bbu's Diary: RIPE76 - Marseille
The first RIPE Meeting in 2018 took place at Palais du Pharo in Marseille, France from 14 to 18 May 2018. Here's my report :-)
France - Home of air traffic controller strikes and unstable weather
Unfortunately, unlike for RIPE72, I couldn't afford the time to ride my bike to the meeting (see the footnote if this link seems to be broken for you). But, foreseeing the strike of the French air traffic controllers, I arrived early enough to have two wonderful and sunny days in Marseille, just before the bad weather and airport chaos kicked in. Other attendees weren't so lucky, so there was a steady stream of latecomers in the following days. In the end, this RIPE Meeting had more than 700 attendees at Palais du Pharo, and almost 200 of them were newcomers. Amazing.
As it turns out, there's more to the Palais du Pharo than immediately meets the eye: there's a full-blown conference center hidden underground, and on one side, large windows provide an awesome view of the Vieux Port, the historic port of Marseille. A notable addition was a new childcare area at the venue, similar to those at other hacker and networking community meetings.
The first day started with wind and rain. What's the best thing to do in such a situation? Yes, you are absolutely right: a nice welcome reception at one of the sponsored coffee bars and a long chat with other community members :-) Then there were several tutorials on IPv6 security & segment routing, network programming and event-driven network orchestration. It seems that segment routing has the potential to pull a bigger community towards IPv6 adoption, especially in datacenters and IoT, but there's also a lot of complexity involved. If you are working in this field and haven't done v6 yet: now is the time to start with it. There's a new and exciting world ahead.
Later on, Artyom Gavrichenkov of Qrator Labs provided some insights into new types of amplification attacks, like the 1.7 Tb/s attack recently seen with insecure memcached installations. But especially the growing fleet of embedded devices is of concern. Large parts of the embedded devices industry seem to be stuck in the 90s, where IPv4, lazy security and closed source software were dominating. But times have changed. Any modern embedded device might end up in the next big DDoS farm and we'll need means to control and mitigate the resulting risks. But it's not only the devices, as Erik Bais from A2B pointed out; people need to think about network hygiene and threat mitigation on the network level.
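The memcached amplification attacks mentioned in the talk have a simple signature in flow data: an open memcached instance answers small UDP queries on port 11211 with much larger replies, so a victim sees large-packet UDP flows sourced from port 11211 on many unrelated hosts at once. The following is an added example (not code from the original post or from Qrator Labs) that flags such a pattern in flow records. The record format, the flow records themselves and the two thresholds (`MIN_BYTES_PER_PACKET`, `MIN_DISTINCT_REFLECTORS`) are constructed assumptions for this example; a real deployment would read exported NetFlow/IPFIX records and tune the thresholds to its own baseline.

```python
"""Flag memcached-style UDP amplification traffic in flow records.

Added example, not part of the original post. Memcached listens on UDP
port 11211; an exposed instance can return far more bytes than the query
that triggered it. Seen from the victim's side, amplification therefore
looks like many UDP flows *from* port 11211 on many different hosts, all
aimed at one destination, each carrying near-MTU-sized packets. The flow
records and thresholds below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

MEMCACHED_UDP_PORT = 11211
MIN_BYTES_PER_PACKET = 1000   # assumption: amplified replies are near MTU size
MIN_DISTINCT_REFLECTORS = 3   # assumption: several reflectors hitting one victim


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed record: 'proto src:sport -> dst:dport pkts bytes'."""
    proto, src, _arrow, dst, pkts, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port),
                int(pkts), int(nbytes))


def parse_flows(text: str) -> List[Flow]:
    """Parse all non-empty, non-comment lines of a constructed flow export."""
    return [parse_flow_line(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def find_amplification_victims(flows: Iterable[Flow]) -> Dict[str, Tuple[int, int]]:
    """Return {victim_ip: (reflector_count, total_bytes)} for destinations that
    receive large-packet UDP flows sourced from port 11211 on several hosts."""
    per_victim = defaultdict(lambda: [set(), 0])
    for f in flows:
        if f.proto != "udp" or f.src_port != MEMCACHED_UDP_PORT or f.packets == 0:
            continue
        if f.bytes / f.packets < MIN_BYTES_PER_PACKET:
            continue  # small replies: ordinary cache traffic, not amplification
        per_victim[f.dst_ip][0].add(f.src_ip)
        per_victim[f.dst_ip][1] += f.bytes
    return {victim: (len(srcs), total)
            for victim, (srcs, total) in per_victim.items()
            if len(srcs) >= MIN_DISTINCT_REFLECTORS}


# Constructed sample export (RFC 5737 documentation addresses, not real hosts).
SAMPLE_FLOWS = """
# proto src:sport -> dst:dport packets bytes
udp 203.0.113.10:11211 -> 198.51.100.7:3333 40 56000
udp 203.0.113.11:11211 -> 198.51.100.7:3333 35 49000
udp 203.0.113.12:11211 -> 198.51.100.7:3333 50 70000
udp 203.0.113.13:11211 -> 198.51.100.7:3333 20 28000
udp 10.0.0.5:11211 -> 10.0.0.9:40000 100 12000
tcp 203.0.113.10:11211 -> 198.51.100.8:5555 40 56000
udp 203.0.113.20:11211 -> 198.51.100.9:4444 10 14000
"""


def analyse_sample() -> Dict[str, Tuple[int, int]]:
    """Run the detector over the constructed sample export."""
    return find_amplification_victims(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for victim, (reflectors, total) in analyse_sample().items():
        print(f"{victim}: {reflectors} reflectors, {total} bytes of amplified UDP")
```

In the sample, only 198.51.100.7 is reported: it is hit from four port-11211 sources with 1400-byte packets. The legitimate cache traffic (120 bytes per packet), the TCP flow and the single-reflector case are all left alone, which keeps the rule from firing on a normal memcached deployment inside your own network.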
Tuesday & Wednesday
Tuesday started with several network-protocol centric talks, so I put my "networking cap" on and learned more about monitoring and security of the BGP ecosystem, enjoyed Geoff Huston's talks about some of his latest experiments with TCP & the scalability of BBR, then Louis Plissonneau from Facebook talked about passive monitoring, Total TCP Loss detection, etc. Richard Sheehan, Facebook, talked about commodity-based networks and the challenges of running 1280 40G ports on Linux-based hardware in a single 42" rack, just for fun and curiosity. Life seems to be easy if you consider a 500k$ rack of networking hardware a cheap playground and if network security is not of concern, because you pushed it to the edges of your network. But, actually, we are working at the other end of the line, and although we might learn a lot from Facebook's insights, other topics are more relevant for us. So I followed Aaron Glenn's talk about the packet processing language P4 and Jacky Hammer's overview of RFC 6980 implementations on different operating systems.
The meeting programme on Wednesday was more policy-oriented. Following the discussions around organising a post-IPv4-depletion world, it became clear that we are facing a hard time if people don't start acting quickly. It is horrifying to see what type of "solutions" are introduced just to keep IPv4 alive a little longer. But the pool of IP addresses has been empty for several years now and we start to see the negative effects all around. While several VPN and communication protocols stopped working behind the growing number of CGN and protocol translators, more and more clients are pooled behind scarce IP resources (sometimes 100+ clients per global v4 address). IPv4 brokerage starts to look like a new field for the mafia of the 21st century, even large companies start to hijack "uninteresting" IPv4 address space, mapping all their overlapping RFC1918 networks to something different, and the price for IPv4 address space is rising. "Oh, that space is reserved and unroutable on most devices? We don't care, our devices appear to work with it", "Oh, that IPv4 space belongs to someone else? We don't know them, so we don't care". Well, you might care when your network's CGN cascade starts to collapse.
What we are watching here, is nothing else than the death of the internet. A whole industry is acting crazy. Like a drowning person, committed to rather die than leave some valued baggage behind, the IP-networks of today will rather accept closed, mostly disconnected, AOL-like network islands than moving forward and implementing IPv6. Oh, we just move to the cloud … yeah. This will definitely solve all our problems. Want some blockchain on top of it, dude?
But what does that mean for embedded computing? Won't we need even more address space for all of those shiny IoT devices? YES. Move now or you are doomed. If anything is crystal clear, then it is the insight that there is no viable alternative to IPv6 adoption. We are running out of time.
The talks on Thursday shed some more light on the IPv4 pool size distribution in Europe, the need for some countries to use CGN to keep their users online and a call for action regarding more research on internet infrastructure related topics. I skipped some talks about regulatory topics in favor of some more technical conversations at the coffee bar, but topics like the new European NIS Directive, e-evidence and a "cybersecurity act" proposal are definitely worth reviewing.
In the Open Source WG, cz.nic presented their newest hardware project, the modular Turris Mox SOHO router. From an operational point of view, the talk on recent Kea developments was quite interesting. With added high-availability support, Kea might soon be ready to replace the good old isc-dhcpd. The last talk was about the applicability of blockchain to secure IP addresses allocations and delegations. Well, I'll pass.
Unfortunately, the first regular meeting of the newly founded IoT WG was in parallel to the IPv6 WG track, but luckily all slides and recordings are available on the RIPE76 website. In the IPv6 WG, Geoff Huston started with another interesting view on IPv6 deployment measurements, asking: "What Drives Deployment of IPv6?", followed by several interesting topics, like Helge Holz with "Painting by Numbers" (I'd like the blue block of addresses, please) and Jordi Palet about distributing unique /64 prefixes instead of single addresses from a shared prefix. Interesting stuff, done with standard RA infrastructure.
From my point of view, Jen Linkova's ideas about Enterprise IPv6 Multihoming using PA were … debatable. The presented concept is interesting and surely works for small eyeball networks with only short-lived UDP/TCP connections (e.g. a small WiFi hotspot infrastructure). However, for classic small- and medium-sized businesses, this isn't a presentable multihoming solution. Nowadays, even the smallest barbershop has permanent infrastructure like video cameras, cash desk systems, music servers, NAS boxes, VoIP telephony, some even have external-facing webservers on their NAS. Dynamic DNS usually saves the day, but with current implementations, renumbering everything from your printer to your coffee machine is a real pain. Currently, there is a wide gap between theory and practice. For medium-sized businesses, it is worse. You can expect to have critical infrastructure with lots of ACLs and long-running connections, like terminal server sessions, rsync, SSH, distributed network filesystems, backup, databases, web, printing and application servers, NFS, virtualisation servers, […]. Yes, you could use ULA, NAT66, link-local addressing, but why would anyone in their right mind want to do that in an IPv6 world, where end-to-end communication and stable global addressing is possible again? As long as shim6 or IPv6 mobility are not widely deployed, even small enterprise networks with a need for multihoming will (actually should) continue to use IPv6 PI for enterprise multihoming. I might add: there is another area where Jen's idea actually fits nicely: mobile WiFi routers and tethering setups with multiple uplinks.
Due to flight plan changes, I missed the plenaries on Friday, but videos of all talks are available on the RIPE76 website. As in previous years, the RIPE76 meeting was a nice opportunity to meet with colleagues and friends from a variety of very different networks, discussing best current operational practice as well as the findings of the academic community. See you in Amsterdam!
If you clicked on the first link in this article and it seemed to be broken, then your internet connection is missing IPv6 support. Please go to your ISP and ask for IPv6.