
Major 'Net Players Mulling IPv6 Whitelist

Posted by Soulskill
from the transition-period dept.
netbuzz writes "From this week's IETF meeting in Anaheim comes word that leading Web content providers are talking about creating a shared list of customers who can access their Web sites via IPv6. The DNS Whitelist for IPv6 would be used to serve content to these IP addresses via IPv6 rather than through IPv4. David Temkin, network engineering manager with Netflix, says: 'We're looking into the same service that Google has, where we will try to track what connectivity the user has. We're in discussions with Google, Yahoo, Netflix and Microsoft to see whether it makes sense to have a shared, open source DNS whitelist service.' ISPs are not wild about the idea."

  • by John Hasler (414242) on Saturday March 27, 2010 @01:36PM (#31640930) Homepage

    If ISPs would get their heads out of their asses "this idea" would not be needed.

    • Re: (Score:3, Interesting)

      by snowraver1 (1052510)
      How so? I think that this is a good idea. It can solve the chicken & egg problem we have right now with the Internet and IPv6. By starting to point equipped web traffic to IPv6 services, there is an incentive to start creating IPv6 services with the hope that one day, everything will be reachable by IPv6.

      I'm not sure what you mean by the ISPs having their heads in their asses... Maybe you are referring to the lack of IPv6 availability. If so, at this point in the game, there is no point in offerin
      • Re: (Score:3, Interesting)

        by Abcd1234 (188840)

        How so?

        If ISPs rolled out proper v6 connectivity, this whitelist simply wouldn't be necessary. That's "how so".

        Maybe you are referring to the lack of IPv6 availability. If so, at this point in the game, there is no point in offering IPv6 because there is nowhere to go.

        Then they shouldn't grumble and whine because people decide to work around their broken networks, should they?

      • by grumbel (592662)

        If so, at this point in the game, there is no point in offering IPv6 because there is nowhere to go.

        The main reason why you want IPv6 is so that you could communicate client to client (VoIP, P2P, gaming, etc.). IPv6 provides basically no real advantage if all you want to do is communicate with a big service (youtube, google, etc.), as NAT and proxies mostly work just fine for those cases.

        So yeah, ISPs could provide the benefits of IPv6 right now, even when all the big services are still running IPv4 only.

        • by trapnest (1608791) <janusofzeal@gmail.com> on Saturday March 27, 2010 @02:34PM (#31641454)
          I want to use ipv6 because it's cool and new.
          • by Macrat (638047)
            Not only that, but ALL of my equipment at home is IPv6 ready and has been for years. Just waiting on the ISPs.
        • by Sir_Lewk (967686)

          What makes you think people won't still use stateful firewalls with IPv6?

          • by Dan Ost (415913)

            Please correct me if I'm wrong, but with IPv6, deep inspection of the packets at the firewall should be impossible because of IPSec.

        • The main reason why you want IPv6 is so that you could communicate client to client (VoIP, P2P, gaming, etc.). IPv6 provides basically no real advantage if all you want to do is communicate with a big service (youtube, google, etc.), as NAT and proxies mostly work just fine for those cases.

          Multicast...

          • by amorsen (7485)

            Multicast doesn't automatically get deployed with IPv6.

            Multicast across providers is an unsolved problem, quite possibly an unsolvable problem. Just forget about it, it's putting intelligence in the network and the whole point of the Internet is that the routers are stupid.

    • by mellon (7048) on Saturday March 27, 2010 @02:09PM (#31641260) Homepage

      Actually it's not the ISPs they're referring to who have their heads in their asses. Indeed, I don't think anybody has their heads in their asses on this one--each side of the discussion has legitimate points. From the perspective of IPv6 deployment, the whitelists suck, because mostly they prevent people who are trying to use IPv6 from using it--you have to be on the whitelist before you can get AAAA records from these online services. It's very hard to get on the whitelist, and very easy to get knocked off of it.

      ISPs who are deploying IPv6 want to just get the AAAA records, and not have to jump through hoops to get on a whitelist. But the providers worry about people who have crappy home gateways that fall over and die when they get AAAA records, and also about people who have devices on their networks advertising IPv6 connectivity, when they don't actually have it. One presentation in that meeting set the number at about .8% of users, which they felt was too many.

      Personally, I think they should just turn on the AAAA records and let the customers who have broken routers see that their routers are broken and fix them. But it's a rough tradeoff--IPv6 has at times gotten a bad rep for being the cause of network problems, and so network know-nothings tend to tell you "IPv6 is the problem" when in fact it's bad code on embedded devices that's the problem. Since disabling IPv6 "fixes" it, IPv6 gets the blame. That's the rationale for the whitelists, and as much as I hate them, I can't say that this rationale is completely wrong.

      • Re: (Score:3, Insightful)

        by Abcd1234 (188840)

        Actually it's not the ISPs they're referring to who have their heads in their asses. Indeed, I don't think anybody has their heads in their asses on this one--each side of the discussion has legitimate points. From the perspective of IPv6 deployment, the whitelists suck, because mostly they prevent people who are trying to use IPv6 from using it--you have to be on the whitelist before you can get AAAA records from these online services. It's very hard to get on the whitelist, and very easy to get knocked of

      • by amorsen (7485)

        Personally, I think they should just turn on the AAAA records and let the customers who have broken routers see that their routers are broken and fix them.

        If you were Google, would you be willing to sacrifice 0.7% of your users just to be an IPv6 pioneer? They'd be gaining less than 0.01% of users who are IPv6 only.

      • I don't think anybody has their heads in their asses on this one--each side of the discussion has legitimate points.

        But IPv6 is coming whether they like it or not. There's no stopping it, and the closer we get to the available IPv4 pool drying up the less time they'll have to implement IPv6.

        Sh!t or get off the pot? It's time to do both.

  • Not a "whitelist" (Score:4, Insightful)

    by pem (1013437) on Saturday March 27, 2010 @01:38PM (#31640952)
    This is not a whitelist proposal.

    This is the mother of all cookies.

    • Re: (Score:3, Interesting)

      by marcansoft (727665)

      Just wait until the tinfoil hatters realize that by default IPv6 stateless autoconfiguration puts your globally unique MAC address in the second half of your IPv6 address...

      • Re:Not a "whitelist" (Score:5, Interesting)

        by Abcd1234 (188840) on Saturday March 27, 2010 @02:08PM (#31641252) Homepage

        LOLFR, "globally unique MAC address"... riiight. No manufacturer has *ever* reused a MAC address... *snicker*

        • Case in point, about 10 years ago I had a friend who worked for a School for the Blind (they had more than just blind kids there at the time) and they set up a network using off the shelf components from a local (big name) electronics store. Though each machine worked fine on its own, they couldn't get anything to work on the network. After hours of trying different things out they found out every single network card they bought had exactly the same MAC address. As soon as they returned them and went to a

          • I've seen NICs that default to a specific MAC when they start to go bad, but are otherwise working. That can cause bad networking like at the school you mentioned. My guess is the local store got a bunch of returns, tested them in house and saw they worked, then resold them. I have a few of these IDE NICs if anyone's interested in this unique feature...
        • MAC addresses are _mostly_ unique, which is plenty to cause privacy concerns. The fact that some manufacturers use duplicate MACs isn't going to appease the tinfoil hatters.

          RFC3041 will, but people have to actually implement it and use it by default.

        • Re: (Score:3, Informative)

          by Airw0lf (795770)

          LOLFR, "globally unique MAC address"... riiight. No manufacturer has *ever* reused a MAC address... *snicker*

          Not to mention a lot of NIC drivers let you specify your own MAC address.
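
Added example, not part of any comment in this thread: the stateless-autoconfiguration behaviour discussed above (the MAC placed in the low 64 bits of the address, which RFC3041 temporary addresses avoid) can be checked on your own address lists. The prefixes, MAC and addresses below are constructed sample values, and the function names are this example's own.

```python
import ipaddress
from collections import defaultdict

def slaac_address(prefix: str, mac: str) -> str:
    """Address a host forms from a /64 prefix and its MAC (modified EUI-64)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration uses a /64 prefix")
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("MAC must be 6 bytes")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))

def embedded_mac(addr: str):
    """Return the MAC recoverable from an address, or None if the interface
    identifier is not in modified EUI-64 form."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    # ff:fe in the middle marks EUI-64; a random identifier matches this
    # pattern by chance only about once in 65536 addresses.
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in m)

def linkable_hosts(addresses):
    """MACs that appear under more than one /64, i.e. the same interface
    recognisable across different networks."""
    seen = defaultdict(set)
    for a in addresses:
        mac = embedded_mac(a)
        if mac:
            seen[mac].add(str(ipaddress.IPv6Network(a + "/64", strict=False)))
    return {mac: sorted(p) for mac, p in seen.items() if len(p) > 1}

# Constructed sample: one laptop on two networks, plus a temporary
# (randomised) address of the kind RFC3041 describes.
SAMPLE_ADDRESSES = [
    slaac_address("2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e"),
    slaac_address("2001:db8:beef:10::/64", "00:1a:2b:3c:4d:5e"),
    "2001:db8:1:2:5c9d:7e11:a3f0:42b6",
]

if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(a, "->", embedded_mac(a))
    print(linkable_hosts(SAMPLE_ADDRESSES))
```
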

    • by mellon (7048) on Saturday March 27, 2010 @02:11PM (#31641280) Homepage

      Yes, a cookie that says you get your connectivity through an ISP that's on the whitelist. Ooh, scary! :')

      • How do you get on this whitelist? It may well be that metadata must be supplied for that to happen. Is the metadata also stored with the list? What does the metadata consist of?

        Maybe nothing but the IP address is stored on the list, but any additional data stored on the list is essentially a cross-site cookie.

        • by Abcd1234 (188840) on Saturday March 27, 2010 @02:48PM (#31641556) Homepage

          How do you get on this whitelist?

          *You* don't get on the whitelist. Your ISP gets on the whitelist, by demonstrating they have functional v6 network connectivity. Once that's done, the ISP is added to the whitelist, and thereafter, any DNS records resolved using the ISP's DNS servers will include AAAA records from participating content providers.

          For example, Hurricane Electric entered just this sort of agreement with Google. As such, anyone using HE's DNS servers gets Google's AAAA records, and so because I use HE as my tunnel broker, I get access to Google via v6. However, Google knows nothing about me in particular.

          • Your ISP gets on the whitelist, by demonstrating they have functional v6 network connectivity. Once that's done, the ISP is added to the whitelist, and thereafter, any DNS records resolved using the ISP's DNS servers will include AAAA records from participating content providers.

            This all seems completely pointless to me. There is no harm in including the AAAA records in all replies - if you have no IPv6 connectivity then your software will simply fall back to the A record (which would also be supplied).

            Sure, if your machine's routing table is screwed so it thinks it can reach the server's IPv6 address when it can't then things will break, but that's just tough shit - if your configuration is completely broken then you shouldn't complain when things break badly.

            • by amorsen (7485)

              Sure, if your machine's routing table is screwed so it thinks it can reach the server's IPv6 address when it can't then things will break, but that's just tough shit - if your configuration is completely broken then you shouldn't complain when things break badly.

              Google loses about 0.7% of requests if they turn on AAAA's. Sure it's the fault of the customer, but that's real money lost for them.
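
Added example, not part of any comment in this thread and not any provider's actual code: a sketch of the mechanism described in the sub-thread above, where the authoritative side decides whether to hand out AAAA records from the address of the querying resolver. The zone data, whitelist prefixes and function names are constructed; answering a filtered AAAA query with an empty NOERROR response instead of dropping it is this example's assumption.

```python
import ipaddress

# Constructed data: resolver networks of ISPs that have shown working IPv6,
# and a one-name zone using documentation address ranges.
WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "2001:db8:53::/48")]
ZONE = {"www.example.com.": {"A": ["198.51.100.10"], "AAAA": ["2001:db8:80::10"]}}

def resolver_whitelisted(resolver_ip: str, whitelist=WHITELIST) -> bool:
    """True if the query came from a resolver inside a whitelisted network."""
    ip = ipaddress.ip_address(resolver_ip)
    return any(ip.version == net.version and ip in net for net in whitelist)

def answer(qname: str, qtype: str, resolver_ip: str):
    """Return (rcode, records) as the authoritative server would.

    The decision is keyed on the resolver, not on the end user: the server
    never sees which customer behind the resolver asked.
    """
    rrsets = ZONE.get(qname.lower())
    if rrsets is None:
        return ("NXDOMAIN", [])
    if qtype == "AAAA" and not resolver_whitelisted(resolver_ip):
        # Always reply; an empty answer lets the client move on to the A
        # record at once, whereas a dropped query would leave it waiting.
        return ("NOERROR", [])
    return ("NOERROR", list(rrsets.get(qtype, [])))

def client_view(qname: str, resolver_ip: str):
    """Addresses a dual-stack client ends up with via a given resolver,
    IPv6 first, as a client preferring IPv6 would try them."""
    return answer(qname, "AAAA", resolver_ip)[1] + answer(qname, "A", resolver_ip)[1]

if __name__ == "__main__":
    for resolver in ("192.0.2.5", "2001:db8:53:1::53", "203.0.113.9"):
        print(resolver, client_view("www.example.com.", resolver))
```

A customer of a whitelisted ISP who points at a third-party resolver gets only the A record, and anyone using a whitelisted resolver gets the AAAA record whatever the state of their own IPv6 path.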

  • by Xipher (868293) on Saturday March 27, 2010 @01:41PM (#31640972)

    Any ISP that's not "wild" about the idea should step up and work with the community on actually getting IPv6 connectivity as functional as IPv4. I can see Google/Netflix perspective here. If they don't have some sort of white list they will get a black eye for having poor service when it's not even a result of something they control. Hopefully this will be something very short lived but I can imagine if service providers don't step up and start taking IPv6 seriously it's just going to prolong the issue.

  • by pathological liar (659969) on Saturday March 27, 2010 @01:42PM (#31640986)

    The article doesn't make it particularly clear what that might be though. The closest I found was:

    "There's a pretty key reason for whitelisting," Temkin explains. "It's really, really easy for anyone using, for example, Hurricane Electric's tunneling to find that the IPv6 network becomes an island and that it is broken because they didn't update a tunnel...You end up with the customer having a bad experience. They never see the content or they only see the content after a 30-second wait."

    Which seems like a no-brainer to me: Fix the tunnel. I don't even understand how the whitelist might help that -- if the whitelist says "This user has IPv6 connectivity" and you have a broken tunnel either you don't get the content at all, or you still only see the content after a 30-second wait.

    The real 'island' problem is that IPv6 routing is kind of a mess. If you're on the east coast of North America and want to connect to western Europe, depending on who your provider is it may well decide to send all of your traffic through Korea, if it even makes it to your target at all. I imagine that's a problem that will solve itself as more routes come online.

    • by Abcd1234 (188840) on Saturday March 27, 2010 @02:11PM (#31641286) Homepage

      The real 'island' problem is that IPv6 routing is kind of a mess. If you're on the east coast of North America and want to connect to western Europe, depending on who your provider is it may well decide to send all of your traffic through Korea, if it even makes it to your target at all. I imagine that's a problem that will solve itself as more routes come online.

      It's actually worse than that. Currently many people have routers at home that send out v6 router advertisements despite not actually having IPv6 connectivity. The result is that many people end up with v6 addresses, and when those machines then try to connect to websites that advertise AAAA records, they end up with long delays as the browser first attempts a v6 connection, times out, and falls back to v4.

      Honestly, try googling for "Ubuntu disable ipv6" some time... it's amazing how many people are struggling with this issue. Which is why so many sites are reluctant to roll out v6 connectivity and AAAA records (even Google doesn't do external AAAA resolution unless your ISP has arranged a special agreement with Google which guarantees proper v6 connectivity (luckily Hurricane Electric has such an agreement, so as long as I use their DNS servers, I get v6 connectivity to all of Google's services)).

      • by swillden (191260)

        luckily Hurricane Electric has such an agreement, so as long as I use their DNS servers

        Very interesting... I have an IPv6 tunnel from HE and I'd like to get that working as well. Is it as simple as pointing your resolver at HE's DNS servers? If so, what are their addresses?

        • by Abcd1234 (188840)

          Very interesting... I have an IPv6 tunnel from HE and I'd like to get that working as well. Is it as simple as pointing your resolver at HE's DNS servers? If so, what are their addresses?

          Yup! That's all it takes. Just head to the "Tunnel Details" page for your HE tunnel. On that page is an "Available DNS Resolvers" section, which includes a v4 and a v6 address for their DNS server. Use that as your primary, and voila, you'll get AAAA records for most (all?) of Google's services.

          • by swillden (191260)
            I can't believe I never noticed those DNS servers in the tunnel info. I just went to google.com at the address 2001:4860:8002::69. Nifty!
        • by Trolan (42526)

          Those addresses should be on your tunnel's detail page.

        • by paul248 (536459)

          74.82.42.42

      • by paul248 (536459)

        The problem with Ubuntu is that their patched version of glibc always asks for AAAA records when IPv6 is enabled, regardless of whether the machine has an IPv6 route. Then when a client attempts to connect to an IPv6 host, it times out almost instantly because the kernel reports the lack of route. But that timeout isn't the problem.

        The real problem is in the AAAA DNS query itself. This can go wrong in a few ways:

        1) The authoritative DNS server is misconfigured, such that it completely drops AAAA queries.

  • by FuckingNickName (1362625) on Saturday March 27, 2010 @01:45PM (#31641028) Journal

    ...to plug it back in again, you get "a bad experience". Seriously, whitelisting just because people smart enough to set up a tunnel forget that it doesn't work any more? Stop being so damn dishonest and come out and admit why you want this whitelist.

    • by Abcd1234 (188840) on Saturday March 27, 2010 @02:05PM (#31641222) Homepage

      Seriously, whitelisting just because people smart enough to set up a tunnel forget that it doesn't work any more?

      Huh? What the hell are you talking about? The reason this whitelist is necessary is because many people are victims of routers that send out v6 router advertisements despite not having v6 connectivity, or are on a network that claims to have v6 connectivity, but that connectivity is actually broken. As a result, these people get v6 IPs, and then when software tries to connect to websites that advertise AAAA records, they get long delays while their browser times out attempting to connect over v6, at which point it falls back to v4.

      Hell, all you have to do is Google for "ubuntu disable IPv6" to see how many people are suffering with this problem.

      So, please, quit being a paranoid jackass. There are *very* good reasons to set up this whitelist, and TBH, I think it may be the only way to start getting sites to advertise AAAA records (right now they don't because they're afraid of impacting the user experience due to this very issue).

      • Huh? What the hell are you talking about?

        Well, to start off with I made the mistake of reading the fine article:

        "There's a pretty key reason for whitelisting," Temkin explains. "It's really, really easy for anyone using, for example, Hurricane Electric's tunneling to find that the IPv6 network becomes an island and that it is broken because they didn't update a tunnel...You end up with the customer having a bad experience. They never see the content or they only see the content after a 30-second wait."

        The reason this whitelist is necessary is because many people are victims of routers that send out v6 router advertisements despite not having v6 connectivity

        Which routers are these, and why is the correct procedure to maintain a massive whitelist (requiring ISP cooperation) rather than negotiating with ISPs to stop breaking IPv6 (requiring ISP cooperation)? What globally routable prefix are these routers advertising exactly, when they're not being assigned one?

        Hell, all you have to do is Google for "ubuntu disable IPv6" to see how many people are suffering with this problem.

        The problem of hundreds of sites advertising AAAA records which timeout? As someone who has had IPv6 connectivity for several years,

        • by Abcd1234 (188840)

          Which routers are these, and why is the correct procedure to maintain a massive whitelist (requiring ISP cooperation) rather than negotiating with ISPs to stop breaking IPv6 (requiring ISP cooperation)?

          I'm afraid I can't give you specific model numbers, but this is a very well known problem amongst content providers mulling the idea of rolling out v6. And we're talking home routers, here, not ISP core routers.

          And the whitelist *is* "negotiating with ISPs"... ie, they negotiate, the ISP sets up v6, and voil

          • but this is a very well known problem amongst content providers mulling the idea of rolling out v6

            The problem of ISPs distributing broken routers which manage to advertise a prefix which they aren't ever issued with? Perhaps you aren't sure yourself, since you haven't been able to name one router which exhibits the problem, but you're not making it clear what actually goes wrong and why the solution isn't to fix the problem (of distributing broken routers) rather than one huge bureaucratic bandaid.

            And the whitelist *is* "negotiating with ISPs"...

            Erm, yes, that's what I meant by, "negotiating with ISPs to stop breaking IPv6".

            ie, they negotiate, the ISP sets up v6, and voila, they're on the whitelist. Problem solved.

            If you regard negotiating w

            • by Abcd1234 (188840)

              The problem of ISPs distributing broken routers which manage to advertise a prefix which they aren't ever issued with? Perhaps you aren't sure yourself, since you haven't been able to name one router which exhibits the problem, but you're not making it clear what actually goes wrong and why the solution isn't to fix the problem (of distributing broken routers) rather than one huge bureaucratic bandaid.

              Because the whitelist is feasible? The alternative is to break connectivity for (according to these folks)

              • The alternative is to break connectivity for (according to these folks) .8% of users while those broken routers are fixed/replaced.

                The Internet is regularly broken for .8% of users for a multitude of reasons. Expecting all ISPs on the planet to end up cooperating with a huge Google-borne list is more of a political and administrative burden than inconveniencing .8% of users.

                In the next 3 or 4 years every site transitioning to IPv6 will need to do more than just add an IPv6 address one day and remove an IPv4 address at some point down the line. It's not just the issue the article seems to get its panties in a bother over, it's the more

                • by Abcd1234 (188840)

                  The Internet is regularly broken for .8% of users for a multitude of reasons.

                  That's a BS argument, though. The "internet" isn't broken for these people. IPv6 is broken for these people. If a content provider deploys IPv6, suddenly a *new* 0.8% of internet users will be highly annoyed trying to access their site. So, from a content provider's perspective, they can either inconvenience that .8% of users for no real appreciable gain in the short term, or they could just not bother.

                  The third option is this

  • by cdrguru (88047) on Saturday March 27, 2010 @01:49PM (#31641060) Homepage

    I suspect one significant impediment to implementation of IPv6 on the part of most ISPs is that it would take wholesale replacement of significant amounts of hardware.

    Sure, the latest model of a router may support IPv6, but the 200 or so that an ISP has may not and there may be no upgrade path for it. Just like there is no Windows Vista driver for some hardware - too old to bother with - there is plenty of hardware out there that will never support IPv6. Until this is replaced, IPv6 isn't going to happen.

    I think we have finally reached the point where new hardware supports IPv6, almost universally. So now we are just waiting until the older hardware is replaced. I suspect larger ISPs are somewhat reluctant to move out millions (and possibly tens of millions) of dollars worth of hardware before they have to.

    Of course, they could just raise the rates for everyone to cover it.

    • by Vancorps (746090)
      Except that every one of the printers I rented for my event, about 20 or so still don't support IPv6, they are Ricoh multi-function units that would cost thousands to buy. They are supposedly enterprise ready machines.
    • by Hadlock (143607)

      I would imagine most backbone hardware installed since 2002 has ipv6 capability, along with any residential neighborhoods wired up since 2005 or so. That makes up something like 30% of the US population. There are, however, office buildings full of IPv4 fiber equipment that will have to be replaced some day. As the cost comes down, I would imagine the units they replace will have 10x the capacity of those installed in the early-mid 1990s and cost a quarter of the units they are replacing, even adjusting for

  • The DNS Whitelist for IPv6 would be used to serve content to these IP addresses via IPv6 rather than through IPv4.

    Let me guess, those would be IPv6 addresses? ;)

    That obvious joke being made, I will now go read the article as the news blurb is useless, yet sounds interesting.

  • I am concerned that this idea, if implemented, would stick around for way too long and would actually impede the progress of IPv6 adoption. I would be much more comfortable with an idea like this if it had an expiration date from the start, e.g. "this listing mechanism will be considered deprecated after 2 years, and will become unavailable on <date>." Without this, I can see it being hard-coded into and depended on by way too many apps, tools, companies, sites etc etc for years to come, and actuall
