Going dual-stack, how do apps behave and what to do as an operator (Was: Apple Airport Extreme IPv6 problems?)

Jeroen Massar jeroen at unfix.org
Sat Sep 15 20:03:54 UTC 2007


[spam: Check http://www.sixxs.net/misc/toys/ for an IPv6 Toy Gallery :)]

Somewhat long, hopefully useful content follows...

Barrett Lyon wrote:
[..]
> The other thought that occurred to me, does FF/Safari/IE have any
> ability to default back to v4 if v6 is not working or behaving badly? 
> This could be a helpful transition feature but may be more trouble than
> it's worth.

The IETF recommendation is that IPv6 is tried before IPv4, BUT there is
RFC3484 (http://www.ietf.org/rfc/rfc3484.txt) which gives an extra edge
to this. In general it comes down that the resolver will, assuming there
is both an IPv4 and IPv6 address (A + AAAA) on the dns label requested
try, as a source address:

- IPv6 native (anything not 2002::/16 + 2003::/32)
- IPv4 native
- IPv6 6to4 (2002::/16)
- IPv6 Teredo (2003::/32

Of course when there is only a A or AAAA only that protocol will be
used. All applications are supposed to use getaddrinfo() which sorts
these addresses per the above specification, the app should then
connect() to them in order, fail/timeout and try the next one till it
connects correctly. The above table is re-programmable per host and
there are discussions/drafts to automate that for a complete network.

The correct way to use getaddrinfo() is described in:
http://gsyc.escet.urjc.es/~eva/IPv6-web/ipv6.html by Eva Casto and of
course the almost 10 year old document by Jun-ichiro itojun Itoh at:
http://www.kame.net/newsletter/19980604/


Now the really BIG problem there is though is that when network
connectivity is broken. TCP connect will be sent, but no response comes
back or MTU is broken, then the session first has to time out.

Thus if a user has IPv6 and the server has it also but the connectivity
between them is b0rked then it will take quite some time to recover
properly from this. Apps could of course do a multi-connect and try all
in parallel but I am pretty sure that servers are not waiting for that
and for instance the Firefox programmers don't even know what
"threading" is, seeing that they can't even separate their UI from the
network and rendering code, thus don't wait for them to do it for that.
Also there is this nasty concept of deployed base and getting people to
upgrade is of course far from easy, fortunately those types won't do
IPv6 either hopefully ;)

6to4 and Teredo are a big problem here, especially from an operator
viewpoint. This as an operator has absolutely no control over the flow
of packets from/to his/her network. When the packets flow back it might
just be that, due to BGP in the remote network, something attracts the
6to4 packets destined back for 6to4 and they mysteriously disappear or
get routed around the world. The same for the way from the user on your
network to the 6to4 relay at 192.88.99.1 (if you, like me, can't
remember the address just type "host -t any 6to4.ipv6.microsoft.com" ;)
This one can also be situated anywhere on this planet and BGP might pull
it somewhere where you don't want it to go.

As such, if you, as an ACCESS operator want to have full control over
where your users IPv6 traffic goes to you might want to do a couple of
things to get it at least a bit in your control:
 - setup a 6to4 relay + route 192.88.99.1 + 2002::/16
 - setup a Teredo Server + Relay and make available the
   server information to your users and inform them of it.
 - and/or the better option IMHO, to keep it in control: setup a
   tunnel broker and provide your users access to that. For instance
   Hexago sells appliances for this purpose but you can also ask SixXS
   to manage one for your customers.

For CONTENT operators, get yourself a nice chunk of RIR space from your
RIR. Then what you might want to do is setup the following little test:
http://www.braintrust.co.nz/ipv6wwwtest/ and/or mods of it, put it on
your important content sites. This will allow you to discover if your
clients are using IPv6 and if they are able to reach it. Then if you are
confident that you are up to it and that your clients are fine, you
might want to consider adding AAAA's to your site and go fully dual stack.

If you have somewhat tech savvy users you can of course also ask them to
test it for you. "Check out our Cool new toy: we got IPv6!" or something
and ask them how it works.

As for the above spammed toys URL, I have to note that especially AXIS
folks are really cool, you send them a mail asking "what products
support IPv6" and the next day you get back very nice PDF's containing
their overviews of everything that supports IPv6, they have lots of it,
nearly all their products do. The best thing of course is that the sales
reps actually KNOW what IPv6 is, wow, I like those AXIS folks! :)

Greets,
 Jeroen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 311 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20070915/0543b373/attachment.sig>


More information about the NANOG mailing list