Going dual-stack, how do apps behave and what to do as an operator (Was: Apple Airport Extreme IPv6 problems?)

Iljitsch van Beijnum iljitsch at muada.com
Sun Sep 16 14:08:44 UTC 2007


On 16-sep-2007, at 15:17, Nathan Ward wrote:

> 6to4 uses protocol 41 over IP. This doesn't go through NAT

Those statements are both true, but they're unrelated. If your NAT  
box knows there is more to IP than TCP and UDP, it's possible that  
you can do IPv6-in-IP tunneling in general (protocol 41) through the  
NAT box, but that doesn't help 6to4 because your 6to4 address range  
is constructed from your IPv4 address which can't be done  
successfully using RFC 1918 addresses.

> stateful firewalls (generally).

Depends on the firewall and how it's configured. This is a problem,  
because if you use public addresses but protocol 41 is blocked, IPv6  
stuff needs to time out.

> if you're an enterprise-esque network operator who runs non-RFC1918  
> addresses internally and do NAT, or you do stateful firewalling,  
> PLEASE, run a 6to4 relay on 192.88.99.1 internally, but return  
> ICMPv6 unreachable/admin denied/whatever to anything that tries to  
> send data out through it. Better yet, tell your firewall vendor to  
> allow you to inspect the contents of 6to4 packets, and optionally  
> run your own 6to4 relay, so outgoing traffic is fast.

Right.

> Even if you don't want to deploy IPv6 for some time, do this at the  
> very least RIGHT NOW, or you're preventing those of us who want to  
> deploy AAAA records alongside our A records from doing so.

Well, I don't care: you break it, you buy it. But I can see how  
people who make money from their content would...
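
The two points above (a 6to4 prefix is derived from the site's public IPv4 address, so an RFC 1918 address can never yield a usable one; and a firewall that can look inside protocol 41 can sanity-check the encapsulated traffic) as a worked example. This is an added illustration, not code from this thread or from any named vendor. The packet bytes are constructed inline with a zero IPv4 checksum, the list of unusable IPv4 ranges and the verdict strings are this example's own choices, and the only real constants are the 2002::/16 6to4 prefix (RFC 3056), the 192.88.99.1 relay anycast address (RFC 3068) and IP protocol number 41.

```python
"""6to4 prefix derivation and protocol-41 inspection (added example)."""
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")     # RFC 3056
ANYCAST_RELAY = ipaddress.IPv4Address("192.88.99.1")  # RFC 3068
IPPROTO_IPV6 = 41                                     # IPv6-in-IPv4

# IPv4 ranges that cannot produce a reachable 6to4 prefix: RFC 1918 plus
# other non-routable blocks (this list is the example's own assumption).
UNUSABLE_V4 = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "100.64.0.0/10", "224.0.0.0/4", "240.0.0.0/4",
)]


def six_to_four_prefix(v4):
    """2002:WWXX:YYZZ::/48 for a public IPv4 address, None if unusable."""
    addr = ipaddress.IPv4Address(v4)
    if any(addr in net for net in UNUSABLE_V4):
        return None
    # bits 127..112 = 0x2002, bits 111..80 = the IPv4 address
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(addr) << 80), 48))


def embedded_v4(v6):
    """IPv4 address embedded in a 6to4 address, None for non-6to4 addresses."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def build_6to4_packet(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Constructed sample: IPv4 header (proto 41) + IPv6 header + payload."""
    v6 = struct.pack("!IHBB16s16s",
                     0x60000000, len(payload), 59, 64,  # ver 6, next hdr 59 (none)
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address(inner_dst).packed) + payload
    v4 = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(v6), 0, 0, 64, IPPROTO_IPV6,
                     0,                                   # checksum left zero
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6


def inspect_protocol41(packet):
    """Classify an IPv4 packet the way a 6to4-aware firewall could.

    Returns one of: 'truncated', 'not-proto-41', 'not-ipv6', 'not-6to4',
    'unroutable-source', 'spoofed-source', 'ok'.
    """
    if len(packet) < 20:
        return "truncated"
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_IPV6:
        return "not-proto-41"
    if len(packet) < ihl + 40:
        return "truncated"
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner = packet[ihl:ihl + 40]
    if inner[0] >> 4 != 6:
        return "not-ipv6"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src not in SIX_TO_FOUR:
        return "not-6to4"          # configured tunnel or other proto-41 use
    if six_to_four_prefix(outer_src) is None:
        return "unroutable-source"  # NAT'd host: replies can never come back
    if embedded_v4(inner_src) != outer_src:
        return "spoofed-source"     # inner 2002:: prefix disagrees with outer src
    return "ok"


if __name__ == "__main__":
    for v4 in ("198.51.100.7", "192.168.1.10"):
        print(v4, "->", six_to_four_prefix(v4))
    pkt = build_6to4_packet("10.0.0.5", ANYCAST_RELAY, "2002:a00:5::1", "2001:db8::1")
    print("NAT'd host via relay:", inspect_protocol41(pkt))
```

The 'unroutable-source' verdict is the case the thread is about: a host behind NAT builds a 2002:0a00:0005::/48 prefix from its 10.0.0.5 address, sends it to 192.88.99.1, and nothing can ever route back to it; an internal relay that answers such packets with ICMPv6 unreachable lets the host fall back to IPv4 immediately instead of waiting for timeouts.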


