14 October 2019
HANS PETTER HOLEN: I think we're almost ready to start the meeting, so if you could take your seats please. Welcome everybody to RIPE 79 here in Rotterdam in the Netherlands. My name is Hans Petter Holen, I am the Chair of RIPE, and in my day job I'm working for a company called Visma in Norway, so I have come to Amsterdam for the nice and warm weather.
This is another big meeting. There are 816 registered, and at one o'clock, there was more than 500, 508 checked in, so this is going to be yet another record.
We do have some meeting principles for this meeting, this is an open meeting, everyone can participate and what we want to do is to bring people together from different backgrounds, cultures, nationalities beliefs and genders, and we really want this to be a safe supportive and respectful environment, and because of that, we do have a meeting code of conduct, and treat each other with tolerance and respect. There has been work in progress on a Version 2 of this code of conduct, it doesn't really change it fundamentally, but it's more detailed in order to give better guidance and also there are mechanisms to, for consequences if it isn't followed. This will be presented in the community Plenary on Thursday, so if you are interested in that, please make sure that you are there, the draft has been published online and there are still some tweaks having been done, so hopefully we'll have a final version to call for consensus after that meeting.
If you feel that you have ‑‑ need somebody to discuss with whether you feel safe or not at meetings, we have three trusted contacts. These are them here. They are sitting around here and then you can contact one of them in order to get assistance.
Diversity is something that's been on our agenda for a long time and we have a diversity Task Force and my daughter was kind enough to share this with me before the meeting because she said, dad, diversity is really just the first step. That's like being invited to the party. Your next step is make sure that everybody is asked to dance, that's the inclusion part. And really belonging is when you get to select the music. So, I have been here so long that I actually get to select some of the music at least as RIPE Chair but that's actually what we need to make sure that we welcome everybody and include them and make sure that they feel that that you all feel that you belong to this community.
So what's the diversity Task Force been working on, well we do have a RIPE fellowship programme, we have a RACI programme to build new researchers and younger people into this community. So it's not just old grey haired men like me. We do have a Women in Tech session in tomorrow's lunch break, how to attract, hire and keep Women in Tech, I think that's a very interesting discussion, not only to women, but to all of us in this industry. We do have on‑site childcare and that's fully booked, so that's really great. We do have a mentoring programme and this work is then being done by the RIPE diversity task force and that's also going to be going on in the future. So if you are interested join this effort.
We do have some Working Group chairs, you can see pictures of all of them here. In all the Working Groups we have two or three chairs, there is missing a co‑chair in the Routing Working Group, he stepped down last time so there are two candidates for the Working Group Chair, it's still possible to volunteer to become a co‑chair of that Working Group, but there will be a selection of that in the routing Working Group later this week.
The Programme Committee, this is also somewhere where you can participate, but these are the people who have put together the great programme on the agenda this week and the PC Chair will talk a bit about that later on.
Microphone. If you want to comment, ask questions and so on, there are microphones here that you can line up after. And since we have remote participants as well, please make sure that you speak clearly, state your name, state your affiliation so we know who you are in the discussions.
Meeting plan: You have all seen this. We have Plenary sessions on Monday and Tuesdays, on Wednesdays and Thursdays, we do have Working Group sessions. In the Friday morning, there is NRO and RIR reports so if you wonder what's going on in the other regions or in the number resource organisations, that's your place to be.
And this time, we also have something new that we haven't had before. It's the RIPE Community Plenary on the evening on Thursday. And that's something that's come up in discussions that we have had over the last couple of meetings, that we need a place to discuss community matters.
We do have socials, so some people say that the most important part of the RIPE meeting is actually happening in the breaks or at the socials. So make sure that you join us in the welcome reception tonight. There is a networking event on Tuesday, and on Thursday there is a RIPE dinner, so what to do on Wednesday, well that's actually up to you, then you can do whatever you want so create your own social with your friends.
The Chair selection process:
I have been Chair for five years now. The previous Chair, Rob Blokzijl, selected me as his successor, some people thought that that was brilliant, then they didn't have to think about who was to be the next Chair. A lot of people thought that that's probably not the way we want to do it. So I'm really happy to announce that we now have consensus on a new process, it's been documented in the RIPE Chair selection process, to be selected by a nominating committee. So there was just before we started this session, an e‑mail sent to the RIPE list, so you can volunteer yourself to be on the nominating committee. And the RIPE NCC exec board has appointed a NOMCOM Chair, a non‑voting Chair that will simply facilitate the process, and if you have been here for a while you all know Daniel Karrenberg who was one of the kind of founders of this community and he has written most of the process, or put the sort of, held the pen on writing the process. So he should know it intimately.
The call for Chair and Vice‑Chair will be published later this week and if you want to understand better what this is and how questions and discussions about it, this will be on the agenda for the community Plenary. In the community Plenary we will also discuss or have space for discussion on the RIPE database task force. The code of conduct and whether or not the PDP is fit for purpose. So do we need a next generation policy development process?
There is a networking app, so if you don't want to interact in person you can do that through an app. We do have some sponsors, so I would like to thank all of them, because without the sponsors, we wouldn't have all the coffee, the parties and all the good stuff.
And I guess that's the sign since we have some brilliant new technology here I now have a yellow sign so now I know I have to wrap up and I'll hand over the microphone to Axel Pawlik, our host for this meeting.
AXEL PAWLIK: Thank you very much. This is slightly unusual. But, as RIPE NCC is the host for this meeting, I get to tell you jokes for half an hour, which is great, I like to do this. I have a good joke that Lawrence told me yesterday. On the other hand, that's diplomatically a little bit complicated so maybe I won't tell you this right now, but talk to me later over a beer.
So, the RIPE NCC is happy to have you, not in Amsterdam this time, you might have noticed. I hope that you all got up early enough and got in early enough to see the blue skies which we have arranged for you, had arranged for you, but, you know, things happened. So, that's basically that.
Sponsors, thank you to our sponsors, a slightly different slide this time around but happy to have you.
