>> Dick Leaning: Good morning, ladies and gentlemen. We'll start. It's 11:50. Our last panelist just arrived. Just to make sure everyone is in the same room. If you're like me this week, I've been in many rooms I shouldn't be. So, this session now is how can we limit the negative impact of carrier grade NAT technologies and boost IPv6 adoption. I don't know if people in the room know what carrier grade is. Don't worry about it, in 90 minutes' time, you'll know everything there is to know about it. And you could tell us a bit more about it as well. Just filling in time because I'm not sure if the presentations are all loaded. Okay?
My name is Dick Leaning. I'm from RIPE-NCC moderating the session. It's one of the regional internet registries and we administer IP addresses around 76 countries. I won't Gao through the introduction of the panelists now. I'll do it as they speak. The issue is to get on to the internet, you need an IP address. If you don't have your own, you have to share an IP address. And with everyone having three or four of these things in their pockets and their bags, we're running out of IP add dresses that each one can have. So, there's more and more sharing going on. That's specific. As we get into the detail, we'll go into more of it. That's the problem we're having at the moment, there isn't enough IPv addresses to go around so we're sharing. The challenges is for the businesses, law enforcement, the public, etc., etc.
In the 90 minutes, we'll have a clear review of what the challenges are and how we can move forward. So, the first person I hope is ready is Ron. An executive leader, technology expert and well known. CO for the technologies global, and he's a member of the ICANN board. Ron?
>> Ron DaSilva: I'm going to borrow something I saw Niels do. Raise your hands. Everybody, just raise your hands. This is a forced exercise, you think, if you know what CGN is, lower your hand. How about IPv6. No, lower. So, this was a test to see how many in the audience are here with us that have no idea what CGN is and a little bit about if IPv6 is familiar.
That's important, my task in kicking off the panel is to provide a little foundation on what is CGN? It's an acronym. What is it, why is it important? Why are we talking about it? And we're going to achieve that and hand it to the rest of the panelists related to CGN. So next slide, please. Maybe?
We can change it on the fly. Good, thank you. It's important to note that very every device to communicate on the internet, it needs to have a unique address. This is important. Think of it as on your postal address, you share the same address as your friend's cousin who lives in Kenya. You happen to reside in Indonesia. You're looking for a gift to come to your birthday, half the year -- on the even years, it goes to Kenya, the odd years, it goes to your house. You get your gift every other year. If you have a unique address, you don't have the issue of your birthday gift showing up at anybody's house every other year.
And on the internet, if your address is not unique, it's unclear where to send your Skype, your e-mail browser, it's important that your device is uniquely identified so it can communicate with every other device on the internet. Service providers are in the business of providing service technology. In order to provide and sell access to the internet is to have a pool of addresses that you can assign to the customers as the customers come on to the internet using their network. Next slide.
The way service providers obtain the unique addresses north to allocate them to their consumers or businesses that are customers of the service providers, and similarly, even enterprisers on the internet, they need addresses to uniquely identify every server, every device, every router, switch, phone, every IOT device that is providing surveillance and monitoring and all kinds of availability. Everything needs a unique address. These are managed through a regional internet registry system. There's a different map showing different colors are regions shows how that's indicated across the globe.
There are five places that have large pools of addresses that operation tors in these regions can go to and obtain the necessary addresses required for providing access to the internet for their customers.
Generally, these addresses, they're -- let me talk about aversioning for a second. The internet was established with initial protocol version No. 4. IPv4 had 4 billion addresses defined. Early on, it was believed it would be enough for the foreseeable future. Half a billion, if you take half the population, everybody with a phone, you're there. Besides a mobile phone, lap top, other devices in your home, you can see 4 billion is way under-resources for the needs of connecting to the entire world to the thing called the internet.
So, we're running out. Early on, some early adopters had gotten huge tranches of addresses before the coordinated registry system was established. Since it was established in the 1950s, it's been well established on policies regarding need, a service provider who can demonstrate they have a forecast for some of the customers can come to the registries and indicate I need addresses, here's my marketing forecast, the sales forecast, here's how I can justify the need to have all of those addresses, more on the earlier allocations that predated the registry systems a bit later in the slides. Next slide, please?
How many are there? I mentioned in the protocol version 4, the initial version, there are 4 billion of these. In '99, a new version was established and adopted by the industry called internet protocol version 6, yes, it skipped 5 by design. It provides 4 billion times 4 billion times 4 billion or 4 billion or a pile of addresses. This is also perceived to be plenty for the foreseeable future. If we can simply address all of the unique devices coming on to the internet with one of the new IPv6 addresses then we have what we need, which is uniqueness for any device. The problem is, one of migration. Any device using the old protocol cannot communicate with the device using the new protocol. They're incompatible. That means until the entire internet is using IPv6, then it's necessary to still have IPv4 addresses so you can communicate with devices using IPv4.
Next slide. So, a common strategy to make this work is three-fold. Run everything in both addresses, use IPv4 and IPv6 until there's enough of the internet using IPv6 so IPv4 can be deprecated. We're not close to being there. So, they're obtaining IPv6 addresses and numbering or addressing all the customers and equipment with both addresses.
It's important, if a service provider was selling internet access today and only had IPv6, because the entire internet is not using that yet, it would be a competitively disadvantaged service. As a customer or a business given only an IPv6 address, there's a large portion of the internet I couldn't reach. If I only had an IPv6 address, I can't communicate to the majority of the internet still using IPv4. And some of it, IPv4 only. Thus, as an operator, do I not only want to number all of my devices to both addresses, I want to save and conserve the IPv4 addresses I have in my pocket. How can I delay my runout of IPv4 as long as possible so I can continue to sell a competitive product.
