[afnog] What are the major challenges in enabling Services to run on IPv6?

Tue Oct 28 18:00:33 UTC 2014

On Mon, 27 Oct 2014 13:59:59 +0400 Kofi ANSA AKUFO wrote:
> What are the major challenges in enabling Services to run on IPv6 in our
> region?

Let me try to shed some insight while typing this from a residential, 
native IPv4/IPv6 connection in the Netherlands. Not Africa, but I think
there's still some lessons to learn.

Setting up dual-stack webservices is easy, that has been done for 15 years or so.
Techniques required for that are well understood and I won't elaborate here.
The question, however, is how to make the services accessible to the users.

My service provider, XS4all, started providing IPv6 connectivity in 2001 or so,
initially through IPv4 tunnels (I've IPv6-connected the AfNOG network in Kampala
this way, for instance) and since a number of years natively.
IPv6 is enabled by default so if you enroll as customer you automatically
get IPv4 and IPv6.

That road was not easy. Getting the core routers to talk IPv4 and IPv6 is
easy enough (I'm pretty sure that most of the routers of the African ISP
community *can* to IPv6, perhaps a config option, perhaps an image update
but that's it). There were several challenges getting customers connected.

One issue is that XS4all doesn't do local loops to consumer customers themselves,
they depend on DSL loops from the incumbent provider and add their ISP service
on top of it. These days, that service is PPPoE and it's easy to do IPv4 and IPv6
over this DSL pipeline. The old DSL network (which, I'm told, will be switched off
before the end of the year) used PPPoA and could not do this. The old network is
at least 15 years old now and even I have migrated away from it now.

Another issue is the CPE. Many CPE's won't / can't do IPv6, and XS4all had to
work together with one that does. The result is actually cool: XS4all got to
create the specs for the IPv6 functionality (there are RIPE documents about
'IPv6 CPE requirements') and they are now using prefix delegation, the 
PPPoE segment runs numberless, and, from what I hear, the helpdesk is pretty
quiet about the whole issue.

One thing that the CPE does, by default, is add a diode (only outgoing connections,
no incoming connections, by default). That does help a lot for poorly patched
domestic windows PC's (we all know them!). Like with IPv4 NAT, is it possible to
make holes in the diodes to allow connections to certain hosts/ports but the
defaults are 'safe'

I do know that XS4all spent a lot of time and effort to make this all 'right',
but it's there now and I, for one, would not notice if IPv4 would shut down
tomorrow as nearly everything I talk to is IPv6 capable now.

The net result is that a. most XS4all residential customers do have IPv6 
(unless they manually switched it off or broke it), and b. new customers,
by default, do have IPv6 as well. And there's hardly any additional effort 
- anymore - as the hard work was done years ago.

I don't think the situation in Africa neccessary needs to be much different
from here. Yes, you probably have braindead CPE's - we got those too.
There are ill-advised 'reasons' not to do this - we got those too.
But, ping6 works from here. Go figure!

The architecture actually isn't bad. You can add more PPPoE sessions for 
closed networks (that's how IPtv apperently works, but I don't use it),
or VoIP (as implemented by other ISP's using the same infrastructure),
so there are other advantages.

The key thing is to Just Do It and select your kit accordingly when you do.

Geert Jan

(and, for the record, I do worry about the current 'health issue'. 
My thoughts are with those affected, and I am hoping for more positive news 
from the continent!)