Stack-Hacker Itojun Talks About IPv6

Alert reader Sin Yuhara writes: "I've encountered [an interview in which] Jun-ichiro "itojun" Ogino(KAME Project Core/NetBSD Core/FreeBSD Comitter) talks about IPv6. The KAME IPv6 ^[?] stack is very well known in the BSD world and beyond. I'm sure IPv6 and related stuff must deploy, and this article may help all people." It's a really good read -- itojun talks about the IPv6 tools that are already integrated into the various BSD systems, about the need for ever more testing, and about why Japan rocks.

Re:Total FUD.

[mbyte]

No .. sorry to dissaponit you.

Win2k german does NOT have build-in IPv6 support ! Really ! I DID test it ;)

There's an addon on the micro$oft website, which you can install to have IPv6, but IIRC it was still labeled BETA the last time I did ceck it out ! (it was about 4 months ago !)

So please stop spreading FUD!

Re:Not using NAT, are ISPs going to become nicer.

[matman]

Can you still subnet? I mean, I dont really have a use for 2^64 addresses :) LIke, you cant really fit more than a hundred (the spec is something like 1024 isnt it?) on an ethernet network. I mean, what's the point of using addresses frivilously, when we have the technologies to easily manage addresses more efficiently?

Re: Not using NAT, are ISPs going to become nicer.

[Wesley+Felter]

Namely, every subscriber, be it a corporation or a household, gets a /48.

That might be how it's supposed to be used, but that has little effect on how ISPs will actually configure their networks. What if an ISP defines all their customers to be part of one /64 "subnet" (which might even be defensible since some broadband equipment is based on bridging) and thus assigns each customer only one address?

Re:IPv6 and QoS

[Cato]

This is probably the biggest myth of IPv6 - it has precisely one feature beyond what IPv4 supports, the 16 bit flow label field in the IPv6 header, that relates to QoS.

Deploying IPv4 QoS is possible today - I work for a company that makes software to enable QoS in routers, amongst other things, and am helping customers do this. The key approaches are DiffServ (easy to deploy, softer QoS), and RSVP (harder to deploy, harder QoS, and I don't know any real networks that have deployed this).

The IPv6 flow label reduces the load on core routers where RSVP has been deployed, by caching the result of an earlier classification decision (i.e. matching packets against IP adddresses, port numbers, etc). However, it's hardly a big step forward for QoS if you are using DiffServ as most networks do.

What's more important for QoS is that IPv6 will (eventually) make NATs much less popular. Trying to classify NATed traffic is a nightmare, of course, and IPv6 should make things easier.

My company also does MPLS stuff - interestingly, this will help IPv6 deployment, because the big fast core routers will NOT need to have their forwarding hardware upgraded to forward IPv6 packets. MPLS labels packets near the edge of the network, and once labelled the packets are forwarded using ONLY the 32 bit MPLS label. Hence the IPv6 headers are only inspected on the edge router for the MPLS network.

The result is that the core routers only need to run IPv6 routing software, not IPv6 forwarding - hence no need to replace those ASICs. The edge routers are typically small enough that they should be able to run IPv6 forwarding in software.

Of course, as someone else already pointed out, there is still a lot of work before the ISPs' routers get fully upgraded with the entire set of add-on protocols - routing, multicast, PPP, RADIUS, IP-over-ATM, and so on.

Security without NAT

[Cato]

Many people seem to use NAT for security purposes, because it makes it harder for outsiders to connect to internal machines. Of course, NAT is not meant for this, and has potential holes (e.g. if the NAT software fails it may just forward packets straight through, as has happened on at least some NAT boxes), but that's what a lot of people think.

Until people manage their host and firewall security a lot better, many sites may just stick with NAT because it's what they know, removing a key benefit of using IPv6. So perhaps improved security processes and technology are a prerequisite for IPv6 deployments.

Re:What about applications?

[njd]

go to www.kame.net there is a list of applications that work with IPv6 there.

MPLS makes IPv6 work on core routers

[Cato]

First of all, the IPv6 header is actually more regular than the IPv4 header - fewer fields, and only twice the size of IPv6 despite addresses that are four times larger. Also, the routing tables for IPv6 are supposed to be more regular, so the performance impact on software-based routers may not be that much.

