IPv4-Only PE Design for IPv6-NLRI with IPv4-NH

As Enterprises and Service Providers upgrade their brown field or green field MPLS/SR core to an IPv6 transport such as MPLS LDPv6, SR-MPLSv6 or SRv6, Multiprotocol BGP (MP-BGP) now plays an important role in the transition of the Provider (P) core networks and Provider Edge (PE) edge networks from IPv4 to IPv6. Operators have a requirement to support IPv6 customers and must be able to support IPv6 address family and Sub-Address-Family Virtual Private Network (VPN)-IPv6, and Multicast VPN IPv6 customers. With this IPv4-only BGP peering design, only IPv4 is configured on the PE-CE interface, the Provider Edge (PE) - Customer Edge (CE), the IPv4 BGP peer is now used to carry IPv6 (Network Layer Reachability Information) NLRI over an IPv4 next hop using 4 byte IPv4 next hop encoding while continuing to forward both IPv4 and IPv6 packets. In the framework of this design the PE is no longer Dual Stacked. However in the case of the CE, PE-CE link CE side of the link is no longer Dual Stacked, however all other internal links within the CE domain may or maynot be Dual stacked. MP-BGP specifies that the set of usable next-hop address families is determined by the Address Family Identifier (AFI) and the Subsequent Address Family Identifier (SAFI). Historically the AFI/SAFI definitions for the IPv4 address family only have provisions for advertising a Next Hop address that belongs to the IPv4 protocol when advertising IPv4 or VPN-IPv4. specifies the extensions necessary to allow advertising IPv4 NLRI, Virtual Private Network Unicast (VPN-IPv4) NLRI, Multicast Virtual Private Network (MVPN-IPv4) NLRI with a Next Hop address that belongs to the IPv6 protocol. This comprises of an extended next hop encoding MP-REACH BGP capability exchange to allow the address of the Next Hop for IPv4 NLRI, VPN-IPv4 NLRI and MVPN-IPv4 NLRI to also belong to the IPv6 Protocol. defines the encoding of the Next Hop to determine which of the protocols the address actually belongs to, and a new BGP Capability allowing MP-BGP Peers to discover dynamically whether they can exchange IPv4 NLRI and VPN-IPv4 NLRI with an IPv6 Next Hop. With the IPv4-Only PE design, IPv6 NLRI will be carried over an IPv4 Next-hop. and specify how an IPv4 address can be encoded inside the next-hop IPv6 address field when IPv6 NLRI needs to be advertised with an IPv4 next hop. defines how the IPv4-mapped IPv6 address format specified in the IPv6 addressing architecture can be used for that purpose when the <AFI/SAFI> is IPv6-Unicast <2/1>, Multicast <2/2>, and Labeled Unicast <2/4>. defines how the IPv4-mapped IPv6 address format as well as a null Route Distinguisher as ::FFFF:192.168.1.1 (RD) can be used for that purpose when the <AFI/SAFI> is VPN-IPv6 <2/128> MVPN-IPv6 <2/129>. This IPv4-Only PE specification utilizes IPv6 NLRI over IPv4 Next hop encoding adopted by the industy to not use IPv4 mapped IPv6 address defined above, and instead use 4 byte IPv4 address for the next hop which ultimately set the precedence for the adoption of for 4to6 Softwire IPv4 NLRI over IPv6 next-hop. The IPv4 next hop encoding for cases where the NLRI advertised is different from the next hop encoding such as where IPv6 NLRI is advertied with IPv4 next hop for for <AFI/SAFI> is IPv6-Unicast <2/1>, Multicast <2/2>, and Labeled Unicast <2/4>. defines Null(RD) for <AFI/SAFI> is VPN-IPv6 <2/128> MVPN-IPv6 <2/129> but now with a an official new IANA Capability code TBD as value 10 "IPv4 Next Hop Encoding". The IETF standards have not been updated with an IANA allocation Capability code for the IPv4 next hop encoding so this specification fixes that with an IANA allocated codepoint which will now be used for this IPv4-Only PE design. With this IPv4-Only PE Design, BGP peer session can now be treated as a pure TCP transport and carry both IPv4 and IPv6 NLRI at the Provider Edge (PE) - Customer Edge (CE) over a single IPv4 TCP session. This allows for the elimination of dual stack from the PE-CE peering point, and now enable the peering to be IPv4-ONLY. The elimination of IPv6 on the PE-CE peering points translates into OPEX expenditure savings of point-to-point infrastructure links as well as /127 address space savings and administration and network management of both IPv4 and IPv6 BGP peers. This reduction decreases the number of PE-CE BGP peers by fifty percent, which is a tremendous cost savings for operators. This also translates into Major CAPEX savings as now operators do not have to migrate their underlay to IPv6 and can remain indefinitely on IPv4-Only Core. While the savings exists at the Edge eBGP PE-CE peering, on the core side PE to Route Reflector (RR) peering carrying <AFI/SAFI> IPv4 <2/1>, VPN-IPV4 <2/128>, and Multicasat VPN <2/129>, there is no savings as the Provider (P) Core is IPv4 Only and thus can only have an IPv4 peer standard 4 byte next hop encoding to carrying IPv4 NLRI IPV4 <2/1>, VPN-IPV4 <2/128>, and Multicasat VPN <2/129> over an IPv4 next hop. This core and edge IPv4-Only peering design paradigm change can apply to any eBGP peering, public internet or private, which can be either Core networks, Data Center networks, Access networks or can be any eBGP peering scenario. This document provides detailed vendor specific test cases and test results for the IPv4-Only peering design as well as successful test results between five major vendors stakeholders in the routing and switching indusrty, Cisco, Juniper, Arista, Nokia and Huawei. With the test results provided for the IPv4-Only Edge peering design, the goal is that all other vendors around the world that have not been tested will begin to adopt and implement this new best practice for eBGP IPv4-Only Edge peering.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Terminolgoy used in defining the IPv6-Only Edge specification. AFBR: Address Family Border Router Provider Edge (PE). Edge: PE-CE Edge Network Provider Edge - Customer Edge Core: P Core Network Provider (P) 4to6 Softwire : IPv4 edge over an IPv6-Only core 6to4 Softwire: IPv6 edge over an IPv4-Only core E2E: End to End

