Categories
Deploy360

SINOG 4.0 sheds light on the dark side of IPv6

The 4th meeting of the Slovenian Network Operators’ Group, organised by Go6, ARNES and LTFE, was held on 23-24 May 2017 at the Brdo Technology Park in Ljubljana. The event was co-sponsored by the Internet Society and attended by 119 participants, and was held over two days for the first time.

The first day was devoted to IPv6 issues and is intended to replace the Slovenian IPv6 Summit. It’s felt that IPv6 is now sufficiently mainstream that the focus should be on operational issues rather than advocacy, hence the reason for incorporating it into the SINOG meeting itself. For the first time, it featured a panel on ‘The Dark Side of the IPv6 Moon…’ to discuss some of the challenges of deploying IPv6 and how these can be addressed.

Setting the scene, though, was the keynote provided by Ole Trøan (Cisco), who’s a Co-Chair of the IETF IPv6 Maintenance Working Group. He provided some interesting background on why IPv6 was designed, the reasons for particular architectural choices, and why particular compromises were made. For example, IPv6 was not made backwardly compatible with IPv4 because IPv4 did not offer any opportunity for forward compatibility, and many inefficient workarounds had needed to be implemented with IPv4 in order to make the Internet work as originally intended.

Whilst the primary aim of IPv6 was to vastly increase the available address space, it also aimed to simplify the evolution of how the Internet was supported, such as having fixed-sized headers with extension possibilities rather than IPv4 options, and putting host configuration into the network layer. At the same time though, the aim was to limit changes on the network layers whilst allowing transport protocols to remain unchanged.

However, there are many players involved in the Internet with interests directly at odds with each other, and the technical architecture needs to be flexible enough to support them whilst retaining the ability to support new applications. This is the reason why compromises ended up being made with address length, extension headers and host configuration, although with hindsight other design choices might have been made.

Nevertheless, the fact remained that IPv4 addresses were facing exhaustion and technical kludges were increasingly having to be used to eke them out further. IPv6 was a functional protocol and was increasingly becoming available as a native transport service, so whilst uptake in Slovenia was a bit low at 6.8% (according to APNIC Labs), it had substantially increased over the past year, which supported the assertion that there were no reasons not to deploy it.

Christian Teuschel (RIPE NCC) followed up with some observations about IPv6 routing in Slovenia. The RIPEness IPv6 project rates how prepared Local Internet Registries (LIRs) in the RIPE Service Region are for IPv6 deployment, and awards up to 5 stars if they fulfil particular criteria. Of the 60 LIRs registered in Slovenia, 6 qualify for the 5-star rating by providing access or content via IPv6, with another 33% qualifying for 4 stars, 27% qualifying for 3 stars, and just 5% having no IPv6 capability.

Slovenia should therefore be well placed with its support for IPv6, although most IPv6 traffic appears to stay local, and there are fewer than half the number of unique AS paths via IPv6 compared to IPv4, of which 79% are via SIX-SI. The use of 6to4 tunnels creates some long RTTs, and there appear to be just three native IPv6 paths, all running via DE-CIX. This is obviously an area for improvement, although if you read Slovenian, you might want to read about Telekom Slovenije’s efforts to deploy IPv6 in the country, presented by Saša Žbontar (Telekom Slovenije).

Next up was ‘Why IPv6 Security Is So Hard’, which was presented by Ivan Pepelnjak (ipSpace) on behalf of Enno Rey (ERNW). We previously highlighted this in a RIPE 74 blog, but it covers the perceived failures with IETF IPv6 standards and offers some suggestions as to how operational practices can be improved.

Our colleague Jan Žorž followed up with some results from the NAT64/DNS64 testing being undertaken by the Go6lab and supported by the Internet Society. The NAT64check tool enables websites to be checked for consistency over IPv4, IPv6-only and NAT64, as well as to compare responsiveness using the different protocols. This allows network and system administrators to easily identify anything that is ‘broken’ and to pinpoint where the problems are occurring, thus allowing any non-IPv6 compatible elements on the website to be fixed.

And so to the main event, the ‘The Dark Side of the IPv6 Moon…’ panel chaired by Jan and featuring Ole Trøan (Cisco), Job Snijders (NTT), Ivan Pepelnjak (ipSpace) and Kevin Meynell (Internet Society). The focus was on the deployment and operational consequences of the IPv6 architectural and standardisation decisions, and the real-world challenges of using IPv6 in production networks.

It might seem a bit strange to be highlighting problems and issues with IPv6 whilst at the same time advocating its use, but the case for IPv6 is now well established and the protocol is sufficiently widely deployed that it’s reasonable to air this discussion. It should also not be forgotten that there are issues with deploying IPv4 as well, but it’s just better understood how to work around these, and in many cases IPv6 can improve this situation.

The Deploy360 involvement didn’t end there. Jan presented the recently published BCOP on IPv6 prefix assignment for end-users which aims to provide guidance to ISPs as to what size IPv6 prefixes should be assigned to customers, when to choose static or dynamic assignment, and whether a /48 or /56 should be assigned to a particular customer.

