From marcoh at marcoh.net  Mon Feb  1 11:21:53 2010
From: marcoh at marcoh.net (Marco Hogewoning)
Date: Mon, 1 Feb 2010 11:21:53 +0100
Subject: Safari on IPv6 ?
Message-ID: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>

Morning Folks,

This should be easy, however I can't seem to find the answer online as most articles are about turning off IPv6 instead of one. I noticed Apple's Safari 4.04 defaults to IPv4 instead of IPv6 when both A and AAAA are present. Now you can discuss wether this is a safe default or not, I would really like to know where the little button is to switch this behavior to AAAA first, which I recall used to be the case on earlier editions.

Thanks,

MarcoH
(oh and please forget about browser wars, I know how to download Firefox)

From jeroen at unfix.org  Mon Feb  1 11:37:36 2010
From: jeroen at unfix.org (Jeroen Massar)
Date: Mon, 01 Feb 2010 11:37:36 +0100
Subject: Safari on IPv6 ?
In-Reply-To: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
Message-ID: <4B66AEF0.8000300@spaghetti.zurich.ibm.com>

Marco Hogewoning wrote:
> Morning Folks,
> 
> This should be easy, however I can't seem to find the answer online
> as most articles are about turning off IPv6 instead of one.
> I noticed Apple's Safari 4.04 defaults to IPv4 instead of IPv6 when
> both A and AAAA are present. Now you can discuss wether this is a safe

It is ridiculous that that is a decision per-app instead of global.

> default or not, I would really like to know where the little button is
> to switch this behavior to AAAA first, which I recall used to be the case
> on earlier editions.

http://www.macosxhints.com/article.php?story=20090701234543632

aka:
# defaults write com.apple.Safari IncludeInternalDebugMenu 1

and apparently there somewhere you can change it around...

see http://www.macosxhints.com/article.php?story=20040112104026573 for
more stories.....

I don't have an true idea though as I don't use safari, but I hope the
above helps you out

> MarcoH
> (oh and please forget about browser wars, I know how to download Firefox)

But, but, did you think about Internet Explorer, Opera, Chrome and all
the others out there? *nudge* :)

Greets,
 Jeroen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: OpenPGP digital signature
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20100201/389b4700/attachment.bin 

From berni at birkenwald.de  Mon Feb  1 11:44:18 2010
From: berni at birkenwald.de (Bernhard Schmidt)
Date: Mon, 1 Feb 2010 11:44:18 +0100
Subject: Safari on IPv6 ?
In-Reply-To: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
Message-ID: <20100201104418.GA2064@schleppi.birkenwald.de>

On Mon, Feb 01, 2010 at 11:21:53AM +0100, Marco Hogewoning wrote:

Note: this is only hearsay, some colleagues have this issue.

> This should be easy, however I can't seem to find the answer online as
> most articles are about turning off IPv6 instead of one. I noticed
> Apple's Safari 4.04 defaults to IPv4 instead of IPv6 when both A and
> AAAA are present. Now you can discuss wether this is a safe default or
> not, I would really like to know where the little button is to switch
> this behavior to AAAA first, which I recall used to be the case on
> earlier editions.

We have seen a similar behaviour with most applications after upgrading
to MacOS X 10.6. It seems that the mdns-responder (?) of the system
which is responsible for all DNS lookups is broken. It sends out both A
and AAAA queries at the same time, but only seems to accept the first
(successful?) response it gets.  I've even heard that some people see
the second UDP response from the cache is rejected with "Port
unreachable".

The effect is not a preference of IPv4, but no preference at all.
Extremely hard to debug.

Bugs have been filed with Apple several times, I can ask for the
bug-ids.

Best Regards,
Bernhard

From marcoh at marcoh.net  Mon Feb  1 11:50:22 2010
From: marcoh at marcoh.net (Marco Hogewoning)
Date: Mon, 1 Feb 2010 11:50:22 +0100
Subject: Safari on IPv6 ?
In-Reply-To: <20100201104418.GA2064@schleppi.birkenwald.de>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
	<20100201104418.GA2064@schleppi.birkenwald.de>
Message-ID: <2FC3E83B-BC50-4558-8CEF-58B107D53CBC@marcoh.net>


On 1 feb 2010, at 11:44, Bernhard Schmidt wrote:

> On Mon, Feb 01, 2010 at 11:21:53AM +0100, Marco Hogewoning wrote:
> 
> Note: this is only hearsay, some colleagues have this issue.
> 
>> This should be easy, however I can't seem to find the answer online as
>> most articles are about turning off IPv6 instead of one. I noticed
>> Apple's Safari 4.04 defaults to IPv4 instead of IPv6 when both A and
>> AAAA are present. Now you can discuss wether this is a safe default or
>> not, I would really like to know where the little button is to switch
>> this behavior to AAAA first, which I recall used to be the case on
>> earlier editions.
> 
> We have seen a similar behaviour with most applications after upgrading
> to MacOS X 10.6. It seems that the mdns-responder (?) of the system
> which is responsible for all DNS lookups is broken. It sends out both A
> and AAAA queries at the same time, but only seems to accept the first
> (successful?) response it gets.  I've even heard that some people see
> the second UDP response from the cache is rejected with "Port
> unreachable".

I can confirm it is either 10.6 or safari 4...not that I dig through traffic logs every day, just happen to notice it.

> The effect is not a preference of IPv4, but no preference at all.
> Extremely hard to debug.

ssh seems to do the right thing, my ssh sessions are on 6 even tough the machine is listed with both AAAA and A but I might just got lucky on that one.

> Bugs have been filed with Apple several times, I can ask for the
> bug-ids.


I'll try and kick them around a bit as well. In the meantime, Matthias suggestion seems to help, but again that might just be a lucky hit.

MarcoH


From andy at nosignal.org  Mon Feb  1 12:05:30 2010
From: andy at nosignal.org (Andy Davidson)
Date: Mon, 01 Feb 2010 11:05:30 +0000
Subject: Safari on IPv6 ?
In-Reply-To: <2FC3E83B-BC50-4558-8CEF-58B107D53CBC@marcoh.net>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>	<20100201104418.GA2064@schleppi.birkenwald.de>
	<2FC3E83B-BC50-4558-8CEF-58B107D53CBC@marcoh.net>
Message-ID: <4B66B57A.2060303@nosignal.org>

On 01/02/2010 10:50, Marco Hogewoning wrote:
>> We have seen a similar behaviour with most applications after upgrading
>> to MacOS X 10.6. It seems that the mdns-responder (?) of the system
>> which is responsible for all DNS lookups is broken. It sends out both A
>> and AAAA queries at the same time, but only seems to accept the first
>> (successful?) response it gets.
[...]
> I can confirm it is either 10.6 or safari 4...not that I dig through traffic logs every day, just happen to notice it.
[...]
> ssh seems to do the right thing, my ssh sessions are on 6 even tough the machine is listed with both AAAA and A but I might just got lucky on that one.

Oh no, this explains a change in behaviour that I have seen with xchat,
which seems to connect to a v6 or v4 host at almost random.  That's
really bad. :-(

Andy

From nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org  Mon Feb  1 13:45:16 2010
From: nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org (Mark Smith)
Date: Mon, 1 Feb 2010 23:15:16 +1030
Subject: Safari on IPv6 ?
In-Reply-To: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
Message-ID: <20100201231516.26bc585c@opy.nosense.org>

On Mon, 1 Feb 2010 11:21:53 +0100
Marco Hogewoning <marcoh at marcoh.net> wrote:

> Morning Folks,
> 
> This should be easy, however I can't seem to find the answer online as most articles are about turning off IPv6 instead of one. I noticed Apple's Safari 4.04 defaults to IPv4 instead of IPv6 when both A and AAAA are present. Now you can discuss wether this is a safe default or not, I would really like to know where the little button is to switch this behavior to AAAA first, which I recall used to be the case on earlier editions.
> 

Are you using a 6to4/6in4 etc. tunnel?

It might be that they've implemented RFC3484, "Default Address
Selection for Internet Protocol version 6 (IPv6)", which by default
prefers native IPv4 over tunnelled IPv6. Broadly that makes sense, as
native connectivity is more likely to perform better and be more
reliable, however, when you want to use IPv6 when ever
it is available, regardless of native IPv4 status, you need to change
source and destination preferences.

One way to test if this is happening is if you're able to successfully
go to an IPv6 only website e.g. ipv6.google.com, but connect via native
IPv4 on websites providing both A and AAAAs, like www.kame.net. That
was my symptoms with Firefox.

I don't know how to change OSX, but under Linux you can change the
behaviour by creating a file called /etc/gai.conf, with contents
similar to the following (MRS lines are my additions from the
default, as shown in http://linux.die.net/man/5/gai.conf). This fixed
Firefox for me.

--
# Used for selecting source addresses
#
# label <prefix> <label>
#
label  ::1/128       0
label  ::/0          1
label  2002::/16     2

label  2000::/3      2 # MRS

label ::/96          3
label ::ffff:0:0/96  4

label fc00::/7       5 # ULA - MRS



# Used for sorting destination addresses
#
# precedence <prefix> <precedence>
#
precendence  ::1/128       50
precendence  ::/0          40

precendence  fc00::/7      35 # ULA - MRS

precendence  2000::/3      30 # MRS

precendence  2002::/16     30
precendence ::/96          20
precendence ::ffff:0:0/96  10
--

I'm not quite sure I completely understand how these policy tables
work, however I'm now using IPv6 over my 6to4 tunnel when ever a
website announces both AAAAs and As, so I must have got things mostly
right.

HTH,
Mark.


From marcoh at marcoh.net  Mon Feb  1 13:46:31 2010
From: marcoh at marcoh.net (Marco Hogewoning)
Date: Mon, 1 Feb 2010 13:46:31 +0100
Subject: Safari on IPv6 ?
In-Reply-To: <20100201231516.26bc585c@opy.nosense.org>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
	<20100201231516.26bc585c@opy.nosense.org>
Message-ID: <CB7B5BAC-D581-48AE-BCC9-032E3AB24ABE@marcoh.net>


On 1 feb 2010, at 13:45, Mark Smith wrote:

> On Mon, 1 Feb 2010 11:21:53 +0100
> Marco Hogewoning <marcoh at marcoh.net> wrote:
> 
>> Morning Folks,
>> 
>> This should be easy, however I can't seem to find the answer online as most articles are about turning off IPv6 instead of one. I noticed Apple's Safari 4.04 defaults to IPv4 instead of IPv6 when both A and AAAA are present. Now you can discuss wether this is a safe default or not, I would really like to know where the little button is to switch this behavior to AAAA first, which I recall used to be the case on earlier editions.
>> 
> 
> Are you using a 6to4/6in4 etc. tunnel?

Nope, native all the way

MarcoH


From bohara at ripe.net  Mon Feb  1 13:54:10 2010
From: bohara at ripe.net (Ben O'Hara)
Date: Mon, 1 Feb 2010 13:54:10 +0100
Subject: Safari on IPv6 ?
In-Reply-To: <CB7B5BAC-D581-48AE-BCC9-032E3AB24ABE@marcoh.net>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
	<20100201231516.26bc585c@opy.nosense.org>
	<CB7B5BAC-D581-48AE-BCC9-032E3AB24ABE@marcoh.net>
Message-ID: <D71FB052-A375-4B63-8E43-44BFAA4A6DD2@ripe.net>


On 1 Feb 2010, at 13:46, Marco Hogewoning wrote:

> 
> On 1 feb 2010, at 13:45, Mark Smith wrote:
> 
>> On Mon, 1 Feb 2010 11:21:53 +0100
>> Marco Hogewoning <marcoh at marcoh.net> wrote:
>> 
>>> Morning Folks,
>>> 
>>> This should be easy, however I can't seem to find the answer online as most articles are about turning off IPv6 instead of one. I noticed Apple's Safari 4.04 defaults to IPv4 instead of IPv6 when both A and AAAA are present. Now you can discuss wether this is a safe default or not, I would really like to know where the little button is to switch this behavior to AAAA first, which I recall used to be the case on earlier editions.
>>> 
>> 
>> Are you using a 6to4/6in4 etc. tunnel?
> 
> Nope, native all the way
> 
> MarcoH
> 

Just tried Safari 4 on OSX 10.6 here and see

www.ripe.net - goes over IPv6
www.ipv6actnow.org - goes over IPv6
www.sixxs.net - goes over IPv4
www.kame.net - goes over IPv6

only difference I can see is that those that work only have one A and AAAA record, sixxs.net has multiple A and AAAA records..related?

Ben

-- 
Ben O'Hara                        RIPE Network Coordination Center
Systems Engineer                         Singel 258, Amsterdam, NL
http://www.ripe.net                                +31 20 535 4444
PGP Fingerprint: 080A 52FF BF0A A7FB F176 E7DB 513D 9A3D E968 7DBC








From tjc at ecs.soton.ac.uk  Mon Feb  1 14:01:36 2010
From: tjc at ecs.soton.ac.uk (Tim Chown)
Date: Mon, 1 Feb 2010 13:01:36 +0000
Subject: Safari on IPv6 ?
In-Reply-To: <20100201231516.26bc585c@opy.nosense.org>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
	<20100201231516.26bc585c@opy.nosense.org>
	<20100201130136.GL1843@login.ecs.soton.ac.uk>
Message-ID: <EMEW3|45c8b8cda0194d2cd58df8322c7606fbm10D1d03tjc|login.ecs.soton.ac.uk|20100201130136.GL1843@login.ecs.soton.ac.uk>

On Mon, Feb 01, 2010 at 11:15:16PM +1030, Mark Smith wrote:
> 
> It might be that they've implemented RFC3484, "Default Address
> Selection for Internet Protocol version 6 (IPv6)", which by default
> prefers native IPv4 over tunnelled IPv6. Broadly that makes sense, as
> native connectivity is more likely to perform better and be more
> reliable, however, when you want to use IPv6 when ever
> it is available, regardless of native IPv4 status, you need to change
> source and destination preferences.

As far as I'm aware, there's no 3484 support on OSX.

