Internet Engineering Task Force 105, 22 Jul 2019

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF105-V6OPS-20190722-1550

Description

V6OPS meeting session at IETF105
2019/07/22 1550

https://datatracker.ietf.org/meeting/105/proceedings/

A

Multiple people duck.

B

A

Oh, no, that I downloaded from I kind of me already yet. Okay, so blue sheets are wandering around sign him. I could Kara's missing in action. I have no idea. What's going on how many of you have never seen into Walt's life?

A

Okay, so you all know what that's up.

A

Let me talk real briefly about the agenda. We have invited and that's.

A

What we're doing with the invited talks, those four years I, hope you're familiar with, but basically trying to target, ideally people that are playing I six only.

A

Okay, ideal example bitter turning off IP before deploying Isaac only to get their experience. You know where's the rug, where does the shoot not set and when we can't get that we've been asking people to simply talk about their ipv6 20 where's, the rug where's, the shooter on set so Andrews going to talk about liquid telecom. This point.

A

So there are well actually so Barbara is taking notes if somebody could be a jabber strike. I would very much appreciate that.

A

Seeing no my hands okay, so Eric will be generous right. So we've got two internet drafts that we've been working on in this working group and we'll see where that goes and then Arabic cabs. Any draft that is about to go into working group last call and off set, and they asked basically to get feedback commentary from v6 pops in that context, so so give him an opportunity to talk. If we have time.

A

I have three other drafts where people have come to humbugs chairs under on tonight, and they asked for time and I haven't seen mailing list discussion about them in one case in two years, and so, if we have time spent, then we'll give them or if they don't have time. I'm sorry, you know that's the way it's gonna be, but we have the slides and we can give them before. We turn that would be kind of the nature of whitening clock. It'll be a ten minute, as opposed to get an hour just.

C

To comment that the last one, the title is wrong:.

A

Place your thoughts here enough: okay, you're right, a nice duplicated death, okay, I screwed them just all my god, I'll change this but yeah. So Harry, that's! What's going on! Does anybody want to dash the agenda?

A

You have changes. You would like to make them. Okay, fine with that, then Andrew.

A

Now you're gonna find this one far more usable because that's connected to the wrong computer.

D

Yeah I think you can hear me here so. Firstly, thanks very much for having me actually my first IETF and it's it's quite an honor to be here but yeah thanks for having us, I'm gonna talk a little bit about our v6 deployment today and the challenges that we're facing and some of our solutions to them. I think that a lot of what I've seen in the lists etc is focusing on getting v6 to the end-user and we've found that the challenges to doing that are actually more related to our backbone and I'll cover that.

D

But it's a it's a bit of a different perspective from what I've seen on the lists and yeah, let's jump into it. So who is liquid and just to give you a bit of an idea of the scale of a network? We run Africa's largest fiber network 70,000 kilometers covering 16 countries, probably about 12,000 MPLS nodes on the network. It's a large network and we try and stay at the bleeding edge because it gives us a competitive advantage, particularly with the fact that we're not dealing with a lot of legacy text.

D

So we get to leapfrog and kind of leave. Their tech behind, which has its advantages, also means, if you're playing on the bleeding edge. Well, sometimes you're going to bleed and hopefully not too much so our current v6 deployment highlights.

D

We started our v6 Road many years back with one customer in Zambia, and we deployed it across the backbone for that one customer, because liquid has never bought a transit in Africa, so we needed to take it all the way through the backbone in order to get it there. Anyway, we switched our backbone to single topology mode. Six years ago, the motivation go was simple.

D

The engineers would forget to put v6 there, because, while it was the second-class citizen, so you in for single topology well that doesn't work if it's not there and it helps that really actually had quite a profound effect on our v6 deployment.

D

We then rolled out v6 in Zimbabwe on our cheap on network which, to our knowledge, is still only major v6 deployment in Zimbabwe, and it was the first country on the Google map to actually kind of show any movement, and it got us to about a five point: nine three percent adoption in the country, which was a nice step forward.

D

It would be a lot higher, but keep in mind that internet in Africa is incredibly mobile based and the mobile providers well they're, not exactly moving very fast in the v6 world in Africa, a new Jeep on network in Tanzania, which is only two weeks old built on the same model, and we are hoping that as that grows, we will start to see some movement there.

D

Now our challenges, because that slide unfortunately, was where the good news ends. So now we get to talk about some of the bad news and some of the solutions that we are using to deal with it. So why did things in our v6 deployment stall?

D

Firstly, our customer base is incredibly enterprise centric and they are very net centric and convincing customers to move from what they know and trust is not easy.

D

We also find that net is actively sold in Africa as a security mechanism and to the point where customers go but you're taking away my net. You can daddy secure my network and it's not true, but we are fighting a disinformation campaign on a constant basis on this, and it does not make things easy until recently.

D

There's almost no movement on the mobile providers, we are now seeing it with Safaricom in Kenya the the predominant mobile provider who started to do some v6, the mobile network in the su2 and if I get time, I'll tell a funny story about how that one actually came to happen. It was quite a bizarre story, we're also seeing some movement in Gabon, which is Vivendi, but again it's an international operator.

D

It's not an african-led deployment, what's happening in Gabon, and that is kind of worrying me, because I'm not seeing much movement from the African operators themselves. We've also had some major vendor challenges, particularly in the cpe side. If you control all your CPEs, this is easy. You've got one standard CPE when people are bringing their own CP ease, you've got a problem and when it comes to Jeep on the ont support that we've seen out there for v6 is her illness. It is.

D

It is really really bad, but to talk about our challenges in Africa, we have a challenge whereby we have to be able to steer our traffic at a moment's notice. Governments in Africa have a habit of doing very strange things and deciding well. You can't have Facebook your kind of whatsapp, and that means that you get to the inland countries. I need to be able to click something and say divert this traffic from this source to this destination around this country, I cannot spend hours, building manual, te tunnels, etc.

D

This is a problem and the lack of feature parity with MPLS and some of the stuff we're seeing in v4 is actually creating some fairly significant challenges in our deployment of v6 in those countries, because I cannot guarantee the same quality of service because I don't have the same level of control that I get on v4 because of MPLS feature parity. We see some very inconsistent vendor implementations, and this is interesting, there's one particular vendor who, when you order your hardware, if you say I want v6 with it, it costs you nothing.

D

If you forget to say that, and you asked him 24 hours later after you've, given them the check, you will get an invoice that says it almost the cost of the router. You do not forget to ask if you've got legacy equipment from that vendor. You have a problem deploying v6, because it's going to cost you a lot of money.

D

Why not just replace that window? Well, there are certain countries in Africa where bringing some vendors is problematic because of export restrictions and other such things. So you are left with certain vendors where they are your only option. I will leave the rest to your imagination,.

D

You also have a lack of consistency, PEO implementations that cause problems and it's the reason why we do static v6 on japon networks, because the whole array in the issues on dynamic v6 caused us absolute nightmares in many many cases and then on the translation mechanisms.

D

When we wanna go v6 I mean which one there's, how many v6 translation mechanisms are they and there are a lot of them right now, map a map, TBS light 464xlat that data and the problem with us is the fact that, when you put a multitude of CPE Z in play here, who supports what actually becomes a little bit challenging I'll talk a little bit about that. But it's. Let's talk. First about the MPLS challenges.

D

We need to be able to steer an engineer traffic and in the African environment when you're working across 17 countries, where you don't know what's gonna happen tomorrow, where you've got a constantly shifting environment, where potentially you can't buy a high-capacity circuit. So you have to start balancing traffic because, for whatever reason, the provider, where you can't build long haul, say you've got to use STM sixteens. In some cases, you've got to have that ability to engineer traffic.

D

All of the engineering tends to be fairly heavily MPLS based, and we found that that lack of feature parity has really really caused us. Quite a bit of problems do I like the fact that we have to do that. No, but it's a practical reality of working in the environment in which we operate. We need those features now we're using a lot of SR. Mpls we've been doing that for about a year and a half, and it's worked very very well for us in many many cases.

D

Unfortunately, when you get to certain countries where you are running the vendors that you have to use they're because of the political reasons you find that they've decided randomly that they're not going to support ipv6 with this or MPLS at all, it's just not there and they won't even discuss it with you. They just go well, you'll use s or v6, but then the other vendors that you're using elsewhere don't support s or v6. Yet, and of course, you you end up with a problem.

