These are unedited transcripts and may contain errors.
Plenary session on Tuesday, 14th of May, 2013, at 11a.m.:
BRIAN NISBET: Hello. Good morning. Good morning. And welcome to the second plenary session this morning so, if you can all, please, take your seats or take a seat, we will begin.
Just to let you know, although it's not terribly relevant to people who are already sitting in this room, we have open the room next door as an overflow room, and the video will be played in there, although if you wish to ask a question, you will have to either do so via Jabber or come in here and go to a microphone.
So, I am Brian, this is Osama, who will be chairing the sessions this morning and we are going to start with Thomas Weible from flexOptix on FTTx, find the technology.
THOMAS WEIBLE: A company which is specialised in optical transmission technology, especially when it comes to pluggable transceivers, and I did a little bit of comparison today which I want to present, about to-the-home installation, especially for the transport part.
Yes, the basic structure I want to discuss today here, I draw a small infrastructure, small architecture, on the left side we have our core network, that is where all the big data is, we take a feeder line which is fibre optic cable to a distribution point, could be a POP or -- from there we distribute out the traffic to our subscribers in the tiny blue houses where our grandmother sits and she wants to buy her socks online. There are different technologies to do this and the first I want to start with is PON. What does this acronym stand for? Passive Optical Network, and it can be in all kinds of variations, there are some digits, we have got the E which is Ethernet and if there is no E it's not Ethernet, this is ATM technology then. If we have got the G, it stands for gigabit and combined with the 10 you have 10 gigabit. That is basically it. You can make all kinds of combinations, you can make cheap, this is something broadly used which is gigabit Ethernet PON or if it's just plain G-PON it's going to be gigabit PON but based on ATM technology.
Now, the interesting part about PON is not the combinations of those acronyms, it's more what is inside our street cabinet. I am going to show it like here. This is our street cabinet and inside that or the POP we do have a passive optical splitter, it takes a signal from one input and splits it out on two outputs, that is the basic function. Now, you can compare this with a Y-piece which is attached to your water tap and on one outlet you are going to attach a washing machine and on the other one a second washing machine, for example. Why you want to do that, maybe for redundancy? Your mother can wash all the socks she bought online.
Now, the nice thing about splitters is you can cascade them, so two outlets is a little bit less. When you cascade them up to a layer of seven splitters you can have 128 outputs and on every single one you can connect a subscriber, so you have got a split ratio from one to 128 with one single optical signal. That is pretty nice. On the other side there is a drawback. Every splitter divides the signal strength in half, and that means in total, in dB of loss, every splitter has 3dB of loss. Now, in our single path. Now, when you have seven cascaded splitters behind each other, a loss of 21dB which is quite a high attenuation in your fibre optic network. That also leads to a point that you only when you want 10 gigabit and do a little bit with amplifiers, you can reach for the feeder line and the distribution line up to 20 kilometres of reach and that is basically for sure if you go down to one gigabit, the distance is going to be longer.
Now, PON has this nice thing that we have one signal, we can distribute it out to a whole bunch of subscribers but everyone gets the same signal. We would like to avoid this because I don't want to have the data which my neighbour gets and he doesn't want the data which I get. How is this done? In the PON environment there are two new terms called the optical network unit. This is basically a CPE, which you know from the DSL, for example, on the other side, the counterpart is the OLT, optical line termination and they both play together. They have an implementation of the multi-point protocol which takes care every dedicated ONU gets the payload which is intended for it. In the downstream path, coming from here, from our core network, the OLT does encryption and tagging and so every single ONU gets its tagged frame, for example.
Now, on the other way around coming from the ONU up to OLT, upstream path, we have to ensure not on ONUs send at the same time because if we assume the probability is quite high when we have 128 ONUs going to send at the same time, but the probability is quite high that this will happen and in a fibre optic network that can only be light or no light and if there is only light, there is no signal any more or it's a signal with a single one very long.
So, the multi-point control protocol is doing a token-based algorithm so every ONU gets a dedicated time slot which some people I assume know from the ATM world, that every single ONU is only allowed to transmit on a certain time slot and that is how the PON environment or the PON technology makes sure that the media is always clear and every single ONU can transmit when it has to.
But, bear in mind it's also important for later on when we compare all three technologies, which I show now or the next two ones, that it's a shared media, it's comparable with wireless LAN.
Now, this is the first one. The second one, it's Active Optical Network, and that is something I assume quite a lot of you, when you run a network in these days, are familiar with. The first one is, we stay with our, we stick to our street cabinet here, but there is no splitter inside any more. Basically, what we do is place a switch, a Layer 2 switch inside the street cabinet and we start from there, to distribute our traffic out to the subscribers and we get all the nice benefits of today's Layer 2 switches, you can plug in any type of optics and reach up to 80 kilometres if you want to and same for upstream path back to your core, plus 80 kilometres, depends how long you want to go.
And the next good thing here, you are not bound to the physical boundary of the splitter. If you have more than 128 subscribers attached to your street cabinet or to your POP, you can just fill your street cabinet up with switches and get more ports in there, and the physical boundaries basically, the side of the street cabinet or actually the power which you get in the cabinet and get it out again, I mean if there are a whole bunch of switches in there it's going to be quite hard.
