SlideShare a Scribd company logo

VNIX-NOG 2021: IPv6 Deployment Update

APNIC
APNIC

APNIC Training Delivery Manager Tashi Phuntsho gives an update on IPv6 deployment at VNIX-NOG 2021, held online from 28 to 29 September 2021.

Internet
1 of 21
Download to read offline
1 IPv6 Deployment Update (Stories and Stats!) 29 Sept 2021|VNIX NOG Tashi Phuntsho (tashi@apnic.net) Senior Network Analyst/Manager – Training Delivery
2 2 IPv6 Measurement • Uses scripted online advertisement – Over 12M measurements/day!! • The ad-script fetches three URLs – IPv6 only URL, Dual-stack URL, IPv4 only URL • If the device can fetch: – IPv6 URLs (native/dual-stack) over IPv6, deemed IPv6 capable – dual-stack URL over IPv6, deemed to prefer IPv6 • RFC8305 (Happy Eyeballs) bias?
3 3 IPv6 end user Readiness IPv6 capable ~ 28% >300% increase in the last 5 years https://stats.labs.apnic.net/ipv6/
4 4 IPv6 Table - World Economy IPv6 capable (%) India 74.21 Belgium 60.72 Germany 51.39 Malaysia 51.27 Greece 50.24 United States 48.73 Saudi Arabia 46.52 Finland 45.59 Vietnam 44.66 Taiwan 43.03 Sri Lanka 42.56 Thailand 42.18 Economy IPv6 capable (%) Austria 27.79 Myanmar 25.51 New Zealand 24.71 Peru 23.41 Romania 22.89 Ireland 20.67 China 18.52 Ecuador 17.65 Paraguay 17.32 Rep of Korea 17.27 Nepal 17.16 Singapore 16.91 Colombia 16.57 Czech Republic 16.11 Argentina 15.50 Norway 15.07 https://stats.labs.apnic.net/ipv6/ (27 Sept 2021) Economy IPv6 capable (%) Portugal 40.42 Uruguay 38.77 Mexico 38.32 Switzerland 37.70 Brazil 37.53 Japan 37.09 Hungary 37.00 UK 35.75 UAE 34.22 Netherlands 33.65 Israel 33.11 Canada 32.16 Luxembourg 31.54 Estonia 31.48 Australia 28.61
5 5 • The true driver for IPv6 adoption - Mobile Internet! • However, born and raised on NAT! – Still heavily based on CG-NAT IPv6 - Who is in control?
6 6 IPv6 in Action: Mobile Networks Carrier Economy Deployment Verizon Wireless USA Dual-stack (2011) T-Mobile USA 464XLAT (2012) Telekom Malaysia Malaysia Dual-stack (2013) SK Telecom Korea 464XLAT (2014) Telstra Australia 464XLAT (2016) Reliance Jio India Dual-stack (2016) Dialog Axiata Sri Lanka Dual-stack (2016) AIS Thailand Dual-stack (2017) Bhutan Telecom Bhutan Dual-stack (2018) Chungwa Telecom Taiwan Dual-stack (2018)
7 7 Dual-stack preference? Our migration strategy was to allow existing users to make graceful switch to IPv6… Users did not experience any issues, as they could still access the Internet via IPv4.. To help customers migrate from IPv4 to IPv6 in a seamless manner… You need to consider redundancy/fallback, and ease of network maintenance….
8 8 IPv6 Performance - Analysis • We look at TCP (3-way) handshake – A received SYN with no subsequent ACK is interpreted as a failed connection attempt – The time between the receipt of the SYN and the subsequent ACK at the server is interpreted as the RTT (not implicit RTT) SYN SYN-ACK ACK Server Client 1 RTT
9 9 IPv6 Performance • Is IPv6 as reliable (robust) as IPv4? – Do all TCP connection attempts succeed? • Failure ~ no ACK for a received SYN • Global IPv6 failure rate 1.2% L – End point filters/firewalls? • Not allowing inbound IPv6? or • ICMPv6 (PTB) filtered? PMTUD failure? – End points on unreachable IPv6 address?