-- 
Tim

From dkluge at acm.org  Mon Feb  1 14:12:40 2010
From: dkluge at acm.org (Daniel G. Kluge)
Date: Mon, 1 Feb 2010 14:12:40 +0100
Subject: Safari on IPv6 ?
In-Reply-To: <20100201104418.GA2064@schleppi.birkenwald.de>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
	<20100201104418.GA2064@schleppi.birkenwald.de>
Message-ID: <674DBBBE-1C7E-4663-8258-CCD4548DEB1E@acm.org>


Am 01.02.2010 um 11:44 schrieb Bernhard Schmidt:

> On Mon, Feb 01, 2010 at 11:21:53AM +0100, Marco Hogewoning wrote:
> 
> Note: this is only hearsay, some colleagues have this issue.
> 
>> This should be easy, however I can't seem to find the answer online as
>> most articles are about turning off IPv6 instead of one. I noticed
>> Apple's Safari 4.04 defaults to IPv4 instead of IPv6 when both A and
>> AAAA are present. Now you can discuss wether this is a safe default or
>> not, I would really like to know where the little button is to switch
>> this behavior to AAAA first, which I recall used to be the case on
>> earlier editions.
> 
> We have seen a similar behaviour with most applications after upgrading
> to MacOS X 10.6. It seems that the mdns-responder (?) of the system
> which is responsible for all DNS lookups is broken. It sends out both A
> and AAAA queries at the same time, but only seems to accept the first
> (successful?) response it gets.  I've even heard that some people see
> the second UDP response from the cache is rejected with "Port
> unreachable".
> 

That would have been me. 

http://lists.apple.com/archives/Ipv6-dev/2009/Nov/msg00012.html


> The effect is not a preference of IPv4, but no preference at all.
> Extremely hard to debug.
> 

And annoying as hell...

> Bugs have been filed with Apple several times, I can ask for the
> bug-ids.
> 

See the Thread on this on http://lists.apple.com/archives/Ipv6-dev/2009/Oct/msg00057.html

Radar Reports I know of on this are 7333104 & 7416248

For other IPv6 fun on MacOSX check out  http://openradar.appspot.com/search?query=IPv6

Cheers,
-daniel



From ron at spawar.navy.mil  Mon Feb  1 14:22:31 2010
From: ron at spawar.navy.mil (Ron Broersma)
Date: Mon, 1 Feb 2010 06:22:31 -0700
Subject: Safari on IPv6 ?
In-Reply-To: <2FC3E83B-BC50-4558-8CEF-58B107D53CBC@marcoh.net>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
	<20100201104418.GA2064@schleppi.birkenwald.de>
	<2FC3E83B-BC50-4558-8CEF-58B107D53CBC@marcoh.net>
Message-ID: <5AEC92F2-9B29-4428-B2AA-9B0E862C3556@spawar.navy.mil>

Marco,

The confusing behavior you're seeing in OSX 10.6 is most likely the mDNSResponder issue reported earlier by Bernhard.  Apple switched to mDNSResponder for unicast DNS resolution in 10.6, but that broke IPv6 address selection because mDNSResponder takes whatever is the first response (A or AAAA) and drops (rejects) all other answers.  So, depending on how you ask, and depending on what address comes back first, there is no way for the rest of the system or applications to see all the responses and make appropriate address choices.  This seriously impacts IPv6 interactions, because it no longer deterministically prefers AAAA over A, but rather uses only the response that arrives first.

A detailed bug report (#733104) was filed last October.

As always, multiple bug reports to Apple will get their attention.

--Ron

On Feb 1, 2010, at 3:50 AM, Marco Hogewoning wrote:

> 
> On 1 feb 2010, at 11:44, Bernhard Schmidt wrote:
> 
>> On Mon, Feb 01, 2010 at 11:21:53AM +0100, Marco Hogewoning wrote:
>> 
>> Note: this is only hearsay, some colleagues have this issue.
>> 
>>> This should be easy, however I can't seem to find the answer online as
>>> most articles are about turning off IPv6 instead of one. I noticed
>>> Apple's Safari 4.04 defaults to IPv4 instead of IPv6 when both A and
>>> AAAA are present. Now you can discuss wether this is a safe default or
>>> not, I would really like to know where the little button is to switch
>>> this behavior to AAAA first, which I recall used to be the case on
>>> earlier editions.
>> 
>> We have seen a similar behaviour with most applications after upgrading
>> to MacOS X 10.6. It seems that the mdns-responder (?) of the system
>> which is responsible for all DNS lookups is broken. It sends out both A
>> and AAAA queries at the same time, but only seems to accept the first
>> (successful?) response it gets.  I've even heard that some people see
>> the second UDP response from the cache is rejected with "Port
>> unreachable".
> 
> I can confirm it is either 10.6 or safari 4...not that I dig through traffic logs every day, just happen to notice it.
> 
>> The effect is not a preference of IPv4, but no preference at all.
>> Extremely hard to debug.
> 
> ssh seems to do the right thing, my ssh sessions are on 6 even tough the machine is listed with both AAAA and A but I might just got lucky on that one.
> 
>> Bugs have been filed with Apple several times, I can ask for the
>> bug-ids.
> 
> 
> I'll try and kick them around a bit as well. In the meantime, Matthias suggestion seems to help, but again that might just be a lucky hit.
> 
> MarcoH
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4936 bytes
Desc: not available
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20100201/25ce0d1e/attachment-0001.bin 

From tony at lava.net  Mon Feb  1 15:13:54 2010
From: tony at lava.net (Antonio Querubin)
Date: Mon, 1 Feb 2010 04:13:54 -1000 (HST)
Subject: Safari on IPv6 ?
In-Reply-To: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
Message-ID: <alpine.OSX.2.00.1002010411330.325@cust11794.lava.net>

On Mon, 1 Feb 2010, Marco Hogewoning wrote:

> most articles are about turning off IPv6 instead of one. I noticed 
> Apple's Safari 4.04 defaults to IPv4 instead of IPv6 when both A and 
> AAAA are present. Now you can discuss wether this is a safe default or

Are you sure?  Mine (version 4.04) uses IPv6.

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp:  tony at lava.net

From Sam.Wilson at ed.ac.uk  Mon Feb  1 15:32:07 2010
From: Sam.Wilson at ed.ac.uk (Sam Wilson)
Date: Mon, 1 Feb 2010 14:32:07 +0000
Subject: Safari on IPv6 ?
In-Reply-To: <5AEC92F2-9B29-4428-B2AA-9B0E862C3556@spawar.navy.mil>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
	<20100201104418.GA2064@schleppi.birkenwald.de>
	<2FC3E83B-BC50-4558-8CEF-58B107D53CBC@marcoh.net>
	<5AEC92F2-9B29-4428-B2AA-9B0E862C3556@spawar.navy.mil>
Message-ID: <A0FDBE08-0039-4F2E-AE23-901CFBCBD54C@ed.ac.uk>


On 1 Feb 2010, at 13:22, Ron Broersma wrote:

> The confusing behavior you're seeing in OSX 10.6 is most likely the  
> mDNSResponder issue reported earlier by Bernhard.  Apple switched  
> to mDNSResponder for unicast DNS resolution in 10.6, but that broke  
> IPv6 address selection because mDNSResponder takes whatever is the  
> first response (A or AAAA) and drops (rejects) all other answers.   
> So, depending on how you ask, and depending on what address comes  
> back first, there is no way for the rest of the system or  
> applications to see all the responses and make appropriate address  
> choices.  This seriously impacts IPv6 interactions, because it no  
> longer deterministically prefers AAAA over A, but rather uses only  
> the response that arrives first.

Can you describe situations where you should expect multiple answers  
to have different information?  I don't think I understand what  
mDNSResponder is doing because in normal DNS, modulo times when  
information is changing, all answers should have the same data.

Sam Wilson
Network Team, IT Infrastructure
Information Services, The University of Edinburgh
Edinburgh, Scotland, UK


-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


From gert at space.net  Mon Feb  1 15:40:55 2010
From: gert at space.net (Gert Doering)
Date: Mon, 1 Feb 2010 15:40:55 +0100
Subject: Safari on IPv6 ?
In-Reply-To: <A0FDBE08-0039-4F2E-AE23-901CFBCBD54C@ed.ac.uk>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
	<20100201104418.GA2064@schleppi.birkenwald.de>
	<2FC3E83B-BC50-4558-8CEF-58B107D53CBC@marcoh.net>
	<5AEC92F2-9B29-4428-B2AA-9B0E862C3556@spawar.navy.mil>
	<A0FDBE08-0039-4F2E-AE23-901CFBCBD54C@ed.ac.uk>
Message-ID: <20100201144055.GM3692@Space.Net>

Hi,

On Mon, Feb 01, 2010 at 02:32:07PM +0000, Sam Wilson wrote:
> Can you describe situations where you should expect multiple answers  
> to have different information?  I don't think I understand what  
> mDNSResponder is doing because in normal DNS, modulo times when  
> information is changing, all answers should have the same data.

Since you can't query DNS for "give me A+AAAA", the application query
"give me whatever address you have!" will result in two DNS queries, one
for A records and one for AAAA records.  Two queries, two packets, two
responses (possibly with 0 answer records in them, if no A or AAAA record
is available).

Querying for "ANY" doesn't work.

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  144438

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

From Sam.Wilson at ed.ac.uk  Mon Feb  1 16:25:22 2010
From: Sam.Wilson at ed.ac.uk (Sam Wilson)
Date: Mon, 1 Feb 2010 15:25:22 +0000
Subject: Safari on IPv6 ?
In-Reply-To: <20100201144055.GM3692@Space.Net>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
	<20100201104418.GA2064@schleppi.birkenwald.de>
	<2FC3E83B-BC50-4558-8CEF-58B107D53CBC@marcoh.net>
	<5AEC92F2-9B29-4428-B2AA-9B0E862C3556@spawar.navy.mil>
	<A0FDBE08-0039-4F2E-AE23-901CFBCBD54C@ed.ac.uk>
	<20100201144055.GM3692@Space.Net>
Message-ID: <F20E4632-D922-4ECD-8EC7-D789BC2A2798@ed.ac.uk>


On 1 Feb 2010, at 14:40, Gert Doering wrote:

> Hi,
>
> On Mon, Feb 01, 2010 at 02:32:07PM +0000, Sam Wilson wrote:
>> Can you describe situations where you should expect multiple answers
>> to have different information?  I don't think I understand what
>> mDNSResponder is doing because in normal DNS, modulo times when
>> information is changing, all answers should have the same data.
>
> Since you can't query DNS for "give me A+AAAA", the application query
> "give me whatever address you have!" will result in two DNS  
> queries, one
> for A records and one for AAAA records.  Two queries, two packets, two
> responses (possibly with 0 answer records in them, if no A or AAAA  
> record
> is available).

So using 'getaddrinfo' or some related call makes a single request to  
mDNSResponder rather than making the app issue two requests itself?   
If the app made two separate requests to a daemon then the daemon  
would give two separate answers back.  Right?

> Querying for "ANY" doesn't work.

I was aware of that.

Thanks,

Sam Wilson
Network Team, IT Infrastructure
Information Services, The University of Edinburgh
Edinburgh, Scotland, UK


-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


From ron at spawar.navy.mil  Mon Feb  1 17:03:00 2010
From: ron at spawar.navy.mil (Ron Broersma)
Date: Mon, 1 Feb 2010 09:03:00 -0700
Subject: Safari on IPv6 ?
In-Reply-To: <F20E4632-D922-4ECD-8EC7-D789BC2A2798@ed.ac.uk>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
	<20100201104418.GA2064@schleppi.birkenwald.de>
	<2FC3E83B-BC50-4558-8CEF-58B107D53CBC@marcoh.net>
	<5AEC92F2-9B29-4428-B2AA-9B0E862C3556@spawar.navy.mil>
	<A0FDBE08-0039-4F2E-AE23-901CFBCBD54C@ed.ac.uk>
	<20100201144055.GM3692@Space.Net>
	<F20E4632-D922-4ECD-8EC7-D789BC2A2798@ed.ac.uk>
Message-ID: <BD5DAC13-1F94-47FB-BE4F-BCF96BA89C2E@spawar.navy.mil>

Yes. If the app makes separate queries, it will get separate answers.  If you let mDNSResponder do the separate queries, it takes the first answer and rejects the rest.   You can see it in the following tcpdump (lookup of www.kame.net)...

21:01:40.583892 192.168.1.2.62499 > 192.168.1.1.domain: 20561+ A? www.kame.net. (30)
21:01:40.594347 192.168.1.2.55014 > 192.168.1.1.domain: 24513+ AAAA? www.kame.net. (30)
21:01:40.739626 192.168.1.1.domain > 192.168.1.2.62499: 20561 1/0/0 www.kame.net. A 203.178.141.194 (46)
21:01:40.904784 192.168.1.1.domain > 192.168.1.2.55014: 24513 1/0/0 www.kame.net. AAAA 2001:200::8002:203:47ff:fea5:3085 (58)
21:01:40.904812 192.168.1.2 > 192.168.1.1: ICMP 192.168.1.2 udp port 55014 unreachable, length 36
    192.168.1.1.domain > 192.168.1.2.55014: [|domain]

Since the "A" resource record arrived first, it wins and the AAAA response is dropped because mDNSResponder isn't even listening for other responses at that point.

Debug output from mDNSResponder shows how it just shuts down down after processing the first response...

