1. APNIC Member Gathering
12 April 2018, Ulaanbaatar
Che-Hoo Cheng: Infrastructure & Development Director
Tashi Phuntsho: Senior Network Analyst
Vivek Nigam: Member Services Manager
5. IPv4 Delegations
As at 28 Feb
[Chart: number of IPv4 delegations per year, 2008 to 2018 (y-axis 0 to 4000), broken down by subregion: East Asia, Oceania, South East Asia, South Asia]
11. IPv4 transfers in Mongolia
Prefix              From                       To
202.131.224.0/19    MobiCom Corporation        Mobinet LLC
202.21.96.0/19      MobiCom Corporation        Mobinet LLC
27.123.212.0/22     Mobinet LLC                MobiCom Corporation
203.174.26.0/24     Unison Networks Limited    YokozunaNET
66.181.160.0/19     ARIN/BARDL                 MCS Com Co Ltd
64.119.16.0/20      ARIN/NORTH-95              MCS Com Co Ltd
(A source prefixed "ARIN/" is an inter-RIR transfer from the ARIN region.)
Source: https://www.apnic.net/manage-ip/manage-resources/transfer-resources/transfer-logs/
12. Transfer services @ APNIC
• Pre-approval
• Transfer listing service
• Transfer mailing list
• Registered IPv4 brokers
13. Ideas for improvements
• Automating renewal of pre-approval service
• Listing service for Members with available IPv4 addresses
• Validating resource custodianship using RPKI
• Checking quality of IPv4 resources
• Incorporating Inter-RIR transfer form in MyAPNIC
15. About Mongolia
Population: 3,121,772 people
Internet users: 1,111,350 (36% penetration)
ASes: 47
GDP: 11.18B
IPv4: 36 ASes in BGP; 233,472 addresses (0.07 per head); 88% visible
IPv6: 6 ASes in BGP; 68,719 M addresses (22,013 per head); 19% visible; 0% capability
16. IPv6 adoption stats - Google
https://www.google.com/intl/en/ipv6/statistics.html
17. Top 1000 websites - IPv6
http://www.worldipv6launch.org/measurements/
26% as of 7 April 2018
18. End-user readiness - APNIC Labs
4 April 2018: 17.43%
30% increase in last 12 months!
https://stats.labs.apnic.net/ipv6/
19. How we measure
• An online advertisement loads a measurement script (HTML5/Flash) in the user's browser
⁃ Over 2M measurements/day!!
• The script fetches three invisible pixels:
⁃ IPv4-only URL
⁃ IPv6-only URL
⁃ Dual-stack URL
• Classification:
⁃ If the device fetches the IPv6 URLs (IPv6-only or dual-stack) over IPv6, it is deemed IPv6 capable
⁃ If it fetches the dual-stack URL over IPv6, it is deemed to prefer IPv6 (subject to the Happy Eyeballs bias, RFC 6555: the browser races both protocols and gives IPv6 only a short head start)
⁃ That head start differs per client: Chrome about 300 ms (Firefox and Opera connect in parallel; OS X and iOS about 25 ms)
20. IPv6 table – East Asia
https://stats.labs.apnic.net/ipv6/
24. IPv6 performance
• Is IPv6 inferior to IPv4 in terms of service performance?
• To compare fairly: two sessions between the same endpoints
• Same end-to-end transport protocol
• Same applications at each end
• Only the IP protocol differs between the two sessions
25. IPv6 performance
• Enough data collected to analyze IPv6 performance
⁃ APNIC Labs
• Is IPv6 as robust as IPv4?
– Do all TCP connection attempts succeed?
• Connection failure = the server answers the SYN with a SYN-ACK but never receives the client's final ACK
– IPv4 connection failure sits at 0.2%
– IPv6 connection failure sits at 1.6% (8 times higher!)
• PMTUD black holes (ICMPv6 Packet Too Big filtered)? Note that the handshake packets are small, so a filtered Packet Too Big alone cannot break the handshake; a missing return path to the client (broken tunnels, asymmetric filtering) is the more likely cause of a lost ACK
26. IPv6 performance
• Enough data collected to analyze IPv6 performance
⁃ APNIC Labs
• Is IPv6 as fast as IPv4? (native IPv6 unicast, not 6to4/Teredo tunnels)
– Comparison of handshake RTT (not an implicit RTT estimated from data transfer)
• Time from SYN arrival to ACK arrival at the server: exactly one round trip
• Factors out congestion and loss during the data transfer
– IPv6 is faster about half of the time
• 45 ms faster (world average) when it is
• Why the difference? NAT on the IPv4 path?
• IPv4 and IPv6 taking different paths (different peering policies for IPv4 and IPv6)?
– Conclusion: IPv6 is as fast as IPv4
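The measurement of slide 19 and the handshake analysis of slides 25 and 26 reduce to a little bookkeeping over the collector's per-fetch records. The Python below is an added example, not APNIC Labs code; the record layout and the sample records are constructed here, and the classification rule is the one the slides state (only completed handshakes count as a fetch).

```python
from collections import defaultdict
from statistics import median

# Constructed sample of per-fetch collector records; not real APNIC Labs data.
# Fields: experiment id, which pixel URL was fetched (v4only / v6only / dual),
# the IP family the fetch arrived over, and server-side timestamps in ms for
# SYN arrival, SYN-ACK sent and the client's final ACK (None = never arrived).
RECORDS = [
    ("e1", "v4only", 4, 0.0, 40.0, 80.0),
    ("e1", "v6only", 6, 0.0, 30.0, 60.0),
    ("e1", "dual",   6, 0.0, 31.0, 62.0),    # dual-stack URL over IPv6: prefers IPv6
    ("e2", "v4only", 4, 0.0, 50.0, 100.0),
    ("e2", "v6only", 6, 0.0, 45.0, None),    # SYN-ACK sent, ACK never came back
    ("e2", "dual",   4, 0.0, 50.0, 101.0),   # Happy Eyeballs fell back to IPv4
    ("e3", "v4only", 4, 0.0, 20.0, 40.0),
    ("e3", "dual",   4, 0.0, 20.0, 41.0),    # no IPv6 record at all: v4-only client
]


def handshake_rtt(rec):
    """RTT as the slide defines it: SYN arrival to final-ACK arrival at the server.
    That is one round trip carrying no data, so payload queueing does not enter."""
    t_syn, t_ack = rec[3], rec[5]
    return None if t_ack is None else t_ack - t_syn


def classify(records):
    """Per experiment: 'v6-preferred' if the dual-stack URL completed over IPv6,
    'v6-capable' if only the IPv6-only URL did, else 'v4-only'.
    Only completed handshakes count: a SYN with no final ACK is a failed fetch."""
    seen = defaultdict(set)
    for rec in records:
        exp, url, fam = rec[0], rec[1], rec[2]
        seen[exp]  # register the experiment even if nothing completed
        if handshake_rtt(rec) is not None:
            seen[exp].add((url, fam))
    result = {}
    for exp, pairs in seen.items():
        if ("dual", 6) in pairs:
            result[exp] = "v6-preferred"
        elif ("v6only", 6) in pairs:
            result[exp] = "v6-capable"
        else:
            result[exp] = "v4-only"
    return result


def failure_rate(records, family):
    """Fraction of handshakes where the server sent a SYN-ACK but never saw the ACK."""
    tried = [r for r in records if r[2] == family and r[4] is not None]
    failed = [r for r in tried if r[5] is None]
    return len(failed) / len(tried) if tried else 0.0


def median_rtt(records, family):
    """Median handshake RTT over completed handshakes of one family."""
    rtts = [handshake_rtt(r) for r in records if r[2] == family]
    rtts = [x for x in rtts if x is not None]
    return median(rtts) if rtts else None


def paired_comparison(records):
    """Same endpoints, same transport, different IP protocol: compare the v4-only
    and v6-only pixel RTTs inside each experiment. Returns (share of experiments
    where IPv6 was faster, mean ms by which the IPv4 RTT exceeded the IPv6 RTT)."""
    by_exp = defaultdict(dict)
    for rec in records:
        rtt = handshake_rtt(rec)
        if rtt is not None and rec[1] in ("v4only", "v6only"):
            by_exp[rec[0]][rec[2]] = rtt
    diffs = [d[4] - d[6] for d in by_exp.values() if 4 in d and 6 in d]
    if not diffs:
        return 0.0, 0.0
    return sum(1 for d in diffs if d > 0) / len(diffs), sum(diffs) / len(diffs)


if __name__ == "__main__":
    print(classify(RECORDS))
    for fam in (4, 6):
        print(f"IPv{fam}: failure {failure_rate(RECORDS, fam):.1%}, "
              f"median RTT {median_rtt(RECORDS, fam)} ms")
    print("IPv6 faster share, mean advantage:", paired_comparison(RECORDS))
```

Note that e2 tried IPv6 and lost the ACK: it is counted as an IPv6 connection failure in failure_rate() but classified v4-only, which is exactly why the robustness number and the capability number are reported separately.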
29. Deployment planning
• Get your IPv6 addresses – very easy
• Address planning – not difficult
• Assess your network
⁃ Do the existing network nodes support IPv6?
  What requires updating (firmware/software)?
  What needs upgrading/replacing (hardware)?
⁃ Talk to your vendor!
• Do you have in-house skills or do you need consulting?
⁃ Talk to the community – many are willing to help!!
• Start from the backbone – not so complicated
• Deploy for enterprise customers – not difficult
30. Deployment planning - 2
• Deploy in the access network
⁃ Both financial and technical assessment required!!
  Vendors and "IPv6 consultants" will tell you otherwise
⁃ Mobile: IPv6 PDP context licence on the packet core
  Either IPv6-only or dual-stack (IPv4v6 PDP type)
⁃ Wired broadband:
  MSANs, DSLAMs, OLTs must pass the IPv6 ether-type (0x86DD) – do not assume they do
  CPEs, wireless routers, APs: https://getipv6.info/display/IPv6/Broadband+CPE
32. Broadband network (IPv4)
[Diagram: CPE/RG – DSLAM – BRAS/BNG – RADIUS (AAA); PPP access request and response (Accept/Reject) between BRAS and RADIUS; home LAN with end-user NAT behind the CPE; LSN/CGN and DHCP server either on the BRAS or centralized]
33. IPv6 over PPP (RFC 2472, since updated by RFC 5072)
• Link Control Protocol (LCP) same as for IPv4
⁃ Establishes the link and agrees packet sizes (MRU, and hence the MTU/MSS to use)
• Authentication same as for IPv4
⁃ (PAP/CHAP)
• The Network Control Protocol (NCP) for IPv6 is IPV6CP
⁃ Selects the network protocol (IPv6)
⁃ Options:
  Interface Identifier (negotiates the 64-bit interface ID used for link-local addresses and SLAAC)
  Compression Protocol (ability to receive compressed packets)
[Diagram: CPE/RG – DSLAM – BRAS/BNG, IPv6 over PPP between CPE and BRAS]
34. IPv6 CPE WAN
• CPE IPv6 address
⁃ SLAAC based on the RA (with the 'O' flag set so the CPE fetches DNS via stateless DHCPv6), or
⁃ use the link-local address only, or
⁃ DHCPv6 over PPP
• How will home devices get IPv6 addresses?
⁃ Proxy RA?
BRAS configuration as shown on the slide (Cisco IOS):
  ipv6 nd prefix 2400:db8::/64
  no ipv6 nd ra suppress
  ipv6 nd other-config-flag
[Diagram: CPE/RG – DSLAM – BRAS/BNG; ND-RA over PPP and DHCPv6 over PPP from the BRAS to the CPE; DHCPv6 server behind the BRAS; home LAN behind the CPE]
35. IPv6 on home LAN (DHCPv6-PD: RFC 3633)
• CPE requests a prefix from the BRAS (delegating router)
⁃ DHCPv6 messages over PPP
⁃ BRAS delegates a /64 prefix from the pool to the CPE (a /64 allows exactly one LAN subnet; a /56 or /48 per customer leaves room for more subnets, and for a CLAT, without renumbering)
• ND-RA to home devices by the CPE
⁃ Devices auto-configure IPv6 addresses (SLAAC) using the delegated prefix
BRAS configuration as shown on the slide (Cisco IOS): a /60 pool carved into /64 delegations
  ipv6 local pool PD-POOL 2001:db8::/60 64
  ipv6 dhcp pool DHCPv6-PD-POOL
   prefix-delegation pool PD-POOL
   dns-server 2001:db8::1
[Diagram: CPE/RG – DSLAM – BRAS/BNG; DHCPv6-PD over PPP delegates 2001:db8::/64 to the CPE; the CPE sends RAs on the home LAN; DHCPv6 server on the BRAS]
37. IPv6 in mobile networks: technology
Carrier            Economy     Deployment
Reliance Jio       India       Dual stack in 2016
SK Telecom         Korea       464XLAT in 2014
Telstra            Australia   464XLAT since 2016
T-Mobile           USA         464XLAT in 2012
Verizon Wireless   USA         Dual stack in 2011
38. Dual-stack in mobile networks
• Does NOT solve the public IPv4 depletion issue
⁃ Still need CG-NAT to access IPv4-only sites
• But effective, and the only viable and scalable way forward
⁃ Native IPv6 access to most of the major content providers
⁃ None of the scalability issues of v4 CG-NAT
⁃ And no DNSSEC issues (no DNS64 synthesis in the resolver path)
39. 464XLAT (RFC 6877)
[Diagram: mobile phone running a CLAT – IPv6-only mobile core (GGSN) – PLAT (stateful NAT64) – IPv4 Internet; the IPv6 Internet is reached natively; DNS64 in the core]
• CLAT on the phone: stateless translation (RFC 6145, since obsoleted by RFC 7915) for applications that open IPv4 sockets; they see a private IPv4 address (v4p)
• PLAT in the core: stateful NAT64 (RFC 6146)
• IPv4-embedded IPv6 addresses (RFC 6052): IPv6 /96 prefix + 32-bit IPv4 address; well-known prefix 64:ff9b::/96
40. CLAT (stateless NAT46, RFC 6145)
• When an IPv4 connection is required (an application opens an IPv4 socket)
⁃ The CLAT provides a private IPv4 address (and a default route) for applications to bind to
⁃ It needs a dedicated IPv6 /64 (ideally delegated via DHCPv6-PD) for the stateless 1:1 mapping; without one it falls back to a single IPv6 address plus stateful NAT44
⁃ It must know the PLAT side translation prefix (e.g. learned via DNS64 and ipv4only.arpa, RFC 7050)
⁃ Translated packets are routed to the PLAT (stateful NAT64)
⁃ 1:1 mapping of v4p to an IPv6 address
⁃ e.g. 2400:6400::[v4p in hex] (RFC 6052 /96 format)
41. DNS64 (RFC 6147)
• Synthesizes AAAA records from A records
⁃ Allows an IPv6-only client to reach IPv4-only hosts (via the NAT64)
⁃ If AAAA records exist, no synthesis
⁃ If only an A record exists for the queried name (after recursive resolution), synthesize an AAAA record by embedding the IPv4 address in the NAT64 prefix
[Diagram: client sends AAAA query for test.com to the DNS64; DNS64 sends the AAAA query to the authoritative DNS and gets an empty response; DNS64 then sends an A query and gets 192.168.2.10; DNS64 answers the client with the synthesized AAAA 2406:6400::C0A8:20A]
42. DNS64 example
• dns64 options statement in BIND 9.8 and later
https://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html
⁃ clients: which clients receive synthesized answers
⁃ mapped: which IPv4 addresses (from A records) may be mapped into synthesized AAAAs
⁃ exclude: IPv6 addresses to ignore if they appear in the name's AAAA records; if every AAAA falls in the exclude list, synthesize from the NAT64 prefix + IPv4 address anyway
⁃ break-dnssec yes: by default the DNS64 module does not synthesize for queries with the DO bit set (DO = 1) or for signed responses. break-dnssec yes overrides this default. However, the synthesized response carries no DNSSEC records and therefore cannot be validated by the client!
⁃ Note: rfc1918 is not a built-in BIND ACL; it has to be declared (as below) or named.conf will not load
acl rfc1918 { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };  // private ranges, never mapped
dns64 2406:6400::/96 {
    clients { any; };                  // synthesize for every client
    mapped { !rfc1918; any; };         // map any public IPv4, never RFC 1918
    exclude { 0::/3; 2001:DB8::/32; }; // AAAAs in these ranges count as absent
    break-dnssec yes;
};
43. PLAT (stateful NAT64, RFC 6146)
• IPv6 to (public) IPv4 translation
⁃ And vice versa
⁃ A binding is maintained for every translation
  Needed for the return path
⁃ N:1 mapping (conserves IPv4)
⁃ 2400:6400::[v4p in hex] to [public v4]:port (like PAT)
44. IPv6-only (iOS) to IPv4 'Internet'
[Diagram: IPv6-only phone – IPv6 mobile core (GGSN) – PLAT (NAT64) with IPv4 pool 202.70.77.1-30 – IPv4 host 192.168.2.10 (test.com); DNS64 in the core. The app uses an IPv6 socket, so no CLAT is involved.]
Over IPv6 (phone to PLAT): Src 2406:6400::9, Dst [2406:6400::C0A8:20A]:80
Over IPv4 (PLAT to server): Src 202.70.77.1:6435, Dst 192.168.2.10:80
46. IPv6 and mobile devices
• Android supports 464XLAT (since 4.4, KitKat)
⁃ But not DHCPv6
• iOS supports IPv6 over the mobile interface since iOS 9
(it has supported IPv6 on Wi-Fi for a long time!)
⁃ All apps submitted to the App Store must work on IPv6-only (NAT64/DNS64) networks since June 2016
https://developer.apple.com/support/ipv6/
47. IPv6 tethering
• RFC 6653: DHCPv6-PD for mobile (LTE) networks
⁃ 3GPP Rel-10
• RFC 7278: extending the IPv6 /64 prefix from the mobile interface to the LAN
⁃ "Flaky" support since Android 6.0 (Marshmallow)
⁃ Stop-gap until DHCPv6-PD
50. Fat-finger/Hijacks/Leaks
• Bharti (AS9498) originates 103.0.0.0/10
⁃ Dec 2017 (~ 2 days)
⁃ No damage – more than 8K more-specific routes already in the table won on longest match!
• Google brings down the Internet in Japan
⁃ Aug 2017 (~ 24 hours)
⁃ AS15169 leaked ~24K more-specifics of 114.144.0.0/12 (AS4713) to its peer Verizon (AS701)
51. Fat-finger/Hijacks/Leaks
• Google (AS15169) services downed
⁃ Nov 2012 (~ 30 minutes)
⁃ Moratel Id (AS23947) leaked Google prefixes to its upstream (AS3491)
  AS path: … 3491 23947 15169
• YouTube (AS36561) incident
⁃ Feb 2008 (down for ~ 2 hours)
⁃ PT (AS17557) announced 208.65.153.0/24, a more-specific of YouTube's 208.65.152.0/22
  Propagated by AS3491 (PCCW)
52. How do we address this…
• Filters!!!
⁃ On both ends of every eBGP session
  AS-PATH filters, prefix-lists, max-prefix limits
⁃ Only announce/originate your own prefixes (and your downstreams')
⁃ Only accept your peer's prefixes (and their downstreams')
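What those three filters look like on one customer-facing eBGP session, as an added example in Cisco IOS syntax (not from the deck). All AS numbers and prefixes are documentation values chosen for the example: we are AS64500 holding 192.0.2.0/24, the customer is AS64496 holding 203.0.113.0/24, and its downstream AS64497 holds 198.51.100.0/24; the neighbor addresses are assumed.

```text
! Inbound prefix-list: exactly the customer's prefix and its downstream's, nothing else.
! Add "le 24"-style more-specific allowances only where agreed in writing.
ip prefix-list CUST64496-IN seq 5   permit 203.0.113.0/24
ip prefix-list CUST64496-IN seq 10  permit 198.51.100.0/24
ip prefix-list CUST64496-IN seq 100 deny 0.0.0.0/0 le 32

! Inbound AS-path: originated by the customer, or by its downstream directly behind it.
! A path such as "64496 15169" (the Moratel/Google leak pattern on slide 51) fails both.
ip as-path access-list 10 permit ^64496(_64496)*$
ip as-path access-list 10 permit ^64496(_64496)*_64497(_64497)*$

! Outbound: advertise only what we hold (and, if any, our own downstreams' prefixes).
ip prefix-list OURS-OUT seq 5   permit 192.0.2.0/24
ip prefix-list OURS-OUT seq 100 deny 0.0.0.0/0 le 32

router bgp 64500
 neighbor 192.0.2.2 remote-as 64496
 neighbor 192.0.2.2 prefix-list CUST64496-IN in
 neighbor 192.0.2.2 filter-list 10 in
 neighbor 192.0.2.2 prefix-list OURS-OUT out
 ! Hard cap: the session is torn down above 10 prefixes and retried after 15 minutes,
 ! which bounds the damage of a full-table leak even if the lists above are wrong.
 neighbor 192.0.2.2 maximum-prefix 10 restart 15
```

The same three controls belong on the customer's side of the session (accept only a default or full table from the upstream, announce only its own prefixes), which is what "on both ends" means on the slide.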
53. Goals of RPKI
• To authoritatively prove who the legitimate holder of an IP prefix is and which AS(es) may originate it
⁃ By attaching digital certificates to number resources (AS numbers and IP addresses)
• The chain of trust follows the allocation hierarchy
⁃ IANA -> RIRs -> ISPs -> End Customers
54. Benefits of RPKI
• Prevents route hijacking (where routers reject Invalid routes)
⁃ A prefix originated by an AS without authorization
⁃ Reason: malicious intent
⁃ Caveat: origin validation checks only the origin AS; a hijacker who forges an AS path ending in the legitimate origin passes ROV, so ROV complements the filters on the previous slide rather than replacing them
• Prevents mis-origination
⁃ A prefix mistakenly originated by an AS that does not hold it
⁃ Also some route leaks: leaked more-specifics beyond the ROA's maxLength become Invalid, but a leak that re-announces prefixes with their correct origin is not caught by ROV
⁃ Reason: configuration mistakes/fat finger
55. RPKI profile
• Resource certificates are based on the X.509 v3 certificate format (RFC 5280)
• Extended by RFC 3779, which binds a list of resources (IPv4/IPv6 prefixes, ASNs) to the subject of the certificate
• SIA (Subject Information Access): contains a URI that references the repository directory where this CA publishes
[Diagram: X.509 certificate containing the RFC 3779 extension (IP resources: addresses and ASNs), the SIA URI where this CA publishes, and the owner's public key; signed by the parent CA's private key]
59. Validation states (RFC 6811)
• Valid
⁃ A ROA covers the prefix, its AS matches the origin AS, and the prefix length does not exceed the ROA's maxLength
• Invalid
⁃ A covering ROA exists, but the origin AS is wrong, or
⁃ The prefix length is longer than the maximum length
• Not Found / Unknown
⁃ No ROA covers the prefix
⁃ Neither valid nor invalid
Perhaps no ROA was ever created!
60. Policies based on validation
• Define your policy based on the validation state
⁃ Do nothing (observe)
⁃ Tag with BGP communities
⁃ Modify preference values (RFC 7115: prefer Valid over Not Found, and Not Found over Invalid)
⁃ Drop the announcement (paranoid)
Before dropping Invalids, verify against other databases (IRR whois): many Invalids are stale or mis-registered ROAs rather than hijacks
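The three states of slide 59 and the policy ladder of slide 60, as an added Python example (not router or validator code). The ROAs and routes are constructed from documentation prefixes and private AS numbers; the community values are illustrative, and the YouTube ROA is hypothetical (no ROA existed in 2008). The check itself is the RFC 6811 procedure, so it also handles cases the slide does not spell out, such as an AS0 ROA or a route covered by several ROAs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "203.0.113.0/24"
    max_length: int  # longest prefix the origin may announce under this ROA
    asn: int         # authorised origin AS (0 = nobody may originate)

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


# Constructed ROA set (documentation prefixes, private ASNs); not real RPKI data.
ROAS = [
    ROA("203.0.113.0/24", 24, 64496),
    ROA("192.0.2.0/24", 26, 64500),       # more-specifics down to /26 allowed
    ROA("2001:db8::/32", 48, 64496),
    ROA("208.65.152.0/22", 22, 36561),    # hypothetical ROA for the YouTube case on slide 51
]


def validate(route_prefix, origin_asn, roas=ROAS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    prefix = ipaddress.ip_network(route_prefix)
    covering = [r for r in roas
                if r.network.version == prefix.version and prefix.subnet_of(r.network)]
    if not covering:
        return "not-found"       # no ROA says anything about this prefix
    for roa in covering:
        # A ROA matches only if BOTH the origin AS and the length bound agree;
        # an AS0 ROA can never match, so it makes every announcement Invalid.
        if roa.asn == origin_asn and origin_asn != 0 and prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def policy(state, mode="drop"):
    """Map a validation state to the actions on slide 60.
    'observe': accept everything, only tag with a community;
    'prefer' : RFC 7115 style, prefer Valid over Not Found over Invalid;
    'drop'   : reject Invalid outright (the slide's 'paranoid' option).
    Community values are assumed for illustration, not a standard."""
    tag = {"valid": "64500:1001", "not-found": "64500:1002", "invalid": "64500:1003"}[state]
    if mode == "observe":
        return {"accept": True, "local_pref": 100, "community": tag}
    if mode == "prefer":
        pref = {"valid": 110, "not-found": 100, "invalid": 90}[state]
        return {"accept": True, "local_pref": pref, "community": tag}
    if mode == "drop":
        return {"accept": state != "invalid",
                "local_pref": 110 if state == "valid" else 100,
                "community": tag}
    raise ValueError(f"unknown mode {mode}")


def evaluate(route_prefix, origin_asn, mode="drop", roas=ROAS):
    """Validate one announcement and return (state, policy decision)."""
    state = validate(route_prefix, origin_asn, roas)
    return state, policy(state, mode)


if __name__ == "__main__":
    for pfx, asn in [("203.0.113.0/24", 64496), ("203.0.113.0/25", 64496),
                     ("203.0.113.0/24", 64497), ("198.51.100.0/24", 64496),
                     ("208.65.153.0/24", 17557)]:
        print(pfx, asn, evaluate(pfx, asn))
```

Run in 'observe' mode first: the 208.65.153.0/24 case shows that a hijack is Invalid for two independent reasons (wrong origin and length beyond maxLength), whereas a legitimate holder announcing a /25 under a /24-maxLength ROA is Invalid too, which is the kind of self-inflicted Invalid the slide's IRR cross-check is meant to catch before you switch to 'drop'.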
61. RPKI caveats
• When the RTR session goes down, the router keeps its cached ROAs only until the RTR expire interval passes; after that every route becomes NOT FOUND
⁃ Invalid => Not Found, so a policy that accepts Not Found silently fails open
⁃ We need several RTR sessions (at least 2, to independent validators) or need to be careful with filtering policies
• In case of a router reload, which arrives first: the ROAs or the BGP updates?
⁃ If BGP routes arrive before the ROAs, the router evaluates them as Not Found and propagates routes that are in fact Invalid to its iBGP peers until the cache is loaded and the routes are re-evaluated
63. Training & TA
2018 (to date):
Face-to-face training: 9 courses in 7 economies, 7 cities; 310 trainees
Community trainers: 11
eLearning: 17 sessions; 53 trainees
Training videos: 128; 549,229 views
[Photos: TA in Indonesia; training in Lao PDR]
training.apnic.net
64. APNIC Academy
• Launched April 2017
• Free public access
• 2017 courses: ‘Introduction to CyberSecurity’, ‘IRM, Routing’
• Enrolled: 1,806
• Certified: 338
• Coming:
⁃ Introduction to IPv6
⁃ Internet Routing Protocols
⁃ APNIC Address Policies
⁃ DNS Concepts
apnic.academy
65. Community
• NOGs: participated in 24 NOGs (2017); 3 (2018 to date)
• Root servers: J-root installed in NP; in progress at PG and FJ
• MoUs: Sri Lanka CERT|CC, ISC, KISA, APIA, Netnod
• IXPs: support in PG and FJ
• Fellowships: 48 fellows at APNIC 44 (23 female), new Returning Fellows category
• Sponsorships: 40 regional events (including 19 NOGs)
[Photo: PacNOG 30, FJ]
66. Security
• Security training: 30 courses (2017); 1 (2018 to date)
• LEA training (2017): 4 events – SG (2), FJ and KR
• Other engagements (2017): 37 – APSIG 2017, APrIGF 2017, ASEAN, KISA APISC, CNCERT, INTERPOL SG, APCERT, RISE, ITU Cyberdrill
• FIRST: MoU signed, events at APRICOT 2017 and APNIC 44
• Adli Wahid re-elected to the FIRST Board
• Security team: additional Internet Security Specialist
• Security blog posts: 65 (to date)
apnic.net/security
[Photo: Adli Wahid]
67. IPv6
• Training: 24 face-to-face, 712 trainees (2017); 3 face-to-face, 110 trainees (2018 to date)
• eLearning: 25 sessions, 153 trainees (2017); 3 sessions, 6 trainees (2018 to date)
• Regional events: 16 presentations (2017)
• Joint APNIC/ITU IPv6 Infrastructure Security Workshops in TH and BT
• Revamped IPv6 web pages, 20 deployment success stories
• World IPv6 Day, 6/6/2017: video, blogs, social media, Member emails
• IPv6 blog posts: 77 (to date)
apnic.net/ipv6
[Photo: APNIC/ITU IPv6 Workshop 2017, Bangkok]
68. Policies can change the Internet
Address policies created by people like you have…
• Ensured each RIR fairly received a final /8 of IPv4 address space
• Ensured IPv4 addresses are still available for new businesses and networks
• Removed barriers to innovation and competition
• Ensured emerging economies did not miss out on IPv4 addresses
• Allowed transfers of addresses between organizations and regions
• Created fair rules for the distribution of IPv6
Speaker notes:
Their IP penetration per head is under 40%, so they have huge future growth. They cannot satisfy this with v4, and so are staring at CGN. MN needs IPv6.
In June, it was about 16%.
Accessing IPv4 content still needs to traverse CG-NAT.
88% of their allocated IPv4 is visible: they are using everything they have (this is high visibility).
They have no shortage of v6 per capita, but they need more of the active ASNs to announce it.
Assignments so far – 122; 1 from AP
Most of the ASNs they have are visible: 37 of 47. But only 6 announce IPv6, and only 19% of the allocated v6 is visible.
Generally, we see network performance either as carrying capacity/throughput, or as end-to-end delay, or as the level of delay variation or jitter. Each of these parameters could affect an application's performance: data transfer is affected by carrying capacity and by end-to-end delay, while a raw encoding of a voice or video stream could be more sensitive to jitter than to the end-to-end delay.
But when we are looking at the relative performance of two different IP protocols, many of these performance concepts fall out of scope.
TA provided in Philippines, PNG, Fiji – ANY OTHERS