A second variant, how to do this set-up, if you for example have no power in the street cabinet, is you take the switch and move it more to the core facilities so you concentrate all your switches in your core facility, and within the street cabinet it is really important that there to patch it through so there is -- it's still again a passive solution than here. And if you, for example, don't want to patch too many patch cords, a good attempt here is to do it with bidirectional, so a single fibre solution, and you can then serve all the distribution lines straight ahead from the feeder line. What you see here for sure you need way more feeder lines than the first one, you need in the first solution from the AON world or the PON environment. The good thing is when you concentrate all like it's going to be here in -- when you concentrate all your switches at a central point you can run different types of applications, if you have a whole bunch of customers serving one gigabit but a couple of them want 10 gig this is quite handy because you can concentrate it and have way more subscribers want this high bandwidth service than just when it's in the street cabinet.
So, that is -- this was basically the introduction of the three technologies. When we compare them, when we -- when we compare all three of them together, there is definitely the nice benefit of the PON and the AON environment that we need a single feeder line, we only need one of them and this is cost-effective in terms of if we, for example, don't own the fibre. But, also, when we look at our subscribers, there is one really important thing you should bear in mind on the PON environment, that is because it's a shared media. If you have one CPE inside your PON environment for one path or one branch actually, and this makes trouble either by purpose because someone played around with this ONU and he likes, and if it fails for any reason, this can cause you a whole bunch of trouble in your network, especially in the upstream path. Because the Layer 2 protocol, the MPCP can only handle on the protocol level if there is one laser inside your network which just bursts your network, the splitter -- bursts into the splitter and that is pretty simple with a laser, just turn it on and don't turn it off anymore, and so the entire upstream path is broken and this is quite tricky at this stage.
Now the other point is, if you want to serve this poor guy here, he wants to have a higher bandwidth, then the other guys there, they are quite happy with the gig they get from you and if this poor guy wants 10 gig, for example, he is stuck to the solution you have installed at the moment. If you want to serve him higher bandwidth you have to duplicate your entire environment, especially in the street cabinet plus the backhauling done in your core. The same applies for the AON world when you put a switch inside the street cabinet, to get there, that you serve another customer a higher bandwidth, you have to add a second switch, for example, and it may be sometimes it's only just for one or two customers which is a high at this stage.
Now, a nice interesting variant is also in the AON world to do this with bidirectional straight out of your core. For sure we need a whole bunch of feeder lines but the good thing, as you concentrated it in a single point you can offer different services, either the 10 gig solution or 1 gig solution, it's really -- it's really more flexible.
Now, this was mainly the technology I had a look at the moment. Now, I ask myself, hey, OK, which technology is currently used in the environment here in Europe, basically, and what I did, I travelled a little bit around and had a chat with some people from the audience, I assume so, too, in different network operator groups in different countries and asked them some basic questions about the structure of their network at the moment, if they have street cabinets, do they have power inside, and how long are the fibres at the moment, for example, for the distribution set-up, and do they use PON at the moment, and the picture was pretty interesting, and I am going to show now the result of my six month survey.
So the summary was basically Germany, Switzerland, Sweden, Ireland and England, and it was quite interesting because in all countries it was almost the same, there was actually no PON, there was a little bit PON, I don't want to say there was zero but there was a little bit and it was mainly done by the incumbent, but smaller ISPs they did no PON at all, they went for the active solution and with bidirectional straight from the core because it was pretty simple to do it and it was not a technology decision, it was more an administrative issue, because if you don't own the fibre and if you don't own the street cabinet it's quite hard for you to get the set-up done, so it's very easy to do this in the facility where you have access to and you can install your active gear and just rely on the rendered passive equipment there.
All street cabinets in these countries do have power so it would be technically possible to place a switch inside the cabinet and the distance is also not a big issue because the longest fibres people had in the distribution layer was five kilometres, even less, actually, sometimes the majority was one to three kilometres, so the longest line was five kilometres long until the next street cabinet or POP and I think that is a really interesting picture here, so from the technology point of view you can do all three solutions and now you have to get along with your incumbent or the people who own the fibre so that you get access to it.
Yes, and that is basically the end of the presentation. I hope you found part of the technology which could be interesting for you and if you don't consider about the FTTH, FTTx environment and more consider about your core, is now available and we are pretty happy about this. Thank you very much.
(Applause)
CHAIR: Any questions? Questions anyone? No questions. So we have got one question there. You are just trying to find a seat, sorry. Any questions? Right. Thank you. Oh, excellent.
Blake Willis: Neo telecoms. In your survey of operators did you find, in these Layer 2 street cabinets, did you find any carriers using MPLS boxes at that level or was it L2 ring topology or PBT, PP, whatever that nasty thing is called, type technology?
THOMAS WEIBLE: It was mainly Layer 2 gear directly so there was not a lot of higher intelligence up there, some people go for open access and, yeah...
CHAIR: Any other questions? All right. So, thank you, Thomas. I'd like to say a couple of words about the rating. So how many of you here rated yesterday, rated the talks yesterday? Oh, that is pretty good. Actually, I think some of you are lying. We need more of you to rate, please. We need more ratings, please, because it helps us actually improve the content. If we did a good job it tells us and if we didn't it tells us that we didn't and we can improve on that. Please rate. We have an incentive, we have the voucher, the 100 euro voucher, and we did have a winner for yesterday, the winner is Oskar Stenman. You can get it from Serge or from the team at the NCC, so if you want to be a winner today, please, great, but that should not be your objective, honestly. Your objective should be actually improving the material for the community. That is what you -- should be your objective. Actually, it's pretty easy to do, if anybody was here last time I did a demo, it was really fancy and pretty easy to do and we are working on the command line interface for this survey but that is still, that is still in the pipeline so there is no hurry on that. Thank you, Thomas. So our next speaker is Chris Grundemann from ARIN, going to be talking about the future of home networking with the HIPnet solution.