Oct 23 21:01:40 neko mDNSResponder[17]:  43: Error socket 40 created 00000000 00000233
Oct 23 21:01:40 neko mDNSResponder[17]:  43: DNSServiceQueryRecord(www.kame.net., Addr, 5000) START
Oct 23 21:01:40 neko mDNSResponder[17]:  43: Error socket 40 closed  00000000 00000233 (0)
Oct 23 21:01:40 neko mDNSResponder[17]:  43: Error socket 40 created 00000000 00000234
Oct 23 21:01:40 neko mDNSResponder[17]:  43: DNSServiceQueryRecord(www.kame.net., AAAA, 5000) START
Oct 23 21:01:40 neko mDNSResponder[17]:  43: Error socket 40 closed  00000000 00000234 (0)
Oct 23 21:01:40 neko mDNSResponder[17]: -- Sent UDP DNS Query (flags 0100) RCODE: NoErr (0) RD ID: 20561 18 bytes from port 62499 to 192.168.1.1:53 --
Oct 23 21:01:40 neko mDNSResponder[17]:  1 Questions
Oct 23 21:01:40 neko mDNSResponder[17]:  0 www.kame.net. Addr
Oct 23 21:01:40 neko mDNSResponder[17]:  0 Answers
Oct 23 21:01:40 neko mDNSResponder[17]:  0 Authorities
Oct 23 21:01:40 neko mDNSResponder[17]:  0 Additionals
Oct 23 21:01:40 neko mDNSResponder[17]: --------------
Oct 23 21:01:40 neko mDNSResponder[17]: -- Sent UDP DNS Query (flags 0100) RCODE: NoErr (0) RD ID: 24513 18 bytes from port 55014 to 192.168.1.1:53 --
Oct 23 21:01:40 neko mDNSResponder[17]:  1 Questions
Oct 23 21:01:40 neko mDNSResponder[17]:  0 www.kame.net. AAAA
Oct 23 21:01:40 neko mDNSResponder[17]:  0 Answers
Oct 23 21:01:40 neko mDNSResponder[17]:  0 Authorities
Oct 23 21:01:40 neko mDNSResponder[17]:  0 Additionals
Oct 23 21:01:40 neko mDNSResponder[17]: --------------
Oct 23 21:01:40 neko mDNSResponder[17]: -- Received UDP DNS Response (flags 8180) RCODE: NoErr (0) RD RA ID: 20561 34 bytes from 192.168.1.1:53 to 192.168.1.2:62499 --
Oct 23 21:01:40 neko mDNSResponder[17]:  1 Questions
Oct 23 21:01:40 neko mDNSResponder[17]:  0 www.kame.net. Addr
Oct 23 21:01:40 neko mDNSResponder[17]:  1 Answers
Oct 23 21:01:40 neko mDNSResponder[17]:  0 TTL    900    4 www.kame.net. Addr 203.178.141.194
Oct 23 21:01:40 neko mDNSResponder[17]:  0 Authorities
Oct 23 21:01:40 neko mDNSResponder[17]:  0 Additionals
Oct 23 21:01:40 neko mDNSResponder[17]: --------------
Oct 23 21:01:40 neko mDNSResponder[17]:  43: DNSServiceQueryRecord(www.kame.net., Addr) ADD    4 www.kame.net. Addr 203.178.141.194
Oct 23 21:01:40 neko mDNSResponder[17]:  43: Cancel 00000000 00000233
Oct 23 21:01:40 neko mDNSResponder[17]:  43: DNSServiceQueryRecord(www.kame.net., Addr) STOP
Oct 23 21:01:40 neko mDNSResponder[17]:  43: Cancel 00000000 00000234
Oct 23 21:01:40 neko mDNSResponder[17]:  43: DNSServiceQueryRecord(www.kame.net., AAAA) STOP

--Ron

On Feb 1, 2010, at 8:25 AM, Sam Wilson wrote:

> 
> On 1 Feb 2010, at 14:40, Gert Doering wrote:
> 
>> Hi,
>> 
>> On Mon, Feb 01, 2010 at 02:32:07PM +0000, Sam Wilson wrote:
>>> Can you describe situations where you should expect multiple answers
>>> to have different information?  I don't think I understand what
>>> mDNSResponder is doing because in normal DNS, modulo times when
>>> information is changing, all answers should have the same data.
>> 
>> Since you can't query DNS for "give me A+AAAA", the application query
>> "give me whatever address you have!" will result in two DNS queries, one
>> for A records and one for AAAA records.  Two queries, two packets, two
>> responses (possibly with 0 answer records in them, if no A or AAAA record
>> is available).
> 
> So using 'getaddrinfo' or some related call makes a single request to mDNSResponder rather than making the app issue two requests itself?  If the app made two separate requests to a daemon then the daemon would give two separate answers back.  Right?
> 
>> Querying for "ANY" doesn't work.
> 
> I was aware of that.
> 
> Thanks,
> 
> Sam Wilson
> Network Team, IT Infrastructure
> Information Services, The University of Edinburgh
> Edinburgh, Scotland, UK
> 
> 
> -- 
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4936 bytes
Desc: not available
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20100201/89b084b5/attachment.bin 

From Sam.Wilson at ed.ac.uk  Mon Feb  1 17:25:57 2010
From: Sam.Wilson at ed.ac.uk (Sam Wilson)
Date: Mon, 1 Feb 2010 16:25:57 +0000
Subject: Safari on IPv6 ?
In-Reply-To: <BD5DAC13-1F94-47FB-BE4F-BCF96BA89C2E@spawar.navy.mil>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
	<20100201104418.GA2064@schleppi.birkenwald.de>
	<2FC3E83B-BC50-4558-8CEF-58B107D53CBC@marcoh.net>
	<5AEC92F2-9B29-4428-B2AA-9B0E862C3556@spawar.navy.mil>
	<A0FDBE08-0039-4F2E-AE23-901CFBCBD54C@ed.ac.uk>
	<20100201144055.GM3692@Space.Net>
	<F20E4632-D922-4ECD-8EC7-D789BC2A2798@ed.ac.uk>
	<BD5DAC13-1F94-47FB-BE4F-BCF96BA89C2E@spawar.navy.mil>
Message-ID: <E3C93F34-AE32-4D13-B623-2277756D7F5A@ed.ac.uk>


On 1 Feb 2010, at 16:03, Ron Broersma wrote:

> Yes. If the app makes separate queries, it will get separate  
> answers.  If you let mDNSResponder do the separate queries, it  
> takes the first answer and rejects the rest.   You can see it in  
> the following tcpdump (lookup of www.kame.net)...
> [conclusive-looking evidence deleted]


Thanks - I hadn't realised that anyone would integrate getaddrinfo  
(or whatever) with a daemon like mDNSResponder in that sort of way.   
(I'm a DNS administrator rather than a network programmer.)


Sam Wilson
Network Team, IT Infrastructure
Information Services, The University of Edinburgh
Edinburgh, Scotland, UK


-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


From wolfgang.tremmel at de-cix.net  Mon Feb  1 13:47:33 2010
From: wolfgang.tremmel at de-cix.net (Wolfgang Tremmel)
Date: Mon, 01 Feb 2010 13:47:33 +0100
Subject: Safari on IPv6 ?
In-Reply-To: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
Message-ID: <4B66CD65.1010608@de-cix.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

MAC OS 10.5.8, Safari 4.0.4

When going to www.ripe.net it always connects using IPv6.

best regards,
Wolfgang


- -- 
Wolfgang Tremmel                     e-mail: wolfgang.tremmel at de-cix.net
DE-CIX Management GmbH               Phone: +49 69 1730 902-26
Lindleystr. 12, 60314 Frankfurt      Mobile: +49 171 8600 816
Geschaeftsfuehrer Harald A. Summa    Fax: +49 69 4056 2716
Registergericht AG Koeln, HRB 51135  http://www.de-cix.net
Zentrale: Lichtstr. 43i, 50825 Koeln

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktmzWUACgkQ0fKk3jl6LK4k9QCfSwJfQBaVDIWkYKDe/UdnLsEm
JwIAnia/mcj5UaCjykqBSfo8f7OzUz+F
=VDVI
-----END PGP SIGNATURE-----

From jeroen at unfix.org  Mon Feb  1 20:41:50 2010
From: jeroen at unfix.org (Jeroen Massar)
Date: Mon, 01 Feb 2010 20:41:50 +0100
Subject: Fwd: draft-nakibly-v6ops-tunnel-loops-01
Message-ID: <4B672E7E.7080809@spaghetti.zurich.ibm.com>

See below, send your replies to that list otherwise the author won't see
them(*)...

Greets,
 Jeroen

* well, I did bcc him just in case, as people tend to not heed that advice.

Gabi, this list @ http://lists.cluenet.de/mailman/listinfo/ipv6-ops btw

-------- Original Message --------
Subject: 	draft-nakibly-v6ops-tunnel-loops-01
Date: 	Mon, 1 Feb 2010 11:25:03 -0800 (PST)
From: 	Gabi Nakibly <gnakibly at yahoo.com>
To: 	v6ops at ops.ietf.org
CC: 	Fred L Templin <Fred.L.Templin at boeing.com>



Hi all,
I would like to draw your attention to a new version of an I-D. It is
concerned with routing loop attacks on ISATAP and 6to4 that may
cause DoS. The I-D proposes some mitigation measures, which are the
result of discussions made on the list a few months ago. The draft is
co-authored with Fred Templin.

Your comments are welcome.

Gabi

http://www.ietf.org/id/draft-nakibly-v6ops-tunnel-loops-01.txt

----- Forwarded Message ----
*From:* IETF I-D Submission Tool <idsubmission at ietf.org>
*To:* gnakibly at yahoo.com
*Sent:* Mon, February 1, 2010 9:07:38 PM
*Subject:* New Version Notification for draft-nakibly-v6ops-tunnel-loops-01


A new version of I-D, draft-nakibly-v6ops-tunnel-loops-01.txt has been
successfuly submitted by Gabi Nakibly and posted to the IETF repository.

Filename:    draft-nakibly-v6ops-tunnel-loops
Revision:    01
Title:        Routing Loops using ISATAP and 6to4: Problem Statement and
Proposed Solutions
Creation_date:    2010-02-01
WG ID:        Independent Submission
Number_of_pages: 13

Abstract:
This document is concerned with security vulnerabilities in the
ISATAP and 6to4 tunnels.  These vulnerabilities allow an attacker to
take advantage of inconsistencies between a tunnel's overlay IPv6
routing state and the native IPv6 routing state.  The attacks form
routing loops which can be abused as a vehicle for traffic
amplification to facilitate DoS attacks.  We describe these security
vulnerabilities and the attacks which exploit them.  We further
recommend on solutions to remove the vulnerabilities.




The IETF Secretariat.




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: OpenPGP digital signature
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20100201/1df9944e/attachment.bin 

From frnkblk at iname.com  Tue Feb  2 06:49:33 2010
From: frnkblk at iname.com (Frank Bulk)
Date: Mon, 1 Feb 2010 23:49:33 -0600
Subject: Safari on IPv6 ?
In-Reply-To: <4B66AEF0.8000300@spaghetti.zurich.ibm.com>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
	<4B66AEF0.8000300@spaghetti.zurich.ibm.com>
Message-ID: <!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAABoS56lMiJ6Q6NZ+FwnfTDzAQAAAAA=@iname.com>

Is there a webpage/wiki that puts into a nice table which OS version/web
browser version combination support IPv6, if it needs any tweaks to do so,
and whether IPv6 is treated equally or given preference?

I'm thinking our help desk....

Frank

-----Original Message-----
From: ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de
[mailto:ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de] On Behalf Of
Jeroen Massar
Sent: Monday, February 01, 2010 4:38 AM
To: Marco Hogewoning
Cc: ipv6-ops at lists.cluenet.de
Subject: Re: Safari on IPv6 ?

Marco Hogewoning wrote:
> Morning Folks,
> 
> This should be easy, however I can't seem to find the answer online
> as most articles are about turning off IPv6 instead of one.
> I noticed Apple's Safari 4.04 defaults to IPv4 instead of IPv6 when
> both A and AAAA are present. Now you can discuss wether this is a safe

It is ridiculous that that is a decision per-app instead of global.

> default or not, I would really like to know where the little button is
> to switch this behavior to AAAA first, which I recall used to be the case
> on earlier editions.

http://www.macosxhints.com/article.php?story=20090701234543632

aka:
# defaults write com.apple.Safari IncludeInternalDebugMenu 1

and apparently there somewhere you can change it around...

see http://www.macosxhints.com/article.php?story=20040112104026573 for
more stories.....

I don't have an true idea though as I don't use safari, but I hope the
above helps you out

> MarcoH
> (oh and please forget about browser wars, I know how to download Firefox)

But, but, did you think about Internet Explorer, Opera, Chrome and all
the others out there? *nudge* :)

Greets,
 Jeroen


From steve at ibctech.ca  Tue Feb  2 08:39:53 2010
From: steve at ibctech.ca (Steve Bertrand)
Date: Tue, 02 Feb 2010 02:39:53 -0500
Subject: Safari on IPv6 ?
In-Reply-To: <!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAABoS56lMiJ6Q6NZ+FwnfTDzAQAAAAA=@iname.com>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>	<4B66AEF0.8000300@spaghetti.zurich.ibm.com>
	<!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAABoS56lMiJ6Q6NZ+FwnfTDzAQAAAAA=@iname.com>
Message-ID: <4B67D6C9.2060607@ibctech.ca>

Frank Bulk wrote:
> Is there a webpage/wiki that puts into a nice table which OS version/web
> browser version combination support IPv6, if it needs any tweaks to do so,
> and whether IPv6 is treated equally or given preference?
> 
> I'm thinking our help desk....

If you ever find such a list, I'll have it 'dummied up' (and anonymized
for distributed use), like we did for our email change across numerous
client applications. eg:

http://eagle.ca/update/mail/Outlook_Express/index.html

Steve

From tore.anderson at redpill-linpro.com  Tue Feb  2 12:44:58 2010
From: tore.anderson at redpill-linpro.com (Tore Anderson)
Date: Tue, 02 Feb 2010 12:44:58 +0100
Subject: IPv6 brokenness in Norway, (first part of) Jan 2010
Message-ID: <4B68103A.3040803@redpill-linpro.com>

Hey list,

unfortunatly the customer who has helped me out with enrolling their
readers in my IPv6 experiment rolled out new HTML templates on their
site the 12th, and forgot about the IFRAME link.  So I don't have data
worth much for the remainder of the month.  I didn't plan on sending out
the report for this month because of that, but several people asked
about it so what the heck.  There's no exciting news in the numbers, I'm
afraid.  Opera still haven't released a version with RFC 3484
compliance.  :-/

I got another customer of mine, VG Multimedia (which runs Norway's
largest web site www.vg.no), to join the experiment yesterday, so
hopefully I'll have better numbers for you next month.

