Mailing List Archive

6to4 in Internet aaaa records
Folks,

What is the general impression of 6to4 addresses in AAAA records?

I recently had a customer complain about this situation, and I am not sure,
as a service provider, how to deal with it.

From my home Comcast connection with real full dual-stack, I get this



cbyrne@xxxx ~ $ wget -6 www.azdes.gov
--2014-10-02 19:19:48-- http://www.azdes.gov/
Resolving www.azdes.gov (www.azdes.gov)... 2002::cf6c:8846
Connecting to www.azdes.gov (www.azdes.gov)|2002::cf6c:8846|:80... failed:
Connection timed out.
Retrying.

and from another cloud server with real dual-stack, I get the same thing

[cbyrne@xxxx ~]$ wget -6 http://www.azdes.gov/
--2014-10-02 19:23:00-- http://www.azdes.gov/
Resolving www.azdes.gov (www.azdes.gov)... 2002::cf6c:8846
Connecting to www.azdes.gov (www.azdes.gov)|2002::cf6c:8846|:80... failed:
Host is down.
Retrying.
Re: 6to4 in Internet aaaa records
On 2014-10-02 22:24, Ca By wrote:
> Folks,
>
> What is the general impression of 6to4 addresses in AAAA records?
>
> I recently had a customer complain about this situation, and i am not
> sure, as a service provider, how to deal with it.
>
> From my home comcast connection with real full dual-stack, i get this
>
>
>
> cbyrne@xxxx ~ $ wget -6 www.azdes.gov <http://www.azdes.gov>
> --2014-10-02 19:19:48-- http://www.azdes.gov/
> Resolving www.azdes.gov <http://www.azdes.gov> (www.azdes.gov
> <http://www.azdes.gov>)... 2002::cf6c:8846

That is an invalid 6to4 address as it would have a 6to4 gateway of 0.0.0.0.

One would think with all the "IPv6 consultants" in the US, that .gov
agencies would be able to get that part right...

Though, better point them out that 6to4 is a bad idea in general anyway.

I would not be surprised if the "DNS solution" generated that broken
address though as cf6c:8846 does map to 207.108.136.70 which matches the
A record.

Greets,
Jeroen
Re: 6to4 in Internet aaaa records
On Thu, Oct 2, 2014 at 7:31 PM, Jeroen Massar <jeroen@massar.ch> wrote:

> On 2014-10-02 22:24, Ca By wrote:
> > Folks,
> >
> > What is the general impression of 6to4 addresses in AAAA records?
> >
> > I recently had a customer complain about this situation, and i am not
> > sure, as a service provider, how to deal with it.
> >
> > From my home comcast connection with real full dual-stack, i get this
> >
> >
> >
> > cbyrne@xxxx ~ $ wget -6 www.azdes.gov <http://www.azdes.gov>
> > --2014-10-02 19:19:48-- http://www.azdes.gov/
> > Resolving www.azdes.gov <http://www.azdes.gov> (www.azdes.gov
> > <http://www.azdes.gov>)... 2002::cf6c:8846
>
> That is an invalid 6to4 address as it would have a 6to4 gateway of 0.0.0.0.
>
> One would think with all the "IPv6 consultants" in the US, that .gov
> agencies would be able to get that part right...
>
> Though, better point them out that 6to4 is a bad idea in general anyway.
>
> I would not be surprised if the "DNS solution" generated that broken
> address though as cf6c:8846 does map to 207.108.136.70 which matches the
> A record.
>
> Greets,
> Jeroen
>
>
Yes, I think .gov requires AAAA records. So it looks like DNS admins are
generating AAAA records that ultimately break connectivity.

Back to my question, should there be an RFC generated that advises network
admins to only put native natural addresses in DNS for anything that is
supposed to be production grade and routed across the Internet?

Meaning:

1. Only make AAAA records from 2000::/3
2. Do not make AAAA records with 6to4 addresses
3. Do not make AAAA records with NAT64 WKP 64:ff9b::/96 (saw this last
week)

ps. handy list of broken things http://www.employees.org/~dwing/aaaa-stats/
Re: 6to4 in Internet aaaa records
On 2014-10-02 22:37, Ca By wrote:
[..]
> Yes, i think .gov requires AAAA records. So it looks like DNS admins
> are generating AAAA records that ultimately break connectivity.
>
> Back to my question, should there be an RFC generated that advises
> network admins to only put native natural addresses in DNS for anything
> that is supposed to be production grade and routed across the Internet?
>
> Meaning:
>
> 1. Only make AAAA records from 2000::/3

2002::/16 (6to4) is part of that.

> 2. Do not make AAAA records with 6to4 addresses

See http://tools.ietf.org/html/rfc6343
and of course also:
http://tools.ietf.org/html/draft-ietf-v6ops-6to4-to-historic-05
(though that technically expired).

Except for quick tests, doing anything with 6to4 is futile.

Clearly though in this case the address never worked. Can't fix problems
between chair and keyboard with documents.

> 3. Do not make AAAA records with NAT64 WKP 64:ff9b::/96 (saw this last
> week)

One can stuff whatever one wants in DNS, if it breaks though that is the
problem of the operator.

Greets,
Jeroen
Re: 6to4 in Internet aaaa records
On Thu, Oct 2, 2014 at 7:47 PM, Jeroen Massar <jeroen@massar.ch> wrote:

> On 2014-10-02 22:37, Ca By wrote:
> [..]
> > Yes, i think .gov requires AAAA records. So it looks like DNS admins
> > are generating AAAA records that ultimately break connectivity.
> >
> > Back to my question, should there be an RFC generated that advises
> > network admins to only put native natural addresses in DNS for anything
> > that is supposed to be production grade and routed across the Internet?
> >
> > Meaning:
> >
> > 1. Only make AAAA records from 2000::/3
>
> 2002::/16 (6to4) is part of that.
>
> > 2. Do not make AAAA records with 6to4 addresses
>
> See http://tools.ietf.org/html/rfc6343
> and of course also:
> http://tools.ietf.org/html/draft-ietf-v6ops-6to4-to-historic-05
> (though that technically expired).
>
>
From my reading of RFC6343 it is not clearly stated that one should not
produce AAAA records with 6to4 addresses. The wording is unclear IMHO.


> Except for quick tests, doing anything with 6to4 is futile.
>
>
Fully agree on that, 6to4 is the worst and the fact that it was not made
historic is a shame.


> Clearly though in this case the address never worked. Can't fix problems
> between chair and keyboard with documents.
>
>
Fair


> > 3. Do not make AAAA records with NAT64 WKP 64:ff9b::/96 (saw this last
> > week)
>
> One can stuff whatever one wants in DNS, if it breaks though that is the
> problem of the operator.
>
> Greets,
> Jeroen
>
>

Therein lies the problem. I have received escalations in the last few
days on my eyeball network regarding Internet servers with 6to4 in DNS and
NAT64 WKP in DNS. In the WKP case, the server operator read the RFCs and
tried to persuade me, per his understanding of those RFCs, that I should
route and support the WKP to my NAT64 and that he was doing the right thing
by putting the WKP as an RR in his DNS files.
Re: 6to4 in Internet aaaa records
>
> Therein lies the problem. I have received escalations in the last few
> days on my eyeball network regarding Internet servers with 6to4 in DNS and
> NAT64 WKP in DNS. In the WKP case, the server operator read the RFCs and
> tried to persuade me, per his understanding of those RFCs, that I should
> route and support the WKP to my NAT64 and that he was doing the right thing
> by putting the WKP as an RR in his DNS files.
>

That is hilariously evil...awesome. The *64 docs should have made some
mention about not using the WKP globally.
Re: 6to4 in Internet aaaa records
On Fri, Oct 3, 2014 at 12:16 PM, Erik Kline <ek@google.com> wrote:

> Therein lies the problem. I have received escalations in the last few
>> days on my eyeball network regarding Internet servers with 6to4 in DNS and
>> NAT64 WKP in DNS. In the WKP case, the server operator read the RFCs and
>> tried to persuade me, per his understanding of those RFCs, that I should
>> route and support the WKP to my NAT64 and that he was doing the right thing
>> by putting the WKP as an RR in his DNS files.
>>
>
> That is hilariously evil...awesome. The *64 docs should have made some
> mention about not using the WKP globally.
>

Actually sections 3.1 and 3.2 of http://tools.ietf.org/html/rfc6052 apply
here. The implication is that since you can't route more specifics of the
WKP you shouldn't put them in DNS, but that latter is still not explicitly,
clearly stated.
Re: 6to4 in Internet aaaa records
On 03/10/2014 15:58, Ca By wrote:
> On Thu, Oct 2, 2014 at 7:47 PM, Jeroen Massar <jeroen@massar.ch> wrote:
>
>> On 2014-10-02 22:37, Ca By wrote:
>> [..]
>>> Yes, i think .gov requires AAAA records. So it looks like DNS admins
>>> are generating AAAA records that ultimately break connectivity.
>>>
>>> Back to my question, should there be an RFC generated that advises
>>> network admins to only put native natural addresses in DNS for anything
>>> that is supposed to be production grade and routed across the Internet?
>>>
>>> Meaning:
>>>
>>> 1. Only make AAAA records from 2000::/3
>> 2002::/16 (6to4) is part of that.
>>
>>> 2. Do not make AAAA records with 6to4 addresses
>> See http://tools.ietf.org/html/rfc6343

To save looking-up effort, here's what it says:

4.2.4. DNS Issues


A customer who is intentionally using 6to4 may also need to create
AAAA records, and the operator should be able to support this, even
if the DNS service itself runs exclusively over IPv4. However,
customers should be advised to consider carefully whether their 6to4
service is sufficiently reliable for this.

Operators could, in principle, offer reverse DNS support for 6to4
users [RFC5158], although this is not straightforward for domestic
customers.

The point is that if you are crazy enough to rely on 6to4 to offer
IPv6 service, as it seems the people at www.azdes.gov are, you must
of course have a stable 6to4 server and provide a DNS entry,
and a reverse entry (RFC 5158) too. But as the rest of RFC 6343
should tell you, you really would have to be crazy.

I have to say that this deployment seems to be broken in a way
that we didn't even imagine when writing RFC 6343, yet it does
have stable, reliable DNS service ;-).

>> and of course also:
>> http://tools.ietf.org/html/draft-ietf-v6ops-6to4-to-historic-05
>> (though that technically expired).

3 years ago that seemed premature. With recent progress in real IPv6,
I'm wondering whether it isn't time to revive it. If so it should be
changed to be a BCP that says "Don't do this" and also makes
the proposed standard drafts Historic.

But we do hear persistently that there are happy hobbyist and peer-to-peer
users of 6to4. Using it to offer web service for the Arizona Department of
Economic Security is so wrong, though.

> From my reading of RFC6343 it is not clearly stated that one should not
> produce AAAA records with 6to4 addresses. The wording is unclear IMHO.

No, it is intended to say that if you insist on using 6to4, you *need*
stable DNS service and possibly reverse DNS.

Brian

>
>> Except for quick tests, doing anything with 6to4 is futile.
>>
>>
> Fully agree on that, 6to4 is the worst and the fact that it was not made
> historic is a shame.
>
>
>> Clearly though in this case the address never worked. Can't fix problems
>> between chair and keyboard with documents.
>>
>>
> Fair
>
>
>>> 3. Do not make AAAA records with NAT64 WKP 64:ff9b::/96 (saw this last
>>> week)
>> One can stuff whatever one wants in DNS, if it breaks though that is the
>> problem of the operator.
>>
>> Greets,
>> Jeroen
>>
>>
>
> Therein lies the problem. I have received escalations in the last few
> days on my eyeball network regarding Internet servers with 6to4 in DNS and
> NAT64 WKP in DNS. In the WKP case, the server operator read the RFCs and
> tried to persuade me, per his understanding of those RFCs, that I should
> route and support the WKP to my NAT64 and that he was doing the right thing
> by putting the WKP as an RR in his DNS files.
>
Re: 6to4 in Internet aaaa records
On Fri, Oct 3, 2014 at 4:37 AM, Ca By <cb.list6@gmail.com> wrote:
> Back to my question, should there be an RFC generated that advises network
> admins to only put native natural addresses in DNS for anything that is
> supposed to be production grade and routed across the Internet?
>
> Meaning:
> 1. Only make AAAA records from 2000::/3
> 2. Do not make AAAA records with 6to4 addresses
> 3. Do not make AAAA records with NAT64 WKP 64:ff9b::/96 (saw this last
> week)

....do not make AAAA records with link-local....with ULAs...with
2001:db8::/32..with ::1...with ipv4-[mapped|compatible] etc..;)

As well as 'do not make A records pointing to RFC1918, example networks etc'

I'd say 'do return to external clients AAAA containing anything except
addresses from your public routable blocks' - but it seems to be too
short for becoming an RFC ;)

> ps. handy list of broken things http://www.employees.org/~dwing/aaaa-stats/

Yeah, I have a long list of invalid AAAAs for Alexa1M...

--
SY, Jen Linkova aka Furry
Re: 6to4 in Internet aaaa records
Erik Kline <ek@google.com> writes:
> On Fri, Oct 3, 2014 at 12:16 PM, Erik Kline <ek@google.com> wrote:
>
>> Therein lies the problem. I have received escalations in the last few
>>> days on my eyeball network regarding Internet servers with 6to4 in DNS and
>>> NAT64 WKP in DNS. In the WKP case, the server operator read the RFCs and
>>> tried to persuade me, per his understanding of those RFCs, that I should
>>> route and support the WKP to my NAT64 and that he was doing the right thing
>>> by putting the WKP as an RR in his DNS files.
>>>
>>
>> That is hilariously evil...awesome. The *64 docs should have made some
>> mention about not using the WKP globally.
>>
>
> Actually sections 3.1 and 3.2 of http://tools.ietf.org/html/rfc6052 apply
> here. The implication is that since you can't route more specifics of the
> WKP you shouldn't put them in DNS, but that latter is still not explicitly,
> clearly stated.

And that is how it should be. There is no reason to forbid any address
in DNS. Routing is not a requirement for DNS A or AAAA records.

There can be perfectly valid reasons to create DNS records pointing to
addresses which are not necessarily reachable from all places where the
DNS record is visible. This is not a bug. It's a feature.

I like this example (left over from the '90s, when you would ftp to this
"warez" server and probably find lots of interesting stuff there):

bjorn@nemi:~$ host langnese.nvg.ntnu.no
langnese.nvg.ntnu.no has address 127.0.0.1
langnese.nvg.ntnu.no has IPv6 address ::1
langnese.nvg.ntnu.no mail is handled by 20 langnese.nvg.ntnu.no.
langnese.nvg.ntnu.no mail is handled by 50 langnese.nvg.ntnu.no.

:-)

Regarding the initial question, the only problem there seems to be the
typo Jeroen pointed out. Which is unrelated to 6to4 AFAICS. There are
examples of perfectly working 6to4 records:

bjorn@nemi:~$ host kernelnewbies.org
kernelnewbies.org has address 74.92.59.67
kernelnewbies.org has IPv6 address 2002:4a5c:3b41:1:216:3eff:fe57:7f4
kernelnewbies.org mail is handled by 10 forlond.surriel.com.
kernelnewbies.org mail is handled by 0 forlond.surriel.com.
kernelnewbies.org mail is handled by 5 shelob.surriel.com.

bjorn@nemi:~$ ping6 -c1 -n kernelnewbies.org
PING kernelnewbies.org(2002:4a5c:3b41:1:216:3eff:fe57:7f4) 56 data bytes
64 bytes from 2002:4a5c:3b41:1:216:3eff:fe57:7f4: icmp_seq=1 ttl=39 time=495 ms

--- kernelnewbies.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 495.612/495.612/495.612/0.000 ms



Bjørn
Re: 6to4 in Internet aaaa records
Ca By <cb.list6@gmail.com> writes:

> 1. Only make AAAA records from 2000::/3
> 2. Do not make AAAA records with 6to4 addresses
> 3. Do not make AAAA records with NAT64 WKP 64:ff9b::/96 (saw this
> last week)

Last time I checked I found these interesting records while checking
Alexa top 1 million domains:

2 UNIQUE-LOCAL-UNICAST
4 TEREDO
6 DOCUMENTATION
7 UNSPECIFIED
37 RESERVED
47 LINK-LOCAL-UNICAST
62 LOOPBACK
95 IPV4MAP
223 6TO4

Perl's Net::IP will put the NAT64 prefix under the RESERVED category.

> ps. handy list of broken thing http://www.employees.org/~dwing/
> aaaa-stats/

Looks like someone else had a similar idea.

Jens
--
----------------------------------------------------------------------------
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jenslink@jabber.quux.de | --------------- |
----------------------------------------------------------------------------
Re: 6to4 in Internet aaaa records
Hi,

On Thu, Oct 02, 2014 at 10:31:25PM -0400, Jeroen Massar wrote:
> > <http://www.azdes.gov>)... 2002::cf6c:8846
>
> That is an invalid 6to4 address as it would have a 6to4 gateway of 0.0.0.0.

Uh, what?

Who are you and what happened to the Jeroen I know who understands IPv6,
and knows that 6to4 addresses do (unlike Teredo) not call a reference
to the gateway in there... and that the biggest part of the actual
*problem* with 6to4 is exactly the anycast nature of its current
deployment...?

> One would think with all the "IPv6 consultants" in the US, that .gov
> agencies would be able to get that part right...
>
> Though, better point them out that 6to4 is a bad idea in general anyway.

I certainly agree with that sentiment, though. 6to4 should never ever
(NEVER!) show up in public DNS for servers, as "just stick to IPv4" is
guaranteed to give better service.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Re: 6to4 in Internet aaaa records
Hi,

On Sat, Oct 04, 2014 at 12:49:00PM +0200, Gert Doering wrote:
> On Thu, Oct 02, 2014 at 10:31:25PM -0400, Jeroen Massar wrote:
> > > <http://www.azdes.gov>)... 2002::cf6c:8846
> >
> > That is an invalid 6to4 address as it would have a 6to4 gateway of 0.0.0.0.
>
> Uh, what?
>
> Who are you and what happened to the Jeroen I know who understands IPv6,
[..]

Aliens stole the body of Gert Doering, and now he can't find the button
"withdraw this e-mail" in his Outlook mail client anymore...

Sorry, of course Jeroen is right here, and I need to sleep more before
typing. While anycast *is* the problem, of course the "exit side" of
the tunnel needs an address, aka "gateway"...

Gert Doering
-- NetMaster
Re: 6to4 in Internet aaaa records
On 2014-10-04 12:49, Gert Doering wrote:
> Hi,
>
> On Thu, Oct 02, 2014 at 10:31:25PM -0400, Jeroen Massar wrote:
>>> <http://www.azdes.gov>)... 2002::cf6c:8846
>>
>> That is an invalid 6to4 address as it would have a 6to4 gateway of 0.0.0.0.
>
> Uh, what?
>
> Who are you and what happened to the Jeroen I know who understands IPv6,
> and knows that 6to4 addresses do (unlike Teredo) not call a reference
> to the gateway in there...

I think Gert needs some Saturday morning coffee.... ;)

Just in case:

$ ipv6calc -i 2002::cf6c:8846
No input type specified, try autodetection...found type: ipv6addr
No output type specified, try autodetection...found type: ipv6addr
Address type: unicast, 6to4, global-unicast, productive
Address type is 6to4 and included IPv4 address is: 0.0.0.0
IPv4 registry for 6to4 address: reserved(RFC1122#3.2.1.3)
Address type has SLA: 0000
Error getting registry string for IPv6 address: reserved(RFC3056#2)
Interface identifier: 0000:0000:cf6c:8846
Interface identifier is probably manual set or based on a local EUI-64
identifier


If a packet from, say, 2001:db8::1 would go to 2002::cf6c:8846 it will be
forwarded to a router with 6to4-tunneling-ability, which will create an
IPv4 packet with destination 0.0.0.0 (due to 2002:aabb:ccdd:...)
containing a protocol 41 payload that is the IPv6 packet we are forwarding.

The 0.0.0.0 host will then deliver over native IPv6 the packet to
2002::cf6c:8846.

As 0.0.0.0 is invalid though, the packet will not end up anywhere and
stuff miserably fails.

Note that if all is correctly implemented the 6to4-relay will send an
icmp6-unreachable as it will have a 2002::/24 route to loopback (just
like it should have routes for 2002:<rfc1918 etc>).

> and that the biggest part of the actual
> *problem* with 6to4 is exactly the anycast nature of its current
> deployment...?

Of course that is a big problem.

But the 0.0.0.0 in there will never work either ;)

With or without an anycast node.

>> One would think with all the "IPv6 consultants" in the US, that .gov
>> agencies would be able to get that part right...
>>
>> Though, better point them out that 6to4 is a bad idea in general anyway.
>
> I certainly agree with that sentiment, though. 6to4 should never ever
> (NEVER!) show up in public DNS for servers, as "just stick to IPv4" is
> guaranteed to give better service.

Indeed.

Greets,
Jeroen
Re: 6to4 in Internet aaaa records
On 2014-10-04 12:56, Gert Doering wrote:
> Hi,
>
> On Sat, Oct 04, 2014 at 12:49:00PM +0200, Gert Doering wrote:
>> On Thu, Oct 02, 2014 at 10:31:25PM -0400, Jeroen Massar wrote:
>>>> <http://www.azdes.gov>)... 2002::cf6c:8846
>>>
>>> That is an invalid 6to4 address as it would have a 6to4 gateway of 0.0.0.0.
>>
>> Uh, what?
>>
>> Who are you and what happened to the Jeroen I know who understands IPv6,
> [..]
>
> Aliens stole the body of Gert Doering, and now he can't find the button
> "withdraw this e-mail" in his Outlook mail client anymore...

Hmmm, yeah a Gert using Outlook would be an excuse, but it seems more
that an alien stole his dog: "User-Agent: Mutt/1.5.23 (2014-03-12)" :)

Dear Aliens: please return our Gert!

> Sorry, of course Jeroen is right here, and I need to sleep more before
> typing. While anycast *is* the problem, of course the "exit side" of
> the tunnel needs an address, aka "gateway"...

Can anybody local to Munich deliver some fresh coffee to Gert? :)

Greets,
Jeroen
Re: 6to4 in Internet aaaa records
On 05/10/2014 00:04, Jeroen Massar wrote:
> On 2014-10-04 12:56, Gert Doering wrote:
>> Hi,
>>
>> On Sat, Oct 04, 2014 at 12:49:00PM +0200, Gert Doering wrote:
>>> On Thu, Oct 02, 2014 at 10:31:25PM -0400, Jeroen Massar wrote:
>>>>> <http://www.azdes.gov>)... 2002::cf6c:8846
>>>> That is an invalid 6to4 address as it would have a 6to4 gateway of 0.0.0.0.
>>> Uh, what?
>>>
>>> Who are you and what happened to the Jeroen I know who understands IPv6,
>> [..]
>>
>> Aliens stole the body of Gert Doering, and now he can't find the button
>> "withdraw this e-mail" in his Outlook mail client anymore...
>
> Hmmm, yeah a Gert using Outlook would be an excuse, but it seems more
> that an alien stole his dog: "User-Agent: Mutt/1.5.23 (2014-03-12)" :)
>
> Dear Aliens: please return our Gert!
>
>> Sorry, of course Jeroen is right here, and I need to sleep more before
>> typing. While anycast *is* the problem, of course the "exit side" of
>> the tunnel needs an address, aka "gateway"...
>
> Can anybody local to Munich deliver some fresh coffee to Gert? :)

I'm drinking coffee here in Auckland at 08:21, but there is no
"send coffee" feature in Web RTC yet.

Yes, everybody go and read RFC 6343 again please.

Just to be clear though, a return relay for 6to4 will advertise
a route to 2002::/16, since it must accept traffic for any 6to4
host. But any packets sent to that AZDES address will black hole
because the return relay will encapsulate them in IPv4 and deliver
them to 0.0.0.0.

Brian
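Added example (editor's code, not anything posted in the thread): a small Python audit that does what Jeroen did by hand with ipv6calc, and what Jen's and Jens' lists describe, over a whole set of AAAA records. It classifies each address against the special-purpose ranges named in the thread (loopback, IPv4-mapped and -compatible, NAT64 WKP, Teredo, documentation, 6to4, ULA, link-local), and for 6to4 it decodes the embedded relay address and flags the 0.0.0.0 case, also showing what the intended 2002: prefix for the A record would have been. Only the stdlib ipaddress module is used; the function names and the sample zone are the editor's, with the two 6to4 addresses and ::1 taken from the messages above and the remaining entries made up.

```python
"""Audit AAAA records for address types that should not be in public DNS.

Added example, not code from the thread.  Uses only the Python 3.4+ stdlib
`ipaddress` module.  The record list at the bottom is constructed for the
demo (the two 6to4 addresses and ::1 are the ones quoted in the thread).
"""
import ipaddress

# Address types the thread says do not belong in production AAAA records.
# Order matters: the first matching network wins, so ::/128 and ::1/128 must
# precede the deprecated IPv4-compatible block ::/96 that contains them.
SPECIAL_RANGES = [
    ("UNSPECIFIED",   "::/128"),
    ("LOOPBACK",      "::1/128"),
    ("IPV4-MAPPED",   "::ffff:0:0/96"),
    ("IPV4-COMPAT",   "::/96"),           # deprecated by RFC 4291
    ("NAT64-WKP",     "64:ff9b::/96"),    # RFC 6052 well-known prefix, not globally routable
    ("TEREDO",        "2001::/32"),
    ("DOCUMENTATION", "2001:db8::/32"),
    ("6TO4",          "2002::/16"),       # RFC 3056, relay-dependent
    ("UNIQUE-LOCAL",  "fc00::/7"),
    ("LINK-LOCAL",    "fe80::/10"),
    ("MULTICAST",     "ff00::/8"),
]
SPECIAL = [(label, ipaddress.IPv6Network(net)) for label, net in SPECIAL_RANGES]
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def classify(addr):
    """Return a label for the address: a special-range name, GLOBAL, or RESERVED."""
    a = ipaddress.IPv6Address(addr)
    for label, net in SPECIAL:
        if a in net:
            return label
    return "GLOBAL" if a in GLOBAL_UNICAST else "RESERVED"


def intended_sixtofour(ipv4):
    """The 6to4 prefix a host with this public IPv4 address would really get:
    2002:<v4 high 16>:<v4 low 16>::, i.e. the IPv4 address sits in bits 16..47."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80))


def audit(addr):
    """Return (verdict, reason) for one AAAA value.

    'ok'     - ordinary global unicast
    'warn'   - 6to4 with a routable relay address: works, but depends on
               third-party relays, so the thread advises against publishing it
    'broken' - anything that cannot be reached from the public IPv6 Internet
    """
    a = ipaddress.IPv6Address(addr)
    label = classify(addr)
    if label == "GLOBAL":
        return ("ok", "global unicast")
    if label == "6TO4":
        relay = a.sixtofour                      # IPv4 address embedded in bits 16..47
        if not relay.is_global:
            # Jeroen's case: 2002::cf6c:8846 embeds 0.0.0.0 because the IPv4
            # address was typed into the low 32 bits instead of the prefix.
            low32 = ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)
            return ("broken",
                    "6to4 relay endpoint %s is not routable; low bits decode to %s, "
                    "the intended prefix would be %s"
                    % (relay, low32, intended_sixtofour(low32)))
        return ("warn", "6to4 via relay %s; reachability depends on third-party relays" % relay)
    return ("broken", "%s address published in DNS" % label)


def audit_zone(records):
    """records: iterable of (owner, aaaa) pairs -> list of (owner, aaaa, verdict, reason)."""
    return [(owner, aaaa) + audit(aaaa) for owner, aaaa in records]


# Constructed sample zone: the two 6to4 addresses and ::1 are quoted in the
# thread; the NAT64, documentation and "good" entries are made up for the demo.
SAMPLE_RECORDS = [
    ("www.azdes.gov",        "2002::cf6c:8846"),
    ("kernelnewbies.org",    "2002:4a5c:3b41:1:216:3eff:fe57:7f4"),
    ("langnese.nvg.ntnu.no", "::1"),
    ("news.example.net",     "64:ff9b::cb00:7132"),
    ("docs.example.net",     "2001:db8::1"),
    ("www.example.net",      "2a00:db8::1"),
]

if __name__ == "__main__":
    for owner, aaaa, verdict, reason in audit_zone(SAMPLE_RECORDS):
        print("%-7s %-22s %-36s %s" % (verdict, owner, aaaa, reason))
```

Run as a script it prints one verdict per record. 6to4 with a valid relay is only a warning here, matching the thread's position that it can work but has no business in production DNS; the NAT64 WKP is marked broken because the prefix is not globally routable (RFC 6052 section 3.2).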
Re: 6to4 in Internet aaaa records
Speaking of 6to4, can anyone recommend an easy setup how-to that is
understandable by non-networking types?

Preferably with the entire thing on the one box (we have only one bit
of software that does not understand IPv6, everything else does, so
are not wanting a specific dedi router type config to remote IPv4
boxes, the box is dual stack, we just need 6to4 to send IPv6 onto its
IPv4 address - oh and before some bright spark says it, because we
know someone will, no, the software can not be changed, it is a
closed source binary, and they have no future plans to add IPv6 to it,
and since it is a news server daemon, which has an enormous amount of
spool storage, we are not looking to start it fresh with something
else)

So any pointers to URLs appreciated.


On 10/5/14, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
> On 05/10/2014 00:04, Jeroen Massar wrote:
>> On 2014-10-04 12:56, Gert Doering wrote:
>>> Hi,
>>>
>>> On Sat, Oct 04, 2014 at 12:49:00PM +0200, Gert Doering wrote:
>>>> On Thu, Oct 02, 2014 at 10:31:25PM -0400, Jeroen Massar wrote:
>>>>>> <http://www.azdes.gov>)... 2002::cf6c:8846
>>>>> That is an invalid 6to4 address as it would have a 6to4 gateway of
>>>>> 0.0.0.0.
>>>> Uh, what?
>>>>
>>>> Who are you and what happened to the Jeroen I know who understands IPv6,
>>> [..]
>>>
>>> Aliens stole the body of Gert Doering, and now he can't find the button
>>> "withdraw this e-mail" in his Outlook mail client anymore...
>>
>> Hmmm, yeah a Gert using Outlook would be an excuse, but it seems more
>> that an alien stole his dog: "User-Agent: Mutt/1.5.23 (2014-03-12)" :)
>>
>> Dear Aliens: please return our Gert!
>>
>>> Sorry, of course Jeroen is right here, and I need to sleep more before
>>> typing. While anycast *is* the problem, of course the "exit side" of
>>> the tunnel needs an address, aka "gateway"...
>>
>> Can anybody local to Munich deliver some fresh coffee to Gert? :)
>
> I'm drinking coffee here in Auckland at 08:21, but there is no
> "send coffee" feature in Web RTC yet.
>
> Yes, everybody go and read RFC 6343 again please.
>
> Just to be clear though, a return relay for 6to4 will advertise
> a route to 2002::/16, since it must accept traffic for any 6to4
> host. But any packets sent to that AZDES address will black hole
> because the return relay will encapsulate them in IPv4 and deliver
> them to 0.0.0.0.
>
> Brian
>
Re: 6to4 in Internet aaaa records
On Mon, 13 Oct 2014, Nick Edwards wrote:

> boxes, the box is dual stack, we just need 6to4 to send IPv6 onto its
> IPv4 address - oh and before some bright spark says it, because we

From reading the above, 6to4 isn't what you think it is. 6to4 is a way to
tunnel IPv6 on top of IPv4, it's not a translation mechanism.

It seems you want a load balancer that can take an IPv6 incoming TCP
connection and talk to your IPv4 only news server... or you want to just
add a TCP bouncer that'll listen to an IPv6 socket and connect this
together with a new IPv4 socket call to ::1.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Re: 6to4 in Internet aaaa records
* Nick Edwards

> Speaking of 6to4, can anyone recommend an easy setup how-to that is
> understandable by non-networking types?
>
> Preferably with the entire thing on the one box (we have only one bit
> of software that does not understand IPv6, everything else does, so
> are not wanting a specific dedi router type config to remote IPv4
> boxes, the box is dual stack, we just need 6to4 to send IPv6 onto its
> IPv4 address - oh and before some bright spark says it, because we
> know someone will, no, the software can not be changed, it is a
> closed source binary, and they have no future plans to add IPv6 to it,
> and since it is a news server daemon, which has an enormous amount of
> spool storage, we are not looking to start it fresh with something
> else)
>
> So any pointers to URLs appreciated.

You can use something called "Stateful NAT64", specified in RFC6146 and
available from many different equipment vendors.

You'll have to configure it with an IPv6 translation prefix that's
globally available (for example 2001:db8:64::/96), and an IPv4 source
address pool (can be RFC1918, as long as it's reachable from the news
server, so let's say 172.16.0.0/16 as an example).

Assuming your news server has an IPv4 IN A DNS record of
203.0.113.50, you should now add an IPv6 IN AAAA DNS record of
2001:db8:64::203.0.113.50, and things will Just Work. The news server
will see IPv6 clients as connecting from addresses within 172.16.0.0/16.

You'll also probably want to drop traffic to addresses in
2001:db8:64::/96 that do not correspond to your own IPv4 addresses that
you want made available through this system.

An alternative «one box» solution would be to run the news server binary
from an inetd implementation that supports IPv6.

Tore
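Added example (editor's code, not Tore's and not taken from any NAT64 implementation): the RFC 6052 address arithmetic behind that AAAA record, generalized to all six prefix lengths the RFC permits, plus the two policy checks the thread argues for: refuse to publish a record under the well-known prefix 64:ff9b::/96, and on the translator accept only synthesized destinations that map to IPv4 addresses you actually mean to expose. The prefix 2001:db8:64::/96 and the server address 203.0.113.50 are Tore's; the set of published addresses and all function names are the editor's.

```python
"""RFC 6052 IPv4-embedded IPv6 address arithmetic for a NAT64 deployment.

Added example, not code from the thread or from any NAT64 product.
Python 3 stdlib only.  The translation prefix 2001:db8:64::/96 and the
server 203.0.113.50 are the ones used in the message above; the set of
"published" IPv4 addresses is constructed for the demo.
"""
import ipaddress

# RFC 6052 section 2.2 allows exactly these prefix lengths.  For lengths
# below 96 the IPv4 address is split around byte 8 (bits 64..71), the
# reserved "u" octet, which must stay zero.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WKP = ipaddress.IPv6Network("64:ff9b::/96")        # the well-known prefix


def _check_len(plen):
    if plen not in VALID_PREFIX_LENGTHS:
        raise ValueError("RFC 6052 prefix length must be one of %s" % (VALID_PREFIX_LENGTHS,))


def embed(prefix, plen, ipv4):
    """Synthesize the IPv6 address for `ipv4` under prefix/plen (RFC 6052 2.2)."""
    _check_len(plen)
    out = bytearray(ipaddress.IPv6Address(prefix).packed[:plen // 8])
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if len(out) == 8:              # skip the u octet; it stays zero
            out.append(0)
        out.append(octet)
    out.extend(b"\x00" * (16 - len(out)))   # suffix bits are zero
    return ipaddress.IPv6Address(bytes(out))


def extract(prefix, plen, ipv6):
    """Inverse of embed(): the IPv4 address carried in `ipv6`, or None if the
    address is not under prefix/plen."""
    _check_len(plen)
    raw = ipaddress.IPv6Address(ipv6).packed
    head = plen // 8
    if raw[:head] != ipaddress.IPv6Address(prefix).packed[:head]:
        return None
    octets = bytearray()
    i = head
    while len(octets) < 4:
        if i == 8:                     # the u octet is not part of the IPv4 address
            i += 1
        octets.append(raw[i])
        i += 1
    return ipaddress.IPv4Address(bytes(octets))


def aaaa_for(prefix, plen, ipv4):
    """The AAAA value to publish so IPv6 clients reach an IPv4-only server
    through the translator.  Refuses the WKP: RFC 6052 section 3.2 does not
    allow 64:ff9b::/96 more-specifics to be routed, so such a record only
    reaches the publisher's own NAT64 clients and black-holes for everyone else."""
    _check_len(plen)
    if ipaddress.IPv6Network("%s/%d" % (prefix, plen), strict=False) == WKP:
        raise ValueError("do not publish AAAA records under the NAT64 well-known prefix")
    return embed(prefix, plen, ipv4)


def permit(prefix, plen, dst_ipv6, published_ipv4):
    """Translator-side ingress policy: accept an IPv6 packet destined to the
    prefix only if it maps to an IPv4 address you mean to expose (the
    'drop everything else' advice above).  Returns the IPv4 target or None."""
    v4 = extract(prefix, plen, dst_ipv6)
    if v4 is None or v4 not in published_ipv4:
        return None
    return v4


PREFIX, PLEN = "2001:db8:64::", 96                     # the thread's example prefix
PUBLISHED = {ipaddress.IPv4Address("203.0.113.50")}    # constructed: our news server

if __name__ == "__main__":
    rec = aaaa_for(PREFIX, PLEN, "203.0.113.50")
    print("news.example.net. IN AAAA", rec)
    print("permit", rec, "->", permit(PREFIX, PLEN, rec, PUBLISHED))
    print("permit 2001:db8:64::c000:201 ->",
          permit(PREFIX, PLEN, "2001:db8:64::c000:201", PUBLISHED))
```

The printed AAAA is 2001:db8:64::cb00:7132, which is the same address as the 2001:db8:64::203.0.113.50 in the message above written in mixed notation. The second permit() call shows a synthesized address for an IPv4 host that is not yours being refused, which is the filter Tore recommends.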
Re: 6to4 in Internet aaaa records
Hi,

On Mon, Oct 13, 2014 at 05:50:14PM +1000, Nick Edwards wrote:
> Speaking of 6to4, can anyone recommend an understandable by non
> networking types, easy setup how-to?

It should be pointed out that what you're asking for is not "6to4".

This term describes a very specific protocol that specifies how IPv6
packets are tunneled over IPv4 infrastructure, with the IPv4 address of
the tunnel endpoint identified by the 32bits of the IPv6 address following
the 2002: prefix (yes, I'm back, and had coffee).

What you want is "IPv6 to IPv4 translation" (or proxying etc.), and that
should not be called 6to4, even if the acronym sounds like it is the same
thing.

As far as the actual translation - others have already answered that part,
you can use a "stateful NAT64" box, or a proxy / load balancer that does
IPv6 and IPv4 ("IPv6 requests on the outside are forwarded to the IPv4 host
on the inside"), or just a plain TCP relay - depending very much on what
you have.

One of the problems you'll run into with that approach will be abuse
handling, of course. Your IPv4-only machine will see all incoming
connections as "it's coming from the NAT/the firewall/the proxy..."
as there is no way to relay the IPv6 source address in a generic IPv4
connection - you can do that for HTTP by inserting extra headers, for
example, but that will still require IPv6 awareness on the target
application...

Gert Doering
-- NetMaster
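Added example (editor's code, not from the thread): the "plain TCP relay" Mikael and Gert describe, in Python asyncio. It listens on an IPv6 socket, opens an IPv4 connection to the IPv4-only daemon for each client, and writes down the mapping between the real IPv6 client and the IPv4 source port the daemon will see, which is the piece of information Gert points out is otherwise lost for abuse handling. The self-test runs an echo server standing in for the news daemon on 127.0.0.1, relays a constructed NNTP-style line through ::1 (falling back to 127.0.0.1 on hosts without IPv6 loopback), and returns the reply and the mapping log. All names, ports and the payload are the editor's.

```python
"""IPv6-front, IPv4-back TCP relay with a source-mapping log.

Added example, not code from the thread.  Python 3.7+ stdlib (asyncio) only.
Every host, port and payload here is constructed for the demo.
"""
import asyncio


async def _pump(src, dst):
    """Copy bytes src -> dst until EOF or error, then close dst."""
    try:
        while True:
            chunk = await src.read(65536)
            if not chunk:
                break
            dst.write(chunk)
            await dst.drain()
    except OSError:
        pass
    finally:
        dst.close()


async def relay_client(client_reader, client_writer, backend_host, backend_port, connlog):
    """Handle one accepted connection: open the IPv4 leg, log the mapping,
    then shovel bytes both ways until either side closes."""
    client = client_writer.get_extra_info("peername")    # (ip, port, flow, scope) for IPv6
    try:
        backend_reader, backend_writer = await asyncio.open_connection(backend_host, backend_port)
    except OSError:
        client_writer.close()
        return
    local = backend_writer.get_extra_info("sockname")    # what the IPv4 daemon sees
    # The daemon's own logs only ever show local[0]:local[1]; this record is
    # the only way to tie an abuse report back to the real IPv6 client.
    connlog.append({"client": client[0], "client_port": client[1],
                    "seen_as": local[0], "seen_port": local[1]})
    await asyncio.gather(_pump(client_reader, backend_writer),
                         _pump(backend_reader, client_writer))


async def start_relay(listen_host, listen_port, backend_host, backend_port, connlog):
    """Bind the listener (normally an IPv6 address); returns the asyncio Server."""
    return await asyncio.start_server(
        lambda r, w: relay_client(r, w, backend_host, backend_port, connlog),
        listen_host, listen_port)


# --- self-test on loopback: an IPv4-only "news server" that echoes one read ---

async def _echo_once(reader, writer):
    writer.write(await reader.read(1024))
    await writer.drain()
    writer.close()


async def _selftest():
    connlog = []
    backend = await asyncio.start_server(_echo_once, "127.0.0.1", 0)   # IPv4-only daemon
    backend_port = backend.sockets[0].getsockname()[1]
    try:
        front_host = "::1"
        relay = await start_relay(front_host, 0, "127.0.0.1", backend_port, connlog)
    except OSError:                     # no IPv6 loopback here: still exercise the relay
        front_host = "127.0.0.1"
        relay = await start_relay(front_host, 0, "127.0.0.1", backend_port, connlog)
    relay_port = relay.sockets[0].getsockname()[1]

    payload = b"MODE READER\r\n"        # constructed NNTP-style request
    reader, writer = await asyncio.open_connection(front_host, relay_port)
    writer.write(payload)
    await writer.drain()
    reply = await asyncio.wait_for(reader.readexactly(len(payload)), 5)
    writer.close()
    await asyncio.sleep(0.1)            # let the pumps wind down
    relay.close()
    backend.close()
    return reply, connlog, front_host


def selftest():
    """Run the loopback self-test; returns (reply bytes, mapping log, front host)."""
    return asyncio.run(_selftest())


if __name__ == "__main__":
    reply, connlog, front = selftest()
    print("listened on", front, "- reply:", reply)
    for e in connlog:
        print("client [%s]:%d appeared to the IPv4 daemon as %s:%d"
              % (e["client"], e["client_port"], e["seen_as"], e["seen_port"]))
```

Run as a script it prints the echoed line and the one mapping entry. For a real deployment the daemon's port and the relay's listening port would be the same service port on the two address families, and the mapping log needs to be kept with timestamps for as long as abuse reports can arrive; nothing in the IPv4 stream itself carries the IPv6 source, as Gert notes.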