D

We have a rather interesting solution to this problem, though that I will talk about later, that we've been testing in order to do the end-to-end traffic control and steering, as I said, there are islands of this hardware that doesn't support us or MPLS and there's a bit of a solution. There are also some fairly major challenges with regards to BGP labelled unicast and keep in mind that we consider LD p6 a stillborn child. It LD p6 just never really happened.

D

That means, if we're doing MPLS with v6, it is SR and SR and BGP labeled unit cost in the absence of LDP done, always play so nicely. Together, you get random label insertions and other funny things across all of the vendors. So you have some issues over there. We've largely managed to work around them. Primarily. What we see is the fact that it introduces an extra label onto the stack with a random label that it generates and in lo label devices we've only got three labels to work with.

D

This will cause us problems, so we've had to work around that on the vendor implementation side. Our traffic control in our steering is heavily heavily BGP link-state. We use a lot of link state without controllers and the implementations from the vendors around BGP link state. It's all there in the RF sees that the TVs. Are there everything? Unfortunately, the v6 he'll he's in most food in a lot of the vendors are just well missing. I just don't show up, and so that's a problem, but we're working with the vendors on that and saying please.

D

You know we need a consistent implementation here, but it does create problems with our entire traffic steering chain. The support for v6 on low-end CPEs is as inconsistent as it comes. I mean it is. It is a mess out there. You, you name, the CPE and I mean I. Think I've got a cupboard at home of about 50 different CPEs, which we went through testing one by one by one by one and every report is inconsistent, it was, it was quite bad and so that's created some some issues. The other thing is dpi.

D

The DPI supports the traffic through v6 is getting better, but it has been extremely patchy and classification of traffic again I, don't like dpi. We prefer not to run dpi. Unfortunately, in certain segments of the network it is a necessity and so problems with dpi on v6 traffic have caused us some issues on our translation mechanisms. At the moment, it's looking like we are veering towards the s wife, because it's supported by all our cheap on our n T's.

D

It's the one thing that is and I know that there are a lot of people who are going, but why not map you? Why not map T? Why not this one at that? You know in our testing with what we've got on the network. This is just a practical. You know it's a practical decision. This is what we see is the most supported in the technology that we have on the network.

D

No, no religious preference, I don't do religion, I, do what works and consulting my customers. You know what I mean, but at the moment we've also still got v4 space, so our preference is still just to do all stack. It week until we run out of v4 space, we're in the lucky position, where we still have v4 afrinic still has some v4.

D

How long that lasts for well we'll wait and see you know so we'll do all stat, but we are in no ways putting on a back seat the translation mechanisms and our exploration, and we are actively working on that and testing out the options.

D

So the solutions that we've got.

D

On the ESO MPLS and steering the traffic assort MPLS is our preferred method for solving our MPLS issues.

D

However, most of the MPLS protocols particularly fell through circuit extensions, very heavily LD be tied, store, mattina contella, even l3 VPN. You can't turn up an LV VPN with v6 without some form of v4 underlay.

D

Don't ask me why that is because it should be bgp signaled, but it just is you need that local v4 address now we see some hope with a VPN and a VPN vp w for circuit extensions, etc, because that does just work and it works on an assault backplane as well, then on those islands I talked about so actually it was this week and I read some p4 code to test this.

D

We need to kind of skip over these islands, but maintain into in traffic control. So I might get told I'm completely insane here, but what we've been looking at is using a binding label on the SR stack of labels and steering it to the edge of the network and using that binding label to pop off the binding label and then effectively push a v6 stack onto the package, with a seat with a compressed routing header destination option in there and then using stock standard routing to the other side pop off.

D

The v6 header again push the traffic back on and use BGP signaling in between to signal the labels across it, which means that you can skip over the island which will solve one of our problems. It's a one of the more extreme solutions, but it does potentially solve a problem.

D

We also believe that SR v6 is coming. We have quite a number of concerns with standard SR v6, though, and with regards to address overloading wastage of v6 base. And yes, that is actually a concern when you look at the volumes of it and so we've kind of got involved in. We know what we need here, so we're working in the spring working group to say you know this is our perspective and see where it goes.

D

Our preference is always going to be s our MPLS, but we know that certain vendors are not going to support v6 on S or MPLS, so we need to ensure that whatever option does come out of that works for us in the absence of that not ideal, but it is what it is.

D

Then another challenges and solutions on the link state problems. We're working with the vendors we've seen some success, but we augment through other data sources, if necessary, not ideal but functional. On dpi, it's getting a lot better. We've been banging on the vendors doors for a long time, and you know like twice a day fix this fix this fix this and it seems the harassment seems to be working we've also because of the inconsistencies in implementation.

D

Changed the procurement models that we buy Britta's under we now say here, are a list of RFC's that you have to support if you deviate from this or if she in any paragraph, tell us where you tell us why and tell us when you're going to fix it and if you don't comply with it, I reserve the right to return the hard way when I find out about it.

D

It's actually worked quite well.

D

Uuugh you'd be surprised at how honest vendors come when there's a clause in there that says, I will return the two million dollars with a hardware. If you lie to me yeah, and particularly since we've done it once you know, so you change the procurement level and it puts pressure and it does seem to have worked quite well. You also find that suddenly you get a new code release that fixes the incompatibility, quite particularly on the bigger orders.

D

So moving down the track, we're busy v6, enabling some consumer networks in Uganda, Rwanda, Zambia and Kenya, some of that stuff will start showing up fairly quickly. Some of it is more problematic because of Jeep on Ont is that aren't working on the vendors we're working with in Tanzania and and Zimbabwe, and we've got some issues there, but it's something that's actively being worked on.

D

We've within the last week launched a new network in South Sudan, which goes effectively from Kenya to Uganda and up into South Sudan and obviously there's a lot of traffic issues when you start talking: South, Sudan and Uganda in the middle, because there's some interesting politics there, but we're doing it anyway and that will be v6 enabled from day one using all the SR technologies to deal with some of the problems.

D

Our investigation on the translation mechanisms continues, but we've got some room to move because we've still got v4 space and it's not taking a back seat, but it does take some pressure off us and then we'll continue working in the spring working group and hopefully we'll get to the point where we do feel that we've got enough parity to really do what we need to do. We are getting bidding the house on SR to solve a lot of our problems. No denying that it's just a question of where the SR debates go.

D

It's it's going to be very interesting to see, and then by policy we now deploy v6 towards every client on the interface there's a 64 on the interface and a 48 routed to the interface, and we don't care. If you don't use it, we will try and get you to use it. But if you don't it's there, it's deployed it's allocated in our systems and we'll tell you about it, but every client we're now putting it on there.

D

Sadly, getting them to actually use it as a problem, but we deploy it by default and we, you know, there's just no option for it. It hasn't had much of an effect, sadly, because it gets to the edge and well the customers.

D

Don't do anything with it, then we'll in launching some fairly major v6 awareness campaigns fairly shortly and we're using a platform that we've got 21c skills initiatives which we're trying to use to train people in Africa, and this will consist of training, videos, white papers, promotional materials, etc and we'll continue to try and dispel the myth of security. By now, we are looking at potentially doing cloud-based firewalling to the DIA customers etc. To say you know what get ready on that will push your v6 through a firewall and you don't have to pay for it.

D

But we'll do that to protect you against the that net is protecting you and will still get very. Your net will get your v6. So that's one of the initiative. You know the initiatives, but that's a little bit about you know a quick brief on what we're doing and yeah. Hopefully, somebody finds like useful, so thanks very much.

D

If anyone's got any questions, just grab me off to absorb.

E

Jordy Paulette I have the feeling I am not really sure, but I have the feeling that when you mention translation mekinese, you actually want to say transition in general. Yes,.

D

E

That great, that's some confusion at the beginning. One of the points that you mention about the CPE support for the for the transition mechanism, specially for ipv6 only an ipv4 as a service. You may not know, but about three months ago this working group got through RFC 8585, which is probably what you should ask to your vendors for new filter updates or new equipment or so on. So you have all the choices, depending even if the vendors, if the customers buy the CPE outside yeah,.

D

Cool that, thank you, that's that's actually good I didn't know that, and it's something to look at.

F

Hi, my name is so much jewellery from feature a a great presentation. Thank you. So much I have one question. Regarding the one of the slides you mentioned, there are routers where you cannot push more than three labels for you know, so you see a lot of that equipment because that's generally, we see in cell site routers the routers have small in backhaul there you can use Broadcom chips. You cannot put for more than four layers. It's it's it's a general case for uro. How is it we see a.