It's always great to find a way to make the meetings better, bring new services or better networking, bigger cookies, nicer coffee, chocolates with beetroot in them, stuff like that. It's great to have sponsors do that, so if we can do that in a way that is somewhat cost neutral to you.
Right... so, the community. The RIPE community is about 30 years old this year around. We, at the RIPE NCC, try to support you for 27 years, something like that. We are happy to do that. It's always, and we are not inviting you to do the marathon, no, under two hours, we don't do this I think in this community ‑‑ but, there is always some new record to be broken; be it, oh, the largest meeting ever, this looks quite promising, or the nicest social ever, the longest lasting dinner, the fullest childcare, we are booked out this time around, which is brilliant. So it's always exciting to do something new and see that it's a success and there is a new number that you can be proud of.
Speaking of numbers, around this time, the RIPE NCC is running out of ‑ yeah, I know it's boring ‑ out of IPv4 addresses, we have said it many times. There are so many different words, exhaustion, and whatnot. So, yeah, we do run out of this type of thing around now. And it's a very orderly event I have been assured, sort of looking quite nicely, we have communicated about this multiple times, many times, and it's great, it's especially nice to see that our folks at home in the office are putting their most, their utmost into this to make it nice, as nice as it can be, and orderly and well‑communicated and ‑‑ yeah, they will all be very flat when that has happened. So, we also sort of looking for that, forward to that and then it will be a bit quieter for us and we can concentrate on new things, possibly.
That's basically all I have to say. Oh, if you want this half hour, I still have some minutes left. The next time around or at a RIPE meeting for you or your organisation, of course you are welcome to host them, we need hosts, of course, at most of the meetings. And you are invited to talk to our meeting team, I think most of you might know Martina, just go and grab her and say we want to host a meeting in a year or two years' time.
With that, me and all of our staff at the RIPE NCC and our board wishes you a lovely Monday, Tuesday, Wednesday, Thursday and Friday. Have a great RIPE week and look for the blue skies. Cheers!
CHAIR: Hi. So, let's get started with the Plenary, some people who are here regular visitors will see this is a new face, I am not Benno, I'm Franziska, I have been elected by my fellow Programme Committee members to be the RIPE PC Chair for the foreseeable future and I hope I will continue the really really good way that Benno started and I don't see you in the room right now but I really thank you for being supportive for me and helping me ‑‑ oh, there he is ‑‑ being supportive for me, getting to know what I actually have to do to make this Plenary a success together with my fellow PC members.
A couple of words about myself. I have a research background. I am a researcher on Internet measurements at the Max‑Planck Institute for Computer Science. I am about to finish my Ph.D. in the last probably next year, a bunch of friends already joked to me, all the time we have seen you you are still working on that. That might come to an end at some point, but I will still be interested in everything that's going on here.
So, the RIPE Programme Committee. These are all the marvellous people with whom we set up the Plenary sessions, lightning talks, tutorials and workshops. These are their faces. We all have RIPE Programme Committee on our badges. If you have comments, input, anything, don't hesitate to talk to us, we are very, very happy to get your feedback on what we are doing here.
What is the PC responsible for? We mainly care for everything that says Plenary except as Hans Petter introduced the Community Plenary, but we put together the Plenary sessions on Monday, Tuesdays and Fridays, which are composed of full‑time Plenary presentations and lightning talks. I will say a word on lightning talks later on. We have amazing tutorials which I hope you enjoyed this morning recollect we are usually on the Monday morning slot, and we have BoFs and workshops that are usually covered with evening sessions.
A word on lightning talks. There has been some confusion and maybe I can either add to that confusion but I hope I can reduce it. Many of you contact us and say I want to submit a lightning talk, so let's get clear what is actually a lightning talk. Lightning talks are supposed to be about new ideas that come to your mind and you think I just want a small amount of screen time, mic time, pitch that idea to people and then have a discussion within and during the meeting. This is why we as an explicit decision as the Programme Committee said we will accept lightning talks on short notice. So, we usually publish the acceptance notifications for lightning talks at the day before the respective slot. We are aware that this might be a hassle to some people, but we want to keep the format as it is and as dynamic as possible. Of course, if you, as a community, say, okay, we are not that happy with that, we would like to change it, come and talk to us, we are very, very open to suggestions from your side in that respect.
Really, really important thing: If you click on the meeting agenda for every Plenary session, and I think some of the Working Groups are also using it as well, there is a rate button. Please rate the talks. We, as the PC, in the end, we look at the ratings, see what did you like, what did you not like so much, and we also give this as a feedback to our presenters. They really want to know how well they have done.
So please take the small time and actually rate the talks.
PC elections. At every meeting we have up two seats for election, so if you are interested in working with this great bunch of people, please, please, please send a mail to pc [at] ripe [dot] net, and nominate yourself. You can also suggest somebody else, but you might want to talk to them beforehand. As I am aware right now, we didn't receive any nominations yet, so if you want to, please go ahead and do that. It's an amazing amount of fun, it's cool, you can have influence on the meetings, on what we do here, you get to talk to a lot of people and, yes, we all have day jobs, we all do it in our free time, it's really doable. So here you will see that during the whole meeting, are the time slots, nominations will open tomorrow, 3:30, and candidates will present themselves quickly on the stage at four, when the Plenary starts.
And another note. I am not sure whether that is changed. The voting link is on the meeting main site which many people do not apparently click, they only click on the meeting agenda. The voting link will be on ripe79.ripe.net. Please go there and there is vote for the PC because that is your voice that you also have within this community.
And with that, we can start with the first Plenary talk. A word on the next two talks. As Axel already mentioned, we are seeing the end of this IPv4 thingy, so, we actually make sure to open the meeting with two very, very nice success stories for the IPv6 story that we all hope that we will see very soon.
I want to introduce ‑‑ so we have two speakers today, we have Gerben Klein Baltink and Herman Timmermans, and they will talk about IPv6 deployment in the Netherlands. Thank you.
GERBEN KLEIN BALTINK: I think it's a great opportunity. It's almost five years ago that we started with what we call the Dutch Internet standards platform. In that platform, as you can see, is a permanent place for RIPE NCC, amongst others. So, we are really happy that we can present what we have done over the last five years in this community.
