<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Hisham,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>We’re actually facing an interesting challenge with a client of mine around V6 and security, and the next major challenge is going to be to secure the network. Now, I would argue that securing v6 can actually be a little more tough than v4, since the technology is not quite as advanced, at the same time however, v6 offers some interesting possibilities on a security level that we’re exploring.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If you look at v4, you can pvlan and do port isolation into aggregated vlans on the distribution layers, and things work out ok. However, v6 lets you take this a step further, where you can actually do complete port isolation with a /64 *<b>per port</b>* and static it. (Using scripts to generate the configs). This produces a lot of config I will admit, and it requires reasonably large FIBs at the distribution layer if it’s a last distribution site, however, it does resolve issues associated with RA and makes things very easy to tie back to a port. With proper aggregation the vast number of FIB entries also will not propagate past the distribution point. 
This is something we’re currently exploring and testing in the lab as one potential option.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Sadly, we’ve found that DHCPv6 hasn’t been a terribly viable option because of a wide range of clients and lack of support on the client side in many devices, RA is still the more mature of the options in terms of end point support, so, it’s now about securing the RA. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>We’re also still investigating IPS options under IPv6, and this is proving to be a MAJOR challenge. Using a device from Palo Alto, we tapped the network firstly with v4, using port mirroring, and we got some fairly interesting IPS data back out of that. However, mirroring the v6 traffic, while there was a couple of hundred meg of traffic on the port, we were not getting ANY IPS hits. This either means that by some miracle there was nothing the device was seeing that was nasty (yeah, right), or the device simply wasn’t able to see the V6 properly. We’re raising that one with the vendor at the moment to see if we can figure it out. Any advice though from the community about v6 IPS devices that can act as network taps would be hugely appreciated. 
(We’re looking for IPS devices that can handle 10gig+ of traffic per device).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Anyway, that’s the news from my side.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Andrew<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> afripv6-discuss-bounces@afrinic.net [mailto:afripv6-discuss-bounces@afrinic.net] <b>On Behalf Of </b>Hisham<br><b>Sent:</b> Sunday, February 17, 2013 3:48 PM<br><b>To:</b> IPv6 in Africa<br><b>Subject:</b> [afripv6-discuss] What have you done for IPv6 lately, since the 1st of January, 2013?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Dear all,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>With the near launch of the IPv6 portal,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>There will be a segment for initiatives and projects that happen on a national and / or a regional <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>level to help with the IPv6 uptake in Africa. 
The idea is to get these initiatives recognized so that <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>others can share ideas, suggestions and even resources.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>This email will be sent on the 15th of every month, to share what has changed within this month,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>be it a prefix being advertised, a site turning on AAAA, to larger national and/or regional projects.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>As mentioned these efforts will be featured on the IPv6 portal and shall be used as further input <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>to some of the other global and regional initiatives the IPv6 program coordinates such as:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>* "IPv6 in the African region workshop" that is co-organized with IANA during the ICANN meetings <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>held in Africa.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal> The first of these workshops was held in 2011 in Dakar, <span style='font-size:11.5pt'><a href="http://dakar42.icann.org/node/26999">http://dakar42.icann.org/node/26999</a></span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.5pt'><br><br></span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.5pt'>The second will be in 2013 in the Durban ICANN meeting.</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.5pt'><br><br></span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.5pt'>** Also these initiatives and projects will be featured in the NRO documentation for 
the global </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.5pt'><br><br></span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.5pt'>Internet Governance Forum, "IPv6 around the world"</span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div style='margin-top:2.25pt'><div style='margin-top:2.25pt;margin-bottom:3.75pt'><p class=MsoNormal><cite><b><span style='font-style:normal'>nro</span></b></cite><cite><span style='font-style:normal'>.net/wp-content/uploads/<b>NRO</b>_<b>AroundTheWorld</b>.pdf</span></cite><o:p></o:p></p></div><div style='margin-top:2.25pt;margin-bottom:3.75pt'><p class=MsoNormal><o:p> </o:p></p></div><div style='margin-top:2.25pt;margin-bottom:3.75pt'><p class=MsoNormal><cite><span style='font-style:normal'>Regards </span></cite><o:p></o:p></p></div><div style='margin-top:2.25pt;margin-bottom:3.75pt'><p class=MsoNormal><cite><span style='font-style:normal'>IPv6 Program </span></cite><o:p></o:p></p></div></div></div><div><p class=MsoNormal><span style='font-size:11.5pt'><br><br></span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>