BTW:  Congrats to the Google people on the YouTube v6 deployment!  :-)

Best regards,
-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
Tel: +47 21 54 41 27
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 201001.txt
Url: http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20100202/97c0dd6f/attachment.txt 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 201001-noopera.txt
Url: http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20100202/97c0dd6f/attachment-0001.txt 

From shane at time-travellers.org  Tue Feb  2 13:57:55 2010
From: shane at time-travellers.org (Shane Kerr)
Date: Tue, 02 Feb 2010 13:57:55 +0100
Subject: Safari on IPv6 ?
In-Reply-To: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
Message-ID: <4B682153.7030600@time-travellers.org>

Marco,

On 2010-02-01 11:21, Marco Hogewoning wrote:
> 
> This should be easy, however I can't seem to find the answer online as most articles are about turning off IPv6 instead of one. I noticed Apple's Safari 4.04 defaults to IPv4 instead of IPv6 when both A and AAAA are present. Now you can discuss wether this is a safe default or not, I would really like to know where the little button is to switch this behavior to AAAA first, which I recall used to be the case on earlier editions.

You may be experiencing the effects of Apple's strategy for IPv4/IPv6
dual adoption. You can see a short (9 minute) talk from Stuart Cheshire
at IETF 72 here:

http://www.stuartcheshire.org/IETF72/

The interesting bit for this discussion starts around minute 02:00 or so.

As I understand it, Safari does the equivalent of:

1. DNS lookup
2. TCP connection
3. HTTP request

In both IPv4 and IPv6 at the same time. Whichever gets to step #3 first
goes to completion "wins", and the other is canceled.

Note that once the A and AAAA record are in the DNS cache, then you are
really just looking at connecting on whichever TCP session opens first.

It's a reasonable solution, I think.

Assuming this is the reason, then the answer is to make your IPv6
connection faster. :)

--
Shane

From martin at millnert.se  Tue Feb  2 14:13:16 2010
From: martin at millnert.se (Martin Millnert)
Date: Tue, 02 Feb 2010 14:13:16 +0100
Subject: Safari on IPv6 ?
In-Reply-To: <4B682153.7030600@time-travellers.org>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
	<4B682153.7030600@time-travellers.org>
Message-ID: <1265116396.28198.20.camel@hsa.vpn.anti>

On Tue, 2010-02-02 at 13:57 +0100, Shane Kerr wrote:
> As I understand it, Safari does the equivalent of:
> 
> 1. DNS lookup
> 2. TCP connection
> 3. HTTP request
> 
> In both IPv4 and IPv6 at the same time. Whichever gets to step #3
> first goes to completion "wins", and the other is canceled.
> 
> Note that once the A and AAAA record are in the DNS cache, then you
> are really just looking at connecting on whichever TCP session opens
> first. 

Shane, 

this might very well be their goal, but it doesn't seem to be what's
going on, since Ron showed us on Monday that the mDNSResponder just
shuts down the remaining queries (one lingering AAAA in the example),
after having received its first reply.

In other words, the actual implementation, intended or not, is right now
that whoever accomplishes #1 first, may continue.

I would be more inclined to agree with that whoever performs #3 first
wins, than #1.  DNS lookup speed says nothing definite about IPv4 vs
IPv6 network/routing topologies and round trip times.

Regards,
-- 
Martin Millnert <martin at millnert.se>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20100202/ab31a8e6/attachment.bin 

From frnkblk at iname.com  Tue Feb  2 15:13:52 2010
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Tue, 2 Feb 2010 08:13:52 -0600
Subject: Safari on IPv6 ?
In-Reply-To: <!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAABoS56lMiJ6Q6NZ+FwnfTDzAQAAAAA=@iname.com>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>	<4B66AEF0.8000300@spaghetti.zurich.ibm.com>
	<!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAABoS56lMiJ6Q6NZ+FwnfTDzAQAAAAA=@iname.com>
Message-ID: <!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAAARprb+23u8TJhDQq6ohdfEAQAAAAA=@iname.com>

Someone pointed out this page to me:
http://www.deepspace6.net/docs/ipv6_status_page_apps.html#http

Not very specific and doesn't include host OS.  

Frank

-----Original Message-----
From: ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de
[mailto:ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de] On Behalf Of
Frank Bulk
Sent: Monday, February 01, 2010 11:50 PM
To: ipv6-ops at lists.cluenet.de
Subject: RE: Safari on IPv6 ?

Is there a webpage/wiki that puts into a nice table which OS version/web
browser version combination support IPv6, if it needs any tweaks to do so,
and whether IPv6 is treated equally or given preference?

I'm thinking our help desk....

Frank

-----Original Message-----
From: ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de
[mailto:ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de] On Behalf Of
Jeroen Massar
Sent: Monday, February 01, 2010 4:38 AM
To: Marco Hogewoning
Cc: ipv6-ops at lists.cluenet.de
Subject: Re: Safari on IPv6 ?

Marco Hogewoning wrote:
> Morning Folks,
> 
> This should be easy, however I can't seem to find the answer online
> as most articles are about turning off IPv6 instead of one.
> I noticed Apple's Safari 4.04 defaults to IPv4 instead of IPv6 when
> both A and AAAA are present. Now you can discuss wether this is a safe

It is ridiculous that that is a decision per-app instead of global.

> default or not, I would really like to know where the little button is
> to switch this behavior to AAAA first, which I recall used to be the case
> on earlier editions.

http://www.macosxhints.com/article.php?story=20090701234543632

aka:
# defaults write com.apple.Safari IncludeInternalDebugMenu 1

and apparently there somewhere you can change it around...

see http://www.macosxhints.com/article.php?story=20040112104026573 for
more stories.....

I don't have an true idea though as I don't use safari, but I hope the
above helps you out

> MarcoH
> (oh and please forget about browser wars, I know how to download Firefox)

But, but, did you think about Internet Explorer, Opera, Chrome and all
the others out there? *nudge* :)

Greets,
 Jeroen



From shane at time-travellers.org  Tue Feb  2 15:20:27 2010
From: shane at time-travellers.org (Shane Kerr)
Date: Tue, 02 Feb 2010 15:20:27 +0100
Subject: Safari on IPv6 ?
In-Reply-To: <1265116396.28198.20.camel@hsa.vpn.anti>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>	<4B682153.7030600@time-travellers.org>
	<1265116396.28198.20.camel@hsa.vpn.anti>
Message-ID: <4B6834AB.5040700@time-travellers.org>

Martin,

On 2010-02-02 14:13, Martin Millnert wrote:
> On Tue, 2010-02-02 at 13:57 +0100, Shane Kerr wrote:
>> As I understand it, Safari does the equivalent of:
>>
>> 1. DNS lookup
>> 2. TCP connection
>> 3. HTTP request
>>
>> In both IPv4 and IPv6 at the same time. Whichever gets to step #3
>> first goes to completion "wins", and the other is canceled.
>>
>> Note that once the A and AAAA record are in the DNS cache, then you
>> are really just looking at connecting on whichever TCP session opens
>> first. 
> 
> Shane, 
> 
> this might very well be their goal, but it doesn't seem to be what's
> going on, since Ron showed us on Monday that the mDNSResponder just
> shuts down the remaining queries (one lingering AAAA in the example),
> after having received its first reply.

Right.

Even when (if?) they fix mDNSResponder not to be horribly broken, you
will still have non-deterministic behavior, depending on whether your
IPv4 or IPv6 connection happens to be faster. FWIW, I think this is
actually the right thing to do, much as it sucks for network engineers.

> In other words, the actual implementation, intended or not, is right now
> that whoever accomplishes #1 first, may continue.
> 
> I would be more inclined to agree with that whoever performs #3 first
> wins, than #1.  DNS lookup speed says nothing definite about IPv4 vs
> IPv6 network/routing topologies and round trip times.

Well, #2. You really don't want to actually ask for the web page twice,
because this can mean a lot of work for the web server if you've got a
dynamic page, and is a bit unfriendly. Even Apple has limits as to how
much they are willing to abuse the network to improve the user
experience. ;)

--
Shane

From ocl at gih.com  Tue Feb  2 15:26:06 2010
From: ocl at gih.com (Olivier MJ Crepin-Leblond)
Date: Tue, 02 Feb 2010 15:26:06 +0100
Subject: Safari on IPv6 ?
In-Reply-To: <!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAACeWYbYi6v1TrM7iNRNFVNnAQAAAAA=@iname.com>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>	<4B66AEF0.8000300@spaghetti.zurich.ibm.com>
	<!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAABoS56lMiJ6Q6NZ+FwnfTDzAQAAAAA=@iname.com>
	<4B67EAD8.10203@gih.com>
	<!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAACeWYbYi6v1TrM7iNRNFVNnAQAAAAA=@iname.com>
Message-ID: <4B6835FE.7080704@gih.com>

Also:

http://en.wikipedia.org/wiki/Comparison_of_IPv6_application_support

which has pointers to its sources and other such useful lists.

Warm regards,

Olivier

Le 02/02/2010 15:09, Frank Bulk - iName.com a ?crit :
> Thanks.  That's a start, though it's pretty unspecific.
>
> Frank
>
> -----Original Message-----
> From: Olivier MJ Crepin-Leblond [mailto:ocl at gih.com]
> Sent: Tuesday, February 02, 2010 3:05 AM
> To: frnkblk at iname.com
> Subject: Re: Safari on IPv6 ?
>
> Frank:
>
> The only thing close to what you're asking for that I know of is:
>
> http://www.deepspace6.net/docs/ipv6_status_page_apps.html
>
> Please let me know if you've had another pointer.
>
> Warm regards,
>
> Olivier
>
> Le 02/02/2010 06:49, Frank Bulk a ?crit :
>    
>> Is there a webpage/wiki that puts into a nice table which OS version/web
>> browser version combination support IPv6, if it needs any tweaks to do so,
>> and whether IPv6 is treated equally or given preference?
>>
>> I'm thinking our help desk....
>>
>> Frank
>>
>> -----Original Message-----
>> From: ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de
>> [mailto:ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de] On Behalf Of
>> Jeroen Massar
>> Sent: Monday, February 01, 2010 4:38 AM
>> To: Marco Hogewoning
>> Cc: ipv6-ops at lists.cluenet.de
>> Subject: Re: Safari on IPv6 ?
>>
>> Marco Hogewoning wrote:
>>
>>      
>>> Morning Folks,
>>>
>>> This should be easy, however I can't seem to find the answer online
>>> as most articles are about turning off IPv6 instead of one.
>>> I noticed Apple's Safari 4.04 defaults to IPv4 instead of IPv6 when
>>> both A and AAAA are present. Now you can discuss wether this is a safe
>>>
>>>        
>> It is ridiculous that that is a decision per-app instead of global.
>>
>>
>>      
>>> default or not, I would really like to know where the little button is
>>> to switch this behavior to AAAA first, which I recall used to be the case
>>> on earlier editions.
>>>
>>>        
>> http://www.macosxhints.com/article.php?story=20090701234543632
>>
>> aka:
>> # defaults write com.apple.Safari IncludeInternalDebugMenu 1
>>
>> and apparently there somewhere you can change it around...
>>
>> see http://www.macosxhints.com/article.php?story=20040112104026573 for
>> more stories.....
>>
>> I don't have an true idea though as I don't use safari, but I hope the
>> above helps you out
>>
>>
>>      
>>> MarcoH
>>> (oh and please forget about browser wars, I know how to download Firefox)
>>>
>>>        
>> But, but, did you think about Internet Explorer, Opera, Chrome and all
>> the others out there? *nudge* :)
>>
>> Greets,
>>    Jeroen
>>
>>
>>      
>    

-- 
Olivier MJ Cr?pin-Leblond, PhD
http://www.gih.com/ocl.html


From kiwi at oav.net  Tue Feb  2 15:28:07 2010
From: kiwi at oav.net (Xavier Beaudouin)
Date: Tue, 2 Feb 2010 15:28:07 +0100
Subject: Safari on IPv6 ?
In-Reply-To: <!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAAARprb+23u8TJhDQq6ohdfEAQAAAAA=@iname.com>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>	<4B66AEF0.8000300@spaghetti.zurich.ibm.com>
	<!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAABoS56lMiJ6Q6NZ+FwnfTDzAQAAAAA=@iname.com>
	<!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAAARprb+23u8TJhDQq6ohdfEAQAAAAA=@iname.com>
Message-ID: <CAE02901-AAD6-443C-879E-0FE26AA35F93@oav.net>

Hi !
Le 2 f?vr. 2010 ? 15:13, Frank Bulk - iName.com a ?crit :

> Someone pointed out this page to me:
> http://www.deepspace6.net/docs/ipv6_status_page_apps.html#http
> 
> Not very specific and doesn't include host OS.  

Seems that, is based on GNU Debian Linux... most of what is written is good, but on some other OS, the reality is quite deferent (maybe more broken thing or less broken things)...

Xavier

From Sam.Wilson at ed.ac.uk  Tue Feb  2 18:25:57 2010
From: Sam.Wilson at ed.ac.uk (Sam Wilson)
Date: Tue, 2 Feb 2010 17:25:57 +0000
Subject: Safari on IPv6 ?
In-Reply-To: <4B6834AB.5040700@time-travellers.org>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>	<4B682153.7030600@time-travellers.org>
	<1265116396.28198.20.camel@hsa.vpn.anti>
	<4B6834AB.5040700@time-travellers.org>
Message-ID: <1FF2721E-77CC-4471-9D7B-CD3A4B54402B@ed.ac.uk>


On 2 Feb 2010, at 14:20, Shane Kerr wrote:

> Martin,
>
> On 2010-02-02 14:13, Martin Millnert wrote:
>> On Tue, 2010-02-02 at 13:57 +0100, Shane Kerr wrote:
>>> As I understand it, Safari does the equivalent of:
>>>
>>> 1. DNS lookup
>>> 2. TCP connection
>>> 3. HTTP request
>>>
>>> In both IPv4 and IPv6 at the same time. Whichever gets to step #3
>>> first goes to completion "wins", and the other is canceled.
>>>
>>> Note that once the A and AAAA record are in the DNS cache, then you
>>> are really just looking at connecting on whichever TCP session opens
>>> first.
>>
>> Shane,
>>
>> this might very well be their goal, but it doesn't seem to be what's
>> going on, since Ron showed us on Monday that the mDNSResponder just
>> shuts down the remaining queries (one lingering AAAA in the example),
>> after having received its first reply.
>
> Right.
>
> Even when (if?) they fix mDNSResponder not to be horribly broken, you
> will still have non-deterministic behavior, depending on whether your
> IPv4 or IPv6 connection happens to be faster. FWIW, I think this is
> actually the right thing to do, much as it sucks for network engineers

I've been pondering whether it would make sense to cache some kind of
preference probe occasionally, something like BIND does to check
alternative name servers.  It may be that web traffic doesn't lend  
itself
to that approach - too many different servers to make it worth while.

