Internet Engineering Task Force 100, 13 Nov 2017

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF100-V6OPS-20171113-1330

Description

V6OPS meeting session at IETF100
2017/11/13 1330

https://datatracker.ietf.org/meeting/100/proceedings/

A

B

Okay, 130 in all 12.

B

How many people in the room have never seen the note well before? Okay, there's one okay, so no well.

C

So we have a couple of announcements as we start. Let me look. Let me start with I'm Lee Howard. That's Fred, Baker, that's Ron Bonica, where you're co-chairs for v6 ops, if you're not here for v6 ops, then you need to figure out where you, where you wanted to be a couple of material items.

C

Michael Abramson is our jabber scribe, he's sitting next to the front Mike. He asks that as you approached the mic, please approach the front mic, so he can see your nametag and please have it visible to him so that he can spell your name correctly and Barbara Stark is taking notes in etherpad. Thank you both very much I love this working group, because I didn't even have to ask for help. People came up to me before the meeting started and offered that's fantastic.

C

One of the things some of things some of you may have noticed is the v4 SSIDs for IETF have been disabled in this room. You might see some leakage from those SS studies from the adjacent rooms. Please don't use them because that you'll be stuck, but then those will get overloaded and performance will be poor. I have actually just accidentally tested this and determined that, in fact, performance is poor for me on the IETF main SSID, because I'm pulling it from the the access points over there. I didn't mean to be on that one.

C

So, furthermore, therefore please, if you're going to be online, please join one of the ipv6 enables SSI to the v6 Lior, the nat64 SSIDs and please report tickets to was it tickets, dots, ietf.

C

Tickets, dot meeting IETF org, they would love to see problem reports so that we can figure out what to do about them.

C

So that is just for this room and just for the duration of this meeting, everything will be relabeled after we're finished here, but it seems like this would be a good place to do this experiment here. We have our agenda any further announcements, all right, so we have somebody from Cisco is gonna, hear you are good speakers. Please stand inside the pink box. That's here in front of this microphone because you're on camera and remote participants can't see you if you're on camera, if you're outside the box.

D

All right good afternoon, everyone, my name, is Kelly Javed I, am part of Cisco IT and worked with the team that helped deploy ipv6 only in one of our buildings in the San Jose campus I've been with us quietly for a time now and I just want to call out at the very beginning. This is my first ITF, please be gentle.

D

I am from IT. I am NOT from product management or product development and I sit with you guys in those chairs, not this side of the fence, all right so I'll take those questions, but I'll just pass them aside. Right.

D

So on my agenda, I've got an overview, a dual-stack recap, because we started back in 2009 ish what we did with building 23 in the San Jose campus and our data center plans.

D

So we are just like any other large enterprise that you would expect to find I'm not going to count out each of these. You can all see them, but roughly we're looking at about 5 million IP address assignments. Ida may not be live, endpoints their allocation assignments and that's pulled from our address management database and that's the kind of scale be looking at when we're talking about going to ipv6 only or dual stacking our infrastructure.

D

We have 11 9 cops across the world which are advertising an arrant provider aggregate Able's. Last 32 we have 1/32 prefix from Arin that is being split up and advertised across the world right we run EIGRP internally and to end and all our management for current infrastructure is over v4.

D

We using the Cisco Network register or CNR for our dhcpv6 assignments and for v4, and we have put slack in special locations in the network as an exception. So we talked about that.

D

So most of the network that we have was dual stack back when we did world v6 day and world v6 launch. So we were dual stack before world v6 day. We started core outwards and.

D

You know it was juice extended everywhere, but there were areas where we could not do it because of various gaps. Let's say in the products or in in the way we were doing things. There are some pilot deployments that we have not taken forward and those include the extranet and the Cisco virtual office, which is basically the home office that employees are using to access the cisco corporate network, the pilot, CV or Cisco virtual office. That's done it's really carrying a previous external inside the IPSec VPN, it's not native ipv6.

D

On the external, a quick overview of a timeline we did world a, we did well launch we're. Looking we've done, building 23 learning lessons from them. We are looking to go out and develop this design for the data center side as well. It's in in in POC stages, right now for a v6, only data center hot and we're focusing on getting the Train training and development off for the teams, specifically the application developers getting them awareness around the need to develop IP agnostic applications, especially as we move towards a micro services, architecture and.

D

We're hoping to mandate all new applications be ipv6 only I'm not going to put a day there, but the unofficial personal view is that it might happen sometime in 2019 right, but these things are controlled by people who have different agendas.

D

Okay, so coming over to building 23 in San Jose, so it was a single campus building that was targeted for both wired and wireless mobile devices as well. We had a nat64 and dns64 set up to look after the translation, management and data, so the bit that was doing out to be a six only was also being managed over ipv6 and it included all the unified comms applications as well.

D

It did not include building management systems for health and safety by diverse still on the v4 production, obviously because they they themselves with some bad leaders or various. You know, security, cameras, etc. They're still not fully active e6 only capable.

D

What you see in front of you is the physical topology, a standard design for Cisco IT.

D

We had a nat64 setup that you see on the right hand, side and we had a dns64 set up based on by 9.

D

The 38 50s are a typical switch stack along with the 45 hundreds and the 3800 ApS for wireless access.

D

So the ipv6 only bit started from the 6500 virtual switching system that you see two green boxes from their north, where it was ipv6 only and of course, everything below that was ipv6 as well. Now, I want to call out here that the cloud that you see on the top is the Alpha backbone.

D

That is a semi production network that we have it's used to bring the business units in so our core and it hangs off the distribution layer for the san jose building there, which is dual stack so I, wouldn't say that that's an entirely production network, it's it is semi production, in that it is not bound by the constraints that you would have from a change request perspective that normal production networks would have, and that's the reason why I hooked it up there, because we didn't have to file change requests or anything in case we wanted to do something very quickly.

D

Okay, moving on the features we deployed our standard, everybody expects these I believe nothing new here, first off routing, first off security and all the ipv6 security features that are available across our platforms for ipv6.

D

We are, we are doing dhcpv6 stateful by default, and slack is there only as a special case because of the attribution forensics issues that sit behind privacy addresses there like I, already called out ERP for ipv6 and, of course, not x4 dns64, some stats there from the 14th of October, we had a peak of 500 users. This was on the day that invited everybody to come on in and log on to the ipv6 enabled corporate SSID there. It took us three months to do the entire deployment. That means it's still running. It's not.

D

We ran it for three months and we stopped it took us three months to do the entire deployment, approximately seven to eight engineers and the average traffic we see there was about 250 megabits per second. This is on the northbound links from the from the café's 6500 pair that you saw there approximately 32,000 nat64 translation entries in the boxes. There.

D

This is chart for the maxixe for translation table entries. As you can see, we peaked at 32,000 proximately. The dips are obviously the weekends. When there's nobody in there I'll call out why we couldn't gather it under SNMP. We were using a script because it's not supported there's a slide on that.

D

Okay ipv6, only DC is still in the PLC stages, single port, we're targeting based on our ACI fabric, which is application, centric infrastructure for those who don't know we're just doing the data plane. Nat64 dns64, of course we're doing a combination of stateless and stateful math there, and if there is budget, we intend to do a port per quarter, starting fi, 19, again subject to approval.

D

That's the high level. Topology again is pretty straight forward with the nat64 set up there, the DCC or the nexus 7 case that you see as the right-hand side the two blue boxes from there on. It's all build stack outside.

D

Okay, I'll come over to the issues and challenges we faced. While we were doing this, it is probably something that you guys are more interested in and- and let me tell you it's working so there's nothing. We couldn't work around right, I'm, just calling these out, because yet these are some of the stumbling blocks that we had to find a way around. Any connect issues on the Mac only resulting from some software problem with an upgrade and a code fix. This was resolved.

D

There's apparently no babe, no map for extracting translation information from the nat64 boxes, so we filed an enhancement effect there, but I, don't know what can be done about that. If there's no standard right, we had an issue with our Cisco TV or infinite video, which was an acquisition again. It was a back end up that fix the problem.

D

We had issues with jabber clients. Again it was an upgrade to version 12 of the CUC and the Cisco Unified Communications managed to call manager server and it was resolved so user sitting in building 23 could use jabber. They could use Cisco TV, they could use applications wire. The nat64 to connect to ipv4 only applications and yeah we mean on the day we had a war room. There were initial issues, but everything settled after that.

D

We had spark that was also working, but only the application. The web enabled side of spark. The web-based date was not working. Webex WebEx has an IT infrastructure that is not under Cisco IP it as a separate IT infrastructure and is going through its changes. So we had issues there because the load balancer was quite old and it would send surveil and the nat64 would not be able to. You know synthesize a core day, but again it is the GSS upgrade thing: that's going to resolve our.

