Re: Microsoft: Give Xbox One users IPv6 connectivity
On 14.03.2014 12:47, Tore Anderson wrote:
>>> Christopher and others = you are RIGHT! Do not change your mind
>> Right about _what_? You provided not a single reason for the described behaviour, i.e. the missing fallback to native IPv6.
> According to Microsoft, there should never be a fallback to native IPv6, as IPv6 should be the preferred protocol. Teredo should be the fallback, for those situations where end-to-end IPv6 isn't available.

The fallback I was talking about is not a description of the current behaviour, it's about what is missing.

> Can you confirm that this is the case that all the XB1s involved have native IPv6 connectivity, and that Teredo is used in spite of that?

No, and I did not claim that.

> (If not all of the XB1s communicating have native IPv6, fallback to Teredo is the expected behaviour.)

Documented, yes, but surely not expected.

>> involved XB1s are behind AVM HGWs, any IPv6 connectivity is broken and thus useless.
> That may well be the reason why the XB1 is trying to fall back on Teredo in the first place, a fact that makes the claims in the

No, according to Microsoft the XB1 will not use native IPv6 if one of the peers is IPv4 only.

> «The Xbox's behavior contradicts the Teredo standard (RFC 4380 Section 5.5)». -- No, it doesn't, because the XB1 *doesn't* have IPv6 connectivity, because the AVM broke it.

No. Just because there's a stateful IPv6 firewall does not mean no IPv6 connectivity?

> (Besides which, RFC 4380 section 5.5 is meant for Teredo implementers, not for HGW manufacturers.)

So what? It's the XB1 which is using Teredo and violating section 5.5 of RFC 4380 (which is, ironically, authored by Microsoft itself). And now the HGW is the one to blame for not expecting that?

> Finally, the KB article says «there is a risk that using Teredo could allow the security functions of the FRITZ!Box to be circumvented». I cannot see how the presence of IPv6 makes this any worse. If AVM had

That's simple:
- As long as my HGW is _not_ doing IPv6, I do not expect it to prevent unwanted IPv6 traffic
- If my HGW _is_ doing IPv6, I do expect it to prevent unwanted IPv6 traffic

Sure, this is all debatable and everything, but I really don't understand the harsh bashing of AVM and avid defense of the XB1 at the same time here. The XB1, as a recently released device, abuses an outdated, skunky protocol to create its own pseudo-VPN and everybody's cheering for it, without a single critical remark? That's just sad.
Re: Microsoft: Give Xbox One users IPv6 connectivity
On 14/03/14 00:21, Marco Sommani marcosomm...@gmail.com wrote:
> AVM is not alone in its choices: they just do what is suggested in RFC 6092 - Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service. I don't like what they do, but maybe we should blame IETF.
>
> Marco

I agree and disagree :-)

Agreement on the fact that AVM is not the only CPE vendor doing this (and also blaming ISPs -- notably in my country 15% of broken IPv6 connectivity = Belgium)...

Disagreement: RFC 6092 has TWO settings: one closed and one open, and the choice should be given to the end-user. As you may know, there have been heated discussions at the IETF on this topic.

-éric
Re: Microsoft: Give Xbox One users IPv6 connectivity
On 14/mar/2014, at 07:08, Eric Vyncke (evyncke) evyn...@cisco.com wrote:
> On 14/03/14 00:21, Marco Sommani marcosomm...@gmail.com wrote:
>> AVM is not alone in its choices: they just do what is suggested in RFC 6092 - Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service. I don't like what they do, but maybe we should blame IETF.
>>
>> Marco
>
> I agree and disagree :-)
>
> Agreement on the fact that AVM is not the only CPE vendor doing this (and also blaming ISPs -- notably in my country 15% of broken IPv6 connectivity = Belgium)...
>
> Disagreement: RFC 6092 has TWO settings: one closed and one open, and the choice should be given to the end-user. As you may know, there have been heated discussions at the IETF on this topic.

One can configure exceptions on Fritz!Boxes too: just go to Internet > Permit Access > IPv6. The problem is that they just allow exceptions for individual Interface Identifiers; no way to configure a permit all. I'm wondering how many XBOX users are able to find their Interface ID.

> -éric

-- 
Marco Sommani
Via Contessa Matilde 64C
56123 Pisa - Italia
phone: +390500986728
mobile: +393487981019
fax: +390503869728
email: marcosomm...@gmail.com
RE: Microsoft: Give Xbox One users IPv6 connectivity
Apologies for the staggered reply.

Another note, RFC 6092 is about IPv6 behavior. If our Teredo traffic is de-encapsulated, one will notice the traffic carries IPsec, which unambiguously should be allowed by section 3.2.4. That's a theoretical point really, I don't expect (or necessarily even want) middle boxes to bust open Teredo and apply RFC 6092. Recommendations for IPv4 NAT behavior and UDP, including discussion of UNSAF NAT traversal, fall closer to RFC 4787 IMHO.

Sent from my Windows Phone

From: Christopher Palmer christopher.pal...@microsoft.com
Sent: 3/13/2014 8:39 PM
To: Eric Vyncke (evyncke) evyn...@cisco.com; Marco Sommani marcosomm...@gmail.com; ipv6-ops@lists.cluenet.de
Subject: RE: Microsoft: Give Xbox One users IPv6 connectivity

The relevant excerpt on Teredo usage:

> Even for users that do have native IPv6 - Teredo will be used to interact with IPv4-only peers, or in cases where IPv6 connectivity between peers is not functioning. In general, Xbox One will dynamically assess and use the best available connectivity method (Native IPv6, Teredo, and even IPv4). The implementation is similar in spirit to RFC 6555.

This is from our online documentation. I have a tentative work item sitting in my queue to do something more proper for the IETF (like a draft).

http://download.microsoft.com/download/A/C/4/AC4484B8-AA16-446F-86F8-BDFC498F8732/Xbox%20One%20Technical%20Details.docx

The feedback about Teredo has been hard to digest. Our platform multiplayer solution uses standards for connectivity (Teredo/IPv6) and security (IPsec) - would it be better for the community to encourage opaque non-standard techniques instead? (this is a rhetorical question, not a call for discussion :P)

What is the intent of a CPE configuration that blocks an UNSAF NAT traversal mechanism using ports 3544 and 3074 (Xbox + Teredo), but allows other ports to be used for open NAT traversal? That just seems like a very vendor-targeted blockage, like they dislike Xbox, but they're fine with other devices doing unknown things over UDP. I know this isn't the intent, but a deeply negative person could look at this and say the policy is: block Microsoft products because they had the audacity to standardize their network behavior and use documented ports.

If a home router generally blocks NAT traversal, then I get it. I disagree with that default configuration and think it's the wrong thing for users, but at least it is something I can understand on principle.

-----Original Message-----
From: ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de On Behalf Of Eric Vyncke (evyncke)
Sent: Thursday, March 13, 2014 11:09 PM
To: Marco Sommani; ipv6-ops@lists.cluenet.de
Subject: Re: Microsoft: Give Xbox One users IPv6 connectivity
Re: Microsoft: Give Xbox One users IPv6 connectivity
Hi,

On Thu, Mar 13, 2014 at 10:44:17PM +, Eric Vyncke (evyncke) wrote:
> Or is it because AVM blocks all inbound IPv6 connection and X/Box has no choice but falling back on Teredo? I am really unclear on the exact situation

No, AVM blocks *Teredo*. Native IPv6 is permitted according to firewall config on the box... but as far as I understand, the XBox does not even *try* native. It will do Teredo, period.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
Re: Microsoft: Give Xbox One users IPv6 connectivity
Hi,

On Thu, Mar 13, 2014 at 07:17:16PM -0500, David Farmer wrote:
> They prefer native IPv6, but only if all the peer-to-peer participants also have native IPv6. So, if all your gamer buddies have native IPv6, then native IPv6 is preferred. They do not want to use Teredo Gateways. So, they do not allow Native IPv6 to Teredo communications, and prefer Teredo if any of the participants needs Teredo to do IPv6.

OK, thanks. I was not fully aware of these details, but it does explain what happens - since native IPv6 is still not ubiquitous, at least one of the players will be on Teredo, and *that* will not work through a (default-config) AVM box if the AVM has native IPv6 (do not tunnel if you can do native, it's better for your packets), so all fall back to IPv4...

Yeah, hard to see how to fix that, without resorting to Teredo relays (which are not a good approach to latency-sensitive gaming traffic either).

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?
Re: Microsoft: Give Xbox One users IPv6 connectivity
On 14 Mar 2014, at 00:50, SM s...@resistor.net wrote:
> Hi Marco,
>
> At 16:21 13-03-2014, Marco Sommani wrote:
>> AVM is not alone in its choices: they just do what is suggested in RFC 6092 - Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service. I don't like what they do, but maybe we should blame IETF.
>
> I took a quick look at some of the RFCs to figure out the guidance which was published. The short summary is that it is confusing when security and getting things to work are taken together.

As others have pointed out, this is something of a bikeshed topic in the IETF discussions. As a result, the homenet arch text simply says, after IESG comment, the following:

"The topic of whether future home networks as described in this document should have a 'default deny' or 'default allow' position has been discussed at length in various IETF meetings without any consensus being reached on which approach is more appropriate. Further, the choice of which default to apply may be situational, and thus this text makes no recommendation on the default setting beyond what is written on this topic in RFC 6092. We note in Section 3.6.3 below that the implicit firewall function of an IPv4 NAT is commonplace today, and thus future CERs targeted at home networks should continue to support the option of running in 'default deny mode', whether or not that is the default setting."

There are at least three IDs/RFCs documenting different models, including the recent draft-ietf-v6ops-balanced-ipv6-security-01.

Tim
Re: Microsoft: Give Xbox One users IPv6 connectivity
Hi!

Christopher Palmer, 2013-10-10 03:22:
> http://download.microsoft.com/download/A/C/4/AC4484B8-AA16-446F-86F8-BDFC498F8732/Xbox%20One%20Technical%20Details.docx

Nice, but why do you absolutely require Teredo even for boxes with native IPv6? Of course there's the advantage of direct client2client communication (less latency for clients and less traffic on Teredo relays), but the box should at least fall back to native IPv6 if Teredo is not available (quite odd to talk about native IPv6 being a fallback to Teredo, but anyway).

There's at least one CPE manufacturer (quite prevalent in Europe or at least in Germany) that filters out Teredo if native IPv6 is available by default. They added an option to disable this filter, but that's not a good thing. See http://service.avm.de/support/en/skb/FRITZ-Box-7390-int/1439:Cannot-play-online-games-with-Xbox-One

In the current state, the XBox One is doing more harm to IPv6 than good. People encounter problems after having IPv6 activated (there are forum posts which told people to disable IPv6 to fix this issue) and network operators will see less increase in IPv6 traffic (which lowers the incentive to improve IPv6 support).

Regards
Jakob
Re: Microsoft: Give Xbox One users IPv6 connectivity
Jakob

What annoys me more is the fact that AVM (and they are not the only one -- see Technicolor & others) naively believes that NAT44 offered some security by preventing inbound connections... This means that there is NO open connectivity between two X/Box behind a closed AVM CPE... Hence X/Box has no choice and is smart enough to fall back in the legacy NAT44 mode with a TURN (or in this case Teredo) to bypass NAT. A very nice opportunity to run a man-in-the-middle attack on a foreign ground.

I still wonder why people REALLY believe in the security of NAT (in the sense of blocking inbound connections) in 2014 while most of the botnet members are behind a NAT...

Christopher and others = you are RIGHT! Do not change your mind

-éric (see also http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01 for my point of view :-))

On 13/03/14 18:43, Jakob Hirsch j...@plonk.de wrote:
Re: Microsoft: Give Xbox One users IPv6 connectivity
On 2014-03-13 15:12, Eric Vyncke (evyncke) wrote:

+1000

Simon
-- 
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source        -- http://ecdysis.viagenie.ca
STUN/TURN server               -- http://numb.viagenie.ca
Re: Microsoft: Give Xbox One users IPv6 connectivity
Hi

On Thu, Mar 13, 2014 at 07:12:54PM +, Eric Vyncke (evyncke) wrote:
> What annoys me more is the fact that AVM (and they are not the only one -- see Technicolor & others) naively believes that NAT44 offered some security by preventing inbound connections... This means that there is NO open connectivity between two X/Box behind a closed AVM CPE... Hence X/Box has no choice and is smart enough to fall back in the legacy NAT44 mode with a TURN (or in this case Teredo) to bypass NAT. A very nice opportunity to run a man-in-the-middle attack on a foreign ground.

I'm not sure what NAT44 has to do with it. The point is that there is *native* IPv6 and the XBox insists on preferring Teredo - and the AVM box blocks Teredo if it has native IPv6, because there is no real use in permitting a "tunnel IPv6 around the IPv4-only router!" protocol when there *is* a perfectly good IPv6-capable router around...

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?
Re: Microsoft: Give Xbox One users IPv6 connectivity
Or is it because AVM blocks all inbound IPv6 connection and X/Box has no choice but falling back on Teredo? I am really unclear on the exact situation

-éric

On 13/03/14 21:46, Gert Doering g...@space.net wrote:
Re: Microsoft: Give Xbox One users IPv6 connectivity
On Mar 13, 2014 4:22 PM, Marco Sommani marcosomm...@gmail.com wrote:
> On 13/mar/2014, at 20:12, Eric Vyncke (evyncke) evyn...@cisco.com wrote:
>> Jakob
>>
>> What annoys me more is the fact that AVM (and they are not the only one -- see Technicolor & others) naively believes that NAT44 offered some security by preventing inbound connections... This means that there is NO open connectivity between two X/Box behind a closed AVM CPE... Hence X/Box has no choice and is smart enough to fall back in the legacy NAT44 mode with a TURN (or in this case Teredo) to bypass NAT. A very nice opportunity to run a man-in-the-middle attack on a foreign ground.
>
> AVM is not alone in its choices: they just do what is suggested in RFC 6092 - Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service. I don't like what they do, but maybe we should blame IETF.
>
> Marco

I believe there is an exception for allowing inbound ipsec in the rfc ... but this really goes to show how stateful firewalls are more harm than good in the general case. AVM may as well stay on ipv4 nat444 since they gave up on e2e with the stateful inspection.

CB
Re: Microsoft: Give Xbox One users IPv6 connectivity
On 13.03.2014 20:12, Eric Vyncke (evyncke) wrote:
> I still wonder why people REALLY believe in the security of NAT (in the sense of blocking inbound connections) in 2014 while most of the botnet members are behind a NAT...

I really don't know what this has to do with Teredo or IPv6, but well... Blocking inbound connections will save your host from remote exploits of its network services, but not from getting infected by malicious websites or email attachments. This is out of the scope of the common RG. And this has nothing to do with AVM, Technicolor or any other RG manufacturer, last time I checked Cisco RGs did just the same.

> Christopher and others = you are RIGHT! Do not change your mind

Right about _what_? You provided not a single reason for the described behaviour, i.e. the missing fallback to native IPv6.

> -éric (see also http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01 for my point of view :-))

I liked especially this section, "5. Security Considerations", where it says

"The policy addresses the major concerns related to the loss of stateful filtering imposed by IPV4 NAPT when enabling public globally reachable IPv6 in the home."

and

"This set of rules cannot help with the following attacks: [...] Malware which is fetched by inside hosts on a hostile web site (which is in 2013 the majority of infection sources)."

This approach seems a little too bold to me, and the lack of incidents may just be caused by the lack of attacks via IPv6, but if it works for Swisscom, good for them.

Jakob
Re: Microsoft: Give Xbox One users IPv6 connectivity
On 3/13/14, 15:46 , Gert Doering wrote:
> Hi
>
> On Thu, Mar 13, 2014 at 07:12:54PM +, Eric Vyncke (evyncke) wrote:
>> What annoys me more is the fact that AVM (and they are not the only one -- see Technicolor & others) naively believes that NAT44 offered some security by preventing inbound connections... This means that there is NO open connectivity between two X/Box behind a closed AVM CPE... Hence X/Box has no choice and is smart enough to fall back in the legacy NAT44 mode with a TURN (or in this case Teredo) to bypass NAT. A very nice opportunity to run a man-in-the-middle attack on a foreign ground.
>
> I'm not sure what NAT44 has to do with it. The point is that there is *native* IPv6 and the XBox insists on preferring Teredo - and the AVM box blocks Teredo if it has native IPv6, because there is no real use in permitting a "tunnel IPv6 around the IPv4-only router!" protocol when there *is* a perfectly good IPv6-capable router around...

They prefer native IPv6, but only if all the peer-to-peer participants also have native IPv6. So, if all your gamer buddies have native IPv6, then native IPv6 is preferred. They do not want to use Teredo Gateways. So, they do not allow Native IPv6 to Teredo communications, and prefer Teredo if any of the participants needs Teredo to do IPv6. Then they fall back to IPv4 after Teredo, again all participants doing IPv4. If I remember correctly what was said at NANOG last fall.

-- 
David Farmer                    Email: far...@umn.edu
Office of Information Technology
University of Minnesota
2218 University Ave SE          Phone: 1-612-626-0815
Minneapolis, MN 55414-3029      Cell: 1-612-812-9952
Re: Microsoft: Give Xbox One users IPv6 connectivity
I just had a look at our TR-069 stats and only 31,7% of our managed CPEs have UPnP enabled. Hint: We mostly ship CPEs with UPnP disabled by default (due to some security issues we had in the past).

-- 
Tassos

Christopher Palmer wrote on 11/10/2013 21:31:
> Our data shows that only 24% of user-encountered networks have a NAT that supports UPnP management (we successfully create a port mapping). That's across the Windows 7 and 8 population. That's unfiltered, so it will include hits from corporate environments, hot spots and such, etc. I feel pretty good about inferring that the number in residential networks is around 35%, looking at the top-of-the-line number and looking at other population metrics we collect.
>
> Nowhere near 80% :(. Sometimes a home router supports UPnP, but it's not activated by default.
>
> -----Original Message-----
> From: ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de On Behalf Of erik.tarald...@telenor.com
> Sent: Friday, October 11, 2013 12:12 AM
> To: ipv6-ops@lists.cluenet.de
> Subject: SV: Microsoft: Give Xbox One users IPv6 connectivity
>
> I don't have numbers for other markets, but in Norway I would say more than 80% have UPnP enabled gateways. At least the ISP I work for has provided customers with UPnP enabled gateways the last 7+ years. Most devices I can see in the Norwegian market (online and physical stores) have support for UPnP.
>
> But not to derail the discussion too much. Even with UPnP enabled, there are apparently very different ways to interpret how to use UPnP. Some clients fail miserably if they don't get the port they seek, some release the port as soon as it has been granted (older version of microsoft messenger did this, caused a lot of cpu usage on the gateways). Some clients do not understand that they have a port, and proceed to the next port and then use up all ports on the gateway.
>
> -Erik Taraldsen
> Telenor
>
> From: ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de on behalf of Mikael Abrahamsson [swm...@swm.pp.se]
> Sent: 11 October 2013 06:50
> To: Christopher Palmer
> Cc: ipv6-ops@lists.cluenet.de
> Subject: RE: Microsoft: Give Xbox One users IPv6 connectivity
>
> On Thu, 10 Oct 2013, Christopher Palmer wrote:
>> The thing about protocols like UPnP - the vendors who would ignore an IETF recommendation are likely to be the same vendors to skip out on making an adequate UPnP stack. Most people today do NOT have home routers that support UPnP.
>
> Do you have numbers on this? My belief has been that most people today who care about anything more than web surfing would have a decently new gateway (less than 3-5 years old) and that this would support UPnP. I don't have any numbers so I would like to know more :)
>
> -- 
> Mikael Abrahamsson    email: swm...@swm.pp.se
RE: Microsoft: Give Xbox One users IPv6 connectivity
It doesn't. The Windows Teredo sunset process and the usage of Teredo on Xbox are separate discussions. The server deployments are separate, the customers that are affected, etc.

I'll provide a fairly informal explanation for this divergence. On Windows, people aren't using Teredo for anything really cool (very informal). Teredo causes random headaches for customers and maintaining the service is moderately painful for our team. When we did the deactivation test, generally everything was great.

On Xbox One, Teredo's usage is focused on a particular application suite and forms a critical part of an end-user experience. Teredo by itself isn't useful, it's the secure P2P connectivity we're providing to developers, and the usage of Teredo is an implementation detail of the abstraction we're providing.

At some point we might consider exposing a similar abstraction in Windows (for games or otherwise) - which would put Teredo in a more advantageous light. But right now, on Windows, Teredo is just an IPv6 address providing limited end-user value.

-----Original Message-----
From: ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de On Behalf Of Steinar H. Gunderson
Sent: Friday, October 11, 2013 5:09 AM
To: Christopher Palmer
Cc: Tassos Chatzithomaoglou; Tore Anderson; ipv6-ops@lists.cluenet.de; Dan Wing
Subject: Re: Microsoft: Give Xbox One users IPv6 connectivity

On Thu, Oct 10, 2013 at 01:22:06AM +, Christopher Palmer wrote:
> There are some network effects that complicate the story. Inevitably we have to use Teredo for lots of P2P, because IPv6 is so rare. You might have IPv6, but if your peer doesn't - alas. Also, address selection is sensitive to policy that we'll be tuning as the Xbox One launch progresses.

How does this interact with the previously announced Teredo sunsetting process?

/* Steinar */
-- 
Software Engineer, Google Switzerland
Re: Microsoft: Give Xbox One users IPv6 connectivity
On 2013-10-10 00:02, Christopher Palmer wrote:
> John and Lorenzo beat me to it :)
>
> Example: Samantha has native IPv6 and Teredo. Albert has Teredo only.

But what do you do with the more and more common case[1] where one gets native IPv6 and IPv4-over-DSlite; especially considering the high rate of connection problems over that IPv4 path? This as the dslite gateways are heavily overloaded as most destinations (read: http/bittorrent) are IPv4 only.

Will then Teredo be used, which is broken, or the perfectly working IPv6 native path? Getting out over native IPv6 in that specific scenario will be the better thing to do.

From that perspective, applying the Apple-variant of Happy Eyeballs will be beneficial. It will mean that one will have to expose all the possible IPv4 and IPv6 addresses amongst peers so that they can try out the variant combinations. SCTP or MP-TCP might be a good fit there too.

[1] German ISPs like Unitymedia, which is part of UPC/LibertyGlobal, and thus it is expected when that trial pans out that all other countries where UPC is located will be following down that rabbit hole too
Re: Microsoft: Give Xbox One users IPv6 connectivity
On 10-10-2013 14:01, Brzozowski, John Jason wrote:
> Chris can you share details of the brokenness check? What variables are considered?

Perhaps native IPv6 on the client with firewall rules that do not permit inbound traffic. A legit issue that can be expected to pop up.

Also, is there any active work on the uPNP extensions for IPv6 that allow hole punching in the firewall rules? (for native IPv6).

* Would this method also apply to the Xbox 360 in the coming years?

Kind regards,

Seth

> On Thu, Oct 10, 2013 at 12:02 AM, Christopher Palmer <christopher.pal...@microsoft.com> wrote:
>> John and Lorenzo beat me to it :)
>>
>> Example: Samantha has native IPv6 and Teredo. Albert has Teredo only.
>>
>> Albert, in destination address selection, will choose Samantha's Teredo address. Samantha, in source address selection, will use her Teredo address. This will avoid relay traversal.
>>
>> Xbox P2P policy is a bit more sophisticated than RFC 6724, but I note that the avoidance of Teredo relays is also part of Windows behavior. Windows address selection is a fairly clean implementation of RFC 6724. In RFC 6724 terms, Teredo - Teredo is a label match (Rule 5), Teredo - Native IPv6 is not. The biggest difference between us and the standard is the brokenness check.
>>
>> This does complicate the dream. In order for a set of peers to use native IPv6 – BOTH peers have to have native available. In the pathological case, if half of the world has IPv6 and connects only to the other half that only has Teredo, then no one actually uses native IPv6.
>>
>> Realistically, matchmaking is going to prefer users "close to you" (and a bunch of other things, like their gamer behavior and stuff). Naively I expect IPv6 traffic to start as local pockets, Albert playing against his neighbor, both with the same ISP. As IPv6 penetration grows hopefully we'll see significant P2P traffic across the Internet use native IPv6 transport.
>>
>> From: ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de [mailto:ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de] On Behalf Of Lorenzo Colitti
>> Sent: Wednesday, October 9, 2013 8:26 PM
>> To: Geoff Huston
>> Cc: IPv6 Ops list; Christopher Palmer
>> Subject: Re: Microsoft: Give Xbox One users IPv6 connectivity
>>
>>> On Thu, Oct 10, 2013 at 12:19 PM, Geoff Huston <g...@apnic.net> wrote:
>>>> But I've thought about your response, and if I'm allowed to dream (!), and in that dream where the efforts of Comcast, Google etc with IPv6 bear fruit, and I'm allowed to contemplate a world of, say, 33% IPv6 and 66% V4, then wouldn't we then see the remaining Teredo folk having 33% of their peer sessions head into Teredo relays to get to those 33% who are using unicast IPv6? And wouldn't that require these Teredo relays that we all know have been such a performance headache?
>>>
>>> Can't you fix that by telling the app if all you have is Teredo, prefer Teredo even if the peer has native IPv6 as well?
>>>
>>> Of course this breaks down when IPv4 goes away; once IPv4 starts going away then there's really no way to do peer-to-peer without relays, right? (Also, IPv4 going away is relatively far away at this point.)
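The address-selection argument in Chris's quoted mail (Rule 5 label match for Teredo-to-Teredo, no match for Teredo-to-native) and Lorenzo's "prefer Teredo if all you have is Teredo" can be checked against the RFC 6724 default policy table directly. The following is an added example, not code from the thread, from Windows or from the Xbox: it models only the RFC 6724 rules needed for this comparison (destination Rules 1, 5, 6 and 9; source Rules 6 and 8), the addresses are constructed (2001:db8::/32 stands in for native, 2001::/32 is the real Teredo prefix), and the `unusable` set is a hypothetical stand-in for the "brokenness check" the post mentions, whose real inputs are not described on the page.

```python
"""Simplified RFC 6724 address selection: why a Teredo-only peer picks a
dual-stack peer's Teredo address (destination Rule 5, label match) and why
the dual-stack peer then answers from its own Teredo address (source Rule 6).
Added example; not the Windows or Xbox implementation."""
from ipaddress import IPv6Address, IPv6Network

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label)
POLICY_TABLE = [
    (IPv6Network("::1/128"), 50, 0),
    (IPv6Network("::/0"), 40, 1),
    (IPv6Network("::ffff:0:0/96"), 35, 4),
    (IPv6Network("2002::/16"), 30, 2),   # 6to4
    (IPv6Network("2001::/32"), 5, 5),    # Teredo
    (IPv6Network("fc00::/7"), 3, 13),
    (IPv6Network("::/96"), 1, 3),
    (IPv6Network("fec0::/10"), 1, 11),
    (IPv6Network("3ffe::/16"), 1, 12),
]


def policy(addr):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    _, prec, label = max((row for row in POLICY_TABLE if addr in row[0]),
                         key=lambda row: row[0].prefixlen)
    return prec, label


def common_prefix_len(a, b):
    """Number of leading bits two IPv6 addresses share (source Rule 8 / dest Rule 9)."""
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(sources, dest):
    """Source selection: Rule 6 (matching label) first, then Rule 8 (longest prefix)."""
    _, dlabel = policy(dest)
    return max(sources, key=lambda s: (policy(s)[1] == dlabel,
                                       common_prefix_len(s, dest)))


def sort_destinations(dests, sources, unusable=frozenset()):
    """Destination selection. `unusable` is a hypothetical stand-in for the
    Xbox 'brokenness check' (Rule 1: discard known-unreachable addresses),
    then Rule 5 (label match), Rule 6 (precedence), Rule 9 (longest prefix)."""
    def rank(d):
        s = select_source(sources, d)
        prec, dlabel = policy(d)
        return (policy(s)[1] == dlabel, prec, common_prefix_len(s, d))
    return sorted((d for d in dests if d not in unusable), key=rank, reverse=True)


def choose_path(local, peer, unusable=frozenset()):
    """Return the (source, destination) pair a host with `local` addresses
    would use to reach a peer advertising `peer` addresses."""
    dest = sort_destinations(peer, local, unusable)[0]
    return str(select_source(local, dest)), str(dest)


# Constructed addresses for the example in the mail.
ALBERT_TEREDO = IPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2")
ALBERT_NATIVE = IPv6Address("2001:db8:2::20")
SAMANTHA_NATIVE = IPv6Address("2001:db8:1::10")
SAMANTHA_TEREDO = IPv6Address("2001:0:53aa:64c:0:ffff:c0a8:1")

if __name__ == "__main__":
    # Albert (Teredo only) -> Samantha (native + Teredo): Rule 5 picks her Teredo address.
    print(choose_path([ALBERT_TEREDO], [SAMANTHA_NATIVE, SAMANTHA_TEREDO]))
    # Samantha -> Albert: source Rule 6 picks her Teredo address, so no relay is needed.
    print(choose_path([SAMANTHA_NATIVE, SAMANTHA_TEREDO], [ALBERT_TEREDO]))
    # Both native: labels match either way, so Rule 6 (precedence 40 > 5) picks native.
    print(choose_path([ALBERT_NATIVE, ALBERT_TEREDO], [SAMANTHA_NATIVE, SAMANTHA_TEREDO]))
    # Native marked unusable (the brokenness case): both fall back to Teredo.
    print(choose_path([ALBERT_NATIVE, ALBERT_TEREDO], [SAMANTHA_NATIVE, SAMANTHA_TEREDO],
                      unusable={SAMANTHA_NATIVE}))
```

The third call shows the condition Chris states: native transport is only chosen when both sides have a native address, because only then does the label-match test succeed for the native pair and leave precedence to decide. The fourth call shows how a brokenness check that excludes one side's native address drags the whole session back to Teredo.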
Re: Microsoft: Give Xbox One users IPv6 connectivity
On Oct 9, 2013, at 11:19 PM, Geoff Huston <g...@apnic.net> wrote:
> I applaud what you guys are doing, really, but from my perspective it looks like the reliance on Teredo is really quite scary given what we see out there about how it behaves, and I'm kinda wondering what I'm missing here that you obviously must've thought through in justifying this product decision!

Geoff,

I've noticed some interesting behavior of the home-user CPE devices in recent years. They continue to push into the application-aware department, and bring with them the defects of that. We're also seeing an increasing number of folks using carrier-provided CPE in the states (e.g. if you have ATT UVerse, you must use their device, including the software defects and lack of knobs that come with it). These devices have many benefits of providing a consistent set of access, but also a consistent set of defects.

It seems Microsoft is just using Teredo as their own VPN gateway to allow the relevant communication to be possible. No different than an enterprise that provides an office router for the teleworker to connect to IT resources which might be behind a VPN. I've seen the internet continuing to shift in this direction with services, either all tunneled over http/https because that isn't blocked. They are just leveraging it to VPN out to avoid having a centralized server aggregate and relay as necessary.

This should be applauded as you mention above, as it preserves the e2e aspects while working around devices that are incapable of providing this type of service.

I for one anxiously await the update for the 360 devices to take advantage of the same technology ;) It should resolve a significant number of IPv4 issues and if that were to come out, I suspect it would be a significant killer app driving adoption of IPv6 and upgrade of CPE/Cable Modems/whatnot.

- Jared
Re: Microsoft: Give Xbox One users IPv6 connectivity
On Oct 10, 2013, at 4:56 PM, Geoff Huston wrote:
> I have not gathered data on Teredo-to-Teredo reliability. The connection failure numbers quoted above make use of a Teredo Relay.

But this Teredo-to-Teredo connection failure rate in the Internet appears to be a critical assumption here for this form of connection architecture. This does sound like something you could do with your measurement architecture. Just a little tweak here and there. Any chance of that?

- Mark

> Geoff
Re: Microsoft: Give Xbox One users IPv6 connectivity
FYI, after I put up a blog post[1] about this topic this morning, there are some interesting conversations happening on Hacker News and Reddit:

https://news.ycombinator.com/item?id=6526943
http://www.reddit.com/r/ipv6/comments/1o4zuk/microsoft_the_best_xbox_one_gaming_experience/

In my post, too, I pointed people to this mailing list, so hopefully we may see some more subscribers interested in IPv6 operations.

Regards,
Dan

[1] http://www.internetsociety.org/deploy360/blog/2013/10/microsoft-the-best-xbox-one-gaming-experience-will-be-over-ipv6/

--
Dan York
Senior Content Strategist, Internet Society
y...@isoc.org +1-802-735-1624
Jabber: y...@jabber.isoc.org
Skype: danyork
http://twitter.com/danyork
http://www.internetsociety.org/deploy360/
Re: Microsoft: Give Xbox One users IPv6 connectivity
* Mark Townsley
> On Oct 10, 2013, at 4:56 PM, Geoff Huston wrote:
>> I have not gathered data on Teredo-to-Teredo reliability. The connection failure numbers quoted above make use of a Teredo Relay.
>
> But this teredo-to-teredo connection failure rate in the Internet appears to be a critical assumption here for this form of connection architecture. This does sound like something you could do with your measurement architecture. Just a little tweak here and there. Any chance of that?

I'm actually not so sure about that. p2p is a very different thing than a controlled measurement of client connectivity to a known good web server - even if that web server is on a Teredo address. In this p2p case both ends may well be behind a stack of NATs each with their own unique set of limitations and peculiarities. The whole environment is anything but controlled.

So the question isn't whether or not Teredo is reliable per se, it's more interesting to ask if it is more or less reliable than the current STUN stuff in the Xbox 360 - and whether or not *that* is reliable to begin with. https://www.google.no/search?q=xbox+360+nat+type+moderate+strict seems to answer that with "not at all"... I doubt Teredo is a whole lot better, but I suspect it's as good as it gets on the IPv4 internet today.

Tore
Re: Microsoft: Give Xbox One users IPv6 connectivity
On Oct 10, 2013, at 10:56 AM, Geoff Huston <g...@apnic.net> wrote:
> My concern about Teredo's robustness however still remains. We've been polling users with IPv6 tests embedded in a Google Ad campaign for some years now. We were interested in teredo, so we thought that if one of the presented URLs as part of the test was http://[ipv6 address] then we'd bypass the DNS and activate teredo on all those windows platforms out there. Which is effectively what happened.

Yes, I'm aware of your measurements and results, including the ones mentioned at the mic. (btw, thanks for doing these!)

Lots of folks do weird crap. I was at a friend's house earlier this week and used his internet access and he has all sorts of stuff blocked outbound, including IMAP/SSL, SMTP-Submission, and I had to open up about 4 new ports just to get my outbound VPN working. He would be someone where it might try to activate but then fail in some spectacular fashion. I've never seen a consumer device with such restrictions in place. At least it didn't try to proxy my DNS queries then fail with anything requiring EDNS0.

I found lots of passive results from weekly DNS scans that turned up *very* interesting data about device and resolver behavior. I've not fully scripted the sifting, nor tried repeating with EDNS0-enabled scans, but interesting nonetheless.

I for one welcome the xbox revolution to push the killer-app success of IPv6 out to the consumer networks further. I predict we will be around 13-15% in 12 months as a result. (via the google measurement)

- Jared
Re: Microsoft: Give Xbox One users IPv6 connectivity
On 11/10/2013, at 2:02 AM, Mark Townsley <m...@townsley.net> wrote:
> On Oct 10, 2013, at 4:56 PM, Geoff Huston wrote:
>> I have not gathered data on Teredo-to-Teredo reliability. The connection failure numbers quoted above make use of a Teredo Relay.
>
> But this teredo-to-teredo connection failure rate in the Internet appears to be a critical assumption here for this form of connection architecture. This does sound like something you could do with your measurement architecture. Just a little tweak here and there. Any chance of that?

heh - yes, every chance of that happening.

Geoff
RE: Microsoft: Give Xbox One users IPv6 connectivity
On the native side, it's important to note that the traffic is IPsec protected, so the protocol and port information may be obfuscated and in general is not predictable. IKEv2 traffic is predictable, but we won't be using UPnP on the IPv6 side to enable in-bound IKEv2. Hopefully people follow the IETF recommendation and allow inbound IPsec/IKE to simply work. If not, it'll further encourage usage of traditional P2P mechanisms like Teredo, and we (as an industry) will have to put more energy into UPnP or PCP. That would be highly regrettable.

The thing about protocols like UPnP - the vendors who would ignore an IETF recommendation are likely to be the same vendors to skip out on making an adequate UPnP stack. Most people today do NOT have home routers that support UPnP.

-----Original Message-----
From: ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de [mailto:ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de] On Behalf Of Seth Mos
Sent: Thursday, October 10, 2013 6:01 AM
To: ipv6-ops@lists.cluenet.de
Subject: Re: Microsoft: Give Xbox One users IPv6 connectivity

On 10-10-2013 14:01, Brzozowski, John Jason wrote:
> Chris can you share details of the brokenness check? What variables are considered?

Perhaps native IPv6 on the client with firewall rules that do not permit inbound traffic. A legit issue that can be expected to pop up.

Also, is there any active work on the uPNP extensions for IPv6 that allow hole punching in the firewall rules? (for native IPv6).

* Would this method also apply to the Xbox 360 in the coming years?

Kind regards,

Seth
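Chris's point (IPsec-protected native traffic is unpredictable at the port level, so a gateway either passes IPsec/IKE inbound by default or the console falls back to Teredo) is easy to see with a small model of a "simple security" IPv6 gateway of the kind RFC 6092 describes, which Dave names later in the thread. The following is an added example written for this page, not any vendor's rule set and not Microsoft's code. It assumes a default-deny inbound, stateful-outbound filter and models RFC 6092's guidance that a gateway's default mode should pass ESP, AH and IKE; the `allow_ipsec=False` switch is a hypothetical gateway that ignores that guidance. All addresses are constructed documentation-range values, and the Teredo flow, which in reality is IPv4 UDP to port 3544, is included only to show why a LAN-initiated UDP flow passes a stateful filter while unsolicited native P2P does not.

```python
"""Toy model of an RFC 6092-style IPv6 'simple security' gateway filter.
Added example; not a real CPE implementation."""
from dataclasses import dataclass

ESP, AH, TCP, UDP = 50, 51, 6, 17      # IPv6 next-header / IPv4 protocol numbers
IKE_PORTS = {500, 4500}                # IKE, and IKE/ESP with UDP encapsulation


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from the LAN)
    proto: int
    src: str
    dst: str
    sport: int = 0   # 0 for protocols without ports (ESP, AH)
    dport: int = 0


class SimpleSecurityGateway:
    """Default-deny inbound, stateful outbound, IPsec/IKE permitted inbound.

    allow_ipsec=False is a hypothetical gateway that ignores the RFC 6092
    default and only passes replies to LAN-initiated flows."""

    def __init__(self, allow_ipsec=True):
        self.allow_ipsec = allow_ipsec
        self.flows = set()   # 5-tuples learned from outbound traffic

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "out":
            self.flows.add(key)       # remember the flow so replies get back in
            return "forward"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "forward"          # reply to a LAN-initiated flow
        if self.allow_ipsec and (
            pkt.proto in (ESP, AH)
            or (pkt.proto == UDP and pkt.dport in IKE_PORTS)
        ):
            return "forward"          # RFC 6092 default mode: let IPsec/IKE through
        return "drop"                 # unsolicited inbound, e.g. native P2P on some port


def scenario(allow_ipsec=True):
    """Push a constructed packet set through one gateway; return name -> verdict."""
    gw = SimpleSecurityGateway(allow_ipsec)
    lan = "2001:db8:1::10"             # constructed: console behind the gateway
    peer = "2001:db8:2::20"            # constructed: native-IPv6 peer on the Internet
    lan_v4 = "192.0.2.10"              # constructed: the same console's IPv4 side
    teredo_server = "198.51.100.1"     # constructed: Teredo server, real port is UDP 3544
    packets = {
        "ike_in": Packet("in", UDP, peer, lan, 500, 500),        # peer starts IKEv2
        "esp_in": Packet("in", ESP, peer, lan),                  # peer's IPsec data
        "p2p_in": Packet("in", TCP, peer, lan, 3074, 3074),      # unsolicited native P2P
        "teredo_out": Packet("out", UDP, lan_v4, teredo_server, 40000, 3544),
        "teredo_in": Packet("in", UDP, teredo_server, lan_v4, 3544, 40000),
    }
    # Insertion order matters: the outbound Teredo packet creates the state
    # that lets the inbound one through.
    return {name: gw.filter(p) for name, p in packets.items()}


if __name__ == "__main__":
    print("RFC 6092 default:", scenario())
    print("IPsec not allowed:", scenario(allow_ipsec=False))
```

With the default, inbound IKEv2 and ESP reach the console and the native session can be set up without UPnP or PCP, while an unsolicited cleartext port is still dropped. With `allow_ipsec=False` only the Teredo reply gets through, which is the fallback Chris says such gateways encourage.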
RE: Microsoft: Give Xbox One users IPv6 connectivity
On Thu, 10 Oct 2013, Christopher Palmer wrote:
> The thing about protocols like UPnP - the vendors who would ignore an IETF recommendation are likely to be the same vendors to skip out on making an adequate UPnP stack. Most people today do NOT have home routers that support UPnP.

Do you have numbers on this? My belief has been that most people today who care about anything more than web surfing would have a decently new gateway (less than 3-5 years old) and that this would support UPnP. I don't have any numbers so I would like to know more :)

--
Mikael Abrahamsson    email: swm...@swm.pp.se
Re: Microsoft: Give Xbox One users IPv6 connectivity
So Xbox One is actually the first (at least well-known) device/network/service/etc that uses IPv6 the way it was supposed to be, with IPSec?

--
Tassos

Tore Anderson wrote on 9/10/2013 23:54:
> http://www.nanog.org/sites/default/files/wed.general.palmer.xbox_.47.pdf
>
> Quoting from slide 2: «Network operators that want to provide the best possible user experience for Xbox One Users: * Provide IPv6 Connectivity»
>
> Gamers tend to be a demanding bunch. I can tell from a ton of forum posts and such that a common problem of theirs is that the Xbox (360) reports the «NAT Type» as being «Moderate» or even «Strict». If word gets around in those communities that a reliable remedy for such problems is to switch to an ISP that supports IPv6...
>
> Kudos to Chris and Microsoft!
>
> Anyone have any information on the PS4?
>
> Tore
Re: Microsoft: Give Xbox One users IPv6 connectivity
On Oct 9, 2013, at 1:54 PM, Tore Anderson <t...@fud.no> wrote:
> http://www.nanog.org/sites/default/files/wed.general.palmer.xbox_.47.pdf
>
> Quoting from slide 2: «Network operators that want to provide the best possible user experience for Xbox One Users: * Provide IPv6 Connectivity»
>
> Gamers tend to be a demanding bunch. I can tell from a ton of forum posts and such that a common problem of theirs is that the Xbox (360) reports the «NAT Type» as being «Moderate» or even «Strict». If word gets around in those communities that a reliable remedy for such problems is to switch to an ISP that supports IPv6...
>
> Kudos to Chris and Microsoft!

Yes, kudos.

Slide 6 could be summarized as follows: 'Simple Security in IPv6 Gateway CPE', RFC6092, I think?

-d

> Anyone have any information on the PS4?
>
> Tore