Number three, how do we get the rest of the industry to get there. How do we deploy, thus the problem of incompatibility goes away. This is a common strategy you'll hear from a lot of people about IPv6. What happens to the operator when they're out of IPv4. When there's insufficient amount of the internet using IPv6 and they're looking to expand access, there's a problem. There's several ways, at least a couple I'll talk about. Go to the market. There is now established mechanism where an operator has more than they need or an entity that has larger space than they have a business need for, they can sell it. They can sell it to other operators who need it. Remember I mentioned early on before the coordinated registry systems existed, there were adopters in the internet who obtained large tranches of addresses. Now that can sell them to people who need them. There's this option, it costs. The operator could look in the open market and find other entities who have large pools of IPv4 addresses and acquire them to through some sort of monetary exchange.
Secondly, this is the whole point of our topic this morning, they could share them. Next slide, in the same way at home you may have a router connecting to you to your access provider, the devices in the house all share what's called private addresses, these are addresses only used in your home. As they leave the house, as a web request comes from your browser over to Google for a search engine request of some sort, it gets translated from an internal private address to the unique address the communicate with the internet. All of the devices in the home may share the IPv4 address and the internet by using this on the router. Then router comes in and translates to the private address. This works great in your home. You see this in hotels when you visit the hotel, the addresses are shared and the hotel uses a pool of addresses rather than give out unique addresses. They share a pool and as your communications from the hotel room or the lobby goes to the rest of the internet, it gets translated. Well operators are looking at those models and implementing that same strategy on a much larger scale. They call this carrier grade NAT, CGN, the acronym, is carrier grade NAT. The larger appliances are being deployed on a larger scale to share a small pool of addresses with a very large population of customers. Thus, as communications leave the service providers network to the rest of the internet, they change the address. Put the unique address on the outside, when it comes back to the network, they can readdress it back to the private address. Sounds great, conservation at its best.
Next slide, this is my last. In general, service providers recognize that crime is bad for business. A lot of operators will coordinate with local national and international law enforcement agents in order to make sure that if there's a crime happening on their network or going through their network, they can support the prosecution of that crime. Crime is not good for business. Service providers recognize that and will be supportive of efforts to help combat crime. What does this have to do with CGN? Well, if it's shared, there's a crime taking place, some criminal is leveraging access to some service provider's network to go across the internet and trying to hack or otherwise compromise a web server somewhere, the operator of the web service could contact their law enforcement and provide to them, this is the address that's attacking my servers. Law enforcement can then go to the service provider who has that address and ask who is the owner of the address. It's easy if the address is from your house. A little less -- it's also easy if it's an address from the hotel. The hotel can try to identify where is it coming from inside or a conference like here. It gets more difficult, the larger the pool is that's sharing those addresses.
So, if you think about this appliance, this carrier grade NAT being deployed and providing a small pool of addresses across a large population of internet users, then it becomes very complex. For the law enforcement to then identify here is the address of the miscreate. That address is being shared. Who is it? It could be anybody. It's not so straightforward to say this address belongs to this particular customer and thus we can prosecute that particular end point. And thus -- the point of our slide -- the point of our panel.
>> Richard Leaning: Thank you, Ron. Yes, round of applause.
[ Applause ]
>> Richard Leaning: That's the scene setting. I know it was a high level to let everybody know what the issue is. And now we're going go to George is one of our technical experts, renowned globally. So many networks around and networks for ISOC. He's going to go to real techie stuff. Hang on to your seats, listen, if anyone who doesn't understand, make yourselves known and we can also field questions as we go along. It's important we all understand what it is we're talking about as we move along. Yeah?
>> Panelist: Hello. I work for internet society. I come from Slovenia. And just as a disclaimer, this presentation that you will see is much reduced from 30 slides to 19. It was in 2010 and it's used to make operators understand the bad things that CGN will bring if they implement it in their network and try to put people behind and do it without employing IPv6 at the same time. Next slide, please. Yeah, this is a disclaimer. It was on 2010. This is my personal view done before I joined the internet society. Next slide, please.
This is the CGN. I think Jason made this very nice picture of you can see a lot of people coming in. You have the overloaded device that is -- this is a machine that needs to keep all of the sessions. The morning users you put behind the CGN, the more sessions need to be recorded and maintained. Then you have one little cable out that is -- you can see many times this thing goes to 100% and just doesn't work. Next slide, please?
Bear in mind, this was done for operators to change their minds on CGN. The perspective of CGN. It delays the space because we share the IPv4 addresses. If we're blind enough, we cannot see all of the consequences. And network architects can get away easily with it because it solved the problem quickly. People know how networks -- how translation works, and they can just easily implement it in the network and just move the problem to somebody else. Network architecture is all about moving the problems around the network, usually.
We can even persuade some people the network is more secure with CGN because we're doing the security by obscurity because we're hiding people behind. And we close our users in the world garden and keep them there forever. Next slide, please.
Yes, this is bad. Some operators may even see this as the good thing because they closed their users in the garden where they can only do the things that the operator is prescribing them to do and letting them do. Next slide, please. Okay.
A lot of misconceptions that net is a security mechanism. It is not. Firewall is a security mechanism. NAT is a mechanism, right? It comes with obscurity. But don't get it as the security mechanism. Next slide, please.
Also with this in the core, you trap a person with the unchanged application policy. That means internet was done on innovation. So if I innovate a new protocol and I build the application that would communicate with the other host, in the open, I stop talking to you and we'll stop sharing with each other and everything will be fine. If I'm behind CGN, then all of a sudden, my application, my protocol cannot talk to you because there's a CGN in the middle. Can you imagine me calling my internet service provider, the Telekom, and say, oh, please, could you implement the layer gateway and helper in your big CGN for my specific protocol that I just invented. They would just hang up the phone probably. It doesn't work. So you completely killed the innovation with that. This is the opposite of the end-to-end internet that we all love and embrace. Next slide?
