So welcome again to the IPv6 BoF. The idea is to collect what works and what doesn't work. So there's a Gobby document on gobby.debian.org where we already started some notes and where we will collect notes. It's very much a BoF, so we would like to talk or have a discussion about what people experienced and where they see the problems in their setups, so that at some point, maybe post-DebConf, we could even fix them. I was surprised when I saw that ifupdown, our great network managing tool, was actually upgraded to IPv6 in May with version 0.7, which seems, I didn't try it yet, seems to support things like waiting for auto-configuration, doing stateless DHCP, enabling privacy extensions in network interfaces. Even NetworkManager has support for DHCPv6 now, so there's certainly development happening, mostly driven by people who seem to not really be using it, but fair enough, as long as it sort of works. So yeah, what are your experiences? Who of you does already use IPv6 at some network, be it at home, at work? So that's 10-ish out of 25, no, maybe less, okay. So he argues that some people don't know they're using it. Fair enough, I mean, it's enabled at the DebConf Wi-Fi and I presume that most people just don't care that their communication with, for example, Google is going over v6. How many of you had problems? noodles? So just in terms of the DebConf Wi-Fi and IPv6: at one point, DHCP wasn't handing out working routing for IPv4 and it took me about 10 minutes to notice, because my SSH server's on IPv6 and Google's on IPv6 and my XMPP's on IPv6, and until I actually started clicking on links in Google and going, why did none of them work, I didn't realize that v4 wasn't working. So it does seem to work here. But suddenly you need to have a recursive DNS server set up for this to work.
It was a default route problem rather than an actual full IPv4 failure, so it was getting a DHCP lease with the DNS servers, but it wasn't getting a working default route. Right, okay. I also saw that I got IPv6 addresses while the DHCP discover broadcasts didn't go through, and so I had sort of IPv6 connectivity but nothing IPv4-ish, which then causes NetworkManager to actually terminate the Wi-Fi session. But I mean one can now tell it not to. So I mean it seems like what we're talking about now is a user interface problem in terms of just how do you represent to the user that one of the stacks seems to be functional and another one does not. And it's peculiar to a dual-stack machine, this idea that your network could be configured correctly but your other network is not configured correctly. And I don't know if anybody's done any UI work to try to think about how to present that. I mean I'm assuming that would happen upstream, but did you? A little pop-up saying you have half the internets. Yeah, I mean what does "you have the internets" mean really? I mean Android does it now. There was some discussion on the Ubuntu list about how to actually check if you have networking. So the Android phone calls out to Google and looks if it reaches it or if a captive portal is in between, and then tells you to sign in. There are so many problems that can go wrong which are not just IPv4 is missing but IPv6 is there, and you still can't reach the internet even if you wanted to. Yeah, that's a general display issue. So NetworkManager is a tool targeted at end users who may not understand what's IPv4 or IPv6, and what they care about is the internet working. All right. I mean, what's the internet? Google works with IPv6, right? Some people, yeah. NetworkManager works well in a dual-stack setup. Having just IPv6, that doesn't get you the internet. Yes, you have a crippled internet basically.
Depends. If you have a DNS64 setup, and on the forwarder you are handing out by DHCPv6, it does work for everything that uses DNS. You can say it's crippled in terms of applications that cannot actually use it to reach out, but if they are just using DNS to resolve the address they will just work. It does mean that programs that hand out raw IPv4 addresses, like BitTorrent, won't work properly. So NetworkManager was never good at doing more advanced setups. And if DNS64 is considered advanced or not, this is something that we can debate, but I think it's still not a setup that's targeted at end users. It's not in the wild yet. What's your argument? Your argument is NetworkManager is not for advanced setups and it's not ready for end users? No, my argument is that NetworkManager is doing good assuming that if you don't have IPv4 you don't have a connection. You can now tell it. I know. Sorry. I'm talking about defaults here. Right, yeah. So you can tell it to require IPv6 addressing for this connection to complete, and you can tell it to require IPv4 addressing for this connection to complete. I assume they are actually ternary fields. I mean, what happens if I don't check any of those? Probably it requires IPv4 addressing to complete. Yeah, the UI for this is not great, and I don't think, with some things in NetworkManager, they didn't think it through. The other thing is privacy extensions. If you do the sysctl for enabling them, actually for old connections that you imported by upgrading NetworkManager it will reset it to zero for the interface. So privacy extensions get disabled despite you setting them explicitly in sysctl, and all new connections you create will have privacy extensions by default, but you cannot configure it in any way through the UI. So about the "require IPv6", I remember a discussion about it for NetworkManager that people were complaining because it had both enabled by default.
