The IPv6 post office: labelling and sorting everywhere

Francesco Prelz

INFN, sezione di Milano

and members of the HEPix IPv6 group.

Summary

1. Protocol preference: a key IPV4 → IPv6 transition tool.
2. The joys and dreads of RFC3484 → RFC6724.
3. Where, how and when is preference established?
4. Four very pratical catches.
5. How to keep your eyeballs happy.

The IPv4→IPv6 transition.

Possibly the main change with IPv6.

• At least the link-local address on top of any larger or global scope address.
• ⇒ A source and a destination address have to be chosen for every network communication.
• Preferences for this choice are new system configuration parameters .
• The notion of a 'main' network address for a network interface disappears (except for Mobile IP, where the Home Address is always preferred).
• Whether IPv4 o IPv6 should be preferred on a dual-stack system is just a special case of this choice.
  • Painlessly keeping the preference for IPv6 everywhere is essential to prevent the transition train from derailing.
  • We'll show at least one case where this ceased to be true.
• All of this is documented in RFC6724. The Mount Pleasant RFC ?

Address families

Source and destination address selection.

Catch #3: the preferable local address.

1. All is well on an IPv6 host with a public IPv6 address.
2. Until one decides to add another public address, that happens to sort higher than the address that the host resolves to in the DNS:
   inet6 2001:760:4210:1::da:da01/64 scope global valid_lft forever
inet6 2001:760:4210:1::d/64 scope global valid_lft forever.
3. Suddenly, SSL hostname verifications of connections originating from the host start failing, as the traffic originates from the new address.
4. Solution: either tweak the source prefix table:
   prefix 2001:760:4210:1::da:0/112 label 8.
5. Or make sure all services bind their sending sockets to a specific address...

Catch #4: the dual-stack listener.

1. On hosts with hybrid IPv6/IPv4 network stacks (e.g. Linux), services that bind to the IPv6 'unspecified' address (:: - all-zeros) will happily bind to both IPv6 and IPv4 (unless they opt out via the IPV6_V6ONLY sockopt).
2. But usually this is obtained programmatically by requesting a passive socket on address family PF_UNSPEC.
3. Glibc handles this request by providing a source address that is preferred for connecting to localhost according to the rules of RFC3484, which is superseded by RFC6724, that claims it doesn't apply to this case.
4. This used to return a dual-stack listening socket, until a 2008 glibc commit fixed an issue where the IPv6 'localhost' address (::1) wasn't being assigned link-local scope, as mandated by RFC4291.
5. Result: as the IPV4 localhost address has the same label as all of IPv4 in the RFC6724 default rules, IPv4 single-stack binding is now preferred.

Happy eyeballs ?

• Somebody believes that the cost of falling back from a non-working protocol to a working protocol (either IPv4 or IPv6) is too expensive.
  • So the Happy Eyeballs algorithm to open connections on both stacks in parallel was described RFC6555 and implemented in certain clients (Chrome, Firefox).
• But this only helps if one of the two protocols is broken: as we heard, IPv6 has to work as well as its predecessor for the transition to make progress and remain unnoticed.
• The real way to keep eyeballs happy is to build on the NREN long-standing IPv6 readiness and keep the transition train moving forward.

References

• HEPix IPv6 group knowledge base: http://hepix-ipv6.web.cern.ch/knowledge-base.
• Countless RFCs: 2373, 2375, 2460, 2461, 2463, 2766, 3041, 3315, 3484, 3971, 4191, 4291, 4860, 4861, 4862, 4890, 4942, 4966, 6104, 6106, 6555. 6724.