Re: [SPF:fail] Re: possible bad ipv6 mirror [partial solution]

Tim wrote:
> On Sat, 2010-01-16 at 16:49 +0800, Ed Greshko wrote:
>   
>> My ISP is a pure IPv4 ISP.  My ADSL modem doesn't know a thing about
>> IPv6.  Yet....
>>
>> [egreshko@f12 ~]$ ping6 2001:4860:c004::68
>>     
>
> I haven't done anything more than a quick check recently, but my ISP
> *didn't* support IPv6, hasn't made any announcements about supporting it
> that I can recall, nor does any other ISP I know of (bar one), nor does
> any domestic networking hardware that I know of support it (here in
> Australia).
>
> My ADSL router/modem is a standalone device, I don't use it as a raw
> modem (relying on a computer, behind it, to do all the authentication
> and routing), *it* has to be able to handle whatever I try to put
> through it.  And that is how I want to run my network.
>
> On the computer I haven't deliberately disabled IPv6:
> $ ping6 2001:4860:c004::68
> connect: Network is unreachable
>
> On the computer I deliberately disabled IPv6:
> $ ping6 2001:4860:c004::68
> socket: Address family not supported by protocol
>
> Both do exactly what I expect them to.  The same sort of error as I'd
> expect if I'd tried to do something with an unreachable IPv4 address on
> my network.
>
> The only way IPv6 can be used, is if there is a working IPv6 network
> between you and them, or you have something acting as your proxy
> bridging the gap.  That proxy has to be somewhere where it *can* bridge
> the gap.  It's no good putting one where it's still isolated.  And what
> happens when someone wants to connect back to you at your IPv6 address?
>   
That is where I think you need to do a bit of research.

As I have said....  My ISP is pure IPv4.  My ISP....just like
yours...*doesn't* support IPv6.

All you need to do is go to a tunnel broker such as
http://tunnelbroker.net/  and create a tunnel and then configure your
IPv6 stack accordingly.  You will then have a valid IPv6 Global IPv6
address and be able to access all IPv6 hosts and all IPv6 hosts will be
able to access *your* address.  There is *no* NAT of any sort.

Simple....
> Proxying/tunnelling are semantics for the same thing - doing one through
> the other, but neither is direct.  I view having to use a tunnel as
> being just about as bad as having to use NAT, and some of the IPv6 to
> IPv4 conversions are virtually the same as NAT (making at least one use
> of IPv6 pretty pointless, as IPv6 is one solution to avoid having to use
> NAT with IPv4).  Leaving us with yet another mess to have to deal with,
> instead of just doing things directly (i.e. IPv6 on my MODEM/router and
> ISP).
>   
That is also where I feel your view is incorrect.

To demonstrate....

I have 2 hosts with tunnels defined...

2001:470:1f04:735::2  and 2001:470:1f04:736::2

They are physically touching one another....

[egreshko@f12 scsi]$ traceroute6 2001:470:1f04:736::2
traceroute to 2001:470:1f04:736::2 (2001:470:1f04:736::2), 30 hops max, 80 byte packets
 1  egreshko-1.tunnel.tserv3.fmt2.ipv6.he.net (2001:470:1f04:735::1)  216.329 ms  222.104 ms  228.257 ms
 2  egreshko-2-pt.tunnel.tserv3.fmt2.ipv6.he.net (2001:470:1f04:736::2)  438.855 ms  441.324 ms  445.163 ms

Notice the trip times. 

I don't know another person with a valid IPv6 address to give better
examples.  But, they could connect to my webserver just fine using those
IPv6 addresses.

Anyway this demonstrates a full IPv6 connection...

traceroute to ipv6.l.google.com (2001:4860:c004::68), 30 hops max, 80 byte packets
 1  egreshko-1.tunnel.tserv3.fmt2.ipv6.he.net (2001:470:1f04:735::1)  215.810 ms  221.422 ms  225.343 ms
 2  1g-3-20.core1.fmt2.ipv6.he.net (2001:470:0:45::1)  226.193 ms  226.803 ms  227.612 ms
 3  10g-1-2.core1.pao1.ipv6.he.net (2001:470:0:30::2)  228.395 ms  228.333 ms  229.418 ms
 4  core2-1-1-0.pao.net.google.com (2001:504:d::1f)  229.704 ms  232.472 ms  234.285 ms
 5  2001:4860::1:0:7ea (2001:4860::1:0:7ea)  245.935 ms  246.659 ms 2001:4860::1:0:21 (2001:4860::1:0:21)  242.394 ms
 6  2001:4860::1:0:a9d (2001:4860::1:0:a9d)  262.085 ms 2001:4860::1:0:77d (2001:4860::1:0:77d)  282.670 ms 2001:4860::1:0:a9d (2001:4860::1:0:a9d)  229.794 ms
 7  2001:4860::1:0:610 (2001:4860::1:0:610)  229.791 ms 2001:4860::1:0:795 (2001:4860::1:0:795)  248.668 ms 2001:4860::1:0:610 (2001:4860::1:0:610)  229.500 ms
 8  2001:4860::1:0:298 (2001:4860::1:0:298)  327.540 ms  328.372 ms  331.515 ms
 9  2001:4860::1:0:794 (2001:4860::1:0:794)  385.779 ms  376.836 ms  382.525 ms
10  2001:4860::2a (2001:4860::2a)  404.631 ms  411.900 ms 2001:4860::29 (2001:4860::29)  382.330 ms
11  tx-in-x68.1e100.net (2001:4860:c004::68)  381.468 ms  383.952 ms  384.785 ms