D

Lot of that, particularly down at the edge- and we see that in some of the aggregation stuff, we we hit the three label limitation and we need to traffic steer. We do that through the controllers, using SR and binding labels and effectively bind the label and switch out the stack at intermediate Ori points to lower the number of labels on the stack at any one point that works quite well in a completely controller based environment, where you can automate it mm-hmm.

D

If you are not automating that, though, and you've got that amount of stitching happening, it's a non-story, you will lose track of it everywhere. You also do have a couple of challenges there with regards to enter in path, testing, etc, and we had to do some quite interesting stuff on the operational side to do into end s or path testing, where we're injecting packets that have labels that take it to the head.

D

End user, binding label to take that packet through the tunnel and back to the controller and then measure whether or not the packets arriving back and packet loss etc, because it gets quite interesting testing whether a path is alive once you've injected it with bgp. But that worked quite well. Three.

F

Is really small number you have VPN labeled easy PLU. After that you have only one label that is LDP, then you have to replace it bindings it now. Yes, it does it.

D

Gets it gets a little bit interesting and certainly.

D

And I'm around all week, if anyone has anything else, Thanks.

A

You make it fullscreen.

A

G

At all, right, no.

A

Not gonna comfort, we wanna.

E

Be able to see oh, it's, okay, that's, okay, I think I can I can move through without going to the middle of the screen. Okay, this document was was presented for the first time in the in the last IDF in in prac alejandra, which is the co out or actually he's online in Argentina.

E

He come to the list which problem: hey: I am willing to deploy for six Forex Latin my broadband network, but when I do cgn, I can optimize the traffic to the caches to the city ends and so on that I can not do that which for six Forex lat. So there is any way to find a solution, so we started working on that.

E

That's basically the problem statement, of course with cgn. This only works for those Syrians or caches that are able to use the private addresses special for the cgn right. So it's range 100, dot, 64, dot, 0 dot, 0 / 10. If they cannot accommodate to that, it's also useless. So this is the typical 4 6 for excellent deployment, where you may have the not 64 and the connection to to internet, and then you have the 80 v6 internet. If, in addition to that, you have Syrians.

E

If you have connection to Syrians and just a note here, we started this document sinking in Syrians, but actually who realize it that is useful for any ipv6 a naval service. So if you have CD ends here, ops that course to first yeah we're on Boonton this one.

E

If you have the Sirians here, and you have here an ipv6 enabled device, you take advantage of this flow right of this n to n, which ipv6 the problem is when you have, for example, a Smart TV or a set-top box, which typically is not yet ipv6 enabled.

E

What is going to happen is that, even if this device here the CDN or the catch air, whatever is dualistic, the flow will be truly, not 64, so you are doing an ipv4 to ipv6 and then again PPD for translation, which don't make sense, and this is something common in other transition mechanism. For example, map T is having also the same problem. Okay, so in fact, even again, the original document was thinking in for 6 for X that this is also solution for mati for this optimization.

E

So what we are trying to do is this one, because this IP v4 only device will get translated to ipv6 by the silat or the nut for 6, which is the same. We want that this flow can reach directly. They ipv6 side of the dual stack service. Ok, instead of going through the not 64, that's the idea, so how we do that well, this will be the picture of the different scenario. So we have optimal scenario. We have dual stack devices or ipv6, enabled devices behind the CP demux. The support email will be.

E

It will use the part through the not 64, and then what we can do is again getting that without the nuts 64 translation. So we keep the cielab translation, the not for 6 translation, up-to-date destination which ipv6 okay. Now we investigate the three approaches. One of them is equivalent to the cgn that I mentioned before, which is having the Syrians and the catches using the nat64 addressing a space.

E

So if you are able to configure your Syrians with the 64 prefix, that's ugly, but it's the same that we do with caraway not right, so that will be one possibility, of course, some CDN or ketchup providers don't like this.

E

They don't want to use their interfaces, they that's 64 addressing space and it has some complexity because you may be using a net were specific graphics and, of course this will only work if decisions or HS are in the SP network, but not if they are, for example, in an IX, because the not 64 prefix is non wettable okay. So the second approach is: let's get the salaat with typical ease in the CP, together with a DNS proxy to talk together and guess.

E

If the device that is trying to access a dual stack resource or an ipv6 enabled resource is an ipv4 only device or application. If we don't succeed in that gasps nothing happens, we still don't break anything. But if we do a good guess, we are able to help that traffic flow to go. End-To-End today, t v6 address instead of translating twice so even if we make a failure in the gas is still not breaking anything okay. That has been our primary consideration with the design of this approach.

E

So what we do is a few steps which are detection of suppose that IP before only device of all or applications, detection, that the destination is ipv6, enabled we create explicit, address mapping tables for connecting those two sides: the source taping for only source, quits, the ipv6 enabled destination, and then we use existing routing to forward the ipv6 traffic. Okay, and then we have some points based on DNS details to maintain the the entries in the in the specific address mapping.

E

So one example: let's suppose we have a smart TV looking for www.example.com and it gets an a record and even if the Smart TV, because he said before only is not asking for the quad a record, the city will do that. Okay, so the CP can guess that it's getting a query for an a record.

E

It can infer that probably is an ipv4 only device, because if you get a query first for the record, most probably is not a dual stack. Okay again, if it's not, if it's a bad guess, we still don't break anything.

E

Then we create this mapping table okay, Oh mapping, entry in the explicit address, mapping table and then they're, not 64 or select. Sorry we're not for six. That's that's incorrect. Now that should be not for six or the salaat is translated to that address, and the CDN, of course, has the what a address. So it just works. Okay. Now, let's suppose there is another device in the same CPE that is asking for a different name, and this was as a consequence of Martin I.

E

Don't remember the name, but that a Czech guy that was in the last meeting- and he was saying hey, you are forgetting what we call the reverse proxies reverse proxies. Have a single ipv4 address for multiple ipv6 destinations.

E

Just do this part is not going to work. So in the last version of our document, we included something else to solve this problem. Okay, so the thing is that if we detect that another query is using the same ipv4 address, we need to discard the optimization. So in the case of reverse proxies, we cannot do that. Okay, because otherwise we may break one or the other connection right.

E

We did a lot of questioning about our procedure to make sure that we are not breaking anything because the the pongos, let's make sure that if you deploy ipv6 with this optimization, the CDN will be happy or the service provider will be happy. We cannot have the risk of breaking anything okay, because that means the CDN will disable ipv6 for that customer.

E

We don't want to go through that, so we do a lot of points on that and then there is a final approach which is somehow equivalent to the automated approach in the Salah talking with the DNS proxy inside the CP. But in this case is manually configured by the ISP, so there you speak and get the ENT and send it to the cities. Okay, but of course that means configuration by the operator, so we wanted to do it automatic.

E

We believe that from the three approaches base it on routing or Delta mated, one or the manual one from the operator at provisioning. The second one is the is the best. The best choice, in addition to that there is an interesting thing here, is that today we don't have a solution.

E

If there is an ipv4 only device here like a set of bugs and will happen, ipv6 only service. Of course we could deploy CDC right, but maybe these can provide an an additional solution to that which is even if this is ipv6 only connected. If you put an a record, this will work right, it's ugly, but it works.

E

So this may be a way to I. Do really need CDC. Well, not really I just create an I record, even if I don't have this box connected right before, because I am never going to use that, because everything will come by ipv6.

E

Of course, of course, but the idea is that you can have a good page in the SP saying sorry. This service is only for ipv6 enable customers- okay, because if you don't have a P before the rest of the of the customers will never reach that. So we are not creating any additional problem right. So that's the thing.

E

Thank you. Questions.

H

I

Not just about other names that have the same ipv4 address, it's also a V before literals right yeah. It was the same yeah for quick.

E

I didn't mention, but yeah no.

I

But like right.

E

C

I

Entry table you're not gonna, have a DNS lookup to notice that your EMT or whatever it is, is invalid. But but then the EMT.

E

Was not created if you AMT entries created only if you have a DNS.

I

Query right in this scenario: what happens if the eam TEM 80 is created because of a DNS entry? Yes, subsequently, somewhere in a page, there is a string literal. Okay, if I remember.

E

I salt on that I remember.