This specification addresses a real issue that has been discussed at many operator with extremely large core networks around the world related migration to IPv6 underlay transport which can be put off indefinitely. Operators around the world are clamoring for a solution that can help solve issues related to IPv4 address depletion at these large IXP peering points. With this solution, infrastructure networks such as Core networks, DC networks, Access networks as well as any PE-CE public or private network can now utilize this IPv4-Only Edge solution and reap the benefits immediately on IPv6 address space saving and CAPEX and OPEX savings.

Problem Statement Dual Stacked Dual Stacked CE PE +-------+ IPv4 BGP Peer +-------+ | |---------------| | | CE | IPv6 BGP Peer | PE | | |---------------| | +-------+ +-------+ IPv4 forwarding IPv4 forwarding IPv6 forwarding IPv6 forwarding

________ Dual Stacked _____ / \ Dual Stacked PE / CE / \__/ \___ PE / CE +----+ +----+ / \ +------+ +-----+ | | | | |0====VPN Overlay Tunnel ==0| | | | | | | | | | \ | | | | | CE |--| PE |--\ IPv6-Only Core |----| PE |---| CE | | | | | \0=========Underlay =======0| | | | | +----+ +----+ \ __/ +------+ +-----+ IPv4 IPv6 BGP peer \ IP / MPLS / SR domain / IPv4 and IPv6 BGP peer IPv4 forwarding \__ __ / IPv4 forwarding IPv6 forwarding \_______/ \_____/ IPv6 forwarding

The IPv4-Only Edge design solution provides a means of E2E single protocol design solution extension of Softwire Mesh framework from the PE-CE Edge to the Core from ingres so egress through the entire operators domain. This solution eliminates all IPv4 addressing from end to end while still providing the same Dual Stack functionality of IPv4 and IPv6 packet forwarding from a data plane perspective by leveraging the extended next hop encoding so that IPv4 NLRI can be advertised over a single IPv6 pure transport TCP session. This IPv4-Only E2E architecture eliminates all IPv4 peering and IPv4 addressing E2E from the ingress CE to ingress PE to egress PE to egress CE and all hops along the operator E2E path.

