Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. nsp>
  3. ipv6: Page 3
1 2 3  View All
Re: Microsoft: Give Xbox One users IPv6 connectivity [ In reply to ]
tore at fud
Mar 14, 2014, 4:47 AM
Post #51 of 53 (3665 views)
Permalink
* Jakob Hirsch

> On 13.03.2014 20:12, Eric Vyncke (evyncke) wrote:
>> Christopher and others => you are RIGHT! Do not change your mind
>
> Right abouth _what_? You provided not a single reason for the described
> behaviour, i.e. the missing fallback to native IPv6.

According to Microsoft, there should never be a "fallback to native
IPv6", as IPv6 should be the preferred protocol. Teredo should be the
fallback, for those situations where end-to-end IPv6 isn't available.

Can you confirm that this is the case that all the XB1s involved have
native IPv6 connectivity, and that Teredo is used in spite of that? (If
not all of the XB1s communicating have native IPv6, fallback to Teredo
is the expected behaviour.)

Note also that AVM, by default, blocks IPSEC over IPv6 (in blatant
violation of RFC 6092 section 3.2.4). This means that if all the
involved XB1s are behind AVM HGWs, any IPv6 connectivity is broken and
thus useless. That may well be the reason why the XB1 is trying to fall
back on Teredo in the first place, a fact that makes the claims in the
KB article you linked to earlier somewhat amusing reading:

«The Xbox's behavior contradicts the Teredo standard (RFC 4380 Section
5.5)». --> No, it doesn't, because the XB1 *doesn't* have IPv6
connectivity, because the AVM broke it. (Besides which, RFC 4380 section
5.5 is meant for Teredo implementers, not for HGW manufacturers.)

«Thus, the FRITZ!Box complies with standardized recommendations for home
network devices (RFC 6169 Section 3.1.3).» --> Too bad AVM chose to
ignore RFC 6092 section 3.2.4 (and also REC-49), otherwise this mess
might have been avoided entirely.

Finally, the KB article says «there is a risk that using Teredo could
allow the security functions of the FRITZ!Box to be circumvented». I
cannot see how the presence of IPv6 makes this any worse. If AVM had
blocked Teredo always, regardless of the availability of IPv6, then at
least their position would have been consistent - but what it seems
they're saying here «Teredo is safe as long as there's no IPv6, but the
moment there is IPv6 there as well, Teredo becomes scary and we must
block it» makes no sense to me.

Nobody gave AVM a licence to be the «Teredo Sunsetting Police». I
believe they must take the blame here for gratuitously assuming this
role. +1 to what Eric said.

Tore
Re: Microsoft: Give Xbox One users IPv6 connectivity [ In reply to ]
jh at plonk
Mar 16, 2014, 6:06 PM
Post #52 of 53 (3667 views)
Permalink
On 14.03.2014 12:47, Tore Anderson wrote:
>>> Christopher and others => you are RIGHT! Do not change your mind
>> Right abouth _what_? You provided not a single reason for the described
>> behaviour, i.e. the missing fallback to native IPv6.
> According to Microsoft, there should never be a "fallback to native
> IPv6", as IPv6 should be the preferred protocol. Teredo should be the
> fallback, for those situations where end-to-end IPv6 isn't available.

The "fallback" I was talking about is not a description of the current
behaviour, it's about what is missing.

> Can you confirm that this is the case that all the XB1s involved have
> native IPv6 connectivity, and that Teredo is used in spite of that? (If

No, and I did not claim that.

> not all of the XB1s communicating have native IPv6, fallback to Teredo
> is the expected behaviour.)

"documented", yes, but sureley not "expected".

> involved XB1s are behind AVM HGWs, any IPv6 connectivity is broken and
> thus useless. That may well be the reason why the XB1 is trying to fall
> back on Teredo in the first place, a fact that makes the claims in the

No, according to Microsoft the XB1 will not use native IPv6 if one of
the peers is IPv4 only.

> «The Xbox's behavior contradicts the Teredo standard (RFC 4380 Section
> 5.5)». --> No, it doesn't, because the XB1 *doesn't* have IPv6
> connectivity, because the AVM broke it.

No. Just because there's stateful IPv6 firewall does not mean "no IPv6
connectivity"?

> (Besides which, RFC 4380 section
> 5.5 is meant for Teredo implementers, not for HGW manufacturers.)

So what? It's XB1 which is using Teredo and violating section 5.5 of RFC
4380 (which is, ironically, authored by Microsoft itself). And now the
HGW is the one to blame for that it was not expecting that?