The vast majority of IPv6 packets will not have options - yes, they need to be looked at if present, but in that case you just dump the packet into a slow path. Also, MPLS will help here (see below) - the packet should only hit the slow path on lower end routers.

As for core routers that use forwarding ASICs - the answer is to implement MPLS, starting on edge routers that forward IPv6 in software, and attach MPLS labels. The core routers ONLY see the 32 bit MPLS label, so there is no problem about forwarding IPv6 just as efficiently as IPv4, once it is MPLS labelled. The core routers need to run IPv6 routing processes, but that's just on the main CPU.

MPLS is already deployed in ISP and telco IP networks - it is currently used for traffic engineering (balancing traffic loads over the network) and MPLS VPNs, and the same technique will be used to carry ATM, Frame Relay, Ethernet and SONET.

In the longer term, new routers will come on the market with smart enough ASICs and network processors to handle IPv6 with no reduction in forwarding rates, but MPLS will be useful for those ISPs that want its extra features.

Re:MPLS makes IPv6 work on core routers

[Cato]

You are right, it's only the hop-by-hop options that matter - I was being a bit lazy in not specifying this, but the point is that these options only incur an overhead when they are there - if there's no next-header pointer, there's no extra work.

Re:MPLS makes IPv6 work on core routers

[Cato]

Re the headers - you seem to be assuming that most IPv6 packets will have hop-by-hop options headers, when in fact this should be a tiny minority of packets (most packets will not use the special IPv6 features for source routing etc). The main IPv6 header is very regular - you can have extra headers, pointed to by the next-header field, in which case you have extra overhead.

Re edge routers in software vs. hardware - I'm mainly talking about ISP's existing provider-edge routers (7500s and so on, quite often). Most of the deployed routers are software-based, so they are covered by the MPLS approach.

Of course, there are many hardware-based provider-edge routers as well, but these will be covered by hardware updates before too long (see http://www.cisco.com/warp/public/732/ipv6/IP_Vers6 _SD_0622.pdf - this is Cisco's IPv6 roadmap, which will cover IPv6 hardware acceleration in Phase II, under 'CEFv6'). Even with software-based Cisco routers, it's probably waiting for CEFv6 (Cisco Express Forwarding) in Phase II of the Cisco roadmap, as until then IPv6 is process-switched (i.e. slow path).

Once you have CEFv6, most IPv6 traffic should have the performance of IPv4 - not sure how the hop-by-hop options headers will affect this but I don't believe these will be common.

Re MPLS - it's not quite 'the terminal stage of virtual circuit networking'! It re-uses the data plane (i.e. label-based forwarding) but the control plane is normally just an IP routing process (some see this as a way of turning ATM switches into IP routers...). By default, MPLS is NOT circuit based at all - labels are assigned using LDP (label distribution protocol), which piggybacks on the IP routing protocol you are using. This lack of circuits is one reason why MPLS VPNs are very scalable (see www.orchestream.com, my company's site, for lots more info here).

You can use MPLS for traffic engineering, which requires laying down circuits, but you ONLY create circuits as the exception, to direct traffic somewhere other than the shortest-path route. Most traffic in a traffic engineered MPLS network may still be IP routed using MPLS labels that are not attached to circuits (aka label switched paths). See www.mplsforum.com.

MPLS does let you do quite a bit more than IP - it's really just a very thin encapsulation technology (i.e. a 32 bit label is the encapsulation overhead), so you can use it for VPNs (much more scalable than GRE tunnels or meshes of FR PVCs), Voice over MPLS (lower overhead than IP/UDP/RTP), Frame over MPLS (more scalable), and so on.

In particular, MPLS has a 3 bit EXP field that is used for CoS levels (i.e. DiffServ style QoS) - most MPLS edge nodes should copy the IP Precedence into the EXP field. If this is not enough, you can steer traffic onto different labels depending on CoS levels, and with MPLS traffic engineering you can reserve bandwidth for a given MPLS label switched path ('circuit') if needed.

