RE: IPv4 outage at next IETF in Chicago

"Christian Huitema" <> Wed, 25 January 2017 02:32 UTC

From: "Christian Huitema" <>
To: "'Mark Andrews'" <>, "'Franck Martin'" <>
Cc: 'IETF' <>
Date: Tue, 24 Jan 2017 16:32:04 -1000
Subject: RE: IPv4 outage at next IETF in Chicago
List-Id: IETF-Discussion <>

On Tuesday, January 24, 2017 1:56 PM, Mark Andrews wrote:
> In message
> Franck Martin writes:
>> I think it is time to move to the next level of IPv6 deployment. 
> ...
> Somehow the IETF has been brainwashed into thinking that DNS64/NAT64
> is actually the best solution.  It really is a total piece of garbage
> and should be made historic. It breaks DNSSEC.  It requires that
> DNS recursive server accept answers from broken authoritative
> servers. It doesn't prevent PMTU issues.  It doesn't actually have
> the reported property that you can tell when you can turn it off.
> It makes the network less robust as you cut off IPv4 fallback if
> the IPv6 path / servers are broken when both are offered.

Language apart, there is a serious question here. Did the IETF produce the
right standards for IPv6 only networks? Is NAT64/DNS64 useful or harmful?
What else are we missing? It seems that the IETF should try to answer that
sooner rather than later. The IETF culture, besides the flowery language,
encourages practical engineering and experimentation over speculation. So,
yes, maybe we should do some practical experimentation, just like Franck
Martin is proposing.

Some of that experimentation is of course going on outside the IETF, as
reported in this APNIC blog entry. The blog explains
that Microsoft IT wants to move their network to IPv6 only. They have so
many devices that using RFC 1918 addresses requires multiple layers of NAT,
and that is really painful to manage. Moving to IPv6 only would reduce the
management costs, but of course they have to proceed cautiously. One of the
starting points is to deploy IPv6 only in the "guest" network, the Wi-Fi
networks used by visitors. This is interesting, because the usage profile of
this guest network is very similar to that of the IETF network: visitors
using the Internet and connecting back to a variety of companies.

As you might expect, they did find issues. Some routers lacked support for
RDNSS (RFC6106), and that prevented access by Android devices. The
deployment of Azure-AD requires dynamic ACLs (name-based), and these were
not supported with IPv6 by some vendors. They found a DHCPv6 bug in Windows
10, which affected both stateful and stateless schemes, but was masked in
dual stack deployments. All of these issues are being fixed. On the other
hand, they did not find any particular issue with NAT64/DNS64, maybe because
few of their visitors actually require DNSSEC.

Could we find similar issues with the current IETF network setup? Possibly,
but I expect that the bugs will happen in corner cases, such as old OS
releases or specific business applications. We will only find these bugs if
a large variety of people actually try the IPv6 only network, and complain
when stuff does not work. We need to encourage people to actually try the
IPv6 only network. Disconnecting IPv4 is one radical way to do that. It
certainly has its merits.

-- Christian Huitema
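
An added example, not part of the original message: the quoted objection that DNS64 "breaks DNSSEC" comes down to the resolver handing out an AAAA record that the zone never signed. The sketch below implements the RFC 6052 address embedding that DNS64 uses to build that record, and the reverse mapping a validating client can use to get back to the A record that does carry a signature. The prefix 64:ff9b::/96 is the RFC 6052 well-known prefix; the function names and the 192.0.2.x / 2001:db8:: sample addresses are constructed for illustration.

```python
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052 well-known prefix
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)      # only these lengths are allowed

def _positions(prefix_len):
    """Byte offsets that carry the four IPv4 octets.
    Octet 8 (bits 64-71, the 'u' octet) is reserved and always skipped."""
    pos, i = [], prefix_len // 8
    while len(pos) < 4:
        if i != 8:
            pos.append(i)
        i += 1
    return pos

def synthesize(v4, prefix=WKP):
    """What a DNS64 resolver does: embed an A record's address in the prefix."""
    if prefix.prefixlen not in VALID_LENGTHS:
        raise ValueError("RFC 6052 allows only /32 /40 /48 /56 /64 /96")
    raw = bytearray(prefix.network_address.packed)
    for p, octet in zip(_positions(prefix.prefixlen),
                        ipaddress.IPv4Address(v4).packed):
        raw[p] = octet
    return ipaddress.IPv6Address(bytes(raw))

def extract(v6, prefix=WKP):
    """Reverse mapping: return the embedded IPv4 address, or None when the
    AAAA is outside the NAT64 prefix (i.e. a genuine, possibly signed AAAA)."""
    addr = ipaddress.IPv6Address(v6)
    if prefix.prefixlen not in VALID_LENGTHS or addr not in prefix:
        return None
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[p] for p in _positions(prefix.prefixlen)))

def triage(aaaa_answers, prefix=WKP):
    """For each AAAA in a response, report the A address a validating client
    would have to look up and validate itself; None means validate the AAAA."""
    return [(str(a), extract(a, prefix)) for a in aaaa_answers]

if __name__ == "__main__":
    # Constructed response: one synthesized record, one native record.
    for aaaa, v4 in triage(["64:ff9b::c000:221", "2001:db8::1"]):
        print(aaaa, "-> synthesized from", v4 if v4 else "nothing (native AAAA)")
```
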