As you can see by all the different logos, we are a government and not‑for‑profit organisation. And the platform with mostly at meetings, 25, 30 people present, tries to focus on what we call relevant standards, modern relevant standards to keep the Internet open, free and secure.
These are the standards we are talking about. It's not just IPv6, I'll come back to that later on. But it's also DNSSEC and the whole list that you see beneath it and why did we start this platform? We were not specifically the technical guys that had the idea about the standard in technical depth, but we found it very necessary to use these modern standards. And we saw, we noticed that even with a task force for IPv6 in the Netherlands, it was not easy to have a growth in the number of IPv6 connections. It is not easy, once you have defined the standard, to make sure that it is implemented and implemented correctly.
So, we came up with this platform as a way to convince people that they really have to invest in modern standards. But we also want to listen to the community if they have a specific issue with a standard because it doesn't work or it is too difficult for them to implement in their own organisation.
So the role of the platform is to, let's say, stimulate the adaptation of the standard but also to carefully listen to all parties involved, what the hurdles might be.
And sometimes you know that there are hurdles, they may be technical because you have legacy situations that you have to deal with. They may be financial, because you really need a project in a larger organisation to do something on DNSSEC, it's not just a switch that you can use. And we want to listen and we want to do something with this. The good news is we have seen an uptake of all these standards over the last five years. Within government there is a specific policy on that and that policy is make sure that you comply or explain with these standards, if you don't comply, please make sure that you explain what the reasons are that you don't. That list does not only contain the standards that I mentioned, it's a longer list, but it's for government only so far, and with our Dutch Internet standards platform, we want to focus on society as a whole, so also all the commercial organisations in the Netherlands.
One of the ways we want to support it is by offering a test environment, a very simple tool located on Internet.nl, it's both in Dutch and in English, so, I invite all of you to make use of that tool, where you do a simple check on for example the local connection, not part of the standards in the broader sense for the web domains and for e‑mail, but your local connection is something to be tested as well. The Postillion connection only scores 10%, so that's not the one you should use today.
Make use of it and report back to us if you see any specific problems. The code behind this Internet.nl page is Open Source and available on GitHub. And then to the process as a whole. There is policy in front of it that may not interest you, but the good news is the Dutch government and Dutch society as a whole has this kind of policy developed. Comply or explain as I mentioned. And a specific agreement on deadlines, when, by the end of 2019, should a specific standard be implemented.
But it's not just policy. It's also knowledge exchange, what have you learned from the past and how can we make sure that we offer that knowledge to all people that might be interested? Public and private parties. And we offer to monitor, not only the internet.nl page as I showed it a few seconds ago, but also for organisations that do have a lot of domains or mail servers to check an application, a bulk test environment where you can do long lists of up to several thousands of websites, domains at a time.
As I mentioned before, IPv6 is one of the focal issues of our platform, and we are very happy that we have a good working, together with the Dutch association of municipalities, we have Herman here who will explain to you how they work with IPv6 in all the communities in the Netherlands. Herman.
HERMAN TIMMERMANS: When I got the invitation to show up here, I thought I had to address a workshop for a couple of people. Wow, what an audience!
I have a short presentation about how we did it within the Dutch municipalities. I am here with a colleague of mine and I have two other colleagues at work who have to implement IPv6 right now in municipalities, so they couldn't attend this meeting. Joost and I worked on an organisation called VNG Realisatie, and that's a part of the Association of Netherlands Municipalities. It's a very old organisation, more than a century old, and it represents all 355 Dutch municipalities. And VNG supports and promotes its strengths and the quality of local administrations and within that organisation we have a specific part called this Realisatie which we work for and they are concerned with IT matters within the Dutch municipalities. And we work close together with other governmental organisations and the most important are, and some colleagues of us are here, the Dutch standardisation forum and Logius, which are both part of the ministry of internal affairs.
How do we implement IPv6 within the Dutch municipalities?
The first thing is quite obvious. We only look at external sites. That means the only thing that bothers us are websites and mail servers which can be addressed by normal citizens, and the goal in that respect is that we would like to have all Dutch municipal websites be reachable by IPv6 by the end of 2020. Sorry, by the end of this year. And I will show you how that works right now.
Mail is something different and the target there is to have all mail servers, the external mail servers of Dutch municipalities (mail) accessible by IPv6 by mid‑2020.
That means, that we don't do that much on the internal implementation of IPv6 within municipal networks, but it doesn't mean that there is nothing going on. There are some municipalities who are already busy with implementing IPv6 in their own networks, but at this moment, we only focus from a national perspective on the external side.
The implementation of IPv6 doesn't stand on its own. It's part within the Dutch municipalities, of a larger programme for the development of dedicated community Cloud for Dutch municipalities, and that project is called GGI.
And now the results. I think these figures are quite obvious. We have 62% of all Dutch municipal websites reachable by IPv6 at this moment. And for e‑mail, that is 16%. The growth of IPv6 reachable websites is achieved in almost one‑and‑a‑half years. And we started at 19%, by the end of 2017, to 62% right now. And as I mentioned before, e‑mail needs special attention. The implementation of e‑mail requires more involvement of external suppliers, and that's one of the reasons why that figure isn't as good as the websites.
This shows how the IPv6 implementation, as we call it, of the Dutch municipalities is going on. Everything that is green represents a municipality that has already a dual stack access, both IPv4 and IPv6 and if you look at this sheet, then you can see how the growth was developing, especially the last one‑and‑a‑half years, and the arrow I show you here, shows you that this is the moment when we started our project.
We use what we call a closed loop approach, that means that we started the municipal website that is accessible through IPv4, and in our project, we helped that municipality to get access as well through IPv6. In order to check if that website is compatible with IPv6, we used an API as mentioned before by Gerben, it's linked to the internet.nl site, and that site gives us information about the status of the IPv6 compatibility or compliance of that municipal website. The results that we got at this point are linked back to us and by that information, we can improve our project approach. And also, we represent the results to the municipality, to the management of the municipality, and moreover, we publish on website: The implementation approach of Dutch municipalities is based on specific points. We have a dedicated team of four people who support ‑‑ we constantly measure the progress of the IPv6 implementation through internet.nl. Sometimes we use a translation gateway. For instance, it takes much more time to implement all actions in specific situations and if that is the case, we have translation gateway which translates IPv4 to IPv6 and vice versa in order to get the website of the municipality up and running, Of communication to share our successes and findings. A little word about the working of the gateway.