>> In other words, the actual implementation, intended or not, is  
>> right now
>> that whoever accomplishes #1 first, may continue.
>>
>> I would be more inclined to agree with that whoever performs #3 first
>> wins, than #1.  DNS lookup speed says nothing definite about IPv4 vs
>> IPv6 network/routing topologies and round trip times.
>
> Well, #2. You really don't want to actually ask for the web page  
> twice,
> because this can mean a lot of work for the web server if you've got a
> dynamic page, and is a bit unfriendly. Even Apple has limits as to how
> much they are willing to abuse the network to improve the user
> experience. ;)

Is there a way to extract information from web server logs or the like  
to
see whether there's a significant number of dual-stacked Macs making
double connections?  (Or perhaps that's masked by the mDNSResponder  
nastiness.)

Sam Wilson
Network Team, IT Infrastructure
Information Services, The University of Edinburgh
Edinburgh, Scotland, UK


-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


From martin at millnert.se  Wed Feb  3 10:23:25 2010
From: martin at millnert.se (Martin Millnert)
Date: Wed, 03 Feb 2010 10:23:25 +0100
Subject: Youtube-over-IPv6
In-Reply-To: <20100129101027.GL32226@Space.Net>
References: <1264722718.1613.86.camel@hsa.vpn.anti>
	<2e8c64261001281645t13ab8d69n176131df478cba9@mail.gmail.com>
	<20100129081135.GJ32226@Space.Net> <4B62B350.4050804@danysek.cz>
	<20100129101027.GL32226@Space.Net>
Message-ID: <1265189005.28198.80.camel@hsa.vpn.anti>

On Fri, 2010-01-29 at 11:10 +0100, Gert Doering wrote:
> The youtube web page is IPv4 only, but the images and videos are delivered
> over IPv6.  You can see this in the dns on, for example, s.ytimg.com:

I'm not sure when it happened, but right now I'm getting the web page
dual-stacked as well,

anticimex at hsa:~$ host www.youtube.com
www.youtube.com is an alias for youtube-ui.l.google.com.
youtube-ui.l.google.com has address 74.125.39.102
youtube-ui.l.google.com has address 74.125.39.113
youtube-ui.l.google.com has address 74.125.39.138
youtube-ui.l.google.com has address 74.125.39.139
youtube-ui.l.google.com has address 74.125.39.100
youtube-ui.l.google.com has address 74.125.39.101
youtube-ui.l.google.com has IPv6 address 2a00:1450:8007::66
youtube-ui.l.google.com has IPv6 address 2a00:1450:8007::71
youtube-ui.l.google.com has IPv6 address 2a00:1450:8007::8a
youtube-ui.l.google.com has IPv6 address 2a00:1450:8007::8b
youtube-ui.l.google.com has IPv6 address 2a00:1450:8007::64
youtube-ui.l.google.com has IPv6 address 2a00:1450:8007::65


I tried firewalling away my IPv4 connectivity and used a non-local,
dual-stacked, DNS resolver to browse the page and it sort-of works.
Front page looks kind-of stupid (some elements missing), but it is
possible to view videos, etc. :)

When using a local resolver the DNS fails however, as expected.
Isn't end-users having local resolvers something to expect in the
future, with DNSSEC and all? It's not a rhetorical question. I actually
want to know, since this affects the degree to which dual-stacked /
single-stack-v6 DNS support will be required to serve future mobile
v6-only users, or what not.

So you IPv6 ninjas over at Google, what's next? :)
Achieving support of single-stack IPv6 users should be the long-term
goal, I presume.
Dare you answer at all re: the DNS infrastructure? :)

Big thanks,
-- 
Martin Millnert <martin at millnert.se>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20100203/aa7e1c8d/attachment.bin 

From ayourtch at cisco.com  Wed Feb  3 13:41:51 2010
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Wed, 3 Feb 2010 13:41:51 +0100 (CET)
Subject: Safari on IPv6 ?
In-Reply-To: <4B6834AB.5040700@time-travellers.org>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
	<4B682153.7030600@time-travellers.org>
	<1265116396.28198.20.camel@hsa.vpn.anti>
	<4B6834AB.5040700@time-travellers.org>
Message-ID: <alpine.DEB.2.00.1002031158440.13347@ayourtch-lnx.stdio.be>

Shane,

On Tue, 2 Feb 2010, Shane Kerr wrote:

> Martin,
>
> On 2010-02-02 14:13, Martin Millnert wrote:
>> On Tue, 2010-02-02 at 13:57 +0100, Shane Kerr wrote:
>>> As I understand it, Safari does the equivalent of:
>>>
>>> 1. DNS lookup
>>> 2. TCP connection
>>> 3. HTTP request
>>>
>>> In both IPv4 and IPv6 at the same time. Whichever gets to step #3
>>> first goes to completion "wins", and the other is canceled.
>>>
>>> Note that once the A and AAAA record are in the DNS cache, then you
>>> are really just looking at connecting on whichever TCP session opens
>>> first.
>>
>> Shane,
>>
>> this might very well be their goal, but it doesn't seem to be what's
>> going on, since Ron showed us on Monday that the mDNSResponder just
>> shuts down the remaining queries (one lingering AAAA in the example),
>> after having received its first reply.
>
> Right.
>
> Even when (if?) they fix mDNSResponder not to be horribly broken, you
> will still have non-deterministic behavior, depending on whether your
> IPv4 or IPv6 connection happens to be faster. FWIW, I think this is
> actually the right thing to do, much as it sucks for network engineers.

I agree this is the right thing to do from the user perspective - though 
one thing that may help is making it more explicit in the 
UI/documentation - i.e. indicating somewhere whether the connection was 
made over IPv4 or IPv6, and, more importantly, *why*. Then this can give 
actionable input to the network engineers as well.

>
>> In other words, the actual implementation, intended or not, is right now
>> that whoever accomplishes #1 first, may continue.
>>
>> I would be more inclined to agree with that whoever performs #3 first
>> wins, than #1.  DNS lookup speed says nothing definite about IPv4 vs
>> IPv6 network/routing topologies and round trip times.
>
> Well, #2. You really don't want to actually ask for the web page twice,
> because this can mean a lot of work for the web server if you've got a
> dynamic page, and is a bit unfriendly. Even Apple has limits as to how
> much they are willing to abuse the network to improve the user
> experience. ;)

In http://tools.ietf.org/html/draft-wing-http-new-tech we tried to strike 
a balance between that and just deciding based on which of the DNS 
response comes first. In the tests it was rather quickly converging to 
either IPv4 or IPv6 - and then after a few initial attempts the client 
would not need extra TCP connections. (Also, if the request is stopped at 
the TCP level, with non-forking servers it would be a relatively small 
overhead compared to full HTTP parsing).

kind regards,
andrew


From ek at google.com  Thu Feb  4 11:14:29 2010
From: ek at google.com (Erik Kline)
Date: Thu, 4 Feb 2010 02:14:29 -0800
Subject: Youtube-over-IPv6
In-Reply-To: <1265189005.28198.80.camel@hsa.vpn.anti>
References: <1264722718.1613.86.camel@hsa.vpn.anti>
	<2e8c64261001281645t13ab8d69n176131df478cba9@mail.gmail.com>
	<20100129081135.GJ32226@Space.Net> <4B62B350.4050804@danysek.cz>
	<20100129101027.GL32226@Space.Net>
	<1265189005.28198.80.camel@hsa.vpn.anti>
Message-ID: <2e8c64261002040214g368a6b34w5fa2d393644e220a@mail.gmail.com>

> I tried firewalling away my IPv4 connectivity and used a non-local,
> dual-stacked, DNS resolver to browse the page and it sort-of works.
> Front page looks kind-of stupid (some elements missing), but it is
> possible to view videos, etc. :)

Any idea which hostnames aren't dualstacked or, more precisely, what is missing?

> So you IPv6 ninjas over at Google, what's next? :)

More.  :)

> Achieving support of single-stack IPv6 users should be the long-term
> goal, I presume.
> Dare you answer at all re: the DNS infrastructure? :)

The existing whitelist program is not a long term solution, as many
have noted.  I wouldn't worry too much about it affecting any
potential future DNSSEC support of Google domains.

From Sam.Wilson at ed.ac.uk  Thu Feb  4 11:29:11 2010
From: Sam.Wilson at ed.ac.uk (Sam Wilson)
Date: Thu, 4 Feb 2010 10:29:11 +0000
Subject: Safari on IPv6 ?
In-Reply-To: <1265116396.28198.20.camel@hsa.vpn.anti>
References: <C679F025-3DF8-4228-9907-1970FC53B6C5@marcoh.net>
	<4B682153.7030600@time-travellers.org>
	<1265116396.28198.20.camel@hsa.vpn.anti>
Message-ID: <17C864D4-02E9-4D4F-8435-7E0BE03170BB@ed.ac.uk>


On 2 Feb 2010, at 13:13, Martin Millnert wrote:

> On Tue, 2010-02-02 at 13:57 +0100, Shane Kerr wrote:
>> As I understand it, Safari does the equivalent of:
>>
>> 1. DNS lookup
>> 2. TCP connection
>> 3. HTTP request
>>
>> In both IPv4 and IPv6 at the same time. Whichever gets to step #3
>> first goes to completion "wins", and the other is canceled.
>>
>> Note that once the A and AAAA record are in the DNS cache, then you
>> are really just looking at connecting on whichever TCP session opens
>> first.
>
> Shane,
>
> this might very well be their goal, but it doesn't seem to be what's
> going on, since Ron showed us on Monday that the mDNSResponder just
> shuts down the remaining queries (one lingering AAAA in the example),
> after having received its first reply.
>
> In other words, the actual implementation, intended or not, is  
> right now
> that whoever accomplishes #1 first, may continue.
>
> I would be more inclined to agree with that whoever performs #3 first
> wins, than #1.  DNS lookup speed says nothing definite about IPv4 vs
> IPv6 network/routing topologies and round trip times.

Just to be explicit about some cross-thread fertilisation.  The  
YouTube-v6
thread has an example DNS lookup which returns a CNAME record with  
both A and
AAAA in the additional section. In that case - which will be a large
proportion of cases, if not a clear majority - there should be no  
competition
at #1 even with the current mDNSResponder implementation.

Sam

Sam Wilson
Network Team, IT Infrastructure
Information Services, The University of Edinburgh
Edinburgh, Scotland, UK


-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


From dougb at dougbarton.us  Thu Feb  4 21:40:56 2010
From: dougb at dougbarton.us (Doug Barton)
Date: Thu, 04 Feb 2010 12:40:56 -0800
Subject: Youtube-over-IPv6
In-Reply-To: <2e8c64261002040214g368a6b34w5fa2d393644e220a@mail.gmail.com>
References: <1264722718.1613.86.camel@hsa.vpn.anti>	<2e8c64261001281645t13ab8d69n176131df478cba9@mail.gmail.com>	<20100129081135.GJ32226@Space.Net>
	<4B62B350.4050804@danysek.cz>	<20100129101027.GL32226@Space.Net>	<1265189005.28198.80.camel@hsa.vpn.anti>
	<2e8c64261002040214g368a6b34w5fa2d393644e220a@mail.gmail.com>
Message-ID: <4B6B30D8.4040704@dougbarton.us>

On 2/4/2010 2:14 AM, Erik Kline wrote:
> The existing whitelist program is not a long term solution, as many
> have noted.  I wouldn't worry too much about it affecting any
> potential future DNSSEC support of Google domains.

First off, I'd like to add my voice to the chorus of thanks for taking
serious steps to deploy v6. It's going to be hard for others to argue
that v6 is not viable when we can say "Ah, but then why is google doing
it?" :)

Have you considered as a next step doing a little DNS magic such that if
the DNS request comes in over IPv6 and the request is for AAAA that they
are returned? I realize that v6 on the DNS network is not 100%
determinative of v6 on the client network, but I would imagine that the
correlation for this particular network characteristic is actually very
high, and I think it would make a good next step in terms of rolling out
to a slightly wider audience.

And last question, are there graphs anywhere of your v6 traffic that are
publically available? At this point the percentage (vs. v4) is not very
interesting, but would be interesting is a steadily increasing amount of
traffic over time. That would also be a great advocacy tool.


Doug

-- 

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/

	Computers are useless. They can only give you answers.
			-- Pablo Picasso


From owens at nysernet.org  Thu Feb  4 21:47:52 2010
From: owens at nysernet.org (Bill Owens)
Date: Thu, 4 Feb 2010 15:47:52 -0500
Subject: Youtube-over-IPv6
In-Reply-To: <4B6B30D8.4040704@dougbarton.us>
References: <1264722718.1613.86.camel@hsa.vpn.anti>
	<2e8c64261001281645t13ab8d69n176131df478cba9@mail.gmail.com>
	<20100129081135.GJ32226@Space.Net> <4B62B350.4050804@danysek.cz>
	<20100129101027.GL32226@Space.Net>
	<1265189005.28198.80.camel@hsa.vpn.anti>
	<2e8c64261002040214g368a6b34w5fa2d393644e220a@mail.gmail.com>
	<4B6B30D8.4040704@dougbarton.us>
Message-ID: <20100204204752.GL50831@nysernet.org>

On Thu, Feb 04, 2010 at 12:40:56PM -0800, Doug Barton wrote:
> Have you considered as a next step doing a little DNS magic such that if
> the DNS request comes in over IPv6 and the request is for AAAA that they
> are returned? I realize that v6 on the DNS network is not 100%
> determinative of v6 on the client network, but I would imagine that the
> correlation for this particular network characteristic is actually very
> high, and I think it would make a good next step in terms of rolling out
> to a slightly wider audience.

I'm not sure whether that correlation is actually valid (I have dual-stack resolvers that get lots of queries from v4-only clients), but in any case it won't work for Google as long as their nameservers are v4-only. . .

