Hi,
We are using 6to4 on our fallback site because the provider there is
not able to provide us native IPv6 yet. We have also installed a
fallback nameserver over there using a 6to4 address.
This works good and no complains what so ever in the past.
However, last week Denic (registry for .de) changed their policy (or
their checks). They don't allow a nameserver for a .de domain anymore
which contains a 6to4 address. The policy is "it should be a global
unicast AND the block should be assigned to a RIR for suballocation
purpose".
The 6to4 range is Global Unicast
(http://www.iana.org/assignments/ipv6-unicast-address-assignments/)
but it is not assigned to a RIR because it is a special block. This
fails their policy and their checks (resulting in a ERROR: 105 All
IPv6 Addresses must be Global Unicast).
Ok, policy is policy and we should not complain. However, I'm asking
your opinions about this policy. I find this really stupid because
this completely brakes use for 6to4 in Germany and their is no good
reason to block it.
We know we should push our provider to support native IPv6, and we do.
But this should not stop us using IPv6 6to4.
regards, Igor Ybema
Ok, policy is policy and we should not complain.
No, really, policies should be examined and questioned.
Having been in policy meetings, unless the operations crowd openly questions and gives feed back, the meetings are just wastes of time.
However, I'm asking your opinions about this policy.
That's the right first step.
(Note: no commentary on 6to4 in this, I'm not familiar enough with it.)
Someone once asked Angela Merkel what she liked most about Germany. She
replied "Ich denke an dichte Fenster! Kein anderes Land kann so dichte und
so sch�ne Fenster bauen"
("I think ... thick windows. No other country can build windows which are
as thick or as nice.")
This might just be a cultural thing. While lots of countries have a love
affair with doing things badly, Germany realises the value of quality
infrastructure.
6to4 is ghetto. DE-NIC doesn't like it. Putting a DNS server on a 6to4
address serves no other purpose than to say: "There! I fixed it!"
ob-url: http://thereifixedit.com/
Nick
Ok, policy is policy and we should not complain. However, I'm asking
your opinions about this policy. I find this really stupid because
this completely brakes use for 6to4 in Germany and their is no good
reason to block it.
Someone once asked Angela Merkel what she liked most about Germany. She
replied "Ich denke an dichte Fenster! Kein anderes Land kann so dichte und
so schöne Fenster bauen"
("I think ... thick windows. No other country can build windows which are
as thick or as nice.")
Actually, the translation is: "I think about airtight windows. No other country can build widows that are this airtight and this beautiful."
dicht = airtight, dick = thick.
If you can't get native IPv6 then use a tunneled service like
Hurricane Electric's (HE.NET). It is qualitatively better than
6to4 as it doesn't require random nodes on the net to be performing
translation services for you which you can't track down the
administrators of. You can get /48's from HE.
I use HE.NET and have for the last 7 or so years for my home network.
Mark
Our external IPv6 web accesses are still very low, but have grown
linearly over the last five years from 0.1% in 2005/06 to 0.5% of
total web traffic now. Internally of course our figures are higher.
Of that IPv6 traffic, 1% comes from 2002::/16 prefixes. Even less
from Teredo prefixes. I guess we could run stats against known TB
prefixes to determine who is using those.
* Igor Ybema:
We know we should push our provider to support native IPv6, and we do.
But this should not stop us using IPv6 6to4.
You should complain to the DENIC member you use, or perhaps the DENIC
ops team. Perhaps it's a simple mistake. NANOG isn't the right forum
for this.
You are very unlikely to get traffic from Teredo, because:
1) Windows only asks for AAAA if it has non-Teredo IPv6 connectivity
2) When Windows has non-Teredo IPv6 connectivity and so can ask for AAAA, preference for reaching your web content is going to be non-Teredo IPv6 -> IPv4 -> Teredo, due to the prefix policy table, unless you have an AAAA in 2001::/32 (Teredo space), in which case it will prefer IPv4 -> Teredo.
With 6to4, Windows hosts will ask for AAAA, and will prefer non-6to4 IPv6 over 6to4 over IPv4. I'm a little surprised at how little 6to4 traffic you get.
Teredo gets most use when an application asks for a connection to a certain IPv6 address, without DNS. This is most common in peer to peer - you're not going to levels of web traffic and P2P traffic using Teredo that are comparable ratios to IPv4.
My expectation is that lines in your web logs in 2001::/32 have user agent strings indicating non-Windows hosts - or perhaps someone has miredo running on a proxy server, or perhaps the users' non-Teredo IPv6 AND IPv4 paths to you were broken when they tried to make a request. Stranger things have happened..
