
11/11/15

Carrier Grade NAT (CGNAT) Workshop – Day 1
Professional Services Americas

Renato Florentino, MSC, JNCIE-SP 772

Copyright © 2014 Juniper Networks, Inc.

Agenda – Day One
• 1.1 - Protocol/Functionality Highlights
• 1.1.1 - CGNAT Strategies
• 1.2 - Hardware architecture and services modules
• 1.2.1 - Basic hardware (MS-DPC and MS-MPC NPU)
• 1.2.2 - Basic building blocks for flow processing (flow, conversation, flow roles [master/responder], flow creation and deletion, timers involved)
• 1.3 - NH style, interface style
• 1.4 - Service combination (NAT+SFW+IDS)
• 1.4.1 - Interaction with SFW
• 1.4.2 - Interaction with IDS protection
• 1.4.2.1 - IDS applicability to "master" flows only
• 1.5 - Scaling details

Agenda – Day One
• 2.1 - NAT pools and NAT prefixes. Relationship between NAT pool, service-set and SP interface
• 2.2 - Static source NAT
• 2.3 - Static destination NAT
• 2.4 - Port overloading, port assignment (range, sequencing)
• 2.5 - Dynamic source NAT with PAT
• 2.5.1 - Port allocation mechanisms: sequential (default) vs random
• 2.5.2 - Port ranges (default 1024-65535 vs custom)
• 2.5.3 - Behaviour when no free ports found

Agenda – Day One
• 3.1 - Statefulness and anomaly detection
• 3.1.1 - SYN cookies
• 3.1.2 - SYN attacks
• 3.1.3 - ICMP errors
• 3.1.4 - Protocol header errors
• 3.1.5 - TCP tickles
• 3.2 - Application Level Gateways (ALGs)
• 3.2.1 - Default Junos definitions
• 3.2.2 - Customization (reassignment of ports, timers)

Introduction
• Initial description of NAT services configuration, HW requirements and basic scaling details.

Introduction – 1.1 Protocol/Functionality Highlights

Protocol/Functionality Highlights
• In early 2011, the Internet Assigned Numbers Authority allocated the last of its inventory of large-block IPv4 addresses, and service providers, large enterprises and universities, cloud providers, e-tailers, and federal agencies will find it increasingly difficult to acquire new IPv4 addresses.
• Juniper Networks' Next Generation Network Addressing portfolio provides a comprehensive set of technologies that mitigate IPv4 depletion issues while ensuring IPv4-IPv6 co-existence and a pragmatic, business-driven transition to IPv6.

Protocol/Functionality Highlights (contd.)
• Network Address Translation (NAT) is the process of modifying network address and port information inside the IP packet headers, while it transits across a routing device, for the purpose of remapping a given address space into another.

Protocol/Functionality Highlights (contd.)
• NAT is commonly used for:
– Concealing a set of host addresses on a private network behind a pool of public addresses.
– A security measure to protect the host addresses from direct targeting in network attacks.
– Allowing access from the Internet to private servers or applications
– Merging or interconnecting networks with overlapped addressing
– Migration technique from/to IPv6

Protocol/Functionality Highlights (contd.)
• Traditional NAT, specified in RFC 3022, Traditional IP Network Address Translator, is fully supported by the JUNOS Software. In addition, network address port translation (NAPT) is supported for source addresses.

• The following types of NAT are supported on Juniper Networks devices:
– Static NAT
– Destination NAT
– Source NAT

Protocol/Functionality Highlights (contd.)

Summary
• Depending on the action taken when the packet is in transit on the router (fields to be replaced (src/dst), internal/external pool relationship), there are different kinds of translations.
• For each translation a flow is created in the Service PIC, which allows returning traffic to be processed.
• Below there is a small summary of the most common types of NAT translation:
– Static Source NAT: traffic initiated from inside; mapping 1:1, n:n; IP field translated: source address; TCP/UDP information: preserved
– Dynamic Source NAT: traffic initiated from inside; mapping m:n (m>n); IP field translated: source port and address; TCP/UDP information: source port translated
– Static Destination NAT: traffic initiated from outside; mapping 1:1, n:n; IP field translated: destination address; TCP/UDP information: preserved

Protocol/Functionality Highlights (contd.)
• One of the most common solutions right now adopted by ISPs is CGNAT. CGNAT (sometimes known as Large Scale NAT or LSN) is a highly scalable NAT placed between the customer premises equipment (CPE) and the core of the network that implements NAT for UDP [RFC 4787], NAT for TCP [RFC 5382] and NAT for ICMP [RFC 5508], and a few additional requirements discussed in [NAT444][CGN][INC-CGN].

• Juniper recommends technologies that extend customers' current IPv4 address pool and ensure IPv4 and IPv6 co-existence without imposing forklift upgrades or operational penalties. These include technologies such as NAT44(4), as well as DS-Lite which uses tunneling in combination with NAT.

Protocol/Functionality Highlights (contd.)
• CGNAT inherits almost all the concepts present in regular NAT (RFC 2663)
• It's used for private-address to public-address mapping
• Used to give IPv4 users an "extra mile" until IPv6 is largely adopted

Protocol/Functionality Highlights (contd.)
• It is used in a large-scale solution, AKA:
• CGNAT (Carrier Grade NAT)
• LSN (Large Scale NAT)
• Uses the same concepts as Source NAT, Destination NAT, Twice NAT and Port Forwarding
• The concepts of Full Cone, Semi Cone, Restricted Cone, Restricted Port Cone are also used in the CGNAT solution
• A dedicated IP block is reserved for CGNAT operation (RFC 6598)

Introduction – 1.1.1 CGNAT Strategies

CGNAT Strategies

Carrier Grade NAT services
• A comprehensive, feature-rich set of NAT services.
NAT type and options available:
• Basic NAT44: source NAT pool with address-range/prefix; translation type is source-static
• Basic NAT66: NAT pool with IPv6 address-range/prefix; translation type source-static
• NAPT44: source NAT pool with address-range/prefix and port range; translation type is source-dynamic
• NAPT66: source NAT pool with IPv6 address-range/prefix and port range; translation type is source-dynamic
• Dynamic NAT44: source NAT pool with address-range/prefix; translation type is source-dynamic
• Basic NAT-PT: source NAT pool with IPv4 address-range/prefix; destination NAT pool with /96 prefix; NAT match condition has IPv6 address/address-range; translation type is source-dynamic destination-static
• NAPT-PT: source NAT pool with IPv4 address-range/prefix and port-range; destination NAT pool with /96 prefix; NAT match condition has IPv6 address/address-range; translation type is source-dynamic destination-static
• Twice NAT44: source NAT pool with address-range/prefix; destination NAT pool with address-range/prefix; translation type is source-dynamic destination-static
• Stateful NAT64: source NAT pool with address-range/prefix and port range; translation type is source-dynamic; translates between address families v6 to v4

NAT444: Double IPv4 NAT
• Extends the life of IPv4
• Little/No customer control on CGN translations
• Customers are assigned private IPv4 addresses (RFC 1918)
• Least impact to existing infrastructure
[Figure: v4 host (RFC 1918) → v4 CPE NAT (UE/HG) → v4 access router → v4 core network (RFC 1918) → CGN → v4 Internet. Caption: IPv4 exhaustion mitigation technology ONLY]

CGN (NAT444) Internals
• Packet from the host (192.168.1.3 behind the IPv4 CPE NAT): IPv4 src 192.168.1.3, src port 12345; IPv4 dst 198.108.95.21 (www.nanog.org), dst port 80
• After the CPE NAT: IPv4 src 10.6.7.8 (ISP RFC 1918 internal), src port 23456; IPv4 dst 198.108.95.21, dst port 80
• After the CGN: IPv4 src 1.2.3.4 (from the pool of the ISP), src port 45678; IPv4 dst 198.108.95.21, dst port 80
• CPE NAT binding: IN 192.168.1.3 + port 12345; OUT 10.6.7.8 + port 23456
• CGN NAT binding: IN 10.6.7.8 + port 23456; OUT 1.2.3.4 + port 45678
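The two-stage binding chain from the NAT444 internals slide, as an added example that is not Juniper's code: each stage is a sequential-allocation NAPT table, and the CGN additionally enforces a per-subscriber port limit (constructed as 2, the idea behind limit-ports-per-address). Addresses and ports are the slide's; the pools' first ports are chosen so the first allocation reproduces them, and the unsolicited sender 203.0.113.9 is constructed.

```python
"""Two-stage NAPT (NAT444) walk-through: CPE NAT, then CGN, then the reply back."""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]            # (ip, port)
Packet = Tuple[str, int, str, int]    # (src ip, src port, dst ip, dst port)


class Napt:
    """Endpoint-independent NAPT: one inside (ip, port) maps to one public (ip, port)."""

    def __init__(self, name: str, public_ip: str, first_port: int,
                 last_port: int = 65535, ports_per_host: Optional[int] = None) -> None:
        self.name = name
        self.public_ip = public_ip
        self.next_port = first_port           # sequential allocation (the default named in the agenda)
        self.last_port = last_port
        self.ports_per_host = ports_per_host  # None = no per-subscriber limit
        self.out_map: Dict[Endpoint, Endpoint] = {}   # inside  -> outside
        self.in_map: Dict[Endpoint, Endpoint] = {}    # outside -> inside
        self.used_by_host: Dict[str, int] = {}

    def bind(self, inside: Endpoint) -> Endpoint:
        """Reuse the existing binding for `inside` or allocate the next free public port."""
        if inside in self.out_map:
            return self.out_map[inside]
        host = inside[0]
        if self.ports_per_host is not None and self.used_by_host.get(host, 0) >= self.ports_per_host:
            raise RuntimeError(f"{self.name}: port limit reached for {host}")
        if self.next_port > self.last_port:
            raise RuntimeError(f"{self.name}: pool {self.public_ip} exhausted")
        outside = (self.public_ip, self.next_port)
        self.next_port += 1
        self.out_map[inside] = outside
        self.in_map[outside] = inside
        self.used_by_host[host] = self.used_by_host.get(host, 0) + 1
        return outside

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source ip/port from the binding."""
        src_ip, src_port, dst_ip, dst_port = pkt
        pub_ip, pub_port = self.bind((src_ip, src_port))
        return (pub_ip, pub_port, dst_ip, dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination from the binding; None = no binding, drop."""
        src_ip, src_port, dst_ip, dst_port = pkt
        inside = self.in_map.get((dst_ip, dst_port))
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])


def nat444_walk() -> dict:
    """Run the slide's packet through CPE NAT and CGN, then the reply back to the host."""
    cpe = Napt("CPE", "10.6.7.8", first_port=23456)                   # ISP RFC 1918 internal
    cgn = Napt("CGN", "1.2.3.4", first_port=45678, ports_per_host=2)  # ISP public pool, constructed limit
    host_pkt: Packet = ("192.168.1.3", 12345, "198.108.95.21", 80)    # to www.nanog.org
    after_cpe = cpe.outbound(host_pkt)
    after_cgn = cgn.outbound(after_cpe)

    # The reply from www.nanog.org is addressed to the CGN's public endpoint.
    reply: Packet = (after_cgn[2], after_cgn[3], after_cgn[0], after_cgn[1])
    back_at_cpe = cgn.inbound(reply)
    back_at_host = cpe.inbound(back_at_cpe)

    # Unsolicited inbound packet to an unused public port: no binding, dropped (hosts stay concealed).
    unsolicited = cgn.inbound(("203.0.113.9", 4444, "1.2.3.4", 50000))

    # Per-subscriber limit: the subscriber's second flow is fine, the third is refused,
    # so one subscriber cannot drain the shared pool for everyone else.
    cgn.outbound(("10.6.7.8", 23457, "198.108.95.21", 443))
    limit_hit = False
    try:
        cgn.outbound(("10.6.7.8", 23458, "198.108.95.21", 22))
    except RuntimeError:
        limit_hit = True
    return {
        "after_cpe": after_cpe,
        "after_cgn": after_cgn,
        "back_at_host": back_at_host,
        "unsolicited_dropped": unsolicited is None,
        "limit_hit": limit_hit,
        "cgn_bindings": dict(cgn.out_map),
    }


if __name__ == "__main__":
    for name, value in nat444_walk().items():
        print(f"{name}: {value}")
```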

NAT64: IPv6 to IPv4 NAT
• IPv6 access network
• All customer devices and applications MUST support IPv6
• NAT64 and DNS64 share a Well-Known Prefix
[Figure: v6 host (UE/HG) → v6 access/distribution router → v6 core network (with DNS64) → NAT64 → v4 Internet; the v6 Internet and v6 servers are reached natively. Caption: Ideal for greenfield deployments / mobile networks]

NAT64 Internals
• IPv6 packet from the host: IPv6 src 2001:db8::1, src port 12345; IPv6 dst 2009:db9:7 (AAAA generated by DNS64 to match www.nanog.org), dst port 80
• IPv4 packet after NAT64: IPv4 src 1.2.3.4 (from the pool of the ISP), src port 45678; IPv4 dst 198.108.95.21 (www.nanog.org), dst port 80
• NAT64 NAT binding: IN 2001:db8::1 + port 12345; OUT 1.2.3.4 + port 45678
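How DNS64 and NAT64 share one prefix, as an added example that is not Juniper's code: DNS64 embeds the A record of www.nanog.org in the low 32 bits of the RFC 6052 Well-Known Prefix 64:ff9b::/96 (assumed here because the slide's synthesized address is truncated), and NAT64 recognises that same prefix on the destination, extracts the IPv4 target and binds the host to the slide's pool address 1.2.3.4 (first port 45678, chosen to reproduce the slide). The native destination 2001:db8:ffff::1 is constructed.

```python
"""DNS64 synthesis plus a stateful NAT64 binding table sharing a /96 prefix."""
import ipaddress
from typing import Dict, Optional, Tuple

IPv6 = ipaddress.IPv6Address
IPv4 = ipaddress.IPv4Address
WKP = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052 Well-Known Prefix (assumed)


def dns64_synthesize(a_record: str, prefix: ipaddress.IPv6Network = WKP) -> IPv6:
    """AAAA answer for an IPv4-only name: prefix || IPv4 address in the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("only a /96 prefix embeds the IPv4 address in the low 32 bits")
    return IPv6(int(prefix.network_address) | int(IPv4(a_record)))


def extract_ipv4(addr: IPv6, prefix: ipaddress.IPv6Network = WKP) -> Optional[IPv4]:
    """NAT64 side: the IPv4 address embedded in `addr`, or None for a native IPv6 destination."""
    if addr not in prefix:
        return None
    return IPv4(int(addr) & 0xFFFFFFFF)


class Nat64:
    """Stateful NAT64 binding table: (v6 src, port) <-> (v4 pool ip, port)."""

    def __init__(self, pool_ip: str, first_port: int, prefix: ipaddress.IPv6Network = WKP) -> None:
        self.pool_ip = IPv4(pool_ip)
        self.next_port = first_port            # sequential allocation from the pool's port range
        self.prefix = prefix
        self.v6_to_v4: Dict[Tuple[IPv6, int], Tuple[IPv4, int]] = {}
        self.v4_to_v6: Dict[Tuple[IPv4, int], Tuple[IPv6, int]] = {}

    def v6_to_v4_packet(self, src6: str, sport: int, dst6: str, dport: int):
        """Translate an IPv6 packet into (src4, sport, dst4, dport); None = forward natively."""
        dst4 = extract_ipv4(IPv6(dst6), self.prefix)
        if dst4 is None:
            return None                        # not in the NAT64 prefix: plain IPv6 forwarding
        key = (IPv6(src6), sport)
        if key not in self.v6_to_v4:
            public = (self.pool_ip, self.next_port)
            self.next_port += 1
            self.v6_to_v4[key] = public
            self.v4_to_v6[public] = key
        pub_ip, pub_port = self.v6_to_v4[key]
        return (str(pub_ip), pub_port, str(dst4), dport)

    def v4_to_v6_packet(self, src4: str, sport: int, dst4: str, dport: int):
        """Translate the IPv4 reply back to IPv6; None = no binding, dropped."""
        inside = self.v4_to_v6.get((IPv4(dst4), dport))
        if inside is None:
            return None
        # The IPv4 source becomes the prefix-embedded IPv6 address DNS64 handed out.
        src6 = dns64_synthesize(src4, self.prefix)
        return (str(src6), sport, str(inside[0]), inside[1])


def nat64_walk() -> dict:
    """Resolve www.nanog.org via DNS64, send the slide's packet through NAT64 and back."""
    aaaa = dns64_synthesize("198.108.95.21")           # www.nanog.org has only an A record
    nat = Nat64("1.2.3.4", first_port=45678)
    out4 = nat.v6_to_v4_packet("2001:db8::1", 12345, str(aaaa), 80)
    reply6 = nat.v4_to_v6_packet("198.108.95.21", 80, "1.2.3.4", 45678)
    native = nat.v6_to_v4_packet("2001:db8::1", 12345, "2001:db8:ffff::1", 443)
    return {"aaaa": str(aaaa), "out4": out4, "reply6": reply6, "native_untouched": native is None}


if __name__ == "__main__":
    print(nat64_walk())
```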

6rd: Native IPv4 + IPv6 Overlay Service
• Allows for rapid deployment of IPv6 without significant infrastructure changes
– CPE must be updated/replaced to add support for 6rd
– Devices that function as a 6rd relay must be installed
• No other changes to infrastructure are required

6rd: Native IPv4 + IPv6 Overlay Service
[Figure: v4-only host (UE/HG) → v4 CPE with 6rd support (IPv4/NAT) → v4 access router → v4 core network (RFC 1918) → 6rd relay (dual stack) → v6 Internet; the v4 Internet is reached directly. Caption: 6rd is for rapid deployment of v6 services in a v4 network]

6rd Internals
• IPv6 packet from the host: IPv6 src 2001:db8::1, src port 12345; IPv6 dst 2001:4860:8010::63 (ipv6.google.com), dst port 80
• Between the 6rd CPE and the 6rd relay the IPv6 packet is carried inside an IPv4 packet: IPv4 src = CPE IPv4 address, IPv4 dst = 6rd relay; the inner IPv6 packet is unchanged
• After the 6rd relay: the same IPv6 packet (src 2001:db8::1, dst 2001:4860:8010::63, src port 12345, dst port 80)
• No binding table on the 6rd relay: 6rd is stateless.
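Why the relay needs no binding table, as an added example that is not Juniper's code and that goes beyond the slide to the general RFC 5969 derivation: the customer's delegated IPv6 prefix is the SP's 6rd prefix followed by the CPE's IPv4 address bits, so both CPE and relay derive the IPv4 tunnel endpoint from the IPv6 destination alone, and the relay can check that the encapsulating IPv4 source matches the bits embedded in the inner IPv6 source. The SP prefix 2001:db8::/32, IPv4MaskLen 0, CPE address 192.0.2.33, relay address 203.0.113.1 and the spoofing source 198.51.100.7 are constructed.

```python
"""6rd (RFC 5969) prefix derivation, tunnel-endpoint lookup and relay source check."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SixRdDomain:
    sixrd_prefix: ipaddress.IPv6Network   # SP's 6rd prefix, e.g. 2001:db8::/32
    ipv4_mask_len: int                    # leading IPv4 bits common to the whole domain
    br_ipv4: ipaddress.IPv4Address        # border relay IPv4 address
    ipv4_common: ipaddress.IPv4Address = ipaddress.IPv4Address("0.0.0.0")  # those common bits

    @property
    def embedded_bits(self) -> int:
        return 32 - self.ipv4_mask_len


def delegated_prefix(domain: SixRdDomain, cpe_ipv4: str) -> ipaddress.IPv6Network:
    """Delegated prefix = 6rdPrefix || (CPE IPv4 address minus its first IPv4MaskLen bits)."""
    v4 = int(ipaddress.IPv4Address(cpe_ipv4)) & ((1 << domain.embedded_bits) - 1)
    plen = domain.sixrd_prefix.prefixlen + domain.embedded_bits
    net = int(domain.sixrd_prefix.network_address) | (v4 << (128 - plen))
    return ipaddress.IPv6Network((net, plen))


def tunnel_endpoint(domain: SixRdDomain, dst6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address of the 6rd CPE owning `dst6`, or None if `dst6` is outside the 6rd domain."""
    addr = ipaddress.IPv6Address(dst6)
    if addr not in domain.sixrd_prefix:
        return None
    shift = 128 - domain.sixrd_prefix.prefixlen - domain.embedded_bits
    low = (int(addr) >> shift) & ((1 << domain.embedded_bits) - 1)
    high = int(domain.ipv4_common) & ~((1 << domain.embedded_bits) - 1)
    return ipaddress.IPv4Address(high | low)


def cpe_next_hop(domain: SixRdDomain, dst6: str) -> ipaddress.IPv4Address:
    """CPE: tunnel directly to another 6rd CPE, otherwise to the border relay."""
    return tunnel_endpoint(domain, dst6) or domain.br_ipv4


def relay_accepts(domain: SixRdDomain, outer_v4_src: str, inner_v6_src: str) -> bool:
    """RFC 5969 sec. 9 check: the encapsulating IPv4 source must equal the IPv4 address embedded
    in the inner IPv6 source, otherwise one customer could send with another customer's prefix."""
    expected = tunnel_endpoint(domain, inner_v6_src)
    return expected is not None and expected == ipaddress.IPv4Address(outer_v4_src)


def sixrd_walk() -> dict:
    """Constructed domain: 2001:db8::/32, IPv4MaskLen 0, relay 203.0.113.1, CPE 192.0.2.33."""
    d = SixRdDomain(ipaddress.IPv6Network("2001:db8::/32"), 0, ipaddress.IPv4Address("203.0.113.1"))
    cpe_prefix = delegated_prefix(d, "192.0.2.33")
    host = str(cpe_prefix.network_address + 1)          # a host inside the delegated /64
    return {
        "cpe_prefix": str(cpe_prefix),
        "endpoint_for_host": str(tunnel_endpoint(d, host)),
        "next_hop_for_google": str(cpe_next_hop(d, "2001:4860:8010::63")),  # slide's destination
        "genuine_accepted": relay_accepts(d, "192.0.2.33", host),
        "spoofed_rejected": not relay_accepts(d, "198.51.100.7", host),
    }


if __name__ == "__main__":
    print(sixrd_walk())
```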

DS-Lite: Native IPv6 + IPv4 Overlay Service
• Requires an IPv6 access network
• CPE must be upgraded/replaced to support DS-Lite
• CPE only provisioned with IPv6
• Only one layer of NAT – performed on the AFTR
[Figure: IPv6 host (UE/HG) → v6 CPE/device with DS-Lite (B4) support → v6 access/distribution router → v6 core network → AFTR → v4 Internet; the v6 Internet (dual stack) is reached natively. Caption: For deployment in a network that is already native v6 transport]

DS-Lite Internals
• IPv4 packet from the host: IPv4 src 192.168.1.3, src port 12345; IPv4 dst 198.108.95.21 (www.nanog.org), dst port 80
• From the CPE (B4) to the AFTR the IPv4 packet is encapsulated in IPv6: IPv6 src = CPE IPv6 address, IPv6 dst = AFTR IPv6 address; the inner IPv4 packet (192.168.1.3:12345 → 198.108.95.21:80) is unchanged
• After the AFTR: IPv4 src 1.2.3.4 (from the pool of the ISP), src port 45678; IPv4 dst 198.108.95.21, dst port 80
• AFTR NAT binding: IN IPv6 WAN address of CPE + 192.168.1.3 + port 12345; OUT 1.2.3.4 + port 45678
• CPE using Protocol: IP in IP [encapsulation]

The evolution of high speed NAT – Why inline NAT?
[Figure: MS-DPC (MultiService Dense Port Concentrator) based NAT on MX240, MX480 and MX960, versus inline (Trio) based NAT on the Modular Port Concentrator (MPC) on MX80, MX240, MX480 and MX960]

Summary of NAT/Transition Methods
• CPE network IPv4, access network IPv4, destination IPv4 Internet: NAT44(4)
• CPE network IPv4/IPv6, access network IPv6, destination IPv4 Internet: DS-LITE with NAT44
• CPE network IPv4/IPv6, access network IPv4, destination IPv6 Internet: 6rd (6to4)
• CPE network IPv6, access network IPv6, destination IPv4 Internet: NAT64

RFC's supported – growing list
• RFC 2663 – NAT44 and NAPT44
• RFC 4787 – UDP Behave
• RFC 5382 – TCP Behave
• RFC 5508 – ICMP Behave
• RFC 6146 – Stateful NAT64
• RFC 5969 – 6rd
• RFC 6333 – DS-Lite

RFC's supported – growing list
• RFC 2766 – NAT-PT
• RFC 3056 – 6to4
• draft-kuarsingh-v6ops-6to4-provider-managed-tunnel – 6to4-PMT
• draft-ietf-behave-lsn-requirements – Common requirements for CGN devices

Introduction – 1.2 Hardware architecture and services modules

Hardware architecture
• In modern networking, additional services have been moved from dedicated devices into a single box (the router). For this purpose additional hardware is required to avoid any degradation in packet forwarding and throughput.
• Service is a broad term that can include tasks that are performed at Layer 2 (such as link bonding) or at Layer 3 (such as Network Address Translation [NAT]).
• Depending on the type of service required and the size of the service, different PICs can be used. The current offerings include:
– MultiServices DPC (MS-DPC)
– MultiServices MPC (MS-MPC)

Hardware architecture
[Figure: Separation of control and forwarding. Control plane: the Routing Engine running the Junos OS, holding the routing table (RT) and forwarding table (FT); an internal link connects it to the forwarding plane: the Packet Forwarding Engine holding its copy of the FT, with frames/packets in and frames/packets out.]

NAT in the Control plane (RE)
• On the RE side, NAT functionality resides in NSD and USPINFO.
• In NSD, the NAT module has the following major tasks:
• Sanity-check the NAT configuration.
• Parse the NAT configuration, generate configuration blobs and push them into the RE kernel (the RE kernel communicates with the PFEs).
• Handle asynchronous events (e.g. interface up/down) from the kernel.
• In USPINFO, the NAT module handles NAT-related operational commands. USPINFO retrieves info from the PFE and displays it in a predefined format.

NAT in the Data plane (PFE)
• In FLOWD, the packet is processed and forwarded. The Ukernel serves as the control plane in FLOWD, and forwarding threads do the real packet processing. The major tasks of NAT in the Ukernel are:
• Handling the configuration blob from the RE kernel.
• Handling operational commands from USPINFO on the RE.
• Handling VTY commands.

Introduction – 1.2.1 Basic hardware (MS-DPC and MS-MPC NPU)

The MultiService DPC (MS-DPC)
• Extends MS-PIC capabilities to MX-series
• CLI syntax will remain the same
• Hardware based on:
• 2 Network Processor Units (NPU) per DPC
• One MS-DPC will be like two MS-500 PICs
• One sp-* interface is created per NPU
• Two Multiservices Processing Units (MSPUs) per DPC, which include two 1.1 GHz multicore CPUs, each with 4 GB of memory for processing integrated services.
• 4G of performance per NPU, 8G for the full DPC
• 8 MS-DPCs supported per chassis
• Supports L3
• SFW, NAT, JFLOW, IPSec, GRE Tunneling with keys and TCP-MSS Adjust, RPM, DAA, full IDP with signatures

Network Address Translation (NAT)
• NAT and SFW are stateful directional services
• A notion of "inside" and "outside" needs to be applied.
• Conversations are initiated from one side
• NAT works in conjunction with the Stateful Firewall
• Share ALGs
• Allows the SFW to manage the traffic and then everything can be NATed
• Or allow a SFW rule that allows all legitimate traffic through bi-directionally and NAT accordingly

The MultiService MPC (MS-MPC)
• Extends MS-DPC capabilities to MX-series
• CLI syntax will remain the same with minor changes
• Hardware based on:
• 4 Network Processor Units (NPU) per MPC
• One ms-* interface is created per NPU
• 4 XLP 832 8-core processors connected in 2 pairs via Inter-Chip-Interconnect (ICI)
• An XM and an LU complex – with 40G (4 x XAUI) bi-directional traffic to each XLP
• 32 GB of DDR3 memory per XLP processor
• 2 SGMII ports of each XLP are connected to the GE switches
• 8 MS-MPCs are supported per chassis with AMS interface
• Supports L3
• SFW, NAT, JFLOW, IPSec, GRE Tunneling with keys and TCP-MSS Adjust, RPM, DAA, full IDP with signatures

New CGNAT features available only on MS-MPC

• Possibility to ignore TCP or ALG errors or both

    interfaces {
        <ms-*/[0-3]/0> {
            services-options {
                ignore-errors tcp alg;
            }
        }
    }

• Limit ports per private IP

    root@bug# set services nat pool p1 limit-ports-per-address ?
    Possible completions:
      <limit-ports-per-address>  Limit number of ports allocated per host (IP address)

MS-MPC: CGNAT Roadmap
Timeline columns: 4Q 2014, 1H 2015, 2H 2015, 1H 2016, 2H 2016, 1H 2017 (target release shown per feature)
• AMS Support for IPv6 – 14.2
• ALG Performance improvements MS-MPC – 14.1X55
• PBA on MS-MPC – 14.2R2
• JFlow/IPFIX Logging – 15.1
• Secure EIF – 15.1
• Deterministic NAT – MS-MPC – 15.2R2
• Port Forwarding – MS-MPC – 15.2R2
• IKE ALG – ????
• H.323 ALG for IPv4 – 15.1R1
• CoS Support – MS-MPC – 15.2R1
• 6rd on MS-MPC – 16.2 – In planning
• DS-Lite on MS-MPC – 16.2 – In planning
• PCP on MS-MPC – 16.2 – In planning
• CLAT aware NAT64 – 16.2 – In planning
• Session clearing based on RADIUS stop msg – 16.2 – In planning
• H.322 ALG for IPv6 – 16.2 – In planning

NAT on MS-DPC and MS-MPC
• MS-DPC and MS-MPC support the following NAT standards:
– IPv4 to IPv4 Traditional NAT (RFC 3022, Traditional IP Network Address Translator). In addition, network address port translation (NAPT) is supported for source addresses.
– Twice NAT (RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations) – (MS-MPC in JUNOS 15.1 and above)
– IPv6 to IPv6 NAT (NAT66), defined in Internet Draft "draft-mrw-behave-nat66-01" – (only MS-DPC)
– NAT-PT (RFC 2766, Network Address Translation - Protocol Translation (NAT-PT)) with DNS ALG
– DS-Lite – (only MS-DPC)

Packet vs Flow Processing
• Packet-based, or stateless, packet processing treats packets discretely. Each packet is assessed individually for treatment.
• Flow-based packet processing treats related packets, or a stream of packets, in the same way. Packet treatment depends on characteristics that were established for the first packet of the packet stream, which is referred to as a flow.

Flow
• A flow is a stream of related packets that meet the same matching criteria and share the same characteristics.
• JUNOS Software treats packets belonging to the same flow in the same manner.
• Configuration settings that determine the fate of a packet—such as the security policy that applies to it, whether it requires an Application Layer Gateway (ALG), whether Network Address Translation (NAT) is applied to translate the packet's source and/or destination IP address—are assessed for the first packet of a flow.

Flow
• To determine if a flow exists for a packet, the NPU attempts to match the packet's information to that of an existing session based on the following match criteria:
• Source address
• Destination address
• Source port
• Destination port
• Protocol (L4 options need to be manually enabled)

Flows (contd.)
• UDP and ICMP flows
• Since UDP is uni-directional, it causes one flow.
• ICMP is bi-directional, so it causes two flows.
• TCP flows
• Establishing a TCP connection begins with a three-way handshake and creates two flows. The two TCP flows end with a four-way handshake or a time-out.

Flows (contd.)
• Other protocols
• Packets from other protocols can be grouped into flows as well. There are other transport protocols, and some protocols use layer 4 as a transport. E.g. HTTP traffic is carried by TCP/IP and creates a flow as the connection is built and torn down.
• Flow roles:
• "Master" is the flow initializing the session
• "Responder" is the responding flow

• Source: http://en.wikipedia.org/wiki/Flow_(computer_networking)
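The flow-table behaviour the last three slides describe (5-tuple match, master/responder roles, one flow for UDP versus two for TCP and ICMP, deletion on time-out), as an added example that is not Junos code. The idle timers and all addresses are constructed, not Junos defaults.

```python
"""Flow table keyed on the 5-tuple, with master/responder roles and idle-timer deletion."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, int]   # (src ip, dst ip, src port, dst port, protocol)
ICMP, TCP, UDP = 1, 6, 17
IDLE_TIMEOUT = {TCP: 1800.0, UDP: 30.0, ICMP: 10.0}   # constructed idle timers, seconds
BIDIRECTIONAL = {TCP, ICMP}                            # per the slides: UDP creates one flow only


@dataclass
class Flow:
    key: FiveTuple
    role: str            # "master" (initiating direction) or "responder"
    session_id: int
    last_seen: float
    packets: int = 0


def reverse(key: FiveTuple) -> FiveTuple:
    src, dst, sport, dport, proto = key
    return (dst, src, dport, sport, proto)


class FlowTable:
    def __init__(self) -> None:
        self.flows: Dict[FiveTuple, Flow] = {}
        self.next_session = 1

    def lookup(self, key: FiveTuple, now: float) -> Optional[Flow]:
        """Match on the 5-tuple; an idle-expired flow (and its peer) is deleted and treated as absent."""
        flow = self.flows.get(key)
        if flow is not None and now - flow.last_seen > IDLE_TIMEOUT[key[4]]:
            self.delete_session(flow.session_id)
            return None
        return flow

    def delete_session(self, session_id: int) -> None:
        """Remove every flow of a session (master and responder together)."""
        for k in [k for k, f in self.flows.items() if f.session_id == session_id]:
            del self.flows[k]

    def process(self, key: FiveTuple, now: float) -> Tuple[Flow, bool]:
        """Return (matched or created flow, created?). Only a newly created master flow
        needs policy / NAT evaluation; later packets just inherit what it decided."""
        flow = self.lookup(key, now)
        created = flow is None
        if created:
            sid = self.next_session
            self.next_session += 1
            flow = Flow(key, "master", sid, now)
            self.flows[key] = flow
            if key[4] in BIDIRECTIONAL:
                # Pre-create the reverse flow so return traffic matches state
                # instead of being evaluated as a new session from the other side.
                self.flows[reverse(key)] = Flow(reverse(key), "responder", sid, now)
        flow.last_seen = now
        flow.packets += 1
        return flow, created


def flow_walk() -> dict:
    """Constructed traffic: one TCP session, one UDP query, then a late packet after the timer."""
    t = FlowTable()
    syn = ("192.168.1.3", "198.108.95.21", 12345, 80, TCP)
    master, syn_created = t.process(syn, now=0.0)
    resp, resp_created = t.process(reverse(syn), now=0.1)        # SYN/ACK hits the responder flow
    udp, _ = t.process(("192.168.1.3", "198.108.95.21", 5353, 53, UDP), now=1.0)
    udp_back = t.lookup(("198.108.95.21", "192.168.1.3", 53, 5353, UDP), now=1.1)
    late, late_created = t.process(reverse(syn), now=0.1 + 1800.0 + 1.0)  # TCP idle timer expired
    return {
        "syn_created": syn_created,
        "master_role": master.role,
        "synack_matched_responder": (resp.role == "responder" and not resp_created
                                     and resp.session_id == master.session_id),
        "udp_flows": sum(1 for f in t.flows.values() if f.session_id == udp.session_id),
        "udp_reverse_found": udp_back is not None,
        "after_timeout_new_session": late_created and late.session_id != master.session_id,
        "flows_in_table": len(t.flows),
    }


if __name__ == "__main__":
    print(flow_walk())
```

The late packet is the security-relevant case: once the timer has deleted the session, a packet arriving from the server side opens a new master flow in that direction, which is exactly what the stateful firewall then has to evaluate and, for an untrusted side, deny.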

Introduction – 1.3 NH style, interface style

Service-set
• Service sets are the main building block when configuring JUNOS software services. A service set is a list of service interfaces, service types, and service rules applied to either an interface or a routing next hop. A service set can contain one type of Layer 3 service or a grouping of services such as NAT, IDS, and stateful firewall.

NH style vs. interface style
• When creating a service set, you'll need to decide whether it should be applied as an interface or a next hop.
• A next-hop-style service set makes use of two logical service interfaces, called the inside and outside interfaces. Traffic is mapped to these interfaces as a result of a routing next-hop lookup. The traffic can enter or exit either the inside or the outside interface depending on the configuration, which depends primarily on the routing configuration and stateful-firewall rules.
• An interface-style service set is applied directly to the interface, affecting traffic as it leaves and enters the interface.

Service SETs
• Interface-Style
• The service-sets are generally quicker to configure and deploy than next-hop style.
• Directly applied to the media interfaces and appear as a "bump-in-the-wire" between the media interface and the PFE.
• All traffic entering the interface and exiting the interface will traverse the MS-DPC/MPC by a service filter applied to the interface.
• Next-Hop Style
• Use the routing table or instance to steer traffic to services.
• Only traffic that is destined for a specific next-hop is serviced by the service-set by use of firewall filters.
• Provide more flexibility than interface-style but care must be taken to ensure traffic symmetry for services that require it.

Interface style
• When creating the service rules, one item you must configure is a direction of either input or output. The direction that is recorded for a packet must match for the service rule to match. This direction is straightforward for an interface-style service set, as input is for incoming traffic to the physical interface, and output is for traffic leaving the physical interface.

• An interface-style service-set is tied to a single sp-*/rsp* interface unit and traffic is directed into this service-set by means of a service-filter.

Life of a Packet – Interface Style
[Figure: Ingress PFE, media interface ge-1/0/0.0: (1) input BA classifier, (2) input filter, (3) input policer, (4) input service filter, (5) services PIC sp-1/0/0.0, (6) post service filter, (7) route table lookup. Egress PFE, media interface ge-2/0/0.0: (8) output filter, (9) output policer, (10) output service filter, (13) services PIC when the output service set is applied to the egress interface, (14) return from the services PIC, (11) output scheduler, (12) rewrite ToS. Legend: input traffic before the service PIC; input traffic after the service PIC; input traffic when an output service set is applied to the egress interface; traffic after a service is applied from an output service filter.]

Next-hop style
• When you look at a next-hop-style service set, the direction is more complex because the next hop could point to two possible logical interfaces. If the next hop points to the inside interface, the direction is input, and if the next hop points to the outside interface, the direction is output.
• A next-hop-style service-set is tied to a pair of sp-*/rsp* interface units and traffic is directed into this service-set by means of static or dynamic routing.

Life of a Packet – Next-Hop Style
Input Traffic
[Figure: Ingress PFE, media interface ge-1/0/0.0: (1) input BA classifier, (2) input filter, (3) input policer, (4) route lookup in VRF1, (5) services PIC, entering on the inside interface (unit 10) and leaving on the outside interface (unit 20), (6) route lookup in inet.0. Egress PFE, media interface ge-2/0/0.0: (7) output filter, (8) output policer, (9) output scheduler, (10) rewrite ToS. Legend: input traffic before the service PIC; input traffic after the service PIC.]

Life of a Packet – Next-Hop Style (Cont'd)
Return Traffic
[Figure: the same stages traversed in reverse. Ingress on ge-2/0/0.0: (1) input BA classifier, (2) input filter, (3) input policer, (4) route lookup in inet.0, (5) services PIC, entering on the outside interface (unit 20) and leaving on the inside interface (unit 10), (6) route lookup in VRF1. Egress on ge-1/0/0.0: (7) output filter, (8) output policer, (9) output scheduler, (10) rewrite ToS. Legend: return traffic before the service PIC; return traffic after the service PIC.]

Interface style limitations
• An interface-style service set has the following limitations:
– It cannot support multicast traffic matched through the service set (including IPSec tunnels).
– It cannot have overlapping address spaces (such as RFC 1918) that need to be NATed.
– It cannot run routing protocols over the service sets, such as IPSec tunnels.
– Locally generated traffic will not match the rules.

• So, to solve any of those four general limitations, you must use a next-hop service set!

Traffic Direction – Interface-Style
[Figure: Interface style: the service set sits on the service interface (sp-2/0/0.0) between the media interface (ge-1/0/0.0) and the PFE; input traffic is what arrives from the media interface, output traffic is what leaves through it. Next-hop style: the service set spans two service domains; VRF1 reaches the inside unit (sp-2/0/0 unit 10) and VRF2 the outside unit (unit 20); traffic entering either unit is input traffic for that unit and leaves the other unit as output traffic.]

Life of a Packet – Interface Style
Inline NAT
[Figure: same stages as the interface-style life of a packet. Ingress PFE, media interface ge-1/0/0.0: (1) input BA classifier, (2) input filter, (3) input policer, (4) input service filter, (5) inline services interface si-1/0/0.0, (6) route table lookup. Egress PFE, media interface ge-2/0/0.0: (7) output filter, (8) output policer, (9) output service filter, (12) inline services interface when the output service set is applied to the egress interface, (13) return from it, (10) output scheduler, (11) rewrite ToS.]

Post service filters are not supported on inline service interfaces (si-x/y/z) – all other processing is the same.

Summary of service-style feature support

Introduction – 1.4 Service combination (NAT+SFW+IDS)

Service combination (NAT+SFW+IDS)
• When combining multiple services, the general path must be remembered in the forward and reverse directions (see Figure below). This is especially true when NAT is deployed, to determine whether the pre- or post-NAT address should be used to match a rule. In the forward path from a LAN interface to a WAN interface, IDS and stateful firewall are performed first, then NAT, and finally IPSec. This means that the stateful firewall must match on a pre-NAT address whereas the IPSec tunnel would match on the post-NAT address.

Introduction
• 1.4.1 - Interaction with SFW

NAT and the stateful firewall
• A stateful firewall filter inspects traffic flowing between a trusted network and an untrusted network. In contrast to a stateless firewall filter, which inspects packets in isolation, a stateful firewall filter provides an extra layer of security by using state information derived from past communications and other applications to make dynamic control decisions.
• On the Services Router you can configure Network Address Translation (NAT) either independently or together with a stateful firewall filter.

NAT and the stateful firewall
admin@MX-CGNAT-RE0# set services stateful-firewall rule CGNAT term 1 from ?
Possible completions:
application-sets Match one or more application sets
+ applications Match one or more applications
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> destination-address Match IP destination address
> destination-address-range Match IP destination address range
> destination-prefix-list One or more named lists of destination prefixes to match
> source-address Match IP source address
> source-address-range Match IP source address range
source-prefix-list One or more named lists of source prefixes to match
[edit]
admin@MX-CGNAT-RE0#


Introduction
• 1.4.2 - Interaction with IDS protection

NAT and the IDS
• JUNOS services support a limited set of IDS functions to help detect attacks such as port scanning and anomalies in traffic patterns. They also support some attack prevention by limiting the number of flows, sessions, and rates. In addition, they protect against SYN attacks by implementing a SYN cookie mechanism.

NAT and the IDS (contd.)
• IDS is a service that monitors the various traffic flows permitted by SFW and tries to recognize patterns. Once a specific pattern is matched as a noteworthy event, the device can send a notification about it.
• The SFW/IDS code does NOT perform "traditional" IDS functionality, although the naming convention would suggest otherwise to customers.
• Note: there is signature-based IDP functionality on the MS-DPC.
• IDS could be called a "traffic anomaly subsystem", since it is more of an SFW log anomaly analyzer. It does NOT examine the packets directly.

NAT and the IDS (contd.)
• As traffic hits the NPU, the SFW subsystem creates various internal events, which may or may not be syslogged. The IDS subsystem aggregates these events for trend analysis. When a common trend exceeds the configured IDS threshold, the subsystem identifies the anomaly.

NAT and the IDS (contd.)
• IDS can be used to limit flows per subscriber, to prevent a "resource exhaustion" attack targeting the MS-DPC NPU itself.
– An IDS rule with "match-direction input" and "session-limit maximum" is needed.
• IDS can be used in conjunction with EIM+EIF to rate-limit unsolicited traffic destined to the NAT address pool _and_ matching "pinhole(s)" created by EIM.
– A separate IDS rule with "match-direction output" and "session-limit rate" is needed.
• If unsolicited traffic does _not_ match any NAT mappings/"pinhole(s)", it is dropped by SFW anyway, even before reaching IDS processing.

NAT and the IDS (contd.)
admin@MX-CGNAT-RE0# set services ids rule CGNAT term 1 from ?
Possible completions:
application-sets Match one or more application sets
+ applications Match one or more applications
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> destination-address Match IP destination address
> destination-address-range Match IP destination address range
> destination-prefix-list One or more named lists of destination prefixes to match
> source-address Match IP source address
> source-address-range Match IP source address range
> source-prefix-list One or more named lists of source prefixes to match
[edit]
admin@MX-CGNAT-RE0#


Introduction
• 1.4.2 - Interaction with IDS protection
– 1.4.2.1 - IDS applicability to "master" flows only

IDS applicability to "master" flows only
• Not all flows can be rate-limited by IDS; this is by design:
– IDS _can_ rate-limit only "master" flows.
• Useful when a "master" flow was initiated by an unsolicited Internet source towards "pinholes" opened for EIM in the NAT address pool.
– IDS can _NOT_ rate-limit the "responder" flows.
• This means that if a "master" flow was legitimately established from a subscriber host to an Internet host, then downloads via HTTP/HTTPS initiated by subscriber hosts cannot be rate-limited by IDS.
• There is a caveat: when EIM is configured, the NAT mappings are not cleared when "clear services stateful-firewall flows" is executed. Therefore, if bidirectional traffic (between a private host and a legitimate Internet host, initiated by the private host) is present when flow clearing is executed, the flow pair from/to the legitimate Internet host can be re-established as an EIM flow pair through the existing NAT mapping. If this happens, the flows non-deterministically swap roles.

Introduction
• 1.5 - Scaling details

Platform Support

Hardware   MX5  MX10  MX40  MX80  MX240  MX480  MX960  MX2020
MS-MIC     Y    Y     Y     Y     Y      Y      Y      Y (Jflow only)
MS-MPC     N    N     N     N     Y      Y      Y      N
MS-DPC     N    N     N     N     Y      Y      Y      Y

Hardware facts
• MS-MIC CPU clock cycle: 800 MHz
• MS-DPC per-NPU CPU clock cycle: 1.1 GHz; the MS-DPC has 2 NPUs per DPC
• MS-MPC per-NPU CPU clock cycle: 1.2 GHz; the MS-MPC has 4 NPUs per MPC

Services Supported during FRS (JUNOS 13.2R1)

Service                          Notes
CGN - NAT, NAPT, NAT64           Other CGN flavors like DS-Lite, PCP, 6RD are on the roadmap
CGN - AMS with NAT44             NAT64 not yet supported. AMS support for other services like Jflow, IPsec is on the roadmap
CGN - ALGs                       SIP, RTSP, DNS, etc.
SFW - v4 only                    SFW v6 support is on the roadmap
IPsec (v4, IKEv1, IKEv2)         IPsec v6 support might be in 13.2R2. KMD on PIC will come in a 14.x release
Jflow v9 (IPv4, IPv6, MPLS,      Versions v5 and v8 will not be supported. IPFIX support is on the roadmap
  MPLS-v4, multi-collector and
  multi-template)
Scaling and Performance Numbers for CGNAT

Description                   MS-DPC, 2 NPUs      Sparks MIC 16G     Sparks MPC, 4 NPUs
                              per NPU (1.1 GHz)   (800 MHz)          per NPU (1.2 GHz)
NAT44
  Max flows* (millions)       8.4                 14                 30
  PPS (Mpps)                  1.75                1.93               2.52
  Throughput (Gbps)           8.23                9.07               12
  Flow setup rate* (flows/s)  101K                102K               150K
NAT64
  Max flows* (millions)       8                   14                 30
  PPS (Mpps)                  1.606               1.5                2
  Throughput (Gbps)           7.807               7.1                9.5
  Flow setup rate* (flows/s)  96K                 100K               150K
Scaling and Performance Numbers for CGNAT - Detailed

CGNAT performance (packet size 1518 bytes in every test)

Test                 | Service card           | Build    | Feature                | PPS (Kpps) | Throughput (Mbps) | Number of flows | Avg latency (µs)
NAPT44 w/o syslog    | 16G MIC (800 MHz)      | 13.3R1.6 | napt44                 | 1602       | 19424             | 14000000        | 100
NAPT44 w/o syslog    | MPC (per NPU 1.2 GHz)  | 13.3R1.6 | napt44                 | 1994       | 24182             | 30000000        | 65
NAPT44 w/o syslog    | MS-DPC (per NPU 1 GHz) | 13.2R3.7 | napt44                 | 858        | 10404             | 8400000         | 62
NAT64                | 16G MIC (800 MHz)      | 13.3R1.6 | nat64                  | 1577       | 19121             | 14000000        | 99
NAT64                | MPC (per NPU 1.2 GHz)  | 13.3R1.6 | nat64                  | 1794       | 21755             | 30000000        | 70
NAT64                | MS-DPC (per NPU 1 GHz) | 13.2R3.7 | nat64                  | 858        | 10404             | 8000000         | 66
SFW                  | 16G MIC (800 MHz)      | 13.3R1.6 | sfw                    | 1605       | 19461             | 14000000        | 99
SFW                  | MPC (per NPU 1.2 GHz)  | 13.3R1.6 | sfw                    | 1722       | 20883             | 30000000        | 61
SFW                  | MS-DPC (per NPU 1 GHz) | 13.2R3.7 | sfw                    | 858        | 10404             | 8400000         | 61
NAPT+SFW w/ syslog   | 16G MIC (800 MHz)      | 13.3R1.6 | napt44_sfw_slog        | 1602       | 19424             | 14000000        | 100
NAPT+SFW w/ syslog   | MPC (per NPU 1.2 GHz)  | 13.3R1.6 | napt44_sfw_slog        | 2263       | 27441             | 30000000        | 88
NAPT+SFW w/ syslog   | MS-DPC (per NPU 1 GHz) | 13.2R3.7 | napt44_sfw_slog        | 858        | 10404             | 8400000         | 62
NAPT+SFW w/o syslog  | 16G MIC (800 MHz)      | 13.3R1.6 | napt44_sfw             | 1602       | 19425             | 14000000        | 100
NAPT+SFW w/o syslog  | MPC (per NPU 1.2 GHz)  | 13.2R3.7 | napt44_sfw             | 2200       | 26682             | 30000000        | 81
NAPT+SFW w/o syslog  | MS-DPC (per NPU 1 GHz) | 13.2R3.7 | napt44_sfw             | 858        | 10404             | 8400000         | 62
NAPT+SFW+APP         | 16G MIC (800 MHz)      | 13.3R1.6 | napt44_sfw_app         | 1602       | 19425             | 14000000        | 100
NAPT+SFW+APP         | MPC (per NPU 1.2 GHz)  | 13.3R1.6 | napt44_sfw_app         | 2235       | 27100             | 30000000        | 85
NAPT+SFW+APP         | MS-DPC (per NPU 1 GHz) | 13.2R3.7 | napt44_sfw_app         | 858        | 10404             | 7000000         | 62
NAPT+SFW+APP+EIM     | 16G MIC (800 MHz)      | 13.3R1.6 | napt44_sfw_app_eim     | 1601       | 19406             | 14000000        | 99
NAPT+SFW+APP+EIM     | MPC (per NPU 1.2 GHz)  | 13.3R1.6 | napt44_sfw_app_eim     | 1997       | 24218             | 30000000        | 66
NAPT+SFW+APP+EIM     | MS-DPC (per NPU 1 GHz) | 13.2R3.7 | napt44_sfw_app_eim     | 858        | 10404             | 5800000         | 61
NAPT+SFW+APP+EIM+EIF | 16G MIC (800 MHz)      | 13.2R3.7 | napt44_sfw_app_eim_eif | 1602       | 19424             | 14000000        | 99
NAPT+SFW+APP+EIM+EIF | MPC (per NPU 1.2 GHz)  | 13.3R1.6 | napt44_sfw_app_eim_eif | 2251       | 27290             | 30000000        | 96
NAPT+SFW+APP+EIM+EIF | MS-DPC (per NPU 1 GHz) | 13.2R3.7 | napt44_sfw_app_eim_eif | 858        | 10404             | 5800000         | 62
NAT64+SFW            | 16G MIC (800 MHz)      | 13.3R1.6 | nat64_sfw              | 1571       | 19045             | 14000000        | 100
NAT64+SFW            | MPC (per NPU 1.2 GHz)  | 13.3R1.6 | nat64_sfw              | 2047       | 24825             | 30000000        | 74
NAT64+SFW            | MS-DPC (per NPU 1 GHz) | 13.2R3.7 | nat64_sfw              | 858        | 10404             | 8000000         | 66
SFW + v6 flows       | 16G MIC (800 MHz)      | 13.3R1.6 | sfw_v6                 | 1579       | 19140             | 14000000        | 100
SFW + v6 flows       | MPC (per NPU 1.2 GHz)  | 13.3R1.6 | sfw_v6                 | 1850       | 22437             | 30000000        | 65
SFW + v6 flows       | MS-DPC (per NPU 1 GHz) | 13.2R3.7 | sfw_v6                 | 858        | 10404             | 7600000         | 63
IANA CGNAT Address Space
• RFC 5735 - IANA-reserved IPv4 prefix for Shared Address Space - 100.64.0.0/10
• RFC 6598 - IANA-reserved IPv4 prefix for Shared Address Space - 100.64.0.0/10

• 11111111 11000000 00000000 00000000 = /10
• 4,194,302 hosts per shared address space (/10)
Review of Basic NAT44 variants
• Description of the basic NAT44 types in Junos OS, so as to ease understanding of the CGNAT implementation.

Review of Basic NAT44 variants
• 2.1 - NAT pools and NAT prefixes. Relationship between NAT pool, service-set and SP interface
NAT pools
• An address pool is an IP address pool used for IP address/port translation. The pool is uniquely identified by its pool name. A routing instance can be attached to the pool to perform the route lookup for the addresses in the pool.
• There are two kinds of pools supported in NAT:
• source pool
• destination pool
Source Pools
• There are five types of source pool defined:
• Source pool without PAT: PAT is enabled by default unless the source pool is defined with the 'no-port-translation' option.
• Source pool with PAT: with PAT enabled, up to about 64,500 hosts can share a single IP address. Hence, a source NAT pool with PAT is hardly ever exhausted.
Source Pools
• Overflow pool: an overflow pool is actually a source pool with PAT. If all the IP addresses in the source pool without PAT are exhausted, the specified overflow pool is employed, where PAT is always enabled.
• Interface pool: an interface pool is a special source pool with PAT. In this case the configured interface IP address is used for source IP translation.
• Allow-incoming table source pool: the allow-incoming table can also be allocated from a source pool.
Destination pools
• The destination NAT hierarchy configures the destination NAT pool. It should also be noted that destination NAT with port mapping does NOT involve dynamic port allocation/translation. Instead, it is mapped to a pre-defined port number.
Relationship between NAT pool, service-set and SP interface
• Once the NAT rules (along with other rules, if needed) are configured, a service set with all relevant rules must be configured. In the case of an interface-style service set, the service set must be applied on the media interface. In the case of next-hop style, the service set must be applied on two logical service interfaces, called the inside and outside interfaces.
Review of Basic NAT44 variants
• 2.2 - Static source NAT
Static Source NAT
• Some characteristics of Static Source NAT are:
• Translates sessions initiated from the internal network.
• One-to-one address mapping for hosts between an internal network and a public IP pool for the lifetime of the NAT operation.
• Supports source/destination prefixes (e.g. translate from a /24 to a /24).
• TCP/UDP port information is preserved during translation.
• The pool size must be the same as that of the internal network requiring access to external networks.

Example (internal network 192.168.0.0/24, IP pool 213.13.10.0/24):
  Internal network side:  S: 192.168.0.2:3333  D: 200.44.32.12:80
  External network side:  S: 213.13.10.2:3333  D: 200.44.32.12:80
Review of Basic NAT44 variants
• 2.3 - Static destination NAT
Static Destination NAT
• Some characteristics of Static Destination NAT are:
• Translates sessions initiated from the external network.
• 1:1 address mapping for hosts between an internal network and a public IP pool for the lifetime of the NAT operation.
• TCP/UDP port information is preserved during translation.
• Used to allow access from external networks to internal applications/servers, etc.

Example (internal network 192.168.0.0/24, internal server public IP address 213.14.3.1):
  External network side:  S: 200.44.32.12:3333  D: 213.14.3.1:80
  Internal network side:  S: 200.44.32.12:3333  D: 192.168.0.2:80
Review of Basic NAT44 variants
• 2.4 - Port assignment (range, sequencing)
Port Assignments
• The port statement specifies port assignment for the translated addresses. To configure automatic assignment of ports, include the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. To configure a specific range of port numbers, include the port range low minimum-value high maximum-value statement at the [edit services nat pool nat-pool-name] hierarchy level.
• By default, the JUNOS software allocates NAT ports sequentially. To configure random port allocation, include the random-allocation statement.
Port Assignments (contd.)
• Here is an example of why port random-allocation was introduced and became the recommendation:
• A DNS server can be tricked into accepting and caching incorrect translations of network names.
• A malicious user can use this vulnerability to "hijack" the target, redirecting all accesses to a substitute network host or service.
• DNS servers that cache the incorrect results will continue to redirect all clients to the substitute host or service indefinitely.
Port Assignments (contd.)
• A number of NAT/PAT devices effectively defeat the DNS source port randomization feature that was implemented to address DNS cache poisoning (CERT/CC VU#800113, CVE-2008-1447).
• Network Address Translation (NAT) counteracted the random selection of source ports by:
• Mapping the source port to a statically defined port, a sequentially assigned port, or some other easily predicted NAT port.
Review of Basic NAT44 variants
• 2.5 - Dynamic source NAT with PAT
Dynamic Source NAT
• Some characteristics of Dynamic Source NAT are:
• Translates sessions initiated from the internal network.
• m:n address mapping for hosts between an internal network and a public IP pool for the lifetime of the NAT operation (m > n).
• TCP/UDP port information is not preserved during translation (NAPT). NAT ALGs allow specific applications to work in this scenario.
• The pool size can be smaller than the internal network requiring access to external networks.

Example (internal network 192.168.0.0/24, IP pool 213.13.10.2/32):
  Internal network side:  S: 192.168.0.2:3333  D: 200.44.32.12:80
  External network side:  S: 213.13.10.2:1500  D: 200.44.32.12:80
Review of Basic NAT44 variants
• 2.5.1 - Port allocation mechanisms: sequential (default) vs random
Port allocation mechanisms
• With static source NAT and dynamic source NAT it is possible to specify multiple IPv4 or IPv6 addresses (or prefixes) and IPv4 and IPv6 address ranges.
• Up to 10 prefixes or address ranges (or a combination) can be supported within a single pool.
• With static destination NAT, it is also possible to specify multiple address prefixes and address ranges in a single term.
• Multiple destination NAT terms can share a destination NAT pool.
Port allocation mechanisms
• However, the netmask or range for the from address must be smaller than or equal to the netmask or range for the destination pool address. If you define the pool to be larger than required, some addresses will not be used.
• For example, if you define the pool size as 100 addresses and the rule specifies only 80 addresses, the last 20 addresses in the pool are not used.
Port allocation mechanisms (contd.)
• With source static NAT, the prefixes and address ranges cannot overlap between separate pools. However, source dynamic NAT (without NAPT) and destination static NAT allow more than one rule or service set to refer to the same pool, and allow multiple pools to have subnets that overlap. A prefix pool can be used by multiple rules or terms.
• Note: when you configure address pools for NAT and user access, these address pools can overlap with one another. To configure overlapping address pools, include the address or address-range statement at the [edit access address-pool pool-name] and [edit services nat pool pool-name] hierarchy levels.
Port allocation mechanisms (contd.)
• In an address range, the low value must be a lower number than the high value. When multiple address ranges and prefixes are configured, the prefixes are depleted first, followed by the address ranges.
• When you specify a port for dynamic source NAT, address ranges are limited to a maximum of 32 addresses, for a total of approximately 2,000 flows. A dynamic NAT pool with no address port translation supports up to 65,535 addresses. There is no limit on the pool size for static source NAT.

Review of Basic NAT44 variants
• 2.5.2 - Port ranges (default 1024-65535 vs custom)
Port Ranges
• The port statement specifies port assignment for the translated addresses.
• To configure automatic assignment of ports, include the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. To configure a specific range of port numbers, include the port range low minimum-value high maximum-value statement at the [edit services nat pool nat-pool-name] hierarchy level.
• By default, the JUNOS software allocates NAT ports sequentially. To configure random port allocation, include the random-allocation statement.
Review of Basic NAT44 variants
• 2.5.3 - Behaviour when no free ports are found
No-free-ports behaviour
• If a free port cannot be allocated for an initial packet establishing a new flow, the packet is dropped.
• Such behaviour is actually beneficial, since it does not cause leaking of packets with a private source IP to the outside (NetScreen does allow such leaking).
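The static and dynamic source NAT examples above, the sequential-versus-random port allocation and the drop-when-no-free-port behaviour, modelled in Python as an added example (not Junos code); the /32 pool, the tiny 1500-1502 port range and the host addresses are constructed to keep the walk-through small.

```python
"""NAT44 translation model (added example, not Junos code).

Covers the static source NAT example (192.168.0.0/24 -> 213.13.10.0/24, port
preserved), dynamic source NAT with PAT on a /32 pool, sequential (default)
versus random port allocation, a custom port range, and the behaviour when no
free port is left: the initial packet is dropped rather than leaked untranslated.
"""
import ipaddress
import random
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IPv4 address, L4 port)


def static_source_nat(src: Endpoint, internal: str, pool: str) -> Optional[Endpoint]:
    """1:1 prefix-to-prefix mapping; the L4 port is preserved.

    Returns None when the source is outside the internal prefix (rule does not match).
    """
    net_in, net_out = ipaddress.ip_network(internal), ipaddress.ip_network(pool)
    if net_in.prefixlen != net_out.prefixlen:
        raise ValueError("static source NAT needs a pool of the same size as the internal network")
    addr = ipaddress.ip_address(src[0])
    if addr not in net_in:
        return None
    offset = int(addr) - int(net_in.network_address)
    return str(net_out.network_address + offset), src[1]


class DynamicSourceNat:
    """Dynamic source NAT with PAT (NAPT): m internal hosts share n pool addresses (m > n)."""

    def __init__(self, pool: str, port_low: int = 1024, port_high: int = 65535,
                 random_allocation: bool = False, seed: Optional[int] = None) -> None:
        self.addresses = [str(a) for a in ipaddress.ip_network(pool)]
        self.port_low, self.port_high = port_low, port_high
        self.random_allocation = random_allocation
        self.rng = random.Random(seed)  # seeded only so the demo is reproducible
        self.mappings: Dict[Endpoint, Endpoint] = {}  # private (ip, port) -> public (ip, port)
        self.in_use: Set[Endpoint] = set()
        self.dropped = 0

    def capacity(self) -> int:
        return len(self.addresses) * (self.port_high - self.port_low + 1)

    def _allocate(self) -> Optional[Endpoint]:
        if len(self.in_use) >= self.capacity():
            return None
        if self.random_allocation:
            while True:  # terminates: at least one (address, port) pair is free
                cand = (self.rng.choice(self.addresses), self.rng.randint(self.port_low, self.port_high))
                if cand not in self.in_use:
                    return cand
        for addr in self.addresses:  # sequential: lowest free port on the first address with room
            for port in range(self.port_low, self.port_high + 1):
                if (addr, port) not in self.in_use:
                    return addr, port
        return None

    def translate(self, src: Endpoint) -> Optional[Endpoint]:
        """Translate the source of an outbound packet. None means the packet is dropped."""
        if src in self.mappings:
            return self.mappings[src]  # existing flow: reuse its binding
        binding = self._allocate()
        if binding is None:
            self.dropped += 1  # no free port: drop the flow's first packet, never forward it untranslated
            return None
        self.mappings[src] = binding
        self.in_use.add(binding)
        return binding

    def release(self, src: Endpoint) -> None:
        """Flow deletion: return the public (address, port) to the pool."""
        binding = self.mappings.pop(src, None)
        if binding is not None:
            self.in_use.discard(binding)


def demo() -> dict:
    """Walk through the slide examples with a deliberately tiny port range (1500-1502)."""
    out = {"static": static_source_nat(("192.168.0.2", 3333), "192.168.0.0/24", "213.13.10.0/24")}
    seq = DynamicSourceNat("213.13.10.2/32", port_low=1500, port_high=1502)
    out["seq"] = [seq.translate((f"192.168.0.{i}", 3333)) for i in range(2, 6)]  # 4 hosts, 3 ports
    out["seq_reuse"] = seq.translate(("192.168.0.2", 3333))  # same flow -> same binding
    out["dropped"] = seq.dropped
    seq.release(("192.168.0.3", 3333))
    out["after_release"] = seq.translate(("192.168.0.5", 3333))  # freed port is handed out again
    rnd = DynamicSourceNat("213.13.10.2/32", port_low=1500, port_high=1502, random_allocation=True, seed=7)
    out["rnd"] = sorted(rnd.translate((f"192.168.0.{i}", 3333))[1] for i in range(2, 5))
    return out
```

With sequential allocation the next public port is the previous one plus one, which is exactly the predictability the DNS cache-poisoning slides warn about; random allocation hands out the same three ports in an order that depends on the generator.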

NAT statefulness, anomaly detection and ALGs
• Deep dive into Junos OS NAT implementation details, covering statefulness mechanisms, ALG definition and application, error generation, etc.
NAT statefulness, anomaly detection and ALGs
• 3.1 - Statefulness and anomaly detection
Statefulness and anomaly detection
• The stateful firewall recognizes the following events as anomalies and sends them to the IDS software for processing:
• IP anomalies
• IP address anomalies
• IP fragmentation anomalies
• TCP anomalies
• UDP anomalies
• Anomalies found through stateful TCP or UDP checks
• Packets dropped according to stateful firewall rules
Statefulness and anomaly detection
• If you employ stateful anomaly detection in conjunction with stateless detection, IDS can provide early warning for a wide range of attacks, including:
• TCP or UDP network probes and port scanning
• SYN flood attacks
• IP fragmentation-based attacks such as teardrop, bonk, and boink
NAT statefulness, anomaly detection and ALGs
• 3.1.1 - SYN cookies
SYN cookies
SYN Cookie is a stateless SYN proxy mechanism you can use in conjunction with the defenses against a SYN flood attack.
As with traditional SYN proxying, SYN Cookie is activated when the SYN flood attack threshold is exceeded. However, because SYN Cookie is stateless, it does not set up a session or perform policy and route lookups upon receipt of a SYN segment, and it maintains no connection request queues. This dramatically reduces CPU and memory usage and is the primary advantage of using SYN Cookie over the traditional SYN proxying mechanism.
When SYN Cookie is enabled on JUNOS software and becomes the TCP-negotiating proxy for the destination server, it replies to each incoming SYN segment with a SYN/ACK containing an encrypted cookie as its Initial Sequence Number (ISN). The cookie is an MD5 hash of the original source address and port number, destination address and port number, and ISN from the original SYN packet. After sending the cookie, JUNOS software drops the original SYN packet and deletes the calculated cookie from memory. If there is no response to the packet containing the cookie, the attack is noted as an active SYN attack and is effectively stopped.
If the initiating host responds with a TCP packet containing the cookie + 1 in the TCP ACK field, JUNOS software extracts the cookie, subtracts 1 from the value, and recomputes the cookie to validate that it is a legitimate ACK. If it is legitimate, JUNOS software starts the TCP proxy process by setting up a session and sending a SYN to the server containing the source information from the original SYN. When JUNOS software receives a SYN/ACK from the server, it sends ACKs to the server and to the initiating host. At this point the connection is established and the host and server are able to communicate directly.
SYN cookies (contd.)
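The cookie computation and ACK validation described above, as an added example (not Junos code); the secret key mixed into the hash and the sample endpoints are assumptions of this example, not something the slide specifies.

```python
"""SYN cookie generation and validation (added example, not Junos code).

Follows the slide: the SYN/ACK's ISN is a cookie derived from an MD5 hash over the
client's source address/port, destination address/port and ISN; the proxy keeps no
state, and a legitimate third-handshake ACK carries cookie + 1.  The per-device
secret mixed into the hash is an assumption of this example (the slide does not
mention one): without it anyone knowing the 4-tuple and ISN could forge a cookie.
"""
import hashlib
import socket
import struct
from typing import Dict

Segment = Dict[str, object]  # constructed TCP segment: src, sport, dst, dport, seq, ack, flags

SECRET = b"constructed-demo-secret"  # assumption: per-device secret, not from the slide


def syn_cookie(src: str, sport: int, dst: str, dport: int, client_isn: int,
               secret: bytes = SECRET) -> int:
    """32-bit cookie: MD5 over (src, sport, dst, dport, client ISN, secret), truncated to 4 bytes."""
    material = (socket.inet_aton(src) + struct.pack("!H", sport)
                + socket.inet_aton(dst) + struct.pack("!H", dport)
                + struct.pack("!I", client_isn) + secret)
    return struct.unpack("!I", hashlib.md5(material).digest()[:4])[0]


def build_synack(syn: Segment) -> Segment:
    """Stateless SYN proxy reply: no session, no queue entry; the cookie travels in the ISN."""
    cookie = syn_cookie(syn["src"], syn["sport"], syn["dst"], syn["dport"], syn["seq"])
    return {"src": syn["dst"], "sport": syn["dport"], "dst": syn["src"], "dport": syn["sport"],
            "seq": cookie, "ack": (syn["seq"] + 1) & 0xFFFFFFFF, "flags": "SA"}


def validate_ack(ack: Segment) -> bool:
    """Recompute the cookie from the ACK alone and check ack == cookie + 1.

    The client's ISN is recovered as seq - 1 (its sequence number advanced by one
    after the SYN), so nothing from the original SYN has to be remembered.
    """
    if "A" not in ack["flags"] or "S" in ack["flags"]:
        return False
    client_isn = (ack["seq"] - 1) & 0xFFFFFFFF
    expected = syn_cookie(ack["src"], ack["sport"], ack["dst"], ack["dport"], client_isn)
    return ((ack["ack"] - 1) & 0xFFFFFFFF) == expected


def handshake_demo(forged_ack: bool = False) -> bool:
    """Client 192.168.0.2:3333 connects to 200.44.32.12:80 through the cookie proxy.

    With forged_ack=True the ACK's acknowledgement number does not derive from the
    SYN/ACK (as for a source that never received it), so validation fails.
    """
    syn = {"src": "192.168.0.2", "sport": 3333, "dst": "200.44.32.12", "dport": 80,
           "seq": 1000, "ack": 0, "flags": "S"}
    synack = build_synack(syn)  # sent back; the original SYN and the cookie are then discarded
    ack_num = 12345 if forged_ack else (synack["seq"] + 1) & 0xFFFFFFFF
    ack = {"src": syn["src"], "sport": syn["sport"], "dst": syn["dst"], "dport": syn["dport"],
           "seq": (syn["seq"] + 1) & 0xFFFFFFFF, "ack": ack_num, "flags": "A"}
    return validate_ack(ack)  # True -> session is set up and a SYN is relayed to the server
```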

NAT statefulness, anomaly detection and ALGs
• 3.1.2 - SYN attacks

SYN attacks
• A SYN flood attack sends TCP connection requests faster than a machine can process them. The flow of a SYN flood attack is as follows:
• An attacker creates a random source address for each packet.
• The SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP address.
• The victim responds to the spoofed IP address and waits for confirmation that never arrives.
• The connection table begins to fill up while the victim waits for replies.
• After the table fills up, all new connections, including legitimate user requests, are ignored.
• In IDP, the SYN-Protector rulebase provides the ability to minimize and prevent these types of attacks.


SYN attacks (contd.)
• You can set the following parameters for proxying uncompleted TCP connection requests:
• Attack Threshold: this option allows you to set the number of SYN segments (that is, TCP segments with the SYN flag set) to the same destination address and port number per second required to activate the SYN proxying mechanism.
• Alarm Threshold: this option allows you to set the number of proxied, half-complete TCP connection requests per second after which JUNOS software enters an alarm in the event log.
• Source Threshold: this option allows you to specify the number of SYN segments received per second from a single source IP address, regardless of the destination IP address and port number, before JUNOS software begins dropping connection requests from that source.

SYN attacks (contd.)
• Destination Threshold: This option allows you to specify the number of SYN segments received per second for a single destination IP address before JUNOS software begins dropping connection requests to that destination.
• Timeout: This option allows you to set the maximum length of time before a half-completed connection is dropped from the queue. The default is 20 seconds.
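The five parameters above, evaluated over a constructed stream of SYN and ACK events, as an added Python example (it is not the Junos implementation, which these slides do not show). Per-second rates are trailing one-second windows; the threshold values are assumed for the demonstration, and only the 20-second half-open timeout is the default stated above.

```python
from collections import defaultdict, deque

# Assumed threshold values for the demonstration (not Junos defaults);
# only HALF_OPEN_TIMEOUT comes from the slide (default 20 seconds).
ATTACK_THRESHOLD = 5        # SYN/s to one destination ip:port that activates proxying
ALARM_THRESHOLD = 3         # proxied half-open requests/s after which an alarm is logged
SOURCE_THRESHOLD = 8        # SYN/s from one source, any destination, before drops start
DESTINATION_THRESHOLD = 10  # SYN/s to one destination ip, any port, before drops start
HALF_OPEN_TIMEOUT = 20.0    # seconds a proxied half-open request stays queued


class SynGuard:
    """Applies the SYN-proxy thresholds to a stream of SYN/ACK events.

    Every per-second rate is the number of events in the trailing one-second
    window for its key (source, destination, destination ip:port, proxied)."""

    def __init__(self, attack=ATTACK_THRESHOLD, alarm=ALARM_THRESHOLD,
                 source=SOURCE_THRESHOLD, destination=DESTINATION_THRESHOLD,
                 timeout=HALF_OPEN_TIMEOUT):
        self.attack, self.alarm = attack, alarm
        self.source, self.destination, self.timeout = source, destination, timeout
        self.windows = defaultdict(deque)   # (kind, key) -> timestamps in the last second
        self.half_open = {}                 # (src, dst, dport) -> time the SYN was proxied
        self.alarms = []                    # timestamps at which the alarm threshold was crossed

    def _rate(self, kind, key, now):
        """Record an event for (kind, key) and return the count in the last second."""
        window = self.windows[(kind, key)]
        while window and window[0] <= now - 1.0:
            window.popleft()
        window.append(now)
        return len(window)

    def on_syn(self, now, src, dst, dport):
        """Return the action taken for one SYN segment."""
        if self._rate("src", src, now) > self.source:
            return "drop-source"                    # Source Threshold exceeded
        if self._rate("dst", dst, now) > self.destination:
            return "drop-destination"               # Destination Threshold exceeded
        if self._rate("dstport", (dst, dport), now) < self.attack:
            return "forward"                        # below Attack Threshold: no proxying
        # Attack Threshold reached: answer the SYN on the server's behalf and
        # hold the half-open request until the client's ACK arrives.
        self.half_open[(src, dst, dport)] = now
        if self._rate("proxied", None, now) > self.alarm:
            self.alarms.append(now)                 # Alarm Threshold: event-log entry
        return "proxy"

    def on_ack(self, now, src, dst, dport):
        """Complete a proxied handshake; True if a matching half-open entry existed."""
        return self.half_open.pop((src, dst, dport), None) is not None

    def expire(self, now):
        """Drop half-open entries older than Timeout; return how many were dropped."""
        stale = [k for k, t in self.half_open.items() if now - t >= self.timeout]
        for key in stale:
            del self.half_open[key]
        return len(stale)
```

Feeding it one source spraying many destinations trips the source threshold after eight SYNs in a second, while many sources aimed at one ip:port cross the attack threshold on the fifth SYN, start proxying, raise the alarm once more than three proxied requests land in a second, and hit the destination threshold on the eleventh; unanswered half-open entries are purged 20 seconds later.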



3.1.3 ICMP errors
• ICMP protocol errors:
• IP data length less than minimum ICMP header length (8 bytes): the ICMP header length is 8 bytes. This counter is incremented when received IP packets contain less than 8 bytes.
• ICMP error length inconsistencies: the minimum length of an ICMP error packet is 48 bytes, and the maximum length is 576 bytes. This counter is incremented when the received ICMP error falls outside this range.
• Ping duplicate sequence number: the received ping packet has a duplicate sequence number.
• Ping mismatched sequence number: the received ping packet has a mismatched sequence number.


3.1.4 Protocol header errors
• TCP protocol errors:
• TCP header length inconsistencies: the minimum TCP header length is 20 bytes, and the IP packet received does not contain at least 20 bytes.
• Source or destination port number is zero: the TCP source or destination port is zero.
• Illegal sequence number, flags combination: dropped because of TCP errors, such as an illegal sequence number, which causes an illogical combination of flags to be set.
• SYN attack (multiple SYN messages seen for the same flow): multiple SYN packets received for the same flow are treated as a SYN attack. The packets might be retransmitted SYN packets and therefore valid, but a large number is cause for concern.

61
11/11/15

Protocol Header Errors (contd.)
• First packet not SYN: the first packets for a connection are not SYN packets. These packets might originate from previous connections or from someone performing an ACK/FIN scan.
• TCP port scan (handshake, RST seen from server for SYN): in the case of a SYN defender, if an RST (reset) packet is received instead of a SYN/ACK message, someone is probably trying to scan the server. This behavior can result in false alarms if the RST packet is not combined with an intrusion detection service (IDS).
• Bad SYN cookie response: SYN cookie generates a SYN/ACK message for all incoming SYN packets. If the ACK received for the SYN/ACK message does not match, this counter is incremented.

Protocol Header Errors (contd.)
• UDP protocol errors:
• IP data length less than minimum UDP header length (8 bytes): the minimum UDP header length is 8 bytes. The received IP packets contain less than 8 bytes.
• Source or destination port is zero: the UDP source or destination port is 0.
• UDP port scan (ICMP error seen for UDP flow): an ICMP error is received for a UDP flow. This could be a genuine UDP flow, but it is counted as an error.
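The ICMP, TCP and UDP checks from the last four slides, implemented over raw IPv4 packets as one added Python example (it is not the Services PIC code). The packet builders, addresses and counter names are constructed for the demonstration; the length limits (8-byte ICMP and UDP headers, 48 to 576 byte ICMP errors, 20-byte TCP header) are the ones stated above. The illegal-flags rule only checks SYN combined with FIN or RST and an empty flag field, which is one concrete instance of the "illogical combination of flags" the slide describes.

```python
import struct
from collections import Counter

# Limits stated on the slides.
ICMP_MIN_HDR, ICMP_ERR_MIN, ICMP_ERR_MAX = 8, 48, 576
TCP_MIN_HDR, UDP_MIN_HDR = 20, 8
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # unreachable, quench, redirect, time exceeded, param problem
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\xc0\x00\x02\x01"):
    """Constructed IPv4 packet: 20-byte header without options in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def tcp_segment(sport, dport, flags, seq=1000):
    """Constructed 20-byte TCP header (data offset 5, no options)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0)


def udp_datagram(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp_echo(icmp_type, ident, seq):
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)


class AnomalyDetector:
    """Classifies each packet against the ICMP, TCP and UDP error checks and counts the result."""

    def __init__(self):
        self.counters = Counter()
        self.tcp_flows = {}    # direction-independent 4-tuple -> number of client SYNs seen
        self.pings = {}        # (requester, target, identifier) -> outstanding echo sequence numbers

    def _count(self, name):
        self.counters[name] += 1
        return name

    def inspect(self, pkt):
        ihl = (pkt[0] & 0x0F) * 4
        proto, src, dst, data = pkt[9], pkt[12:16], pkt[16:20], pkt[ihl:]
        if proto == 1:
            return self._icmp(src, dst, data, len(pkt))
        if proto == 6:
            return self._tcp(src, dst, data)
        if proto == 17:
            return self._udp(src, dst, data)
        return self._count("other")

    def _icmp(self, src, dst, data, total_len):
        if len(data) < ICMP_MIN_HDR:
            return self._count("icmp-header-too-short")
        icmp_type = data[0]
        if icmp_type in ICMP_ERROR_TYPES:
            if not ICMP_ERR_MIN <= total_len <= ICMP_ERR_MAX:
                return self._count("icmp-error-length-inconsistent")
            # The error quotes the offending IP header; its byte 9 is the protocol.
            if len(data) >= 8 + 20 and data[8 + 9] == 17:
                return self._count("icmp-error-for-udp-flow")   # UDP port scan indicator
            return self._count("ok")
        if icmp_type in (8, 0):
            ident, seq = struct.unpack("!HH", data[4:8])
            if icmp_type == 8:                               # echo request
                outstanding = self.pings.setdefault((src, dst, ident), set())
                if seq in outstanding:
                    return self._count("ping-duplicate-sequence")
                outstanding.add(seq)
            else:                                            # echo reply, keyed by the requester
                outstanding = self.pings.get((dst, src, ident), set())
                if seq not in outstanding:
                    return self._count("ping-mismatched-sequence")
                outstanding.discard(seq)
        return self._count("ok")

    def _tcp(self, src, dst, data):
        if len(data) < TCP_MIN_HDR:
            return self._count("tcp-header-too-short")
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", data[:14])
        flags = off_flags & 0x3F
        if sport == 0 or dport == 0:
            return self._count("tcp-port-zero")
        if flags == 0 or (flags & SYN and flags & (FIN | RST)):
            return self._count("tcp-illegal-flags")
        key = min((src, sport, dst, dport), (dst, dport, src, sport))
        is_client_syn = bool(flags & SYN) and not flags & ACK
        if key not in self.tcp_flows:
            if not is_client_syn:
                return self._count("tcp-first-packet-not-syn")  # possible ACK/FIN scan
            self.tcp_flows[key] = 1
            return self._count("ok")
        if is_client_syn:
            self.tcp_flows[key] += 1
            return self._count("tcp-repeated-syn")   # maybe a retransmission; many is suspicious
        return self._count("ok")

    def _udp(self, src, dst, data):
        if len(data) < UDP_MIN_HDR:
            return self._count("udp-header-too-short")
        sport, dport = struct.unpack("!HH", data[:4])
        if sport == 0 or dport == 0:
            return self._count("udp-port-zero")
        return self._count("ok")
```

The counters dictionary is the equivalent of the per-error counters the slides describe; on a real platform the "first packet not SYN" and "repeated SYN" names are the ones worth trending, because both fire on benign traffic at a low rate and only a sustained rise indicates a scan.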



3.1.5 TCP tickles
• A TCP tickle is sent when a TCP flow appears to be idle (no traffic). In this case, the router sends an ACK message carrying the last seen sequence number minus one to the end host. This verifies whether the ports are still open. If no response is received, the flow is marked for deletion in approximately five seconds.

• See next slide for more details

TCP Tickles (contd.)
• TCP tickles as a liveness detection mechanism
• Upon reaching the inactivity-timeout value without TCP traffic, the Services PIC forges the last ACK packet seen, carrying the last sequence number MINUS ONE.
• If the session is still alive, the remote speaker replies to the ACK with the next available sequence number.
• This packet is received by the other remote TCP/IP stack but is dropped as a duplicate ACK packet.
• Traffic created by this interaction keeps the flow in the Services PIC's table.
• If the Services PIC sees a FIN-flagged packet, the conversation is deleted.
• The session is expired from the flow cache after 4 non-replied TCP tickles.

TCP Tickles (contd.)

Figure: TCP tickle exchange between Client, Translator and Server after reaching the inactivity-timeout.

  Client                     Translator                     Server
    <----- 1st TCP tickle -----|----- 1st TCP tickle ----->
    <----- 2nd TCP tickle -----|----- 2nd TCP tickle ----->   (backoff between tickles)
    <----- 3rd TCP tickle -----|----- 3rd TCP tickle ----->
    <----- 4th TCP tickle -----|----- 4th TCP tickle ----->
  Flow expiration if TCP tickles are not replied.
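The tickle sequence in the figure, as an added Python simulation of the translator's flow table (it is not the Services PIC implementation). The 30-second inactivity timeout and the four-tickle limit are the values stated in this section; the back-off schedule of 1, 2, 4 and 8 seconds, the flow-key layout and the forged header builder are assumptions made for the demonstration.

```python
import struct

INACTIVITY_TIMEOUT = 30   # slides: default inactivity timeout for TCP (until tickles) is 30 s
MAX_TICKLES = 4           # slides: flow expires after 4 unanswered tickles
BACKOFF = (1, 2, 4, 8)    # assumed back-off between tickles; the slides only say "backoff"
FIN, ACK = 0x01, 0x10


def forge_tickle(sport, dport, seq, ack):
    """Constructed 20-byte TCP header of a tickle: a bare ACK carrying seq = last seen - 1."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | ACK, 65535, 0, 0)


class TickleTracker:
    """Translator-side flow table with TCP-tickle liveness detection (simulation).

    A flow key is (client_ip, client_port, server_ip, server_port); sides are named
    "client" and "server" so the tracker knows whose sequence number to reuse."""

    def __init__(self, timeout=INACTIVITY_TIMEOUT, backoff=BACKOFF, max_tickles=MAX_TICKLES):
        self.timeout, self.backoff, self.max_tickles = timeout, backoff, max_tickles
        self.flows = {}   # key -> {"last_seen", "seq": {side: seq}, "ack": {side: ack}, "tickles", "next"}

    def on_packet(self, now, key, sender, seq, ack, flags):
        """Record a TCP packet of flow `key` sent by `sender` ("client" or "server")."""
        if flags & FIN:
            self.flows.pop(key, None)                # FIN seen: conversation deleted
            return "deleted"
        flow = self.flows.setdefault(key, {"seq": {}, "ack": {}})
        flow["seq"][sender], flow["ack"][sender] = seq, ack
        # Any traffic, including the peer's reply to a tickle, refreshes the flow
        # and cancels a tickle sequence in progress.
        flow.update(last_seen=now, tickles=0, next=None)
        return "refreshed"

    def tick(self, now):
        """Run the timers; return the tickles to send and the flows that expired."""
        actions = []
        for key, flow in list(self.flows.items()):
            if flow["next"] is None:
                if now - flow["last_seen"] < self.timeout:
                    continue                         # still inside inactivity-timeout
                flow["next"] = now                   # idle: start tickling now
            if now < flow["next"]:
                continue                             # waiting for the back-off to elapse
            if flow["tickles"] >= self.max_tickles:
                del self.flows[key]                  # 4 unanswered tickles: expire the flow
                actions.append(("expire", key))
                continue
            # Forge one tickle toward each end host, impersonating its peer, with
            # the peer's last seen sequence number minus one.
            for sender, receiver in (("client", "server"), ("server", "client")):
                if sender in flow["seq"]:
                    sport, dport = (key[1], key[3]) if sender == "client" else (key[3], key[1])
                    seq = flow["seq"][sender] - 1
                    hdr = forge_tickle(sport, dport, seq, flow["ack"][sender])
                    actions.append(("tickle", key, receiver, seq, hdr))
            flow["tickles"] += 1
            flow["next"] = now + self.backoff[min(flow["tickles"], len(self.backoff)) - 1]
        return actions
```

Driving the tracker with integer timestamps: a flow last seen at t=1 is left alone at t=30, tickled at t=31, and a server ACK at t=32 resets it; if nothing answers, tickles go out at 62, 63, 65 and 69 and the flow is expired at 77, and a FIN deletes the entry immediately.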



3.2 Application Layer Gateway
• Some applications, such as FTP, H.323, RTSP used by RealAudio, and SIP, are more difficult to predict because the application may initiate separate connections for data and control flows or may generate new protocol flows based on an open connection.

Example of why an ALG is needed
• An active outgoing FTP session uses both a control and a data channel. First, the TCP three-way handshake is established between the client (84.10.113.0) and the server (84.10.113.1) using a destination port of 20:
02:21:00.500569 In IP 84.10.113.0.4290 > 84.10.113.1.20: Syn
02:21:00.500627 Out IP 84.10.113.1.20 > 84.10.113.0.4290: Syn Ack
02:21:00.510683 In IP 84.10.113.0.4290 > 84.10.113.1.20: . Ack

• Then the server initiates a new connection for the data transfer using a new source port of 21 and a destination port that the client gives to the server in the initial connection using a PORT command (56958, in this case):
02:26:28.024058 Out IP 84.10.113.1.21 > 84.10.113.0.56958: Syn
02:26:28.032298 In IP 84.10.113.0.56958 > 84.10.113.1.21: Syn Ack
02:26:28.032362 Out IP 84.10.113.1.21 > 84.10.113.0.56958: . Ack

Example of why an ALG is needed (contd.)
• So, the problem with the active mode FTP application and standard firewall rules is that the connections are initiated by both the server and the client, and the connection initiated by the server to the client uses an unpredictable port number.

Example of why an ALG is needed (contd.)
• The ALG solves this problem by looking deep into the packets during the initial connection phase for the PORT command, which indicates which port number the client will be expecting from the server during the data phase, allowing the firewall to create a predictable pinhole for the server-to-client connection.

• Note: If passive FTP is used, all connections are initiated from the client to the server, but the ALG must still monitor the PORT command from the server to open the data connection.
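The control-channel inspection described above, as an added Python model of an FTP ALG sitting on a NAT (it is not the Junos ALG). It decodes the h1,h2,h3,h4,p1,p2 form of RFC 959 (port = p1*256 + p2; the PORT argument 222,126 from the constructed input decodes to the 56958 seen in the trace), rewrites an active-mode PORT command to the NAT's public address and an allocated port, records the pinhole, and parses the 227 reply of passive mode. The public address, the port allocator and the pinhole fields are constructed; the model uses the RFC 959 numbering, under which the server's active-mode data connections come from port 20.

```python
import re

# FTP encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2 (RFC 959).
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
PASV_RE = re.compile(rb"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
FTP_DATA_PORT = 20   # server-side source port of an active-mode data connection (RFC 959)


def decode_hostport(groups):
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    """Control-channel inspection for one FTP session crossing a NAT (constructed model).

    For active mode the client announces its private address in PORT; the ALG rewrites
    it to the NAT's public address and a freshly allocated port, opens a pinhole for the
    server-initiated data connection, and tracks the TCP sequence delta the rewrite causes."""

    def __init__(self, public_ip, allocate_port):
        self.public_ip = public_ip
        self.allocate_port = allocate_port    # callable handing out a free public port
        self.pinholes = []
        self.seq_delta = 0                    # bytes added to the client->server byte stream

    def client_to_server(self, line, server_ip):
        """Inspect one client command; return (line to forward, pinhole or None)."""
        m = PORT_RE.match(line)
        if not m:
            return line, None
        client_ip, client_port = decode_hostport(m.groups())
        public_port = self.allocate_port()
        pinhole = {
            "mode": "active",
            # allow server:20 -> public_ip:public_port, then translate to the client
            "allow": (server_ip, FTP_DATA_PORT, self.public_ip, public_port),
            "translate_to": (client_ip, client_port),
        }
        self.pinholes.append(pinhole)
        rewritten = b"PORT " + encode_hostport(self.public_ip, public_port).encode() + b"\r\n"
        # The rewritten command has a different length, so every later SEQ number from the
        # client and every ACK number from the server must be shifted by this delta.
        self.seq_delta += len(rewritten) - len(line)
        return rewritten, pinhole

    def server_to_client(self, line, client_ip):
        """Inspect one server reply; a 227 reply announces the passive-mode data endpoint."""
        m = PASV_RE.match(line)
        if not m:
            return line, None
        server_ip, server_port = decode_hostport(m.groups())
        pinhole = {"mode": "passive", "allow": (client_ip, None, server_ip, server_port)}
        self.pinholes.append(pinhole)
        return line, pinhole
```

The sequence delta is the part most often forgotten when an ALG is written from scratch: once PORT 10,20,30,40,222,126 becomes PORT 198,51,100,10,238,72 the stream is one byte longer, and without compensating SEQ/ACK numbers the control connection stalls.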


3.2.1 Default Junos definitions
• The JUNOS Software provides a default, hidden configuration group called junos-defaults that is automatically applied to the configuration of your router. The junos-defaults group contains preconfigured statements with predefined values for common applications. Some of the statements must be referenced to take effect, such as applications like FTP or Telnet. Other statements are applied automatically, such as terminal settings. All of the preconfigured statements begin with the reserved name junos-.
• To view the full set of available preset statements from the JUNOS default group, issue the show groups junos-defaults configuration mode command.


Default Junos Definitions (contd.)
• Note: You can override the JUNOS default configuration values, but you cannot delete or edit them. If you delete a configuration, the defaults return when a new configuration is added.
• You cannot use the apply-groups statement with the JUNOS defaults group.


3.2.2 Customization of applications
• Applications allow you to fine-tune how the applications will work.
• Through applications you choose the type of NAT that will be in place in the configuration.
• JUNOS has its own default applications, and those can be used as a default basis or changed.
• Since JUNOS 13.1 the default applications cannot be changed; if any different value is required, a new application must be created.

Why is it so important to optimize the timers?
• Imagine a mobile Internet services provider.
• You are the client and are using the Internet on your smartphone to surf the Internet, synchronize mail, access social networks, etc.
• All accesses use a DNS server to get the corresponding IP address of the desired service.
• DNS creates a lot of requests, whether counted per second or per minute.
• Junos has default application time-outs that age the port mapping after a given period of time.
• To avoid a port/mapping staying open and consuming a port allocation, some applications must age faster than others.

Why is it so important to optimize the timers? (contd.)
• For instance, the DNS service is recommended to be aged in 5 seconds, avoiding a port remaining in use/mapped with no service.
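Why the DNS timer matters in numbers, as an added Python simulation of a shared PAT port pool (it is not a Junos tool). Each application class creates mappings at a constant rate and each mapping holds its port until its inactivity timeout elapses, so the concurrent usage settles at rate times timeout; the pool size of 64512 ports (one public address with ports 1024 to 65535), the query rates and the 30-second default are assumptions for the demonstration.

```python
import heapq


def simulate_pat_pool(apps, duration_s, pool_size):
    """Second-by-second simulation of a shared PAT port pool.

    apps maps an application name to (new mappings per second, inactivity timeout in s).
    A mapping keeps its port until its timeout elapses; a request that finds no free port
    is counted as a failed allocation (the "no free ports" condition)."""
    in_use = peak = failed = 0
    releases = []   # min-heap of (second at which the ports are freed, number of ports)
    for t in range(duration_s):
        while releases and releases[0][0] <= t:
            in_use -= heapq.heappop(releases)[1]
        for _name, (rate, timeout) in apps.items():
            granted = min(rate, pool_size - in_use)   # allocate what the pool still has
            failed += rate - granted
            in_use += granted
            if granted:
                heapq.heappush(releases, (t + timeout, granted))
        peak = max(peak, in_use)
    # Little's law: each class occupies rate * timeout ports once it reaches steady state.
    expected = sum(rate * timeout for rate, timeout in apps.values())
    return {"peak_in_use": peak, "failed_allocations": failed, "steady_state_estimate": expected}


def compare_dns_timeouts(dns_rate=3000, pool_size=64512, duration_s=120):
    """Same DNS load with the assumed 30 s default and with the recommended 5 s timeout."""
    return {
        "default_30s": simulate_pat_pool({"dns": (dns_rate, 30)}, duration_s, pool_size),
        "tuned_5s": simulate_pat_pool({"dns": (dns_rate, 5)}, duration_s, pool_size),
    }
```

At 3000 queries per second the 30-second timeout would need 90000 concurrent mappings, so the pool saturates and allocations fail; the 5-second timeout needs 15000 and leaves room for the longer-lived TCP applications sharing the same pool.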


Customization of ALG
• A Junos application object is a construct to define a network application using information from layer 3 and above.
• Arbitrary ALGs can be defined and applied for NAT or SFW by specifying the application-protocol parameter.
application <application-name> {
    application-protocol <application-protocol-name>;
    protocol <number>;
    destination-port [ <port> ];
    source-port [ <port> ];
    snmp-command [ <command> ];
    icmp-type [ <value> ];
    icmp-code [ <value> ];
    ttl-threshold <value>;
    rpc-program-number <number>;
    uuid <hex-values>;
    inactivity-timeout <timeout value>;
}
• application-protocol: ALG name.
• protocol: IP protocol number.
• snmp-command: GET, GETNEXT, TRAP.
• ttl-threshold: traceroute ttl-threshold value, used to control the acceptable level of network penetration for traceroute.
• rpc-program-number: range 100000-400000 for DCE or RPC.
• uuid: uuid for DCE RPC objects.
• inactivity-timeout: specific inactivity timeout per application. Allows an application to override the global timeout values from SP. The default for UDP, ICMP, IP and TCP (until tickles) is 30 seconds.
• NOTE: Global inactivity-timeout set to 1500 at the APN Multiservicio setup.

Customization of ALG (contd.)
• The following example shows a custom configuration for DNS:
admin@MX-CGNAT-RE0> show configuration applications
application DNS {
    application-protocol dns;
    protocol udp;
    destination-port 53;
    inactivity-timeout 200;
}


Applications
• List of minimum applications recommended for a CGNAT implementation:
application-set ALG-SET-noEIM-noEIF {
    application appl-junos-sip;
    application appl-junos-syslog;
    application appl-alt-http-tomcat;
    application appl-android-google-play;
    application appl-apple-xmpp;
    application appl-ms-rdp;
    application appl-junos-ssmtp;
    application appl-junos-ssmtp-ssl;
    application appl-squid-proxy;
    application appl-vnc-tcp;
    application appl-junos-citrix-winframe-udp;
    application appl-junos-citrix-winframe-tcp;
    application appl-junos-dns-udp;
    application appl-junos-ftp;
    application appl-junos-tftp;
    application appl-junos-http;
    application appl-junos-https;
    application appl-junos-imap;
    application appl-junos-imaps;
    application appl-junos-ldap;
    application appl-junos-nntp;
    application appl-junos-pop3;
    application appl-junos-spop3;
    application appl-junos-pptp;
    application appl-junos-printer;
    application appl-junos-smtp;
    application appl-junos-ssh;
    application appl-junos-talk-tcp;
    application appl-junos-telnet;
    application appl-junos-icmp-all;
    application appl-junos-ike;
    application appl-junos-ipsec-esp;
    application appl-junos-talk-udp;
    application appl-junos-ntalk;
    application appl-junos-ntp;
    application appl-junos-snmp-get-next;
    application appl-junos-snmp-get;
    application appl-junos-snmp-response;
    application appl-junos-snmp-trap;
    application appl-junos-traceroute;
}

NAT Order of Operation

  Configure Service Interfaces  ->  Configure NAT Pool Information  ->  Configure NAT Rules  ->  Configure Service-Set

• The above is an example of how the different components of a service set can be configured to create a service on the router.
• They can be configured in any order, except that the service-set itself can't be configured completely until the previous 3 components have been created.

Thank-You