I

I assault on that. This was part of why the original net PT was deprecated. Okay in 49 66, there's a bunch of reasons why this stuff was annual replaced with the nat64 and dns64 separating them out later you're sort of reinventing Matt PT, not pity on thoughtfully.

E

I

On observing all of the DNS going by to do all the mapping and that was separated out into nat64 dns64 in part, because I think I think it's 49 66 the deprecated Matt PT you're kind of reinventing it I.

E

I

Sync on that I believe.

E

Iii was considering that case, and, and it goes not against this- this mechanism, but I need to sing on that again.

J

Every drag, I won't comment too much on on the feature itself. I got some reservation to be honest, but the name should be changing it, because if ever it works, it's wider than curious yeah.

E

J

E

That's true: we started as I mentioned before. We started this as only sinking in for six for exact, and then we realize it that it's useful for, in fact, any four six translation right.

K

I haven't thought this through, but you said that it doesn't break other stuff. Doesn't this also break DNS, SEC I? Guess not DNS x4 does as well, but this feels an extra okay.

E

If, if you are using, not 64, which dns64 DNS SEC may be broken already,.

K

E

No, we are not using it, but if you remove the optimization, what is will be the wrestled DNS SEC broken as well. You see the point.

L

M

All right, while we wait for him to rejoin the queue uh chaired, much Akamai CDN or at least wearing a CDN hat I mean we find our customers pay us to work in all the situations and I'm concerned about this, because this is likely to break the customer experience. They don't want to have their end. Customers end up at a page that says I'm. Sorry, this content is only available if you're on a v6 network, so this seems infeasible. This seems interesting to discuss but infeasible in practice.

M

E

We had conversations with several CDN providers, including Akamai, and they told us we don't want to use a special addresses for ap v6 in the interfaces. So you find a better solution that having manual configuration of a special addresses, it's better for us. That's what we got from you guys that.

M

Would help ya address at least one slice of the the concerns but I think, generally speaking, our customers pay us for the performance and for a functioning service and in a way in ways that this would show up in operations. I'm extremely concerned that this would end up causing the customers, the end-user experience to be extremely poor, and they would be better off going through an ad or something else.

M

As a result, then, then, trying to go and communicate to us, especially when our customers are, are doing in some cases, multi CDN approach, so we have to actually coordinate with them and with everybody else. In order to achieve this and and you're seeing some of this play out in the DNS working groups as well with how to do things like a name, etc, etc with how to have those how the domain name holder can actually have stuff show up in multiple different realms.

M

We also have other additional issues that will come up from DNS tunneling, which I won't get into here and so yeah. There's a lot of there's a lot of reasons why this is cool, but it's also more reasons why it's not gonna work.

N

Hello, yeah, okay, hello, hey! How are you doing Shirley thanks for the presentation? Well, this is a very interesting work. We have working with Shirley I just wanted to comment, some things: what Shirley's Senate? Of course, this draft is all poured before.

N

As you know, in the process we we were working on that we restore that.

O

Make tissue mekinese like mod p and order to achieve neutral services within the the ISP.

O

Out of the service provider right so.

O

But assurances I work in network greater in Argentina and I, really really like X lot. But when I was implementing that because I able to get a few more in a term I'm going to support silat I discovered that I won't be able to implement this transition economies because.

O

Many many network service provider have an already or medical intimidation were with a pole, to use the cgn by doing a bypass and true in let this Cillian to deliver directly the traffic to the to the cable modems without going through dissonant. So, if we implement also for its lack of before Eric speak, we we will need to to deliver again the traffic through the this through the nat64 202. Anything, that's it for to the final TVs or set-top boxes, which most of them are just in a be reformed.

O

That's why I won't be able to recommend to our company to solution for C Ferguson at the willing to implement a large-scale object, for that was the main issue and another point of your listed that we were talking with many content providers of Syrians, for example, of Facebook impermanence the trap that they were interested in in any transmission mechanism, that in evolving definitely a second nuts, if fuller or as ETA me, because.

O

Get the most transparent we need to be finding customer, so the most of customers already has our PP in router mall right. If we, we will add in another they're not device in the middle, they they don't. We don't like it.

O

For example, Google Plus efficient is support for the traffic directly without knowing precision we didn't have any saturation and any any congestion, but we implemented that with the final draft internment a little bit, but was amended and with any intercession and part of auspicious incision, but it showed to us that, obviously, with a mod direct connection, without going through decision, we finally get a bad performance which confirmed that this could be a right way to optimize the network. So that's what I wanted to share.

O

D

Andrew yeah Judy I was watching that last section of your presentation and maybe I'm missing something here, but if you add a fake, a record to make this work that works. Ok, if somebody is behind this, however, if you've got a v4 only client outside normally, when he's browsing and there's not a record, it goes well, there's no a record go away and it does that pretty quickly.

D

If you've got a fake, a record there, it's suddenly going to cause some significant degradation as it tries to access that, and if it was a real v4 address, then you were using a real forward baseball. Then it's your step anyway. So the option using a fake area code on something doesn't fly because it will break people who aren't behind us and who I.

E

Probably miss it explaining it. This was not the original idea of all this. This is an extra and we don't know and I think I have in the drivers. Question Mars. We didn't want that. We didn't salt on this, originally that we thought. Ok. If some people start deploying ipv6 only services, if they are not reachable by ipv4 only devices right, they will break now.

E

You have such kind of services in the future, and you do this. You at least solve the problem for set-top boxes and a Smart TVs that ipv4 only for the others will not work, but because it was an ipv6 only service not intended to be accessible by ipv4. Only devices. Okay,.

D

Yes, it won't work right, but there is. There is a rule that if something's gonna fail- and it's not going to work, it must fail fast. If it's a fake v4 address the delay in that failure is going to be far more extended, then I do not have an area code go away.

D

E

Have a webpage if it's a webpage service that says this is not reachable because you are not on ipv6 again. This is an extra this, probably probably, this need to be in a different ID. So don't consider this as the main thing of this presentation, because probably we are going to split the document in two different documents.

P

Over eyes, a media of Verizon named sure today, so if you go back, you essentially are saying that you're going to watch for DNS lookups, then you're gonna, look at the before I answered your query against the what are fine, they call it v6 and then create a mapping. So here's the question majority of CDM is out there. You see Ning chains in order to do this, so look up against example.com, which will see name potential to a different place for before vs. v6.

P

Now you have another lookup, which one are you gonna try to fake on us, because we do this for performance reasons and odds are the two mappings are not the same, so how in the world they actually going to do this in a way that doesn't matter we'll break the forms? Okay,.

E

Let's look from there from the CP device from the CP. If I do an a query to reach Yahoo I will get to up to place right if, instead of equity, if instead of an equity I, do a quite a query, I will go to another place right now. What I am saying is I am Telling You Yahoo that I am NOT an ipv4 device. I am an ipv6 device that will that should work, because you don't know in advance which kind of device you have in the CP right or behind the CP. So it's.

P

No way to know exactly what you know, but exactly is that in the process of doing that, let's say male des yahoo.com, you try to go there and you decided to take my answer for Melda yahoo.com. That's New York now try to look it up from a different place, because now you're gonna do it from a different place and that different place is gonna. Tell you some Francisco so now you're going to just assume that New York equals San Francisco in before v6, potentially and.

E

Well is the same because if, if I am a real ipv6 device, I will get the same response and I am going to use the TTL for the DNS responses.

P

You may or may not get the same response, because the poles for the server's are not necessarily the same and they're not going to same lip and they're, not up at the same time. You're right may maybe.

E

Or maybe not, but this is the same result as if I am a real ipv6 device.

P

Device, the content provider is going to be responsible for how long the maintenance. Last at what point our timeouts kick in. There is a two different sets of TTLs for v4 versus V such records. Very often, so it's not just that the DNS details there's what okay.

E

Audience and there.

P

You are what we.

A

E

Asked it several times in the list is please people from CBN's tell us if this may work or not and what we can do to improve it. So please go to the list.

P

I mean one of the big things is that you know our v4 services are there for a reason, and we probably would not want your fake v6 connectivity, because so one of the big things is that some apps do not support the don't support v6, not because you can't connect the movies.

E

P

Because for logging requirements or whatever other security tokens, whatever they're, not v6, enabled from a abuse perspective or something else, all of a sudden you're trying to connect and spoof them out from a v4 client that can't actually provide sufficient information over v6 will break things which will result in most of us black less than you, which will break things of a more well.