What you see here is the components we use in that situation. Once an IPv6 ‑‑ let's say a citizen wants to look up something at the website of the town he lives in, the citizen has a computer with IPv6‑only connection. The website of the city is still IPv4, and we added the IPv6 address together with the IPv4 address in the DNS of the website and in a AAAA record and now the citizen tries to get in contact, as you see here, with the red line, through the Internet, with the municipal website. And in that case his address is also being sent to the gateway server and once that is the case, the gateway server orders his address to the municipality, and once that is established, we have a working connection. That's why we use, and how we use the gateway.
The gateway is a temporary solution, the maximum time we use the gateway is almost one year, and we ask the municipality to get rid of the gateway and to install IPv6 in a fixed way.
Now, I would like to stress some additional topics. One of them is that we have to use so‑called governmental IPv6 addresses here in Holland, that means that those addresses are only for governmental use, also for municipalities, so if you look up that address, you will see that it's a governmental address. For the implementation of that governmental addresses, which was issued by Logius, that was the organisation which acts as an intermediate between the municipalities and the Dutch Ministry of internal affairs.
Marketing and communication is something you can read here that are especially the things we use to communicate our achievements. We use targeted messages, as you call it, so if you have to do with an IP specialist, the idea behind the message is the same but the language we use can be different.
To show you what we are doing with communication, I have a little example which is a video, I have to apologise for the fact that this video is in Dutch, but we have to try ‑‑ we had tried to use the subtitles, they are a little bit fast, so, the idea is to get the meaning of this video, it's only two‑and‑a‑half minutes, and you see how we communicate with everybody who is involved in IPv6.
(Video being shown)
That's how we do it. It's as simple as that!
Some additional steps.
What we try to do with the experience we have until now is to accelerate the implementation of IPv6. And we do that by several means, and one of the examples is that we organise what we call an IPv6 week, two weeks ago, with ‑‑ in fact, there were three separate meetings, one with the municipalities, one with suppliers and vendors, and ISPs, and one with other governmental organisations. And that IPv6 week, which was attended by almost 100 people in total, that IPv6 week also was used to develop a manifesto with suppliers, municipalities and other governmental organisations in which we call, and that were all the people available there, which will call for an acceptance of IPv6 for all governmental organisations by the end of 2021. So that means that if you are living in this country and you are trying to get in contact with a governmental organisation, by the end of 2021, you could do that also via IPv6. And ahead of that, we, as municipalities, go on with our own project and that means that we will have all the municipal websites reachable by IPv6 by the end of this year.
To wrap up:
We have learned some lessons during this project. Also, it was only one‑and‑a‑half years that we were working on it.
First of all, don't waste your time with making business plans. It doesn't work. It is no use. You have to do it.
Keep it simple. Take not the whole issue of IPv6, internal and external, but focus on one specific part and the easiest part is to implement IPv6 on the external side.
Be aware that there are constraints and blockades, and trace them and get rid of them. And one of the examples how we do that is by using the IPv6 translation gateway.
Use internet.nl, it's a tremendously important tool to track and trace the status of the IPv6 implementation, and present on a continuous basis the results you got.
Use small teams, both on the national side as well as in the region and on the municipal side, and provide a checklist and all kinds of means and guidelines in order to do their job.
And target messages at specific levels. Have a different language for general management for IT specialists, operators and so on. And last but not least, cooperate with your suppliers, your vendors and the ISPs.
If you need additional information about what I told you here in this short briefing, these are our credentials, so, take the opportunity to get in contact with us and we will react as soon as possible.
Thank you for your attention.
Now, my counter is on 5:21 so that means that we have a little bit of time for Q&As.
JAN ZORZ: Okay. Hello everyone. There are questions. Okay. Go.
AUDIENCE SPEAKER: Hi, it's Marco Davids from SIDN. Thank you for the presentation. It might sound a bit like nitpicking but it's a question I have the opportunity to ask.
You showed this map with the Dutch municipalities, but there are also a couple of municipalities overseas in the Caribbean, are you in touch with those islands? And are they also...
HERMAN TIMMERMANS: Actually, not in the subject, but I will leave this country on in the coming Thursday for verification on the Dutch Caribbean. We are not in ‑‑ actually not in contact with the governmental organisations there, but this is one of the topics that is on our agenda to do as soon as possible, Yeah.
JAN ZORZ: We have 15 minutes for questions. Who was first?
AUDIENCE SPEAKER: Jen Linkova. Thank you very much, very encouraging. Just curious, what was the biggest technical challenge? What broke? What prevented you to do it in one quick rollout everywhere so ‑‑
JOOST THOLUIJSEN: The ‑‑ one of the challenges, one of the things we noticed is that sometimes a site according to one criteria is available via IPv6, which it has a DNS record etc. What the plain requirements, but then in the end the fifth requirement, which is that 90% of the site needs to be the same content as the IPv4, and then you sometimes notice that a site that is accessed by IPv6 does not give the full same content. So, that is something that then the web hoster ‑‑ or the web builder has to pay attention to. That's one of the items.
The other blockings are the non‑technical that are the ISPs if a company or an organisation host their own websites where the ISP is not ready yet. That's what we often see. And the third one block, is that a web supplier is planning to provide IPv6 but only in a year or one‑and‑a‑half years time, and that's a case where the gateway that Herman mentioned plays a role to overcome that gap.
AUDIENCE SPEAKER: Marco Hogewoning, RIPE NCC. I have been working for the five years now in the ‑‑ trying to progress this and I'm happy to see that there is some progress.