CHRIS GRUNDEMANN: Thank you. Yes, I am going to talk about home networking which is something a little bit new for me, I have been working on big networks for a long time and so looking at the little networks is a little bit odd and maybe for some of you as well. But I think that that is where a lot of innovation is happening and a lot of things are changing there. If we start by looking at -- last draft on this solution so after I go through it, it's a draft, you can take a look there. I have got all the authors listed here so the content in the draft, if it's brilliant, credit goes to all of these guys and if the slides are horrible that is my fault.
So, starting with what we have seen in the past, why home networks are kind of maybe overlooked and seem very simple is, a single home LAN and ISP and home gateway, you are done. And maybe somebody puts in an extra router because they want to get wi-fi access or they need more switch ports and add another router and today with IPv4, that just kind of works, you stack the NATs and it's not the best, service discovery breaks, some other things break because you are double NATing through your house, segregated by NAT pools, but it works. Now we have added IPv6 or are starting to add it, you basically have a bigger problem because there is no NAT which means there is no mechanism built in for the second LAN to be populated within the home.
And beyond that, we are starting to see a lot of use cases emerge in home networks, so just starting with the first thing is people are starting to realise they have all kinds of data on their home computers they don't necessarily want visitors to have access to, photos, tax documents, so they need a guest LAN to provide visitors with Internet access without providing them access to their home LAN and all that information. Things like community wi-fi, where service providers are starting to leverage to provide services to other folks outside of the home, are starting to pop up. Smart grid things, security monitoring and automation, IP enabled devices throughout the house. The idea of starting to look into multi-homing and various ways of doing it, IP video sources, maybe you have a feed for IP video and another feed for data or multiple feeds for data as communication for the home is becoming more and more important. IP streaming from outside the home or within, media being shared within the home and from outside the home on the IP layer. Telecommuting picking up in a lot of places and for a lot of companies so there are additional requirements on the home network and then just the basic idea of the ever-increasing number of devices in the home, you have got all kinds of phones, tablets, PCs, TVs now connected, maybe a gaming station or multiple of them and then beyond that not only is it IP connectivity and wi-fi but heterogeneous access technologies within the home like Zigbee or Bluetooth which are causing the need for additional routers in the home or gateways to translate between these services.
So moving forward, starting to have additional routers and additional networks in the home is becoming more and more common or at least will over the next several years. You may have a home entertainment gateway that provides IP connectivity to your TV, stereo receiver and all of these things. Maybe also an IP sensor gateway, so you can do monitoring within the home, security system as well, video camera system, home appliances, perhaps your fridge, and all these start to have IP connectivity enabled as they have computers added to them to track home inventory of groceries. And also again these technologies like Zigbee in this example where you have an additional gateway to bridge the gap between those and the IP network. It talks about the guest LAN as well or perhaps community wi-fi and additional LANs within the home and we see this explosion of complexity within home networks. Which isn't necessarily that complex compared to big networks but home users aren't typically network operators, outside of this room most of the folks who are running it have no idea what IP even stands for and so we can't expect them to be configuring as they become more complex, they have to be self configured and have to work on their own out of the box. And so, that is where this HIPnet home network solution comes in as kind of a near term solution to this problem. By creating a self configuring routing architecture for the home that can operate in these increasingly complex home networks, doesn't require user interaction, in most cases, leverages protocols so not nursing new protocols into the home that could be new holes and bugs and brokenness, reusing in new ways and doesn't need a routing protocol. This would be fairly simple, multiple routers, your grandfather or your cousin may not be the best at troubleshooting that or operating that network once you have introduced that.
Also the home networking group within the IETF has already laid out principles and some ways these things should work and this solution meets those principles. And we started with this set of common principles on how to do this. The first one I think is the most important, home networks will become more complex but home users will not.
The second one is invoking a God box leads to religious wars. You are going to have all these extra devices in the home, let's build a cool router that sits in the front of the house and takes care of everything. That doesn't quite work because you can't control users and stop them from going out and buying another router and adding it to the network and also, if you are getting different services from different vendors and different protocols it's very, very hard to get one box that everyone can agree on that will actually operate and run all of these services. New protocols bring new problems. There are things tried and true in the home network that seem to work and we should continue using those as much as possible. Efficient distribution of addresses within the home is probably not as big of a deal with IPv6, we have enough addresses we can do these things and when the corporates here we are using the suite of tools available to us through the IPv6 protocol suite, and then supporting IPv4 as well obviously because that is going to need to continue to work for quite a long time in the home.
Luckily, IPv6 is being deployed, we are seeing more and more of it. Home networks are also growing today so we need this solution today, it would be great if we already had a solution in place. The basis of this is on RF, it provides that baseline but needs to grow beyond that. And the HIPnet solution, we have running code, we have some undergrads from the University of Colorado, they came back with a working prototype, so it's fairly simple, we demonstrated it at the last IETF, I don't have it with me today so you have to take my word but it works. And the way it works is again through the self organising that we are calling directionless routers. And then recursive prefix delegation using hierarchical routing and we have got a little bonus, this multiple IP family support. And so we have a solution that is basically dead simple but can support arbitrary topologies, multi-homing discovery, all the things a home network needs to support.