And NetworkManager issues something on D-Bus when the connection is established so that Pidgin and whatnot can re-establish their connections. So on most networks that can't have IPv6, NetworkManager was waiting for the DHCP lease and then trying for a minute to get an IPv6 address, either via DHCPv6 or other configuration. It does something timeout-ish. And then you waited for like a minute until your connection was properly established and your applications would be connected, and that's why they made it optional, I think. Right. I mean for the setups you mentioned it's probably ifupdown which needs to have support for those features. What the man page actually tells you for things like DNS is you can use stateless DHCP through the auto setting. I don't know if you can read this. Is that better? Okay. Like this? Okay. So that's a strange font. Yeah. So it actually tells you stateless DHCPv6 support can just be turned on in the configuration, but if you want to use the extension that gives you the resolver by router advertisements you need to run a separate daemon. It even says it must be installed, properly configured and running, where I wonder if it couldn't just do the right thing. Yeah, and also what I'm missing there is turning off auto-configuration, which is sometimes useful. It didn't say anything about stateful DHCPv6. That's true. I've never tried it myself. But there's a DHCP method. So it does DHCPv6 with dhclient, which is fair enough I think. As for the installer, I noticed, I already saw that the Ubuntu installation said something about IPv6 auto-configuration, so apparently a patch was added in August 2011 that handles IPv6 auto-configuration, stateful DHCPv6 and stuff. It was pending, blocking on ifupdown 0.7 in Debian, which only entered unstable in May, and the patch set hasn't been pushed yet to Debian, it seems.
So from IRC, Herman R is raising the concern about another user interface issue, which is fetching a AAAA record, trying to access the IPv6 address, having a long timeout because your IPv6 stack is non-functional, and then finally deciding to go ahead and try on IPv4. And this is a userspace concern, I think, and it may depend on the application. I assume he's talking about web browsers in particular. It does require you to have broken IPv6 connectivity though. There is a spec that most browsers implement nowadays for the web, the Happy Eyeballs spec, which, when you have both A and AAAA, the browser tries both at the same time and the one that responds sooner, it uses that address family for the rest of the sessions for that destination. This is like a two-year-old spec, maybe a year and a half. Do you know which browsers? I'm sure that Chrome does it because it's a Google spec. I think the latest Firefox does implement it, but I've never had problems. On the other hand it would have made sense to have it in some core library instead, if we want that as a default behavior. I mean Google did it because they experienced that some people have broken IPv6 connectivity and they wanted to work around that. It's called Happy Eyeballs. Right. Other operating systems are solving it at the operating system level, which also has interesting consequences given that it's unpredictable if it will use IPv6 or IPv4. That's the case with OS X. You cannot really tell. It depends really on the latency and some arbitrary delays in connection setup. So any other problems you experienced? Did you see the problems? Did you tell your network administrator? And for Debian, did you deactivate IPv6? Because I still meet people who say I'm deactivating the IPv6 module, or I'm really trying to de-configure everything so that it can't possibly hurt us.
