J O N P E T E R S O N O C T O B E R 2 0 1 2

W I T H M A T E R I A L B O R R O W E D F R O M G E O F F H U S T O N , O L A F K O L K M A N , A R B O R N E T W O R K S ,

H U R R I C A N E E L E C T R I C , A N D S E V E R A L I E T F P L E N A R I E S

Governing an Internet

What is the Internet?

  This is a deceptively tricky question   A series of tubes?

 Don’t laugh at Ted Stevens

  A collection of routers?  The smarts to move things between tubes

  An agreement of companies?   Interconnection, peering, compensation

  A stack of protocols?  The Internet Protocol (IP), among many others?

A definition, for today

  The Internet is   An overlay over a diverse set of physical networks, with the

property that:   any computer with an Internet Protocol address can send

arbitrary information to any other computer with an Internet Protocol address

  IP is the glue that binds physical networks to applications   The “waist of the hourglass”

 Many different physical networks run below it  Many different applications run above it

So who controls IP?

  IP invented by Vint Cerf and Bob Kahn   Specified in a document series called the Requests for Comment (RFCs):

IPv4 circa 1981 [RFC791]   Most Internet protocols are specified in RFCs

  Email, the web, Voice over IP, TCP, BGP, DNS, TLS, you name it   Today, the Internet Engineering Task Force publishes standard RFCs

  The standards of the Internet   The IETF has change control over IP as a specification

  IP addresses originally handled by Jon Postel (1943-1998)   Along with domain names, when they came around   Eventually, this job had to migrate to a team

  The first “Internet Architect” was Dave Clark   Eventually, his position was fielded out to an appointed group called the

Internet Architecture Board

IPv4, IPv6 and the Internet

  You’ve probably heard that the IPv4 space is depleted   The IETF developed a protocol called IPv6 with more address space

  However, IPv6 has not yet become mainstream   The Internet’s stakeholders invested tremendously in IPv6   Lack of adoption is a constant challenge and puzzle

  The IAB is responsible for the administration of protocol parameter values managed by IANA   IANA formed to carry on the work of Jon Postel (1943-1998)   Maintains records for the root of the DNS, autonomous system

numbers, IP address allocation, and various related fields   So who can make IPv6 happen, then?

Who to Blame?

IANA

Internet Assigned Numbers Authority

IAB

Internet Architecture Board

ICANN

Internet Corporation for Assigned Names and Numbers

Regional Internet Registries (RIRs)

ARIN, RIPE, AFRINIC, APNIC, LACNIC

Pretty much everyone

In the beginning…

  IPv4 came out in the early 1980s   The young Internet lived in a world of mainframes

  Many user terminals leashed to one central machine on the Internet   Personal microcomputers in the first generation, few modems even   Internet backbone ran only to advanced research facilities

  Only researchers really cared about Internet resources   IPv4 uses 32-bit addresses: e.g., 134.10.2.45

  Surely 4.2B addresses are enough!

  "I think there is a world market for maybe five computers." – surely apocryphal remark attributed to Thomas Watson, chairman of IBM

Address Blocks and Classes

  Originally, IPv4 allocated carelessly (see [RFC943])   Class A (/8)

  16,777,216 IPv4 Addresses   Stanford: 36.0.0.0/8 (Student body: 6000U/8000G)   1/256th of the entire IP addressing space!   Famously, 1st IETF Chair Mike Corrigan had his own (21.0.0.0/8)

  Class B (/16)   65,536 IPv4 Addresses   Reed College: 134.10.0.0/16 (for ~1200 students)   Stanford had one of these too (128.12.0.0/16)

  Class C (/24)   256 IPv4 Addresses

  Class D and E never saw much use (multicast)   Simplified routing: easy to aggregate prefixes

Presented at the IETF in 1990 We’ve known IPv4 depletion was coming for a long time

These notes predict Class B depletion

“Imminent death of the net predicted,” but didn’t happen quite as people thought then

Growing Importance of the Internet

  By the early 1990s, the Internet had grown up   Jon Postel simply could not scale anymore, IANA became a discrete

entity   From this point forward, only multi-stakeholder address

assignments were feasible   InterNIC, RIPE NCC and APNIC all founded around 1992

  ICANN created in 1998 as a successor to InterNIC   ARIN formed in 1997 to administer IP addresses

  Takes large blocks from IANA to distribute in North America and the Caribbean

  Jon Postel originally on the board   Originally covered Latin America and Africa as well

  Eventually split off into LACNIC and AfriNIC

  People started to care who owned which addresses   Ultimately, the root of may security questions

