Another driver for v6?

Steven_Bellovin · October 29, 2008, 2:40am

According to
http://www.nytimes.com/external/idg/2008/10/28/28idg-10-best-feature.html
Windows 7 will have a cool feature called DirectAccess that "requires
deploying IPv6 and IPsec". I know nothing more of this feature than is
in the article, but if accurate it may create a client-centric demand
for v6, i.e., desirable new functionality that isn't available on v4.

Of course, Windows 7 will have to ship first, and then get deployed in
the enterprise...

--Steve Bellovin, http://www.cs.columbia.edu/~smb

Nathan_Ward · October 29, 2008, 3:11am

Thanks, Teredo.

Interesting point, IPSEC is really useful in IPv6, especially transport mode opportunistic encryption/authentication. But, that requires (in my understanding) keys in DNS, which really needs a secure DNS infrastructure to be, well, secure...

stir stir stir

Notice the DNSSEC support at the end of page one and beginning of page two.

Matthew_Kaufman · October 29, 2008, 3:13am

Nathan Ward wrote:

According to
http://www.nytimes.com/external/idg/2008/10/28/28idg-10-best-feature.html
Windows 7 will have a cool feature called DirectAccess that "requires
deploying IPv6 and IPsec". ...

Thanks, Teredo.

Interesting point, IPSEC is really useful in IPv6, especially transport mode opportunistic encryption/authentication. But, that requires (in my understanding) keys in DNS, which really needs a secure DNS infrastructure to be, well, secure...

...

The new UDP-based RTMFP protocol that just shipped in Flash Player 10 will automatically use IPv6 for both client-server (to Flash Media Server) and direct Flash Player-to-Flash Player communication if there is a working IPv6 path between the endpoints and it is at least as fast or faster than the IPv4 path latency-wise. (Not that there are many of those these days... but as they start to exist, you'll start seeing the traffic on them) It is also encrypted and (in some cases) authenticated.

Matthew Kaufman
matthew@eeph.com
http://www.matthew.at

Mikael_Abrahamsson · October 29, 2008, 6:59am

Microsoft has been at at least two events I've attended and done presentations about a strategy that sounds like what you're talking about.

They claim they will deploy IPv6 in their worldwide enterprise network, do away with central based enterprise firewalls and do host-to-host IPv6+IPSEC, Active Directory based certificates for authentication.

They indicate this as a strategy to do away with VPN clients, so in order to reach your work resources from home you'd need to have some kind of IPv6 connectivity, tunneled or not. You'd then connect to all resources using IPv6 totally transparently to you. All security would be host based.

I am quite impressed by this strategy as it re-implements the end-to-end principle of the Internet that most of us appreciate. I also bought their claim about much improved security and their 5 year long track of no remote exploits like Slammer, when they had to release their emergency patch for that RPC based remote exploit the other week, which kind of broke their streak...

Let's hope they can sell this to all the enterprise guys, as I am very tired of all the problems caused by multiple layers of NATs and PAT.

Joe_Maimon1 · October 29, 2008, 3:32pm

Mikael Abrahamsson wrote:

Bruce_Curtis · October 29, 2008, 10:29pm

Microsoft, on 200,000 computers at the time of the paper below.

http://technet.microsoft.com/en-us/library/bb735174.aspx

We have a couple of departments using IPsec here and one more seriously looking at it. (Mainly a matter of finding time to test and implement.)

Plus there are at least a couple of other Universities.

http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=14258&LanguageID=1

https://members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=14205&LanguageID=1

And I see a City has been added to the list.

http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000000161

http://www.cu.ipv6tf.org/pdf/v6security_6Sense_Jan2006.pdf

Steven_King · October 29, 2008, 10:32pm

Kind of a side question but we have not implemented IPv6 in our network
yet, nor have we made any plans to do this in the near future. Our
management does not see a need for it as our customer base is not
requesting it at this time.

Does anyone see any benefits to beginning a small deployment of IPv6 now
even if its just for internal usage?

Bruce Curtis wrote:

Nathan_Ward · October 29, 2008, 10:41pm

Do your customers ask for IPv4, or do they just connect to the "Internet" as you tell them?
Your customers are never going to ask, unless they have some propeller-head who wants to be on the latest "version of the Internet".

If you tell them that you're giving them IPv6 service, you'll find they start using it, and they'll ask other providers for it when re-evaluating their service providers, and decide to stick with you as you're forward looking and all that stuff.