Solution applicable to any Edge peering scenario - IXP, Core, DC, Access, etc +-------+ +-------+ | | IPv4 Only | | | CE |----------------| PE | | | IPv4 BGP Peer | | +-------+ +-------+ IPv4 forwarding IPv4 forwarding IPv6 forwarding IPv6 forwarding

The IPv4-Only Edge Peering design utilizes two key E2E Softwire Mesh Framework scenario's, 4to6 softwire and 6to4 softwire. The Softwire mesh framework concept is based on the overlay and underlay MPLS or SR based technology framework, where the underlay is the transport layer and the overlay is a Virtual Private Network (VPN) layer, and is the the tunneled virtualization layer containing the customer payload. The concept of a 6to4 Softwire is based on transmission of IPv6 packets at the edge of the network by tunneling the IPv6 packets over an IPv4-Only Core. The concept of a 4to6 Softwire is also based on transmission of IPv4 packets at the edge of the network by tunneling the IPv4 packets over an IPv6-Only Core. This document describes End to End (E2E) test scenarios that follow a packet flow from IPv4-Only attachment circuit from ingress PE-CE to egress PE-CE tracing the routing protocol control plane and data plane forwarding of IPv4 packets in a 4to6 softwire or 6to4 softwire within the IPv4-Only or IPv6-Only Core network. In both secneario we are focusing on IPv4 packets and the control plane and data plane forwarding aspects of IPv4 packets from the PE-CE Edge network over an IPv4-Only P (Provider) core network or IPv6-Only P (Provider) core network. With this IPv4-Only Edge peering design, the Softwire Mesh Framework is not extended beyond the Provider Edge (PE) and continues to terminate on the PE router.

6to4 softwire where IPv4-Edge eBGP IPv4 peering where IPv6 packets at network Edge traverse a IPv4-Only Core In the scenario where IPv6 packets originating from a PE-CE edge are tunneled over an MPLS or Segment Routing IPv4 underlay core network, the PE and CE only have an IPv6 address configured on the interface. In this scenario the IPv6 packets that ingress the CE from within the CE AS are over an IPv4-Only interface and are forwarded to an IPv6 NLRI destination prefix learned from the Pure Transport Single IPv4 BGP Peer. In the IPv4-Only Edge peering architecture the PE is IPv4-Only as all PE-CE interfaces are IPv4-Only. However, on the CE, the PE-CE interface is the only interface that is IPv4-Only and all other interfaces may or may not be IPv4-Only. Following the data plane packet flow, IPv4 packets are forwarded from the ingress CE to the IPv4-Only ingress PE where the VPN label imposition push per prefix, per-vrf, per-CE occurs and the labeled packet is forwarded over a 6to4 softwire IPv4-Only core, to the egress PE where the VPN label disposition pop occurs and the native IPv4 packet is forwarded to the egress CE. In the reverse direction IPv4 packets are forwarded from the egress CE to egress PE where the VPN label imposition per prefix, per-vrf, per-CE push occurs and the labeled packet is forwarded back over the 6to4 softwire IPv4-Only core, to the ingress PE where the VPN label disposition pop occurs and the native IPv4 packet is forwarded to the ingress CE. . The functionality of the IPv4 forwarding plane in this scenario is identical from a data plane forwarding perspective to Dual Stack IPv4 forwarding scenario.