The internet was built with the smart at the edge. As I explained, you can easily deploy a new application if you have the smart edge and stupid core. But with the CGN, you're taking the smart in the core. There's good called revenge of the smart core. This is not internet thinking. It's the opposite of the internet thinking. Next slide, please.
If we want things like this, we offered the customers limited control over them. I cannot imagine you would send from your home the UPNP commands and try to drill the holes and reserve some ports. No operator will let you do this. Next slide, please.
We have a session state. Every CGN is a stateful machine. Internet is never meant to be stateful. It needs to be stateless. We need to do the tradeoff in if state and the stateless. If we put our CGN towards the end of the network, you get less state that you need to maintain. But then, you know it's not a stateful end as it should be. If you put it to the core of the network, you have to maintain a huge number of states in your machine. This is costly. And it doesn't scale properly because when you have more people behind the CGN, you have to put a lot of money to put your CGN bigger and bigger. Next slide, please?
Yeah, we covered that. Yeah, next slide, please. This is the CGN. This is the IPv4 life support. And we connect to it and we just keep it going and keep it going, until that little machine works, we are alive. That's if we implement IPv4 without IPv6. It doesn't work. Next slide. The question is how do you have an exit strategy? You deploy space between your users. But what is the exit strategy? Your user base is getting bigger and bigger and you need to maintain your CGN and scale it and put a lot of money in it. You see what's the problem with this picture? These guys park at the van and start implementing this around, but they didn't think of the exit strategy. They didn't have much thinking implemented in this. So, this is like when you implement CGN without IPv6. Next slide, please. The way out. Back in time, we standardized the A plus B protocol, address, passport sharing mechanism. And we have this basically based on IPv6. Then we have map E and map T as the stateless of A plus B. We have where it's a viable stateful solution.
Remember, if you implement CGN, please implement it with IPv6. Because today, I travelled around the world, talked to operators. They say when they deploy IPv6 and gave it to their customers, half of the traffic moved to IPv6. Because Google, Facebook, all conference operators are going to be 6. So, move your traffic and just go end to end without any need of translation. The rest of the traffic that needs to talk to IPv4, it's going to the translation box, but the box is smaller, that means less money. When I know you scale your user base, you don't have to scale your whole traffic.
If you skip out your traffic, it's better to provide the translation of just 500 gigs of traffic and not for 100 gigs of traffic. So, it works better if you're deployed. Next slide, please?
But back in 2010, we're figuring out what your report figured out today. It's a problem with the address sharing solution. Next slide, please? Sorry. IP address is not an identifier of users anymore. They must stop logging them in their logs. There are things that people will want to investigate on-line. And if you can't provide who that user was behind that IP address and if you say, oh, that was 60,000 users using that IP address at that point in time, then people cannot investigate it and most possibly you as an operator will be viable for that address and somebody will shoe you if your user stole $10 million from the bank, the bank will sue you as the operator of the CGN because that was configured on your dice in your network. So, think about it.
Next slide. The log-in on the CGN is a killer because you have to log everything that's a resource hog. This is all becoming a complete mess. Next slide. IPv6 and mobile networks and IPv6 and map E and map 2, a stateless, A plus B solution based on IPv6 for fixed access networks. CGN, as such, without IPV6 has no exit strategy. Remember the van, thank you very much.
[ Applause ]
>> Richard Leaning: Everyone keeping up? Good, now the marquis panel presenter. Mike Mounier who just ran away. Don't run away. Greg Mounier based in The Hague the head of outreach and strategy for the EC-3 is going to talk about some of the challenges that law enforcement have.
He's bravely stood up for this panel session after he's been given a hard time already this week so please feel free to do the same. It used to be me who sat there, now I'm happy I sit there. Greg, over to you.
>> Greg Mounier: Thank you very much. I see a number of you, Mike, in particular. Thanks everyone to set up the baseline. What I'll do quickly is to tell you more details the impact of global IPv4 on the criminal investigations on-line and the program we get as law enforcement. We didn't identify the problem last -- even today. We've identified a problem since 2011. Some of the EU member states, in particular, Belgium, has taken steps in 2012 but it takes time to put things around and we're happy to put it back upon the agenda now.
Next slide, please. If you take a step back, if you do investigations on-line, whatever type of crime is reported to the police, the first traces we'll find are e-mails, information, you have connections to the websites. Social media platforms and the rest. You can find nicknames, whatever things, and look for the good luck lines. If you have this type of information, the internet providers, the hosting platform, the social media platform. You get the IP of connection plus potentially a time stamp. Then you go to the data base and find out this particular IP belongs to a block of IP that belongs to let's say the providers in France. You go back to those providers in France and say can you please if a subscriber you going it the whole time connecting to Facebook. Once you do that, you can donor mall research and interrogate people. The problem -- next slide, please. Next slide, again, we've been through this. And again. Yes.
The impact, of course, is once you make that request, you go home to orange or another internet access provider if you have a global IPv4 address as your only link to the crime. Then they will come back with a list of potentially hundreds of potential users using the same IP because you can't discriminate between the users because you're not providing them with the right information. Because of CGN, it will only describe behind one e-mail address. I can't give you that list of 200 people because you have potentially have one suspect and all of the others are innocent. If you are working on a case that's important, you might have to be a bit more persuasive. If provider will give you the list that will go up to the south sometimes.
