RE: Teredo sunset - did it happen?

2014-11-17 Thread Christopher Palmer
We (Microsoft) have a standing plan to deactivate our public Teredo servers, 
which would essentially deactivate the default Teredo functionality in the 
Windows user base. We had thought to do that next year, but delayed for various 
reasons - one being that the pain/noise around its default activation on 
Windows devices has abated considerably over time.

The deactivation of our public Teredo service is not the same thing as 
sunsetting Teredo or deprecating the protocol entirely. It will still be used 
by the Xbox Live gaming stack and we strongly desire for network operators to 
continue to treat Teredo as a legitimate NAT traversal and IPv6 transition 
technology. Other uses of Teredo beyond gaming are being considered.


-Original Message-
From: ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de 
[mailto:ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de] On 
Behalf Of Brian E Carpenter
Sent: Monday, November 17, 2014 4:11 PM
To: Phil Mayers
Cc: IPv6 Ops list
Subject: Re: Teredo sunset - did it happen?

I said:

> But if the client has the old RFC 3483 policy table,
> ::ffff:0:0/96 has the lowest precedence so Teredo would win over IPv4,
> which is a Bad Thing. There isn't much to be done about that unless
> the user has netsh skills.

s/3483/3484/

  Brian

On 18/11/2014 13:01, Brian E Carpenter wrote:
> On 18/11/2014 07:12, Phil Mayers wrote:
>> On 17/11/2014 17:43, Darren Pilgrim wrote:
>>
>>>> Any ideas what's going on? Microsoft, anyone care to comment?
>>> Microsoft released a Windows Update for the prefix policy table.
>>> The update dropped Teredo's precedence to lower than IPv4.
>> Just to be clear - are you suggesting they did this instead of
>> sunsetting Teredo altogether?
>>
>> In any case, I was always under the impression this was the day-one
>> experience - Teredo would only be used to talk to another Teredo DNS
>> name or an IPv6-only name in the absence of native IPv6. Am I mistaken?
>
> I think that was always the intention, but unmanaged tunnels are
> liable to behave undesirably. From what Dave Thaler said during the
> discussion at the IETF last week on deprecating 6to4, MS clearly sees
> Teredo for Xbox-to-Xbox as operational and Teredo for regular
> client/server use as undesirable, same as you do.
> Dave therefore wanted no change to the RFC 6724 default policy table,
> which I assume is exactly what Windows now ships.
>
> Then, even if the Teredo interface comes up, since
> ::ffff:0:0/96 has higher precedence than 2001::/32, Teredo will not be
> tried unless there is no IPv4 address at all for the target host.
>
> But if the client has the old RFC 3483 policy table,
> ::ffff:0:0/96 has the lowest precedence so Teredo would win over IPv4,
> which is a Bad Thing. There isn't much to be done about that unless
> the user has netsh skills.
>
> Brian
 


RE: Microsoft: Give Xbox One users IPv6 connectivity

2014-03-14 Thread Christopher Palmer
Apologies for the staggered reply.

Another note, RFC 6092 is about IPv6 behavior. If our Teredo traffic is 
de-encapsulated, one will notice the traffic carries IPsec, which unambiguously 
should be allowed by section 3.2.4.

That's a theoretical point really, I don't expect (or necessarily even want) 
middle boxes to bust open Teredo and apply RFC 6092.

Recommendations for IPv4 NAT behavior and UDP, including discussion of UNSAF 
NAT traversal, fall closer to RFC 4787 IMHO.

Sent from my Windows Phone

From: Christopher Palmer <mailto:christopher.pal...@microsoft.com>
Sent: 3/13/2014 8:39 PM
To: Eric Vyncke (evyncke) <mailto:evyn...@cisco.com>; Marco Sommani
<mailto:marcosomm...@gmail.com>; ipv6-ops@lists.cluenet.de
<mailto:ipv6-ops@lists.cluenet.de>
Subject: RE: Microsoft: Give Xbox One users IPv6 connectivity

The relevant excerpt on Teredo usage:

Even for users that do have native IPv6 - Teredo will be used to interact with 
IPv4-only peers, or in cases where IPv6 connectivity between peers is not 
functioning. In general, Xbox One will dynamically assess and use the best 
available connectivity method (Native IPv6, Teredo, and even IPv4). The 
implementation is similar in spirit to RFC 6555.


This is from our online documentation. I have a tentative work item sitting in 
my queue to do something more proper for the IETF (like a draft).
http://download.microsoft.com/download/A/C/4/AC4484B8-AA16-446F-86F8-BDFC498F8732/Xbox%20One%20Technical%20Details.docx

The feedback about Teredo has been hard to digest. Our platform multiplayer 
solution uses standards for connectivity (Teredo/IPv6) and security (IPsec) - 
would it be better for the community to encourage opaque non-standard 
techniques instead? (this is a rhetorical question, not a call for discussion 
:P)

What is the intent of a CPE configuration that blocks an UNSAF NAT traversal 
mechanism using ports 3544 and 3074 (Xbox + Teredo), but allows other ports to 
be used for open NAT traversal?  That just seems like a very vendor-targeted 
blockage, like they dislike Xbox, but they're fine with other devices doing 
unknown things over UDP.

I know this isn't the intent, but a deeply negative person could look at this 
and say the policy is: block Microsoft products because they had the audacity 
to standardize their network behavior and use documented ports.

If a home router generally blocks NAT traversal, then I get it. I disagree 
with that default configuration and think it's the wrong thing for users, but 
at least it is something I can understand on principle.

-Original Message-
From: ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de 
[mailto:ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de] On 
Behalf Of Eric Vyncke (evyncke)
Sent: Thursday, March 13, 2014 11:09 PM
To: Marco Sommani; ipv6-ops@lists.cluenet.de
Subject: Re: Microsoft: Give Xbox One users IPv6 connectivity



On 14/03/14 00:21, Marco Sommani <marcosomm...@gmail.com> wrote:
> AVM is not alone in its choices: they just do what is suggested in RFC
> 6092 - Recommended Simple Security Capabilities in Customer Premises
> Equipment (CPE) for Providing Residential IPv6 Internet Service. I
> don't like what they do, but maybe we should blame IETF.
>
> Marco

I agree and disagree :-)

Agreement on the fact that AVM is not the only CPE vendor doing this (and also 
blaming ISP -- notably in my country 15% of broken IPv6 connectivity = 
Belgium)...

Disagreement: RFC 6092 has TWO settings: one close and one open and the choice 
should be given to the end-user. As you may know, there have been heated 
discussions at the IETF on this topic

-éric





RE: Microsoft: Give Xbox One users IPv6 connectivity

2013-10-11 Thread Christopher Palmer
It doesn't. The Windows Teredo sunset process and the usage of Teredo of Xbox 
are separate discussions. The server deployments are separate, the customers 
that are affected, etc.

I'll provide a fairly informal explanation for this divergence. On Windows, 
people aren't using Teredo for anything really cool (very informal). Teredo 
causes random headaches for customers and maintaining the service is moderately 
painful for our team. When we did the deactivation test, generally everything 
was great.

On Xbox One, Teredo's usage is focused on a particular application suite and 
forms a critical part of an end-user experience. Teredo by itself isn't useful, 
it's the secure P2P connectivity we're providing to developers, and the usage 
of Teredo is an implementation detail of the abstraction we're providing.

At some point we might consider exposing a similar abstraction in Windows 
(for games or otherwise) - which would put Teredo in a more advantageous light. 
But right now, on Windows, Teredo is just an IPv6 address providing limited 
end-user value.

-Original Message-
From: ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de 
[mailto:ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de] On 
Behalf Of Steinar H. Gunderson
Sent: Friday, October 11, 2013 5:09 AM
To: Christopher Palmer
Cc: Tassos Chatzithomaoglou; Tore Anderson; ipv6-ops@lists.cluenet.de; Dan Wing
Subject: Re: Microsoft: Give Xbox One users IPv6 connectivity

On Thu, Oct 10, 2013 at 01:22:06AM +, Christopher Palmer wrote:
> There are some network effects that complicate the story. Inevitably
> we have to use Teredo for lots of P2P, because IPv6 is so rare. You
> might have IPv6, but if your peer doesn't - alas. Also, address
> selection is sensitive to policy that we'll be tuning as the Xbox One launch
> progresses.

How does this interact with the previously announced Teredo sunsetting process?

/* Steinar */
--
Software Engineer, Google Switzerland


RE: Microsoft: Give Xbox One users IPv6 connectivity

2013-10-10 Thread Christopher Palmer
On the native side, it's important to note that the traffic is IPsec protected, 
so the protocol and port information may be obfuscated and in general is not 
predictable.

IKEv2 traffic is predictable, but we won't be using UPnP on the IPv6 side to 
enable in-bound IKEv2. Hopefully people follow the IETF recommendation and 
allow inbound IPsec/IKE to simply work. If not, it'll further encourage usage 
of traditional P2P mechanisms like Teredo, and we (as an industry) will have to 
put more energy into UPnP or PCP. That would be highly regrettable.

The thing about protocols like UPnP - the vendors who would ignore an IETF 
recommendation are likely to be the same vendors to skip out on making an 
adequate UPnP stack. Most people today do NOT have home routers that support 
UPnP.

-Original Message-
From: ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de 
[mailto:ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de] On 
Behalf Of Seth Mos
Sent: Thursday, October 10, 2013 6:01 AM
To: ipv6-ops@lists.cluenet.de
Subject: Re: Microsoft: Give Xbox One users IPv6 connectivity

On 10-10-2013 14:01, Brzozowski, John Jason wrote:
> Chris can you share details of the brokenness check?  What variables
> are considered?

Perhaps native IPv6 on the client with firewall rules that do not permit 
inbound traffic. A legit issue that can be expected to pop up.

Also, is there any active work on the uPNP extensions for IPv6 that allow hole 
punching in the firewall rules? (for native IPv6).

* Would this method also apply to the Xbox 360 in the coming years?

Kind regards,

Seth
 
 
> On Thu, Oct 10, 2013 at 12:02 AM, Christopher Palmer
> <christopher.pal...@microsoft.com> wrote:
>
>> John and Lorenzo beat me to it :).
>>
>> Example:
>>
>> Samantha has native IPv6 and Teredo.
>>
>> Albert has Teredo only.
>>
>> Albert, in destination address selection, will choose Samantha's
>> Teredo address. Samantha, in source address selection, will use her
>> Teredo address. This will avoid relay traversal.
>>
>> Xbox P2P policy is a bit more sophisticated than RFC 6724, but I
>> note that the avoidance of Teredo relays is also part of Windows
>> behavior. Windows address selection is a fairly clean implementation
>> of RFC 6724. In RFC 6724 terms, Teredo - Teredo is a label match
>> (Rule 5), Teredo - Native IPv6 is not. The biggest difference
>> between us and the standard is the brokenness check.
>>
>> This does complicate the dream. In order for a set of peers to use
>> native IPv6 - BOTH peers have to have native available. In the
>> pathological case, if half of the world has IPv6 and connects only
>> to the other half that only has Teredo, and no one actually uses
>> native IPv6.
>>
>> Realistically, matchmaking is going to prefer users close to you
>> (and a bunch of other things, like their gamer behavior and stuff).
>> Naively I expect IPv6 traffic to start as local pockets, Albert
>> playing against his neighbor, both with the same ISP. As IPv6
>> penetration grows hopefully we'll see significant P2P traffic
>> across the Internet use native IPv6 transport.
>>
>> From: ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de
>> [mailto:ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de]
>> On Behalf Of Lorenzo Colitti
>> Sent: Wednesday, October 9, 2013 8:26 PM
>> To: Geoff Huston
>> Cc: IPv6 Ops list; Christopher Palmer
>> Subject: Re: Microsoft: Give Xbox One users IPv6 connectivity
>>
>> On Thu, Oct 10, 2013 at 12:19 PM, Geoff Huston <g...@apnic.net> wrote:
>>
>>> But I've thought about your response, and if I'm allowed to
>>> dream (!), and in that dream where the efforts of Comcast,
>>> Google etc with IPv6 bear fruit, and I'm allowed to contemplate
>>> a world of, say, 33% IPv6 and 66% V4, then wouldn't we then see
>>> the remaining Teredo folk having 33% of their peer sessions head
>>> into Teredo relays to get to those 33% who are using unicast
>>> IPv6? And wouldn't that require these Teredo relays that we all
>>> know have been such a performance headache?
>>
>> Can't you fix that by telling the app if all you have is Teredo,
>> prefer Teredo even if the peer has native IPv6 as well?
>>
>> Of course this breaks down when IPv4 goes away, once IPv4 starts
>> going away then there's really way to do peer-to-peer without
>> relays, right? (Also, IPv4 going away is relatively far away at this
>> point.)
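
The address-selection behaviour discussed in this message (the Samantha/Albert label match) and in the 2014-11-17 message at the top of the page (RFC 3484 versus RFC 6724 policy tables), as an added example that is not part of the original posts. It applies only destination Rules 5 (matching label) and 6 (precedence) over the RFCs' default tables; all addresses are constructed and the function names are this example's own.

```python
import ipaddress

# Default policy tables as (prefix, precedence, label), per the two RFCs.
RFC3484 = [("::1/128", 50, 0), ("::/0", 40, 1), ("2002::/16", 30, 2),
           ("::/96", 20, 3), ("::ffff:0:0/96", 10, 4)]
RFC6724 = [("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
           ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
           ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12)]

def classify(addr, table):
    """Longest-prefix match in the policy table: (precedence, label)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:  # IPv4 is looked up as an IPv4-mapped address
        ip = ipaddress.IPv6Address("::ffff:" + addr)
    rows = [(ipaddress.ip_network(p), prec, label) for p, prec, label in table]
    _, prec, label = max((r for r in rows if ip in r[0]),
                         key=lambda r: r[0].prefixlen)
    return prec, label

def order_destinations(pairs, table):
    """Order (destination, source) pairs by Rule 5, then Rule 6, only.

    The source is the address source selection would pick for that
    destination; the other RFC 6724 rules are assumed to tie.
    """
    def key(pair):
        dst, src = pair
        d_prec, d_label = classify(dst, table)
        _, s_label = classify(src, table)
        return (d_label != s_label, -d_prec)  # label match, then precedence
    return [dst for dst, _ in sorted(pairs, key=key)]

# Constructed sample addresses (documentation ranges, Teredo prefix 2001::/32).
MY_TEREDO, PEER_TEREDO = "2001:0:c000:201::a", "2001:0:c000:201::b"
MY_V4, PEER_V4, PEER_NATIVE = "192.0.2.20", "198.51.100.7", "2001:db8::10"

# Client with IPv4 + Teredo reaching a host that has a Teredo and an IPv4 address.
TEREDO_VS_V4 = [(PEER_TEREDO, MY_TEREDO), (PEER_V4, MY_V4)]
# Albert (Teredo only) choosing between Samantha's native and Teredo addresses.
ALBERT_TO_SAMANTHA = [(PEER_NATIVE, MY_TEREDO), (PEER_TEREDO, MY_TEREDO)]

if __name__ == "__main__":
    for name, table in (("RFC 3484", RFC3484), ("RFC 6724", RFC6724)):
        print(name, "Teredo vs IPv4:", order_destinations(TEREDO_VS_V4, table))
    print("Albert -> Samantha:", order_destinations(ALBERT_TO_SAMANTHA, RFC6724))
```

With the RFC 3484 table a Teredo address has no entry of its own and falls under `::/0`, which is why it outranks IPv4 there; the RFC 6724 table gives `2001::/32` its own low-precedence row.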
 
 



RE: teredo.ipv6.microsoft.com off?

2013-07-16 Thread Christopher Palmer
I am acking this thread.

If there is feedback on the ongoing experiment or our consideration of 
sunsetting Teredo, do let me know.

So far people have been quite enthusiastic. 


-
christopher.pal...@microsoft.com
Windows Networking Core - Program Manager
Core Client Connectivity and Protocols


-Original Message-
From: ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de 
[mailto:ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de] On 
Behalf Of Ignatios Souvatzis
Sent: Sunday, July 14, 2013 11:52 PM
To: ipv6-ops@lists.cluenet.de
Subject: Re: teredo.ipv6.microsoft.com off?

On Sat, Jul 13, 2013 at 10:39:12PM +0300, Tassos Chatzithomaoglou wrote:

> At the same time, I'm thinking out loud...
> Why would a Windows application send a request to an IPv6 DNS
> server over native IPv6 in order to find the IPv4 address of a server
> and get IPv6 over IPv4 connectivity?

Why not? Thinking in order to is wrong... it's just a database lookup.

It just happens that in this case, asking over IPv6 can't work.
But this should be no problem as the database lookup will be repeated over 
other transports until it succeeds.

In the general case, you don't know whether connectivity to address X of type Y 
is possible until you try it, and unfortunately, sometimes only after a 
time-out period has passed without answer. 

Regards,
-is