DNS64/NAT64?

Our experience is limited to server applications, but these rarely
initiate outbound connections (since the clients almost never have
routable public IPv4 addresses anyway) and almost everything is https so
this works really well.

3 problems with DNS64:
-Wider DNSSEC adoption has the potential to make DNS64 unpalatable (it breaks 
the security).
Agreed. I think that having one or more of the public security type
checkers require DNSSEC and IPv6 for a perfect score would help a lot
here. Implementing v6 + DNSSEC is less work than writing a document to
explain to $boring_law_firm why you have an A- score for security.

-IP address literals are still a pain (literals from bad coding appear to be 
receding, but some devs are still using this for perceived security/ease of 
session management?)

I'd add hand rolled sad eyeballs implementations.

if (A lookup succeeds) { connect over v4 or die } else if (AAAA lookup succeeds) { connect over v6 }

is remarkably common. I think we also need a free dns resolver that does
nat64 and actively blocks A record lookups to 'fix' the dumb client
applications.

-The range of "unknown device types" (consumer electronics) on the WiFi are 
what kills DNS64/NAT64 for commercial ISPs - or to put it another way, with no IPv4 on 
the WiFi then something like half the 4K TVs in the UK will stop streaming. Would you pay 
for an ISP service where you don't know whether all your devices in your home will work?

No. And I'm well known for being an IPv6 only proponent. Crappy
connectivity will do: if my v4 only smart plug waits 30s before turning
on because it has to poll the server, versus instant for my v6 one that
can have an inbound trigger, then v6 land is better than v4 land, which
provides a consumer incentive to go there.

My 2 cents: Rather than looking at ISPs as the sole "IPv6-only gatekeeper" who 
can set the tempo here, turn your gaze to the worlds of consumer electronics, and ask why 
CE hardware still comes v4 only. That's the blocker. Until then, use a real or a fake v4.

Every time someone rolls v6 + 464xlat the v6 native devices get a better
service, and the v6 devices are cheaper to support by the ISP due to
reduced CGNAT costs and reduced v4 address costs in the CGNAT device.

I view the v6 transition like the get-rid-of-IE6 transition. For
years and years webdevs involved extra pain to make sites IE6 compatible
(and this was more pain than network engineers have with v4). Eventually
XP was end of life, it had a security flaw that wasn't fixed, corporates
could point and go 'doesn't meet security checklist, not supported' and
I think YouTube stopped working. Once one big player moved to stop
support, everyone else followed. Any application that can be accessed by
XP today will get a big security fail in an audit.

We can't do this yet, 30% IPv6 isn't high enough. 70% in a given country
might be for limited applications and that's getting close in some
territories. Our smarter ISPs who offer v6 even with v4 per customer are
at least future-proofing themselves against this - imagine a new version
of Minecraft drops tomorrow and it only supports multiplayer if you all
have v6. Some ISPs go 'great', some go 'upgrade your router', others go
'bye, other ISPs are available and would love to have your custom'. I
think it's very unlikely, but other unlikely things include nationwide
pandemics that cause a wholesale move of the entire country to home
working. Do you feel lucky?


Right now v6 only public facing services aren't saleable, however ssh only
accessible over v6 with http/https over dual stack is appealing to some.
Our Pi cloud means that a small number of future engineers are growing up
v6 native and I would *love* to be a fly on the wall on their first day
in the office when someone explains to them why NAT is brilliant and
badly solves all the problems they've never imagined could exist.

Pete

--
Pete Stevens
p...@ex-parrot.com
http://www.ex-parrot.com/~pete/
https://www.mythic-beasts.com/
https://twitter.com/Mythic_Beasts
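The "sad eyeballs" client pattern quoted in the post, next to an address-family-agnostic client, run against a small model of a DNS64 resolver on a v6-only host. This is an added example, not code from the post or from Mythic Beasts; the zone data, the v6-only connectivity model and the `block_a` switch (the A-lookup-blocking resolver Pete suggests) are all constructed for illustration.

```python
import socket

# Constructed zone data standing in for a real DNS64 resolver (not from the post):
# "dual.example" has A and AAAA records, "v4only.example" has only an A record.
ZONE = {
    "dual.example": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "v4only.example": {"A": ["198.51.100.7"], "AAAA": []},
}
NAT64_PREFIX = "64:ff9b::"  # well-known NAT64 prefix, RFC 6052 /96 form


def synthesize_aaaa(ipv4):
    """DNS64 synthesis: embed the IPv4 address in the last 32 bits of the prefix."""
    prefix96 = socket.inet_pton(socket.AF_INET6, NAT64_PREFIX)[:12]
    return socket.inet_ntop(socket.AF_INET6, prefix96 + socket.inet_pton(socket.AF_INET, ipv4))


def dns64_lookup(name, rrtype, block_a=False):
    """Resolver model: AAAA is synthesised when absent; block_a refuses A lookups
    entirely, as the post proposes, so clients are forced onto the AAAA path."""
    if rrtype == "A" and block_a:
        return []
    rrs = list(ZONE[name][rrtype])
    if rrtype == "AAAA" and not rrs:
        rrs = [synthesize_aaaa(a) for a in ZONE[name]["A"]]
    return rrs


def reachable(addr):
    """Connectivity model of a v6-only host: only IPv6 addresses connect."""
    return ":" in addr


def sad_eyeballs(name, block_a=False):
    """The pattern quoted in the post: if A resolves, connect over v4 or die."""
    a_records = dns64_lookup(name, "A", block_a)
    if a_records:
        return a_records[0] if reachable(a_records[0]) else None
    for addr in dns64_lookup(name, "AAAA", block_a):
        if reachable(addr):
            return addr
    return None


def try_all_addresses(name, block_a=False):
    """Correct client: try every address, AAAA first, fall back on failure."""
    for addr in dns64_lookup(name, "AAAA", block_a) + dns64_lookup(name, "A", block_a):
        if reachable(addr):
            return addr
    return None
```

On the v6-only host the sad-eyeballs client fails for both names even though DNS64 has synthesised a usable AAAA, while the client that walks all addresses connects; blocking A lookups at the resolver makes even the broken client work.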
