Dealing with filtered 6to4 clients

Tore Anderson tore at linpro.no
Tue Oct 27 12:29:32 CET 2009


Hello list,

I've been doing some testing in order to determine whether or not it
would be «dangerous» for our customers to dualstack their web sites. The
largest problem I've found so far affects a very specific group of
clients, which:

1) are using Windows Vista or newer, and
2) are using the Opera web browser, and
3) are assigned public IPv4 addresses, and
4) are on a network which filters inbound proto-41 traffic.

In this case, the client will have a 6to4 tunnel interface automatically
configured, and will prefer using it over native IPv4 for contacting
dualstacked web sites.  However the return traffic never makes it back
to the client, which manifests itself on the server as unsuccessful
retransmits of the SYN+ACK TCP packet.  On the client, it looks as if
the site is down (or extremely slow, as it will eventually fall back on
IPv4).

There are two eyeball networks (of significant size) in Norway which do
this kind of inbound proto-41 filtering at the moment, and it makes it
hard for me to talk my customers into providing IPv6 content as they're
terrified of client loss of any kind.  The issue has been discussed with
the networks in question and while at least one of them acknowledges the
problem, they're reluctant to allow inbound proto-41 traffic as that
will basically create a wide hole in their firewall filter (which I
believe allows only inbound «established-looking» packets at the moment).

So, assuming that allowing 6to4/proto-41 (or deploying native v6) is out
of the question:  Does anyone have any suggestions on how I (or the
eyeball networks) can handle this in a better way?

I've tried filtering the 6to4 packets on the way out and returning an
ICMPv4 type 3 code 13 (tried code 3 as well) to the client, hoping that
it would prompt Opera to fall back on v4 immediately, but unfortunately
it does not have any effect at all - it still hangs as if the site is down.

Best regards,
-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
Tel: +47 21 54 41 27
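
Added example, not part of the original post: a 6to4 address carries the client's public IPv4 address in the 32 bits after the 2002::/16 prefix, so server-side handshake records can be grouped by the client's IPv4 network to see where 6to4 handshakes never complete. The three-field record format, the /24 grouping and the threshold are assumptions, and the sample lines are constructed from documentation address ranges.

```python
import ipaddress
from collections import defaultdict

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")

def embedded_ipv4(addr):
    """Return the IPv4 address embedded in a 6to4 address, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in SIX_TO_FOUR:
        return None
    # 2002:AABB:CCDD::/48 -> the 32 bits after the prefix are AA.BB.CC.DD
    return ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF)

def handshake_stats(lines, prefixlen=24):
    """Map IPv4 prefix -> [stalled, established] counts for 6to4 peers."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # not a "STATE LOCAL PEER" record
        state, _local, peer = fields
        host = peer.rsplit(":", 1)[0].strip("[]")  # drop port and brackets
        try:
            v4 = embedded_ipv4(host)
        except ValueError:
            continue  # unparsable peer address
        if v4 is None:
            continue  # native IPv6 or plain IPv4 peer
        net = str(ipaddress.ip_network(f"{v4}/{prefixlen}", strict=False))
        if state == "SYN-RECV":    # SYN+ACK sent, no ACK came back
            stats[net][0] += 1
        elif state == "ESTAB":     # handshake completed over 6to4
            stats[net][1] += 1
    return dict(stats)

def suspected_filtering(stats, min_stalled=2):
    """Prefixes where 6to4 handshakes stall and none ever complete."""
    return sorted(n for n, (stalled, ok) in stats.items()
                  if stalled >= min_stalled and ok == 0)

# Constructed sample records (hypothetical format: STATE LOCAL PEER)
SAMPLE = [
    "SYN-RECV [2001:db8::80]:80 [2002:c000:204::1]:51234",
    "SYN-RECV [2001:db8::80]:80 [2002:c000:2c8::1]:51300",
    "SYN-RECV [2001:db8::80]:80 [2002:c633:6407::1]:40000",
    "ESTAB [2001:db8::80]:80 [2002:c633:6410::1]:40100",
    "ESTAB [2001:db8::80]:80 [2001:db8:1::5]:40200",
    "ESTAB 192.0.2.80:80 203.0.113.9:40300",
]
```

Half-open connections also come from SYN floods and ordinary packet loss, so a flagged prefix is a lead to confirm with the network's operator, not proof of proto-41 filtering.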

