Thoughts about ipv6 white listing

Andrew Yourtchenko ayourtch at gmail.com
Sat Dec 4 18:32:05 CET 2010


Hi,

On Sat, Dec 4, 2010 at 4:26 PM, Gert Doering <gert at space.net> wrote:
> Hi,
>
> On Sat, Dec 04, 2010 at 03:36:14AM -0800, George Bonser wrote:
>> If an AAAA record request arrives by v6, at least I know that both
>> the client *and* the dns server have v6
>
> This seems to be the fundamental mistake.
>
> If an AAAA request arrives by v6, all you know is "the client asked for
> AAAA, and the recursor has v6".
>
> You don't know *anything* about the availability and/or brokenness of
> v6 at the client end.

To add to Gert's comment: I've done a quick test on my Win7 PC and
when I attach to the subnet without IPv6, Chrome does not ask for the
AAAA at all - it's not on the wire - so at least for some values of
"availability of IPv6" and some applications the assumption holds.

On the other hand the above also means that *if* the client does not
have IPv6 address, then it *will not* request AAAA to begin with.

So you can as well give AAAA out over IPv4 too if no-one without IPv6
address is going to ask for it anyway - this is the reason I think
this proposal is a no-op.

All the failures I've debugged recently involved the host having a
[non-link-local] IPv6 address, and either a routing or PMTUD or some
more exotic blackholes (FWIW for completeness: an ancient version of
IOS with CBAC not understanding TCP window scaling but trying to
enforce the window) - this proposal helps with none of them.

cheers,
andrew


>
> Gert Doering
>        -- NetMaster
> --
> did you enable IPv6 on something today...?
>
> SpaceNet AG                        Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
> Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
>
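Added example, not part of this thread: a small Python diagnostic that applies the two points above, namely that a host only emits AAAA queries once it holds a non-link-local IPv6 address, and that the failures worth catching are the ones where such an address exists but the IPv6 path blackholes. The hostname passed to `probe_v6` and port 80 are assumptions; the outcome labels are my own.

```python
import errno
import ipaddress
import socket

ULA = ipaddress.ip_network("fc00::/7")  # unique local address range


def classify_v6(addr):
    """Classify one IPv6 address string as link-local, ula, global or other."""
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])  # drop a zone id such as %eth0
    if ip.is_link_local:
        return "link-local"
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        return "other"
    if ip in ULA:
        return "ula"
    return "global"


def will_send_aaaa(addrs):
    """True when the host has a non-link-local IPv6 address, i.e. the only case in
    which a stack behaving like the Win7 one described above emits AAAA queries."""
    return any(classify_v6(a) in ("ula", "global") for a in addrs)


def probe_v6(host, port=80, timeout=3.0):
    """Resolve AAAA for host, TCP-connect over IPv6 and send one HTTP request.
    Returns: no-aaaa, unreachable, connect-timeout, refused, stall-after-handshake, ok."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return "no-aaaa"
    sockaddr = infos[0][4]
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
        except socket.timeout:
            return "connect-timeout"  # SYN swallowed: routing or filtering blackhole
        except OSError as e:
            if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
                return "unreachable"  # address configured but no usable v6 route
            if e.errno == errno.ECONNREFUSED:
                return "refused"
            raise
        try:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            return "ok" if s.recv(1) else "stall-after-handshake"
        except socket.timeout:
            return "stall-after-handshake"  # handshake fine, data never arrives: PMTUD-style symptom
```

Run `probe_v6("www.example.com")` from a host whose addresses make `will_send_aaaa` true; a connect that succeeds but then stalls is the kind of failure the whitelisting proposal cannot see.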


More information about the ipv6-ops mailing list