I'm so over this chicken/egg thing it's not even funny, just do it already. Well, if you don't it's no problem I suppose, your users are automatically tunnelling across you already.

If you're only thinking about doing a small IPv6 deployment now, you're behind the curve.

Isabel_Dias · October 29, 2008, 10:45pm

question - "beginning a small deployment of IPv6 now
even if its just for internal usage"

Sure! there are plenty of reasons .........most obvious one is to feel confortable about ipv6

Steven_King · October 29, 2008, 10:48pm

I personally agree with that. Now only if I can convince our management
to start work on that.

isabel dias wrote:

Nathan_Ward · October 29, 2008, 10:58pm

Another related good reason is so that in 18 months when they decide they need it done last week, contractors like myself don't charge you through the nose to implement it because management wouldn't let you guys skill up on a test network now. That makes it a monetary thing, something they understand better perhaps..

Yep, this post is going against my best instincts.

David_W_Hankins · October 29, 2008, 11:29pm

It is almost lunacy to deploy IPv6 in a customer-facing sense (note
for example Google's choice to put its AAAA on a separate FQDN). At
this point, I'd say people are still trying to figure out how clients
will migrate to IPv6. Which seems like a pretty bad time to still be
trying to figure that out, but ohwell.

It is at this time more a question of strategic positioning. The
kind of thing your boss should be thinking about.

Switching your management network to IPv6 single-stack frees up
IPv4 addresses (depending on how big your management network is)
to use in customer-facing areas, which gives your network longer
legs in the projected IPv4 address shortfall. If you get really
pressed, you can tunnel your IPv4 network over an IPv6-only backbone,
giving you another handful of precious moneymaking IPv4 addresses.

Having your backbone and servers AAAA'd (even on separate FQDN's),
tested, and ready to go puts you ahead of the curve if clients start
rolling out (you can just move your AAAA's around).

Starting now on collecting IPv6 peering wherever you peer puts you
ahead of the curve in the quality of your network's connectedness,
again presuming this IPv6 thing takes off.

And of course you need to "run your own dog food" on internal LANs
before you start telling customers these IPv6 address thingies are
useful.

IPv6: It's kind of like storing dry food in preparation for the
apocalypse.

Steven_Bellovin · October 30, 2008, 1:10am

> Does anyone see any benefits to beginning a small deployment of
> IPv6 now even if its just for internal usage?

It is almost lunacy to deploy IPv6 in a customer-facing sense (note
for example Google's choice to put its AAAA on a separate FQDN). At
this point, I'd say people are still trying to figure out how clients
will migrate to IPv6. Which seems like a pretty bad time to still be
trying to figure that out, but ohwell.

Once, after hearing Vint Cerf give a cheerleading talk for v6, I asked
why google.com didn't have a AAAA record. He just groaned -- but of
course I knew the answer just as well as he did.

It is at this time more a question of strategic positioning. The
kind of thing your boss should be thinking about.

Switching your management network to IPv6 single-stack frees up
IPv4 addresses (depending on how big your management network is)
to use in customer-facing areas, which gives your network longer
legs in the projected IPv4 address shortfall. If you get really
pressed, you can tunnel your IPv4 network over an IPv6-only backbone,
giving you another handful of precious moneymaking IPv4 addresses.

Having your backbone and servers AAAA'd (even on separate FQDN's),
tested, and ready to go puts you ahead of the curve if clients start
rolling out (you can just move your AAAA's around).

Starting now on collecting IPv6 peering wherever you peer puts you
ahead of the curve in the quality of your network's connectedness,
again presuming this IPv6 thing takes off.

And of course you need to "run your own dog food" on internal LANs
before you start telling customers these IPv6 address thingies are
useful.

IPv6: It's kind of like storing dry food in preparation for the
apocalypse.

I'd rate the probability of v6 as rather higher...

More seriously -- you need to get experience with it, and you need to
at least understand where your internal support systems and databases
have v4-only wired in. I'm not saying that substantial, real-world
demand for v6 is imminent or even certain (although frankly, I regard
it as more likely than not). I am saying that the probability of it is
high enough that preparation is simply ordinary prudence.

