East Asian countries surge ahead

South Korean and Vietnamese telecoms firms go for large-scale IPv6-only implementations

Major Asian telecom operators are working hard to implement IPv6. They have little choice, because some have tens of millions of customers wanting internet connections, but no big (historical) pool of IPv4 addresses to fall back on. What's more, two IP addresses are needed for every end user: one for voice, one for data. The region's mobile providers are therefore transferring customers to IPv6-only en masse. Various forms of address translation are then used to enable connections to IPv4-only systems and services.

SK Telecom, South Korea's biggest telecoms operator, is providing its 23 million LTE users with an IPv6-only connection by default. The policy was explained by Mobile IP Network Manager Hanwoong Lim at the APRICOT 2019 conference earlier this year.

464XLAT

SK Telecom enables access to IPv4-only services by using 464XLAT, as specified in RFC 6877. The approach involves first translating IPv4 addresses in the access network to the specially reserved IPv6 prefix ::ffff:0:0:0/96. That is done by a DNS64 server (a caching resolver, as specified in RFC 6147), which answers queries about hosts without AAAA records by mapping the available IPv4 addresses to the ::ffff:0:0:0/96 address space ('SIIT addresses'). Further up in the network, there is a (stateful) NAT64 gateway (a provider-side translator or PLAT, as specified in RFC 6146) that establishes a connection to the IPv4-only server on behalf of the IPv6-only client.

CLAT

The approach does have a couple of drawbacks. First, clients within the network can't be addressed by external IPv4 systems (which is also the case with CGNAT). Second, users can't reach hard-coded IPv4 addresses that applications contact directly, without a DNS lookup ('IPv4 literals'). As a workaround for the second problem, an additional (stateless) CLAT client (customer-side translator) can be configured on the end user's device. The CLAT client makes a virtual IPv4 stack available locally and translates IPv4 addresses into SIIT addresses if there is no IPv4 connection. SK Telecom has validated the approach by checking that it works with more than 1500 popular (Android) apps in Google's Play Store. Meanwhile, support for IPv6-only networks has been mandatory for all Apple App Store applications for the last three years. In other words, all apps on sale in the store have to work properly in IPv6-only environments.

DNSSEC validation

However, 464XLAT has one problem that can't be worked around: it's fundamentally incompatible with DNSSEC validation by the end user's own client. That's because the DNS64 server can't attach a digital signature for the original domain name to a SIIT address the client has generated. The DNSSEC standard does not permit an AD flag to be set for non-authentic RRsets. A validating DNS64 server could therefore only block requests for A records that fail validation by not returning SIIT addresses. As long as 464XLAT is needed to facilitate the transition from IPv4 to IPv6, we will therefore have to (temporarily) accept that DNSSEC validation doesn't work at the endpoint for IPv4-only services.
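The DNS64 mapping described under 464XLAT and its consequence for DNSSEC validation, as an added example that is not SK Telecom's code or part of the original article. The prefix defaults to the one given on this page and is a parameter; the record sets, status labels and function names are constructed for illustration.

```python
import ipaddress

# Prefix exactly as this page gives it. RFC 6052 defines 64:ff9b::/96 as the
# well-known NAT64 prefix, so the prefix is a parameter here.
PAGE_PREFIX = ipaddress.IPv6Network("::ffff:0:0:0/96")

def synthesize(ipv4, prefix=PAGE_PREFIX):
    """DNS64 side: embed the IPv4 address in the low 32 bits of a /96."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))

def extract(ipv6, prefix=PAGE_PREFIX):
    """NAT64 side: recover the IPv4 destination, or None if outside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def dns64_answer(records, validating=False, prefix=PAGE_PREFIX):
    """Answer an AAAA query from constructed upstream data.

    records: {"A": [...], "AAAA": [...], "status": "secure"|"insecure"|"bogus"}
    where status is the upstream DNSSEC validation result (hypothetical model).
    """
    if validating and records["status"] == "bogus":
        # A validating DNS64 withholds synthesis for data that fails validation.
        return {"addresses": [], "synthesized": False, "client_can_validate": False}
    if records["AAAA"]:
        # Native AAAA records pass through with their original signatures.
        return {"addresses": [ipaddress.IPv6Address(a) for a in records["AAAA"]],
                "synthesized": False,
                "client_can_validate": records["status"] == "secure"}
    # No AAAA: synthesize from A. The zone owner never signed these records,
    # so there is no RRSIG an end-host validator could check.
    return {"addresses": [synthesize(a, prefix) for a in records["A"]],
            "synthesized": True, "client_can_validate": False}

# Constructed sample data (documentation address ranges).
V4_ONLY = {"A": ["192.0.2.33"], "AAAA": [], "status": "secure"}
DUAL = {"A": ["192.0.2.34"], "AAAA": ["2001:db8::34"], "status": "secure"}
BOGUS = {"A": ["198.51.100.7"], "AAAA": [], "status": "bogus"}

if __name__ == "__main__":
    for name, rec in (("v4-only", V4_ONLY), ("dual", DUAL), ("bogus", BOGUS)):
        print(name, dns64_answer(rec, validating=True))
```

Even when the upstream A records are signed and validate, the synthesized answer is marked as not checkable by the client, which is the endpoint-validation gap the paragraph above describes.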

Scalability

Although Lim says that the network architecture is enormously scalable, there is a bottleneck at the NAT64 gateways that perform the translation and manage all IPv6-IPv4 connections, because the sessions are stateful. What's more, the gateways have to interface with the packet gateway (PGW) equipment that maintains the IPv6 connections in the access network. Lim also flagged up a vulnerability in the intermediate systems, where static and policy-driven routing and IP address pool configurations are required. An error in one of those systems could make a service unavailable nationally. SK Telecom is currently working to remove that vulnerability through automation.

In-house development

In-house development is not something that SK Telecom generally shies away from. In order to realise the transition, the firm has adapted or developed forty applications for tasks such as authentication, costing, capacity management, address management, statistical analysis and reporting. Enabling a dual stack on the internal network was very straightforward, according to Lim: out-of-box support is provided by all major network suppliers. About two thirds of the traffic on SK Telecom's LTE network now uses IPv6. To make that possible, the company has agreed sixteen new peering contracts with big players such as Google and Facebook.


IPv6 adoption in Vietnam tops 40 per cent

In Vietnam, the eleventh and last national IPv6 Day took place on 3 May. For the last decade, telecom companies, government organisations and service providers have used the annual event as a vehicle for driving IPv6 implementation. The country's transition to IPv6 has been organised on the basis of the Vietnam National IPv6 Action Plan, drawn up in 2009 by the Ministry of Information and Communication. Since the plan took effect, IPv6 adoption in Vietnam has risen sharply and now stands at more than 40 per cent: the highest figure anywhere in South-east Asia. That equates to 20 million-plus users. Malaysia runs Vietnam a close second, with 38 per cent adoption of IPv6.


Key features of the action plan included extension of the national internet exchange (VNIX) and infrastructure, adoption by providers, and provision of test facilities, training and public information.

Future-proof

We previously reported how hundreds of millions of mobile users in India and China were being transferred to IPv6-only networks, pushing up IPv6 use in those countries considerably. For big players looking to upgrade their infrastructures, the combination of IPv6-only with 464XLAT is usually the obvious route to take. It provides a future-proof infrastructure and enables you to scale down your transition systems as IPv6 adoption progresses.