As for a question and I kind of going to jump on where you left off. You mentioned the supply chain, the vendors, can you elaborate on sort of how is the cooperation with the local supply chain and, in particular, the web hosts this year? Because I assume that once you have one web host on board, you go for multiple governmental sites. I assume that the market is consolidating in that a bit. So do you see an effect there or is it really just one government at a time, one hoster at a time?
HERMAN TIMMERMANS: Well, it's a good question. One of the challenges we had was to convince the providers, the suppliers, to work with us. So they have their own priorities, their own time schedule and a lot of providers said at the beginning, more than two years ago when we started talking with them, IPv6 is not an issue, nobody uses it. We didn't have any question of people who said, why is this site not reachable by IPv6? Still, we started talking with them and we convinced them that if they would like to get more business and be prepared for the future, it's necessary to work along with us, and we succeeded in to get the cooperation with, in fact, all the major players on the regional field. And that is one of the successes we booked in this project. If they didn't work with us, then we couldn't have achieved the results I presented to you right now.
So, that is, on the municipal side. What we discovered was that every governmental organisation has its own pace and its own provider, and there are the differences. What we think is necessary doesn't mean that all of governmental organisations find that necessary as well, and that means that the suppliers of those other organisations have still their own time schedule. And one of the items we tried to do with the manifesto I mentioned was to align that situation and the only way we think we can do that is by organising the whole government, the whole government side in order to ask the suppliers and the providers always the same question and use the same time schedule in order to implement IPv6 at the external side of the governmental organisations.
AUDIENCE SPEAKER: Dmitry. I am very impressed, I wish we could do the same. I notice that a very low number of e‑mail support and I guess why. Do you have any plans to tackle that? I mean, I know it's not easy.
JOOST THOLUIJSEN: The one major number of municipalities that we see that have a problem with the e‑mail is that they have a spent provider which is outside of their e‑mail presence which is not ready, and they don't even have a road map to do so. So that's why we're now planning to make a facility like we have, the web facility, the gateway, we're planning to do that for e‑mail too, but it comes, let's say the principle of e‑mail and the spam filtering that you have to do, that's the difficulty that Herman mentioned that comes on top of that. But, it is for a great deal, the existing providers of the municipalities that do not offer it.
AUDIENCE SPEAKER: Randy Bush, Arrcus and IIJ. Excuse, but in this community world is a little obsessed with technical details, and one thing that you said kind of went tweak, which is they all must use the same IPv6 government address space. How does this work if ‑‑ how does this work if they are not on the same network topology and how does this work if they have outsourced the supply of the website or ‑‑ I mean... This at first thought, kind of, doesn't work.
AUDIENCE SPEAKER: I can give the answer because I am the one who wrote this address and plan ‑‑ Although I wrote this plan, I am currently unaffiliated and basically, it's a large block and the pieces of address space that are given to the municipalities and other government organisations they use them as PI space. But if you want to know more, I'll be here all week so come talk to me.
JOOST THOLUIJSEN: I can add to that. On the complexity level, the idea was that every municipality gets a block and that's what is happening now, 79 out of the it have got that block or a set of blocks. The idea was that if they have their website hosted outside, that I would reserve and hand over a part of that to that web hoster. Well, we have had some comments from municipalities but especially from suppliers with a lot of municipalities as a customer that they would have a lot of administrative and technical hassle. So the plan has changed there. These suppliers get a block that's recognisable as a municipal address, but not specific for this one municipality. So, that is something that happened in the last year and it slowed down the process for half a year because there was the interest of the governmental was to have one central approach in the interest of host was to have as little hassle as possible, and that's resolved now in cooperation between these parties.
RANDY BUSH: And it works out well where the hoster is Google, Yahoo, Microsoft, etc., especially as you move into e‑mail?
JOOST THOLUIJSEN: Or AWS, for example, that is a problem then because there are parties that are willing to absorb an address that's handed by us, there are parties not so. So that's the struggle that we are going to expect or we are in the middle of.
RANDY BUSH: I don't think you need the struggle. You should discover and maybe do something also called the DNS.
JOOST THOLUIJSEN: Right. Yes, that's partly a wish from the Logius etc. To have recognisability on the address side and that's partly a school that says do not make everything depend on recognisability of an address.
NURANI NIMPUNO: Hello. Nurani. Great to see there is this project coming to fruition. I was just wondering if you could talk a little bit about the decision‑making process of the implementation of this project and some of the hurdles that you went through? What we see with a lot of organisations wanting to implement IPv6, you often have the situation where everyone agrees that it's a priority but just not right now. So, to get from that to actually getting everyone on board and to set the timeline, was it something that came from the top‑down or did you need to sort of get everyone on board inside the organisation? And especially if there are things that maybe other organisations, government or ISPs or others can take with them as lessons learnt from you.
HERMAN TIMMERMANS: What we did is quite easy. We looked for people who are ‑‑ who were familiar with IPv6 and, first of all, we have looked for the enthusiasm sped over the country and we have ‑‑ we tried to find those people and we got them together and we told them our plans. By doing that, we had already these people are enthusiasts and they could spread the news in their own environment, in their own region, and we would like to have, and that works very well, new contacts in that region of people who are thinking about implementing IPv6. So ‑‑ and that's, in fact, the whole way we work if somebody doesn't want to implement IPv6, it's very difficult to convince him because everything works still on IPv4. If people say, well, you have kind of what I call an assurance stick, you tell them what can happen and that are large disasters, and, to prevent those, the effects of those disasters, you have to implement IPv6 right now. But that guy comes back and says, well everything works, what are you talking about? So, first of all, we started to find the people who are enthusiastic about implementing and using IPv6. And the second thing is, we convinced those people who had to implement IPv6 that it's quite easy if you start at the outside, if you only focus on websites and on mail servers, then the impact of implementing IPv6 isn't that difficult. It doesn't cost a lot. That's completely different when you start implementing IPv6 within internal networks. Then you have to think about frameworks, you have sometimes, like, change the hardware which is not compatible with IPv6. So, we avoided all those nasty and difficult things, and only focussed on the external side. And what you see now is, once you are ‑‑ you achieve that, we achieved that, a lot of people are enthusiastic about implementing IPv6 on the outside, some other people who are still looking, should we do it or not, also get into the IPv6 bandwagon and that is in fact the situation we have right now.
