Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Overview of Dual-Stack Lite


Because IPv4 addresses are becoming depleted, broadband service providers (DSL, cable, and mobile) need new addresses to supply new customers. Providing IPv6 addresses alone is often not workable because most of the systems that make up the public Internet are still enabled to support only IPv4, and many customer systems do not yet fully support IPv6.

Dual-stack lite (DS-Lite) provides one solution to this problem for Internet service providers (ISPs). DS-Lite allows an ISP to migrate to an IPv6 access network without changing end-user software. The device that accesses the Internet remains the same.

The DS-Lite architecture uses IPv6-only links between the provider and the customer while maintaining the IPv4 (or dual-stack) hosts in the customer network.

When a customer’s device sends an IPv4 packet to an external destination, the IPv4 packet is encapsulated in an IPv6 packet for transport into the provider network. These IPv4-in-IPv6 tunnels are called softwires. Tunneling IPv4 over IPv6 is simpler than translation and eliminates performance and redundancy concerns.

The softwires terminate in a softwire concentrator in the service provider network, which decapsulates the IPv4 packets and performs Network Address Translation (NAT). The packets undergo source-NAT processing to hide the original source address.

IPv6 packets originated by hosts in the subscriber’s home network are transported natively over the access network.

The IPv4 packets originated by the end hosts have private (and possibly overlapping) IP addresses. Therefore, NAT must be applied to these packets. If end hosts have overlapping addresses, Network Address Port Translation (NAPT) is needed.

When using NAPT, the system uses an algorithm that takes the IPv6 packet's source address, private IPv4 address, and port to map the IPv4 packet to a unique combination of an IPv4 public address and port. Because each customer’s IPv6 address is unique, the combination of the IPv6 source address with the IPv4 source address and port creates an unambiguous mapping.

The system takes the following actions when it receives a responding IPv4 packet from outside the subscriber network:

  • Matches the IPv4 destination address and port for the packet to a specific customer based on the IPv6 address in the mapping table

  • Maps the packet’s IPv4 destination address and port to the IPv4 destination address and port inside the subscriber network

  • Encapsulates the IPv4 packet in an IPv6 packet using the mapped IPv6 address as the IPv6 destination address

  • Forwards the packet to the customer

For more information, see the following documents:

  • Internet draft draft-ietf-softwire-dual-stack-lite-06, Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion, August 2010.

  • RFC 2473, Generic Packet Tunneling in IPv6 Specification, December 1998.

  • RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations, August 1999.

  • RFC 4787, Network Address Translation (NAT) Behavioral Requirements for Unicast UDP, BCP 127, January 2007.

  • RFC 4925, Softwire Problem Statement, July 2007.

  • RFC 5382, NAT Behavioral Requirements for TCP, BCP 142, October 2008.

  • RFC 5508, NAT Behavioral Requirements for ICMP, BCP 148, April 2009.



DS-Lite Implementation

In Juniper Networks® Junos® operating systems (Junos OS) Release 10.4 and later, Juniper Networks has implemented an Address Family Transition Router (AFTR) in its Services Physical Interface Cards (PICs) and Services Dense Port Concentrators (DPCs). An AFTR consists of the combination of an IPv4-in-IPv6 tunnel end-point and an IPv4-IPv4 NAT implemented on the same device.

A Basic Bridging Broadband Elements (B4 or a softwire initiator) is a function implemented on a dual-stack capable node, either as a directly connected device or a home gateway that creates a tunnel to an AFTR. IPv6 packets destined for the softwire concentrator’s address are sent to a Services PIC, where the system creates a softwire according to the configuration. The system then extracts the IPv4 packets, performs NAT rule lookup and address translation, and sends the translated IPv4 packets to the Internet. The system performs these functions in a single pass through the Services PIC.

In the reverse path, the system sends IPv4 packets to the Services PIC, where the reverse translation is performed. The resulting packet is encapsulated in an IPv6 packet corresponding to the proper softwire and sent to the B4.

The system automatically creates softwires as IPv6 packets are received. IPv4 flows created by the encapsulated packets are associated with the specific softwire that initially carried them. When the last IPv4 flow associated with a softwire is completed, the softwire itself goes away. Thus, there is no need to create or manage tunnel interfaces, which simplifies the configuration.

The number of established softwires does not affect throughput, and scalability is independent of the number of interfaces.

Transition of IPv4 Traffic to IPv6 Addresses Using Dual-Stack Lite

ISPs can use DS-Lite to migrate over to an IPv6 access network without changing end-user software. Customers can still access the Internet using their current hardware. DS-Lite accomplishes this by encapsulating the IPv4 packets originated by the existing end hosts into IPv6 packets.

DS-Lite enables an IPv4 host to communicate with a NAT endpoint over an IPv6 network using softwires. DS-Lite configurations create the IPv6 softwires, which terminate on the Services PIC. You can also configure the Services PIC to apply other services such as NAT on the packets that exit from the softwire. The aim of this implementation is to enable packets to travel over softwires to a carrier-grade NAT endpoint where they undergo source-NAT processing to hide the original source address.

Currently, a NAT rule configuration is required with a softwire configuration. NAT processing from IPv4 to IPv6 address pools and vice versa is not currently supported. The application-level gateway (ALG) currently supports HTTP, FTP, RSTP, and ICMP.

DS-Lite is supported on Juniper Networks M Series Multiservice Edge Routers and T Series Core Routers with Multiservices 100, 400, and 500 PICs and MX Series 3D Universal Edge Routers with Multiservices DPCs.