IPv6 brokenness and DNS whitelisting

Last updated

In the field of IPv6 deployment, IPv6 brokenness was bad behavior seen in early tunneled or dual stack IPv6 deployments where unreliable or bogus IPv6 connectivity is chosen in preference to working IPv4 connectivity. This often resulted in long delays in web page loading, where the user had to wait for each attempted IPv6 connection to time out before the IPv4 connection was tried. [1] These timeouts ranged from being near-instantaneous in the best cases, to taking anywhere between four seconds to three minutes. [2]

Contents

IPv6 brokenness is now generally regarded as a solved problem for almost all practical purposes, following improvements at both the transport and application layers. [3]

Brokenness

As of May 2011, IPv6 brokenness as measured by instrumenting a set of mainstream Norwegian websites was down to ~0.015%, [4] most of which was caused by older versions of Mac OS X which would often prefer non-working IPv6 connectivity when it was not justified. [5] This behavior was fixed in Mac OS X 10.6.5, and is likely to decline further as Mac OS X 10.6.5 and subsequent versions roll out to a wider audience. However, there was no upgrade path for PowerPC-based Macs. [6]

The main remaining problem for Mac OS X was the presence of rogue routers, such as wrongly configured Windows Internet Connection Sharing devices pretending to have IPv6 connectivity, while 6to4 tunneled IPv6 traffic is blocked at a firewall.[ citation needed ] Another problem was pre-10.50 versions of Opera.[ citation needed ]

Following World IPv6 Day in July 2011, there were reports of a substantial reduction in IPv6 brokenness as a result of that experiment. [7] In the year following the trial, but prior to the World IPv6 Launch date, brokenness levels were reported to have risen slowly back upwards again towards 0.03%. [8]

DNS allowlisting

Google, a major provider of services on the Internet, experimented with using a type of DNS allowlisting on a per-ISP basis to prevent this [9] [10] until the World IPv6 Launch. In the DNS allowlisting approach, ISPs are determined from DNS lookup source IP addresses by correlating them with network prefixes derived from routing tables. There is an IETF draft entitled "IPv6 AAAA DNS Allowlisting Implications" that describes the issues around allowlisting. AAAA records are only sent to ISPs that can demonstrate that they are providing reliable IPv6 to their customers. Other ISPs are sent only A records, thus preventing users from attempting to connect over IPv6 when hostnames are used instead of ipv6-addresses.

Numerous concerns were raised about the practicality of DNS allowlisting as a long-term large-scale solution, such as scalability and maintenance issues relating to the maintenance of large numbers of bilateral agreements. [11] In 2010, several of the major web service providers met to discuss pooling their DNS allowlisting information in an attempt to avoid these scaling problems. [12]

Problem resolution

It appears that no major content providers eventually ended up using the allowlisting approach, given that all that had previously declared an interest began serving AAAA records to generic DNS queries following World IPv6 Launch Day. Google now provides AAAA records to all DNS servers except for those on a limited list of subnets which Google excludes from AAAA record service. [13] [14]

As of 2017, IPv6 brokenness is now generally regarded as a non-problem. This is due to two factors: firstly, IPv6 transport is much improved, so that the underlying error rate is much reduced, and secondly, that common applications such as web browsers now use fast fallback methods such as the "Happy Eyeballs" algorithm to select whichever protocol works best. [3] Some operating system vendors have rolled fast fallback algorithms into their higher-level network stack APIs, thus making the solution available for all programs that use those APIs to make connections. [15]

See also

Related Research Articles

<span class="mw-page-title-main">IPv6</span> Version 6 of the Internet Protocol

Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion, and was intended to replace IPv4. In December 1998, IPv6 became a Draft Standard for the IETF, which subsequently ratified it as an Internet Standard on 14 July 2017.

Zero-configuration networking (zeroconf) is a set of technologies that automatically creates a usable computer network based on the Internet Protocol Suite (TCP/IP) when computers or network peripherals are interconnected. It does not require manual operator intervention or special configuration servers. Without zeroconf, a network administrator must set up network services, such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), or configure each computer's network settings manually.

Multihoming is the practice of connecting a host or a computer network to more than one network. This can be done in order to increase reliability or performance.

In computer networking, Teredo is a transition technology that gives full IPv6 connectivity for IPv6-capable hosts that are on the IPv4 Internet but have no native connection to an IPv6 network. Unlike similar protocols such as 6to4, it can perform its function even from behind network address translation (NAT) devices such as home routers.

In the context of computer networking, a tunnel broker is a service which provides a network tunnel. These tunnels can provide encapsulated connectivity over existing infrastructure to another infrastructure.

BGP hijacking is the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables maintained using the Border Gateway Protocol (BGP).

<span class="mw-page-title-main">IPv4 address exhaustion</span> Depletion of unallocated IPv4 addresses

IPv4 address exhaustion is the depletion of the pool of unallocated IPv4 addresses. Because the original Internet architecture had fewer than 4.3 billion addresses available, depletion has been anticipated since the late 1980s when the Internet started experiencing dramatic growth. This depletion is one of the reasons for the development and deployment of its successor protocol, IPv6. IPv4 and IPv6 coexist on the Internet.

AICCU was a popular cross-platform utility for automatically configuring an IPv6 tunnel. It is free software available under a BSD license. The utility was originally provided for the SixXS Tunnel Broker but it can also be used by a variety of other tunnel brokers.

