Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: nsp: ipv6

Dealing with filtered 6to4 clients

  

 
First page Previous page 1 2 Next page Last page  View All nsp ipv6 RSS feed   Index | Next | Previous | View Threaded


tore at linpro

Oct 27, 2009, 4:29 AM

Post #1 of 26 (1889 views)
Permalink
Dealing with filtered 6to4 clients
Hello list,

I've been doing some testing in order to determine whether or not it
would be «dangerous» for our customers to dualstack their web sites. The
largest problem I've found so far affects a very specific group of
clients, which:

1) are using Windows Vista or newer, and
2) are using the Opera web browser, and
3) are assigned public IPv4 addresses, and
4) are on a network which filters inbound proto-41 traffic.

In this case, the client will have a 6to4 tunnel interface automatically
configured, and will prefer using it over native IPv4 for contacting
dualstacked web sites. However the return traffic never makes it back
to the client, which manifests itself on the server as unsucessful
retransmits of the SYN+ACK TCP packet. On the client, it looks as if
the site is down (or extremely slow, as it will eventually fall back on
IPv4).

There's two eyeball networks (of significant size) in Norway which does
this kind of inbound proto-41 filtering at the moment, and it makes it
hard for me to talk my customers into providing IPv6 content as they're
terrified of client loss of any kind. The issue has been discussed with
the networks in question and while at least one of them acknowledge the
problem, they're reluctant to allow inbound proto-41 traffic as that
will basically create a wide hole in their firewall filter (which I
believe allows only inbound «established-looking» packets at the moment).

So, assuming that allowing 6to4/proto-41 (or deploying native v6) is out
of the question: Does anyone have any suggestions on how I (or the
eyeball networks) can handle this in a better way?

I've tried filtering the 6to4 packets on the way out and returning a
ICMPv4 type 3 code 13 (tried code 3 as well) to the client, hoping that
it would prompt Opera to fall back on v4 immediately, but unfortunately
it does not have any effect at all - it still hangs as if the site is down.

Best regards,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
Tel: +47 21 54 41 27


martin at airwire

Oct 27, 2009, 4:33 AM

Post #2 of 26 (1845 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
Tore Anderson wrote:
> Hello list,
>
> I've been doing some testing in order to determine whether or not it
> would be «dangerous» for our customers to dualstack their web sites. The
> largest problem I've found so far affects a very specific group of
> clients, which:
>
> 1) are using Windows Vista or newer, and
> 2) are using the Opera web browser, and
> 3) are assigned public IPv4 addresses, and
> 4) are on a network which filters inbound proto-41 traffic.
>
> In this case, the client will have a 6to4 tunnel interface automatically
> configured, and will prefer using it over native IPv4 for contacting
> dualstacked web sites.

Why would 6to4 be preferred over native IPv4 here ? That's not the
behaviour intended.

Kind regards,
Martin List-Petersen
--
Airwire - Ag Nascadh Pobail an Iarthair
http://www.airwire.ie
Phone: 091-865 968


tore at linpro

Oct 27, 2009, 4:36 AM

Post #3 of 26 (1842 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
* Martin List-Petersen

> Why would 6to4 be preferred over native IPv4 here ? That's not the
> behaviour intended.

It's a bug/feature of the Opera web browser. I believe it will prefer
Teredo over IPv4, too.

Best regards,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
Tel: +47 21 54 41 27


martin at airwire

Oct 27, 2009, 4:46 AM

Post #4 of 26 (1844 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
Tore Anderson wrote:
> * Martin List-Petersen
>
>> Why would 6to4 be preferred over native IPv4 here ? That's not the
>> behaviour intended.
>
> It's a bug/feature of the Opera web browser. I believe it will prefer
> Teredo over IPv4, too.

First approach would be to get Opera to fix the bug/feature then, making
them aware of the issues, they are causing.

Kind regards,
Martin List-Petersen
--
Airwire - Ag Nascadh Pobail an Iarthair
http://www.airwire.ie
Phone: 091-865 968


jeroen at unfix

Oct 27, 2009, 4:48 AM

Post #5 of 26 (1841 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
Tore Anderson wrote:
> * Martin List-Petersen
>
>> Why would 6to4 be preferred over native IPv4 here ? That's not the
>> behaviour intended.
>
> It's a bug/feature of the Opera web browser. I believe it will prefer
> Teredo over IPv4, too.

