Re: [v6ops] Apple and IPv6, a few clarifications

Tore Anderson <tore@fud.no> Sat, 20 June 2015 09:21 UTC

Return-Path: <tore@fud.no>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E2641A007E for <v6ops@ietfa.amsl.com>; Sat, 20 Jun 2015 02:21:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.79
X-Spam-Level:
X-Spam-Status: No, score=0.79 tagged_above=-999 required=5 tests=[BAYES_50=0.8, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wSMHcBq3OVBA for <v6ops@ietfa.amsl.com>; Sat, 20 Jun 2015 02:21:37 -0700 (PDT)
Received: from greed.fud.no (greed.fud.no [IPv6:2a02:c0:1001:100::145]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6268E1A008B for <v6ops@ietf.org>; Sat, 20 Jun 2015 02:21:37 -0700 (PDT)
Received: from [2a02:fe0:c412:1fe0::1] (port=41190 helo=envy.fud.no) by greed.fud.no with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.82) (envelope-from <tore@fud.no>) id 1Z6Exu-0001X8-TF; Sat, 20 Jun 2015 11:21:30 +0200
Date: Sat, 20 Jun 2015 11:21:30 +0200
From: Tore Anderson <tore@fud.no>
To: David Schinazi <dschinazi@apple.com>
Message-ID: <20150620112130.42377dd1@envy.fud.no>
In-Reply-To: <E1C235B5-1421-4DAF-A2F3-F963982233DF@apple.com>
References: <E1C235B5-1421-4DAF-A2F3-F963982233DF@apple.com>
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.28; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/RWCG5uhftgWyDisLVZR6dXwsHEs>
Cc: v6ops@ietf.org, Vividh Siddha <vsiddha@apple.com>
Subject: Re: [v6ops] Apple and IPv6, a few clarifications
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Jun 2015 09:21:39 -0000

Hello David,

First of all, let me say that the news from WWDC is very exciting, and
I hope your strategy proves successful. With some luck, your approach
of forcing app developers to write IPv6-capable code will also
indirectly benefit the other platforms too.

I have some follow-up questions though, see in-line:

* David Schinazi

> *) Personal hotspot on iOS
> If your iPhone has dual-stack connectivity on its cellular network,
> the hotspot it creates will be dual-stack as well. The phone will
> share its prefix with Wi-Fi clients.

And if the cellular network is IPv6-only? Does the tethered WLAN become
IPv6-only too? If so, I can imagine that this would cause IPv4
compatibility issues for older Apple devices without the new
Bump-in-the-API stuff, as well as for non-Apple devices attaching to
the tethered WLAN.

Hopefully this is not something that will put network operators off
from provisioning IPv6(-only) connectivity to the Apple devices on
their network...

> *) Internet Sharing on the Mac - NAT64 testing mode
> The NAT64 test mode was designed to help developers ensure that their
> app can still function with IPv6-only NAT64+DNS64 connectivity and
> communicate with their IPv4 server, even if the developer does not
> have access to the IPv6 internet. That NAT64 network does not have
> IPv6 connectivity to the global IPv6 internet. As such, the current
> version advertises addresses from 2001::/64 instead of ULAs to
> simulate real IPv6 connectivity, as all IPv6 packets are terminated
> at the NAT64 server on the Mac. This implementation detail could
> change in the future.

One thing that is not clear to me, is if what happens if the app
developer's server is dual-stacked. For example, if the DNS entries are
as follows:

www.example.com. IN A 192.0.2.1
www.example.com. IN AAAA 2001:db8::1

...what exactly happens when the iOS node on the NAT64 testing WLAN
attempts to access it? Obviously, as there is no connectivity to
2001:db8::1, native IPv6 towards the "IN AAAA" record cannot work.

Does the DNS64 in the OS X host consider "::/0" as part of the Special
Exclusion Set (cf. RFC6146 s5.1.4), causing it to ignore the upstream
AAAA record and perform DNS64 synthesis instead, e.g., returning this
to the tethered host:

www.example.com. IN A 192.0.2.1
www.example.com. IN AAAA 2001::192.0.2.1

Or will it simply return the upstream DNS records verbatim (i.e., not
performing any DNS64 synthesis), and rely on the Happy Eyeballs
implementation in the iOS node to quickly figure out that the
2001:db8::1 address is unreachable and fail over to 192.0.2.1 (at which
point the Bump-in-the-API can kick in and perform local translation to
2001::192.0.2.1)?

Or perhaps something else entirely?

> *) Making IPv4 literals work on NAT64 networks when using high-level
> APIs Starting with this year's versions, if you use NSURLSession to
> connect to an IPv4 literal on an IPv6-only NAT64-DNS64 network, the
> API will bump in a IPv6 literal synthesized using RFC 7050. Note that
> this will not happen when using sockets directly. We do not support
> under-the-sockets bump-in-API (RFC 3338) and we do not support
> 464XLAT.

Does this mean that if the app is using socket directly, but in a
correct and IPv6-supporting way, to either:

1) communicate with dual-stacked hostnames (assuming ::/0 is not in the
DNS64's Special Exclusion Set as per what I wrote earlier), or
2) directly to an IPv6 literal address (think for example peer-to-peer
applications/protocols that do not use DNS to begin with),

..will then any tests for correct IPv6-only app behaviour the developer
performs on the NAT64 network fail, even though the app is doing
everything right?

A related question: Will the test system that validates App Store
submissions for correct IPv6-only behaviour have full access to the
entire IPv6 Internet, ensuring that apps such as the above will be
approved, even though they might not work correctly behind an OS X
NAT64-only test network?

> *) Happy Eyeballs
> We've heard feedback on our Happy Eyeballs implementation and are
> investigating this topic.

Great! Let me add my voice to this: Please ensure that IPv6 is
consistently preferred over IPv4, if both protocols work equally
well/fast (or roughly so). Only fall back on IPv4 it is clear that IPv6
is performing *significantly* worse than IPv4, or not at all. See
RFC6555 s4.1.

Tore