• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Wikipedia over v6?

Started by TristramCheer, January 16, 2011, 07:39:43 PM

Previous topic - Next topic

TristramCheer

Hey all,

Been digging around trying to find out about v6 access to Wikipedia and the like, Is there a list of DNS whitelisting services around? I'm on the goolge whitelist but would like to get wiki and facebook access without the neeed for www.v6 etc etc. I've found very little information about the status of v6 & wikipedia

broquea

Wikipedia had some whitelist, but never really saw published info regarding that program or who to contact. I believe one of our engineers was talking to someone over there about it. It was also for only like 1-2 specific hostnames, like images.wikipedia or download.wikipedia. Not the full site or WWW. That might have changed?

As for Facebook, there is no whitelist so you only get what they publish, which is www.v6.facebook.com or m.v6.facebook.com (mobile).

cholzhauer

Quote
As for Facebook, there is no whitelist so you only get what they publish, which is www.v6.facebook.com or m.v6.facebook.com (mobile).

Same reason Google didn't want native IPv6 access to their site right away...I met one of the Facebook senior network engineers a couple months ago and his point was, even if a IPv6 bug affects 0.1% of their traffic, it's still a substantial number of people.

sput


jimb

The scuttlebutt I heard from people from various companies (google, FB, etc) is that the whitelisting was mainly to prevent clients trying to use Teredo and 6to4.  The reason for that is because, well, both automatic tunneling solutions tend to be a bit slow and flaky for various reasons.  Both 6to4 and Teredo are enabled by default in Windows, and I think OSX. 

6to4 users are basically at the mercy of their ISP's routes to the 6to4 anycast address, and Teredo users are at the mercy of various Teredo relays and servers.  And of course, not all user's firewall/nat/router setups allow 6to4/Teredo to work (esp 6to4) at all.

Then there were issues with certain browsers (Opera, Safari) that tried to force the use of IPv6 in a well meaning but flawed attempt to help IPv6 adoption along.  The obvious problem with doing this is that many users would run into the above mentioned problems.

The end result of all this would be slow response, or an inability to even connect to these companies' web sites, which is why they whitelist.

TristramCheer

Yeah I've seen the www.v6.blah or ipv6.blah our main issue is that we have clients on trial and need to be able to test it without forcing users to change their habbit's. We've had google whitelist our DNS servers which has helped alot (ten fold increase in v6 traffic) and now looking at other popular websites to do the same. I've been asked to look into messing around with the dns zones to work around it but thats very dangerious and not good netiquette.

jimb

#6
Quote from: TristramCheer on January 17, 2011, 04:06:46 PM
Yeah I've seen the www.v6.blah or ipv6.blah our main issue is that we have clients on trial and need to be able to test it without forcing users to change their habbit's. We've had google whitelist our DNS servers which has helped alot (ten fold increase in v6 traffic) and now looking at other popular websites to do the same. I've been asked to look into messing around with the dns zones to work around it but thats very dangerious and not good netiquette.
You have to get every site you're interested in to whitelist your DNS servers, or set up a forward only zone for each domain pointing to a DNS server which is already whitelisted, or one for each domain which serves up both A and AAAA records (presuming said company/site provides such a DNS server to point to).

I'm actually not sure how most sites do the whitelisting.  I'm sure they use something like ACLs to control which zone view a resolver gets answers from, but whether they all use the client source address, or the server's destination address to choose the view is the question.

If I were setting something like this up, I'd probably do both.  I'd set up anycasted DNS servers which have both a IPv4 only and a dual-stack zone view.  I'd have two sets of anycasted addresses, one which selects the IPv4 only view, and one which selects the dual-stack view via ACLs matching the corresponding server destination address.

With that set up, I could control access to the view based on either the source IP of the calling client via ACLs (whitelisting on my end), or allow DNS resolvers to control it from their end by using the second address of my DNS server(s), which would select the dual-stack view.

Then you could put up instructions on your site saying "If you want to access us dual-stack, either send in a whitelist request to here, or point your DNS servers to these addresses for our domains if you want to do it yourself."

Whether various IPv6 enabled web sites use either or both methods is unknown to me.  I think you pretty much have to contact each company individually to find out how to do it with their sites, unfortunately.  :|

mtindle

I have had a brief chat with Wikipedia/media a few months back.  Their biggest hurdle is the fact that article edits would be able to come from IPv6 addresses.  Right now their admins / moderators use a lot of IP blocking to prevent vandals.  There was some work needed specifically on that front before they could IPv6 whitelist the main site domain. 

That said, they do whitelist dns servers for upload.wikimedia.org and supposedly (soon?) bits.wikimedia.org (CSS/JS assets.)   At this time, the HE nameservers are not whitelisted so I can't verify either of those.  I'll try to get an update.