D

So that's that's the long term fix and this only happened when they failed over to a data center that was not ipv6, enabled versus otherwise ipv6 enabled. Finally, ipv4 literals. We had engineer sitting there who were using ipv4 literals to get to their labs and there's no fix for that right, so I mean we worked around by coding. Those are tv4 literals with dashes into the DNS servers so that we could just accommodate them. For the time being,.

D

Right so privacy extensions are quite an issue with us, especially with slack. There is a significant Android user community across Cisco. We don't have that problem with the iPhones right with iOS, but with Android. We have this problem and we and we're not essentially against this. You know we'll. All we want is that InfoSec have the ability to track these address rotations as they happen, or that means we do so for that.

D

We have to develop a tool to somehow figure that out right or we do something called device profiling, and we say that if you've enabled you know, privacy, extensions and I can't let you join the wireless network. So that is why I'm asking Google here. Can you please give us the switch to switch this on or off so that we can decide at a corporate level by their devices which have enabled privacy extension should be allowed onto the network or not? And then it's the users choice the RFC mandates. It says it's a must.

D

It's not a should so I mean you're not really following the RFC by not forwarding that switch ok gaps on issues on the data center side, I'm going to open up the entire slide here, so YB replication services. This is a Cisco device that does van optimization.

D

It doesn't support ipv6, yet I'm complaining to cisco standing here today right by calling this out. We need that so, hopefully, they've got it in the roadmap, but as priorities have always shifted things around it keeps slipping, kubernetes is actually resolved. This is slightly dated information.

D

We do have I previously support there since March, but from a from an internal IT perspective, we're still looking and working on on this. There Fixi boot doesn't support ipv6 and storage.

D

My storage architects tell me that if I was to go out to v6, only their pools will be fragmented and understandably all right and if they're fragmented, then you still have to go through some kind of a translation infrastructure to go between the pools or I guess you'd have problems having wheels moving around or things to that effect right. So storage pools are an issue when we look at the data center. If you are ipv6-only, that's as long as there is ipv4 own stuff that is trying to access them.

D

So we'll get more on this as we further develop the design all right. The larger issues, oops I skipped this one Joule. Second, adoption has held us back from the latest innovations.

D

Now what I mean by that is because we were beust at entirely across our access network in 2012, and we did well launched and as the B use developed products that did not do ipv6, we suffered there because we couldn't put those out into our network every time, claiming that an X amount of traffic from our network is ipv6 and if, whatever you're developing, does not give us the ability to add value to that flow, then it's a bit of something that held us back.

D

We did find workarounds for this, but this this is something that is going to be an ongoing issue as as long as the people that hold the budget and who decide the priorities about developing products. Do not make sure that ipv6 is part of that.

D

Making the business case for dual-stack was hard for ipv6 it's hard and risky for ipv6. Only what I mean by that is so we got everything into into Gil stack now, as people try to go into ipv6, only application owners come up and ask all right. So what if it breaks so now there is, there is a line where you have to convince them.

D

That is, you need to move to ipv6, and then there is a line which says: okay, what if it breaks for people who don't have a previous a so if you go to the translation infrastructure, so that's that's a message. I hear from people I talk to and this message is still not flowing downhill. I want to take everybody back to 2011 and 12. The service providers had a use case. They needed growth and therefore we gathered the momentum and we did ipv6 day and we did ipv6 launch.

D

We had the content providers come in and they said. Ok, that's really no good until we get a lot of the service providers in because yet things will still be going through translational infrastructure and we had a lot of momentum. So between 2 and 3 years, we had the graph go up like this right now, it's 5 years since then, and still the application owners are not convinced that they are ready to go to ipv6.

D

Only and I think that momentum comes down to the leaders who are sitting at the top from folks like you who influenced their thoughts. It doesn't go bottom-up from people like me and that's that's what I mean by the message is not flowing downhill yet because we've done our bit on the infrastructure side, with dual stack: try to minimize the risk you've been taking a building on to active v6 only but going forward. You know we're ready, but the application owners are not convinced that they want to go there.

D

Just yet I'll give you a recent example: Cuban IT support came in sometime like March 2016 for ipv6. Now we are doing a micro services. Migration for all our applications and I was very keen on making sure that you know we have a playbook where we lead by example, and have developers do IP, agnostic, application development saying that, yes, we can do this over a few basics only, but if the overall architecture direction that the application they're moving to things like those are late and doing our pp6, only then I've lost the case.

D

It then suddenly becomes a disincentive to go there. You know if it's not only not doing that. Furthermore, you know I mean I know that we are doing some kind of an overlay not for v4 for the micro services piece now that that that further, you know, aggravates the problem of people not trying to go to ipv6 only so I. That's that's my feeling on this that that's what's happening out there in the wider world and yeah. There was a great team behind this and I just wanted to stand.

D

It acknowledge those people who spend a lot of time doing this.

D

Okay, if there's any questions, I'll take them now.

E

Hi David's Ganassi Apple regarding your point of device tracking and a global switch for privacy addresses as someone who makes user-friendly devices, don't expect me to put in a switch for ipv6 privacy addresses. That's not what the user wants. Also privacy addresses or beneficial prevents there's some website from tracking them. Whether the your device is on your network or not. If you really want to track them, why aren't you tracking, based on MAC, address.

D

Okay, so your question is the user would want that? That's you're deciding for the user, let the user. Yes, that.

E

Is my job to decide.

D

So what is the unit I think that it can be debated, but I think that when you sign up to a corporate network, you already sign a contractor. You already signing to agree with the policy. If your corporate policy says that yes, no privacy extension, then it's the users choice. You can come on or you can not come on so.

E

Your corporate policy is that now, if I'm on your network and going to some public website, I have less privacy, because you didn't figure out how to track at layer. Two.

D

Yes, exactly that's that that's the case, because we set out the policy you could go to the policy and find 200 other lines which say: oh yeah, I. Why are you doing this because I should have rights? So it's it's legal has to face a lot of legal obligations. They have to make sure that they're in compliance with a lot of things. That's that what they tell me. Okay,.

E

Would you also like a switch for me to disable TLS while you're at it.

D

Iiii, don't make that policy I'm just telling you that this is what's preventing slack going out, so you can either take it that, like that, alright, we are going to leave it like that you're not going to do it and help not let ipv6-only proliferate or you can say, hey user. Here's a switch! Your choice agreed.

D

F

Thank you, Marconi grab, my happens, cheap. Thank you. Great work, especially coming from a vendor eating your own dog food is always good. I spend a lot of time kind of selling this at a high level to all sorts of people who are not engineers and I'm still a bit confused and in the message here. If you're telling me that this is a message that needs to come or a decision needs to be made top-down, but it's costly.

F

It's high risk and essentially you're already dual stack, so you should disable ipv4, which I don't sort of. Are you suggesting that people who are already dual stack and should move on to ipv6 only already now pentesting something that's supposed to be a green field deployment, because I kind of don't see the pot from dual stack to v6. Only if you've got a working, dual stack then shouldn't happy. I was take most of the strain and make ipv4 squared.

D

Okay, if I had some difficulty hearing you but I guess you're saying that if your dual stack, why are we not going to ipv6 only and happy eyeballs want.

F

Once you've got dual stack, you've got the ipv6, Joe I call the job done. Yeah.

D

But happy eyeballs is is more of something that we found to mask a lot of connectivity issues. We feel that dual stack is not the way to go forward operationally. It should be active. A six only and happy eyeballs doesn't help at all in making sure that Idris is connectivity is really working. There. I suspect.

G

Learns a clearly I suspect that what Marko is actually saying is that it falls on you to claim a lower burden of operational cost to justify moving to v6. Oh yeah,.

D

That's not the only thing that that defines the equation that people who are developing products- you know they've got other revenue targets to meet I, guess so so operational costs. We are already saying that we do not want to maintain two protocols. We are already saying that the the way we would like to go ask me to do it again today and I'll. Do I do v6 only and I'll invest everything I possibly can into a translational infrastructure so that I can I can work out the kinks there, but.

G

We are you start I shouldn't have said you I should have said people like you all across the industry, when the operational cost will basically start being substantial enough. The people are starting to stop gonna start asking themselves. Why do we need this before thing anyway? That is the point when your app developers are going yeah yeah.

D

Absolutely so let me tell you where I stand on that and I'm talking about people like me. Hopefully other people have their opinions, maybe I don't know, but from my perspective, operational costs are owned by a different budget owner an application revenue is owned by a different budget owner, so you have to look at it from the top down. You see the the guy out there, whose application is bringing in billions of dollars of revenue does not own the operational costs. No.

G

But his customers would like to use them. The customers that buy that application that are suffering the same operational cost that you are suffering will eventually request that, as in yes,.