Two possible fixes:
- get Opera to stop deciding what the network should behave like
and explain them that getaddrinfo() and more specifically RFC3484
exist for a reason and that the OS definitely know more than they do

- get Microsoft to include a connectivity test inside their stacks.
(which, partially, is there for Vista/Seven)

Both require people to upgrade stuff, the first requires less people to
upgrade, the latter would fix other issues.

Greets,
Jeroen
Attachments: signature.asc (0.19 KB)


tore at linpro

Oct 27, 2009, 5:01 AM

Post #6 of 26 (1837 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
* Martin List-Petersen

> First approach would be to get Opera to fix the bug/feature then, making
> them aware of the issues, they are causing.

That has already been done. I don't know when (or if) they'll fix it,
but in any case the broken implementation won't vanish overnight when
the fixed version is released. I doubt this will be the last broken
client-side implementation we'll see either...

Maybe I shouldn't be too optimistic about it, but I'm hoping to find a
solution that will solve the problem today (without requiring assistance
from third parties like Opera or Microsoft), in a manner that allows me
to convince my customers to start providing their content over IPv6. If
I can get just that ball rolling and more and more v6-enabled sites show
up here in Norway, the onus to not break v6 will shift to the eyeball
networks (or so I hope).

Thanks to you and Jeroen both for your input!

Best regards,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
Tel: +47 21 54 41 27


martin at airwire

Oct 27, 2009, 5:08 AM

Post #7 of 26 (1856 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
Tore Anderson wrote:
> Maybe I shouldn't be too optimistic about it, but I'm hoping to find a
> solution that will solve the problem today (without requiring assistance
> from third parties like Opera or Microsoft), in a manner that allows me
> to convince my customers to start providing their content over IPv6. If
> I can get just that ball rolling and more and more v6-enabled sites show
> up here in Norway, the onus to not break v6 will shift to the eyeball
> networks (or so I hope).

The only other way of fixing this or ensuring no breaking is a DNS
whitelist type of filter like what Google does.

I wouldn't encourage that, but if your eyeball networks are that
paranoid, that's a way, how they can be in control. They could then
choose not to provide AAAA records to 6to4- and teredo- clients.

Anyhow .. that's a hack and not to be encouraged, really.

Kind regards,
Martin List-Petersen
--
Airwire - Ag Nascadh Pobail an Iarthair
http://www.airwire.ie
Phone: 091-865 968


martin at airwire

Oct 27, 2009, 5:10 AM

Post #8 of 26 (1838 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
Martin List-Petersen wrote:
> I wouldn't encourage that, but if your eyeball networks are that
> paranoid, that's a way, how they can be in control. They could then
> choose not to provide AAAA records to 6to4- and teredo- clients.
>
> Anyhow .. that's a hack and not to be encouraged, really.

Arghh .. me not thinking today. Obviously they can't know, what the
client has, but they could whitelist known good deployments then.

Kind regards,
Martin List-Petersen
--
Airwire - Ag Nascadh Pobail an Iarthair
http://www.airwire.ie
Phone: 091-865 968


ghen at telenet

Oct 27, 2009, 5:15 AM

Post #9 of 26 (1846 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
On Tue, Oct 27, 2009 at 12:10:35PM +0000, Martin List-Petersen wrote:
> Martin List-Petersen wrote:
> > I wouldn't encourage that, but if your eyeball networks are that
> > paranoid, that's a way, how they can be in control. They could then
> > choose not to provide AAAA records to 6to4- and teredo- clients.
> >
> > Anyhow .. that's a hack and not to be encouraged, really.
>
> Arghh .. me not thinking today. Obviously they can't know, what the
> client has, but they could whitelist known good deployments then.


Or, on your side, you could not serve AAAA records to (the DNS chaches of)
the problematic network(s)?


Geert

--
Geert Hendrickx -=- ghen [at] telenet -=- PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!


tore at linpro

Oct 27, 2009, 5:23 AM

Post #10 of 26 (1842 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
* Geert Hendrickx

> Or, on your side, you could not serve AAAA records to (the DNS
> chaches of) the problematic network(s)?

Hmm... That could work, at least for the customers who also have their
DNS hosting from us. You'd need to create a separate view in BIND for
the problematic networks using copies of the original zones sans the
quad-A records, right?

I'll look into it, thanks!