E

What we are trying, precisely to avoid that, so the way we are doing, we believe, is not going to create anything, but for you that's what we need to double check, with your help, guys.

P

You're, making the decision in the middle without any information, what either side needs and you're making a lot of assumptions in your game. There's something that you could do this in DNS, which, as we saw with not PT, failed utterly because there's a lot of protocols out there. They use before literals and there's a bunch of other stuff out there, which is. Why was deprecated to begin with? There's games.

A

Like a giant step back.

A

So, thanks to your Oren, did you have something you are saying.

K

Quick question, so you have the CP doing the DNS lookup, something I couldn't figure out from the draft is: is the CPE supposed to spy on all DNS traffic or only queries which are actually sent to it? Is it supposed to do only.

E

The queries that are sent to it because, like.

K

In some countries it's like 70 or 80 percent of people, just don't use their CPE provided DNS exactly and that's already mentioned in the document.

E

If you don't use the CP for the queries, you will not get optimized it, but we don't break anything. So that's already in the draft.

E

Please go to the list, especially or I am here all the week, especially the people working in Syrians I think we can probably fix if there is anything broken here. Thank you.

Q

Q

Son I kind of have a problem yeah big one. When users try to connect to v6 on the networks, they sometimes coming back to be complaining and said: oh, it takes ages for my device to confirm that there is network connectivity so after looking into it, what we found out is hello. Gern Hall joins the network or actually it's almost the same with host configures in you, bla bla dress, so host and saneras.

Q

Maybe if there is a corresponding option in Torres, router might create a neighbor cache for host link-local doesn't might actually then host get back and erase which I forgot to put on this picture, and then it configures global address default gateway and it has a neighbor cache. Entry for Lille for default gateway, link, Alcala dress and the corresponding MAC address so host is basically ready to send traffic.

Q

All good now hosts are sending traffic and actually address may be still optimistic if a host is using optimistic that hosts engine can address our packets somewhere off, link, router, successfully, routing same link and all loops good, no neighbor cache updates at this stage right then return traffic comes the first packets appears on the route or from outside run altercations. The packet look, oh I, have no neighbor Cassandra for that address and creates incomplete entry and starts all his neighbor discovery process. Meantime, what packets arrive, all the speckles get dropped.

Q

Unfortunately, then, it's point of time MA, coming back from a host whose router neighbor country changed stay to reachable that first, but red packet may be delivered the host and ma traffic. A potential occurs apparently, and some applications might be unhappy about also spec, it's being dropped, because if, for example, they implement increment like exponential back-off, it might introduce huge delay and in general, when I look at this, it basically means we designed neighbor discovery in a way that it intentionally drops packets all the times. There is no way to avoid it.

Q

It's like by design, which is kind of sad Manu seriously. So what I'd like to see an ideal or like spherical, a spherical Network in vacuum, old boot right. So, ideally as soon as start sending packets from a host outside, it would be nice to somehow create a neighbor cache entry right. So when a returning traffic arrives it's already and actually in if it was just two hosts on the same link, it happens because neighbor discovery takes care of it.

Q

If you sent an MS to talk to, host host will create a neighbor currently because it assumes it. You want to talk to me. I might need to send some traffic back to you soon, so actually on dual stack networks.

Q

We do not notice this because, when ipv4 addresses configured host actually announced that and all neighbors, including routers, get their caches updated and as a result, because we have high payables dual stack networks working very well so on, as I said, the problem is that this would have worked for only in communication, but it does not work because routers are not not supposed to create a neighbor country if they receive an A.

Q

So if we try to do this, ARP, like sync for neighbor discovery, it would not work because 1461 explicitly prohibited with a good reasoning which works for only in communication, but for adversity completely different use case. If you see a router might need to send traffic back without without receiving NS previously. So it looks like the reason is good, but not for out there, surrounded by kind of X exclude that from that logic.

Q

So, as I said what we act sure when a web server and packet loss all the time delay for applications to start using the network and as a result, I'm creepy eyeballs, because users are complaining- you don't know before in every, and now everything is worse than before so options. What we can do, we can say a nasan we can look and take can be tweaked neighbor discovery. All we can try to look into advertising addresses from hosts. We can just fix, hosts and applications yeah.

Q

There are option of buffer ma packets on the routers, but obviously it's not an option, because we basically make router suspect able to neighbor discover a cache attack once you want to comment- or you just want me to finish- no.

R

I think there's something else we can do, which is also a bad idea, but I'll say that later.

S

Q

So before talking about solution, I was trying to summarize how the solution should look like. So obviously it would be really nice to create a stale entry in our neighbor cache for a host, if not, if simply doesn't exist. Obviously we do not want to overwrite the existing entry to minimize the disruption because, as I said address my D optimistic. So we do not know if there are any real owner of that address and link about it again.

Q

It would be nice if applications could use it for optimistic addresses as well, because it's exactly the case when you want to start using the network as soon as possible. So if device so application is okay with delays, it probably would not be using optimistic addresses and they might be okay with, like 10 second delay before they could connect and also, as you might know, in some networks, you have more than one router. So it would be nice if traffic live in the network from one router and return flow goes through another.

Q

It still works so again, nice and work intended you I, don't know. Maybe we can say: okay, it's a cosmetic issue. We can wait for 10 seconds every time your hosts connect to the network with a new address, but, as I said, obviously it makes people unhappy and I think it hurts the deployments. So users get a feeling that v6 only networks do not work as well, as was there coupons, so it's introduced additional resistance. So that's cool with the great suggestions about.

Q

Can we look into registration based in G, which is used in other types of the network? Well, it's a kind of maybe it's a strategic solution. I, don't know! If so by solving this problem, you introduce as a problem, so not so I think it should be discussed, maybe actually in six manner, not here so I'm not covering this in this slide, because I think it should be completely different topic.

Q

What we can do, tactically again, coming back to an a logic it looks like it does make sense for host to do the same thing as we did in before and advertise in your address and for our alters routers should acknowledge. This should because should means you don't do this unless you have a very good reason and I believe providing cool. When I read this justification, router it doesn't apply to routers and actually some vendors well-known vendor sexually. Have this already it's a configurable feature when they could glean from any packets sent by devices.

Q

Yes, I said the good thing is it's actually RFC compliant. We just need to ignore, should and already implement that. So there is actually deployment experience with this and it works for a symmetric traffic flow. So we have first hop redundancy over others. You'll receive an a over outers will obtain a broker.

Q

Obviously it would require some changes to hosts, of course, wants to start using network as quick as possible, and obviously this feature needs to be configurable, because probably nobody wants this by default to prevent attacks on neighbor, cache absorption and again, every time you do something within G, as I discovered, you have a slight chance of being affected by smart intermedia intermediate Wi-Fi devices, which can do some neighbor discovery tricks, but it's I, don't think we can do much here and other options are I looked at was host my scent neighbor solicitation from its global address to a router.

Q

It would create stale entry for that host for that address on the router, because again it will be like standard neighbor discovery state machine. If you get an anise 4 Mew I probably need to create an entry. However, the main problem here it wouldn't work for optimistic addresses because exactly for this reason to prevent disruption in case of duplicate addresses, hosts are not allowed to say and NS with source link layer address option, so this would not work. Another option is sent address from global address to a router.

Q

Then I think it would again, it would work if address is not optimistic or it would work actually 40 mystic addresses if route the response for unicast, because what's happened over address, would receive errors if address is not optimistic. Mac address was included into options and routers will create an entry if addresses empty mystic answer is no my country SSL la option in arrays. Then, if router responds with array unicast, it will need to do all this neighbor discovery machine, but again it might introduce additional delay because erase will be sent with some random delay.

Q

They might be Scotland. So what also suggested that we might just start pink in the router.

Q

Ok someday the traffic go into the router address 3 through the SSH a DGP session, whatever yeah as Goods increase, it will probably bypass all this intellectual middleboxes and wireless. The cons is I'm, not sure you can always send such a packet to another address. Its additional CPU load on routers will be dropped by a control, plane, action and again what else you've left the empty router would not work in isometric traffic flow.

Q

So what I'm, trying to summarize is suggestion is kind of recommend router vendors to do configurable, glean from unsolicited honest, again configurable it shouldn't be on by default. It shouldn't be enable per interface and and host probably can send unsolicited Tenace when they get a new address, configure security considerations. Warren was concerned about breaking stuff actually, no, because the only changes proposed is to create entry when entry does not exist.

