Vivek Nigam, Tashi Phuntsho, and Che-Hoo Cheng from APNIC give an update about APNIC's services and new initiatives at a Member Gathering in Mongolia.

1. 1
APNIC Member Gathering
12 April 2018, Ulaanbaatar
Che-Hoo Cheng: Infrastructure & Development Director
Tashi Phuntsho: Senior Network Analyst
Vivek Nigam: Member Services Manager

2. Topics of interest
2
15
13
10
5
IPv6 deployment
case studies
Global IP address
allocation
IPv4 address
transfers
RPKI and routing
security

3. APNIC
3
“A global, open,
stable and secure
Internet that serves
the entire Asia
Pacific community”

4. Activities
4
Serving APNIC Members
Supporting Regional Internet
Development
Cooperating with the Global
Internet Community

5. IPv4 Delegations
5
As at 28 Feb
0
500
1000
1500
2000
2500
3000
3500
4000
2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018
East Asia
Oceania
South East Asia
South Asia

6. Available IPv4 /8s in each RIR
6
Dec, 2017 NRO

7. Remaining address pool consumption
7

8. IPv4 transfer requests
8
0
50
100
150
200
250
300
2010 2011 2012 2013 2014 2015 2016 2017
Between RIR Regions
Within APNIC Region
As at 28 Feb

9. IPv4 transfer policy
9
• Feb, 2010 Prop-050: IPv4 address transfers
• Aug, 2011 Prop-095: Inter-RIR IPv4 address transfers
• Nov, 2011 Prop-096: Maintaining demonstrated needs
• Sep, 2017 Prop-116: Prohibit to transfer IPv4 addresses
in the final /8 block

10. IPv4 addresses transferred
10.8 Million595K 111K128K
17.2 Million
March 2018

11. 11
202.131.224.0/19 MobiCom Corporation to Mobinet LLC
202.21.96.0/19 MobiCom Corporation to Mobinet LLC
27.123.212.0/22 Mobinet LLC to MobiCom Corporation
203.174.26.0/24 Unison Networks Limited to YokozunaNET
66.181.160.0/19 ARIN/BARDL to MCS Com Co Ltd
64.119.16.0/20 ARIN/NORTH-95 to MCS Com Co Ltd
IPv4 transfers in Mongolia
https://www.apnic.net/manage-ip/manage-resources/transfer-resources/transfer-logs/

12. Transfer services @ APNIC
• Pre-approval
• Transfer listing service
• Transfer mailing list
• Registered IPv4 brokers
12

13. Ideas for improvements
• Automating renewal of pre-approval service
• Listing service for Members with available IPv4 addresses
• Validating resource custodianship using RPKI
• Checking quality of IPv4 resources
• Incorporating Inter-RIR transfer form in MyAPNIC
13

14. Membership growth in Mongolia
14
0
5
10
15
20
25
30
35
40
45
50
2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
Member Count Visible ASN

15. About Mongolia
3,121,772 people
1,111,350 users
36% penetration
47 ASes
11.18B GDP
IPv4 36 in BGP
233,472 addresses
0.07 per head
88% visible
IPv6 6 in BGP
68,719 M addresses
22,013 per head
19% visible
0% capability

16. IPv6 adoption stats - Google
https://www.google.com/intl/en/ipv6/statistics.html

17. Top 1000 websites - IPv6
http://www.worldipv6launch.org/measurements/
26% as of
7 April 2018

18. End-user readiness - APNIC Labs
4 April 2018: 17.43%
30% increase in last 12 months!
https://stats.labs.apnic.net/ipv6/

19. How we measure
• Uses advertisement to load measurement script (HTML5/flash) on user’s browser
 Over 2M measurements/day!!
• Script fetches three invisible pixels
⁃ IPv4 only URL
⁃ IPv6 only URL
⁃ Dual-stack URL
• If:
⁃ Fetches IPv6 URLs (native/dual-stack) over IPv6, device is deemed IPv6 capable
⁃ Fetches the dual-stack URL using IPv6, its deemed to prefer IPv6 (HE bias – RFC6555?)
 Only Chrome – 300ms (Firefox and Opera parallel; OS X and iOS – 25ms)

20. IPv6 table – East Asia
https://stats.labs.apnic.net/ipv6/

21. IPv6 capable
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
2011-10
2012-01
2012-04
2012-07
2012-10
2013-01
2013-04
2013-07
2013-10
2014-01
2014-04
2014-07
2014-10
2015-01
2015-04
2015-07
2015-10
2016-01
2016-04
2016-07
2016-10
2017-01
2017-04
2017-07
2017-10
2018-01
%IPv6Capable MN