So the first part is what I am calling directionless home routers and these are fairly /SEUFRPBLGS every router that we use in a core network or access is directional, any port can go any direction, forward packets in and out however you want. Home routers haven't been that way and physically separated from dedicated LAN ports and so there is an up and down basically on the router built in. And when you know folks are picking these up at their favourite retailer and plugging them in, they will have no idea about networking, it's very, very easy for that not to be connected properly and so the idea of the directionless home router is it's just got ports on it and people can take them home and plug them in however they want and it's going to figure it out. The way it does it is by sending router solicitations, we are not using wi-fi as an up link, configure that manually. And any interface that receives a router advertisement back considers that a candidate up interface so that is a potential route to the Internet. It knows it has a router attached to it by receiving the router advertisement, and it's going to evaluate those offers and use a simple algorithm to decide which one it's going to pick as up interface. If there aren't any received it could create a /48 space, so how it decides which interface to use, it's going to prefer a valid global address over something that has got a lifetime of 0 or doesn't get a valid prefix back on. Use an internal prefix preferred over external and that gets into the multi-homing stuff, but basically we are doing a check, we are assuming that ISPs are handing out the interface addresses for customers from a separate pool than they are handing out the prefix pool, so basically it just checks and says OK, is the prefix I received within the same /48 as the interface address I received?
And if not, then I assume I am getting those addresses from an ISP, if they are from the same I can assume it's the same /48 so it's within the home network and it's an internal prefix. And then the largest prefix, as you will see as we work through this, is going to come from the router that is closest to the Internet because as you do recursive prefix delegation each is grabbed, broken up and handed down. So the biggest prefix is probably closest to the Internet. Look at link type and bandwidth at the first response or the lowest numerical prefix so it's deterministic and you always have an up interface, something you know is pointing towards the Internet. So, an example quickly here, if these two routers are connected to each other and we add another in the middle, it receives back advertisements from both routers. It's going to send out DHCP requests and R1 replies and then R3 replies and so he is going to pick the first one that is his up route, fairly simple. A little bit more complicated example, if you install a router here where he is connected to three other routers that are kind of meshed up, skipping over the router advertisement stuff, he sends out his PD requests, all to all three routers, receives back responses and in this case R1, because it's connected to the ISP, he received a /56 so he is breaking that up on nibble boundaries, the others have their /60 from R1 so they can only offer a /64 so R2 knows that is my interface, that is how I get to the Internet.
It also works for rearranging, if you move routers around within the home. So we take R4 and put him up on top, plug him in, he sends out router solicitations, R1, because he considers that his up interface, he is not going to send an RA, so only from the Internet, and R4 sending those out will trigger him to realise now I have a new up interface but a new router and now we have a new customer router at the edge connected to the Internet. And then there are some backup slides after that get into the multi-homing example and failover and how that might work. Basically what you have here is any arbitrary physical topology, loops, redundant links, however it might work and through this process of this up detection as we are calling it you basically build a logical hierarchy, so a physical mess into a logical hierarchy which allows you to do recursive prefix delegation and that is very simple, recursively delegating prefixes, so at the top it receives a prefix from the ISP, breaks it up, hands chunks down, smaller prefixes down to the routers below him and they do the same thing and you populate out routes. This is based on RFC 3633, just prefix delegation, and was inspired by, there was a draft in the IETF that talked about this, kind of refined the rules of how to do this.
So, the question then is how do you break up the prefix, how do you know -- what prefix you get, how do you know which size prefix to hand out below you? And the algorithm we are using is basically what I am calling width optimisation, width is basically the number of directly connected downstream routers connected to any router and depth would be the number of routers that can chain together down through the home network. And we are basing it on the number of interfaces on the router as a proxy for the width of the network so with 8 physical interfaces it can have a greater width, versus a router with four ports can only have four connected into it and you could have a switch in there and there are other ways to get around this, it's a fairly good proxy and works most of the time. Based on the prefix you receive and the number of ports you have you can figure out how many bits to use to break up the prefix and hand it down to give you the best fit for the network you are operating in.
Then the end result of taking the prefixes, doing the up detection, building this logical hierarchy and doing recursive delegation, you end up with a very simple hierarchical routing table. So you have your up route pointing towards the Internet and then everything else is the prefixes you handed down, you install a route so I handed X prefix to Y router and I saw that route there. And it's fairly simple and doesn't need a routing protocol and everyone understands how to route without user intervention.
The next thing that I think is fairly neat anyway, is that because you have got this hierarchical prefix table and everyone kind of understands what is going on below them, you can use this recursive prefix delegation to support other address families. And the way, which may be unique local addresses or a second group of prefixes if you are doing multi-homing or IPv4 needs to be routed in this home network as well. We are calling it link ID, 8 or 16 bits that is extrapolated from your prefix and these additional prefixes are matched up with the first one. To look at this, we start with your global prefix, your global address on the router, the first 48 bits are probably going to come from the ISP, 48 bits or more are going to be the prefixes handed to that home from the ISP, so you can kind of ignore those and obviously the right so again those aren't very useful for actual prefixes on networks. Those middle 16 bits become interesting because if you take a /48 of ULA space for example and move those 16 bits down you now have a matching ULA prefix without communicating with any routers around you and they understand you are using that /64 because it's the same 16 bits in the GUA space, 10./8 if you add 16 bits on that you now have a /24, and so routing again can work for multiple address families without a routing protocol or any communication between the routers just based on the fact this prefix has been announced through the tree and you are going to be using the same link ID for the prefixes on any given link and install the hierarchical routing table on all the routers as it goes down without communication or anything else needed there.