Bill.

From martin at millnert.se  Thu Feb  4 22:00:23 2010
From: martin at millnert.se (Martin Millnert)
Date: Thu, 04 Feb 2010 22:00:23 +0100
Subject: Youtube-over-IPv6
In-Reply-To: <2e8c64261002040214g368a6b34w5fa2d393644e220a@mail.gmail.com>
References: <1264722718.1613.86.camel@hsa.vpn.anti>
	<2e8c64261001281645t13ab8d69n176131df478cba9@mail.gmail.com>
	<20100129081135.GJ32226@Space.Net> <4B62B350.4050804@danysek.cz>
	<20100129101027.GL32226@Space.Net>
	<1265189005.28198.80.camel@hsa.vpn.anti>
	<2e8c64261002040214g368a6b34w5fa2d393644e220a@mail.gmail.com>
Message-ID: <1265317223.28198.101.camel@hsa.vpn.anti>

On Thu, 2010-02-04 at 02:14 -0800, Erik Kline wrote:
> Any idea which hostnames aren't dualstacked or, more precisely, what is missing?

Yeah, I took a better look now.

It is actually only a few lines of obfuscated code that I believe refers
to some AD URLs, that are not presented as dual-stack.

anticimex at hsa:/tmp$ host ad-emea.doubleclick.net
ad-emea.doubleclick.net is an alias for dart.l.doubleclick.net.
dart.l.doubleclick.net has address 209.85.135.148
dart.l.doubleclick.net has address 209.85.135.149

The reverse DNS of the IP:s reminds me that GOOG bought said company:
148.135.85.209.in-addr.arpa domain name pointer mu-in-f148.1e100.net.
149.135.85.209.in-addr.arpa domain name pointer mu-in-f149.1e100.net.

Feel no hurry to IPv6:alize these... :)

> > So you IPv6 ninjas over at Google, what's next? :)
> 
> More.  :)

Nice :)

Regards,
-- 
Martin Millnert <martin at millnert.se>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20100204/48938b82/attachment.bin 

From martin at millnert.se  Thu Feb  4 22:40:45 2010
From: martin at millnert.se (Martin Millnert)
Date: Thu, 04 Feb 2010 22:40:45 +0100
Subject: Youtube-over-IPv6
In-Reply-To: <2e8c64261002040214g368a6b34w5fa2d393644e220a@mail.gmail.com>
References: <1264722718.1613.86.camel@hsa.vpn.anti>
	<2e8c64261001281645t13ab8d69n176131df478cba9@mail.gmail.com>
	<20100129081135.GJ32226@Space.Net> <4B62B350.4050804@danysek.cz>
	<20100129101027.GL32226@Space.Net>
	<1265189005.28198.80.camel@hsa.vpn.anti>
	<2e8c64261002040214g368a6b34w5fa2d393644e220a@mail.gmail.com>
Message-ID: <1265319645.28198.104.camel@hsa.vpn.anti>

On Thu, 2010-02-04 at 02:14 -0800, Erik Kline wrote:
> Any idea which hostnames aren't dualstacked or, more precisely, what is missing?

Oh, I'm sorry, but I forgot this in the last mail:

anticimex at hsa:~$ host youtube.com
youtube.com has address 74.125.127.100
youtube.com has address 74.125.45.100
youtube.com has address 74.125.67.100
youtube.com mail is handled by 10 sjl-mbox1.sjl.youtube.com.

I don't want to seem overly pedantic here, but if there are IPv4
addresses there should be IPv6 addresses also. ;)

Regards,
-- 
Martin Millnert <martin at millnert.se>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20100204/7e78022a/attachment.bin 

From paul at timmins.net  Thu Feb  4 22:53:27 2010
From: paul at timmins.net (Paul Timmins)
Date: Thu, 04 Feb 2010 16:53:27 -0500
Subject: Youtube-over-IPv6
In-Reply-To: <2e8c64261002040214g368a6b34w5fa2d393644e220a@mail.gmail.com>
References: <1264722718.1613.86.camel@hsa.vpn.anti>	<2e8c64261001281645t13ab8d69n176131df478cba9@mail.gmail.com>	<20100129081135.GJ32226@Space.Net>
	<4B62B350.4050804@danysek.cz>	<20100129101027.GL32226@Space.Net>	<1265189005.28198.80.camel@hsa.vpn.anti>
	<2e8c64261002040214g368a6b34w5fa2d393644e220a@mail.gmail.com>
Message-ID: <4B6B41D7.2020108@timmins.net>

Erik Kline wrote:
>> I tried firewalling away my IPv4 connectivity and used a non-local,
>> dual-stacked, DNS resolver to browse the page and it sort-of works.
>> Front page looks kind-of stupid (some elements missing), but it is
>> possible to view videos, etc. :)
>>     
>
> Any idea which hostnames aren't dualstacked or, more precisely, what is missing?
>   
I noticed gmail's SMTP servers aren't v6 reachable. I'm curious how much 
IPv6 SMTP would flow worldwide if they were.
>> So you IPv6 ninjas over at Google, what's next? :)
>>     
> More.  :)
>
>   
>> Achieving support of single-stack IPv6 users should be the long-term
>> goal, I presume.
>> Dare you answer at all re: the DNS infrastructure? :)
>>     
>
> The existing whitelist program is not a long term solution, as many
> have noted.  I wouldn't worry too much about it affecting any
> potential future DNSSEC support of Google domains.
>   
Curiosity, is it easy to get whitelisted on some test servers to see how 
things go, then expand it to others? Do I have to meet Google at an 
exchange point or is the fact I have native connectivity good enough?

-Paul


From marc.blanchet at viagenie.ca  Tue Feb  9 00:17:24 2010
From: marc.blanchet at viagenie.ca (Marc Blanchet)
Date: Mon, 08 Feb 2010 18:17:24 -0500
Subject: announcing DNS64-NAT64 opensource implementations
Message-ID: <4B709B84.7020604@viagenie.ca>

<sorry for cross-posting/>

This is to announce the availability of two NAT64-DNS64 open-source
implementations by Viagenie, as follows:

======
NAT64
======
BSD PF:
  this implementation of NAT64 is made by modifying the PF packet filter
available on BSD systems. A new 'nat64' statement is created in the
pf.conf file to enable the nat64 functionality.

Linux Netfilter:
The implementation of NAT64 for linux is available as a kernel module.
It uses Netfilter's facilities for packet interception.  The
configuration is done with parameters provided at module insertion.

======
DNS64
======
As announced in july 2009 during IETF Stockholm, the companion DNS64
functionality is also available in two implementations, as follows:

BIND:
  this implementation of DNS64 is made by modifying the BIND DNS server.
A new "dns64-prefix" statement in options is created in the named.conf
file to enable DNS64 functionality.

Unbound:
  this implementation of DNS64 is made by adding a module to the Unbound
DNS server. To enable the DNS64 functionality, the module should be
declared and the dns64-prefix statement should be added in the
unbound.conf file.

The two functionalities (NAT64 and DNS64) make a complete system for
translating IPv6-IPv4 packets. The source code, some pre-compiled
packages and project description are available at:
http://ecdysis.viagenie.ca.

This project was funded by NLNet foundation
and Viagenie.

We are looking for feedback, patches, suggestions from the community.

http://ecdysis.viagenie.ca

Regards,

Marc Blanchet, Simon Perreault, Jean-Philippe Dionne
Viagenie








From fernando at gont.com.ar  Sat Feb 13 13:18:17 2010
From: fernando at gont.com.ar (Fernando Gont)
Date: Sat, 13 Feb 2010 09:18:17 -0300
Subject: Support of IPv6 features in different implementations
Message-ID: <4B769889.8090506@gont.com.ar>

Hello, folks,

Is there any online document that provides some kind of summary
of what Neighbor Discovery options are supported in each platform?
(e.g., RDNSS, etc.)

Even better, is there any site/document that keeps track about the
implementation of IPv6 features/mechanisms (in general) in different
stacks? (say, RDNSS ND option, Inverse Neighbor Discovery, and others,
etc., etc.)

Thanks!

Kind regards,
-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1





From d at teklibre.org  Wed Feb 24 17:21:51 2010
From: d at teklibre.org (Dave Taht)
Date: Wed, 24 Feb 2010 10:21:51 -0600
Subject: failing over better with multiple prefixes?
Message-ID: <4B85521F.3090607@teklibre.org>

I've been wrestling with this one for a while.

Let's assume that Joe Corporation is not willing to pony up for a BGP 
number ($1000 + $600/yr membership fee from lacnic) or a dedicated IPv6 
allocation large enough (/32)? for someone to be willing to route. 
(currently lacnic appears to not be charging for IPv6 allocations  but 
it is unclear how to get it routed or how much you can get)

Q1) Is there a "best (and cheap) way" to get a dedicated, independent 
IPv6 address space and BGP AS number that people are willing to route? 
Note that I am in the third world and the problem of who to contact to 
get stuff routed is augmented by the language barrier, and the fees 
involved above are nearly double what the average person makes here, per 
year....

Moving on into the alternate hole I've dug myself:

So joe has a dedicated IPv4 address and uses the resultant 2002 network 
to add IPv6 to their net.
Yea, there's 64k worth of subnets there so they proceed merrily slamming 
out 2002 nets across their offices, currently 11...

There are also dedicated links between the offices, in more or less of a 
wireless mountainous mesh, many of which have their own real IPv4 IP 
gateway from various providers as well, as well as a few that are stuck 
behind NAT from less wealthy providers, for which they use a hurricane 
electric tunnel currently. So it's a huge waste of very limited 
bandwidth to backhaul everything to the main office...

So for local routing, they add 2002:the-local-office-net:bla:bla:bla:bla 
to each local network, or 2001:the-hurricane-tunnel if needed, and 
distribute those addresses via radvd, and route the internal routes 
around (currently) via babeld.

Every machine ends up with one IPv6 address per (IPv4 or tunnel) 
gateway. This is kind of unwieldy, particularly if you want to wedge all 
this into DNS, too...

Still, this works pretty good when everything is working.

Q2a) It's unclear, that once you start assigning multiple 2002: or 2001: 
tunnel prefixes how to make the local 2002 or 2001 gateway prefix be the 
primary source address prefix. The routers are all running a reasonably 
recent version of linux (2.6.26 at minimum), and have ip rules tables 
installed for source routing (ipv4 only at the moment) where needed...

Q2b) It's really unclear how IPv6 interacts with the linux RPDB these 
days...

Q3) When an external link goes down they'd like the offices to fail-over 
to routing internally to the next best gateway. But if the source 
address is 2002:the-local-office, sending stuff out 
2002:some-other-office's-gateway isn't going to work very well.

Now, I don't really want to talk about NAT. What I would like to have 
happen, is when an external tunnel goes down, that the IPv6 addresses 
derived from it become deprecated and aren't used for future 
connections, and when it goes back up they get undeprecated....

It's not clear to me how to do this aside from rewriting the radvd.conf 
file and restarting radvd, and even then, there doesn't appear to be 
syntax to "deprecate" an address only (thus eliminating the need to 
remove it from DNS)

Is there something that I could use other than radvd?

it's not clear how to deprecate static addresses either (for example, on 
a DNS server or a virtual machine).

Q4) This is maybe just a syntax problem with the "ip" tool

For example, I can rid myself of an address by:

ip addr change 2001:470:b9d7:e::1/64 dev eth1 valid_lft 1 preferred_lft 1

But INTERNALLY that IPv6 address is fine, so what I really want to do is 
deprecate the address so it's not used for future external communication 
and I don't mess up any on-going internal communications. So, somehow, I 
need to "hear" from userspace, that my default gateway for this prefix 
is toast and then (for example)

ip addr change 2001:470:b9d7:e::1/64 dev eth1 deprecated
Error: either "local" is duplicate, or "deprecated" is a garbage.

(whenever this happens I can also remove the IP address from DNS via 
nsupdate)

I've been fiddling with the syntax of this ip command for a while to no 
avail. (linux 2.6.32) It doesn't accept any of the other documented 
flags (primary, secondary, etc) either.

And for dynamically configured clients to able to "hear" a deprecated 
IPv6 prefix via some normal method that windows and linux clients would 
respond to without any scripting would be nice.

Q5) Taking a prefix to a tunnel up or down is somewhat problematic. For 
example, right now, (what prompted this mail), my HE tunnel is down 
(external gateway is down), but it says it's up:

9: he-ipv6: <POINTOPOINT,NOARP,UP>
     inet6 2001:470:1f0e:34a::2/64 scope global
     inet6 fe80::c0a8:702/128 scope link

So the only way I know to test the tunnel is via pinging the other side 
of it 2001:470:1f0e:34a::1,
and if that fails, rewrite the radvd file...



From me at benedikt-stockebrand.de  Thu Feb 25 01:35:44 2010
From: me at benedikt-stockebrand.de (Benedikt Stockebrand)
Date: Thu, 25 Feb 2010 00:35:44 +0000
Subject: failing over better with multiple prefixes?
In-Reply-To: <4B85521F.3090607@teklibre.org> (Dave Taht's message of "Wed,
	24 Feb 2010 10:21:51 -0600")
References: <4B85521F.3090607@teklibre.org>
Message-ID: <sa7vddmcftr.fsf@benedikt-stockebrand.de>

Hi Dave and list,

Dave Taht <d at teklibre.org> writes:

> Q1) Is there a "best (and cheap) way" to get a dedicated, independent
> IPv6 address space and BGP AS number that people are willing to route?

I don't know, but...

> Note that I am in the third world

... you'd best ask around locally.

Out of curiosity: Where are you?

> So joe has a dedicated IPv4 address and uses the resultant 2002
> network to add IPv6 to their net.
> [snip]

Don't use 6to4 in production environments: If the public relay you use
causes trouble you may not even know who to contact -- or how.  And if
the tunnel routers in the reverse direction don't work the situation
is even worse.

If I understand your setup correctly, then you are quite likely best
off to use tunnels (HE or whatever else you like and can get) until
your ISPs start to offer you native IPv6.

You can then route these adresses through your dedicated links as
needed.

