Thoughts about ipv6 white listing

Doug Barton dougb at dougbarton.us
Sat Dec 4 19:42:44 CET 2010


On 12/04/2010 09:51, Richard Hartmann wrote:
> On Sat, Dec 4, 2010 at 11:55, George Bonser <gbonser at seven.com> wrote:
>
>> Yes, it does by design because I cannot be sure of the state of the
>> client behind that recursive server.  Just because it asked the server
>> for an AAAA record doesn't mean it can reach me by v6 even if it has v6.
>> Note the difference in v6 routing tables between he and cogentco
>
> You are basically trying to guess how the end user's system is working
> & connected. You are free to disagree, but this is, imo, broken by
> design.
>
> The massive birthing pain of a truly IPv6-enabled world will not be
> lessened by adding more magic outside of the end user's control.

To some extent I agree here, but in this case the only harm is the case 
where a client without IPv6 is behind an IPv6 resolver, which should be 
a very small percentage, and handled by the OS.

>> Yes.  And I suspect those cases will be *extremely* few and need to
>> break.
>
> I think all of the cases of non-working IPv6 need to break.

And this attitude is completely unrealistic. From the presentation at 
http://www.ietf.org/proceedings/77/slides/dnsop-7.pdf

Today, enabling AAAA on the production hostnames would adversely impact 
IPv4 reachability
– 0.078% of users drop off the grid
• Assuming a user base of 600M, that's 470K users that you broke!

A content provider is not going to knock 470,000 users off line, that 
just isn't going to happen.


George, I think your approach is fine _as a starting point_, and have 
recommended it in the past. IMO the main utility of this approach is to 
make sure that _your_ IPv6 connectivity is working properly without the 
added debugging complexity of dealing with broken end users.

One could make the argument that this model of gradually rolling it out 
and debugging one element at a time would have benefit to the larger 
network as well.


Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/


