Deploy360 9 July 2017

ION Costa Rica: The future is IPv6

By Kevin Meynell, Former Senior Manager, Technical and Operational Engagement

The Deploy360 team organised the second ION Conference of the year on 3 July 2017 at the Intercontinental Hotel in San José, Costa Rica. This was co-located with the TICAL Conference 2017, the annual event for Latin American National Research and Education Networks, as well as the Latin American eScience Meeting 2017. It attracted 85 participants and we again thank our sponsor Afilias for making this possible.

It was the turn of Megan Kruse to chair this event, and she opened proceedings with an overview of the Deploy360 programme, before handing over to Kevin Meynell who discussed what was happening at the IETF and how to get involved. He encouraged the Latin American networking community to check out the IETF Fellowship and IETF Policy programmes, and pointed out this had provided opportunities for participants from Costa Rica at both the last and forthcoming IETF meetings.

We were lucky enough to have Fred Baker, the Co-Chair of the IETF IPv6 Operations Working Group and former IETF Chair, to talk about the results of the Internet Society report on the State of IPv6 that was published in June. He pointed out that all Regional Internet Registries were now approaching IPv4 exhaustion, with only small quantities of addresses available to new entrants, whilst there had been rapid IPv6 growth over the past year. This was especially the case in the Latin American region where around 37% of AS numbers were now announcing IPv6 address prefixes, IPv6 traffic was over 10%, and reached nearly 20% in some countries.

It was clear that IPv4 would not be able to accommodate future growth in the Internet, and whilst surplus IPv4 addresses were being traded, the cost was expected to reach USD 20 per address over the next couple of years before dropping substantially as IPv6 deployment approaches 50%. This cannot be considered a long-term investment, so question marks were now being raised by accounts departments as to why they were paying for something that could be provided for free. In fact, MIT had just sold a surplus IPv4 /9 in order to fund their IPv6 deployment, major service providers were moving to IPv6 dominant data centres, and there was also substantial IPv6 deployment in mobile networks.

So the takeaway is that network operators need to be deploying IPv6 now, in order to ensure their equipment and applications have been tested and are able to support it, as well as giving their staff experience of using it. Is paying for something you can provision for free a good business model, and are you willing to sustain the ever greater complexity and cost of Carrier Grade NAT to meet future growth?

This message was reinforced by Guillermo Cicileo (LACNIC) who provided an overview of IPv6 Deployment in Costa Rica and Latin America (in Spanish). Several countries in the region were amongst the world leaders in IPv6 deployment, including Trinidad and Tobago (21%), Brazil (18%), Ecuador (18%) and Peru (17%), but most of the others substantially lagged behind. Unfortunately, Costa Rica had very low rates of IPv6 deployment, although the example of Trinidad and Tobago that went from 0% to 21% in only 3 years demonstrated what was possible in small countries.

Following the break, Kevin led a panel discussion on MANRS and Routing Security that included Erika Vega (RENATA) and Glenn Peace (ix.CR). The Border Gateway Protocol (BGP) underpins the Internet routing system, but is substantially based on global trust and there is little validation of the legitimacy of routing updates. So the panel discussed techniques to help improve the security and resilience of the global routing system, as well as how to promote a culture of collective responsibility.

Kevin first presented the MANRS initiative and Routing Resilience Manifesto that encourages network operators to subscribe to four actions including filtering, anti-spoofing, coordination and address prefix validation, and has developed resources to help them implement these. This includes the MANRS Best Current Operational Practice which is a technical document providing step-by-step instructions, along with a set of online training modules.

Erika followed up with a presentation on a LACNIC-sponsored collaboration with RENATA (in Spanish), the Colombian NREN. RPKI is a specialised Public Key Infrastructure that allows cryptographic verification of the holders of particular AS numbers and IP addresses, and therefore provides a framework for securing the routing infrastructure. RENATA is aiming to deploy RPKI to at least 50% of its connected institutions, in order to provide a demonstration of how extensive deployment can improve routing security, and potentially offer a large testbed for BGPSEC when this becomes available.

Turning to a different subject, Mauricio Oviedo (NIC.CR) offered an introduction to DNSSEC and why we need it (in Spanish). He outlined the problems that DNSSEC aims to solve, whereby end users are assured that information returned from a DNS query is the same as that provided by the domain name holder, and ran through examples of how the DNS can be compromised, such as cache poisoning and query interception. These assurances are established using cryptographic principles through a chain-of-trust originating from the root DNS servers, and propagated through signed Top-Level Domain (TLD) and subsequent sub-domain zones.

All major DNS resolvers support DNSSEC validation and 87% of TLDs were now signed, including .cr which validated around 31% of queries. However, very few Second-Level Domains (SLDs) were validated in the country, which meant there was substantial room for improvement amongst DNS operators.

Rounding off the conference was a panel discussion on IPv6 success stories chaired by our colleague Christian O’Flaherty from ISOC’s Latin America & Caribbean Bureau. This involved Fred Baker, Claudio Chacon (CEDIA) and Elidier Moya (Costa Rican Ministry of Telecommunications) who discussed topics such as how the CEDIA research and education network was an early adopter of IPv6 which encouraged deployment elsewhere in Ecuador, the deployment experiences of the CERNET2 IPv6-only network in China, and the project to promote IPv6 in Costa Rica. Fred also outlined how the IETF was putting IPv6 examples into RFCs and Internet Drafts to encourage uptake, and highlighted the Chinese experience of running more than 256 users per IPv4 address that had a measurable detrimental influence on performance.

The very positive outcome of the conference was the launch of the Costa Rican Network Operators Group (NOGCR). This aims to bring together the approximately 40 active ISPs in the country for the first time, and an IPv6 workshop was organised the following day at the NIC.CR premises with Fred Baker and the Deploy360 team that involved 25 representatives of the ISPs.

Deploy360 would like to thank TICAL for hosting and supporting this ION. Thanks also to the speakers and everyone else who contributed towards making the event a successful and productive one.

Further Information

The proceedings from ION Costa Rica are available here, and the webcast will also be available on our YouTube channel shortly.

If you’re inspired by what you see and read, then please check out our Start Here page to understand how you can get started with IPv6 and DNSSEC.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