I wrote some code that will allow you to better understand the connectivity that end users of your web content have - when they visit your site it has them get 1x1 px transparent GIF images from various different hostnames with different characteristics in the DNS, and then reports back which loaded and how long.
http://www.braintrust.co.nz/ipv6wwwtest/
Wikipedia were running this for a while, on every 100th hit. They did a modification to this where they also had a large image to test for pmtud errors. Google are using a similar technique to test IPv6 capabilities and networks.
I'll add something with the pmtud stuff in the next week or so, and I'll also push the code to github.
You'll probably want to make you own changes based on what you're interested in, also.
* Nathan Ward
You are very unlikely to get traffic from Teredo, because:
1) Windows only asks for AAAA if it has non-Teredo IPv6 connectivity
2) When Windows has non-Teredo IPv6 connectivity and so can ask for
AAAA, preference for reaching your web content is going to be
non-Teredo IPv6 -> IPv4 -> Teredo, due to the prefix policy table,
unless you have an AAAA in 2001::/32 (Teredo space), in which case it
will prefer IPv4 -> Teredo.
With 6to4, Windows hosts will ask for AAAA, and will prefer non-6to4
IPv6 over 6to4 over IPv4. I'm a little surprised at how little 6to4
traffic you get.
Teredo gets most use when an application asks for a connection to a
certain IPv6 address, without DNS. This is most common in peer to
peer - you're not going to levels of web traffic and P2P traffic
using Teredo that are comparable ratios to IPv4.
When it comes to HTTP traffic, that's not always the case: The Opera
web browser in all recent versions will unconditionally prefer IPv6
(including Teredo and 6to4) over IPv4. Since Windows Vista and newer
automatically configure Teredo and/or 6to4, this is the biggest single
reason for regular clients being unable to access dualstacked websites
here in Norway, according to my measurements (which are done in a
similar fashion to yours). In case you're interested, I've been posting
reports to the ipv6-ops list about it for a few months now:
http://thread.gmane.org/gmane.org.operators.ipv6/2636
http://thread.gmane.org/gmane.org.operators.ipv6/2683
http://thread.gmane.org/gmane.org.operators.ipv6/2764
http://thread.gmane.org/gmane.org.operators.ipv6/2908
Opera has fortunately improved the behaviour in their next version
(10.50) by simply using getaddrinfo() on Windows. It is due to be
released in a month or two - hopefully then I'll be able to talk some of
my customers into dualstacking their content.
Best regards,
Please don't just say "windows" as the different versions of windows behave differently, as we've already discussed in the thread here:
<http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01587.html>
Windows XP will happily use Teredo when faced with AAAA response only.
What you're describing is Vista and Win7 I guess?
Yep, sorry!
XP won't ask for AAAA unless it has non-Teredo connectivity though I don't think.
That doesn't compute considering all the XP machines with Teredo addresses that asked for my AAAA only content.
<http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html>
"Of the users getting v6 only gif from non-tunnel-space, 58% were from Proxad (free.fr I believe), and then on the list came UNINET, SUNET, FUNET (university networks in .no, .se and .fi) and Hurricane electric.
98% of Teredo users run Windows XP.
88% of 6to4 users run Windows Vista."
So 98% of Teredo users getting the v6only content (using DNS) was using WinXP, so it does seem it does AAAA lookups.
I mean non-Teredo connectivity in addition to Teredo.
Perhaps they have Teredo and 6to4, and could not reach you via 6to4 so instead used Teredo, or, any number of scenarios.
I think their only IPv6 connectivity was Teredo (for instance, they're behind NAT), and thus they used it to get the IPv6 only content.
So for our case here at Southampton our web presence www.ecs.soton.ac.uk
is advertised via both A and AAAA records.
What we see is less than 1% of our IPv6 traffic coming from the Teredo
prefix. 6to4 is at most 1%. I think the reason we see less 6to4 than
some might expect is that a lot of our IPv6 accesses may be from other
academic networks where IPv6 is available 'properly'.
I had our web guys send me a log of recent Teredo accesses to our servers
and the user agents were varied. As Tore suggested, Opera 9.8 was
on the list (since fixed), but also some Mozilla-based entries from both
Linux and Windows platforms.
Total entries: 761
Opera 9.8: 354
Firefox 3.5.7 (Windows): 61
Firefox 3.5.7 (Linux): 96
Iceweasel 3.5.6 (Linux): 8
Mozilla 4.0 (Windows): 242
Not a huge sample, but it shows Windows UAs hitting us from the Teredo
prefix.