1 Status of IPv6 Rollout at Swisscom Martin Gysi, public
2 Status of IPv6 Rollout at Swisscom: Agenda
Remember IPv6? It's IP with longer addresses! (Nothing more, nothing less. But it's crucial for the future of the Internet.)
- Residential
- Datacenter
- Mobile
- Enterprise Customers
3 Residential: Evolution of dual-stack customers
[Chart: "Residential IPv6 customers ?", monthly from January to December over two years]
- Remote activation of IPv6 began in March 2013 for ADB «centro» routers.
- IPv6 is not yet activated by default. So, due to customer churn, numbers decline after a rollout. New customers are activated periodically.
- New firmware for older CPEs will allow turning on v6 by default. Rollout depends on VDSL vectoring; we don't know when it is going to happen. It should roughly double the number of active users.
4 Residential: Evolution of bandwidth for dual-stack users
Average peak traffic per customer since start of rollout:
- Total: +50%
- IPv4: +30%
- IPv6: +245%
IPv6 traffic is 26% of total traffic.
[Chart: IPv4 average peak traffic per customer; IPv6 average peak traffic per customer]
Services that are available on IPv6 grow significantly faster than the average!
5 Residential: IPv6 traffic sources
60% from Google, 5% FB, 35% rest of Internet.
[Chart: Distribution of IPv6 packet sizes, vertical axis 0.00% to 60.00%]
6 IPv6 Rapid Deployment on IPv4 Infrastructures (RFC 5969)
6rd is a stateless tunnel technology, embedding the CE's IPv4 address into the IPv6 prefix.
[Diagram: network topology. Native IPv4/IPv6 | 6rd CE router | IPv4 only, IPv6 tunnelled over IPv4 | 6rd Border Relay | Native IPv4/IPv6]
Tunnel endpoints: send to preconfigured BR address; send to embedded CE address.
IPv6 address format for 6rd: 2A02: (RD prefix) | up to 32 bits of subscriber's IPv4 address | Subnet ID (subscriber subnetting) | Interface ID
IPv4 header & encapsulated IPv6 packet (downstream): IPv4 Header (IPv4 dest is a copy from the IPv6 Header) | IPv6 Header | IPv6 Payload
7 Residential: Border Relay (ASR 9010) technical details
- 6rd encapsulation and decapsulation is performed on the «NPU» of line cards.
- Three ports of a 24-port line card share 1 NPU.
- Service Blade for «exceptional traffic», e.g. ICMP (Ping, Traceroute, Path MTU Discovery).
- First step of rollout: use every third port on the LC.

service cgn SC_6rd
service-location preferred-active 0/0/CPU0
service-type tunnel v6rd 6rd1
path-mtu 1472!!!
br
ipv6-prefix 2a02:1200::/28
source-address
unicast address 2a02:120c:1051:d010::1
!
address-family ipv4
interface ServiceApp4
!
address-family ipv6
interface ServiceApp6

[Diagram: 6rd BR line card with NPUs and ports Te0/1/0/0, Te0/1/0/3, Te0/1/0/6, Te0/1/0/21, Te0/1/0/23; IPN 1 and IPN 2 (IPN, 8-port LC) on ports Te0/5/0/0 and Te0/5/0/3]
8 show command: #sh cgn tunnel v6rd 6rd1 statistics

Tunnel 6rd configuration
=========================
Tunnel 6rd name: 6rd1
IPv6 Prefix/Length: 2a02:1200::/28
Source address:
BR Unicast address: 2a02:120c:1051:d010::1
IPv4 Prefix length: 0
IPv4 Suffix length: 0
TOS:, TTL:, Path MTU: 1472

Tunnel 6rd statistics
======================
IPv4 to IPv6
=============
Incoming packet count :
Incoming tunneled packets count :
Decapsulated packets :
ICMP translation count :
Insufficient IPv4 payload drop count : 0
Security check failure drops : 1483
No DB entry drop count : 0
Unsupported protocol drop count : 0
Invalid IPv6 source prefix drop count :

IPv6 to IPv4
=============
Incoming packet count :
Encapsulated packets count :
No DB drop count : 0
Unsupported protocol drop count :

IPv4 ICMP
==========
Incoming packets count :
Reply packets count : 1
Throttled packet count :
Nontranslatable drops : 9693
Unsupported icmp type drop count : 0

IPv6 ICMP
==========
Incoming packets count : 1346
Reply packets count : 1325
Packet Too Big generated packets count : 2128
Packet Too Big not generated packets count : 0
NA generated packets count : 0
TTL expiry generated packets count : 0
Unsupported icmp type drop count : 0
Throttled packet count : 7434

IPv4 to IPv6 Fragments
=======================
Incoming fragments count : 0
Reassembled packet count : 0
Reassembed fragments count : 0
ICMP incoming fragments count : 0
Total fragment drop count : 0
Fragments dropped due to timeout : 0
Reassembly throttled drop count : 0
Duplicate fragments drop count : 0
Reassembly disabled drop count : 0
No DB entry fragments drop count : 0
Fragments dropped due to security check failure : 0
Insufficient IPv4 payload fragment drop count : 0
Unsupported protocol fragment drops : 0
Invalid IPv6 prefix fragment drop count : 0

IPv6 to IPv4 Fragments
=======================
Incoming ICMP fragment count : 0
RP/0/RSP0/CPU0:lssic20p-brd001#
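
The 6rd address mapping from slide 6 and the border relay's source check behind the drop counters above, as an added example (not Swisscom's or Cisco's code). It uses the 2a02:1200::/28 prefix from the slides with all 32 IPv4 bits embedded; the sample CE addresses are constructed, and mapping the two drop labels to the ASR 9000 counters of the same name is an assumption.

```python
import ipaddress

# Values taken from the BR configuration and show output on the slides.
SIXRD_PREFIX = ipaddress.IPv6Network("2a02:1200::/28")
V4_BITS = 32  # IPv4 prefix/suffix length 0: the whole IPv4 address is embedded
DELEGATED_LEN = SIXRD_PREFIX.prefixlen + V4_BITS  # 28 + 32 = /60 per customer


def delegated_prefix(ce_ipv4: str) -> ipaddress.IPv6Network:
    """6rd delegated prefix of a CE: 6rd prefix followed by its IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ce_ipv4))
    base = int(SIXRD_PREFIX.network_address) | (v4 << (128 - DELEGATED_LEN))
    return ipaddress.IPv6Network((base, DELEGATED_LEN))


def embedded_ipv4(ipv6: str) -> ipaddress.IPv4Address:
    """CE IPv4 address embedded in an IPv6 address inside the 6rd prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXRD_PREFIX:
        raise ValueError("address is outside the 6rd prefix")
    return ipaddress.IPv4Address((int(addr) >> (128 - DELEGATED_LEN)) & 0xFFFFFFFF)


def br_decap_check(outer_v4_src: str, inner_v6_src: str) -> str:
    """Decision of a border relay for one tunnelled packet from a CE."""
    try:
        expected = embedded_ipv4(inner_v6_src)
    except ValueError:
        return "drop: invalid IPv6 source prefix"
    if expected != ipaddress.IPv4Address(outer_v4_src):
        # Inner source claims a prefix that belongs to another IPv4 address.
        return "drop: security check failure"
    return "decapsulate"


if __name__ == "__main__":
    # Constructed sample addresses: a documentation address and an RFC 6598 one.
    for v4 in ("192.0.2.1", "100.64.0.1"):
        print(v4, "->", delegated_prefix(v4))
    print(br_decap_check("192.0.2.1", "2a02:120c:0:2010::1"))
    print(br_decap_check("198.51.100.7", "2a02:120c:0:2010::1"))
```

Because the relay keeps no per-customer state, this comparison of the outer IPv4 source with the address embedded in the inner IPv6 source is the only thing that ties a tunnelled packet to the customer who sent it.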
9 Residential: 6rd vs. CG-NAT
- As we don't have enough public IPv4 addresses, a number of (low-end) customers get RFC 6598 addresses combined with NAT: restricted IPv4 access. Of course, their IPv6 /60 prefix is public!
- 6rd uses IPv4 as transport between CPE and Border Relay, in a completely stateless fashion. RFC 6598 addresses are routed (non-natted) to the BR.
- Saving IPv4 addresses and deploying IPv6 are two separate, distinct problems that must both be solved!
10 Reverse DNS in IPv6: how?
In IPv4, ISPs assign a reverse DNS entry for every IP address that they assign to their customers:
in-addr.arpa. IN PTR cust.bluewin.ch.
In IPv6, that's a hard thing to do: Swisscom has 2^100 addresses for residential customers alone. No DB or flat file could hold so many entries. (See Lee Howard from Time Warner Cable: draft-howard-isp-ip6rdns-06)
- No entry: Common, but not best practice.
- «No such domain (NXDOMAIN)» entry: Gives you no answer, but at least you know that somebody owns this space.
- «Wildcard» entry: Return the same answer for all requests within a certain space. That's what Swisscom does. Disadvantage: forward and reverse entries will never match.
  * a.2.ip6.arpa. IN PTR dynamic.wline.6rd.res.cust.swisscom.ch.
- Generated-on-the-fly entry: More CPU intensive (especially with DNSSEC). Advantage: matching forward and reverse entries.
- Dynamic DNS: ISP's DNS delegates to Residential Gateways; hosts automatically register their names there.
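
The wildcard and generated-on-the-fly strategies compared by whether the reverse answer resolves forward to the same address, as an added example (not Swisscom's DNS code). The wildcard scope 2a02:1200::/28, the forward zone `dyn.example.net.` and the hex-label naming scheme are assumptions made for the illustration.

```python
import ipaddress

ZONE = ipaddress.IPv6Network("2a02:1200::/28")  # assumed scope of the wildcard
WILDCARD_TARGET = "dynamic.wline.6rd.res.cust.swisscom.ch."  # from the slide
SYNTH_SUFFIX = "dyn.example.net."  # hypothetical zone for generated names


def ptr_qname(addr: str) -> str:
    """ip6.arpa query name for an address (32 reversed nibbles)."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."


def addr_from_qname(qname: str) -> ipaddress.IPv6Address:
    """Address that a full-length ip6.arpa query name refers to."""
    labels = qname.rstrip(".").split(".")
    nibbles = labels[:-2]
    if labels[-2:] != ["ip6", "arpa"] or len(nibbles) != 32 \
            or any(len(n) != 1 for n in nibbles):
        raise ValueError("not a full ip6.arpa name")
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))


def wildcard_ptr(qname: str):
    """Wildcard strategy: one fixed answer for every address in the zone."""
    return WILDCARD_TARGET if addr_from_qname(qname) in ZONE else None


def wildcard_aaaa(name: str):
    """The shared wildcard name cannot point back to each customer address."""
    return None


def synth_ptr(qname: str):
    """On-the-fly strategy: encode the address in the answer itself."""
    addr = addr_from_qname(qname)
    return f"{int(addr):032x}.{SYNTH_SUFFIX}" if addr in ZONE else None


def synth_aaaa(name: str):
    """Forward side of the on-the-fly strategy: decode the first label."""
    label, _, rest = name.partition(".")
    if rest != SYNTH_SUFFIX or len(label) != 32:
        return None
    return ipaddress.IPv6Address(int(label, 16))


def forward_confirmed(addr: str, ptr_fn, aaaa_fn) -> bool:
    """True when PTR(addr) resolves forward to the same address."""
    name = ptr_fn(ptr_qname(addr))
    return name is not None and aaaa_fn(name) == ipaddress.IPv6Address(addr)
```

Receivers that require forward-confirmed reverse DNS, as many mail servers do, accept only the generated variant; with DNSSEC each generated answer would also have to be signed at query time, which is the CPU cost the slide mentions.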
11 Datacenter: Overview
«Product IT networks» (PIN) datacenter:
- Routing (IPv6 on MPLS) has been in place for 40 weeks.
- Services are tested end-to-end in lab and work fine.
- Load balancers are still not OK, due to software issues not related to IPv6. So no live services are running dual-stack today: no DNS, no bluewin.ch, no mail.
- Next IOS release for LB will be available in November, then another round of IPv6 testing.
Swisscom IT Services datacenter:
- swisscom.ch: Running dual-stack since «World IPv6 Launch», using two dedicated F5 load balancers.
12 Datacenter: Some learnings and caveats
PIN runs on old hardware (c7609 with SUP720 and PFC3B/C line cards).
Routes: Limited to max 256 k; 32 k IPv6 routes by default (an IPv6 route counts as two IPv4 routes).

c6500#show mls cef maximum-routes
FIB TCAM maximum routes :
=======================
Current :
IPv4 + MPLS - 192k (default)
IPv6 + IP Multicast - 32k (default)

c6500(config)#mls cef maximum-routes ?
ip            number of ip routes
ip-multicast  number of multicast routes
ipv6          number of ipv6 routes
mpls          number of MPLS labels

ACLs: 128-bit TCAM, so not enough room for IPv6 address + port. ACLs exceeding 128 bits are treated in software (bad idea!).
Activate «ACL compression»:
mls ipv6 acl compress address unicast
Verify the ACL is not punted to CPU (watch for «punt» in output):
sh tcam interface gigabitethernet 1/10 acl in ipv6
13 Mobile
- VoLTE (VoIP over LTE) will use an IPv6-only APN (~VRF in mobile). Launch announced for mid
- No launch date for IPv6 on the Internet APN. But should be achievable with the experience gained from the VoLTE rollout.
- We plan on using 464XLAT (RFC 6877) to get rid of IPv4 in the mobile network, but still enable IPv4 connectivity for applications that need it.
[Diagram: Handset | Mobile Network | CG-NAT | Internet. IPv4 path: IPv4-only app, NAT 4 6, IPv6-only mobile network, NAT 6 4, IPv4 service. IPv6 path: IPv6 app, IPv6 only, IPv6 service.]
14 Enterprise customers
- Currently working on a dual-stack offer for SME customers.
- IPv6 will be part of the «All-IP» product bundles (my KMU office), to be launched mid
- Mid-range offer will include:
  - Static /48 subnet
  - CPE supporting DHCPv6 prefix delegation, making it possible to chain routers
- IPv6 Internet Services from IP-plus have been available for more than ten years, on a best-effort basis.
- LAN-I (L3-VPN): On customer request. We currently have one pilot site running (Alte Kantonsschule Aarau).
15 Addressing the infrastructure 2001:4d98::/32
Infrastructure 2001:4d98::/32
- Routed to Internet: 2001:4d98::/34
- Reserved
- Not routed to Internet, internal only: 2001:4d98:8000::/34
- Reserved
[Diagram: allocation from big chunks to small chunks: Datacentre /36, Datacentre reserv. /36, IP-Plus /40 ... IA Core /48, Mobile core /48]
- Organized by service, zone, network, device type (e.g. mgmt) etc.
- Default /48 per service or zone. Larger allocations require justification by an address concept.
- Geographical significance (if any) only within assigned block, local responsibility.
- Every service or zone is assigned an Internet-routed (x 16 ) and an internal-only (x ) block. Use according to need.
16 Deploy IPv6, help put Switzerland back on top!
- Belgium: 27.1%
- Luxembourg: 11.32%
- Germany: 11.15%
- Switzerland: 10.57%
IPv6. It's not an option!
17 Contact information
Swisscom AG, Martin Gysi, Network Development, Binzring 17, CH-8045 Zürich