So, I can say, we will succeed in getting all the 355 municipal websites reachable by the end of this year by IPv6, that isn't that quite difficult.
JAN ZORZ: We have two minutes left. Daniel, Please.
DANIEL KARRENBERG: Hello, I am Daniel with the RIPE NCC. A couple of things. First, Thank you very much for this encouraging talk. As a resident of the Dutch province of Limburg, I was very proud to see some green there. I didn't expect it so you have done well. And the question is: What do you consider more important, and this is a continuation of what Randy Bush, the previous person on this microphone, said ‑‑ implementation of IPv6 or usage of specific addresses that were made in the plan somewhere. What's more important?
JOOST THOLUIJSEN: I would say the first, if we are banging out municipal organisations and say, well, you have to do it from the start in exactly the way that we have devised here with our central addressing plan framework, that would shy off people. So we say if you first start with whatever address you get from your host or your supplier and then later, there is some kind of familiarity with the address and with the whole situation, then we suggest to go for the Logius framework address. So in that order.
DANIEL KARRENBERG: That's very encouraging. I have one little announcement. As the Chair of the 2019/20 NOMCOM, there are already four volunteers only a couple of minutes after the call for volunteers opened and Wolfgang Tremmel was the first one.
JAN ZORZ: Thank you very much.
My name is Jan Zorz, I'll take care of the rest of the session as usual. Now, we have another IPv6 talk, another IPv6 success story. So, Nico Schottelius will talk about how to build, maintain and market an IPv6‑only data centre, so we still have work to do.
NICO SCHOTTELIUS: Hello everyone, I am very happy to be here today. It's a great audience what I have seen and talked to already. Before I go a bit into my talk, I was wondering who of you already deployed or is planning to deploy IPv6 soon? Just a quick hand‑raise? Right. So around 40%, maybe...
So, before ‑‑ why are we doing this and where am I doing it at all? What we are doing is, we are running a fully renewable energy data centre in Switzerland, in the mountains. So basically imagine a valley, a bit of waterfalls, a lot of water power plants and a lot of old spinning and weaving factories, so huge factories. We are reusing these factories and we are making them data centres and a big part of them is making them IPv6 first data centres.
So, why all of this? Sure, we can do, we can go out ‑ IPv4 addresses are, at the moment, not yet that crazy expensive ‑ we can go out and buy a block for 30,000 francs. We get another thousand IPv4 addresses not on the LIR but on the market, but it really doesn't make fun, and, you know, that's how we started actually.
To go back, and I was actually quite intrigued to hear about the two‑year approach that we heard before. We started in 2017 and our company only started because your customers were pressuring us, they say you do all the Linux consultancy, can you also offer hosting? Our answer would be, no, why would we? There are tonnes of hosters out there. So eventually, we were convinced to have a look at it and to try to build a data centre in the mountains, and, coming to 2017, we had very heated discussions internally, like, do we go IPv4 only, dual stack, do we go IPv6 only? And it's something to be shared at a later time of the day, but it was really heated.
So we started our first stage in 2017 and we were saying, like, all right, it's 2017, everybody has IPv6, or something. So we will build it completely IPv6 only internally, all virtual machines will be IPv6 only. And every ‑‑ but every virtual machine will get an IPv4 address mapped by NAT 64 on the outside. Sounds good, doesn't it? Somebody is laughing.
Right. Sounds good in theory, but there is some things that happen didn't work out, and some customers, for instance, reported services were not reachable, like a web server would listen on IPv4 only but on IPv6 only. So we ran into a bit of a problem there that our customers were getting used to it, it was a bit hard to convince them.
So, what we did then, we entered stage 2 and we said, well, in the end, our job is not to promote IPv6; our job is to make life easier for customers, so, in 2018, we began to say, all right, our customers do need IPv4, so we switched actually to making all our VMs, dual stack VMs. The hardware itself still stayed IPv6 only. But then we changed our architecture and we came into a bit of trouble; that is, we added net boot to our services. If you have a server and you load up the operating system from the network, then this can be done by IPv4/IPv6 and our hardware didn't support IPv6 at the time. So we actually had to add internal IPv4, which was a bit trouble.
You have long, heated nights and then something like this.
So, fast forward to the end of, I think, 2018, we are thinking, like, well, our original idea was, we go IPv6 only. Why don't we try something crazy? Why don't we launch a new product, we'll call it IPv6 only hosting, and it is hosting on IPv6 only. Not only don't give incoming NAT so cannot access those VMs by IPv4, but some of them, like, depending on the customer, we also didn't give outgoing NATs. It was like purely IPv6 only. Nowadays, the service is running on outgoing NAT. So you actually can access an IPv6 only VM but you can access the IPv4 Internet.
That works well for quite some customers. And over the time, and that is the reason why I'm here today, is, we got a lot of learnings and one of them is that just having NAT 64, I'm not talking about regular NAT today here, by not having NAT 64 is not the only answer. There is a lot of things grey in between and we found out actually that having what we call smart NAT 64 like bridging individual protocols helped a lot. If you believe it or not, you can actually easily proxy HTTPS requests, so if you actually having IPv6 only VMs and you want to reach them by IPv4, you can put a transparent proxy in between, which works very well even without opening like the security initials there.
This is also something that is for anyone who thinks about IPv6 hosting, why do you want to do this at all? I mean, IPv6 is cool, la‑la‑la, we have heard that. But eventually, you do this because you have a lack of IPv4 addresses so you actually want to create end mapping. So you want to say there is one IPv4 address and you have a lot of potential IPv6 addresses behind it.
So, another problem was, how do we actually get people to use IPv6. We have VMs without actually having IPv6 connectivity. So the customers came and we are saying, well I ordered a VM but I cannot access it. Well, what do you do? The answer was, I'm trying, and then I get this answer like there is no route to host. Yeah, because there isn't a route to host because they were coming from IPv4‑only network.
