HP VPN Firewall Appliances VPN Configuration Guide
65
{ Customer Premises Equipment (CPE)
Resides at the customer's premise, connects the customer's network to an Internet Service
Provider (ISP) network, and typically serves as the gateway of the customer's network. As a
tunnel end, the CPE encapsulates IPv4 packets of the customer's network into IPv6 packets and
sends them to the other end of the tunnel, and de-encapsulates IPv6 packets into IPv4 packets
and sends them to the customer's network. Some hosts can serve as the CPE. Such hosts are
referred to as DS-Lite hosts.
{ Address Family Transition Router (AFTR)
Resides in the ISP network and serves as both an IPv4 over IPv6 tunnel end and the NAT device.
After IPv6 packets are de-encapsulated into IPv4 packets, the AFTR translates the source
private IPv4 address of each packet into a public IPv4 address and sends the packet to the
destination IPv4 host. The AFTR also translates the destination public IPv4 address of each
response packet into a private IPv4 address, encapsulates the packet into an IPv6 packet, and
forwards the packet to the CPE. In addition, the AFTR records the NAT entries and the IPv6
address of each CPE so that IPv4 networks connected to different CPEs can use the same
address space.
{ DS-Lite tunnel
The IPv4 over IPv6 tunnel between the CPE and AFTR which carries IPv4 packets over an IPv6
network.
Figure 62 Packet forwarding process in DS-Lite
When a gateway serves as the CPE, the changes of source and destination IP addresses and port
numbers are illustrated in Figure 62. The entire process is summarized as follows:
{ The CPE and AFTR encapsulate and de-encapsulate packets.