And then the multi-homing, I want to gloss over really quickly, there is not enough time but we see three basic use cases for multi-homing, one is the special purpose which I talked about a little bit, it may have one connection for your data pipe and another service provider for IP video and in that case we think it's probably a managed service, the ISP or whoever is providing it is going to help you set it up so that is not a case that is necessarily in scope for a self configuring home network, it's going to be special purpose and configured. The backup is the default case, if you have two ISPs, it will failover between them and this is the -- the way the algorithms are set up, with the internal and external, if there is already an Internet connection in the home prefer that one and if that goes away shift over to the other one. There is no recursiveness so it doesn't fail back but at least you have two Czechs and you can use them both in the case of a failure. And true multi-homing where you have active active, there are some ways this solution works for that as well, especially if the two routers are on the same LAN and also if you are doing one router is on another LAN from the other one, you can have a subset out to VPN connection or everything else, there are some slides in the backup if you are interested in how that might work, you can drill into that.
So basically, the HIPnet solution here is the directionless home routers using up detection to create a hierarchy, populate your routing tables and using the link ID to add multiple address families, which results in a hierarchical routing where everyone understands the routing of the topology without any additional protocols or communications. So we think this is the next step in home networking and there may be things beyond this, once you have used this as your base for a self configuring home network you could add a routing protocol if you wanted to and utilise those extra links and go beyond that as well but this being the next step in not having these stacked NATs within the home but still enabling multi-router topologies as home networks become more complex. I sped through that fairly quickly. But I am willing to take any questions.
BRIAN NISBET: Do we have any questions for Chris? We have plenty of time for questions so if you want to dig in, please do.
GERT DORING: Hello. Two questions, actually, one is, is there running code for this, because this is really cool, I want to see this and buy this? Is there any vendor having sort of like -- actually, the thing is, right now, I am wondering about recursive DHCP PD because I have not seen even that part. The up port detection is more advanced, but recursive detection would be interesting to see.
CHRIS GRUNDEMANN: One of my day jobs is at CableLabs, it's the eRouter specification, which is basically a router embedded with a cable modem, and so the recursive delegation is built in there, and I know that I have seen a prototype at least from Broadcom, so this is starting to happen right now. I don't know of any shipping product that has it today, but we do have an OpenWRT code load that I haven't been able to post publicly yet and we are working on the legal side of that. There is code in existence, it's not available yet, and there are products being developed right now that will do these things.
GERT DORING: That is great. I am really looking forward to the OpenWRT code to give this a good beating. Something else, where I admit I have been too lazy to look it up: when you do recursive DHCP PD and the upstream prefix changes, is there a mechanism in PD to actually propagate that down, like this old prefix is gone now, without having a five-minute timeout and the downstream router come back?
CHRIS GRUNDEMANN: It's still kind of an open issue, you have the router advertisement mechanism where you can use your --
GERT DORING: In the ??
CHRIS GRUNDEMANN: It's tied together in most cases so it ignores that, so that is still an open question in my mind way.
GERT DORING: So there is no DHCP to tell the downstream router oh prefix gone.
CHRIS GRUNDEMANN: You can reconfigure and ask it to look but it doesn't have to listen to you. There is mechanisms there but no hard sure way to make sure that works every time.
GERT DORING: That might need to go into the requirements as well?
CHRIS GRUNDEMANN: For sure.
GERT DORING: Thanks for explaining that.
AUDIENCE SPEAKER: Why do you restrict this technology to home networks? There are many small companies who have no IT department, who have no idea of dynamic routing, maybe if you -- a few static routes, which should be suitable for them as well. Do you think of extending it?
CHRIS GRUNDEMANN: Absolutely. There is no reason why this couldn't be used in small businesses, small offices, and even small enterprises. That was not necessarily the target when we were looking at putting this together, but it's absolutely a potential use case and there is nothing stopping that from happening, so basically the idea is this would be in your commercial off-the-shelf routers, the routers you would go buy at a regular big box store, and those enterprises that go and buy them would get this inherited, basically.
AUDIENCE SPEAKER: Steve Nash. As an individual, I am dual homed and one problem I have is SMTP blocking by my e-mail provider, so that is a problem that still needs fixing.
CHRIS GRUNDEMANN: Absolutely. And the other thing with multi-homing is there is a bigger question there too, because that is one place, at least in the residential market in the US, one place where BCP 38 is actually enforced, where these ISPs won't allow you to send traffic on to their network with source addresses from another person's network, so that is still kind of an open problem. So even if you have this mechanism to self-configure, multi-homing still gets a little tricky, and personally at least at this point I see true multi-homing as something where you have a little bit of clue or hire someone to do a little bit of configuration; it's probably not going to be something you are going to expect to work out of the box. There are some tricky points there for sure.
AUDIENCE SPEAKER: Question: Could you please elaborate on security aspect of it. Is there any requirements on build and default filtering?
CHRIS GRUNDEMANN: Yes, basically it's just typical home network stuff, but you know, our idea would be just to have a basic firewall on by default on the customer router, whatever router it decides once it realises it's attached to the ISP, by internal versus external prefix check or some other method: firewall turned on by default, and of course it would be the only one to add IPv4 NAT as well. The internal routers, I think there is a question there as to what they want to do; some for example would like all firewalling to be turned off within the home and others think there should be some within the home. If you have these dozens of devices in your home you may not want them to be able to infect each other, so some firewalling within the home, and that is an optional thing that is kind of per application, but a firewall at the edges is absolutely something that should be required.
AUDIENCE SPEAKER: Thank you.
GEORGE MICHAELSON: APNIC. We see somewhere north of 50 to 60,000 ULA prefixes a day in the reverse lookup tree, and that is from approximately 10% of the ASs in the global Internet, so it's somewhere around 4,000 different ASs that are originating these requests. Do you have -- is there a HIPnet gone viral on OpenWRT or something, because I cannot explain why this many ULA would be so distributed unless it's something like you.
