jumpertz.net

Star Routes?

7/11/2013

Something for the Geeky Star Wars Lovers...
  • IPv4: traceroute -m 255 obiwan.scrye.net
  • IPv6: traceroute6 -m 100 obiwan.beaglenetworks.net

Going cross eyed with happy eyeballs

7/11/2012

Remember my "happy eyeballs" post? Well, it looks like it's causing issues with YouTube clips on both MacOS X (Mountain Lion) and IOS (6). The symptoms? Clips that refuse to launch and result in a black screen filled with pseudo static and an "An error has occurred. Please try again later." message. Even worse, some clips actually start to play and stop after a while. BTW, the error message is very helpful Google, thanks. The issue exists on Safari and Firefox; Chrome seems to be immune.
Picture
Pseudo static and the frustrating "An error has occurred" message
I was quite sure it had something to do with the dual stacked IPv4/IPv6 set-up we use at home, as disabling IPv6 on my MBP made the issue disappear. But what is causing the problem? And is there a fix?

Googling quickly pointed to "happy eyeballs", which confirmed my findings after some observations and a good deal of TCPdumping. But why would this happen, as "happy eyeballs" was created to prevent bad user experience on IPv6 in the first place?

To understand what happens while viewing a YouTube clip, I used HTTPfox on Firefox. HTTPfox is basically a local proxy which shows all the requests generated by the page you're visiting. The following screenshot shows a clip I was viewing and that stopped halfway...
Picture
"Battlestar Galactica" getting stuck between IPv4 and IPv6 transitions.
Digging into the output of HTTPfox one can easily retrieve the URLs that deliver the actual video stream. Google has its own Content Delivery Network (CDN), which presumably tries to deliver data as close as possible to the end user.

In the above example the content cache was:
  • o-o---preferred---sn-cxab5jvh-cg0z---v18---lscache7.c.youtube.com

And now it becomes interesting as this host resolves to:
  • CNAME o-o.preferred.sn-cxab5jvh-cg0z.v18.lscache7.c.youtube.com
  • A 194.78.99.141
  • AAAA 2a00:1450:400e:d::11

How and where the actual caching node is defined in the HTTP exchange is not really clear to me, but typically this is "somewhere" defined through geoIP lookups of the source IP of the requester. The obvious issue here is that my geo-location is completely different over IPv4 and IPv6 as I use a Hurricane Electric tunnel for my IPv6 connectivity. And even if my provider would deliver native IPv6 connectivity, it will still show a very different routing path.

While one is looking at a YouTube clip, multiple HTTP GETs are sent out to the content cache to gradually retrieve the content. And here lives the culprit! As "happy eyeballs" kicks in and tries to deliver connectivity over the "best path", it might actually change its decision during the session. In other words, one HTTP GET can go out over IPv4 but seconds later, the next HTTP GET would go over IPv6. In theory this shouldn't be a problem if all caches are equal, but it depends heavily on how the caches actually operate and how the application works. If sessions are involved, are we sure that the IPv4 and IPv6 endpoints are actually the same machine(s)? If not, how is the system supposed to stitch the IPv4 and IPv6 sessions together? I believe this is exactly what happens with Safari and Firefox on YouTube. The fact that my IPv4 and IPv6 routing is completely different and the likelihood that the IPv4 and IPv6 infrastructure is not the same on the CDN side might very well result in lost, unknown and zombie sessions.

For a pseudo streaming application like HTTP-based QuickTime streams or YouTube clips, "happy eyeballs" is very dangerous. Pseudo streaming applications send chunks of media data and rely on the fact that the network is faster than the realtime stream. For this specific clip it sends packets of 1,6 MB according to the HTTPfox output.

Conclusion: the browser should not only rely on the OS implementation of "happy eyeballs" as it could change IP stacks during a session or HTTP conversation with potential undesired side effects. It should stick to one IP stack after the initial decision handler to preserve session integrity.

As for viewing YouTube clips, I think I'll stick with Chrome until Apple and Mozilla engineers have figured out a way to fix this issue.

nslookup.exe, Win7 and IPv6 oddity

12/3/2012

OK, this is a weird one. Windows still relies on nslookup.exe to query name servers on the command line, although we all know that the command is deprecated and one should use host or dig. Nevertheless, on a default Windows installation one has to rely on the tools at hand.

The company Windows laptop I sometimes use is a Windows 7 64-bit machine and even though I mostly use a Mac, it is really nice.
Picture
Windows 7, 64-bit... nothing special here...
Occasionally, I take the laptop home where it gets on my IPv6 network. As expected of a modern system it discovers the router and accepts the router advertisements to comply with IPv6 automagical configuration. It even follows RFC6106 for DNS configuration. So far so good...

Oddly enough, when I return to work with no IPv6 on the LAN, something weird happens:
Picture
IPv6 ghostly remains in the DNS world.
nslookup.exe still believes the IPv6 name server is there even though the machine was rebooted several times in the meantime. And as a net result nslookup.exe no longer works, yet name resolution still works.

As shown in the screenshots, both IPv4 and IPv6 are set for automagical configuration.
Picture
Using DHCP for IPv4 configuration.
Picture
Using IPv6's autoconfiguration features.
Google doesn't really help me on this one and what baffles me the most is that nslookup.exe obviously uses different criteria for its name server than the Operating System itself.

I thought that maybe the Teredo tunneling feature, which is switched on by default, could have been the cause. It has been disabled for practical testing purposes and as the screenshot below shows, once on the LAN there is no reason why the machine would configure the wrong DNS server for nslookup.exe.
Picture
No IPv6 tunnels dug out of this laptop.
I'd be interested if someone has ever experienced this behavior and knows a fix for it as it is obviously a bug.

By the way, it is advisable to switch off Teredo tunneling when you fiddle around with IPv6. You disable it through an elevated command prompt and type the following commands:
Picture
Status of Teredo tunneling on the laptop and switching it off.

IPv6 Snow Leopard versus IPv6 Lion

11/3/2012

While digging into IPv6 support for the iPad, I stumbled on some unexpected results on my MBP. For starters, the default behavior I knew from a Snow Leopard MBP (10.6.8) is very different from what I observed on my Lion MBP (10.7.3).

To understand what follows, here's a brief description of my home network.
Picture
Regular IPv4 internet access is provided through VDSL over a b-box2 IAD. This multipurpose internet access device is part of the triple-play offered by my ISP. It's a modem, router, firewall, dhcp server, dns proxy, etc... The box doesn't support IPv6 and neither does my ISP.

On my internal network (RFC1918 address space), I have an Apple Time Capsule, which has this odd feature that it can work as an IPv6 tunneling device, and once configured, it will become the IPv6 router in the network. It takes the hassle out of IPv6 by taking the role of a Router Advertisement daemon and doubles as an IPv6 firewall and proxy name server. A /64 IPv6 network is assigned by Hurricane Electric to my Time Capsule and it's this prefix that is offered on the LAN through the Time Capsule.

Snow Leopard MacOS X 10.6.8 IPv6 behavior

Snow Leopard support for IPv6 is basic and straightforward. It will automagically configure itself when there's a Router Advertisement daemon on the LAN as shown in the following screenshot.
Picture
The IPv6 address is typically composed of the v6 prefix + the MAC address of the host. Besides auto-configuring its IP address and figuring out where the router is, there's nothing more to do to get the Internet6 at the doorstep. It's the most basic implementation of the Neighbor Discovery Protocol.

A dual stacked Snow Leopard will then default over IPv6 as per RFC3484. This means that if an application like Safari is asked to go to a site like http://www.ripe.net, it will go over IPv6 if it runs on a dual stacked system.
Picture
ripe.net shows your source IP address in its home page.
From a technical perspective and in a perfect world RFC3484 could be the desired behavior for a quick adaptation of IPv6. Unfortunately, the IPv6-world is not perfect and this has a negative influence on user experience.
  1. There's this concern about privacy and auto-configured IPv6 addresses. As the MAC address is inserted in the IPv6 address, one could potentially follow a computer on the IPv6 Internet.
  2. The auto configuration for IPv6 on Snow Leopard doesn't take into account DNS, which is the second most important thing after getting an IP address and the default router. RFC6106 describes DNS extensions on IPv6 router advertisements.
  3. What about bad IPv6 implementations or rogue radvd? From a user experience point of view there should be absolutely no difference between IPv4 and IPv6. Users don't care about IP addresses and that's how it should be. In practice, the IPv6 network has not yet reached the maturity needed for a smooth transition as not all ISPs support IPv6 and the IPv6 network itself is not fully meshed.
Picture
No support for RFC6106 under Snow Leopard.
Lion MacOS X 10.7.3 IPv6 behavior

Whilst writing my blog entry on IPv6 support on iDevices I noticed that Lion was behaving very differently from Snow Leopard. One of the most important differences is that Lion no longer defaults over IPv6 on a dual stacked system. While looking into this, I first believed I had bumped into a bug, as Lion would often go over IPv6 first and fall back later to IPv4 for no apparent reason.

It took me quite some digging and googling to have a better understanding of Lion's IPv6 implementation.

For starters, Lion supports RFC6106 DNS extensions on IPv6 router advertisements; this completes the auto-configuration features for both IPv4 and IPv6.
Picture
DNS servers through DHCP (v4) and RA (v6)
In practice Lion will use mostly the IPv4 address unless it is not available.

Secondly Lion supports the privacy extensions as described in RFC3041 which results in 2 IPv6 addresses per interface. One is still based on the MAC address, the other is based on a randomized value.
Picture
Privacy extensions add a second IPv6 address
On the LAN, it will use the IPv6 MAC generated address, beyond the LAN it will use the randomized address.
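
The difference between the two address types can be checked mechanically. The following added example (not code from this blog or from Apple) builds the MAC-derived address using the modified EUI-64 rule of RFC 4291 and tests whether a given address still exposes a MAC. The MAC 00:00:5e:00:53:01 and the 2001:db8:1:2::/64 prefix are documentation values chosen for illustration, and all function names are assumptions.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # lower 64 bits: the interface identifier


def slaac_address(prefix, mac):
    """Build the MAC-derived address for a /64 prefix (modified EUI-64)."""
    octets = bytearray.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("auto-configuration needs a /64 prefix")
    octets[0] ^= 0x02  # invert the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(iid, "big"))


def embedded_mac(addr):
    """Return the MAC exposed by an address, or None if there is no ff:fe marker.

    A random interface identifier can contain ff:fe by chance (1 in 65536),
    so a hit is a strong hint, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02  # undo the universal/local bit inversion
    return ":".join(f"{b:02x}" for b in raw)


def interface_ids(mac, prefixes):
    """Interface identifiers the same MAC yields on different networks."""
    return {int(slaac_address(p, mac)) & IID_MASK for p in prefixes}


if __name__ == "__main__":
    mac = "00:00:5e:00:53:01"                       # constructed sample MAC
    home = slaac_address("2001:470:1f13:75c::/64", mac)
    print(home, "->", embedded_mac(home))
    print(embedded_mac("2001:470:1f13:75c::1"))     # router address: no MAC
    # One identifier on every network: this is what makes a host followable.
    print(len(interface_ids(mac, ["2001:470:1f13:75c::/64",
                                  "2001:db8:1:2::/64"])))
```
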

The behavior that puzzled me the most is Lion's unwillingness to default over IPv6 like Snow Leopard does. I noticed this while visiting the ripe.net website. The first time it shows my IPv6 source IP address:
Picture
Visiting ripe.net over IPv6, privacy included.
When the page is reloaded, it will no longer show my IPv6 address, but the source address is now my IPv4 address:
Picture
Revisiting ripe.net... now over IPv4???
It took a while before I finally found what's causing this. It has nothing to do with the name servers and their order (the IPv4 DHCP configured name server is always taken before the IPv6 name server, simply because of the order in the /etc/resolv.conf file), although it does help to flush the DNS cache to reproduce the behavior.

For your information, the DNS cache can be flushed with the following command in a terminal window: dscacheutil -flushcache.

After quite some Googling I stumbled on an excerpt of a mailing list explaining the Lion behavior: http://lists.apple.com/archives/ipv6-dev/2011/Jul/msg00020.html. In short, Lion measures the round trip time over IPv4 and IPv6 and the fastest wins. It's an implementation of an algorithm called "Happy Eyeballs" which is described in a draft IETF standard: http://tools.ietf.org/html/draft-ietf-v6ops-happy-eyeballs-07.

To understand the reason for "Happy Eyeballs", have a look at "Dual Stack Esotropia", an article written by glh at APNIC labs. The "Hampering Eyeballs" article on the RIPE Labs website by Emile Aben clarifies the challenge even more. In short, the algorithm is used in the application layer and was designed to handle optimized protocol selection (IPv4 versus IPv6 on dual stacked set-ups). It helps improve user experience by monitoring which connectivity works best, not in throughput but in responsiveness.

Lion does this by keeping track of RTT for every destination that was asked. This information is visible through the nettop -n -m route command on the cli. The command is interesting as it gives a dynamic view on the OS's routing table.

As a net result, in my set-up IPv6 loses under Lion, simply because the tunneled set-up is always slower.
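
A simplified model of the "fastest RTT wins" selection described above, next to the session pinning proposed in the conclusion of the "Going cross eyed with happy eyeballs" post. This is an added example, not code from Apple, a browser or this blog; the RTT samples, the host name cache.example and all function names are assumptions made for illustration.

```python
# Constructed RTT samples in ms (not measurements from the post): a native
# IPv4 path and a tunneled IPv6 path whose latencies overlap.
SAMPLE_RTTS = {
    "v4": [22, 25, 21, 30, 24, 23],
    "v6": [24, 20, 27, 22, 26, 21],
}


def fastest_family(rtts):
    """Return the family with the lowest RTT; a tie goes to IPv6."""
    return min(("v6", "v4"), key=lambda fam: rtts[fam])


def rtt_at(samples, i):
    """RTT of each family at the time of request number i."""
    return {fam: values[i] for fam, values in samples.items()}


def per_request_selection(samples):
    """Re-run the race before every HTTP GET: the family may flip mid-stream."""
    count = len(samples["v4"])
    return [fastest_family(rtt_at(samples, i)) for i in range(count)]


class PinnedSelector:
    """Race once per destination host, then keep that family for the session."""

    def __init__(self):
        self._pinned = {}

    def choose(self, host, rtts):
        if host not in self._pinned:
            self._pinned[host] = fastest_family(rtts)
        return self._pinned[host]

    def connection_failed(self, host):
        """Only a hard failure releases the pin; the next request re-races."""
        self._pinned.pop(host, None)


def pinned_selection(host, samples):
    selector = PinnedSelector()
    count = len(samples["v4"])
    return [selector.choose(host, rtt_at(samples, i)) for i in range(count)]


def family_switches(choices):
    """Count consecutive requests that went out over different families."""
    return sum(a != b for a, b in zip(choices, choices[1:]))


if __name__ == "__main__":
    print(family_switches(per_request_selection(SAMPLE_RTTS)))
    print(family_switches(pinned_selection("cache.example", SAMPLE_RTTS)))
```
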

According to the little literature available on the subject only very few applications and Operating Systems have deployed a version of "Happy Eyeballs". MacOS X Lion is the only operating system with the algorithm deployed. Chrome and Firefox have also an implementation which works very nicely.

Conclusion

From a user's perspective, "Happy Eyeballs" is a blessing in a dual stacked world. Under the hood, the applications figure out which connectivity works best and use it accordingly.

But from a technology point of view it's a bad thing, as it confirms there are issues with IPv6. The v6 network is not yet up to par and there are still some major peering problems, dividing the v6 network effectively in multiple Internets. Remember the Hurricane Electric versus Cogent issue? Cricket Liu had a blog post on the issue last year; one year later, it's still a problem.
Picture
traceroute6 from HE to COGENT.
Thanks to "Happy Eyeballs" I don't notice this issue under Lion. Thanks to "Happy Eyeballs", fixing the real challenges in the v6 cloud is minimized for an end user and pressure is reduced to get the v6 Internet as reliable and meshed as the v4 Internet.

In the end, "Happy Eyeballs" is a necessary evil to get IPv6 working on a dual-stacked end-user device. Being so user-centric, no wonder Apple implemented it in Lion.

IPv6... we're not there yet.

iDevices and IPv6

5/3/2012

When looking for information on IPv6 support in Apple's iDevices, one finds very little information regarding the subject. Does the iPhone or iPad support IPv6 and if so, how well is it implemented?

The short answer to this question is: YES, Apple's iDevices support IPv6; but it will default over IPv4 unlike most desktop and server Operating Systems.

The iPad used in the following screenshots is an iPad 2 running IOS 5.01 as shown below.
Picture
If you have an IPv6 enabled network, with an IPv6 router that does router advertisements, an IOS device will perfectly auto configure itself as expected. Yet oddly enough it will prefer IPv4 over IPv6. To find your IPv6 settings, look under Settings and Wi-Fi. You will not see its IPv6 address nor the IPv6 gateway, but the fact that it has an IPv6 name server address, that appeared automagically, says enough.
Picture
I was rather surprised to find 2001:470:1f13:75c::1 as the IP address for a NS since this is actually the router address of my IPv6 router. It's an Apple Time Capsule I use for its IPv6 tunneling capabilities. It must contain an implementation of RFC 6106 which describes DNS Configuration Options for IPv6 Router Advertisements.

The name server behaves like a caching name server.
Picture
From the IP configuration one can only guess the IPv6 address of the iPad. Why Apple shows the IPv6 address of the name server, but omits the iPad's address is a mystery.

To prove the iPad can actually function over IPv6, I downloaded and installed zatelnet, a telnet and ssh client for iPad. It might not be the fanciest telnet/ssh client on the market, but for this purpose it did what it was supposed to do.
Picture
I could connect without any problem to tripple6, a Linux machine on my IPv6 network, which shows the iPad is perfectly capable of functioning correctly over IPv6, if forced to do so. Once connected to a linux machine, it's child's play to figure out what the actual IP address is of the iPad.
Picture
Using tcpdump to find the iPad's IPv6 address.
So what does this prove?
  1. IOS supports IPv6.
  2. IOS understands router advertisements and auto-configures its TCP/IP stack correctly, including the IPv6 name server.
  3. What the actual IPv6 parameters are except for the name server is a mystery.
  4. IOS defaults to IPv4.

Conclusion: you will only benefit from an iPad's IPv6 features if and when you are on an IPv6-only network. The device will auto-configure and work as expected. In a dual-stacked environment, it will stick to old school IPv4.