Deploying Sandvine in Carrier-Grade NAT (CGN)

Today’s communications service provider (CSP) is working on, or planning, the transition to IPv6. The last blocks of IPv4 addresses were allocated by the Internet Assigned Numbers Authority (IANA) in February 2011. By using Network Address Translation (NAT), CSPs can meet the demands of applications and devices that are expected to continue using IPv4 addressing for the foreseeable future. NAT allows a CSP to map one public IPv4 address onto many private addresses that are confined to a specific sector of the network. But there are consequences to employing NAT in the network to deal with the temporary problem of IPv4 address exhaustion, especially when a CSP has deployed, or plans to deploy, a modern network policy control solution. NAT breaks the end-to-end addressing required by many applications, and removes the network policy control solution's ability to remain continuously aware of subscribers in real time. In terms of network policy control, subscriber awareness is crucial for anything but the most basic business intelligence, service creation, and traffic optimization policies.

Intelligent NAT Integration

This paper explores Sandvine’s approach to enabling modern Layer-7 use cases with full subscriber-awareness in the presence of NAT and overlapping IPv4 addresses through seamless integration.

Sandvine Before NAT (CGN)

Beneath the product policy layer, Sandvine uses a reference point called a “session qualifier” that is configured in the field to secure subscriber awareness. The session qualifier is a component of the Sandvine Policy Engine that expands the session model used for baseline subscriber awareness in policy. A session qualifier is an expressed value that commonly represents, though is not limited to, a site number or a VLAN tag mapped to a site number. This value is permanently stored, and then referenced together with an IPv4 address in real time by control and data plane elements to identify unique subscriber sessions in the presence of overlapping IP addresses.

The session qualifier operates as a component of the Sandvine Policy Engine.

Figure 1: Sandvine before NAT

Signal flow

  1. Networks of subscribers are using the overlapping IPv4 space.
  2. The subscriber traffic comes in via multiple access networks. The subscriber is mapped to a private IPv4 address using RADIUS, DHCP or GTP-C at the time the subscriber joins the network. The different networks are on distinct VLANs when the traffic passes through the PTS.
  3. The SDE receives the RADIUS or DHCP message and processes it to determine the private IPv4 address, username and site. Any RADIUS or DHCP fields can be combined with arbitrary SandScript logic to determine the site. The SDE may receive the traffic from the multiple access network, or via a “tee” (real-time mirrored copy) from the PTS.
  4. The SDE passes on the private IPv4 address, username and site number to the SPB, which stores the information in its database and forwards the information to the PTS.
  5. The VLAN-tagged packets come into the PTS cluster. The PTS translates the VLAN tags into site numbers according to the PTS element’s configuration. The PTS uses the private IPv4 address and site number to uniquely identify subscribers, and then performs subscriber-aware policy. If the PTS does not know to which subscriber the IP address/site number mapping belongs, it looks up the information on the Subscriber Policy Broker (SPB – the solution storage layer).
  6. One or more NAT routers translate the traffic to public IPv4 addresses.
  7. Packets continue on to their Internet destinations.

Sandvine After NAT (CGN)

When the PTS is deployed outside the NAT, the source and destination IP of the traffic have changed. For Internet-bound packets, the source IP and source port are changed by the NAT before PTS inspection, and for subscriber-bound packets, the destination IP and destination port are altered after the PTS element inspects the traffic. In this case Sandvine’s SDE and PTS elements achieve subscriber awareness using the subscriber’s private IPv4 address, a network identifier and a unique TCP port number referenced from a lookup table on the NAT device. Sandvine supports multiple NAT routers and both private and public addresses, with the subscriber mapping again occurring beneath the policy layer to keep policy consistent across the network.

To accommodate a post-NAT environment, the network policy control solution must have the ability to integrate with the address translation architecture. Sandvine’s SDE supports SandScript policies that can negotiate with the NAT device to segregate IP addresses according to the network’s translation architecture, such as unique port numbers assigned to blocks of IPs. Figure 2 shows Sandvine's post-NAT deployment.

Figure 2: Sandvine after NAT

Signal flow

  1. Networks of subscribers are using the overlapping IPv4 space.
  2. The subscriber traffic comes in via multiple access networks. The subscriber is mapped to a private IPv4 address using RADIUS, DHCP or GTP-C at the time the subscriber joins the network.
  3. The following steps can happen in either order: (A) One or more NATs translate the traffic to public IPv4 addresses; from here on, the unique identifier for a subscriber's traffic is a public IP address with an assigned port range. (B) An SDE receives the RADIUS or DHCP message from the AAA server and processes it to determine the mapping of private IPv4 address to subscriber username.
  4. An SDE receives the public NAT address and port range mapping from the CGN (can be a different SDE). The SDE maps the subscriber’s private IPv4 address with the public NAT address and port range.
  5. The SDE passes information to the Sandvine persistence layer (SPB) in two streams: (A) the mapping of qualified private IPv4 address to subscriber username, and (B) the mapping of qualified private IPv4 address to public NAT address/port range.
  6. The data streams and their associated relationships are stored separately, but the SPB joins the two data streams if and when necessary to notify the PTS of conditions requiring subscriber-specific actions.
  7. The PTS uses the state information from the SPB to uniquely identify subscribers and perform subscriber-aware policy (e.g., metering, congestion management, service tiers).
  8. Packets continue on to their Internet destinations.
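As an added illustration (not Sandvine code), the following Python model shows the two SPB lookups that both signal flows above rely on: the pre-NAT case keys subscriber identity on a session qualifier (site number, derived from the VLAN tag) plus the private IPv4 address, and the post-NAT case joins that stream with the CGN's public-address/port-range stream. Site numbers, VLAN ids, addresses, port blocks and usernames are constructed sample values; the overlap check on port blocks is an assumption about what a sane broker should reject, not a documented SPB behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SiteKey = Tuple[int, str]  # (site number / session qualifier, private IPv4)


@dataclass
class SubscriberPolicyBroker:
    """Toy stand-in for the SPB: stores the two streams and joins them on demand."""
    vlan_to_site: Dict[int, int]                       # PTS config: VLAN tag -> site number
    by_private: Dict[SiteKey, str] = field(default_factory=dict)      # stream A
    by_public: Dict[str, List[Tuple[int, int, SiteKey]]] = field(default_factory=dict)  # stream B

    def learn_subscriber(self, site: int, private_ip: str, username: str) -> None:
        # Stream A: qualified private IPv4 -> username (from RADIUS/DHCP via the SDE).
        self.by_private[(site, private_ip)] = username

    def learn_nat_binding(self, site: int, private_ip: str,
                          public_ip: str, port_lo: int, port_hi: int) -> None:
        # Stream B: qualified private IPv4 -> public NAT address + port block (from the CGN).
        if port_lo > port_hi:
            raise ValueError("empty port range")
        for lo, hi, _ in self.by_public.get(public_ip, []):
            if port_lo <= hi and lo <= port_hi:  # overlapping blocks make lookups ambiguous
                raise ValueError(f"port block {port_lo}-{port_hi} overlaps {lo}-{hi} on {public_ip}")
        self.by_public.setdefault(public_ip, []).append((port_lo, port_hi, (site, private_ip)))

    def resolve_pre_nat(self, vlan: int, private_ip: str) -> Optional[str]:
        # Pre-NAT PTS: VLAN tag -> site number, then (site, private IPv4) -> subscriber.
        site = self.vlan_to_site.get(vlan)
        return None if site is None else self.by_private.get((site, private_ip))

    def resolve_post_nat(self, public_ip: str, src_port: int) -> Optional[str]:
        # Post-NAT PTS: (public IPv4, source port) -> port block -> join with stream A.
        for lo, hi, key in self.by_public.get(public_ip, []):
            if lo <= src_port <= hi:
                return self.by_private.get(key)
        return None


def build_demo() -> SubscriberPolicyBroker:
    # Constructed sample data: two sites reuse the same private address 10.0.0.5.
    spb = SubscriberPolicyBroker(vlan_to_site={100: 1, 200: 2})
    spb.learn_subscriber(1, "10.0.0.5", "alice")
    spb.learn_subscriber(2, "10.0.0.5", "bob")
    spb.learn_nat_binding(1, "10.0.0.5", "203.0.113.7", 1024, 2047)
    spb.learn_nat_binding(2, "10.0.0.5", "203.0.113.7", 2048, 3071)
    return spb
```

Both subscribers share 10.0.0.5 and the same public address 203.0.113.7; only the site number (pre-NAT) or the port block (post-NAT) tells them apart, which is exactly the information a PTS deployed without these mappings would lack.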
Updated: 2017-04-13 15:49:24