D

G

And and that message again comes top-down, it still doesn't flow, bottom-up. Okay, so now on the privacy dress front you're correct that we don't implement for a 94 run correctly. The I would I would ask your InfoSec people. Do you want everyone on the Internet to track your users in perpetuity? Because if you disable privacy addresses that's, what's gonna happen? You.

D

Know I've had this debate with them myself. They say they need to meet legal obligations. Full stop. You see now, when you put the legal wrap around it, I can't say much more because I'm not going to go and sit down and change.

D

I, don't know any any legal law that requires people to track stuff all but I hear it I hear them when they say that look when you switch on your laptop or your PC into the office, you are agreeing to a code of conduct with respect to the use of the network, and that has so many other clauses that you would normally agree. Yeah.

G

Yeah I'm just saying it it's their job to protect your employees as well and by turbulent privacy, addresses they're, putting a big target on their backs. But you know I'm not gonna, try to argue these people I mean, but.

D

I say that if you do not want to implement it, I said Google. If you don't want to do it, then go get the RFC devised. If the RFC says it's a must, you should do it. Okay, we'll do.

G

That, okay, you know now if we can get consensus on that, we we will and we'll we'll start the process. So finally,.

D

At the end of the day- maybe sorry- maybe maybe two years down the road you can say you know we don't need this anymore. Everybody agrees that we should have privacy, extensions and that's good, but if you do that today it will help people who are not deploying slack because of legal issues, deploy slack and allow ipv6 to come on, but.

G

Then forever we will have no privacy, so there's a trade-off. I mean so another point I wanted to make is that the legal, the consensus statement of the ITF on this topic has been published. Okay, it's written in Rye of c79, three four and it contains detailed text about address tracking and what is recommended in the ITF I would recommend that you follow that advice, because that's the advice of the ITF.

G

That's really really all that we need to say about this. So.

D

You should we should go back and in in addition to developing or or spending all the money to do. Obviously, we should also develop, spend the money to develop special Troops tools to track addresses, because you don't want to implement an RFC. You.

G

Have the tools your devices do this? They send syslog messages when new neighbour cache entries are created, that's written in the RFC implementations. Are there I mean so so, like I said, read ERC and we would be happy so so. There's a flip side also right we're trying to we're trying to look at this for the long haul.

G

What we're trying to see is what can we do with multiple IP addresses that you can't do with just one and we're talking about we're starting conversations about like how can you sign an ipv6 address to an app the Firefox people are saying: how can we sign a different IP source IP address for a every origin, server to preserve privacy's? There's all these things that we're going to require multiple addresses on hosts and just saying, there's one IP address per host is not gonna. I'll go on gonna allow all these things.

G

There realize that there's attention there, but I think we. We should think about the long term. A little bit more and I did have some conversations with people at Cisco and I. Think there was general agreement around the table that it would be better to base this tracking not on an IP address, but on a solid attestation like the 802 dot. One excerpt right, if you want to build this, come talk to us and I think that's a way better solution.

D

For everyone- and we have that- that's how we have turned on slack for those people.

G

D

Then do our devices do what you want already no I, don't know. I haven't gone down in the details there so, but.

F

Then I saw you have turned.

D

On attitude open x4 for slack there, I am not privy to the details whether we actually track once the device changes its address. I don't know about that, because I was not involved in that you.

G

You may also consider a final point. You may also consider the ipv6 prefix per host raft, which gives you a much easier way of tracking that, since you only have to track one thing at a time you can assign the host. You can assign the host one prefix based on based on radius, and that will give you tracking to from IP to Mac and if the device randomizes its Mac you're Sol, just.

H

Like all right a day, so it's but.

G

We will do this and- and you know, you're gonna have to be the owners of the device to disable Mac at restaurant I'll. Take that back.

D

And we'll see how we can you know change the way we design our network to do that.

B

D

Equipment in here.

B

I'm capping the mic, so we need to move on to the next, but go ahead. Okay, quick.

I

Question I'll: keep it brief, do you have anything online like a blog article or something that has a little bit more detail than just the slides, but that's not video that somebody could read I'd love to share this more widely on mailing lists in social media, as it is just as you know, a used case. Your experience. Do you have anything, that's easy to share there.

D

Are more details on all the issues and challenges and the use cases and they were going? They are going to be written in a blog article and I'll be happy to share that or you can find it on our Thanks.

J

Gentleman call Google just for sanction presentation very interesting, but as someone who operates a corporate network I definitely would not like users to have privacy addresses disabled because they would not enable them when they walked out of the door. They wouldn't do it. Every time the commons office, unmown, young, disabled privacy, addresses and renamed was, and after so we actually, because we just do not have right tools in place. We should not sacrifice security and privacy concerns.

J

So probably we should concentrate on getting the right tools like telemetry, for mark to ipv6, address, Mac and and so on. I think it's better place to put effort fair.

D

E

David's cañazo, just so I am NOT a lawyer, and if someone is and knows this rules in the great city of San Jose, please come and correct me, but I highly doubt that the regulations stipulate exactly how you would need to track users. They probably only tell you that you should track users, so the fact that you're doing an IP address and not on MAC address. You can't hide behind the legal requirement.

D

E

D

I, don't know how you're doing it. This is an IP. This is an InfoSec thing. It's dark circles, even I'm, not privy to that. What tools they have, what attrition mechanisms they have there, but the feedback I got from them was that if it's in the RFC it needs to be there. If it's not there in the RFC, then you know then.

E

They'll have to redevelop their tools and.

D

E

A fair response, I mean I dealt with InfoSec teams before and well, while you're not privy to their decisions. I would suggest you go back to them and tell them that they're not privy to the coasts OS decisions, so we're not going to enable this and just tell them that ok.

F

C

So I'm standing before you not as a working group co-chair but as somebody who did some fun activities over the weekend with a bunch of people here, of course, you know that the IETF we've been hosting a hackathon for a while and I said: hey, let's go do some, not a hackathon, not software development, necessarily, but let's test the various v4 v6 transition technologies that we've developed, so two goals that I had come up with were to inform this discussion.

C

We've had on the IETF list about whether the default SSID should be the nat64 or should be four six, four X lat or some other variation, and also to compare the various transition mechanisms. And so let me Clemmy come back to the team. We did so we here's how we did it. We had this rodent domicile rat's nest that we created it interconnecting a whole bunch of home gateways with VPP implementation of transition technologies.

C

It took us a while to put it together. Here's the the network diagram. You can see that the network diagram has, you know handwriting, hidden, written notes on it, because things change on the fly. That's why it's a hackathon, the CPE that we used was lead or ledee or, however, you that, if that is properly pronounced and the event and VPP was used for all the BRS and aft ARS for this, this is the team that was working on it.

C

Actually, anybody in the room who's on this who who helped work on this, would you stand up for a minute, so you know great work. I really appreciate all the work at the end here, I note that Jen link, OVA and Randy Bush, specifically tested against IETF nat64, implementations and Jen's couldn't come up and give her slides in a minute we tested always tested these transition technologies, and these applications and everything worked except steam was one that Jen noticed the unable to reach a certificate. Revocation list might have been a glitch in the matrix.

C

That was a weird one for me, because it turns because I tried to reach the CRL that was offered by the the Wi-Fi SSID and it turned out that I couldn't get there on that 6:4, but later I tested it again and I could get there and I may have made a typo.

C

We didn't get a chance to test Matt, T and Matt II. It should work the same as like wait for over six. We just you know we couldn't prove it because we did have a chance to test it. Vpns. There was a special case because VPNs don't work if they're configured not to work or, if they're not configured, to work. It kind of works both ways and that kind of brings me to well. Let me go ahead and show this. This is essentially Jen's slide. She's gonna come back and talk about her results.

C

We tested dual stack light and you can see lots of gaps here where we didn't actually have a tester in place or the facilities. Somebody who could test that or we somehow just missed the test case. The nice thing is almost everything we tested was green everything most of what we worked where we test it actually worked. Spotify so Spotify interesting lis didn't work on Mac OS as an app, but it works just fine.

C

As with the web client, that's another one that I'd like to go back and test and do some packet captures, and apparently air display didn't work on on Android, but worked on the the Apple OS is four six four X. Let's similar results, not quite as many such cases tested, we weren't able to test most VPN clients, because we just didn't have the right people at the table, who happened to use those VPN clients and sort of additional testing that we also did but not rigorously, not not well noted.

C

Was we tested slack and Remote Desktop Protocol on a couple of things next time? So these are some of my lessons learned the first day setup was much harder than I expected took us a long time to get the configurations of both ends working together next time we do this and I do think there should be it next time.

C

I need to assign or somebody we need to assign test cases to individuals ahead of time like fill out the matrix and put people's name on names on them and say: please come and do this and that destroys coverage, but it's also makes sure that we have the apps pre-installed rather than trying to download and configure them and register on site, especially true with VPNs.

