[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 6to4 considered a bad thing

To: james woodyatt <jhw@apple.com>
Subject: Re: 6to4 considered a bad thing
From: Kevin Day <toasty@dragondata.com>
Date: Fri, 1 Feb 2008 16:55:14 -0600
Cc: v6ops Operations <v6ops@ops.ietf.org>
In-reply-to: <0D8EC4E8-994D-4AA1-960D-0CD6DF3E7AF8@apple.com>
References: <89C4B01D-C26D-411B-8AA5-BDB3B1AF724A@apple.com> <C3C8EF4E.A8B5%alain_durand@cable.comcast.com> <AFE0AC8DCDE68842B94E8EC69D5F21D639F2466D45@NA-EXMSG-W602.wingroup.windeploy.ntdev.microsoft.com> <0D8EC4E8-994D-4AA1-960D-0CD6DF3E7AF8@apple.com>


On Feb 1, 2008, at 3:48 PM, james woodyatt wrote:

Teredo went one step further. Public gateways can easily be abused.So Teredo introduced a discovery mechanism to find out the bestgateway on a destination by destination basis. That mechanism islittle more than a ping, and could easily be ported to 6to4. Wecould assume that 6to4 routers maintain a "routing cache"associating specific "native IPv6" destinations with the "closest6to4 gateway". Given a new IPv6 destination, the 6to4 router willsend a ping through the public server, note the IPv4 address fromwhich the ping comes back, and send the rest of the traffic throughthat address.
This assumes the "ping" packets will pass through the same firewallsas the packets that trigger them. If they don't produce a timelyresponse, what happens? Remember, at this point, there is a humanbeing sitting at a console watching a stalled progress bar andwaiting for a connection to go through. The connection they'reattempting is IPv6 because their host has a global IPv6 addressassigned (with a 2002:aabb:ccdd:xxxx:/64 prefix) and they got ananswer to a request for AAAA records.
Their host can connect to other hosts in 2002::/16 just fine. It'sonly the non-2002::/16 address that are unreachable. So, how manynon-6to4 destinations do we have to "ping" before we decide to stopadvertising an IPv6 default route for those 2002:aabb:ccdd:xxxx::/64addresses altogether?

Could requiring that anycasted 6to4 relays respond to an ICMP echo ontheir v6 address, then sending a ping to 2002:c058:6301:: help? Thatwould at least prove connectivity to 192.88.99.1, and that somethingthere is listening.


That works for our relay, anyway:

$ ping6 2002:c058:6301::
PING6(56=40+8+8 bytes) 2002:451f:630e:1::1 --> 2002:c058:6301::
16 bytes from 2002:c058:6301::, icmp_seq=0 hlim=64 time=6.398 ms

And this proves at the very least that:

v6 6to4 address selection on my system came up with the right IP
I can reach 192.88.99.1 over v4
6to4 made it through my router/firewall

The 6to4 relay at 192.88.99.1 is decapsulating/encapsulating packetscorrectly

It doesn't prove that the 6to4 relay actually has v6 connectivity, butI think that's getting beyond the scope of this problem.

If that helps, maybe this gives additional ammo for an updated 6to4anycast RFC that includes an ICMP echo requirement.


-- Kevin

Follow-Ups:
- Re: 6to4 considered a bad thing
  - From: Alain Durand <alain_durand@cable.comcast.com>

References:
- 6to4 connectivity test
  - From: james woodyatt <jhw@apple.com>
- 6to4 public anycast relay considered a bad think (was Re: 6to4 connectivity test)
  - From: Alain Durand <alain_durand@cable.comcast.com>
- RE: 6to4 public anycast relay considered a bad think (was Re: 6to4 connectivity test)
  - From: Christian Huitema <huitema@windows.microsoft.com>
- Re: 6to4 considered a bad thing
  - From: james woodyatt <jhw@apple.com>

Prev by Date: Re: 6to4 public anycast relay considered a bad think (was Re: 6to4 connectivity test)
Next by Date: Re: 6to4 public anycast relay considered a bad think (was Re: 6to4 connectivity test)
Previous by thread: Re: 6to4 considered a bad thing
Next by thread: Re: 6to4 considered a bad thing
Index(es):
- Date
- Thread