North American Network Operators Group
Re: Apple Airport Extreme IPv6 problems?
Barrett Lyon wrote:
[..]
> I would actually think Apple (and any other vendor that default enable
> v6 tunnels without notifying the user) should react to this and provide
> a fix that allows their current user base to opt-in to their
> pre-existing tunnels with education on what that means to the user.
> It's great to be progressive, but it's not good to do it when it can
> impact users.

IMHO what Apple (bcc'd :) should provide is a 'connectivity test'. Thus when they enable 6to4 per default, they should test that they can at least reach the 6to4 anycast node which is going to relay their packets and they should test a remote node (eg connectivity-test.apple.com) if they can reach that.

Which is sort of what Vista tries to do too and several other connection managers which show visually how/if there is "Internet connectivity". XP for instance also whines when you don't have good connectivity to the Internet based on some tests.

If the connectivity looks broken, then either disable the tunnel or at least notify the user that experience might be diminished.

> Regarding segmented v4/v6 DNS, this may already exist, but it may also
> be a good idea for the web masters out there to create a v6 logo or
> marking denoting that a user has reached a v6 page vs. a v4 page. This
> could also be more helpful and also allow users to choose which protocol
> is used to reach the site. It also creates a reason to have both an
> overlapping AAAA/A www. and a special www.v6./w6. and www.v4. alias.

Please please please, for the sake of a semi-'standard', please only use the following forms in those cases:

www.<domain>
www.ipv6.<domain>
www.ipv4.<domain>

Don't come up with any other variants. The above form is what is in general use around the internet and what some people will at least try to use in cases where a DNS label has both an AAAA and A and one of them doesn't work.

You can of course add them, it is your DNS, but with the above people might actually try them.

> If
> that framework accompanied the overlapping DNS, then HREFs could shuffle
> users from one version of the site pending on the user preference.
>
> On a totally unrelated note: Not to make any accusation on the security
> of the end-point tunnel network what-so-ever, but an entirely other
> issue is the tiny bit of a security conundrum that default tunnels
> create -- tunneling traffic to another network without notifying the
> user seems dangerous. If I were a tinfoil-hat security person (or a CSO
> of a bank for example) this would really freak me out.

Just if an enduser controls the path over which his traffic goes now anyway? The answer to that is crypted VPNs and nothing else.

And of course for instance MS allows you to turn off those features using Active Directory management. Maybe Macs also have such a button somewhere? Next to of course the use of a firewall which explains to you what connections are being made and which packets are being sent.

Greets,
 Jeroen
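
The two-step connectivity test proposed in the message above, as an added example that is not part of the original post and is not Apple's or Microsoft's code. Assumptions: the relay anycast address 192.88.99.1 is taken from RFC 3068 (the post does not state it), the remote test uses TCP port 80, the function names and the verdict strings are hypothetical, and the test host name is the post's own "eg".

```python
import ipaddress
import socket
import subprocess

# 6to4 relay anycast address (RFC 3068); the post only says "6to4 anycast node".
RELAY_ANYCAST = "192.88.99.1"

def embedded_v4(addr):
    """IPv4 address inside a 6to4 (2002::/16) address, or None if not 6to4."""
    return ipaddress.IPv6Address(addr).sixtofour

def ping_probe(addr, timeout=3.0):
    """True if one ICMP echo is answered (system ping, Unix-style -c flag)."""
    try:
        r = subprocess.run(["ping", "-c", "1", addr], timeout=timeout,
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except (subprocess.TimeoutExpired, OSError):
        return False
    return r.returncode == 0

def tcp6_probe(host, port=80, timeout=3.0):
    """True if a TCP connect to host:port succeeds over IPv6 (port is an assumption)."""
    try:
        targets = socket.getaddrinfo(host, port, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return False  # no usable AAAA record
    for fam, kind, proto, _, sockaddr in targets:
        try:
            with socket.socket(fam, kind, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                return True
        except OSError:  # timeout, unreachable, refused
            continue
    return False

def tunnel_verdict(local_v6, test_host, relay_probe=ping_probe, remote_probe=tcp6_probe):
    """Hypothetical policy: keep the automatic tunnel only if both tests pass."""
    if embedded_v4(local_v6) is None:
        return "not-6to4"            # native or other IPv6, nothing to test
    if not relay_probe(RELAY_ANYCAST):
        return "disable-or-notify"   # relay that carries our packets is unreachable
    if not remote_probe(test_host):
        return "disable-or-notify"   # relay answers, end-to-end IPv6 still broken
    return "keep"

if __name__ == "__main__":
    # Constructed local address; the host name is the post's own "eg".
    print(tunnel_verdict("2002:c000:204::1", "connectivity-test.apple.com"))
```
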