C

We need to add these additional transition, technologies, I think and there's still there's a different work that isn't just what we do next time is the the lead documentation for these transition technologies is sparse if existent at all, I think I'm going to go ahead and say in at least a couple cases. There is just no documentation that when you do search for how to configure it, you come up with email from geordie to the lead development team.

C

We I think we may want to come up with some VPN best practices, how to configure your VPN so that you're, not opening yourself up to the to the internet over v6. How to make sure that you're, not you know, split tunnels are a really weird situation. Wes has been telling George has been telling me about some of his unique cases. We've got some potential hosts requirements and potentially some potential input into host requirements that all a really is is saying: hey, I think we've learned this.

C

We really need to work on this some more and we also need to test home electronics stuff that I'm not gonna bring to an IETF, because you know packing up a whole bunch of game consoles and stuff here and dragging them on an airplane doesn't sound like a good idea but I'm working on this there. That's what I wanted to do. Real, quick Jen can talk about her results and then we'll take questions for just a minute or two I.

J

Actually sent you updated slide option, because I would like to bill all the slides, because you helped a lot on the hackathon, sir okay, so I said that I just sent you updated slide version. So if you can upload later updated, sent because I missed bills, name on the slide and I feel very bad about that. My apologies. So we had the discussion last time about how useful is IETF, not six voice. S ID, so I hope everyone who keeps their laptops open.

J

A current show not six for SS ID and if not I would like to I would like to see ticket soap and explaining why they. What did not work. So we try to see get moderate about what is going to be broken if suddenly before disappears. So it was a list of applications selected mostly based on other tickets, which NOC received previously during previous IETF and plus some applications, which we believe I need to be tested like applications which require for working group. Our participations like metal, Jabar and so on, so anak helped sense.

J

A lot for creating troubleshooting environment, who is mirroring, curb all traffic to switchboard and so on. So we were able to troubleshoot when something went wrong. So yeah it was the matrix, so green means works. Fine gray means it didn't make any sense to test because, for example, me take oh I didn't test on iOS, Android and orange means you need to be tested because I had some visual issues with getting Windows 10 up and red means it did not work.

J

And surprisingly, it actually looks quite well so Spotify application on MCOs did not work because it looks like iOS. Application was fixed because of HIPAA requirements, but there is no such requirements for desktop application. It still believes that if there is no before address, there is no before connectivity and even on, and it's still trying to use refer address and error display on Android behaves the same way. It's application just complains. I know I, do not have internet connectivity. Please come back later. I.

J

Found yeah, it was another sync, I tested telegram messengers and everything works fine, except for web-based key generation. So it's just sitting there doing nothing. But after if you get kid Keys generated, it works just fine and I'm trying to find people who can fix it and I feel bugs for a bug report for display. So again, if you user display on Android, you can complain to them and the most important sync actually was VPN, because I think it was the main concern that people could not get their work done.

J

I repay an applications do not work and I see, surprisingly good results, so Open VPN works, cisco people tested the corporate VPN and came back to me here, and it works just fine. So here some corporate VPN do have issues. There are vendors which do not support v6 only clients, but I've heard that some people might even consider on changing those vendors to better ones, and there are some work.

J

Europeans might not be just a configurate to York explicitly, and indeed here, when you split tunneling, it's tricky right, split tunneling might hurt, even if you want before only network, because it's osseous DNS split horizon issue, you get DNS respond over VPN, it doesn't mean you can actually use that respond to send traffic, not in the VPN tunnel, so it was actually quite good. Yeah I, say telegram. Messenger was also tested.

J

It wasn't so I know that a lot about various millions of instant messengers this week I did not even know so many of them exist. So we tested two more. They worked. I heard that some of them did not. I will show that steam application does not work and it's actually old version of my slide to two versions so yeah. The most funny thing is all these fossils in your configurations.

J

Don't check your SSH configs for host star familiar net check your EDC host for explicitly specify it before addresses, which means dns64, doesn't help you much and so so yeah. You might have some very interesting configuration on your devices. Yes, so there I'll, indeed a lot of things to test, I'm pretty sure there are other VPN applications around.

J

There are millions and millions of messengers and again it would be really nice to get more data about what people using at IDF network and want what needs to work here to see if not six four is in the good shape to be a usable SSID here. So please use not six for this week and report if it does not work actually if it works, it also nice to know. So I think that's it.

H

Michael Abramson, did you say you managed to get a lady box to do the nat, 6, 4, plus dns64 or or not, which.

J

H

C

No, we were using VPP to do the ok, so I have.

H

An opened up be based in omnia Taurus at home that I managed to win like half an hour to get that working as a net 6-4 dns64 box. um I can probably try to get a normal out of box lady and try to do instructions on how to do that. Would that be useful so that anyone can set up a dns64 plus the nat64 box at home for testing I.

C

Think the having documentation that that said how to do that would probably be useful, I think yeah.

H

So you did not find good.

C

Documentation of this, so that would help I didn't look for how to do dns64 and nat64 on a lead box, because we had the the ietf heavy version using using one vendor, and we had VPP providing another instance. So I didn't need to I didn't go that there was actually one more comment on I need to make on something else, which was in several cases. We found that an application had problems, but once we upgraded it to a more recent version, the problems went away. Several cases.

G

Other ones are Kodi thanks for reporting this there's another bug where I just wait. It's it's mostly amusing, but.

H

G

Wireless controller in this network, if you don't do G HP v6 and you don't do a UI 64, that's like well you're, not on the network. So that's something that we're reporting the Cisco, because our devices can't get on the network at all our new ones, because they don't do UI. 64 addresses anymore and.

G

Me no, no, no newer! So there's a lot of testing still to be done.

E

David's can now see Apple I wanted to make a couple points on the VPN slides well, first off thanks a lot for all this. This is really heartwarming, especially that things are getting fixed on the VPN configuration shouldn't matter since, like a few years back, we went through and fixed all of the VPNs that are shipped with iOS and Mac OS, and you can try to configure them any way you want.

E

You can't get them to not work, because these VPNs, if they use UDP or TCP, they will go through a nat64 just like they go through an app for for like things that UCSB could be a different story, but if that any kind of VPN that can go through an at4 for can go through an app 6-4. Otherwise, it's a bug in the VPN software. It's not a configuration problem. I.

J

Was under impression that at least at some point, Open VPN could be configured to explicitly only use before. Yes,.

E

But I, so imagine this if you configure it to say this is a full tunnel VPN that disables all v6, which is what you want, because otherwise you're leaking all your traffic over v6. If your goal is to make a VPN that privacy and you don't you, don't your server infrastructure doesn't support v6, you want everything on before and you explicitly want to drop on v6. Then what that would do is all of to the phone. It offers a v4 or default route.

E

It doesn't offer any v6, but underneath the VPN goes over TCP UDP over ipv6 through the nat64 that case you're describing is that there's a bug in the Open VPN code that they still haven't fixed.

J

Last time, I saw it not this time. I it was VPN was not even asking for quad the a, and it was I think it was something that configure right on it, but it was a desktop. It wasn't that.

E

That's a bug in the in the client software like you, even if you configured it as I, want only a v4 route and I'm connecting to VPN example.com that software should still be asking for a quad a-and. Have the underlying do NAT six four! So.

C

One of the cases that we think this is different than what you described is I did hear of somebody describing that their IT department had them configured for split tunnel and therefore their their applications believe that they had v6 and could use v6 and there and then, of course, they're set to use the the ISPs name server. In one case they said they got it because they didn't have v6 locally and they didn't before locally. They were getting a link.

C

Look what see tonight at 284 address, and this is probably more than we can solve here. We ought to say you.

E

Know, there's something that we've already solved. Those second point lit tunnel and nat64 is discussed in the happy eyeballs version to draft in 70 section, not something, and it's up to the client OS to solve the problem, because I agree that split tunnel makes this hard, but split tunnel is and split, DNS aren't going away, so you this can be fixed in the host and the RC documents. How to do it. Thank.

C

You and that's, that's probably exactly where we need to take it, and but that doesn't mean it's been implemented by everybody yet, and you can stop so you can.

E

C

Break a VPN: if you try hard enough.

E

Absolutely, but in general we idea it's, the software needs to be fixed, the user, configuring it wrong shouldn't, be an option.

D

So one comment on the testing, so we tested Skype for president, we tested jabber and we tested outlook on Windows. It works. You can carry out your testing, my question or I. Don't know. Maybe the suggestion is. Is you know we had v6 certified? Can we have nat64 certified for applications?

D

No, that would boost a lot of confidence for a lot of people saying yeah. This application has been nat64 certified, help speed up the v6 adoption.