You do need IP routing on every MPLS node, but only on the control plane - IP forwarding is only needed on edge nodes. I wouldn't suggest MPLS is necessarily the best or only way to deploy IPv6, but it is a great way to scale IPv6 backbones in the absence of IPv6-specific forwarding hardware, and it does have useful features that will apply to IPv4 and IPv6 traffic identically (hence MPLS can be justified for existing IPv4 traffic while enabling IPv6).

Re:Not using NAT, are ISPs going to become nicer.

[Xanni]

What, 65536 networks isn't enough for you, you need to subnet as well? :)

One of the reasons to have 2^64 host addresses is so that you can use globally unique EUI64 host addresses (for example, for Ethernet, based on the hardware MAC address) to allow immediate auto-configuration on any network anywhere in the world without any chance of an IP address conflict or having to do manual assignments. (Manual assignments are also supported, though.)

There's more than one kind of efficiency; part of the idea of IPv6 is to make routing simpler to gain speed and avoid abominations like NAT. Anyway, only 15% of the address space has even been defined so far; 85% is still reserved for future uses! I wish people would bother to learn about things before commenting.

Re:OpenBSD

[AntiBasic]

stop whining.

Not using NAT, are ISPs going to become nicer.

[stompro]

He asks why anyone still uses NAT seeming to say that with ipv6 noone will need to use NAT. I personally use NAT so I don't have to pay my isp 40$ extra every month to have all my machines hooked up. Are ISPs going to just start handing out ipv6 address for free, I don't think so. I can't wait until my isp just hands out subnets, not individual addresses.

Re:Not using NAT, are ISPs going to become nicer.

[jguthrie]

AC wrote:

Temporary?! Bullshit. Do you have any idea how much 2^128 addresses is?? It's enough for every person in the world (assuming 6 billion people) to have 5.67E+28 addresses each! There's no way we will use all of those before networking as we know it is completely redesigned.

You've completely left out the efficiency factor from your calculation. While it is true that IPv6 allows a standard metric buttload of addresses, the system is set up to assign those addresses quite inefficiently.

For example, the standard assignment for an individual end user is likely to be a /64, which has appriximately 16E18 addresses in it, of which only one will be used, typically. Small ISP's like myself are currently assigned a /48, which has enough addresses for 65K end users, of which only a fraction will ever get used.

Of course, should the address space starts to become exhausted, what will happen is what always happens when a nonrenewable resource becomes scarce: conservation, but for right now IPv6 addresses in freaking huge blocks are easy to get. I've got 2^80 addresses, myself.

To answer the question asked in the subject, the reason the blocks are so large is because the routing tables would quickly become huge if the assigned blocks were smaller. That means that ISP's will likely assign blocks to end users and not worry about whether or not those end users assign those addresses to multiple computers. It's more work than it's worth to keep track of those addresses individually. NAT will still be around, though, because people like the additional security offered by it.

Re:Not using NAT, are ISPs going to become nicer.

[Xanni]

But that's exactly how IPv6 is intended to be used. The existing IPv6 address space is being allocated with the first 64 bits being the network address and the last 64 bits being the host address. Furthermore, the current specifications for Aggregatable Global Unicast Addresses (see RFC2373) define the first 48 bits as being assigned by the backbone provider and ISP and the next 16 bits by the site (you!) This means you get to have up 65536 networks of up to 2^64 hosts.

Japan is ahead of us in IPv6

[shalunov]

Not only do they have large deployed IPv6 networks; not only their ISPs provide IPv6 service to their subscribers, and it's actually supported; not only does the government give tax breaks to ISPs that support IPv6; not only are their companies doing IPv6; not only do they develop games for freaking consoles that use IPv6; not only are their cell phone providers implementing IPv6; but they actually have a fairly large IPv6 user community.

Go, Japan!

Re:No mention of 6to4?

[hubertf]

Right you are - here's a link for 6to4 on (Net)BSD. Maybe check out my IPv6 page, it has a bit more on 6to4.

- Hubert

IPv6 routing doesn't fit well in hardware

[The+Fanfan]

I don't see IPv6 taking off any time. IPv6 problem is not just a deadlock between ISPs and router manufacturers. The big roadblock on the way towards TWGD (i.e. total worldwide global domination, let's see if this one sticks ;-) is that IPv6 doesn't fit well in hardware acceleration. IPv6 has huge and variable headers, which are a pain in the bottom end to process in hardware.

