Proceedings of the International Symposium on Applications and the Internet Workshops (SAINTW’06)
0-7695-2510-5/05 $20.00 © 2005 IEEE
will send Router Advertisement messages. This also throws the network into disorder and makes it uncontrollable. Many OSs accept RA messages and configure their interface addresses from them, so the impact of this is estimated to be big.

There are some variations of undesired RA usage, such as sending RA packets with the lifetime=0 option to all nodes on the segment, advertising another prefix to all nodes on the segment, sending redirect packets with an undesired next-hop address, and so on.

This case is not limited to IPv6 networks; it also occurs in IPv4 networks, because any address auto-configuration mechanism based on the trusted-server model has the potential to cause this kind of accident. The details of these bad usages, from the viewpoint of security considerations, are described in RFC3756[4].

Interception of ICMP by Firewall

There is a possibility that communication is intercepted by a firewall. Data exchange is facilitated by optimized routing information and an appropriate MTU (Maximum Transfer Unit). A firewall that blocks control messages such as ICMP (Internet Control Message Protocol) and ICMPv6 (ICMP for IPv6) breaks the adjustment of MTU size between the hosts, and then large packets cannot be transferred. A firewall may intercept the packets so that the client gets no response from any node. A "black hole" created by a firewall is also a serious problem. A similar situation might be caused by a transparent cache.

3 Inappropriate Network Operation

Inappropriate network operation may cause deterioration of network quality or rogue routing problems. Our group, IPv6-Fix, produces its own tools to detect network troubles. In this section, we introduce some status reports and point out possible future problems in network operation.

Unstable operation for DNS Server response

To determine the actual number of misbehaving DNS servers, the IPv6-Fix team developed a tool and ran a survey with it. This work was carried out with JaPan Registry Service (JPRS), using the list of "JP" domains. The tool simply prepends well-known host names such as "www" and "ftp" to each JP domain name and sends queries for its A and AAAA RRs to check its authoritative domain name servers.

Table.2 shows the rate of misbehaving DNS servers. This research found that 0.1% of all hosts have problems. Table.3 shows the suspected reasons for the problems. According to it, most of the misbehavior is caused by "lame delegation". This indicates that keeping name zone files properly configured is necessary as IPv6 network environments become widespread.

Tunnel Network and lack of peer/path

As an aspect of IPv6 deployment, its service level is important. To determine network service quality, there is a tool. The tool mainly uses ping and traceroute towards IPv4 and IPv6 dual-stack sites to measure RTT (Round Trip Time). At this moment it is observed that poorly configured tunnels, experimental tunnels, and lack of peering/paths in backbone connectivity are worthless[6].

It is important to preserve network quality in data transmission. But there are a lot of tunnel connections set up for the promotion and deployment of IPv6. Sometimes those poorly configured, ill-considered tunnels cause frustration at the end sites.

For ISPs, to keep their IPv6 network at the same quality as IPv4, it is important that they have enough IPv6 peering partners. The problems due to the lack of peering partners are pointed out by the same document[6].

Piling up operational experience on IPv6 is also important. We had better share knowledge and information from experience. To share them, some organized party or system would be necessary, working the same way as in the IPv4 network community.

4 Unconsciousness on fault tolerant design

As the last topic, we turn our eyes to the implementation aspect. Badly behaving components of IPv6 implementations would discourage us from using and deploying IPv6.
Bad TCP Error reaction

ICMP errors can be categorized into either hard errors or soft errors. At the connection establishment stage, if a node gets a hard error or a reset request from the destination node, the node falls back to connecting with the next IP address. However, if a node receives a soft error, it encounters a delay caused by retransmission. In this manner, robustness and quick response conflict with each other. This is a common problem for TCP/IP, not only for IPv6 [4].

One solution for the soft error problem is to treat the first ICMP soft error received as a hard error and then cut the connection. For the case of no reaction to the SYN packet, possible measures are shortening the time-out duration, connecting to multiple target hosts at the same time, and caching connection status in order to connect to a host known to work.

Bad IPv6 address resolution with DNS

For the coexistence of IPv4 and IPv6, applications should be designed to use the multiple IP addresses of a host. In the normal case, if there is no RR for the queried name, a DNS server generally returns "Response Code 0 (Normal Termination)" with an empty Answer Section. Because of this, the DNS client can send the next query message at once.

But there are some DNS servers that respond inappropriately. This kind of ill-behaved DNS server causes name resolution to fail or to take a long time. As a result, the user cannot access a web page, or has to wait for a while, when using a web browser. According to our survey, there is a significant number of ill-behaved DNS server programs[3].

Ignore queries for AAAA RR
A usual DNS client program queries for the AAAA RR first and then requests the A RR if necessary. When queries for the AAAA RR are ignored, it takes a long time until the query times out.

Return "Response Code 3 (Name Error)"
"Response Code 3" means there is no RR for the domain name in the zone. If there are entries for IPv4 in the name zone file, this response is obviously wrong behavior. In addition, a DNS cache server returns this code to queries for the IPv4 address for a while.

To be a Lame Delegation
Some DNS servers return a "non-authoritative answer" for AAAA RR queries while they have authoritative zone settings for the domain. A DNS cache server treats such a server as a "lame delegation" server and does not use it for a certain period; if the DNS cache server gets requests from its clients during that period, it sends back "Response Code 2 (Server Failure)", which makes their IPv4 queries fail as well.

Return "A RR"
Some DNS servers return a specific A RR to AAAA RR queries. There are some DNS clients which use these type-mismatched answers even though they should be discarded. This causes disconnection at end hosts.

There are 3 ways to act against these circumstances.

Set limitation for AAAA RR queries if there is no IPv6 connectivity.
This can work with some modification to the getaddrinfo() library.

Time adjustment with AAAA RR queries when the DNS server ignores it.
For example, KAME for FreeBSD does the following:
(1) Send the A RR query first, then send the AAAA RR query.
(2) Use "max(2T,1) seconds" as the timeout duration.

5 Mixed disaster – a Hotel Internet System

Here is an actual case. This case was caused by a combination of problems: a wrong implementation of a DNS client program and unfavorable operation at a hotel internet service.

The Service

This hotel provides an internet access service in each hotel room. A router-box is installed in each room and users just plug their Ethernet cable into it. This router-box then connects the user to the hotel's portal web site for accounting confirmation. After confirming the usage agreement, the user can log in to the access control server, and then internet access is available.

Get into the network and result
We tried to access from a room with 4 client PCs running different OSs (Windows XP SP2, Linux2.6, MacOS X 10.4.1, FreeBSD5.4-RELEASE), monitored their reactions, and compared them. All PCs had the IPv6 module enabled. There is no IPv6 connectivity in the hotel network. The successful behavior is described below.

(1) Get into the hotel LAN.
(2) Get an IPv4 private address via DHCP; get notification of the DNS server address.
(3) Try to access the Internet from a web browser. Ex.) http://v6fix.net
(4) Send an "AAAA RR" query to the name server (notified in (2)); then get an answer with an IPv6 address and discard it because there is no IPv6 connectivity; then fall back to an IPv4 query; send an A RR query to the name server; finally get an IPv4 address.
(5) Try to connect to that server at its IPv4 address on port 80 (http).
(6) The hotel system grabs the http request and inserts other HTTP information to redirect to their portal server.
(7) Send an AAAA RR query for the new server to the name server; then get an IPv4 address.
(8) Ignore (7) because the queried type is mismatched; then request the A RR as a fallback to IPv4; get an IPv4 address.
(9) Try to connect to the portal at its IPv4 address; the portal page appears.

One client had a problem. Its DNS resolver program remembers the wrong answer to the AAAA RR query (step (8) in the above procedure). The client then uses the IPv4 address and repeats steps (5)-(7) above until someone stops the process.

There was another problem in the hotel system. The name server always answers with a specific IPv4 address (A RR) to every query of any query type for the redirection server's domain zone. This is obviously a misconfiguration of their zone settings.

Description

server. A wildcard A RR might have caused this kind of trouble. Or some illegal combinations might be present in their configuration. (After this observation, the target zone file was updated and we could not verify their settings.)

For the client side, reconsideration of the implementation by the vendor might be needed. The solution might be simply to ignore the IPv4 address returned for the AAAA RR query and then fall back to sending a query for the A RR.

6 For the stable network

The coexistence period of IPv4 and IPv6 environments might be long, so a smooth transition that does not require deep knowledge from average users is needed. IPv6 should be transparently interoperable with IPv4.

In this paper, we introduced some possible problems in the IPv4-IPv6 dual-stack environment. Finally, a brief summary of the problems we pointed out is listed here again.

- Interception by RA/DHCP server
- Interception by Firewall (middle-box)
- Unstable operation (lame, etc.) in DNS zone record
- Poorly coordinated tunnel network
- Lack of path/peering
- Bad TCP reaction
- Misbehaving DNS resolution

These problems cause delay and disconnection. But in most cases, average users can do nothing to solve them. We should all keep in mind supporting the ideal coexistence of IPv4 and IPv6 networks.

We keep observing harmful specifications, poor implementations and wrong operation, and will point out problems where we find them. If you see other problems in IPv4-IPv6 dual-stack networks, please contact us to share the information.
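A monitor-side check for the undesired RA usages described earlier (router lifetime 0, an unexpected prefix, an unknown sender), as an added Python example that is not code from the paper or from the IPv6-Fix tools. The function names, the trusted-router set and the constructed RA bodies are assumptions; the parser follows the ICMPv6 Router Advertisement layout of RFC 4861.

```python
import ipaddress
import struct

def build_ra(router_lifetime, prefix, plen=64):
    """Constructed sample data: ICMPv6 RA body with one Prefix Information option."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, router_lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

def parse_ra(body):
    """Return (router_lifetime, [IPv6Network, ...]) from an ICMPv6 type-134 body."""
    if len(body) < 16 or body[0] != 134:
        raise ValueError("not a Router Advertisement")
    lifetime = struct.unpack("!H", body[6:8])[0]
    prefixes, off = [], 16
    while off + 2 <= len(body):
        otype, olen = body[off], body[off + 1] * 8   # length is in 8-octet units
        if olen == 0 or off + olen > len(body):
            raise ValueError("malformed option")
        if otype == 3 and olen == 32:                # Prefix Information option
            addr = ipaddress.IPv6Address(body[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, body[off + 2]), strict=False))
        off += olen
    return lifetime, prefixes

def audit_ra(src, body, trusted_routers, expected_prefixes):
    """List the reasons this RA deviates from the segment's intended configuration."""
    lifetime, prefixes = parse_ra(body)
    findings = []
    if src not in trusted_routers:
        findings.append("untrusted-source")
    if lifetime == 0:                                # tells hosts to drop the default router
        findings.append("router-lifetime-0")
    expected = [ipaddress.IPv6Network(p) for p in expected_prefixes]
    findings += [f"unexpected-prefix {p}" for p in prefixes if p not in expected]
    return findings
```

A lifetime-0 RA is reported even when its source address matches a trusted router, because the source address of an RA can be forged on the local segment.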
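The four server misbehaviours listed in section 4 and the client-side fix proposed for the hotel case (discard an A RR returned for an AAAA query, then fall back to an A query), as an added Python example that is not part of the original paper. The function names, the category labels and the constructed sample responses are assumptions made for illustration; the classifier assumes the reply comes from a server that is supposed to be authoritative for the name.

```python
import ipaddress
import struct

A, AAAA = 1, 28   # RR type codes

def build_response(qname, qtype, rcode=0, aa=True, answers=()):
    """Constructed sample data: a minimal DNS response without name compression."""
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 0)
    msg += name + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:
        msg += name + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    while msg[off] and msg[off] < 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)   # compression pointer: 2 bytes, root label: 1

def parse(msg):
    """Return (rcode, authoritative, [(rtype, rdata), ...]) for a response."""
    _, flags, _, an, _, _ = struct.unpack("!6H", msg[:12])
    rrs, off = [], skip_name(msg, 12) + 4   # one question: name + QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrs.append((rtype, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return flags & 0xF, bool(flags & 0x0400), rrs

def classify_aaaa(msg, a_exists=True):
    """Label a reply to an AAAA query; msg=None models a query that timed out."""
    if msg is None:
        return "ignored-query"
    rcode, aa, rrs = parse(msg)
    types = {t for t, _ in rrs}
    if rcode == 3:                          # Name Error is wrong if an A RR exists
        return "bogus-name-error" if a_exists else "name-error"
    if rcode == 0 and not aa:
        return "lame-delegation"
    if rcode == 0 and A in types and AAAA not in types:
        return "a-rr-for-aaaa"
    return "ok" if rcode == 0 else "server-error"

def usable_addresses(msg, qtype):
    """Client-side fix: keep only answers whose RR type matches the query type."""
    return [str(ipaddress.ip_address(rd)) for t, rd in parse(msg)[2]
            if t == qtype and len(rd) == (16 if qtype == AAAA else 4)]
```

A resolver that caches only what `usable_addresses` returns never stores the hotel name server's A RR under the AAAA query, which is the loop the one failing client fell into.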
Reference
[1] http://v6fix.net/, <contact@v6fix.net>
[2] Kunitake, K., Shimojyo, T., Jinmei, T., Takeuchi, S., Cho, K. and Yamamoto, K.: 2004 WIDE Project Report, pp.499-511 (2005).
[3] Morishita, Y. and Jinmei, T.: Common Misbehavior Against DNS Queries for IPv6 Addresses, IETF RFC4074 (2005).
[4] Nikander, P. Kempf, K. and Nordmark, E.: IPv6 Neighbor Discovery Trust Model and Threats, IETF RFC3756 (2004).
[5] Gont, F.: TCP's Reaction to Soft Errors, IETF Internet-Draft draft-gont-tcpm-tcp-soft-errors-01.txt (2005).
[6] Cho, K. Luckie, M. and Huffaker, B.: Identifying IPv6 Network Problems in the Dual-Stack World, SIGCOMM'04 Network Troubleshooting Workshop, Portland, Oregon, U.S.A. (2004).