C

Bit so we we do have RFC is describing it I, don't think the IETF does. This runs a certification program. There might be somebody in the room who does run a certification program, but when we did the the ipv6 ready logo program it was we had to write a spec describing the expected behavior and then work with the v6 forum on developing a essentially a compliance test suite that they could then use to test against. So there's work to be done there I, don't know any reason why it couldn't be done and I don't see.

C

Tim winners jumping up to say no there he is. He is jumping up now that I've called him by name.

K

Yeah yeah Tim winner is UNH hi well um so for the v6 ready logo stuff. Obviously, when there's interest in these types of things, that's when we go and do it. So if someone relates really nice document that we can read and we can create a test program and there's interest on it, we would absolutely do that.

L

Geordie palette I was not sure to understand in your presentation both of you, but especially for for not just not 64, but the rest of the transition mechanism. I actually try it Open VPN, which disappea not with UDP, but we still need work it in all the transition mechanisms that we tested. Okay, so that's that's clear and also responding to what Michael said. I have already implemented in a city like this ten ten dollars, not sixty four and dns64 on open wrt. So that's that's visible as well, and it works yeah.

L

Well, not instructions, but I will make it. I am going to document everything what is missing in leather for for for that.

B

Okay, I need to cap the mic after Lorenzo Daniel.

I

Show afrinic quick question in regards to the testing of all the different instant messaging telegrams lack, what subscribe, etc, etc? Did you differentiate it all between text, voice, video, I,.

J

Yes, so when it's green, it means we tried video if messenger supports it yet because text works all the time, but here there are cases when a video is not possible. Yeah cool.

C

Thanks I'm gonna respond owners wanted that too, because I don't know that on the other transition technologies, I think that we did test all functions in all of them, but I don't know that we did Jodi's saying. Yes, we did test all functionality good and.

J

I would say well more. We try to make sure is that we we have a video between a client on not 6-4 and before only client, because if you have to coin on to v6 and networks, it's probably yeah, it should work of.

G

Other insecurities to reply dear to your comment. Jordi I think it's it's not as easy, as you say so. I've gotten I've, gotten nat64 dns64 to work on our printer belchy, but it's dog slow, really, really really slow. Cuz tiger punch the packets user space and it's not really an acceptable solution for a mass-market device which is going to have a CPU. That's as small as it can be. Well.

B

That makes it a fee right.

G

But jewel is not upstream right, so you have to like integrate it into your curl.

G

Right but it's not in the upstream kernel, so you still have to do integration work. So it's it's! You know it's! It's! It's not trivial! um Oh we're! Testing! Yeah! It's fine, but you know.

B

Okay, thank you.

J

B

J

J

All right so conditional erase and underpriced multihoming, so I, don't know I just quickly remind you what's all about right, so we have a problem of enterprise networks which want to use pay, address space and be multi homes at the same time and do not run BGP.

J

So how can we do this? Especially if we look in the situation when some up links might go down come back up again, and so so there is a draft adopted by routing working group which describes a solution for quite general use case, and the problem is so. The problem said the solution proposed, which tries to cover almost every possible scenario requires hosts to you to use rule 5 5 for default. Address selection, algorithm to select a next hop router and then select the source address.

J

Because again, the problem is: how can we tell hosts that this prefix should not be used right now, because uplink, for example, is either down or it's your backup uplink and you do not want hosts to use the address space from the high speed so.

J

This draft documents tactical solution which could be implemented on any network with reasonably modern clients. I mean coins which support the current version of default. Address selection even result supporting the roof I file, which is op, which is optional, as per default, address selection algorithm, so they the whole idea. Is you if a host is allowed to use the prefix, because uplink is up and operational?

J

You allow host to use it because it's your primary or lot value on balancing between up links, then the host just received Pio, who is nonzero default lifetime and can use it. If network needs to signal back to house that this prefix should not be used because uplink is down or use your backup uplink and you do not want to send any traffic yeah there. Yet then prefix is duplicated by sending array is preferred lifetime. Zero, for this is P.

J

So here is a link for my slides from Alice ITF, which covers the solution in more details and now I just tell you what's happened since prog, so the draft was adopted and after this very productive discussion and the way headed, prog I, think I addressed comments received. So now, I explicitly clarify that when network chain state changes, it's not just one array being sent to signal situation to the host, but all subsequent arrays I have the same parameter.

J

So, for example, if you are uplink is down that all periodic unsolicited or solicited arise received by a host would have preferred lifetime 0 set for this prefix. So he has a an any point of time. Basically, they are a sent by router should be consistent with the desired network. Topology, oh yeah, so in the previous version of the draft I didn't make it clear what should be done if all up links are done, shall we duplicate all prefixes or do something else and I think this?

J

Based on the discussion we had now, the draft clearly states that, if all up links are down that o prefix certificated, so I added the reference to requirement from CPE, which say similar things and I also clarified the limitations for the proposed solution, because Zee could be used in scenario when you, when the network has two more up links to internet, it probably would not work very well with three cable Gardens scenarios and so on, but I believe that this use case is quite common.

J

So solving it would be really nice step forward, helping enterprise networks to deploy ipv6. So I heard why I'm here, because I sent updated version linked, updated version to the list. First of all, I would really like to hear from people who minded to use the phone and would likely see it implemented and would be interested it probably deploy in it. So I would like to see if it just a problem I'm trying to solve, for there are other people who would use it if you, if you'd like to use it.

J

Please talk to me during this week or after whenever you want and any additional feedback. How shall we proceed because I'm happy to address any feedback received, but so far my to-do list is empty.

A

Eric not much so. This seems like a useful thing. I was wondering about hysteresis when there's like link flaps and whether you immediately, which ended as opposed to waiting for five seconds to see.

A

If the link comes up and in the past there's been some host implementations that would immediately go kill, TCP, Camacho, that's when it becomes invalid I think so we have to look at whether hysteresis is useful when it goes up and down- and you know there might be something to consider I don't know if this is an easy way to test this stuff, but yeah.

J

I think it might be potentially useful to have some delay before you propagate the change of the network. Right because.

H

J

Testing in the lab is this delay because I'm using some automation, because vendors do not do it like I, couldn't apply a polish on the route they're saying if this uplink is down like you're doing the VAP right, please update the right configuration so I have to do some scripting, which introduced in July yeah but yeah. Maybe you are right. Maybe it should be some kind of dampening and yeah not propagate and change immediately.

A

J

A

If it went down and then comes up five seconds later, well, the immediately advertised it again right as opposed to saying oh, let's wait and see if it is really stable because it went down, come back, came back up quickly, I, don't know, and then, if you're only prefix well, the rules might be they're fun than if you have two or three but yeah.

J

G

Ranee, have you have you tested, oh yeah, I guess it would be useful to test on on their implementations. I think I'm, pretty sure that on Android, if you, if you deprecated all that suppresses it'll, say I, don't like this I'll get the hell out of here.

G

You could I mean I, guess you could certainly say that you know you. We should not do that and we could I think the the challenge was that we saw that on certain networks. When addresses were deprecated, it was because they'd actually timed out. We actually had no route, but we could. We could consider changing that. But if you had an implementation report, if you test some various implementations- and you told us what was wrong, if anything, then we could fix that I I.

J

Think it's more kind of related to network design because, for example, if you're talking about I, don't know small office with few people right, a few users sitting there. Maybe when all your links are downs, it's a full outage right. If you're talking about something more complex you might want to use, usually is there to keep intra site connectivity up because you you want to probably connect your printers on your workstation or something I am Not sure, because yeah you realize have placed here for keeping your inter-site connectivity in case of internet outage yeah, no.

G

I mean like just have a report on how testing affects.

J

G

Then, if there, if you find bugs, then we can fix them.

J

H

Michael Abramson so I think the the whole net proof of concept code already does a lot of this. You could probably use that for testing as well instead of the orchestration here. We're talking about I. Think I mentioned this last time as well, that this is a lot like the when you're sitting on the user side of this. It looks a lot like sitting at home that or this solution I mean some of the machinery in the middle in the network might be different but device perspective. It's probably very similar because again.

J

It was I was tasting in my particular scenario, when I needed to a particular setup worker.

B

Okay, thank you.

L

L

Presented this this document in the previous IDF, it's a still version zero zero, but actually should be zero. One I make a mistake with the naming and then the data tracker didn't didn't wanted me to play the the number just going very quickly because I don't want to repeat everything. I said the last time. The the situation here is that happy, happy eyeballs is is good for the for the for the user, but actually is hiding problems in in the network to the operators.

L

Yes, I agree: the operators should be monitoring their network, but actually they don't do at the same level as which ipv4. So what I am proposing is a kind of extension to happy Abel's in order to an automatic reporting of the of the issues for simplicity and I am NOT saying.