Don’t Come Late to This Party

  Most initial allocations in North America   The bulk of IP addresses thus held by the developed world

IPv4 Conservation

  Classless Interdomain Routing (CIDR) [RFC1518]   Begun in September 1993   Create finer aggregation tools than just the three choices, A B or C   /2 through /32, whatever fits the need   Don’t allocate a /24 when a /28 will do

  Reclamation became the order of the day   RIRs and IANA hunted down underutilized assigned space

  Hunt down “dark” address space, friend of spammers everywhere   By 2000, Stanford turned in their Class A

  Only took 5 /16s in return   Note that MIT kept their /8 (18.0.0.0) and now has two /16s (128.30.0.0/16 and

128.31.0.0/16) as well as several /24s   Neustar (founded late) really only has /24s, though we have 100+

  With finer granularity came new limits   BGP prefix advertisements mushroomed – far less aggregation   Few namespaces can realistically achieve more than 30% allocation

What’s Actually Advertised in BGP

Conservation is Not Enough

  Original assumptions of the Internet, defied   Now primarily a consumer tool, not a research tool   Internet became accessible through modems, then broadband

and cellular   A clear path to billions of devices on the Internet   Devices are always on, always connected   No option other than increasing the address space

  The IPng initiative   Undertaken by the IETF in the early 1990s (see [RFC1550])   Led to IPv6 [RFC1883] published in December 1995, mature

version in [RFC2460] December 1998   (What happened to IPv5, anyway? See ST-II [RFC1819])

Virtues of IPv6

  Plenty of addresses   340,282,366,920,938,463,463,374,607,431,768,211,456   That’s 128 bits, 340 undecillion or 3.4×1038

  Grouped into /64s, blocks of 18 quintillion addresses   IPv6 fixes the network prefix at 64 bits

  Enough addresses in a network that they can be chosen whimsically   2001:19f0:feee::dead:beef:cafe (freenode)   2001:420:80:1:c:15c0:d06:f00d (cisco)   2620::1c18:0:face:b00c:0:1 (facebook)

  IPsec built-in from the start   Vint often remarks this was the greatest shortcoming of IPv4

  However, a new standard can’t be introduced overnight   What’s the interim strategy?

Multiplexing an IP Address

  IETF created “private” address space [RFC1918] (1996)   Most famously 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16   Technically, the 172.16 block is 16 contiguous /16s, and the 192.168 block is 256

contiguous /24s

  I remember compiling ip-masq into Slackware (Linux) in 1997   Allowed multiple computers to sit behind one modem’s Internet connection   Required application-layer gateway (ALG) for sophisticated features like FTP

  Today the ubiquitous home “router” is mostly a Network Address Translator (NAT)   Has one public IP address on the WAN side, maps external ports to internal   Private addresses served via DHCP on the WiFi/Ethernet side   Your computer’s IP address has a good chance of being 192.168.0.1   If you can’t reach DHCP, then link-local autoconfiguration (169.254.0.0/16)

[RFC3927]   Implements various NAT, firewall and forwarding policies, supports many sorts of

ALGs

A 3-Tier World The Home Network, or Enterprise, with private address space

The Access Network, with public address space assigned to an ISP

The Public Internet, the default-free zone of prefix routing

The Dark Bargain of NAT

  Work by masking the address from which packets are sent   The NAT effectively hides the addresses behind it   Effectively firewalls the private network   However, recipients can’t distinguish endpoints behind the NAT

  NATs optimize for client-server connections   Surfing, downloading, gaming

  NATs interfere with asynchronous notifications   A NAT opens “pinholes” only when a client on the inside sends traffic out   When services on the outside want to send traffic in, you have a problem

  NATs bungle rendez-vous protocols that require endpoints to know their own IP   A variety of workarounds have been developed to address this   These create real problems for peer-to-peer applications

  Skype and BitTorrent are triumphs of engineering

Judgment Day

  Ultimately, strict conservation and NATs merely delayed the inevitable

  Final IPv4 IANA assignment rule invoked Feb 3 2011   At that time, the five remaining /8s held by IANA were

allocated, one each, to the RIRs   As of April 2011, APNIC already ran out   RIPE ran out on September 14, 2012   The rest will follow in the next couple years

 Right now, ARIN & LACNIC have 3 /8s left, AFRINIC has 4

  Good thing IPv6 is here to pick up the slack! Right?

16 Years Later, How is IPv6 Doing?

Still between 0.1-0.2% of Internet traffic

  Not a very good return for 16 years of work   IPv6 has been widely implemented

  All your laptops support it, as do web servers, etc.   Core routing infrastructure supports it as well   Implementation, however, is not deployment

  IANA distributed huge IPv6 blocks to the RIRs   Some customers have taken them   Neustar has about 20 IPv6 /48s – get to work using that space!

