Deploy360 IPv6

NAT64check proves popular

We’ve already mentioned this a few times this year, but we’ve just published an more in-depth article about NAT64check over on the RIPE Labs and APNIC websites.

NAT64check is a tool developed by the Internet Society, Go6, SJM Steffann and Simply Understand that allows you to enter the URL of a particular website, and then run tests over IPv4, IPv6 and NAT64 in order to check whether the website is actually reachable in each case, whether identical web pages are returned, and whether all the resources such as images, stylesheets and scripts load correctly. The rationale behind NAT64check is also explained, how it works, and how you can use it.

If you just want to take a look at the tool, then please go to either or, type the URL you wish to check into the box at the top of the page, and the result should be returned within a few seconds. It’s simple and easy, and will help you identify what needs to be done to make your website accessible with IPv6.

Deploy360 also want to help you deploy IPv6, so please take a look at our Start Here page to learn more.


Deploy360 IPv6

How RIPE are you for IPv6?

The RIPE NCC has just published its latest report on IPv6 RIPEness for 2017. Since 2010, its IPv6 RIPEness project has rated how prepared Local Internet Registries (LIRs) in the RIPE Service Region are for IPv6 deployment, and awards up to 5 stars if they fulfil particular criteria. This system is explained more in an older post on the RIPE Labs website.

By virtually all measures, IPv6 deployment increased significantly during 2016, so you’d also expect this to be reflected in the RIPEness rating of the RIPE LIRs. In fact, the figures show the percentage of LIRs with a 4-star rating to have increased from 8% in 2010 to 20% in 2017, which translates to 2,412 LIRs having becoming fully IPv6 capable in principle. However, a 4-star rating does not actually indicate that IPv6 has been deployed, which is a requirement for the full 5-star rating.

The RIPE community agreed that a 16% deployment threshold would be required for 5-stars in 2016, but this would be increased each year. So for 2017 the threshold has been increased to 32%, based on several measurements of access and content networks. The measurements being used are the APNIC IPv6 Measurement System using Google Ads, the Alexa Top 1 million websites, and Cisco’s alternative Umbrella 1M.

Whilst these different measurements tend to focus on different providers, they collectively indicate that a total of 7,075 LIRs have IPv6 deployed to some extent, representing nearly 47% of the total. And 4.3% of LIRs meet or exceed the 32% threshold required for a 5-star rating, which compared to 5.6% of those meeting the former 16% threshold in 2016, demonstrates the ongoing commitment to IPv6 deployment.

This is quite positive news, although it still needs to be pointed out that 3,829 LIRs (or 24%) of the total still have no IPv6 capability whatsoever, and over 50% of LIRs have apparently not deployed IPv6 in production.

So if you haven’t already done so, we’d like to join with the RIPE NCC in encouraging you to make the inevitable step to IPv6 sooner rather than later. Deploy360 is here to help, and you can take a look at our Start Here page to understand how you can get started with IPv6.



Deploy360 Domain Name System Security Extensions (DNSSEC)

DNSSEC Algorithm Roll-over

ripelabs_128RIPE Labs have just published an interesting article about their experiences of rolling over the algorithm used to sign a DNSSEC zone. The RIPE NCC was one of the first organisations to sign its zones with DNSSEC which meant using RSA/SHA1 as this was the only defined algorithm at the time.

In recent years it’s been demonstrated that SHA1 has certain vulnerabilities which is why RFC 5072 standardised the use of SHA2, even though many validators did not support it at the time. Since then, SHA2 has has become better supported by validators, and this combined with the fact that the root zone is now signed with SHA2, was the reason for the RIPE NCC to roll over the ‘’ domain to the stronger algorithm.

This proved less than straightforward as firstly their original signer software could only sign the zone with either SHA1 or SHA2 but not both. A new version of the signer was therefore required, but after setting up a test system and introducing SHA2, it became apparent that BIND and Google DNS were able to validate the zone, whereas Unbound and Verisign DNS did not.

Further investigation traced this to the use of separate Zone Signing Keys (ZSKs) and Key Signing Keys (KSKs) and expectation of some validators that the algorithm signalled by the Delegation Signer (DS) record is used to sign all records in the zone. This is a more strict interpretation of RFC 6840, and whilst the latest version Unbound does now have an option to relax this validation requirement, implementors should be aware of this issue.

The recommendation of RIPE Labs is that the KSK and ZSK should be rolled at the same time, and the old ZSK should not be withdrawn until the KSK roll-over is complete. NLnet Labs have also published an article on rolling DNSSEC algorithms on OpenDNSSEC as the current version of OpenDNSSEC does not directly support this.


IPv6 To archive

RIPE Labs – Internet Tools, Ideas, and Statistics

Editor’s Note: This is a guest post by Mirjam Kuehne from the RIPE NCC. We cover RIPE Labs content on Deploy360 regularly, so we thought we’d give Mirjam a chance to explain what RIPE Labs are all about and how to get more out of the site. 

How did hurricane Sandy affect the Internet? How much filtering is still going on in previously reserved IPv4 address space? How many IPv6 prefixes are announced per country? You can find answers to all these questions on RIPE Labs.

RIPE Labs is a website maintained by the RIPE NCC that serves as a platform for network operators, researchers and developers to expose and discuss Internet-related tools, ideas and analyses. It is a place to keep up to date about technical developments, announce your latest results, share comments or start a discussion.

The RIPE NCC uses RIPE Labs to propose new services, describe prototypes of new tools, and announce new functionality of existing tools and services. In this way, the Internet community can get involved early on in the process and provide us with feedback and direction. RIPE Labs provides regular updates on the wide range activities we are currently involved with, from the development of RIPE Atlas and RIPEstat, to our involvement in Internet governance. Some of these projects are featured on separate pages so you can follow the developments and updates more easily (e.g. RIPE Database, RIPEstat, RIPE Atlas).

Stats-DashboardRIPE Labs also contains timely analyses, such as the impact of certain events on the Internet. During the Olympics and other sport events, we teamed up with Euro-IX and published a series of graphs that showed the change in traffic for IXPs during such events. Another example was superstorm Sandy, when we used RIPE Atlas to analyse the way traffic was rerouted once the storm made landfall. (

RIPE Labs is also used by external contributors to present their ideas or any tools that might be of use to others in the community. A recent example is the announcement of an IPv6 toolkit.

Providing statistics and analyses of the data the RIPE NCC maintains is an important part of RIPE Labs. Now all of these different graphs and statistics are in one place, the Statistics Dashboard: There you can find the most up-to-date number of RIPE NCC members, statistics on IPv6 deployment in our service region, country-specific graphs, and much more. Some of these statistics are also highlighted on the homepage of RIPE Labs.

In the coming year, we are planning to expand the Statistics Dashboard and will continue to add graphs. We also plan to make it easier to provide feedback to the RIPE NCC, for example by running short polls and by frequently updating and publishing a roadmap for all our technical projects that are still under development.

If you would like to see any specific statistics or any other topics covered on RIPE Labs, please do not hesitate to contact us at labs [at] ripe [dot] net. We are looking forward to your ideas and suggestions.