Deploy360 5 June 2017

SINOG 4.0 sheds light on the dark side of IPv6

By Kevin Meynell, Former Senior Manager, Technical and Operational Engagement

The 4th meeting of the Slovenian Network Operators’ Group, organised by Go6, ARNES and LTFE, was held on 23-24 May 2017 at the Brdo Technology Park in Ljubljana. This event was co-sponsored by the Internet Society and attended by 119 participants, and was held over two days for the first time.

The first day was devoted to IPv6 issues and aims to replace the Slovenian IPv6 Summit. It’s felt that IPv6 is now sufficiently mainstream that the focus should be on operational issues rather than advocacy, hence the reason for incorporating it into the SINOG meeting itself. It featured, for the first time, a panel on ‘The Dark Side of the IPv6 Moon…’ to discuss some of the challenges of deploying IPv6 and how these can be addressed.

Setting the scene, though, was the keynote provided by Ole Trøan (Cisco), who’s a Co-Chair of the IETF IPv6 Maintenance Working Group. He provided some interesting background on why IPv6 was designed, the reasons for particular architectural choices, and why particular compromises were made. For example, IPv6 was not made backwardly compatible with IPv4 because IPv4 did not offer any opportunity for forward compatibility, and many inefficient workarounds had needed to be implemented with IPv4 in order to make the Internet work as originally intended.

Whilst the primary aim of IPv6 was to vastly increase the available address space, it also aimed to simplify the evolution of how the Internet was supported, such as having fixed-sized headers with extension possibilities rather than IPv4 options, and putting host configuration into the network layer. At the same time though, the aim was to limit changes on the network layers whilst allowing transport protocols to remain unchanged.

However, there are many players involved in the Internet with interests directly at odds with each other, and the technical architecture needs to be flexible enough to support these whilst retaining the ability to support new applications. This is the reason why compromises ended up being made with address length, extension headers and host configuration, although with hindsight other design choices might have been made.

Nevertheless, the fact remained that IPv4 addresses were facing exhaustion and technical kludges were increasingly having to be used to eke them out further. IPv6 was a functional protocol and was increasingly becoming available as a native transport service, so whilst uptake in Slovenia was a bit low at 6.8% (according to APNIC Labs), it had substantially increased over the past year, which supported the assertion that there were no reasons not to deploy it.

Christian Teuschel (RIPE NCC) followed up with some observations about IPv6 routing in Slovenia. The RIPEness IPv6 project rates how prepared Local Internet Registries (LIRs) in the RIPE Service Region are for IPv6 deployment, and awards up to 5 stars if they fulfil particular criteria. Of the 60 LIRs registered in Slovenia, 6 qualify for the 5-star rating by providing access or content via IPv6, with another 33% qualifying for 4-stars, 27% qualifying for 3-stars, and just 5% having no IPv6 capability.

Slovenia should therefore be well placed with its support for IPv6, although most IPv6 traffic appears to stay local, and there are fewer than half the number of unique AS paths via IPv6 compared to IPv4, of which 79% are via SIX-SI. The use of 6to4 tunnels creates some long RTTs, and there appear to be just three native IPv6 paths, all running via DE-CIX. This is obviously an area for improvement, although if you read Slovenian, you might want to read about Telekom Slovenije’s efforts to deploy IPv6 in the country, presented by Saša Žbontar (Telekom Slovenije).

Next up was ‘Why IPv6 Security Is So Hard’, which was presented by Ivan Pepelnjak (ipSpace) on behalf of Enno Rey (ERNW). We previously highlighted this in a RIPE 74 blog, but it covers the perceived failures with IETF IPv6 standards and offers some suggestions as to how operational practices can be improved.

Our colleague Jan Žorž followed up with some results from the NAT64/DNS64 testing being undertaken by the Go6lab and supported by the Internet Society. The NAT64check tool enables websites to be checked for consistency over IPv4, IPv6-only and NAT64, as well as to compare responsiveness using the different protocols. This allows network and system administrators to easily identify anything that is ‘broken’ and to pinpoint where the problems are occurring, thus allowing any non-IPv6 compatible elements on the website to be fixed.

And so to the main event, ‘The Dark Side of the IPv6 Moon…’ panel chaired by Jan and featuring Ole Trøan (Cisco), Job Snijders (NTT), Ivan Pepelnjak (ipSpace) and Kevin Meynell (Internet Society). The focus was on the deployment and operational consequences of the IPv6 architectural and standardisation decisions, and the real world challenges of using IPv6 in production networks.

It might seem a bit strange to be highlighting problems and issues with IPv6 when at the same time advocating its use, but the case for IPv6 is now well established and the protocol is sufficiently widely deployed that it’s reasonable to air this discussion. It should also not be forgotten that there are issues with deploying IPv4 as well, but it’s just better understood how to work around these, and in many cases IPv6 can improve this situation.

The Deploy360 involvement didn’t end there. Jan presented the recently published BCOP on IPv6 prefix assignment for end-users which aims to provide guidance to ISPs as to what size IPv6 prefixes should be assigned to customers, when to choose static or dynamic assignment, and whether a /48 or /56 should be assigned to a particular customer.

Kevin meanwhile presented on ‘Two Good Years of MANRS’, which is the routing security initiative defining four concrete actions that network operators should implement to promote a culture of collaborative responsibility, and the next steps to develop a MANRS certification programme as well as partnerships with IXPs.

Although not Deploy360-related, you might also want to check out some of the other excellent presentations over the two days. Ole Trøan gave a presentation about his day job which is developing VPP – The Universal Fast Dataplane, Alexander Holzer (NextGen Firewalls) covered Large Scale Firewall management, whilst Job Snijders (NTT Communications) explained the problem of Large BGP communities, the recent RFC 8092 that aims to address this, and provided some information on how to get started.

Be sure though to check out the presentation on securing network automation from Ivan Pepelnjak who always provides excellent value, and on LibreNMS from Uroš Berglez (FERI MB).

So that’s it from Ljubljana for this year, but all the presentations and videos of the talks can be found on the SINOG website. If you’re inspired to deploy IPv6 after this, then please take a look at our Start Here page to understand how you can get started.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