The problem is there's no facility to attribute and work on-line on the basis of an IT and you can't trace back with an IPv4 or less. It's not only affecting cyber, it's any kind 06 crime. Even a murder, you might have information on the mobile of the suspect connected to the internet just before and you need to know, that's probably one of the only clues that you had to link to a person, we had a number of case IDs that a number of compliance. In most countries, you have legislation saying any electronic providers served with a court order needs to identify the users on any such of international that you provide. In UK, you have the same, there's also references in this convention. Because of that, service providers cannot comply.
The scale of the problem, in 2016, we made a survey with EU member states. Everyone is affected. So, some of the country was less severe. Belgium managed to find a work-around system. So, terrorism, fraud, any kind of crime.
So, think about it. Now everyone is using the mobile to connect to the internet. That means, in fact, that you don't need to go too far to be anonymous on line. If you use your mobile phone to connect to the internet with 3G or 4G, hard to identify what someone does on if internet.
Conclusion, CGN is a major problem on-line and the problem is growing. Next slide, please? There is a simple way of identifying an end user behind CGN. So, the content providers or the websites on which somebody connects to should log the number. That's what Jan was saying. They don't do it. No obligation to do it. In the end, if you make your request, you won't get the number. Next slide, please.
So that's a case example that was given to me last year by the French police. It's a French speaking website for hunting gear. So if you're in to hunting and you want to sell your old rifle, you go to the website and somebody will buy it from you. One day somebody reports to the police someone is trying to sell an AK-47 assault rifle. Its's illegal in France and all of the member states in the EU. The police will go and make the request of the IT logs, they provide the logs. You get the IP address. It results in a Swiss internet mobile provider. We make the request to the Swiss police. They go see Swiss Telekom. And they say if you don't get the telephone number, I can't identify the subscriber. In that case, we close the case. Why? It's just -- the add was taken down quickly and in the end we don't have resources to investigate everyone, so in the end we left it. That's distressing for a French police officer.
Someone in France was trying to sell an AK-47, either because it will be used somewhere in the suburbs of Marseilles to kill a 17-year-old in the case of drug trafficking or in the streets of Paris to kill 150 people in a terrorist attack. That's distressing. You know for sure they will be linked to the investigation in that case. Where you just dropped the case. Next slide, please?
That's another case that the French police gave me in 2016. Reported, the investigator going to see the services, they get the log of IP -- the IP logs, they get a time stamp. So, they go back to the internet access providers and 15 individuals using the same IP connecting to the same platform at the same time. In that case, we investigated everyone.
That means we have to invade the privacy of 49 potential innocent people to find one, because in the case like this, it's child abuse material, very important, privacy -- so from the privacy perspective, it's already there.
Next slide? Negative impact of CGN on security and on-line accountability for everyone. There's no on-line accountability. We have a massive problem to investigate criminal activities. It's hindering every type of criminal activities from CSC, child abuse, murder, rape, everything. It pushes them to revert to promising evasive techniques to find out who's behind an address. That's what I wanted to tell you about the impact of CGN. Thank you.
[ Applause ]
>> Richard Leaning: Going to try to leave 30 minutes at the end for questions. Unless you have a question now. Certainly?
>> Audience: I'm here for the Swiss Telekom. And in the Swiss case, I would try to reiterate, I don't know the case itself, but to be clear, had the French police provided the search? Okay. Just a quick question, sir.
>> Audience: Okay. Do you know these problems? And a public facility. Is it time for the government to come and say that, you know, a mandate -- use policy question because of these problems. Say it's time to implement IP6? What do you think about that?
>> Richard Leaning: I think I'll come back to that to the end. There's similar questions and to my right, an expert that works for Proximus, that's good, it's my provider. I'll be speaking to him about some buffering issues I have. He's the liaison for research and law enforcement in Belgium.
>> Panelist: Just waiting to get the slides up. You can go on there. So, I've been bold enough to put my contact details on here. So, if you want to talk after this panel, you know how to find me. Next slide.
So, we've been discussing that CGN is a bad thing. We came to the conclusion that we needed CGN. Why? In 2012, our uh local RNR ran out of IPv4 space. So, while we saw relatively slow adoption of v6, told if you implement v6, 50% of your traffic will shift to v6, which is true. But that means only the big providers have adopted v6. It's only a small hat in a long tail problem. Can we abolish IVv4 as an access provider, we can't.
We quickly have more sessions for our fixed line and mobile device. And that surpassed largely the IPv4 we had. So, we adopted CGN with all of its problems. Then we backed out. Next slide?
Next slide. We needed CGN. On one end, we had social responsibility as an operator. We do not want to voluntarily box in the customer and give them a broken internet.
So, I think as an operator, we still want to give the customer full and correctly working internet access. And through CGN, you will not achieve it. But we also have a social responsibility towards society and we need to support our law enforcement agencies to be able to identify misbehaving persons, in cybercrime or real world crime, we need to be able to support their identification needs. Next slide? Excuse me.
So, in 2012, we were approached by the regulator, and the federal computer crime unit through our internet service provider association to say hey, you gave us CGN, we gave it to you and you gave us thousands of IPs, we can't do this. So, can we come to an understanding. We engaged in a voluntary code of conduct that all of the internet providers signed it and say they will comply to restrict the uses of CGN. So only when it's below the 20% threshold, you can implement CGN. I think most of the providers are currently in that situation, but it limits the number of subscribers that not behind a single identifier or a single address to 16.