It's possible that there are valid reasons for that. Another thing that doesn't work out of the box in Debian is DHCPv6 prefix delegation and gateway setups, but this is a fairly advanced setup. Right now what you have to do is install one of the DHCPv6 clients that support it, which is like one or two in the archive, not all of them do, and then have hooks that set the radvd.conf. The what? The radvd.conf from... Oh, right, yeah. So how to set the configuration? So prefix delegation is a feature of DHCPv6 which basically says: you get an IP address just fine; if you have a network beyond your device, here's what you can use for that, or pick some address space out of it for your own network. So it's mainly useful in routers, like home routers, so that the link to the ISP and your home network actually have different subnets. Did you do some IPv6 debugging? If so, what did you use? Because there are some tools. I don't think... I mean I listed two: ndisc6, which does neighbor discovery in userspace. rdisc6 is part of the same package. There's of course tracepath, if you have to debug path MTU issues. But I mean I would assume that there are people among us who administer networks and know other tools. Right, right, yeah, obviously. And mtr, yeah, right. I think it's worth mentioning that ip has a nice little -6 flag so you can ignore all the non-IPv6 stuff. The legacy IP stuff. The legacy IP stuff, yes, exactly. And if you're not used to using ip as a core part of your network troubleshooting... You should. I think you should learn it. The mapping directly to the layered concepts within the Linux kernel, if you're using the Linux kernel, is very nice and symmetric, and it will repay the time spent learning it. I can only agree on that, yeah. Anyone have any other tools that they've used in these contexts that are worth sharing?
Or experiences of tools that go pretty well with IPv6, like monitoring tools, or if they are still problematic in testing if both v4 and v6 work for a given host. I mean, there are several problems one has to manage when one actually tries to offer services over v6, that they are actually reachable. Although it's really trivial, I often use w3m because you can restrict it to either four or six. It's very handy. Another question: I don't know if you wanna talk about privacy now or should we wait till you get to privacy extensions? I think we can go on with that. Well, so this is sort of related to the UI thing, but I'm wondering, as an IPv6 client, how do we handle ensuring privacy with, let's say, a network that's set up for stateless auto-configuration, because it will leak the MAC address. What do we do as clients to deal with that? Well, as I said, NetworkManager will default to privacy extensions being turned on, for example. So it will regularly rotate, or the kernel rather will regularly rotate, your IP addresses for you. So the default for outgoing connections is the privacy one, and for server services you can still use the MAC-based one or something static if you really want that. It doesn't? Yeah, like I said. So I just looked at mine and I definitely do not have the privacy extensions enabled, because the last three octets of my IPv6 address are the last three octets of my MAC address. That's interesting, because that actually worked at some point. I mean, there is this flag in... thank you very much. So I actually did try this out some two months ago, and when I created a new connection it did default to 2 for the privacy extensions setting. You can always add it manually. There is, as I said, no UI for it, and I mainly experienced it with imported connections, but it's true that I currently don't see a privacy extensions address on mine. I think we should care about those.
I think we should activate those by default, but I think the kernel does not do it. So in any case we would need to override it, even in ifupdown, if we wanted to. But I think that might be controversial. I don't know. Is there anyone here who wants to argue the other side of that, so that we're aware of what some of the arguments are? So I have another question from IRC, if people are okay with that. Again, it's Herman R asking: do you have any advice or gotchas about dual stack and multicast? Picking the right interface, host address, multicast address, et cetera. I think most people didn't yet. Well, IPv6 multicast is pretty different from IPv4 multicast in how the addresses are set up and stuff, so I'm not really sure what it's aiming at. Yeah, the only thing we have back in response right now is a grin. Yeah, so Herman, I don't know that we have any clear suggestions for you. Can you clarify if you're... I'll try to clarify on IRC to get more info. Right, so I think, I mean, multicast is still nothing that's anywhere near the main internet, so it's mainly confined to local installations. Either you use it, and the only thing where I use it is sadly IPv4 because I can't change that, but yeah, I don't have any guidance on that. He says that his use case is local, for whatever that's worth. Right, but that should just work. I think specifying the right scope in the subnet and just sending it out. What address do you use? Which address do you use? Which group? An IPv4 group will be there. IPv4, IPv6 group, IPv6 group. Right. You have to specify an address though. I think his argument is probably also which interface, how you specify the interface and stuff.