22. IPv6 capability – Mongolia

23. IPv6 interconnection - Mongolia
23
As at 28 Feb

24. IPv6 performance
• Is IPv6 inferior to IPv4 in terms of service performance?
• Two sessions between the same
endpoints
• Same e2e transport protocol
• Same applications at each end
• Different IP protocol used by the two
sessions

25. IPv6 performance
• Enough data collected to analyze IPv6 performance
⁃ APNIC Labs
• Is IPv6 as robust as IPv4?
– Do all TCP connection attempts succeed?
• Connection failure = no ACK for an acknowledged
SYN
– IPv4 connection failure sits at 0.2%
– IPv6 connection failure sits at 1.6% (8 times higher!)
• PMTUD (ICMPv6 filters)?

26. IPv6 performance
• Enough data collected to analyze IPv6 performance
⁃ APNIC Labs
• Is IPv6 as fast as IPv4? (IPv6 unicast)
– Comparison of RTT (not implicit RTT)
• Time since SYN till ACK
• factors out any congestion issues
– IPv6 is faster about half of the time
• 45ms faster (world average)
• NAT?
• IPv4 and IPv6 using different paths (different peering policies for IPv4 and IPv6)?
– IPv6 as fast as IPv4

27. Routing path and performance
IPv4 RTT – 325ms
IPv6 RTT – 213ms
https://labs.apnic.net/?p=850

28. 28
IPV6 DEPLOYMENT??

29. Deployment planning
• Get your IPv6 address – very easy 
• Address planning – not difficult 
• Assess your network
⁃ Do the existing network nodes support IPv6?
 What requires updating (fw/sw)?
 What needs upgrading/replacing (hw)?
⁃ Talk to your vendor!
• Do you have in-house skills or need consulting?
⁃ Talk to the community – many are willing to help!!
• Start from the backbone – not so complicated
• Deploy for enterprise customers – not difficult

30. Deployment planning - 2
• Deploy in access network
⁃ Both financial and technical assessment required!!
 Vendors and ”IPv6 consultants” will tell you otherwise 
⁃ Mobile: IPv6 PDP license 
 Either IPv6-only or dual-stack (IPv4v6)
⁃ Wired broadband:
 MSANs, DSLAMS, OLTs should carry IPv6 ether-type (do not assume)
 CPEs, wireless routers, APs: https://getipv6.info/display/IPv6/Broadband+CPE

31. 31
IPV6 IN BROADBAND
NETWORK (FIXED)

32. Broadband network (IPv4)
PPP Access
Request &
Response
(Accept/Reject
)
RADIUS (AAA)BRAS/BNGDSLAMCPE/RG
Home LAN
End user NAT
LSN/CGN
DHCP Server
On the BRAS Centralized

33. IPv6 over PPP (RFC 2472)
• Link Control Protocol (LCP) same as in IPv4
⁃ Establish the connection, agree packet sizes (MTU/MSS)
• Authentication same as IPv4
⁃ (PAP/CHAP)
• Network Control Protocol (NCP) for IPv6 is IPV6CP
⁃ Choose the network protocol (IPv6)
⁃ Options:
 Interface Identifier (to negotiate the 64-bit int-id for SLAAC)
 Compression Protocol (ability to received compressed packets)
IPv6 over
PPP
BRAS/BNGDSLAMCPE/RG

34. IPv6 CPE WAN
• CPE IPv6 address
⁃ SLAAC based on the RA (and set ‘O’ flag for DNS), or
⁃ use the link-local, OR
• DHCPv6 over PPP
• How will home devices get IPv6 address?
⁃ Proxy RA?
ipv6 nd prefix 2400:db8::/64
no ipv6 nd ra suppress
ipv6 nd other-config-flag
ND-RA over
PPP
BRAS/BNGDSLAMCPE/RG
Home LAN
DHCPv6 over
PPP
DHCPv6
Server

35. IPv6 on home LAN (DHCPv6-PD: RFC 3633)
• CPE requests prefix from BRAS (delegator)
⁃ DHCPv6 messages over PPP
⁃ BRAS delegates /64 prefix from the pool to CPE
• ND-RA to home devices by CPE
⁃ Auto-configure IPv6 address (SLAAC) using the delegated prefix
BRAS/BNGDSLAMCPE/RG
Home LAN
DHCPv6-PD over
PPP
(2001:db8::/64)ipv6 local pool PD-POOL 2001:db8::/60 64
ipv6 dhcp pool DHCPv6-PD-POOL
prefix-delegation pool PD-POOL
dns-server 2001:db8::1
RA
DHCPv6
Server