In the case they cannot provide, we give 16 addresses. Is that ideal? No, it's better than invading the privacy of -- in the case of 1,000 addresses, of invading 999 innocent people. It increases the likelihood of identification. Most cases, the law enforcement agencies have more than one data point in mind. So, if you clump that together, you're more likely to get the single misbehaving person out of it. And we also guarantee, obviously, if they can provide the sport, we can provide the subscriber. We log the provider, not all of the connections, because that's a tradeoff between capacity and privacy, but we block our location. So, if they can provide the source board, we can provide the unique subscriber. Next slide? It's all of that signing without effort? No. In order to actually keep up with the COC, with the code of conduct, we currently are always reshuffling the IPv4 to make optimum use of v4 but also ramping up v6 deployment. CGN has scaling issues, so the more subscribers we bring to v6, the less investment we need to do for the commercial entity after all.
So, we're currently for fixed line, dual stacking all of our modems, so by the end of next year, to phase out the all of the older ones, all customers will have v4 and v6 address. Our TV boxes, will be v6. If you stream Netflix on your TV, it will be v6. And a study to how to converge to v6 only b and less v4. For the mobiles, that's where we adopted the CGN first, but a little bit lagging behind. So, they're behind CGN. And in 2018, they will double stack them. So, all of the mobile sub providers will also be v6 enabled.
And as a provider of the organization, we're trying to increase the number of source boards that we log, the number of applications where we logged the source board. So, if somebody, if we are attacked, we can approach and provide the source boards and they can do unique identification. Next slide?
One point is that it's only regulating the access provider. Because CGN and IPv6 deployment and adoption is not only a provider problem. The code of conduct reduces it CGN impact, it smooths it out while we do the increase transition to v6, but on the other end, a loot of other players to get to full v6 adoption. You have the content providers. You also have the government part. If they have a new contender, not able to keep it enabled. Even if they deploy new infrastructure, it's not v6 enabled. So, there's no traction on the content side, actually, to move over to the not enough traction to move over to v6. I think we're in the boat together, only when content traction to v6 increases, the internet providers will follow suit.
[ Applause ]
>> Richard Leaning: Thank you, Ronny. Now to Paul Wilson who's the CEO of APINIC. Paul?
>> Paul Wilson: Thank you, very much. I'm the last speaker and complete the all-male panel. Second to last, sorry. Last man on the panel. Sorry. I have some slides coming off of a USB stick. I'm Paul Wilson for APNIC, we spend time managing, allocating, and related numeric internet resources for ISPs and the Asian Pacific. We're one of five, so therefore internet entities around the world share this task. I do have slides and graphics I want to show. I'll hand over to the seconds last member of the panel and sort out this technical problem. Thanks.
>> Richard Leaning: No problems. It is live. These things do happen. Now over to -- are you ready? Danny, the CEO in Kenya. Danny, over to you.
>> Daniel Obam: I was going to say I'm the last speaker. I was going to agree with what my colleagues have to say, especially on the issues of, you know, the problem s from what they've said.
Let me say I'm grateful to be on this panel. Everybody who has spoken and is going to speak is an expert. I'm the only guy here from government and until five days ago, I didn't know what CGN meant. So, it's okay. Don't worry. It means that I can -- I'm the only person who can talk from his heart and say dumb things which perhaps we'll try to bring a different perspective other than experts in this field.
In IGF, I talk about stake holder investment. When I look at this table here, according to Kenya, we have to make sure we have a 30% gender parity. We don't have that. The only person for government. We don't have everyone at the table. Maybe for next year, we'll have a similar discussion we should be more, I think, inclusive. What we're trying to say is how do you encourage the deployment of IPv6 so that we run away from the potential problems that is being presented to us.
And my comments will dwell on what we know. What we've done in Kenya to try to encourage the deployment of v6. So that may be the gist of my contribution.
In 2009, actually, what we did, we really practice major stakeholders. So, we had a national task force deployed for the -- for the deployment of IPv6, the government, the regulator, industry, in Kenya. And the deal is to try to put together a strategy that would adopt long term over the -- over to deploy this. You can see I'm doing -- I was the last person and I was just going to talk for one minute or so.
This ended up recommending that we have a test bed which was provided by AFRENAC, our regional registry and deployed at our national registry. And training on the aspects. Later on, that was moved to the access point so more people could have access to it. And informed that the African union and commissions upgrading that equipment so the capacity is increased. We're on the stage where we're trying to bring up the deployment of version 6. What we've done with the government of Kenya is put a provision that the government will encourage and support the deployment of IPv6. We put there something that is not mandatory but says all new government purchases should be ICT version 6 capable. So that's the high level, that's what we're trying to do as a government. Now the test would be how to implement that in terms of implementation or the people who procure the equipment. That's what we've done.
In Kenya like many developing countries, 99.99% of our internet access is through mobile prices and 80% of that market is by one player and three more operators. I believe those three operators provide them with important stakeholders to have in the discussion about this deployment. As we've seen, they're the largest users of CGN.
So, I get a feeling, I could be wrong, but technical people are talking to themselves too much and they're not expanding that sphere to include the people who actually effect these changes. I tell the government about policy and I didn't know what CGN was. The conversation is taking place for ten years, but myself or people like me not considered relevant or not found to be worthy of being in the discussion. So, what am I saying? The issue of CGN and deployment of IPv6 should not be technically driven or market driven but maybe should be policy or a combination of all of that so that everybody is on the same page on what we need to do.
On the issue of law enforcement, in our country, we face a lot of challenges in terms of crime and also terrorism. You have the shortcomings of CGN, it's possible you'll see a lot more being done. So that's something that I would like to ask that we include everybody in the discussion.
I'm about to conclude. So, I think this should be policy driven and any other term familiar in which I'll use an example. Some people had this before. We did an integration from analog to digital TV. Initially, it was a technical process. When we took it as a policy driven process with new content, new access to information, we're able to do the migration very well and Kenya was one of the few countries that managed to migrate from analog to TV in this period of time. So, a policy-driven process is more inclusive and can get results. The other question is why is CGN -- what problem is it solving? So, we can answer that question, perhaps we'll find out why this is it.