IPv4 is much nicer. Only the first few hundreds bits in the packets really matter. Sure, an IPv4 header can be much bigger with options. It's just that nobody expects those options to be implemented. With IPv6, ignoring options is not ... an option. Even core routers must completely walk the header chain of each packet.

The reason is that the IPv6 effort was started in the early 90s at a time when IP routers where basically a bunch of interfaces and DMA engines around a shared packet buffer with a CPU in the middle chopping and tweaking the headers to route the packets. All the decisions were made by software, and, sometime in low cost routers, the CPU even performed the data transfers with the interfaces, no DMA. The IPv6 was built with this architecture in mind and requires the routers to do a lot of smart gee whiz things on the headers. That clean architectural model is alas obsolete.

Nowadays, routers' CPUs nearly never see a packet. All the routing is completely done in hardware. The CPUs just do housekeeping, maintaining the routing tables, collecting and processing statistics, that kind of stuff. The only packets they ever see are those for network maintenance, SNMP, etc, and routing protocols, OSPF, IGRP, BGP, you name it.

In serious routers, the real stuff happens between the switch fabric and the routing processors. The switch fabric, centralized or distributed, handles the bulk of the data transfers, receiving and sending packets between the interfaces and the packet buffers. Here, the unit is the gigabit per seconds (a few tens or hundreds of Gb/s or even Tb/s). When the switch fabric receives a packet, it stores it in a buffer and at the same time extract a few hundred bits of the header and forwards that to routing processors, a huge pipeline of table lookups and processing, 100% hard-coded in silicon.

After a while, the routing processors spit an answer to the switch fabric to flush or forward the packet with updated data for the variable fields (the TTL for instance, or even the whole header on NAT or multicast), or to create new packets. For instance, ISMP packets on TTL timeout can be completely generated in hardware! The unit there is the 100s of millions of packets per second. Go do that with CPUs... Worst of all, the IPv6 headers are highly variable and that completely screws up pipeline design where it's much better to handle bounded amount of data.

So, on current routers, IPv6 is supported ... as an exception, using the CPUs. The performances are merely catastrophic. IPv6 is not really practical with current router architecture. May be an IPv7 will come, one day when IPv4 is really breaking at the seams.

Oh well ... that just my $0.02 on IPv6 ...

Heh.

[Will+The+Real+Bruce]

Great; now we can all steal the *BSD IP stack again. :)

Thanks, *BSD, for continuing to be the research arm of the software community...

Reality check: the killer app

[driehuis]

Until BGP, OSPF, and IS-IS all FULLY support IPv6 don't expect ANYONE to even begin a migration.

Well, of course there is the traditional killer app that can tip the balance real quickly. For example, RIPE (the European IP address agency) received a phone call one day from a cellphone operator that they needed two class A address ranges, and when could they get them?

Of course, those guys were sent back to the drawing board. But if one of the bigger handset manufacturers starts deploying IPV6 (and IPV6 is complete enough to do that right now), the balance of power would shift and a lot of folks would be forced to keep up with the Joneses.

As you say, my concern is with the infrastructure more than with client support. Microsoft has been mentioned a lot in this thread, and I would be greatly surprised if they didn't have something in the wings to at least work around lack of native IPV6 support for existing clients (like 6to4 support).

Re:OpenBSD

[Shanep]

Which is not on be default so the OpenBSD page can still retain the "Three years without a remote hole in the default install!"!

Re:need NT, NOT.

[1337d00d]

Unfortunately, you are wrong. Microsoft® WindowsNT® and Windows2000® products can give you a reliability guarantee that no other products, certainly not this supposedly 'free' software, can provide. That's right, the nine fives promise. You heard it correctly. Microsoft will guarantee an uptime of %55.5555555. Yes: More than half of the time, your servers will be up and running, allowing you to take advantage of the new, electronic economy. With that kind of power, you can transform your business. That's the kind of leverage Microsoft provides.