L

If, if we go on with this work, is the only way to do that, but for simplicity at the moment, I I think that the best way, because because it's something that usually is already in operators, networks is to use 6 lakh only with UDP only with the default port, which is 5, 1 4, and only using ipv6 links to report the problem, because it is supposed that that that the link to the operator should be working. If not, the operator has a bigger, bigger problem towards those users.

L

I am also using an existing protocol to report or to actually find the the syslog server in the network. So it's it's again thing new, it's something that already exists there and and I'm, using basically the same system as for finding the nat64 okay. So it's nothing new. Just I am using a specific address that it should not be use it in any way, because I am using ipv6 only. It will not conflict with any other existing protocol.

L

If somebody still has 6 to 4, which is the dress, I- am using configure it there, because I am not using the ipv4 address, but the ipv4 address as part of an ipv6 address which is unique to every operator. Network. Ok. So this is some of the comments that they got from the previous presentation. That's that's not going to be an issue even if somebody has still 64 working there.

L

So the idea is that when happy Able's detects failure, it should use the the 6 lock server to report things that need still to be define it. It's something that we need to work with, which they always vendors, probably like timeout parameters, failure, destination address and SUSE prefix, and one of the major concerns that I hear in the previous meeting was about privacy considerations. Okay, I have been working with an encounter that they have for the document. I think is somewhere here in the room Carlos.

L

The idea is first. We believe that this information is already being collected by vendors and operators and in general, current regulations allow collecting the data, but they don't allow is to disclose it. Ok, we have a similar discussion with skara brae, not in the list and also which, which you do poll and so on, and and all these that is being done.

L

The difference is, you are not allowed to show that that outside of the technical management of the network right, so it should not be a problem, but anyway we have been considering a soft version of this problem of this work, which is we don't really need to report the source address or the suspects, because in most of the cases it would be enough if the operator know that some destination from within his network is not reachable at which ipv6 that will solve probably I, don't know 70 80 % of the problems, which is a lot okay.

L

So this is a very simple diagram. Let's suppose we have a few customers in different kind of networks connected to an ISP, and the problem can be in different places if we report both the source and the destination.

L

Of course, we know exactly where the problem is, if it's inside the customer network, if is in the access network of the ISP, if it is within the core network or transit of the SP or if it is in the transit providers of at the destination network, if we don't report the source address, we are not able to understand if the problem is inside the customer network or maybe in part of the access network, but we still know that we have a problem either in the transit or app streams or the destination network.

L

So it's a decision that we need to take. If we want to get rid absurdly of this source address privacy consideration, we can go through this way, so I think. Basically, that's answering the main concern that I got in the previous meeting. I think there were other questions like incentive to deploy, implement this well. I think the incentive is the same as happy evolves is improving the ipv6 deployment quality. That's that's obvious.

L

There was another question about the OS vulnerability if I understand that, because the SIS lock is the same as you have today with any other six locks, so there should be no difference. You are already. If you have a six lock, you are protecting that that server, somehow maybe not allowing reporting from outside your network or whatever or right limit or whatever.

L

There are more things to work. Yes, of course, but I think having this document as a working group item will help to get comments, because, basically, as the case for for the previous presentation from gen, we didn't have any comments or any inputs in the mailing list. So hopefully it's it's going to improve ops and to open questions.

L

It's possible to do this reporting with what ipv4 and ipv6 but I believe that if we are looking into the future in 26, only it makes much simple to report using ipv6. If they td6 access to the customer is broken. Then, as I just mentioned, you have a much bigger problem right, so so you probably need to detect that some somehow in a different way.

L

In that case, basically, you will not get the reporting and then well I have a question that I guess is a personal question about if it's possible, to ask I Ana to reserve a specific address you said before, but that will not be changed. The problem because we could use any other ipv4 address main changes from the previous version.

L

A set numbering is incorrect, but whatever nevermind there is a new router to the document which is Carlos from carlos martinez from latnok and basically, what we did in the document is extending the privacy considerations, which I think was the main concern that remain unresolved from the previous meeting and with that questions.

H

Michael jeomsun, so I, don't remember if we discussed this at. Let me what was the rationale for choosing dot one in the prefix. The exact same address st is 64 real a. What was it rationale for choosing that address and not another address in that / 24. Just what was the rationale for choosing dot one? Well, actually you can choose.

M

There is less 24, yes,.

H

But you you're specifically saying dot one dot. One is used as a 64 relay, be it a Qi. Dot net is still running a 64 relay on that address for from one vantage, but.

L

Never mind because I am not using. Actually, they P for address I am using they people for address as a suffix to an ipv6 address. Okay,.

H

So this whole thing about- if you were doing this in v4, then it would be a different yeah.

L

But I am NOT, considering right now doing that in before it can be another address, I mean that's, that's something that we can change in the document. It's just a suggestion right now to make it easy we can, we can define any other address, I.

G

Would suggest pick you know the v4 address if necessary can pay the ten bucks by hit so on on the question of whether it's report from using v6 before it doesn't seem to make sense report this over v6 like if happy eyeballs fell back to v4. It means that v6 is broken and we've seen a lot of the cases where we see the v6 is broken.

G

It's actually the last mile, not something in the core, so at least in our experience it seems like you're, better off doing something else, either reporting out always on before or or using happy eyeballs to do your report right, because if it because if there's an outage- and you see an error, then the ears who can report that error, what you're looking for what you're worried about is silent failure is where the system falls back so then use the same. Fallback behavior and you'll be guaranteed that it's gonna work.

G

If you just use v6, it may not work if.

L

If that's the case well, we will need to change the document to do the reporting either only in before or try v6 and if it fails report with before.

G

Use before, by definition, it shares fate right, but.

L

In my experience, what I have which which customers deploying ipv6 is mass most of the time the failure is not in the access network. That's my.

G

Experience, that's that's a different. We see loads of bugs where the CP like gets any prefix and stops working. It's we.

L

Will it will be interesting to have that information from from vendors, but really my experience and people which we talk it, for example, about this in the last meeting, is most of the failures are in the transit or in the destination, not in the access network. So.

B

Fred, Baker speaking, is an individual first comment. I think you just argued yourself into a happy eyeballs approach.

B

Reason being we've got differences of experience and producing opposite results, so I I think you wind up having to try them both okay, but the reason I stood up here colleague, I.

L

Didn't I don't hear very well do I.

B

Am not sure if the out in the room or whatever I think you wind up needing to use. They happy I'm, also approach, which is what I end up with.

L

Suggestion so so it seems that that what the hair right now is that it will better be better to report either using the six or before right.

B

Yeah right, okay, but Khalid I've got a question for you.

B

L

Whatever well, the point if we want to report before, is that the way to discover the the this is locked need to be modified, but we will find the way sure you.

B

Right, there's, no air, so okay, so you can't use happy eyeballs. You just sent to UDP messages and bite the bullet on the fact that they can be correlated yeah, okay, so collied in your talk, you said that dual stack worked against you and that the happy eyeballs approach was a problem which is to say the Geordie is talking about where you were talking about. Do you have additional comments you want to bring in from an operational perspective,.

A

L

D

Thank you so Fred. My our view is also that the problems lie either in the transit or the destination. That's what we found in all the diagnoses. We've done for all the cases where we found issues. I can cite specific ones, but yeah.

B

That's very fun: okay, so I just wanted to make the correlation there.

E

David's Ignasi Apple a silly question: if the Pratt problems lie in the transit and the destination and not on your network, why do you need any reporting? Because you can't fix those? If, if you don't get the reporting.

L

You don't know it happens. I can tell you some examples and probably similar situation as as Cisco mention I have got one National Bank from a country telling me hey, we have deployed ipv6 and then I was testing it and it was not working and partially. The problem was the transit, international transit and the interesting history.

L

Out of that was that when we check, if his transit provider, they discover it that they pv6 link was presenting failures since one year ago and I agree it's something that they should monitor, but this is a way to work that hey something is happening, and even if, if this is not going to tell you, where is the problem, at least you are aware there is a problem, so you can tell to your transit because you keep the destination address, hey you have a problem or the transit or or already that the last mile, okay, the web server or whatever?

L

E

That makes sense thank.

L

E

Question so on the slides you mentioned, or one I couldn't find that oh no, no.

L

What they mention is I, make a mistake with any submitted version: zero zero when I, try it to send version zero one because I the title to correct a mistake. The data tracker didn't wanted to accept zero one for a non-existing previous rule. Zero, so I make a new zero zero. So this is the second version, but a still zero: zero. Okay. Okay, thanks.

E

So I then I couldn't find it so I haven't got that if.

L

You, if you look at the document in this story, you will see two zero, zero versions, which is a different title. Okay,.