Perhaps the issue of content. If only 50% of the content can be translated, what happens to the other 50%. The localization of content, perhaps you'll leave out the local -- the national content providers who may still be running on the old protocol. I think the proposals made for looking for other solutions as we promote version 6 is really important.
So other than that, I would like to thank you very much for inviting me. And I hope I can answer any questions that you have. Thank you very much.
[ Applause ]
>> Richard Leaning: Thank you. Thank you. We have tried very hard for the gender and diversity on this panel. The time of year is not particularly great for any of us. Anyway, I will say no more about that. Paul, are you ready now?
>> Paul Wilson: I think CGNs are being defamed but they're being accepted as a necessary evil. I want to say a few words which are not about CGNs argue but about the motivations of CGNs and the exit strategy which is IPv6. Because that exit strategy is now available and it is being taken. Its's really worth us all understanding now where we are with IPv6 because things are changing rapidly and have changed very rapidly just in recent -- the last couple of years.
As we heard, IPv6 is the exit strategy. It has a huge amount of address space. The only reason to deploy CGNs is if you're not using IPv6 and using IPv4 and share addresses. CGN is the answer there. It's been ready for ten years. The disappointment to many that it wasn't just automatically deployed as many years ago it was assumed. You have to think back to the dot-com boom times, you didn't need to do much to justify spending a lot of money on the internet, that changed in the early 2000s. The internet became a leaner and meaner and highly competitive industry. And the cost of deploying IPv6 didn't stack up against the other uses of funds that could be invested in competitive advantage. As we probably know, IPv6 has been its own enemy in terms of not delivering something the end users went looking for the theoretical application for IPv6 for many years. The killer application is the internet itself only when it's necessary to move through the transition through the lack of IPv4. So, we can see on the next slide what that looks like in terms of the IPv4, pools available at each of the five. And they've hit rock bottom in at least one RAR. But all four of the four others now are in a rationing phase where only small allocations of v4 are available. That's been done deliberately because v4 is still some access to v4 addresses is still necessary for the use of CGNs in the future for anyone who needs it. If you didn't have that rationed space available to you, you would be stuck, it wouldn't even be a question of using CGNs. 20 million or so addresses available. Only now with that shortage that the minds are sharpened and the real need for IPv6 has come about, which is the lack of v4 addresses.
The next slide shows what has changed. The blue line is the world end user capability for use of IPv6. This is a graph based on the collection of about 12 million measurements day that come into APINIC and tell us not only that IPv6 is being used and others as well. The world adoption is close to 1 billion people using IPv6 today.
The second red line debunks a misperception about Asia that Asia is somehow ahead of the game. It was ahead of the game in foreseeing the need, but did -- has not performed until recent years any actual deployment of great significance. The Asian curve is rising rapidly and the deployment will exceed the rest of the world very soon.
The next chart drills down more. On a country basis, which are the countries of the highest deployment percentage wise of v6. This starts with Belgium, 58%. Followed by -- this has changed recently, India at 51%. India, percentagewise is the second country in terms of v6 usage in the world. It's by far the largest in terms of the number of years, because 51% of Indian internet users is some hundreds of millions of internet users using IPv6. The list goes on. I won't go into it. As expected, you see quite a few developed markets on this list and also a few developing markets. That's interesting with the assumptions that where IPv6 is going to be deployed.
Let's look at India next. India has a deployment average of 50%. That's do uh to the company called reliance GEO that mucked up the market by offering free mobile wireless data services to anybody who needed it and consequently signed up, like I said, hundreds of millions of Indian internet users to a service that is an IPv6 service. Hence, their own internal use of IPv6 are 930% of users are on IPv6. People on phones and other issues are less than 10%. I think as Jan said before, having the dual stack network is that NAT is only used in the IPV4 and here's alliance of users in a great advantage compared to others. The interesting thick here that I don't have on the chart but it is the -- that there are two other mobile providers in India who have quickly followed and they're developing up to 20% or so capability as well. That's a good example of a later -- a competitive situation with the leader moving first. Quickly to the next slide, the United States as predicted proved it can be used again over the recent years in a production reliable internet industry manner. --
Next, Japan has moved up over the years. More rapid movers as well which is something to be aware of in recent years. The next one is Vietnam. As I say, not an economy people expect it to be used. There's a provider, a cable provider providing V6 services and that's attributed to Vietnam's being high on the list as well. To show how quickly this can move, Uruguay's Antel (phonetic) deployed v6 in the last 10 months and they've gotten close to 50% of the country's internet users being with this cable.
This is on the provider's side. It's a chicken and egg situation. No point in providing it unless you can access it. Google's latest is their services are delivering 20% of their content through IPv6. That's a huge volume of content.
The next one, Facebook, 50%. The USA. The next couple of slides is how long will this take? No one can predict the future. This comes out of the blue with countries with business plans. If we look at the Sigmoid curve, a mathematic employment that shows how this works, all of the things in history roughly follow an Sigmoid curve which is a slow start and period of expansion with a long tail. We take a look at the early phase of IPv6 adoption as we see it. We see we're at that early point in the Sigmoid curve, if we follow this curve, we're in a four or five-year period of rapid growth and followed by a possibly five-to-10-year long tail which IPv4 will exist but it will be IPv6. This is wide. I try to tell people there is still after 15 year, there's still an early adopter advantage for IPv6 because you can as a user or a provider you can move to the 6 and take advantages because you're either delivering your content to a user base to 20% IPv6 users or you're able to access a large volume of content which is available on IPv6. So, it's been something that's worth knowing about. It's something that's changed in the last couple of years and it's going to only continue to grow. Thank you.
