problems as possible later on.

Projecting the growth of traffic and subscriber numbers, I am convinced that the existing hardware that implements NAT will soon run out of resources and will have to be expanded. The following tasks need to be solved:


What solutions does the market offer us?



Choosing a hardware solution is choosing a brand, along with the hope of stability and reliability. It is rather like choosing a top-end car: Ferrari, Lamborghini, McLaren... All of them are certainly good, but the budget for acquiring them is very large, and operating them requires highly qualified engineering staff. And that qualification, besides being very expensive, has to be specific to a particular manufacturer. For example, Juniper is ready to teach your admin to configure NAT on its equipment for a little over 700 USD (here), and only if he already holds an AJSPR certificate. Thus, if you already have a Cisco ASR running in the core of the network, then of course it makes no sense to consider, say, Ericsson just to host a single function on it.

On the other hand, implementing NAT in pure hardware (ASICs) is rather exotic; as proof of this, the CGSE module for Cisco is nothing but an x86 server with proprietary FreeBSD-based software, adapted to work inside a hardware router. In that light its price looks quite extraordinary. The most desirable feature of branded hardware solutions is "set up and forget", but sadly nobody has implemented it 100% yet. It would also be worth mentioning virtualized platforms such as NFWare Virtual Carrier Grade NAT, Juniper vSRX/vMX and other NFV solutions, for which NAT is an interesting case of the distributed NFV (dNFV) concept, where network functions are logically centralized (a single pool of addresses and resources, and a single point of control) yet geographically distributed. But that topic deserves a separate and fairly extensive review.

There is an opinion that the future belongs to NFV; it is no coincidence that well-known brands traditionally occupying the top positions in the carrier hardware market, as well as large investors, are actively financing everything related to virtualization, including network functions (for example, Systems and NFWare). But within the framework of this article I will not touch on NFV any further.

Mikrotik stands somewhat apart: it can be deployed on x86 and non-x86 (CCR) platforms, and in a virtualized environment (CHR), but it is nevertheless a pure software router that handles almost all functions on the same processors. However, since the CCR is a complete device with proprietary software, I have put it in the hardware section (incidentally, it is one of the few solutions for small networks: the performance limit in NAT + shaper mode is about 4-5 Gbit/s for the CCR-1036 model), while RouterOS for x86 is software and falls into the x86 section.

Building your own on Linux/FreeBSD is, to return to the automotive theme, a rally car. You take a platform originally intended for civilian use, competent mechanics, and then saw, twist, tune, rebuild and hope that in the end the whole thing can go very fast towards victory... 90% of it depends on who will implement and maintain it. As a rule, there is one such person in the company. He builds the system based on his own understanding of the process, and he supports it. What happens if he leaves? How well is the functionality documented? Maintaining someone else's system of this kind is as expensive as writing it from scratch.

An alternative to home-built systems and big brands are pure software solutions such as RDP.ru, Carbon Soft, VAS Experts, etc. In automotive terms this is a tuning studio which, for a certain sum, can turn a civilian car into a very impressive sports car, in many respects not inferior to the big brands. At the moment, for medium and even large networks, this option is attractive for a host of reasons. Namely: x86 is a common platform whose components can be bought in almost any large city and are often in stock at the supplier. The hardware is much cheaper than equivalent modules for Cisco or Juniper, which lets you keep spares on hand. You can upgrade the platform by replacing the hardware with more powerful hardware and buying licenses, and reuse the freed-up equipment for other purposes. That is, redundancy issues are easily solved and the pay-as-you-grow concept is visible in all its glory. In addition, software solutions such as SCAT DPI from VAS Experts perform a number of other tasks that hardware solutions would require separate products for: traffic caching, DDoS protection and other high-grade DPI delights, such as blocking in accordance with Federal Law 139, blocking and replacing advertising, logging NAT translations and exporting data to SORM-3, collecting statistics on traffic types, the ability to implement additional services such as "Children's Internet", etc. Importantly, domestic manufacturers are very well represented in the software market, and this, apart from pride in one's homeland, also means Russian-language support with no language barrier between you and the developers.
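Two points above deserve a concrete illustration: that the remaining IPv4 addresses must be conserved behind NAT, and that a CGNAT box has to log translations so that a public address and port can later be traced back to a subscriber. The following is an added example, not code from the article or from any of the vendors it names. It implements the deterministic port-block mapping idea (the scheme described in RFC 7422), under constructed assumptions: a public pool of 198.18.0.0/22 (a block from the RFC 2544 benchmarking range standing in for the LIR's coveted /22), the RFC 6598 shared address space 100.64.0.0/10 as the inside pool, and a fixed block of 1008 ports per subscriber. The class name `DeterministicCgnat`, the constant `PLAN` and the helper `resolve_report` are all hypothetical.

```python
"""
Deterministic CGNAT port-block mapping (illustration of the RFC 7422 idea).
Constructed assumptions: public pool 198.18.0.0/22, inside pool
100.64.0.0/10 (RFC 6598 shared address space), 1008 ports per subscriber.
Not code from the article or from any vendor named in it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class DeterministicCgnat:
    public_pool: ipaddress.IPv4Network
    inside_pool: ipaddress.IPv4Network
    block_size: int
    first_port: int = 1024  # well-known ports are never handed out

    @property
    def blocks_per_address(self) -> int:
        """How many subscribers share one public address (the compression ratio)."""
        return (65536 - self.first_port) // self.block_size

    @property
    def capacity(self) -> int:
        """Total number of subscribers the public pool can serve."""
        return self.public_pool.num_addresses * self.blocks_per_address

    def outside_for(self, inside_ip: str) -> Tuple[str, int, int]:
        """Forward mapping: subscriber address -> (public IP, first port, last port)."""
        ip = ipaddress.IPv4Address(inside_ip)
        if ip not in self.inside_pool:
            raise ValueError(f"{ip} is not in the inside pool {self.inside_pool}")
        index = int(ip) - int(self.inside_pool.network_address)
        if index >= self.capacity:
            raise ValueError(f"subscriber #{index} exceeds pool capacity {self.capacity}")
        addr_idx, block_idx = divmod(index, self.blocks_per_address)
        public_ip = self.public_pool.network_address + addr_idx
        low = self.first_port + block_idx * self.block_size
        return str(public_ip), low, low + self.block_size - 1

    def inside_for(self, public_ip: str, port: int) -> str:
        """Reverse mapping: which subscriber was behind public_ip:port?
        No per-session log is needed; the mapping itself is the record."""
        pub = ipaddress.IPv4Address(public_ip)
        if pub not in self.public_pool:
            raise ValueError(f"{pub} is not in the public pool {self.public_pool}")
        last_port = self.first_port + self.blocks_per_address * self.block_size - 1
        if not self.first_port <= port <= last_port:
            raise ValueError(f"port {port} belongs to no allocated block")
        addr_idx = int(pub) - int(self.public_pool.network_address)
        block_idx = (port - self.first_port) // self.block_size
        index = addr_idx * self.blocks_per_address + block_idx
        return str(self.inside_pool.network_address + index)


# Constructed plan: one /22 of public space shared 64:1.
PLAN = DeterministicCgnat(
    public_pool=ipaddress.ip_network("198.18.0.0/22"),
    inside_pool=ipaddress.ip_network("100.64.0.0/10"),
    block_size=1008,
)


def resolve_report(plan: DeterministicCgnat, report_line: str) -> str:
    """Answer an abuse report containing 'src=<ip>:<port>' with the
    subscriber's inside address, using only the static mapping."""
    field = next(f for f in report_line.split() if f.startswith("src="))
    ip, port = field[len("src="):].rsplit(":", 1)
    return plan.inside_for(ip, int(port))


if __name__ == "__main__":
    # Constructed report line, in the shape an operator might receive it.
    REPORT = "2017-12-01T10:15:00Z proto=tcp src=198.18.0.1:2500 dst=192.0.2.10:443"
    print("subscribers per public address:", PLAN.blocks_per_address)
    print("capacity of the /22:", PLAN.capacity)
    print("100.64.0.65 ->", PLAN.outside_for("100.64.0.65"))
    print("report resolves to", resolve_report(PLAN, REPORT))
```

With these numbers a single /22 serves 65,536 subscribers, and an abuse report naming a public address and port resolves to a subscriber from the mapping alone, which is the simplest possible translation log. The trade-off is the fixed 1008-port budget per subscriber: port-hungry applications can exhaust it, and moving to dynamic block allocation to fix that means every block assignment must then be logged with its timestamps, which is where the translation-logging and export features mentioned above come in.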

The disadvantages of x86 solutions are also obvious: first of all, the correct selection of hardware components. Mistakes here lead to performance and fault-tolerance problems. Installing the system (if the vendor does not provide such a service) can be highly non-trivial. However, a decent software vendor should always help with hardware selection as well as with installation and commissioning. Separately, it is worth noting that the solution should be certified; here I think the questions "why" and "what for" should not arise.

In conclusion, I can say that for me the choice is obvious: NAT and DPI in one box is the optimal solution for the combined requirements of cost, functionality, scalability and maintainability.

Source: https://habr.com/ru/post/410325/