Home / Blogs

The Trouble With 6to4

Mirjam Kuehne

In the transition from IPv4 to IPv6, the preferred solution for network endpoints is to have both native IPv4 and IPv6 connectivity (also called dual-stack connectivity). If a site cannot get native IPv6 connectivity, however, the IPv4 network endpoints can choose from a number of conversion technologies to connect to the IPv6 Internet.

The most commonly used conversion mechanisms are 6to4, Teredo and tunnel-brokers. At recent RIPE meetings there have been claims that 6to4 connectivity is quite often broken. We were interested to find out how broken it really is.

The image below shows the percentage of 6to4 connections to our measurement machine that fail per day.

The failure rate is significant. During weekdays the failure rate is 15-20%. During weekends the failure rate is just below 10%.

This can have significant implications for Internet access providers, especially when IPv6-only content will become more common. Based on our measurements, IPv4-only customers will face significant problems reaching IPv6-only content using 6to4.

Considering the failure rate observed in this instance, it's clear that using native IPv6 is certainly the preferred option going forward.

For more details about the methodology and the type of failures we observed, please refer to the article on RIPE Labs, "6to4 — How Bad is it Really?

By Mirjam Kuehne

Related topics: IP Addressing, IPv6

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

I don't understand why anyone would imagine Phillip Hallam-Baker  –  Dec 06, 2010 6:18 AM PST

I don't understand why anyone would imagine ipv6 only content will exist, let alone be common.

The assumption from the IETF/ICANN community seems to be that the IPv6 transition is inevitable and that it is IPv4 users who stand to lose out if they do not move quickly enough. I think thats bull. Nobody with a brain is going to base their business serving the 0% of Internet users who have no IPv4 connectivity whatsoever. And techniques such as carrier grade NAT can allow the ISPs to extend the service life of IPv4 by another couple of decades at least.

A deployment plan based on the assumption that deployment is inevitable is no plan at all. It is wishful thinking.

Getting 6-4 working efficiently and reliably is a pre-requisite to deployment of IPv6, not something that will inconvenience the IPv4 users if it does not meet the requirements.

The exhaustion of the IPv4 pool does not matter one whit to the people who already have IPv4 connectivity. Everyone I need to contact is already on the net. What is the crisis that is going to force me to switch?

What is the value of IPv6 if I still need my legacy IPv4?

The value of IPv6 Tore Anderson  –  Dec 06, 2010 10:52 AM PST

Philip,

IPv6-only web content is unlikely to show up in the near future, that is true.  That said, I believe it is reasonable to expect that once we reach a critical mass of IPv6 end-user deployment, some clever entrepreneur will develop a really awesome service that only works with IPv6.  Which in turn will lead to an even greater incentive for the ISPs that are IPv4-only at that point to get busy deploying native IPv6, or risk losing customers who want to use said awesome service.  As the RIPE NCC's measurements clearly show, 6to4 is unlikely to provide adequate quality for the user to be happy in this case.

On web content side, the value of IPv6 compared to legacy IPv4 is to provide the optimal performance while at the same time keeping the costs down.  IPv4 depletion will happen and the only way an ISP can deal with that is to install centralised NAT systems in order to let subscribers share IPv4 addresses.  These systems are likely to be very expensive compared to routers, as they need to remember the state of every single flow that traverses them.  So it is in the content provider's interest to deliver the web pages over IPv6 in order to use the optimal direct path to the end user that's unencumbered by these NAT systems, and it is also in the ISP's interest that the end users use IPv6 to access online content as much as possible, because this allows the ISP to buy centralised IPv4 NAT systems that are scaled for smaller traffic levels, i.e., cheaper models.

Centralised NAT systems will also break a number of existing applications that rely on protocols like UPnP and NAT-PMP in order to allow applications inside of the NAT device to listen for connections originating from the outside of the NAT box.  BitTorrent is a good example of such an application.  UPnP and NAT-PMP only works with single-level (residental) NAT; once the ISP adds a centralised NAT system to the mix, UPnP and NAT-PMP can no longer function.  So it might just be that it's not the arrival of an «awesome new IPv6-only service» that will push IPv6 deployment forward, it could just as well be that the already awesome services that people today use successfully through single-level IPv4 NAT will eventually come to rely on IPv6, because the inevitable ubiquity of centralised IPv4 NAT systems will prevent them from functioning properly any more on the legacy IPv4 internet.