So one of the big learnings and the thing I want to ‑‑ why I'm presenting here today is, I want to encourage you to do the same that we do, is to give your customers a possibility to have IPv6 everywhere. Right now, my notebook is lying over there, it has its own /48 network which I carry around all the time. Actually, as a matter of fact, if it occurs and you want to ping nico.ungleich.cloud, this is my other notebook somewhere else which is worldwide reachable. Why? Because it actually helps me to find stuff. I don't know how often did it happen to you, but sometimes I leave my notebook in the office, I go out and then it's like, that file that I didn't synchronise, that particular file, I need it right now. And with IPv6, I'm actually going to my notebook and grabbing it.
One note here. I know there are a lot of vendors here. In terms of what kind of VPN to choose, I know it's a religious war and I will not go into details. There is one thing that we found WireGuard is a technology that is quite easy to use and works across NATTing but it's just one thing that we use.
So one of the main topics building an IPv6 only data centre is one thing, but marketing it, why would anybody do that? Clearly for fun. To be different? Some people do that, to say, like, I want to be a bit ahead of everybody else. Maybe?
For us, come from a background where we do everything as ecological as possible, it is also thinking about the future. It's about being sustainable, and I said before we could go out there, we could buy our IPv4 blocks, but if you think about it, it's not really sustainable. It is ‑‑ it's like heating up the earth; it doesn't make a lot of sense and you don't want to do that.
There is another big reason why you want to promote and also to sell IPv6 and that is actually that you decentralise services. A short question also in the audience: Who used Google today? Okay. Who didn't use Google today? Maybe around 20 people in here, you do the percentage. The problem is that we are living in an Internet that is very, very much centralised. If Google goes down, Facebook and Twitter and Reddit go down, what do you do today? E‑Mails, maybe. So, my point is, the reliance on a couple of companies has really grown quite a lot. So, when you think about IPv6, don't only think about I'm switching the network, I'm going with much, much more IP address space, that's true, but think about it differently. The Internet was built to communicate with each other. The Internet was built so that I can talk to somebody else directly, not via some kind of weird NAT or hidden services.
Obviously, if you do IPv6‑only marketing, you should also think about the profit. Be it financially or be it ethically, or whatever, you need to be able to sustain your business. So you always need to keep in mind like, okay, I'm building a new IPv6‑only service, but I have to be there tomorrow. If I create a product that lasts for only a short time, it doesn't help your customers either.
So, there is one thing that I claim, that is everyone can have IPv6. If you disagree with me, that's okay. We can have a drink later, we can figure it out. My claim is there is no place where you really cannot have IPv6 nowadays. You have a lot of ISPs which offer native IPv6. There are tons of tunnelling services, they are free, they are paid, you name it. I think you don't really have a good excuse nowadays to say, I cannot have IPv6. So why I am mentioning this is, like, usually there was this difference between content provider, should we offer IPv6? Well, the clients don't have connectivity. So from my point of view, the connectivity problem has been solved. It mightn't always be the easiest way, but it is possible.
From our side, we are offering VPNs, IPv6 only in a variety of different countries, anything from Spain to the mainland of China. It works.
The other thing is, like, you can post your content to IPv6 CDNs. So also, there is really no excuse any more nowadays to not do, to not put it on IPv6.
So, but the question is a bit like, I'm standing here, we are having this really cool IPv6‑only hosting discussion, but what does it mean for you? And I want to encourage you to think about creating your own IPv6‑only service, and there are a lot of ones, as I said before, connectivity is already there. So, my point is, if you think about creating an IPv6‑only product yourself, the only thing you will really need is connectivity. This can be easily done.
And the second problem is much, much harder than the connectivity. In any case, if you create a product, you should solve a problem. It might be obvious, but it isn't for everybody.
So, what kind of problems can we actually solve? Why do we have IPv6? Well, we don't have enough IPv4 addresses. So we are handling NAT, or double NAT, or triple NAT, quadruple NAT ‑‑ how much time do I have?
The point is, with IPv6, you can use technology to allow direct communication to each other and beginning to utilise that. As mentioned before, IPv6 enthusiasts, they are the ones that are important to all of us. So, how do you approach them is, you talk to people: Like, do you want to test something? Maybe you are implementing some dynamic routing for them, something, or an IPv6‑based backup. A lot of things where you can talk to people who are already IPv6 enthusiasts and you can build a product around them. Or you can IPv6‑based pillows, where is my pillow? I will just ping it. Think about it. I will buy it.
The fridge, I also buy it, but if it's reality, I don't know, does anybody know if there is an IPv6‑based fridge? I think the idea was ‑‑ other, a printer. I might not store my meat into it...
So coming back to the IPv6 enthusiasts. Think a bit about, like, what you are building, and sometimes it doesn't even have to be easily accessible if you are dealing with the right people. If you are talking with IPv6 enthusiasts, you can create a product which is maybe a bit rough, but it's really, really cool, you know. I don't care, like, what I have to do to configure my IPv6 pillow. I just want to have it.
Then there is another group, which is really, really interesting, I don't know when you have last time checked out, like, what is going on in discussions in the Internet about hosting. It's really interesting, there is a new market of really ultra low cost hosting, and does anybody know what this device is? It's actually not released, so it was a trick question. This is an unreleased from an unnamed vendor somewhere in the US and China which is actually on the back, this is a fully Linux‑based computer, with a TFT that is about a bit bigger than this size, works via Wi‑Fi, it's really cool, and it is reachable everywhere in the world, and basically you can send your message, whatever you want to say, to this display by IPv6. This is completely autonomous on its own. It's quite a nice thing.
The point is, you will not update the display very often so it actually operates on like very low bandwidth, so you can think about something like, some of you might know Lucherban [phonetic], which is very low bandwidth numbering for wireless transmission. You can build products in a similar way that you say it is actually IPv6 reachable but it's a very low price point.
Who else? We have customers in the area of SME/IT companies which are very much interested to expose their office. They do actually what everybody of us in a way should be doing. They are actually providing services from their office. They are not especially reliable or they are not made for production, they are not having generators, they are not running a data centre, it's all okay. All they want to do is get ‑‑ giving other developers access to their code or to like running code, something that's testable. So basically I have the code running on my notebook, I just want to show it to you, this works very easy with IPv6.
