Thoughts about ipv6 white listing
Leen Besselink
leen at consolejunkie.net
Sat Dec 4 20:00:26 CET 2010
On 12/04/2010 07:42 PM, Doug Barton wrote:
> On 12/04/2010 09:51, Richard Hartmann wrote:
>> On Sat, Dec 4, 2010 at 11:55, George Bonser<gbonser at seven.com> wrote:
>>
>>> Yes, it does by design because I cannot be sure of the state of the
>>> client behind that recursive server. Just because it asked the server
>>> for an AAAA record doesn't mean it can reach me by v6 even if it has
>>> v6.
>>> Note the difference in v6 routing tables between he and cogentco
>>
>> You are basically trying to guess how the end user's system is working
>> & connected. You are free to disagree, but this is, imo, broken by
>> design.
>>
>> The massive birthing pain of a truly IPv6-enabled world will not be
>> lessened by adding more magic outside of the end user's control.
>
> To some extent I agree here, but in this case the only harm is the
> case where a client without IPv6 is behind an IPv6 resolver, which
> should be a very small percentage, and handled by the OS.
>
>>> Yes. And I suspect those cases will be *extremely* few and need to
>>> break.
>>
>> I think all of the cases of non-working IPv6 need to break.
>
> And this attitude is completely unrealistic. From the presentation at
> http://www.ietf.org/proceedings/77/slides/dnsop-7.pdf
>
> Today, enabling AAAA on the production hostnames would adversely
> impact IPv4 reachability
> – 0.078% of users drop off the grid
> • Assuming a user base of 600M, that's 470K users that you broke!
>
> A content provider is not going to knock 470,000 users off line, that
> just isn't going to happen.
>
It looks like a lot of those broken 6to4 Mac OS X users are getting
fixed pretty fast at the moment:
http://www.fud.no/ipv6/gnuplot/osxversions.png
But how about we 'break content' for just one day for those users and
announce it to the world beforehand?
That seems to be the idea from Google/ISOC:
http://ripe61.ripe.net/presentations/223-World_IPv6_day.pdf
>
> George, I think your approach is fine _as a starting point_, and have
> recommended it in the past. IMO the main utility of this approach is
> to make sure that _your_ IPv6 connectivity is working properly without
> the added debugging complexity of dealing with broken end users.
>
> One could make the argument that this model of gradually rolling it
> out and debugging one element at a time would have benefit to the
> larger network as well.
>
>
> Doug
>