Q

So if you're concerned about host doing and the exhaustion of it could do it anyway right, it could sent an SS, it could send RSS whatever whatever, if you have malicious hosts inside nice and changes right for from service this from a disruption perspective. Again, we only talking about situation when there is no entry. Even incomplete entry wouldn't be updated. Only talking about situation when entry does not exist, so it's safe to assume that there is no traffic for that host.

Q

Yes, there is a very rare condition when host might be sleeping for 25 days, someone sent a packet from outside and in the same moment of time we got a duplicate address coming on our well I'm, not sure. If it's so critical that it better to still see in constant packet loss, in all other cases, I says it's all. I have.

K

Go back to the gratuitous ARP one and while you're doing that I point out, that's not actually gratuitous off! That's optimistic or cleaning! Our I can't read pasta to.

Q

Really stick to me: we won't slide Turin. Our.

K

R

And the reason why doesn't work, maybe six is the TRA? Has the SLO leo all.

K

That's not what I was gonna say all I gotta say is. This was a problem and before we solved it in v4, by doing the opportunistic or cleaning or carpenter ease, and that works well enough that, like on the ITF hotel network, the router doesn't send any Arps at all. So like it's a problem in v4, we fixed it in v4, it's a problem in v6. We should fix it in v6.

R

Question so the that the have you seen what other implementations do I think Windows Windows sends or used to send na to ffo to Kona column. One have you seen what other implementations do? I know that Android doesn't ID.

Q

Okay, I have the best implementations, yet I think Mac OS does not do that. It was a report on release from Alexandros with Windows. Does this and obviously I think so so? Obviously, some vendors implemented that on the router equipment, so I suspect they had a reason for this. So there are some environments when hos doing this.

Q

Alright, so and again, it's kind of if you want Android device to do this like to get the cash update at first, they probably make sense to do something so, as I said, I have some concerns about syncing trace through the pings, because it might not work on every environment and I believe this might better chances to work. If router vendors doing blame have.

R

You checked that the unsolicited, in a survives like optimizing Wi-Fi devices, I.

Q

Feel, like I, sent one eye on the device. I guess that and I think it did yeah. Well, it doesn't mean it's gonna survive every optimized Wi-Fi, but I assume. If what Warren is sworn is saying right, it does for you for so yeah. We have a good chance. If it doesn't, it might be. Just this code is not in place. Here's some wireless devices, but again it's not fundamental issue.

M

Shared much Akamai, it seems like yeah. We should update it to be explicit to say that the routers III think it should probably be promoted from the should text that I saw highlighted to you know something something else and is yeah yeah yeah. Sorry I think you I think you might have showed both I think you might show the change. So basically it's a it's.

Q

Very hot sent right: it's talking to us, so I think what we should be doing. I suggest we write a document for router when you're saying router recover as they recommended to ignore this shoot and have a configuration option, configuration option to ignore this shoot and still do beam. Yes, so it's this one right, because River dweller violations is how I've seen it's it's talking about host sexually. So it's not a case for routers right.

M

Yeah I think we should give it explicit guidance. You get the router yeah.

C

M

Vendors implement implementers and then do a bit of an inventor us would do an inventory of what what vendor is to stuff, because it looks like iOS. Does this mmm-hmm, but it doesn't look like the others. Have configuration knobs for them.

P

Yeah high equal missions gave one of the others of 65 83 with Warren, so the vendor. That is doing so. Yes, this is a massive problem.

P

The vendor that is doing, cleaning based off dad has done so based on our I. Don't know if the feature request would be the right way of mandate like we have tried to actually when we were writing 65 83. This was one of the things we want.

C

P

In the equivalent of gratuitous ARP, the way that we were suggesting to do that was basically when dad is being done. At that point, sorry, not gratuitous cleaning, your fault cuz, you would just mention it, but basically do glean based on receiving a dad at that point, put it on stale revalidate and kick off the process. We were told that a document of the six ops should not mention a implementation of a protocol, which is why was not included in 65 83. Yes, that is exactly what we're told.

P

We could probably find some of the original text. If you want to do that.

R

P

We were not allowed to make, which is why our.

A

K

P

We actually had to go to six man. There were other, not change. There are other changes too.

P

B

P

We had other things that we went to six men and modified the nut behavior, but this particular one that we try to modify, we were told, was in our place. Please finish. Our work and I could probably find some of the.

M

P

I probably have at some work as I most of the original. The original work I wrote the original thing that Warren had to rewrite completely for 65 83, but my original one probably has the gleam text and a tall shitty to you, but the reason why a version of Cisco implements it is because they were our vendor at the time and we work with them to make it happen, because otherwise my iPhone could take out a data center and there's not a happy place to be.

Q

Okay, so we we discussed implementation, details, cool and.

P

The problem is that we were not allowed, as v6 ops were not allowed to discuss these implementation details, and in here it was supposed to be six men and six men didn't care about the implementation of how it's actually done and routers they cared about spec. We should wash a place that it would be awesome if we thought.

A

Well, we are not allowed to do this. Protocol we are allowed to, according to our curve, provide operational work grounds.

A

T

Are allowed to provided.

A

Advice to other working groups in specifically six-man seems like where you're going is. We need an erratum against 4860 ones. That says no.

Q

Actually so this seshu right.

A

So you want to change that shirt in the event that it's relevant, no.

Q

I, don't think we need to change it. We need to say, guidelines for outer implement resides, they could. May those a glint, because I see you shoot, we've been while I shoot, isn't.

A

Should not basically waste me, wait.

A

We need to file an erratum against forty eight sixty one that covers the case to your very, not necessarily, and the other thing that we need to do is provide operational guidance.

K

Right yeah I mean so you can file it or rod up, but there's no I can accept it, because that would be changing what the intent was when they wrote it. So, whether or not I agree it's a stupid thing. When it was written, an errata I can't be used to change an existing, not even.

A

Any clarify or really the only way, yeah.

K

You know what we could probably do is if it were to be written in v6 ops and we walked over to six matter like we're. Just is it okay with you all? If we just mess with this bit, they might say it's more trouble to for us to do it than for you to do it whatever, but I think it's useful. A document is written and if we discuss it there and if we say we think this is a great idea and we take it to six man, even if they want to actually progress it.

K

You know having a bunch of operator, people show up and say yeah. This is broken. It would be better if we just make this one small patch, you know cause it has to progress this year. If it has progressed.

A

And I don't think we need to discuss politics, debit,.

H

Number: let's go from easy to hard if you have a smart, Wi-Fi solution. Ideally you would update your smart Wi-Fi solution and it would do then a to the router for the Wi-Fi client, which is that's totally. What's gonna happen, even if you don't want it.

Q

H

Will happen if we proceed this way.

Q

Why, oh I would so.

H

The the Wi-Fi controller will interfer it's it's it. It is. It is its job to interfere, basically with all of the neighbor discovery traffic, so it will totally sit. It's boxy in the middle they're.

Q

Going to send unsolicited a and make sure router is updated. Fine, we discussed about the trailers normally, unless it's a one particular vendor, ignore those anaise right, yeah, okay,.

H

So either way the detail on the presentation. The end I do see one privacy issue with this, which is that if you do the n/a for privacy address, you have to broadcast it essentially or multicast it. So you didn't do that before are.

Q

You you sent an MS for that. Do you do that.

Q

Okay, we have two more Erik.

I

Line I'm not an ad, but it seems like a document. That's saying why this should is violative all four routers: it's not necessarily out of scope. That's all you need to say right. Okay, just explanation, my.

B

And headaches also.

I

In any of the testing that you did, do you ever try setting the router alert option on any of the messages? hmm Does that change anything? No.

Q

I was kid retracting your office and just in case yeah we can yeah I, don't.

I

Know I, don't know how routers actually hey with around earlier adoption, maybe maybe they all ignore it.

R

Q

Called Robin in your shoes, if I not get paged for crashing, also.

I

I mean testing with Android devices. Those those addresses are optimistic by default right.

I

Try it was something it's not doing. It's not good.

H

Tim winner of you and a try well couple things, I think this is a good idea. I do think we're gonna have to put something in here about up it being an update to 48 61, there's two way too many implementations out there that will just ignore these packets. The only other thing is make sure it goes to the all routers not to the all nodes address, because we only want routers to care about this and yeah.

