Ferenc Csorba - 17-05-2021 13:00:02
Hi everyone, I'm Ferenc Csorba from the RIPE NCC. This chat panel is meant for discussion ONLY. If you have questions for the speaker and you want it read out, please write it in the Q&A window also stating your affiliation. Otherwise, you can ask questions using the microphone icon. Please note that all chat transcripts will be archived and made available to the public on https://ripe82.ripe.net/.
Julf Helsingius - 17-05-2021 13:00:32
I like Patrik's T-shirt
Cynthia Revström - 17-05-2021 13:01:17
Patrik, I like your t-shirt, it makes me want to go and get some coffee
Sabine Meyer - 17-05-2021 13:01:22
I like coffee :)
Patrik Fältström - 17-05-2021 13:01:36
I knew some people would get it ;-)
Julf Helsingius - 17-05-2021 13:01:41
Shouldn't it say "Fika"?
Dmitry Kohmanyuk - 17-05-2021 13:02:15
coffee never hurts!
Sabine Meyer - 17-05-2021 13:02:16
baked goods only take up space that could be filled with more coffee...
Sascha Growe - 17-05-2021 13:02:17
I would like to have a koffie verkeerd
Patrik Fältström - 17-05-2021 13:02:20
Fika can also be tea!
Blake Willis - 17-05-2021 13:02:29
& please prefer asking via the mic, state your name & affiliation
Dmitry Kohmanyuk - 17-05-2021 13:02:39
Fika is a social tradition!
Julf Helsingius - 17-05-2021 13:02:43
@Patrik: that is just wrong!
Blake Willis - 17-05-2021 13:05:49
If you're a Salesforce customer, please bug them about IPv6 support, & feel free to reference that 10 year old "idea" (complete with anniversary cake)
Dmitry Kohmanyuk - 17-05-2021 13:07:23
I use the term “legacy IP”
Wolfgang Tremmel - 17-05-2021 13:07:27
lots of the Azure stuff also does not do IPv6
Dmitry Kohmanyuk - 17-05-2021 13:07:55
maybe we would call it IP 2G
Ruben van Staveren - 17-05-2021 13:08:05
I get a headache from letting k8s do something with IPv6 (IPv4 too btw)
Chris Buckridge - 17-05-2021 13:08:21
LOL @ Wolfgang
Klaas Tammling - 17-05-2021 13:08:28
IPv6 adventures in security appliances powered by Checkpoint?
Andreas Härpfer - 17-05-2021 13:08:51
No IPv6 in VPCs in Google Cloud, either :-/
Hans Petter Holen - 17-05-2021 13:09:08
"Upgrade your Phone to 5G and Network to 6" ?
Gert Doering - 17-05-2021 13:09:31
Ruben: supposedly ipv6-only in k8s works, just dual-stack doesn't
Dmitry Kohmanyuk - 17-05-2021 13:10:23
yes, the internet is one generation ahead of telcos (we had v4 before they had 4G)
Blake Willis - 17-05-2021 13:10:42
RFC5549 is also great for connecting v6 islands
Ruben van Staveren - 17-05-2021 13:10:43
Gert, I still need to get my head around getting "loadbalancer" to work on bare metal so I can add an ingress :(
Wolfgang Tremmel - 17-05-2021 13:11:05
do we have IPv6 over avian carriers yet?
Andreas Härpfer - 17-05-2021 13:11:20
metallb works quite well
Benedikt Neuffer - 17-05-2021 13:11:22
At KIT we had a lot of VPN issues because of CGNAT etc. After deploying IPv6 endpoints things got a lot better. Today most VPN users connect via IPv6.
Klaas Tammling - 17-05-2021 13:11:39
Cisco supporting IPv6 on their SD WAN and cloud managed stuff would be interesting.
Éric Vyncke - 17-05-2021 13:11:44
@Wolfgang rfc 5514
Blake Willis - 17-05-2021 13:11:45
wolfgang yes but the duplicate address detection is very messy
Blake Willis - 17-05-2021 13:11:50
(just like in ethernet :-)
Ivan Beveridge - 17-05-2021 13:11:58
Yeah. Meraki :/
Ruben van Staveren - 17-05-2021 13:12:04
Andreas: for v6 too? then I'll try again. was checking out purelb
Gert Doering - 17-05-2021 13:12:12
Benedikt: happy to hear that :-)
Dmitry Kohmanyuk - 17-05-2021 13:12:53
this idea of conflicting v4 being ok in presence of v6 is mind-boggling
Ondřej Caletka - 17-05-2021 13:13:15
Unfortunately, you cannot use link-local in URL :(
Éric Vyncke - 17-05-2021 13:13:38
in local URL, why not ?
Thomas Schäfer - 17-05-2021 13:14:00
Firefox doesn't accept scopes
Stephen Farrell - 17-05-2021 13:14:14
might enable snooping attacks if you allowed that
Ondřej Caletka - 17-05-2021 13:14:21
Browsers don't support it. Their reasoning is that URL is global so scoped IPv6 address shouldn't go there.
Dmitry Kohmanyuk - 17-05-2021 13:14:33
we need “default interface” designator for scope maybe
Blake Willis - 17-05-2021 13:14:36
but localhost is fine?
Ondřej Caletka - 17-05-2021 13:14:51
RFC1918 are also fine :)
Ondřej Caletka - 17-05-2021 13:15:09
There are other provisions to make snooping harder like Same Origin Policy
Dmitry Kohmanyuk - 17-05-2021 13:16:34
this natnatnat genuine t-shirt material
Florian Streibelt - 17-05-2021 13:16:56
Firefox does not handle the %ethx part in the IP address :/
Blake Willis - 17-05-2021 13:17:22
recently augmented by RFC8950
Klaas Tammling - 17-05-2021 13:17:50
Checkpoint firewalls doing 6-to-6 NAT when you are not careful. :weary:
Gert Doering - 17-05-2021 13:20:05
NATs are good!
Klaas Tammling - 17-05-2021 13:20:17
NATs provide me security. I don't feel safe without my NATs
Gert Doering - 17-05-2021 13:20:34
(and with the epic fail of IETF to properly address dual-/48 multihoming, using ULA + dual-NAT66 sounds like a viable approach...)
Christian Bretterhofer - 17-05-2021 13:20:54
please stop the jokes about NAT, it's getting too boring
Petra Zeidler - 17-05-2021 13:21:56
NAT: the rollator walker of networking
Ruben van Staveren - 17-05-2021 13:22:26
this is true
Gert Doering - 17-05-2021 13:23:10
I think IPSEC in NAT-Traversal mode might work just fine...
Rüdiger Volk - 17-05-2021 13:23:23
IPSec old?? 1st invented in v6 and then retrofitted to v4
Blake Willis - 17-05-2021 13:23:54
if your box has UEFI v2.5 or later compliant firmware, it should be able to http(s) boot
Éric Vyncke - 17-05-2021 13:23:57
@Gert indeed of course do not use PSK linked to IP addresses ;-)
Shane Kerr - 17-05-2021 13:24:07
Yes, but the IETF was still in the "NAT is evil" phase, and not designing protocols that worked behind NAT when they made IPSEC.
Blake Willis - 17-05-2021 13:24:14
plug for Lenovo UEFI here
Petra Zeidler - 17-05-2021 13:24:28
I'd worry about netboot last because that happens on an isolated network anyway
Marco d'Itri - 17-05-2021 13:24:45
(HPE usually always had outstanding IPv6 support in firmwares)
Thomas Schäfer - 17-05-2021 13:25:14
he talked about 10 year old devices..., five years old boot fine via ipv6
Gert Doering - 17-05-2021 13:25:19
@Eric: well, true, but at least aggressive mode should work...
Éric Vyncke - 17-05-2021 13:25:43
@Gert: this is also what I have in mind
Gert Doering - 17-05-2021 13:25:54
IPv4 is a chocolate cake?
Gert Doering - 17-05-2021 13:26:00
you can all go to v6 now, and I keep the cake
Stefan Wahl - 17-05-2021 13:26:34
Gert: we are a sharing community ;-)
James Kennedy - 17-05-2021 13:26:40
@Gert: yes, there's none left :)
Franziska Lichtblau - 17-05-2021 13:26:51
I think that cake's eaten ;)
Petra Zeidler - 17-05-2021 13:26:52
the thing that is missing for IPv6, for my work, is skills at the IT provider it contracts
Ruben van Staveren - 17-05-2021 13:28:56
the cake is a lie
Gert Doering - 17-05-2021 13:29:20
so when can we have github with IPv6?
Blake Willis - 17-05-2021 13:29:29
A: already overstretched ops/arch staff & budget
Stefan Wahl - 17-05-2021 13:29:37
@Lars: training in the call centers if there is a ipv6 question
Franziska Lichtblau - 17-05-2021 13:31:14
Thanks Nico :clap:
Tom Hill - 17-05-2021 13:31:19
I enjoyed that, thank you Nico.
Paul Duffy - 17-05-2021 13:32:01
Nice map of Achill island in the back
Blake Willis - 17-05-2021 13:33:30
the original optical "telegraphe chappe" was hacked by some guys to manipulate the stock market https://fr.wikipedia.org/wiki/Piratage_du_t%C3%A9l%C3%A9graphe_Chappe
Nico Schottelius - 17-05-2021 13:33:31
Ruben, regarding k8s/IPv6, we are actively working together with the Alpine Linux and also the Calico members - if you are curious to discuss that, ping me on nico [at] ungleich [dot] ch
Gert Doering - 17-05-2021 13:33:54
hah, I have one of those T-Shirts
Alex Le Heux - 17-05-2021 13:34:00
"Nor clearly a great plan" -> "Clearly not a great plan" ;)
Ruben van Staveren - 17-05-2021 13:34:13
Check, will do that Nico :pray:
Chris Buckridge - 17-05-2021 13:34:27
@Alex could work either way ;)
Gert Doering - 17-05-2021 13:34:47
I never managed to actually understand the perl code on that shirt...
Gert Doering - 17-05-2021 13:34:54
it seems to be very crypt-ic
Ruben van Staveren - 17-05-2021 13:35:32
still need to have that rsa dolphin shirt somewhere.. idk
Alex Le Heux - 17-05-2021 13:35:45
I remember the very heavy box of printed PGP source code someone brought in their luggage...
Julf Helsingius - 17-05-2021 13:36:54
I remember the hacker camp with hundreds of people in tents proofreading the scanned pages...
Alex Le Heux - 17-05-2021 13:37:08
That's the box I mean
Julf Helsingius - 17-05-2021 13:38:17
yes, that was long ago...
Blake Willis - 17-05-2021 13:39:08
sad to see that DNS over DTLS never caught on
Alex Le Heux - 17-05-2021 13:39:13
If you hang around long enough you'll see past follies presented as innovations... *cough* clipper chip *cough*
Blake Willis - 17-05-2021 13:39:22
er, never had a champion rather
Peter van Dijk - 17-05-2021 13:39:24
Blake, are there even decent DTLS implementations?
Blake Willis - 17-05-2021 13:39:59
nothing much I'm aware of
Franziska Lichtblau - 17-05-2021 13:40:25
@Alex, this is why I encourage my students to also read "old" CS and networking papers - many ideas have a tendency to come back..... sometimes we can save people from re-inventing the wheel ;)
Blake Willis - 17-05-2021 13:40:29
presumably because UDP fragmentation over the internet isn't particularly reliable
Peter van Dijk - 17-05-2021 13:40:29
that probably did not help then; I have never spoken to a DNS vendor that said "oh let me first type in a TLS stack" ;)
Vesna Manojlovic - 17-05-2021 13:42:26
I would like to share this paper:
“The Moral Character of Cryptographic Work”
Vesna Manojlovic - 17-05-2021 13:43:12
by Phillip Rogaway from
Department of Computer Science
University of California, Davis, USA
rogaway [at] cs [dot] ucdavis [dot] edu , in
Daniel Karrenberg - 17-05-2021 13:43:23
@franziska: this is also good to teach how ideas develop and put more nuance to some 'I published first' stories.
Farzaneh Badiei - 17-05-2021 13:43:47
that's a very interesting paper, Vesna. thanks for sharing.
Blake Willis - 17-05-2021 13:44:39
apparently routedns supports it: https://awesomeopensource.com/project/folbricht/routedns
Shane Kerr - 17-05-2021 13:44:45
@Blake the problem with DNS over DTLS is that you still need to fall back to DNS over TLS if packets are too big (like unencrypted UDP falls back to TCP if packets are too big). Since you have to implement TLS anyway, DTLS adds complexity to the entire system.
Florian Streibelt - 17-05-2021 13:45:04
politicians don't understand that you cannot argue with laws of nature or mathematics
Gert Doering - 17-05-2021 13:45:23
@florian: who would have guessed after last year
Blake Willis - 17-05-2021 13:45:24
yep, the lack of reliable udp fragment transmission killed it
Petra Zeidler - 17-05-2021 13:45:38
as demonstrated by widespread attempts to find a compromise with a virus
Gert Doering - 17-05-2021 13:45:43
OpenVPN protocol is sort of "like DTLS" (TLS over UDP), but it's older than DTLS...
Farzaneh Badiei - 17-05-2021 13:46:12
Encryption is not a problem. Good, creative police work is. They always want the easy way out.
Shane Kerr - 17-05-2021 13:46:44
I want the easy way out too!!! I just can't use laws and regulations to force people to make it easy for me. ;-)
Gert Doering - 17-05-2021 13:47:19
can we not just make it illegal to commit crimes?
Dmitry Kohmanyuk - 17-05-2021 13:47:33
that is so already
Peter Koch - 17-05-2021 13:47:39
this is all a question of how we define "end"
Blake Willis - 17-05-2021 13:47:53
country-level DPI works for the IRGC...
