Re: Yahoo and IPv6

2011-06-01 Thread Steve Clark

On 05/31/2011 05:31 PM, Voll, Toivo wrote:

Going to http://help.yahoo.com/l/us/yahoo/ipv6/ and hitting Start IPv6 Test I 
get:
Your system will continue to work for you on World IPv6 day. However, we found that 
your server only supports IPv4 at this time. You'll simply continue to use IPv4 to reach 
your favorite web sites.

Netalyzr (http://n3.netalyzr.icsi.berkeley.edu/analysis) finds no issues with 
my IPv6 status, but alerts me to the fact (since confirmed by switching to IE) 
that Google Chrome defaults to IPv4 rather than IPv6, and consequently a lot of 
the testing tools claim that my IPv6 is broken.

Toivo Voll
Network Administrator
Information Technology Communications
University of South Florida

-----Original Message-----
From: Brandon Ross [mailto:br...@pobox.com]
Sent: Monday, May 09, 2011 12:25
To: Arie Vayner
Cc: nanog@nanog.org
Subject: Re: Yahoo and IPv6

Even more disturbing than that is that when I run a test from here it says
that I have broken v6.  But I don't have broken v6 and test-v6.com proves
it with a 10/10.  This Yahoo tool doesn't seem to even give a hint as to
what it thinks is broken.

Can anyone from Yahoo shed some light on what this tool is doing and how
to get it to tell us what it thinks is broken?


Interesting - must be a windows issue, Google Chrome on Linux works fine at
http://help.yahoo.com/l/us/yahoo/ipv6/


--
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: Yahoo and IPv6

2011-06-01 Thread Tim Chown

On 31 May 2011, at 22:31, Voll, Toivo wrote:

 
 Netalyzr (http://n3.netalyzr.icsi.berkeley.edu/analysis) finds no issues with 
 my IPv6 status, but alerts me to the fact (since confirmed by switching to 
 IE) that Google Chrome defaults to IPv4 rather than IPv6, and consequently a 
 lot of the testing tools claim that my IPv6 is broken. 

I'm a little confused there - the current Chrome prefers IPv6, and also now 
includes code to allow fast failover to IPv4 in the event IPv6 connectivity is 
down/slow (300ms headstart).

I had some issues with Netalyzr detecting my dual-stack status, which the 
chaps there are helping with.

Tim




RE: Yahoo and IPv6

2011-05-31 Thread Voll, Toivo
Going to http://help.yahoo.com/l/us/yahoo/ipv6/ and hitting Start IPv6 Test I 
get:
Your system will continue to work for you on World IPv6 day. However, we found 
that your server only supports IPv4 at this time. You'll simply continue to use 
IPv4 to reach your favorite web sites.

Netalyzr (http://n3.netalyzr.icsi.berkeley.edu/analysis) finds no issues with 
my IPv6 status, but alerts me to the fact (since confirmed by switching to IE) 
that Google Chrome defaults to IPv4 rather than IPv6, and consequently a lot of 
the testing tools claim that my IPv6 is broken. 

Toivo Voll
Network Administrator
Information Technology Communications
University of South Florida

-----Original Message-----
From: Brandon Ross [mailto:br...@pobox.com] 
Sent: Monday, May 09, 2011 12:25
To: Arie Vayner
Cc: nanog@nanog.org
Subject: Re: Yahoo and IPv6

Even more disturbing than that is that when I run a test from here it says 
that I have broken v6.  But I don't have broken v6 and test-v6.com proves 
it with a 10/10.  This Yahoo tool doesn't seem to even give a hint as to 
what it thinks is broken.

Can anyone from Yahoo shed some light on what this tool is doing and how 
to get it to tell us what it thinks is broken?

-- 
Brandon Ross  AIM:  BrandonNRoss
ICQ:  2269442
Skype:  brandonross  Yahoo:  BrandonNRoss



Re: Yahoo and IPv6

2011-05-19 Thread Matthew Kaufman

On 5/9/2011 8:16 AM, Arie Vayner wrote:

What disturbs me is the piece saying We recommend disabling IPv6
<http://us.lrd.yahoo.com/_ylt=ArHGqIAYvt_4fpp3N3vLzmNRJ3tG/SIG=11vv8jc1f/**http%3A//help.yahoo.com/l/us/yahoo/ipv6/general/ipv6-09.html>,
with a very easy link...


And I was just sent this link from our very own NSA: 
http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf


Disable IPv6 and AirPort when Not Needed
Open the Network pane in System Preferences. For every
network interface listed:
• If it is an AirPort interface but AirPort is not required,
click Turn AirPort off.
• Click Advanced.  Click on the TCP/IP tab and set
Configure IPv6: to Off if not needed.  If it is an
AirPort interface, click on the AirPort tab and enable
Disconnect when logging out.

Matthew Kaufman



Re: Yahoo and IPv6

2011-05-19 Thread Owen DeLong

On May 19, 2011, at 4:21 PM, Matthew Kaufman wrote:

 On 5/9/2011 8:16 AM, Arie Vayner wrote:
 What disturbs me is the piece saying We recommend disabling IPv6
 <http://us.lrd.yahoo.com/_ylt=ArHGqIAYvt_4fpp3N3vLzmNRJ3tG/SIG=11vv8jc1f/**http%3A//help.yahoo.com/l/us/yahoo/ipv6/general/ipv6-09.html>,
 with a very easy link...
 
 And I was just sent this link from our very own NSA: 
 http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf
 
 Disable IPv6 and AirPort when Not Needed
 Open the Network pane in System Preferences. For every
 network interface listed:
 • If it is an AirPort interface but AirPort is not required,
 click Turn AirPort off.
 • Click Advanced.  Click on the TCP/IP tab and set
 Configure IPv6: to Off if not needed.  If it is an
 AirPort interface, click on the AirPort tab and enable
 Disconnect when logging out.
 
 Matthew Kaufman

Proving that the NSA is behind the times like any other government institution. 
No real surprise.

Owen




Re: Yahoo and IPv6

2011-05-18 Thread Jeroen van Aart

Steve Clark wrote:
This is all very confusing to me. How are meaningful names going to be 
assigned automatically?
Right now I see something like ool-6038bdcc.static.optonline.net for one 
of our servers, how does this mean anything to anyone else?


Does http://وزارة-الأتصالات.مصر/ mean more to you?

Or http://xn--4gbrim.xnymcbaaajlc6dj7bxne2c.xn--wgbh1c which is what 
it translates to in your browser.


Just saying... ;-)

--
http://goldmark.org/jeff/stupid-disclaimers/
http://linuxmafia.com/~rick/faq/plural-of-virus.html



Re: Yahoo and IPv6

2011-05-18 Thread Jeroen van Aart

Paul Vixie wrote:

time in Nicaragua he said that he has a lot of days like this and he'd
like more work to be possible when only local connectivity was available.

Compelling stuff.  Pity there's no global market for localized services
or we'd already have it.  Nevertheless this must and will get fixed, and
we should be the generation who does it.


I have found that the general theme is to move services that were 
traditionally available inside an office network (source control, email, 
ticketing/bug tracking systems, storing documents, corporate wikis 
etc.) to an external place, perhaps even outsourced to one of the 
virtual server or software as a service providers.


I am not a particular fan of that trend, but I can see the pros and cons 
of doing it. It doesn't look like that's going to stop any time soon, 
let alone be (partially) reversed.


Regards,
Jeroen

--
http://goldmark.org/jeff/stupid-disclaimers/
http://linuxmafia.com/~rick/faq/plural-of-virus.html



Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-18 Thread Steven Bellovin

On May 17, 2011, at 10:30:13 PM, Joel Jaeggli wrote:

 
 On May 17, 2011, at 6:09 PM, Scott Weeks wrote:
 
 --- joe...@bogus.com wrote:
 From: Joel Jaeggli joe...@bogus.com
 On May 17, 2011, at 4:30 PM, Scott Brim wrote:
 On May 17, 2011 6:26 PM, valdis.kletni...@vt.edu wrote:
 On Tue, 17 May 2011 15:04:19 PDT, Scott Weeks said:
 
 What about privacy concerns
 
 Privacy is dead.  Get used to it. -- Scott McNealy
 
 Forget that attitude, Valdis. Just because privacy is blown at one level
 doesn't mean you give it away at every other one. We establish the framework
 for recovering privacy and make progress step by step, wherever we can.
 Someday we'll get it all back under control.
 
 if you put something in the dns you do so because you want to be discovered. 
 scoping the nameservers such that they only express certain resource 
 records to queriers in a particular scope is fairly straightforward.
 
 
 
 The article was not about DNS.  It was about Persistent Personal Names for 
 Globally Connected Mobile Devices where Users normally create personal 
 names by introducing devices locally, on a common WiFi network for example. 
 Once created, these names remain persistently bound to their targets as 
 devices move. Personal names are intended to supplement and not replace 
 global DNS names.  
 
 you mean like mac addresses? those have a tendency to follow you around in 
 ipv6...
 
This is why RFC 3041 (replaced by 4941) was written, 10+ years ago.  The problem
is that it's not enabled by default on many (possibly all) platforms, so I
have to have

# cat /etc/sysctl.conf
net.inet6.ip6.use_tempaddr=1

set on my Mac.


--Steve Bellovin, https://www.cs.columbia.edu/~smb
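
Added example, not part of the original message: a check for the problem discussed above, where an autoconfigured IPv6 address embeds the interface's MAC (modified EUI-64) unless RFC 3041/4941 temporary addresses are enabled. The sample addresses and the MAC are constructed for illustration, and a /64 prefix length is assumed.

```python
"""Audit IPv6 addresses for interface IDs derived from the hardware MAC
(modified EUI-64), the stable identifier that RFC 3041/4941 temporary
addresses are meant to avoid."""
import ipaddress
from collections import defaultdict

# Constructed sample: addresses one laptop might hold on two networks.
# 2001:db8::/32 is the documentation prefix; the MAC is made up.
SAMPLE_ADDRESSES = [
    "fe80::21a:2bff:fe3c:4d5e%en0",       # link-local, EUI-64 (on-link only)
    "2001:db8:1:2:21a:2bff:fe3c:4d5e",    # global, EUI-64, network A
    "2001:db8:1:2:5c9e:3a71:b42:d8f0",    # global, randomized (temporary)
    "2001:db8:aa:bb:21a:2bff:fe3c:4d5e",  # global, EUI-64, network B
]


def parse(addr):
    """Parse an address, dropping any %zone or /prefix suffix."""
    return ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])


def embedded_mac(addr):
    """Return the MAC encoded in the interface ID, or None.

    Modified EUI-64 inserts ff:fe between the two halves of the MAC and
    flips the universal/local bit (0x02) of the first octet. A random
    interface ID matches the ff:fe marker by chance about 1 time in 65536,
    so treat a single hit as a strong hint rather than proof.
    """
    iid = parse(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def mac_exposure(addresses):
    """Map each MAC visible off-link to the /64 prefixes it appeared under.

    Link-local addresses are skipped because they never leave the segment;
    the tracking concern is the same interface ID showing up in global
    addresses on every network the host visits.
    """
    seen = defaultdict(set)
    for addr in addresses:
        ip = parse(addr)
        mac = embedded_mac(addr)
        if mac is None or ip.is_link_local:
            continue
        prefix = ipaddress.IPv6Interface(f"{ip}/64").network
        seen[mac].add(str(prefix))
    return {mac: sorted(prefixes) for mac, prefixes in seen.items()}


if __name__ == "__main__":
    for mac, prefixes in mac_exposure(SAMPLE_ADDRESSES).items():
        print(f"MAC {mac} is exposed under: {', '.join(prefixes)}")
```

A host with temporary addresses in use for outbound connections should produce no entries for the source addresses it actually presents to remote sites.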








Re: Yahoo and IPv6

2011-05-18 Thread Owen DeLong

On May 17, 2011, at 8:55 AM, Matthew Kaufman wrote:

 On 5/17/2011 5:25 AM, Owen DeLong wrote:
 
 My point was that at least in IPv6, you can reach your boxes whereas with
 IPv4, you couldn't reach them at all (unless you used a rendezvous service
 and preconfigured stuff).
 
 Actually almost everyone will *still* need a rendezvous service as even if 
 there isn't NAT66 (which I strongly suspect there will be, as nobody has 
 magically solved the rest of the renumbering problems) there will still be 
 default firewall filters that the average end-user won't know how or why to 
 change (and in some cases won't even have access to the CPE).

PI solves the majority of the renumbering problems quite nicely and is
readily available for most orgs. now.

Beyond that, I think you will see firewalls become much easier for the
average person to manage and it will become a simple matter of making an
http (hopefully https) connection to the home gateway and telling it which
service (by name, such as VNC, HTTP, HTTPS, etc. from a pull-down) and
which host (ideally by name, but, may have other requirements here) to
permit.

Some firewalls already come pretty close to that.

There is also talk (for better or worse) of having something like UPNP,
but, without the NAT for enabling such services.

No rendezvous server required.

 
 For the former we can only hope that NAT66 box builders can get guidance from 
 IETF rather than having IETF stick its collective head in the sand... for the 
 latter the firewall traversal has a chance of being more reliable than having 
 to traverse both filtering and address translation.
 

I'm still hoping that we just don't have NAT66 box builders. So far, it's 
working out that way.

Owen





Re: Yahoo and IPv6

2011-05-18 Thread Michael Dillon
 Right now I see something like ool-6038bdcc.static.optonline.net for one
 of our servers, how does this
 mean anything to anyone else?

 Does http://وزارة-الأتصالات.مصر/ mean more to you?

 Or http://xn--4gbrim.xnymcbaaajlc6dj7bxne2c.xn--wgbh1c which is what it
 translates to in your browser.

Actually, it translates to
http://xnrmckbbajlc6dj7bxne2c.xn--wgbh1c/ in the browser which
then redirects to the URL that you quoted above.

Got to pay attention to these details if you want to keep up your
troubleshooting skills.

--Michael Dillon



Re: Yahoo and IPv6

2011-05-17 Thread Mans Nilsson
Subject: Re: Yahoo and IPv6 Date: Tue, May 17, 2011 at 04:22:54AM + Quoting 
Paul Vixie (vi...@isc.org):
  From: Owen DeLong o...@delong.com
  Date: Mon, 16 May 2011 16:12:27 -0700
  
  ... It's not like you can even reach anything at home now, let alone
  reach it by name.
 
 that must and will change.  let's be the generation who makes it possible.

I'd like to respond to this by stating that I support this fully, but
I'm busy making sure I can reach my machines at home from the IPv6
Internet. By name. ;-) 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
HELLO KITTY gang terrorizes town, family STICKERED to death!




Re: Yahoo and IPv6

2011-05-17 Thread Owen DeLong

On May 17, 2011, at 2:07 AM, Mans Nilsson wrote:

 Subject: Re: Yahoo and IPv6 Date: Tue, May 17, 2011 at 04:22:54AM + 
 Quoting Paul Vixie (vi...@isc.org):
 From: Owen DeLong o...@delong.com
 Date: Mon, 16 May 2011 16:12:27 -0700
 
 ... It's not like you can even reach anything at home now, let alone
 reach it by name.
 
 that must and will change.  let's be the generation who makes it possible.
 
 I'd like to respond to this by stating that I support this fully, but
 I'm busy making sure I can reach my machines at home from the IPv6
 Internet. By name. ;-) 

I think my statement has been taken out of context and misunderstood.

I was responding to a claim that having to understand DNS to reach your
IPv6 boxes by name was somehow a step backwards from IPv4.

My point was that at least in IPv6, you can reach your boxes whereas with
IPv4, you couldn't reach them at all (unless you used a rendezvous service
and preconfigured stuff).

To me, pre-configuring DNS through the web interface for one of the free
DNS services with the IPv6 address is not any more difficult than setting
up one of the rendezvous services (most of which you have to pay for
if you want any real utility).

To my mind, IPv6 is a giant leap forward here, not a step backwards.
At least you can reach your stuff, even if the administration of the naming
process isn't 100% automated and perfect just yet.

Owen




Re: Yahoo and IPv6

2011-05-17 Thread Paul Vixie
 Date: Tue, 17 May 2011 11:07:17 +0200
 From: Mans Nilsson mansa...@besserwisser.org
 
   ... It's not like you can even reach anything at home now, let alone
   reach it by name.
  
  that must and will change.  let's be the generation who makes it possible.
 
 I'd like to respond to this by stating that I support this fully, but
 I'm busy making sure I can reach my machines at home from the IPv6
 Internet. By name. ;-)

:-).

to be clear, the old pre-web T1 era internet did not have much content
but what content there was, was not lopsided.  other than slip and ppp
there weren't a lot of networks one would call access and a smaller
number of networks one would call content.  i am not wishing for that,
i like the web, i like content, i know there will be specialized networks
for access and content.  but i also think (as jim gettys does) that we
ought to be able to get useful work done without being able to reach the
whole internet all the time.  that's going to mean being able to reach
other mostly-access networks in our same neighborhoods and multitenant
buildings and towns and cities, directly, and by name.  it does not mean
being able to start facebook 2.0 out of somebody's basement, but it does
mean being able to run a personal smtp or web server in one's basement
and have it mostly work for the whole internet and work best for accessors
who are close by and still work even when the upstream path for the
neighborhood is down.



Re: Yahoo and IPv6

2011-05-17 Thread Steve Clark

On 05/17/2011 08:56 AM, Paul Vixie wrote:

Date: Tue, 17 May 2011 11:07:17 +0200
From: Mans Nilssonmansa...@besserwisser.org


... It's not like you can even reach anything at home now, let alone
reach it by name.

that must and will change.  let's be the generation who makes it possible.

I'd like to respond to this by stating that I support this fully, but
I'm busy making sure I can reach my machines at home from the IPv6
Internet. By name. ;-)

:-).

to be clear, the old pre-web T1 era internet did not have much content
but what content there was, was not lopsided.  other than slip and ppp
there weren't a lot of networks one would call access and a smaller
number of networks one would call content.  i am not wishing for that,
i like the web, i like content, i know there will be specialized networks
for access and content.  but i also think (as jim gettys does) that we
ought to be able to get useful work done without being able to reach the
whole internet all the time.  that's going to mean being able to reach
other mostly-access networks in our same neighborhoods and multitenant
buildings and towns and cities, directly, and by name.  it does not mean
being able to start facebook 2.0 out of somebody's basement, but it does
mean being able to run a personal smtp or web server in one's basement
and have it mostly work for the whole internet and work best for accessors
who are close by and still work even when the upstream path for the
neighborhood is down.


This is all very confusing to me. How are meaningful names going to be
assigned automatically?
Right now I see something like ool-6038bdcc.static.optonline.net for one of
our servers, how does this mean anything to anyone else?


--
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: Yahoo and IPv6

2011-05-17 Thread Matthew Kaufman

On 5/17/2011 5:25 AM, Owen DeLong wrote:


My point was that at least in IPv6, you can reach your boxes whereas with
IPv4, you couldn't reach them at all (unless you used a rendezvous service
and preconfigured stuff).


Actually almost everyone will *still* need a rendezvous service as even 
if there isn't NAT66 (which I strongly suspect there will be, as nobody 
has magically solved the rest of the renumbering problems) there will 
still be default firewall filters that the average end-user won't know 
how or why to change (and in some cases won't even have access to the CPE).


For the former we can only hope that NAT66 box builders can get guidance 
from IETF rather than having IETF stick its collective head in the 
sand... for the latter the firewall traversal has a chance of being more 
reliable than having to traverse both filtering and address translation.


Matthew Kaufman



Re: Yahoo and IPv6

2011-05-17 Thread Joel Jaeggli

On May 17, 2011, at 8:49 AM, Steve Clark wrote:

 On 05/17/2011 08:56 AM, Paul Vixie wrote:
 Date: Tue, 17 May 2011 11:07:17 +0200
 From: Mans Nilssonmansa...@besserwisser.org
 
 ... It's not like you can even reach anything at home now, let alone
 reach it by name.
 that must and will change.  let's be the generation who makes it possible.
 I'd like to respond to this by stating that I support this fully, but
 I'm busy making sure I can reach my machines at home from the IPv6
 Internet. By name. ;-)
 :-).
 
 to be clear, the old pre-web T1 era internet did not have much content
 but what content there was, was not lopsided.  other than slip and ppp
 there weren't a lot of networks one would call access and a smaller
 number of networks one would call content.  i am not wishing for that,
 i like the web, i like content, i know there will be specialized networks
 for access and content.  but i also think (as jim gettys does) that we
 ought to be able to get useful work done without being able to reach the
 whole internet all the time.  that's going to mean being able to reach
 other mostly-access networks in our same neighborhoods and multitenant
 buildings and towns and cities, directly, and by name.  it does not mean
 being able to start facebook 2.0 out of somebody's basement, but it does
 mean being able to run a personal smtp or web server in one's basement
 and have it mostly work for the whole internet and work best for accessors
 who are close by and still work even when the upstream path for the
 neighborhood is down.
 
 This is all very confusing to me. How are meaningful names going to be 
 assigned automatically?

dynamic dns updates seems like an obvious choice.

 Right now I see something like ool-6038bdcc.static.optonline.net for one of 
 our servers, how does this
 mean anything to anyone else?
 
 
 -- 
 Stephen Clark
 *NetWolves*
 Sr. Software Engineer III
 Phone: 813-579-3200
 Fax: 813-882-0209
 Email: steve.cl...@netwolves.com
 http://www.netwolves.com
 




Re: Yahoo and IPv6

2011-05-17 Thread Iljitsch van Beijnum
On 17 mei 2011, at 17:55, Matthew Kaufman wrote:

 firewall traversal

Smells like job security: first install a firewall, then traverse it anyway.




Re: Yahoo and IPv6

2011-05-17 Thread Paul Vixie
 Date: Tue, 17 May 2011 11:49:47 -0400
 From: Steve Clark scl...@netwolves.com
 
 This is all very confusing to me. How are meaningful names going to be
 assigned automatically?

It'll probably be a lot like Apple's and Xerox's various multicast naming
systems if we want it to work in non-globally connected networks.

 Right now I see something like ool-6038bdcc.static.optonline.net for
 one of our servers, how does this mean anything to anyone else?

It wouldn't of course.  I'm sorry if my earlier words on this were useless.

Dave Taht gave a wonderful talk a few weeks ago (Finishing the Internet,
see http://amw.org/prog11.pdf) during which he had us start an rsync
from his wireless laptop to as many of ours as could run rsync, and then
had the conference organizer turn off the upstream link.  He noted that
those of us using the local resource (a giant file, either an ISO or a
MPEG or similar) were still getting work done whereas those of us trying
to use the internet were dead in the water.  Then, referring to his
time in Nicaragua he said that he has a lot of days like this and he'd
like more work to be possible when only local connectivity was available.

Compelling stuff.  Pity there's no global market for localized services
or we'd already have it.  Nevertheless this must and will get fixed, and
we should be the generation who does it.



Re: Yahoo and IPv6

2011-05-17 Thread Tony Finch
Paul Vixie vi...@isc.org wrote:

  This is all very confusing to me. How are meaningful names going to be
  assigned automatically?

 It'll probably be a lot like Apple's and Xerox's various multicast naming
 systems if we want it to work in non-globally connected networks.

Or perhaps user-relative names.
http://www.brynosaurus.com/pub/net/uia-osdi.pdf

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in
Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5
or 6 later. Rough or very rough. Occasional rain. Moderate or good,
occasionally poor.



Re: Yahoo and IPv6

2011-05-17 Thread Mans Nilsson
Subject: Re: Yahoo and IPv6 Date: Tue, May 17, 2011 at 12:56:37PM + Quoting 
Paul Vixie (vi...@isc.org):

 :-).
 
 to be clear, the old pre-web T1 era internet did not have much content
 but what content there was, was not lopsided.  other than slip and ppp
 there weren't a lot of networks one would call access and a smaller
 number of networks one would call content.  i am not wishing for that,
 i like the web, i like content, i know there will be specialized networks
 for access and content.  but i also think (as jim gettys does) that we
 ought to be able to get useful work done without being able to reach the
 whole internet all the time.  that's going to mean being able to reach
 other mostly-access networks in our same neighborhoods and multitenant
 buildings and towns and cities, directly, and by name.  it does not mean
 being able to start facebook 2.0 out of somebody's basement, but it does
 mean being able to run a personal smtp or web server in one's basement
 and have it mostly work for the whole internet and work best for accessors
 who are close by and still work even when the upstream path for the
 neighborhood is down.
 
Now I seem to have got time enough to fully agree with you.  

The next facebook will start in a low-price datacenter. These
facilities did not exist as products before, and it can be argued that
the access/content separation does drive that market -- as long as I
had working Internet (as opposed to access class Internet ) at home,
I had no use for a colo.

Still, the centralization of content into a few networks does raise a
number of issues -- mostly regarding stability. Do note here that
several factors negatively impact stability, be they technical,
economical or legal. Peter Löthberg long ago advocated a network
interconnection model that was pretty local (and I believe he still
does). Peer often and everywhere.  That would take care of packets
getting through (as long as we all have unique addresses to point at;
v6 fixes this) The services that take the Net from being a graph
problem for nerds with BGP CLI access into what it has become need to
undergo similar fine-graining to keep up.

Oh, sorry, got carried away. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
My life is a patio of fun!




user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Weeks


--- d...@dotat.at wrote:
Or perhaps user-relative names.
http://www.brynosaurus.com/pub/net/uia-osdi.pdf
--


What about privacy concerns; stopping your every move being tracked through the 
personal name attached to all of your devices?  Did I miss something in the 
paper?

scott



Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Valdis . Kletnieks
On Tue, 17 May 2011 15:04:19 PDT, Scott Weeks said:
 
 What about privacy concerns

Privacy is dead.  Get used to it. -- Scott McNealy






Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Weeks


--- valdis.kletni...@vt.edu wrote: -
From: valdis.kletni...@vt.edu
On Tue, 17 May 2011 15:04:19 PDT, Scott Weeks said:
 
 What about privacy concerns

Privacy is dead.  Get used to it. -- Scott McNealy
--


It doesn't have to be that way.  We can design these things any way we want.  
Why give the corpment (corporate/government contraction) an easy time at it?  
Just like the early days, security and privacy do not seem to be in folk's mind 
when things are being designed.

scott





Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Brim
On May 17, 2011 6:26 PM, valdis.kletni...@vt.edu wrote:

 On Tue, 17 May 2011 15:04:19 PDT, Scott Weeks said:

  What about privacy concerns

 Privacy is dead.  Get used to it. -- Scott McNealy

Forget that attitude, Valdis. Just because privacy is blown at one level
doesn't mean you give it away at every other one. We establish the framework
for recovering privacy and make progress step by step, wherever we can.
Someday we'll get it all back under control.

Scott


Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Joel Jaeggli

On May 17, 2011, at 4:30 PM, Scott Brim wrote:

 On May 17, 2011 6:26 PM, valdis.kletni...@vt.edu wrote:
 
 On Tue, 17 May 2011 15:04:19 PDT, Scott Weeks said:
 
 What about privacy concerns
 
 Privacy is dead.  Get used to it. -- Scott McNealy
 
 Forget that attitude, Valdis. Just because privacy is blown at one level
 doesn't mean you give it away at every other one. We establish the framework
 for recovering privacy and make progress step by step, wherever we can.
 Someday we'll get it all back under control.

if you put something in the dns you do so because you want to be discovered. 
scoping the nameservers such that they only express certain resource 
records to queriers in a particular scope is fairly straightforward.

 Scott
 




Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Valdis . Kletnieks
(And I get flamed by multiple people because I put in the quote and managed to
hit send before adding the commentary. Maybe one of these days I'll learn not
to try to mix replying to e-mail and dealing with vendor engineers doing a tape
library expansion at the same time. :)  Oh well, equivalent text follows as a
reply to Scott...)

On Tue, 17 May 2011 16:05:11 PDT, Scott Weeks said:
 It doesn't have to be that way.  We can design these things any way we want.

True.  The question is whether we get to *deploy* said designs.

 Why give the corpment (corporate/government contraction) an easy time at it?
 Just like the early days, security and privacy do not seem to be in folk's 
 mind
 when things are being designed.

But more importantly, who has more/better lobbyists, you or the people who
want things like COICA and ACTA?

You're going to have to fix *that* problem before trying to address it at the
protocol level will do any real, lasting good.  Either that or we need a *lot* 
more TOR
relays (while those are still legal).

Oh, and an article that coincidentally popped up since I hit 'send' on the
previous mail:

http://radar.oreilly.com/2011/05/anonymize-data-limits.html

Designing things to evade good data mining is a *lot* harder than it looks.






Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Weeks
--- joe...@bogus.com wrote:
From: Joel Jaeggli joe...@bogus.com
On May 17, 2011, at 4:30 PM, Scott Brim wrote:
 On May 17, 2011 6:26 PM, valdis.kletni...@vt.edu wrote:
 On Tue, 17 May 2011 15:04:19 PDT, Scott Weeks said:
 
 What about privacy concerns
 
 Privacy is dead.  Get used to it. -- Scott McNealy
 
 Forget that attitude, Valdis. Just because privacy is blown at one level
 doesn't mean you give it away at every other one. We establish the framework
 for recovering privacy and make progress step by step, wherever we can.
 Someday we'll get it all back under control.

if you put something in the dns you do so because you want to be discovered. 
scoping the nameservers such that they only express certain resource 
records to queriers in a particular scope is fairly straightforward.



The article was not about DNS.  It was about Persistent Personal Names for 
Globally Connected Mobile Devices where Users normally create personal names 
by introducing devices locally, on a common WiFi network for example. Once 
created, these names remain persistently bound to their targets as devices 
move. Personal names are intended to supplement and not replace global DNS 
names.  

I see a lot of folks on lists designing future networks where an identifier 
follows you everywhere and we as operators will have to deal with a public 
hostile to the idea of being followed.  It's happening now.  Just read all the 
articles on privacy lost.  It's not going to go away.  People like their 
privacy whether they're doing bad things or not.

scott



Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Weeks

--- valdis.kletni...@vt.edu wrote:
From: valdis.kletni...@vt.edu

 Why give the corpment (corporate/government contraction) an easy time at it?
 Just like the early days, security and privacy do not seem to be in folk's 
 mind
 when things are being designed.

But more importantly, who has more/better lobbyists, you or the people who
want things like COICA and ACTA?

You're going to have to fix *that* problem before trying to address it at the
protocol level will do any real, lasting good.  Either that or we need a *lot* 
more TOR
relays (while those are still legal).
---

It's a multi-layered problem and designers at all layers need to keep privacy 
in mind.  You can't solve the multi-layered privacy problem with a design at 
one layer.




Oh, and an article that coincidentally popped up since I hit 'send' on the
previous mail:

http://radar.oreilly.com/2011/05/anonymize-data-limits.html

Designing things to evade good data mining is a *lot* harder than it looks.


This article doesn't really address what we're discussing.  It looks at the 
'upper' layer only.  I'm just saying that we don't need an ID that follows us 
everywhere like, I believe, LOC/ID split and Unmanaged Internet Architecture 
(from the Persistent Personal Names for Globally Connected Mobile Devices 
paper) apparently does (I haven't read their paper thoroughly enough to comment 
in an authoritative manner, though).  There has got to be another way.  RINA 
(http://www.cs.bu.edu/fac/matta/Papers/rina-security.pdf) addresses 
privacy/security, but the nanog show-me-the-code folks were unimpressed with 
the existing code when I asked the list about it in the past.

scott






Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Brim
Yes indeed.  http://www.ietf.org/proceedings/79/slides/intarea-3.pdf

-- sent from a tiny screen


Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Joel Jaeggli

On May 17, 2011, at 6:09 PM, Scott Weeks wrote:

 --- joe...@bogus.com wrote:
 From: Joel Jaeggli joe...@bogus.com
 On May 17, 2011, at 4:30 PM, Scott Brim wrote:
 On May 17, 2011 6:26 PM, valdis.kletni...@vt.edu wrote:
 On Tue, 17 May 2011 15:04:19 PDT, Scott Weeks said:
 
 What about privacy concerns
 
 Privacy is dead.  Get used to it. -- Scott McNealy
 
 Forget that attitude, Valdis. Just because privacy is blown at one level
 doesn't mean you give it away at every other one. We establish the framework
 for recovering privacy and make progress step by step, wherever we can.
 Someday we'll get it all back under control.
 
 if you put something in the dns you do so because you want to be discovered.
 scoping the nameservers such that they only express certain resource
 records to queriers in a particular scope is fairly straightforward.
 
 
 
 The article was not about DNS.  It was about Persistent Personal Names for 
 Globally Connected Mobile Devices where Users normally create personal 
 names by introducing devices locally, on a common WiFi network for example. 
 Once created, these names remain persistently bound to their targets as 
 devices move. Personal names are intended to supplement and not replace 
 global DNS names.  

you mean like mac addresses? those have a tendency to follow you around in 
ipv6...

 I see a lot of folks on lists designing future networks where an identifier 
 follows you everywhere and we as operators will have to deal with a public 
 hostile to the idea of being followed.  It's happening now.  Just read all 
 the articles on privacy lost.  It's not going to go away.  People like their 
 privacy whether they're doing bad things or not.
 
 scott
 




Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Weeks


--- scott.b...@gmail.com wrote:
From: Scott Brim scott.b...@gmail.com

Yes indeed.  http://www.ietf.org/proceedings/79/slides/intarea-3.pdf
-


Hm, that's a funny correlation to what I have been thinking and talking about 
lately.  I'll have to read the draft-brim-mobility-and-privacy-00 paper as the 
pdf-bullet-point-syndrome has overtaken my info absorption abilities.  I looked 
at the pdf, but bullet points make me have the deer-in-the-headlights look.  ;-)

scott



Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Weeks


--- joe...@bogus.com wrote:
From: Joel Jaeggli joe...@bogus.com

 if you put something in the dns you do so because you want to be discovered.
 scoping the nameservers such that they only express certain resource
 records to queriers in a particular scope is fairly straightforward.
 
 
 
 The article was not about DNS.  It was about Persistent Personal Names for 
 Globally Connected Mobile Devices where Users normally create personal 
 names by introducing devices locally, on a common WiFi network for example. 
 Once created, these names remain persistently bound to their targets as 
 devices move. Personal names are intended to supplement and not replace 
 global DNS names.  

you mean like mac addresses? those have a tendency to follow you around in 
ipv6...
-



disclaimer 
   Still an IPv6 wussie...  :-) 
/disclaimer  


Only if you design your network that way.  EUI-64 isn't required.


scott



Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Joel Jaeggli

On May 17, 2011, at 7:51 PM, Scott Weeks wrote:

 
 
 --- joe...@bogus.com wrote:
 From: Joel Jaeggli joe...@bogus.com
 
 if you put something in the dns you do so because you want to be discovered.
 scoping the nameservers such that they only express certain resource
 records to queriers in a particular scope is fairly straightforward.
 
 
 
 The article was not about DNS.  It was about Persistent Personal Names for 
 Globally Connected Mobile Devices where Users normally create personal 
 names by introducing devices locally, on a common WiFi network for example. 
 Once created, these names remain persistently bound to their targets as 
 devices move. Personal names are intended to supplement and not replace 
 global DNS names.  
 
 you mean like mac addresses? those have a tendency to follow you around in 
 ipv6...
 -
 
 
 
 disclaimer 
   Still an IPv6 wussie...  :-) 
 /disclaimer  
 
 
 Only if you design your network that way.  EUI-64 isn't required.

don't much matter, if you move around you're going to get them a lot.

 scott
 




Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Valdis . Kletnieks
On Tue, 17 May 2011 20:22:23 PDT, Joel Jaeggli said:
 On May 17, 2011, at 7:51 PM, Scott Weeks wrote:
  Only if you design your network that way.  EUI-64 isn't required.
 don't much matter, if you move around you're going to get them a lot.

Of course, if you're moving around and getting EUI-64 addresses via SLAAC, you
can almost certainly use RFC4941 privacy addresses (instead of/in addition to)
your MAC-address based address.

Unless you end up behind a fascist firewall that actually checks that the
EUI-64 half of the SLAAC address actually matches your MAC address - but we all
know that firewalls are weak at IPv6 support, so probably nobody's actually
doing that checking. :)





Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Joel Maslak
On Tue, May 17, 2011 at 9:37 PM, valdis.kletni...@vt.edu wrote:


 Unless you end up behind a fascist firewall that actually checks that the
 EUI-64 half of the SLAAC address actually matches your MAC address - but we
 all
 know that firewalls are weak at IPv6 support, so probably nobody's actually
 doing that checking. :)



Never mind you can change your MAC address easily on most networks, since
most don't provide any reasonable way of verifying that L2 packets are from
where they claim to be.

FWIW, Windows Vista and 7 default to using privacy addresses with SLAAC.
Even without that, today, in the IPv4 NAT world, it's pretty much possible
to uniquely identify a user nearly almost all of the time anyhow - at least
for web access.  This is thanks to browser fingerprinting - see
https://panopticlick.eff.org/browser-uniqueness.pdf

There's a lot of FUD about IPv6.  Yes, the addresses are longer.  But which
is easier - remembering all the intermediate layers of network translation
(likely two boxes for nearly every residential and small business user) or
an IPv6 address that is the same, regardless of whether you are another
customer on the same ISP, a public internet user, or an internal corporate
user?  Never mind what it is like to debug IPSEC/PPTP/L2TP, SIP, or P2P
protocols with just one NAT involved.  Imagine doing that with two NAT
devices (CGN + home NAT).  If you haven't had that unfortunate pleasure,
then I envy you!  There's also no reason we should have to remember our IPv6
addresses.  Seriously.  There are about 50 protocols to name things on
networks, many of which are scope aware.  Among other things, it's why we
don't typically have to remember MAC addresses - ARP works and it works
well.  Just because bad design forced us to remember IPv4 addresses doesn't
mean our IPv6 networks should carry over that brokenness.

IPv6 is also already in widespread use (I would guess all 500 of the Fortune
500 have it somewhere on their network, albeit quite likely not
intentionally).  I use it almost daily for my Apple MobileMe account (albeit
typically tunneled over IPv4, all behind-the-scenes).  I also use it when I
stream music around my house (Bonjour will utilize IPv6, AirTunes typically
uses it).  Windows admins might be using it too (DirectAccess; MS Remote
Assistance if firewalls block connectivity then Windows will set up a direct
IPv6 link, tunneling through your firewalls and NAT...).  And Grandma very
well may be using it today (Windows Home Groups use IPv6).  I would guess
half of the family members of NANOG list subscribers are using IPv6 on a
daily basis - TODAY.  The danger is in ignoring what is already on your
networks.  Sure, you can't get to most websites via IPv6.  But it's being
used for plenty of useful work today, although mostly as a way around
firewalls and as isolated islands (not connected to the global IPv6
network).


Re: Yahoo and IPv6

2011-05-16 Thread Owen DeLong

On May 15, 2011, at 8:55 PM, Matthew Kaufman wrote:

 On 5/15/2011 7:08 PM, Owen DeLong wrote:
 On May 15, 2011, at 8:28 AM, Matthew Kaufman wrote:
 
 
 ...and we'll agree to disagree on this one (RTMFP)... and users will just 
 be ok with BitTorrent and Skype not working on the v6-only + NAT64 networks 
 you're building, I suppose?
 
 Matthew Kaufman
 Uh, BitTorrent works just fine for me on IPv6.
 
 And how many v4-only nodes are you reaching from your v6-only client through 
 a NAT64?
 
 Matthew Kaufman

I have dual stack, so, I don't bother with NAT64. However, I believe that the 
BitTorrent clients
are smart enough to discard the IPv4 nodes reached through NAT64 and will, 
instead, just
use the native IPv6 nodes. I don't see this as a problem and I'm not sure why
you do.

Owen




Re: Yahoo and IPv6

2011-05-16 Thread Iljitsch van Beijnum
On 16 mei 2011, at 9:31, Owen DeLong wrote:

 I believe that the BitTorrent clients
 are smart enough to discard the IPv4 nodes reached through NAT64 and will, 
 instead, just
 use the native IPv6 nodes. I don't see this as a problem and I'm not sure why
 you do.

Because that way the IPv4 and IPv6 swarms remain disconnected in the absence of 
some dual stack peers. (I.e., if the swarm is small and you're the only IPv6 
participant.)

It would be much better if you could go from IPv6 to IPv4 through a NAT64.


RE: Yahoo and IPv6

2011-05-16 Thread George Bonser
 
 Because that way the IPv4 and IPv6 swarms remain disconnected in the
 absence of some dual stack peers. (I.e., if the swarm is small and
 you're the only IPv6 participant.)
 
 It would be much better if you could go from IPv6 to IPv4 through a
 NAT64.

The problem is when the client is handed an explicit address rather than
a host name.  In that case, there needs to be some standard environment
variable for IPv64 Prefix that applications can query.

For a browser this might be something like the configured proxy.  Maybe
an OS such as Windows might have a registry value for this.  Maybe Linux
and other unix-like variations could have a sysctl for that.

There should be some standard way for a native v6 host to determine the
v6 to v4 prefix to use in a NAT64 environment.





Re: Yahoo and IPv6

2011-05-16 Thread Arturo Servin

On 15 May 2011, at 22:55, Matthew Kaufman wrote:

 On 5/15/2011 7:08 PM, Owen DeLong wrote:
 On May 15, 2011, at 8:28 AM, Matthew Kaufman wrote:
 
 
 ...and we'll agree to disagree on this one (RTMFP)... and users will just 
 be ok with BitTorrent and Skype not working on the v6-only + NAT64 networks 
 you're building, I suppose?
 
 Matthew Kaufman
 Uh, BitTorrent works just fine for me on IPv6.
 
 And how many v4-only nodes are you reaching from your v6-only client through 
 a NAT64?
 
 Matthew Kaufman


Many.

For my web access habits it works perfectly fine.

-as





Re: Yahoo and IPv6

2011-05-16 Thread Jim Gettys

On 05/14/2011 07:39 PM, Paul Vixie wrote:

Jim Gettys j...@freedesktop.org writes:


... we have to get naming squared away.  Typing IPv6 addresses is for the
birds, and having everyone have to go fuss with a DNS provider isn't a
viable solution.

perhaps i'm too close to the problem because that solution looks quite
viable to me.  dns providers who don't keep up with the market (which means
ipv6 and dnssec in this context) will lose business to those who do.

I don't believe it is currently viable for any but the hackers out
there, given my experience during the Comcast IPv6 trial.  Typing V6
addresses (much less remembering them) is a PITA.


You are asking people who don't even know DNS exists, to bother to 
establish another business relationship (or maybe DNS services might 
someday be provided by their ISP).


If you get past that hurdle they get to type long IPv6 addresses into a 
web page they won't remember where it was the year before when they did 
this the last time to add a machine to their DNS.


The way this ought to work for clueless home users (or cluefull users 
too, for that matter) is that, when a new machine appears on a network, 
it just works, by which I mean that a globally routeable IPv6 address 
appears in DNS without fussing around using the name that was given to 
the machine when it was first booted, and that a home user's names are 
accessible via secondaries even if they are off line.  And NXDOMAIN 
should work the way it was intended, for all the reasons you know better 
than I.


This is entirely possible ;-).  Just go ask Evan Hunt what he's been up 
to with Dave Taht recently

  - Jim


Right now, IPv6 is worse than IPv4 for home users; we need



Re: Yahoo and IPv6

2011-05-16 Thread Paul Vixie
 Date: Mon, 16 May 2011 14:37:46 -0400
 From: Jim Gettys j...@freedesktop.org
 
  perhaps i'm too close to the problem because that solution looks quite
  viable to me.  dns providers who don't keep up with the market (which
  means ipv6+dnssec in this context) will lose business to those who do.
 
 I don't believe it is currently viable for any but the hackers out there,
 given my experience during the Comcast IPv6 trial.  Typing V6 addresses
 (much less remembering them) is a PITA.

 You are asking people who don't even know DNS exists, to bother to
 establish another business relationship (or maybe DNS services might
 someday be provided by their ISP).

actually, i'm asking the opposite.  only hackers run their own dns mostly;
the vast majority of users who don't know what ipv6 or dnssec are, are
already outsourcing to ultradns/neustar, or verisign, or dyn.com, etc, or
for recursive they're using opendns, google dns, etc.  these companies can
either add the new services and do outreach to their customer bases, or
they can allow their competitors to do so.

of those who still run their own dns, the vast majority actually do know
the dnssec and ipv6 issues facing them.

 If you get past that hurdle they get to type long IPv6 addresses into a web
 page they won't remember where it was the year before when they did this
 the last time to add a machine to their DNS.

i've been using ipv6 dual stack for ten years at ISC and for one year at
home (i was comcast's first north american dual stack native customer) and
the only time i type long ipv6 addresses is when editing dns zone files or
configuring routers and hosts.  i think your experiences may have been
worse than mine and i'll be interested in knowing whether they're common.

 The way this ought to work for clueless home users (or cluefull users
 too, for that matter) is that, when a new machine appears on a network, it
 just works, by which I mean that a globally routeable IPv6 address
 appears in DNS without fussing around using the name that was given to the
 machine when it was first booted, and that a home user's names are
 accessible via secondaries even if they are off line.

this is why ISC DHCP and ISC BIND can communicate using RFC 2136 DNS
dynamic updates, secured with RFC 2845 transaction signatures.  once you
get this running then you don't have to type ipv6 addresses anywhere.  and
i know that infoblox and other BIND Inside appliance vendors have the same
capability, and that Cisco and other DNS/DHCP vendors can also participate
in these open standards pretty much out of the box.  this is what i worked
on when i first found out about IETF back in 1995 or so.  it's all done now
you just have to learn it and deploy it.  (and if you don't think end users
ought to have to learn how to configure their DHCP to talk to their DNS,
i will point them at a half dozen appliance and outsourcing vendors who can
take the ones and zeroes out of this for them.)

 And NXDOMAIN should work the way it was intended, for all the reasons
 you know better than I.

while i agree, i don't think the people who are substituting positive
responses for NXDOMAIN care at all what you think or what i think, so i'm
going to focus on what can be done which is advancing robust solutions.

 This is entirely possible ;-).  Just go ask Evan Hunt what he's been up to
 with Dave Taht recently

more appliance vendors including open source are definitely welcome.  the
pool is large enough for everybody to swim in it.



Re: Yahoo and IPv6

2011-05-16 Thread Owen DeLong

On May 16, 2011, at 1:56 AM, Iljitsch van Beijnum wrote:

 On 16 mei 2011, at 9:31, Owen DeLong wrote:
 
 I believe that the BitTorrent clients
 are smart enough to discard the IPv4 nodes reached through NAT64 and will, 
 instead, just
 use the native IPv6 nodes. I don't see this as a problem and I'm not sure
 why you do.
 
 Because that way the IPv4 and IPv6 swarms remain disconnected in the absence 
 of some dual stack peers. (I.e., if the swarm is small and you're the only 
 IPv6 participant.)
 
 It would be much better if you could go from IPv6 to IPv4 through a NAT64.

Meh, a very short term problem at worst.

Owen




Re: Yahoo and IPv6

2011-05-16 Thread Owen DeLong

On May 16, 2011, at 2:10 AM, George Bonser wrote:

 
 Because that way the IPv4 and IPv6 swarms remain disconnected in the
 absence of some dual stack peers. (I.e., if the swarm is small and
 you're the only IPv6 participant.)
 
 It would be much better if you could go from IPv6 to IPv4 through a
 NAT64.
 
 The problem is when the client is handed an explicit address rather than
 a host name.  In that case, there needs to be some standard environment
 variable for IPv64 Prefix that applications can query.
 
 For a browser this might be something like the configured proxy.  Maybe
 an OS such as Windows might have a registry value for this.  Maybe Linux
 and other unix-like variations could have a sysctl for that.
 
It shouldn't be a sysctl. It should be more like resolv.conf at worst.

 There should be some standard way for a native v6 host to determine the
 v6 to v4 prefix to use in a NAT64 environment.
 

This assumes some standard way to do NAT64.

Owen




Re: Yahoo and IPv6

2011-05-16 Thread Mark Andrews

In message 51008.1305573...@nsa.vix.com, Paul Vixie writes:
  Date: Mon, 16 May 2011 14:37:46 -0400
  From: Jim Gettys j...@freedesktop.org
  
   perhaps i'm too close to the problem because that solution looks quite
   viable to me.  dns providers who don't keep up with the market (which
   means ipv6+dnssec in this context) will lose business to those who do.
  
  I don't believe it is currently viable for any but the hackers out there,
  given my experience during the Comcast IPv6 trial.  Typing V6 addresses
  (much less remembering them) is a PITA.
 
  You are asking people who don't even know DNS exists, to bother to
  establish another business relationship (or maybe DNS services might
  someday be provided by their ISP).
 
 actually, i'm asking the opposite.  only hackers run their own dns mostly;
 the vast majority of users who don't know what ipv6 or dnssec are, are
 already outsourcing to ultradns/neustar, or verisign, or dyn.com, etc, or
 for recursive they're using opendns, google dns, etc.  these companies can
 either add the new services and do outreach to their customer bases, or
 they can allow their competitors to do so.
 
 of those who still run their own dns, the vast majority actually do know
 the dnssec and ipv6 issues facing them.
 
  If you get past that hurdle they get to type long IPv6 addresses into a web
  page they won't remember where it was the year before when they did this
  the last time to add a machine to their DNS.
 
 i've been using ipv6 dual stack for ten years at ISC and for one year at
 home (i was comcast's first north american dual stack native customer) and
 the only time i type long ipv6 addresses is when editing dns zone files or
 configuring routers and hosts.  i think your experiences may have been
 worse than mine and i'll be interested in knowing whether they're common.
 
  The way this ought to work for clueless home users (or cluefull users
  too, for that matter) is that, when a new machine appears on a network, it
  just works, by which I mean that a globally routeable IPv6 address
  appears in DNS without fussing around using the name that was given to the
  machine when it was first booted, and that a home user's names are
  accessible via secondaries even if they are off line.
 
 this is why ISC DHCP and ISC BIND can communicate using RFC 2136 DNS
 dynamic updates, secured with RFC 2845 transaction signatures.  once you
 get this running then you don't have to type ipv6 addresses anywhere.  and
 i know that infoblox and other BIND Inside appliance vendors have the same
 capability, and that Cisco and other DNS/DHCP vendors can also participate
 in these open standards pretty much out of the box.  this is what i worked
 on when i first found out about IETF back in 1995 or so.  it's all done now
 you just have to learn it and deploy it.  (and if you don't think end users
 ought to have to learn how to configure their DHCP to talk to their DNS,
 i will point them at a half dozen appliance and outsourcing vendors who can
 take the ones and zeroes out of this for them.)

Or the host can talk directly to the DNS server.  TSIG can scale
up to millions of clients with their own keys which may or may not
be shared between machines.  Just because nameservers currently have
the keys in flat configuration files doesn't mean that it has to
stay that way.  The keys could just as easily be in a separate
database which the nameserver only reads.  Similarly SIG(0) could
be used using KEY records stored in the DNS itself.

I believe MacOS already supports TSIG directly though they don't
call it that.  Windows could also add support to TSIG in addition
to GSS-TSIG for the non enterprise customers.  This really isn't
hard. You just store a keyname/secret pair for the machine to use
at boot time.  MacOS calls it account/password from memory.

The hard part is convincing people to do it by default.  This is
nothing more than what the dynamic DNS vendors have been doing for
the last decade.  If you want a custom zone you pay $X per month
extra otherwise you get the default zone for the ISP which doesn't
have to be the ISP's zone.

 machine{.subdomain}*.cust-unique.example.net

And as the updates are signed you can accept them from anywhere in
the world.

  And NXDOMAIN should work the way it was intended, for all the reasons
  you know better than I.
 
 while i agree, i don't think the people who are substituting positive
 responses for NXDOMAIN care at all what you think or what i think, so i'm
 going to focus on what can be done which is advancing robust solutions.
 
  This is entirely possible ;-).  Just go ask Evan Hunt what he's been up to
  with Dave Taht recently
 
 more appliance vendors including open source are definitely welcome.  the
 pool is large enough for everybody to swim in it.
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
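
A simplified model of the per-client signed updates described in the two messages above, added here and not taken from the thread or from BIND: it shows the checks a server would apply (key lookup, MAC verification, time window, and restricting each key to its own customer subtree). It does not implement the RFC 2845 wire format; the key names, secrets, message layout and the subtree rule are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed key store: key name -> (shared secret, subtree the key may update).
# It stands in for the separate database the nameserver would only read.
KEYS = {
    "laptop.cust-1001.example.net.": (b"constructed-secret-1", "cust-1001.example.net."),
    "nas.cust-2002.example.net.": (b"constructed-secret-2", "cust-2002.example.net."),
}
FUDGE = 300  # seconds of clock skew tolerated, playing the role of TSIG's fudge


def _mac(secret, key_name, owner, rdata, signed_at):
    """HMAC over every field the server will act on (illustrative layout)."""
    msg = "\n".join([key_name, owner.lower(), rdata, str(signed_at)]).encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def sign_update(key_name, secret, owner, rdata, signed_at):
    """Client side: build an update for owner -> rdata and sign it."""
    return {"key": key_name, "owner": owner, "rdata": rdata, "time": signed_at,
            "mac": _mac(secret, key_name, owner, rdata, signed_at)}


def check_update(update, now):
    """Server side: return the result code for an incoming update."""
    entry = KEYS.get(update["key"])
    if entry is None:
        return "BADKEY"
    secret, subtree = entry
    expected = _mac(secret, update["key"], update["owner"],
                    update["rdata"], update["time"])
    if not hmac.compare_digest(expected, update["mac"]):  # constant-time compare
        return "BADSIG"
    if abs(now - update["time"]) > FUDGE:                 # limits replay of old updates
        return "BADTIME"
    owner = update["owner"].lower()
    # A valid signature proves who sent the update, not that they own the name.
    if owner != subtree and not owner.endswith("." + subtree):
        return "REFUSED"
    return "NOERROR"


if __name__ == "__main__":
    now = 1305600000  # constructed timestamp
    key, secret = "laptop.cust-1001.example.net.", b"constructed-secret-1"
    ok = sign_update(key, secret, "printer.home.cust-1001.example.net.",
                     "2001:db8:1:2::10", now)
    other = sign_update(key, secret, "www.cust-2002.example.net.",
                        "2001:db8:1:2::10", now)
    print(check_update(ok, now + 10), check_update(other, now + 10))
```

Because acceptance depends only on the key and the signed fields, the source address of the update plays no part, which is what allows updates "from anywhere in the world".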



Re: Yahoo and IPv6

2011-05-16 Thread Paul Vixie
 From: Owen DeLong o...@delong.com
 Date: Mon, 16 May 2011 16:12:27 -0700
 
 ... It's not like you can even reach anything at home now, let alone
 reach it by name.

that must and will change.  let's be the generation who makes it possible.



Re: Yahoo and IPv6

2011-05-16 Thread Mark Andrews

In message 80660.1305606...@nsa.vix.com, Paul Vixie writes:
  From: Owen DeLong o...@delong.com
  Date: Mon, 16 May 2011 16:12:27 -0700
  
  ... It's not like you can even reach anything at home now, let alone
  reach it by name.
 
 that must and will change.  let's be the generation who makes it possible.
 
+1
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: Yahoo and IPv6

2011-05-15 Thread Firsthand
When the RIAA and friends in congress and international chapter affiliates make 
it illegal to share  a network address. 

Sorry that is when we turn them back on!!

Christian de Larrinaga


On 14 May 2011, at 19:27, John Levine jo...@iecc.com wrote:

 I think that the real question is, when will people who are running
 IPv4 only not be on the Internet by this definition ?
 
 Probably never.  What would be the incentive to turn off the NAT
 gateways?
 
 R's,
 Joh



Re: Yahoo and IPv6

2011-05-15 Thread Cameron Byrne
On May 14, 2011 9:30 PM, Matthew Kaufman matt...@matthew.at wrote:

 On 5/14/2011 6:41 PM, Jima wrote:

 On 2011-05-14 13:10, Matthew Kaufman wrote:

 On 5/14/2011 10:19 AM, Cameron Byrne wrote:

 Ipv6-only is a highly functional reality when enabled with
 nat64/dns64, there are several empirical accounts on the web.


 For a version of highly functional that does not include Skype,
 BitTorrent, SIP phones, and anything Flash Player app using RTMFP to
 reach peers, sure.


 1. There are SIP phones that support IPv6, e.g.,
http://wiki.snom.com/Networking/IPv6


 Sure, but NAT64 doesn't let SIP phones on an IPv6-only network talk to SIP
phones on an IPv4-only network.


Right, that is why we have SBC / b2bua for the cases we want to work.



 2. Exactly whose fault is it that RTMFP can't reach peers via IPv6?
(Granted, I'm not sure RTMFP is the best argument for your point anyway,
since apparently symmetric NAT monkey-wrenches it, too:
http://forums.adobe.com/message/3602495 )


 RTMFP can reach peers via IPv6... but it can't talk between an IPv6-only
peer that is behind a NAT64 and an IPv4-only peer.

 And that would be the fault of NAT64, which for all of the applications I
mentioned (and more) made the seriously wrong assumption that every IPv4
address is looked up in a DNS server.


We have agreed to disagree on the value of this before.  Sorry your not so
popular protocol is going the way of EGP  it's just not fit for the
evolving internet and will be subject to natural deselection. I am sure you
will disagree with that and insist every end user must always support ipv4
because rtmfp is top of mind for so many users  but we can leave it at
that please

Cb

 Matthew Kaufman



Re: Yahoo and IPv6

2011-05-15 Thread Cameron Byrne
On May 15, 2011 8:28 AM, Matthew Kaufman matt...@matthew.at wrote:

 On 5/15/2011 6:49 AM, Cameron Byrne wrote:


 On May 14, 2011 9:30 PM, Matthew Kaufman matt...@matthew.at wrote:
 

 
  Sure, but NAT64 doesn't let SIP phones on an IPv6-only network talk to
SIP phones on an IPv4-only network.
 

 Right, that is why we have SBC / b2bua for the cases we want to work.


 Ok, so you concede that NAT64 requires yet another device at the edge to
make the SIP phones work...


Don't think I have ever disagreed.


 We have agreed to disagree on the value of this before.  Sorry your not
so popular protocol is going the way of EGP  it's just not fit for the
evolving internet and will be subject to natural deselection. I am sure you
will disagree with that and insist every end user must always support ipv4
because rtmfp is top of mind for so many users  but we can leave it at
that please



 ...and we'll agree to disagree on this one (RTMFP)... and users will just
be ok with BitTorrent and Skype not working on the v6-only + NAT64 networks
you're building, I suppose?


Yep.   I have a pretty good model of how most users use their phones. That
said, ipv6-only + nat64 only works well for most users (90+%).  For the long
tail, ipv4 services are not going away.

I believe that the user should be allowed to select their address family
easily ... this is easy in the mobile world.

Most folks (web and email) should not care if they have ipv4 + nat44 or ipv6
+ nat64. For those that do care, there are pros and cons to both. I prefer
the latter since it brings back e2e and is a positive incentive for ipv6
adoption

Cb
 Matthew Kaufman


Re: Yahoo and IPv6

2011-05-15 Thread Iljitsch van Beijnum

On 15 mei 2011, at 6:29, Matthew Kaufman wrote:

And that would be the fault of NAT64, which for all of the  
applications I mentioned (and more) made the seriously wrong  
assumption that every IPv4 address is looked up in a DNS server.


This brings to mind the story of the physicist (but it could easily
have been an IETF protocol engineer) who was scrambling around under a
lamp post at night. A passer by asked what he was doing: looking for  
my keys. Are you sure you lost them here? No, but under the light is  
the only place I have a chance at finding them.


It's not that the people involved with NAT64 (full disclosure, I'm one  
of them) thought that every IPv4 address would have a working DNS  
name, but rather that using the DNS made it possible to have a  
transition mechanism that lets unmodified IPv6 hosts talk to  
unmodified IPv4 hosts.


However, all is not lost: you can easily set up sessions through a  
NAT64 if the application (or the system, but that will take longer to  
materialize) learns the other 96 bits and stuffs them in front of the  
IPv4 bits. If the NAT64 uses the well known prefix the 96 bits are  
easy to learn, if it does not you'll need another mechanism, which are  
now being discussed. But an application could easily roll its own by  
looking up a known IPv6-only A record and then taking the 96 bits from  
the resulting AAAA record.
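
The address construction described above, as an added example that is not part of the original message: it prepends a 96-bit NAT64 prefix to an IPv4 address and recovers an operator-chosen prefix from the AAAA answer for a probe name. The well-known prefix 64:ff9b::/96 is from RFC 6052; the probe name's IPv4 address, the operator prefix and the answers are constructed sample values, and reading the probe as a name with only an A record is an assumption.

```python
import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052


def synthesize(ipv4: str, prefix=WELL_KNOWN_PREFIX) -> ipaddress.IPv6Address:
    """Stuff the 96 prefix bits in front of the 32 IPv4 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def learn_prefix(known_v4, aaaa_answers):
    """Derive the /96 in use from AAAA answers for a probe name.

    known_v4:     IPv4 addresses the probe name is known to have.
    aaaa_answers: AAAA records the local resolver returned for that name.
    Returns the prefix, or None when no answer embeds a known IPv4 address
    (no DNS64 on this network) or the answers disagree.
    """
    known = {int(ipaddress.IPv4Address(a)) for a in known_v4}
    prefixes = set()
    for answer in aaaa_answers:
        v6 = int(ipaddress.IPv6Address(answer))
        if (v6 & 0xFFFFFFFF) in known:  # low 32 bits carry the IPv4 address
            prefixes.add(ipaddress.IPv6Network(((v6 >> 32) << 32, 96)))
    # The answer is only as trustworthy as the resolver that gave it, and the
    # learned prefix decides where all translated traffic is sent, so refuse
    # to guess when the answers are inconsistent.
    return prefixes.pop() if len(prefixes) == 1 else None


if __name__ == "__main__":
    # Constructed exchange: the probe name has A 192.0.2.33 and the resolver
    # synthesized the AAAA below.
    prefix = learn_prefix(["192.0.2.33"], ["2001:db8:64::c000:221"])
    print("learned prefix:", prefix)
    # A peer handed to the application as a literal IPv4 address.
    print("peer via NAT64:", synthesize("198.51.100.7", prefix))
    print("peer via well-known prefix:", synthesize("198.51.100.7"))
```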




Re: Yahoo and IPv6

2011-05-15 Thread Iljitsch van Beijnum

On 15 mei 2011, at 20:03, Jima wrote:

BitTorrent tends to be an evolving protocol, with lots of clients  
competing for mindshare; I'm not certain that limitation will remain.


Two years ago the Pirate Bay got on IPv6 in a way that was  
incompatible with existing clients that were IP version agnostic for  
lengthy reasons. (They decided you should have an IPv4 connection to  
the tracker (central server) to learn IPv4 peer addresses and an IPv6  
connection to learn IPv6 peer addresses.)


Then their legal troubles got serious and I'm guessing they find it
hard enough to move their IPv4 address(es?) around so they're IPv4-only
again. They also want to move away from having trackers at all,
and instead use a peer-to-peer based system (DHT) to find peers.


Until about a year ago I regularly saw 6to4 addresses showing up
through the DHT but that has stopped. And rarely, if ever, would it be  
possible to connect to those addresses, anyway. Not sure what changed,  
maybe my software is too old, I'm on the wrong DHT or whatever.


Interestingly, BitTorrent can easily be modified to use the IETF NAT  
traversal techniques (STUN/TURN/ICE) and these are also largely  
compatible with NAT64. (Because unlike existing NAT, NAT64 came about
through the IETF process rather than organically, it probably has the  
tightest specifications of any type of NAT.) So you could run  
BitTorrent behind a NAT64 and not even exhaust the NAT64's port  
numbers. But for that, the BitTorrent application developers need to  
do some work, which they probably won't be able to do successfully  
until they can test against a fully RFC-conforming NAT64 translator.





Re: Yahoo and IPv6

2011-05-15 Thread Owen DeLong
 We have agreed to disagree on the value of this before.  Sorry your not so
 popular protocol is going the way of EGP  it's just not fit for the
 evolving internet and will be subject to natural deselection. I am sure you
 will disagree with that and insist every end user must always support ipv4
 because rtmfp is top of mind for so many users  but we can leave it at
 that please
 
Which not-so-popular protocol are you referring to here?

SIP?
Skype?
The protocol behind most Flash Players?
Jabber?

I think many of those are relatively popular and are unlikely to experience
this natural deselection of which you speak.

I think deprecation of IPv4 is going to happen simply because it will hit
several walls in terms of scaling and the cost of continuing to support it
will exceed the utility, but, this will have little to do with any particular
subset of IPv4 uses and more to do with the overall picture.

Owen




Re: Yahoo and IPv6

2011-05-15 Thread Matthew Kaufman

On 5/15/2011 7:08 PM, Owen DeLong wrote:

On May 15, 2011, at 8:28 AM, Matthew Kaufman wrote:



...and we'll agree to disagree on this one (RTMFP)... and users will just be ok 
with BitTorrent and Skype not working on the v6-only + NAT64 networks you're 
building, I suppose?

Matthew Kaufman

Uh, BitTorrent works just fine for me on IPv6.


And how many v4-only nodes are you reaching from your v6-only client 
through a NAT64?


Matthew Kaufman



RE: Yahoo and IPv6

2011-05-15 Thread George Bonser


 -Original Message-
 From: Matthew Kaufman [mailto:matt...@matthew.at]
 Sent: Sunday, May 15, 2011 8:56 PM
 To: Owen DeLong
 Cc: nanog@nanog.org
 Subject: Re: Yahoo and IPv6
 
 On 5/15/2011 7:08 PM, Owen DeLong wrote:
  On May 15, 2011, at 8:28 AM, Matthew Kaufman wrote:
 
 
  ...and we'll agree to disagree on this one (RTMFP)... and users will
 just be ok with BitTorrent and Skype not working on the v6-only + NAT64
 networks you're building, I suppose?
 
  Matthew Kaufman
  Uh, BitTorrent works just fine for me on IPv6.
 
 And how many v4-only nodes are you reaching from your v6-only client
 through a NAT64?

Should be able to reach all of them if it is combined with DNS64




Re: Yahoo and IPv6

2011-05-14 Thread Owen DeLong

On May 13, 2011, at 9:09 PM, Bjoern A. Zeeb wrote:

 On May 14, 2011, at 2:12 AM, Lorenzo Colitti wrote:
 
 On Tue, May 10, 2011 at 11:22 AM, Owen DeLong o...@delong.com wrote:
 
 In other words, Igor can't turn on AAAA records generally until there are
 182,001 IPv6-only users that are broken from his lack of AAAA records.
 
 
 There will be no IPv6-only users. There will only be users with better IPv6
 connectivity than IPv4 connectivity.
 
 My Desktop is not able to make any IPv4 socket connections anymore.  I get
 Protocol not supported. So there are IPv6-only users, already bitten by
 no AAAA.  So that's -1 from me.
 
 /bz
 
 -- 
 Bjoern A. Zeeb You have to have visions!
 Stop bit received. Insert coin for new address family.

Unfortunately, Igor may not see your message since he doesn't have
an IPv6 AAAA record for his MX. ;-)

Owen




Re: Yahoo and IPv6

2011-05-14 Thread Bjoern A. Zeeb
On May 14, 2011, at 7:57 AM, Owen DeLong wrote:

 On May 13, 2011, at 9:09 PM, Bjoern A. Zeeb wrote:
 
 On May 14, 2011, at 2:12 AM, Lorenzo Colitti wrote:
 
 On Tue, May 10, 2011 at 11:22 AM, Owen DeLong o...@delong.com wrote:
 
 In other words, Igor can't turn on AAAA records generally until there are
 182,001 IPv6-only users that are broken from his lack of AAAA records.
 
 
 There will be no IPv6-only users. There will only be users with better IPv6
 connectivity than IPv4 connectivity.
 
 My Desktop is not able to make any IPv4 socket connections anymore.  I get
 Protocol not supported. So there are IPv6-only users, already bitten by
 no AAAA.  So that's -1 from me.
 
 Unfortunately, Igor may not see your message since he doesn't have
 an IPv6 AAAA record for his MX. ;-)

But s0.nanog.org does, and mailman.nanog.org is v4 exclusively and one of my
MX still has legacy IP as well.  But the message wasn't for Igor anyway.

I was just mumbling about the fact that the IPv6 advocacy activists and people
in charge of v6 rollouts should eat more of their dog-food to make sure that
we'll actually be ready for _more_ IPv6 only users rather than falling into the
same tarpit we hit for DS in the near future.  The web strangely is the least
thing I care about.

/bz

PS: I hope all of the big guys will actually have AAAA glue records for their 
domains in DNS for world IPv6 day.  So far most of them are failing that test
badly which means the brokenness of IPv6 starts at the very beginning:(

-- 
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.


Re: Yahoo and IPv6

2011-05-14 Thread Matthew Kaufman

 
 
 
 My Desktop is not able to make any IPv4 socket connections anymore.  I get
 Protocol not supported. So there are IPv6-only users, already bitten by
 no AAAA.  So that's -1 from me.
 

Sounds to me like you're not on The Internet any more.

Matthew Kaufman



Re: Yahoo and IPv6

2011-05-14 Thread Bjoern A. Zeeb
On May 14, 2011, at 3:41 PM, Matthew Kaufman wrote:

 My Desktop is not able to make any IPv4 socket connections anymore.  I get
 Protocol not supported. So there are IPv6-only users, already bitten by
 no AAAA.  So that's -1 from me.
 
 
 Sounds to me like you're not on The Internet any more.

Haha.  I might still do UUCP and listen to a talk from Eric Allman currently,
yet I can send you Email and that's supposed to be over the Internet only
these days, I just heard.  So I am clearly online.

I assume you don't understand the options some people have or how much content
might be available on IPv6 already and might have been for years.

/bz

-- 
Bjoern A. Zeeb You have to have visions!
 Stop bit received. Insert coin for new address family.




Re: Yahoo and IPv6

2011-05-14 Thread Paul Vixie
Matthew Kaufman matt...@matthew.at writes:

 My Desktop is not able to make any IPv4 socket connections anymore.  I get
 Protocol not supported. So there are IPv6-only users, already bitten by
 no AAAA.  So that's -1 from me.

 Sounds to me like you're not on The Internet any more.

in http://www.merit.edu/mail.archives/nanog/2001-04/msg00294.html we see:

(*2)Q: But what IS the Internet?
A: It's the largest equivalence class in the reflexive, transitive,
symmetric, closure of the relationship 'can be reached by an IP
packet from'. Seth Breidbart

by which definition, matthew's observation would be correct.  folks who want
to run V6 only and still be on the internet will need proxies for a long
while.  folks who want to run V6 only *today* and not have any proxies *today*
are sort of on their own -- the industry will not cater to market non-forces.
-- 
Paul Vixie
KI6YSY



Re: Yahoo and IPv6

2011-05-14 Thread Marshall Eubanks

On May 14, 2011, at 12:47 PM, Paul Vixie wrote:

 Matthew Kaufman matt...@matthew.at writes:
 
 My Desktop is not able to make any IPv4 socket connections anymore.  I get
 Protocol not supported. So there are IPv6-only users, already bitten by
 no AAAA.  So that's -1 from me.
 
 Sounds to me like you're not on The Internet any more.
 
 in http://www.merit.edu/mail.archives/nanog/2001-04/msg00294.html we see:
 
 (*2)Q: But what IS the Internet?
A: It's the largest equivalence class in the reflexive, transitive,
symmetric, closure of the relationship 'can be reached by an IP
packet from'. Seth Breidbart
 
 by which definition, matthew's observation would be correct.  folks who want
 to run V6 only and still be on the internet will need proxies for a long
 while.  folks who want to run V6 only *today* and not have any proxies *today*
 are sort of on their own -- the industry will not cater to market non-forces.

I think that the real question is, when will people who are running IPv4 only 
not be on the Internet by this
definition ?

Regards
Marshall


 -- 
 Paul Vixie
 KI6YSY
 
 




Re: Yahoo and IPv6

2011-05-14 Thread Paul Vixie
 From: Marshall Eubanks t...@americafree.tv
 Date: Sat, 14 May 2011 13:02:16 -0400
 
 I think that the real question is, when will people who are running
 IPv4 only not be on the Internet by this definition ?

is there an online betting mechanism we could use, that we all think will
still be in business decades from now when the truth is known?  if we're
going to start picking the month and year when IPv4 is the new PDP-11
compatibility mode (that's a VAX reference), where the winner is whoever
comes closest without going over, my pick is July 2021, and i'm in for $50.



Re: Yahoo and IPv6

2011-05-14 Thread Cameron Byrne
On May 14, 2011 9:28 AM, Bjoern A. Zeeb bzeeb-li...@lists.zabbadoz.net
wrote:

 On May 14, 2011, at 3:41 PM, Matthew Kaufman wrote:

  My Desktop is not able to make any IPv4 socket connections anymore.  I get
  Protocol not supported. So there are IPv6-only users, already bitten by
  no AAAA.  So that's -1 from me.
 
 
  Sounds to me like you're not on The Internet any more.

 Haha.  I might still do UUCP and listen to a talk from Eric Allman currently,
 yet I can send you Email and that's supposed to be over the Internet only
 these days, I just heard.  So I am clearly online.

 I assume you don't understand the options some people have or how much content
 might be available on IPv6 already and might have been for years.

 /bz


Ipv6-only is a highly functional reality when enabled with nat64/dns64,
there are several empirical accounts on the web.

I have been running a beta service of it for over a year and my experience is
that it works very well for web and email and nearly everything I do on
smartphone, but not all things for sure.

Cb
—---
http://bit.ly/igQBx4 -- T-Mobile USA ipv6 beta.

 --
 Bjoern A. Zeeb You have to have visions!
 Stop bit received. Insert coin for new address family.




Re: Yahoo and IPv6

2011-05-14 Thread Valdis . Kletnieks
On Sat, 14 May 2011 13:02:16 EDT, Marshall Eubanks said:
 I think that the real question is, when will people who are running IPv4
 only not be on the Internet by this definition ?

Any 36 bit machines left on the net?





Re: Yahoo and IPv6

2011-05-14 Thread John Levine
I think that the real question is, when will people who are running
IPv4 only not be on the Internet by this definition ?

Probably never.  What would be the incentive to turn off the NAT
gateways?

R's,
John





Re: Yahoo and IPv6

2011-05-14 Thread Iljitsch van Beijnum

On 14 mei 2011, at 18:47, Paul Vixie wrote:


folks who want
to run V6 only and still be on the internet will need proxies for a long
while.  folks who want to run V6 only *today* and not have any proxies *today*
are sort of on their own -- the industry will not cater to market non-forces.


And clearly that situation can be kept that way for a long time by  
simply not serving them anything over IPv6.


But is that what we want?

Currently IPv4 is pretty good but that's not going to last once 1.5  
NATs on average between any two points grows to 3.8 of them, with 1.7  
starved for address/port combinations*. At that point you can  
technically still be 100% connected using just IPv4, but it won't be  
much fun anymore.


* numbers pulled out of the air by yours truly, but based on two  
consumers with home NAT today and with additional carrier NAT in the  
future.


I've been on IPv6 for a long time. When I started with IPv6, the only  
applications (to use the term loosely) that understood v6 were ping6  
and traceroute6. These days, I think the only thing I wouldn't be able  
to do over IPv6 is print. It used to be that IPv6 pingtimes were 2 - 3  
times worse than IPv4 pingtimes. They're pretty much the same 80% of  
the time now. I used to have 8 IPv4 addresses, enough for most of my  
computers. I have one now, with mandatory NAT. When I move later this  
year I may very well only have a partial IPv4 address.


The times are a-changing.



Re: Yahoo and IPv6

2011-05-14 Thread Matthew Kaufman

On 5/14/2011 10:19 AM, Cameron Byrne wrote:



Ipv6-only is a highly functional reality when enabled with 
nat64/dns64, there are several empirical accounts on the web.





For a version of highly functional that does not include Skype, 
BitTorrent, SIP phones, and anything Flash Player app using RTMFP to 
reach peers, sure.


Matthew Kaufman



Re: Yahoo and IPv6

2011-05-14 Thread Jim Gettys

On 05/14/2011 01:59 PM, Iljitsch van Beijnum wrote:

dditional carrier NAT in the future.

I've been on IPv6 for a long time. When I started with IPv6, the only 
applications (to use the term loosely) that understood v6 were ping6 
and traceroute6. These days, I think the only thing I wouldn't be able 
to do over IPv6 is print.
And I've been able to print using IPv6 on the $200 HP ethernet/wireless 
printer I bought over 18 months ago...


Times are changing.

But we have to get naming squared away.  Typing IPv6 addresses is for 
the birds, and having everyone have to go fuss with a DNS provider isn't 
a viable solution.

- Jim




Re: Yahoo and IPv6

2011-05-14 Thread William Herrin
On Sat, May 14, 2011 at 1:06 PM, Paul Vixie vi...@isc.org wrote:
 From: Marshall Eubanks t...@americafree.tv
 Date: Sat, 14 May 2011 13:02:16 -0400

 I think that the real question is, when will people who are running
 IPv4 only not be on the Internet by this definition ?

 is there an online betting mechanism we could use, that we all think will
 still be in business decades from now when the truth is known?

http://longbets.org/

 if we're
 going to start picking the month and year when IPv4 is the new PDP-11
 compatibility mode (that's a VAX reference), where the winner is whoever
 comes closest without going over, my pick is July 2021, and i'm in for $50.

Two suggestions:

1. Predict the condition, not the date. In other words, not Condition
X will occur at Y but At Y, condition X will be true. The problem
with predicting the date is that the bet can't close until the
condition occurs. That leaves an unbounded case.

2. Measurability. How do you measure, IPv4 is the new PDP-11
compatibility mode? Try something like, In the month of July 2021,
X% of the network traffic by packet count on the top 5 Internet
carriers will contain IPv4 packets. 

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004




Re: Yahoo and IPv6

2011-05-14 Thread Robert Bonomi

 From: Paul Vixie vi...@isc.org
 To: nanog@nanog.org
 Subject: Re: Yahoo and IPv6
 Date: Sat, 14 May 2011 17:06:45 +

  From: Marshall Eubanks t...@americafree.tv
  Date: Sat, 14 May 2011 13:02:16 -0400
  
  I think that the real question is, when will people who are running
  IPv4 only not be on the Internet by this definition ?

 is there an online betting mechanism we could use, that we all think will
 still be in business decades from now when the truth is known?  if we're
 going to start picking the month and year when IPv4 is the new PDP-11
 compatibility mode (that's a VAX reference), where the winner is whoever
 comes closest without going over, my pick is July 2021, and i'm in for $50.


You could probably interest the University of Iowa College of Business in
it.  See: http://tippie.uiowa.edu/iem/index.cfm

The genesis of this project was a 'futures' exchange on candidates for
the office of President of the United States.  It's had an amazing track-
record of identifying 'winners' there.



Re: Yahoo and IPv6

2011-05-14 Thread Paul Vixie
Jim Gettys j...@freedesktop.org writes:

 ... we have to get naming squared away.  Typing IPv6 addresses is for the
 birds, and having everyone have to go fuss with a DNS provider isn't a
 viable solution.

perhaps i'm too close to the problem because that solution looks quite
viable to me.  dns providers who don't keep up with the market (which means
ipv6 and dnssec in this context) will lose business to those who do.
-- 
Paul Vixie
KI6YSY



Re: Yahoo and IPv6

2011-05-14 Thread Jima

On 2011-05-14 13:25, Jim Gettys wrote:

On 05/14/2011 01:59 PM, Iljitsch van Beijnum wrote:

I've been on IPv6 for a long time. When I started with IPv6, the only
applications (to use the term loosely) that understood v6 were ping6
and traceroute6. These days, I think the only thing I wouldn't be able
to do over IPv6 is print.



And I've been able to print using IPv6 on the $200 HP ethernet/wireless
printer I bought over 18 months ago...


 And a $100 Samsung laser printer here, sold as long ago as 15 months. 
 (Also an expensive color laser copier Ricoh started producing in 2007, 
although I don't know if it shipped with an IPv6-capable firmware.) 
Even printing isn't the last holdout. :-)


 Home entertainment devices, on the other hand... :-(

 Jima



Re: Yahoo and IPv6

2011-05-14 Thread Jima

On 2011-05-14 13:10, Matthew Kaufman wrote:

On 5/14/2011 10:19 AM, Cameron Byrne wrote:

Ipv6-only is a highly functional reality when enabled with
nat64/dns64, there are several empirical accounts on the web.


For a version of highly functional that does not include Skype,
BitTorrent, SIP phones, and anything Flash Player app using RTMFP to
reach peers, sure.


1. There are SIP phones that support IPv6, e.g., 
http://wiki.snom.com/Networking/IPv6


2. Exactly whose fault is it that RTMFP can't reach peers via IPv6? 
(Granted, I'm not sure RTMFP is the best argument for your point anyway, 
since apparently symmetric NAT monkey-wrenches it, too: 
http://forums.adobe.com/message/3602495 )


 Jima



Re: Yahoo and IPv6

2011-05-14 Thread Robert Drake

On 5/10/2011 12:57 AM, Jeff Wheeler wrote:

Your suggestion has two main disadvantages:
1) it doesn't work on some platforms, because input ACL won't stop ND
learn/solicit -- obviously this is bad
2) it requires you to configure a potentially large input ACL on every
single interface on the box, and adjust that ACL whenever you
provision more IPv6 addresses for end-hosts -- kinda like not having a
control-plane filter, only worse



Might need to rewrite some portion of ND to do this, but can't a cookie 
be encoded in the ND packet and no state kept?  That should reduce the 
problem to one of a packet flood which everyone already deals with now.


Sorry if this has been suggested/shot down before.  The ND problems keep 
being mentioned and I never see this proposed and it seems like an 
obvious solution.


Robert




Re: Yahoo and IPv6

2011-05-14 Thread Matthew Kaufman

On 5/14/2011 6:41 PM, Jima wrote:

On 2011-05-14 13:10, Matthew Kaufman wrote:

On 5/14/2011 10:19 AM, Cameron Byrne wrote:

Ipv6-only is a highly functional reality when enabled with
nat64/dns64, there are several empirical accounts on the web.


For a version of highly functional that does not include Skype,
BitTorrent, SIP phones, and anything Flash Player app using RTMFP to
reach peers, sure.


1. There are SIP phones that support IPv6, e.g., 
http://wiki.snom.com/Networking/IPv6


Sure, but NAT64 doesn't let SIP phones on an IPv6-only network talk to 
SIP phones on an IPv4-only network.




2. Exactly whose fault is it that RTMFP can't reach peers via IPv6? 
(Granted, I'm not sure RTMFP is the best argument for your point 
anyway, since apparently symmetric NAT monkey-wrenches it, too: 
http://forums.adobe.com/message/3602495 )


RTMFP can reach peers via IPv6... but it can't talk between an IPv6-only 
peer that is behind a NAT64 and an IPv4-only peer.


And that would be the fault of NAT64, which for all of the applications 
I mentioned (and more) made the seriously wrong assumption that every 
IPv4 address is looked up in a DNS server.


Matthew Kaufman
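
The DNS64 dependency argued over in this exchange, as an added example that is not part of any poster's message: a model of RFC 6052 address synthesis showing that a peer handed over as an IPv4 literal (a tracker reply, a SIP contact) never passes through DNS64. The zone data, the `.example` names and the `nat64_prefix` parameter are constructed for illustration; `64:ff9b::/96` is the RFC 6052 well-known prefix.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix; an operator may use its own /96 instead.
WKP = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed zone data (documentation addresses), standing in for real DNS.
ZONE = {
    "tracker.example": {"A": ["192.0.2.33"]},                        # IPv4-only
    "dual.example": {"A": ["192.0.2.44"], "AAAA": ["2001:db8::44"]},
}


def synthesize(v4, prefix=WKP):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch only handles /96 prefixes")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def extract(v6, prefix=WKP):
    """The translator's side: recover the IPv4 destination, or None."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_lookup(name, zone=ZONE, prefix=WKP):
    """Model of a DNS64 resolver: real AAAA if present, else built from A."""
    records = zone.get(name, {})
    if records.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in records["AAAA"]]
    return [synthesize(a, prefix) for a in records.get("A", [])]


def plan_connection(target, zone=ZONE, nat64_prefix=None):
    """How an IPv6-only host behind NAT64 can reach `target`.

    `target` is whatever the application was handed: a hostname or an
    address literal. `nat64_prefix` (hypothetical parameter) models an
    application that has been told the prefix and synthesizes by itself.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # A hostname: the lookup goes through DNS64, so NAT64 is reachable.
        answers = dns64_lookup(target, zone)
        return ("resolved", answers[0]) if answers else ("no-address", None)
    if addr.version == 6:
        return ("ipv6-literal", addr)
    if nat64_prefix is not None:
        return ("app-synthesized", synthesize(addr, nat64_prefix))
    # IPv4 literal, no DNS query issued, nothing ever synthesizes an address.
    return ("unreachable-literal", None)


if __name__ == "__main__":
    for target in ("tracker.example", "dual.example", "198.51.100.7"):
        print(target, "->", plan_connection(target))
    print("198.51.100.7 with prefix ->",
          plan_connection("198.51.100.7", nat64_prefix=WKP))
```
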



Re: Yahoo and IPv6

2011-05-13 Thread Lorenzo Colitti
On Tue, May 10, 2011 at 11:22 AM, Owen DeLong o...@delong.com wrote:

 In other words, Igor can't turn on AAAA records generally until there are
 182,001 IPv6-only users that are broken from his lack of AAAA records.


There will be no IPv6-only users. There will only be users with better IPv6
connectivity than IPv4 connectivity.


 This will be interesting. Personally, I think it will be more along the lines
 of when there are more IPv6 only eye-balls with broken IPv4 than there
 are IPv4 eye-balls with broken IPv6, AAAA will become the obvious
 solution.


Agreed. The problem is how to get there. Given that 0.2% of Google users has
IPv6 today, my money is still on this taking a while.


Re: Yahoo and IPv6

2011-05-13 Thread Bjoern A. Zeeb
On May 14, 2011, at 2:12 AM, Lorenzo Colitti wrote:

 On Tue, May 10, 2011 at 11:22 AM, Owen DeLong o...@delong.com wrote:
 
 In other words, Igor can't turn on AAAA records generally until there are
 182,001 IPv6-only users that are broken from his lack of AAAA records.
 
 
 There will be no IPv6-only users. There will only be users with better IPv6
 connectivity than IPv4 connectivity.

My Desktop is not able to make any IPv4 socket connections anymore.  I get
Protocol not supported. So there are IPv6-only users, already bitten by
no AAAA.  So that's -1 from me.

/bz

-- 
Bjoern A. Zeeb You have to have visions!
 Stop bit received. Insert coin for new address family.




RE: Yahoo and IPv6

2011-05-13 Thread George Bonser
 
 My Desktop is not able to make any IPv4 socket connections anymore.  I get
 Protocol not supported. So there are IPv6-only users, already bitten by
 no AAAA.  So that's -1 from me.
 

Sounds like a job for NAT64/DNS64





Re: Yahoo and IPv6

2011-05-13 Thread Randy Bush
 My Desktop is not able to make any IPv4 socket connections anymore.  I
 get Protocol not supported. So there are IPv6-only users, already
 bitten by no AAAA.  So that's -1 from me.

i choose to only run decnet ii, and the world should fix my connectivity
problem.

randy



Re: Yahoo and IPv6

2011-05-13 Thread Matthew Petach
On Fri, May 13, 2011 at 10:27 PM, Randy Bush ra...@psg.com wrote:
 My Desktop is not able to make any IPv4 socket connections anymore.  I
 get Protocol not supported. So there are IPv6-only users, already
 bitten by no AAAA.  So that's -1 from me.

 i choose to only run decnet ii, and the world should fix my connectivity
 problem.

 randy

Your search for

DecNet Phase II to IPv6 gateway

returned 0 results.



Re: Yahoo and IPv6

2011-05-12 Thread Franck Martin
I think the yahoo test should just differentiate between no IPv6 and IPv6
is slow (test between 3s and 10s). Like:

We have detected that you have IPv6 and will be able to access our site on
IPv6 day, but your user experience may not be as good as with IPv4, you
may consider disabling IPv6.




Re: Yahoo and IPv6

2011-05-12 Thread Scott Whyte
On Wed, May 11, 2011 at 23:10, Franck Martin fmar...@linkedin.com wrote:
 I think the yahoo test should just differentiate between no IPv6 and IPv6
 is slow (test between 3s and 10s). Like:

 We have detected that you have IPv6 and will be able to access our site on
 IPv6 day, but your user experience may not be as good as with IPv4, you
 may consider disabling IPv6.


Measurements during the experiment won't be directly comparable to
those before/after, at least as far as I can see.  So they will be
informative, but it's the slope of the brokenness line before/after
that will determine when IPv6 is not an impediment to itself.

-Scott



Re: Yahoo and IPv6

2011-05-12 Thread Owen DeLong

On May 12, 2011, at 9:06 AM, Scott Whyte wrote:

 On Wed, May 11, 2011 at 23:10, Franck Martin fmar...@linkedin.com wrote:
 I think the yahoo test should just differentiate between no IPv6 and IPv6
 is slow (test between 3s and 10s). Like:
 
 We have detected that you have IPv6 and will be able to access our site on
 IPv6 day, but your user experience may not be as good as with IPv4, you
 may consider disabling IPv6.
 
 
 Measurements during the experiment won't be directly comparable to
 those before/after, at least as far as I can see.  So they will be
 informative, but it's the slope of the brokenness line before/after
 that will determine when IPv6 is not an impediment to itself.
 
 -Scott

I think it's a little more complex.

I think there are two lines. A line representing brokenness with AAAA records
enabled and a line representing brokenness without AAAA records.

The first line is trending downwards while the second line is trending upwards
and will soon be making a rather pronounced increase in its slope.

When these two lines cross, I think it will become virtually inevitable that
those who are ready to do so will publish their AAAA records.

Owen




Re: Yahoo and IPv6

2011-05-11 Thread Tore Anderson
* Tony Hain

 So take the relays out of the path by putting up a 6to4 router and a
 2002:: prefix address on the content servers. Longest match will
 cause 6to4 connected systems to prefer that prefix while native
 connected systems will prefer the current prefix. The resulting IPv4
 path will be exactly what it is today door-to-door. Forcing traffic
 through a third party by holding to a purity principle for dns, and
 then complaining about the results is not exactly the most productive
 thing one could do.

If you add a 6to4 AAAA record to your domain name, you'll attract 6to4
traffic from a lot of systems that would earlier have used IPv4. This is
because 6to4-6to4 is preferred above IPv4-IPv4 in RFC 3484 (which in
turn is preferred above 6to4-NativeV6).

This in turn results in a net decrease of reliability, as 6to4 is
extremely unreliable, even in the situation where the relays are known
to work correctly - the failure rate in this case has been independently
verified by Emile Aben of the RIPE NCC
(https://labs.ripe.net/Members/emileaben/6to4-how-bad-is-it-really) and
Geoff Huston of APNIC
(http://www.potaroo.net/ispcol/2010-12/6to4fail.html) to be in the 15%
ballpark.

Also, I actually tried it myself, by «triple-stacking» (adding a 6to4
AAAA) the dual-stack measurement point in my own brokenness experiment
(http://fud.no/ipv6). Overall brokenness increased about ten-fold, from
around 0.03% to 0.3%, so the change was reverted the next day.

In conclusion, publishing 6to4 AAAA records is a terrible idea if
you're concerned about reliability.

 The argument is that enterprise firewalls are blocking it, but that
 makes no sense because many/most enterprises are in 1918 space so 
 6to4 will not be attempted to begin with, and for those that have
 public space internally the oft-cited systems that are domain members
 will have 6to4 off by default. To get them to turn it on would
 require the IT staff to explicitly enable it for the end systems but
 then turn around and block it at the firewall ... Not exactly a
 likely scenario.

Perhaps most enterprises are in 1918 space, but I don't see the reasoning
why an enterprise that is not using 1918 space would be more likely to
use Active Directory than those that are using 1918 space. I would have
thought that the use of AD is completely orthogonal to the use of 1918 space?

In any case, there's no shortage of 6to4 implementations in the wild that
will happily enable 6to4 from 1918 addresses even though it cannot
possibly work.

 The most likely source of public space for non-domain joined systems
 would be universities,

My data shows that university networks are overrepresented with broken
end-users, yes.

 but no one that is complaining about protocol 41 filtering has shown
 that the source addresses are coming from those easily identifiable
 places.

http://www.fud.no/ipv6/snapshot-20101221/gnuplot/nouninett-t10-historic.png

The red line is the overall internet brokenness I measured. The green
line is the overall brokenness for the internet *except* UNINETT, the
Norwegian University and Research Network, which filters proto-41. So
that particular network with some tens of thousands of end users is
responsible for around one-third of all failed dual-stack connection
attempts, in a country that has around five million citizens.

The sharp drop at the end is when they finally deployed native IPv6 at
certain proto-41-filtered problem spots in their network, by the way.

 That leaves the case of networks that use public addresses
 internally, but nat those at the border. This would confuse the
 client into thinking 6to4 should be viable, only to have protocol 41
 blocked by the nat. These networks do exist,

End users in such networks are likely to increase sharply in numbers,
thanks to IPv4 depletion and the inevitable deployment of CGNs using
bogon or unrouted public addresses.

 The 6rd hack is nothing more than 6to4 in a different prefix to get
 around the one-liner that should be ignored in the original RFC that
 said to only publish the /16 into IPv6 bgp. I can already hear the
 screams about routing table, but there is no difference between the
 impact of a 6rd specific announcement and a deaggregate of 2002::

Only in the case that the 2002::/16-deaggregating ISP only has *one*
IPv4 PA allocation, and that the 6RD using ISP you're comparing it to
gets a *separate* IPv6 PA allocation dedicated to 6RD end users,
something which I don't believe will be granted in the RIPE region at
least.

The only well-known deployment of 6RD (Free.fr / AS12322) currently
originate 18 IPv4 prefixes and a single IPv6 prefix. With your solution
they would need to originate 18 deaggregates of 2002::/16 instead, in
addition to their single IPv6 PA allocation for native deployments.

-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com
Tel: +47 21 54 41 27
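
The RFC 3484 ordering cited in this message, as an added example that is not part of the original post: destination address selection reduced to rules 5 (prefer matching label) and 6 (prefer higher precedence) over the RFC 3484 default policy table, applied to a 6to4 host before and after a site publishes a 6to4 AAAA. All addresses are constructed documentation values, the earlier rules are assumed to tie, and `pick_source` is a simplified stand-in for source address selection.

```python
import ipaddress

# Default policy table from RFC 3484 section 2.1: (prefix, precedence, label).
POLICY = [
    (ipaddress.IPv6Network("::1/128"), 50, 0),
    (ipaddress.IPv6Network("::/0"), 40, 1),
    (ipaddress.IPv6Network("2002::/16"), 30, 2),        # 6to4
    (ipaddress.IPv6Network("::/96"), 20, 3),
    (ipaddress.IPv6Network("::ffff:0:0/96"), 10, 4),    # IPv4, as v4-mapped
]


def as_v6(addr):
    """IPv4 addresses are looked up in the table in IPv4-mapped form."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        return ipaddress.IPv6Address((0xFFFF << 32) | int(a))
    return a


def policy(addr):
    """Longest-prefix match in the policy table: (precedence, label)."""
    a = as_v6(addr)
    matches = [entry for entry in POLICY if a in entry[0]]
    _, precedence, label = max(matches, key=lambda e: e[0].prefixlen)
    return precedence, label


def pick_source(dst, sources):
    """Simplified source selection: same family, matching label if any."""
    family = ipaddress.ip_address(dst).version
    usable = [s for s in sources if ipaddress.ip_address(s).version == family]
    if not usable:
        return None
    wanted = policy(dst)[1]
    for s in usable:
        if policy(s)[1] == wanted:
            return s
    return usable[0]


def order_destinations(dests, sources):
    """Sort candidate destinations by rule 5, then rule 6."""
    ranked = []
    for d in dests:
        src = pick_source(d, sources)
        if src is None:
            continue                      # no usable source for this family
        precedence, label = policy(d)
        label_matches = policy(src)[1] == label
        ranked.append((not label_matches, -precedence, d))
    ranked.sort(key=lambda t: t[:2])      # stable: ties keep resolver order
    return [d for _, _, d in ranked]


# Constructed hosts: one with public IPv4 plus 6to4, one with native IPv6.
HOST_6TO4 = ["192.0.2.10", "2002:c000:20a::1"]
HOST_NATIVE = ["192.0.2.10", "2001:db8:1::10"]

# Constructed site addresses: native AAAA, A, and an added 6to4 AAAA.
SITE_BEFORE = ["2001:db8::7", "198.51.100.7"]
SITE_AFTER = SITE_BEFORE + ["2002:c633:6407::1"]

if __name__ == "__main__":
    print("6to4 host, before:", order_destinations(SITE_BEFORE, HOST_6TO4))
    print("6to4 host, after: ", order_destinations(SITE_AFTER, HOST_6TO4))
    print("native host, after:", order_destinations(SITE_AFTER, HOST_NATIVE))
```

RFC 6724, which replaced RFC 3484 in 2012, ranks IPv4-mapped addresses above `2002::/16` in its default table, so stacks following it order these candidates differently.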



Re: Yahoo and IPv6

2011-05-11 Thread Iljitsch van Beijnum
On 11 mei 2011, at 2:39, Karl Auer wrote:

 On Wed, 2011-05-11 at 10:19 +1000, Mark Andrews wrote:
 For the record Apple's current iChat (the OS (10.6.7) is completely
 up to date) fails such a test.  It will try IPv6 and not fallback
 to IPv4.  End users shouldn't be seeing these sorts of errors.

Hm, I've had a very hard time finding any IPv6-capable servers to let my iChat 
talk to...

 Is that possibly a failure of the underlying resolver library? Do other
 applications on the same platform behave correctly?

Apple's Mail application used to do this, but after many years they fixed this, 
it will now fall back to IPv4 without trouble. This isn't a resolver issue, as 
the resolver can't know whether IPv6 connectivity does or doesn't work. The 
resolver simply gives applications that don't explicitly ask for a particular 
address type all of the addresses of all types for which the system currently 
has connectivity, I think as determined by the presence of a default route, 
maybe the presence of an address also matters.

What applications need to do when they connect to a remote server is to try the 
next address when the first one fails and cycle through all addresses before 
giving up. Of course with IPv4 having multiple addresses is extremely rare so 
IPv4 applications typically don't bother with this, so it has to be addressed 
when IPv6ifying applications.
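
The fallback behaviour described in this message, as an added example that is not part of the original post: a client loop that walks every address the resolver returns and moves on when one fails, exercised offline against a constructed loopback listener that answers on IPv4 only. The function names are illustrative; Python's own `socket.create_connection()` performs the same kind of loop.

```python
import socket


def candidates(host, port):
    """All addresses of all families for host, in resolver order."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [(family, sockaddr) for family, _, _, _, sockaddr in infos]


def connect_any(addrs, timeout=3.0):
    """Try each (family, sockaddr) in turn; return (socket, failures).

    A failure on one address, including "protocol not supported" when the
    host has no stack for that family, only moves the loop to the next
    candidate. The per-attempt timeout bounds how long a dead IPv6 path
    can delay the IPv4 attempt.
    """
    failures = []
    for family, sockaddr in addrs:
        sock = None
        try:
            sock = socket.socket(family, socket.SOCK_STREAM)
            sock.settimeout(timeout)
            sock.connect(sockaddr)
        except OSError as exc:
            failures.append((sockaddr[0], exc))
            if sock is not None:
                sock.close()
            continue
        sock.settimeout(None)
        return sock, failures
    raise ConnectionError("all %d addresses failed: %s"
                          % (len(failures), [host for host, _ in failures]))


def demo():
    """Constructed test bed: a service reachable over IPv4 loopback only."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # ephemeral port, IPv4 only
    listener.listen(1)
    port = listener.getsockname()[1]
    # IPv6 first, as a resolver on a dual-stack host would normally order it.
    addrs = [
        (socket.AF_INET6, ("::1", port, 0, 0)),
        (socket.AF_INET, ("127.0.0.1", port)),
    ]
    try:
        sock, failures = connect_any(addrs, timeout=1.0)
        family = "IPv6" if sock.family == socket.AF_INET6 else "IPv4"
        sock.close()
    finally:
        listener.close()
    return family, [host for host, _ in failures]


if __name__ == "__main__":
    family, failed = demo()
    print("connected over", family, "after failing on", failed)
```
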


RE: Yahoo and IPv6

2011-05-11 Thread Igor Gashinsky
On Tue, 10 May 2011, Frank Bulk wrote:

:: If I can anticipate Igor's response, he'll say that he'll whitelist those
:: IPv6-only networks and so he's just helped 182,000 people.

That's a very good guess as to what I was going to say :)

-igor

:: -Original Message-
:: From: Owen DeLong [mailto:o...@delong.com] 
:: Sent: Tuesday, May 10, 2011 1:23 PM
:: To: Igor Gashinsky
:: Cc: nanog@nanog.org
:: Subject: Re: Yahoo and IPv6
:: 
:: On May 10, 2011, at 9:32 AM, Igor Gashinsky wrote:
:: 
::  On Tue, 10 May 2011, valdis.kletni...@vt.edu wrote:
::  
::  :: On Tue, 10 May 2011 02:17:46 EDT, Igor Gashinsky said:
::  :: 
::  ::  The time for finger-pointing is over, period, all we are all trying to do
::  ::  now is figure out how to deal with the present (sucky) situation. The
::  ::  current reality is that for a non-insignificant percentage of users when
::  ::  you enable dual-stack, they are going to drop off the face of the planet.
::  ::  Now, for *you*, 0.026% may be insignificant (and, standalone, that number
::  ::  is insignificant), but for a global content provider that has ~700M users,
::  ::  that's 182 *thousand* users that *you*, *through your actions* just took
::  ::  out.. 182,000 - that is *not* insignificant
::  :: 
::  :: At any given instant, there's a *lot* more than 182,000 users who are cut off
::  :: due to various *IPv4* misconfigurations and issues.
::  
::  Yes, but *these* 182,000 users have perfectly working ipv4 connectivity, 
::  and you are asking *me* to break them through *my* actions. Sorry, that's 
::  simply too many to break for me, without a damn good reason to do so.
::  
:: In other words, Igor can't turn on AAAA records generally until there are
:: 182,001 IPv6-only users that are broken from his lack of AAAA records.
:: 
:: Given IP address consumption rates in Asia and the lack of available IPv4
:: resources in Asia, with a traditional growth month to month of nearly
:: 30 million IPv4 addresses consumed, I suspect it will not be long before
:: the 182,001 broken IPv6 users become relevant.
:: 
::  Doing that on world ipv6 day, when there is a lot of press, and most other
:: 
::  large content players doing the same, *is* a good reason - it may actually
:: 
::  have a shot of accomplishing some good, since it may get those users to 
::  realize that they are broken, and fix their systems, but outside of flag 
::  day, if I enabled  by default for all users, all I'm going to do is 
::  send those broken users to my competitors who chose not to enable  
::  on their sites. 
::  
:: Agreed. I think IPv6 day is a great plan for this very reason. I also hope
:: that
:: a lot of organizations that try things out on IPv6 day will decide that the
:: brokenness that has been so hyped wasn't actually noticeable and then
:: leave their  records in place. I do not expect Yahoo or Google to
:: be among them, but, hopefully a lot of other organizations will do so.
:: 
::  This is why I think automatic, measurement-based whitelisting/blacklisting
:: 
::  to minimize the collateral damage of enabling  is going to be 
::  inevitable (with the trigger set to something around 99.99%), and about 
::  the only way we see wide-scale IPv6 adoption by content players, outside 
::  events like world ipv6 day.
::  
:: This will be interesting. Personally, I think it will be more along the
:: lines
:: of when there are more IPv6 only eye-balls with broken IPv4 than there
:: are IPv4 eye-balls with broken IPv6,  will become the obvious
:: solution.
:: 
:: In my opinion, this is just a matter of time and will happen much sooner
:: than
:: I think most people anticipate.
:: 
:: Owen
:: 
:: 



Re: Yahoo and IPv6

2011-05-11 Thread Mark Andrews

In message 03c70cde-8169-437b-8394-26f839413...@muada.com, Iljitsch van Beijnum writes:
 On 11 mei 2011, at 2:39, Karl Auer wrote:
 
  On Wed, 2011-05-11 at 10:19 +1000, Mark Andrews wrote:
  For the record Apple's current iChat (the OS (10.6.7) is completely
  up to date) fails such a test.  It will try IPv6 and not fallback
  to IPv4.  End users shouldn't be seeing these sorts of errors.
 
 Hm, I've had a very hard time finding any IPv6-capable servers to let my
 iChat talk to...

Well I found this bug because the jabber server was IPv4 only and
the box it is on got a  address.  The jabber server is now
running dual stack with the IPv6 ports being forwarded to the IPv4
ports.  It's not optimal but it works.

  Is that possibly a failure of the underlying resolver library? Do other
  applications on the same platform behave correctly?
 
 Apple's Mail application used to do this, but after many years they
 fixed this, it will now fall back to IPv4 without trouble. This isn't a
 resolver issue, as the resolver can't know whether IPv6 connectivity
 does or doesn't work. The resolver simply gives applications that don't
 explicitly ask for a particular address type all of the addresses of all
 types for which the system currently has connectivity, I think as
 determined by the presence of a default route, maybe the presence of an
 address also matters.
 
 What applications need to do when they connect to a remote server is to
 try the next address when the first one fails and cycle through all
 addresses before giving up. Of course with IPv4 having multiple
 addresses is extremely rare so IPv4 applications typically don't bother
 with this, so it has to be addressed when IPv6ifying applications.

This is basic RFC 1123 multihome support.

Also see 
https://www.isc.org/community/blog/201101/how-to-connect-to-a-multi-homed-server-over-tcp

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
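
Added example (not part of the thread, and not the code from the ISC post linked above): a Python client that walks every address the resolver returns and only gives up after all of them have failed, which is the fallback behaviour the message describes. The function names and the loopback scenario in `demo()` are constructed for illustration; the attempts are sequential with a per-address timeout.

```python
import socket


def resolve(host, port):
    """Return every (family, sockaddr) the resolver offers, in resolver order."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [(family, sockaddr) for family, _type, _proto, _canon, sockaddr in infos]


def connect_any(candidates, timeout=2.0):
    """Try each candidate in turn; give up only after all of them failed.

    Returns (connected_socket, sockaddr_used, failures), where failures lists
    the (sockaddr, error) pairs that were skipped on the way.
    """
    failures = []
    for family, sockaddr in candidates:
        sock = None
        try:
            sock = socket.socket(family, socket.SOCK_STREAM)
            sock.settimeout(timeout)  # bound the wait on a blackholed address
            sock.connect(sockaddr)
            sock.settimeout(None)
            return sock, sockaddr, failures
        except OSError as exc:  # refused, unreachable, timed out, family unsupported
            failures.append((sockaddr, exc))
            if sock is not None:
                sock.close()
    raise ConnectionError(f"all {len(failures)} addresses failed: {failures}")


def connect_host(host, port, timeout=2.0):
    """Resolve a name and connect to the first address that answers."""
    return connect_any(resolve(host, port), timeout)


def demo():
    """Constructed scenario: the service listens on IPv4 only, but the name
    also carries an IPv6 address that is tried first."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # any free port, IPv4 loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    candidates = [
        (socket.AF_INET6, ("::1", port, 0, 0)),  # nothing listens here
        (socket.AF_INET, ("127.0.0.1", port)),   # the working address
    ]
    try:
        sock, used, failures = connect_any(candidates)
        sock.close()
        return used, len(failures)
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

A client that stops after the first `OSError` fails in exactly this scenario, even though the second address works.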



Re: Yahoo and IPv6

2011-05-10 Thread Igor Gashinsky
::  In any case, the content side can mitigate all of the latency related 
issues
::  they complain about in 6to4 by putting in a local 6to4 router and 
publishing
::  the corresponding 2002:: prefix based address in DNS for their content. 
They
::  choose to hold their breath and turn blue, blaming the network for the 
lack
::  of 5-9's access to the eyeballs when they hold at least part of a solution
::  in their own hands.
::  
::  Looking at that from the content provider side for a second, what is their 
motivation for doing it? The IETF created 6to4, and some foolish OS and/or 
hardware vendors enabled it by default. So you're saying that it's up to the 
content providers to spend money to fix a problem they didn't create, when the 
easy/free solution is simply not to turn on IPv6 at all? I completely fail to 
see an incentive for the content providers to do this, but maybe I'm missing 
something.
::  

So, just for the record, I am not speaking for my employer, and am 
speaking strictly for myself here, and I'm going to try to keep this my 
one and only message about finger-pointing :)

The time for finger-pointing is over, period, all we are all trying to do 
now is figure out how to deal with the present (sucky) situation. The 
current reality is that for a non-insignificant percentage of users when 
you enable dual-stack, they are going to drop off the face of the planet. 
Now, for *you*, 0.026% may be insignificant (and, standalone, that number 
is insignificant), but for a global content provider that has ~700M users, 
that's 182 *thousand* users that *you*, *through your actions* just took 
out.. 182,000 - that is *not* insignificant

*That* is what world ipv6 day is about to me -- getting enough attention 
at the problem so that all of us can try to move the needle in the right 
direction. If enough users realize that they are broken, and end up 
fixing themselves, then it will be a resounding success. And, yes, to 
me, disabling broken ipv6 *is* fixing themselves. If they turn broken 
ipv6 into working ipv6, even better, I just hope all the access networks 
staffed up their helpdesk to deal with the call volumes..

And, if the breakage stats remain bad, well, that's what DNS
whitelists/blacklists are going to be for..

:: While we're not directly a content provider, we do host several of them and 
we do
:: run the largest network of 6to4 relays that I am aware of. In our experience 
at HE,
:: this has dramatically improved the IPv6 experience for our clients. As such, 
I would
:: think that providing a better user experience should serve as reasonable 
motivation
:: for any rational content provider. It's not like running 6to4 relays is 
difficult or
:: expensive.

No, running *return* 6to4 relays is not difficult at all, in fact, some 
content providers have a ton of them up right now. The problem is that 
content providers can't control the forward relays, or protocol 41 
filtering that's out in the wild. Also, not all breakage is caused by 
6to4, there are still quite a few cases of other breakage, and *that* is 
what's pushing us towards whitelisting.

See: http://www.getipv6.info/index.php/Customer_problems_that_could_occur

::  And can we please stop pretending that this is an easy thing for the 
content providers to do? Big content networks like Yahoo! have dozens of POPs, 
and hundreds of address ranges. The IETF is *still* working on tweaking 6to4, 
so even if the content providers put up these relays today, and somehow figure 
out how to test them, their work is not done.
::  
:: It is relatively easy to do, even with dozens of POPs. There isn't anything 
special you
:: have to do for the hundreds of address ranges, really, so I don't buy that 
as being a
:: meaningful part of the argument.

I think this is a red herring - return relays were never *the* problem.

::  I do agree with you that pointing fingers at this stage is really not 
helpful. I continue to maintain that being supportive of those content networks 
that are willing to wade in is the right answer.
::  
:: Agreed, but, it's also important to point out when they're starting to swim 
in directions
:: that are counterproductive, such as having help sites that advise users to 
turn off
:: IPv6 with fixing their IPv6 capabilities as a secondary option.

We recommend disabling IPv6 or seeking assistance in order to fix your 
system's IPv6 configuration through your ISP or computer manufacturer

So, your problem is that a help page gives the user 2 options, 
the first one of them being a quick and easy fix that a user can do 
himself in less than a minute, and suggesting contacting the ISP or 
manufacturer *second* (and possibly spending quite a bit of time on 
hold/troubleshooting, and then saying screw it)?!? 

Honestly, I think the people who want ipv6 to work, and are willing and 
capable to troubleshoot it, will; and those who don't will just 
turn it off... Seems like the right outcome to me..

-igor
(man, did I pick 

Re: Yahoo and IPv6

2011-05-10 Thread Owen DeLong
 ::  I do agree with you that pointing fingers at this stage is really not 
 helpful. I continue to maintain that being supportive of those content 
 networks that are willing to wade in is the right answer.
 ::  
 :: Agreed, but, it's also important to point out when they're starting to 
 swim in directions
 :: that are counterproductive, such as having help sites that advise users to 
 turn off
 :: IPv6 with fixing their IPv6 capabilities as a secondary option.
 
 We recommend disabling IPv6 or seeking assistance in order to fix your 
 system's IPv6 configuration through your ISP or computer manufacturer
 
 So, your problem is that a help page gives the user 2 options, 
 the first one of them being a quick and easy fix that a user can do 
 himself in less than a minute, and suggesting contacting the ISP or 
 manufacturer *second* (and possibly spending quite a bit of time on 
 hold/troubleshooting, and then saying screw it)?!? 
 
Vs. other more useful options which I have spelled out elsewhere in this
thread, yes.

 Honestly, I think the people who want ipv6 to work, and are willing and 
 capable to troubleshoot it, will; and those who don't will just 
 turn it off... Seems like the right outcome to me..
 
We can agree to disagree. Turning it off really isn't a good outcome because
it just postpones the inevitable. Encouraging people to call their ISPs to
troubleshoot their IPv6 problems accomplishes two things:

1.  It raises visibility of the need for IPv6 at the eyeball ISPs. It shows
that there are users encountering things that cause them to care
about IPv6 working.

2.  It helps users resolve their IPv6 problems and get working
IPv6.

I applaud your employer's efforts to get IPv6 deployed and their leadership
in working towards IPv6 day. Hopefully they can eventually take a more
positive leadership position towards successful eyeball transitions as
well.

Owen




Re: Yahoo and IPv6

2011-05-10 Thread Arie Vayner
Igor,

When testing, you should take into consideration that people from all across
the world may use this tool, and in some places speed is not the same as in
other places... Latency... Bad links... Etc.

Arie

On Tue, May 10, 2011 at 7:58 AM, Igor Gashinsky i...@gashinsky.net wrote:

 On Mon, 9 May 2011, valdis.kletni...@vt.edu wrote:

 :: Given the following posting from earlier this morning:
 ::
 ::  The location that's affecting the results is pending removal from DNS;
 ::  and ASAP we hope to have the name moved to the geo-LB that supports v6,
 ::  instead of the round robin it is today.
 ::
 :: I feel pretty damned justified in saying it wasn't *my* network causing
 the retransmits.
 ::
 :: (Oh - and kudos for the person quoted above for 'fessing up, and to the
 people
 :: that tracked down the actual issue. That always sucks when the test rig
 itself
 :: has issues. Glad to hear it will be fixed)

 In the spirit of full disclosure, I'll fess up a little more then :) We
 did have the cname for the help pages point to an old rotation, something
 that is getting rectified, and the timeout in the javascript was a tad too
 aggressive (would lead to some unwanted false negatives), so that timeout
 is going to be up'ed to between 5 and 10 seconds (we are measuring a few
 different things, so which value will be used will depend on what is being
 measured where).

 Thank you for catching this -- we are still working on finishing up the
 monitoring component of flag day related content :)

 -igor



Re: Yahoo and IPv6

2011-05-10 Thread Iljitsch van Beijnum
On 9 mei 2011, at 21:40, Tony Hain wrote:

 Publicly held corporations are responsible to their shareholders to get
 eyeballs on their content. *That* is their job, not promoting cool new
 network tech. When you have millions of users hitting your site every
 day losing 1/2000 is a large chunk of revenue.

Nonsense. 0.05% is well below the noise margin for anything that involves 
humans.

 The fact that the big
 players are doing world IPv6 day at all should be celebrated, promoted,
 and we should all be ready to take to heart the lessons learned from
 it.

I applaud the first step, but I'm bothered by the fact that no second step is 
planned.

 The content providers are not to be blamed for the giant mess that IPv6
 deployment has become. If 6to4 and Teredo had never happened, in all
 likelihood we wouldn't be in this situation today.

 The entire point of those technologies you are complaining about was to
 break the stalemate between content and network, because both sides will
 always wait and blame the other.

You're both somewhat right: there's nothing wrong with having 6to4 and Teredo 
available as an option for people who want/need easy IPv6, which is too hard to 
get otherwise for most people. The big mistake was to enable it by default. 
That ALWAYS ends badly. (See for instance HTTP pipelining, good idea but it got 
tainted by buggy implementations on the client side that made it impossible to 
enable on the server side.)

 The fact that the content side chose to
 wait until the last possible minute to start is where the approach falls
 down. Expecting magic to cover for lack of proactive effort 5-10 years ago
 is asking a bit much, even for the content mafia. 

The content people don't feel the address crunch and they have no incremental 
deployment: either you  or you don't . The opposite is true for the 
eyeball people, so they are the ones that will have to get this ball rolling.

 In any case, the content side can mitigate all of the latency related issues
 they complain about in 6to4 by putting in a local 6to4 router and publishing
 the corresponding 2002:: prefix based address in DNS for their content.

That wouldn't help people behind firewalls that block protocol 41 (which is way 
too common) and it's harmful to those with non-6to4 connectivity but no (good) 
RFC 3484 support so they connect to those 2002:: addresses. (I'm looking at 
you, MacOS. Try for yourself here: http://6to4test3.runningipv6.net/ )

 We are about to witness the most expensive, complex, blame-fest of a
 transition that one could have imagined 10 years ago. This is simply due to
 the lack of up-front effort that both sides have demonstrated in getting to
 this point. Now that time has expired, all that is left to do is sit back
 and watch the fireworks.

I love fireworks.

I don't think it'll be all that bad, though. Pretty much all the pieces are in 
place now, it's mostly a question of simply enabling IPv6. Yes, people will 
whine but how else would we know the NANOG list is still working between 
operational issues?


Banks and IPv6 (was Re: Yahoo and IPv6)

2011-05-10 Thread Jared Mauch

On May 10, 2011, at 6:03 AM, Iljitsch van Beijnum wrote:

 On 9 mei 2011, at 21:40, Tony Hain wrote:
 
 Publicly held corporations are responsible to their shareholders to get
 eyeballs on their content. *That* is their job, not promoting cool new
 network tech. When you have millions of users hitting your site every
 day losing 1/2000 is a large chunk of revenue.
 
 Nonsense. 0.05% is well below the noise margin for anything that involves 
 humans.

I think it will be interesting when people start to look at the results. 
Following the delegation of someplace like a bank that has a financial interest 
in

a) security (ie: modern software)
b) people reaching their site

There's a lot of IPv6 brokenness in their services.

do dig +trace  www.citibank.co.uk

You will eventually reach their load balancer dns servers that start giving out 
bad referrals/authority.

www.citibank.co.uk. 3600IN  NS  ldefdc-egsl01-7000.nsroot2.com.
www.citibank.co.uk. 3600IN  NS  lgbrdc-egsl01-7000.nsroot1.com.
;; Received 153 bytes from 192.193.214.2#53(192.193.214.2) in 36 ms

[trimmed]
.   360 IN  NS  m.root-servers.net.
;; BAD REFERRAL
;; Received 500 bytes from 199.67.203.246#53(199.67.203.246) in 100 ms


When you look at the top 25 broken sites, it quickly starts to look like 
something interesting.  The temporary failure shows some error in the resolver 
library looking for an  record.  If you ask a non-bind nameserver you may 
have better luck as they seem to have relaxed SOA tracking.


Aside from the above, it does seem that there are a fair number of sites that 
have enabled IPv6 and gone without notice.

take www.informationweek.com which (from my view) sits behind AS209 with their 
IPv6 space, very similar to their v4 address.

I'm optimistic that more people will 'just enable' ipv6.  Hopefully other 
technical websites will do it as well, perhaps anyone that matches a regex of 
ars can influence the powers that be.  If they can get people to disable 
adblock, maybe they can serve up some  as well. :)

- Jared


RE: Yahoo and IPv6

2011-05-10 Thread Tony Hain
Igor Gashinsky wrote:
 ::  In any case, the content side can mitigate all of the latency
 related issues
 ::  they complain about in 6to4 by putting in a local 6to4 router and
 publishing
 ::  the corresponding 2002:: prefix based address in DNS for their
 content. They
 ::  choose to hold their breath and turn blue, blaming the network
 for the lack
 ::  of 5-9's access to the eyeballs when they hold at least part of a
 solution
 ::  in their own hands.
 :: 
 ::  Looking at that from the content provider side for a second, what
 is their motivation for doing it? The IETF created 6to4, and some
 foolish OS and/or hardware vendors enabled it by default. So you're
 saying that it's up to the content providers to spend money to fix a
 problem they didn't create, when the easy/free solution is simply not
 to turn on IPv6 at all? I completely fail to see an incentive for the
 content providers to do this, but maybe I'm missing something.
 :: 
 
 So, just for the record, I am not speaking for my employer, and am
 speaking strictly for myself here, and I'm going to try to keep this my
 one and only message about finger-pointing :)
 
 The time for finger-pointing is over, period, all we are all trying to
 do
 now is figure out how to deal with the present (sucky) situation. The
 current reality is that for a non-insignificant percentage of users
 when
 you enable dual-stack, they are going to drop off the face of the
 planet.
 Now, for *you*, 0.026% may be insignificant (and, standalone, that
 number
 is insignificant), but for a global content provider that has ~700M
 users,
 that's 182 *thousand* users that *you*, *through your actions* just
 took
 out.. 182,000 - that is *not* insignificant
 
 *That* is what world ipv6 day is about to me -- getting enough
 attention
 at the problem so that all of us can try to move the needle in the
 right
 direction. If enough users realize that they are broken, and end up
 fixing themselves, then it will be a resounding success. And, yes, to
 me, disabling broken ipv6 *is* fixing themselves. If they turn broken
 ipv6 into working ipv6, even better, I just hope all the access
 networks
 staffed up their helpdesk to deal with the call volumes..
 
 And, if the breakage stats remain bad, well, that's what DNS
 whitelists/blacklists are going to be for..
 
 :: While we're not directly a content provider, we do host several of
 them and we do
 :: run the largest network of 6to4 relays that I am aware of. In our
 experience at HE,
 :: this has dramatically improved the IPv6 experience for our clients.
 As such, I would
 :: think that providing a better user experience should serve as
 reasonable motivation
 :: for any rational content provider. It's not like running 6to4 relays
 is difficult or
 :: expensive.
 
 No, running *return* 6to4 relays is not difficult at all, in fact, some
 content providers have a ton of them up right now. The problem is that
 content providers can't control the forward relays, 

So take the relays out of the path by putting up a 6to4 router and a 2002::
prefix address on the content servers. Longest match will cause 6to4
connected systems to prefer that prefix while native connected systems will
prefer the current prefix. The resulting IPv4 path will be exactly what it
is today door-to-door. Forcing traffic through a third party by holding to a
purity principle for dns, and then complaining about the results is not
exactly the most productive thing one could do.

 or protocol 41
 filtering that's out in the wild. 

Putting 2002:: in dns will not fix this, but it is not clear to me where
this comes from. The argument is that enterprise firewalls are blocking it,
but that makes no sense because many/most enterprises are in 1918 space so
6to4 will not be attempted to begin with, and for those that have public
space internally the oft-cited systems that are domain members will have
6to4 off by default. To get them to turn it on would require the IT staff to
explicitly enable it for the end systems but then turn around and block it
at the firewall ... Not exactly a likely scenario.

The most likely source of public space for non-domain joined systems would
be universities, but no one that is complaining about protocol 41 filtering
has shown that the source addresses are coming from those easily
identifiable places. 

That leaves the case of networks that use public addresses internally, but
nat those at the border. This would confuse the client into thinking 6to4
should be viable, only to have protocol 41 blocked by the nat. These
networks do exist, and the only way to detect them would be to have an
instrumented 6to4 router or relay that compared the IPv4-bits in the source
address between the two headers. They don't have to match exactly because a
6to4 router would use its address as a source, but if the embedded bits said
25.25.25.25 while the external IPv4 header said 18.25.25.25 one might
suspect there was a nat in the path.

 Also, not all breakage is 
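
Added example (not part of the thread): the instrumented-relay check described above, written as a Python function that takes a raw protocol 41 packet, extracts the IPv4 address embedded in the inner 2002::/16 source, and compares it with the outer IPv4 source. The verdict names, `build_sample()` and the destination addresses are constructed for illustration; the 25.25.25.25 and 18.25.25.25 pair is the one used in the message, and a mismatch is a hint of a NAT in the path, not proof.

```python
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROTO_41 = 41  # IPv6 encapsulated in IPv4


def embedded_ipv4(v6addr):
    """Return the IPv4 address carried in bits 16..47 of a 6to4 address,
    or None when the address is not inside 2002::/16."""
    addr = ipaddress.IPv6Address(v6addr)
    if addr not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def classify_packet(pkt):
    """Return (verdict, embedded_v4, outer_src) for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4  # outer header length in bytes
    if ihl < 20:
        raise ValueError("bad IPv4 header length")
    outer_src = ipaddress.IPv4Address(pkt[12:16])
    if pkt[9] != PROTO_41:
        return "not-proto-41", None, outer_src
    inner = pkt[ihl:ihl + 40]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("truncated or malformed inner IPv6 header")
    embedded = embedded_ipv4(inner[8:24])  # inner source address
    if embedded is None:
        return "not-6to4-source", None, outer_src
    if any(embedded in net for net in RFC1918):
        # 6to4 should not be attempted from private space at all
        return "rfc1918-embedded", embedded, outer_src
    if embedded == outer_src:
        return "consistent", embedded, outer_src
    # Embedded and outer addresses disagree: the case the message describes
    return "possible-nat", embedded, outer_src


def build_sample(outer_src, inner_src,
                 outer_dst="192.0.2.1", inner_dst="2001:db8::1"):
    """Construct a minimal protocol 41 packet for the demo (checksum left 0,
    documentation-range destinations, no payload)."""
    v6 = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
          + ipaddress.IPv6Address(inner_src).packed
          + ipaddress.IPv6Address(inner_dst).packed)
    v4 = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64, PROTO_41, 0)
          + ipaddress.IPv4Address(outer_src).packed
          + ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6


if __name__ == "__main__":
    # 2002:1919:1919::/48 embeds 25.25.25.25 (0x19 == 25)
    for outer in ("25.25.25.25", "18.25.25.25"):
        print(outer, classify_packet(build_sample(outer, "2002:1919:1919::1")))
```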

Re: Yahoo and IPv6

2011-05-10 Thread Valdis . Kletnieks
On Tue, 10 May 2011 02:17:46 EDT, Igor Gashinsky said:

 The time for finger-pointing is over, period, all we are all trying to do 
 now is figure out how to deal with the present (sucky) situation. The 
 current reality is that for a non-insignificant percentage of users when 
 you enable dual-stack, they are going to drop off the face of the planet. 
 Now, for *you*, 0.026% may be insignificant (and, standalone, that number 
 is insignificant), but for a global content provider that has ~700M users, 
 that's 182 *thousand* users that *you*, *through your actions* just took 
 out.. 182,000 - that is *not* insignificant

At any given instant, there's a *lot* more than 182,000 users who are cut off
due to various *IPv4* misconfigurations and issues.

Let's keep a sense of proportion, shall we?




Re: Yahoo and IPv6

2011-05-10 Thread Igor Gashinsky
On Tue, 10 May 2011, valdis.kletni...@vt.edu wrote:

:: On Tue, 10 May 2011 02:17:46 EDT, Igor Gashinsky said:
:: 
::  The time for finger-pointing is over, period, all we are all trying to do 
::  now is figure out how to deal with the present (sucky) situation. The 
::  current reality is that for a non-insignificant percentage of users when 
::  you enable dual-stack, they are going to drop off the face of the planet. 
::  Now, for *you*, 0.026% may be insignificant (and, standalone, that number 
::  is insignificant), but for a global content provider that has ~700M users, 
::  that's 182 *thousand* users that *you*, *through your actions* just took 
::  out.. 182,000 - that is *not* insignificant
:: 
:: At any given instant, there's a *lot* more than 182,000 users who are cut off
:: due to various *IPv4* misconfigurations and issues.

Yes, but *these* 182,000 users have perfectly working ipv4 connectivity, 
and you are asking *me* to break them through *my* actions. Sorry, that's 
simply too many to break for me, without a damn good reason to do so.

Doing that on world ipv6 day, when there is a lot of press, and most other 
large content players doing the same, *is* a good reason - it may actually 
have a shot of accomplishing some good, since it may get those users to 
realize that they are broken, and fix their systems, but outside of flag 
day, if I enabled  by default for all users, all I'm going to do is 
send those broken users to my competitors who chose not to enable  
on their sites. 

This is why I think automatic, measurement-based whitelisting/blacklisting 
to minimize the collateral damage of enabling  is going to be 
inevitable (with the trigger set to something around 99.99%), and about 
the only way we see wide-scale IPv6 adoption by content players, outside 
events like world ipv6 day.

-igor



Re: Yahoo and IPv6

2011-05-10 Thread Igor Gashinsky
On Tue, 10 May 2011, Iljitsch van Beijnum wrote:

:: On 9 mei 2011, at 21:40, Tony Hain wrote:
:: 
::  Publicly held corporations are responsible to their shareholders to get
::  eyeballs on their content. *That* is their job, not promoting cool new
::  network tech. When you have millions of users hitting your site every
::  day losing 1/2000 is a large chunk of revenue.
:: 
:: Nonsense. 0.05% is well below the noise margin for anything that involves 
humans.

I assure you, it is not. 0.005% might be in the noise, but 0.05% is 
quite measurable given a large enough audience.

::  The fact that the big
::  players are doing world IPv6 day at all should be celebrated, promoted,
::  and we should all be ready to take to heart the lessons learned from
::  it.
:: 
:: I applaud the first step, but I'm bothered by the fact that no second step 
is planned.

Just because it's not public, doesn't mean that it hasn't been planned :)

Most of us want to see the data that we get from the first step, before 
making the decision on which second step to take, I'm sure most people 
can understand that.

-igor



Re: Yahoo and IPv6

2011-05-10 Thread Owen DeLong

On May 10, 2011, at 9:32 AM, Igor Gashinsky wrote:

 On Tue, 10 May 2011, valdis.kletni...@vt.edu wrote:
 
 :: On Tue, 10 May 2011 02:17:46 EDT, Igor Gashinsky said:
 :: 
 ::  The time for finger-pointing is over, period, all we are all trying to 
 do 
 ::  now is figure out how to deal with the present (sucky) situation. The 
 ::  current reality is that for a non-insignificant percentage of users when 
 ::  you enable dual-stack, they are going to drop off the face of the planet. 
 ::  Now, for *you*, 0.026% may be insignificant (and, standalone, that 
 number 
 ::  is insignificant), but for a global content provider that has ~700M 
 users, 
 ::  that's 182 *thousand* users that *you*, *through your actions* just took 
 ::  out.. 182,000 - that is *not* insignificant
 :: 
 :: At any given instant, there's a *lot* more than 182,000 users who are cut 
 off
 :: due to various *IPv4* misconfigurations and issues.
 
 Yes, but *these* 182,000 users have perfectly working ipv4 connectivity, 
 and you are asking *me* to break them through *my* actions. Sorry, that's 
 simply too many to break for me, without a damn good reason to do so.
 
In other words, Igor can't turn on  records generally until there are
182,001 IPv6-only users that are broken from his lack of  records.

Given IP address consumption rates in Asia and the lack of available IPv4
resources in Asia, with a traditional growth month to month of nearly
30 million IPv4 addresses consumed, I suspect it will not be long before
the 182,001 broken IPv6 users become relevant.

 Doing that on world ipv6 day, when there is a lot of press, and most other 
 large content players doing the same, *is* a good reason - it may actually 
 have a shot of accomplishing some good, since it may get those users to 
 realize that they are broken, and fix their systems, but outside of flag 
 day, if I enabled  by default for all users, all I'm going to do is 
 send those broken users to my competitors who chose not to enable  
 on their sites. 
 
Agreed. I think IPv6 day is a great plan for this very reason. I also hope that
a lot of organizations that try things out on IPv6 day will decide that the
brokenness that has been so hyped wasn't actually noticeable and then
leave their  records in place. I do not expect Yahoo or Google to
be among them, but, hopefully a lot of other organizations will do so.

 This is why I think automatic, measurement-based whitelisting/blacklisting 
 to minimize the collateral damage of enabling  is going to be 
 inevitable (with the trigger set to something around 99.99%), and about 
 the only way we see wide-scale IPv6 adoption by content players, outside 
 events like world ipv6 day.
 
This will be interesting. Personally, I think it will be more along the lines
of when there are more IPv6 only eye-balls with broken IPv4 than there
are IPv4 eye-balls with broken IPv6,  will become the obvious
solution.

In my opinion, this is just a matter of time and will happen much sooner than
I think most people anticipate.


Owen




Re: Yahoo and IPv6

2011-05-10 Thread Warren Kumari

On May 10, 2011, at 12:37 PM, Igor Gashinsky wrote:

 On Tue, 10 May 2011, Iljitsch van Beijnum wrote:
 
 :: On 9 mei 2011, at 21:40, Tony Hain wrote:
 :: 
 ::  Publicly held corporations are responsible to their shareholders to get
 ::  eyeballs on their content. *That* is their job, not promoting cool new
 ::  network tech. When you have millions of users hitting your site every
 ::  day losing 1/2000 is a large chunk of revenue.
 :: 
 :: Nonsense. 0.05% is well below the noise margin for anything that involves 
 humans.
 
 I assure you, it is not. 0.005% might be in the noise, but 0.05% is 
 quite measurable given a large enough audience.
 
 ::  The fact that the big
 ::  players are doing world IPv6 day at all should be celebrated, promoted,
 ::  and we should all be ready to take to heart the lessons learned from
 ::  it.
 :: 
 :: I applaud the first step, but I'm bothered by the fact that no second step 
 is planned.
 
 Just because it's not public, doesn't mean that it hasn't been planned :)
 
 Most of us want to see the data that we get from the first step, before 
 making the decision on which second step to take, I'm sure most people 
 can understand that.


Argck, I cannot believe that I am going to do this, let alone publicly, but 
here goes...

Igor is right on both counts here -- 0.05% is definitely noticeable at these 
sorts of scale, and I'd be shocked if Yahoo didn't have a set of alerts that 
fire if projections differ from actual traffic by this amount. I'm also a 
little surprised that you figured that there were no plans past the event -- 
much of the point of this is for data gathering -- did you figure folk were 
just going to gather the data and then ignore it?

Ok, that fully used up my agreeing with Igor quota for the year...

W

 
 -igor
 




Re: Yahoo and IPv6

2011-05-10 Thread Iljitsch van Beijnum
On 10 mei 2011, at 22:31, Warren Kumari wrote:

 :: I applaud the first step, but I'm bothered by the fact that no second 
 step is planned.

 Igor is right on both counts here -- 0.05% is definitely noticeable at these 
 sorts of scale,

Ok, removed my inflammatory reply. But tell me how 0.05% is visible in the 
up/down motions of traffic as it starts raining, there is something especially 
good/bad on TV, people have to reboot because of a Windows update or whatever.

Earlier today I tracerouted the top 1000 websites as per Alexa. I couldn't 
resolve the DNS for 6 of them. The internet is never 100% up.

 I'm also a little surprised that you figured that there were no plans past 
 the event -- much of the point of this is for data gathering -- did you 
 figure folk were just going to gather the data and then ignore it?

I asked the ISOC press people about this after they sent me their press release 
but they never replied (they may have replied to my message but not with an 
answer to the question). There is nothing on the ISOC site that mentions 
anything happening after June 8.

Of course I'm assuming individual participants will do stuff, but that doesn't 
change that this IPv6 day as it stands now is a one-off event, not the first 
step towards the Ultimate Goal.


Re: Yahoo and IPv6

2011-05-10 Thread Scott Whyte
On Tue, May 10, 2011 at 13:58, Iljitsch van Beijnum iljit...@muada.com wrote:
 On 10 mei 2011, at 22:31, Warren Kumari wrote:

 :: I applaud the first step, but I'm bothered by the fact that no second 
 step is planned.

 Igor is right on both counts here -- 0.05% is definitely noticeable at these 
 sorts of scale,

 Ok, removed my inflammatory reply. But tell me how 0.05% is visible in the 
 up/down motions of traffic as it starts raining, there is something 
 especially good/bad on TV, people have to reboot because of a Windows update 
 or whatever.

It's the delta between v4 and v6 that is visible and significant.  If
some machine's addresses are all down hard, that is no problem in this
scenario.

-Scott



Re: Yahoo and IPv6

2011-05-10 Thread Jason Fesler
 Of course I'm assuming individual participants will do stuff, but that 
 doesn't change that this IPv6 day as it stands now is a one-off event,
 not the first step towards the Ultimate Goal.


The intent is to get folks together after we digest the data, to talk 
about next steps.  Date is not yet picked.


I'm hoping we collectively prove there is no broken user problem.  I 
realistically expect we'll have another v6d - either as 24h, or as a 
roll-on-and-stick.   But, until we get through the day, and analyze the 
data, any decisions on what to do next are premature.


The NANOG following v6d should be interesting; I'm hoping a number of 
folks from both access and content are willing to share any early stats 
they have.