> Finally, the KB article says «there is a risk that using Teredo could
> allow the security functions of the FRITZ!Box to be circumvented». I
> cannot see how the presence of IPv6 makes this any worse. If AVM had

That's simple:
- As long as my HGW is _not_ doing IPv6, I do not expect it to prevent
unwanted IPv6 traffic
- If my HGW _is_ doing IPv6, I do expect it to prevent unwanted IPv6 traffic

Sure, this is all debatable and everything, but I really don't
understand the harsh bashing of AVM and avid defense of the XB1 at the
same time time here. The XB1, as recently released device, abuses an
outdated, skunky protocol to create its own pseudo-VPN and everybody's
cheering for it, without a single critical remark? That's just sad.
Re: Microsoft: Give Xbox One users IPv6 connectivity [ In reply to ]
tore at fud
Mar 17, 2014, 2:28 AM
Post #53 of 53 (3664 views)
Permalink
* Jakob Hirsch

>> not all of the XB1s communicating have native IPv6, fallback to Teredo
>> is the expected behaviour.)
>
> "documented", yes, but sureley not "expected".

In my world view, the documentation defines the expected. If it didn't,
what's the point of having documentation?

>> involved XB1s are behind AVM HGWs, any IPv6 connectivity is broken and
>> thus useless. That may well be the reason why the XB1 is trying to fall
>> back on Teredo in the first place, a fact that makes the claims in the
>
> No, according to Microsoft the XB1 will not use native IPv6 if one of
> the peers is IPv4 only.

Of course not. How could it? For IPv6 to be used, both peers must have
IPv6, and so must the entire network path between them. If there's any
missing link in that chain, then the use of native IPv6 is impossible.

>> «The Xbox's behavior contradicts the Teredo standard (RFC 4380 Section
>> 5.5)». --> No, it doesn't, because the XB1 *doesn't* have IPv6
>> connectivity, because the AVM broke it.
>
> No. Just because there's stateful IPv6 firewall does not mean "no IPv6
> connectivity"?

If the firewall blocks the IPv6 traffic relevant to the application
(like AVM does with the XB1's IPSEC traffic), that application does not
have any IPv6 connectivity worth mentioning, IMHO.

Think about it: If your firewall drops all IPv6 80/tcp and 443/tcp
packets, does your web browser have IPv6 connectivity? Would you really
blame it for trying alternative fall-back methods for getting you the
web sites you're asking it to display?

>> (Besides which, RFC 4380 section
>> 5.5 is meant for Teredo implementers, not for HGW manufacturers.)
>
> So what? It's XB1 which is using Teredo and violating section 5.5 of RFC
> 4380 (which is, ironically, authored by Microsoft itself). And now the
> HGW is the one to blame for that it was not expecting that?

I simply do not expect an HGW to assume the responsibility by default to
block all sorts of application traffic that may or may not be considered
obsolete, outdated, sunset, or whatever. If the user explicitly asks for
it, sure, but by default no. An HGW simply cannot know for certain that
this is what the user wants or even if it is the right thing to do in
the first place.

In the specific case of Teredo, a HGW has no certain way of knowing
whether or not the Teredo client has any form of IPv6 connectivity.
Consider for example there being another IPv4-only router located
between the HGW and the Teredo client (whether this is an XB1 or a
Windows PC, or something else). In this case the Teredo client would not
have any form of IPv6 connectivity regardless of how you choose to
define it, and it would be clear that activating the Teredo service does
not run afoul of RFC 4380 section 5.5. An AVM HGW would still block that
traffic by default, as I understand it. Which is unequivocally the wrong
thing to do.

In any case I do not think it is at all unreasonable to consider the XB1
to be compliant with RFC 4380 section 5.5, even if it does have an IPv6
address configured. The RFC says:

«The Teredo-capable nodes MUST NOT behave as Teredo clients if they
already have IPv6 connectivity through any other means, such as native
IPv6 connectivity».

The key question is, what is meant by «IPv6 connectivity»?

1) The XB1 uses IPSEC (500/udp + ESP). AVM blocks this. I think it is
completely fair for the XB1 to then conclude «no, I do *not* have
[usable] IPv6 connectivity» - and therefore start up Teredo as a
second-best alternative.

2) The word «connectivity» implies two (or more) endpoints. As in,
«connectivity *between A and B*». So, if the your XB1 tries to
communicate with another XB1 that does not have any form of IPv6, then I
think it is again completely fair for the XB1 to conclude «no, I do
*not* have IPv6 connectivity [to that other XB1]», and start Teredo as a
second-best alternative.

Tore
1 2 3  View All

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal