I’m posting these notes earlier than usual because it’s the RIPE dinner later. As usual there are links to the presentation materials from the RIPE77 meeting plan.
One hallway conversation worth noting: I spoke to Colin Petrie of RIPE NCC who mentioned that they are rebooting the Wireless APs every day because they will not switch back to a DFS channel after switching away to avoid radar interference, so they gradually lose available bandwidth.
Anand Buddhdev - RIPE NCC update
k-root: 80,000 qps, 75% junk, 250 Mbit/s on average, new 100Gbit/s node
RIPE has a new DNSSEC signer. Anand gave a detailed examination of the relative quality of the available solutions, and explained why they chose Knot DNS. Their migration is currently in progress using a key rollover.
Anand also spoke supportively about CDS/CDNSKEY automation
Ondřej Caletka - DS updates in the RIPE DB
Benno Overeinder - IETF DNSOP update
Overview of work in progress, including ANAME. I spoke at the mic to explain that there is a “camel-sensitive” revamped draft that has not yet been submitted
Matthijs Mekking has started a prototype provisioning-side implementation of ANAME https://github.com/matje/anamify
Sara Dickinson - performance of DNS over TCP
With multithreading, TCP performance is 67% of UDP performance for Unbound, and only 25% for BIND
Current DNS load generation tools are not well suited to TCP, and web load generation tools also need a lot of adaptation (e.g. lack of pipelining)
There’s a lack of good models for client behaviour, which is much more pertinent for TCP than UDP. Sara called for data collection and sharing to help this project.
Petr Špaček - DNSSEC and geoIP in Knot DNS
Ondřej Surý - ISC BIND feature telemetry
Ondřej asked what is the general opinion on adding a phone home feature to BIND which allows ISC to find out what features people are not using and which could be removed.
NLnet Labs and CZ.NIC said they were also interested in this idea; PowerDNS is already doing this and their users like the warnings about security updates being available.
Sasha Romijn on IRRd v4
Nice to hear a success story about storing JSON in PostgreSQL
RPSL has horrid 822 line continuations and interleaved comments, oh dear!
Mircea Ulinic (Cloudflare) Salt + Napalm for network automation
Andy Wingo - a longer talk about Snabb - choice quotes:
“rewritable software”
“network functions in the smallest amount of code possible”
Peter Hessler on OpenBSD and OpenBGPD - a couple of notable OpenBSD points
they now have zero ROP gadgets in libc
on arm64
they support arbitrary prefix length for SLAAC
Martin Hoffman - “Oxidising RPKI” - NLnet Labs Routinator 3000 written in Rust:
Jen Linkova on current IETF IPv6 activity:
IPv6 only RA flag
NAT64 prefix in RA
path MTU discovery “a new hope?” - optional packet truncation and/or MTU annotations in packet header
Indefensible Neighbour Discovery - Jen recommends this summary of mitigations for layer 2 resource exhaustion
Oliver Gasser on how to discover IPv6 addresses:
You can’t brute-force scan IPv6 like you can IPv4 :-)
Use a “hitlist” of known IPv6 addresses instead, obtained from DNS, address assignment policies, crowdsourcing, infering nerby addresses, …
It’s possible to cover 50% of prefixes using their methods
Cool use of entropy clustering to discover IPv6 address assignment schemes.
Jens Link talked about IPv6 excuses, and Benedikt Stockebrand talked about how to screw up an IPv6 addressing plan. Both quite amusing and polemical :-)