CHRIS GRUNDEMANN: No, luckily I can say that is not happening, I have been trying to get the code out and right now it's fairly locked down.
GEORGE MICHAELSON: Maybe it's your evil twin.
CHRIS GRUNDEMANN: It could be.
RICHARD BARNES: So your answer to the question about security was not what I expected, so what I am wondering is, it seems like this up/down discovery algorithm has some interesting -- has that sort of abuse of the algorithm security risk been considered in these?
CHRIS GRUNDEMANN: Not really, I mean so that, along with any -- regular Neighbour Discovery attacks and all the stuff that could happen on a home LAN if someone has access to the home LAN, then there is a lot -- physical access and they can plug a router in, there are a lot of problems there. It's one of the reasons why the wi-fi interfaces don't participate by default. You can't bridge in. But in general if you have allowed someone to attach to your home network with a router, you have some security problems already, right? So, you can't come from the ISP side and do those attacks, you would have to actually be in the home network.
RICHARD BARNES: It still seems like it might be -- I don't have full complete trust in everything in my network, like -- there is an idea of segregation in the network architecture because you have guest network things that are separate from other things, so it seems like all elements in the network aren't trusted to the same level, and so there may still be some potential for abuse here, so these questions might be worth considering, at least to elaborate on what the model is.
CHRIS GRUNDEMANN: Sure.
BRIAN NISBET: Any other questions? No. In which case, thank you very much, Chris.
CHRIS GRUNDEMANN: Thank you.
(Applause)
BRIAN NISBET: So, our third and final talk of the session this morning, all -- verging towards afternoon rapidly but not quite there yet, is IPv6 at Cisco Live 2013, a behind-the-scenes talk.
SPEAKER: So I am Andrew Yourtchenko from Cisco and I work as a technical leader in the area of IPv6 transition, which translates into garage mechanic, from educating partners and customers, to writing some prototype code, to doing hands-on at the various events, and today it's something that I wanted to talk about as a network engineer, about my experiences deploying IPv6 at a conference using network gear.
So, before we go to the technology aspects, I would like to tell in a couple of words what Cisco Live is. So all-in-all, it is an educational conference, the only thing is that it is geared towards a particular vendor. So there are a lot of various technology related talks and product related talks that happen and people listen to them and they do all sorts of things. From the network point of view, it is a fairly interesting network. So it is not so large, because usually it's just a couple of core switches, a few dozen distribution switches and probably two or three hundred access switches, and also the wireless network is not so large, so it is about 300 access points, so if you talk about your average wireless deployment on a campus that is probably a couple of thousand of them, right?
So, why this network is kind of interesting is that it comes and goes very fast. So the conference lasts for four days and all the crew comes four days in advance, so you have very little time to prepare for the conference. And also, as at any conference, IPv6 is really the vital part of -- IPv6 and wireless is a really vital part of it, because you need really the connectivity that is reliable to all the attendees, but before we can have IPv6 and before we can have any connectivity we need to have the service provider provide that to us, and I will give the word to Daryl Tanner, who was our service provider.
DARYL TANNER: Thank you. So, a quick introduction, I am Daryl Tanner, I am the lead IPv6 architect for Virgin Media. I believe Cisco had spoken to the facility where we provide IPv4 connectivity already, to ask them about v6. I believe they have spoken to some of our business account managers and no particular joy. And so they contacted me directly and asked in mid-October if we could provide native IPv6 for the conference. And at that time, we had an address block from RIPE, which was kind of useful, but we had no IPv6 transit in place, IPv6 wasn't allowed on the network, so as an architect I am not allowed anywhere near the production network, and the Ops and engineering guys kind of don't want to be woken up in the middle of the night because things aren't working, and v6 seems to have this concept that that is what is going to happen. There has been a lot of testing that has been going on and that testing still isn't complete. The security guys, they don't like IPv6, either. And the Ops guys just really didn't want to have to support this.
So, we had a little think about what we can do, and as I say, we already provide IPv4 into London Excel where the event was. I couldn't do IPv6 but they said, yes, that is fine if you want to, you can do Layer 2. OK, that is fine. What we kind of need then is a dedicated transit and transit router away from the v4 stuff and away from the production network but we can use Layer 2 so that is still kind of on production network. But nobody will actually see it because all they see is Layer 2.
So, we put a Layer 2 path into our new transit router and then Layer 2 down to London Excel and then from our transit provider, we put v6 through to the transit router and then to London Excel. The rest of it was kind of fairly plain sailing, really, it was BGP to advertise the routes to the outside world allocating a block for the event. And...
ANDREW YOURTCHENKO: That is where we got IPv6 from, and so that was fairly easy. But as I said, the wireless portion is something where the trick is to fall. So, the wireless code that we were using, the official support for IPv6, that is the parity with all the security features, started to appear, so that is not to say we did not do IPv6 before that, so v6 packets obviously were able to be bridged but you had to always sit and do quite a lot of babysitting. So one thing that we saw was that as we added all these security features we saw the interesting behaviour on a particular kind of the devices and I wanted to show just a little video which talks about that.
So in this device in the lab I have IPv6 DHCP and it assigns addresses. So whenever I connect this way I get three addresses on the device. And what I am doing is that I am simulating the behaviour of the participants of the conference, and whenever you are at a large conference what happens is you connect the device and you look at "I need to go there" and then disconnect the device and you start walking and then you connect the device, what is the next step? So I am simulating that behaviour by turning the airplane mode on and off. So what happens is that iOS in particular is fairly aggressive in terms of getting a new address. So each time it reconnects to the wi-fi it gets a new temporary address. So you can probably notice that the DHCPv6 and the EUI-64 addresses stay the same but the privacy addresses keep piling up. So, on the centralised side, the controller side, we need to keep adding them on and on. And since the devices go away fairly abruptly, we really have no means, so the device doesn't signal "hey, I went off-line". So, overall, the addresses keep being added to the table that tracks who owns which device -- who owns which address, and you need to do that especially in the wireless environment because otherwise, well, if someone can hijack your address, they can hijack pretty much a lot of your traffic.
