On 12/10/2007, at 9:43 AM, Tony Hain wrote:
Nathan Ward wrote:
On 6/10/2007, at 3:18 AM, Stephen Wilcox wrote:
<stuff>
Given the above, I think there is no myth.. !
That's because the 'v6 network' is broken enough that putting AAAA
records on sites that need to be well reachable is a bad idea.
For example, due mainly to Vista's 6to4 tunnelling stuff (based on
researching a random sample of users), I'd lose about 4% of visitors
to my web-sites if I were to turn on AAAA records.
For a transit provider, having an unreachable (or seemingly
unreachable) web-site is a really bad idea.
So why didn't you put up a 6to4 router and put AAAA records in that
pointed
to the 6to4 prefix for those servers? Is the concept of multiple IPv6
addresses on the server really as scary as people make it out to
be? After
all by having an IPv4 and an IPv6 address you already have multiple
addresses on the server, so what is one more?
I have both 6to4 and Teredo relays available to all my servers, let
me explain;
(sorry to those who've read me talking about this already)
The problem is "enterprise" networks that have /all/ of the following
conditions as true:
- Use non-RFC1918 addressing for hosts.
- Do firewalling (and block IP proto 41) or NAT.
- Use Windows Vista and have not disabled 6to4.
Some common examples:
- Large companies.
- Educational institutions (especially ones where people bring their
own laptops - Vista configs can't be dictated).
Solutions:
1) These networks deploy 6to4 relays.
2) These networks deploy IPv6 natively.
3) These networks deploy 'fake' 6to4 relays which return unreachable
messages when someone tries to use them, so packets don't time out.
4) Everyone else figures out a standard to to test the availability
of 6to4 services (not unlike Teredo's qualification procedure).
I think that (4) is probably the path of least resistance, so I
intend to do some work in that area.
The entire finger-pointing fiasco between the infrastructure
providers and
the content providers has to stop. The content providers just have
to ignore
the lethargic infrastructure providers and tunnel over them.
Tunneling IPv4
over voice is how we got around the lethargy before, so now the only
difference is we are tunneling IPv6 over IPv4. I hear whining from
content
providers about how 6to4, or tunneling in general, is bad because
the path
is not predictable. They never stop to realize that they could
avoid that
problem by putting up their own tunnel endpoint and through the
magic of DNS
completely avoid the problem they are complaining about. The only
reason
clients will look for a public 6to4 relay is to find sites that
insist on
having a single IPv6 address from a formal RIR IPv6 assignment
process. In
the grand scheme of things the 6to4 prefix that would correspond to
your
6to4 router is formally assigned, it is just through the IPv4
assignment
process. In any case a 6to4 connected client will traverse the
direct IPv4
path to the server's 6to4 router, so as I said earlier if content
providers
would just ignore the infrastructure and deploy their own 6to4
routers to
tunnel over the top, we could move forward.
As both a an infrastructure and content provider (I have many
different hats), I point at Microsoft Vista - I appreciate the
initiative, but problems like this have (in my view) had a net
negative effect.
Nice rant though :-)
What is your suggestion RE DNS there? Are you proposing using views
or something, to direct 6to4 'clients' to content over 6to4? If so, I
don't think that would work terribly well - it wouldn't solve the
problem in situations I describe above, but it's likely that it would
improve performance for networks who choose to run 6to4, and have
their own recursive resolvers who live in their v6 island.
Does anyone have info on how bind (and other recursive resolvers)
select whether to use v6 or v4 if an NS points at a resource with
both A and AAAA records? Most OSes prefer the AAAA record, does bind
behave the same?
--
Nathan Ward