Tore

"Once we get to IPv6 deployment"Again you Phillip Hallam-Baker  –  Dec 06, 2010 11:21 AM PST

"Once we get to IPv6 deployment"

Again you assume that this is inevitable. It is not.

And people who think that NAT is going to be a forcing function here are dead wrong. There will be protocols that work through carrier grade NAT regardless of whether people in the IETF try to block them as has happened in the past. The only decision the IETF can make is whether they are going to be involved in that part of the solution or not.

Getting NAT to work right for IPv4 is a precondition for IPv6 deployment. My house runs on IPv4 today and that is not going to change in the future. I might connect from the house to the net over IPv6, but only if that is not going to cause me the slightest inconvenience. In that scenario packets are going to translate from IPv4 to 6 and back all the time and my local NAT will be doing the switching.

Regardless of whether a network is on IPv4 or IPv6, the days in which an endpoint machine is going to be able to open up a port to the outside world without network level authorization are gone forever.

My weighing scale is on the Internet. Every time I weigh myself it tweets the result on twitter. I am quite happy allowing that device outbound communication. I am not going to allow it to accept incoming calls.

I have about 20 IP enabled devices in the house that I know of and possibly more that I do not know about. I am planning on deploying more. I expect that just as our cars now have 30+ computers inside that our houses will soon have an equivalent number of Internet devices. There is no way that I would want to allow all those devices to accept incoming calls direct from the Internet.

Philip,"Once we get to IPv6 deployment"Again you Tore Anderson  –  Dec 06, 2010 11:50 AM PST

Philip,

"Once we get to IPv6 deployment"

Again you assume that this is inevitable. It is not.

IPv6 deployment is happening as we speak.  You can't have paid much attention lately if you believe otherwise.  I'll mention some organisations that are working on deploying IPv6 or have already done so:  T-Mobile, Verizon, Google, Comcast, XS4ALL, Yahoo, Akamai, Free, LimeLight, Heise - list goes on and on.

In my home country Norway, the largest content site will turn on IPv6 before Christmas, and when it comes to the broadband ISPs - the decisions have been made, the budgets have been allocated, and the work is already in progress.  It is happening, there's absolutely no doubt about it.

My house runs on IPv4 today and that is not going to change in the future.

That is of course your decision to make.  You'll be able to access most web content anyway.  But don't assume that you will be able to do so with the same performance levels as your IPv6-enabled neighbour.

My weighing scale is on the Internet. Every time I weigh myself it tweets the result on twitter. I am quite happy allowing that device outbound communication. I am not going to allow it to accept incoming calls.

Which version of the IP protocol your bathroom scale is using is completely irrelevant - you can firewall inbound IPv6 traffic just like you can with IPv4.

Tore

You still don't get it.My tolerance of Phillip Hallam-Baker  –  Dec 06, 2010 2:02 PM PST

You still don't get it.

My tolerance of technical issues is orders of magnitude higher than that of the typical Internet user. I object to the idea that somehow the Internet can be allowed to break for IPv4 users during the inevitable IPv6 transition.

The rate at which ISPs and backbone providers deploy IPv6 is irrelevant. As long as every Internet user has IPv4 connectivity and only some have IPv6 connectivity, there will be absolutely zero demand for IPv6 only anything.

There is not one ISP or backbone provider that is going to break their IPv4 service to facilitate a move to IPv6. Not one. I don't care what public commitments they appear to make. It is not happening.

There is a deployment trap here and people who ignore it are wasting their time and the time of everyone else that they tell their breathless stories about IPv6 deployment to.

To date the IPv6 deployment strategy of IETF has been to make IPv6 deployment matter to end users as much as possible by intentionally sabotaging NAT support. That has not worked and will never work.

The only way to deploy IPv6 is to make sure that it does not matter to applications AT ALL. Making NAT44 / NAT64 / NAT 46 / NAT66 work perfectly and transparently are inescapable preconditions for making IPv6 deployment possible.

So worrying about the Internet breaking during the transition to IPv6 is to worry about the wrong thing. What we should be worried about here is that these figures are showing is that as things stand, the transition to IPv6 is not going to happen.

Now we could all sit round and have the usual happy talk about how everyone should move to the wonderful world of IPv6 for the greater good of the net even if that means worse connectivity. Or we could take a realistic view of the problem and think about ways to fix it.