Éric Vyncke - 17-05-2021 13:47:56
@Gert: make 'illegal' being 'illegal' ?
Stephen Farrell - 17-05-2021 13:48:01
@peter: not quite - some of it really does defy laws of physics
Brian Trammell - 17-05-2021 13:48:12
"european commission guiding principles" --> "exceptional police access to endpoint devices"
Joerg Dorchain - 17-05-2021 13:48:23
@Gert: It is forbidden to break the law!
Donald Neal - 17-05-2021 13:48:28
Are you sure you mean "law enforcement" and not "intelligence"?
Farzaneh Badiei - 17-05-2021 13:48:31
law enforcement wants to be one "end"
Peter Koch - 17-05-2021 13:48:58
@Farzaneh most often just an additional "end"
Brian Trammell - 17-05-2021 13:49:03
(which, to be fair, is the way this worked in the analogy-system, POTS, in that without layer separation the telco was always an end)
Stephen Farrell - 17-05-2021 13:49:28
well, we also need to recall that we're really bad at doing multiparty crypto, even when we want to
Randy Bush - 17-05-2021 13:49:50
LEO will keep pushing for (at least) two reasons: they might get some of what they want; and, at the same time, the tussle occupies the encryption folk and slows progress. So do not expect them to stop.
Cynthia Revström - 17-05-2021 13:49:55
I remember someone talking about how the Swedish police had concerns about ENUM domains as DNS interception is not very hidden
Blake Willis - 17-05-2021 13:49:59
average training time for new French police recruits: 8 months
Stephen Farrell - 17-05-2021 13:50:20
to be fair, JS programmers probably do less training;-(
Mark Scholten - 17-05-2021 13:50:31
end-to-end encryption isn't the problem for law enforcement
Mark Scholten - 17-05-2021 13:50:42
just store all private and public keys on a central server...
Blake Willis - 17-05-2021 13:50:49
JS programmers are not granted the monopoly on the legitimate use of violence by the state
Stephen Farrell - 17-05-2021 13:51:03
true, not yet anyway:-)
Dmitry Kohmanyuk - 17-05-2021 13:51:13
@blake so so funny not
Randy Bush - 17-05-2021 13:51:26
JS hackers do commit a lot of violence
Blake Willis - 17-05-2021 13:51:49
especially anyone who ever had to upgrade a Node install...
Jan Žorž - 17-05-2021 13:51:56
currently these are all disproportionate measures as yet
Brian Trammell - 17-05-2021 13:52:38
the internet is a tempting target here simply because of the openness of the architecture. the "person-carried medical device" is what makes this *really* scary
Blake Willis - 17-05-2021 13:52:45
this is why we created the cooperation working group
Elmar K. Bins - 17-05-2021 13:52:49
I believe that Randy's points are very valid - they might get a little bit (or more), AND they inhibit progress on the crypto front, which also serves their purpose
Farzaneh Badiei - 17-05-2021 13:53:21
thank you Patrik.
Chris Buckridge - 17-05-2021 13:54:27
thanks Patrik and Stephen - great presentation(s)!
Wolfgang Tremmel - 17-05-2021 13:54:29
Please do not forget to rate the talks!
Shane Kerr - 17-05-2021 13:55:15
Nice question. :-D
Éric Vyncke - 17-05-2021 13:55:30
Good Q by Andrew Campling indeed
Jari Arkko - 17-05-2021 13:58:28
Thanks for the great presentation S&P! Multistakeholder, open discussion is of course the way forward. But the topic is complex of course. One complexity that you did not highlight was that there’s encryption on many layers. I think we need more real e2e encryption (not just encryption to the cloud) while fending off both the social media giants and government surveillance.
Stephen Farrell - 17-05-2021 13:59:04
@jari: true - I wonder if anyone has an I-D on that topic? :-)
Benno Overeinder - 17-05-2021 13:59:20
Fully agree with Chris, great presentation and discussion Stephen and Patrik!
Patrik Fältström - 17-05-2021 13:59:25
Jari: Agree. We should not over-use the term e2ee. That should be used for what e2ee is. Not edge-to-cloud-to-edge.
Wolfgang Tremmel - 17-05-2021 13:59:53
Please do not forget to rate the talks!
Sebastian Becker - 17-05-2021 14:00:05
Thanks for the presentation/talk!
Ferenc Csorba - 17-05-2021 14:00:09
This session has now ended. The Plenary will continue at 14:30 (after the coffee break). More info on the RIPE 82 meeting plan: https://ripe82.ripe.net/programme/meeting-plan/