The document discusses deploying IPv6-only networks while still allowing access to IPv4 resources. It describes using DHCP option 108 and router advertisement option PREF64 to signal to IPv6-only capable devices that they can disable their IPv4 stack. This allows IPv6-only traffic while NAT64 and DNS64 allow access to IPv4 resources. However, full IPv6-only deployment is difficult due to lack of support for these options in some devices and routers. While IPv4 conservation is achieved, full IPv6-only introduces challenges of lost functionality and inability to communicate between dual-stack and IPv6-only hosts in some cases.
Is it time to panic? Are we completely out of IP addresses? Do I have to learn to speak hexadecimal? What is IPv6 and should you care? In this session, we'll attempt to answer these questions and more and we're likely to have more questions than answers. IPv6 is the newest version of the IP/Internet Protocol (currently referred to as IPv4) and was created primarily to address the shortage of IP addresses across the world. However, there's a lot more going on with IPv6 than just addressing changes. This session will address just what the campus has done and still needs to do and what you need to worry about as IPv6 comes closer to your front door.
IPv6 configuration at CSCS
● Dual Stack approach
● Static addressing for networking equipment and servers
● Dynamic addressing for PC and guest networks
– Auto configuration with SLAAC
● But we still rely on DHCPv4 to distribute DNS
– Tests ongoing for:
● Distributing DNS via RA (RDNSS, RFC6106)
● DHCPv6
IPv6 deployment
● Configure the network part and FW/ACLs
– Test
● Configure IPv6 on the systems
– Test
– At this point the system uses IPv6 and IPv4 for outgoing connections
● Publish the AAAA resource record into the DNS with short TTL
– If test is successful: set normal TTL for the RR AAAA
– Now the system is fully IPv6 enabled
IPv6 lessons learned
● Some network devices send out RA even if they shouldn't
– Impact: machines get IPv6 global address
● Disable SLAAC autoconfiguration on all the servers
● Rogue RA:
– Impact: default gateway changed! No IPv6 connectivity anymore.
● Filter RA messages at the network level
● IPv6 ACL: be careful not to filter NS/ND messages
– Impact: you may break IPv6 connectivity
● On IPv6 ARP is replaced by ICMPv6 NS and ICMPv6 ND messages
● Firewall IPv6 limitations (CLI config needed, WebGUI not ready)
● Services not listening on IPv6. Remember to configure ssh, httpd, etc. to also listen on IPv6
How to set up an IPv6 LAN with Linux. Using IPv6 requires two steps: first setting up the local LAN to support IPv6, and second connecting to the Internet. The exact mechanism to connect to the Internet depends on your ISP, on whether you have an IPv4 or IPv6 address, and on whether you are trying to access an IPv4 or IPv6 host.
Jumping Bean offers IPv6 training for businesses (http://www.jumpingbean.co.za/ipv6-training)
IETF IPv6 Activities Report by Cathy Aronson at ARIN 36. Presentation and webcast archive available at: https://www.arin.net/participate/meetings/reports/ARIN_36/ppm.html
Deploying IPv6-mostly access networks
1. IPv6-only and dual stack in one network
Deploying IPv6-mostly access networks
Ondřej Caletka | 30 September 2022 | NLNOG Day
2. The endless transition to IPv6
• IPv6 is slowly being deployed
• IPv4 is still the protocol of the Internet
• There are simply not enough IPv4 addresses
- repurposing 240/4, 127/8 or 0/8 will not help
• There are many transition mechanisms, two of which are special:
- Dual stack: Running both protocols at the same time
- NAT64: Allowing limited access from unmodified IPv6-only hosts to IPv4 resources
3. The best transition mechanism
• IPv4-only and IPv6-only resources directly accessible
• IPv6 preferred for dual-stack resources
• Problems with IPv6 masked by Happy Eyeballs algorithm
• But it does not address IPv4 scarcity
[Diagram labels: Dual Stack, IPv6, IPv4]
4. NAT64 allows IPv6-only networks
• IPv6 accessible natively
• IPv4 is translated into part of IPv6 address space
• Together with DNS64, everything seems to be accessible over IPv6
• But sometimes you run into…
- IPv4 literals
- Legacy software opening IPv4-only sockets
- Dual-stack servers with broken IPv6
[Diagram labels: IPv6-only, DNS64, NAT64 Box, IPv6 Internet, IPv4 Internet]
5. Mobiles are ready
• Apple forces all iOS apps to work well on IPv6-only networks with NAT64
• There is Happy Eyeballs 2.0 for IPv4 literals or broken IPv6 on dual stack servers
• Finally CLAT is used for tethering to a computer
• Android uses just CLAT (464XLAT)
- so IPv4 is accessible via two translations
[Diagram labels: IPv6-only, CLAT, DNS64, NAT64 Box, IPv6 Internet, IPv4 Internet]
6. Desktops suffer on IPv6-only
• No Happy Eyeballs 2.0 implementation outside Apple
- and even on Apple, only high-level APIs support it (e.g. Safari, not Chrome)
• No CLAT in Windows, Linux or ChromeOS
• Famous problems known for years:
- Spotify desktop app does not work
- IPv4 literals do not work
- Dual-stack servers with broken IPv6 do not work
- Legacy Happy Eyeballs doesn’t help since there's no IPv4 to fall back to
- Most corporate VPNs will not work (often just a configuration issue)
7. Can we do IPv6-only?
At least for some devices…
8. Signalling IPv6-only capability
• New DHCP(v4) option number 108: IPv6-only Preferred (RFC 8925)
- Requested by DHCP clients of devices capable of running IPv6-only
- Offered by DHCP servers for networks that support IPv6-only operation
- When offered by DHCP server, the client will deactivate IPv4 stack
- If not requested by client or not offered by server, DHCP handshake continues normally
• IPv6-only capable devices can opt-out from IPv4
• Legacy devices keep using dual stack
• Users are not required to select proper network based on device capability (they will always prefer dual stack as it has no downsides for them)
9. Is DHCP option 108 already deployed?
You bet! Option 108 is requested by recent:
- Android
- iOS
- macOS
Devices are ready, networks are lagging behind.
[Pie chart of unique MAC addresses measured during RIPE 84: Requesting Option 108 / Not requesting, with values 34% and 66%]
10. But what about macOS?
• It allows you to run any software including those using legacy IPv4-only APIs (Spotify for Desktop, for instance)
• Pure IPv6-only would break such applications
• It turned out there is CLAT in macOS too!
- It gets activated by DHCP Option 108 together with RA Option PREF64
11. PREF64 RA Option
• A Router Advertisement option carrying NAT64 prefix
• Needed for CLAT configuration, local DNS64 synthesis or Happy Eyeballs 2.0 (dealing with IPv4 literals)
• Replaces NAT64 prefix discovery using DNS64 query for ipv4only.arpa (RFC 7050)
• Shares fate with other configuration parameters
- can be trusted a bit more than DNS64
• Supported by recent Android, iOS or macOS
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |     Scaled Lifetime     | PLC |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                 Highest 96 bits of the Prefix                 |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
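The option layout above, as an added Python example (not from the original slides): it parses one raw PREF64 option and maps an IPv4 literal into the advertised prefix, the step CLAT or Happy Eyeballs 2.0 needs. The option type 38 and the prefix length codes are taken from RFC 8781 and the address layout from RFC 6052, not from the slide; the sample bytes are constructed.

```python
import ipaddress
import struct

ND_OPT_PREF64 = 38  # option type from RFC 8781 (not stated on the slide)
# Prefix Length Code (PLC) -> NAT64 prefix length, per RFC 8781
PLC_TO_PREFIX_LEN = {0: 96, 1: 64, 2: 56, 3: 48, 4: 40, 5: 32}


def parse_pref64(option: bytes):
    """Parse one raw PREF64 option into (IPv6Network, lifetime in seconds)."""
    if len(option) != 16:
        raise ValueError("PREF64 option is always 16 octets long")
    opt_type, length, lifetime_plc = struct.unpack("!BBH", option[:4])
    if opt_type != ND_OPT_PREF64 or length != 2:  # length is in 8-octet units
        raise ValueError("not a PREF64 option")
    plc = lifetime_plc & 0x7                 # low 3 bits
    if plc not in PLC_TO_PREFIX_LEN:
        raise ValueError(f"unknown prefix length code {plc}")
    lifetime = (lifetime_plc >> 3) * 8       # 13-bit field, units of 8 seconds
    raw = option[4:] + bytes(4)              # 96 prefix bits, zero-padded to 128
    # strict=False masks off any bits set beyond the prefix length
    net = ipaddress.IPv6Network((raw, PLC_TO_PREFIX_LEN[plc]), strict=False)
    return net, lifetime


def embed_ipv4(nat64_prefix, ipv4):
    """Map an IPv4 address into the NAT64 prefix using the RFC 6052 layout."""
    if nat64_prefix.prefixlen not in PLC_TO_PREFIX_LEN.values():
        raise ValueError("NAT64 prefix must be /32, /40, /48, /56, /64 or /96")
    out = bytearray(nat64_prefix.network_address.packed)
    pos = nat64_prefix.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:      # octet 8 (bits 64-71) is reserved and stays zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


# Constructed sample options (not captured traffic)
SAMPLE_WKP = bytes.fromhex("26020708" "0064ff9b0000000000000000")
SAMPLE_48 = bytes.fromhex("2602025b" "20010db80122000000000000")

if __name__ == "__main__":
    for sample in (SAMPLE_WKP, SAMPLE_48):
        prefix, lifetime = parse_pref64(sample)
        print(prefix, lifetime, embed_ipv4(prefix, "192.0.2.33"))
```

A lifetime of zero parses without error; a caller acting on the result should treat that prefix as withdrawn.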
12. NAT64 / PREF64 / DNS64 / IPv4
• PREF64 is sufficient to set up CLAT on all platforms
• In theory, DNS64 should be optional
- This would force all IPv4 to go through the CLAT
• In practice, you have to use DNS64 for Safari and iOS
- When DHCP option 108 is received, Safari and most iOS apps refuse to use any IPv4
- Without DNS64, IPv4 internet is invisible to them
- On iOS, CLAT is used mostly for VoWiFi and perhaps for tethering
• You still need IPv4 and DHCP(v4)
- For legacy devices and to trigger CLAT on Apple devices
- The DHCP pool can be smaller, though
14. DHCP option 108 is easy
• Native support in the latest Kea
• Most DHCP servers support defining custom options
- for instance: dnsmasq -O 108,0:0:1:2c
- the option value represents duration for which the IPv4 stack should be disabled
• No special processing on the DHCP server side is required
• But there have to be free addresses in the IPv4 address pool
- Otherwise the DHCP server will not respond
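How the option 108 handshake plays out on the wire, as an added Python example (not from the original slides): it walks the DHCPv4 options of a client request and a server offer and decides whether the client turns IPv4 off and for how long. Option 55 (Parameter Request List) and the 300-second minimum are taken from the DHCP RFCs, not from the slides; the option bytes are constructed.

```python
import struct

OPT_PAD, OPT_END = 0, 255
OPT_PARAM_REQUEST_LIST = 55     # client lists the options it wants
OPT_V6ONLY_PREFERRED = 108      # IPv6-only Preferred (RFC 8925)
MIN_V6ONLY_WAIT = 300           # seconds, lower bound from RFC 8925


def parse_options(blob: bytes) -> dict:
    """Walk a DHCPv4 options field (after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != OPT_END:
        code = blob[i]
        if code == OPT_PAD:                 # single-octet padding, no length
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    return opts


def dnsmasq_hex(text: str) -> bytes:
    """Convert dnsmasq colon-separated hex such as '0:0:1:2c' to raw octets."""
    return bytes(int(part, 16) for part in text.split(":"))


def v6only_wait(client_opts: bytes, server_opts: bytes):
    """Seconds the client keeps IPv4 off, or None if it stays dual stack."""
    requested = parse_options(client_opts).get(OPT_PARAM_REQUEST_LIST, b"")
    if OPT_V6ONLY_PREFERRED not in requested:
        return None                     # legacy client: never asked for 108
    offered = parse_options(server_opts).get(OPT_V6ONLY_PREFERRED)
    if offered is None or len(offered) != 4:
        return None                     # not offered, or malformed: carry on
    return max(struct.unpack("!I", offered)[0], MIN_V6ONLY_WAIT)


# Constructed option fields (not captured traffic)
DISCOVER_NEW = bytes([53, 1, 1, 55, 5, 1, 3, 6, 15, 108, 255])
DISCOVER_LEGACY = bytes([53, 1, 1, 55, 4, 1, 3, 6, 15, 255])
OFFER_V6ONLY = bytes([53, 1, 2, 108, 4]) + dnsmasq_hex("0:0:1:2c") + bytes([255])
OFFER_PLAIN = bytes([53, 1, 2, 51, 4, 0, 0, 14, 16, 255])

if __name__ == "__main__":
    print(v6only_wait(DISCOVER_NEW, OFFER_V6ONLY))      # capable client, option offered
    print(v6only_wait(DISCOVER_LEGACY, OFFER_V6ONLY))   # legacy client
    print(v6only_wait(DISCOVER_NEW, OFFER_PLAIN))       # network without option 108
```

Running the same option walk over logged client requests gives the kind of readiness count shown for RIPE 84: the share of clients whose request list contains 108.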
15. PREF64 RA option is harder
• No custom RA option support in routers
- We already had this issue with Recursive DNS Server option, now we have it again
- Router vendors should really implement custom options similar to DHCP
• There are patches for some software routers:
- radvd (merged but unreleased)
- FRR (pull request pending)
- odhcpd (pull request pending)
16. Surprises on macOS
If there are multiple network prefixes, CLAT picks up a single address from a random one, without considering ULA or deprecated prefixes
17. Surprises on macOS
If user sets up a custom IPv4 DNS server address, DNS will not work, despite commands like host working normally
18. Surprises on macOS
When CLAT is active, the order of getaddrinfo(3) output is altered so IPv4 (via CLAT) is preferred over native IPv6
20. Pros
• Users have only one network to join
• IPv4 addresses are not wasted for devices that don't need them
- Cool if you don't use NAT
• Even for dual-stack clients, the usage of IPv4 is minimal
- DNS64 will force all IPv6-capable applications to use NAT64 over native IPv4
Cons
• Most complex network setup
• IPv4 still has to be deployed
• NAT64 is still needed
• IPv4 communication between dual-stack and IPv6-only hosts is problematic
- Setting up a Chromecast from an Android phone is impossible
22. NOGs Participants Survey
• Takes 5-7 mins!
• Your views on:
- Channels to stay connected
- Important topics for NOGs to discuss
- Challenges that prevent you from attending NOGs
https://ripe-ncc.typeform.com/to/SjgKEKSx