Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mac OS X Problem Puts Up a Block To IPv6

Posted by kdawson on from the twenty-five-or-six-to-four dept.

An anonymous reader lets us know of an experiment conducted in Norway to determine real-world problems in using IPv6 today (Google translation; Norwegian original). "According to a Norwegian article in digi.no, Redpill Linpro did an experiment with regard to IPv6 on one of the largest online newspapers there (www.vg.no). They added a hidden iframe that pointed to an IPv6-enabled domain to test real-life problems about the reported IPv6 holes. The result was that mainly Mac OS X, older versions of Opera, and a few Linux distributions exhibited problems. For Mac OS X it took 75 seconds to time out before failing back to IPv4." From the consultant's report: "Mac OS X has a problem in that it will prefer 6to4-based IPv6 over IPv4-based connectivity, at least if its local IPv4 address is an RFC 1918-based private address as commonly found in NAT-ed home network environments. This is unfortunate, as 6to4 has shown itself to be much less reliable than IPv4."

38 of 204 comments (clear)

  1. Chicago by Anonymous Coward · · Score: 5, Funny

    25 or 6to4?

    1. Re:Chicago by Anonymous Coward · · Score: 5, Funny

      I just got off the phone with some one of my connections in Apple's product development department.

      Apparently the math required to implement IPv6 uses far too much battery and processor resources so Jobs opted to abandon its implementation.

    2. Re:Chicago by exomondo · · Score: 5, Funny

      Apparently the math required to implement IPv6 uses far too much battery and processor resources so Jobs opted to abandon its implementation.

      And it's not shiny, maybe one day they'll implement it as iPv6

    3. Re:Chicago by Anonymous Coward · · Score: 3, Insightful

      And it's not shiny, maybe one day they'll implement it as iPv6

      Ahh yes your right, It has to have Apple's very affective from of marketing voodoo attached to it.

      1) Wait until IPv6 is rolled out across the internet
      2) Wait another 5 years for the rest of the industry to be using it without any problems
      3) Hold a press conference showcasing a prototype of a Mac running on IPv6
      4) Claim it as a new innovation that the world has never seen and generate ridiculous amounts of unnecessary media hype
      5) ?????
      6) Profit

    4. Re:Chicago by dr.+chuck+bunsen · · Score: 4, Interesting

      Nope, no iPhone here, Android. And even then I think that WebOS has the best mobile interface by far, just shitty hardware and no community. But I did leave my Linux desktop collecting dust ever since the OS X public beta disc arrived in my mailbox. But please, bash Apple all you want. The more they start to slowly ignore OS X in favor of fucking around with these silly mobile distractions, the less I like them. In fact, I was never what you would consider a fanboy, no iPod, iPhone, iAnything...I simply recognized the beauty of their nix offering and made the switch on merit alone. I did get excited when they released the Xserve line and the Xserve RAID. Had they followed through with that opportunity I feel like it could have been huge, but they ignored it, and it was never more than poop in a box. Of course, they had a huge obstacle trying to build a better server OS than Linux, as the GUI means nothing in that world. They probably recognized they couldn't win the server market with a bad ass GUI, and left it at that. Anyway, to be on topic, this isn't exactly news. It's already been documented, and can easily be fixed, and will work properly in a future update out of the box. I mean fuck, really? It's 2010, does the fucktards really think they are the first ones to do this, and that they've uncovered some major fuck up that is going to ruin the future of the internet. I doubt it. I think some asshole massaged a summary of a non-news story to get a bunch of fucktards like me to waste their time discussing it. At least they've supported IPv6 for a long while now, unlike some other OS companies... Quick, mod me down for not playing along!

    5. Re:Chicago by Drakino · · Score: 4, Informative

      I think in general, Apple is probably doing more in house engineering now then they did long ago. Back during the PowerPC days, they designed chipsets, cases, and motherboard layouts and thats about it. Now, they make new processes for batteries, case manufacturing, CPU packaging (A4), low level firmware on cellular devices, and so on.

      OS wise, OS X started as NeXTStep, and it took a lot of work to add the Mac part into it. The continue to develop new things there that apply to their entire product line. Grand Central Dispatch is a good example here, built into OS X with 10.6, open sourced for anyone to use, and now being baked into iPhone OS 4. OpenCL is another big one recently. Apple doesn't take things from the community and close source them, they participate in many open source projects, and make a number of new ones. Basically anything below the UI layer tends to be open and remains that way. Some of Apple's work even become fully certified standards, mDNS, and the container for MPEG 4 are recent ones.

      They are still pretty unique in the industry, in many ways.

