
12 Steps to enable IPv6 in an ISP Network

Here’s a quick guide on how to enable IPv6 in an ISP from Jordi Palet (Consulintel) that’s just been published by LACNIC. It’s not intended to be a comprehensive technical digest of how to deploy IPv6 in a network that currently has IPv4, but rather a summary of the 12 fundamental steps, not including services (DNS, web, email, etc.), for enabling native IPv6 support as well as maintaining IPv4 as a transparent service.

  1. Work out how many customers (home+corporate) your network has, and your expected growth in the short-to-medium term. If the total is fewer than 50,000 customers, we recommend you request a /32 from your RIR, a /31 if you have up to 100,000 customers, a /30 for up to 200,000 customers, and so on. If you already have a /32 and have more than 50,000 customers, you can request an upgrade of your current prefix. To request your IPv6 prefix, you need to contact the RIR for your region: AfriNIC (Africa), APNIC (Asia-Pacific), ARIN (North America), LACNIC (Latin America) and RIPE NCC (Europe).
  2. Audit your network, as you need to know which equipment has the right IPv6 support, and which needs to be updated or replaced. It’s important to have a detailed inventory, from your upstream connections to the customer CPEs. If your vendors don’t provide the right support, you need to be pushing them for it as the market is big and free…
  3. Get professional training from companies that have demonstrable experience with IPv6 deployment in ISPs. IPv6 is not more difficult, but IPv4 and IPv6 are different: the difficulty can be changing your mindset, and it’s necessary to ‘unlearn’ IPv4 in order to correctly understand IPv6. It may be convenient to arrange a consultancy service together with the training. This may seem excessive, but it will save you a lot of time: the transition to IPv6 will become more important and urgent, and that time will cost much more in terms of business losses and problems with IPv4 than the cost of the training and consultancy.
  4. Confirm with your upstream providers that they have IPv6 support, enable BGP4+ with them, and do the same for CDNs, caches and IXPs. If the upstream providers don’t have IPv6 support, then you need to be looking for other partners. This part of your network must be dual-stack, but if there is no way to get dual-stack from one or more of your upstream providers, you may need to use a tunnel. This is typically provided using 6in4 (protocol 41, manually configured) or GRE, but you should consider this only as a temporary solution.
  5. Review your security policies. These should be equivalent to what you apply with IPv4, but remember, amongst other things, that you should not filter ICMPv6 the way you may filter ICMP in IPv4: IPv6 relies on it for Neighbor Discovery and Path MTU Discovery, so blocking it will prevent the correct flow of traffic across your network. Also review the IPv6 prefix filtering with your BGP peers; these policies are again conceptually equivalent to those for IPv4, but use a different protocol.
  6. Configure IPv6 support in all your monitoring systems. IPv6 has the same importance as IPv4, so any system that allows you to view traffic quality, quantity, stability, visibility of prefixes, etc., needs to support the same with IPv6.
  7. Now that you know the differences between IPv4 and IPv6, you’re ready to design your detailed addressing plan. This is the key to correct IPv6 deployment, and is very different from IPv4. For sure, you’ll need an IPAM (IP Address Management) device or tool, as it’s impossible to manage millions of IP addresses using the traditional text file or spreadsheet methods you used with IPv4.
  8. Deploy IPv6 in your core and distribution networks. Dual-stack is possibly sufficient in the first phase, but in the next phase it may be possible to remove IPv4 from certain parts of those networks so you can reuse the IPv4 addresses elsewhere.
  9. Start a small trial in your corporate network. Remember that /64 is the minimum for each LAN or VLAN, that the golden rule is to have dual-stack in the LAN/VLANs (even when using private IPv4 addresses), and that it is easier to use SLAAC and RDNSS. DHCPv6 is another option, but is usually unnecessary, and Android doesn’t support it. In this pilot phase it may be interesting to involve some of your corporate customers, even some residential ones, and you can use manual provisioning for just a few users.
  10. Prepare your access network as well as the provisioning system, and your billing systems may be affected too. It’s time to define which transition mechanism is the right one, and my recommendation is 464XLAT[1], at least for the residential customers and mobile networks. It’s also essential to have good support from the CPE vendors, and for provisioning it’s best to use DHCPv6-PD. Use the RIPE BCOP in order to understand how to number your customers.
  11. Configure PLAT (NAT64+DNS64) in your network. Don’t use CGN as it’ll bring more problems and higher costs (not only for the CGN itself, but also the logging systems). If you’ve got a mobile network with PLAT deployment and you’re setting up an IPv6-only APN, most smartphones and other 3G/LTE devices will already support this. Android and Windows devices come with the CLAT, whilst Apple/iOS devices only use the PLAT because all their apps are required to support IPv6.
  12. Update the CPEs, and try again with some customers once they’ve been updated, as this is the most critical and complex part of the process. Once done, you’re ready for your mass IPv6 activation (maybe in phases or regions, etc.) and you can make your commercial announcement!
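
The security-policy review in step 5 can be checked mechanically. The following is an added example, not part of the original guide: it audits a first-match filter policy against the ICMPv6 message types that RFC 4890 lists as must-not-drop, modelled at type granularity. The `Rule` format and both sample policies are constructed for illustration.

```python
"""Added example: audit an ICMPv6 filter policy (rule format is hypothetical)."""
from dataclasses import dataclass
from typing import Optional

# ICMPv6 types RFC 4890 says must not be dropped (transit and on-link traffic).
ESSENTIAL = {
    1: "Destination Unreachable",
    2: "Packet Too Big (Path MTU Discovery)",
    3: "Time Exceeded",
    4: "Parameter Problem",
    128: "Echo Request",
    129: "Echo Reply",
    133: "Router Solicitation (SLAAC)",
    134: "Router Advertisement (SLAAC, RDNSS)",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
}


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    proto: str                       # "icmpv6", "tcp", "any", ...
    icmp_type: Optional[int] = None  # None matches every ICMPv6 type


def verdict(rules, icmp_type, default="drop"):
    """First matching rule wins, as in most packet filters."""
    for rule in rules:
        if rule.proto not in ("icmpv6", "any"):
            continue
        if rule.icmp_type is None or rule.icmp_type == icmp_type:
            return rule.action
    return default


def broken_by(rules, default="drop"):
    """Essential ICMPv6 types that the policy does not accept."""
    return {t: name for t, name in ESSENTIAL.items()
            if verdict(rules, t, default) != "accept"}


# Constructed policy carried over from an IPv4 mindset: allow ping, drop the rest.
IPV4_HABIT = [
    Rule("accept", "icmpv6", 128),
    Rule("accept", "icmpv6", 129),
    Rule("drop", "icmpv6"),
]

# Constructed corrected policy: accept the essential types, then drop the rest.
CORRECTED = [Rule("accept", "icmpv6", t) for t in ESSENTIAL] + [Rule("drop", "icmpv6")]

if __name__ == "__main__":
    for label, policy in (("ipv4-habit", IPV4_HABIT), ("corrected", CORRECTED)):
        dropped = broken_by(policy)
        print(label, dropped if dropped else "no essential type dropped")
```

With the first policy, Packet Too Big and the Neighbor Discovery messages are dropped, which is the "prevents the correct flow of traffic" failure the step warns about.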

Your network is now ready for the future, and you can start considering how to profit from IPv6 through new services and applications. IoT is the key hint, but you’ll be sure to find other advantages.

[1] 464XLAT is one of the most recent transition mechanisms (and the most widely used one with millions of users in 3G/4G networks). It has the advantage of using IPv6-only in the access network so the ISP doesn’t require IPv4 addresses there, but provides private IPv4 addresses to the users (by means of the CLAT) so that devices and applications still work in a transparent manner.


NAT64check debuts at AFRINIC-25

AFRINIC-25 was held on 25-30 November 2016 in Flic-en-Flac, Mauritius and involved 240 participants from 48 countries. AFRINIC meetings are held twice per year and provide an opportunity for the African Internet community to come together to discuss governance, operational and infrastructure development issues, as well as attend training sessions that included IPv6, CERT management and network forensics on this occasion. The event was sponsored by Oracle, Mauritius Telecom, ICANN, SEACOM, ZA Central Registry, Rogers Capital, Emtel, Harel Mallac Technologies, along with the Internet Society.

Whilst much of the event was focused on policy and governance issues that are summarised on the AFRINIC-25 website, the Monday was set aside for technical presentations.

Our Deploy360 colleague Jan Žorž debuted a new presentation on NAT64/DNS64 experiments undertaken by Go6lab and IPv6-lab. As many mobile operators were moving to IPv6-only, which is incompatible with IPv4 on the wire, it’s necessary to employ transition mechanisms such as 464XLAT or NAT64. The Go6lab NAT64/DNS64 testbed was therefore established so that operators, service providers, and hardware and software vendors can see how their solutions work in these environments. This has already generated significant interest, and instructions on how to participate are available on the Go6lab website.

When using NAT64 there are many things that need to be checked to ensure they work correctly. NAT64check has therefore been developed to allow websites to be checked for consistency over IPv4, IPv6-only and NAT64, as well as to compare responsiveness using the different protocols. This allows network and system administrators to easily identify anything that is ‘broken’ and to pinpoint where the problems are occurring, thus allowing any non-IPv6 compatible elements on the website to be fixed. For example, even if a web server is not running IPv6 (why not?), hardcoded IPv4 addresses can cause NAT64 to fail.
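
Why hardcoded IPv4 addresses break behind NAT64+DNS64 (the PLAT of step 11 in the guide above), as an added example that is not NAT64check's own code: DNS64 can only synthesise an IPv6 address when the client looks up a name, so a URL with an IPv4 literal never reaches the translator unless the client has a CLAT. The sketch assumes the RFC 6052 well-known prefix `64:ff9b::/96`; the HTML sample and function names are constructed.

```python
"""Added example: find page resources that bypass DNS64 (sample data constructed)."""
import ipaddress
import re
from urllib.parse import urlsplit

WKP = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 well-known NAT64 prefix


def synthesize(ipv4, prefix=WKP):
    """AAAA a DNS64 resolver would return for an A record (only /96 prefixes)."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    # For a /96 prefix the IPv4 address occupies the low 32 bits.
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


URL_ATTR = re.compile(r"""(?:src|href|action)\s*=\s*["']([^"']+)["']""", re.I)


def ipv4_literal_urls(html):
    """URLs in src/href/action attributes whose host is an IPv4 literal."""
    hits = []
    for url in URL_ATTR.findall(html):
        host = urlsplit(url).hostname
        if host is None:          # relative URL: inherits the page's own host
            continue
        try:
            ipaddress.IPv4Address(host)
        except ValueError:        # a DNS name or an IPv6 literal
            continue
        hits.append(url)
    return hits


# Constructed sample page using documentation addresses (RFC 5737).
SAMPLE_HTML = """
<html><head><link href="/css/site.css" rel="stylesheet"></head>
<body><img src="http://192.0.2.10/img/logo.png">
<script src="https://cdn.example.net/app.js"></script>
<a href="http://198.51.100.7:8080/status">status</a></body></html>
"""

if __name__ == "__main__":
    # A name that resolves to 192.0.2.33 is reachable via the synthesised address.
    print("DNS64 answer for A 192.0.2.33:", synthesize("192.0.2.33"))
    for url in ipv4_literal_urls(SAMPLE_HTML):
        print("bypasses DNS64, fails for IPv6-only clients without CLAT:", url)
```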

There was also an interesting network measurement related presentation from Amreesh Phokeer (AfriNIC) and Agustín Formoso (LACNIC). The aim was to gain a good overview of the state of network connectivity in Africa and how it compared between the different sub-regions of the continent. 850 Speedchecker probes in different vantage points were used to collect data on 308 unique Autonomous Systems, which revealed there were four distinct clusters of connectivity within Africa. East and Southern Africa appeared well connected, with Northern Africa forming another reasonably well connected cluster. The situation was more variable in Western Africa, with poor connectivity in the centre of the continent. Within countries themselves, latency varied quite widely – for example in Zimbabwe, Gabon and Mauritius latency was in the 15-20ms range, whereas in Cameroon, Sierra Leone and DR Congo it was significantly worse at between 287 and 363ms.

On a related note, Gareth Tyson (Queen Mary University of London) discussed plans for an African Internet Measurement Observatory. The Internet in Africa is evolving fast and it is difficult to get a good picture of the status quo, as well as predict growth for planning and business case purposes. For example, where are the best locations to place web servers, cloud servers and other services, where should ISPs peer and with whom, and what sort of access do users have? The AIMO project was therefore looking to build a configurable measurement platform based on the BISmark platform which would allow participants to share and analyse data based on user-definable metrics. A prototype was being built, and they were applying for funding to deploy this more widely.

In case you still haven’t heard it yet, ICANN will be rolling the Root Zone DNSSEC Key Signing Key in 2017. This time the honours fell to Subramanian Moonesamy to present the plans that we previously discussed in our reports from RIPE 73 and ENOG 12.

Finally on the IPv6 front, Alain Durand (ICANN) reprised his analysis of IPv6 as related to GDP per capita which we also covered in a previous blog. This correlates IPv6 deployment data from APNIC Labs and the Akamai State-of-the-Internet report with GDP per capita data from the World Bank, to see whether more affluent economies are more likely to deploy IPv6 than developing economies.

Recordings of the presentations are also available on the AFRINIC-25 website.


Is RPKI ready to ROA?

It’s worth drawing attention to the Study and Measurements of the RPKI Deployment. This is a recently published thesis analysing the deployment of RPKI and the quality of the data, but is also worth reading for its comprehensive documentation of routing incidents, the problems they can cause, and mitigation measures that can be implemented.

The analysis reveals that the global percentage of IPv4 address space covered by a Route Origin Authorisation (ROA) was 6.03% in September 2015, although this figure varies widely between the RIR regions. The RIPE NCC and LACNIC lead the way with 18.67% and 13.87% respectively, AfriNIC comes close to the average at 5.31%, but ARIN registers just 1.98% and APNIC is even further behind with just 0.40%.

Perhaps more interestingly though, an authentication analysis undertaken between March 2012 and September 2014 revealed issues with the registration of many RPKI resources, as well as a couple of RIR repositories. However, whilst the percentage of invalid RPKI-covered prefixes in 2012 was as high as 21%, this progressively dropped to just over 7% by September 2015, which indicates a decrease in problems as RPKI deployment has risen.

It’s also interesting to note that even where invalid prefixes were found, most of them were covered by another valid or not found prefix. This suggests that dropping invalid prefixes from the routing table may be less problematic than previously thought by network operators.
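
The coverage observation above can be made concrete with route origin validation as defined in RFC 6811. This is an added example, not taken from the thesis: it classifies announcements as valid, invalid or not-found against a set of validated ROA payloads, then checks whether each invalid route would still be reachable through a covering route if it were dropped. All prefixes and AS numbers are constructed from documentation ranges.

```python
"""Added example: RFC 6811 origin validation plus a drop-impact check."""
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):            # validated ROA payload
    prefix: ipaddress.IPv4Network
    max_len: int
    asn: int


class Route(NamedTuple):          # BGP announcement: prefix and origin AS
    prefix: ipaddress.IPv4Network
    origin: int


def validate(route, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    covered = False
    for v in vrps:
        if route.prefix.subnet_of(v.prefix):
            covered = True
            if v.asn == route.origin and route.prefix.prefixlen <= v.max_len:
                return "valid"
    return "invalid" if covered else "not-found"


def fallback_routes(route, table, vrps):
    """Non-invalid routes that still cover route.prefix if route is dropped."""
    return [r for r in table
            if r != route
            and route.prefix.subnet_of(r.prefix)
            and validate(r, vrps) != "invalid"]


def report(table, vrps):
    """(prefix, origin, state, still reachable after dropping invalids)."""
    rows = []
    for r in table:
        state = validate(r, vrps)
        reachable = state != "invalid" or bool(fallback_routes(r, table, vrps))
        rows.append((str(r.prefix), r.origin, state, reachable))
    return rows


net = ipaddress.IPv4Network
# Constructed ROAs and routing table (RFC 5737 prefixes, RFC 5398 AS numbers).
VRPS = [VRP(net("198.51.100.0/24"), 24, 64500),
        VRP(net("203.0.113.0/24"), 24, 64501)]
TABLE = [Route(net("198.51.100.0/24"), 64500),    # matches its ROA
         Route(net("198.51.100.128/25"), 64500),  # longer than maxLength
         Route(net("203.0.113.0/24"), 64511),     # wrong origin AS
         Route(net("192.0.2.0/24"), 64502)]       # no ROA covers it

if __name__ == "__main__":
    for row in report(TABLE, VRPS):
        print(row)
```

The too-specific /25 is invalid but remains reachable through the valid /24, while the wrong-origin /24 has no fallback: only the second kind loses connectivity when invalids are dropped.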

More Information

For more information on Securing BGP, please do look at our Start Here page to understand how you can get started transitioning your networks.


It's A Wrap: AFRINIC-21

As you may know, the AFRINIC-21 meeting was held in Ebene, Mauritius, from 22 to 28 November 2014 under the theme “AFRINIC-21: A Decade of Open and Community-Driven Number Resource Management in Africa”.

Attended by more than 255 participants, the different meetings held under AFRINIC-21 provided a unique opportunity for Internet-related individuals and organizations to get together and talk about the policies governing Internet number resource distribution in the African region while enhancing their technical knowledge through attending workshops and tutorials.

The event was also a good occasion for Internet Society, which was represented by Dawit Bekele, Kevin Chege and Jan Zorz, to participate in various meetings and discussions including the African Government Working Group (AfGWG) where the IANA Stewardship Transition process was presented and discussed with various participants from African governments.

ISOC’s presented the latest on the:

You can find these and the other presentations made at AfriNIC here

This year AfriNIC’s meeting was quite special since it was the last one before the founding CEO, Adiel Akplogan, leaves his position. During the meeting Adiel received much recognition from the community for his contribution in establishing and growing AFRINIC over the last 10 years. Adiel will be leaving AFRINIC at the beginning of 2015.

Get more information at:

AfriNIC meeting in Mauritius starts on Wednesday

Operators and LIRs are meeting at the AFRINIC-21 meeting in Mauritius, again to discuss the important topics of Internet development on the African continent. Currently the workshops are underway – DNSSEC training, IPv6 for Engineers, Anycast DNS, IXP and so on – all interesting topics. The opening ceremony starts on Wednesday, followed by the AfricaCert CyberSecurity day. On Thursday the day starts with the ICANN Panel, continues with the IANA oversight topic and technical presentations, where Douglas Onyango and myself will talk about BCOP developments in Africa and around the world.

Friday is packed with policy discussions throughout the day, finishing at 7pm with NRO NC/ICANN ASO/AC Elections.

If you are at the meeting, come and find me and let’s talk!

If you can’t be here, remote participation with video webcasting will appear on RP page.

 


Building cross-border Internet interconnection in the Eastern Africa Region

By Michuki Mwangi and Betel Hailu

The Internet Society, in partnership with AfriNIC, successfully conducted the inauguration of the Regional Internet Exchange Point (RIXP) and Regional Internet Carrier (RIC) best practice workshop under the AXIS Project, from 26-30 May 2014 in Kigali, Rwanda. The workshop was organized by the African Union Commission (AUC) in collaboration with the Inter-Governmental Authority (IGAD), East African Community, East African Communications Organization (EACO), Ministry of Youth and ICT and the Rwanda Utilities Regulatory Agency (RURA).

Workshop

The five-day workshop is a strategic follow-up of the agreement made between the AUC and the Internet Society under the AXIS project to conduct capacity building workshops in each of the five AUC geographical regions. This is the second workshop in the series. The first workshop for the Southern Africa region took place from 3 – 7 February 2014, in Gaborone, Botswana.

This AUC-led Eastern Africa RIXP and RIC Workshop aimed at fostering stakeholder discussions to support National Internet Exchange Points and Internet Service Providers to grow and become Regional Internet Exchange Points and Regional Internet Carriers to promote intra-Africa Internet traffic.

Attendees at the workshop included more than 70 delegates from the Ministries responsible for ICT, Regulators, Internet Exchange Points (IXPs), Internet Service Providers (ISPs) and Telecommunication Operators of the following Member States of the Eastern Africa Region of the African Union: Burundi, Comoros, Djibouti, Eritrea, Ethiopia, Kenya, Rwanda, Somalia, South Sudan, Sudan, Tanzania and Uganda.

The workshop was facilitated by Mr. Mike Jensen (ICT policy consultant), Mr. Samuel Triolet (expert from Lyon-IX), and Mr. Michuki Mwangi (expert from ISOC). The participants also benefited from special guest speakers from Teraco and AfriNIC who presented on Data Centre Infrastructure and IPv6 resources, respectively.

The Internet Society would like to thank AfriNIC, Lyon-IX and Teraco for their continued support on the delivery of AXIS Regional IXP and Regional Internet Carriers workshops.

Workshop Summary and Outcomes

Welcome Remarks

Mr. Jean Baptise Mutabazi, Director General of RURA, Mr. Godliving Kessy, Executive Secretary of EACO, Mr. Moctar Yedaly, Head of Information Society Division African Union Commission and Hon. Jean Philibert Nsengimana, Minister for Youth and ICT of Rwanda made welcome remarks. In his opening remarks, Hon. Nsengimana reiterated the need to have statistical data on tromboning Internet traffic in Africa. He challenged the Internet Society to consider commissioning such a study.

Regional Internet Carriers (RICs) Conclusions

After exhaustive discussions, the participants approved the description of Regional Internet carriers in the context of the AXIS project as “an Internet Service Provider that spans across more than one IXP in different countries and/or at least one national border in the region.” The participants also approved the proposal to establish a multi-stakeholder task force that will identify the key policy priorities that need to be implemented to facilitate the growth of national ISPs to become regional Internet carriers. In addition, the participants approved the proposed guiding criteria to select national ISPs that would receive capacity building and mentorship to enable them to grow into regional carriers, with the support from the African Union AXIS program.

Regional Internet Exchange Point (RIXP) Conclusions

Following extensive discussions, the participants approved the description of Regional Internet Exchange points in the context of the AXIS project as “a regional IXP is an IXP, where traffic between at least two other countries, in the same region, is exchanged via public or private peering.” The participants further approved the proposed guiding criteria for selecting IXPs that will receive grant support to grow and become regional IXPs from the African Union AXIS program.

Closing Remarks

Mr. Simon Mbugua ICT Specialist at IGAD, Mr. Hodge Semakula CEO of EACO and Mr. Moctar Yedaly, Head of Information Society Division African Union Commission gave the closing remarks.

Site Visit

After the workshop, the participants were treated to a site visit of the Rwanda Internet Exchange Point (RINEX) and the Kigali innovation Lab (K-lab).


Second Free IPv6 Webinar Tomorrow (Weds) – IPv6 Transition Technologies

If you missed today’s IPv6 webinar sponsored by AFRINIC, you still have a chance to join in tomorrow when the focus will be primarily on “IPv6 transition technologies” and how you can connect your network to IPv6. More information and the registration link can be found here:

http://www.afrinic.net/en/library/news/946-ipv6-webinar

Tomorrow’s session starts again at 13:00 UTC (15:00 CEST in much of Europe and 09:00 US Eastern) and will pick up where today’s session ended. I’ll be reviewing IPv6 Address Planning and then AFRINIC’s Hisham Ibrahim will pick up discussing various IPv6 transition technologies:

13:00 – 13:20 How to plan IPv6 resources (sub-netting & nibble boundaries) part 2
13:20 – 13:35 Dual Stack
13:25 – 13:35 Tunneling (manual and static)
13:35 – 13:55 Translation
13:55 – 14:10 Questions/Answers

The webinar is free but you need to register to get access to the event.

In today’s session, Hisham started out with a brief review of the status of IPv6 in Africa. The image in this post is an example of the information he posted – in this case it was showing requests for allocations of IPv6 addresses from across Africa.  After that my Internet Society colleague Kevin Chege began with the basics of IPv6 addresses as well as the different types of addresses.  I then followed with a lengthy discussion of the kinds of things to think about when coming up with an IPv6 address plan and gave a number of examples.   I’ll be reviewing that tomorrow  and then speaking a bit more about IPv6 address planning at an ISP level.

If you missed today’s sessions, both the slides and the recordings of the sessions will be made available in the next week.  I’ll post information back here when they are online.

Today was an enjoyable event and I’m expecting tomorrow to be even more so given that transition technologies are typically among the topics people have the most interest in and questions about. I hope to see you there!

 


Free “Learning IPv6” Webinars TOMORROW (on Sept 24/25) Sponsored by AFRINIC and ISOC – Sign Up Now!

Want to learn about IPv6? Would you like to know more about how IPv6 works, the basics of IPv6 addressing as well as what transition mechanisms are available to help move from IPv4 to IPv6?

If so, you can take part in a set of two free webinars happening tomorrow, Tuesday, September 24, 2013, and then Wednesday, September 25.  The webinars start at 13:00 UTC  (15:00 in much of Europe (CEST) and 9:00 in US Eastern) and more information is at:

http://www.afrinic.net/en/library/news/946-ipv6-webinar

Our friends at AFRINIC have worked with the Internet Society regional staff in Africa and also France Telecom – Orange to create this series of webinars.  The first set in French already took place on September 10 and 11.  The English versions start tomorrow.   While there is some content related to Africa at the very beginning, the majority of the session is about IPv6 in general and the organizers said they would welcome anyone who is interested in attending from anywhere in the world.  As noted on the page I linked to above, the course plan is:

Webinar themes on 24 September

13:00 – 13:05 Overview of where Africa is on IPv4 and IPv6 use
13:05 – 13:25 IPv6 address basics – notation and representation
13:25 – 13:35 IPv6 addressing types
13:35 – 13:55 How to plan for IPv6 resources (sub-netting and nibble boundaries) part 1
13:55 – 14:10 Questions/Answers

Webinar themes on 25 September

13:00 – 13:20 How to plan IPv6 resources (sub-netting & nibble boundaries) part 2
13:20 – 13:35 Dual Stack
13:25 – 13:35 Tunneling (manual and static)
13:35 – 13:55 Translation
13:55 – 14:10 Questions/Answers

If you would like to attend these sessions, YOU NEED TO REGISTER TO ATTEND THESE WEBINARS! The links to register can be found on the page on AfriNIC’s site.  Note that you need to register for each day individually, i.e. if you want to go to both days you need to register for both days separately.

Thanks to the teams at AFRINIC, the Internet Society’s Africa Regional Bureau and France Telecom – Orange for making these webinars available for free.  We’re looking forward to seeing how these help more people within the African region (and anyone who attends from elsewhere) get started with IPv6!

P.S. In full disclosure I’ll also mention that I’ll be one of the presenters during the webinars talking about part of IPv6 addressing.


IP Best Current Operational Practices (IPBCOP) Project Launches New Website

Are you looking for “best practices” within the operations community?  If so, our friends over at the IP Best Current Operational Practices (IPBCOP) effort have just launched a new website to help make their information more accessible and available. The IPBCOP project, led by Aaron Hughes and Richard Donaldson, emerged out of a series of operator meetings such as NANOG where it became clear that a need existed to collect operational best practices within the operator community and capture those in a series of documents and templates that others can use.

The project has been working via a mailing list for the past while and currently has three drafts under active consideration:

More drafts are in development and a BCOP template is available for those interested in submitting their own best practices document for consideration.  The IPBCOP project is very much a community effort and all communication really happens through their mailing list, which is open for anyone interested to join.  You can also connect with IPBCOP on Twitter, Facebook and Google+.

We think this is a great effort that will only help the operations community move forward with technologies like IPv6 and we encourage you all to check it out and if possible get involved!