E

Cuz, the one that I dig did find and read the Security section consideration section said we don't have any security considerations and that's terrifying. This is a huge privacy breach that can be mitigated and must be mitigated right now, syslog over UDP unencrypted, really like what Sentra.

N

E

I'm this is leaking what the iPhone user is connecting to that's like one of the Holy Grails of privacy right there, even if, like it's encrypted, I'm gonna need a lot more than a oh. We have a soft approach and we don't log your client IP, even if it says, must in the RFC. That's maybe not even good enough, so I think we need to really sit down and talk a lot more about privacy if you want the client OS to adopt it because going back to your point about incentive.

E

This is these: these aren't the same incentives. That's deploying happy eyeballs. We didn't deploy happy eyeballs to make ipv6 better. We deployed happy eyeballs because we had deployed ipv6 and people were turning it off.

E

In this case, that's done the incentive for this there's no incentive for us as a client device. The customers are already happy. Their eyeballs are happy because of happy eyeballs. This is to make your network better, which I want to help with, but we're really going. The incentives aren't there. So we're really gonna have to work on making a thea sensitives and be convincing us to build a way. That's privacy-preserving, so maybe using something like differential privacy or in something I, I. Think.

L

I'm not sure right now, I, don't have the text here, but I think what they said is no new security issue. So, of course, if there are security issues from previous protocols I have the same I is is that it could improve. Let's.

E

Go this is a new security issue. Now I'm reporting to you, the websites that I'm connecting to, like literally in writing on 6 lakh protocol and I, didn't do that before. Let's welcome that.

B

Let me stick in the middle here: I think. Actually we're not identifying a happy eyeballs problem were identifying a syslog problem. Syslog should be using DTLS.

E

So a that that's a step in the right direction. When the attack vector is someone sitting on your open Wi-Fi at home, but that doesn't solve the problem where his box, that has the six log results, gets compromised and then someone can see all the websites I've been connecting to I.

G

Mean yeah we're to start right, I think I.

G

You know if you I really think if you want this to be implemented. It is this it like basically, is a security problem and is- and you know this is actually creating lots of lots of security problems. I'm, not even I'm, not even like qualified to comment on your assertion that you know it's not a privacy breach unless you disclose the information you know it.

G

It doesn't seem credible to me, but like I'm, not going to talk about that, I think I think you'd be much better off doing some sort of flow analysis and getting this done on a statistical basis. To be honest, if you're looking at TCP just look at sins and syntax, divert them off to a mirrored port and like see see if they come back right because it the traffic is gonna, be symmetric at the cost from where endpoint I'll just do that I mean, like so I mean like yeah. You can standardize.

G

This I mean like we're, never going to implement that good. Such a huge privacy hole right so I mean I, don't want to get in the way of useless work right. You know if it's if it's harmful, I'll get in the way, but if it's used to the Senate doesn't matter because as long as you don't implement that there's no problem right but but I think if you want it to be relevant and I think you have to think about.

G

You know you really have to deal with the privacy issues like it did and that's a big bowl to take by the horns. Well,.

L

At the end, I think that if we believe this is useful and I think for several comments is useful. We want to do this. Maybe the way to that this big proposal right now is not the best one, but what I am saying is: please provide inputs about that about how to do that, how to improve and- and we will move into that direction.

G

Difference between improving something, that's almost there and improving something that's in the wrong direction, but yeah you know, maybe it can be proved.

J

Genuine cover two comments. Actually it's quite interesting to see two different words, because, as someone who operates reasonably sized enterprise network, almost every failure- I see is the last mile. So it's almost never somewhere in the destination and.

J

My last mile, otherwise I wouldn't know so and but back to security. I can give you one security scenario. You requested what knew before address you before block for this right and if my ISP has no idea about this technology and I get an endpoint which implements this. It will send UDP traffic to some destination, which someone else might advertise to my ISP and what my traffic will go there, and some people somewhere and Internet will get some interesting information about all sites I'm trying to reach.

J

If my v6 is broken, I kind of do not like it.

O

Chris Margot GLE not really for Google's purposes, but I'm trying to understand why I would care about this so.

O

David said he FTA, it's not a same question. He said okay, maybe at the end he was ok with it, except for the security problem. If the problem is on my local network and I'm an enterprise provider.

O

Ok, fine I'd like to know that I have problems with my network, but maybe I could monitor that in some fashion and that would be cool I'm not doing that today. I'm, probably not gonna, do this. If it's the problem is on the remote network, I can't really tell them there's a problem so much like they're, not gonna, listen to me, I can call Telecom Italia and say something is broken, and lo say we don't know who you are go away right, which they do.

O

That's fine, so other than sort of research paper saying well, we see, X percent of things are broken. I, don't really understand what the point is and then add this. The dislodging everybody's web request is: that's a bit horrible, so I guess it's a neat hack I appreciate that, but I don't really understand why I would ever do it so sell it. Please.

O

B

So yeah so I think where we stand, we're not ready to think about adoption. At this point several issues been raised in the last few minutes and if you could address those, then you know I think you see where that goes now, don't go too far. Jordi Jordi come back, so here's we've got another half hour. So I'm gonna move one of your drafts forward from next week.

B

I, don't ever I, don't know so.

B

Just aim by the way I haven't got your forceps for ex-life drives slides. Yet, oh that's it. You told me that you created them, but you haven't. Sun-Ok is.

L

On it, right now in.

B

Any day so we talked about this yeah. This will probably take half an hour. Okay,.

L

Okay, we start I started this document because when when we talk among us, sometimes we are saying ipv6 only and in fact even talking with some of the co-chairs, some of the times about some specific documents or work or situations in networks. We are not thinking the same, so I have a position about goatees ipv6. Only and some other people has another one so and I think it was Lee in the previous meeting said.

L

Maybe we really need to have a definition or a concrete definition of what is ipv6 only to get in sync, so well, I, the first version of the document. Some people was not understanding. What I was telling when talking about forwarding IP in layer, 2, layer, 3 or whatever so I changed it completely in this version of the document, and basically, what I am saying is: let's define what is the specific scope or what a specific network are when we say that we have or not native support for APB for ipv6? Okay.

L

So that's that's the basic idea to really say instead of ipv6 only ipv6 only where and in the sense of native support of one or the other protocol. So this is this is an example of of a network, so we have a network which has cellular residential and corporate customers and in this case I am using an example: 4 4, 6, 4 X lat, which many people will say hey. That means that it's ipv6 only because basically you have only it before in the transit.

L

Ok, then they in the plot in the nat64 and so on.

L

I don't know. Will you agree that this is an MPV six only network? Some people told me yes, this is a pv6 only book, because in inside of your head were basically, you can have everything which ipv6-only and that's true and you can have, of course, dual stack at the at the lungs of the customers, but you are not actually transporting ipv4 natively, okay, so it will read. This is ap physics. Only then now want to look at every specific part of the network, so, for example, in the cellular network.

L

It's true that we have ipv6 only in the access in the one, but still the solar form can have dual.

M

Stack question: do you want to take them at the end or during the flow I? Don't know how do you prefer I'm I am okay, I am okay. Yes, so you.

P

Have included in this diagram technology that has no arbitrary layer to packet forwarding capability, the cellular component is a constrained network, so I is a customer can't bring a device that can make it attempt to do are because ARP does not reside inside that layer to fabric, but the corporate network could say: oh, we are v6 only, but if they have not deliberately constrained their switching fabric to terminate the forwarding of certain kinds of layer to packets, that's only an administrative statement.

P

It is not literally true and I feel there is this quality lurking underneath what you're saying? If you want the corporate net to be an ipv6, only LAN, you really have to say it's looking for layer, two packet types that would be required and for and forbidding them.

L

Well, in general, what I try to do is not to say if the devices or the network has the capability of being dual stack or not. What I am saying is, if actually from the perspective of the operator, he is or not transporting natively, ipv4 or ipv6 I. Think that's, that's the small difference. So maybe we need to fix that in in in in the and saying explaining what would you just set to differentiate both situations?

L

Q

Yeah this is Alexandra Petrescu, I I, see you picture there. A cellular network and I still have to read the draft and I hear you call it ipv6. Only I I believe there are at least two kinds of cellular network that support, ipv6 and actually I. Think none of them is ipv6 only, and this is why maybe I have to give you some comments.

Q

So you mean there are no ipv6.

L

Only cellular networks- yes I, agree with you because the cellular device can run both before and b6, but big one is ipv6. Only that's precisely the reason for this document. You see the confusion. Yeah many people is saying I happen, ipv6 only cellular network. They are correct. No.

Q

L

Good I am trying to fix cellular networks as such is not an ipv6 only cellular network. They one link. The axis is ipv6 only, but at the end device you can run dual stack. Yes,.