36. 36
IPV6 IN MOBILE NETWORKS

37. IPv6 in mobile networks: technology
Carrier Economy Deployment
Reliance Jio India Dual stack in 2016
SK Telecom Korea 464XLAT in 2014
Telstra Australia 464XLAT since 2016
T-Mobile USA 464XLAT in 2012
Verizon Wireless USA Dual stack in 2011

38. Dual-stack in mobile networks
• Does NOT solve IPv4 (public) depletion issue
⁃ Still need to use CG-NAT to access IPv4-only sites
• But effective, and the only viable and scalable way forward
⁃ IPv6 native access to most of the major content providers
⁃ None of the scalability issues of v4 CG-NAT
⁃ And of course, no DNSSEC issues

39. 464XLAT (RFC 6877)
CLAT
(NAT64
)v4p
(v4 sockets)
v6
IPv6
Mobile Core
GGSN
IPv4
Internet
IPv6
Internet
Mobile Phone
DN
S
64
PLAT
(NAT64)
IPv4 embedded IPv6:
IPv6 /96 + 32 bit IPv4
(RFC6052)
Stateless NAT64
(RFC6145)
Statelful NAT64
(RFC6146)
64:ff9b::/96

40. CLAT (Stateless NAT64) (RFC 6145)
• When IPv4 connection is required (an IPv4 socket)
⁃ CLAT function provides private IPv4 address (and default route for
applications to bind to)
⁃ a dedicated prefix (/64 or /96) for stateless translation (DHCPv6)
⁃ must know the PLAT side translation prefix
⁃ Route connections to the PLAT (stateful NAT64)
⁃ 1:1 mapping
⁃ 2400:6400::[v4p in HEX] (RFC6052)

41. DNS64 (RFC 6147)
• Generate AAAA records from A records
⁃ Allows IPv6-only client to talk to IPv4 hosts
⁃ If ‘AAAA’ records exists, no synthesis
⁃ If only ‘A’ record exist for the queried name (after recursive query),
synthesize to AAAA record
DNS
64
AAAA Query:
test.com
Authoritative
DNS
AAAA Query: test.com
Empty Response
A Query: test.com
Response: 192.168.2.10
Response:
2406:6400::C0A8:20A

42. DNS64 example
• DNS64 options statement in BIND9.8
https://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html
⁃ mapped: which IPv4 addresses are to be mapped (A records)
⁃ exclude: list of IPv6 addresses to ignore if they appear in the domain’s AAAA records (synthesize it from
the NAT64 prefix+v4 address)
⁃ break-dnssec yes: by default, DNS64 module does not process secure queries (DO = 1) or responses.
The break-dnssec yes overrides this default.
 However, the synthesized response will not have any DNSSEC records added and therefore cannot be verified by the client!
dns64 2406:6400::/96 {
clients {any;};
mapped {!rfc1918; any;};
exclude {0::/3; 2001:DB8::/32;};
break-dnssec yes;
};

43. PLAT (Stateful NAT64) (RFC 6146)
• IPv6 to IPv4 translation (public)
⁃ And vice versa
⁃ Bindings for every translation maintained
 Need a return path
⁃ N:1 mapping (conserves IPv4)
⁃ 2400:6400::[v4p in HEX] to [v4]:port (~PAT)

44. IPv6-only (iOS) to IPv4 ‘Internet’
CLAT
(NAT64
)v4p
(v4 sockets)
v6
IPv6
Mobile Core
GGSN
IPv4
Internet
Mobile Phone
DN
S
64
PLAT
(NAT64)
Dst: [2406:6400::C0A8:20A]:80
Src: 2406:6400::9
192.168.2.10
(test.com)
IPv4 Pool: 202.70.77.1-30
Dst: 192.168.2.10:80
Src: 202.70.77.1:6435
Over IPv6
Over IPv4

45. v4p (Android) to IPv4 ‘Internet’
CLAT
(NAT64
)v4p
(v4 sockets)
v6
IPv6
Mobile Core
GGSN
IPv4
Internet
Mobile Phone
PLAT
(NAT64)
Stateless XLATE prefix:
2406:6400:EEEE::/96
PLAT-side XLATE prefix:
2406:6400:AAAA::/96
v4p address (Src): 192.168.12.99
Dst: 202.69.185.252:80
IPv4 Pool: 202.70.77.1-30
PLAT-side XLATE prefix:
2406:6400:AAAA::/96
Src: 202.70.77.1:888
Dst: 202.69.185.252:80
202.69.185.252
IPv6 Src:
2406:6400:EEEE::C0A8:C63
IPv6 Dst:
[2406:6400:AAAA::CA45:B9FC]
:80