10 10 IPv6 Performance • Is IPv6 as fast as IPv4? – Comparison of RTT • time since SYN and subsequent ACK • IPv6 appears faster – Africa, Europe, and the Americas – CG-NAT/NAT boxes? • IPv4 seems faster – Asia & Oceania – Different routing paths for IPv4 and IPv6? https://stats.labs.apnic.net/v6perf
11 11 IPv6 Performance & Routing Path IPv4 RTT – 325ms IPv6 RTT – 213ms https://labs.apnic.net/?p=850
12 12 Closer to home – Routing Path IPv4 IPv6
13 13 EHs - security nightmare? • RFC8200 states: – “Extension headers (except for Hop-by-Hop Options header) are not processed, inserted, or deleted by any node along a packet's delivery path, until the packet reaches the node” • Firewalls (stateful/stateless) should not inspect them? – But destination nodes must accept and process EH… • “any order and occurring any number of times in the same packet”
14 14 Remember Extension Headers? • IPv6 allows an optional Extension Header in between the IPv6 header and upper layer header – Allows adding new features to IPv6 protocol without major re-engineering IPv6 Header Next Header = 6 TCP header + data IPv6 Header Next Header = 44 Fragment header Next header = 6 TCP header + data Next Header values: 0 Hop-by-hop option 4 SRH 6 TCP 17 UDP 43 IPv6 Routing Header (SRH) 44 Fragmentation 50 Encrypted security payload 51 Authentication 58 ICMPv6 59 Null (No next header) 60 Destination option Extension Header
15 15 EHs - security nightmare? • The number of EH is NOT limited • The number of options within an Options header (Hop-by-hop and Destinations) is NOT limited • The order of EH is NOT defined (only a recommendation) • RFC2460/8200 “it is recommended that those headers appear in the following order”
16 16 EH and Fragments • Should we DROP all IPv6 fragments? – How does services like DNSSEC work? • RFC7112 – “When a host fragments an IPv6 datagram, it MUST include the entire IPv6 Header Chain in the First Fragment” • inspect and drop • RFC8200: – “Extension headers, if any, and Upper-Layer headers MUST be in the first fragment” IPv6 Header Next Header = 44 Fragment header Next header = 6 + Fragment offset Data (first fragment) 1st Fragment TCP header
17 17 EH and Fragments • If you cannot do stateful inspection, you can use other solutions – undetermined-transport (Cisco) • Drop fragments that do not have upper-layer headers in the first fragment (satisfies RFC7112/8200) deny any any [undetermined-transport] • OR, drop fragments destined for network nodes – But allowing fragments to end users (transiting the network)
18 18 Aside ~ SRv6 • 5G network slicing – Logical network service overlay to support new service level objectives and expectations – TE based topology slicing with Segment Routing
19 Securing the SR domain • Two levels of access control: 1. Drop any packet entering the SR domain and destined to a SID within the SR domain: • Configured on all external interfaces of edge nodes • It is your internal domain, so no one from outside should be sending packets with SID as the dest addrs 2. On every node in the SR domain, drop any packet to SIDs from source addresses outside the SR domain: • Configured on all internal interfaces of all SR nodes in the domain
20 20 How can we help? • Operational trainings – Direct country assistance – Standalone workshops/tutorials – NOGs • Technical Assistance – Remote or F2F https://www.apnic.net/community/ipv6
21 THANK YOU