As for the failover issue: Yes, you can advertise addresses both from
your direkt upstream and your main office in all sites, but keep the
fallback addresses deprecated until something nasty happens.  As long
as you are using tunnels to HE, consider moving your tunnel end point
to wherever there is working connectivity.  Once you have native IPv6
connectivity and a cooperative provider, use a tunnel from them
through another connection as a fallback -- yes, this requires
cooperation from your ISP.

> There are also dedicated links between the offices, in more or less of
> a wireless mountainous mesh, many of which have their own real IPv4 IP
> gateway from various providers as well, as well as a few that are
> stuck behind NAT from less wealthy providers, for which they use a
> hurricane electric tunnel currently. So it's a huge waste of very
> limited bandwidth to backhaul everything to the main office...

Will an AS and possibly PI addresses actually help in that case?

> Every machine ends up with one IPv6 address per (IPv4 or tunnel)
> gateway. This is kind of unwieldy, particularly if you want to wedge
> all this into DNS, too...

First of all, unless the situation in your setup is way beyond what
I'd consider reasonably reliable, you can normally limit yourself to
two or three addresses.

As far as the DNS issue goes: That's what scripts are there for.

> Still, this works pretty good when everything is working.

It's always good when everything is working -- the headaches come from
not thinking in time about how to keep it that way:-)

> Q2a) It's unclear, that once you start assigning multiple 2002: or
> 2001: tunnel prefixes how to make the local 2002 or 2001 gateway
> prefix be the primary source address prefix. The routers are all
> running a reasonably recent version of linux (2.6.26 at minimum), and
> have ip rules tables installed for source routing (ipv4 only at the
> moment) where needed...

You can't really do that on the routers.  Check RFC 3484 for the
details on how address selection works.  Unfortunately, at least last
time I checked Linux didn't have a configurable address selection
table -- but then, you'd have to do this on the hosts as well, so it
is pretty much out of an option.

The pragmatic way to deal with this is through the preferred lifetime
mechanism.

> Q2b) It's really unclear how IPv6 interacts with the linux RPDB these
> days...

I'd actually rather avoid using any Linux- or whatever-specific stuff
for this.

> Q3) When an external link goes down they'd like the offices to
> fail-over to routing internally to the next best gateway. But if the
> source address is 2002:the-local-office, sending stuff out
> 2002:some-other-office's-gateway isn't going to work very well.

That's another reason why you don't want to use 6to4.

> Now, I don't really want to talk about NAT. What I would like to have
> happen, is when an external tunnel goes down, that the IPv6 addresses
> derived from it become deprecated and aren't used for future
> connections, and when it goes back up they get undeprecated....
>
> It's not clear to me how to do this aside from rewriting the
> radvd.conf file and restarting radvd, and even then, there doesn't
> appear to be syntax to "deprecate" an address only (thus eliminating
> the need to remove it from DNS)

Yes, just set the preferred lifetime to 0.

> Is there something that I could use other than radvd?

The problem is not so much with radvd but with the router
advertisement protocol as such.

> it's not clear how to deprecate static addresses either (for example,
> on a DNS server or a virtual machine).

I don't have a Linux box up and running right now, so YMMV, but:

- Yes, rewrite your radvd.conf.  Setting the preferred lifetime to 0
  while keeping the valid lifetime up should do the trick.  If you do
  this in advance and/or script things, then it shouldn't be much of
  an issue.

- Using ip or ifconfig or whatever it should be possible to set the
  preferred lifetime on statically configured interfaces, too.

> Q4) This is maybe just a syntax problem with the "ip" tool
>
> For example, I can rid myself of an address by:
>
> ip addr change 2001:470:b9d7:e::1/64 dev eth1 valid_lft 1 preferred_lft 1
>
> But INTERNALLY that IPv6 address is fine, so what I really want to do
> is deprecate the address so it's not used for future external
> communication and I don't mess up any on-going internal
> communications. So, somehow, I need to "hear" from userspace, that my
> default gateway for this prefix is toast and then (for example)

So, keep the valid lifetime up but set the preferred lifetime to 0.

> ip addr change 2001:470:b9d7:e::1/64 dev eth1 deprecated
> Error: either "local" is duplicate, or "deprecated" is a garbage.
>
> (whenever this happens I can also remove the IP address from DNS via
> nsupdate)
>
> I've been fiddling with the syntax of this ip command for a while to
> no avail. (linux 2.6.32) It doesn't accept any of the other documented
> flags (primary, secondary, etc) either.

Yes, I love it, too.  At least they managed to get some sort of
documentation done by now.

> And for dynamically configured clients to able to "hear" a deprecated
> IPv6 prefix via some normal method that windows and linux clients
> would respond to without any scripting would be nice.

Just rewrite the radvd.conf and set the preferred lifetime to 0.
Somehow I have the feeling I'm repeating myself:-)

> Q5) Taking a prefix to a tunnel up or down is somewhat
> problematic. For example, right now, (what prompted this mail), my HE
> tunnel is down (external gateway is down), but it says it's up:
>
> 9: he-ipv6: <POINTOPOINT,NOARP,UP>
>      inet6 2001:470:1f0e:34a::2/64 scope global
>      inet6 fe80::c0a8:702/128 scope link
>
> So the only way I know to test the tunnel is via pinging the other
> side of it 2001:470:1f0e:34a::1,
> and if that fails, rewrite the radvd file...

Yes, that's what it boils down to, at least when the problem is on the
HE side.  In most other cases dynamic routing can do the trick, but it
would take some effort on the other side of the tunnel to do this
properly.

However, if the problem is not with HE, your script could
alternatively start a new tunnel for that prefix from elsewhere (like
your main office) and you could then re-route your traffic through
there.


Cheers,

    Ben

-- 
			 Business Grade IPv6
		    Consulting, Training, Projects

Dipl. Inform.                 Tel.:  +49 (0) 69 - 247 512 362
Benedikt Stockebrand          Mobil: +49 (0) 177 - 41 73 985           
Fichardstr. 38                Mail:  me at benedikt-stockebrand.de        
D-60322 Frankfurt am Main     WWW:   http://www.benedikt-stockebrand.de/

Bitte kein Spam, keine unaufgeforderten Werbeanrufe, keine telefonischen
Umfragen.  Anrufe werden ggf. zu rechtlichen Zwecken aufgezeichnet.  
No spam, no unsolicited sales calls, no telephone surveys, please. Calls
may be recorded for legal purposes.


From d at teklibre.org  Thu Feb 25 08:41:29 2010
From: d at teklibre.org (Dave Taht)
Date: Thu, 25 Feb 2010 01:41:29 -0600
Subject: failing over better with multiple prefixes?
In-Reply-To: <sa7vddmcftr.fsf@benedikt-stockebrand.de>
References: <4B85521F.3090607@teklibre.org>
	<sa7vddmcftr.fsf@benedikt-stockebrand.de>
Message-ID: <4B8629A9.9080103@teklibre.org>

On 02/24/2010 06:35 PM, Benedikt Stockebrand wrote:
> Hi Dave and list,
>
> Dave Taht<d at teklibre.org>  writes:
>
>    
>> Q1) Is there a "best (and cheap) way" to get a dedicated, independent
>> IPv6 address space and BGP AS number that people are willing to route?
>>      
> I don't know, but...
>
>    
>> Note that I am in the third world
>>      
> ... you'd best ask around locally.
>    
Have. The one ISP that had a bit of a clue (cablenet.com.ni, who ran out 
cable internet to great success about 1 1/2 years ago due to hugely 
frustrated demand to most of the larger cities) got themselves bought by 
the local cell phone company (claro) and seem to have run off all the 
tech folk.

It is not encouraging to come up empty for "ipv6" for any of the local 
providers.

http://www.google.com.ni/search?hl=en&safe=off&q=ipv6+site%3Awww.claro.com.ni&btnG=Search&meta=&aq=f&oq=

It doesn't help that my technical Spanish isn't the best, either. I'm 
sure there is someone out there that groks ipv6 and has fiber in Managua...

> Out of curiosity: Where are you?
>    

Nicaragua. The internet may suck but the surf is good and my office view 
is great ( 
http://www.teklibre.com/~d/casayanqui/masterbedoomviewbetter.jpg ).

I can see Costa Rica (about 18 km) but word has it that the Net sucks 
even harder over there. Am still thinking that running a wireless link 
over to there would make sense...


>    
>> So joe has a dedicated IPv4 address and uses the resultant 2002
>> network to add IPv6 to their net.
>> [snip]
>>      
> Don't use 6to4 in production environments: If the public relay you use
> causes trouble you may not even know who to contact -- or how.  And if
> the tunnel routers in the reverse direction don't work the situation
> is even worse.
>    

You know, I get this bit a lot. I've been using 6to4 off and on for 
about 9 years (in the US, mostly), and it has generally been very 
reliable (in addition to easy), and for systems located "next door" to 
each other topologically the latency is low and bandwidth high.

Your caveat

"If the public relay you use causes trouble you may not even know who to contact -- or how"

applies more often to normal routers in between me and my destinations 
over ipv4, than to a 6to4 router out in the cloud. Down here, 
connectivity is frequently lost to the adjacent city (Rivas), the 
capital (Managua), or outside the country, so getting to local 
destinations is important.

So (after about a year of using it down here) 6to4 tends to be more 
reliable, faster, and lower latency on the whole than using tunnels, due 
to the accumulated MTBF of the other 20+ routers between me and hurricane.

I recently read of a deployment using 6RD (and just started building 
that into my kernels) which looked like an encouraging adaptation of 
6to4 tech...

Aside: What does it take to own an operate a 6to4 router?

> If I understand your setup correctly, then you are quite likely best
> off to use tunnels (HE or whatever else you like and can get) until
> your ISPs start to offer you native IPv6.
>
> You can then route these adresses through your dedicated links as
> needed.
>
> As for the failover issue: Yes, you can advertise addresses both from
> your direkt upstream and your main office in all sites, but keep the
> fallback addresses deprecated until something nasty happens.  As long
> as you are using tunnels to HE, consider moving your tunnel end point
> to wherever there is working connectivity.
I am trying to get to that point, however, things like whatsmyip tend 
not to work reliably once you go behind an ISP's NAT to the home....

>   Once you have native IPv6
> connectivity and a cooperative provider
I may well be old and gray before that happens. Most providers down here 
stick people behind at least one layer of NAT, sometimes two or three. 
I'm pretty sure this is the case throughout the third world and asia.

> , use a tunnel from them
> through another connection as a fallback -- yes, this requires
> cooperation from your ISP.
>
>    
It really sounds like I have to bite the bullet and become my own ISP.

>    
>> There are also dedicated links between the offices, in more or less of
>> a wireless mountainous mesh, many of which have their own real IPv4 IP
>> gateway from various providers as well, as well as a few that are
>> stuck behind NAT from less wealthy providers, for which they use a
>> hurricane electric tunnel currently. So it's a huge waste of very
>> limited bandwidth to backhaul everything to the main office...
>>      
> Will an AS and possibly PI addresses actually help in that case?
>    

Well the nice thing about technology is that I can take advantage of the 
latest stuff.  My next-gen private links are being built around openwrt 
based routers (ubiquity), which means the private backbone mesh will 
probably run at close to 54Mbit, compared to the 32Kbit (or less) most 
of the offices have to the internet.

I'm seriously considering adding the next generation sheevaplugs 
(guruplugs) to add even more smarts to the individual offices (512MB 
ram, 512MB flash, 5 watts), like squid, and Xorp or quagga.  Important 
is power consumption because solar/battery systems are expensive...

Anyway, getting a real, independent IPv6 address space and a AS number 
would hopefully let me egress/ingres from the multiple points where I 
have control of the IPv4 address, but no, it doesn't solve all problems.

>    
>> Every machine ends up with one IPv6 address per (IPv4 or tunnel)
>> gateway. This is kind of unwieldy, particularly if you want to wedge
>> all this into DNS, too...
>>      
> First of all, unless the situation in your setup is way beyond what
> I'd consider reasonably reliable, you can normally limit yourself to
> two or three addresses.
>    
It's way beyond what I'd consider reasonably reliable. Power outages 
last 8 hrs to 3 days, power flickers on and off 5-10 times a day, we 
have persistently low voltage (<95v) which wrecks UPSes, and a horde of 
other problems.

I'm writing and sending this email now, without power, in the dark, with 
only my monitor and backlit keyboard for illumination, on a battery 
backed up wireless link hopping over a couple mountains...

The amazing thing is that it works at all (it pays big to be running 
mail servers locally. postfix will try REALLY hard to deliver and get 
mail the way I've set it up over IPv6).

It is a dramatic contrast to how everything else is getting done "in the 
cloud" these days. It's so dark I can't even see the cloud...

> As far as the DNS issue goes: That's what scripts are there for.
>
>    
Well, it would be nice if I knew how to detect deprecated addresses on 
the client side on either windows or linux without polling.
>    
>> Still, this works pretty good when everything is working.
>>      
> It's always good when everything is working -- the headaches come from
> not thinking in time about how to keep it that way:-)
>
>    
Staying in the US - or better, moving to Europe - might have been a good 
idea.

>> Q2a) It's unclear, that once you start assigning multiple 2002: or
>> 2001: tunnel prefixes how to make the local 2002 or 2001 gateway
>> prefix be the primary source address prefix. The routers are all
>> running a reasonably recent version of linux (2.6.26 at minimum), and
>> have ip rules tables installed for source routing (ipv4 only at the
>> moment) where needed...
>>      
> You can't really do that on the routers.  Check RFC 3484 for the
> details on how address selection works.  Unfortunately, at least last
> time I checked Linux didn't have a configurable address selection
> table -- but then, you'd have to do this on the hosts as well, so it
> is pretty much out of an option.
>    
I'm not really sure what you mean here.  libc has a rule database for 
address selection built into it, am not sure about uclibc....

My thought was I would (in case of failure of a given prefix) block 
outgoing source addresses from that prefix at the local router and 
return the correct ICMPv6 unreachable message (not sure what that is).

The clients would then cycle through their other source addresses 
rapidly until it finds one that works.

(I more or less do this currently with ipv4 rules in the RPDB. Is there 
a linux/ipv6 mailing list that is active these days?)

