What a lovely week! An in-person RIPE meeting – Jan Žorž said to me over dinner “it immediately felt like home”, and I totally agree.
Following some tradition I will summarize a few interesting, IPv6-related talks & other observations from last week in this post.
Constanze Bürger: Challenges and Chances of IPv6 Deployment in Public Authorities in Germany
Constanze serves a state secretary (‘Staatssekretärin’) in the German Federal Ministry of the Interior and Community. She has been driving IPv6 in the public administration space for a long time, and for that reason she’s been present at pretty much all RIPE meetings over the last years. In her talk she spoke about the challenges of getting IPv6 traction in her world, due to the distributed nature of responsibilities and to the high degree of siloization (sounds familiar to some of you large-enterprise folks? ;-). She included a very nice – positive – case study though: the German online tax system called ELSTER, which has had IPv6 enabled since 2020 (which seems not to be the case for similar systems in other countries).
In October 2021, 52% of the connections to it happened over IPv6 (Antonios Atlasis suggested those filing over v6 should get a tax discount, which given the current prices of IPv4 addresses could be worth a discussion ;-), and I could imagine that number is even higher in the interim.
Carsten Strotmann: Frag-DNS. IP Fragmentation and Measures Against DNS-Cache-Poisoning
IP fragmentation attacks against DNS have been known for a while (research overview on the APNIC blog here, paper by Shulman et al. on DNS over TCP from 2021 here), but their Internet-scale impact was unclear, and members of the DNS operator community considered them theoretical (see discussion at RIPE78). This is why the German BSI decided to commission a study both evaluating the real-life impact and discussing mitigations. The results of this study were presented in this talk.
Wilhelm Boeddinghaus: IPv6 and the Windows 10 Firewall
In this talk Wilhelm spoke about the intricacies of the default rule set of the integrated firewall of Windows 10 when it comes to IPv6, namely in the space of ICMPv6. While I don’t share his perspective that these rules are overly risky (and I think for such types of security controls, very understandably, usability often wins over strictness, which in turn might even increase overall risk reduction as users do not disable the whole thing then), it was an interesting technical exercise nevertheless.
Paolo Volpato: IPv6 Deployment Status. Update and Remaining Challenges
This was similar to Paolo’s recent talk in the IETF v6ops working group, hence I refer to my comments in this blog post. Note that in the subsequent Q&A some challenging questions were asked, which were not directly related to the talk.
Justin Iurman: Just Another Measurement of Extension Header Survivability (JAMES)
Matthias Scheer (AVM): IPv6 Addressing Inside a VPN Tunnel Between Endpoints With Rotating Prefixes
The talk itself might not win the title of the most entertaining or most exciting technical presentation of the week ;-), but given the strong presence of AVM in the German market many practitioners incl. myself heavily welcomed the fact that the vendor sought interaction with IPv6 folks at a RIPE meeting. I mean this is not least what those meetings are for, and it’s a great move by AVM to work on their IPv6 capabilities based on feedback from the IPv6 community (at least the part represented in RIPE circles).
The meeting network & IPv6
Several quick things to note regarding the meeting network and IPv6:
- During the whole week I was connected with my iPhone with the v6-only/NAT64 network, and everything worked smoothly.
- In the terminal room there was a networked printer and connecting (thanks mDNS) to the printer over IPv6 and more importantly printing (over IPv6, ofc) worked like a charm.
- Here’s a router advertisement from the main conference network. I know that as an IPv6 person one should generally be very careful with mentioning the principle of least astonishment (POLA) 😉, but I’m not fully sure I can follow the client provisioning approach taken here.
Finally let me mention that one could take the RIPE NCC IPv6 certifications for free at the venue (which I did for the IPv6 Security Expert, and I luckily passed 😅). Offering these on-site at the meetings is an excellent idea imho (those who ever tried to perform them on-line might have an idea why I state this).
Overall it was a great week with lots of technical learnings and, more importantly, lots of good hallway-track encounters. Hope to see some of you folks in Belgrade in October!