[ Applause ]
>> Richard Leaning: 25 minutes left for Q&A. I'm sure there will be lots of questions from the floor. The first one is we're going to answer this gentleman's question regarding -- another question, sure.
>> Participant: The first was rushed -- it's rushed. Is it really a smart to -- what kind of -- so I think the right question would be what kind of policy -- can government give to the small content of the bigger problems in, you know, assess IPv6 and funding rights to the process in place. So what kind of s I think it's a problem now. It remains small con tints, big tail and -- bigger, long tail. So what kind of policies in ethnic or -- for governments to give. That's a long time. Something needs s to be done fast. Thank you.
>> Richard Leaning: Who would like to -- yeah? Yeah?
>> Panelist: Okay. So, I don't think the policy can solve this problem. We have a good example in Belgium. There are reasons why traffic to Google coming to Belgium is 50% on IPv6. Belgium is the world champion on IPv6 to getting eyeballs on IPv6. I was always wondering why. When I talked to Gregory, we said, yes, the operators from Belgium went into this voluntary agreement for law enforcement that they would not put more than 8 or something, 16, but now they are putting 8, they're putting basically eight users behind one IP address to limit the people who they have to investigate if the crime happens. All of a sudden, the operators realized, oh, the CGN is not as useful as it was before. Because now we use much more IP addresses to serve our customers. What's the way forward? They found out that IPv6 is solving the issues. And now it's 50% of Belgian traffic is IPv6. These are the kind of incentives to move the operators in the natural way to move things to cost less end-to-end. And save them from non-scalability and the cost of a CGN.
If you put in the policy saying everybody must deploy IPv6, this is a repressive mechanism. People should -- deploying IPv6 is not a business upgrade, it's a technology upgrade, technology refresh. Operators should offer the connectivity for the user to the internet where you have IPv4 and IPv6. So why should the operator give it just to half of the internet? It's the duty of the operator to give access over all used protocols to the internet. And I think this is a good incentive, thank you.
>> Panelist: To add to that, it's not just a technology upgrade or an access media. If an operator wants to implement IPv6, there's a lot more to be done than upgrading the technology of the network. So, the technology of the network is an easy thing. A lot of backend systems that need to be adapted. But as to the answer to the question, it's a personal opinion. One of the reasons the IPv6 adoption is not ramping up in smaller organizations, there's awareness. We're still failing to educate people on how these things work. If we look at traditional IP, you talk to the networking people there, they're not very well v6 aware. So that's where governmental support could help.
>> Richard Leaning: You and then the gentleman over there and you, sir.
>> Audience: In the African region, they've been giving away free IPv6 blocks for every address for the last ten years or so. The challenge is not everyone who receives is deploying the v6. And there's also been training happening. And the training has been targeting the teams. And they were able to get training for managers. That helps to get more of the operators now begin to deploy v6, but not on the level we should be. But the managers who attended the training sessions are able to appreciate the need for IPv6. So, yes, there's been capacity building. Targeting only the technical stuff. And not the management, the position or the companies that need to make a decision to deploy v6.
>> Richard Leaning: Thank you, sure.
>> Audience: Quick comment on both of your questions. You've updated. But going back to the question of should there be some governmental top-down mandate. I raise a couple of concerns on that. One is operators are often trying to address their business needs of scale. Maybe security. Maybe they need to move to the cloud. These are all resource initiatives. And if a mandate says everything needs to run v6 by X date, there's business implication s to that. Then a jurisdiction question. Many operators in multiple countries. Who provides that mandate. Is it a fractured mandate? A lot of these are meshed, the connectivity across their enterprise doesn't follow the geography underneath per se or necessarily the jurisdiction boundaries. So, there's complexity making that top-down edict. I appreciate the revised question of what kind of incentives could I create. The one that comes to mind to me is there's a cost. There's an operator cost to enable it. Perhaps I've seen this in the U.S. where there's been incentives on R&D credits, maybe a v6 credit you.
Uh get incentives through tax breaks or giving the opportunity the opportunity to take the costs and implementing it with a timeline and giving benefit in that regard. That might be a great way to do it.
>> Richard Leaning: If you ask a question, please be short and blunt and we'll answer it quickly. So, the first one on the list is the gentleman over there.
>> Audience: Thank you. I am end user and I tried to follow your presentation. It's quite interesting and I hope I understand. Thank you for putting one image of one user. Maybe the next time you can do the IPv6. The version you give is IPv4. The next one is we try to have the government saying that everybody needs it. We try with ISP. We try with -- why don't we try with end user? Maybe it's time to say in one year, we, end user, will be on strike for IPv4. And we need everybody to be on IPv6. If we start, withe will not be able to be any more customers if we don't have not IPv4 -- IPv6. Thank you.
>> Panelist: The challenge with that is we're in an ecosphere here, around internet governance where we know about the internet. The majority of the population just trusts their internet is working. They have no idea what an internet address is. To have 7 billion people to rally around the idea that we mouth have IPv6 is quite a challenge.
>> Richard Leaning: Gentleman here in front.
>> Audience: Thank you. From Switzerland. For a long time avoided listening to IPv6 discussions in the last year. This is the first time I heard from two of oh the panelists that there was an economic business case for IPv6 implementation. Maybe Dick from ISOC and Proximus. So, is there really one for a multitude of operators? And if so, who spreads the word? Because I would suppose operators need to know. Because the common conception is too expensive and unless everybody else does as we want to first, we're not copying the stupid people investing too much.
