
Introducing Pseudo IPv4 - jgrahamc
http://blog.cloudflare.com/eliminating-the-last-reasons-to-not-enable-ipv6
======
X-Istence
Except that in the past I've had major issues with Cloudflare's IPv6 service,
recently one of the issues was that Centurylink customers (at least in the
Denver area) were unable to visit any Cloudflare hosted IPv6 sites.

[https://twitter.com/bertjwregeer/status/470243728473325568](https://twitter.com/bertjwregeer/status/470243728473325568)

That was my tweet to Stack Overflow regarding the issue.

Here is the paste of the symptoms seen:
[http://paste.ofcode.org/XQGqerxCNXwYsHDQMZ3aja](http://paste.ofcode.org/XQGqerxCNXwYsHDQMZ3aja)

This meant that until I reported the issue to Cloudflare/StackExchange,
people using IPv6 were UNABLE to access those resources needed to load the
site (the server would hang indefinitely, so Happy Eyeballs did not work!). In
the case of StackExchange on Centurylink that meant that CSS and other
resources did not load; for my site ([http://defcne.net/](http://defcne.net/))
that meant my site didn't load at all!

I absolutely love Cloudflare, but to me it is inexcusable that there is no
monitoring to verify that these issues don't exist. It took me filing a report
for them to fix the issue.

Ultimately it came down to this:

"We had recently been experiencing IPv6 routing issues with one of our
upstream providers for some of our data centers which may have contributed to
the issues you had been seeing. We've since disabled transit for that provider
to temporarily work around the issue."

Yet this meant that my site/StackOverflow and countless other sites using
Cloudflare were offline (if the customer has IPv6 enabled) for almost a week
(first report from customer using CenturyLink, me trying to figure out what is
going on, to CloudFlare fixing the issue).

~~~
cdr
Huh, I'm on CenturyLink ipv6 at home and was having weird issues with a number
of sites from early last week onwards, and then early this week it magically
cleared up. Guess that was likely it.

------
mischanix
>IPv6 can be adopted without a performance penalty

Sadly, in my case, this is untrue. If I enable v6 on my Comcast home
connection, I see routes with consistently higher latency--around 50ms more
for paths within the U.S. such that even a 200 mile destination (HSV => ATL)
is ~70ms away.

~~~
angersock
Wait wait wait...Comcast is using bad and/or incompetent infrastructure? Stop
the fucking presses!

(I'm sorry sir/madam for your inconvenience)

~~~
theandrewbailey
Comcast is deploying IPv6. Verizon isn't even trying IPv6 with FiOS.

~~~
adestefan
They have actually started working with business class customers this year.
I'm still, rather impatiently at this point, waiting for it to trickle down to
residential customers.

They have a landing page[0] that hints at the possibility, but I've never seen
anything or heard anyone actually say that IPv6 is coming to residential
customers.

[0]
[http://www.verizon.com/Support/Residential/Internet/HighSpee...](http://www.verizon.com/Support/Residential/Internet/HighSpeed/General+Support/Top+Questions/QuestionsOne/ATLAS8742.htm)

~~~
aaron42net
They haven't bothered to update that page in a few years, sadly. It says "Dual
Stack IPv4/IPv6 will be launched in various areas within Verizon’s FiOS
network, starting Later in 2012. Check back for more information."

------
Steuard
So, how easy will it be to deliberately search for an IPv6 address to collide
with a desired pseudo_ipv4 address? (Based on my very limited crypto
knowledge, I might worry that there could be some novel denial-of-service or
impersonation attacks in that direction if this is MD5 with a known format and
salt.)

~~~
mischanix
300MM is well inside brute force range for even a single CPU (as noted in the
article, md5 is cheap!). One issue is figuring out which IPv4 address you wish
to impersonate; sites don't give that information out so readily. In 4chan's
case, the IPv4 address only ends up in user-facing information as poster IDs,
which are themselves hashes of the IPv4 address and (I assume) some
thread-specific salt. For these poster IDs, I've never checked if a cookie is
involved, but that could also be the case, and would make this attack a bit
harder; that said, it is quite feasible to obtain the target's IPv6 address
through other means.

I think what might be kind on Cloudflare's side is to add a secret domain-
specific salt to this md5 hash, but I'm by no means a crypto person.

(edit) eastdakota and billpg below both pointed out that to carry out an
impersonation would require connecting to Cloudflare with the correct IPv6
address. This is probably the biggest hurdle, so feel free to ignore what I
wrote above.

~~~
colmmacc
Anyone with an IPv4 address can use one of several 6to4 gateways to get a
whole /48. This gives them access to 2^80 addresses they can originate
traffic from.

~~~
sp332
As mentioned in the article, they only hash the first 64 bits of the address.
That means you only get 64-48 = 16 bits to work with.

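To make the preceding exchange concrete, here is an added example (mine, not code from the original post or from Cloudflare) that follows the construction the thread describes: MD5 over the first 64 bits of the IPv6 address, 28 bits of the digest placed under the Class E 240.0.0.0/4 prefix. The exact digest bytes Cloudflare selects are not given on this page, so that selection is an assumption, as are the 6to4 prefix and victim address used for the demonstration. The point it shows is sp332's: a 6to4 holder controls only 16 of the 64 hashed bits, so a brute-force search of the whole /48 has about a 1 in 4096 chance of landing on any particular target pseudo IPv4.

```python
import hashlib
import ipaddress


def pseudo_ipv4(addr: str) -> str:
    """Map an IPv6 address to a Class E (240.0.0.0/4) pseudo IPv4 address.

    Assumed construction (an illustration, not Cloudflare's exact code): MD5
    over the first 64 bits of the address, then 28 bits of the digest placed
    under the 240/4 prefix. Everything after the /64 is ignored.
    """
    prefix64 = ipaddress.IPv6Address(addr).packed[:8]
    digest = hashlib.md5(prefix64).digest()
    h28 = int.from_bytes(digest[:4], "big") & 0x0FFFFFFF
    return str(ipaddress.IPv4Address(0xF0000000 | h28))


def is_class_e(v4: str) -> bool:
    """True if the address lies in 240.0.0.0/4 (top nibble 0xF)."""
    return int(ipaddress.IPv4Address(v4)) >> 28 == 0xF


def six_to_four_prefix(v4: str) -> str:
    """The 2002:AABB:CCDD::/48 that 6to4 derives from IPv4 address A.B.C.D."""
    a, b, c, d = ipaddress.IPv4Address(v4).packed
    return f"2002:{a:02x}{b:02x}:{c:02x}{d:02x}::/48"


def addr_in_48(prefix48: str, subnet_id: int) -> str:
    """Address ::1 inside subnet `subnet_id` (0..65535) of a /48. The 16-bit
    subnet id occupies bits 48-63 of the 128-bit address, i.e. the low 16 bits
    of the hashed /64 prefix."""
    net = ipaddress.IPv6Network(prefix48)
    if net.prefixlen != 48 or not 0 <= subnet_id < (1 << 16):
        raise ValueError("expected a /48 and a 16-bit subnet id")
    return str(ipaddress.IPv6Address(int(net.network_address) | (subnet_id << 64) | 1))


def search_48(prefix48: str, target: str):
    """Brute-force every /64 an attacker controls inside one 6to4 /48 and return
    the first subnet id whose pseudo IPv4 equals `target`, or None. This is the
    whole search space sp332 describes: 2^16 candidates, not 2^80."""
    for sid in range(1 << 16):
        if pseudo_ipv4(addr_in_48(prefix48, sid)) == target:
            return sid
    return None


def hit_probability(controlled_bits: int = 16, space_bits: int = 28) -> float:
    """Chance that a given target is reachable from the controlled subnets,
    treating the 28 digest bits as uniform: 2^16 candidates over 2^28 values."""
    return min(1.0, (1 << controlled_bits) / (1 << space_bits))


if __name__ == "__main__":
    attacker = six_to_four_prefix("203.0.113.7")   # constructed 6to4 /48
    victim = "2001:db8:1234:5678::1"               # constructed victim address
    target = pseudo_ipv4(victim)
    print("victim pseudo IPv4:", target)
    print("per-target hit chance from one /48: 1 in", round(1 / hit_probability()))
    print("collision in attacker /48:", search_48(attacker, target))  # usually None
```

Note that the search is only of the attacker's own /48; the "300MM" full-space brute force mischanix mentions would find a preimage for any target, but the attacker would then have to actually originate traffic from that /64, which is the hurdle eastdakota and billpg raised.
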
------
p1mrx
This technique was demonstrated at the Google IPv6 Implementors Conference in
2010:

[https://www.youtube.com/watch?v=QkV9ZgRZvv4#t=7m52s](https://www.youtube.com/watch?v=QkV9ZgRZvv4#t=7m52s)

~~~
oasisbob
Ahhh -- thanks for the link. I was just trying to dig up an old NANOG thread
which discussed Gmail's use of the same technique.

I noticed class E address space in my gmail activity log years ago, and a wink
from a googler implied this is what they were doing. Nice to have
confirmation.

------
brokentone
Cloudflare is really really good at writing technically interesting PR
releases.

------
tedchs
@pg, news.ycombinator.com does not have an AAAA record. Is there any chance for
it to support IPv6?

~~~
ancarda
I raised an issue on GitHub about this a few days ago:
[https://github.com/HackerNews/HN/issues/100](https://github.com/HackerNews/HN/issues/100)

~~~
zaphoyd
That is unfortunate considering they are using cloudflare... I wonder what the
hacker news software does with IPv4 addresses that couldn't work behind the
service described in the article.

------
dsjoerg
Maybe I'm not the only one wondering why I should bother to enable IPv6?

~~~
ancarda
If you have that mentality, we'll never get off IPv4. If that happens, ISPs
won't have a choice but to implement Carrier Grade NAT. That's bad for a lot
of reasons, but mostly because many homes share the same address. Implementing
IPv6 means every device in the world has a unique, globally routable address
with all ports open (no NAT).

That's pretty cool. However, we can only do this if we get over the chicken-
and-egg problem, which is why it's important you enable IPv6 and encourage
others to do so.

~~~
lu5t
If I want to pirate content, your Carrier Grade NAT looks quite attractive as
a legal shield!

~~~
ancarda
I'm not entirely sure if CGN will provide some legal protection for pirates
but it might make it _harder_ to pirate content as you cannot open ports on
CGN meaning BitTorrent will have less seeds which slows downloads. Afaik, IPv6
will make piracy extremely easy as UPnP won't be a requirement. Want to share
a file with some friends? You can quickly spin up a web server, send them the
URL and it'll just work.

~~~
MichaelGG
You still need UPnP or something, otherwise your IPv6 default firewall policy
(allow out deny in) is going to block inbound connections.

Yes, it's easier to hole punch, but a webserver won't do that.

And if you're manually configuring a firewall, I'm not sure "allow port 80
<someIPv6>" is any easier than "forward port 80 to <someipv4>".

What am I missing?

~~~
jnky
I think you are missing a lot. For instance, I have IPv6 set up at home, at
work and at some homes of friends and family. I have firewall rules set up such
that traffic from subnets I know is generally allowed instead of allowing
access to a single port for the general internet. I also have DNS set up with
names like computername.sitename.mydomain.tld

That allows me and the people I know to connect to each other's machines in a
way that wouldn't be possible with IPv4 and NAT. I can be at my brother's and
type \\[fqdn] in explorer and it will just work. To me, that is the way the
internet was meant to function from the beginning.

~~~
MichaelGG
If you're able to configure firewall rules, you're well outside of any normal
users able to make up a significant amount of P2P traffic. And to most users,
port forwarding and configuring a firewall rule are nearly identical.

Truth is that for most users, NAT today is almost always synonymous with a
firewall that has deny in, allow out policy.

10+ years ago, a lot of folks often connected their machines to the Internet
in the way you specified. You could go around scanning people's systems,
viewing their fileshares and so on. NAT "fixed" a lot of that.

------
aidenn0
Note that with around 19k people connecting from ipv6 there is a 50% chance
that two will have the same pseudo IP, so you can't use these for unique IDs
alone. At 50k you hit 99% chance of collision.

[edit] I originally did this with a 24-bit rather than 28-bit space, so my
numbers were way too low.

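The birthday-bound numbers above can be checked with the following added example (mine, not code from the original post or from Cloudflare). It uses the same assumed construction the thread describes, MD5 over the first 64 bits of the IPv6 address with 28 digest bits under 240.0.0.0/4 (the exact byte selection is not given on this page), computes the user counts at which a shared pseudo IPv4 becomes 50% and 99% likely, and confirms the analysis empirically over constructed random /64 prefixes rather than real traffic.

```python
import hashlib
import math
import random


def pseudo_ipv4_from_prefix(prefix64: bytes) -> int:
    """Assumed construction (illustration, not Cloudflare's exact code): MD5 of
    the 8-byte /64 prefix, 28 digest bits under the 240/4 prefix. Returned as
    an int because it is only used for set membership here."""
    digest = hashlib.md5(prefix64).digest()
    return 0xF0000000 | (int.from_bytes(digest[:4], "big") & 0x0FFFFFFF)


def collision_probability(n: int, bits: int = 28) -> float:
    """Birthday bound: P(at least two of n distinct /64s share a pseudo IPv4),
    using the standard approximation 1 - exp(-n(n-1) / 2N) with N = 2^bits."""
    space = 1 << bits
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def users_for_probability(p: float, bits: int = 28) -> int:
    """Smallest n with collision_probability(n) >= p, solving n(n-1) = 2N ln(1/(1-p))
    and then stepping down in case the closed form overshoots by one."""
    space = 1 << bits
    n = math.ceil(0.5 + math.sqrt(0.25 + 2.0 * space * math.log(1.0 / (1.0 - p))))
    while n > 1 and collision_probability(n - 1, bits) >= p:
        n -= 1
    return n


def expected_duplicates(n: int, bits: int = 28) -> float:
    """Expected number of later users whose pseudo IPv4 was already taken,
    approximately n(n-1) / 2N for n well below N."""
    return n * (n - 1) / (2.0 * (1 << bits))


def simulate_duplicates(n: int, seed: int = 1) -> int:
    """Hash n constructed random 64-bit prefixes (not real users) and count how
    many land on a pseudo IPv4 that an earlier prefix already produced."""
    rng = random.Random(seed)
    seen = set()
    dups = 0
    for _ in range(n):
        p = pseudo_ipv4_from_prefix(rng.getrandbits(64).to_bytes(8, "big"))
        if p in seen:
            dups += 1
        else:
            seen.add(p)
    return dups


if __name__ == "__main__":
    for p in (0.5, 0.99):
        print(f"{int(p * 100)}% chance of a shared pseudo IPv4 at n =",
              users_for_probability(p))
    n = 100_000
    print(f"n={n}: expected ~{expected_duplicates(n):.1f} duplicates,"
          f" simulated {simulate_duplicates(n)}")
```

The 50% threshold lands just above 19,000 and the 99% threshold just below 50,000, matching the corrected figures in the comment; at 19k users the expected number of duplicate pseudo addresses is still under one, which is why the birthday probability, not the duplicate count, is the right way to state it.
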
~~~
wmf
Whereas with IPv4 there is a 100% chance that two users are coming from the
same IP via NAT.

------
throwaway812
Given that protecting the source IP is not a goal (keyspace is far too small
for that), why use something like MD5 when something like CityHash or
MurmurHash3 would do?

~~~
jgrahamc
We have a fast MD5 implementation available through ngx_lua so using it is
easy. Using one of the hashes you propose would have meant creating an API to
access one of them and adding them.

------
api
How are they using class E?

I looked into enabling that for virtual networks in my app ( www.zerotier.com
) and quickly discovered that Microsoft Windows has _hard coded_ these IPs as
unusable. On a Windows box the IP stack will absolutely refuse to talk to the
240 block. I spent a few weeks looking for a workaround and could not find
one, but I did talk to someone who used to work in MS and he confirmed to me
that it was a hard-coded prohibition.

~~~
eastdakota
The IPs aren't being used for actual traffic routing. They're just included
in the HTTP header so the web application can have something to use in any
session, abuse, anti-spam, etc functions. You are correct that routing across
Class E is practically impossible due to hard rules in place in Microsoft
Windows and elsewhere.

~~~
api
In my research Windows is the only culprit in the OS space. There might be
router firmwares too but I'm not sure.

The entire Windows networking stack from top to bottom is a tangled mess of
pain.

------
warp
Does anyone know of an affordable pingdom like service which supports IPv6?

Not having a convenient way to monitor the IPv6 side of things is my last
reason for not enabling IPv6.

~~~
giovannibajo1
Pingdom uses AWS. There are a million services and platforms (e.g.: Heroku)
that don't work on IPv6 because AWS doesn't support it in EC2 (and services
built upon EC2 like RDB and whatnot).

I'm not sure how we can talk AWS into supporting IPv6 :)

------
vsixers
464XLAT: Breaking Free of IPv4: [http://youtu.be/Xl-hIyZSAmA](http://youtu.be/Xl-hIyZSAmA)

------
edwintorok
I haven't seen a blogpost about it yet, but seems like Cloudflare is under
heavy attack recently that causes performance degradation:
[https://twitter.com/CloudFlareSys](https://twitter.com/CloudFlareSys) Any
idea when it'll be all mitigated and performance back to normal?

~~~
iancarroll
Congestion happens all the time on Cloudflare, they re-route it and there's
not much to be worried about.

------
danielweber
If I use an IPv6 gateway, does that mean what I think it does: all my traffic
is going through their network?

~~~
jgrahamc
That's the nature of CloudFlare.

------
mischanix
I saw the second snippet in the post and thought, is the time you lose in that
string.format significant? The real question follows: what do you use to
benchmark this kind of code with consideration for luajit and also for your
server architecture?

------
justincormack
geo targeting seems to be another area of fail for ipv6. Had to disable it for
netflix in UK when I was using a tunnel as it thought I was in the US so would
not stream. Now I have native it might be better not sure.

~~~
voltagex_
That's your tunnel/ing software not supporting IPv6, I think. I experienced
the same issue with Netflix in Australia.

------
bcl
Totally unrelated, but why the heck does the cloudflare blog have some sort of
facebook iframe ad popup? When it fails (blocked by AB+) it covers up part of
the article.

~~~
Shorel
Seems to be a bug in HTTP Switchboard extension.

~~~
gorhill
Not a bug. It's just the web page which styled the Facebook frame to be way
larger than it needs to be -- given it's just to receive a Facebook button.

Edit: This will happen with anything which blocks the Facebook frame, but not
the Facebook script.

------
moot
Now you can download memes from 4chan marginally faster!!

(I'm really glad they did this, because at 4chan's patented "SOON™" dev pace,
it'll take us another decade to add native IPv6 support.)

~~~
eastdakota
Next up, Hacker News. :-)

------
dang
We changed the title ("Eliminating the last reasons to not enable IPv6") to a
more neutral and informative subtitle.

~~~
Titanous
The new title is not more informative; "Pseudo IPv4" is a new term that is
meaningless before reading the article. The original title was more
informative, especially in context with the URL domain.

~~~
dang
Sorry, I didn't see this reply until now. I still think it was more
informative. You left out the "Introducing", which makes it clear that the
post is introducing a new product or technology, with a name related to IPv4
(and therefore, likely, to IPv6). That seems to me to say a lot more than the
article title does. But I see how one might disagree.

The real problem with the original article title is that it is linkbait (grand
claim about a controversial topic) and misleading (there is far from universal
agreement about this), and so violates both of HN's guidelines about titles.
Therefore it needed changing, and when doing so we try where possible to take
language from the article itself rather than inventing something of our own. A
subtitle is often a good choice, because it's often what the article would
have called itself if it weren't trying to be sensational, and that seems to
me to be the case here.