Q

I think I forgot to put it in the case, but yeah I was thinking you can send yeah.

H

Okay, oh, we have plenty of implementations, we'd be more than happy to tell you guys what current implementations do at I/o. Well, so.

R

I

R

Speaking of all, we're is restore old hosts. I know that there are a bunch of devices that drop stuff to all that drop stuff to all nodes, but not all rivers, and if those things happen to have forwarding turned on then by sending it to all reuters you'll start chewing up their batteries.

R

We want to be careful about what current implementations do so I heard about that.

H

David lamp utter again, but if you don't send it to all our routers and you don't send it to the that group, your yeah, but that's that that's exactly where I don't want wanted for privacy purposes, because it's not on all nodes. Yet if you have a privacy address you're at least a little bit private still there.

Q

Right he's a private, so.

P

This is actually the exact reason for why original we were proposing to off of death, because anybody that cares about that good, ok, routers could essentially, which has to be anyways yeah like anybody. That's listening to old dad is listening to all the dresses. Ok,.

Q

So, as a quick question, can we call for adoption? Oh, they think not very quiet.

A

All on the list, but when we ask for a sense of the room, do you think this is something that we could have done if so.

D

Which one is it.

J

Okay, thank you and, if somebody's in the jabba room, that could be interesting. If somebody replaced me when I'm speaking here, I am single entity of myself I'm, not the tickets. Okay anyway, this draft is basically belonging to OPSEC. We're to two chairs are here. So thank you for being here and supporting me, fathers and basically it's as you can read. We try to analyze all the operational security issue in several places in the network, specific focus on service provider, network enterprise network and residential as IOT is a very complex place.

J

We do not talk about it, even if some couple of thing we say in this document also applies to iot of you see and that's an informational draft, and what we want to do is basically I mean all of us are doing v6 deployment. How often do you get a all secure? Is it organized securely deploy my network, so we try to put all things together there and our recommendation.

J

So now the bad news we are working on this since September 2012 I was not even the object chair that point of time. You were not even right. So a long long time ago, but still in the 21st century- and basically it is quite a vast domain and it's a kind of moving target right with capital of people in this community discovering new security issue, and so we need to update the draft and so on and so on.

J

As I said, informational document, it's quite long, though 50 page and nothing and we are putting the record on all many reference. We have in a reference section: I counted them yesterday, 116, because basically the text says a for this. We briefly explain the issue and then we'll be fair, basically to the RFC, all the other documents that are not always AIT of documents. By doing its consideration, it's not recommendation by the way, so the structure of the document, the big part, is about a generic security.

J

Consideration and I shall come back on this on the next slide. Then we go capital of page 1, Enterprise I, said capable of bridge on service provider. Where we talk about BGP about the transition mechanism, including translation mechanism, of course, and Ally right I mean the service provider network and residential network. We simply refer to those to RFC here.

J

The big chunk, so is generic consideration and then we go and the first paragraph was addressing architecture and at the beginning we were doing a lot of about ula. Now it's only one line. Basically, because there's quite controversy there, we talked about DHCP slack promise. Reconsideration next step is about extension, headers orders how, by up what we do with fragmentation and refer to your draft link layer security. What about new discovery? Of course?

J

What about rogue array and so on fewer to about three GBP as well control, plane security, it's easier because it's mostly the same in a PV for ipv6, so that that's easy. We only expect from is what we call the packet exception.

J

This is when we need basically to send the packet to the CPU okay, which has some time different, compare v4 and v6 rotting security, basically explaining what we can do there about the routing, update the rod filtering or refer to this RFC 6060, six about the DCR prefix, for instance, everything about the transition techniques, you a stack and capsulation translation. We even kept Terra dos and six to four, even if nobody is using it, because when we talk to customers and people do bring it the questions still pop up and it's communicated.

J

Those two has been made: history and sharing device hardening.

J

Where we are so, we are revision, 17, a thing or whatever. Obviously, as you said, some section we're quite controversial right, I mean I, see at least one somebody in the room here. Another lady in the end and Tim shown is not here, but many people has provided feedback plug it and we listen to this right. So we basically now counting the text. You elaine only nothing. We don't talk about p.

J

I versus PA, for instance, we'd try to talk to take into account all the consideration that will raise on them in english in a previous review in this group couple of years ago. So we think we are now in a reasonable shape here.

J

Capital of acknowledgment- and I think many people in this room up out there- that's all the people sending review comments. Thank you again. We have requested looking group last call to Jen and and run through the optech working group share. They want to talk to us to me. I, guess before doing this, so we'll do it later this week, Matt as an author I would love to get as well. We will go if everything is okay, working group last Conan OPSEC, but in this case it's also v6.

J

So while we do the group last goal in OPSEC, it would be nice for the authors that you also do the review here. Okay, because that's observed, roar and v6, so I hope that we'll get some people reviewing. It I understand it's 50 page, so it takes some times, but it's really useful, because after reading it and reading it I mean the authors, we don't don't know anymore right, okay, so basically we have to get done. Thank you again and any questions nataly's.

C

Shredderman ripe ncc every ITF that there is a presentation about this draft I go to Mike I thank the alters, maybe one or two cones, no I'm done. Okay, I read it again after the last revision. It looks great. Thank you. I would suggest neat last call and move on, and maybe after eight years to be done, Thanks.

J

Thank You Nathalie.

E

I I don't know if you have seen my last email a couple of days ago. I think. Basically, it's done. I ripped all the text again after the ITF in March and again last week there are just a couple of needs and I still disagree with not differentiating between Matty and me because they are somehow different from the perspective of security and then I think. The other comment was there is nothing about the DNS proxy problem. If you don't have a DNS proxy in the CPS, you need clarification. We can talk about this by email.

E

I. Think it's simple to do. Add some text on that. Okay,.

J

Anyway, thank you for your email with it's not time yet to react on it and I. Don't understand, indeed your DNS proxy, so you need to talk. I mean.

R

I think your strategy of trying to change nothing is good if one reports anything with any text delete the text set, say: okay, it's out of scope. One thing you do need to delete is the reference to the ula usage considerations document, because that ain't happening yeah.

T

I've been open.

R

For years, so it's off because, like until that gets out of whatever, until that makes it to RFC. You can't publish this one anyway,.

J

Right, yes, all right! That's.

R

J

Was wondering the same thing Renzo? To be honest in.

E

My March review I provided a text about the ula that I think it will be better than deleting that you may want to reconsider that text. Please read it again: I.

U

Usually, don't want to touch you away right for this.

R

One I think the text you have there for your lasers fine. As long as you delete the reference to the thing, that's not gonna get published. Okay! Thank you. Oh.

J

Maybe you can reach it so.

A

Question are you looking for comments to come to music stops really good outside I.

J

Think, if you can put OPSEC I mean it's up to the chair by the way here. I would love this community to review it and send a comment to OPSEC right I mean all of us signed the same thing, so we will see it anyway, but put the name of the draft there right. That's the way when the meaning lists when you look in the archive is.

G

J

Else interested.

A

Going back to the agenda, we have a couple day to read things: creative, these things again: I'm gonna. Let them look some politics.

A

Yeah for the one in your.

A

F

Okay, my name is Uma I'm going to talk about is sv6 empty deployment. Considerations and I thanked her kindly agreeing to put this because they asked me to send an email. I could not send I was traveling, but I promise after this meeting, I will send an email with the document and on my comments, if you have any things, I want to ask I will send it. So this is regarding the ISIS protocol for v6, only topology or multi topology.

F

Ok, this work has been presented in LSR working group in idea for node 3, based on the feedback and suggestions we are presenting in v6 operation. Some of the people said that you know this is no document is required. We don't want to do LS. Our working group doesn't want to do deployment considerations document some of the things are known, and you know that kind of stuff, so I just wanted to know your feedback. If this is a known thing, that's fine. Otherwise we want to think we think that it's good to document.

F

What is there out there? We are not changing anything in the protocol so background. There are a lot of IP ipv4 ISS deployments. A few more folks are seeking ipv6 only deployments. The first thing I worked in 2012 me, my world employer. We started looking at ipv6 only deployments still it's happening. The questions are the same. We are amazed, but you know, but this is the that this is the fact. So this is based on talks with multiple operators. Most of the things we are looking at, it is right now, mobile, backhaul.

