4th IPv6 Council Meeting, slides and notes

4th IPv6 Council Meeting
11th of September 2013
Hosted by PWC in Brussels

20130911_IPv6_council_notes.pdf Notes taken by Eric Vyncke

PWC Welcome, Dirk Van Droogenbroeck

How does PwC handle IPv6? PwC has several departments and Dirk is part of the technology department (manage, transform, secure). IPv6 impacts those three focuses, so the transition to IPv6 is important for PwC, as it allows the experts of each domain to work together to reach a good result and learn from each other. Most organizations (mainly IT shops) are thinking about IPv6 but not really doing it. The bottleneck is mainly cost and organizational impact. When it comes to IPv6, PwC is currently mainly involved in impact analysis projects, and we still see few implementations. We also notice this in some of our other services, e.g. penetration testing, where not all tools are ready yet to deal with an IPv6 set-up.

RIPE NCC, IPv6 Update, Nathalie Trenaman

Slides: BEcouncil-nathalie.pdf
RIPE NCC gives out IPv4/IPv6 addresses to Europe and some other countries (it is an RIR); there has been a big uptake in IPv6 in the last 2/3 years. Nathalie works mainly in the training area of RIPE NCC. BTW, RIPE is about policy/community. Enterprises are becoming RIPE NCC members as LIRs.
Everyone can ask Nathalie or RIPE for an Atlas probe (powered by USB and connected to wired Ethernet); it is used for ping/traceroute in a dual-stack Internet.
Training is given only to members but the content is under Creative Commons; the courses are about LIR, routing security, IPv6, the RIPE database… They are usually given face to face or as webinars. The IPv6 course started in 2009 (no demand before) and was ½ day; the goal was more about how to convince management. This year there were 43 courses given to about 900 trainees. Every training is different: in some courses the attendees are architects, in others support people. A big part of the training is about address planning.
How to get IPv6 addresses? PA or PI?
The default size for an LIR is a /32, but a request for a /29 will be granted without any justification; a shorter prefix length requires a lot of justification and is based on customer numbers. PI space is a /48 minimum but it has to be sponsored by an LIR (cost 50 EUR/year, to compare with LIR membership, which is 1800 EUR/year). A PI block could have a shorter prefix upon justification, but PI space cannot be sub-assigned to customers, to save routing tables.
End customers can receive up to a /48 from a PA block without a request being sent to the NCC. Every assignment must be registered in the RIPE database (especially for business customers; the main interest is black lists and address reputation). To be accurate, an RIR allocates a block while an LIR assigns a block.
There is no more IPv4 PI space 🙂
A multinational can have a /29 from RIPE and announce a /32 (or whatever) from every region.
IPv6 RIPEness (a pun of course): up to 4 stars for each LIR (1 for a block, a 2nd one for announcing it, …) but none for customer connectivity. RIPE policy for getting the last IPv4 /22 could require a 4-star RIPEness, but this is not policy at the moment.
Work is in progress on a 5th star, to measure IPv6 for end users or for content (different metric).
Regarding IPv4 address transfers, the duty of RIPE is to know who the legitimate owner of an IPv4 address is. Since 2012, there have been about 100 transfers between RIPE LIRs.

Willem Delrue (John Cordier Academy) – Training Trends for IPv6

Slides: Willem_TrendsinIPv6Training.pdf
Willem teaches IPv6, Wireshark, DNS and Linux at JC Academy (formerly known as Telindus High Tech Institute; vendor training but also their own developed trainings), see www.jcacademy.be. They have 4 IPv6 courses, from a high-level 0.5-day course to a 3-day course with an extension for an IPv6 security course (1 day), and a 5-day Cisco IPv6 course. Since 2005, the number of students has kept growing (up to 300 in 2012).
Existing knowledge of IPv6 (prior to the course) varies widely and includes misconceptions (mainly about better security, which is a misconception of course, as IPsec is no longer required and would not have helped anyway, NDP issues, …).
Raising awareness: IPv4 exhaustion does not impress people, and there is no killer app even if IPv6 has a couple of nice features. It is even worse when it comes to using IPv6 on the inside of the network, but people are more open to it for external services. Another common misconception is that IPv6 replaces IPv4, whereas dual-stack is the way to go for many years. A big issue is also how to use the width of the IPv6 addressing space.
Sometimes you have to be a psychologist when training IPv6 (Nathalie agrees).
The big security risk is not so much about running IPv6 but rather the risk of running dual-stack hosts on an IPv4-only network without any IPv6 security policy => deploying IPv6 is one way to secure such a network. The IPv6 security training covers all NDP issues (rogue RA, RA flooding, …), scanning issues, automatic tunnels, and so on. IPv6 security training is quite hot for now (several security issues for now) with 5 sessions since June 2013, all fully booked 🙂
Customers trained on IPv6 are ISPs, vendors/developers, NATO, EU, Belnet, FOD, …
It is still difficult to find training in Belgium about programming IPv6 sockets (a comment from the room: there is not even an API to handle privacy extensions).
Students should ‘spread the love for IPv6’ 😉

Olivier Bonaventure (UCLouvain) – IPv6 course update

Slides: obonaventure.pdf
Revisiting the basic networking course with the help of two students (Justin Vellemans and Florentin Rochet). Tanenbaum’s book relies on a bottom-up approach, Kurose’s book relies on a top-down approach.
Olivier has developed an open and free (Creative Commons) top-down book: http://inl.info.ucl.ac.be/CNP3
Previously all examples were about IPv4; then Olivier and his students did a major rewrite. The course starts with principles (reliable data transmission, networks, transport layer, resource sharing), which is 1/3 of the course; then it goes into detailed coverage of specific protocols (HTTP, but also TCP, UDP, SCTP and RIP, OSPF, BGP, and only IPv6, no IPv4). Legacy IPv4 is moved to the advanced network class!
Practical exercises are done by giving each student an IPv6-enabled OpenWRT router (donated by Technicolor) with either native IPv6 or tunnels terminated at UCLouvain, plus other labs using netkit, www.netkit.org (it relies on user-mode Linux to run multiple Linux instances on a single Linux host; each ‘VM’ requires about 64 MB of RAM).
The two students also showed a real-time demo of their OSPFv3 labs using netkit and Wireshark. The labs are also online under Creative Commons. The labs will be integrated in the second edition of the ebook and be publicly available.

Eric Vyncke, Cisco & IPv6 Council

ipv6_belgium.pdf No note taken as Eric was the note taker 😉

Marc Neuckens, Belgacom

Marc works in remote operations of the business network, Explore, which has already been running IPv6 for 1 year. Since May 2013, internal and friendly users have tested with the new CPE, BBOX3 (as BBOX2 simply cannot do it). Since July 2013, they have been shipping BBOX3 by default to new customers. The BRAS are also IPv6 enabled. Today Belgacom is running a field trial in production on 10000 customers all over the country. When a BBOX3 starts, it is detected by Belgacom and RADIUS is updated to enable IPv6 for the subscriber. This limited deployment did not cause any problem and it will not increase in size in the coming weeks. The subscribers receive a /56. There is no official date to go further with the deployment, but this should be before the end of the year.
Beware that only new customers will get a BBOX3; broken BBOX2 will be replaced by a new BBOX2.
For existing dual-stack customers, 25-50% of the traffic is IPv6.

Telenet Status, Wim Roggeman

Telenet has about 0.9 million IPv6-ready DOCSIS 3.0 HGW and we should see some changes before the end of the year. For a couple of years, their product life cycle strategy has been to replace the DOCSIS 2.0 CPE by new DOCSIS 3.0 ones (on any product change, speed/performance upgrade or defective CPE replacement).
They are ready to go, but are not going wide scale yet. They are training their help desk (mainly to solve potential in-home problems on the dual-stack LAN).
Their trial is 5,000 customers growing to 15,000: this includes of course performance tests in the cable routers (just to be sure that this goes as well as in the lab).
The security posture is to block the same ports for IPv4 as for IPv6 and to block all incoming connections on the HGW firewall.

Bart Hanssens (Fedict) – IPv6 update

Fedict is the Federal Public Service for ICT.
For the last year, it was mainly about building IPv6 awareness, including training (Belnet) and a paragraph to be included in all RFPs.
For instance, the RFP for Fedict’s new data centre has an IPv6 requirement.
Fedict exchanges information with other Governments, some of them already succeeded in deploying IPv6 (e.g. www.vlaanderen.be).
FPS Economy and Fedict will have an IPv6 status meeting with the other Federal Public Services next week.
Still pending issues with web sites and services, as they are also outsourcing a big part of their web sites.
In the Fedict building, the WiFi is dual-stack 😉 and 15% of the traffic over this WiFi is IPv6.

Mike Mattheus (Vinck & Thys Systems) – IPv6 in small business

Slides: Mike_IPv6_migration_status_for_Small_Businesses-pptx.pdf
Their customers are really small SMBs (construction, accountancy firms…) around Lier. None of their customers request IPv6; they just want a network that runs. Among their customers, 56% have an IPv6-capable router; otherwise, there are no web/mail servers that are IPv6 capable. The good news is that 80% of the non-IPv6-capable routers are out of warranty and need to be replaced.
In most deployments, there is a single Windows server and several Windows 7 or 8 machines (hardly any XP or Vista anymore). The missing IPv6 parts are printers and the ISP.

Andrew Yourtchenko (Cisco) – Run your next CGN on a $20 OpenWRT box?

Slides: Andrew-Yourtchenko-20_dollar_cgn.pdf
Andrew talks about turning off IPv4, i.e., how we can transport IPv4 traffic over an IPv6-only network. One approach has historically been DS-lite, where the SP head-end does the stateful NAT44. With MAP (mapping address + port), the stateful NAT is done in the CPE while the SP head-end simply does encapsulation and does not maintain any state.
Andrew then explained how to build an OpenWRT CPE with the CERNET MAP implementation. The configuration line was too complex, so Andrew wrote a DHCPv6 patch that parses a DHCPv6 offer containing the MAP parameters and uses them to configure the CERNET MAP.
There was a demo in which the IPv6-only network was implemented over an IPv6 tunnel over 3G 😉 and Skype, the IPv4-only application, was running.
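Why the head-end needs no state with MAP, as an added example that is not from the talk, the CERNET implementation or Andrew's patch: the CPE's IPv6 address is computed from the IPv4 address and port alone, following the MAP-E mapping as later standardized in RFC 7597. The mapping rule values below are constructed from documentation prefixes, and the function names are hypothetical.

```python
import ipaddress

# Constructed Basic Mapping Rule using documentation prefixes (assumed values,
# the same shape as the worked example in RFC 7597).
RULE_V6 = ipaddress.ip_network("2001:db8::/40")   # rule IPv6 prefix
RULE_V4 = ipaddress.ip_network("192.0.2.0/24")    # shared IPv4 pool
EA_BITS = 16       # embedded-address bits = IPv4 suffix bits + PSID bits
PSID_OFFSET = 6    # top port bits; value 0 (ports 0-1023) is never assigned

SUFFIX_BITS = 32 - RULE_V4.prefixlen            # 8
PSID_BITS = EA_BITS - SUFFIX_BITS               # 8: 256 port sets per IPv4 address
PORT_LOW_BITS = 16 - PSID_OFFSET - PSID_BITS    # 2: 4 contiguous ports per range


def psid_of(port):
    """Port-set ID encoded in a port, or None for the excluded low ports."""
    if not 0 <= port <= 0xFFFF or port >> (16 - PSID_OFFSET) == 0:
        return None
    return (port >> PORT_LOW_BITS) & ((1 << PSID_BITS) - 1)


def ce_address(ipv4, port):
    """Compute the CPE's MAP IPv6 address from an IPv4 address and port alone."""
    addr = ipaddress.IPv4Address(ipv4)
    psid = psid_of(port)
    if addr not in RULE_V4 or psid is None:
        raise ValueError("address or port not covered by the mapping rule")
    suffix = int(addr) & ((1 << SUFFIX_BITS) - 1)
    ea = (suffix << PSID_BITS) | psid
    end_user_len = RULE_V6.prefixlen + EA_BITS             # a /56 per CPE
    prefix = int(RULE_V6.network_address) | (ea << (128 - end_user_len))
    interface_id = (int(addr) << 16) | psid                # 0000:<IPv4>:<PSID>
    return ipaddress.IPv6Address(prefix | interface_id)


def source_is_consistent(outer_v6_src, inner_v4_src, inner_src_port):
    """Head-end anti-spoofing check: the outer IPv6 source must be the address
    that the inner IPv4 source and port map to."""
    try:
        expected = ce_address(inner_v4_src, inner_src_port)
    except ValueError:
        return False
    return ipaddress.IPv6Address(outer_v6_src) == expected
```

The same computation serves both directions at the head-end: it picks the tunnel destination for IPv4 traffic arriving from the Internet, and it rejects decapsulated packets whose IPv4 source or port does not belong to the sending CPE.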

___ end of the meeting ___

PwC was kind enough to sponsor a drink with bubbles and appetizers.