Recommended

mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing
APNIC
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental Website
APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
APNIC
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
APNIC
 
IPv6 Progress and Challenges in Japan
IPv6 Progress and Challenges in JapanIPv6 Progress and Challenges in Japan
IPv6 Progress and Challenges in Japan
APNIC
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
APNIC
 
I Pv6 Enabling Menog 0.4
I Pv6 Enabling Menog 0.4I Pv6 Enabling Menog 0.4
I Pv6 Enabling Menog 0.4
Hussein Elmenshawy
 
OARC 26: Scoring the Root Server System
OARC 26: Scoring the Root Server SystemOARC 26: Scoring the Root Server System
OARC 26: Scoring the Root Server System
APNIC
 

Recommended

mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing
APNIC
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental Website
APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
APNIC
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
APNIC
 
IPv6 Progress and Challenges in Japan
IPv6 Progress and Challenges in JapanIPv6 Progress and Challenges in Japan
IPv6 Progress and Challenges in Japan
APNIC
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
APNIC
 
I Pv6 Enabling Menog 0.4
I Pv6 Enabling Menog 0.4I Pv6 Enabling Menog 0.4
I Pv6 Enabling Menog 0.4
Hussein Elmenshawy
 
OARC 26: Scoring the Root Server System
OARC 26: Scoring the Root Server SystemOARC 26: Scoring the Root Server System
OARC 26: Scoring the Root Server System
APNIC
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end user
APNIC
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73
APNIC
 
Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73
APNIC
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
APNIC
 
Welcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, MongoliaWelcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, Mongolia
APNIC
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKI
APNIC
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
APNIC
 
Measuring the End User
Measuring the End User Measuring the End User
Measuring the End User
APNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing Key
APNIC
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!
APNIC
 
npNOG 2: APNIC IPv6 deployment
npNOG 2: APNIC IPv6 deploymentnpNOG 2: APNIC IPv6 deployment
npNOG 2: APNIC IPv6 deployment
APNIC
 
More specific announcments in BGP
More specific announcments in BGPMore specific announcments in BGP
More specific announcments in BGP
APNIC
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry Services
MyNOG
 
IPv6 in Cellular Networks
IPv6 in Cellular NetworksIPv6 in Cellular Networks
IPv6 in Cellular Networks
APNIC
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
APNIC
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practice
Jimmy Lim
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNIC
APNIC
 
APNIC IPv6 Deployment
APNIC IPv6 DeploymentAPNIC IPv6 Deployment
APNIC IPv6 Deployment
APNIC
 
CommunicAsia 2017: IPv6 deployment architecture for IoT
CommunicAsia 2017: IPv6 deployment architecture for IoTCommunicAsia 2017: IPv6 deployment architecture for IoT
CommunicAsia 2017: IPv6 deployment architecture for IoT
APNIC
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's asking
APNIC
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
Thomas Graf
 
Tutorial: IPv6-only transition with demo
Tutorial: IPv6-only transition with demoTutorial: IPv6-only transition with demo
Tutorial: IPv6-only transition with demo
APNIC
 

More Related Content

What's hot

What's hot (20)

Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end user
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73
 
Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
 
Welcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, MongoliaWelcome to the APNIC Member Gathering, Mongolia
Welcome to the APNIC Member Gathering, Mongolia
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKI
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
 
Measuring the End User
Measuring the End User Measuring the End User
Measuring the End User
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing Key
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!
 
npNOG 2: APNIC IPv6 deployment
npNOG 2: APNIC IPv6 deploymentnpNOG 2: APNIC IPv6 deployment
npNOG 2: APNIC IPv6 deployment
 
More specific announcments in BGP
More specific announcments in BGPMore specific announcments in BGP
More specific announcments in BGP
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry Services
 
IPv6 in Cellular Networks
IPv6 in Cellular NetworksIPv6 in Cellular Networks
IPv6 in Cellular Networks
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
 
BGP filtering best practice
BGP filtering best practiceBGP filtering best practice
BGP filtering best practice
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNIC
 
APNIC IPv6 Deployment
APNIC IPv6 DeploymentAPNIC IPv6 Deployment
APNIC IPv6 Deployment
 
CommunicAsia 2017: IPv6 deployment architecture for IoT
CommunicAsia 2017: IPv6 deployment architecture for IoTCommunicAsia 2017: IPv6 deployment architecture for IoT
CommunicAsia 2017: IPv6 deployment architecture for IoT
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's asking
 

