Categories
Deploy360 IETF IPv6

RFC 8215: Local-Use IPv4/IPv6 Translation Prefix published

RFC 8215 “Local-Use IPv4/IPv6 Translation Prefix” was recently published, reserving the IPv6 prefix 64:ff9b:1::/48 for local use within domains enabling IPv4/IPv6 translation mechanisms.

This allows the coexistence of multiple IPv4/IPv6 translation mechanisms in the same network, without requiring the use of a Network-Specific Prefix assigned from an allocated global unicast address space.

The well-known prefix 64:ff9b::/96 was originally reserved by RFC 6052 for IPv4/IPv6 translation, but several new translation mechanisms such as those in RFCs 6146 and 7915 have subsequently been defined that target different use cases. It’s therefore possible that a network operator may wish to make use of several of these simultaneously, which is why a larger address space has been defined to accommodate this.

The shortest translation prefix observed in a live network deployment was a /64, so a /48 was chosen: it sits on a 16-bit boundary and can accommodate multiple instances of /64.
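The sketch below is an added example, not code from the original post or from the RFC authors. It carves per-translator prefixes out of 64:ff9b:1::/48, embeds and recovers IPv4 addresses using the RFC 6052 layout, and classifies an address seen in a log or ACL as well-known or local-use. The function names, the sub-prefix index and the IPv4 documentation addresses are constructed for illustration.

```python
import ipaddress

WELL_KNOWN = ipaddress.IPv6Network("64:ff9b::/96")    # reserved by RFC 6052
LOCAL_USE = ipaddress.IPv6Network("64:ff9b:1::/48")   # reserved by RFC 8215
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)              # lengths RFC 6052 allows


def _checked(prefix):
    """Parse a translation prefix and enforce an RFC 6052 prefix length."""
    net = ipaddress.IPv6Network(str(prefix))          # strict: no host bits set
    if net.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not a valid RFC 6052 length")
    return net


def embed(prefix, ipv4):
    """Build the IPv4-embedded IPv6 address for `ipv4` under `prefix`."""
    net = _checked(prefix)
    buf = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:          # bits 64..71 (the "u" octet) must stay zero
            pos += 1
        buf[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(buf))


def extract(prefix, ipv6):
    """Recover the IPv4 address embedded in `ipv6` under `prefix`."""
    net = _checked(prefix)
    addr = ipaddress.IPv6Address(str(ipv6))
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    raw, out, pos = addr.packed, bytearray(), net.prefixlen // 8
    while len(out) < 4:
        if pos == 8:          # skip the reserved "u" octet
            pos += 1
        out.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(out))


def carve(index, new_prefix=64):
    """Return the index-th translation prefix inside the RFC 8215 /48."""
    if new_prefix not in VALID_LENGTHS or new_prefix < LOCAL_USE.prefixlen:
        raise ValueError("sub-prefix must be /48, /56, /64 or /96")
    if not 0 <= index < 2 ** (new_prefix - LOCAL_USE.prefixlen):
        raise ValueError("index does not fit inside 64:ff9b:1::/48")
    base = int(LOCAL_USE.network_address)
    return ipaddress.IPv6Network((base + (index << (128 - new_prefix)), new_prefix))


def classify(ipv6):
    """Label an address: 'well-known', 'local-use' or 'other'."""
    addr = ipaddress.IPv6Address(str(ipv6))
    if addr in WELL_KNOWN:
        return "well-known"
    if addr in LOCAL_USE:
        return "local-use"
    return "other"


if __name__ == "__main__":
    nat64 = carve(0xAB)                       # constructed index for one translator
    mapped = embed(nat64, "198.51.100.7")     # constructed IPv4 (documentation range)
    print(nat64, mapped, extract(nat64, mapped), classify(mapped))
```

With /64 sub-prefixes the /48 yields 65,536 distinct translation prefixes, which is the headroom the post describes; the two reserved ranges do not overlap, so a filter can match each one separately.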

If you’re interested in finding out more about IPv4/IPv6 translation mechanisms, there are a few Deploy360 blogs on NAT64 and 464XLAT amongst others.

Categories
Deploy360 IPv6

NAT64check proves popular

We’ve already mentioned this a few times this year, but we’ve just published a more in-depth article about NAT64check over on the RIPE Labs and APNIC websites.

NAT64check is a tool developed by the Internet Society, Go6, SJM Steffann and Simply Understand that allows you to enter the URL of a particular website, and then run tests over IPv4, IPv6 and NAT64 in order to check whether the website is actually reachable in each case, whether identical web pages are returned, and whether all the resources such as images, stylesheets and scripts load correctly. The article also explains the rationale behind NAT64check, how it works, and how you can use it.

If you just want to take a look at the tool, then please go to either https://nat64check.go6lab.si/ or https://nat64check.ipv6-lab.net/, type the URL you wish to check into the box at the top of the page, and the result should be returned within a few seconds. It’s simple and easy, and will help you identify what needs to be done to make your website accessible with IPv6.

Deploy360 also want to help you deploy IPv6, so please take a look at our Start Here page to learn more.

 

Categories
Deploy360 IPv6

RIPE NCC Hackathon Version 6

The RIPE NCC will be holding its sixth Hackathon on 4-5 November 2017 in Copenhagen, Denmark, and by no coincidence at all, will be focusing on IPv6. This will be part of Danish IPv6 Week that’s being hosted by DKNOG and sponsored by Comcast Cable, and which will also have Deploy360 involvement in the shape of our colleague Jan Žorž.

Hackathons are opportunities for network operators, coders and hackers to get together to develop new tools, as well as exchange knowledge and experience with others. Some possible projects for this hackathon include improving IPv6 measurements such as IPv6 RIPEness, improving the IXP Country Jedi tool that compares traceroutes between IPv4 and IPv6, and developing tools to advance IPv6 deployment.

The RIPE NCC are specifically looking for UX and UI experts including graphic designers, developers familiar with Python, Node.js, Perl and Go, Internet measurement researchers, and network and hosting operators who have experience of deploying IPv6.

If you’re interested in participating, then you need to apply before 10 October 2017.

Travel funding of EUR 500 per person is also available to six participants, with preference given to applicants from “least developed countries”, those working for not-for-profit organisations, and those with previous contributions to free and open-source software and projects. Please note though, the deadline for applicants who require funding is 9 September 2017.

Further Information

Categories
Deploy360 Events Internet of Things (IoT) IPv6

Deploy360 @ SdNOG 4

Our colleague Jan Žorž will be presenting at the 4th Sudan Network Operators Group meeting (SdNOG 4) on 16-17 August 2017 in Khartoum, Sudan. This is being preceded by an IPv6 Workshop.

Jan will be talking about his real life experiences with NAT64/DNS64 on the Thursday, which will be followed by an IPv6 Security 101 by Stephan Musa (AfriNIC), and then a talk on Testing IPv6 Firewalls using THC-IPv6 by Mohamed Alhafez (Canar).

Our ISOC Board colleague Walid al-Saqaf will also be presenting the keynote presentation on Blockchain Technology, whilst other Deploy360-relevant topics include presentations on Securing Web Traffic using TLS from Khalid Elmansor (University of Khartoum), and on Web Security from Hiba Alamin (NCTR).

Additionally worth checking out are the IoT presentations on Zigbee and the Unique Identifier System, the SDN session covering OpenFlow and NFV technologies, and overviews of Internet rollout in Sudan.

More Information

Categories
Deploy360

Save The Date! ION Belgrade with RSNOG in November

I’m thrilled to announce our last ION Conference of 2017 – ION Belgrade will be held on Thursday, 23 November, alongside the Republic of Serbia Network Operators’ Group. We sincerely thank RSNOG for their enthusiasm and hard work to bring all the pieces together. Also, as usual, this ION has generous support from our ION Conference Series Sponsor Afilias.

We’ll have a full-day program and cover some combination of our favorite topics including IPv6, DNSSEC, Securing BGP, and TLS for Applications. We’re working on a draft agenda and will soon be filling the speaker slots, so if you’ll be in Belgrade in November or are already planning to attend RSNOG and you think you might make a good candidate, please speak up in the comments below or via our social media channels. A quick preview of some potential session titles:

  • IPv6 Success Stories – Network Operators Tell All!
  • Deploying DNSSEC: A Case Study
  • Lock it Up: TLS for Network Operators
  • DANE: The Future of Transport Layer Security (TLS)
  • What’s Happening at the IETF? Internet Standards and How to Get Involved
  • Collaborative Security: Routing Resilience Manifesto and MANRS

We’re still working out the logistics and registration details, so stay tuned to the ION Belgrade website or this blog for more information. We’re also hoping to live stream the ION, so even if you can’t be there in person you’ll be able to follow along online. (Stay tuned for more information on that as we get closer.)

We’re also working on locations for ION Conferences in 2018. Are you part of something that might lend itself to co-locating with an ION? Let us know! We hold several events each year in locations all over the world, and we are open to all sorts of opportunities. Contact us to discuss co-location possibilities, or how your company could sponsor an existing ION Conference.

Categories
Deploy360 IETF IPv6

Deploy360@IETF99, Day 5: Kdo se moc ptá, moc se dozví

There’s a couple of sessions of interest on the last day of IETF 99 before we say na shledanou to the City of a Hundred Spires.

Both sessions are running in parallel on the Friday morning starting at 09.30 CEST/UTC+2. ACME will continue to discuss the ACME specification, as well as the addition of CAA checking for compliance with CA/B Forum guidelines. There’s also new drafts specifying how to issue certificates for telephone numbers, how to issue certificates for VoIP service providers to Secure Telephony Identity, and ACME extensions to enable the issuance of short-term and automatically renewed certificates, certificates for e-mail recipients that want to use S/MIME, and certificates for use by TLS e-mail services.


NOTE: If you are unable to attend IETF 99 in person, there are multiple ways to participate remotely.


Alternatively you can check out LPWAN that’s working on enabling IPv6 connectivity with very low wireless transmission rates between battery-powered devices spread across multiple kilometres. This will be discussing five drafts related to IPv6 header fragmentation and compression, as well as ICMPv6 usage over LPWANs.

That brings this IETF to an end, so it’s goodbye from us in Prague. Many thanks for reading along this week… please do read our other IETF 99-related posts … and we’ll see you at IETF 100 on 12-17 November 2017 in Singapore!

Relevant Working Groups

Categories
Deploy360 Events IETF IPv6

Deploy360@IETF99, Day 3: IPv6 & TLS

After a packed first couple of days, Wednesday at IETF 99 in Prague is a bit quieter for us. Each day we’re bringing you blog posts pointing out what Deploy360 will be focusing on.

There’s just the three working groups to follow today, starting at 09.30 CEST/UTC+2 with TLS. A couple of very important drafts up for discussion though, with both the TLS 1.3 and DTLS 1.3 specifications in last call. There’s also a couple of other interesting drafts relating to DANE record and DNSSEC authentication chain extension for TLS, and Data Center use of Static DH in TLS 1.3.


NOTE: If you are unable to attend IETF 99 in person, there are multiple ways to participate remotely.


Alternatively, there’s DMM that will be discussing at least one IPv6-relevant draft on the Applicability of Segment Routing IPv6 to the user-plane of mobile networks.

During the first afternoon session at 13.30 CEST/UTC+2, there’s DHC. This will continue to discuss four DHCPv6 related drafts, as well as hear about the DHCPv6 deployment experiences at Comcast.

Don’t forget that from 17.10 CDT/UTC-6 onwards will be the IETF Plenary Session. This is being held in Congress Hall I/II.

For more background, please read the Rough Guide to IETF 99 from Olaf, Dan, Andrei, Mat, Karen and myself.

Relevant Working Groups

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) Events IETF IPv6

Deploy360@IETF99, Day 2: IoT, IPv6, DNSSEC, DPRIV & TLS

Tuesday is another hectic day at IETF 99 in Prague with a lot of relevant sessions for us. Each day we’re bringing you blog posts pointing out what Deploy360 will be focusing on.

The morning starts at 09.30 CEST/UTC+2 with a very full V6OPS meeting (which continues on Thursday afternoon). There’s a couple of deployment case studies up first – on turning IPv4 off in the Microsoft enterprise network, followed by some experiences of using dual-stacked websites with Happy Eyeballs – before a presentation on the current status of IPv6 deployment.

There are ten drafts being discussed, including requirements for IPv6 routers that aims to document a set of IPv6 requirements for routers, switches and middle boxes based on design and architectural experiences; specifying requirements for zero-configuration IPv6 CPEs; and using conditional router advertisements for connecting an enterprise network to multiple ISPs using address space assigned by an ISP. Version 2 of Happy Eyeballs is also being proposed, tweaking the algorithm whereby a dual-stack host tries to establish connections with both IPv4 and IPv6; and there’s an interesting draft proposing deployment of IPv6-only Wi-Fi at IETF meetings.


NOTE: If you are unable to attend IETF 99 in person, there are multiple ways to participate remotely.


Running in parallel is DPRIVE, which will be discussing the DNS over the QUIC protocol, measuring the usage of DNS-over-TLS, as well as next steps. At the same time, PERC will be discussing a draft related to DTLS tunnelling.

First up in the afternoon at 13.30 CEST/UTC+2 is T2TRG which is reviewing the outcome of the Workshop on IoT Semantic/Hypermedia Interoperability (WISHI), and will discuss what its future activities and deliverables should be.

In the late afternoon session starting at 15.50 CEST/UTC+2, there’s DNSOP (which continues on Thursday afternoon). There doesn’t look to be much DNSSEC-wise on the agenda today, although there is a draft to enhance the automatic updating of DNSSEC trust anchor process (as specified in RFC 5011).

Also running in parallel is CFRG, which discusses and reviews cryptographic mechanisms for network security. There are five drafts being discussed, including on the transition from classical to post-quantum cryptography. In addition, there are two proposals for new cryptographic techniques.

If you’re interested in the Internet-of-Things, then you can also check out 6LO. This group focuses on facilitating IPv6 connectivity over node networks with limited power, memory and processing resources, and will be discussing drafts on Neighbour Discovery, IPv6 over low-power Bluetooth mesh networks, and transmission of IPv6 over electrical power lines.

For more background, please read the Rough Guide to IETF 99 from Olaf, Dan, Andrei, Mat, Karen and myself.

Relevant Working Groups

Categories
Deploy360 IETF IPv6

Deploy360@IETF99, Day 1: IoT, IPv6 & SIDR

It’s another busy week at IETF 99 in Prague, and we’ll be bringing you daily blog posts that highlight what Deploy360 will be focused on during that day. And Monday sees a packed agenda with three working groups on the Internet-of-Things, a couple on routing, one on encryption, and an important IPv6 Maintenance WG session.

The day kicks off at 09.30 CEST/UTC+2 with 6MAN, and the big development is the move of the IPv6 specification to Internet Standard Status, as despite being widely deployed, IPv6 has remained a ‘Draft Standard’ since its original publication in 1998. There are also two working group drafts on updating the IPv6 Addressing Architecture as currently defined in RFC 4291, and on IPv6 Node Requirements as currently defined in RFC 6434. Other existing drafts up for discussion include recommendations on IPv6 address usage and on Route Information Options in Redirect Messages.

There are three new drafts being proposed, including one that covers scenarios when IPv6 hosts might not be able to properly detect that a network has changed IPv6 addressing and proposes changes to the Default Address Selection algorithm defined in RFC 6724; another that proposes a mechanism for IPv6 hosts to retrieve additional information about network access through multiple interfaces; whilst the remaining draft defines the AERO address for use by mobile networks with a tethered network of IoT devices requiring a unique link-local address after receiving a delegated prefix.


NOTE: If you are unable to attend IETF 99 in person, there are multiple ways to participate remotely.


Running in parallel is ACE which is developing authentication and authorization mechanisms for accessing resources on network nodes with limited CPU, memory and power. Amongst the ten drafts on the agenda, there’s one proposing a DTLS profile for ACE.

Also at the same time is CURDLE which is chartered to add cryptographic mechanisms to some IETF protocols, and to make implementation requirements including deprecation of old algorithms. The agenda isn’t very comprehensive at the moment, but nine drafts were recently submitted to the IESG for publication, and what will certainly be discussed today is a draft on key change methods for SSH.

In the afternoon, Homenet is meeting from 13.30 CEST/UTC+2. This is developing protocols for residential networks based on IPv6, and will continue to discuss updated drafts relating to a name resolution and service discovery architecture for homenets, how the Babel routing protocol can be used in conjunction with the HNCP protocol in a Homenet scenario, and the use of .homenet as a special use top-level domain to replace .home. There are also three new drafts relating to the service discovery and registration aspects of Homenet.

Running in parallel is 6TiSCH. There will be summaries of the 1st F-Interop 6TiSCH Interoperability Event and OpenWSN Hackathon, followed by discussions on the updated drafts related to the 6top protocol that enables distributed scheduling, as well as a draft related to security functionality.

The later afternoon session sees SIDROPS meeting from 15.50 CEST/UTC+2. This is taking the technology developed by SIDR and is developing guidelines for the operation of SIDR-aware networks, as well as providing operational guidance on how to deploy and operate SIDR technologies in existing and new networks. One particularly interesting draft proposes to use blockchain technology to validate IP address delegation, whilst another describes an approach to validate the content of the RPKI certificate tree. A couple of other drafts aim to clarify existing approaches to RPKI validation.

Concluding the day is GROW during the evening session. This group looks at the operational problems associated with the IPv4 and IPv6 global routing systems, and whilst there’s no agenda for this meeting yet, four new and updated drafts were recently published on more graceful shutting down of BGP sessions, how to minimise the impact of maintenance on BGP sessions, and extensions to the BGP monitoring protocol.

For more background, please read the Rough Guide to IETF 99 from Olaf, Dan, Andrei, Mat, Karen and myself.

Relevant Working Groups

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC) Events IETF IPv6

Our Hot Topics @ IETF 99

Next week is IETF 99 in Prague which will be the fourth time the IETF has been held in the city. The Deploy360 team will be represented by Megan Kruse and Dan York, along with ISOC’s Chief Internet Technology Officer Olaf Kolkman. We’ll once again be highlighting the latest IPv6, DNSSEC, Securing BGP and TLS related developments.

Our colleagues are planning to cover the following sessions, so please come and say hello!

Monday, 17 July 2017

Tuesday, 18 July 2017

Wednesday, 19 July 2017

Thursday, 20 July 2017

Friday, 21 July 2017

The Internet Society has also put together its latest Rough Guide to the IETF 99, and will again be covering wider developments over on the Tech Matters Blog.  In particular, see:

If you can’t get to Prague next week, you can attend remotely!  Just visit the IETF 99 remote participation page or check out http://www.ietf.org/live/ for more options.

Categories
Deploy360

Announcing ION Durban with South Africa iWeek in September

After two great ION Conferences so far this year in Islamabad and Costa Rica, we are very pleased to announce that we’re hard at work on ION Durban, which will take place on Thursday, 7 September, alongside the South Africa iWeek.

We’re lucky to once again have a full-day program so we can cover all our favorite topics including IPv6, DNSSEC, Securing BGP, and TLS for Applications. As usual, this ION has generous support from our ION Conference Series Sponsor Afilias.

We’re working on the agenda and speakers now, so if you’ll be attending iWeek and you think you might make a good candidate, please speak up in the comments below or via our social media channels. A quick preview of some of our draft session titles:

  • Why Implement DNSSEC?
  • Deploying DNSSEC: A Case Study
  • IPv6: Are We There Yet?
  • What’s Happening at the IETF? Internet Standards and How to Get Involved
  • Collaborative Security: Routing Resilience Manifesto and MANRS
  • Best Current Operational Practices – An Update
  • IPv6 Success Stories – Network Operators Tell All!

iWeek is South Africa’s leading annual Internet industry conference, and has been held each year since 2001. iWeek brings together all of South Africa’s major Internet organizations for a series of presentations, workshops, training programs, and social events. The event partners are:

  • The Internet Service Providers’ Association (ISPA)
  • The ZA Central Registry (ZACR)
  • The ZA Domain Name Authority (ZADNA)
  • The South African Internet Exchange (INX-ZA)

We’re still working out the logistics and registration details, so stay tuned to the ION Durban website or this blog for more information. We’re also planning to live stream the ION, so even if you can’t be there in person you’ll be able to follow along online.

We’re also still working on more ION Conference locations for 2017, as well as our 2018 and beyond locations. Are you part of something that might lend itself to co-locating with an ION? Let us know! We hold several events each year in locations all over the world, and we are open to all sorts of opportunities. Contact us to discuss co-location possibilities, or how your company could sponsor an existing ION Conference.

We hope to see you in Durban, or at a future event!

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC)

ION Costa Rica: The future is IPv6

The Deploy360 team organised the second ION Conference of the year on 3 July 2017 at the Intercontinental Hotel in San José, Costa Rica. This was co-located with the TICAL Conference 2017, the annual event for Latin American National Research and Education Networks, as well as the Latin American eScience Meeting 2017. It attracted 85 participants and we again thank our sponsor Afilias for making this possible.

It was the turn of Megan Kruse to chair this event, and she opened proceedings with an overview of the Deploy360 programme, before handing over to Kevin Meynell who discussed what was happening at the IETF and how to get involved. He encouraged the Latin American networking community to check out the IETF Fellowship and IETF Policy programmes, and pointed out this had provided opportunities for participants from Costa Rica at both the last and forthcoming IETF meetings.

We were lucky enough to have Fred Baker, the Co-Chair of the IETF IPv6 Operations Working Group and former IETF Chair, to talk about the results of the Internet Society report on the State of IPv6 that was published in June. He pointed out that all Regional Internet Registries were now approaching IPv4 exhaustion, with only small quantities of addresses available to new entrants, whilst there had been rapid IPv6 growth over the past year. This was especially the case in the Latin American region where around 37% of AS numbers were now announcing IPv6 address prefixes, IPv6 traffic was over 10%, and reached nearly 20% in some countries.

It was clear that IPv4 would not be able to accommodate future growth in the Internet, and whilst surplus IPv4 addresses were being traded, the cost was expected to reach USD 20 per address over the next couple of years before dropping substantially as IPv6 deployment approaches 50%. This cannot be considered a long-term investment, so question marks were now being raised by accounts departments as to why they were paying for something that could be provided for free. In fact, MIT had just sold a surplus IPv4 /9 in order to fund their IPv6 deployment, major service providers were moving to IPv6 dominant data centres, and there was also substantial IPv6 deployment in mobile networks.

So the takeaway is that network operators need to be deploying IPv6 now, in order to ensure their equipment and applications have been tested and are able to support it, as well as giving their staff experience of using it. Is paying for something you can provision for free a good business model, and are you willing to sustain the ever greater complexity and cost of Carrier Grade NAT to meet future growth?

This message was reinforced by Guillermo Cicileo (LACNIC) who provided an overview of IPv6 Deployment in Costa Rica and Latin America (in Spanish). Several countries in the region were amongst the world leaders in IPv6 deployment, including Trinidad and Tobago (21%), Brazil (18%), Ecuador (18%) and Peru (17%), but most of the others substantially lagged behind. Unfortunately, Costa Rica had very low rates of IPv6 deployment, although the example of Trinidad and Tobago that went from 0% to 21% in only 3 years demonstrated what was possible in small countries.

Following the break, Kevin led a panel discussion on MANRS and Routing Security that included Erika Vega (RENATA) and Glenn Peace (ix.CR). The Border Gateway Protocol (BGP) underpins the Internet routing system, but is substantially based on global trust and there is little validation of the legitimacy of routing updates. So the panel discussed techniques to help improve the security and resilience of the global routing system, as well as how to promote a culture of collective responsibility.

Kevin firstly presented the MANRS initiative and Routing Resilience Manifesto that encourages network operators to subscribe to four actions including filtering, anti-spoofing, coordination and address prefix validation, and has developed resources to help them implement these. This includes the MANRS Best Current Operational Practice which is a technical document providing step-by-step instructions, along with a set of online training modules.

Erika followed up with a presentation on a LACNIC-sponsored collaboration with RENATA (in Spanish), the Colombian NREN. RPKI is a specialised Public Key Infrastructure that allows cryptographic verification of the holders of particular AS numbers and IP addresses, and therefore provides a framework for securing the routing infrastructure. RENATA is aiming to deploy RPKI to at least 50% of its connected institutions, in order to provide a demonstration of how extensive deployment can improve routing security, and potentially offer a large testbed for BGPSEC when this becomes available.

Turning to a different subject, Mauricio Oviedo (NIC.CR) offered an introduction to DNSSEC and why we need it (in Spanish). He outlined the problems that DNSSEC aims to solve, whereby end users are assured that information returned from a DNS query is the same as that provided by the domain name holder; running through examples of how the DNS can be compromised such as cache poisoning and query interception. These assurances are established using cryptographic principles through a chain-of-trust originating from the root DNS servers, and propagated through signed Top-Level Domain (TLD) and subsequent sub-domain zones.

All major DNS resolvers support DNSSEC validation and 87% of TLDs were now signed, including .cr which validated around 31% of queries. However, very few Second-Level Domains (SLDs) were validated in the country, which meant there was substantial room for improvement amongst DNS operators.

Rounding off the conference was a panel discussion on IPv6 success stories chaired by our colleague Christian O’Flaherty from ISOC’s Latin America & Caribbean Bureau. This involved Fred Baker, Claudio Chacon (CEDIA) and Elidier Moya (Costa Rican Ministry of Telecommunications) who discussed topics such as how the CEDIA research and education network was an early adopter of IPv6 which encouraged deployment elsewhere in Ecuador, the deployment experiences of the CERNET2 IPv6-only network in China, and the project to promote IPv6 in Costa Rica. Fred also outlined how the IETF was putting IPv6 examples into RFCs and Internet Drafts to encourage uptake, and highlighted the Chinese experience of running more than 256 users per IPv4 address that had a measurable detrimental influence on performance.

The very positive outcome of the conference was the launch of the Costa Rican Network Operators Group (NOGCR). This aims to bring together the approximately 40 active ISPs in the country for the first time, and an IPv6 workshop was organised the following day at the NIC.CR premises with Fred Baker and the Deploy360 team that involved 25 representatives of the ISPs.

Deploy360 would like to thank TICAL for hosting and supporting this ION. Thanks also to the speakers and everyone else who contributed towards making the event a successful and productive one.

Further Information

The proceedings from ION Costa Rica are available here, and the webcast will also be available on our YouTube channel shortly.

If you’re inspired by what you see and read, then please check out our Start Here page to understand how you can get started with IPv6 and DNSSEC.