  2. IPv6 resolution with NTP by Anonymous Coward · · Score: 5, Interesting

    There's also a bug in NTP on 10.6 that causes it to not fall back on IPv4 resolution if it can resolve over IPv6, even if IPv6 is disabled on the machine. So while not an IPv6 hurdle, it is a bug in IPv6 implementation.

    RADAR bug is: 6736177

    1. Re:IPv6 resolution with NTP by Anonymous Coward · · Score: 3, Informative

      I suspect (but have no proof) that this involves an ipv4 dns connection that receives AAAA records. When NTP sees that there are ipv6 servers available, it doesn't fallback to ipv4 even when ivp6 networking is disabled. So nothing weird going on, just a bug.

  3. Chicago? by DarkKnightRadick · · Score: 3, Funny

    Is this a Chicago reference by the Mac OS X dev team?

    --
    "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
  4. puts up a "block"? by BitwiseX · · Score: 3, Insightful

    Hardly. Sounds like something that's pretty simple to fix before IPv4 addresses run out.
    An interesting article none the less.

  5. Why would /. focus on OSX problems?... by sznupi · · Score: 4, Informative

    ...when, most notably, also Opera versions prior to 10.50 are affected!

    OK, OK, and apparently many Linux distros prior to recent patch of glibc. From the original source (love the url): "Also I'd like to thank Opera Software for working with me and fixing the problem in their browser, and Fedora, Canonical, Gentoo, Novell, Mandriva, and Debian for applying my patches to glibc in their respective Linux distributions."

    --
    One that hath name thou can not otter
    1. Re:Why would /. focus on OSX problems?... by the_humeister · · Score: 4, Insightful

      Apple is now hated slightly less than MS, which is pretty significant given how maybe a decade ago they were not hated at all. That's what happens when you become a corporate behemoth.

    2. Re:Why would /. focus on OSX problems?... by iluvcapra · · Score: 5, Insightful

      Apple is now hated slightly less than MS, which is pretty significant given how maybe a decade ago they were not hated at all.

      They weren't hated, they were held in contempt for making closed boxes that no one wanted to buy. What truly enrages the ilk of slashdot is that over the past ten years is that Apple has made a killing selling closed boxes, when all of the "common sense" of open source evangelism told them this was unpossible.

      --
      Don't blame me, I voted for Baltar.
    3. Re:Why would /. focus on OSX problems?... by larkost · · Score: 4, Insightful

      No, it wasn't. It was a large re-architecting of a lot of subsystems. This does not mean a lot for most users, thus they only announced a couple of user-visiable feautres. Not the same thing at all.

      For developers Snow Leopard was a rather feature-rich update.

  6. Help me understand this. by DdJ · · Score: 5, Informative

    So, I'm not 100% sure I understand what's going on here. Let's check.

    It sounds like the problem is: if you've got a server that according to DNS is available both via IPv6 and IPv4, and the IPv6 address is not working, and the IPv4 address is working, the systems in question will fail to connect to it, even though they could if they'd just fall back to IPv4.

    If a given server is IPv6-only, it works fine. If a given server's IPv6 connectivity is more reliable than its IPv4 connectivity, that's also fine. If a given server is IPv4, that's also fine. The problem only manifests when the server is available both via IPv4 and IPv6, and the IPv4 connection is more reliable than the IPv6 connection.

    Yes?

    And then on top of that, the author observes that on a system reachable both ways, it is typically the case today that the IPv4 version is considerably more reliable than the IPv6 version, and so in practical terms this issue actually does come up in the real world.

    Yes? Do I grok, or have I made an error in reading?

    1. Re:Help me understand this. by Monkey_Genius · · Score: 3, Insightful

      Problem meets Nutshell.

      --
      I've got your sig, right here.
    2. Re:Help me understand this. by ShadowRangerRIT · · Score: 5, Informative

      Mostly correct. One additional note: Many ISPs and routers don't do IPv6 well. So even in the "good IPv6 server, good IPv4 backup" case, many people will be hitting these delays because their ISP or router isn't IPv6 friendly. Since the web server can't force your ISP/router to upgrade, they have a choice. Do they serve only over IPv4 and get guaranteed performance, or do they move to IPv6 with an IPv4 fallback, thereby guaranteeing that their site will be dog slow for a fixed percentage of their users? We want them to move to IPv6 so the transition can occur smoothly over time. But a reasonable website operator might put off the move until the absolute last second, hoping that more ISPs and routers will be ready when they do switch. But of course, if no one is serving content over IPv6, ISPs have less motivation to upgrade. Yay Catch-22 situations!

