[AusNOG] IPv6: Where's my tunnel?

Karl Auer kauer at biplane.com.au
Fri Mar 8 11:09:18 EST 2013

On Fri, 2013-03-08 at 09:57 +1100, Geoff Huston wrote:
> IPv6-over-IPv4 Tunnels are perhaps worse than not doing it at all.

It's difficult for a nobody such as myself to appear in a forum like
this and take a shot at a person of such enormous augustity and
pontifitude as yourself, but I will.

Automatic tunnels such as Teredo are indeed awful, and really should be
avoided except as a last resort. But we are talking here not so much
about one-host-only unmanaged tunnels as about managed, network-enabling
tunnels, such as those offered by HE, SixXS, AARNet, IPv6Now, etc.

Tunnels may indeed, in some cases, cause the extinction of all life on
earth. Mostly, however, they don't, and they are WAY better than
nothing. There are plenty of people, myself included, who have been
dual-stacked using tunnels for years with no real difficulty at all.
Yes, I know that an enterprise network is a different class of animal -
but the problem you describe is not the demon you make it out to be.

> [...] the problem we see more often is that the other end (the native
> IPv6 end) sends a full sized IPv6 packet and when it encounters the
> tunnel ingress the packet is too big. At this point the tunnel ingress
> has to send an ICMP6 packet back to the IPv6 source and get it to try
> again. For various historical reasons ICMP filtering at edge sites is
> incredibly widespread and often the ICMP filters block both ICMP4 and
> ICMP6 packets. ooops.

Your scenario boils down to "some people block ICMPv6". True - however
*native* IPv6 will have the same problem with this ICMPv6-filtering
site. The only difference is that the tunnel (with its slightly lower
MTU) triggers it on smaller packets than the native connection does.

A network misconfiguration, even if a widespread one, is still a network
misconfiguration. If the site in question is a major one, enough people
will be banging on their door soon enough. If it's not a major one, then
it might still be important enough to someone for them to get in touch
and get the problem fixed. And if it is neither - then who cares?

Actually, now I'm guilty of trivialising something, which is unfair when
accusing someone of transmuting molehills into mountains. I can imagine
a scenario where the tunnel-connected network happened to desperately
need access to the ICMPv6-blocking site; then they would indeed have a
problem, and they would indeed need to address it. The problem would not
be trivial to them. To someone considering tunnels, then, I would say
test the important connections you will be using - those to the major
sites in your world. But here's the thing: I would give the same advice
to someone about to turn up *native* IPv6 - test the things that are
important to you.

> You are far better off avoiding tunnels. 
> Really.

Not at the cost of waiting, even longer, to start deploying IPv6. The
tunnel, the link to the IPv6 Internet, is just one component of a great
many that people need to start working with; the tip of an iceberg of

Don't let "perfect" get in the way of "good". You don't *have* to have a
limo to get you to the church on time.

Regards, K.

Karl Auer (kauer at biplane.com.au)

GPG fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
Old fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
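
The mechanism argued over in this thread, as an added example that is not part of the original message: a small model of path-MTU discovery in which a sender's edge either passes or filters ICMPv6 Packet Too Big. It assumes 6in4 encapsulation (20-byte IPv4 header, so a 1480-byte tunnel MTU) and uses a constructed native path with a 1400-byte hop for comparison.

```python
# Added illustration (not from the thread): path-MTU discovery across a tunnel.
IPV6_MIN_MTU = 1280            # minimum MTU every IPv6 link must support
NATIVE_MTU = 1500              # assumed Ethernet MTU on the native links
TUNNEL_MTU = NATIVE_MTU - 20   # assumed 6in4: 20-byte IPv4 header -> 1480


def send(packet_size, link_mtus, icmpv6_filtered, max_tries=5):
    """Push one packet along a path described by its per-hop link MTUs.

    A hop whose MTU is smaller than the packet drops it and answers with
    ICMPv6 Packet Too Big (type 2) carrying that MTU. If the sender's edge
    filters ICMPv6, the answer never arrives and the sender retransmits at
    the same size. Returns (delivered, final_size, attempts).
    """
    size = packet_size
    for attempt in range(1, max_tries + 1):
        bottleneck = next((mtu for mtu in link_mtus if mtu < size), None)
        if bottleneck is None:
            return True, size, attempt
        if not icmpv6_filtered:
            # Packet Too Big reached the sender: lower the path MTU and retry.
            size = max(bottleneck, IPV6_MIN_MTU)
        # Otherwise nothing is learned and the next attempt is identical.
    return False, size, max_tries


def scenarios():
    """Compare a tunnelled path with native paths (constructed sample paths)."""
    tunnel = [NATIVE_MTU, TUNNEL_MTU, NATIVE_MTU]
    native_flat = [NATIVE_MTU, NATIVE_MTU]
    native_small_hop = [NATIVE_MTU, 1400, NATIVE_MTU]   # constructed 1400-byte hop
    return {
        "tunnel, ICMPv6 passed": send(1500, tunnel, False),
        "tunnel, ICMPv6 filtered": send(1500, tunnel, True),
        "tunnel, filtered, 1400-byte packet": send(1400, tunnel, True),
        "native 1500 path, filtered": send(1500, native_flat, True),
        "native 1400 hop, ICMPv6 passed": send(1500, native_small_hop, False),
        "native 1400 hop, filtered": send(1500, native_small_hop, True),
    }


if __name__ == "__main__":
    for name, (delivered, size, tries) in scenarios().items():
        state = "delivered" if delivered else "black-holed"
        print(f"{name:38s} {state:12s} size={size} attempts={tries}")
```

The filtered cases fail on both the tunnelled path and the native path with a smaller hop; the tunnel only moves the threshold from the native bottleneck down to 1480 bytes.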