I posted the story link because for the first time since v6 was real,
there's a *feature* that people will want that relies on it. Never
mind lots of addresses; you can't easily sell that to management. But
something that will make security management easier and cheaper -- you
may be able to avoid triangle routing, with the consequent need for
bigger pipes -- is a story they'll understand. You want to be ready to
serve those customers.

--Steve Bellovin, http://www.cs.columbia.edu/~smb

Mikael_Abrahamsson · October 30, 2008, 7:10am

Does anyone see any benefits to beginning a small deployment of IPv6 now
even if its just for internal usage?

It is almost lunacy to deploy IPv6 in a customer-facing sense (note
for example Google's choice to put its AAAA on a separate FQDN). At

Could you please elaborate on this point? My data presented
<http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html> indicates that there are very very few (the longer I collected the data, the better the ratio got) who cannot properly fetch a resource that has A/AAAA.

this point, I'd say people are still trying to figure out how clients
will migrate to IPv6. Which seems like a pretty bad time to still be
trying to figure that out, but ohwell.

6to4 and Teredo traffic is increasing very rapidly, so that seems to be one path taken right now:

<http://ipv6.tele2.net/mrtg/total.html>

(We have all our IPv6 related stats and info on <http://ipv6.tele2.net/>)

But yes, how to get native to residential users is still not hammered out.

And of course you need to "run your own dog food" on internal LANs before you start telling customers these IPv6 address thingies are useful.

Quite, I think OSS/BSS is going to be a bigger challenge than actually moving the IPv6 packets.

IPv6: It's kind of like storing dry food in preparation for the
apocalypse.

If you actually KNOW the apocalypse is coming (but not when), this is correct.

Matthew_Moyle-Croft · October 30, 2008, 8:23am

Mikael Abrahamsson wrote:

But yes, how to get native to residential users is still not hammered out.

It's been an issuing weighing our our minds for a while. We've gone dual stack but getting it into the last mile (ADSL) is quite hard and running a tunnel server is ugly.

Main issue is BRAS support from our vendor as well as ADSL CPE under US$100 (eg. not Cisco 8xx series).

Quite, I think OSS/BSS is going to be a bigger challenge than actually moving the IPv6 packets.

Moving packets is pretty easy. We went to dual stack in the core in just a couple of months for a network spanning 3 continents. Getting our customer management systems and BRASes talking IPv6 is going to take a lot longer. Getting our systems group to IPv6 enable resolvers, dns etc is also taking longer than it should.

MMC

michael.dillon · October 30, 2008, 10:28am

Does anyone see any benefits to beginning a small deployment
of IPv6 now even if its just for internal usage?

According to <http://www.getipv6.info/index.php/First_Steps_for_ISPs>
you should deploy some IPv6 transition technology to make sure that
your network does not cause problems for the growing number of your
customers who are already using IPv6.

Of course, getting up to speed on IPv6 is also a worthy goal
especially since it enables you to move much more quickly if
IPv6 takes off suddenly.

--Michael Dillon

Matthew_Ford · October 30, 2008, 10:39am

Does anyone see any benefits to beginning a small deployment of IPv6 now
even if its just for internal usage?

It is almost lunacy to deploy IPv6 in a customer-facing sense (note
for example Google's choice to put its AAAA on a separate FQDN). At

Could you please elaborate on this point? My data presented
<http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html> indicates that there are very very few (the longer I collected the data, the better the ratio got) who cannot properly fetch a resource that has A/AAAA.

Your stats (which are very interesting btw, thanks for doing the work) suggest that the number of clients that would make use of the AAAA record for a dual-stack service is about the same as the number of clients that would fail in the event that both A and AAAA were present. That's not exactly an incentive to content providers is it?

IPv6: It's kind of like storing dry food in preparation for the
apocalypse.

If you actually KNOW the apocalypse is coming (but not when), this is correct.

The end is nigh - http://penrose.uk6x.com/

Mat

michael.dillon · October 30, 2008, 10:45am

It is almost lunacy to deploy IPv6 in a customer-facing sense
(note for example Google's choice to put its AAAA on a
separate FQDN).

If you're going to use emotionally charged language then
don't shoot yourself in the foot by using such an
illogical and contrary example.

Google is a very big network-oriented company and they
have indeed deployed IPv6 in a customer-facing sense.
To follow in their footsteps is not lunacy.
They have shown that when you have a large distributed
load-sharing platform, it is perfectly safe to deploy
IPv6 as an alternate service entry point, in the same
way that they have mail.google.com and docs.google as
separate service entry points.

