Talk:Customer problems that could occur

From ARIN IPv6 Wiki

Jump to: navigation, search

Some explanation about why the user experience is destroyed by Vista's automatic enabling of 6to4/Teredo seems in order.

One problem that happens when a remote site lists both IPv4 and IPv6 (non-6to4) addresses is that the application often chooses the IPv6 address in preference to the IPv4 address. The traffic then goes through a relay router, which often does one of two things: One, it slows down performance because the route is poor. Two, the route is so poor that the connection times out, which causes a delay of several seconds before the application fails over to the IPv4 address.

(I think this could be fixed if the default address selection rules were changed to favor a native IPv4 connection over a IPv6 connection between a 6to4 address and a native v6 address, and perhaps a similar rule for connections between native v6 and Teredo. Native-to-native and 6to4-to-6to4 IPv6 connections could still be favored over IPv4 connections. But that's something for IETF and/or OS vendors to fix more than for network operators.)

I agree that a site behind a NAT using non-RFC 1918 addresses would do well to set up a 6to4 relay, but I don't think you should be telling people to return ICMP unreachable right off the bat. That's presuming a lot. The general approach would be to set up a 6to4 router and a 6to4 relay and subject all IPv6 traffic to the same constraints that are imposed on IPv4 traffic.

A big set of customer issues regarding IPv6 in general (whether native, 6to4, or Teredo) involve making site policy apply equally to IPv6 and IPv4 traffic. IPv6 should not be allowed to be an end-run around IPv4 security measures. Also, a site that employs traffic monitoring for IPv4 will want to do the same for IPv6.

Some kinds of IPv4 NAT are sold as security devices, even though this is a dubious claim. NAT should not be used with IPv6, and customers should not expect to use NAT as an IPv6 security measure. Statefull firewalls that do not employ address translation may be appropriate.

-Keith Moore

Retrieved from "http://www.getipv6.net/index.php/Talk:Customer_problems_that_could_occur"