46. IPv6 and mobile devices
• Android supports 464XLAT (4.4 - KitKat)
⁃ But not DHCPv6 
• IPv6 supported over mobile interface since iOS 9
(supported IPv6 on WiFi for a long time!)
⁃ All apps submitted to App Store must support IPv6 (only) since June
2016
 https://developer.apple.com/support/ipv6/

47. IPv6 tethering
• RFC 6653:DHCPv6-PD for Mobile Networks
⁃ 3GPP Rel-10
• RFC 7278: Extending IPv6 /64 prefix from Mobile interface
to LAN
⁃ “Flaky” support since Android 6.0 (Marshmallow)
⁃ Stop-gap until DHCPv6-PD

48. References
• IPv6 in Mobile Networks – Telstra
⁃ Sunny Yeung, Senior Technology Specialist
⁃ Presentation @APNIC 41 (Feb 2016)
⁃ https://conference.apnic.net/data/41/yeung.-s-tutorial-apricot-
2016_1455689286.pdf
• 464XLAT: Breaking free of IPv4 - TMobile
⁃ Cameron Byrne’s presentation at SANOG 23 (Jan 2014)
⁃ http://www.sanog.org/resources/sanog23/SANOG23_464XLAT.pdf

49. www.apnic.net/ipv6

50. Fat-finger/Hijacks/Leaks
• Bharti (AS9498) originates 103.0.0.0/10
⁃ Dec 2017 (~ 2 days)
⁃ No damage – more than 8K specific routes!
• Google brings down Internet in Japan
⁃ Aug 2017 (~ 24 hours)
⁃ AS15169 leaked ~24K specifics of 114.144.0.0/12 (AS4713) to its
peers
 Verizon (701)
50

51. Fat-finger/Hijacks/Leaks
• Google (AS15169) services downed
⁃ Nov 2012 (~ 30 minutes)
⁃ Moratel Id (AS23947) leaked Google prefixes to its upstream
(AS3491)
 AS path: … 3491 23947 15169
• YouTube (AS36561) Incident
⁃ Feb 2008 (down for ~ 2 hours)
⁃ PT (AS17557) announced 208.65.153.0/24 (208.65.152.0/22)
 Propagated by AS3491 (PCCW)
51

52. How do we address this…
• Filters!!!
⁃ On both ends of a eBGP session
 AS-PATH, prefix-list, max-prefix limit
⁃ Only announce/originate your own prefix (and your
downstream)
⁃ Only accept your peer’s prefix (and their downstream)
52

53. Goals of RPKI
• To authoritatively prove who is the legitimate holder of an IP
prefix and which AS(es) can originate
⁃ Attaching digital certificates to network resources (AS number and IP
address)
• The chain of trust follows the allocation hierarchy
⁃ IANA -> RIRs -> ISPs -> End Customers
53

54. Benefits of RPKI
• Prevents route hijacking
⁃ A prefix originated by an AS without authorization
⁃ Reason: malicious intent
• Prevents mis-origination
⁃ A prefix that is mistakenly originated by an AS that does not own it
⁃ Also route leakage
⁃ Reason: configuration mistakes/fat finger
54

55. RPKI profile
55
• Resource certificates are based
on the X.509 v3 certificate format
(RFC 5280)
• Extended by RFC 3779 – binds a
list of resources (IPv4/v6, ASN)
to the subject of the certificate
• SIA – Subject Information Access;
contains a URI that references
the directory
X.509 Cert
RFC 3779
Extension
IP Resources
(Addr & ASN)
SIA – URI where
this Publishes
Owner’s Public Key
CA
Signedbyparent’spvtkey

56. Trust Anchor (TA)
56
Source : http://isoc.org/wp/ietfjournal/?p=2438

57. Single Trust Anchor
57
• Feb 2018: a single expanded trust anchor
– https://blog.apnic.net/2018/02/27/updating-rpki-trust-anchor-configuration/
APNIC “All Resources” CA
Intermediate (online) CA
“From AFRINIC”
certificate
“From ARIN”
certificate
“From IANA”
certificate
“From LACNIC”
certificate
“From RIPE-NCC”
certificate