F

We're for fighting services are being deployed, people are thinking about ipv6. Only some people are looking for sr v6 and folks are in l3. Dc underlay is looking for v6 only deployments. So what's the goal and what can be done goal of this degree? This document is to lay out the nuances around Isis and ipv6. There are a lot of options with ISS. How one can apply one can deploy with ipv6. The first thing I wanted to clarify is is is multi. Topology is not equal to ipv6, it's one way of deploying ipv6.

F

The second thing is provide various options and limitations with eius eius for transitioning to ipv4 to ipv6 and looking for ipv6 only deployments, so it doesn't provide. This document doesn't provide any protocol extensions. It's only it's just it's. What is there over the last 10-15 years? What happened in is critical. It's a documentation of fourth and one sis non-goal there is ISS multi topology.

F

There are a lot of use cases, even the developers, even the people who are writing the drafts, get confused to what empty can do and what cannot do there can be lot of things that can be done with empty, but we are not going to empty what can be done and the exhaustive use cases around empty, okay, ipv6 in ISS.

F

Primarily there are two ways to do: ipv6 and ISS. One is ipv6 first introduced in five 3:08 RFC five-30, eight there's a new reachable TTL, we TLB 236. It works on a single topology mode. That means one decision process happens. That is one SPF happens and you get come. You get to compute both ipv4 routes and ipv6 routes and download to the fav. So there is that's the one thing and there is a limitation. There is a condition there how this works.

F

I will come to that later later, on, RFC Phi 1 to 0 introduces ISS multi topology. This brings back, brings two topologies specific edition seasoned topologies specific decision process.

F

There is TLB 22 added for a high density, LV and TLB to 35 to 37 arid for Monty topology TLB, where each ability, ipv6 addresses can be advertised so as I set up all the decision process, topology specific decision process- that is a very multi topology you have ispf complication, happens and the main computer main thing is here: MPI d2 is reserved for ipv6 routing topology, and this is where most of the SS empty deployments are seen basically is empty, is used only for MK ID. It's a safe alternative, deploy ipv6 in the legacy networks.

F

So what's the problem with RFC Phi 3 0, it only thing is it's very simple: ipv6 we just read: T 1 TL v, TL B 236. You are good to go, but the only condition is the whole network should be congruent. That means all the all the nodes and links have both v4 and v6 should be unable in sync, as a simple example. Here, let's say a network bitten like this, everything is v4 and v6, but between RX and not to only v4 is enable. What happens is in this case in the RFC five-30.

F

It is a single topology mode, even though there is an alternate path between r1 RX, r, 1, r y r2, but the shortest path is between RX + r2. So it tries to get this and you know that you look at a black hole. So basically you're routing gets black hole here.

F

So that's the problem so basically for RFC five-30, it's single topology mode to work all the links and node should have before and v6, so how this gets fixed either you can enable v6 on that link or you can switch to RFC 5 and to zero, where you can do mt ID, because decision process is different there, so you don't have to worry about anything there.

F

So there is a single topology mode with multiple address families. So we we talked about this restrictions network must be congruent. We have seen this and some examples where this is not possible when ipv6 is getting introduced in the networks and legacy nodes does not support ipv6 our implementation issues causing the ipv6 to be disabled or Hardware scale limitations, causing that p v6 to be persons or low-end devices.

F

So all these cases, forced people to think is SMT, but still people are using this and we get questions even after after 8 years of my bus first question, I got it from 2011 and still like I get this questions.

F

Actual is that's the reason we wrote this document so in out on is SM here single adjacency with multiple empty IDs in the edges NC, you list all the empty IDs you support and MK ID specific decision process done and the common repent Feb, but the thing is MT ID deployments only MT ID to is only seen because a lot of implementations lot of the big vendors don't support at that multi are the topologies in empty.

F

That's one of the problems with empty okay, so the one of the another confusion with Isis is all around with the technology. Now we can see that multi topologies. It says that MT ID 2 is reserved for ipv6 routing topology, but rather they should have said that this address family. There is no distinction between utters, family and topology there. It's all mixed up there with the terminology. This caused a lot of confusion, even though a lot of questions comes because of this fact. So so yes, MT can be used for other than ipv6 routing topology.

F

If you want 84, you can do whatever you want another ipv6 routing topology. Maybe they wanted to say that, as this is the first routing topology with ipv6, it's a tiring conversation. If you want ipv6, only use MK, ID I, don't want multi, topology I just want single topology ipv6 only I want, but still you how to use empty ID because, as a result, ipv6 routing, topology.

F

Ok, one of the goal of this talk when to use this conversation. Another deployment notice as I said lot of with big vendors. Don't support multiple topologies generously. There are other ways to do this. If you have interest, I can talk to you guys, but this is the fact.

F

So in summary, this document only provides various options available for ipv6 only deployment or transition to ipv4 to v6 and what are the pitfalls to avoid? Maybe this is known to a lot of people, but you know this is not thing thought I got and I ever haven't. We talking to customers and demystifies. What's been out there in is SMT and any comments feedback I will happy to take, and we are looking to ask for adoption in LS are working group.

F

Ls are working, so one of the ellis our feedback I got was, is, is ipv6 all done in 1195 ahrefs 1195 and they don't want to do deployment guides because it's a known issue, so many things they are tied up there even I didn't put multi topology transition. There is another confusion there, so all these are documented in I thought it will be useful, but it's up to the folks here also I will get the feedback from here. Okay, so I'll ask you the same question: I asked your: where do you want feedback?

F

I, won't feedback from here v6 operations, because these are the folks who are deploying ipv6. Only Network are transitioning to ipv4 to b6, so you guys might have faced some of these problems or you might have work around sunny. No, no v6 I will send a mail to the v6 ops and if you can send the feedback in the basics.

P

F

That will be useful and that will be useful for me to say that I presented this in v6 ops and this is the feedback. I got.

A

Okay, so one please.

A

Summarize does anybody wish to do a manual review of the document? I, don't see them, so you wonder.

F

A

Will summarize any comments we go? Thank.

F

You so much okay! Thank you. This.

A

And she grabs yeah. What do you want to do? I.

E

Can I can go to that one very quickly just to to get comments in the lists? Hopefully, okay, so I started this. This work, something like 10 years ago, but at that time we didn't, we didn't jump it into into it. Actually, the main point is that when you read the document about how you do point-to-point links, it looks like it's recommending a slash 127, but actually this is not what the document says. What the document says is that routers must support it.

E

So I am trying to clarify that here, especially because almost 70% of the networks are using a different way, so we should document in basic sub Scotties actively being used in the network right the resource. Another point here, which is supported by RFC six60 three, which is exclude option for as last 64 from a bigger prefix. So you have well actually shorter prefix.

E

If you have, for example, as last 48 for a customer, you can use the first slash 64 for the point-to-point link, and this is not documented anywhere, its reference it as something that can be done, because you have the exclude option in dhcpv6, perfect delegation, but it's actually not documented, and a lot of people is using that. So what I am what I am trying to do in the in the draft is describing the different choices that you have for the point-to-point link, good things and bad things from its bond and also the numbering ways.

E

So, for example, you can use global unicast, you can use your leis, you can use a number it which is a link, local and so on. So that's, basically what the draft is describing all those are used by different ISPs, but we don't have a real document which is describing all the choices. Okay. So most of the time when, when you get questions from ISPs, how I do that? You don't have a single document to reference everything like that, and some of the possibilities are not documented in any way.

E

So that's basically it I got some comments from Eric one week ago. It's true that the draft goes dormant for one year, because I didn't have time to date. It but I plan to to have a new update in one or two weeks, taking consideration Eric comments and if there are other comments as well.

H

So you're missing at least one option, which is to assign a 64 to a router and assign 128 out of that 64 2 links, oh yeah, that's.

E

That's another one yeah thank you. I will consider that please send send something into the list. Okay, thank you.

E

So again sang with this document. It has been dormant for one year, one year more or less I didn't have it sufficient time to take over it, and at that time it was not considered by the working group, but this is a discussion that that we have every two three months actually I. Think two weeks ago we had the same discussion in the list, so in other working groups we have definition, sort of terminology.

E

We don't have that here, and this is a very simple different definition about what is native good Teesside tv6 only and that's the goal of the document. So let's try to speak the same language because we are confusing people, that's that's it I I, don't think I need to go through the slides. This is so simple like that. We you may agree or not with this definition. That's the reason we need to work on that. Okay and that's it. Thank you go to the list. Please.

A

With that I guess we're adjourned.

B

D