
No more IPv4


Formal Metadata

Title
No more IPv4
Subtitle
Impact on applications and measuring IPv6 deployment
Number of Parts
199
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
The IPv4 address exhaustion brings a broken Internet with the heavy use of NAT. While HTTP is now a major vehicle for any application, and while NAT is friendly with HTTP, there are still issues with large scale NAT as used by some ISPs (mainly mobile). This session explains the security and application issues of NAT, but also explains how an application can easily be extended to support the next generation IPv6, which does not require NAT.
Transcript: English (auto-generated)
Eric is here to tell us why we shall say no more IPv4. Thank you, Eric.

Thank you. And thank you as well for this first talk on IPv6. Thanks to multiple people, including Andrew Peters and others, the FOSDEM network has been IPv6 for many, many years. But the networking part of moving to IPv6, and I'm from Cisco, right? So that's easy, kind of. The more complex part is the application, is the operation. So with this talk, I really would like to give you an idea of what is the impact of not having IPv4 anymore, of moving to IPv6. And the last part will be whether it's worth moving to IPv6. Is there anybody besides FOSDEM using IPv6? So we all know.

Oh, by the way, if possible, I'm more than happy to take questions on the fly. I've got some giveaways for questions. The small stickers, you are too far away to see it, but it's basically "IP legacy equipment only inside", right? It's basically for devices running on IPv4. And as I'm a partisan of open source and open data, but also open books: with friends, we wrote a book about wireless. And the wireless is, of course, an IPv6 component, and I wrote the part. This is a book which is printed here as a giveaway, but you can find it as well on the internet for free, of course.

So there is indeed no more IPv4. You have it at home, but that's it.
There are fewer and fewer IPv4 addresses available. It started two years ago, when the big pool of addresses in the US for the complete internet ran out. Then after, quickly, it was APNIC, Asia Pac, because they are simply growing. So they were burning and using their last IPv4 addresses before us. Us, assuming that most of us are coming from Europe, have basically for more than two years been running out. Meaning a new ISP: if you want to create an internet service provider with friends, you go to RIPE to get addresses, and you will get a wonderful 1,000 addresses. If you want to be your ISP for your village, that's fine. If you want to be an ISP for your country or your province, good luck. So that's a real, real issue here.

So basically, what are the service providers doing? Because, I mean, there is a wall, right? We need to go through this wall or bypass the wall. One way is what we call dual stack. That's basically where the service provider gives you IPv4, if it still has some IPv4 addresses, and the brand new protocol, brand new meaning '97. I guess most of us in the room are older than this. But I've got sons that are younger than IPv6 and older as well. So it's not so young. So somehow, the internet community has failed, honestly. And I mean, a couple of us are working in the IETF, which drives the standards and the deployment, and we failed to push it further. And anyway, so IPv4 and IPv6 are there. There's one way of running them on the network, dual stack.

Or the second technical solution, which is the easiest one. And we all know that people, when they've got a long-term fix, which is slightly more complex, or a short-term fix, which is easy, we take the easy short-term fix even if it's dirty. The dirty short-term fix, that's shared IPv4. That's basically doing NAT on a large scale. I shall come back on this.

The third step is IPv6 only. So running the new protocol only, and accessing the IPv6 internet only, and accessing the IPv6 content only. Currently, it's kind of a dream. Most operating systems can do it. Not all applications, far fewer networks. And the content is not yet there. This network, with the name of IPv6 only, thanks to Andrew and the others, is not actually IPv6 only. Because at the edge, as soon as you reach the internet, you can go back in IPv4. So it's not IPv6 only. But it's already a good experiment.
So most service providers will try to do dual stack. And I've got two slides on this. On the left-hand side, assume that you're home, where you have, on the left box, your router, and all the PCs which are there. OK? And on the internet, you have IPv4. But now, the service provider is running out of IPv4 addresses. So you need to share. So it's easy. If you are receiving five friends working late, and you order only two pizzas. If you have two big pizzas for five people, that's OK, right? If you cut enough pieces, everyone has got enough. Now, if you have five, and you order a small pizza, that's where the problem is. OK? Or else you go to the cellar or to the fridge, and you get beers, and the problem is fixed. Right? And basically, the beers, that's IPv6. I mean, kind of, right? It's Sunday, after all.

So basically here, we have an issue. We need to share. So the service provider is running out of resources, right? He doesn't have enough IP addresses. So he will share them. He will do the NAT in his network, in a big box. We call this carrier-grade NAT. Carrier-grade is simply because vendors, like my employer, can sell them for a lot of money, and others as well. Most of it's the same thing, right? We are even running Linux inside, and doing an improved NAT, but anyway, it's NAT. So basically, you have an address here. It's translated once and twice. Wow. On this one, I'm pretty sure you can fix iptables to do the right port-forwarding to allow inbound connections, right? For your email server, your web server. Do you think a service provider will give you access to change the iptables there? No, right? So we are in a problem over there. It's basically called dual NAT.

Now, if you add on top of this dual stack, and that's what more and more service providers can do, because as you will see, if you are working only through this kind of NAT, it's not the internet as we know it. The internet there is broken. They offer in green, what I said, the beers, right? The green line is IPv6. And then, there is no NAT at all. Neither at the service provider, nor in this box. Some people freak out, because hey, NAT means my security. Do you really want me to expose myself to the internet without security? I would say, ha ha, okay. If you rely on NAT for security, you're in bad shape. Different story. Everyone is behind the NAT, and most of the PCs, I mean, the ones, not all, right? But the ones of our friends, mothers, fathers, and blah blah, all of them have got viruses and are part of a botnet behind the NAT. A clear statement that a NAT doesn't protect you. But here, you don't have any NAT. And a lot of advantages we shall see.

So, meaning that every content provider now needs to prepare itself for a world where, or application, right, where inbound connections to your application, to your content, can be like before, a single public IPv4 address for everyone, or a shared IPv4, or a mix of IPv4 and IPv6, right? Multiple solutions, but you must be ready for them, your application, your servers.
So we all know that there are only 65,000 TCP ports, right? And if the NAT is kind of naive and efficient, it means that per IPv4 address that is shared by the service provider, it can have only 65,000 connections, right, 2 to the 16. Now, if you're sharing this IP address by 1,000 subscribers, a couple of streets in downtown, it means that every subscriber has only 60 connections. I am a father of two. I think we have two or three Androids, one Android tablet, one iPad. Everyone has got a laptop with a couple of devices. It's not enough, okay? I have a Jabber session open, I have Facebook open and refreshing all the time. I need way more sessions. And we all know that Ajax relies on other sessions.

Example coming from Japan. And actually, it is the map of Brussels downtown. And you know with Ajax, we are downloading tiles on Google Maps. Just using it as a visible example. If you are running out of connections when you create a new Ajax request or object, you cannot get a tile and the map is empty. So on the map, you see it. Now, what if it's a game? What if it's an e-banking application when you only get part of the information? Your application, at least, must support that when you try to get an open connection to Ajax, it can fail. Okay, gracefully fail and display some warning there.

Now, a question for you. I'm not sure whether you know what SPDY is. Who knows SPDY? Okay, so for the other half, right? SPDY is basically a TLS connection where you multiplex HTTP requests on top of it. So all the Ajax connections of before on the background map will go over a single TCP TLS session. Okay, so you will not exhibit this behavior. But at some point of time, it will fail anyway. You can simply open more tabs, more browser windows, and that's it.
Reputation now. And I don't know how many of you are working in the spam world, but to oversimplify, if you receive an SMTP connection sending an email coming out of some countries, and again, just to take the obvious, like Nigeria, you may suspect it's coming out of spam. And some very specific IP addresses are reputed as spam because they are open relays, for instance, right? Or they're part of a botnet. You do it per public IPv4 address. Now, if your host is behind this big carrier-grade NAT, the bad guy is there with 1,000 other good guys. It brings the reputation of the shared IPv4 address, the one used by these 1,001 people when they go to the internet, to bad. So your good email could be marked as spam. Not good. Or vice versa. The spam could be categorized as spam. It's good. Not good.

How do you protect any server, in this case a web server, against users trying to do a DoS against you? Such as sending requests to your content management system for search. How many searches can you sustain per second on your server? Maybe 100. Because it involves a couple of SQL queries behind it. Now what if one guy is sending you 1,000 search requests per second? Normally, you look into your log and you block this IPv4 address, right? So now, there's the issue of reputation again. If there was one bad guy behind the CGN launching these 1,000 searches per second, you block it, you block the other customers sharing the same IPv4 address. So you need to find something else. If it's web, you can use cookies, for instance, right?

Or, this is the case where a friend of mine, Ed, was using his mobile phone and searching on Google, simply. Google obviously needs to protect against those attacks. But what Google didn't know, it was a mobile phone behind the CGN. And there were most of the 100 or 200 people behind the CGN doing a search at the same time. So there, it was good behavior from everyone, but it was tagged as an attack and blocked, hence the CAPTCHA, basically, to prove that you are human.

And the other part, I mean, all applications, most of them are well-written, but they are attacked at some point of time. If your application has some value, it will be attacked. And in some cases, you want, first of course, to make the application more secure, but in some cases, you may want to trace back to see who is attacking you. It becomes much, much more complex, right? Because an IP address doesn't mean anything. Service providers now need to keep the logs of the translation, saying, hey, this subscriber at this specific period of time used that IP address, as they do right now, and these TCP ports. Meaning now, in all your logs, even if you don't want to go the IPv6 route, in all your logs, for whatever application you need, if you are logging the remote IP address, you also need to log accurate time and ports, the remote ports, TCP or UDP. So in case of an incident, we can trace it back to the source of the attacker. And that's basically what I'm explaining on this slide. If your application uses Apache, that's basically one way how you can configure Apache to log the ports, and that's basically in red, what's happening here.

So a friend from Yahoo wrote this. Maybe you have seen this. That's a big thing, it's a CGN, and you see it's 100% loaded, and basically it means that on the left-hand side, you have multiple IP addresses, multiple subscribers, but they appear to the internet as a single one. And by the way, you are also losing your location there. So if you look there, you see SEA, like Seattle, SJC, they are airport codes, right? Like San Jose, like Oakland. And you see as well here, bad guy, like the bad guy. And this bad guy misbehaves. And that's what I've explained. What are you left to? Getting everyone. That's basically the internet that you are heading to. It's not the internet we knew three years ago, five years ago. If you want to keep the internet we knew three or five years ago, we need to get the move, and move to IPv6.
So let's talk about it. Okay, I tried to summarize IPv6 in one slide. So one thing is basically the same thing. It's like IPv4 with much larger addresses. Something like 128 bits rather than 32. Okay, obviously it will have an impact. There is no NAT. Okay, I already explained it doesn't bring anything for security. It even makes things simpler, right? Because there is no NAT, less configuration. Everything which is simple is always more secure than something which is more complex. So it's security. Data link layer, no need to change. Your Ethernet, your Wi-Fi will run unchanged. The transport layer, the socket API that you are using for TCP or UDP or whatever, no change. Applications themselves are "unchanged". And I put quotes because I'm explaining in the rest of my talk what the changes are. But basically, Postfix, DNS, whatever you want, are running perfectly fine over TCP. The protocol even changed. So basically it's IPv4. It's neither better nor more secure. It's been specified, as I said, a long time ago. Everything is pretty much identical, including IP security or SSL, they work the same. The only benefit, honestly, is the big address space. And the benefit of the big address space, as I said, we get back the internet we had five years ago. And I think it's important.

128 bits, that's a long, long, long number. The only way to do it is to write them in hexadecimal. Everyone hates hexadecimal. And you will have to explain shortly to your daughter or to your girlfriend, to your boyfriend or whatever, how to spell a hexadecimal address. It was already difficult with an IPv4 address, even more so. We simply block them, drop them by four digits. Okay, block of 32-bit if you do the math. And there are multiple ways of writing it. There are, of course, letters, like A, B, C, D, E, F, that you can write in lowercase, in uppercase. Oh, so we know you need to be case insensitive in your text file or whatever. And we are also removing zeroes. Okay, because zeroes are useless. And blocks of, multiple blocks of zeroes can be suppressed and replaced by a single colon colon. Could even be, if you have this address in IPv6, which is the equivalent of 127.0.0.1, the loopback address, right? All was zero. You replace all those blocks of zeroes by colon colon. And you have this address, which is colon colon one. So you see geeks now having t-shirts, having, there is no such place as colon colon one. That's a nice t-shirt. This one, with all the zeroes, which is used mainly for the default route, or the v6 address, when you do not yet know your IP address, is full of zeroes, is written colon colon. I mean, I'm used to it, but the first time you need to scratch your head. If you see an error message, your address is colon colon. You look, hey, where is my address, right? But it's there.
Of course, then, with such numbers, you really, really need to get DNS working. And DNS is two ways with IPv6, okay? In IPv4, you get the A to translate the hostname to an IP address, and you get the reverse mapping, what they call the PTR records, to translate an IPv4 address into a name. In v6, we've got the same thing, of course, because we need to do the same function. And we have there the quad A, to translate a name into an IPv6 address. Now, if you wonder why a quad A, that's simple. A was for an IPv4 address, 22 bits. So a quad A is for four times longer addresses, 128 bits, like IPv6. And that's the real story. Now, the reverse is, of course, you need to spell out all the numbers. It's almost impossible to do it by hand. You need to get tools to do it. And the last point with DNS, in the case of DNS, you need to transport the DNS request. You can do it over IPv4 or IPv6. It's orthogonal, right? You can send a request for an IPv6 address over IPv4 UDP or over IPv6 UDP, and vice versa. What you request over DNS has no link with the transport mechanism. Could be completely divergent.

Readiness, are we able to do it? Yes, for many, many years. Routers, switches, PCs, OS, whatever you want. Everyone is ready. Applications, Microsoft, MacOS, R, and of course, for many times longer, Linux and the BSDs are as well. So there's not so much an issue on the operating system or on some applications. A lot of applications, specifically in the public domain open source, dual stack for many, many years. I don't remember when Apache got v6 support, but I'm running an Apache server over IPv6 since 2005, right? And it was IPv6. So it tells you how much the open source community was in advance there.
Coexistence, quickly. And you need to understand a few things. And for instance, there's a reason why we need to talk about DNS. I have a dual stack PC on the left. And I have any kind of server. Take it web, that could be whatever you want. I put IPv4 internet and IPv6 internet over there. Like two clouds. But actually they are the same, of course, right? It's the same routers, the same optical fiber, the Wi-Fi, whatever, they're the same. But it's easier to show here on the slide. Now, if the PC wants to visit, let's say, a server foo.com, it asks its DNS server, hey, what are the v4 and the v6 addresses? Two requests, by the way. And in this case, the server will reply, hey, here are the two addresses. One v4, one v6. Then it's up to the PC, and this may be slightly surprising. It's up to the client, to the initiator, to decide whether to use IPv4 or to use IPv6. It's not up to the application on the right-hand side. It's not up to the server on the right-hand side to decide, okay? Then it will go one way or the other way. Not easy at all. The decision, so, is done by the initiator.

Two ways of doing it. There is some kind of local policy within the operating system of the initiator, let's say, hey, here is the set of my addresses, v4 and v6. Here is the set of IP addresses, v4 and v6, of the server, which one should I use? And let's say the internet is trying to make a good decision there. Or you are more pragmatic, and you rely on the stuff written by Dan Wing and Andrew, Andrew being the guy with the curly hair and the yellow t-shirt in the front there, right? Which is Happy Eyeballs, eyeball being this in English, right? And you want to keep the user of the application happy. And how you do it, by ensuring that you start a connection, v6 first, you wait a little, and you open an IPv4 connection. And then you use the fastest one, summarizing. So if v6 is faster, you get v6. If v4 is faster, you take v4. If both of them are mostly equal, typically you go with v6. So far, so cool. To my understanding, only Chromium implements this RFC to the letter. Without any big surprise, Windows and OS X do something different. So now, I mean, it's kind of laughable, right? It means the application on the right-hand side needs to understand those three different behaviors and be ready for them. And you don't know it, because when you start, you receive the TCP SYN, you don't know, right? There is no user agent string there. It's way later that you get the user agent string. So, content has no influence there.
So what you can do, as well, is using something called NAT64, and it's basically what the Wi-Fi team is using here. Where basically, you ask the address of the server, if you get v6, you go direct v6. Else you go to a specific box called NAT64, it's NATting from IPv6 to IPv4. As I said, at the application layer no change, it's still HTTP, HTML, and blah, blah, blah, blah. So you simply need to change the network layer, IPv4 addresses, IPv6 addresses, and shuffle a bit in some fields, and you're gone. Easy.

You can do it, as well, on the server side. So in this case, okay, oops. In this case, I have IPv4-only servers, and I'm using, let's say, some kind of HTTP proxy, mainly for SSL acceleration or web caching or whatever. So the people coming from the IPv4 internet traverse your DMZ, maybe a firewall, but arrive at the reverse proxy, okay, Varnish, HAProxy, or whatever, before going to the IPv4 server. All those proxies, the application proxies, so they can receive a connection over IPv6, on the left-hand side, do the proxy at the application layer, and connect back to IPv4. So if you know how to deploy a proxy in HAProxy or Varnish or whatever, it's trivial to move your content, your application, to IPv6. So little excuse not to do it.

Okay, anyway, the tricks, impact on the application. Multiple things. We shall see whether the package is there or not is basically the agenda of the next slide. As I said before, a lot of applications are ready for IPv6. I could, for instance, it's very complex in BIND. You need to type this command. On SSH, you need to be sure that you listen to address colon colon. Again, remember, colon colon means full of zeros, meaning any addresses, basically. Okay, so don't be surprised, that's the way it's written. And in Postfix, you need to say inet_protocols = all. So very, very simple to configure.

Are there any IPv6-only networks? There is this one here. There is CERNET, which is basically the education network in China, and a few others, including, and nothing is important, T-Mobile in the US, which is a mobile provider for the 4G network that are using Android phones with only IPv6. So it means that, of course, as the user still needs to go to some legacy IPv4 content, they obviously need to go through a NAT64 box. We started with a couple of IPv6 enthusiasts an IPv6-only day. So we signed a petition, and we are, I don't know, 200 now or something, feel free to join, and we said to our employer, on that day, I'll remove IPv4 from my laptop. Either you give me the tools to work, or simply I do whatever work I can do with v6, okay? So now it will be kind of challenging, since it's a Friday, if I'm not mistaken, so that's always a little bit easier. See the link over there? And in the same vein, and I just heard about it last week, BSD 10.0 is a specific build without the INET protocol family, only INET6. So you install it, and you get only IPv6. This is a little bit extreme, of course, right? But if we do not try, if we do not push, the world is not changing, okay? So we need to keep hammering this.
So we need to keep hammering this. So one technical thing that you need to understand as one of the application, at the application layer, right, if you have a socket for TCP or UDP, you can send whatever size of segment, of message.
You can write 10K, and for you it looks like it's atomic, but as you know, over the internet, it's limited to 1500 bytes, so it's chunked in small pieces, fair enough. Now some links are smaller than others, hence the need for something we call PATH MTU,
MTU meaning maximum transmit unit, so a way to discover the shortest packet on the path between the client and the server, okay? In IPv4, it exists, in IPv6 as well. In IPv4, if it does not work, not a big deal,
because routers on the path, when you receive a big packet you need to send to something which is smaller packets, it will fragment it, IPv4 is working fine. In IPv6, in 97, they wanted to optimize the routers and basically say routers in IPv6 receive a big packet,
on the other side, small packets, I'll drop the packet. Period, right? Meaning that now this path seems to discover that works by kind of magic, actually ICMP packets, right? To discover the smallest packet size on the path must work.
Now, implementation is broken, some security people are stupid, right? It does not work, so we need to change this. And one easy way of doing it, that's by doing an option when you open a TCP socket to set what we call the MSS, the maximum segment size,
so the maximum segment that you are ready to receive of a TCP to something which is small enough so you are sure it will go on every line, and there's a value which is there. So it's commonly used by big content provider right now,
and simply because they don't rely on Path MTU Discovery to work. V6, no more NAT, and I think that's the best thing, okay? We are now open to a real peer-to-peer communication,
whether it be torrent or real phone or video, whatever. Now, every time you place a phone call or a SIP call or whatever, you are behind the NAT, you cannot really traverse it. You always go to somewhere in the cloud to act as a relay, right?
If you're using Skype, for instance, Bingo, the relays are in Microsoft. Do you want to place a call going to Microsoft in US? It's up to you, right? But with NAT, you had no choice but using relays. In IPv6, there is no NAT. So if the gentleman there wants to talk to the gentleman over there, they go direct
without going to a third party. That's wonderful. And to come back on Microsoft, right, at least for once they were smart multiple times. But something where they're pretty smart regarding V6, their new Xbox relies on V6, simply because they want to go direct for gamers.
It's always shorter if you go direct than if you go by a third party. There's a reason why they do support V6. Also, NAT, if you have an application doing NAT, okay, and using TCP, the NAT device needs to keep state,
need to remember, hey, this address and this port talks to this address and this port. And of course, it's memory. If there is no traffic, they remove it. So your application right now needs to send keep-alives over TCP, right? Every few minutes. Simply to keep this state in the NAT device up,
prevent it from being removed. Now in IPv6, there is no NAT, so there is no need to send those keep-alives. And we made some experiment in a different framework about the battery life of a mobile phone,
whether you are sending keep-alives over the radio or not. It changed a lot. Dramatically, if you want to send keep-alives quite often, or you don't send keep-alives, because you don't need to try to maintain state in your NAT IPv4. So really important. Now, when writing an application,
you need to be aware that the IPv6 addresses are much bigger. Okay, looks obvious. So you need to have a screen which allows the input and the output of v6 addresses. Same for the configuration file.
If you store it in a SQL database, you need a bigger field. Your logs need to understand it. Looks easy. But I was talking once to a developer of an application, you know, on this small payment terminal you get in shops. When you put your credit cards or master cards, they do not have IPv6 addresses.
An IPv6 address is maximum 39 characters. The width of the screen is 20. Okay, you can tell me. It's easy, right? We can write it on two lines. After all, I mean, we tried this domain. The keyboard, now. How many keyboards have you seen on this machine?
Exactly similar, right? None of them. It's zero to nine. There is no A, B, C, D, F. Okay, now we can again write like SMS, right? Press twice to the zero and you get A. Press three times to the zero, you get B or whatever. Not that easy.
I would love to draw your attention to those two functions in blue. Because as I said, v6 addresses can be written in multiple ways, right? Lower case, upper case, with leading zero, without leading zeros or whatever. There is one single way to write it into a canonical format.
And those two functions basically transfer from the printed ASCII to the network, binary, and vice versa in the right way. So that when you display any v6 addresses, please, please display it into the right way.
So the same thing for the audit, of course. Socket API. If you want to use this, capital function has been made dual stack. You can use, for instance, this one rather than just a socket. Because this one has wider space
for v4 and v6 and whatever later. You may as well now either open two sockets and do the loop on the select on the two. One which is v4, one which is v6. Which is what quite a lot of applications are doing. Or you use a single one, the one for IPv6.
SSH, my understanding, is doing this. OpenSSH. And then we can add, hey, what if I want to connect to IPv4? It's okay. Your IPv4 connection coming from the outside
will arrive and will be mapped into this kind of very specific v6 address where the last part is the v4 address. By 22 bits of IPv4, you can include them into an IPv6 address space. Get away is impossible. There's a reason why they're done this way.
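The three points above in working code: the two functions that turn an address into its one canonical form, the IPv4-mapped address an IPv4 client shows up with on a dual-stack IPv6 socket, and the MSS clamp for when Path MTU Discovery is blocked. This is an added example written for this page, not the speaker's code; it assumes POSIX sockets (Linux or BSD) and the hypothetical function names used here.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Any accepted textual form (upper case, leading zeros, different zero
 * compression) -> the one canonical form. 0 on success, -1 if invalid. */
int canonical_ipv6(const char *text, char *out, size_t outlen)
{
    struct in6_addr bin;
    if (inet_pton(AF_INET6, text, &bin) != 1)
        return -1;
    return inet_ntop(AF_INET6, &bin, out, (socklen_t)outlen) ? 0 : -1;
}

/* On a dual-stack AF_INET6 socket an IPv4 client appears as ::ffff:a.b.c.d.
 * Returns 1 and writes a.b.c.d if mapped, 0 for native IPv6, -1 if invalid. */
int unmap_ipv4(const char *text, char *v4out, size_t outlen)
{
    struct in6_addr bin; struct in_addr v4;
    if (inet_pton(AF_INET6, text, &bin) != 1)
        return -1;
    if (!IN6_IS_ADDR_V4MAPPED(&bin))
        return 0;
    memcpy(&v4, &bin.s6_addr[12], 4);  /* the last 32 bits hold the IPv4 address */
    return inet_ntop(AF_INET, &v4, v4out, (socklen_t)outlen) ? 1 : -1;
}

/* One listener for both families: clear IPV6_V6ONLY so IPv4 clients arrive
 * as mapped addresses, and clamp the MSS so segments fit even where Path MTU
 * Discovery is blocked (1220 = 1280 minimum IPv6 MTU - 40 - 20). fd or -1. */
int dual_stack_listener(unsigned short port, int mss)
{
    int fd = socket(AF_INET6, SOCK_STREAM, 0), off = 0;
    struct sockaddr_in6 sa;
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_addr = in6addr_any;
    sa.sin6_port = htons(port);
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof off) < 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_MAXSEG, &mss, sizeof mss) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

Call `dual_stack_listener(8080, 1220)` on a host with IPv6 enabled and accept() will hand you both native v6 peers and v4 peers in the `::ffff:` form that `unmap_ipv4` recognises.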
Now if you program in Perl, Python, or whatever, you don't care. Because usually you open a connection to a DNS name. And it's up to the libraries to do the magic. Work of v4 or v6.
That's where basically Happy Eyeballs can work. But we have seen that Happy Eyeballs depends somehow upon the underlying operating system as well. This RFC 6424. And you see the table on the right. It looks pretty ugly. I always need myself to reread the draft,
the RFC to understand what it means. But it basically means, hey, if I have a loopback address, I use it. The higher the precedence, the better. I will not go in detail. But it's basically what Linux and the other operating systems have by default. And you can change it locally.
So if your application is doing the right system call and library call, it will be processed by this library. At this table. Okay. Are you losing your time this afternoon or not? Is there any IPv6 on the outside?
First, I will encourage you to use this IPv4, which is you install it on Chrome or there are variations depending upon the browser. And this page has only been received on IPv4, the big four. In red, of course, right? If it's in six, this is in green.
Right, as usual. And others. So you can really see what's happening. I will encourage you to see it to see more and more. I mean, all the YouTube, the Gmail, the Yahoo, the Wikipedia, and so on, and Facebook are over IPv6. So a huge amount of websites are over IPv6. Okay.
How can we measure? And that's basically what I'm spending a lot of my time here. One way of measuring it is to measure the subscribers. How can we measure home users? We rely simply on big, big websites.
And the biggest one doing it publicly is Google. And basically what they do, they insert a one by one pixel outside of the frame with a negative positioning so you don't see it if it fails or whatever. And the pixel, you basically are fetching
three of them. One which is on an IPv4 only server, one which is an IPv6 only server, and one which is on the dual stack. Right, and you add specifically a random number behind. So now, if the user fetched the v4 and the v6, it's dual stack. If he fetched only the IPv4, it's single stack v4.
If he fetched only the v6, he matches on the v6 only network. Very simple. And you can get statistic on this. I should come back on the other mechanism there. Let's note that basically what I said on the one by one pixel. So what does it give?
Those are the public numbers from Google. And they are quite nice. They are also at some point very much open data. And I think sharing data is very, very important here. So in green, this is basically the number of browsers having IPv6.
And it's growing, we are currently slightly below 3%. It's doubling every nine months. Cannot resist, being from Belgium, right? And usually, my country is assumed to be a laggard, specifically in IT, compared to Netherlands,
Germany, or whatever. And again, thanks to the numbers from Google, I'm simply doing some number crunching there. And if you look about the purple one, this is Belgium, where we have just slightly 9% of the users. Switzerland, which is on the top, is around 10.
There is variation simply due to the vacations or whatever. So if you do an application which is v6, it's not for the beauty, that's because there are users behind. And you can also monitor the web content. And how do you monitor the web content?
You simply download, again, an open data source of the one million most visited websites, and through a Perl script of mine, you try to reach all of them. And if you reach over the v6, lucky. And it gives you something like either those curves
where you see going up and up. This one, this date was June, two years ago, the World v6 launch, where the big website all jumped together and enabled v6. They did not dare to do it like this alone. So they do it for one day in June, 2011.
That's why you see a big peak here. And then they do it for 24 hours, just a test. If you put this on a map, and you can see it on the website, on Six Lab, you see the Czech Republic
and Luxembourg are the best ones. Lot of green, and it's good. So again, the big websites are very important here. BitTorrent, BitTorrent supports v6 for many, many, many years. And BitTorrent and NAT are not friends.
So you can guess that BitTorrent and IPv6 are good friends. So I wrote a BitTorrent client using the BitTorrent library and basically pretend to be a BitTorrent peer and trying to download as many files as possible. I was not downloading them, and I was not having them.
If by any chance there is police in the room, right? I've done nothing bad, I hope. And then I can measure them. And again, you see a lot of greens. The greener, the better. And the country, I think it was Germany, with the most peers doing v6.
So my website, my client in January, about 60% of my German peers were IPv6, and 40 were IPv4. Biased, of course, right? Because IPv4, they are behind the NAT, and I cannot reach them. Okay, they only can reach me. So the numbers need to be taken
with some precaution here. Okay, with this, I think I'm mostly just on time. We have mostly time for one or two questions, or more after. And don't forget, if you have questions, you can book a stickers. Now, if the question is bad, you have nothing, right?
Okay, the question is about NAT66. Okay, can we do NAT from IPv6 to IPv6? Then the question is twofold.
The IETF has standardized NAT from an IPv6 network to another IPv6 network. It's mainly for multihoming and this kind of stuff. But the IETF has not standardized something like a complete IPv6 network to a single IPv6 address. So there is no NAT66, in the sense of NAT in IPv4,
on purpose. Now, to be honest, customers ask it, so vendors, like my employer and others, do it. But it's not standardized. Okay, and it's bad, it's bad. Okay? Okay, I need to get my salary paid, right? So I'm okay with it.
So, drop a book afterwards. I have a question, three. How do I get my internet provider to give me IPv6? Okay, how to push your ISP provider to get IPv6? So first, if you want to try, and that's what I've been doing, there are multiple, what we call, tunnel providers. Like Hurricane Electric or SixXS.
Okay, look for tunnel brokers, you'll find it. Basically, you install something on your Linux box, and then all your network at home or at office goes through your Linux, it puts all the v6 packets into NAT IPv4 packets, it's sent. Working fine, it works for me for many years. How to push your service provider? Maybe it is.
I mean, from your accent, I guess you are from Germany. Austria. Austria, no luck, yeah, sorry. Austria is not that advanced. No, asking, asking, and asking, yeah. Another book for you, if you want. Can I? Oh, and you drop the stickers, right, with IPv4 only for your provider.
Okay, sir. Can I? Sir, you said Japan has already run out. How are they approaching it? Are they v6 only, or are they dual stack with a NAT or something? Japan, they run out, you said.
On BitTorrent, or? No, Japan itself, how do they give out the IP addresses? With your servers? Ah, the flight, BitTorrent, right? No. Just, I believe, I believe that's normal.
Let's do it offline. Anyway, thank you for your attention, by the way. So now you are on a quest, right? Enable IPv6 when going home.