Similar to VNIX-NOG 2021: IPv6 Deployment Update

Internet Protocol Version 6 By Suvo 2002
Internet Protocol Version 6 By Suvo 2002Internet Protocol Version 6 By Suvo 2002
Internet Protocol Version 6 By Suvo 2002
suvobgd
 
Understanding i pv6 2
Understanding i pv6 2Understanding i pv6 2
Understanding i pv6 2
srmanjuskp
 
[Webinar Slides] Programming the Network Dataplane in P4
[Webinar Slides] Programming the Network Dataplane in P4[Webinar Slides] Programming the Network Dataplane in P4
[Webinar Slides] Programming the Network Dataplane in P4
Open Networking Summits
 

Similar to VNIX-NOG 2021: IPv6 Deployment Update (20)

Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
 
Tutorial: IPv6-only transition with demo
Tutorial: IPv6-only transition with demoTutorial: IPv6-only transition with demo
Tutorial: IPv6-only transition with demo
 
KHNOG 2 Online Webinar: IPv6 Deployment Update
KHNOG 2 Online Webinar: IPv6 Deployment UpdateKHNOG 2 Online Webinar: IPv6 Deployment Update
KHNOG 2 Online Webinar: IPv6 Deployment Update
 
IPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-onIPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-on
 
IPv6 Transition & Deployment, including IPv6-only in cellular and broadband
IPv6 Transition & Deployment, including IPv6-only in cellular and broadbandIPv6 Transition & Deployment, including IPv6-only in cellular and broadband
IPv6 Transition & Deployment, including IPv6-only in cellular and broadband
 
APNIC Update
APNIC Update APNIC Update
APNIC Update
 
IPv6 Deployment Update
IPv6 Deployment UpdateIPv6 Deployment Update
IPv6 Deployment Update
 
Software Network Data Plane - Satisfying the need for speed - FD.io - VPP and...
Software Network Data Plane - Satisfying the need for speed - FD.io - VPP and...Software Network Data Plane - Satisfying the need for speed - FD.io - VPP and...
Software Network Data Plane - Satisfying the need for speed - FD.io - VPP and...
 
Internet Protocol Version 6 By Suvo 2002
Internet Protocol Version 6 By Suvo 2002Internet Protocol Version 6 By Suvo 2002
Internet Protocol Version 6 By Suvo 2002
 
IPv6 New RFCs
IPv6 New RFCsIPv6 New RFCs
IPv6 New RFCs
 
IPv6 transition and coexistance - Jordi Palet
IPv6 transition and coexistance - Jordi PaletIPv6 transition and coexistance - Jordi Palet
IPv6 transition and coexistance - Jordi Palet
 
ITN_Module_8.pptx
ITN_Module_8.pptxITN_Module_8.pptx
ITN_Module_8.pptx
 
Understanding i pv6 2
Understanding i pv6 2Understanding i pv6 2
Understanding i pv6 2
 
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under LinuxPractical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
 
npNOG 5: IPv6 Deployment Update
npNOG 5: IPv6 Deployment UpdatenpNOG 5: IPv6 Deployment Update
npNOG 5: IPv6 Deployment Update
 
[Webinar Slides] Programming the Network Dataplane in P4
[Webinar Slides] Programming the Network Dataplane in P4[Webinar Slides] Programming the Network Dataplane in P4
[Webinar Slides] Programming the Network Dataplane in P4
 
IPv6 on the Interop Network
IPv6 on the Interop NetworkIPv6 on the Interop Network
IPv6 on the Interop Network
 
Panel with IPv6 CE Vendors
Panel with IPv6 CE VendorsPanel with IPv6 CE Vendors
Panel with IPv6 CE Vendors
 
PLNOG16: Obsługa 100M pps na platformie PC , Przemysław Frasunek, Paweł Mała...
PLNOG16: Obsługa 100M pps na platformie PC , Przemysław Frasunek, Paweł Mała...PLNOG16: Obsługa 100M pps na platformie PC , Przemysław Frasunek, Paweł Mała...
PLNOG16: Obsługa 100M pps na platformie PC , Przemysław Frasunek, Paweł Mała...
 