I mean, there's also link-local addressing in IPv6, and they are still discussing how to specify the scope, so the interface, because some people argue that the percent sign that most applications currently implement, except Windows, is not really suitable for URLs, and so you have to escape the percent sign and stuff. And yeah, there are discussions on the IETF list about that; every application currently has to take care to parse it by itself, which is a bit silly. So what is the future of public IPv6 multicast deployment? Are we going to get an MBone 6? We haven't managed to make global multicast IPv4 work, so I don't think that v6 is any worse in that case. My experience of v4 multicast is it requires a lot of cooperation between ISPs, and I know I'm slightly diverging from the topic, but the BBC did a lot of work in trying to persuade ISPs in the UK to do multicast in order to reduce their bandwidth usage over peering points, and had a set of very convincing content that they wanted to share over multicast. "We're happy to do all of the work to help you set it up", and there was very little adoption. So I think there's probably some way to go before we have an IPv6 multicast network; I don't think that's in any way a reflection on IPv6. I believe if you wanna do IPv6 multicast on your local network then that will just work; as soon as you wanna transit an AS you're gonna have the same difficulties you see with IPv4, and it's not a protocol-level problem. It's certainly not a problem in the same subnet; if you have to do multicast routing, it's a bit fiddly, but it also works. But yeah, there are islands, I don't know if Paravoid wants to say that there are islands. There is an MBone 6. Yeah, the research institutions actually do peer with v6 multicast and v4 multicast, so they actually do reach each other. All of the research networks in the world peer with each other with multicast, and IPv6 multicast. So you can see, I was in the US for DebConf and I could see a multicast stream from Greece.
Over v4 though. Yeah, that was over v4, but it's the same for IPv6. Modulo any bugs that are not found very easily, because very few people use IPv6, very few people use multicast, let alone both. And it's also tricky to do multicast routing in a big environment. IPv6 is quite different in that regard as well. Yeah. So it seems so too, yeah, noodles. So going back a couple of points to the whole privacy extensions thing. Right. I'm the sort of person who quite likes working reverse DNS. And if I have something where I know the address that I'm going to have, then I can set up working reverse DNS. The whole principle of the privacy extensions really kind of goes in the face of working rDNS, in that if I have working rDNS then why am I trying to hide my address? So any thoughts about that one? Or, I mean, does no one else care about rDNS? Most people just don't care about rDNS. There are projects that auto-generate rDNS records. But that doesn't help you if you really want to. I mean you can use wildcards to just add one for the entire subnet, which doesn't work for forward DNS. You can just not care about it, and there's a daemon, I think written by Michael Stapelberg, who is now a Debian developer, that does forward and reverse DNS resolution on the fly for pattern-based rDNS. So it's not about your machine, but you get some, I think, hash-string-ish name. So it's still, I don't know why people care about it, except for ACLs like in Apache where you say *.domainname, where you really want to have the association from address to domain name. That sort of makes sense, but then you can just use a wildcard really. Yeah, no, Apache does forward resolution, that's why it doesn't work. So the problem is more than just privacy extensions. The problem is that ISPs cannot set your reverse DNS, your DSL reverse DNS for example, because you have a prefix, you don't have an address; then you add your MAC address there, and they don't know that beforehand.
So there's this big discussion about that, at least on RIPE. There's this daemon that people use; there's another implementation that uses the PowerDNS pipe backend. So this is a way for PowerDNS to delegate to an external process, where people then write their own Python thing, for example, that takes the address and creates some calculation of a pattern or something. And there's some discussion about that on various forums, and it's a known problem basically. So the project I meant is AllKnowingDNS? Many people say that they don't see the value of having, what Phil said, the value of having a pattern-generated reverse DNS versus no DNS at all; otherwise it's a big problem. Part of it, I'll admit, is just my OCD of liking to connect to IRC and see my host name in it rather than a long string of hex digits, and on logging in to my machine and realizing where I connected from and where I maybe last logged in from, because I can understand the DNS thing. But also things like, even on a dynamically configured network, I sometimes want to transfer files between hosts, and I don't want to statically configure the IP address on that, I don't want to have to type a long string of hex digits. Yeah, but I mean you can just define forward DNS for your MAC-address-based address, given that privacy extensions are only used outbound. I guess. For what it's worth, I was thinking about writing a hack for, like, easy IP config for DynDNS to set IPv6 forward DNS records, because their API doesn't support that. Sort of marginally useful, I don't know if anyone's interested, but that was just sort of a hack I thought about. I think the right solution probably, I mean, you mean for privacy extensions really? This is just similar to noodles' use case; just, I have DynDNS set up and if I want to have laptop.tom.org it'd be nice to give back a AAAA record. I mean there's dynamic DNS, which you can do locally; there's of course also DHCPv6 which could do it.