+--------+ +--------+ | IPv4 | | IPv4 | | Client | | Client | | Network| | Network| +--------+ +--------+ | \ / | | \ / | | \ / | | X | | / \ | | / \ | | / \ | +--------+ +--------+ | AFBR | | AFBR | +--| IPv4/6 |---| IPv4/6 |--+ | +--------+ +--------+ | +--------+ | | +--------+ | IPv4 | | | | IPv4 | | Client | | | | Client | | Network|------| IPv4 |-------| Network| +--------+ | only | +--------+ | | | +--------+ +--------+ | +--| AFBR |---| AFBR |--+ | IPv4/6 | | IPv4/6 | +--------+ +--------+ | \ / | | \ / | | \ / | | X | | / \ | | / \ | | / \ | +--------+ +--------+ | IPv6 | | IPv4 | | Client | | Client | | Network| | Network| +--------+ +--------+

4to6 softwire where IPv4-Edge eBGP IPv4 peering where IPv6 packets at network Edge traverse a IPv6-Only Core In the scenario where IPv6 packets originating from a PE-CE edge are tunneled over an MPLS or Segment Routing IPv4 underlay core network, the PE and CE only have an IPv4 address configured on the interface. In this scenario the IPv6 packets that ingress the CE from within the CE AS are over an IPv4-Only interface and are forwarded to an IPv6 NLRI destination prefix learned from the Pure Transport Single IPv4 BGP Peer. In the IPv4-Only Edge peering architecture the PE is IPv4-Only as all PE-CE interfaces are IPv4-Only. However, on the CE, the PE-CE interface is the only interface that is IPv4-Only and all other interfaces may or may not be IPv4-Only. Following the data plane packet flow, IPv6 packets are forwarded from the ingress CE to the IPv4-Only ingress PE where the VPN label imposition push per prefix, per-vrf, per-CE occurs and the labeled packet is forwarded over a 4to6 softwire IPv6-Only core, to the egress PE where the VPN label disposition pop occurs and the native IPv6 packet is forwarded to the egress CE. In the reverse direction IPv6 packets are forwarded from the egress CE to egress PE where the VPN label imposition per prefix, per-vrf, per-CE push occurs and the labeled packet is forwarded back over the 4to6 softwire IPv6-Only core, to the ingress PE where the VPN label disposition pop occurs and the native IPv6 packet is forwarded to the ingress CE. . The functionality of the IPv4 forwarding plane in this scenario is identical from a data plane forwarding perspective to Dual Stack IPv4 / IPv6 forwarding scenario.

+--------+ +--------+ | IPv4 | | IPv4 | | Client | | Client | | Network| | Network| +--------+ +--------+ | \ / | | \ / | | \ / | | X | | / \ | | / \ | | / \ | +--------+ +--------+ | AFBR | | AFBR | +--| IPv4/6 |---| IPv4/6 |--+ | +--------+ +--------+ | +--------+ | | +--------+ | IPv6 | | | | IPv6 | | Client | | | | Client | | Network|------| IPv6 |-------| Network| +--------+ | only | +--------+ | | | +--------+ +--------+ | +--| AFBR |---| AFBR |--+ | IPv4/6 | | IPv4/6 | +--------+ +--------+ | \ / | | \ / | | \ / | | X | | / \ | | / \ | | / \ | +--------+ +--------+ | IPv4 | | IPv4 | | Client | | Client | | Network| | Network| +--------+ +--------+

This section describes next hop encoding updates to applicability to this specification. IPv4-Only eBGP Edge PE-CE peering to carry IPv4 Unicast NLRI <AFI/SAFI> IPv4 <1/1> over an IPv6 next hop BGP capability extended hop encoding IANA capability codepoint value 5 defined is applicable to both and as IPv4 Unicast NLRI <AFI/SAFI> IPv4 <1/1> does not change in the RFC updates. IPv4 packets over an IPv6-Only core 4to6 Softwire E2E packet flow is part of the IPv6-Only PE design and this same style next hop encoding applies to 6to4 Softwire IPv6 NLRI over IPv4 next hop with 4 byte Next hop encoding and not IPv4 mapped IPv6 address. updates for <AFI/SAFI> VPN-IPV4 <1/128>, and Multicasat VPN <1/129>