58. Origin validation
58
RPKI-to-Router
(RtR)
RPKI
Cache Validator
2406:6400::/32-48
17821
.1/:1
.2/:2
AS17821
AS4826
Global
(RPKI)
Repository
ROA
2406:6400::/32-48
17821
TA
TA
TA
2406:6400::/48

59. Validation states
• Valid
⁃ The prefix and AS pair are found in the database
• Invalid
⁃ Prefix is found, but origin AS is wrong, or
⁃ The prefix length is longer than the maximum length
• Not Found / Unknown
⁃ No valid ROA found
⁃ Neither valid nor invalid
 Perhaps not created!
59

60. Policies based on validation
• Define your policy based on the validation state
⁃ Do nothing (observe)
⁃ Label BGP communities
⁃ Modify preference values
 RFC7115
⁃ Drop the announcement (paranoid)
 Invalid - but verify against other databases (IRR whois)
60

61. RPKI caveats
• When RTR session goes down, the RPKI status will be
NOT FOUND for all routes after a while
⁃ Invalid => Not Found
⁃ We need several RTR sessions (at least 2) or need to be careful with
filtering policies
• In case of a router reload, which one is faster, receiving
ROAs or receiving BGP updates?
⁃ If receiving BGP routes is faster than ROA, the router will propagate
the invalid routes to its iBGP peers
61

62. https://www.apnic.net/roa
62

63. Training & TA
63
TA- Indonesia
2018 (to date)
Face-to-face training
Locations
Trainees
9
7 economies; 7 cities
310
Community Trainers 11
eLearning sessions
Trainees
17
53
Training videos
Views
128
549,229
Training, Lao PDR training.apnic.net

64. APNIC Academy
64
• Launched April 2017
• Free public access
• 2017: ‘Introduction to
CyberSecurity’, ‘IRM, Routing’
• Enrolled: 1,806
• Certified: 338
• Coming:
• Introduction to IPv6
• Internet Routing
Protocols
• APNIC Address Policies
• DNS Concepts
apnic.academy

65. Community
65
• NOGs: Participated in 24 NOGs
(2017); 3 (2018 to date)
• Root servers: J-root installed in NP;
in progress at PG and FJ
• MoUs: Sri Lanka CERT|CC, ISC,
KISA, APIA, Netnod
• IXPs: Support in PG and FJ
• Fellowships: 48 fellows at APNIC 44
(23 female), new Returning Fellows
category
• Sponsorships: 40 regional events
(including 19 NOGs)
PacNOG 30, FJ

66. Security
66
• Security training: 30 courses (2017); 1
(2018 to date)
• LEA training (2017): 4 events
SG (2), FJ and KR
• Other engagements (2017): 37
APSIG 2017, APrIGF 2017, ASEAN,
KISA APISC, CNCERT, INTERPOL SG,
APCERT, RISE, ITU Cyberdrill
• FIRST: MoU signed, Events at
APRICOT 2017 and APNIC 44
• Adli Wahid re-elected to FIRST
Board
• Security team: Additional Internet
Security Specialist
• Security blog posts: 65 (to date)
apnic.net/security
Adli Wahid

67. IPv6
67
apnic.net/ipv6
APNIC/ITU IPv6
Workshop 2017,
Bangkok
• Training: 24 face-to-face, 712 trainees
(2017); 3 face-to-face; 110 trainees (2018 to
date)
• eLearning: 25 sessions, 153 trainees (2017);
3 sessions, 6 trainees (2018 to date)
• Regional events: 16 presentations (2017)
• Joint APNIC/ITU IPv6 Infrastructure Security
Workshops in TH and BT
• Revamped IPv6 web pages, 20 deployment
success stories
• World IPv6 Day, 6/6/2017: video, blogs,
social media, Member emails
• IPv6 blog posts: 77 (to date)

68. Policies can change the Internet
68
• Ensured each RIR fairly received a final /8
of IPv4 address space
• Ensured IPv4 addresses are still available
for new businesses and networks
• Removed barriers to innovation and
competition
• Ensured emerging economies did not
miss out on IPv4 addresses
• Allowed transfers of addresses between
organizations and regions
• Created fair rules for the distribution of
IPv6
Address policies
created by people like
you have…

69. Get involved!
69
Follow policy
discussions at
conferences & online
Join the Policy SIG
Mailing list
Have your say!
Discuss your policy
ideas

70. Coming Soon
70

71. Stay in Touch!
71
blog.apnic.net
apnic.net/social

72. https://www.surveymonkey.com/r/APNIC-MN
72