> The pragmatic way to deal with this is through the preferred lifetime
> mechanism.
>
>    
>> Q2b) It's really unclear how IPv6 interacts with the linux RPDB these
>> days...
>>      
> I'd actually rather avoid using any Linux- or whatever-specific stuff
> for this.
>
>    
Got an alternate suggestion? I think highly of BSD but it doesn't run on 
either my wireless router or "smart server" of choice...
>> Q3) When an external link goes down they'd like the offices to
>> fail-over to routing internally to the next best gateway. But if the
>> source address is 2002:the-local-office, sending stuff out
>> 2002:some-other-office's-gateway isn't going to work very well.
>>      
> That's another reason why you don't want to use 6to4.
>
>    
That's another reason why you don't want to use multiple tunnels either, 
or anything short of a BGP mediated internet connection. Multihoming is 
actually something that NAT is useful for....
>    
>> Now, I don't really want to talk about NAT. What I would like to have
>> happen, is when an external tunnel goes down, that the IPv6 addresses
>> derived from it become deprecated and aren't used for future
>> connections, and when it goes back up they get undeprecated....
>>
>> It's not clear to me how to do this aside from rewriting the
>> radvd.conf file and restarting radvd, and even then, there doesn't
>> appear to be syntax to "deprecate" an address only (thus eliminating
>> the need to remove it from DNS)
>>      
> Yes, just set the preferred lifetime to 0.
>
>   
I was under the impression that lifetimes of less than 7200 secs were 
problematic. I'll try it!
>   
>> Is there something that I could use other than radvd?
>>      
> The problem is not so much with radvd but with the router
> advertisement protocol as such.
>
>    
No, well, I'd like it very much if radvd went away and what it did got 
integrated into Xorp or some more complete routing solution. I am 
looking over ahcp + babel ( 
http://www.pps.jussieu.fr/~jch/software/ahcp/ ) and liking what I see....
>> ip addr change 2001:470:b9d7:e::1/64 dev eth1 deprecated
>> Error: either "local" is duplicate, or "deprecated" is a garbage.
>>
>> (whenever this happens I can also remove the IP address from DNS via
>> nsupdate)
>>
>> I've been fiddling with the syntax of this ip command for a while to
>> no avail. (linux 2.6.32) It doesn't accept any of the other documented
>> flags (primary, secondary, etc) either.
>>      
> Yes, I love it, too.  At least they managed to get some sort of
> documentation done by now.
>    
ok, I'll dig into the code a bit.

>
> However, if the problem is not with HE, your script could
> alternatively start a new tunnel for that prefix from elsewhere (like
> your main office) and you could then re-route your traffic through
> there.
>
>    
as I wrote earlier whatsmyip is unreliable, so tunneling that way tends 
to be error prone.

aiccu? some other tunneling mechanism? One thought I had is that I have 
control of several machines in the states that have native ipv6 
connectivity and can also run 6to4. I don't have control of the native 
ipv6 stuff (/64s) so am limited to delegating my own 2002 from there 
here....

So I could tunnel a bunch of those 2002 prefixes down here using 
whatever mechanism I felt like, through multiple gateways... hmm... it 
would probably be as fast as hurricane and less hassle...

> Cheers,
>
>      Ben
>
>    


From michael.dillon at bt.com  Thu Feb 25 09:44:43 2010
From: michael.dillon at bt.com (michael.dillon at bt.com)
Date: Thu, 25 Feb 2010 08:44:43 -0000
Subject: failing over better with multiple prefixes?
In-Reply-To: <4B8629A9.9080103@teklibre.org>
Message-ID: <28E139F46D45AF49A31950F88C49745805484186@E03MVZ2-UKDY.domain1.systemhost.net>

> >> Q1) Is there a "best (and cheap) way" to get a dedicated, 
> independent
> >> IPv6 address space and BGP AS number that people are 
> willing to route?
> >>      
> > I don't know, but...
> >
> >    
> >> Note that I am in the third world
> >>      
> > ... you'd best ask around locally.
> >    
> Have. The one ISP that had a bit of a clue (cablenet.com.ni, 
> who ran out cable internet to great success about 1 1/2 years 
> ago due to hugely frustrated demand to most of the larger 
> cities) got themselves bought by the local cell phone company 
> (claro) and seem to have run off all the tech folk.

Nevertheless, LACNIC is the only place that you can get
an AS number. You can get IPv6 addresses only from LACNIC
or your upstream ISP. Talk to Juan Carlos Alonso at LACNIC
juancarlos at lacnic.net about the Nicaraguan situation. There
are already 4 IPv6 allocations in the country but there is
no IPv6 task force in Nicaragua or the 3 neighboring 
countries.

http://mail.lacnic.net/pipermail/lactf/ has more about the 
IPv6 task force in Latin America.

> It doesn't help that my technical Spanish isn't the best, 
> either. I'm sure there is someone out there that groks ipv6 
> and has fiber in Managua...

Read some RFCs. Here is one about BGP-4 in Spanish
http://www.normes-internet.com/normes.php?rfc=rfc1771&lang=es

And Wikipedia
http://es.wikipedia.org/wiki/IPv6

Newsletter from ISOC Argentina
http://www.isoc.org.ar/ediciones/ipv6ParaTodos.pdf

I'm afraid there are no easy solutions, but it sounds like if you manage
to get something together in your area, there are business opportunities
in Costa Rica as well.

--Michael Dillon

From me at benedikt-stockebrand.de  Thu Feb 25 16:32:33 2010
From: me at benedikt-stockebrand.de (Benedikt Stockebrand)
Date: Thu, 25 Feb 2010 15:32:33 +0000
Subject: failing over better with multiple prefixes?
In-Reply-To: <4B8629A9.9080103@teklibre.org> (Dave Taht's message of "Thu,
	25 Feb 2010 01:41:29 -0600")
References: <4B85521F.3090607@teklibre.org>
	<sa7vddmcftr.fsf@benedikt-stockebrand.de>
	<4B8629A9.9080103@teklibre.org>
Message-ID: <sa7fx4pfi0e.fsf@benedikt-stockebrand.de>

Hi Dave and list,

Dave Taht <d at teklibre.org> writes:

> I can see Costa Rica (about 18 km) but word has it that the Net sucks
> even harder over there. Am still thinking that running a wireless link
> over to there would make sense...

if you have somebody to peer with over there, give it a try.  If
nothing else, it should give you some independence from domestic
carriers.

> So (after about a year of using it down here) 6to4 tends to be more
> reliable, faster, and lower latency on the whole than using tunnels,
> due to the accumulated MTBF of the other 20+ routers between me and
> hurricane.

Ok, that's a point for now.  As soon as you find a tunnel provider
more close to you I'd still recommend to drop 6ot4.

> I recently read of a deployment using 6RD (and just started building
> that into my kernels) which looked like an encouraging adaptation of
> 6to4 tech...

6RD only provides you with a single subnet per IPv4 address, so for
setups I'd consider "normal" (from the first world perspective) it
doesn't get you very far.

> Aside: What does it take to own an operate a 6to4 router?

Check RFC 3068 for some operational requirements.  It basically boils
down to this: If you screw up and don't remove the IPv4 anycast
address (192.88.99.1/24) from your BGP, you may cause lots of trouble
to all sorts of people.  There are a number of security precautions
you are expected to take.  And of course you need an AS to advertise
the anycast address...

Setting up a private relay router (not using the anycast address) is
fairly straightforward.

>>   Once you have native IPv6
>> connectivity and a cooperative provider
> I may well be old and gray before that happens. Most providers down
> here stick people behind at least one layer of NAT, sometimes two or
> three. I'm pretty sure this is the case throughout the third world and
> asia.

Actually, since the pain is worse than elsewhere there's quite a
chance that people will actually do something about it sooner than
over here.

> It really sounds like I have to bite the bullet and become my own ISP.

Good luck.  But then, if the competition is clueless, doing so may
well be worth it.

> Anyway, getting a real, independent IPv6 address space and a AS number
> would hopefully let me egress/ingres from the multiple points where I
> have control of the IPv4 address, but no, it doesn't solve all
> problems.

Don't forget you need peering partners, too.  If you don't find any
decent ones, you are no better off than before.

>> First of all, unless the situation in your setup is way beyond what
>> I'd consider reasonably reliable, you can normally limit yourself to
>> two or three addresses.
>>
> It's way beyond what I'd consider reasonably reliable. Power outages
> last 8 hrs to 3 days, power flickers on and off 5-10 times a day, we
> have persistently low voltage (<95v) which wrecks UPSes, and a horde
> of other problems.

Ok, I didn't know the situation was that bad in Nicaragua.  I've seen
some situations when travelling in "real" Africa a few years ago and
thought you couldn't really beat that (except in parts of
California:-).

As far as the UPSes and damage due to flaky power go, I heard
something along the lines in Malawi or Zambia, either from an
hydrology engineer or a Medecins Sans Frontiere doctor.  If you get a
chance, see if you can find some higher quality equipment for the
non-IT market, like for medical equipment or such.  Apparently this
stuff isn't as expensive as it sounds.

Depending on your business you might even consider running your own
diesel generator on a permanent basis during business hours.

> It is a dramatic contrast to how everything else is getting done "in
> the cloud" these days. It's so dark I can't even see the cloud...

The good news is that the Internet was originally designed for even
worse conditions during the Cold War.  I remember those Internet cafes
in Africa some years ago.  They worked fairly well compared to just
about anything else.

And you don't have people who rely so heavily on Internet connectivity
(or electricity, or tap water, or whatever) that any 30 second
downtime causes weeks of cleaning up the damage.

>> As far as the DNS issue goes: That's what scripts are there for.
>>
>>
> Well, it would be nice if I knew how to detect deprecated addresses on
> the client side on either windows or linux without polling.

Can't you do it centrally as soon as you switch to the fallback
radvd.conf?

>> It's always good when everything is working -- the headaches come from
>> not thinking in time about how to keep it that way:-)
>>
>>
> Staying in the US - or better, moving to Europe - might have been a
> good idea.

Well, we have our share of problems in Europe as well.  And as far as
reliable electricity is concerned, the US seems to have their's, too.

>> You can't really do that on the routers.  Check RFC 3484 for the
>> details on how address selection works.  Unfortunately, at least last
>> time I checked Linux didn't have a configurable address selection
>> table -- but then, you'd have to do this on the hosts as well, so it
>> is pretty much out of an option.
>>
> I'm not really sure what you mean here.  libc has a rule database for
> address selection built into it, am not sure about uclibc....

Last time I checked this table was configurable with Solaris and the
BSDs but not Linux.  Maybe they have fixed that since, but in most
situation I consider "normal" there's little use in tweaking it
anyway.

> My thought was I would (in case of failure of a given prefix) block
> outgoing source addresses from that prefix at the local router and
> return the correct ICMPv6 unreachable message (not sure what that is).
>
> The clients would then cycle through their other source addresses
> rapidly until it finds one that works.

Unfortunately, as far as I know you can't do that with the source
address, only with the destination address.

Applications that are properly written cycle through all records found
in a DNS reply for destination addresses, but for every destination
address only a single source address is tried.

In some cases this may still work, because one of the criteria used is
"longest shared prefix" between a destination address and the
candidate source addresses.  Check RFC 3484, it does have the details.

>> I'd actually rather avoid using any Linux- or whatever-specific stuff
>> for this.
>>
> Got an alternate suggestion? I think highly of BSD but it doesn't run
> on either my wireless router or "smart server" of choice...

No, but I've seen what happens if you do this sort of thing.  Three
years from now, recent versions of Linux don't support your hacks any
more and the old version you use has a remotely exploitable security
hole, or doesn't run on the hardware that's still available to the
market, or whatever.

> That's another reason why you don't want to use multiple tunnels
> either, or anything short of a BGP mediated internet
> connection. Multihoming is actually something that NAT is useful
> for....

So are proxies.  Can you set up proxies for all protocols you need, or
is that infeasible?

>> Yes, just set the preferred lifetime to 0.
>>
> I was under the impression that lifetimes of less than 7200 secs were
> problematic. I'll try it!

You can't set the valid lifetime in a router advertisement to 7200
without prior "countdown", but it's ok to set the preferred lifetime.

> No, well, I'd like it very much if radvd went away and what it did got
> integrated into Xorp or some more complete routing solution.

You can do the router advertisement stuff with Quagga, but I'm not
entirely sure if that helped that much.

> as I wrote earlier whatsmyip is unreliable, so tunneling that way
> tends to be error prone.

Ok, I've used Hexago some years ago and didn't find any problems then,
but NAT is simply something you want to avoid whenever possible.

> aiccu? some other tunneling mechanism? One thought I had is that I
> have control of several machines in the states that have native ipv6
> connectivity and can also run 6to4. I don't have control of the native
> ipv6 stuff (/64s) so am limited to delegating my own 2002 from there
> here....
> [snip]

Yes, setting up your own private 6to4 relay is definitely helpful.
More generally, being in control of both tunnel ends makes life
significantly easier.

If you have any chance at all of setting up a shorter prefix than /64
on one of those machines, consider using configured tunnels to it
instead.


Cheers,

    Ben

-- 
			 Business Grade IPv6
		    Consulting, Training, Projects

Dipl. Inform.                 Tel.:  +49 (0) 69 - 247 512 362
Benedikt Stockebrand          Mobil: +49 (0) 177 - 41 73 985           
Fichardstr. 38                Mail:  me at benedikt-stockebrand.de        
D-60322 Frankfurt am Main     WWW:   http://www.benedikt-stockebrand.de/

Bitte kein Spam, keine unaufgeforderten Werbeanrufe, keine telefonischen
Umfragen.  Anrufe werden ggf. zu rechtlichen Zwecken aufgezeichnet.  
No spam, no unsolicited sales calls, no telephone surveys, please. Calls
may be recorded for legal purposes.


From frnkblk at iname.com  Sat Feb 27 17:59:19 2010
From: frnkblk at iname.com (Frank Bulk)
Date: Sat, 27 Feb 2010 10:59:19 -0600
Subject: D-Link to support DHCPv6-PD soon
Message-ID: <!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAADGOjeOe//uRbyjj1zwLXm1AQAAAAA=@iname.com>

Heard from a D-Link product manager that code that supports DHCPv6-PD will
be available in the next month or two.  I had asked about the DIR-615 and
DIR-825, but he didn't mention which platform(s).

This is good news.

Frank