  For now, we can keep them   We’re not greedy: the DoD took a /16, 9 trillion /64s

  Few last-mile providers offer IPv6, however   Most access it through tunneling (IPv6 over IPv4) to the IPv6 backbone   Worse still, many places that do use IPv6 NAT it to IPv4 to reach the

Internet

Is Time Running Out? Yes!

Transition Strategy

  We’ve spent more than a decade struggling with this   We can’t simply turn off IPv4

  Far too much deployment, and no central authority

  Most transition strategies thus depend on dual stack   Implement both IPv4 and IPv6, let hosts acquire one of each address   Try IPv6 first, and only if it fails fall back to IPv4 [RFC3484]

  However, dual stack turns out not to be so simple   How do you know if you have a “good” IPv6 address?   For that matter, the same goes for IPv4

 We know 169.254.0.1 is usually “bad,” but what about 192.168.0.1?   Sometimes your Linksys router is up, but Verizon is down…

  But the bigger problem isn’t technical…

What can you buy for

$11.25

An IPv4 Address, Apparently

  Nortel sold 666,624 IPv4 addresses to Microsoft for $7.5M in March, 2011   $11.25 per address   Dec 2011 – Borders Books sells a /16 for $12 per address

  Did Nortel own those addresses?   What did they pay for them originally?   Protip: Stanford did not pay $188,743,680 for 36.0.0.0/8   Now IPv4 is a business of speculation

  The domain name business has long been this way   I remember writing to InterNIC for a domain back in 1993   First come first serve, no money changed hands   Five years later you could flip domains for millions

Economic Fundamentals

  Not a coincidence to see this sale so soon after Judgment Day   Supply and demand, scarcity drives cost

  Once something has a value, the entities that own it will protect that value   Incentive to keep IPv4 in use and worth the money   The more scarce IPv4 becomes, the more these costs will go

up, and the more these incentives to keep it around will grow

  Cost of transitioning to IPv6 thus includes writing off the value of IPv4 resources

Commodities Markets

  Addrex, Accuro, IPv4Marketplace, tradeipv4

  Specialize in moving blocks, often large ones   /8s have been advertised

for sale on these sites!

  Snapshot date: Oct 4

Valuable Enough to Steal

  Ownership of address blocks has never been strongly coupled to their advertising   If you are a carrier, you advertise the routes you are paid to advertise,

typically   Hence “dark” blocks became favorites of hackers and spammers

 Dark blocks are allocated but not advertised legitimately

  This is a significant weakness in the global Internet   Hackers have advertised routes for large blocks just to eavesdrop on

a single user’s communications

  Impossible to authenticate in the absence of some authority of assignment   Greater diversity in assignment over the years has made this harder

Resource Public Key Infrastructure (RPKI)

  Certify assignment of address blocks   Build a root of authority in IANA that delegates through the RIRs to

individual assignees

  Next step: only propagate routes from certified sources   Build capabilities into the routing system to verify these properties

 The simplest: that the owner of an address block has authorized a particular AS to advertise its routes (the ROA)

  Ultimately, the goal is to accept BGP advertisements only if they are signed and authorized

  This has real implications for the commodities market   Now, must ARIN issue a new cert to the new owner?

  Building it in to IPv6 from the start   Not that conservation is a worry, but hijacking and spoofing always is

Delegation and Authorization

Improves Security, but…

  Mostly defends value of IPv4   While important to protect IPv6 from route hijacking,

squatting is not a practical concern there

  Does preserving the value of v4 inherently harm v6?   Operational overhead could become significant

  As with DNSSEC, chains of validation can be required  Certification from IANA -> RIR -> LIR -> customer

  Once these becomes part of BGP, that will bring new challenges  BGP PATH attribute validation (through eBGP exchanges)

  Failure modes for DNSSEC teach us to be cautious  Anything prone to brittleness will be turned off

An Innovator’s Dilemma

  Say you need a lot of IP addresses   Perhaps an Asian mobile carrier, adding ~15M subs/year   That’s a /8 worth, enough to exhaust 10.0.0.0/8

  Why not deploy greenfield IPv6?   Virtually all of the Internet today is on IPv4   Your IPv6 would exist in an isolated island   To reach IPv4, you’d need a 6-to-4, a type of NAT

 Deploying a 6-to-4 that scales to 10Ms or 100Ms is expensive  How do the costs per port compare to $11.25?