I fully agree with the PHB Suresh Ramasubramanian  –  Dec 06, 2010 9:42 PM PST

No such thing as a v6 only world. And too great a legacy base of v4.

IPv6 only Emile Aben  –  Dec 06, 2010 11:45 PM PST

Time will tell if en when IPv6-only networks will become more common, I believe they will, in due time because of the economics of it all: IPv4 will be a scarce resource soon, IPv6 won't (any time soon), so as soon as IPv4 becomes more expensive, while not providing additional benefits over IPv6 you have a natural driver towards IPv6. All artificial means of providing more IPv4 address space (NATs in NATs) cost money and performance and will hamper development.

I agree with PHB that we should look at translation mechanisms, and as we measured 6to4 is currently problematic, but I don't agree all translations are needed. For instance if NAT64/DNS64 works really well, that is an incentive for end-users to go IPv6 only, and still reach the old IPv4 world, and the emerging IPv6 world (see
http://ripe61.ripe.net/presentations/140-ripe_rome_jari.pdf for how workable this is already).

If you don't believe IPv6 transition is happening, look at ASes deploying IPv6: http://v6asns.ripe.net over time. The clear trend there is that more and more ASes are deploying.

For more discussion on IPv6 transition myths:
http://www.circleid.com/posts/ipv6_and_transitional_myths/

Philip,I object to the idea that somehow Tore Anderson  –  Dec 07, 2010 12:57 AM PST

Philip,

I object to the idea that somehow the Internet can be allowed to break for IPv4 users during the inevitable IPv6 transition.

The IPv4 internet will inevitably break all on its own.  By «break» I mean it will suffer a gradual degradation in overall performance and functionality due to IPv4 address exhaustion forcing service providers to deploy centralised NAT systems.

The deployment of IPv6 (or the lack thereof) is completely orthogonal to this taking place.

There is not one ISP or backbone provider that is going to break their IPv4 service to facilitate a move to IPv6. Not one. I don't care what public commitments they appear to make. It is not happening.

The organisations I mentioned, and many others, have committed to deploying IPv6.

Nobody has suggested that they plan on breaking IPv4 at the same time.  Quite the contrary:  In all likelihood they will continue to provide IPv4 services as well as they possibly can for the foreseeable future, something which, again, is completely orthogonal to the deployment of IPv6 (or lack thereof).

What they do realise, however, is that IPv4 address exhaustion will inevitably mean that they will be unable to provide the same quality IPv4 service as they did before, and that's a problem the entire industry will be facing.  The reason they're deploying IPv6 is simply to provide a way to avoid that problem entirely.

As long as every Internet user has IPv4 connectivity and only some have IPv6 connectivity, there will be absolutely zero demand for IPv6 only anything.

We just have to wait and see about this one, I guess, but I strongly believe you are mistaken.  Once IPv6 end-user deployment reaches a critical mass, it will be commercially viable to develop services that requires IPv6.  Not that being exclusive to IPv6 users will be a goal in itself, but the technology used might for instance require untranslated end-to-end connectivity, which only IPv6 can provide.

There's already plenty of services that can't be used by «every Internet user»:

Not every Internet user has an iPad, yet iPad-exclusive services thrives.
Not every Internet user understands German, yet there's plenty of content available only in German.
Not every Internet user can access YouTube, yet YouTube is a massive success.
Not every Internet user has a high-speed broadband connection, yet bandwidth-hungry services like Netflix flourish.

I could go on… But my point is, that once there's a sufficient number of end users have IPv6 access, and there is no doubt that will happen, the following will as true as the examples above:

Not every Internet user has IPv6 connectivity, yet IPv6-exclusive services are commercially viable.

Tore

Again, 'once IPv6 reaches critical mass' ... Phillip Hallam-Baker  –  Dec 07, 2010 5:43 AM PST

Again, 'once IPv6 reaches critical mass' ... 'people will adopt'.

Network effects break both ways. Until critical mass is reached, the network effect is the chicken-and-egg problem.

I am fully aware that backbone providers are racking equipment that is IPv6 capable. But that does not mean that the IPv6 transition is guaranteed. Content targeted at particular niches has always had a place. But IPv4 vs IPv6 is simply not a distinction that 99% of users care to be aware of.

Back in 2000, VeriSign acquired Network Solutions for the express purpose of deploying DNSSEC. Ten years later, we are still talking about DNSSEC deployment.