So you have to do that, both for IPv4 and for IPv6.
So, and right now we are at seven addresses on the controller, so we can see that the traffic still works fine, so I am able to ping. And I will reconnect a couple of more times to see what is going on. So, whether it continues working or not. And at eight addresses I will reach the limit that is hard coded on the controller to prevent the denial of service against the controller itself, because obviously you cannot pile the addresses indefinitely, so you would deny all service to the wireless itself.
So, and finally, I don't have this aggressively installed privacy address in the cache, so the controller says you don't have this address so you cannot send the traffic, and that is where the interesting properties of v6 troubleshooting kick in: so I cannot ping the external host, but at the same time when I am pinging the local default gateway address I can perfectly ping it. So it will be a little bit more complicated in troubleshooting, so I assign the global address to my default gateway as well, I will try to ping the default gateway's global address and that is basically my prefix colon colon one. And I see the gateway global address also works. It selects another address for -- and yet, the connectivity to the outside world is still broken. So, as we saw this behaviour really we had to change the algorithm in the controller code. So, what happened is that we added more aggressive probing to the entries that are not in the reachable state any more, so I now changed the configuration on the controller to put the reachable state artificially short, so it's 30 seconds, and we are just five minutes before the client entry times out, so I will turn the airplane mode on and just wait five minutes, so it's four, three minutes left, two minutes left and one minute left, and then the entry disappears from the controller. So now I will reconnect and see what happens. So what is the behaviour of the algorithm now? So now you see again the entry has been created afresh so we have four addresses and really, in a slight network I will just have three, no BGP address, as I keep reconnecting, it seems to remind of the previous behaviour so I have five addresses, but as I keep doing that, the number of entries now never grows beyond five. What we changed was the entries in the stale state in the table are being more aggressively tested so the entries are being deleted when the entry is no longer assigned to the device.
So this allows us to get the iOS devices even in this dynamic environment as the conferences are. Of course if you don't reconnect the device then it will stay with the same privacy address for a longer time, but that is something that had to be changed in the controller code between 7.2 and 7.3.
So, really, the takeaway from that was that the 7.3 code worked as designed, so we took the 7.2 behaviour and modified it and had it working correctly this time. So, with 7.3 the defaults were pretty much out of the box, that was pretty straightforward.
The other interesting operational consideration, if you do use the centralised wireless, then you run the traffic encapsulated between the controller and the access points, and that is all fairly straightforward, but with IPv6 you rely on sending router advertisements from the router to the clients, right? You need to send them periodically. So if you do naive replication of the traffic before it is encapsulated into tunnels then you basically need to send a micro burst of traffic, because for one RA, if you have 300 access points, you need to send 300 copies of this router advertisement. So that is no good because it creates a micro burst of traffic and micro bursts -- for this reason you need to have the multicast mode of operation where your multicast RA is encapsulated into the CAPWAP packet that is destined to the multicast address, so then your network infrastructure deals with the replication of the packets as many times as needed. However, of course this introduces a coupling between IPv4 and IPv6, so the IPv4 multicast infrastructure needs to work in order to have IPv6 working. Operationally, if you have a large network that is something interesting to consider.
Now, having multicast routing work implies having the identical multicast configuration on a couple of devices in this case. So to make that in the simplest way possible, we just run, we cheated a little bit and used the SSM range and reconfigured that in the router, and we use the address from the 232 range as the multicast group on the controller. So, that put all the configuration mistakes to the minimum and that allowed us to configure multicast on IPv4 on that network fairly easily.
Now, the multicast works but then I run, now we are getting a little bit too many, so since people are moving on this network and people are connecting and disconnecting, they solicit the RAs from the first hop and the standard says that the solicited RA needs to be sent multicast, so effectively every disconnection and reconnection of the client causes yet another multicast RA to be sent, so that is something where if you have a very large network you can see quite a lot of multicast RA packets, and in the case of wireless that means you will have a lot of air time being spent handling multicast, because that is sent at a lower bandwidth than all the other packets.
So, with multicast RA, again that was just one check box to click, that helped to reduce the number of multicast packets dramatically. And another operational consideration that we had to do, which was again kind of a takeaway from previous times that we ran larger conferences, was looking at Bonjour, because again, Bonjour sends packets as devices reconnect and disconnect from the network, and as the network is highly volatile, if you have 3,000 devices at the same time on the network, that is a lot of traffic. So, I am a big fan of Bonjour and I am happy to run it on my home network, but in this case due to the size of the network we had to block the Bonjour traffic, so it's port 5353 on UDP on v4 and v6. That is again the multicast traffic management on the network.
And finally I found that, interestingly, the different end points don't consistently act the same way, surprise. So these two devices connect at the same access point and one of them has a v6 address and the other doesn't. Luckily I had the second unit to test with, because otherwise I was suspecting the access point not sending the router advertisement. So a small reload and everything started to work correctly, that is -- have two copies of the end points whenever you test.
And I told that wired IPv6 was very easy, so the local website that we had on site, that dealt with pretty much all the logistics of the event, so it was all the registrations, all the evaluations for the talks, all the feedback, that was dual stacked in about an hour, so half an hour was me giving a small refresher course to the server guys and half an hour was testing that everything worked. So it was not really a big exercise.