  But surely you can reach some services natively over IPv6?  Not *everything* needs to go through a NAT, right?

Applications and IPv6

  Web browsers look up names in the DNS to find addresses   In the IPv4 world, an A record will contain the IP address   For IPv6, the new AAAA (“quad-A”) record delivers it

  If your resolver has an IPv6 address, should you prefer a AAAA?   Depends on whether or not your IPv6 address can actually route to the

web site   Some endpoints autoconfigure with an IPv6 address, or receive a v6

address from a home network that has no v6 connectivity   You should not prefer these over private IPv4 addresses that are actually

routable thanks to a NAT   No real way to know if you can route without trying

  The result: brokenness   Best case, delay for a timeout until reverting to IPv4   Worst case, never reverts

A “Solution”: IPv6 DNS whitelisting

Unhappy Eyeballs

  How much of this brokenness exists?   Early 2011 estimate vary, but somewhere less than one percent

 Might not sound like much, but out of two billion hosts?  Enough for Google to implement its whitelist

  Brokenness reported in several devices  Opera web browser  Mac OS X when interacting with certain Windows boxes  Various legacy hardware

  Some “fast-fallback” schemes have been developed   Try IPv6 and IPv4 via TCP in parallel, start HTTP on IPv6 if it

responds, etc.   Browsers starting to implement these

  How can we measure how bad this problem really is?

World IPv6 Day

  June 8, 2011 – a day to test IPv6   Facebook, Google, Yahoo!, over 1000 other

participating sites turned on IPv6 for their web sites

A Brief Spike in Deployment

From under 0.5% of web sites, to around 3% supporting IPv6 on that day

Quickly turned off, however!

Facebook v6 Day traffic No units, so, they must be tiny

Much of this observed traffic was undoubtedly testing scripts

Reported about 1M IPv6 users overall

Traffic quickly peters out, actually around COB on June 8

Indefinite Coexistence?

  So, apparently we’re still not getting much adoption   How to stimulate adoption in such an entrenched, complex,

decentralized system is a profoundly difficult question   A core question of Internet governance

  Stakeholders are nervous   Everyone in the alphabet soup of “coordination” is uncertain   DoD attempted to promote IPv6 by requiring it for their product

certification  They introduced that requirement in 2005, backed out in 2009

  IETF rethinking mid-term needs, though still committed to IPv6   United Nations (ITU-T) wants to be its own RIR

 Want to avoid address shortages in the developing world  More strategically, wants to compete with ARIN/RIPE and the IETF

  Much second-guessing about transition strategies today

Imminent Death of IPv6 Predicted?

  No one has a better idea than IPv6   The key is adoption by the access network

  Two problems:  Access networks own (and value) existing IPv4 space  Access networks want to provide service differentiation, and like the

flow-awareness of their NATs

  The superiority of the technology alone will not overcome market forces   There are plenty of alternatives to TCP and UDP (SCTP, DCCP, etc)

but few see any real use   Hardest thing for the IETF to accept

  But there are still some reasons for hope…

IPv6 support after World IPv6 Day Steadily more networks advertising IPv6 prefixes

This did not decline after IPv6 Day (the blue line), but nor did IPv6 Day accelerate it

Growth, and total share, is still marginal

1.3% uptick in two months

Glimmers of Hope

  Some real deployments began in second half of 2011   Comcast in the USA (Nov 2011), KDDI in Japan, free.fr in France

 Comcast now (as of September) at around 2% IPv6 traffic   v6 Deployment then around 3.4% in France, 1.5% in Japan

 Average out .fr and .jp, and v6 deployment may be 0.1% of the Internet

 Reported v6 Day brokenness in .jp was high, 0.25%   Telstra (.au) made its backbone fully dual-stack (Sep

2011)   Islands of IPv6 deployed behind NATs could converge

through a backbone   With enough network effect, may reach a tipping point

  2012: The World IPv6 Launch on June 6, 2012   More than a few hours’ experience might help   Turn it on and keep it on!

AMSIX IPv6 today

Total IPv6 volumes – close to double

Google hits via IPv6 (2009-2012)

Governing an Internet

  Even making the necessary shift to IPv6 is a difficult undertaking   Lots of stakeholders today argue that the Internet has

outgrown its hobbyist roots   “Responsible adults” (e.g., the United Nations) should take

over now

  Similar problems in domain name administration   The recent crop of new TLDs also controversial   ICANN increasingly autonomous and

  The challenge:   How do we evolve the Internet while preserving the qualities

that made it successful?

S L E E P W E L L T H E I N T E R N E T W I L L S T I L L B E H E R E

W H E N Y O U W A K E U P

The End