Run Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT NetworkRun Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT Network
 

More from APNIC

More from APNIC (20)

Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 

Recently uploaded

audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
lolsDocherty
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
abhinandnam9997
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
aagad
 

Recently uploaded (13)

The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
The Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI StudioThe Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI Studio
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?
 
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdf
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
Case study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptxCase study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptx
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case Study
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
 
Bug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's GuideBug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's Guide
 
Pvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdf
 

VNIX-NOG 2021: IPv6 Deployment Update

  • 1. 1 IPv6 Deployment Update (Stories and Stats!) 29 Sept 2021|VNIX NOG Tashi Phuntsho (tashi@apnic.net) Senior Network Analyst/Manager – Training Delivery
  • 2. 2 2 IPv6 Measurement • Uses scripted online advertisement – Over 12M measurements/day!! • The ad-script fetches three URLs – IPv6 only URL, Dual-stack URL, IPv4 only URL • If the device can fetch: – IPv6 URLs (native/dual-stack) over IPv6, deemed IPv6 capable – dual-stack URL over IPv6, deemed to prefer IPv6 • RFC8305 (Happy Eyeballs) bias?
  • 3. 3 3 IPv6 end user Readiness IPv6 capable ~ 28% >300% increase in the last 5 years https://stats.labs.apnic.net/ipv6/
  • 4. 4 4 IPv6 Table - World Economy IPv6 capable (%) India 74.21 Belgium 60.72 Germany 51.39 Malaysia 51.27 Greece 50.24 United States 48.73 Saudi Arabia 46.52 Finland 45.59 Vietnam 44.66 Taiwan 43.03 Sri Lanka 42.56 Thailand 42.18 Economy IPv6 capable (%) Austria 27.79 Myanmar 25.51 New Zealand 24.71 Peru 23.41 Romania 22.89 Ireland 20.67 China 18.52 Ecuador 17.65 Paraguay 17.32 Rep of Korea 17.27 Nepal 17.16 Singapore 16.91 Colombia 16.57 Czech Republic 16.11 Argentina 15.50 Norway 15.07 https://stats.labs.apnic.net/ipv6/ (27 Sept 2021) Economy IPv6 capable (%) Portugal 40.42 Uruguay 38.77 Mexico 38.32 Switzerland 37.70 Brazil 37.53 Japan 37.09 Hungary 37.00 UK 35.75 UAE 34.22 Netherlands 33.65 Israel 33.11 Canada 32.16 Luxembourg 31.54 Estonia 31.48 Australia 28.61
  • 5. 5 5 • The true driver for IPv6 adoption - Mobile Internet! • However, born and raised on NAT! – Still heavily based on CG-NAT IPv6 - Who is in control?
  • 6. 6 6 IPv6 in Action: Mobile Networks Carrier Economy Deployment Verizon Wireless USA Dual-stack (2011) T-Mobile USA 464XLAT (2012) Telekom Malaysia Malaysia Dual-stack (2013) SK Telecom Korea 464XLAT (2014) Telstra Australia 464XLAT (2016) Reliance Jio India Dual-stack (2016) Dialog Axiata Sri Lanka Dual-stack (2016) AIS Thailand Dual-stack (2017) Bhutan Telecom Bhutan Dual-stack (2018) Chungwa Telecom Taiwan Dual-stack (2018)
  • 7. 7 7 Dual-stack preference? Our migration strategy was to allow existing users to make graceful switch to IPv6… Users did not experience any issues, as they could still access the Internet via IPv4.. To help customers migrate from IPv4 to IPv6 in a seamless manner… You need to consider redundancy/fallback, and ease of network maintenance….
  • 8. 8 8 IPv6 Performance - Analysis • We look at TCP (3-way) handshake – A received SYN with no subsequent ACK is interpreted as a failed connection attempt – The time between the receipt of the SYN and the subsequent ACK at the server is interpreted as the RTT (not implicit RTT) SYN SYN-ACK ACK Server Client 1 RTT