The problem with stateful DHCPv6 is you cannot match on MAC addresses. So the concept is completely different, even if it's called DHCP, in how you identify the client, and there's currently, as far as I know, no spec to... I mean, in theory your DHCP server could say if that packet comes from that link address just give it that IP. That only works in a local subnet, because there's no specification for actually encapsulating the MAC address you see when you relay it to another subnet. So you use a client identifier, which will not be consistent across operating systems installed on your machine, which will be randomly generated from time and MAC address and random numbers when you first install the client. It's a pretty strange concept for people who worked with DHCP before. From IRC, the user noshadow asks: does anyone know the reason why getaddrinfo with AI_ADDRCONFIG also returns IPv6 if you only have IPv6 link-local? It makes support for supporting both legacy and non-legacy IP quite tricky. I personally don't know the answer. I just see that it will try to connect to the v6 address and immediately fail and fall back to the v4 address, but I think that's actually something the client needs to implement. So yeah, link-local communication isn't very useful in that case, but the point is not, yeah. The comment is that you won't have a default route anyway, and therefore if you don't have a route to that address your client should go ahead and just fall back to an address that it does have a route to, which is probably the case anyway; even if you throw out IPv6 that's probably something you want to deal with for IPv4 as well. I think that's also a layering question, if you say that the resolving library should check first if the route exists, which might not be what you want, yeah. So I listed, Daniel and I listed some problems that we see in Debian.
I mean I had my personal experience with NetworkManager, which was just great, with it adding a static route for every kernel cache entry, which actually means, if I show it here, that might not work now because I know it does. So for every relationship you have with any IPv6 host, NetworkManager gets a notification over netlink that there's a new routing table entry, and somehow thinks it makes sense to insert a static route instead. So at some point I had 7,000 routes and NetworkManager was spinning at 100% CPU inserting those, but that's really something you only notice when you really are using it, and it seems the core NetworkManager guys do not yet have access to IPv6. Also I talked with the Debian maintainer for NetworkManager and he also doesn't have access to IPv6, so yeah. So it seems like one approach would be to go over to their house and set up IPv6 for them. Right. It's not hard after all, given that tunnel brokers are pretty much omnipresent, but yeah. Yeah, I'm wondering if we could hear from some people who don't currently use IPv6. Are people aware of the tunnel brokers? Have people tried to set that up and failed, or have they just not bothered? What are some of the reasons that people who are not using IPv6 right now are not using it? I know it doesn't come in by default, but if you're here presumably you're interested, and if you're interested how come you don't have it right now? I'm interested, but not interested enough to do actual work. There's also a thing called Teredo. It's just installed and you get an IPv6 address. The package is called miredo. I use that, but it gives you an address that's gonna be used with lower priority than IPv4. It's only gonna be used as fallback, so it's only really usable for connecting to IPv6-only sites. What was yours? Yeah. So there are two transition technologies that are very different from tunnel brokers. This is 6to4, which is not officially deprecated, and Teredo, which I think is deprecated as well.