Best regards,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
Tel: +47 21 54 41 27


martin at airwire

Oct 27, 2009, 5:26 AM

Post #11 of 26 (1844 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
Geert Hendrickx wrote:
> On Tue, Oct 27, 2009 at 12:10:35PM +0000, Martin List-Petersen wrote:
>> Martin List-Petersen wrote:
>>> I wouldn't encourage that, but if your eyeball networks are that
>>> paranoid, that's a way, how they can be in control. They could then
>>> choose not to provide AAAA records to 6to4- and teredo- clients.
>>>
>>> Anyhow .. that's a hack and not to be encouraged, really.
>> Arghh .. me not thinking today. Obviously they can't know, what the
>> client has, but they could whitelist known good deployments then.
>
>
> Or, on your side, you could not serve AAAA records to (the DNS chaches of)
> the problematic network(s)?

That is the better approach alright.

Kind regards,
Martin List-Petersen
--
Airwire - Ag Nascadh Pobail an Iarthair
http://www.airwire.ie
Phone: 091-865 968


spz at serpens

Oct 27, 2009, 10:13 AM

Post #12 of 26 (1845 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
Hi,

Thus wrote Tore Anderson (tore [at] linpro):

> 1) are using Windows Vista or newer, and
> 2) are using the Opera web browser, and
> 3) are assigned public IPv4 addresses, and
> 4) are on a network which filters inbound proto-41 traffic.

If the networks in question had their own "6to4 tunnel brokers" they could
prevent loss of connectivity that their filtering generates by not
actually brokering their clients but providing a kind of proxying instead.
That'd be incredibly ugly but probably better than the current state.

Getting IPv6 and actually brokering their customers of course also would
help :)

regards,
spz
--
spz [at] serpens (S.P.Zeidler)


ek at google

Nov 2, 2009, 1:50 PM

Post #13 of 26 (1822 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
2009/10/27 Martin List-Petersen <martin [at] airwire>:
> Geert Hendrickx wrote:
>> On Tue, Oct 27, 2009 at 12:10:35PM +0000, Martin List-Petersen wrote:
>>> Martin List-Petersen wrote:
>>>> I wouldn't encourage that, but if your eyeball networks are that
>>>> paranoid, that's a way, how they can be in control. They could then
>>>> choose not to provide AAAA records to 6to4- and teredo- clients.
>>>>
>>>> Anyhow .. that's a hack and not to be encouraged, really.
>>> Arghh .. me not thinking today. Obviously they can't know, what the
>>> client has, but they could whitelist known good deployments then.
>>
>>
>> Or, on your side, you could not serve AAAA records to (the DNS chaches of)
>> the problematic network(s)?
>
> That is the better approach alright.

Until the IPv6 Internet gets less sucky it's the pretty much the only
approach we've been able to come up with.


martin at airwire

Nov 2, 2009, 2:08 PM

Post #14 of 26 (1819 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
Erik Kline wrote:
> 2009/10/27 Martin List-Petersen <martin [at] airwire>:
>> Geert Hendrickx wrote:
>>> On Tue, Oct 27, 2009 at 12:10:35PM +0000, Martin List-Petersen wrote:
>>> Or, on your side, you could not serve AAAA records to (the DNS chaches of)
>>> the problematic network(s)?
>> That is the better approach alright.
>
> Until the IPv6 Internet gets less sucky it's the pretty much the only
> approach we've been able to come up with.

Hi Eric.

No, you don't serve to anybody but who's on your whitelist.

The last approach here was to serve to everybody and blacklist networks
that suck.

I prefer the latter, but I do understand the approach. Some networks do
need the quality.

Kind regards,
Martin List-Petersen
--
Airwire - Ag Nascadh Pobail an Iarthair
http://www.airwire.ie
Phone: 091-865 968


ek at google

Nov 2, 2009, 2:16 PM

Post #15 of 26 (1823 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
2009/11/2 Martin List-Petersen <martin [at] airwire>:
> Erik Kline wrote:
>> 2009/10/27 Martin List-Petersen <martin [at] airwire>:
>>> Geert Hendrickx wrote:
>>>> On Tue, Oct 27, 2009 at 12:10:35PM +0000, Martin List-Petersen wrote:
>>>> Or, on your side, you could not serve AAAA records to (the DNS chaches of)
>>>> the problematic network(s)?
>>> That is the better approach alright.
>>
>> Until the IPv6 Internet gets less sucky it's the pretty much the only
>> approach we've been able to come up with.
>
> Hi Eric.
>
> No, you don't serve to anybody but who's on your whitelist.
>
> The last approach here was to serve to everybody and blacklist networks
> that suck.
>
> I prefer the latter, but I do understand the approach. Some networks do
> need the quality.
>
> Kind regards,
> Martin List-Petersen
> --
> Airwire - Ag Nascadh Pobail an Iarthair
> http://www.airwire.ie
> Phone: 091-865 968
>