And the result was that about half of the addresses that were hitting the server were IPv6 addresses, so from the outside of course, there was relatively little traffic because the outside network has, well, the majority of the hits for the server were coming from the local network, from the event itself.
And a couple of slides with some stats, right. So what I did was just scraped the neighbour tables for IPv4 so the ARP tables and the neighbour tables for IPv6 and at first you will see that that sounds pretty strange so we have so many IPv6 neighbour entries. So that happens because of the privacy addresses, obviously. So the ?? all of this reconnections generate additional neighbour entries which show up here.
So to compare a little bit better what is the real distribution of the IPv4 or IPv6 only hosts and so on, I deduplicated based on the MAC address. So after deduplication, and this time I looked at it from the MAC address perspective, the picture was a little bit less optimistic, should I say, and if you do it in the ratio, so the hosts that have both IPv4 and IPv6 addresses, related to all of the hosts on the networks, so we can see that during the main days of the show we hit about 70% of the devices using dual stack on the network, which is a little bit less than I would like to see as someone who works in the area of IPv6 transition, but it's nonetheless something that is fairly impressive, and I think the value, so the value as it is I think is partially caused, empirically, by the laptops that had various firewalls installed with the administrators ensuring that IPv6 doesn't get configured because they haven't been ready yet for transition. So traffic-wise, I have saved it, so if you are interested to play around and look how it looked like you are very welcome to take a look. And IPv6 specifically at the event, it was about 5% compared to IPv4, so part of that was, as well, that during the event actually there was an update to iOS so all of the iOS devices who were on the conference network decided to download the update, so that was a huge spike in traffic. And that is pretty much it that I had. And my takeaway message is that, well, IPv6 today works, so -- and, at the same time, you do need some experience, you do have some quirks which you need to try to look at, and the earlier you do that, the better. Thank you.
(Applause)
CHAIR: Any questions? So I am supposed to wait 3 to 8 seconds -- very good.
AUDIENCE SPEAKER: Tom Burke, Virgin Media. Why are you so afraid of v6?
DARYL TANNER: Yes, thank you for that question. I don't necessarily think we are that afraid of it.
AUDIENCE SPEAKER: Even BT aren't scared of it.
DARYL TANNER: Very true. But I mean, service providers generally sort of globally, there is not that much and there is not enough v6 out there, I am perfectly happy to stand here and say that. I really think we should be doing more v6, I am certainly pushing it within Virgin Media. It's slow, it doesn't have priorities, going back to Olaf's talk yesterday morning, he kind of said pretty much the same things on that.
AUDIENCE SPEAKER: Jen. I am very glad to hear that deploying v6 is so easy now, especially if you don't use wireless, yes. The question: it looks like you have done some testing and you found some issues with default wireless on devices, are you going to publish any best practices document about how to deploy v6 on wireless networks?
ANDREW YOURTCHENKO: Yes there are existing papers, the part that I wanted to emphasise which probably I didn't do that good job of doing, that in ?? well, in the previous version, it had more quirks so in the version that we deployed this year, the default settings just work so I actually had that in the earlier version of presentation but the Programme Committee asked me to include some learning so that is why ?? it would have been much shorter presentation because this year the defaults ?? on wireless the defaults pretty much work.
CHAIR: Sorry about that guys.
JEN: Values might need to be changed depending on the scale, are you doing any research or publishing any data on how you can scale if you deploy into v6?
ANDREW YOURTCHENKO: These values I was talking about don't need to change depending on the scale. There are other values that may need to change but that is a topic for a separate talk and discussion.
JEN: So on the next RIPE meeting, yes?
ANDREW YOURTCHENKO: Yes.
AUDIENCE SPEAKER: David from RIPE NCC. We have a question from James Blessing on the chat for Virgin Media. When are you going to deploy IPv6 for everyone? Are you going to announce it next week or are you going to implement it next week?
DARYL TANNER: Yes, again thank you for the question. I am not in a position to be able to answer that. I am really sorry, I can't give time scales.
AUDIENCE SPEAKER: OK. Thank you very much.
CHAIR: Any other questions? Let's try five seconds of silence. That didn't work. It was supposed to work. All right. OK. So thank you very much, thank you Daryl and Andrew.
(Applause)
CHAIR: So we are almost done. Isn't there something I am supposed to remind you of? Oh, yeah, rate the talks, please. Yeah, I forgot to mention that. So please rate the talks. By the way, has anybody had any problems trying to rate the talks? Right so. If you are signed in, it should show up, so just click on that and rate the talks and we are done for the day. We should be back at 2 p.m. -- not the day, we are done for this time slot. I am in a hurry. Right. So we should be back here at 2 p.m., so we have lightning talks, if you miss five minutes you miss half the talks.
FILIZ YILMAZ: I was just told I am too small, so I need to go there and get some perspective. I just want to remind everybody again about the PC elections, we still have space on the RIPE Programme Committee. If you want to help us -- getting content and selection of the content towards the RIPE plenary programme -- please send your interest plus photo to PC [at] ripe [dot] net. We will have the elections on Friday. The sooner you send your interest and information to us, the sooner your information will be uploaded on the web page, so as a candidate that will give you time to mingle with people and see what others need and, if you can, you know, work towards those needs and collect information; also come to us, what needs to be done; if you have questions, grab one of us around. So please, be mindful about that. Thank you.
CHAIR: And we are done. PC means Programme Committee, just in case ?? I had that question, so...
So see you guys at 2p.m. Thank you.