Most people who are urging ISPs to deploy IPv6 are not
telling them to do stupid things like run out and add
AAAA records to all their domain names. We are telling
people to trial and test IPv6 in the lab, and then roll
out specific targeted IPv6 services like a 6to4 relay.
Above all, don't be a lunatic, and do educate yourself
and your staff before you make a move. IPv6 deployment
is not a greenfield deployment so you have to weave it
into the fabric of your own unique network architecture.
That requires understanding of IPv6 which you can only
get by trying it out yourself in your lab environment.

At this point, I'd say people are still
trying to figure out how clients will migrate to IPv6.

That is a pretty dumb thing to do. Clients have already
migrated to IPv6 years ago using the technology given
to them by Apple, Microsoft and the free UNIXes.
Job 1 is to support those clients. Job 2 is to figure
out how you can deploy IPv6 at your network edge in
such a way that you can grow the edge without consuming
IPv4 addresses. For many small and mid-size ISPs, Job 2
does not involve anything to do with the customer's "modem"
device because you don't have the kind of relationship
with "modem" vendors to influence their product development.
So focus on your own network edge, not on your customers'
network edges.

It is at this time more a question of strategic positioning.
The kind of thing your boss should be thinking about.

Bosses really appreciate well-reasoned white papers with
a clear and straightforward management summary on the first
page. Do you have the information and understanding of IPv6
in order to write such a white paper?

Switching your management network to IPv6 single-stack

This may actually be the last and toughest thing that ISPs
do because of the variety of software and stuff in the
management network.

--Michael Dillon

Mikael_Abrahamsson · October 30, 2008, 11:08am

The last couple of days the ratio went down to less than 0.3% who would potentially get in trouble (factor is most likely less as the measurement method penalises later objects).

But yes, there is absolutely no upside to deploying IPv6 for content providers in the short term. It's like Y2K, there was NO upside to fixing it until December 31 1999.

David_W_Hankins · October 30, 2008, 3:47pm

It is almost lunacy to deploy IPv6 in a customer-facing sense (note
for example Google's choice to put its AAAA on a separate FQDN). At

Could you please elaborate on this point? My data presented
<http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html> indicates
that there are very very few (the longer I collected the data, the better
the ratio got) who cannot properly fetch a resource that has A/AAAA.

I'm sorry I led you down the wrong ferret hole. The issue isn't
directly the involvement of a A/AAAA mixed RRsets. The issue is that
such dual placement complicates debugging and operations.

If someone can't reach www.google.com now, you know that it is either
a DNS or IPv4 issue. It is very straightforward.

If someone can't reach the hypothetical A/AAAA www.google.com RRset,
you've just increased your support costs. "My network is slow."
"Are you using IPv4 or IPv6?" "Netscape."

This costs you something, but doesn't gain anything.

Nevermind that IPv6 often breaks at some networks, and no one at
the remote network seems to care to fix it. It is someone's
experiment.

I'm recommending a variety of caution which is to go ahead and deploy
your initial/experimental IPv6 on separate FQDN's, so that you can
easily migrate your AAAA's onto "production names" when there is an
advantage to doing so, and in the meantime you aren't breaking
anything for the rest of the planet.

will migrate to IPv6. Which seems like a pretty bad time to still be
trying to figure that out, but ohwell.

6to4 and Teredo traffic is increasing very rapidly, so that seems to be one
path taken right now:

<http://ipv6.tele2.net/mrtg/total.html>

I don't know how to ask this question without sounding mean, but did
the graph spike out of zero, or did you start collecting two months
ago?

Both Teredo and 6to4 strike me as a kind of network operations
"terrorism." That is, the clients that engage in this automatically.

It proposes precisely the same support-cost-increase problem for the
ISP ("My network is slow." "Are you using IPv4 or IPv6?" "Netscape."),
and it's not clear to me how an ISP can "opt out".

So it's kind of like these OS manufacturers are sending ISP's a little
message; spend your support costs, or we'll spend them for you.

I'm not sure that's productive overall.

IPv6: It's kind of like storing dry food in preparation for the
apocalypse.

If you actually KNOW the apocalypse is coming (but not when), this is
correct.

I think everyone knows the IPv4 shortfall is coming. I do not think
the world's view of the consequences is consistent yet.

So I don't think it matters; it's prudent to get a defensible position
today.