Right. I meant the not-serving-to-problem-networks part. We just
assume that all networks could have problems, unless otherwise
explicitly stated. =)


paul at timmins

Nov 2, 2009, 3:19 PM

Post #16 of 26 (1799 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
Erik Kline wrote:
> 2009/11/2 Martin List-Petersen <martin [at] airwire>:
>
>> Erik Kline wrote:
>>
>>> 2009/10/27 Martin List-Petersen <martin [at] airwire>:
>>>
>>>> Geert Hendrickx wrote:
>>>>
>>>>> On Tue, Oct 27, 2009 at 12:10:35PM +0000, Martin List-Petersen wrote:
>>>>> Or, on your side, you could not serve AAAA records to (the DNS chaches of)
>>>>> the problematic network(s)?
>>>>>
>>>> That is the better approach alright.
>>>>
>>> Until the IPv6 Internet gets less sucky it's the pretty much the only
>>> approach we've been able to come up with.
>>>
>> Hi Eric.
>>
>> No, you don't serve to anybody but who's on your whitelist.
>>
>> The last approach here was to serve to everybody and blacklist networks
>> that suck.
>>
>> I prefer the latter, but I do understand the approach. Some networks do
>> need the quality.
>>
>> Kind regards,
>> Martin List-Petersen
>> --
>> Airwire - Ag Nascadh Pobail an Iarthair
>> http://www.airwire.ie
>> Phone: 091-865 968
>>
>>
>
> Right. I meant the not-serving-to-problem-networks part. We just
> assume that all networks could have problems, unless otherwise
> explicitly stated. =)
>
Is there a way to get on the approved list without a bunch of peering?


ek at google

Nov 2, 2009, 3:25 PM

Post #17 of 26 (1800 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
>> Right.  I meant the not-serving-to-problem-networks part.  We just
>> assume that all networks could have problems, unless otherwise
>> explicitly stated.  =)
>>
>
> Is there a way to get on the approved list without a bunch of peering?

If we see you behind 2 or more networks with whom we have good
connectivity that's usually good enough (though I'm not the final
arbiter in the matter).

We're still in the process of rolling out IPv6 to all geographic
regions, so sometimes that's the bigger blocker (like if we perform
maintenance on the datacenter nearest you and the next closest is
half-way around the world then that's a problem, regardless of how
well we're connected to one another).


chaz at chaz6

Nov 3, 2009, 4:34 AM

Post #18 of 26 (1807 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
On 03/11/09 00:25, Erik Kline wrote:
> If we see you behind 2 or more networks with whom we have good
> connectivity that's usually good enough (though I'm not the final
> arbiter in the matter).
>
> We're still in the process of rolling out IPv6 to all geographic
> regions, so sometimes that's the bigger blocker (like if we perform
> maintenance on the datacenter nearest you and the next closest is
> half-way around the world then that's a problem, regardless of how
> well we're connected to one another).

Please consider setting up an alternate domain (for example google6.com)
which has IPv6 DNS glue. At present it is impossible to directly access
google from an IPv6-only network.


martin at airwire

Nov 3, 2009, 5:07 AM

Post #19 of 26 (1799 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
Chris Hills wrote:
> On 03/11/09 00:25, Erik Kline wrote:
>> If we see you behind 2 or more networks with whom we have good
>> connectivity that's usually good enough (though I'm not the final
>> arbiter in the matter).
>>
>> We're still in the process of rolling out IPv6 to all geographic
>> regions, so sometimes that's the bigger blocker (like if we perform
>> maintenance on the datacenter nearest you and the next closest is
>> half-way around the world then that's a problem, regardless of how
>> well we're connected to one another).
>
> Please consider setting up an alternate domain (for example google6.com)
> which has IPv6 DNS glue. At present it is impossible to directly access
> google from an IPv6-only network.
>

Google has done that. It's ipv6.google.com.

