IPv6 Performance. Geoff Huston APNIC Labs February 2015

Similar documents
Network Security: Workshop. Dr. Anat Bremler-Barr. Assignment #2 Analyze dump files Solution Taken from

Introduction of Intrusion Detection Systems

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

Firewall Firewall August, 2003

"Dark" Traffic in Network /8

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Network support for TCP Fast Open. Christoph Paasch

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

COMP 3331/9331: Computer Networks and Applications. Lab Exercise 3: TCP and UDP (Solutions)

JUNOS DDoS SECURE. Advanced DDoS Mitigation Technology

Internet Measurement Research

1 SIP Carriers. 1.1 Tele Warnings Vendor Contact Versions Verified SIP Carrier status as of Jan 1,

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Improving DNS performance using Stateless TCP in FreeBSD 9

Measuring IP Performance. Geoff Huston Telstra

NETWORK SECURITY WITH OPENSOURCE FIREWALL

Transport Layer Protocols

Troubleshooting Tips and Tricks

Lab 3: Recon and Firewalls

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Network and Services Discovery

Visualizations and Correlations in Troubleshooting

VPN. Date: 4/15/2004 By: Heena Patel

Challenges of Sending Large Files Over Public Internet

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

BlackRidge Technology Transport Access Control: Overview

Ignoring the Great Firewall of China

Using SYN Flood Protection in SonicOS Enhanced

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

How To Protect A Dns Authority Server From A Flood Attack

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

FortiWeb 5.0, Web Application Firewall Course #251

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Polycom. RealPresence Ready Firewall Traversal Tips

Policy Based Forwarding

- Introduction to Firewalls -

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Traffic Monitoring : Experience

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Voice over IP. Demonstration 1: VoIP Protocols. Network Environment

EE627 Lecture 22. Multihoming Route Control Devices

Strategies to Protect Against Distributed Denial of Service (DD

Firewalls and System Protection

Investigating the IPv6 Teredo Tunnelling Capability and Performance of Internet Clients

The Fundamentals of Intrusion Prevention System Testing

Edge Configuration Series Reporting Overview

IPv6 Transport Support and Market Segmentations

Firewalls. Pehr Söderman KTH-CSC

Reducing the impact of DoS attacks with MikroTik RouterOS

Application Note. Onsight Connect Network Requirements v6.3

1. Firewall Configuration

Introduction to Metropolitan Area Networks and Wide Area Networks

Firewalls, Tunnels, and Network Intrusion Detection

co Characterizing and Tracing Packet Floods Using Cisco R

Firewall implementation and testing

Limitations of Packet Measurement

Solution of Exercise Sheet 5

CS514: Intermediate Course in Computer Systems

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST

Denial Of Service. Types of attacks

IP Anycast: Point to (Any) Point Communications. Draft 0.3. Chris Metz, Introduction

Dynamic Content Acceleration: Lightning-Fast Web Apps with Amazon CloudFront and Amazon Route 53

How To Prevent DoS and DDoS Attacks using Cyberoam

AKAMAI WHITE PAPER. Delivering Dynamic Web Content in Cloud Computing Applications: HTTP resource download performance modelling

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

Chapter 3 Using Access Control Lists (ACLs)

IxLoad-Attack: Network Security Testing

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Firewall Defaults and Some Basic Rules

IP Office Technical Tip

ACHILLES CERTIFICATION. SIS Module SLS 1508

TEST METHODOLOGY. Data Center Firewall. v2.0

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Project 4: (E)DoS Attacks

ReadyNAS Remote White Paper. NETGEAR May 2010

Microsoft Present and Future

On evaluating the differences of TCP and ICMP in network measurement

Automated Mitigation of the Largest and Smartest DDoS Attacks

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

Transcription:

IPv6 Performance Geoff Huston APNIC Labs February 2015 #apricot

What are we looking at: How reliable are IPv6 connections? How fast are IPv6 connections? #apricot

What are we looking at: How reliable are IPv6 connections? How fast are IPv6 connections? #apricot

The Measurement Technique Embed a script in an online ad Have the script generate a set of URLs to fetch Examine the packets seen at the server to determine reliability and RTT #apricot

Measurement Count #apricot

Measurement Count #apricot

Measurement Count Log Count #apricot

What are we looking at: How reliable are IPv6 connections? How fast are IPv6 connections? #apricot

Let s dive into Naked SINs! Y #apricot

Connection Failure Outbound SYN client server Busted SYN ACK Return path #apricot

Compare two data sets The first data set has been collected across 2011 Teredo and 6to4 were still active as IPv6 mechanisms Little in the way of other IPv6 services The second data set has been collected across 2015/ Missing comparative IPv4 data for the period September October L #apricot

2011 - Measuring Failure #apricot

2011 - Relative Connection Failure Rates #apricot

2011 - Relative Connection Failure Rates And why is the V4 relative failure rate dropping over time? #apricot

