Enterprise Dual Stack without IPv6 Transit
Jeroen Massar
jeroen at massar.ch
Tue Dec 9 17:35:49 CET 2014
On 2014-12-09 17:27, Steve Housego wrote:
> First a bit of background, a client of mine is looking to deploy
> Microsoft DirectAccess and as part of that we are planning to
> Dual Stack IPv6 the path between the direct access clients (who are
> IPv6 only) [..]
Do you mean that the underlying network is IPv6-only while in the
DirectAccess tunnel (read: IPSEC tunnel) you run both IPv4 + IPv6?
What are you expecting clients to contact, only IPv4 or also IPv6
destinations?
Also, watch out for leaks from such tunnels (See RFC7359)
[..]
> They do not however (yet) have an IPv6 internet connection.
Why not? :)
> i.e. as it has a global unicast address will it prefer IPv6 and try to reach it
> with IPv6 first which will obviously fail and then use IPv4?
As long as you do not filter ICMPv6 and your routers return !N you
should be fine. All dual-stacked applications should try other addresses
and fall back. Happy Eyeballs typically makes this 'better'.
> My second question which is a bit more Microsoft centric – but worth
> asking – Is there likely to be some issue’s with the DirectAccess
> clients trying to access the IPv4 internet (which is all tunneled
> through the DA server).. as the DNS server will likely return a 'true'
> IPv6 address in the DNS response to the client, this bit further boggles
> me as it needs to be DNS64/NAT64 for this traffic.
The issues are the same for any other tunneled setup where you NAT outbound.
What is actually the use-case for DirectAccess? Do you want to force
corporate devices to always use the corporate network and never the
locally available connectivity? Or do you just use it to access the
resources in the corporate network?
Oh, and watch out for split-DNS, don't fall for that one ;)
Greets,
Jeroen
More information about the ipv6-ops
mailing list