War3 doo u w4nt 2 g0 70d@y!!!1©

ARIN's IPv6 Fee Policy Has Changed

[Wesley+Felter]

And I quote: "ARIN will not collect subscription fees for those current ARIN IPv4 subscribers who request and qualify for IPv6 address space. ... Those IPv4 subscribers who have already paid fees for IPv6 address space are eligible for a refund of those fees."

Oh really?

[Wesley+Felter]

What you're saying is opposite from this part of The Case for IPv6:

"IPv6 encodes IP header options in a way that streamlines the forwarding process. Optional IPv6 header information is conveyed in independent "extension headers" located after the IPv6 header and before the transport-layer header in each packet. Most IPv6 extension headers are not examined or processed by intermediate nodes (in contrast with IPv4). This enables a big improvement in the deployability of optional IPv6 features, compared to IPv4 where IP options typically cause a major performance loss for the packet at every intermediate router."

Yes.

[mindstrm]

ISP's *WILL* hand out ipv6 addresses for free, because that's how it's designed. It will be easy for an ISP to get a /64 (that means half the bits will be available for them to assign) which is a size that is larger than the current internet nowadays times itself (due to address wastage).

It is ENTIRELY possible, and will be commonly done, to assign large blocks to each user, so as many devices as they want can be online, AS IT SHOULD BE.

Two things.

[mindstrm]

1) T3's are a lot more than that....

2) Your summary is essentially correct, but the root cause of the way ISP's charge is.... that's their business model. They don't care about charging for bandwidth, because the vast majority of their customers have the same usage habits. Someone who actually uses the bandwidth they pay for is a 'bad net citizen' or an 'abuser'.

That is why ISP's will invariably, eventually, shift to a model where you pay for what you use.

I tell you, if @home would come to me when I use lots of bandwidth and say 'look, you use three times the bandwdith of our averagesubscriber... so we want you to pay 3 times as much' I'd probably say 'Okay.. sounds fair'. But they don't, they just cut you off.

Total FUD.

[iamsure]

All MS operating systems SINCE 2000 (with the exception of ME) have built-in IPv6 support. Whistler has it, 2000 (all versions) has it.

Its just a matter of what kernel they were working from. 2000's supported it, 98's didnt.

They are already dropping support for 98+98se, I really dont think ME is far behind.

They arent holding ANYTHING up.

ICANN Pricing obstacle to IPv6

[billstewart]

I'm not having much luck searching www.icann.org tonight, so these details may be incorrect and may have changed by now - YMMV. One of the big obstacles to IPv6 deployment is ICANN's totally artificial pricing for address space. One of the motivations for IPv6's design is to provide nearly-infinite quantities of address space, which means it ought to be basically free - but ICANN set pricing on it that makes the smallest available chunk of routable address space cost an annoyingly large amount of money. IIRC, it was something like $2500 for a /48, but even if I've got the size wrong the principle is reflected accurately - they're trying to delay and control the deployment by setting an unreasonable price.

It's not totally stupid - one of the problems that does need to be solved by any widespread replacement of the current IPv4 stack is routing table size for the Big Internet, as BGP usage continues to multiply. IPv6 has some support for efficiency and consolidation, but there's still a lot of work to be done.

Re:Where's the beef?

[Salieri]

It doesn't work that way -- it has nothing to do with hard drive companies holding out. There are serious technical reasons why this trend can't continue until new, radically different data storage technologies pick up steam.

As data gets more and more tightly packed onto the platters, the energy that holds the magnetic spin on each bit (determining whether it's a 0 or a 1) gets less and less significant, and now it is so close to the ambient thermal energy that bits are randomly flipping and corrupting data.

So they're looking at a lot of different techniques, but instead of my trying to explain them, let me just show you the Scientific American article where this is all coming from.

--------------------------------

No mention of 6to4?

[Wesley+Felter]

It's too bad this article didn't mention that you do not need to wait for your ISP; you can start using IPv6 today with 6to4. Slashdot ran a story about how to configure 6to4 under BSD, and here are the instructions for Linux.

I know someone is going to mention that freenet6 or the 6bone is also easy to use, but they're much less efficient than 6to4.