Yahoo and IPv6

Matthew Kaufman <matthew@matthew.at> writes:

My Desktop is not able to make any IPv4 socket connections anymore. I get
"Protocol not supported". So there are IPv6-only users, already bitten by
no AAAA. So that's -1 from me.

Sounds to me like you're not on The Internet any more.

in <http://www.merit.edu/mail.archives/nanog/2001-04/msg00294.html> we see:

(*2) Q: But what IS the Internet?
       A: "It's the largest equivalence class in the reflexive, transitive,
       symmetric, closure of the relationship 'can be reached by an IP
       packet from'". Seth Breidbart

by which definition, matthew's observation would be correct. folks who want
to run V6 only and still be "on the internet" will need proxies for a long
while. folks who want to run V6 only *today* and not have any proxies *today*
are sort of on their own -- the industry will not cater to market non-forces.

Matthew Kaufman <matthew@matthew.at> writes:

My Desktop is not able to make any IPv4 socket connections anymore. I get
"Protocol not supported". So there are IPv6-only users, already bitten by
no AAAA. So that's -1 from me.

Sounds to me like you're not on The Internet any more.

in <http://www.merit.edu/mail.archives/nanog/2001-04/msg00294.html> we see:

(*2) Q: But what IS the Internet?
       A: "It's the largest equivalence class in the reflexive, transitive,
       symmetric, closure of the relationship 'can be reached by an IP
       packet from'". Seth Breidbart

by which definition, matthew's observation would be correct. folks who want
to run V6 only and still be "on the internet" will need proxies for a long
while. folks who want to run V6 only *today* and not have any proxies *today*
are sort of on their own -- the industry will not cater to market non-forces.

I think that the real question is, when will people who are running IPv4 only not be on the Internet by this definition?

Regards
Marshall

From: Marshall Eubanks <tme@americafree.tv>
Date: Sat, 14 May 2011 13:02:16 -0400

I think that the real question is, when will people who are running
IPv4 only not be on the Internet by this definition ?

is there an online betting mechanism we could use, that we all think will
still be in business decades from now when the truth is known? if we're
going to start picking the month and year when IPv4 is the new "PDP-11
compatibility mode" (that's a VAX reference), where the winner is whoever
comes closest without going over, my pick is July 2021, and i'm in for $50.

Any 36 bit machines left on the net?

I think that the real question is, when will people who are running
IPv4 only not be on the Internet by this definition ?

Probably never. What would be the incentive to turn off the NAT
gateways?

R's,
John

And clearly that situation can be kept that way for a long time by simply not serving them anything over IPv6.

But is that what we want?

Currently IPv4 is pretty good but that's not going to last once 1.5 NATs on average between any two points grows to 3.8 of them, with 1.7 starved for address/port combinations*. At that point you can technically still be 100% connected using just IPv4, but it won't be much fun anymore.

* numbers pulled out of the air by yours truly, but based on two consumers with home NAT today and with additional carrier NAT in the future.

I've been on IPv6 for a long time. When I started with IPv6, the only applications (to use the term loosely) that understood v6 were ping6 and traceroute6. These days, I think the only thing I wouldn't be able to do over IPv6 is print. It used to be that IPv6 pingtimes were 2 - 3 times worse than IPv4 pingtimes. They're pretty much the same 80% of the time now. I used to have 8 IPv4 addresses, enough for most of my computers. I have one now, with mandatory NAT. When I move later this year I may very well only have a partial IPv4 address.

The times are a-changing.

And I've been able to print using IPv6 on the $200 HP ethernet/wireless printer I bought over 18 months ago...

Times are changing.

But we have to get naming squared away. Typing IPv6 addresses is for the birds, and having everyone have to go fuss with a DNS provider isn't a viable solution.
             - Jim

From: Marshall Eubanks <tme@americafree.tv>
Date: Sat, 14 May 2011 13:02:16 -0400

I think that the real question is, when will people who are running
IPv4 only not be on the Internet by this definition ?

is there an online betting mechanism we could use, that we all think will
still be in business decades from now when the truth is known?

http://longbets.org/

if we're
going to start picking the month and year when IPv4 is the new "PDP-11
compatibility mode" (that's a VAX reference), where the winner is whoever
comes closest without going over, my pick is July 2021, and i'm in for $50.

Two suggestions:

1. Predict the condition, not the date. In other words, not "Condition
X will occur at Y" but "At Y, condition X will be true." The problem
with predicting the date is that the bet can't close until the
condition occurs. That leaves an unbounded case.

2. Measurability. How do you measure, "IPv4 is the new PDP-11
compatibility mode?" Try something like, "In the month of July 2021,
X% of the network traffic by packet count on the top 5 Internet
carriers will contain IPv4 packets. "

Regards,
Bill Herrin

From: Paul Vixie <vixie@isc.org>
To: nanog@nanog.org
Subject: Re: Yahoo and IPv6
Date: Sat, 14 May 2011 17:06:45 +0000

> From: Marshall Eubanks <tme@americafree.tv>
> Date: Sat, 14 May 2011 13:02:16 -0400
>
> I think that the real question is, when will people who are running
> IPv4 only not be on the Internet by this definition ?

is there an online betting mechanism we could use, that we all think will
still be in business decades from now when the truth is known? if we're
going to start picking the month and year when IPv4 is the new "PDP-11
compatibility mode" (that's a VAX reference), where the winner is whoever
comes closest without going over, my pick is July 2021, and i'm in for $50.

You could probably interest the University of Iowa College of Business in
it. See: <http://tippie.uiowa.edu/iem/index.cfm>

The genesis of this project was a 'futures' exchange on candidates for
the office of President of the United States. It's had an amazing
track-record of identifying 'winners' there.

Jim Gettys <jg@freedesktop.org> writes:

... we have to get naming squared away. Typing IPv6 addresses is for the
birds, and having everyone have to go fuss with a DNS provider isn't a
viable solution.

perhaps i'm too close to the problem because that solution looks quite
viable to me. dns providers who don't keep up with the market (which means
ipv6 and dnssec in this context) will lose business to those who do.

And a $100 Samsung laser printer here, sold as long ago as 15 months. (Also an expensive color laser copier Ricoh started producing in 2007, although I don't know if it shipped with an IPv6-capable firmware.) Even printing isn't the last holdout. :-)

  Home entertainment devices, on the other hand... :-(

      Jima

When the RIAA and friends in congress and international chapter affiliates make it illegal to share a network address.

Sorry that is when we turn them back on!!

Christian de Larrinaga

I don't believe it is currently viable for any but the hackers out there, given my experience during the Comcast IPv6 trial. Typing V6 addresses (much less remembering them) is a PITA.

You are asking people who don't even know DNS exists, to bother to establish another business relationship (or maybe DNS services might someday be provided by their ISP).

If you get past that hurdle they get to type long IPv6 addresses into a web page they won't remember where it was the year before when they did this the last time to add a machine to their DNS.

The way this "ought" to work for clueless home users (or cluefull users too, for that matter) is that, when a new machine appears on a network, it "just works", by which I mean that a globally routeable IPv6 address appears in DNS without fussing around using the name that was given to the machine when it was first booted, and that a home user's names are accessible via secondaries even if they are off line. And NXDOMAIN should work the way it was intended, for all the reasons you know better than I.

This is entirely possible ;-). Just go ask Evan Hunt what he's been up to with Dave Taht recently....
                           - Jim

Right now, IPv6 is worse than IPv4 for home users; we need

Date: Mon, 16 May 2011 14:37:46 -0400
From: Jim Gettys <jg@freedesktop.org>

> perhaps i'm too close to the problem because that solution looks quite
> viable to me. dns providers who don't keep up with the market (which
> means ipv6+dnssec in this context) will lose business to those who do.

I don't believe it is currently viable for any but the hackers out there,
given my experience during the Comcast IPv6 trial. Typing V6 addresses
(much less remembering them) is a PITA.

You are asking people who don't even know DNS exists, to bother to
establish another business relationship (or maybe DNS services might
someday be provided by their ISP).

actually, i'm asking the opposite. only hackers run their own dns mostly;
the vast majority of users who don't know what ipv6 or dnssec are, are
already outsourcing to ultradns/neustar, or verisign, or dyn.com, etc, or
for recursive they're using opendns, google dns, etc. these companies can
either add the new services and do outreach to their customer bases, or
they can allow their competitors to do so.

of those who still run their own dns, the vast majority actually do know
the dnssec and ipv6 issues facing them.

If you get past that hurdle they get to type long IPv6 addresses into a web
page they won't remember where it was the year before when they did this
the last time to add a machine to their DNS.

i've been using ipv6 dual stack for ten years at ISC and for one year at
home (i was comcast's first north american dual stack native customer) and
the only time i type long ipv6 addresses is when editing dns zone files or
configuring routers and hosts. i think your experiences may have been
worse than mine and i'll be interested in knowing whether they're common.

The way this "ought" to work for clueless home users (or cluefull users
too, for that matter) is that, when a new machine appears on a network, it
"just works", by which I mean that a globally routeable IPv6 address
appears in DNS without fussing around using the name that was given to the
machine when it was first booted, and that a home user's names are
accessible via secondaries even if they are off line.

this is why ISC DHCP and ISC BIND can communicate using RFC 2136 DNS
dynamic updates, secured with RFC 2845 transaction signatures. once you
get this running then you don't have to type ipv6 addresses anywhere. and
i know that infoblox and other BIND Inside appliance vendors have the same
capability, and that Cisco and other DNS/DHCP vendors can also participate
in these open standards pretty much out of the box. this is what i worked
on when i first found out about IETF back in 1995 or so. it's all done now
you just have to learn it and deploy it. (and if you don't think end users
ought to have to learn how to configure their DHCP to talk to their DNS,
i will point them at a half dozen appliance and outsourcing vendors who can
take the ones and zeroes out of this for them.)

And NXDOMAIN should work the way it was intended, for all the reasons
you know better than I.

while i agree, i don't think the people who are substituting positive
responses for NXDOMAIN care at all what you think or what i think, so i'm
going to focus on what can be done which is advancing robust solutions.

This is entirely possible ;-). Just go ask Evan Hunt what he's been up to
with Dave Taht recently....

more appliance vendors including open source are definitely welcome. the
pool is large enough for everybody to swim in it.

How so? It's not like you can even reach anything at home now,
let alone reach it by name.

Owen

> Date: Mon, 16 May 2011 14:37:46 -0400
> From: Jim Gettys <jg@freedesktop.org>
>
> > perhaps i'm too close to the problem because that solution looks quite
> > viable to me. dns providers who don't keep up with the market (which
> > means ipv6+dnssec in this context) will lose business to those who do.
>
> I don't believe it is currently viable for any but the hackers out there,
> given my experience during the Comcast IPv6 trial. Typing V6 addresses
> (much less remembering them) is a PITA.

> You are asking people who don't even know DNS exists, to bother to
> establish another business relationship (or maybe DNS services might
> someday be provided by their ISP).

actually, i'm asking the opposite. only hackers run their own dns mostly;
the vast majority of users who don't know what ipv6 or dnssec are, are
already outsourcing to ultradns/neustar, or verisign, or dyn.com, etc, or
for recursive they're using opendns, google dns, etc. these companies can
either add the new services and do outreach to their customer bases, or
they can allow their competitors to do so.

of those who still run their own dns, the vast majority actually do know
the dnssec and ipv6 issues facing them.

> If you get past that hurdle they get to type long IPv6 addresses into a web
> page they won't remember where it was the year before when they did this
> the last time to add a machine to their DNS.

i've been using ipv6 dual stack for ten years at ISC and for one year at
home (i was comcast's first north american dual stack native customer) and
the only time i type long ipv6 addresses is when editing dns zone files or
configuring routers and hosts. i think your experiences may have been
worse than mine and i'll be interested in knowing whether they're common.

> The way this "ought" to work for clueless home users (or cluefull users
> too, for that matter) is that, when a new machine appears on a network, it
> "just works", by which I mean that a globally routeable IPv6 address
> appears in DNS without fussing around using the name that was given to the
> machine when it was first booted, and that a home user's names are
> accessible via secondaries even if they are off line.

this is why ISC DHCP and ISC BIND can communicate using RFC 2136 DNS
dynamic updates, secured with RFC 2845 transaction signatures. once you
get this running then you don't have to type ipv6 addresses anywhere. and
i know that infoblox and other BIND Inside appliance vendors have the same
capability, and that Cisco and other DNS/DHCP vendors can also participate
in these open standards pretty much out of the box. this is what i worked
on when i first found out about IETF back in 1995 or so. it's all done now
you just have to learn it and deploy it. (and if you don't think end users
ought to have to learn how to configure their DHCP to talk to their DNS,
i will point them at a half dozen appliance and outsourcing vendors who can
take the ones and zeroes out of this for them.)

Or the host can talk directly to the DNS server. TSIG can scale
up to millions of clients with their own keys which may or may not
be shared between machines. Just because nameservers currently have
the keys in flat configuration files doesn't mean that it has to
stay that way. The keys could just as easily be in a separate
database which the nameserver only reads. Similarly SIG(0) could
be used using KEY records stored in the DNS itself.

I believe MacOS already supports TSIG directly though they don't
call it that. Windows could also add support to TSIG in addition
to GSS-TSIG for the non enterprise customers. This really isn't
hard. You just store a keyname/secret pair for the machine to use
at boot time. MacOS calls it account/password from memory.

The hard part is convincing people to do it by default. This is
nothing more than what the dynamic DNS vendors have been doing for
the last decade. If you want a custom zone you pay $X per month
extra otherwise you get the default zone for the ISP which doesn't
have to be the ISP's zone.

   machine{.subdomain}*.<cust-unique>.example.net

And as the updates are signed you can accept them from anywhere in
the world.
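
The TSIG-signed RFC 2136 updates discussed in the messages above, sketched as an added example that is not part of the thread or of BIND: a host signs an AAAA update with its own key, and the server checks the key, the MAC, the timestamp and that the name falls under that customer's subtree. The key store, key name, secret and addresses are constructed; names are assumed uncompressed, and appending or parsing the TSIG record itself is left out.

```python
import hashlib, hmac, ipaddress, struct

ALG = "hmac-sha256."   # TSIG algorithm name from RFC 4635
ZONE = "example.net."  # provider default zone, as in the post's example
# Constructed key store (assumption): key name -> (secret, subtree it may update).
KEYS = {"cust-a1b2.": (b"constructed-secret", "cust-a1b2.example.net.")}

def wire_name(name):
    """Encode a name as lowercase, uncompressed DNS wire-format labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"

def read_name(buf, off):
    """Decode an uncompressed name at off; return (name, offset after it)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_update(msg_id, host, addr, ttl=300):
    """RFC 2136 UPDATE adding one AAAA record for host in ZONE."""
    header = struct.pack("!6H", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone = wire_name(ZONE) + struct.pack("!2H", 6, 1)         # type SOA, class IN
    rdata = ipaddress.IPv6Address(addr).packed
    rr = wire_name(host) + struct.pack("!2HIH", 28, 1, ttl, len(rdata)) + rdata
    return header + zone + rr

def tsig_mac(message, key_name, secret, time_signed, fudge=300):
    """Request MAC: HMAC over the message followed by the TSIG variables."""
    tsig_vars = (
        wire_name(key_name) + struct.pack("!HI", 255, 0)       # class ANY, TTL 0
        + wire_name(ALG)
        + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
        + struct.pack("!2H", 0, 0))                            # error, other len
    return hmac.new(secret, message + tsig_vars, hashlib.sha256).digest()

def accept_update(message, key_name, time_signed, mac, now, fudge=300):
    """Server-side decision for one signed update; returns an rcode/TSIG error name."""
    entry = KEYS.get(key_name.lower())
    if entry is None:
        return "BADKEY"
    secret, subtree = entry
    expected = tsig_mac(message, key_name, secret, time_signed, fudge)
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"                                       # outside the fudge window
    _, off = read_name(message, 12)                            # skip zone name
    host = read_name(message, off + 4)[0].lower()              # owner of first update RR
    if host != subtree and not host.endswith("." + subtree):
        return "REFUSED"                                       # outside customer's subtree
    return "NOERROR"
```

Because the owner name is read from the signed message rather than passed alongside it, the subtree check applies to exactly the bytes the MAC covers.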

Date: Mon, 16 May 2011 14:37:46 -0400
From: Jim Gettys <jg@freedesktop.org>

perhaps i'm too close to the problem because that solution looks quite
viable to me. dns providers who don't keep up with the market (which
means ipv6+dnssec in this context) will lose business to those who do.

I don't believe it is currently viable for any but the hackers out there,
given my experience during the Comcast IPv6 trial. Typing V6 addresses
(much less remembering them) is a PITA.
You are asking people who don't even know DNS exists, to bother to
establish another business relationship (or maybe DNS services might
someday be provided by their ISP).

actually, i'm asking the opposite. only hackers run their own dns mostly;
the vast majority of users who don't know what ipv6 or dnssec are, are
already outsourcing to ultradns/neustar, or verisign, or dyn.com, etc, or

I think that what you probably meant to say was:
"... outsourcing to Afilias, Amazon Route 53, DNS Made Easy, DNS.com, Dyn/Dynect, EasyDNS, GoDaddy, Netriplex, UltraDNS, Verisign, Zerigo, etc."

^^ Those are the commercial anycast DNS services that I know of presented in a simple non-preferential alphabetical order.

I happen to know, because I did parts of the implementation, that DNS Made Easy provides anycast IPv6 DNS to all customers (available on all servers if they like).

From: Owen DeLong <owen@delong.com>
Date: Mon, 16 May 2011 16:12:27 -0700

... It's not like you can even reach anything at home now, let alone
reach it by name.

that must and will change. let's be the generation who makes it possible.

+1

> From: Owen DeLong <owen@delong.com>
> Date: Mon, 16 May 2011 16:12:27 -0700
>
> ... It's not like you can even reach anything at home now, let alone
> reach it by name.

that must and will change. let's be the generation who makes it possible.

I'd like to respond to this by stating that I support this fully, but
I'm busy making sure I can reach my machines at home from the IPv6
Internet. By name. ;-)