Tuesday, October 3, 2017

IPv6 DNS and Big Packets
Geoff Huston, APNIC


We are now at that point in the transition to IPv6 when we are hearing some ISPs talk about an IPv6-only service in the near future. But are we really ready? This presentation will report on the ability to send fragmented IPv6 datagrams through today's IPv6 Internet. We'll report on the results of a large scale measurement on the success (and failure) of attempting to send fragmented IPv6 DNS packets. The results of this experiment point to a need to reconsider how we should manage the DNS in an all IPv6 Internet.


CES: People are dropping ICMP packets which IPv6 uses to signal fragmentation required. This is a problem. Especially for a little service no one uses much called DNS </snark>



Measured drop rates for IPv6 fragmented packets (which require the fragment extension header) are 30-40 percent.

Moving fragmentation from a fixed field into an optional extension header in IPv6 was a very bad decision. Bottom line: we cannot do fragmentation in IPv6.

ECMP hashing requires per-flow semantics, but IPv6 hides that info in extension headers, and the flow code in routers doesn't have the time (nanoseconds) to parse the headers, so it drops the packet or lets things get out of sequence so that a fragment can arrive before the first part of the packet. This breaks "dig" et al. in DNS because they won't tolerate out-of-sequence info.
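As an added illustration (not part of the talk or these notes), here is the extension-header walk an ECMP hasher must perform to find the transport ports. The packets, addresses and the 1400-byte DNS reply are constructed; the point is that a non-first fragment yields no ports, so its hash key differs from the first fragment's and the two can be steered onto different paths.

```python
"""Walk an IPv6 extension-header chain the way an ECMP load balancer must
(constructed example, not from the talk)."""
import struct

IPV6_HDR_LEN = 40
GENERIC_EXT = {0, 43, 60}      # Hop-by-Hop, Routing, Destination Options
FRAGMENT = 44
UDP, TCP = 17, 6

def flow_tuple(pkt: bytes):
    """(proto, sport, dport) if reachable, else None (non-first fragment)."""
    next_hdr, off = pkt[6], IPV6_HDR_LEN
    while True:
        if next_hdr in GENERIC_EXT:
            # next-header byte, then length in 8-octet units not counting the first 8
            next_hdr, ext_len = pkt[off], pkt[off + 1]
            off += (ext_len + 1) * 8
        elif next_hdr == FRAGMENT:
            next_hdr = pkt[off]
            frag_offset = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            off += 8
            if frag_offset:
                return None           # ports exist only in the first fragment
        elif next_hdr in (UDP, TCP):
            return (next_hdr,) + struct.unpack_from("!HH", pkt, off)
        else:
            return None

def ecmp_key(pkt: bytes) -> bytes:
    """5-tuple when available, otherwise only the address pair."""
    addrs = pkt[8:40]
    ft = flow_tuple(pkt)
    return addrs + struct.pack("!BHH", *ft) if ft else addrs

def ipv6(next_hdr: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8" + "00" * 11 + "53")   # constructed addresses
    dst = bytes.fromhex("20010db8" + "00" * 11 + "01")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + src + dst + payload

def frag_hdr(next_hdr: int, offset_units: int, more: int, ident: int) -> bytes:
    return struct.pack("!BBHI", next_hdr, 0, (offset_units << 3) | more, ident)

# Constructed 1400-byte UDP DNS reply (src port 53), split at 1232 bytes.
UDP_MSG = struct.pack("!HHHH", 53, 40000, 8 + 1400, 0) + b"\x00" * 1400
UNFRAG = ipv6(UDP, UDP_MSG)
FIRST = ipv6(FRAGMENT, frag_hdr(UDP, 0, 1, 0xABCD) + UDP_MSG[:1232])
SECOND = ipv6(FRAGMENT, frag_hdr(UDP, 1232 // 8, 0, 0xABCD) + UDP_MSG[1232:])
```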

Huston set up an advertisement that gets dropped onto people's web pages with a script that generates a query that comes back to his DNS only, and he replies with a fragmented reply. 37 percent of people with IPv6-capable DNS resolvers could not receive a fragmented IPv6 response. 20 percent of end users could not receive a fragmented IPv6 packet.

This isn't getting fixed because happy eyeballs code in web clients can work around it (fall back to IPv4) and no one sees it as a problem.

But if/when there is no IPv4 path left, then it becomes a problem.

TCP will probably continue to work (use conservative MSS sizes), but UDP dies hard. UDP is used in DNSSEC. Oops.