Both of them are quite ugly in their implementation. Among other things, you use random relays on the internet which may or may not work, or may or may not be close to you. And the other thing that makes it not make sense for you to run that is that there's a thing called address selection, which is defined in /etc/gai.conf, which says that, if you have an IPv4 address and a Teredo address, you'll use Teredo only for destinations that only have IPv6. If the other end has IPv4 as well, you prefer that. So it inverts the priority of IPv6, basically, to be lower. It depends really. What you will see with Teredo is that you don't reach some hosts, because it actually relies on ICMPv6 working to the target address, which you should not filter but which some people still filter. And it does not only rely on ICMPv6, but it does rely on ICMPv6 echo reply. And some people don't like their machines to be pinged, and then you can't reach them, because it uses them to determine the closest relay to the actual target address so that routes are more optimal. The other thing, no, now I just lost it. So I have at least one server that's not IPv6-enabled, and that's because I hate tunnels. Tunnels are a hack. I want native IPv6. I want my upstream to do it. I do not want my IPv6 to be a second-class citizen. If I'm building a server, I'm not going to run services in a manner that I do not consider to be production. That's a fairly hard line, but I have IPv6 enabled on one of my colo boxes, my main one, for every single service I can. It's in the standard DNS. It's not going over a tunnel. My home network has a tunnel, but it's a tunnel to my ISP that provides my DSL, purely because they can't do native IPv6 over it. If you enable a tunnel then you need to be careful where you're tunneling to. Otherwise you're getting a substandard IPv6 experience, which can put people off. Actually untrue, partially. So on my servers I'm lucky to have IPv6 everywhere.
So natively, so that doesn't matter. At my home it was the case that IPv6 routing through a very popular tunnel broker was better than v4 routing, because my ISP doesn't peer promiscuously. So I had lower latency, better connectivity, full speed, et cetera, through a tunnel. But the right answer to that is to complain to your ISP that they're not providing you the service you're paying for. Yeah, but it's residential, so they don't care. Yeah. This was to the point of why aren't we using it. I had tried earlier, say, five years ago, and the tunneling simply didn't work reliably enough. I don't know what the state of the art now is for ISP support in the US, but I assume it's pretty minimal for residential. There are two tunnel techniques basically. One is the one SixXS implements, which uses the AICCU client, which uses a protocol for which no free implementation of a server exists, as far as I know, which does also NAT traversal. So it works basically everywhere. And there's the standard 6in4 tunneling, which requires a public IPv4 address. So that's something you can run on your router, which normally should just work, but if you're behind any NAT you will need the other way of accessing the tunnel broker. And yeah, your options there are pretty much limited to that single protocol that does the NAT traversal. So if you try 6in4 behind NAT it won't work at all. So you said that you don't use tunnels, and I agree with that. And my question is, why do we have a tunnel here? We of course have a tunnel here because the traffic goes to basically the exact same location where it's passing anyway. So there's no latency penalty involved. We don't have native IPv6 because the provider doesn't support it, like in various regions where that's the case. So a tunnel does not actually hurt anybody. At least that's my experience, and nobody complained. You don't know if the tunnel is congested or not.
It was actually pretty heavily used, but the tunnel was no problem. I had line rate every time I used HE.net, and I'm grateful they are providing a free service. Yeah, I will accept tunnels can be used. I just don't think that they're the right answer in general. I think it's a good idea at a conference like this that we actually have it there. People get experience of it, and they see it just works, and have the opportunity to play with it. So, sadly, we don't have a NetworkManager developer here to actually play with it and fix it. Just a minor point for the US providers. I know Comcast has an IPv6 trial; that's the biggest residential provider I know of in the US that has one. Also T-Mobile has IPv6 on their GSM/HSPA network. It's a beta; I believe it's an open sign-up. The main issue you get there is actually finding a phone whose baseband will support IPv6. My Desire G2 doesn't, for example, but I know there are some Android phones that do and some Nokia ones that do. So there are providers in the US of a reasonably large scale who are offering v6 to end users, often on a beta basis rather than as a commercial service. And in Europe as well, there are loads of them. Mainly in France, there's one big one. Germany. No, Germany does not have very... Germany has one single provider that does residential deployments of IPv6, because they're running out of IPv4 address space and they are not promising any public IPv4 address to be available soon for their customers. But that's mainly fiber-to-the-home stuff. All the big DSL providers do not support it. For what it's worth, I use Comcast in the US and I use OpenWrt as my router. For a while I was part of the 6RD trial with Comcast, but they deprecated that. And so actually I'm back to vanilla OpenWrt and 6to4, and it's not great, but it's the best I've got. It works actually pretty well with OpenWrt. So actually the time seems to be up. I don't know if somebody profited from this discussion. It's always a bit short in 45 minutes.
Thank you for attending and thanks to the media team.