And there is no problem accessing Google from an IPv6 only network, if
your network is whitelisted. Contact Google to get it whitelisted. I use
Google every day from a IPv6 only box.

Services that don't work on IPv6 aren't available to IPv6 yet.

Kind regards,
Martin List-Petersen
--
Airwire - Ag Nascadh Pobail an Iarthair
http://www.airwire.ie
Phone: 091-865 968


chaz at chaz6

Nov 3, 2009, 5:12 AM

Post #20 of 26 (1787 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
On 03/11/09 14:07, Martin List-Petersen wrote:
> Google has done that. It's ipv6.google.com.
>
> And there is no problem accessing Google from an IPv6 only network, if
> your network is whitelisted. Contact Google to get it whitelisted. I use
> Google every day from a IPv6 only box.
>
> Services that don't work on IPv6 aren't available to IPv6 yet.

This is /not/ accessible from an IPv6-only network. The google
nameservers are only v4-connected.

$ dig -6 +trace ipv6.google.com. in aaaa

; <<>> DiG 9.6.1-P1 <<>> -6 +trace ipv6.google.com. in aaaa
;; global options: +cmd
. 112691 IN NS M.ROOT-SERVERS.NET.
. 112691 IN NS L.ROOT-SERVERS.NET.
. 112691 IN NS J.ROOT-SERVERS.NET.
. 112691 IN NS B.ROOT-SERVERS.NET.
. 112691 IN NS E.ROOT-SERVERS.NET.
. 112691 IN NS C.ROOT-SERVERS.NET.
. 112691 IN NS H.ROOT-SERVERS.NET.
. 112691 IN NS D.ROOT-SERVERS.NET.
. 112691 IN NS I.ROOT-SERVERS.NET.
. 112691 IN NS G.ROOT-SERVERS.NET.
. 112691 IN NS A.ROOT-SERVERS.NET.
. 112691 IN NS F.ROOT-SERVERS.NET.
. 112691 IN NS K.ROOT-SERVERS.NET.
;; Received 332 bytes from ::1#53(::1) in 2 ms

com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 496 bytes from 2001:7fd::1#53(K.ROOT-SERVERS.NET) in 51 ms

google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
;; Received 169 bytes from 2001:503:a83e::2:30#53(a.gtld-servers.net) in
240 ms

;; connection timed out; no servers could be reached


chaz at chaz6

Nov 3, 2009, 5:12 AM

Post #21 of 26 (1781 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
On 03/11/09 14:07, Martin List-Petersen wrote:
> Google has done that. It's ipv6.google.com.
>
> And there is no problem accessing Google from an IPv6 only network, if
> your network is whitelisted. Contact Google to get it whitelisted. I use
> Google every day from a IPv6 only box.
>
> Services that don't work on IPv6 aren't available to IPv6 yet.

This is /not/ accessible from an IPv6-only network. The google
nameservers are only v4-connected.

$ dig -6 +trace ipv6.google.com. in aaaa

; <<>> DiG 9.6.1-P1 <<>> -6 +trace ipv6.google.com. in aaaa
;; global options: +cmd
. 112691 IN NS M.ROOT-SERVERS.NET.
. 112691 IN NS L.ROOT-SERVERS.NET.
. 112691 IN NS J.ROOT-SERVERS.NET.
. 112691 IN NS B.ROOT-SERVERS.NET.
. 112691 IN NS E.ROOT-SERVERS.NET.
. 112691 IN NS C.ROOT-SERVERS.NET.
. 112691 IN NS H.ROOT-SERVERS.NET.
. 112691 IN NS D.ROOT-SERVERS.NET.
. 112691 IN NS I.ROOT-SERVERS.NET.
. 112691 IN NS G.ROOT-SERVERS.NET.
. 112691 IN NS A.ROOT-SERVERS.NET.
. 112691 IN NS F.ROOT-SERVERS.NET.
. 112691 IN NS K.ROOT-SERVERS.NET.
;; Received 332 bytes from ::1#53(::1) in 2 ms

com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 496 bytes from 2001:7fd::1#53(K.ROOT-SERVERS.NET) in 51 ms

google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
;; Received 169 bytes from 2001:503:a83e::2:30#53(a.gtld-servers.net) in
240 ms

