Denic (.de) blocking 6to4 nameservers (since begin feb 2010)
Hi,
We are using 6to4 on our fallback site because the provider there is not able to provide us native IPv6 yet. We have also installed a fallback nameserver over there using a 6to4 address.
This works well and no complaints whatsoever in the past.
However, last week Denic (registry for .de) changed their policy (or their checks). They don't allow a nameserver for a .de domain anymore which contains a 6to4 address. The policy is "it should be a global unicast AND the block should be assigned to a RIR for suballocation purpose". The 6to4 range is Global Unicast (http://www.iana.org/assignments/ipv6-unicast-address-assignments/) but it is not assigned to a RIR because it is a special block. This fails their policy and their checks (resulting in an ERROR: 105 All IPv6 Addresses must be Global Unicast).
Ok, policy is policy and we should not complain. However, I'm asking your opinions about this policy. I find this really stupid because this completely breaks use for 6to4 in Germany and there is no good reason to block it.
We know we should push our provider to support native IPv6, and we do. But this should not stop us using IPv6 6to4.
regards, Igor Ybema
At 13:26 +0100 2/11/10, Igor Ybema wrote:
Ok, policy is policy and we should not complain.
No, really, policies should be examined and questioned. Having been in policy meetings, unless the operations crowd openly questions and gives feedback, the meetings are just wastes of time.
However, I'm asking your opinions about this policy.
That's the right first step. (Note: no commentary on 6to4 in this, I'm not familiar enough with it.)
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468
As with IPv6, the problem with the deployment of frictionless surfaces is that they're not getting traction.
On 11/02/2010 12:26, Igor Ybema wrote:
Ok, policy is policy and we should not complain. However, I'm asking your opinions about this policy. I find this really stupid because this completely breaks use for 6to4 in Germany and there is no good reason to block it.
Someone once asked Angela Merkel what she liked most about Germany. She replied "Ich denke an dichte Fenster! Kein anderes Land kann so dichte und so schöne Fenster bauen"
("I think ... thick windows. No other country can build windows which are as thick or as nice.")
This might just be a cultural thing. While lots of countries have a love affair with doing things badly, Germany realises the value of quality infrastructure.
6to4 is ghetto. DE-NIC doesn't like it. Putting a DNS server on a 6to4 address serves no other purpose than to say: "There! I fixed it!"
ob-url: http://thereifixedit.com/
Nick
On Feb 11, 2010, at 8:15 AM, Nick Hilliard wrote:
On 11/02/2010 12:26, Igor Ybema wrote:
Ok, policy is policy and we should not complain. However, I'm asking your opinions about this policy. I find this really stupid because this completely breaks use for 6to4 in Germany and there is no good reason to block it.
Someone once asked Angela Merkel what she liked most about Germany. She replied "Ich denke an dichte Fenster! Kein anderes Land kann so dichte und so schöne Fenster bauen"
("I think ... thick windows. No other country can build windows which are as thick or as nice.")
Actually, the translation is: "I think about airtight windows. No other country can build windows that are this airtight and this beautiful." dicht = airtight, dick = thick.
This might just be a cultural thing. While lots of countries have a love affair with doing things badly, Germany realises the value of quality infrastructure.
6to4 is ghetto. DE-NIC doesn't like it. Putting a DNS server on a 6to4 address serves no other purpose than to say: "There! I fixed it!"
ob-url: http://thereifixedit.com/
Nick
In message <a05493651002110426u7d9688c9i273ff64c456ecdc7@mail.gmail.com>, Igor Ybema writes:
Hi,
We are using 6to4 on our fallback site because the provider there is not able to provide us native IPv6 yet. We have also installed a fallback nameserver over there using a 6to4 address.
This works well and no complaints whatsoever in the past.
However, last week Denic (registry for .de) changed their policy (or their checks). They don't allow a nameserver for a .de domain anymore which contains a 6to4 address. The policy is "it should be a global unicast AND the block should be assigned to a RIR for suballocation purpose". The 6to4 range is Global Unicast (http://www.iana.org/assignments/ipv6-unicast-address-assignments/) but it is not assigned to a RIR because it is a special block. This fails their policy and their checks (resulting in an ERROR: 105 All IPv6 Addresses must be Global Unicast).
Ok, policy is policy and we should not complain. However, I'm asking your opinions about this policy. I find this really stupid because this completely breaks use for 6to4 in Germany and there is no good reason to block it.
We know we should push our provider to support native IPv6, and we do. But this should not stop us using IPv6 6to4.
regards, Igor Ybema
If you can't get native IPv6 then use a tunneled service like Hurricane Electric's (HE.NET). It is qualitatively better than 6to4 as it doesn't require random nodes on the net to be performing translation services for you which you can't track down the administrators of. You can get /48's from HE.
I use HE.NET and have for the last 7 or so years for my home network.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Fri, Feb 12, 2010 at 08:16:56AM +1100, Mark Andrews wrote:
If you can't get native IPv6 then use a tunneled service like Hurricane Electric's (HE.NET). It is qualitatively better than 6to4 as it doesn't require random nodes on the net to be performing translation services for you which you can't track down the administrators of. You can get /48's from HE.
Our external IPv6 web accesses are still very low, but have grown linearly over the last five years from 0.1% in 2005/06 to 0.5% of total web traffic now. Internally of course our figures are higher.
Of that IPv6 traffic, 1% comes from 2002::/16 prefixes. Even less from Teredo prefixes. I guess we could run stats against known TB prefixes to determine who is using those.
--
Tim
On 16/02/2010, at 5:03 AM, Tim Chown wrote:
On Fri, Feb 12, 2010 at 08:16:56AM +1100, Mark Andrews wrote:
If you can't get native IPv6 then use a tunneled service like Hurricane Electric's (HE.NET). It is qualitatively better than 6to4 as it doesn't require random nodes on the net to be performing translation services for you which you can't track down the administrators of. You can get /48's from HE.
Our external IPv6 web accesses are still very low, but have grown linearly over the last five years from 0.1% in 2005/06 to 0.5% of total web traffic now. Internally of course our figures are higher.
Of that IPv6 traffic, 1% comes from 2002::/16 prefixes. Even less from Teredo prefixes. I guess we could run stats against known TB prefixes to determine who is using those.
You are very unlikely to get traffic from Teredo, because:
1) Windows only asks for AAAA if it has non-Teredo IPv6 connectivity
2) When Windows has non-Teredo IPv6 connectivity and so can ask for AAAA, preference for reaching your web content is going to be non-Teredo IPv6 -> IPv4 -> Teredo, due to the prefix policy table, unless you have an AAAA in 2001::/32 (Teredo space), in which case it will prefer IPv4 -> Teredo.
With 6to4, Windows hosts will ask for AAAA, and will prefer non-6to4 IPv6 over 6to4 over IPv4. I'm a little surprised at how little 6to4 traffic you get.
Teredo gets most use when an application asks for a connection to a certain IPv6 address, without DNS. This is most common in peer to peer - you're not going to levels of web traffic and P2P traffic using Teredo that are comparable ratios to IPv4.
My expectation is that lines in your web logs in 2001::/32 have user agent strings indicating non-Windows hosts - or perhaps someone has miredo running on a proxy server, or perhaps the users' non-Teredo IPv6 AND IPv4 paths to you were broken when they tried to make a request. Stranger things have happened..
I wrote some code that will allow you to better understand the connectivity that end users of your web content have - when they visit your site it has them get 1x1 px transparent GIF images from various different hostnames with different characteristics in the DNS, and then reports back which loaded and how long.
http://www.braintrust.co.nz/ipv6wwwtest/
Wikipedia were running this for a while, on every 100th hit. They did a modification to this where they also had a large image to test for pmtud errors. Google are using a similar technique to test IPv6 capabilities and networks.
I'll add something with the pmtud stuff in the next week or so, and I'll also push the code to github. You'll probably want to make your own changes based on what you're interested in, also.
--
Nathan Ward
* Nathan Ward
You are very unlikely to get traffic from Teredo, because: 1) Windows only asks for AAAA if it has non-Teredo IPv6 connectivity 2) When Windows has non-Teredo IPv6 connectivity and so can ask for AAAA, preference for reaching your web content is going to be non-Teredo IPv6 -> IPv4 -> Teredo, due to the prefix policy table, unless you have an AAAA in 2001::/32 (Teredo space), in which case it will prefer IPv4 -> Teredo.
With 6to4, Windows hosts will ask for AAAA, and will prefer non-6to4 IPv6 over 6to4 over IPv4. I'm a little surprised at how little 6to4 traffic you get.
Teredo gets most use when an application asks for a connection to a certain IPv6 address, without DNS. This is most common in peer to peer - you're not going to levels of web traffic and P2P traffic using Teredo that are comparable ratios to IPv4.
When it comes to HTTP traffic, that's not always the case: The Opera web browser in all recent versions will unconditionally prefer IPv6 (including Teredo and 6to4) over IPv4. Since Windows Vista and newer automatically configure Teredo and/or 6to4, this is the biggest single reason for regular clients being unable to access dualstacked websites here in Norway, according to my measurements (which are done in a similar fashion to yours).
In case you're interested, I've been posting reports to the ipv6-ops list about it for a few months now:
http://thread.gmane.org/gmane.org.operators.ipv6/2636
http://thread.gmane.org/gmane.org.operators.ipv6/2683
http://thread.gmane.org/gmane.org.operators.ipv6/2764
http://thread.gmane.org/gmane.org.operators.ipv6/2908
Opera has fortunately improved the behaviour in their next version (10.50) by simply using getaddrinfo() on Windows. It is due to be released in a month or two - hopefully then I'll be able to talk some of my customers into dualstacking their content.
Best regards,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
Tel: +47 21 54 41 27
On Tue, 16 Feb 2010, Nathan Ward wrote:
You are very unlikely to get traffic from Teredo, because: 1) Windows only asks for AAAA if it has non-Teredo IPv6 connectivity
Please don't just say "windows" as the different versions of windows behave differently, as we've already discussed in the thread here:
<http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01587.html>
Windows XP will happily use Teredo when faced with AAAA response only.
What you're describing is Vista and Win7 I guess?
--
Mikael Abrahamsson email: swmike@swm.pp.se
On 16/02/2010, at 7:34 PM, Mikael Abrahamsson wrote:
On Tue, 16 Feb 2010, Nathan Ward wrote:
You are very unlikely to get traffic from Teredo, because: 1) Windows only asks for AAAA if it has non-Teredo IPv6 connectivity
Please don't just say "windows" as the different versions of windows behave differently, as we've already discussed in the thread here:
<http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01587.html>
Windows XP will happily use Teredo when faced with AAAA response only.
What you're describing is Vista and Win7 I guess?
Yep, sorry!
XP won't ask for AAAA unless it has non-Teredo connectivity though I don't think.
--
Nathan Ward
On Tue, 16 Feb 2010, Nathan Ward wrote:
XP won't ask for AAAA unless it has non-Teredo connectivity though I don't think.
That doesn't compute considering all the XP machines with Teredo addresses that asked for my AAAA only content.
<http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html>
"Of the users getting v6 only gif from non-tunnel-space, 58% were from Proxad (free.fr I believe), and then on the list came UNINET, SUNET, FUNET (university networks in .no, .se and .fi) and Hurricane electric.
98% of Teredo users run Windows XP. 88% of 6to4 users run Windows Vista."
So 98% of Teredo users getting the v6only content (using DNS) was using WinXP, so it does seem it does AAAA lookups.
--
Mikael Abrahamsson email: swmike@swm.pp.se
On 16/02/2010, at 7:47 PM, Mikael Abrahamsson wrote:
On Tue, 16 Feb 2010, Nathan Ward wrote:
XP won't ask for AAAA unless it has non-Teredo connectivity though I don't think.
That doesn't compute considering all the XP machines with Teredo addresses that asked for my AAAA only content.
<http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html>
"Of the users getting v6 only gif from non-tunnel-space, 58% were from Proxad (free.fr I believe), and then on the list came UNINET, SUNET, FUNET (university networks in .no, .se and .fi) and Hurricane electric.
98% of Teredo users run Windows XP. 88% of 6to4 users run Windows Vista."
So 98% of Teredo users getting the v6only content (using DNS) was using WinXP, so it does seem it does AAAA lookups.
I mean non-Teredo connectivity in addition to Teredo.
Perhaps they have Teredo and 6to4, and could not reach you via 6to4 so instead used Teredo, or, any number of scenarios.
--
Nathan Ward
On Tue, 16 Feb 2010, Nathan Ward wrote:
Perhaps they have Teredo and 6to4, and could not reach you via 6to4 so instead used Teredo, or, any number of scenarios.
I think their only IPv6 connectivity was Teredo (for instance, they're behind NAT), and thus they used it to get the IPv6 only content.
--
Mikael Abrahamsson email: swmike@swm.pp.se
On Tue, Feb 16, 2010 at 08:14:13AM +0100, Mikael Abrahamsson wrote:
On Tue, 16 Feb 2010, Nathan Ward wrote:
Perhaps they have Teredo and 6to4, and could not reach you via 6to4 so instead used Teredo, or, any number of scenarios.
I think their only IPv6 connectivity was Teredo (for instance, they're behind NAT), and thus they used it to get the IPv6 only content.
So for our case here at Southampton our web presence www.ecs.soton.ac.uk is advertised via both A and AAAA records. What we see is less than 1% of our IPv6 traffic coming from the Teredo prefix. 6to4 is at most 1%. I think the reason we see less 6to4 than some might expect is that a lot of our IPv6 accesses may be from other academic networks where IPv6 is available 'properly'.
I had our web guys send me a log of recent Teredo accesses to our servers and the user agents were varied. As Tore suggested, Opera 9.8 was on the list (since fixed), but also some Mozilla-based entries from both Linux and Windows platforms.
Total entries: 761
Opera 9.8: 354
Firefox 3.5.7 (Windows): 61
Firefox 3.5.7 (Linux): 96
Iceweasel 3.5.6 (Linux): 8
Mozilla 4.0 (Windows): 242
Not a huge sample, but it shows Windows UAs hitting us from the Teredo prefix.
--
Tim
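An added example, not part of any message in this thread: one way to label addresses by the two prefixes the posters name (2002::/16 for 6to4, 2001::/32 for Teredo), usable both to review nameserver glue addresses before submitting them to a registry and to tally web-log clients by user agent as described above. The tab-separated log format, the function names and the sample lines are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Prefixes as named in the thread.
SIXTOFOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

def classify(addr):
    """Label an address by prefix; raises ValueError if it does not parse."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    if ip in SIXTOFOUR:
        return "6to4"
    if ip in TEREDO:
        return "teredo"
    return "other-unicast" if ip in GLOBAL_UNICAST else "non-global"

def embedded_ipv4(addr):
    """IPv4 address embedded in a 6to4 address, or None."""
    v4 = ipaddress.IPv6Address(addr).sixtofour
    return None if v4 is None else str(v4)

def flag_nameserver_addrs(addrs):
    """Glue addresses to review before submitting them to a registry."""
    return [a for a in addrs if classify(a) in ("6to4", "teredo", "non-global")]

def tally(log_lines):
    """Count (label, user agent) pairs from 'client<TAB>user agent' lines."""
    counts = Counter()
    for line in log_lines:
        client, _, agent = line.rstrip("\n").partition("\t")
        try:
            counts[(classify(client), agent)] += 1
        except ValueError:
            counts[("unparsed", agent)] += 1
    return counts

# Constructed sample lines; the format and the addresses are assumptions.
SAMPLE_LOG = [
    "2001:db8:10::25\tFirefox 3.5.7 (Linux)",
    "2002:c000:204::1\tMozilla 4.0 (Windows)",
    "2001:0:4136:e378:8000:63bf:3fff:fdd2\tOpera 9.8",
    "2001:0:4136:e378:8000:63bf:3fff:fdd2\tOpera 9.8",
    "192.0.2.77\tFirefox 3.5.7 (Windows)",
    "not-an-address\t-",
]

if __name__ == "__main__":
    for (label, agent), n in sorted(tally(SAMPLE_LOG).items()):
        print(f"{label:14} {agent:26} {n}")
```

Tunnel-broker clients land in "other-unicast" here, because they cannot be told apart by these two prefixes; separating them needs a list of known broker prefixes.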
* Igor Ybema:
We know we should push our provider to support native IPv6, and we do. But this should not stop us using IPv6 6to4.
You should complain to the DENIC member you use, or perhaps the DENIC ops team. Perhaps it's a simple mistake. NANOG isn't the right forum for this.
participants (10)
- Edward Lewis
- Florian Weimer
- Igor Ybema
- Marc A. Runkel
- Mark Andrews
- Mikael Abrahamsson
- Nathan Ward
- Nick Hilliard
- Tim Chown
- Tore Anderson