
Re: 6to4 security questions



on 11/20/02 14:19, Jeroen Massar at jeroen@unfix.org wrote:

> Laurent Dumont wrote:
> 
>> We're planning to offer 6to4 as an auto-configured fallback for getting
>> home Mac users on IPv6. This is of course only if we don't get an RA, and
>> only in the case where the Mac is not behind a NAT... But that's another
>> issue.
> 
> I think that making that a default option will lead to _many_ helpdesk
> phone calls. The actual upstream ISP will get phone calls like:
> "www.example.org doesn't work"

That raises another issue which was briefly stated this morning in one of
the presentation about getaddrinfo and the address selection process.

Does it make sense at this point for a web browser sitting on a dual-stack
implementation to try the AAAA address first, maybe wait 75 seconds to time
out because the v6 host is declared in DNS but not reachable along the path,
and only then try the A record over v4? I don't think that's really a good
user experience, but I haven't seen anything that could prevent this from
happening right now.


> 
> Even though the upstream (ISP) can reach it quite well over IPv4.
> Of course one will have IPv6 -> IPv4 fallback. But the latency for falling
> back will be quite big. Also note that, unless 6to4 relays suddenly pop out
> of nowhere, the traffic of these users will go through a couple of
> different countries without the user probably wanting it.
> 
> It would be a good thing to do to 'force' upstreams to get IPv6 in their
> networks. But I really don't think it will scale and it will deliver a load
> of headaches. If you added this option as an option in the network settings
> with a big help doc alongside it describing the problems which could arise,
> this would be great. "Go to network config and hit that 'enable 6to4'
> button to enable it" or something similar. A warning on a non-responded RA
> could also be a good idea, but one has to remember that most users will
> blindly click "Yes" on most forms they don't understand.
> 
> People really wanting IPv6 will get it from their upstream or a
> transitional method, and they can pick out of a lot: 6to4, configured using
> a tunnelbroker, or their upstream. Note also that current tunnelbroker
> systems have quite intuitive websites and, for example, freenet6 delivers an
> automatic configuration tool. At least then they will be begging their
> upstream to get it supported :)
> 

Maybe that's a way to get ISPs to move on and provide direct IPv6 support.
For us the clearly identified reason to use IPv6 vs IPv4 is restored
peer-to-peer connectivity, even if it has to go through something like 6to4.
I think everybody agrees that the best way would be native IPv6 support by
the ISPs, but I don't see the incentive for them to move until apps are
deployed.

--Laurent

> Greets,
> Jeroen
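
The fallback latency both posters worry about (an AAAA record published for a host whose v6 path is dead, so the first connect() hangs for the OS default before the A record is tried) is bounded in the client, not in DNS. The following is an added example, not code from this thread or its authors: a dual-stack connect that orders candidates IPv6-first, starts attempts concurrently with a short stagger and a short per-attempt timeout, and takes the first one to answer. This staggered race is the scheme later standardised as Happy Eyeballs (RFC 6555 / RFC 8305). The function and parameter names, the simulated connector and the documentation-prefix addresses are this example's own assumptions.

```python
"""Bounded IPv6 -> IPv4 connection fallback for a dual-stack client.

Added example (not from the thread). Candidates are raced with a stagger and a
short per-attempt timeout so a black-holed v6 path costs one stagger, not the
OS connect timeout, before v4 is tried. Names are this example's own.
"""
import queue
import socket
import threading
import time


def order_candidates(addrinfos):
    """Order (family, sockaddr) pairs: IPv6 first, then alternate families so a
    dead v6 path delays v4 by at most one stagger (RFC 8305 section 4)."""
    v6 = [a for a in addrinfos if a[0] == socket.AF_INET6]
    v4 = [a for a in addrinfos if a[0] == socket.AF_INET]
    ordered = []
    while v6 or v4:
        if v6:
            ordered.append(v6.pop(0))
        if v4:
            ordered.append(v4.pop(0))
    return ordered


def connect_with_fallback(addrinfos, connect, attempt_timeout=2.0, stagger=0.25):
    """Race connect(family, sockaddr, timeout) over the ordered candidates.
    connect() returns a connected object or raises OSError. Returns
    (family, sockaddr, conn) for the first success, else raises OSError."""
    pending = order_candidates(addrinfos)
    if not pending:
        raise OSError("no addresses to try")
    results = queue.Queue()
    won = threading.Event()

    def attempt(family, sockaddr):
        try:
            conn = connect(family, sockaddr, attempt_timeout)
        except OSError as exc:
            results.put((family, sockaddr, None, exc))
            return
        if won.is_set():  # a faster candidate already won: do not leak this one
            close = getattr(conn, "close", None)
            if close:
                close()
            return
        results.put((family, sockaddr, conn, None))

    failures, outstanding = [], 0
    while pending or outstanding:
        if pending:
            family, sockaddr = pending.pop(0)
            threading.Thread(target=attempt, args=(family, sockaddr), daemon=True).start()
            outstanding += 1
            wait = stagger                # head start for this attempt only
        else:
            wait = attempt_timeout + 1.0  # all started; wait for stragglers
        try:
            family, sockaddr, conn, exc = results.get(timeout=wait)
        except queue.Empty:
            if pending:
                continue                  # stagger expired: start the next one
            failures.append("attempts did not complete within timeout")
            break
        outstanding -= 1
        if exc is None:
            won.set()
            return family, sockaddr, conn
        failures.append(f"{sockaddr[0]}: {exc}")  # a failure starts the next at once
    raise OSError("all candidates failed: " + "; ".join(failures))


def socket_connect(family, sockaddr, timeout):
    """Real connector for socket.getaddrinfo() results (not used by the demo)."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()
        raise
    sock.settimeout(None)
    return sock


def make_simulated_connector(behaviour):
    """Offline connector. behaviour maps host -> ("ok", latency) | ("blackhole",)
    | ("refused",). A black hole sleeps the whole timeout, like a dropped SYN."""
    def connect(family, sockaddr, timeout):
        kind = behaviour.get(sockaddr[0], ("refused",))
        if kind[0] == "ok":
            time.sleep(kind[1])
            return f"conn:{sockaddr[0]}"
        if kind[0] == "blackhole":
            time.sleep(timeout)
            raise socket.timeout("connect timed out")
        raise ConnectionRefusedError("connection refused")
    return connect


# Constructed scenario (documentation prefixes): AAAA is published but the v6
# path drops packets; the A record works.
ADDRINFOS = [(socket.AF_INET6, ("2001:db8::1", 80)),
             (socket.AF_INET, ("192.0.2.1", 80))]


def demo():
    """v4 wins in about stagger + v4 latency, not after the 2 s v6 timeout."""
    connect = make_simulated_connector({"2001:db8::1": ("blackhole",),
                                        "192.0.2.1": ("ok", 0.05)})
    t0 = time.monotonic()
    _, sockaddr, conn = connect_with_fallback(ADDRINFOS, connect, 2.0, 0.25)
    return {"host": sockaddr[0], "conn": conn, "elapsed": time.monotonic() - t0,
            "order": [a[1][0] for a in order_candidates(ADDRINFOS)]}


def demo_all_fail():
    """Both paths dead: the error names every candidate, bounded by the timeout."""
    connect = make_simulated_connector({"2001:db8::1": ("blackhole",)})
    try:
        connect_with_fallback(ADDRINFOS, connect, 0.3, 0.1)
    except OSError as exc:
        return str(exc)
    return None
```

With `socket_connect` and the output of `socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)` mapped to `(family, sockaddr)` pairs, the same `connect_with_fallback` works against real hosts; a browser or resolver library that instead calls `connect()` sequentially with the kernel's default SYN retry budget is exactly what produces the multi-tens-of-seconds stall described above.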