What is going on with IPv4? #apricot

What is going on with IPv4? The failure rate for V4 decreases as the volume of experiments increases which implies that the number of naked SYNs being sent to the servers is not related to the number of tests being performed. Aside from residual IPv4 failures in the image fetch due to device resets, connection dropouts, etc, the bulk of the recorded failures here is probably attributable to bots doing all-of-address scanning on port 80 or maybe not! #apricot

What is going on with IPv4? Syn attacks? #apricot

What about IPv6? Local Miredo Relay Failures Why is the base failure rate of all IPv6 connections sitting at 40%? This is amazingly bad! #apricot

V6 Failure Rate by Address Type Teredo All V6 Average 6 to 4 Unicast #apricot

6to4 Failure is Local Failure 6to4 failure appears to be related to two factors: 1. The client s site has a protocol 41 firewall filter rule for incoming traffic (this is possibly more prevalent in AsiaPac than in Europe) 2. Load / delay / reliability issues in the server s chosen outbound 6to4 relay (noted in the data gathered at the US server) Even so, the 10% to 20% connection failure rate for 6to4 is unacceptably high! #apricot

V6 Unicast Failures January March 2012: 110,761 successful V6 connecting endpoints 6,227 failures That s a failure rate of 5.3%! 7 clients used fe80:: link local addresses 7 clients used fc00:/7 ULA source addresses 2 clients used fec0::/16 deprecated site local addresses 16 clients used 1f02:d9fc::/16 Nobody used 3ffe::/16 prefixes! #apricot

Data Set 2: Connection Failure in 2015/ January 2015 January 40,359,805 IPv6 endpoints 1,361,256 Failure rate (3.37%) #apricot

Daily IPv6 Failures #apricot

Daily IPv6 Failures RIP Flash! HTML5 + TLS + Mobile Devices #apricot

6to4 7,693,849 6to4 endpoints 19% of all IPv6 used 6to4 9% failure rate within the set of 6to4 connections #apricot

Daily IPv6 Failures #apricot

Daily IPv6 Failures 6to4 failure rate has improved from 15%-20% in 2011 to 9% in 2015 Teredo has all but disappeared Unicast failure rate is between 1.5% and 4% in 2015 Current unicast failure rate is 2% #apricot

Killing off 6to4 Proportion of IPv6 connections using a 6to4 address #apricot

IPv6 Failures Sep 2015 Jan 20,872,173 unique IPv6 Addresses 464,344 failing IPv6 addresses 142,362 6to4 addresses 138 teredo addresses 68 fe80:: local scope addresses 834 unallocated addresses 1,244 unannounced addresses 319,698 addresses from unicast allocated routed space 216,620 unique /64s #apricot

Origin AS s with High IPv6 Failure Rates AS Failure Samples AS Name Rate AS13679 97.33% 374 Centros Culturales de Mexico, A.C.,MX AS201986 93.69% 222 ARPINET Arpinet LLC,AM AS17660 65.14% 1,374 DRUKNET-AS DrukNet ISP,BT AS10349 60.29% 763 TULANE - Tulane University,US AS21107 46.97% 692 BLICNET-AS Blicnet d.o.o.,ba AS20880 42.65% 762 TELECOLUMBUS Tele Columbus AG,DE AS12779 36.70% 109 ITGATE IT.Gate S.p.A.,IT AS46261 35.64% 101 QUICKPACKET - QuickPacket, LLC,US AS9329 35.29% 119 SLTINT-AS-AP Sri Lanka Telecom Internet,LK AS52888 27.92% 265 UNIVERSIDADE FEDERAL DE SAO CARLOS,BR AS30036 27.55% 60,228 Mediacom Communications Corp,US AS45920 25.77% 163 SKYMESH-AS-AP SkyMesh Pty Ltd,AU AS210 25.04% 571 WEST-NET-WEST - Utah Education Network,US AS28343 24.57% 985 TPA TELECOMUNICACOES LTDA,BR AS7477 21.72% 488 TEREDONN-AS-AP SkyMesh Pty Ltd,AU AS24173 21.48% 256 NETNAM-AS-AP Netnam Company,VN AS28580 21.48% 1,341 CILNET Comunicacao e Informatica LTDA.,BR AS32329 20.63% 126 MONKEYBRAINS - Monkey Brains,US AS17451 19.35% 248 BIZNET-AS-AP BIZNET NETWORKS,ID AS5707 19.35% 155 UTHSC-H - The University of Texas Health #apricot

