
Mailing List Archive: nsp: ipv6

Gmail MX over IPv6

 

 



lucab at debian

Jun 15, 2012, 2:30 PM

Post #1 of 25 (5773 views)
Permalink
Gmail MX over IPv6

Hi,
I'm not sure if it is a recent change or if I have just been
white-listed, but today in mailserver logs I've spotted that gmail.com
is already accepting mail over an IPv6 MX:

lucab [at] galate:~$ dig +short mx gmail.com
10 alt1.gmail-smtp-in.l.google.com.
20 alt2.gmail-smtp-in.l.google.com.
30 alt3.gmail-smtp-in.l.google.com.
40 alt4.gmail-smtp-in.l.google.com.
5 gmail-smtp-in-v4v6.l.google.com.

lucab [at] galate:~$ dig +short any gmail-smtp-in-v4v6.l.google.com.
173.194.70.26
2a00:1450:8005::1b

I haven't yet seen any mail coming from gmail.com over IPv6, though.

Cheers, Luca

--
.''`. | ~<[ Luca BRUNO ~ (kaeso) ]>~
: :' : | Email: lucab (AT) debian.org ~ Debian Developer
`. `'` | GPG Key ID: 0x3BFB9FB3 ~ Free Software supporter
`- | HAM-radio callsign: IZ1WGT


ipv6-ops+phil at spodhuis

Jun 15, 2012, 6:40 PM

Post #2 of 25 (5149 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

On 2012-06-15 at 23:30 +0200, Luca BRUNO wrote:
> I'm not sure if it is a recent change or if I have just been
> white-listed, but today in mailserver logs I've spotted that gmail.com
> is already accepting mail over an IPv6 MX:

Recent, started with this year's IPv6 day. I've been whitelisted for
a couple of years, but I noticed it on June 6:

https://plus.google.com/101939425596655172174/posts/b5Rfyg8czw9

> I haven't yet seen any mail coming from gmail.com over IPv6, though.

Me neither, but they do seem to have been giving some recent attention
to their SMTP gateways; they also recently picked up support for TLS1.2
inbound-to-Gmail. Not yet outbound.

-Phil


evyncke at cisco

Jun 16, 2012, 11:21 AM

Post #3 of 25 (5114 views)
Permalink
RE: Gmail MX over IPv6 [In reply to]

Indeed, gmail cannot send to IPv6 MX... Just tested with dual-stack and IPv6-only email recipients

-Éric

> -----Original Message-----
> From: ipv6-ops-bounces+evyncke=cisco.com [at] lists [mailto:ipv6-ops-
> bounces+evyncke=cisco.com [at] lists] On Behalf Of Phil Pennock
> Sent: samedi 16 juin 2012 03:40
> To: Luca BRUNO
> Cc: ipv6-ops [at] lists
> Subject: Re: Gmail MX over IPv6
>
> On 2012-06-15 at 23:30 +0200, Luca BRUNO wrote:
> > I'm not sure if it is a recent change or if I have just been
> > white-listed, but today in mailserver logs I've spotted that gmail.com
> > is already accepting mail over an IPv6 MX:
>
> Recent, started with this year's IPv6 day. I've been whitelisted for a
> couple of years, but I noticed it on June 6:
>
> https://plus.google.com/101939425596655172174/posts/b5Rfyg8czw9
>
> > I haven't yet seen any mail coming from gmail.com over IPv6, though.
>
> Me neither, but they do seem to have been giving some recent attention to
> their SMTP gateways; they also recently picked up support for TLS1.2
> inbound-to-Gmail. Not yet outbound.
>
> -Phil


ek at google

Jun 16, 2012, 3:32 PM

Post #4 of 25 (5095 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

On 17 June 2012 03:21, Eric Vyncke (evyncke) <evyncke [at] cisco> wrote:
> Indeed, gmail cannot send to IPv6 MX... Just tested with dual-stack and IPv6-only email recipients

Not at this time, no. For one thing, gmail.com's SPF record has no
ip6: elements. =)


ocl at gih

Jun 16, 2012, 4:03 PM

Post #5 of 25 (5138 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

On 15/06/2012 23:30, Luca BRUNO wrote :
> I'm not sure if it is a recent change or if I have just been
> white-listed, but today in mailserver logs I've spotted that gmail.com
> is already accepting mail over an IPv6 MX:

Yes, but they appear to have "forgotten" googlemail.com which at some
point used to call gmail.

[root [at] waikik log]# dig +short mx googlemail.com
10 alt1.gmail-smtp-in.l.google.com.
20 alt2.gmail-smtp-in.l.google.com.
30 alt3.gmail-smtp-in.l.google.com.
40 alt4.gmail-smtp-in.l.google.com.
5 gmail-smtp-in.l.google.com.
[root [at] waikik log]# dig +short gmail-smtp-in.l.google.com.
173.194.67.27

Also -- did anyone check whether it breaks the SPF checking? It appears
that when gmail received email by IPv6, it doesn't recognise the IPv6
address which my mailer uses as a permitted sender, thus spf=softfail

Received-SPF: softfail (google.com: domain of transitioning ocl [at] gih does not designate 2a00:19e8:10:5::b as permitted sender) client-ip=2a00:19e8:10:5::b;

vs.

Received-SPF: pass (google.com: domain of ocl [at] gih designates 212.124.200.129 as permitted sender) client-ip=212.124.200.129;



Anyone else with this problem?

Kind regards,

Olivier

--
Olivier MJ Crépin-Leblond, PhD
http://www.gih.com/ocl.html


wolfgang.rupprecht at gmail

Jun 16, 2012, 8:18 PM

Post #6 of 25 (5183 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

Olivier MJ Crepin-Leblond <ocl [at] gih> writes:
> On 15/06/2012 23:30, Luca BRUNO wrote :
>> I'm not sure if it is a recent change or if I have just been
>> white-listed, but today in mailserver logs I've spotted that gmail.com
>> is already accepting mail over an IPv6 MX:
>
> Yes, but they appear to have "forgotten" googlemail.com which at some
> point used to call gmail.
>
> [root [at] waikik log]# dig +short mx googlemail.com
> 10 alt1.gmail-smtp-in.l.google.com.
> 20 alt2.gmail-smtp-in.l.google.com.
> 30 alt3.gmail-smtp-in.l.google.com.
> 40 alt4.gmail-smtp-in.l.google.com.
> 5 gmail-smtp-in.l.google.com.
> [root [at] waikik log]# dig +short gmail-smtp-in.l.google.com.
> 173.194.67.27
>
> Also -- did anyone check whether it breaks the SPF checking? It appears
> that when gmail received email by IPv6, it doesn't recognise the IPv6
> address which my mailer uses as a permitted sender, thus spf=softfail

I got a hardfail from gmail. Their SPF parsing for IPv6 is messed up.
Maybe the "::" notation scewed up a string compare to ":0:0:0:" or
":0:0:0:0:"?

Received-SPF: fail (google.com: domain of XXX [at] wsrcc does not designate 2001:5a8:4:7d1::1 as permitted sender) client-ip=2001:5a8:4:7d1::1;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of XXX [at] wsrcc does not designate 2001:5a8:4:7d1::1 as permitted sender) smtp.mail=XXX [at] wsrcc

wsrcc.com. 3600 IN TXT "v=spf1 ip4:64.142.50.224/29 ip6:2002:408e:32e0::/48 ip6:2001:5a8:4:7d0::/60 -all"

-wolfgang
--
g+: https://plus.google.com/114566345864337108516/about


cloos at jhcloos

Jun 17, 2012, 5:11 PM

Post #7 of 25 (5050 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

>>>>> "WSR" == Wolfgang S Rupprecht <wolfgang.rupprecht [at] gmail> writes:

WSR> I got a hardfail from gmail. Their SPF parsing for IPv6 is messed
WSR> up. Maybe the "::" notation scewed up a string compare to
WSR> ":0:0:0:" or ":0:0:0:0:"?

I can confirm that. I have a ip6: netblock in my spf and my outgoing
box's ipv6 is typically ascii-fied with a ::. When I configure my
MTA to prefer ipv6 for outgoing, goog shows an spf fail. When the MTA
uses ipv4 goog is happy.

I can see three possibilities:

Their spf parser doesn't grok ip6: tagged entries at all.

It doesn't handle addr/prefix notation for ipv6.

It cannot compare explicit vs :: notation.

-JimC
--
James Cloos <cloos [at] jhcloos> OpenPGP: 1024D/ED7DAEA6
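
Added example (not part of any post in this thread, and not Gmail's code): all three possibilities listed above disappear when an SPF checker parses the client address and each ip6: term into numeric form before comparing. The sketch evaluates only the ip4:, ip6: and all terms of the wsrcc.com record quoted earlier; `naive_string_match` is a hypothetical textual comparison included to show the failure mode guessed at in the thread.

```python
import ipaddress

# SPF record quoted in the thread (wsrcc.com TXT).
SPF_RECORD = ("v=spf1 ip4:64.142.50.224/29 ip6:2002:408e:32e0::/48 "
              "ip6:2001:5a8:4:7d0::/60 -all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_ip_mechanisms(record):
    """Return ([(result, network), ...], default) for ip4:/ip6: and 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    networks, default = [], "neutral"  # no match and no 'all' means neutral
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # A bare address is treated as /32 or /128 by ip_network().
            net = ipaddress.ip_network(value, strict=False)
            if net.version != (4 if name == "ip4" else 6):
                raise ValueError(f"address family mismatch in {term!r}")
            networks.append((QUALIFIERS[qualifier], net))
        elif name == "all":
            default = QUALIFIERS[qualifier]
            break  # terms after 'all' are never evaluated
        # include:, a, mx, ... need DNS lookups and are skipped in this sketch.
    return networks, default


def check_ip(record, client_ip):
    """Evaluate the ip4:/ip6:/all terms of an SPF record for one client."""
    addr = ipaddress.ip_address(client_ip)  # "::" and explicit zeros parse alike
    networks, default = parse_ip_mechanisms(record)
    for result, net in networks:
        if addr.version == net.version and addr in net:
            return result
    return default


def naive_string_match(record, client_ip):
    """Hypothetical broken checker: compares address text, not address bits."""
    for term in record.split()[1:]:
        if term.startswith("ip6:"):
            prefix_text = term[4:].split("/")[0].rstrip(":")
            if client_ip.startswith(prefix_text):
                return "pass"
    return "fail"


if __name__ == "__main__":
    client = "2001:5a8:4:7d1::1"  # client-ip from the Received-SPF header above
    print("numeric compare:", check_ip(SPF_RECORD, client))
    print("string compare: ", naive_string_match(SPF_RECORD, client))
```
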


ek at google

Jun 17, 2012, 5:30 PM

Post #8 of 25 (5099 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

On 18 June 2012 09:11, James Cloos <cloos [at] jhcloos> wrote:
>>>>>> "WSR" == Wolfgang S Rupprecht <wolfgang.rupprecht [at] gmail> writes:
>
> WSR> I got a hardfail from gmail.  Their SPF parsing for IPv6 is messed
> WSR> up.  Maybe the "::" notation scewed up a string compare to
> WSR> ":0:0:0:" or ":0:0:0:0:"?
>
> I can confirm that.  I have a ip6: netblock in my spf and my outgoing
> box's ipv6 is typically ascii-fied with a ::.  When I configure my
> MTA to prefer ipv6 for outgoing, goog shows an spf fail.  When the MTA
> uses ipv4 goog is happy.
>
> I can see three possibilities:
>
>  Their spf parser doesn't grok ip6: tagged entries at all.
>
>  It doesn't handle addr/prefix notation for ipv6.
>
>  It cannot compare explicit vs :: notation.

An issue with SPF parsing was raised and I'm told a fix should be
rolling out this week.


jkrolan at mnathani

Jun 20, 2012, 11:28 PM

Post #9 of 25 (5015 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

Since Gmail has enabled AAAA records for some of its MX hosts, my IPv4 only
machine gets the Gmail IPv6 address and attempts to deliver email. It's only
when the timeout has been reached will it try the IPv4 address.

I am curious if anyone else is experiencing this or perhaps I need to do
something on the CentOS 6 box to disable IPv6 till the time when it has
native IPv6 capability.


Jun 21 02:14:47 onion postfix/cleanup[1494]: 435AD1A110A:
message-id=<20120621061447.435AD1A110A [at] host>
Jun 21 02:14:47 onion postfix/qmgr[1348]: 435AD1A110A:
from=<user [at] host>, size=448, nrcpt=1 (queue active)
Jun 21 02:15:09 onion postfix/smtp[1497]: connect to
gmail-smtp-in-v4v6.l.google.com[2001:4860:b007::1b]:25: Connection timed out
Jun 21 02:15:10 onion postfix/smtp[1497]: 435AD1A110A: to=<
myemailaddress [at] gmail>,
relay=gmail-smtp-in-v4v6.l.google.com[209.85.225.27]:25,
delay=23, delays=0.29/0.03/22/1.2, dsn=2.0.0, status=sent (250 2.0.0 OK
1340259310 e9si1516803ign.65)
Jun 21 02:15:10 onion postfix/qmgr[1348]: 435AD1A110A: removed

Mansoor nathani

On Sun, Jun 17, 2012 at 8:30 PM, Erik Kline <ek [at] google> wrote:
> On 18 June 2012 09:11, James Cloos <cloos [at] jhcloos> wrote:
>>>>>>> "WSR" == Wolfgang S Rupprecht <wolfgang.rupprecht [at] gmail> writes:
>>
>> WSR> I got a hardfail from gmail. Their SPF parsing for IPv6 is messed
>> WSR> up. Maybe the "::" notation scewed up a string compare to
>> WSR> ":0:0:0:" or ":0:0:0:0:"?
>>
>> I can confirm that. I have a ip6: netblock in my spf and my outgoing
>> box's ipv6 is typically ascii-fied with a ::. When I configure my
>> MTA to prefer ipv6 for outgoing, goog shows an spf fail. When the MTA
>> uses ipv4 goog is happy.
>>
>> I can see three possibilities:
>>
>> Their spf parser doesn't grok ip6: tagged entries at all.
>>
>> It doesn't handle addr/prefix notation for ipv6.
>>
>> It cannot compare explicit vs :: notation.
>
> An issue with SPF parsing was raised and I'm told a fix should be
> rolling out this week.


fred at cisco

Jun 20, 2012, 11:39 PM

Post #10 of 25 (5013 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

On Jun 20, 2012, at 11:28 PM, Mansoor Nathani wrote:

> Since Gmail has enabled AAAA records for some of its MX hosts, my IPv4 only machine gets the Gmail IPv6 address and attempts to deliver email. Its only when the timeout has been reached will it try the IPv4 address.
>
> I am curious if anyone else is experiencing this or perhaps I need to do something on the CentOS 6 box to disable IPv6 till the time when it has native IPv6 capability.

This is essentially the same issue described in RFC 6555. The good news is that it is largely fixed for common web browsers; the bad news is that the penny does not seem to have dropped that

(1) this is not about IPv4 vs IPv6, it's about having multiple addresses, some of which have a route and some don't at any given time, and
(2) this applies to any application.

Jun 21 02:14:47 onion postfix/cleanup[1494]: 435AD1A110A: message-id=<20120621061447.435AD1A110A [at] host>
Jun 21 02:14:47 onion postfix/qmgr[1348]: 435AD1A110A: from=<user [at] host>, size=448, nrcpt=1 (queue active)
Jun 21 02:15:09 onion postfix/smtp[1497]: connect to gmail-smtp-in-v4v6.l.google.com[2001:4860:b007::1b]:25: Connection timed out
Jun 21 02:15:10 onion postfix/smtp[1497]: 435AD1A110A: to=<myemailaddress [at] gmail>, relay=gmail-smtp-in-v4v6.l.google.com[209.85.225.27]:25, delay=23, delays=0.29/0.03/22/1.2, dsn=2.0.0, status=sent (250 2.0.0 OK 1340259310 e9si1516803ign.65)
Jun 21 02:15:10 onion postfix/qmgr[1348]: 435AD1A110A: removed

Mansoor nathani

On Sun, Jun 17, 2012 at 8:30 PM, Erik Kline <ek [at] google> wrote:
> On 18 June 2012 09:11, James Cloos <cloos [at] jhcloos> wrote:
>>>>>>> "WSR" == Wolfgang S Rupprecht <wolfgang.rupprecht [at] gmail> writes:
>>
>> WSR> I got a hardfail from gmail. Their SPF parsing for IPv6 is messed
>> WSR> up. Maybe the "::" notation scewed up a string compare to
>> WSR> ":0:0:0:" or ":0:0:0:0:"?
>>
>> I can confirm that. I have a ip6: netblock in my spf and my outgoing
>> box's ipv6 is typically ascii-fied with a ::. When I configure my
>> MTA to prefer ipv6 for outgoing, goog shows an spf fail. When the MTA
>> uses ipv4 goog is happy.
>>
>> I can see three possibilities:
>>
>> Their spf parser doesn't grok ip6: tagged entries at all.
>>
>> It doesn't handle addr/prefix notation for ipv6.
>>
>> It cannot compare explicit vs :: notation.
>
> An issue with SPF parsing was raised and I'm told a fix should be
> rolling out this week.


nick at foobar

Jun 21, 2012, 12:03 AM

Post #11 of 25 (4987 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

On 21 Jun 2012, at 07:39, "Fred Baker (fred)" <fred [at] cisco> wrote:
> (1) this is not about IPv4 vs IPv6, it's about having multiple addresses, some of which have a route and some don't at any given time, and
> (2) this applies to any application.

That's for sure. A recent provider v6 mta problem caused my office's outlook installations to have severe indigestion. Turns out that users don't like it when outlook freezes every time it attempts to check for new mail. Who knew?

Nick


berni at birkenwald

Jun 21, 2012, 12:15 AM

Post #12 of 25 (4990 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

Am 21.06.2012 08:28, schrieb Mansoor Nathani:

Hello Mansoor,

> Since Gmail has enabled AAAA records for some of its MX hosts, my IPv4
> only machine gets the Gmail IPv6 address and attempts to deliver email.
> Its only when the timeout has been reached will it try the IPv4 address.
>
> I am curious if anyone else is experiencing this or perhaps I need to do
> something on the CentOS 6 box to disable IPv6 till the time when it has
> native IPv6 capability.

Good time to deploy IPv6 to your MTA :-)

Have a look at http://www.postfix.org/postconf.5.html#inet_protocols and
http://www.postfix.org/postconf.5.html#smtp_address_preference . OTOH,
if you get a timeout your system is broken anyway, since a
well-configured system will return destination unreachable immediately.
You would not notice it. So please show "ip -6 addr; ip -6 route" from
the server.

Best Regards,
Bernhard


gert at space

Jun 21, 2012, 12:16 AM

Post #13 of 25 (4989 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

Hi,

On Thu, Jun 21, 2012 at 02:28:31AM -0400, Mansoor Nathani wrote:
> Since Gmail has enabled AAAA records for some of its MX hosts, my IPv4 only
> machine gets the Gmail IPv6 address and attempts to deliver email. Its only
> when the timeout has been reached will it try the IPv4 address.
>
> I am curious if anyone else is experiencing this or perhaps I need to do
> something on the CentOS 6 box to disable IPv6 till the time when it has
> native IPv6 capability.
>
> Jun 21 02:14:47 onion postfix/cleanup[1494]: 435AD1A110A:
> message-id=<20120621061447.435AD1A110A [at] host>
> Jun 21 02:14:47 onion postfix/qmgr[1348]: 435AD1A110A:
> from=<user [at] host>, size=448, nrcpt=1 (queue active)
> Jun 21 02:15:09 onion postfix/smtp[1497]: connect to
> gmail-smtp-in-v4v6.l.google.com[2001:4860:b007::1b]:25: Connection timed out

The more interesting question, actually, is why it actually has to wait
for IPv6 to time-out if your machine is IPv4-only - it should immediately
fail for IPv6, and then try IPv4.

What does "ip -6 route" show on your machine?

I'd guess that your machine thinks it *does* have IPv6, because a friendly
Windows box in the neighbourhood announced a 2002 prefix...

*Broken* IPv6 is what causes these problems, "no IPv6" is handled just fine
(but then, for outgoing mail sent by a MTA, 30 seconds delay do not *really*
cause harm)

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279


jkrolan at mnathani

Jun 21, 2012, 12:28 AM

Post #14 of 25 (5023 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

Here is the output:

I noticed it seems to be picking up some ip / address info from an IPv6
tunnel to Hurricane Electric.

I never configured this host with any such IPv6 information however.

The tunnel is using 2001:470:b148::/48 .

Here is an attempt to traceroute to google:

[root [at] onio ~]# traceroute6 google.com
traceroute to google.com (2001:4860:4008:802::1001), 30 hops max, 80 byte
packets
1 fe80::205:32ff:fee8:8b61%eth0 (fe80::205:32ff:fee8:8b61%eth0) 1.729 ms
5.032 ms 5.331 ms
2 * * *
3 * * *


[root [at] onio ~]# ip -6 add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 fe80::215:5dff:fe02:830a/64 scope link
valid_lft forever preferred_lft forever


[root [at] onio ~]# ip -6 route
unreachable ::/96 dev lo metric 1024 error -101 mtu 16436 advmss 16376
hoplimit 4294967295
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -101 mtu 16436
advmss 16376 hoplimit 4294967295
2001:470:b148::/48 dev eth0 proto kernel metric 256 expires 0sec mtu
1500 advmss 1440 hoplimit 4294967295
unreachable 2002:a00::/24 dev lo metric 1024 error -101 mtu 16436 advmss
16376 hoplimit 4294967295
unreachable 2002:7f00::/24 dev lo metric 1024 error -101 mtu 16436 advmss
16376 hoplimit 4294967295
unreachable 2002:a9fe::/32 dev lo metric 1024 error -101 mtu 16436 advmss
16376 hoplimit 4294967295
unreachable 2002:ac10::/28 dev lo metric 1024 error -101 mtu 16436 advmss
16376 hoplimit 4294967295
unreachable 2002:c0a8::/32 dev lo metric 1024 error -101 mtu 16436 advmss
16376 hoplimit 4294967295
unreachable 2002:e000::/19 dev lo metric 1024 error -101 mtu 16436 advmss
16376 hoplimit 4294967295
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -101 mtu 16436 advmss
16376 hoplimit 4294967295
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit
4294967295
default via fe80::205:32ff:fee8:8b61 dev eth0 proto kernel metric 1024
expires 0sec mtu 1500 advmss 1440 hoplimit 64


On Thu, Jun 21, 2012 at 3:16 AM, Gert Doering <gert [at] space> wrote:

> Hi,
>
> On Thu, Jun 21, 2012 at 02:28:31AM -0400, Mansoor Nathani wrote:
> > Since Gmail has enabled AAAA records for some of its MX hosts, my IPv4
> only
> > machine gets the Gmail IPv6 address and attempts to deliver email. Its
> only
> > when the timeout has been reached will it try the IPv4 address.
> >
> > I am curious if anyone else is experiencing this or perhaps I need to do
> > something on the CentOS 6 box to disable IPv6 till the time when it has
> > native IPv6 capability.
> >
> > Jun 21 02:14:47 onion postfix/cleanup[1494]: 435AD1A110A:
> > message-id=<20120621061447.435AD1A110A [at] host>
> > Jun 21 02:14:47 onion postfix/qmgr[1348]: 435AD1A110A:
> > from=<user [at] host>, size=448, nrcpt=1 (queue active)
> > Jun 21 02:15:09 onion postfix/smtp[1497]: connect to
> > gmail-smtp-in-v4v6.l.google.com[2001:4860:b007::1b]:25: Connection
> timed out
>
> The more interesting question, actually, is why it actually has to wait
> for IPv6 to time-out if your machine is IPv4-only - it should immediately
> fail for IPv6, and then try IPv4.
>
> What does "ip -6 route" show on your machine?
>
> I'd guess that your machine thinks it *does* have IPv6, because a friendly
> Windows box in the neighbourhood announced a 2002 prefix...
>
> *Broken* IPv6 is what causes these problems, "no IPv6" is handled just fine
> (but then, for outgoing mail sent by a MTA, 30 seconds delay do not
> *really*
> cause harm)
>
> Gert Doering
> -- NetMaster
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen HRB: 136055 (AG Muenchen)
> Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279
>


berni at birkenwald

Jun 21, 2012, 12:32 AM

Post #15 of 25 (4982 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

Am 21.06.2012 09:28, schrieb Mansoor Nathani:

Hi,

> I noticed it seems to be picking up some ip / address info from an IPv6
> tunnel to Hurricane Electric.
>
> I never configured this host with any such IPv6 information however.
> The tunnel is using 2001:470:b148::/48 .

Well, someone in your network obviously did.

> 2001:470:b148::/48 dev eth0 proto kernel metric 256 expires 0sec mtu
> default via fe80::205:32ff:fee8:8b61 dev eth0 proto kernel metric 1024
> expires 0sec mtu 1500 advmss 1440 hoplimit 64

The device with the MAC address 00:05:32:e8:8b:61 is sending router
advertisements with the prefix 2001:470:b148::/48 . Lucky (or unlucky)
for you they are wrongly advertising a /48, not a /64, so SLAAC does not
work and you don't get an address assigned. I'm a bit confused at the
moment, since I thought Linux was handling "has defaultroute but not a
global address" correctly these days, but obviously there are still some
issues.

Hunt down that bogus advertisement, that should solve the problem.

Bernhard


ignatios at jaguar-alpha

Jun 21, 2012, 12:47 AM

Post #16 of 25 (4979 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

Hi,

On Thu, Jun 21, 2012 at 03:28:06AM -0400, Mansoor Nathani wrote:

> The tunnel is using 2001:470:b148::/48 .
...
> [root [at] onio ~]# traceroute6 google.com
> traceroute to google.com (2001:4860:4008:802::1001), 30 hops max, 80 byte
> packets
> 1 fe80::205:32ff:fee8:8b61%eth0 (fe80::205:32ff:fee8:8b61%eth0) 1.729 ms
> 5.032 ms 5.331 ms
...
> default via fe80::205:32ff:fee8:8b61 dev eth0 proto kernel metric 1024
> expires 0sec mtu 1500 advmss 1440 hoplimit 64

In case you didn't know, that's the device with MAC address
00:05:32:e8:8b:61, or a clever DOS attack disguising as such. I'm
not familiar with Linux IPv6 commands - does it have something like
ndp to check?

%> grep -i 00-05-32 oui.txt
00-05-32 (hex) Cisco Systems, Inc.

So it is some Cisco box.

Regards,
-is
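
Added example, not part of the thread: the manual diagnosis from posts #15 and #16, run over the `ip -6 addr` and `ip -6 route` output posted above (wrapped lines rejoined, the unreachable routes omitted). Function names are this example's own; it flags a default route with no global address, notes that the on-link prefix is not a /64, and recovers the advertising router's MAC from its EUI-64 link-local address.

```python
import ipaddress
import re

# Output posted in the thread, wrapped lines rejoined.
SAMPLE_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::215:5dff:fe02:830a/64 scope link
       valid_lft forever preferred_lft forever
"""

SAMPLE_ROUTE = """\
2001:470:b148::/48 dev eth0 proto kernel metric 256 expires 0sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
default via fe80::205:32ff:fee8:8b61 dev eth0 proto kernel metric 1024 expires 0sec mtu 1500 advmss 1440 hoplimit 64
"""


def mac_from_link_local(addr):
    """Recover the MAC from a modified EUI-64 link-local address, else None."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop any %zone suffix
    iid = ip.packed[8:]                             # 64-bit interface identifier
    if not ip.is_link_local or iid[3:5] != b"\xff\xfe":
        return None                                 # not derived from a MAC
    # Undo EUI-64: remove the ff:fe filler and flip the universal/local bit.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def global_addresses(addr_output):
    """Addresses with global scope in `ip -6 addr` output."""
    return re.findall(r"^\s*inet6 (\S+)/\d+ scope global", addr_output, re.M)


def default_routes(route_output):
    """(gateway, device) pairs for every default route."""
    return re.findall(r"^default via (\S+) dev (\S+)", route_output, re.M)


def on_link_prefixes(route_output):
    """Non-link-local prefixes routed straight onto an interface."""
    found = []
    for line in route_output.splitlines():
        m = re.match(r"([0-9a-fA-F:]+/\d+) dev (\S+)", line)
        if not m:
            continue
        net = ipaddress.ip_network(m.group(1), strict=False)
        if net.network_address.is_link_local:
            continue
        # SLAAC on Ethernet only forms an address from a /64 prefix.
        found.append({"prefix": str(net), "dev": m.group(2),
                      "slaac_usable": net.prefixlen == 64})
    return found


def diagnose(addr_output, route_output):
    """Summarise the 'default route but no global address' condition."""
    globals_ = global_addresses(addr_output)
    gateways = [{"gateway": gw, "dev": dev, "mac": mac_from_link_local(gw)}
                for gw, dev in default_routes(route_output)]
    return {
        "global_addresses": globals_,
        "default_gateways": gateways,
        "on_link_prefixes": on_link_prefixes(route_output),
        # Packets have a next hop but no usable source address.
        "broken": bool(gateways) and not globals_,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_ADDR, SAMPLE_ROUTE).items():
        print(f"{key}: {value}")
```
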


pim at ipng

Jun 21, 2012, 12:48 AM

Post #17 of 25 (4976 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

Hoi Mansoor,

2012/6/21 Bernhard Schmidt <berni [at] birkenwald>:
> Am 21.06.2012 09:28, schrieb Mansoor Nathani:
>
> Hi,
>
>> I noticed it seems to be picking up some ip / address info from an IPv6
>> tunnel to Hurricane Electric.
>>
>> I never configured this host with any such IPv6 information however.
It seems you are in a hostile ethernet environment where you do not
control all nodes, and one of them is sending router advertisements.
I've always been upset with Linux for accepting RA by default. You may
want to consider:
# sysctl -w net.ipv6.conf.default.accept_ra=0

and turning on accept_ra only if you know your network environment.
That will save you from surprises like this one.

--
Pim van Pelt <pim [at] ipng>
PBVP1-RIPE - http://www.ipng.nl/


jkrolan at mnathani

Jun 21, 2012, 12:51 AM

Post #18 of 25 (4987 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

After turning off Router Advertisements from a cisco device on the network,
I get the expected Network is unreachable message when the MTA tries IPv6
and right after that the message goes through using v4.

Thank you for your assistance.

Jun 21 03:41:48 onion postfix/qmgr[1348]: 3CCDA1A1123: from=<
root [at] example>, size=452, nrcpt=1 (queue active)
Jun 21 03:41:48 onion postfix/smtp[22635]: connect to
gmail-smtp-in-v4v6.l.google.com[2001:4860:b007::1a]:25: Network is
unreachable
Jun 21 03:41:50 onion postfix/smtp[22635]: 3CCDA1A1123: to=<
myaddress [at] gmail>, relay=gmail-smtp-in-v4v6.l.google.com[209.85.225.26]:25,
delay=1.9, delays=0.21/0.02/0.86/0.84, dsn=2.0.0, status=sent (250 2.0.0 OK
1340264510 ab7si1761286igc.10)
Jun 21 03:41:50 onion postfix/qmgr[1348]: 3CCDA1A1123: removed


On Thu, Jun 21, 2012 at 3:32 AM, Bernhard Schmidt <berni [at] birkenwald> wrote:

> Am 21.06.2012 09:28, schrieb Mansoor Nathani:
>
> Hi,
>
> > I noticed it seems to be picking up some ip / address info from an IPv6
> > tunnel to Hurricane Electric.
> >
> > I never configured this host with any such IPv6 information however.
> > The tunnel is using 2001:470:b148::/48 .
>
> Well, someone in your network obviously did.
>
> > 2001:470:b148::/48 dev eth0 proto kernel metric 256 expires 0sec mtu
> > default via fe80::205:32ff:fee8:8b61 dev eth0 proto kernel metric 1024
> > expires 0sec mtu 1500 advmss 1440 hoplimit 64
>
> The device with the MAC address 00:05:32:e8:8b:61 is sending router
> advertisements with the prefix 2001:470:b148::/48 . Lucky (or unlucky)
> for you they are wrongly advertising a /48, not a /64, so SLAAC does not
> work and you don't get an address assigned. I'm a bit confused at the
> moment, since I thought Linux was handling "has defaultroute but not a
> global address" correctly these days, but obviously there are still some
> issues.
>
> Hunt down that bogus advertisement, that should solve the problem.
>
> Bernhard
>
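
Added example, not part of the thread: a small log check that pairs each failed IPv6 connect with the IPv4 delivery that followed, using the two Postfix excerpts posted by Mansoor (wrapped lines rejoined). It reads the third `delays=` field, which Postfix documents as connection setup time, to separate broken IPv6 (timeout) from absent IPv6 (immediate unreachable); function names and verdict labels are this example's own.

```python
import ipaddress
import re

# Log lines posted in the thread (before and after the fix), lines rejoined.
SAMPLE_LOG = """\
Jun 21 02:15:09 onion postfix/smtp[1497]: connect to gmail-smtp-in-v4v6.l.google.com[2001:4860:b007::1b]:25: Connection timed out
Jun 21 02:15:10 onion postfix/smtp[1497]: 435AD1A110A: to=<myemailaddress [at] gmail>, relay=gmail-smtp-in-v4v6.l.google.com[209.85.225.27]:25, delay=23, delays=0.29/0.03/22/1.2, dsn=2.0.0, status=sent (250 2.0.0 OK 1340259310 e9si1516803ign.65)
Jun 21 03:41:48 onion postfix/smtp[22635]: connect to gmail-smtp-in-v4v6.l.google.com[2001:4860:b007::1a]:25: Network is unreachable
Jun 21 03:41:50 onion postfix/smtp[22635]: 3CCDA1A1123: to=<myaddress [at] gmail>, relay=gmail-smtp-in-v4v6.l.google.com[209.85.225.26]:25, delay=1.9, delays=0.21/0.02/0.86/0.84, dsn=2.0.0, status=sent (250 2.0.0 OK 1340264510 ab7si1761286igc.10)
"""

CONNECT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: connect to (?P<host>[^\[\s]+)"
    r"\[(?P<addr>[^\]]+)\]:\d+: (?P<error>.+)$")
SENT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<[^>]*>, "
    r"relay=[^\[\s]+\[(?P<addr>[^\]]+)\]:\d+, .*?"
    r"delays=[\d.]+/[\d.]+/(?P<setup>[\d.]+)/[\d.]+, .*?status=(?P<status>\w+)")


def classify(error):
    """Map the connect error to the two cases distinguished in the thread."""
    text = error.lower()
    if "timed out" in text:
        return "broken-ipv6"  # host believed it had a route; packets vanished
    if "unreachable" in text:
        return "no-ipv6"      # kernel refused at once; fallback is immediate
    return "other"


def find_fallbacks(log_text):
    """Pair failed IPv6 connects with the IPv4 delivery by the same smtp pid."""
    pending = {}  # smtp pid -> [(ipv6 address, error text), ...]
    events = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            if ipaddress.ip_address(m["addr"]).version == 6:
                pending.setdefault(m["pid"], []).append((m["addr"], m["error"]))
            continue
        m = SENT_RE.search(line)
        if not m or m["status"] != "sent":
            continue
        failures = pending.pop(m["pid"], [])
        if ipaddress.ip_address(m["addr"]).version != 4:
            continue  # delivered over IPv6 after all; nothing to report
        for v6_addr, error in failures:
            events.append({
                "queue_id": m["qid"],
                "failed_ipv6": v6_addr,
                "error": error,
                "ipv4_relay": m["addr"],
                "setup_seconds": float(m["setup"]),
                "verdict": classify(error),
            })
    return events


if __name__ == "__main__":
    for event in find_fallbacks(SAMPLE_LOG):
        print(event)
```
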


gert at space

Jun 21, 2012, 12:54 AM

Post #19 of 25 (4984 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

Hi,

On Thu, Jun 21, 2012 at 03:51:05AM -0400, Mansoor Nathani wrote:
> After turning off Router Advertisements from a cisco device on the network,
> I get the expected Network is unreachable message when the MTA tries IPv6
> and right after that the message goes through using v4.

Alternatively, you could configure the Cisco correctly, so that it will
not announce a /48 on the LAN but a /64 - and then your mail will go
out over IPv6 :-)

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279


ignatios at jaguar-alpha

Jun 21, 2012, 12:56 AM

Post #20 of 25 (4979 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

Hi,

On Thu, Jun 21, 2012 at 09:47:35AM +0200, Ignatios Souvatzis wrote:

> In case you didn't know, that's the device with MAC address
> 00:05:32:e8:8b:61, or a clever DOS attack disguising as such. I'm
> not familiar with Linux IPv6 commands - does it have something like
> ndp to check?

The equivalent to (Net?)BSD's "ndp -a", at least on the one Linux
server I have access to, is:

> ip -6 neigh

You should check what the router's MAC really is before hunting the culprit.

Regards,
-is


cloos at jhcloos

Jun 21, 2012, 12:40 PM

Post #21 of 25 (4985 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

>>>>> "MN" == Mansoor Nathani <jkrolan [at] mnathani> writes:

MN> Since Gmail has enabled AAAA records for some of its MX hosts, my IPv4 only
MN> machine gets the Gmail IPv6 address and attempts to deliver email. Its only
MN> when the timeout has been reached will it try the IPv4 address.

Your log shows that you use postfix.

Add this:

smtp_address_preference = ipv4

to main.cf to tell postfix to use only ipv4 for outgoing smtp.

The postconf(5) man page explains:

,----< excerpt from postconf(5) >
| smtp_address_preference (default: any)
| The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
| will try first, when a destination has IPv6 and IPv4 addresses with
| equal MX preference. This feature has no effect unless the inet_protocols
| setting enables both IPv4 and IPv6. With Postfix 2.8 the default
| is "ipv6".
|
| This feature is available in Postfix 2.8 and later.
`----

That doc snippet reminds me that you could instead add:

inet_protocols = ipv4

to do the same thing.

-JimC
--
James Cloos <cloos [at] jhcloos> OpenPGP: 1024D/ED7DAEA6


geert at hendrickx

Jun 21, 2012, 12:52 PM

Post #22 of 25 (4999 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

On Thu, Jun 21, 2012 at 15:40:58 -0400, James Cloos wrote:
> >>>>> "MN" == Mansoor Nathani <jkrolan [at] mnathani> writes:
>
> MN> Since Gmail has enabled AAAA records for some of its MX hosts, my IPv4 only
> MN> machine gets the Gmail IPv6 address and attempts to deliver email. Its only
> MN> when the timeout has been reached will it try the IPv4 address.
>
> Your log shows that you use postfix.
>
> Add this:
>
> smtp_address_preference = ipv4
>
> to main.cf to tell postfix to use only ipv4 for outgoing smtp.
>
> The postconf(5) man page explains:
>
> ,----< excerpt from postconf(5) >
> | smtp_address_preference (default: any)
> | The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
> | will try first, when a destination has IPv6 and IPv4 addresses with
> | equal MX preference. This feature has no effect unless the inet_protocols
> | setting enables both IPv4 and IPv6. With Postfix 2.8 the default
> | is "ipv6".
> |
> | This feature is available in Postfix 2.8 and later.
> `----
>
> That doc snippet reminds me that you could instead add:
>
> inet_protocols = ipv4
>
> to do the same thing.


No, this will disable IPv6 for inbound connections as well.


Geert


--
geert.hendrickx.be :: geert [at] hendrickx :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!


nick at foobar

Jun 21, 2012, 3:15 PM

Post #23 of 25 (5047 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

On 21/06/2012 20:40, James Cloos wrote:
>>>>>> "MN" == Mansoor Nathani <jkrolan [at] mnathani> writes:
>
> MN> Since Gmail has enabled AAAA records for some of its MX hosts, my IPv4 only
> MN> machine gets the Gmail IPv6 address and attempts to deliver email. Its only
> MN> when the timeout has been reached will it try the IPv4 address.
>
> Your log shows that you use postfix.
>
> Add this:
>
> smtp_address_preference = ipv4

alternatively, either remove the ipv6 default route or else fix your v6
connectivity. removing the default route will cause immediate failover to
v4. Fixing things will ... uh, n/m.

Nick


cloos at jhcloos

Jun 21, 2012, 5:00 PM

Post #24 of 25 (4963 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

>>>>> "GH" == Geert Hendrickx <geert [at] hendrickx> writes:

GH> No, this will disable IPv6 for inbound connections as well.

True, but since he lack(ed|s) v6 routing, that d(id|oes)n't much matter....

-JimC
--
James Cloos <cloos [at] jhcloos> OpenPGP: 1024D/ED7DAEA6


nick at foobar

Jun 21, 2012, 5:23 PM

Post #25 of 25 (4996 views)
Permalink
Re: Gmail MX over IPv6 [In reply to]

On 22/06/2012 01:00, James Cloos wrote:
> True, but since he lack(ed|s) v6 routing, that d(id|oes)n't much matter....

he lacked ipv6 connectivity, not an ipv6 next-hop. There is something on
his network announcing an ipv6 default gateway if this sort of thing is
happening.

Nick