I agree that we need to deploy IPv6, but the idea that the transition is guaranteed is making it much harder. We have already seen practical deployment proposals cancelled on spurious grounds by an IETF clique because they see the IPv6 transition as a train they can hook their personal priorities to. As a result we were set back three years with practical middlebox specs.

Failure is always an option. Failing to consider the possibility of failure makes it more likely you will fail. With DNSSEC there was far too much happy talk about how inevitable the spec was and too little consideration of how difficult deployment was. Again people thought that they could hold the system hostage to their personal priorities. In one DNSEXT meeting it was proposed that if the current spec could not be deployed in .com, that we should reduce the size of .com. The speaker was cheered. They should have been laughed out of the room and ignored as a lunatic.

Philip,There is a simpler way to explain Dan Young  –  Dec 13, 2010 5:27 AM PST

Philip,

There is a simpler way to explain things, if you consider these two basic facts:

1) The Internet is not going to stop growing
2) IPv6 is the *only* way to continue growth of the Internet.

So we can conclude that widespread IPv6 adoption is inevitable. See my article here:

http://wp.me/pLN1x-3d

I also recently wrote this post about IPv6 as an Internet access market disruptor. I believe deployments are going to be largely driven by this:

http://wp.me/pLN1x-7B

Dan

The first assumption is probably true, the Phillip Hallam-Baker  –  Dec 13, 2010 5:59 AM PST

The first assumption is probably true, the second is not.

Carrier grade NAT will be capable of meeting the needs of 90% of Internet users. So it is foolish to assume that Internet growth will force deployment of IPv6.

Your analysis is like saying that electric cars are inevitable because supply of gas is insufficient to meet global needs. That may well be true at some level, but there are alternatives. Wealthy nations like the US can afford to invade countries like Iraq and just take what they need. Some people are advocating an attack on Iran for essentially the same reason (though they state different ones in public).

War is clearly not a sane alternative to planning a sound energy policy. But anyone who wants to achieve a sound energy policy has to cope with people who are plainly idiots but are treated with tremendous respect

The electric car is a rather easier sell than IPv6 since it is at least obvious that the price of gas is going to affect everyone.

'We cannot fail' is the very mindset that I think is harming the prospects of IPv6 adoption. Deployment of IPv6 is not assured. Far too many people are relying on the assumption that it is as an excuse to tie their own little pet notions to the scheme.

At present we still don't have a credible transition plan that takes account of the needs of actual end users. The anti-firewall/anti-NAT constituency have seized on IPv6 as being the opportunity to ensure a borderless Internet in which every machine is permanently exposed to attacks from outside.

# 11 Reply (max. reply level reached)  |  Link  |  Report Problems

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Dyn Adds Chris Griffiths As New VP of Labs

IP Geolocation: Four Reasons It Beats the Alternatives

Nominum Releases New Security Intelligence Application

New Nixu NameSurfer 7.3 Series Powers the Software-Defined Data Centre

New Nixu Solution Slashes Cloud Application Delivery Times from Weeks to Milliseconds

Domain Name Registrations Pass 233 Million in the First Quarter Of 2012

Automate IPAM Set-up with Nixu NEE 1.3 Series

Nominum selected as 2012 AlwaysOn Global 250 Top Private Company

Streamline Application Delivery Processes with Nixu NameSurfer 7.2.2

Nominum Releases New Version of Carrier-Grade DHCP Software for Telecom Providers

Nominum Survey of World's Leading ISPs Shows Nearly 60% of ISPs Plan to Roll-Out IPv6 by End of 2012

Frontline and Nominum Deliver Integrated DNS-Based Platform to Enhance Enterprise Security

Nominum Sets New Record for Network Speed and Efficiency

Implementing a Cyber-Security Code of Conduct: Real-Life Lessons From Australia (Webinar)

Nominum and Nixu Software to Deliver Centralized DNS and DHCP Management Solution

Nixu NameSurfer 7.2 Strikes Rich at Dojo

DotConnectAfrica Participates at ICANN 43 In Costa Rica, the "Rich Coast"

Nominum Launches World's First Purpose-Built Suite of DNS‐Based Solutions for Mobile Operators

Is IPv6 the New Y2K? (Primer)

Sponsored Topics

dotMobi

Mobile

Sponsored by
dotMobi
Afilias

DNSSEC

Sponsored by
Afilias
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines
Verisign

Security

Sponsored by
Verisign