Large-scale address sharing issues

‘There must be some way out of here,’ said the joker to the thief.
Bob Dylan




Mat Ford
Irish IPv6 Summit 2010, Dublin

Address sharing


[Diagram; labels: @, @, @, ISP, Internet]



2010-05-19         Irish IPv6 Summit 2010       2
Large-scale address sharing




[Diagram; labels: @, ISP, Internet]



Address Sharing
   • Current practice: give a unique IPv4 public
     address to each subscriber
       – this address can be shared into the residential/office
         LAN through a NAPT device (in the CPE)
   • Once the IPv4 free pool is fully allocated, this is no
     longer possible for new subscribers
       – Scalability of RFC 1918 space is also creating problems
   • A possible solution: allocate the same IPv4 public
     address to several subscribers at the same time
       – this is what we call large-scale address sharing




Port multiplexing
• Q: How is it possible to differentiate between multiple
  subscribers all sharing a single address?
• A: Use the transport layer port field to multiplex




Background
• Long tail of subscribers requiring more than the median
  number of ports




                 Source: http://www.wand.net.nz/~salcock/someisp/flow_counting/result_page.html
30 ports




                                      Slide credit: Shin Miyakawa


20 ports




                                      Slide credit: Shin Miyakawa


15 ports




                                      Slide credit: Shin Miyakawa


5 ports




                                      Slide credit: Shin Miyakawa


It’s your problem now
• Introduction of large-scale address sharing creates
  potentially serious issues for third parties:
    –   Some applications will fail to operate
    –   Reverse DNS will be affected
    –   Inbound ICMP will fail in many cases
    –   Amplification of security issues
    –   Service usage monitoring and abuse logging will be impacted
    –   Penalty boxes will no longer work
    –   Spam blacklisting will be affected
    –   Geo-location and geo-proximity mechanisms will be impacted
    –   Load balancing algorithms may be impacted
    –   Authentication mechanisms may be impacted
    –   Traceability of network usage and abusage will be affected




Impact on applications
• Breaks applications that
    – Establish inbound communications
    – Carry address and/or port information in their
      payload
    – Use fixed ports
    – Do not use any port (ICMP)
    – Assume uniqueness of source address
    – Explicitly prohibit concurrent connections from
      identical addresses


ICMP
• ICMP is problematic for address sharing mechanisms as it
  does not carry any port information
• Responses to outbound ICMP can be handled relatively
  easily
• Inbound ICMP sourced off-net will not be routable
• ICMP attacks
    – Malicious user could send Packet Too Big, reducing the MTU
      to 68 octets
    – Value will be cached by server for all subscribers sharing the IP of
      the malicious user
    – Could lead to a DoS condition for the server and the NAT




Geo-proximity, geo-location
• Conforming with regional content
  licensing restrictions
• Targeting advertising
• Customising content
• Emergency services
• Shared addressing may reduce level of
  confidence and location granularity
• Application performance may be affected
  in the presence of highly centralised CGN

Tracking service usage
• Monitoring unique users of a service no longer
  possible by simply counting connections from
  discrete IP addresses
• CPE NAT complicates this today; large-scale
  address sharing will make it a more widespread
  and severe issue
• In general, all elements that monitor usage or
  abusage in the chain between a service provider
  that has deployed address sharing and a content
  provider will need to be upgraded to take account
  of the port value in addition to IP addresses



Traceability
• Address sharing solutions must record and store all
  mappings they create
    – Potentially very large volume of data
    – Pre-allocating groups of ports mitigates this
    – Trade-offs between
         •   size of pre-allocated groups
         •   ratio of public addresses to subscribers
         •   impact on logging requirements
         •   Port randomisation security
• Need for timestamping and accurate timekeeping
    – Densely populated CGN could mean even small amounts
      of clock skew result in misidentification of subscribers
    – Alternatively SPs start logging destinations, giving rise to
      privacy concerns



Security-related issues
• Port randomisation
• Abuse logging, penalty boxes
     – Need to log source port as well as
       source address
• Spam
• IPsec
• Authentication
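
The lookup that the Traceability and Security-related issues slides imply, as an added example that is not part of the talk: resolving an abuse report against a CGN mapping log, first without and then with the source port, and then with a clock-skew tolerance that makes two subscribers plausible. The log layout, subscriber names, port blocks and times are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Mapping:
    """One CGN log record: a pre-allocated port block leased to a subscriber."""
    public_ip: str
    port_lo: int
    port_hi: int
    start: datetime
    end: datetime
    subscriber: str


def ts(text):
    """Parse a timestamp in the constructed log format."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


# Constructed sample log. 192.0.2.1 is a documentation address shared by
# three hypothetical subscribers; block 1024-2047 changes hands around noon.
LOG = [
    Mapping("192.0.2.1", 1024, 2047, ts("2010-05-19 09:00:00"), ts("2010-05-19 12:00:00"), "sub-A"),
    Mapping("192.0.2.1", 1024, 2047, ts("2010-05-19 12:00:02"), ts("2010-05-19 15:00:00"), "sub-B"),
    Mapping("192.0.2.1", 2048, 3071, ts("2010-05-19 09:00:00"), ts("2010-05-19 15:00:00"), "sub-C"),
]


def candidates(log, public_ip, when, port=None, skew=timedelta(0)):
    """Subscribers whose lease could match an abuse report.

    port=None models a server that logged only the source address.
    skew is the largest clock difference assumed between the reporting
    server and the CGN; every lease interval is widened by that much.
    """
    hits = set()
    for m in log:
        if m.public_ip != public_ip:
            continue
        if port is not None and not (m.port_lo <= port <= m.port_hi):
            continue
        if m.start - skew <= when <= m.end + skew:
            hits.add(m.subscriber)
    return sorted(hits)


def resolve(log, public_ip, when, port=None, skew=timedelta(0)):
    """Return the one matching subscriber, or None if ambiguous or unmatched."""
    found = candidates(log, public_ip, when, port, skew)
    return found[0] if len(found) == 1 else None


if __name__ == "__main__":
    seen = ts("2010-05-19 11:59:59")  # time in the reporting server's log
    print("address only:     ", candidates(LOG, "192.0.2.1", seen))
    print("address + port:   ", candidates(LOG, "192.0.2.1", seen, port=1500))
    print("port, 5 s skew:   ", candidates(LOG, "192.0.2.1", seen, port=1500,
                                           skew=timedelta(seconds=5)))
```
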


Load balancing
• Deterministic algorithms based on IP
  addresses may see sudden
  imbalances in load as address
  sharing is enabled
• Growth of address sharing will
  require re-evaluation of load
  balancing algorithm designs
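
An added illustration of this imbalance, not taken from the talk: the same number of clients is hashed onto four backends, once with a public address per client and once from behind three shared addresses. The addresses, client count and pool size are constructed, and SHA-256 modulo N stands in for whatever deterministic hash a balancer actually uses.

```python
import hashlib
import ipaddress
from collections import Counter

BACKENDS = 4                                              # assumed pool size
SHARED = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]    # constructed CGN addresses


def pick_backend(key, n=BACKENDS):
    """Deterministic choice: SHA-256 of the key, reduced modulo n."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % n


def distribution(keys, n=BACKENDS):
    """Connections per backend, as a list of length n."""
    counts = Counter(pick_backend(k, n) for k in keys)
    return [counts.get(i, 0) for i in range(n)]


def unique_clients(count):
    """(address, port) pairs where every client has its own public address."""
    base = ipaddress.ip_address("198.51.100.1")
    return [(str(base + i), 40000) for i in range(count)]


def shared_clients(count, public_addresses=SHARED):
    """(address, port) pairs where clients are spread over a few shared addresses."""
    n = len(public_addresses)
    return [(public_addresses[i % n], 1024 + i) for i in range(count)]


def by_address(clients):
    """Hash key built from the source address only."""
    return [ip for ip, _ in clients]


def by_address_and_port(clients):
    """Hash key built from source address and source port.

    Shown as one possible redesign, not the talk's recommendation: it
    spreads load again but no longer pins a client to a single backend.
    """
    return [f"{ip}:{port}" for ip, port in clients]


if __name__ == "__main__":
    before = unique_clients(240)
    after = shared_clients(240)
    print("unique addresses, hash on address:", distribution(by_address(before)))
    print("shared addresses, hash on address:", distribution(by_address(after)))
    print("shared addresses, address + port: ", distribution(by_address_and_port(after)))
```

With three shared addresses and four backends, at least one backend receives nothing when the hash key is the address alone, and every loaded backend carries a multiple of 80 connections.
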


Other issues
•   Fragmentation
•   Multicast
•   Mobile-IP
•   Single Point of Failure
•   Reverse DNS
     – Reverse DNS strings no longer sufficient
       to identify a discrete subscriber


Conclusions
• Large-scale address sharing will make many
  existing address sharing issues more severe
  and more widespread
• Large-scale address sharing will also create
  new technical and business issues
• Third parties, content providers, LEAs, will
  be impacted
• IPv6 is the only way to avoid this