> Simply finding the IPv4 address from the dual addresses for something
> that has both v4 and v6 isn't using IPv6, at all.  And for a lot of
> people (probably including those who think IPv6 is working for them),
> that's all that they'll be doing.  For instance, mplayer will do that
> when you try to connect to a stream over the net, first it'll try IPv6,
> then it'll fallback to IPv4.  In some cases, there's an annoying delay
> before the fallback.  Or no fallback, as it finds an address, but simply
> can't connect to it, and aborts trying anything else.
>   
First, I am talking about a situation where a given resource has only an
IPv6 address.  Not sure why you keep introducing the "dual" IPv4/IPv6 model.

I also don't know of any concept of "fall back".

If you were to use http://ipv6.google.com on a system that didn't have
IPv6 available, it would fail.  This is because....

[egreshko@f12 scsi]$ host ipv6.google.com
ipv6.google.com is an alias for ipv6.l.google.com.
ipv6.l.google.com has IPv6 address 2001:4860:c004::68

[egreshko@f12 scsi]$ host ipv6.l.google.com
ipv6.l.google.com has IPv6 address 2001:4860:c004::68

[egreshko@f12 scsi]$ host -t a ipv6.l.google.com
ipv6.l.google.com has no A record

[egreshko@f12 scsi]$ host -t aaaa ipv6.l.google.com
ipv6.l.google.com has IPv6 address 2001:4860:c004::68

As you can see.... ipv6.l.google.com has no IPv4 address so ... nothing
to fall back on.

> Before someone gives me it in the neck.  I do see the point of view that
> it's a solution looking for a problem, but the problem does exist (IPv4
> address exhaustion), it's just *when* it will be a problem is still
> debatable.  And it would be good to get it working ahead of time.  But
> this is not helped by manufacturers who continue to produce IPv4-only
> equipment (many years after we knew of this situation), and sell no
> additional/alternative IPv6 domestic equipment, making it next to
> impossible for all but true geeks to use IPv6.
>
> I see v6 bringing a myriad of its own problems, the chief ones being
> firewalling and address assignment.  Many of us are quite familiar at
> defining the division between WAN and LAN with IPv4, so we can control
> our network.  I've seen a dearth of clearly coherent information about
> the same sort of thing with IPv6, so I expect an awful lot of security
> problems down to network boundaries and firewall rule errors when it
> becomes available to the great unwashed.  Many of whom, currently,
> unwittingly rely on NAT /breaking/ networking to provide some insecure
> isolation from the rest of the world.  But will, then, have to set up
> dual rules (you'll need to have separate rules for IPv4 and IPv6
> addresses, if you want to firewall things).  And I wonder whether
> Windows will spend years repeating the mistakes it's done in the past,
> such as sharing out your LAN to all and sundry, by default.
>
> Not to mention the fun and games we'll have to go through to learn how
> to manage our own networks (address assignment; name resolution; having
> consistent name resolution when your assigned IPv6 address may be
> variable and assigned by something with little, or no,
> user-configuration possible; DHCP configuration, etc., etc., etc.).  And
> there'll probably some price gouging by webhosts and domain registrars
> for you to have an IPv6 address as well as your IPv4 one.
>
> I'd make an educated guess that our ISPs are avoiding implementing it
> because they want to avoid the additional work to do so.  Not to mention
> having to replace equipment that simply can't support it.
>
>   
There is no doubt that IPv6 adoption and implementation is slow for
various reasons.  As an end point for the average user and even for
Internet connectivity it is years away.  But, that wasn't the point.


-- 
The brotherhood of man is not a mere poet's dream; it is a most
depressing and humiliating reality. -- Oscar Wilde
