Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)
On Tue, Feb 16, 2010 at 08:14:13AM +0100, Mikael Abrahamsson wrote: On Tue, 16 Feb 2010, Nathan Ward wrote: Perhaps they have Teredo and 6to4, and could not reach you via 6to4 so instead used Teredo, or, any number of scenarios. I think their only IPv6 connectivity was Teredo (for instance, they're behind NAT), and thus they used it to get the IPv6 only content. So for our case here at Southampton our web presence www.ecs.soton.ac.uk is advertised via both A and records. What we see is less than 1% of our IPv6 traffic coming from the Teredo prefix. 6to4 is at most 1%. I think the reason we see less 6to4 than some might expect is that a lot of our IPv6 accesses may be from other academic networks where IPv6 is available 'properly'. I had our web guys send me a log of recent Teredo accesses to our servers and the user agents were varied.As Tore suggested, Opera 9.8 was on the list (since fixed), but also some Mozilla-based entries from both Linux and Windows platforms. Total entries: 761 Opera 9.8: 354 Firefox 3.5.7 (Windows): 61 Firefox 3.5.7 (Linux): 96 Iceweasel 3.5.6 (Linux): 8 Mozilla 4.0 (Windows): 242 Not a huge sample, but it shows Windows UAs hitting us from the Teredo prefix. -- Tim
Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)
On Fri, Feb 12, 2010 at 08:16:56AM +1100, Mark Andrews wrote: If you can't get native IPv6 then use a tunneled service like Hurricane Electric's (HE.NET). It is qualitatively better than 6to4 as it doesn't require random nodes on the net to be performing translation services for you which you can't track down the administrators of. You can get /48's from HE. Our external IPv6 web accesses are still very low, but have grown linearly over the last five years from 0.1% in 2005/06 to 0.5% of total web traffic now. Internally of course our figures are higher. Of that IPv6 traffic, 1% comes from 2002::/16 prefixes. Even less from Teredo prefixes. I guess we could run stats against known TB prefixes to determine who is using those. -- Tim
Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)
* Igor Ybema: We know we should push our provider to support native IPv6, and we do. But this should not stop us using IPv6 6to4. You should complain to the DENIC member you use, or perhaps the DENIC ops team. Perhaps it's a simple mistake. NANOG isn't the right forum for this.
Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)
On 16/02/2010, at 5:03 AM, Tim Chown wrote: On Fri, Feb 12, 2010 at 08:16:56AM +1100, Mark Andrews wrote: If you can't get native IPv6 then use a tunneled service like Hurricane Electric's (HE.NET). It is qualitatively better than 6to4 as it doesn't require random nodes on the net to be performing translation services for you which you can't track down the administrators of. You can get /48's from HE. Our external IPv6 web accesses are still very low, but have grown linearly over the last five years from 0.1% in 2005/06 to 0.5% of total web traffic now. Internally of course our figures are higher. Of that IPv6 traffic, 1% comes from 2002::/16 prefixes. Even less from Teredo prefixes. I guess we could run stats against known TB prefixes to determine who is using those. You are very unlikely to get traffic from Teredo, because: 1) Windows only asks for if it has non-Teredo IPv6 connectivity 2) When Windows has non-Teredo IPv6 connectivity and so can ask for , preference for reaching your web content is going to be non-Teredo IPv6 - IPv4 - Teredo, due to the prefix policy table, unless you have an in 2001::/32 (Teredo space), in which case it will prefer IPv4 - Teredo. With 6to4, Windows hosts will ask for , and will prefer non-6to4 IPv6 over 6to4 over IPv4. I'm a little surprised at how little 6to4 traffic you get. Teredo gets most use when an application asks for a connection to a certain IPv6 address, without DNS. This is most common in peer to peer - you're not going to levels of web traffic and P2P traffic using Teredo that are comparable ratios to IPv4. My expectation is that lines in your web logs in 2001::/32 have user agent strings indicating non-Windows hosts - or perhaps someone has miredo running on a proxy server, or perhaps the users' non-Teredo IPv6 AND IPv4 paths to you were broken when they tried to make a request. Stranger things have happened.. I wrote some code that will allow you to better understand the connectivity that end users of your web content have - when they visit your site it has them get 1x1 px transparent GIF images from various different hostnames with different characteristics in the DNS, and then reports back which loaded and how long. http://www.braintrust.co.nz/ipv6wwwtest/ Wikipedia were running this for a while, on every 100th hit. They did a modification to this where they also had a large image to test for pmtud errors. Google are using a similar technique to test IPv6 capabilities and networks. I'll add something with the pmtud stuff in the next week or so, and I'll also push the code to github. You'll probably want to make you own changes based on what you're interested in, also. -- Nathan Ward
Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)
On 16/02/2010, at 7:34 PM, Mikael Abrahamsson wrote: On Tue, 16 Feb 2010, Nathan Ward wrote: You are very unlikely to get traffic from Teredo, because: 1) Windows only asks for if it has non-Teredo IPv6 connectivity Please don't just say windows as the different versions of windows behave differently, as we've already discussed in the thread here: http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01587.html Windows XP will happily use Teredo when faced with response only. What you're describing is Vista and Win7 I guess? Yep, sorry! XP won't ask for unless it has non-Teredo connectivity though I don't think. -- Nathan Ward
Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)
On Tue, 16 Feb 2010, Nathan Ward wrote: XP won't ask for unless it has non-Teredo connectivity though I don't think. That doesn't compute considering all the XP machines with Teredo addresses that asked for my only content. http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html Of the users getting v6 only gif from non-tunnel-space, 58% were from Proxad (free.fr I believe), and then on the list came UNINET, SUNET, FUNET (university networks in .no, .se and .fi) and Hurricane electric. 98% of Teredo users run Windows XP. 88% of 6to4 users run Windows Vista. So 98% of Teredo users getting the v6only content (using DNS) was using WinXP, so it does seem it does lookups. -- Mikael Abrahamssonemail: swm...@swm.pp.se
Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)
On 16/02/2010, at 7:47 PM, Mikael Abrahamsson wrote: On Tue, 16 Feb 2010, Nathan Ward wrote: XP won't ask for unless it has non-Teredo connectivity though I don't think. That doesn't compute considering all the XP machines with Teredo addresses that asked for my only content. http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html Of the users getting v6 only gif from non-tunnel-space, 58% were from Proxad (free.fr I believe), and then on the list came UNINET, SUNET, FUNET (university networks in .no, .se and .fi) and Hurricane electric. 98% of Teredo users run Windows XP. 88% of 6to4 users run Windows Vista. So 98% of Teredo users getting the v6only content (using DNS) was using WinXP, so it does seem it does lookups. I mean non-Teredo connectivity in addition to Teredo. Perhaps they have Teredo and 6to4, and could not reach you via 6to4 so instead used Teredo, or, any number of scenarios. -- Nathan Ward
Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)
On Tue, 16 Feb 2010, Nathan Ward wrote: Perhaps they have Teredo and 6to4, and could not reach you via 6to4 so instead used Teredo, or, any number of scenarios. I think their only IPv6 connectivity was Teredo (for instance, they're behind NAT), and thus they used it to get the IPv6 only content. -- Mikael Abrahamssonemail: swm...@swm.pp.se
Denic (.de) blocking 6to4 nameservers (since begin feb 2010)
Hi, We are using 6to4 on our fallback site because the provider there is not able to provide us native IPv6 yet. We have also installed a fallback nameserver over there using a 6to4 address. This works good and no complains what so ever in the past. However, last week Denic (registry for .de) changed their policy (or their checks). They don't allow a nameserver for a .de domain anymore which contains a 6to4 address. The policy is it should be a global unicast AND the block should be assigned to a RIR for suballocation purpose. The 6to4 range is Global Unicast (http://www.iana.org/assignments/ipv6-unicast-address-assignments/) but it is not assigned to a RIR because it is a special block. This fails their policy and their checks (resulting in a ERROR: 105 All IPv6 Addresses must be Global Unicast). Ok, policy is policy and we should not complain. However, I'm asking your opinions about this policy. I find this really stupid because this completely brakes use for 6to4 in Germany and their is no good reason to block it. We know we should push our provider to support native IPv6, and we do. But this should not stop us using IPv6 6to4. regards, Igor Ybema
Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)
On 11/02/2010 12:26, Igor Ybema wrote: Ok, policy is policy and we should not complain. However, I'm asking your opinions about this policy. I find this really stupid because this completely brakes use for 6to4 in Germany and their is no good reason to block it. Someone once asked Angela Merkel what she liked most about Germany. She replied Ich denke an dichte Fenster! Kein anderes Land kann so dichte und so schöne Fenster bauen (I think ... thick windows. No other country can build windows which are as thick or as nice.) This might just be a cultural thing. While lots of countries have a love affair with doing things badly, Germany realises the value of quality infrastructure. 6to4 is ghetto. DE-NIC doesn't like it. Putting a DNS server on a 6to4 address serves no other purpose than to say: There! I fixed it! ob-url: http://thereifixedit.com/ Nick
Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)
On Feb 11, 2010, at 8:15 AM, Nick Hilliard wrote: On 11/02/2010 12:26, Igor Ybema wrote: Ok, policy is policy and we should not complain. However, I'm asking your opinions about this policy. I find this really stupid because this completely brakes use for 6to4 in Germany and their is no good reason to block it. Someone once asked Angela Merkel what she liked most about Germany. She replied Ich denke an dichte Fenster! Kein anderes Land kann so dichte und so schöne Fenster bauen (I think ... thick windows. No other country can build windows which are as thick or as nice.) Actually, the translation is: I think about airtight windows. No other country can build widows that are this airtight and this beautiful. dicht = airtight, dick = thick. This might just be a cultural thing. While lots of countries have a love affair with doing things badly, Germany realises the value of quality infrastructure. 6to4 is ghetto. DE-NIC doesn't like it. Putting a DNS server on a 6to4 address serves no other purpose than to say: There! I fixed it! ob-url: http://thereifixedit.com/ Nick
Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)
In message a05493651002110426u7d9688c9i273ff64c456ec...@mail.gmail.com, Igor Ybema writes: Hi, We are using 6to4 on our fallback site because the provider there is not able to provide us native IPv6 yet. We have also installed a fallback nameserver over there using a 6to4 address. This works good and no complains what so ever in the past. However, last week Denic (registry for .de) changed their policy (or their checks). They don't allow a nameserver for a .de domain anymore which contains a 6to4 address. The policy is it should be a global unicast AND the block should be assigned to a RIR for suballocation purpose. The 6to4 range is Global Unicast (http://www.iana.org/assignments/ipv6-unicast-address-assignments/) but it is not assigned to a RIR because it is a special block. This fails their policy and their checks (resulting in a ERROR: 105 All IPv6 Addresses must be Global Unicast). Ok, policy is policy and we should not complain. However, I'm asking your opinions about this policy. I find this really stupid because this completely brakes use for 6to4 in Germany and their is no good reason to block it. We know we should push our provider to support native IPv6, and we do. But this should not stop us using IPv6 6to4. regards, Igor Ybema If you can't get native IPv6 then use a tunneled service like Hurricane Electric's (HE.NET). It is qualitatively better than 6to4 as it doesn't require random nodes on the net to be performing translation services for you which you can't track down the administrators of. You can get /48's from HE. I use HE.NET and have for the last 7 or so years for my home network. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