;; connection timed out; no servers could be reached


martin at airwire

Nov 3, 2009, 5:18 AM

Post #22 of 26 (1803 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
Chris Hills wrote:
> On 03/11/09 14:07, Martin List-Petersen wrote:
>> Google has done that. It's ipv6.google.com.
>>
>> And there is no problem accessing Google from an IPv6 only network, if
>> your network is whitelisted. Contact Google to get it whitelisted. I use
>> Google every day from a IPv6 only box.
>>
>> Services that don't work on IPv6 aren't available to IPv6 yet.
>
> This is /not/ accessible from an IPv6-only network. The google
> nameservers are only v4-connected.
>
> $ dig -6 +trace ipv6.google.com. in aaaa

Different issue. The nameservers should either be made available via
IPv6 or your nameserver needs IPv4 connectivity.

marlow [at] sleipne:~$ dig -6 www.google.com aaaa

; <<>> DiG 9.4.1 <<>> -6 www.google.com aaaa
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2426
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN AAAA

;; ANSWER SECTION:
www.google.com. 80776 IN CNAME www.l.google.com.
www.l.google.com. 204 IN AAAA 2001:4860:a005::68

;; Query time: 42 msec
;; SERVER: 2a02:278:50::1#53(2a02:278:50::1)
;; WHEN: Tue Nov 3 13:15:51 2009
;; MSG SIZE rcvd: 80

Creating another domain for that cause is the wrong approach.

Kind regards,
Martin List-Petersen
--
Airwire - Ag Nascadh Pobail an Iarthair
http://www.airwire.ie
Phone: 091-865 968


chaz at chaz6

Nov 3, 2009, 5:26 AM

Post #23 of 26 (1799 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
On 03/11/09 14:18, Martin List-Petersen wrote:
> Different issue. The nameservers should either be made available via
> IPv6 or your nameserver needs IPv4 connectivity.
>
> [..]
>
> Creating another domain for that cause is the wrong approach.

I would of course prefer that they IPv6-enabled one or more of their
primary DNS servers, but given they are taking a whitelisting approach
for serving AAAA for www/mail/etc that seems unlikely to happen in the
near future.


chaz at chaz6

Nov 3, 2009, 5:26 AM

Post #24 of 26 (1778 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
On 03/11/09 14:18, Martin List-Petersen wrote:
> Different issue. The nameservers should either be made available via
> IPv6 or your nameserver needs IPv4 connectivity.
>
> [..]
>
> Creating another domain for that cause is the wrong approach.

I would of course prefer that they IPv6-enabled one or more of their
primary DNS servers, but given they are taking a whitelisting approach
for serving AAAA for www/mail/etc that seems unlikely to happen in the
near future.


gert at space

Nov 3, 2009, 6:12 AM

Post #25 of 26 (1787 views)
Permalink
Re: Dealing with filtered 6to4 clients [In reply to]
Hi,

On Tue, Nov 03, 2009 at 01:07:28PM +0000, Martin List-Petersen wrote:
> Google has done that. It's ipv6.google.com.
>
> And there is no problem accessing Google from an IPv6 only network, if
> your network is whitelisted. Contact Google to get it whitelisted. I use
> Google every day from a IPv6 only box.

There is no way to resolve www.google.com from an *IPv6 only* network,
as the white-listing part only relates to the records returned for "www",
not to the DNS chain.

$ dig www.google.com aaaa
www.google.com. 16h24m58s IN CNAME www.l.google.com.
www.l.google.com. 2m32s IN AAAA 2001:4860:a003::68

$ dig google.com ns
;; ANSWER SECTION:
google.com. 1d7h32m35s IN NS ns4.google.com.
google.com. 1d7h32m35s IN NS ns2.google.com.
google.com. 1d7h32m35s IN NS ns3.google.com.
google.com. 1d7h32m35s IN NS ns1.google.com.

;; ADDITIONAL SECTION:
ns3.google.com. 3d16h25m43s IN A 216.239.36.10
ns1.google.com. 1d23h52m27s IN A 216.239.32.10
ns2.google.com. 1d23h52m27s IN A 216.239.34.10
ns4.google.com. 1d23h52m27s IN A 216.239.38.10


(And yes, I know that this is a hard problem to change, and that a
fully IPv6-only network that doesn't have a v4 fallback DNS won't go
very far today - but this is one of the steps that eventually need to
be done as well)

Gert Doering
-- NetMaster
--
Total number of prefixes smaller than registry allocations: 144438

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279

First page Previous page 1 2 Next page Last page  View All nsp ipv6 RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.