[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
jim.small at cdw.com
Thu Sep 6 05:22:59 CEST 2012
> > 1) Do you believe there is a compelling case for RDNSS/RFC 6106? I
> personally like it but when I have spoken to vendors they pointed out that
> most things do or will support stateless DHCPv6 and they don't see any
> reason to add RDNSS support. Can you give me some strong cases I can take
> back to vendors for RDNSS? I want to emphasize that this is not an idle
> promise - any strong case will go straight to the parties who can effect
> change at the vendors.
> I share your view. Personally I don't like SLAAC at all. However it is a
> very "explosive" topic where different people have very different opinions
> about it. Observing the current situation, all important vendors (MS,
> Apple) started supporting DHCPv6, so I expect that DHCPv6 will be the
> dominant method of autoconfiguration.
So we're pretty much writing off RDNSS? That's what it seems like to me, but just confirming.
> > 3) For end user accountability/host tracking the best solution is probably
> 802.1X, granted that likely is not workable in your situation. That said there
> have been tremendous strides in this space and I have deployed some nice
> solutions that go a long way in facilitating this.
> Not at all. 802.1X is layer 2 authentication. That says nothing
> about the IP address used for communication. You have to deploy some
> mechanism that somehow allows tying the L2 information obtained from the 802.1X
> authentication process (user, MAC address) to an L3 IP address. That is
> pretty difficult since DHCPv6 doesn't have the MAC in the requests and it is
> impossible to tie 802.1X authentication requests to DUIDs from DHCPv6.
> As such some extra system that gathers the neighbor cache on the router has
> to be deployed. The absence of the MAC address in DHCPv6 is really tragic
This is very interesting to me - so there may not be a solution yet, but one is coming. I will file this away and let you know (via the list) when I have more.
> Some more about that is on
> http://ipv6.vutbr.cz/article/flow-based-monitoring-of-ipv6/ (slide 6)
> and more detailed description in the article
Nice write-up - seems like the hardest part is supporting older devices that don't do stateful DHCP. Did you ever consider trying to split up the clients, or just do stateful DHCPv6, for example on the LAN, with older clients being relegated to IPv4 only? Sounds like that's where you're going based on your next comment.
> > 8) Slide 27 - first hop security countermeasures:
> > SeND - will probably never happen. Microsoft and Apple have no interest
> in doing this and that pretty much kills it.
> > RA-Guard/PACLs - these work. It's true you can use a tool to defeat these
> with fragmentation but that requires actively attacking the infrastructure
> with an attack tool (would never be by accident which is mostly what you run
> into). If I look at the IPv4 world, it is rare that people deploy DHCP
> snooping/DAI/IPSG because it can break protocols that can't deal with
> security (e.g. Apple's). Therefore while I would like to see a solution to this I
> wonder how many people will actually use it.
> I can't agree that features like DHCP snooping are used very rarely. In
> our environment it is a basic requirement and every switch that is bought
> must support it. In the past few years worms like Flush.M or
> DNSChanger have appeared quite often, especially within environments where
> users connect their own devices (computers, laptops). I agree that these
> features are not necessary, let's say, in the office network or within
> a network where you have control over the devices that are connected.
> But that is not always the case. At the beginning we started without these
> features as well. But as network connectivity is essential for every
> staff member and worms are more aggressive, the requirements for these features
> are more frequent. I expect that the importance of first hop security will grow
> in the future.
I'm glad to hear that - see what I wrote Tim. Curious what your thoughts/experiences with this are.
> > 10) Slide 38 - Implied message is no business case for IPv6. I think this is
> leaving out some important details. Since this is a very technical list I will get
> to the point - we have < 141 million IPv4 addresses left at a burn rate of
> around 200 million IPv4 addresses/year. Everyone on this list agrees CGN
> sucks. In addition, it has been clearly shown that it is cheaper for an ISP to
> deploy IPv6 than CGN. Therefore the future of the Internet is clearly IPv6.
> So let's ask this question - how many of your users value having Internet
> connectivity? If you look at it from this vantage point I think everything else
> on that list pales in comparison. In Europe RIPE enters depletion this month
> or next - this is not some far off event. It's here now.
> I didn't want to imply that message. That slide just says that there
> is always something more important than IPv6 in many organizations. That
> is the reason why IPv6 deployment is going so slowly. I completely agree
> that CGN, like any kind of NAT, sucks, but I also can see many ISPs having
> no other choice than to deploy CGN. NATs have been used by many smaller providers
> for years, so it is not a brand new technology compared to IPv6. Btw,
> you hit on an interesting topic. Do you have some statistics or documents
> proving that IPv6 is cheaper than deploying CGN? I am not sure about that.
> The fact is that less than 0.7% of clients are able to use IPv6 today
> and less than 4% of content providers have content available over IPv6.
> Such numbers also mean that there are approximately 99.6% of clients
> that are not able to reach IPv6 content and 94% of content (let's say web
> sites) is not available for IPv6-only clients. It doesn't look good on
> both sides and I really don't know what to do about it.
This is climbing steadily. Overall Google's IPv6 traffic is up to 0.78%. In my neck of the woods it's at 1.34%. I've done a lot of research on this - unfortunately this is somewhat US-centric, but hopefully this will be encouraging:
In the US there are 10 residential ISPs with over a million subscribers. Of these, 6 are deploying IPv6 including the top 4. The largest residential ISPs have all exceeded 1% IPv6 usage for end users before June (part of World IPv6 Launch). The 7th is deploying next year, the 8th is currently testing, and only the 9th and 10th (the smallest ones) are quiet on their plans. However, even with these on the business side they have rolled out IPv6 offerings.
I don't mention the core/Tier 1 ISPs but just for the record they are all fully deployed across their core with IPv6, in fact this is true for the top 20 global ISPs.
From an AT&T study, where IPv6 is enabled all the way to the home user, up to 40%+ of their traffic switches to IPv6. As IPv6 keeps getting steadily deployed in the US expect these numbers to rise rapidly. I already mentioned LTE/4G and IPv6 surging this fall.
From a Content Provider vantage point:
Of the top 10 US Web Sites visited, 5 have IPv6 enabled:
1) Google
2) Facebook
3) YouTube
4) Yahoo
6) Wikipedia (Wikipedia is ranked #6; #5 doesn't do IPv6 yet)
Netflix, which peaks at up to almost a third of US backbone traffic, is fully IPv6 deployed.
10% of the Alexa 1000 sites including Bing, AOL, XBOX, WebEx, US News, USDA, NYU, and many others are IPv6 enabled.
10% of US ASes have IPv6 prefixes.
BYOD and mobile growth has caused several large American companies to deplete all RFC 1918 address space and take a hard look at IPv6
The US Federal mandate to have all public facing services on IPv6 by this month has spurred lots of action:
While there's still more red than green, this has had a tremendously positive impact on IPv6 interest and adoption - as the Feds roll out IPv6, all the companies that work with them start deploying, then the companies that work with them start deploying, etc...
The next US Federal mandate is complete IPv6 deployment by this time 2014. In response, several Federal agencies including the massive Veterans Affairs division have announced the elimination of IPv4 from their networks by this date.
The Cisco Visual Network Index estimates over 19 billion unique nodes on the Internet by 2016 - that would surely be joyous to do in IPv4.
Time Warner also did a study and concludes that CGN pricing pressures (it's very expensive to deploy and maintain) will result in universal deployment of IPv6 by the end of 2014. Still sound far off? :-)
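The accountability gap raised in the 802.1X/DHCPv6 exchange above (user and MAC come from 802.1X, but the IPv6 address only shows up in the router's neighbor cache) can be closed with a small correlation job. This is an added illustration, not code from the list post; it assumes a constructed `ip -6 neigh show` dump and constructed RADIUS accounting lines of the form `user=<name> mac=<addr>`.

```python
import re

# Constructed sample of `ip -6 neigh show` output (not captured from a real router).
NEIGH_CACHE = """\
2001:db8:1::a1b2:c3d4:e5f6:1 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
fe80::211:22ff:fe33:4455 dev eth1 lladdr 00:11:22:33:44:55 STALE
2001:db8:1::9999 dev eth1 lladdr aa:bb:cc:dd:ee:ff DELAY
2001:db8:1::beef dev eth1 lladdr 02:00:00:00:00:01 REACHABLE
2001:db8:1::dead dev eth1 FAILED
"""

# Constructed 802.1X (RADIUS accounting) records: which user authenticated which MAC.
ACCT_LOG = """\
user=alice mac=00-11-22-33-44-55
user=bob mac=AABB.CCDD.EEFF
"""


def norm_mac(mac):
    """Canonical lower-case colon form so switch, router and RADIUS notations join."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_neigh(text):
    """IPv6 address -> MAC for every cache entry that resolved a link-layer address.
    Entries without lladdr (INCOMPLETE/FAILED) carry no L2 evidence and are skipped."""
    pairs = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            pairs[fields[0]] = norm_mac(fields[fields.index("lladdr") + 1])
    return pairs


def parse_acct(text):
    """MAC -> username from the accounting records."""
    return {norm_mac(m.group(2)): m.group(1)
            for m in re.finditer(r"user=(\S+)\s+mac=(\S+)", text)}


def attribute(neigh_text, acct_text):
    """IPv6 address -> user. None means the address was seen on the wire from a
    MAC that never passed 802.1X: the case to alert on."""
    users = parse_acct(acct_text)
    return {ip: users.get(mac) for ip, mac in parse_neigh(neigh_text).items()}
```

Run it periodically against the real neighbor cache and accounting feed and keep the history, since neighbor entries age out and a SLAAC privacy address can change between polls.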