nanog mailing list archives

Re: Apple Airport Extreme IPv6 problems?


From: Jeroen Massar <jeroen () unfix org>
Date: Tue, 18 Sep 2007 11:45:02 +0100

Barrett Lyon wrote:
> [..]
> I would actually think Apple (and any other vendor that default-enables
> v6 tunnels without notifying the user) should react to this and provide
> a fix that allows their current user base to opt in to their
> pre-existing tunnels with education on what that means to the user.
> It's great to be progressive, but it's not good to do it when it can
> impact users.

IMHO what Apple (bcc'd :) should provide is a 'connectivity test'. Thus
when they enable 6to4 per default, they should test that they can at
least reach the 6to4 anycast node which is going to relay their packets,
and they should test a remote node (eg connectivity-test.apple.com) to
see if they can reach that. Which is sort of what Vista tries to do too,
and several other connection managers which show visually how/if there
is "Internet connectivity". XP for instance also whines when you don't
have good connectivity to the Internet, based on some tests.

If the connectivity looks broken, then either disable the tunnel or at
least notify the user that the experience might be diminished.


> Regarding segmented v4/v6 DNS, this may already exist, but it may also
> be a good idea for the web masters out there to create a v6 logo or
> marking denoting that a user has reached a v6 page vs. a v4 page. This
> could also be more helpful and also allow users to choose which protocol
> is used to reach the site. It also creates a reason to have both an
> overlapping AAAA/A www. and a special www.v6./w6. and www.v4. alias.

Please please please, for the sake of a semi-'standard', please only use
the following forms in those cases:

www.<domain>
www.ipv6.<domain>
www.ipv4.<domain>

Don't come up with any other variants. The above form is what is in
general use around the internet and what some people will at least try
to use in cases where a DNS label has both an AAAA and A and one of them
doesn't work. You can of course add them, it is your DNS, but with the
above people might actually try them.

> If that framework accompanied the overlapping DNS, then HREFs could
> shuffle users from one version of the site depending on the user
> preference.

> On a totally unrelated note: Not to make any accusation on the security
> of the end-point tunnel network whatsoever, but an entirely other
> issue is the tiny bit of a security conundrum that default tunnels
> create -- tunneling traffic to another network without notifying the
> user seems dangerous. If I were a tinfoil-hat security person (or a CSO
> of a bank for example) this would really freak me out.

Just as if an end user controls the path over which his traffic goes now
anyway? The answer to that is encrypted VPNs and nothing else. And of
course for instance MS allows you to turn off those features using
Active Directory management. Maybe Macs also have such a button
somewhere? Next to, of course, the use of a firewall which explains to
you what connections are being made and which packets are being sent.

Greets,
 Jeroen
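The connectivity test Jeroen proposes, written out as an added example (this is not code from the thread, from Apple or from any vendor): derive the 6to4 prefix from the host's IPv4 address, refuse the tunnel from non-public (NAT) space where 6to4 cannot work, probe the anycast relay, then probe a remote IPv6 node, and only then enable, warn, or disable. The relay address 192.88.99.1 is the RFC 3068 anycast address; the test host name is the hypothetical one from the thread, and the relay probe is a caller-supplied callable because probing protocol 41 needs raw sockets.

```python
import ipaddress
import socket
from typing import Callable, Optional, Tuple

# Well-known 6to4 anycast relay address (RFC 3068). Assumption: this is the
# relay the host would use; the anycast prefix was later deprecated (RFC 7526).
RELAY_V4 = "192.88.99.1"
# Hypothetical remote IPv6 test host, the name suggested in the thread.
REMOTE_V6_HOST = "connectivity-test.apple.com"


def sixtofour_prefix(public_v4: str) -> Optional[ipaddress.IPv6Network]:
    """The 2002:<v4>::/48 prefix a host with this IPv4 address would use,
    or None when the address is not globally routable: 6to4 cannot work
    from RFC 1918 space behind NAT or from other non-public ranges."""
    addr = ipaddress.IPv4Address(public_v4)
    if not addr.is_global:
        return None
    hi, lo = divmod(int(addr), 1 << 16)
    return ipaddress.IPv6Network(f"2002:{hi:x}:{lo:x}::/48")


def tcp6_reachable(host: str, port: int = 80, timeout: float = 3.0) -> bool:
    """Remote-node probe: can we open a TCP connection to host over IPv6,
    i.e. through the tunnel? The relay itself speaks protocol 41 and needs
    raw sockets to probe, so that check is supplied by the caller."""
    try:
        for fam, stype, proto, _, sa in socket.getaddrinfo(
                host, port, socket.AF_INET6, socket.SOCK_STREAM):
            with socket.socket(fam, stype, proto) as s:
                s.settimeout(timeout)
                s.connect(sa)
            return True
    except OSError:
        pass
    return False


def decide_6to4(public_v4: str, relay_ok: Callable[[str], bool],
                remote_ok: Callable[[str], bool] = tcp6_reachable) -> Tuple[str, str]:
    """Run the checks before turning 6to4 on by default.
    Returns ('enable' | 'warn' | 'disable', human-readable reason)."""
    prefix = sixtofour_prefix(public_v4)
    if prefix is None:
        return "disable", f"{public_v4} is not a public IPv4 address, 6to4 cannot work"
    if not relay_ok(RELAY_V4):
        return "disable", f"6to4 relay {RELAY_V4} unreachable, tunnel would black-hole IPv6"
    if not remote_ok(REMOTE_V6_HOST):
        return "warn", f"relay reachable but {REMOTE_V6_HOST} is not, expect a diminished experience"
    return "enable", f"IPv6 via 6to4 prefix {prefix} verified end to end"
```

A connection manager would run `decide_6to4` with the interface's public address and a real relay probe, and surface the reason string to the user instead of silently tunnelling.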