Kevin meanwhile presented on ‘Two Good Years of MANRS’, which is the routing security initiative defining four concrete actions that network operators should implement to promote a culture of collaborative responsibility, and the next steps to develop a MANRS certification programme as well as partnerships with IXPs.

Although not Deploy360-related, you might also want to check out some of the other excellent presentations over the two days. Ole Trøan gave a presentation about his day job which is developing VPP – The Universal Fast Dataplane, Alexander Holzer (NextGen Firewalls) covered Large Scale Firewall management, whilst Job Snijders (NTT Communications) explained the problem of Large BGP communities, the recent RFC 8092 that aims to address this, and provided some information on how to get started.

Be sure though to check out the presentation on securing network automation from Ivan Pepelnjak who always provides excellent value, and on LibreNMS from Uroš Berglez (FERI MB).

So that’s it from Ljubljana for this year, but all the presentations and videos of the talks can be found on the SINOG website. If you’re inspired to deploy IPv6 after this, then please take a look at our Start Here page to understand how you can get started.

SINOG 3.0 in Ljubljana

The 3rd meeting of the Slovenian Network Operators’ Group, organised by Go6, ARNES and LTFE, was held on 22 June 2016 at the Brdo Technology Park in Ljubljana. This was held the day after the Slovenian IPv6 Summit and was co-sponsored by the Internet Society, attracting another good audience of around 110 participants.

The keynote was provided by Ivan Pepelnjak (ipSpace) who continued the theme of network automation whereby any well-defined repeatable task can be automated. This is commonly applied to device and service provisioning, as well as VLANs, ACLs and firewall rules, but it can also be used for troubleshooting, consistency checks, routing and failure remediation.

Ivan went on to discuss the tools for automated network and service provisioning such as Chef and Puppet, along with automation frameworks such as Ansible, and workflow tools such as Gerrit and Jenkins. Network remediation, though, was the holy grail of automation, whereby networks could identify faults or degraded performance and have the ability to fix themselves. Nevertheless, scenarios need to be avoided whereby effort is expended on improving automation, but additional time then ends up being spent on debugging, rethinking and improving the code, to the detriment of the original labour-saving reason for doing it.

Anand Buddhdev (RIPE NCC) continued the automation theme with his overview of Ansible. This is an open source software platform written in Python for configuring and managing multiple Linux and Windows computers that combines multi-node software deployment, ad-hoc task execution, and configuration management. It utilises a controlling machine, with nodes being managed over SSH using modules that communicate through a JSON protocol.

The RIPE NCC was using it to automate tasks on 585 hosts using a series of ‘playbooks’ written in YAML that provide data-oriented but human-readable scripts defining the necessary tasks. It’s a lightweight yet powerful framework which is well documented on the Ansible website. Following the SINOG meeting, Uroš Bajželj also ran a hands-on workshop for those interested in using Ansible.

Tit Petrič and Marko Ambrož went on to discuss the Docker software containerisation platform. This essentially allows a piece of software to run in a complete filesystem that contains the necessary code, executables, system tools and system libraries, and thereby ensures it will run the same regardless of environment. However, Docker containers differ from virtual machines in that they share the same operating system kernel and resources, which allows them to make more efficient use of memory and disk resources. Docker containers are based on open standards, enabling containers to run on all major Linux distributions and Microsoft Windows, whilst isolating applications from each other and the underlying infrastructure and providing an added layer of protection.

There was an interesting presentation on the security implications of the Internet-of-Things from Milan Gabor (Viris). This focused on the vulnerabilities of devices in industrial control systems, vehicles, unmanned aerial vehicles and retail applications, which often involve a multiplicity of hardware architectures, operating systems and protocols in often closed systems. There were already examples of everyday ‘intelligent’ systems being hacked such as electronic door locks, toilets, baby monitors and smart lightbulbs, as well as bigger infrastructure that included nuclear reactors and power grids. This leads to the issue of how to secure things that you can’t update, and the ongoing implications of this.

Also worth checking out was the LTE in Public Safety presentation from Maurizio Moroni (Cisco), who discussed the evolution of incompatible narrowband transmission systems used by different public safety organisations (e.g. police, fire and rescue, medical and security services) towards using common LTE-based data services. Whilst this is expected to take a number of years, LTE can offer better use of existing public infrastructure, improved interoperability and quality of service, as well as the ability to use data communication as well as voice.

Finally, for those interested in network traffic telemetry, Paolo Lucente (pmacct) discussed pmacct. This is open source software that correlates different data sources including BGP, BMP and IGP and builds multiple views of network traffic for analytic, modelling or forensic purposes, and which can be sent to message brokers. However, this was somewhat hampered by the availability of data and a lack of standardised mechanisms for collecting and aggregating it. He therefore appealed for network operators to take more of an interest in supporting this initiative, as it had great potential for traffic engineering, capacity planning, peering and security.

All the presentations from the meeting can be found on the SINOG website.