
If you know of any issues that customers might encounter during the transition to IPv6, please add a subheading to this page and explain both the problem and how to address it.

Firewall Config Issue

Especially if you have users on Vista. It does this IPv6 tunnelling thing that on the surface appears really cool. When you try and talk IPv6 to something other than link-local: (in order)

  • If you have a non-RFC1918 (i.e. 'public') address, it fires up 6to4.
  • If you have an RFC1918 address, it fires up Teredo.

Seems cool in theory, and you'd think that it would really help global IPv6 deployment - I'm sure that's how it was intended, and I applaud MS for taking a first step. But in practice, however, this has essentially halted any IPv6 /content/ deployment that people want to do, as user experience is destroyed.

You can help, though - here's the problem:

6to4 uses protocol 41 over IP. This doesn't go through NAT, or stateful firewalls (generally). Much like GRE.

Because of this, if you're an enterprise-esque network operator who runs non-RFC1918 addresses internally and do NAT, or you do stateful firewalling, PLEASE, run a 6to4 relay on 192.88.99.1 internally, but return ICMPv6 unreachable/admin denied/whatever to anything that tries to send data out through it. Better yet, tell your firewall vendor to allow you to inspect the contents of 6to4 packets, and optionally run your own 6to4 relay, so outgoing traffic is fast.

Even if you don't want to deploy IPv6 for some time, do this at the very least RIGHT NOW, or you're preventing those of us who want to deploy AAAA records alongside our A records from doing so. If you need configs for <vendor/OS B/C/J/L>, post a message to the NANOG list and I'll write some templates.

I see this sort of IPv4 network quite commonly at universities, where students take their personal laptops and throw them on the campus 802.11 network. While disabling the various IPv6 things in Vista at an enterprise policy level might work for some networks, it doesn't for a university with many external machines visiting. So, if you're a university with a network like this (i.e. most universities here in NZ, for example), please spend a day or two to fix this problem in your network - or better yet, do a full IPv6 deployment.
--Nathan Ward
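An audit sketch for the situation described above, added here as an example and not part of the original post: it scans a flow export for protocol 41 traffic, marks flows aimed at the 6to4 anycast relay 192.88.99.1 and flows that never got an answer, and derives the 2002:V4ADDR::/48 prefix each client would be using. The CSV layout, the field names and the sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

SIXTOFOUR_RELAY = ipaddress.ip_address("192.88.99.1")  # anycast relay named above
PROTO_41 = 41  # IPv6-in-IPv4 encapsulation used by 6to4

# Constructed flow export (hypothetical format): one row per outbound flow.
SAMPLE_FLOWS = """\
src,dst,proto,packets_out,packets_in
198.51.100.23,192.88.99.1,41,14,0
198.51.100.23,203.0.113.80,6,120,118
198.51.100.77,192.88.99.1,41,9,0
198.51.100.90,192.0.2.55,41,30,28
"""

def sixtofour_prefix(v4):
    """Return the 6to4 /48 a host derives from its IPv4 address."""
    value = (0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80)
    return ipaddress.IPv6Network((value, 48))

def triage(flow_csv):
    """Summarise protocol 41 activity per internal source address."""
    report = defaultdict(
        lambda: {"prefix": None, "to_anycast": 0, "unanswered": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["proto"]) != PROTO_41:
            continue  # only tunnelled IPv6 is of interest here
        entry = report[row["src"]]
        entry["prefix"] = str(sixtofour_prefix(row["src"]))
        if ipaddress.ip_address(row["dst"]) == SIXTOFOUR_RELAY:
            entry["to_anycast"] += 1
        # Packets out but none back: the tunnel is being black-holed,
        # which is the case that leaves the user waiting on timeouts.
        if int(row["packets_in"]) == 0:
            entry["unanswered"] += 1
    return dict(report)

if __name__ == "__main__":
    for host, info in triage(SAMPLE_FLOWS).items():
        print(host, info)
```

Hosts with a non-zero `unanswered` count are the ones whose 6to4 attempts are being silently dropped rather than rejected.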

Misbehaving applications and operating systems

Some pieces of software prefer using unreliable 6to4/Teredo over IPv4. This is a major contributor to the «broken users» problem deterring content providers from deploying dual-stack on their web sites (e.g. Yahoo (https://sites.google.com/site/ipv6implementors/2010/agenda/07 Fesler Y\!atGIPv6ImpConf.pdf?attredirects=0), Google, Redpill Linpro). Typically this happens for one of two reasons: either the software does not implement RFC 3484, which typically causes IPv6 to be preferred unconditionally over IPv4; or the software implements it verbatim, which causes IPv6 to be preferred over private/RFC 1918 IPv4 addresses. The latter problem is due to a weakness in the RFC which has been elaborated on by Rémi Denis-Courmont, and there is currently an effort within the IETF 6MAN WG to correct the problem.
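The verbatim-RFC 3484 behaviour for the 6to4 case can be reproduced with a reduced model of the destination sorting rules (added example, not code from any of the packages listed below). It implements only Rule 2 (matching scope), Rule 5 (matching label) and Rule 6 (precedence) with the RFC's default policy table; the addresses are constructed documentation addresses and `private_v4_scope` is a hypothetical knob of this demonstration.

```python
import ipaddress

# RFC 3484 default policy table: (prefix, precedence, label).
POLICY = [(ipaddress.ip_network(p), prec, label) for p, prec, label in [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("2002::/16", 30, 2),
    ("::/96", 20, 3), ("::ffff:0:0/96", 10, 4)]]
PRIVATE_V4 = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SITE_LOCAL, GLOBAL = 0x5, 0xE  # scope values as defined for multicast

def as_v6(addr):
    """Return the address as IPv6, mapping IPv4 into ::ffff:0:0/96."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address("::ffff:" + str(ip))
    return ip

def policy(addr):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    ip = as_v6(addr)
    best = max((n for n, _, _ in POLICY if ip in n), key=lambda n: n.prefixlen)
    return next((prec, label) for n, prec, label in POLICY if n == best)

def scope(addr, private_v4_scope):
    """RFC 3484 gives RFC 1918 addresses site-local scope; the rest is
    treated as global here (loopback and link-local are left out)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and any(ip in n for n in PRIVATE_V4):
        return private_v4_scope
    return GLOBAL

def sort_destinations(pairs, private_v4_scope=SITE_LOCAL):
    """pairs: [(destination, source address the host would use for it)]."""
    def key(pair):
        dst, src = pair
        scope_ok = scope(dst, private_v4_scope) == scope(src, private_v4_scope)
        label_ok = policy(dst)[1] == policy(src)[1]
        return (not scope_ok, not label_ok, -policy(dst)[0])
    return [dst for dst, _ in sorted(pairs, key=key)]

# Constructed case: host with an RFC 1918 IPv4 address and a 6to4 address,
# looking up a dual-stacked site (A and AAAA record).
SAMPLE_PAIRS = [("203.0.113.80", "192.168.1.10"),
                ("2001:db8::80", "2002:c000:204:1::10")]

if __name__ == "__main__":
    print(sort_destinations(SAMPLE_PAIRS))          # AAAA sorted first
    print(sort_destinations(SAMPLE_PAIRS, GLOBAL))  # A sorted first
```

With the RFC's site-local scope for private IPv4, Rule 2 penalises the IPv4 pair before Rule 5 ever gets to penalise the 6to4 pair for its label mismatch, so the AAAA record sorts first.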

The following table lists known pieces of software that have, or have recently had, this problem:

| Software package | Behaviour | Vendor bug report | Status |
|---|---|---|---|
| Apple Mac OS X | Prefers IPv6 unconditionally | Apple-IPv6-Dev posting | No fix available |
| GNU C library | Prefers 6to4/Teredo over private/RFC 1918 IPv4 | | No fix available |
| Debian | Prefers 6to4/Teredo over private/RFC 1918 IPv4 | | Fixed in Debian Squeeze (not yet released) |
| Fedora | Prefers 6to4/Teredo over private/RFC 1918 IPv4 | | Fixed in Fedora 13 Goddard |
| Ubuntu | Prefers 6to4/Teredo over private/RFC 1918 IPv4 | LP#555210 | Fixed in Ubuntu 10.04 Lucid Lynx |
| Mandriva | Prefers 6to4/Teredo over private/RFC 1918 IPv4 | | Fixed in Mandriva 2010.1 Spring |
| openSUSE | Prefers 6to4/Teredo over private/RFC 1918 IPv4 | | Fixed in openSUSE 11.3 |
| Gentoo | Prefers 6to4/Teredo over private/RFC 1918 IPv4 | | Fixed as of 2010-04-25 |
| Android | Prefers IPv6 unconditionally | | Fixed in Android 2.2 Froyo |
| Opera | Prefers IPv6 unconditionally | | Fixed in Opera 10.50 |

Workarounds

The most correct fix is to find out which device in your network is acting as a defective 6to4/Teredo router and disable it. If that's difficult, you still have some workarounds to choose from:

Mac OS X

Disable IPv6 system-wide using the following command:

More info about IPv6 configuration in Mac OS X is available here.

GNU libc and derivatives (i.e. most Linux distributions)

Add the following lines to the file /etc/gai.conf (create it if it doesn't exist):

You can verify the fix using the command getent ahosts, like so:

If the IPv4 addresses are sorted on top, you're in the clear.

Increased Latency to your IPv6 Content

If you do deploy an IPv6 network for your content, set up a Teredo relay, and point 2001::/32 at it. Your viewers/users will automatically use this relay when accessing your content, and their traffic to you will be over IPv4, all the way from their PC to your network - so, equivalent performance as IPv4. Note that I say relay here, not server.

Mozilla.org are doing this for example. Cue Matthew Zeier.
--Nathan Ward

Check out Enabling IPv6 on a Mail Server.

Unfortunately, not all Domain Registrars are providing IPv6 Glue yet

It may be tough to get IPv6 AAAA records for your nameservers into the DNS Glue records, depending on your registrar.

Check out DNS Registrars IPv6 Support Status, let's build a list of who does and does not.