An IPv6 transition mechanism is a technology that facilitates the transitioning of the Internet from the Internet Protocol version 4 (IPv4) infrastructure in use since 1983 to the successor addressing and routing system of Internet Protocol Version 6 (IPv6). As IPv4 and IPv6 networks are not directly interoperable, transition technologies are designed to permit hosts on either network type to communicate with any other host.

<span class="mw-page-title-main">Mac OS X Snow Leopard</span> Seventh major version of macOS, released in 2009

Mac OS X Snow Leopard is the seventh major release of macOS, Apple's desktop and server operating system for Macintosh computers.

The deployment of IPv6, the latest version of the Internet Protocol (IP), has been in progress since the mid-2000s. IPv6 was designed as the successor protocol for IPv4 with an expanded addressing space. IPv4, which has been in use since 1982, is in the final stages of exhausting its unallocated address space, but still carries most Internet traffic.

<span class="mw-page-title-main">IPv6 address</span> Label to identify a network interface of a computer or other network node

An Internet Protocol version 6 address is a numeric label that is used to identify and locate a network interface of a computer or a network node participating in a computer network using IPv6. IP addresses are included in the packet header to indicate the source and the destination of each packet. The IP address of the destination is used to make decisions about routing IP packets to other networks.

<span class="mw-page-title-main">IPv6 rapid deployment</span> Internet transition mechanism

6rd is a mechanism to facilitate IPv6 rapid deployment across IPv4 infrastructures of Internet service providers (ISPs).

NAT64 is an IPv6 transition mechanism that facilitates communication between IPv6 and IPv4 hosts by using a form of network address translation (NAT). The NAT64 gateway is a translator between IPv4 and IPv6 protocols, for which function it needs at least one IPv4 address and an IPv6 network segment comprising a 32-bit address space. The "well-known prefix" reserved for this service is 64:ff9b::/96.

<span class="mw-page-title-main">World IPv6 Day and World IPv6 Launch Day</span> Technical testing and publicity events

World IPv6 Day was a technical testing and publicity event in 2011 sponsored and organized by the Internet Society and several large Internet content services to test and promote public IPv6 deployment. Following the success of the 2011 test day, the Internet Society carried out a World IPv6 Launch day on June 6, 2012 which, instead of just a test day, was planned to permanently enable IPv6 for the products and services of the participants.

<span class="mw-page-title-main">IVI Translation</span> Stateless IPv4/IPv6 translation technique

IVI Translation refers to a stateless IPv4/IPv6 translation technique. It allows hosts in different address families communicate with each other and keeps the end-to-end address transparency.

Happy Eyeballs is an algorithm published by the IETF that makes dual-stack applications more responsive to users by attempting to connect using both IPv4 and IPv6 at the same time, thus minimizing IPv6 brokenness and DNS whitelisting experienced by users that have imperfect IPv6 connections or setups. The name "happy eyeballs" derives from the term "eyeball" to describe endpoints which represent human Internet end-users, as opposed to servers.

<span class="mw-page-title-main">OS X Mavericks</span> Tenth major release of OS X

OS X Mavericks is the 10th major release of macOS, Apple Inc.'s desktop and server operating system for Macintosh computers. OS X Mavericks was announced on June 10, 2013, at WWDC 2013, and was released on October 22, 2013, worldwide.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States. In May 2020, Chrome switched to DNS over HTTPS by default.

DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. The well-known port number for DoT is 853.

References

  1. Yves Poppe (Oct 12, 2010). "IPv6 and the Fear of Brokenness". CircleID. Retrieved 2010-12-29.
  2. Lorenzo Colitti. "IPv6 transition experiences" (PDF). Retrieved 2010-12-29. presented at NANOG 50
  3. 1 2 Marsan, Carolyn Duffy. "'IPv6 brokenness' problem appears fixed". Network World. Archived from the original on July 5, 2015. Retrieved 2017-01-06.
  4. Tore Anderson. "IPv6 dual-stack client loss in Norway" . Retrieved 2011-06-16.[ permanent dead link ]
  5. Tore Anderson. "Measuring and combating IPv6 brokenness" (PDF). Retrieved 2010-12-29., presented at RIPE 61, Rome, November 2010
  6. Iljitsch van Beijnum (12 November 2010). "Apple fixes broken IPv6 by breaking it some more". Ars Technica. Retrieved 2010-12-29.
  7. Carolyn Duffy Marsan (July 27, 2011). "'IPv6 brokenness' problem appears fixed". Network World. Archived from the original on April 4, 2012. Retrieved June 5, 2012.
  8. Stephen Shankland (June 4, 2012). "Internet powers flip the IPv6 switch (FAQ)". CNET News.
  9. "Google over IPv6" . Retrieved 2010-12-29.
  10. Iljitsch van Beijnum (29 March 2010). "Yahoo wants two-faced DNS to aid IPv6 deployment". Ars Technica. Retrieved 2010-12-29.
  11. Jason Livingood (October 2010). "IPv6 DNS Allowlisting Overview and Implications" (PDF). Comcast. Retrieved 2010-12-29., presented at IETF79, Beijing
  12. Carolyn Duffy Marsan (29 March 2010). "Google, Microsoft and Yahoo talk about IPv6 allowlist". Techworld. Archived from the original on 2011-01-26. Retrieved 2010-12-29.
  13. "World IPv6 Launch: Keeping the Internet growing". Official Google Blog. Retrieved 2017-01-06.
  14. "Google IPv6 AAAA record network exclusion list" . Retrieved 2017-01-06.
  15. "In wake of World IPv6 Day, browsers resist IPv6 brokenness—but should they?". Ars Technica. Retrieved 2017-01-06.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.