Re: MTU/MSS testing IPv6

2016-04-29 Thread Seth Mos
On 29-4-2016 at 8:30, Mikael Abrahamsson wrote:
> Hi,
> 
> Site B which sends all data packets as fragments. This is most likely
> because they have some kind of AFTR where the IPv4 side has MTU1500 and
> the IPv6 side has MTU1320 or something like that.

The site cbs.nl does this as well. It's the statistics agency for the
Netherlands. They use a Juniper with IPv4 to IPv6 translation; however,
it sets the frag attribute for all packets, including the ACK.

I've done extensive debugging to find out what was going wrong.
Eventually I found that our firewall was dropping IPv6 fragments, making
the website unreachable over IPv6.

The RFC for this translation mode was followed literally, so it could be
argued that this is "to spec".

Neither Juniper nor the website owner was willing to make any changes
(and make it reachable for anyone that dropped frags, it wasn't just
us). They could have just used a proxy or load balancer to terminate the
connections instead of relying on a passive NAT and not have any of
these problems.

Cheers,

Seth
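
The failure Seth describes above (a translator that puts a Fragment header on every packet, ACKs included, behind a firewall that drops anything carrying one) can be reproduced and tested offline. The block below is an added example, not code from the thread, from Juniper or from pfSense. It builds constructed IPv6 packets in the 2001:db8::/32 documentation prefix, parses the Fragment extension header, and distinguishes an "atomic" fragment (offset 0 and M flag clear, i.e. the whole datagram in one piece; RFC 6946 says to treat these as unfragmented) from a real fragment. It then models the two filter policies: drop everything with a Fragment header, which is what killed the TCP sessions in the cbs.nl case, versus pass atomic fragments and drop only real ones. It only looks at a Fragment header placed directly after the fixed header; packets with other extension headers in between are a simplification it does not handle.

```python
"""Classify IPv6 packets carrying a Fragment extension header (added example).

Not code from the original thread. Handles only a Fragment header that
directly follows the fixed 40-byte IPv6 header (simplification). Sample
packets are constructed with documentation-prefix addresses.
"""
import ipaddress
import struct
from typing import NamedTuple, Optional

IPPROTO_TCP = 6
IPPROTO_FRAGMENT = 44  # IPv6 Fragment extension header (RFC 8200 section 4.5)


class FragInfo(NamedTuple):
    offset: int        # fragment offset in 8-octet units
    more: bool         # M flag: more fragments follow
    ident: int         # 32-bit identification shared by all fragments
    next_header: int   # protocol carried after the Fragment header


def parse_fragment_header(pkt: bytes) -> Optional[FragInfo]:
    """Return the Fragment header fields, or None if the packet carries none."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if pkt[6] != IPPROTO_FRAGMENT:          # byte 6 of the fixed header: Next Header
        return None
    if len(pkt) < 48:
        raise ValueError("truncated Fragment header")
    nh, _reserved, off_flags, ident = struct.unpack("!BBHI", pkt[40:48])
    # upper 13 bits: offset; 2 reserved bits; least-significant bit: M flag
    return FragInfo(offset=off_flags >> 3, more=bool(off_flags & 1),
                    ident=ident, next_header=nh)


def is_atomic_fragment(info: FragInfo) -> bool:
    """Offset 0 and M=0: a Fragment header on a complete, unfragmented datagram."""
    return info.offset == 0 and not info.more


def filter_decision(pkt: bytes, allow_atomic: bool) -> str:
    """Two firewall policies: drop every fragment, or let atomic ones through."""
    info = parse_fragment_header(pkt)
    if info is None:
        return "pass"
    if allow_atomic and is_atomic_fragment(info):
        return "pass"
    return "drop"


def build_ipv6(payload: bytes, src: str, dst: str, frag=None) -> bytes:
    """Constructed packet: fixed header, optional Fragment header, payload.

    frag is (offset_in_8_octet_units, more_flag, identification) or None.
    """
    if frag is None:
        ext, nh = b"", IPPROTO_TCP
    else:
        offset, more, ident = frag
        ext = struct.pack("!BBHI", IPPROTO_TCP, 0, (offset << 3) | int(more), ident)
        nh = IPPROTO_FRAGMENT
    fixed = struct.pack("!IHBB", 6 << 28, len(ext) + len(payload), nh, 64)  # ver 6, hop limit 64
    fixed += ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return fixed + ext + payload


# Constructed 20-byte TCP segment: header only, flags byte 0x10 = ACK.
TCP_ACK = struct.pack("!HHIIBBHHH", 443, 50000, 1, 1, 5 << 4, 0x10, 65535, 0, 0)
SRC, DST = "2001:db8:1::1", "2001:db8:2::2"

PLAIN_ACK = build_ipv6(TCP_ACK, SRC, DST)                             # no Fragment header
ATOMIC_ACK = build_ipv6(TCP_ACK, SRC, DST, frag=(0, False, 0x1234))   # what the translator emitted
FIRST_FRAG = build_ipv6(TCP_ACK, SRC, DST, frag=(0, True, 0x1234))    # a genuine first fragment

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN_ACK), ("atomic", ATOMIC_ACK), ("fragment", FIRST_FRAG)):
        print(f"{name:9s} drop-all-frags={filter_decision(pkt, False):4s} "
              f"allow-atomic={filter_decision(pkt, True)}")
```

Running it prints one line per constructed packet and per policy; the atomic ACK is the only case where the two policies disagree, which is exactly the traffic that made cbs.nl unreachable through a firewall configured for the first policy.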


Re: Curious situation - not urgent, but I'd like to know more

2015-12-23 Thread Seth Mos
On 23-12-2015 at 12:13, Phil Mayers wrote:
> On 23/12/15 10:54, Seth Mos wrote:
> 
>> We use OpenVPN on pfSense with Viscosity on the clients, or the Android
>> OpenVPN app. It is a complete Dual-Stack solution for both the servers
>> and the clients, and because we push more specific IPv6 routes it takes
> 
> What happens if the client has no local, non-VPN IPv6 traffic? Doesn't
> it break things, because even though you're pushing more-specifics, the
> device now thinks it has a global IPv6 address and breaks address
> selection?
> 

It doesn't have an IPv6 default route, and because a "no route to host" is
immediate you are unlikely to see slowdowns.

This is by no means a scientific method, but I've had no complaints either.

Regards,

Seth


Re: Curious situation - not urgent, but I'd like to know more

2015-12-23 Thread Seth Mos
On 19-12-2015 at 22:37, Kurt Buff wrote:
> All,
> 
> I ran into an interesting situation some months ago which still
> baffles me, and though I was able to work around it, I expect it will
> happen again.
> 

> Has anyone run into this problem and solved it - not by turning off
> IPv6 address assignment for the home LAN, but really solved it? If
> so, how did you do that?

We use OpenVPN on pfSense with Viscosity on the clients, or the Android
OpenVPN app. It is a complete Dual-Stack solution for both the servers
and the clients, and because we push more specific IPv6 routes it takes
precedence over the default route as intended. We've been using this for
almost 2 years now on a variety of Windows and MacOS as well as some
phones. It works well.

We use mostly UDP on 1194, unless it's a really crappy hotel wifi and
they use the TCP 443 to get around silly firewalls.

Kind regards,

Seth



Re: test-ipv6.com out of service?

2015-11-12 Thread Seth Mos
On 12-11-2015 at 13:24, Ignatios Souvatzis wrote:
> Hm:
> 
> On Thu, Nov 12, 2015 at 01:16:51PM +0100, Thomas Schäfer wrote:
>>
>> is the this site down?
>>
>> http://test-ipv6.com/
>>
>> Some minutes ago it displayed wrong test results. Now it seems to me it is
>> down.
> 
> TOMEETOO
> 
> on a related note: it doesn't have any IPv6 resolution anymore:
> 
> theory.cs.uni-bonn.de 5% host -t AAAA test-ipv6.com
> test-ipv6.com has no AAAA record

Correct afaik, that's listed in the FAQ.

Cheers,
Seth


Re: Cost of IPv6 for IT operations team

2015-03-27 Thread Seth Mos

On 27 Mar. 2015, at 00:23, Brian E Carpenter brian.e.carpen...@gmail.com wrote the following:

> On 26/03/2015 22:04, BERENGUER Christophe wrote:
>> Hello everybody,
>>
>> I work for a consulting firm.
>>
>> For a client, I would like to estimate the work overload for IT operations
>> team to deploy IPv6 dual stack and for day to day operations.
>>
>> On the internet, I have found an estimation around 20% of work overload for
>> the run phase.
> 
> Is that evidence-based, or a hand-waving guess?
> I would expect a bit of extra workload at the beginning of the run phase
> but in the steady state are there really 20% more incidents?

We use pfSense at work and I'm using hostnames and other DNS names in the
firewall rules at great length so that they automatically adjust when a host
changes IPs, be that 4 or 6. I can select IPv4 and IPv6 in the rule so the same
rule applies to both.

Of course, there is a security tradeoff, but considering the sheer amount of CDN
hosting today it's becoming harder to just assign an IP to the rule and have it
work for over a week :)

Firewalling by (prefixes from) ASN would be something useful to have too, for
abuse purposes.

I'm mostly talking about outbound firewall rules, the LAN is pretty much closed
off. Proxy or bust.

Cheers,
Seth

 
> Brian
> 
>> But if you have operational feedback it would be the best!
>>
>> Thanks in advance for your answers,
>>
>> Have a nice day.
>>
>> Best regards,
>>
>> Christophe BERENGUER
>> Consultant
>> Fixe : +33 (0)1 49 03 85 86
>> christophe.bereng...@solucom.fr
>> solucom
>> Tour Franklin : 100 - 101 terrasse Boieldieu
>> 92042 Paris La Défense Cedex
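
Seth's approach in the reply above, hostname aliases in firewall rules that are re-resolved and applied to both address families, expands into a pf table that changes whenever the DNS answers change. The block below is an added example and not pfSense code: it models that expansion with a constructed DNS snapshot so it runs offline, using made-up names and documentation-range addresses, and emits pf.conf syntax of the kind pfSense generates. `diff_tables()` makes the security tradeoff Seth mentions visible: between two refreshes the effective policy silently gains and loses addresses, and whoever controls the DNS answers controls what the rule permits.

```python
"""Hostname-based outbound rules expanded per address family (added example).

Not pfSense code. The resolver output, hostname and rule spec are constructed.
"""
import ipaddress
from typing import Dict, List, Sequence, Set, Tuple

Snapshot = Dict[str, List[Tuple[str, int]]]  # hostname -> [(address, ttl)]

# Constructed resolver output at two refreshes: in between, the CDN rotated its
# IPv4 address and added a second AAAA record with a short TTL.
DNS_T0: Snapshot = {
    "cdn.example.net": [("192.0.2.10", 300), ("2001:db8:c0::10", 300)],
}
DNS_T1: Snapshot = {
    "cdn.example.net": [("192.0.2.77", 300), ("2001:db8:c0::10", 300),
                        ("2001:db8:c0::11", 60)],
}

# Rule spec: hostname alias, address families enabled in the rule, TCP port.
RULE = {"host": "cdn.example.net", "families": ("inet", "inet6"), "port": 443}


def addresses_for(snapshot: Snapshot, host: str, families: Sequence[str]) -> List[str]:
    """Addresses of host, restricted to the enabled families (inet=IPv4, inet6=IPv6)."""
    out = []
    for addr, _ttl in snapshot.get(host, []):
        fam = "inet6" if ipaddress.ip_address(addr).version == 6 else "inet"
        if fam in families:
            out.append(addr)
    # stable order: IPv4 before IPv6, then numeric
    return sorted(out, key=lambda a: (ipaddress.ip_address(a).version,
                                      ipaddress.ip_address(a).packed))


def table_name(host: str) -> str:
    """pf table identifier derived from the hostname."""
    return host.replace(".", "_").replace("-", "_")


def render_pf(rule: dict, snapshot: Snapshot) -> List[str]:
    """One pf table plus one 'pass out' rule per enabled family, in pf.conf syntax."""
    addrs = addresses_for(snapshot, rule["host"], rule["families"])
    name = table_name(rule["host"])
    lines = [f"table <{name}> {{ {', '.join(addrs)} }}"]
    for fam in rule["families"]:
        lines.append(f"pass out quick {fam} proto tcp from any to <{name}> port {rule['port']}")
    return lines


def diff_tables(rule: dict, old: Snapshot, new: Snapshot) -> Tuple[Set[str], Set[str]]:
    """(added, removed) addresses between two refreshes: what the policy gained and lost."""
    before = set(addresses_for(old, rule["host"], rule["families"]))
    after = set(addresses_for(new, rule["host"], rule["families"]))
    return after - before, before - after


def refresh_after(snapshot: Snapshot, host: str) -> int:
    """Seconds until the table must be rebuilt: the smallest TTL among the answers."""
    return min(ttl for _addr, ttl in snapshot[host])


if __name__ == "__main__":
    print("\n".join(render_pf(RULE, DNS_T0)))
    added, removed = diff_tables(RULE, DNS_T0, DNS_T1)
    print(f"after refresh: +{sorted(added)} -{sorted(removed)}, "
          f"next refresh in {refresh_after(DNS_T1, RULE['host'])}s")
```

A rule with only `inet6` enabled yields the same table minus the A records, which is the single-rule, both-families behaviour Seth describes; the refresh interval has to follow the shortest TTL, otherwise the table keeps passing traffic to an address the CDN has already handed to someone else.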
 
 



Re: Poll on SMTP over IPv6 Usage

2014-02-14 Thread Seth Mos
On 13-2-2014 21:23, James Small wrote:
> Interested in what you're using to send/receive SMTP over IPv6:
> 
> A) Using ____ (product) from ____ (vendor)
> 
> B) Using ____ (service provider or "cloud solution")
> 
> C) Elected not to implement SMTP over IPv6 at this time because
> ____ (reason)

edge servers running Debian + sendmail + milter-greylist (with
optimistic whitelisting[1]) + spamassassin + mimedefang

Internal Exchange 2010 + OWA over IPv6

Kind regards,

Seth

[1] http://mailtoaster.coltex.nl/spam/mxhostcheck.php



Re: Microsoft: Give Xbox One users IPv6 connectivity

2013-10-10 Thread Seth Mos
On 10-10-2013 14:01, Brzozowski, John Jason wrote:
> Chris can you share details of the brokenness check?  What variables are
> considered?

Perhaps native IPv6 on the client with firewall rules that do not permit
inbound traffic. A legit issue that can be expected to pop up.

Also, is there any active work on the uPNP extensions for IPv6 that
allow hole punching in the firewall rules? (for native IPv6).

* Would this method also apply to the Xbox 360 in the coming years?

Kind regards,

Seth
 
 
> On Thu, Oct 10, 2013 at 12:02 AM, Christopher Palmer
> christopher.pal...@microsoft.com wrote:
> 
>> John and Lorenzo beat me to it :-)
>>
>> Example:
>>
>> Samantha has native IPv6 and Teredo.
>>
>> Albert has Teredo only.
>>
>> Albert, in destination address selection, will choose Samantha's
>> Teredo address. Samantha, in source address selection, will use her
>> Teredo address. This will avoid relay traversal.
>>
>> Xbox P2P policy is a bit more sophisticated than RFC 6724, but I
>> note that the avoidance of Teredo relays is also part of Windows
>> behavior. Windows address selection is a fairly clean implementation
>> of RFC 6724. In RFC 6724 terms, Teredo - Teredo is a label match
>> (Rule 5), Teredo - Native IPv6 is not. The biggest difference
>> between us and the standard is the brokenness check.
>>
>> This does complicate the dream. In order for a set of peers to use
>> native IPv6 – BOTH peers have to have native available. In the
>> pathological case, if half of the world has IPv6 and connects only
>> to the other half that only has Teredo, then no one actually uses
>> native IPv6.
>>
>> Realistically, matchmaking is going to prefer users "close to you"
>> (and a bunch of other things, like their gamer behavior and stuff).
>> Naively I expect IPv6 traffic to start as local pockets, Albert
>> playing against his neighbor, both with the same ISP. As IPv6
>> penetration grows hopefully we'll see significant P2P traffic
>> across the Internet use native IPv6 transport.
>>
>> *From:* ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de
>> [mailto:ipv6-ops-bounces+christopher.palmer=microsoft@lists.cluenet.de]
>> *On Behalf Of* Lorenzo Colitti
>> *Sent:* Wednesday, October 9, 2013 8:26 PM
>> *To:* Geoff Huston
>> *Cc:* IPv6 Ops list; Christopher Palmer
>> *Subject:* Re: Microsoft: Give Xbox One users IPv6 connectivity
>>
>> On Thu, Oct 10, 2013 at 12:19 PM, Geoff Huston g...@apnic.net wrote:
>>
>>> But I've thought about your response, and if I'm allowed to
>>> dream (!), and in that dream where the efforts of Comcast,
>>> Google etc with IPv6 bear fruit, and I'm allowed to contemplate
>>> a world of, say, 33% IPv6 and 66% V4, then wouldn't we then see
>>> the remaining Teredo folk having 33% of their peer sessions head
>>> into Teredo relays to get to those 33% who are using unicast
>>> IPv6? And wouldn't that require these Teredo relays that we all
>>> know have been such a performance headache?
>>
>> Can't you fix that by telling the app if all you have is Teredo,
>> prefer Teredo even if the peer has native IPv6 as well?
>>
>> Of course this breaks down when IPv4 goes away, once IPv4 starts
>> going away then there's really no way to do peer-to-peer without
>> relays, right? (Also, IPv4 going away is relatively far away at this
>> point.)
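
The behaviour Christopher Palmer describes in the quoted text above (a Teredo-only Albert dials Samantha's Teredo address because Teredo-to-Teredo is a label match under RFC 6724 Rule 5, and both peers need native IPv6 before native gets used) can be checked against the RFC's default policy table. The block below is an added example, not code from the thread, from Windows or from the Xbox: it implements the RFC 6724 section 2.1 policy table and only the label, precedence and longest-matching-prefix rules (destination Rules 5, 6 and 8; source Rules 6 and 8), leaving out scope, reachability, temporary-address preference and the Xbox brokenness check. The peers' addresses are constructed: native hosts in the 2001:db8::/32 documentation prefix, Teredo hosts in 2001::/32.

```python
"""Subset of RFC 6724 address selection (added example, not Windows or Xbox code).

Policy table from RFC 6724 section 2.1; destination selection reduced to
Rules 5 (matching label), 6 (higher precedence) and 8 (longest matching
prefix); source selection reduced to Rules 6 (matching label) and 8.
Scope, reachability and brokenness checks are omitted. Addresses constructed.
"""
import ipaddress
from typing import List, Sequence, Tuple

# (prefix, precedence, label) as in RFC 6724 section 2.1
POLICY_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),            # native IPv6
    ("::ffff:0:0/96", 35, 4),   # IPv4-mapped
    ("2002::/16", 30, 2),       # 6to4
    ("2001::/32", 5, 5),        # Teredo
    ("fc00::/7", 3, 13),        # ULA
    ("::/96", 1, 3),            # IPv4-compatible (deprecated)
    ("fec0::/10", 1, 11),       # site-local (deprecated)
    ("3ffe::/16", 1, 12),       # 6bone (returned)
]
_TABLE = [(ipaddress.ip_network(p), prec, label) for p, prec, label in POLICY_TABLE]


def lookup(addr: str) -> Tuple[int, int]:
    """Longest-prefix match in the policy table -> (precedence, label)."""
    a = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, prec, label) for net, prec, label in _TABLE if a in net]
    _, prec, label = max(matches)
    return prec, label


def common_prefix_len(a: str, b: str) -> int:
    """Leading bits two IPv6 addresses share (the RFC 6724 Rule 8 metric)."""
    x = int(ipaddress.ip_address(a)) ^ int(ipaddress.ip_address(b))
    return 128 - x.bit_length()


def select_source(dst: str, sources: Sequence[str]) -> str:
    """Source selection: prefer a source whose label matches dst (Rule 6),
    then the longest common prefix with dst (Rule 8)."""
    dlabel = lookup(dst)[1]
    return max(sources, key=lambda s: (lookup(s)[1] == dlabel, common_prefix_len(s, dst)))


def sort_destinations(dsts: Sequence[str], sources: Sequence[str]) -> List[str]:
    """Destination selection, best first: Rule 5 (dst label matches the label
    of the source we would use), Rule 6 (higher precedence), Rule 8 (longest prefix)."""
    def key(d: str):
        s = select_source(d, sources)
        prec, dlabel = lookup(d)
        return (lookup(s)[1] == dlabel, prec, common_prefix_len(s, d))
    return sorted(dsts, key=key, reverse=True)


# Constructed peers. Samantha has native and Teredo; Albert has Teredo only, or both.
SAMANTHA_NATIVE = "2001:db8:1::10"
SAMANTHA_TEREDO = "2001:0:4136:e378:8000:63bf:3fff:fdd2"
SAMANTHA = [SAMANTHA_NATIVE, SAMANTHA_TEREDO]
ALBERT_TEREDO_ONLY = ["2001:0:4136:e378:8000:f227:3fff:fdd1"]
ALBERT_DUAL = ["2001:db8:2::20"] + ALBERT_TEREDO_ONLY


def peer_choice(local: Sequence[str], remote: Sequence[str]) -> str:
    """The remote address a host with 'local' addresses dials first."""
    return sort_destinations(remote, local)[0]


if __name__ == "__main__":
    print("Teredo-only Albert dials", peer_choice(ALBERT_TEREDO_ONLY, SAMANTHA))
    print("Dual-stack Albert dials ", peer_choice(ALBERT_DUAL, SAMANTHA))
```

With Teredo only, Albert's single source has label 5, so Samantha's Teredo address wins on Rule 5 despite its precedence of 5 against 40 for native; give Albert a native address as well and both candidates satisfy Rule 5, so Rule 6 precedence picks native. That is the "BOTH peers have to have native available" point in the quoted mail, reproduced from the standard's default table alone.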
 
 



Re: [pfSense] IPv6 Routing in pfSense

2013-07-02 Thread Seth Mos
On 2-7-2013 14:08, Tassos Chatzithomaoglou wrote:
> I've been trying for many months to make DHCPv6-PD work reliably over PPPoE,
> but i haven't got any positive result until now.
> Besides that, i find confusing a lot of IPv6 options in the GUI.
> Other than that, Dual-Stack seems to work fine.

The DHCP6 renewal still seems to be biting us which is being looked at.

What is confusing about the IPv6 options? Do you mean that the label or
text is not describing or explaining it well?

Kind regards,

Seth

 
> --
> Tassos
> 
> Nick Buraglio wrote on 01/07/2013 20:10:
>> I've worked pretty extensively with pfSense since its early alpha
>> days and have had private builds with IPv6 for years and years. It
>> works well under 2.1-BETA and has supported DHCPv6-PD for a while on
>> the WAN side. I've been using the 2.1-BETA train in production for
>> a very long time with good results but I don't believe the IPv6 DNS is
>> assigned via IPv4, it doesn't exist in the IPv4 lease tracking file
>> and hacking through the interface code briefly it looks like there is a
>> mechanism for obtaining the DNS via DHCPv6 on the WAN side.  This is
>> further strengthened by the fact that I have correct ISP assigned IPv6
>> name servers assigned to me and they exist in the places I expect
>> based on that code.
>>
>> nb
>>
>>
>> On Mon, Jul 1, 2013 at 11:41 AM, Eugen Leitl eu...@leitl.org wrote:
>>> - Forwarded message from Mark Tinka mark.ti...@seacom.mu -
>>>
>>> Date: Mon, 1 Jul 2013 18:39:13 +0200
>>> From: Mark Tinka mark.ti...@seacom.mu
>>> To: l...@lists.pfsense.org
>>> Subject: Re: [pfSense] IPv6 Routing in pfSense
>>> Organization: SEACOM
>>> User-Agent: KMail/1.13.6 (Linux/2.6.37.6-24-desktop; KDE/4.6.0; i686; ; )
>>> Reply-To: mark.ti...@seacom.mu, pfSense support and discussion
>>> l...@lists.pfsense.org
>>>
>>> On Monday, July 01, 2013 06:23:03 PM Jim Pingle wrote:
>>>
>>>> Sure. A purely routed IPv6 setup was one of the first
>>>> things to work well on 2.1.
>>>>
>>>> We do not do any NAT on IPv6 by default, there is NPt if
>>>> someone really needs to do that, but it's all manual.
>>>>
>>>> And the settings for IPv4 and IPv6 are independent, you
>>>> can do NAT on IPv4 while routing IPv6.
>>>
>>> Excellent, Jim!
>>>
>>> Looking forward to 2.1.
>>>
>>> I suppose the other thing I'll then be thinking about is how
>>> end-users are assigned IPv6 address information.
>>>
>>> Typical deployments have tended to use SLAAC with DHCPv4 for
>>> the DNS. I've previously done SLAAC with DHCPv6 for DNS.
>>> From what I can see on doc.pfsense.org, I see pfSense will
>>> support stateful address assignments using DHCPv6, in
>>> addition to SLAAC.
>>>
>>> Would you be able to confirm whether 2.1 or later will
>>> support DNS via DHCPv6, as well as DHCP-PD?
>>>
>>> I suppose, for now, the default gateway will need to be
>>> assigned via SLAAC, the one thing about DHCPv6 I still don't
>>> find amusing.
>>>
>>> Cheers,
>>>
>>> Mark.
>>>
>>>
>>> ___
>>> List mailing list
>>> l...@lists.pfsense.org
>>> http://lists.pfsense.org/mailman/listinfo/list
>>>
>>>
>>> - End forwarded message -
>>> --
>>> Eugen* Leitl http://leitl.org
>>> __
>>> ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
>>> AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5