Dual-Stack Lite

Dual-Stack Lite, also knows as DS-Lite, is mechanism which facilitates large scale IPv4 NAT by encapsulating IPv4 packets inside IPv6 packets for delivery to a Carrier-Grade NAT (CGN) endpoint. This allows providers to provision end users with only a routed IPv6 address, and any IPv4 traffic is carried through IPv6 to a CGN device. Once the IPv6 packet reaches the CGN device, the IPv4 packet is extracted, has NAT applied, and is forwarded. The CGN device will apply NAT using one of its routable IPv4 addresses, shared between DS-Lite users.

By using encapsulation, DS-Lite avoids multiple layers of NAT between the customer and the Internet. An end-user network which connects to a DS-Lite provider should not perform any IPv4-IPv4 NAT on the traffic before it reaches a router configured for DS-Lite.

DS-Lite is considered an IPv6 transition mechanism as it allows providers to reduce their dependence on scarce IPv4 routable addresses, while still giving clients full access to IPv4 and IPv6 resources. It also removes the need to use potentially conflicting IPv4 private address space for IPv4 routing inside a provider network.

There are two endpoints to DS-Lite connections:

  • DS-Lite Basic Bridging BroadBand (B4) element on the customer end
  • DS-Lite Address Family Transition Router (AFTR) element at the provider end

From a customer perspective, their side is before (B4) DS-Lite and the ISP side is after (AFTR) DS-Lite.

TNSR can operate in either capacity: As a CPE DS-Lite B4 client endpoint, or as an AFTR endpoint providing DS-Lite connectivity and IPv4 NAT to clients.

Acting as a B4 Endpoint

For a customer premise equipment (CPE) role which connects to an ISP offering DS-Lite service, the following steps are required:

First, configure IPv6 connectivity to the ISP.

Next, configure the local IPv6 address TNSR will use for its DS-Lite B4 endpoint. For example, this might be the IPv6 WAN interface address:

tnsr(config)# dslite b4 endpoint <ip6-address>

Finally, configure the remote IPv6 DS-Lite AFTR endpoint address given by the ISP:

tnsr(config)# dslite aftr endpoint <ip6-address>

Acting as an AFTR Endpoint

For a provider role as a DS-Lite AFTR endpoint serving customers, the following steps are required:

First, configure IPv6 and IPv4 connectivity such that this TNSR instance has both IPv6 and IPv4 connectivity to the Internet.

Next, configure the local AFTR IPv6 address TNSR will use to receive DS-Lite encapsulated packets from customer equipment:

tnsr(config)# dslite aftr endpoint <ip6-address>

Next, configure one or more routable (“public”) IPv4 addresses for the DS-Lite NAT pool. These addresses are used by TNSR to apply NAT to outgoing IPv4 traffic which arrived via DS-Lite:

tnsr(config)# dslite pool address <ipv4-addr-first> [- <ipv4-addr-last>]

IPv4 packets arriving through DS-Lite from a customer will be removed from the encapsulation, have NAT applied, and then be forwarded upstream (e.g. to the Internet). Reply packets will come back, and then go back through NAT and DS-Lite to reach customers.

DS-Lite Status

To view active DS-Lite sessions, use the following command:

tnsr# show dslite