Q

On the end device, you can run dual stack and in the core network also those networks that provide ipv6 only to smartphone, also in the core network, are both ipv4 and ipv6. They carry ipv6 inside gtp. The.

L

Core network, maybe not well, depending on what you call the called the core network. You know what.

I

Maybe the network is not only a TV.

L

6 and you have ipv6 only at the nat64 that that that works no.

Q

No yeah, no, no. There is no core network ipv6. Only in cellular networks.

L

In any case, precisely what I am trying to say is when we say whatever only we need to put the scope, we need to say agree with exactly.

Q

She, that's that's. That's.

L

The reason for this.

G

Yeah, so it's it's worth noting that the same the same network can at the same time, support maybe v4, v6 and v6 only links so yeah. It's not a property of the network, but it is a property to the point-to-point channel you established over that network. There is most certainly an ipv6, only PDP context that is only v6, alright, so sorry v6 only SSID yeah, so the logical link layer. There definitely is v6 only link.

N

Julie, it seems like there's a semantic distinction, that's being teased out here where client isolation is such that you either do or do not have v4, and you do or do not have v6 right. If, if you don't have v4 on the client or in the clients, immediate upstream connectivity cone, it's irrelevant whether the rather rest of the network supports v4 or not right, because client can't use it even if the client does it internally.

N

It's not present so like to the extent that you know that isolation is enforced where it's enforced actually describe to what kind of a network you have right, because by and large we do not have layer to broadcast domains which have multiple hosts associated with them right. So you don't have the case where the clients could have v4 and the rest of the network does not.

R

Islands cannot forgive a previous command. What matters is what the client can do right what's in the network, is x.25 doesn't matter, but my point is: if you call ipv6 only a network when you can have ipv4, how do you call a network where you cannot have IP before.

L

Okay, but what I am saying is if the network is transporting ipv4, natively or not, I am NOT, saying cannot have ipv4 on top of an ipv6. Only link is the same as when today we have an ipv4 only network which most of the espys hub. Unfortunately, users can still have Tunnel brokers to have a PVC service that they spinette worries. Dual stack, not the ipv6 network, is in this case I think for only you see the point honestly. No okay.

Q

This is again I'll expect risk. Oh I wanted to say something that I agree with earlier. It was said that in cellular networks, the PDP type is ipv6 only and I agree to it. Okay, so maybe that's also a good term to say yes, the PDP is ipv6 only that's all, but all.

L

That's that's in the case of a cellular network is just one example. If you look at fixed networks or nor cellular networks, you will see that there is not something like a PDP type, ipv6 or type ipv6 before yes, so that's the point.

Q

Ppp he said well.

L

Not every not every net will use PPP yeah.

A

Q

With respect to the definition, I think there is no well operating system that does not have an ipv4 starting to it again.

L

I am not telling I am NOT talking about operating systems, I am talking, I mean I am NOT. Talking about the capability to support both protocols. I am talking about the actual native transport. What is their actual native transport ipv6 or a TV for a real dual-stack.

Q

L

What I am talking about? You mean.

Q

By native, do you have a million or a native or just native native made I, don't know what forwarding.

L

Only ipv4 forwarding only ipv6 natively, okay.

Q

F

Marconi ripe, ncc again wearing the head off one of the people, who's trying to sell this technology outside of the room you're, not really helping. Here.

F

This is already a very complex case for the last ten years, I've been explaining to people that, in the case of an ipv6 only network, yes, there will be a residual connectivity to ipv4 sheriff sheesh you're, not losing anything in your transitioning you're, not helping me here from an end user perspective and even as that sort of Joel mentioned and I think Alan was also going there from an implementation perspective. You have a v6 stack, it might work, it might not.

F

You have a v4 stack, it might not work, it might not certain cases, something doesn't work. We have simple word for that. It's called broken. We don't need to draft to overcomplicate. Yes, thank you. I I,.

L

Don't think you don't got the point here, because what I am saying is that there are going to be, and there are already some service providers that either in solar or non similar networks will deliver and they are delivering ipv6 only access. For example, if you talk about the one link, so in that case we want to be very specific when we say ipv6 only if it's the full network or only part of it.

F

That provider either sells me Internet connectivity or she sells me something horribly broken. That's where I'm coming from, but yeah.

E

David's canaussie Apple, so conversations that I have at the ITF. It's true that for some people, the ITF, nat64 or SSID that everyone no room should be on is v6 only for some people. It's not v6. Only and it's true that there's some confusion there, but we generally clear it up pretty quickly. I then read your draft, and now I am ten times more confused.

E

Viewing the questions and your answers. I am still extremely confused, so I don't know what problem you're trying to solve and I think you're, making it worse. At the end of the day, whoever you're talking to you're gonna have to explain the terms anyway and having a document that says, no really don't call it as a cell. We renamed them to TLS people stopped, calling it as a cell. It doesn't help like we don't we don't even have a problem to solve here and would I I'm just completely confused now. Well,.

L

I I, don't really I really have I really believe, and after this conversation I think it's more obvious that not everybody has the same understanding of what is ipv6-only or not agreed.

E

And and not everyone has the same understanding of your draft. Okay, let's fix.

L

It I mean the point is: if we don't have a concise terminology, we are not going to get out of the confusion. That's the scare.

J

Understand what you're trying to do? Because it's really nice to I, don't.

D

J

So general ink over so on one hand, I, don't understand what you're trying to do and I appreciate that it's really nice to have a common terminology, but I think when you're trying to define something which is in this area, you might, as Ben said, you might create more confusion by trying to define things because, for example, I look at your definition of ipv6, only local area networks, you say not natively transporting ipv4 if I have a router and a host and a switch in the middle and my host has v6 address and switch obviously will switch Ethernet packets with v4 inside is it ipv6 only only for router doesn't have before dress with router has before address, and we do not provide DHCP before or what.

J

How would it look like.

L

If you are talking about a local area network in a local area network, if it's ipv6 only it means there is no native ipv4 traffic. That's.

J

I can configure if.

L

You are, if you're, sending a ipv4 traffic that is not native. Only it's.

J

Obvious, when I put one single client with static IP v4 address on sanction, which you consider being ipv6 on the network like ITF, not 6, 4, ATM v6 on raises idea. It will suddenly make this network not ipv6 only but those that great I.

J

Don't think so right, but it looks like it because there is before traffic on this network. I might start saying something before traffic on this ipv6 only SSID it might create some ipv6. So.

L

Maybe the actual definition in the document off and ipv6 only LAN need to be fixed, considering that, but for a 1 link, I think it's clear in a 1 link. You are not going to send ipv4 traffic if it's only admitting ipv6 right.

J

The problem is you kind of mix in technical, administrative definitions right there. There are administrative factions which might make your network v6 only, and there are technical things if, for example, in your LAN, you deploy filter some layer 2 which prevents it to happen. Yes, it's one thing, but if I'm just design, my network has been v6 only, which means I am not supposed to provide before service.

J

It's a different thing, so I actually start thinking that, probably we should leave it like that and let people when they talk about particular network, to define what they mean by that case-by-case because it might be different case every time.

C

We Howard a couple of comments. I stood up to get it lined to respond to Marko, to point out that not all networks or Internet networks, and that terminology like this will be used on IP networks that aren't necessarily connected to the ipv4 internet.

C

That still makes it an IP network and may even still be an intern Network, even if it can't reach ipv4 I, don't believe that ipv4 will exist forever on the internet, maybe effectively forever in some pockets like we have obscure protocols still running in data centers now, but I don't believe that what we think of as being the Internet, the largest subset of Internet of interconnect, all devices will always include ipv4 addressing everywhere, but I.

C

Think what I'm hearing from the conversation- and this may be more about putting a chair hat back on as I'm looking at my co-chairs- is I'm, not sure that we're hearing from the comments here that there is a problem that we need to solve. If we hear that if we agree, there's a problem that we need to solve, then I challenge us to go figure out. Alright, maybe we don't still don't have the right, maybe we're nowhere close. Maybe we're close and haven't quite gotten there.

C

Yet I don't know, but if we don't, if we don't agree, there's a problem we need to solve because there's communication, then then, there's no point in advance of the document. I will point out that I'm not connected on my laptop over there to the nat64 SSID I'm connected to the ipv6, only SSID and the nat64 one isn't v6 only but that's yeah we've got a terminology collision right. There.

B

So speaking as chair, my feeling at the moment is that we don't have a universal consensus supporting this draft that affairs table okay. Okay, if I was to go ahead to your customer prefects draft, do you think you could do that in 13 minutes, or should we leave that.

H

Until I think we need to live to the next SMI now.

B

Thursday, it is and I need your forceps for x1, ok, cool.

B

So we're adjourned for today, we'll come back Thursday morning.

S

T

Well, I'm sure you did the right thing.