This section describes the next hop encoding updates to In when AFI/SAFI 1/128 is used, the next-hop address is encoded as an IPv6 address with a length of 16 or 32 bytes. This document modifies how the next-hop address is encoded to accommodate all existing implementations and bring consistency with VPNv4oIPv4 and VPNv6oIPv6. The next-hop address is now encoded as a VPN-IPv6 address with a length of 24 or 48 bytes (see Sections 3 and 6.2 of this document). This change addresses Erratum ID 5253 (Err5253). As all known and deployed implementations are interoperable today and use the new proposed encoding, the change does not break existing interoperability. Updates to is applicable to the IPv6-Only PE-CE edge design for the IPv6 next hop encoding E2E test case of IPv4 packets over and IPv6-Only core 4to6 Softwire. In this test case IPv4 Unicast NLRI <AFI/SAFI> IPv4 <1/1> is advertised over the PE to RR core peering 4to6 softwire in <AFI/SAFI> VPN-IPV4 <1/128>. In this test case label allocation mode comes into play which is discussed in section 8.9. next hop encoding of MP_REACH_NLRI with: NLRI= NLRI as per current AFI/SAFI definition Advertising with [RFC4760] MP_REACH_NLRI with: AFI = 1 SAFI = 128 or 129 Length of Next Hop Address = 16 or 32 NLRI= NLRI as per current AFI/SAFI definition next hop encoding of MP_REACH_NLRI with: NLRI= NLRI as per current AFI/SAFI definition Advertising with [RFC4760] MP_REACH_NLRI with: AFI = 1 SAFI = 128 or 129 Length of Next Hop Address = 24 or 48 Next Hop Address = VPN-IPv6 address of next hop with an 8-octet RD set to zero (potentially followed by the link-local VPN-IPv6 address of the next hop with an 8-octet RD is set to zero). NLRI= NLRI as per current AFI/SAFI definition

Proof of conept interoperability testing of the 4 test cases between the 5 vendors Cisco, Juniper, Arista, Nokia and Huawei.

________ IPv4-Only _____ / \ IPv4-Only PE / CE / \__/ \___ PE / CE +----+ +----+ / \ +------+ +-----+ | | | | | |_ | | | | | | | | | \ | | | | | CE |--| PE |--\ IPv4-Only Core |----| PE |---| CE | | | | | \0=========Underlay =======0| | | | | +----+ +----+ \ __/ +------+ +-----+ IPv4 BGP peer \ MPLS / SR domain / IPv4 BGP peer IPv4 forwarding \__ __ / IPv4 forwarding IPv6 forwarding \_______/ \_____/ IPv6 forwarding Cisco, Juniper, Arista, Nokia, Huawei code and platform and test results. Cisco: Edge Router- XR ASR 9910 IOS XR 7.4.1, Core Router- NCS 6000 7.2.2, CRS-X 6.7.4 Juniper: Edge Router- MX platform MX480, MX960, Core Router- PTX Platform PTX5000, PTC10K8 (JUNOS and EVO) Release 20.4R2 Arista: Nokia: Edge and Core-7750 Service Router, Release R21 Huawei: Edge and Core-VRPv8, Release VRP-V800R020C10

________ IPv4-Only _____ / \ IPv4-Only PE / CE / \__/ \___ PE / CE +----+ +----+ / \ +------+ +-----+ | | | | | 0====VPN Overlay Tunnel ==0| | | | | | | | | | \ | | | | | CE |--| PE |--\ IPv4-Only Core |----| PE |---| CE | | | | | \0=========Underlay =======0| | | | | +----+ +----+ \ __/ +------+ +-----+ IPv4 BGP peer \ MPLS / SR domain / IPv4 BGP peer IPv4 forwarding \__ __ / IPv4 forwarding IPv6 forwarding \_______/ \_____/ IPv6 forwarding Cisco, Juniper, Arista, Nokia, Huawei code and platform and test results. Cisco: Edge Router- XR ASR 9910 IOS XR 7.4.1, Core Router- NCS 6000 7.2.2, CRS-X 6.7.4 Juniper: Edge Router- MX platform MX480, MX960, Core Router- PTX Platform PTX5000, PTC10K8 (JUNOS and EVO) Release 20.4R2 Arista: Nokia: Edge and Core-7750 Service Router, Release R21 Huawei: Edge and Core-VRPv8, Release VRP-V800R020C10