A similar way, if you are having remote workers and in your office you just want to see, like, can you quickly deploy? Well, I have it already deployed in my notebook, have a look, this is the name or IP address of my notebook ‑‑ a better name, though.
Then, with one more segment, and this is large scale enterprises, and this is a bit tricky, because on the one hand, large scale enterprises, you have a lot of opportunities to market IPv6‑based products, but you have very long lead times, depending on where you are. On the other hand, they are always looking for skilled people. I don't know who is working for big corporates here, but you will notice that there are a lot of people that are not so well skilled because of the bell curve. So, you can always, in a way, offer your service to larger enterprises if you actually have a good product, it may take a bit of while, but one of the things is, and we had the discussion on this before ‑‑ if you are a bigger corporate and I tell you that well, in a couple of years you might be disconnected from the Internet, they would be like, oh, my God, no, what do I need to do? Where do I need to sign? Where do I need to put my money not to be disconnected? You explained, hey, they are networks coming IPv6 only and you should begin to offer your service on the IPv6. You get the whole talk started.
But, you know, how bad does it look like? And we have been conducting some experiments in IPv6‑only networks. And basically if you are the IPv4‑only world nowadays, you might be cut off at some point in the future. So, it's something we need to consider.
Some practical examples of what we have seen is organisations running out of RFC 1918 space. Not a joke; it was poorly designed in the first place, yes, but it actually gets a bit tricky there. So, you can actually offer services to upgrade the networks to get out of the RFC 1918 space, you can upgrade infrastructures with front ends, we have seen it before, you can upgrade the VPN because whenever you have a merger between companies you have, you might have a conflict in terms of networking, so that you merge different RFC 1918 spaces, so there are a lot of opportunities even in large scale companies to introduce IPv6‑only networking.
One note from my side: Try to avoid introducing dual stack networks when you can. If you go IPv6 only, things tend to get very easy and very nice. So, when you can, I would recommend you do that.
So, how can you profit from IPv6? Well, it's very easy. Solve problems with IPv6 and profit from the growth. If you liked this, and there is more IPv6 stuff and as you can see, we're a bit involved in this. There is a hackathon happening soon in Switzerland, actually, in the mountains, if you want to see everything live, 29th November. We are having IPv6 chat, a blog that's related only to IPv6 work, and we are experimenting with an IPv6‑only‑based freelancer platform, that's ipv6.work. The idea here is that you can only apply for a job if you have IPv6. If you don't have IPv6, well ‑‑ and if you can't get IPv6, maybe you're not qualified. Just think.
That's it from my side. Thanks a lot for listening and I'm open for questions now.
JAN ZORZ: Thank you very much. Great work. I have a small question. Did you look at the things that Tore Anderson did for his IPv6‑only hosting in Norway?
NICO SCHOTTELIUS: No.
JAN ZORZ: I think in 2011 he was experimenting with similar stuff. We have questions. Please.
AUDIENCE SPEAKER: Lee Howard, IPv4 dot Global. I love you all. Thank you so much. That was actually ‑‑ that's fantastic. When you talked about the proxy that you have, I was going to come back to something similar to what Jan asked, what kind of proxy. Two things. One is, can you tell me more about the proxy that you were using? And the other is, you said it's easy to have, to do a transparent HTTPS proxy. I haven't found it that easy, and maybe it's because I install my certificates on the web server and then try to build the proxy, and you're not doing it that way. That's sort of a, yeah, I have a server and I'm trying to put the proxy in front of it and you are doing the proxy before you have the server installed. Can you tell me more about that setup?
NICO SCHOTTELIUS: Absolutely. I am very, very happy and this is one of the questions where I probably need to put up my €10 later and give it to you. I didn't plan for the question but it's a very good one. Initially, we were actually doing the approach of storing actually the certificates of customers on our servers and it really didn't make us feel well because we shouldn't be able to decrypt the traffic and we're not interested in decrypting the traffic. So our current solution ‑‑ we are completely Open‑Source‑based, so our solution is based on HAProxy, and, what we are actually doing is, we are using the TLS handshake as an area for which host to proxy to and we are doing a TCP‑based. The disadvantage was the approaches at the end device doesn't see the real IPv4 address, but, then again, there is a proxy protocol in HAProxy that allows us to pass information to the back end.
So, now your next question should be: What about TLS 1.3 where the SNI is encrypted? Was it going to be?
AUDIENCE SPEAKER: There was a pretty good chance that was going to be it.
NICO SCHOTTELIUS: The way how TLS 1.3 works is by storing keys of the name indicator in DNS. So if customers are going ‑‑ are going down this road, we will need the decryption key for the SNI indicator, that's true, but not for the content.
AUDIENCE SPEAKER: There is some fun magic on the back end there but I can see how you do it. Thank you.
AUDIENCE SPEAKER: Blake. No hats. Thank you for that. That was particularly engaging. The cartoons are particularly appreciated, just as something to like get people a little more interested in it. The paper that Jan was referring to earlier, the title is the case for IPv6‑only data centres. Thanks.
JAN ZORZ: Thank you.
AUDIENCE SPEAKER: Maksym. We used IPv6‑only hosting and we're told servers for avoid DDoS attacks because of nowadays DDoS attacks on IPv6 can be ‑‑ can't be so huge as for IPv4. And to be able this side to host it on IPv6 only hosting, we can use a CloudFlare because if you connect to CloudFlare, it will give you IPv4 address and IPv4 reachability and also, TLS and the DSL certificates management. So, it can be used together with CloudFlare for to avoid DDoS.
NICO SCHOTTELIUS: Like any proxy and caching service can be used for that, that's true. Good point.
JAN ZORZ: Are there any other questions? We have two minutes left. 3, 2, 1 ‑‑ thank you very much.
All right. Please rate the talks. It's really important for the Programme Committee to understand which talks you like the most. Be back at 4 p.m. That's half an hour for coffee, I hope it's enough. And in the evening we have the best in practice task force.
LIVE CAPTIONING BY
MARY McKEON, RMR, CRR, CBC