Origin AS s with Zero Failure Rates AS Fail Rate Samples AS Name AS3676 0.00% 2,149 UIOWA-AS - University of Iowa,US AS55536 0.00% 1,548 PSWITCH-HK PACSWITCH GLOBAL IP NETWORK,HK AS57026 0.00% 1,188 CHEB-AS JSC "ER-Telecom Holding",RU AS133414 0.00% 1,179 FOXTEL-AS-AP Foxtel Management Pty Ltd,AU AS18144 0.00% 1,179 AS-ENECOM Energia Communications,Inc.,JP AS196705 0.00% 936 ARDINVEST Ardinvest LTD,UA AS21191 0.00% 816 ASN-SEVERTTK TransTeleCom,RU AS1239 0.00% 734 SPRINTLINK - Sprint,US AS56420 0.00% 717 RYAZAN-AS JSC "ER-Telecom Holding",RU AS33070 0.00% 656 RMH-14 - Rackspace Hosting,US AS51819 0.00% 651 YAR-AS JSC "ER-Telecom Holding",RU AS27357 0.00% 625 RACKSPACE - Rackspace Hosting,US AS7233 0.00% 623 YAHOO-US - Yahoo,US AS20130 0.00% 606 DEPAUL - Depaul University,US AS49048 0.00% 604 TVER-AS JSC "ER-Telecom Holding",RU AS25513 0.00% 481 ASN-MGTS-USPD OJS Moscow city telephone network,ru AS53264 0.00% 426 CDC-LMB1 - Continuum Data Centers, LLC.,US AS29854 0.00% 392 WESTHOST - WestHost, Inc.,US AS13238 0.00% 391 YANDEX Yandex LLC,RU AS10359 0.00% 372 EPICSYS - Epic Systems Corporation,US #apricot

What about IPv4 Connection Failures? 2011: failure rate 0.2% #apricot

What about IPv4 Connection Failures? 2011: failure rate 0.2% 2015: 446,414,857 IPv4 endpoints 1,166,332Connection Failures (0.26%) #apricot

IPv4 Connection Failure Missing PCAP data #apricot

Comparison #apricot

Comparison: Unicast #apricot

Comparison: Unicast #apricot

Comparison Ratio: Unicast #apricot

It s still not good! IPv6 Unicast Failure rate: 1.6% (falling) IPv4 Failure rate: 0.2% (steady) #apricot

What are we looking at: How reliable are IPv6 connections? How fast are IPv6 connections? #apricot

Why SYNs? Every TCP session starts with a SYN handshake It s typically a kernel level operation, which means that there is little in the way of application level interaction with the SYN exchange On the downside there is only a single sample point per measurement #apricot

Generating a comparative RTT profile For each successful connection couplet (IPv4 and IPv4) from the same endpoint, gather the pair of RTT measurements from the SYN-ACK exchanges Use the server s web logs to associate a couplet of IPv4 and IPv6 addresses Use the packet dumps to collect RTT information from the SYN-ACK Exchange Plot the difference in RTT in buckets #apricot

2012 Data #apricot

2012 Data Number of samples (log scale) IPv6 is faster Unicast 6 to 4 IPv6 is slower Teredo #apricot RTT Difference (in fractions of a second)

December 2015/January Number of samples (log scale) Unicast IPv6 is faster IPv6 is slower #apricot RTT Difference

December 2015/January Number of samples (log scale) IPv6 is faster 6to4 IPv6 is slower #apricot RTT Difference

December 2015/January Number of samples (log scale) IPv6 is faster IPv6 is slower #apricot RTT Difference

2015/6 RTT Data CDF Proportion of samples IPv6 is faster Unicast IPv6 is slower 6 to 4 #apricot RTT Difference (millisecs)

2015/6 RTT Data CDF Proportion of samples IPv6 is faster Unicast IPv6 is slower 6 to 4 RTT Difference (milliseconds) #apricot

2015/6 RTT Data CDF Proportion of samples IPv6 is faster Unicast 13% of samples unicast IPv6 is more than 10 msec faster than IPv4 IPv6 is slower 32% of samples unicast IPv6 is more than 10 msec slower than IPv4 6 to 4 Zero point is 0.44 RTT Difference (milliseconds) #apricot

Is IPv6 as good as IPv4? #apricot

Is IPv6 as good as IPv4? Is IPv6 as fast as IPv4? Basically, yes IPv6 is faster about half of the time For 65% of unicast cases, IPv6 is within 10ms RTT of IPv4 So they perform at much the same rate But that s just for unicast IPv6 The use of 6to4 makes this a whole lot worse! #apricot

Is IPv6 as good as IPv4? Is IPv6 as robust as IPv4? IPv4 connection reliability currently sits at 0.2% The base failure rate of Unicast V6 connection attempts at 1.8% of the total V6 unicast connections is not brilliant. 6to4 is still terrible! It could be better. It could be a whole lot better! #apricot

Is IPv6 as good as IPv4? If you can establish a connection, then IPv4 and IPv6 appear to have comparable RTT measurements across most of the Internet But the odds of establishing that connection are still weighted in favour of IPv4! #apricot

That s it! #apricot

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information