MAP-T is a NAT technique defined in RFC 7599. Its key advantage is the decentralization of stateful NAT while enabling the sharing of public IPv4 addresses among the customer edge (CE) devices. In a nutshell, the CE performs the stateful NAT44 function and translates the resulting IPv4 packet into an IPv6 packet. The IPv6 packet is transported over the IPv6 network to the Border Router (BR), which then translates the IPv6 packet to IPv4 and sends it into the public domain.
As multiple CEs can share a single public IPv4 address, MAP-T must rely on an algorithm (the A+P algorithm running on the CEs and the BR) to ensure that each CE is assigned a unique port-range on the shared public IPv4 address. In this way, each CE can be uniquely identified at the BR by the combination of the shared public IPv4 address and its unique port-range. A set of CEs and a BR that share a common set of MAP algorithm rules constitutes a MAP domain. Figure: MAP-T network level view shows a network-level view of MAP-T.
MAP-T offers the following advantages mainly as a result of its stateless BR operation:
improved scaling
State maintenance is decentralized, which enables better scaling.
simplified redundancy
There are no sessions synchronized between redundant BRs and this translates to simplified redundancy.
reduced logging
As there are no NAT resources in the BR that require logging, only configuration changes in the BR are logged, which reduces the volume of logging data.
simpler communication
MAP-T simplifies user-to-user communication.
higher throughput
MAP-T offers higher throughput than a stateful solution, with less processing required in the BR.
Mapping of address and port (MAP) is a generic function, regardless of the underlying transport mechanism (MAP-T or MAP-E) used. Each MAP CE is assigned as follows:
a shared public IPv4 address with a unique port-range on the shared IPv4 address
Although a shared IPv4 address is used in most cases, the CE is sometimes assigned a unique IPv4 address or even an IPv4 prefix. This information is used for stateful NAT44 at the CE.
an IPv6 prefix (IA-PD)
A ‟subnet” from the IPv6 prefix is allocated to the CE as a MAP prefix. The MAP prefix is used to encode public IPv4 information and identify the CE in a MAP domain. The remainder of the IA-PD is used on the LAN side of the CE.
an IPv6 address (IA-NA)
The IPv6 address is independent of MAP and is a regular IPv6 address on the WAN side. The address is used for native end-to-end IPv6 communication (it can participate in forming routing adjacencies and other tasks).
The CE and BR perform the following functions in the MAP-T domain:
CE upstream direction (IPv4→IPv6)
Perform stateful NAT44 function (private→public).
Translate the public IPv4 address and port into an assigned IPv6 MAP source address.
Send the IPv6 packet with encoded IPv4 information toward the BR.
BR upstream direction (IPv6→IPv4)
Perform an anti-spoof check on the received IPv6 packet to ensure that it is coming from a trusted source (CE).
Anti-spoofing is achieved by checking the source IPv6 MAP address against the configured MAP rules and making sure that the correct public IPv4 address and port-range of the CE are encoded in the CE's source IPv6 MAP address.
Translate the IPv6 packet into an IPv4 packet and forward it into the public domain.
BR downstream direction (IPv6←IPv4)
Translate the IPv4 packet into an IPv6 packet according to MAP rules.
The IPv4 destination address of the received packet is translated into an IPv6 MAP address of the CE.
Send the IPv6 packet toward the CE.
CE downstream direction (IPv4←IPv6)
Perform the anti-spoofing function using the destination IPv6 address to verify that the packet is destined for the CE.
MAP rules are used to verify that the public IPv4 address and the port-range of the CE are encoded in the IPv6 destination address of the received packet (the IPv6 MAP address of the CE).
Translate the IPv6 packet into an IPv4 packet.
Perform the NAT44 function (public→private).
Forward the packet into the private IPv4 network.
Each device (CE and BR) is also responsible for fragmentation handling and ICMP error reporting (MTU too small, TTL expired, and so on).
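The A+P mapping that the CEs and BR share, and the anti-spoof check the BR performs in the upstream direction, are easiest to follow in code. The following Python is an added example, not code from this document or from any vendor implementation: it implements the Basic Mapping Rule address and port layout from RFC 7597 (rule IPv6 prefix + EA bits, interface identifier of 16 zero bits, the 32-bit IPv4 address and the 16-bit PSID, and port = A | PSID | M with offset a=6) and then uses it for the BR upstream check and the BR downstream translation described above. The rule values and the end-user prefix are the worked example from RFC 7597 Appendix A; the function names and the `BasicMappingRule`/`CeMapping` classes are this example's own.

```python
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address


@dataclass(frozen=True)
class BasicMappingRule:
    """A MAP Basic Mapping Rule (BMR): the rule shared by every CE and the BR of one MAP domain."""
    rule_ipv6_prefix: ipaddress.IPv6Network
    rule_ipv4_prefix: ipaddress.IPv4Network
    ea_len: int            # length of the Embedded Address (EA) bits
    psid_offset: int = 6   # "a" bits; a=6 keeps ports 0-1023 out of every port set

    @property
    def ipv4_suffix_len(self) -> int:   # "p" bits of the EA field
        return 32 - self.rule_ipv4_prefix.prefixlen

    @property
    def psid_len(self) -> int:          # "k" bits of the EA field
        return self.ea_len - self.ipv4_suffix_len

    @property
    def end_user_prefix_len(self) -> int:
        return self.rule_ipv6_prefix.prefixlen + self.ea_len


@dataclass(frozen=True)
class CeMapping:
    """What one CE is assigned: the shared public IPv4 address, its PSID and its MAP IPv6 address."""
    ipv4: IPv4
    psid: int
    map_ipv6: IPv6


def map_ipv6_address(bmr, ipv4, psid):
    """Build the CE's MAP IPv6 address: End-user prefix (rule prefix + EA bits), zero subnet-id,
    then the interface identifier 16 zero bits | 32-bit IPv4 | 16-bit PSID (right-justified)."""
    ipv4 = IPv4(ipv4)
    if ipv4 not in bmr.rule_ipv4_prefix:
        raise ValueError("IPv4 address is not covered by the rule")
    suffix = int(ipv4) - int(bmr.rule_ipv4_prefix.network_address)
    ea = (suffix << bmr.psid_len) | psid
    prefix_bits = int(bmr.rule_ipv6_prefix.network_address) | (ea << (128 - bmr.end_user_prefix_len))
    iid = (int(ipv4) << 16) | psid
    return IPv6(prefix_bits | iid)


def derive_ce(bmr, end_user_prefix):
    """Provisioning view: from the MAP part of the CE's IA-PD, recover the IPv4 address, the PSID
    and the MAP IPv6 address the CE will use as its IPv6 source toward the BR."""
    eu = ipaddress.IPv6Network(end_user_prefix)
    if not eu.subnet_of(bmr.rule_ipv6_prefix) or eu.prefixlen != bmr.end_user_prefix_len:
        raise ValueError("end-user prefix does not match the rule")
    ea = (int(eu.network_address) >> (128 - bmr.end_user_prefix_len)) & ((1 << bmr.ea_len) - 1)
    k = bmr.psid_len
    ipv4 = IPv4(int(bmr.rule_ipv4_prefix.network_address) | (ea >> k))
    psid = ea & ((1 << k) - 1)
    return CeMapping(ipv4, psid, map_ipv6_address(bmr, ipv4, psid))


def port_set(bmr, psid):
    """The CE's port-range as (first, last) tuples: port = A << (16-a) | PSID << m | M, A != 0."""
    a, k = bmr.psid_offset, bmr.psid_len
    m = 16 - a - k
    return [((A << (16 - a)) | (psid << m), (A << (16 - a)) | (psid << m) | ((1 << m) - 1))
            for A in range(1 if a > 0 else 0, 1 << a)]


def psid_of_port(bmr, port):
    """Inverse of port_set: the PSID owning this port, or None if the port is in the excluded range."""
    a, k = bmr.psid_offset, bmr.psid_len
    m = 16 - a - k
    if a > 0 and (port >> (16 - a)) == 0:
        return None
    return (port >> m) & ((1 << k) - 1)


def br_upstream_check(bmr, src_ipv6, src_port):
    """BR anti-spoof check on an IPv6 packet received from a CE. Returns the public IPv4 source
    address to put in the translated packet, or None (drop) when the source address and port are
    not the pair the rule assigns to that CE."""
    src_ipv6 = IPv6(src_ipv6)
    if src_ipv6 not in bmr.rule_ipv6_prefix:
        return None
    eu_prefix = ipaddress.IPv6Network((src_ipv6, bmr.end_user_prefix_len), strict=False)
    ce = derive_ce(bmr, eu_prefix)
    if src_ipv6 != ce.map_ipv6:                  # interface-id must agree with the EA bits
        return None
    if psid_of_port(bmr, src_port) != ce.psid:   # port must fall in the CE's port-range
        return None
    return ce.ipv4


def br_downstream_map(bmr, dst_ipv4, dst_port):
    """BR translation of a public IPv4 destination: the owning CE's MAP IPv6 address, or None
    when no CE holds that port."""
    dst_ipv4 = IPv4(dst_ipv4)
    if dst_ipv4 not in bmr.rule_ipv4_prefix:
        return None
    psid = psid_of_port(bmr, dst_port)
    return None if psid is None else map_ipv6_address(bmr, dst_ipv4, psid)


# Constructed example domain: the BMR from RFC 7597 Appendix A.
EXAMPLE_BMR = BasicMappingRule(ipaddress.IPv6Network("2001:db8::/40"),
                               ipaddress.IPv4Network("192.0.2.0/24"), ea_len=16)

if __name__ == "__main__":
    ce = derive_ce(EXAMPLE_BMR, "2001:db8:12:3400::/56")
    print(ce.ipv4, hex(ce.psid), ce.map_ipv6)          # 192.0.2.18 0x34 2001:db8:12:3400:0:c000:212:34
    print(port_set(EXAMPLE_BMR, ce.psid)[:2], "...")   # [(1232, 1235), (2256, 2259)] ...
    print(br_upstream_check(EXAMPLE_BMR, ce.map_ipv6, 1233))   # 192.0.2.18 (in range, accepted)
    print(br_upstream_check(EXAMPLE_BMR, ce.map_ipv6, 1236))   # None (port belongs to another CE)
```

The upstream check is the stateless heart of the design: the BR keeps no per-flow table, it only recomputes what the shared rule says the source address and port must be and drops anything that disagrees, which is why a CE cannot use a port outside its own range even though it shares the IPv4 address with other CEs.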