>> Panelists: Most operators have adopted CGN. But since that's a stateful core and most of the implementations you do NAT for, are stateful in the core which means I need to get all of my traffic through one choke point and make sure it comes back and then I need to scale to support the ever-growing needs that's just technically very difficult to do. And you keep adding boxes to that. If you transition your users to v6, you don't need to add as many boxes that directly relate to money to the problem. So, I think most operators should -- should have v6 knowledge by now. Because there has been a lot of capability building in the operator community. So, I think gradually, and that's also one of the reasons why a city and adoption rates and capability rates increasing in a multitude of countries because people have deployed historically CGN and are now facing scaling issues with CGN so ramping to v6 as a natural evolution.
>> Panelist: I may need to add, it's simple. If you want to translate 100 terabytes of traffic, you invest 1 million Euros.
If you need to translate half of that, invest half a million Euros. Is there an incentive? I think there is.
>> Richard Leaning: CGN is growing investment.
>> Audience: How high was Proximus's investment. That's something ISPs need and would like to know. As far as I see it in Europe, they're not motivated. Because of the money.
>> Richard Leaning: We can take it up after. I'm conscious on the time. I don't mind standing here after the time the room is empty. Because I don't have lunch. We have to close before lunch. Otherwise, the gentleman here next, then Allen, Dimitri, Oscar, and Paul. So quick questions and we'll try to answer -- if we can't answer them now, we'll answer them or we can sit here in the break.
>> Audience: I'm an operator in Norway. We have not done V-6 yet. We're very careful before doing it. However, one point is that Ron, sorry, Gregory, you mentioned you had problems solving cases where you were meeting NAT problems. If those customers are perpetrators would have v6, would you be able to solve that case then? Because my -- my -- the incentive for that question is, we have talked a lot about operators here. We talked a lot about ISPs doing CGN and doing everything, but little about providers. Typically, the systems, Facebook and Google, sure, they've done it. But in my country, 40% to 50% of the website still being only 4 comparing the 500 websites. So, sure, it's an important issue to target as well. Not just the internet operators but also the content providers. So, thank you.
>> Audience: I think we need to be -- I don't know if we can solve the case, but I think the internet access providers will be able to give us one subscriber connected to one IPv6. Of course, within the house hold or within the small SME, it might be several persons behind it. But at the end, you use normal investigation techniques to find who is that. But you don't come with a list of 2,000 people.
>> Audience: A quick comment. Sure, as long as the website is v6 enabled. If it's not, you're just as far.
>> Audience: If it's not v6 enabled, the majority of their time goes over v6, you can as an operator more easily adopt the same method we did, limiting the amount of subscribers behind an IP address. So currently if you're only adopting v4 nothing, then it's a numbers problem, you need to do 1,000, 10,000 people behind an IP. If you do the combination of both techniques, you can come to a workable scenario for the agencies.
>> Richard Leaning: We've got five minute, Allen?
>> Audience: Allen from AFRNIC. I'd like to say something about what Fiona said AFRNIC giving v6 blocks when people receive IPv4 block. We've never done that. You have to request it. It's not automatic if you don't request it. Thanks.
>> Richard Leaning: Thank you, Dimitri?
>> Audience: I heard if you remember was saying how to solve the law enforcement problem. And just the tools how to solve. For example, 20 years later, we will get some -- with capabilities. But we will solve the problem or we'll get a new one. Because the network now -- we move to mobile. Different objective. And we have behind us a lot of service management. A lot of DPI. You can say it depends on tasks. Maybe we're trying to solve the wrong problem. And with the wrong tools. What do you think about it? Because also for me it looks as a key problem for law enforcement is corporation. Yes, you're trying to -- inside Europe, you still can't solve this problem. What is the real demand. Sorry, I don't believe. The same -- is this presentation different, I see it about ten years ago. It was expected within this year, we will have the demolition of IPv4. We shifted to ten years later.
>> Richard Leaning: I'm going to have to close the list to let guys up here to finish us off. You first.
>> Audience: I agree with Mr. DaSilva with the top down politics for the country. There's something that the governments can do with technology. Thanks for starting to ask for IPv6 with their own solutions that they're requiring that would put the needle enough in the countries for the providers to make it a business case. I think they can do it in some instances to bond all of the entries with all equipment because that's also a risk to become a dump country with old technology and that's something that some countries can do as well.
>> Richard Leaning: I'm going to leave it for Paul to say 30 seconds and leave the last comment out here to wrap up the section. Paul?
>> Paul Wilson: Thank you, Dick. I was going to make a point for government procurement as a strong mechanism for industry development and inspire some of the development or capacity that the governments can require. Important to understand that v6 compatibility is not a binary yes-no thing. There's a lot of aspects depending on what's being purchased. It would not be useful to have a tokenistic IPv6 requirement. It requires some validations, some understanding, some drilling down hard for that to happen. But it is very powerful.
The other thing that is related is that governments are interested in IPv6 perhaps for industry development but we should all be interested for the sake of the future of the use of our internet and all of us who use the internet products services of many kinds and any has an IPv6 component to it and not be investing or trying to specialize in any product without asking or informing yourself about how IPv6 has to be supported. That goes to web developers, consultants, and advisors as much as it does for modems and connectivity services.
>> Richard Leaning: It says it will support and ebb courage.
>> Panelist: This is not policy. This is a response. And my last comment is that I think ICANN internet society, the regional industry, I think this discussion needs to go outside of the technical community and involve everybody, including police because decision makers and users so when the time -- when crunch time comes and we connect 30 billion or 20 billion people, we're connected using the correct protocol. Capacity building. Include other critical stakeholders in the discussions. Certainly, my pleasure to be on this panel. Thank you very much.
>> Richard Leaning: We're here for the rest of the day and for tomorrow as well. If you have more questions, we are about -- we can get our e-mail addresses. Can you give the panel a big round of applause for the time and effort. And give yourself a round of applause for listening to all this. And thank you very much.