Microsoft: Give Xbox One users IPv6 connectivity

Thu Oct 10 16:56:56 CEST 2013

On 11/10/2013, at 1:35 AM, Jared Mauch <jared at puck.nether.net> wrote:

> 
> On Oct 9, 2013, at 11:19 PM, Geoff Huston <gih at apnic.net> wrote:
> 
>> I applaud what you guys are doing, really, but from my perspective it looks like the reliance on Teredo is really quite scary given what we see out there about how it behaves, and I'm kinda wondering what I'm missing here that you obviously must've thought through in justifying this product decision! 
> 
> Geoff,
> 
> I've noticed some interesting behavior of the home-user CPE devices in recent years.  They continue to push into the "application aware" department, and bring with them the defects of that.  We're also seeing an increasing number of folks using carrier provided CPE in the states (eg: if you have ATT UVerse, you must use their device, including the software defects and lack of knobs that come with it).
> 
> These devices have many benefits of providing a consistent set of access, but also a consistent set of defects. It seems Microsoft is just using Teredo as their own "VPN" gateway to allow the relevant communication to be possible.  No different than an enterprise that provides an "office router" for the teleworker to connect to IT resources which might be behind a VPN.
> 
> I've seen the internet continuing to shift in this direction with services, either all tunneled over http/https because that isn't blocked.  They are just leveraging it to VPN out to avoid having a centralized server aggregate and relay as necessary.
> 
> This should be applauded as you mention above, as it preserves the e2e aspects while working around devices that are incapable of providing this type of service.
> 
> I for one anxiously await the update for the 360 devices to take advantage of the same technology ;)
> 
> It should resolve a significant number of IPv4 issues and if that were to come out, I suspect it would be a significant "killer app" driving adoption of IPv6 and upgrade of CPE/Cable Modems/whatnot.
> 
> - Jared

Agreed completely Jared.

My concern about Teredo's robustness however still remains.

We've been polling users with IPv6 tests embedded in a Google Ad campaign for some years now. We were interested in teredo, so we thought that if one of the presented URLs as part of the test was http://[<ipv6 address>] then we'd bypass the DNS and activate teredo on all those windows platforms out there. Which is effectively what happened.

However it was not all joy and happiness. In around 20 - 25% of cases we would see the initial part of the Teredo "handshake" which is the ICMP echo request, and the server responds with the echo responds, but then no more thereafter. No connection was made and the user's browser failed to load the URL.

Of those that succeeded with the ICMP exchange we also observer some 10% - 12% of cases would send us a SYN using the Teredo "channel", we would respond with a SYN+ACK, but there was nothing more from the remote end. It appeared that this was some kind of local filtering issue close to the client.

The result of this was that the Teredo connection failure rate was around 1 in 3. Which is not a viable outcome for many services (apart from torrents, but thats another story)

Chris has pointed out that in P2P the Teredo unit is trying to reach another Teredo unit, and even when the box is dual stacked, when the unit wants to speak to a remote teredo address it will also use teredo. So the theory says that there is no relay - to quote from http://technet.microsoft.com/en-us/library/bb457011.aspx

----
For packets destined for another Teredo host in a different site, the Teredo tunneling interface uses bubble packets as the substitute for the address resolution process of Neighbor Discovery when both Teredo hosts are across restricted NATs. The exchange of bubble packets creates address and port-specific mappings in both restricted NATs so that the two Teredo clients can send packets directly to each other. For more information, see "Initial communication between Teredo clients in different sites" in this article.
----

I have not gathered data on Teredo-to-Teredo reliability. The connection failure numbers quoted above make use of a Teredo Relay. But this teredo-to-teredo connection failure rate in the Internet appears to be a critical assumption here for this form of connection architecture.

Geoff