  • 9. 9 9 IPv6 Performance • Is IPv6 as reliable (robust) as IPv4? – Do all TCP connection attempts succeed? • Failure ~ no ACK for a received SYN • Global IPv6 failure rate 1.2% L – End point filters/firewalls? • Not allowing inbound IPv6? or • ICMPv6 (PTB) filtered? PMTUD failure? – End points on unreachable IPv6 address?
  • 10. 10 10 IPv6 Performance • Is IPv6 as fast as IPv4? – Comparison of RTT • time since SYN and subsequent ACK • IPv6 appears faster – Africa, Europe, and the Americas – CG-NAT/NAT boxes? • IPv4 seems faster – Asia & Oceania – Different routing paths for IPv4 and IPv6? https://stats.labs.apnic.net/v6perf
  • 11. 11 11 IPv6 Performance & Routing Path IPv4 RTT – 325ms IPv6 RTT – 213ms https://labs.apnic.net/?p=850
  • 12. 12 12 Closer to home – Routing Path IPv4 IPv6
  • 13. 13 13 EHs - security nightmare? • RFC8200 states: – “Extension headers (except for Hop-by-Hop Options header) are not processed, inserted, or deleted by any node along a packet's delivery path, until the packet reaches the node” • Firewalls (stateful/stateless) should not inspect them? – But destination nodes must accept and process EH… • “any order and occurring any number of times in the same packet”
  • 14. 14 14 Remember Extension Headers? • IPv6 allows an optional Extension Header in between the IPv6 header and upper layer header – Allows adding new features to IPv6 protocol without major re-engineering IPv6 Header Next Header = 6 TCP header + data IPv6 Header Next Header = 44 Fragment header Next header = 6 TCP header + data Next Header values: 0 Hop-by-hop option 4 SRH 6 TCP 17 UDP 43 IPv6 Routing Header (SRH) 44 Fragmentation 50 Encrypted security payload 51 Authentication 58 ICMPv6 59 Null (No next header) 60 Destination option Extension Header
  • 15. 15 15 EHs - security nightmare? • The number of EH is NOT limited • The number of options within an Options header (Hop-by-hop and Destinations) is NOT limited • The order of EH is NOT defined (only a recommendation) • RFC2460/8200 “it is recommended that those headers appear in the following order”
  • 16. 16 16 EH and Fragments • Should we DROP all IPv6 fragments? – How does services like DNSSEC work? • RFC7112 – “When a host fragments an IPv6 datagram, it MUST include the entire IPv6 Header Chain in the First Fragment” • inspect and drop • RFC8200: – “Extension headers, if any, and Upper-Layer headers MUST be in the first fragment” IPv6 Header Next Header = 44 Fragment header Next header = 6 + Fragment offset Data (first fragment) 1st Fragment TCP header
  • 17. 17 17 EH and Fragments • If you cannot do stateful inspection, you can use other solutions – undetermined-transport (Cisco) • Drop fragments that do not have upper-layer headers in the first fragment (satisfies RFC7112/8200) deny any any [undetermined-transport] • OR, drop fragments destined for network nodes – But allowing fragments to end users (transiting the network)
  • 18. 18 18 Aside ~ SRv6 • 5G network slicing – Logical network service overlay to support new service level objectives and expectations – TE based topology slicing with Segment Routing
  • 19. 19 Securing the SR domain • Two levels of access control: 1. Drop any packet entering the SR domain and destined to a SID within the SR domain: • Configured on all external interfaces of edge nodes • It is your internal domain, so no one from outside should be sending packets with SID as the dest addrs 2. On every node in the SR domain, drop any packet to SIDs from source addresses outside the SR domain: • Configured on all internal interfaces of all SR nodes in the domain
  • 20. 20 20 How can we help? • Operational trainings – Direct country assistance – Standalone workshops/tutorials – NOGs • Technical Assistance – Remote or F2F https://www.apnic.net/community/ipv6