1. 1
IPv6 Deployment Update
(Stories and Stats!)
29 Sept 2021|VNIX NOG
Tashi Phuntsho (tashi@apnic.net)
Senior Network Analyst/Manager – Training Delivery
2. 2
2
IPv6 Measurement
• Uses scripted online advertisement
– Over 12M measurements/day!!
• The ad-script fetches three URLs
– IPv6 only URL, Dual-stack URL, IPv4 only URL
• If the device can fetch:
– IPv6 URLs (native/dual-stack) over IPv6, deemed IPv6 capable
– dual-stack URL over IPv6, deemed to prefer IPv6
• RFC8305 (Happy Eyeballs) bias?
3. 3
3
IPv6 end user Readiness
IPv6 capable ~ 28%
>300% increase in the last 5 years
https://stats.labs.apnic.net/ipv6/
4. 4
4
IPv6 Table - World
Economy IPv6 capable (%)
India 74.21
Belgium 60.72
Germany 51.39
Malaysia 51.27
Greece 50.24
United States 48.73
Saudi Arabia 46.52
Finland 45.59
Vietnam 44.66
Taiwan 43.03
Sri Lanka 42.56
Thailand 42.18
Economy IPv6 capable (%)
Austria 27.79
Myanmar 25.51
New Zealand 24.71
Peru 23.41
Romania 22.89
Ireland 20.67
China 18.52
Ecuador 17.65
Paraguay 17.32
Rep of Korea 17.27
Nepal 17.16
Singapore 16.91
Colombia 16.57
Czech Republic 16.11
Argentina 15.50
Norway 15.07
https://stats.labs.apnic.net/ipv6/ (27 Sept 2021)
Economy IPv6 capable (%)
Portugal 40.42
Uruguay 38.77
Mexico 38.32
Switzerland 37.70
Brazil 37.53
Japan 37.09
Hungary 37.00
UK 35.75
UAE 34.22
Netherlands 33.65
Israel 33.11
Canada 32.16
Luxembourg 31.54
Estonia 31.48
Australia 28.61
5. 5
5
• The true driver for IPv6 adoption - Mobile Internet!
• However, born and raised on NAT!
– Still heavily based on CG-NAT
IPv6 - Who is in control?
6. 6
6
IPv6 in Action: Mobile Networks
Carrier Economy Deployment
Verizon Wireless USA Dual-stack (2011)
T-Mobile USA 464XLAT (2012)
Telekom Malaysia Malaysia Dual-stack (2013)
SK Telecom Korea 464XLAT (2014)
Telstra Australia 464XLAT (2016)
Reliance Jio India Dual-stack (2016)
Dialog Axiata Sri Lanka Dual-stack (2016)
AIS Thailand Dual-stack (2017)
Bhutan Telecom Bhutan Dual-stack (2018)
Chungwa Telecom Taiwan Dual-stack (2018)
7. 7
7
Dual-stack preference?
Our migration strategy was to
allow existing users to make
graceful switch to IPv6…
Users did not experience any
issues, as they could still
access the Internet via IPv4..
To help customers
migrate from IPv4
to IPv6 in a
seamless manner…
You need to consider
redundancy/fallback, and
ease of network
maintenance….
8. 8
8
IPv6 Performance - Analysis
• We look at TCP (3-way) handshake
– A received SYN with no subsequent ACK is interpreted as a
failed connection attempt
– The time between the receipt of the SYN and the subsequent
ACK at the server is interpreted as the RTT (not implicit RTT)
SYN
SYN-ACK
ACK
Server
Client
1 RTT
9. 9
9
IPv6 Performance
• Is IPv6 as reliable (robust) as IPv4?
– Do all TCP connection attempts succeed?
• Failure ~ no ACK for a received SYN
• Global IPv6 failure rate
1.2% L
– End point filters/firewalls?
• Not allowing inbound IPv6? or
• ICMPv6 (PTB) filtered? PMTUD
failure?
– End points on unreachable IPv6
address?
10. 10
10
IPv6 Performance
• Is IPv6 as fast as IPv4?
– Comparison of RTT
• time since SYN and subsequent ACK
• IPv6 appears faster
– Africa, Europe, and the
Americas
– CG-NAT/NAT boxes?
• IPv4 seems faster
– Asia & Oceania
– Different routing paths for IPv4
and IPv6?
https://stats.labs.apnic.net/v6perf
13. 13
13
EHs - security nightmare?
• RFC8200 states:
– “Extension headers (except for Hop-by-Hop Options header)
are not processed, inserted, or deleted by any node along a
packet's delivery path, until the packet reaches the node”
• Firewalls (stateful/stateless) should not inspect them?
– But destination nodes must accept and process EH…
• “any order and occurring any number of times in the same packet”
14. 14
14
Remember Extension Headers?
• IPv6 allows an optional Extension Header in
between the IPv6 header and upper layer header
– Allows adding new features to IPv6 protocol without major
re-engineering
IPv6 Header
Next Header = 6
TCP header + data
IPv6 Header
Next Header = 44
Fragment header
Next header = 6
TCP header + data
Next Header values:
0 Hop-by-hop option
4 SRH
6 TCP
17 UDP
43 IPv6 Routing Header (SRH)
44 Fragmentation
50 Encrypted security
payload
51 Authentication
58 ICMPv6
59 Null (No next header)
60 Destination option
Extension Header
15. 15
15
EHs - security nightmare?
• The number of EH is NOT limited
• The number of options within an Options header
(Hop-by-hop and Destinations) is NOT limited
• The order of EH is NOT defined (only a
recommendation)
• RFC2460/8200 “it is recommended that those headers appear in the
following order”
16. 16
16
EH and Fragments
• Should we DROP all IPv6 fragments?
– How does services like DNSSEC work?
• RFC7112
– “When a host fragments an IPv6 datagram, it MUST include
the entire IPv6 Header Chain in the First Fragment”
• inspect and drop
• RFC8200:
– “Extension headers, if any, and Upper-Layer headers MUST be
in the first fragment”
IPv6 Header
Next Header = 44
Fragment header
Next header = 6
+
Fragment offset
Data (first
fragment)
1st Fragment
TCP
header
17. 17
17
EH and Fragments
• If you cannot do stateful inspection, you can use
other solutions
– undetermined-transport (Cisco)
• Drop fragments that do not have upper-layer headers in the first
fragment (satisfies RFC7112/8200)
deny any any [undetermined-transport]
• OR, drop fragments destined for network nodes
– But allowing fragments to end users (transiting the network)
18. 18
18
Aside ~ SRv6
• 5G network slicing
– Logical network service overlay to support new service level
objectives and expectations
– TE based topology slicing with Segment Routing
19. 19
Securing the SR domain
• Two levels of access control:
1. Drop any packet entering the SR domain and destined to
a SID within the SR domain:
• Configured on all external interfaces of edge nodes
• It is your internal domain, so no one from outside should be sending
packets with SID as the dest addrs
2. On every node in the SR domain, drop any packet to SIDs
from source addresses outside the SR domain:
• Configured on all internal interfaces of all SR nodes in the domain
20. 20
20
How can we help?
• Operational trainings
– Direct country assistance
– Standalone workshops/tutorials
– NOGs
• Technical Assistance
– Remote or F2F
https://www.apnic.net/community/ipv6