Ping CE to PE when destination prefix is withdrawn Traceroute CE to PE and test all ICMPv4 and ICMPv6 type codes +-------+ +-------+ | | IPv4 Only | | | CE |----------------| PE | | | IPv4 BGP Peer | | +-------+ +-------+ IPv4 forwarding IPv4 forwarding IPv6 forwarding IPv6 forwarding Cisco, Juniper, Arista, Nokia, Huawei code and platform and test results. Cisco: Edge Router- XR ASR 9910 IOS XR 7.4.1, Core Router- NCS 6000 7.2.2, CRS-X 6.7.4 Juniper: Edge Router- MX platform MX480, MX960, Core Router- PTX Platform PTX5000, PTC10K8 (JUNOS and EVO) Release 20.4R2 Tested v4 edge over v6 core in a virtual setup using vMX platforrm and 20.4R2 and LDPv6 as underlay, but there were some data plane forwarding issues. Tested same setup on latest release 21.4 and it worked. Investigating what the minimum version is for this setup to work. Arista: Nokia: Edge and Core-7750 Service Router, Release R21 Huawei: Edge and Core-VRPv8, Release VRP-V800R020C10

With a single IPv4 Peer carrying both IPv4 and IPv6 NLRI there are some operational considerations in terms of what changes and what does not change. What does not change with a single IPv6 transport peer carrying IPv4 NLRI and IPv6 NLRI below: Routing Policy configuration is still separate for IPv4 and IPv6 configured by capability as previously. Layer 1, Layer 2 issues such as one-way fiber or fiber cut will impact both IPv4 and IPv6 as previously. If the interface is in the Admin Down state, the IPv6 peer would go down, and IPv4 NLRI and IPv6 NLRI would be withdrawn as previously. Changes resulting from a single IPv4 transport peer carrying IPv4 NLRI and IPv6 NLRI below: Physical interface is no longer dual stacked. Any change in IPv4 address will impact both IPv4 and IPv6 NLRI exchange. Single BFD session for both IPv4 and IPv6 NLRI fate sharing as the session is now tied to the transport, which now is only IPv4 address family. Both IPv4 and IPv6 peer now exists under the IPv4 address family configuration. Fate sharing of IPv4 and IPv6 address family from a logical perspective now carried over a single physical IPv4 peer. From an operations perspective, prior to elimination of IPv6 peers, an audit is recommended to identify and IPv4 and IPv6 peering incongruencies that may exist and to rectify them. No operational impacts or issues are expected with this change. With MPLS VPN overlay, per-CE next-hop label allcoation mode where both IPv4 and IPv6 prefixes have the same label in no table lookup pop-n-forward mode should be taken into consideration.

There are not any IANA considerations.

The extensions defined in this document allow BGP to propagate reachability information about IPv6 prefixes over an MPLS or SR IPv4-Only core network. As such, no new security issues are raised beyond those that already exist in BGP-4 and the use of MP-BGP for IPv6. Both IPv4 and IPv6 peers exist under the IPv6 address family configuration. The security features of BGP and corresponding security policy defined in the ISP domain are applicable. For the inter-AS distribution of IPv4 routes according to case (a) of Section 4 of this document, no new security issues are raised beyond those that already exist in the use of eBGP for IPv6 .

Thanks to Kaliraj Vairavakkalai, Linda Dunbar, Aijun Wang, Eduardfor Vasilenko, Joel Harlpern, Michael McBride, Ketan Talaulikar for review comments.

The following people contributed substantive text to this document: