DS-Lite Subnet Limitation
DS-Lite Per Subnet Limitation Overview
Junos OS enables you to limit the number of softwire flows from a subscriber’s basic bridging broadband (B4) device at a given point in time, preventing subscribers from excessive use of addresses within the subnet. This limitation reduces the risk of denial-of-service (DoS) attacks. This limitation is supported on MX Series routers equipped with MS-DPCs. Starting in Junos OS Release 18.2R1, MS-MPCs and MS-MICs also support the subnet limitation feature. Starting in Junos OS Release 19.2R1, MX Virtual Chassis and MX Broadband Network Gateway (BNG) routers also support the subnet limitation feature. Starting in Junos OS Release 20.2R1, DS-Lite is supported for CGNAT Next Gen Services on MX240, MX480, and MX960 routers.
A household using IPv6 with DS-Lite is a subnet, not just an individual IP address. The subnet limitation feature associates a subscriber and mapping with an IPv6 prefix instead of an IPv6 address. A subscriber can use any IPv6 addresses in that prefix as a DS-Lite B4 address and potentially exhaust carrier-grade NAT resources. The subnet limitation feature enables greater control of resource utilization by identifying a subscriber with a prefix instead of a specific address.
The subnet limit provides the following features:
- Flows utilize the complete B4 address.
- Prefix length can be configured per service set under softwire-options for the individual service-set.
- Port blocks are allocated per prefix of the subscriber B4 device, and not on each B4 address (if the prefix length is less than 128). If the prefix length is 128, then each IPv6 address is treated as a B4, and port blocks are allocated per 128-bit IPv6 address.
- Session limit, defined under the DS-Lite softwire concentrator configuration, limits the number of IPv4 sessions for the prefix.
- EIM, EIF, and PCP mappings are created per softwire tunnel (full 128-bit IPv6 address). Stale mappings time out based on the configured timeout values.
- If a prefix length is configured, then PCP max-mappings-per-subscriber (configurable under pcp-server) is based on the prefix only, and not on the full B4 address.
- Syslog messages for PBA allocation and release contain the prefix portion of the address, with the remaining bits set to zero. Syslog messages for PCP allocate and release, and for flow creation and deletion, still contain the complete IPv6 address.
- The show services nat mappings address-pooling-paired operational command output now shows the mapping for the prefix. The mapping shows the address of the active B4.
- The show services softwire statistics ds-lite output includes a new field that displays the number of times the session limit was exceeded for the MPC.
For Next Gen Services on MX240, MX480, and MX960 routers, the subnet limit statistic is displayed in the Softwire session limit exceeded field.
show services softwire statistics (MX-SPC3)
user@host> show services softwire statistics vms-2/0/0
Total Session Interest events :3
Total Session Destroy events :2
Total Session Public Request events :0
Total Session Accepts :1
Total Session Discards :0
Total Session Ignores :0
Total Session extension alloc failures :0
Total Session extension set failures :0
Softwire statistics
Total Softwire sessions created :1
Total Softwire sessions deleted :2
Total Softwire sessions created for reverse packets :1
Total Softwire session create failed for reverse pkts :0
Total Softwire rule match success :1
Total Softwire rule match failed :0
Softwire session limit exceeded :0
Softwire packet statistics
Total Packets processed :1
Total packets encapsulated :1
Total packets decapsulated :1
Encapsulation errors :0
Decapsulation errors :0
Encapsulated pkts re-inject failures :0
Decapsulated pkts re-inject failures :0
DS-Lite ICMPv4 Echo replies sent :0
DS-Lite ICMPv4 TTL exceeded messages sent :0
ICMPv6 ECHO request messages received destined to AFTR :0
ICMPv6 ECHO reply messages sent from AFTR :0
ICMPv6 ECHO requests to AFTR process failures :0
V6 untunnelled packets destined to AFTR dropped :1
Softwire policy add errors :0
Softwire policy delete errors :0
Softwire policy memory alloc failures :0
Softwire Untunnelled packets ignored :0
Softwire Misc errors
DS-Lite ICMPv4 TTL exceed message process errors :0
Configuring DS-Lite Per Subnet Session Limitation to Prevent Denial of Service Attacks
You can configure the DS-Lite per subnet limitation on MX Series routers equipped with MS-DPCs. Starting in Junos OS Release 18.2R1, MS-MPCs and MS-MICs also support the subnet limitation feature. Starting in Junos OS Release 20.2R1, the Next Gen Services MX-SPC3 security services card supports the subnet limitation feature.
Starting in Junos OS Release 19.2R1, MX Virtual Chassis and MX Broadband Network Gateway (BNG) routers also support the subnet limitation feature.
To configure DS-Lite per subnet session limitation:
1. Configure the size of the subnet prefix to which limiting is applied. Specify a prefix length of 56, 64, 96, or 128.
   [edit]
   user@host# set services service-set service-set-name softwire-options dslite-ipv6-prefix-length dslite-ipv6-prefix-length
   Ensure that all mappings are cleared before changing the prefix length.
2. If you are using a next-hop service set on an AMS interface for DS-Lite, set the AMS inside interface’s IPv6 source prefix length to the same value you use for the subnet prefix in Step 1.
   [edit interfaces interface-name unit interface-unit-number load-balancing-options hash-keys]
   user@host# set ipv6-source-prefix-length ipv6-source-prefix-length
3. Configure the maximum number of subscriber sessions allowed per prefix. You can configure from 0 through 16,384 sessions.
   [edit]
   user@host# set services softwire softwire-concentrator dslite dslite-concentrator-name session-limit-per-prefix 12
   For Next Gen Services DS-Lite, MAP-E, and V6rd softwires, configure the maximum number of subscriber sessions allowed per prefix:
   [edit]
   user@host# set services softwires softwire-types (ds-lite | map-e | v6rd) session-limit-per-prefix limit
You cannot use flow-limit and session-limit-per-prefix in the same dslite configuration.
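The three steps above, assembled into one consistent configuration, as an added example that is not part of the Juniper page. The service-set name dslite-ss, the concentrator name dslite-sc, the AMS interface ams0 unit 1, the prefix length 64 and the limit of 12 sessions are assumptions chosen for illustration; the rest of the DS-Lite service set (softwire address, NAT rules, pools) is assumed to exist already and is not shown.

```junos
# Added example (not from the Juniper page): DS-Lite per-subnet session
# limitation on an MS-MPC/MS-MIC, with the prefix length kept identical in
# the service set and in the AMS hash keys. Names and values are assumptions.

# Step 1: identify each subscriber by its /64 prefix rather than by a single
# 128-bit B4 address (permitted values: 56, 64, 96, 128). Clear existing
# mappings before changing this value on a running system.
set services service-set dslite-ss softwire-options dslite-ipv6-prefix-length 64

# Step 2: next-hop service set on an AMS interface, so the inside interface's
# IPv6 source prefix length must match the value chosen in Step 1 (64);
# otherwise packets from one subscriber prefix can be spread across members
# and counted as separate subscribers.
set interfaces ams0 unit 1 load-balancing-options hash-keys ipv6-source-prefix-length 64

# Step 3: cap IPv4 sessions per /64 prefix (0 through 16,384). flow-limit
# must not be configured on the same dslite concentrator.
set services softwire softwire-concentrator dslite dslite-sc session-limit-per-prefix 12

# Next Gen Services (MX-SPC3) form of Step 3, shown for comparison:
# set services softwires softwire-types ds-lite session-limit-per-prefix 12
```

After committing, the effect can be checked with the two operational commands the page lists: show services nat mappings address-pooling-paired shows the mapping keyed by the /64 prefix with the active B4 address, and show services softwire statistics (field Softwire session limit exceeded on MX-SPC3, or the corresponding field in the ds-lite output on MS-MPC) increments each time a prefix hits the limit of 12, which is the counter to alert on when watching for a subscriber exhausting CGNAT resources.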