      Basically, if these browsers used the IPv4 fallback path smoothly, the IPv6 transition would be more painless; site operators would have one less reason to delay the switch, which would lead ISPs to have one more reason to speed the switch. But it all relies on the damn browsers behaving properly in the first place.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    3. Re:Help me understand this. by Trepidity · · Score: 3, Insightful

      It seems like it depends on the connectivity of the host as well. If the server has good IPv6 and good IPv4 connectivity, this problem can still manifest itself if the client has good IPv4 connectivity, but crappy IPv6 connectivity only via a 6to4 tunnel. In that case, OSX will prefer the 6to4 tunnel rather than the native IPv4 connection. If it were all native connections (native IPv6 and native IPv4), it'd be much less of a problem; it really seems to be preferring the tunnel that's causing all the reliability issues. The fix (applied to glibc, among others) seems to be to distinguish between native IPv6 connectivity and tunnel-based connectivity, and deprioritize tunnel-based connectivity.

      --
      10 PRINT CHR$(205.5+RND(1)); : GOTO 10
    4. Re:Help me understand this. by hitmark · · Score: 4, Informative

      not just browsers, two of the reported problems are core library related, not browser related.

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    5. Re:Help me understand this. by klapaucjusz · · Score: 5, Informative

      Do I grok?

      Not quite.

      If a server is advertised in the DNS as being accessible using both v4 and v6, Unix-like systems (including Mac OS X) will first try v6, and then fall back to v4. This is the case on all Unices, although in the case of Linux it can be worked around by editing /etc/gai.conf.

      When v6 is broken, this only works well if v6 sends you an error message in a timely manner. If v6 fails silently, just eats your packets, then you will only find out about it after a timeout -- meaning that it will take ages to fall back to v4.

      Most of the time, this is not an issue, since v6 is pretty good at sending good error reports in a timely manner. The one exception is 6to4, which has an unpleasant tendency to fail silently (thus causing a timeout) when there is a v4 connectivity issue (such as a firewall).

      The fix is simple -- only prefer v6 to v4 when you have native v6; if you're using 6to4, prefer v4 to v6. Windows does that right.

    6. Re:Help me understand this. by ceoyoyo · · Score: 3, Interesting

      The problem is, no website is going to ONLY serve over IPv6, so there's no incentive for ISPs to support it. The incentive HAS to come from something new. That can either be new websites (or ISP subscribers) that can't get an IPv4 address, in which case we have a crisis, or some new client-side application that people would like to use.

      A nice regulation requiring that ISPs serve unique IP addresses to any subscriber device that asks for one would get them to switch to IPv6 in a hurry, and we'd all have easy remote access to all our machines.

    7. Re:Help me understand this. by ekhben · · Score: 3, Insightful

      Yes.

      IPv6 tunnels, firewalls set to drop ICMP, removal of router fragmentation in IPv6, and application name resolution behaviours combine to cause a noticeable number of IPv6 connections to open successfully, but not send data.

      If you have the choice, avoid tunnels, both by using a native v6 connection yourself, and by only peering with known-good native v6 entities, which is what Google do.

      If you have the choice, avoid dual stack. Test it, by all means, so you're ready to provide service should v6 actually work, but avoid presenting AAAA and A records for the same name.

      If you have no choice, set your interface MTU to 1280 bytes, which resolves a large number of the problems.

  7. Re:Mac Issue Or IPv6 Issue? by wisnoskij · · Score: 4, Informative

    How is their a difference? if Mac did not properly support IPv6 then it is their problem.

    And I assume it did not mention Windows because they had no problems, the site seemed to just be listing problems.

    --
    Troll is not a replacement for I disagree.
  8. Re:Mac Issue Or IPv6 Issue? by Anonymous Coward · · Score: 5, Informative

    Depends on how you phrase it. Yes , it is an ipv6 issue .. An issue on how Apple implemented IPv6 on OS X. Is this a problem with the way IPv6 was deployed in the test realized by Redpill Linpro or that IPv6 just isn't supported in the wild yet? I doubt that. We've replicated his results on several tests in the wild and in the lab. In fact, we run constant monitoring of these things and we saw clearly when Opera fixed the problem in their browser as we saw a clear drop in brokenness as reported by our experiments. AFAIK, Google runs some experiments on this as well (https://e-learning.ripe.net/ripe/meetings/ripe-57/presentations/Colitti-Global_IPv6_statistics_-_Measuring_the_current_state_of_IPv6_for_ordinary_users_.7gzD.pdf ), so I wouldn't be surprised if their whitelist-only method for receiving AAAA records is because of that.

    Also, have you wondered why IPv6 isn't deployed by all the big sites just yet? Think of the number of hits a big site such as google, msn, cnn, etc gets. If you consider a 0.1% brokenness rate, this means a considerable number of users will have problem and this will damage the reputation of those sites (let's be honest.. How many non-geek users will know how to debug IPv6? In some cases, like the users who get IPv6 via 6to4 thanks to their Airport Express, they won't even know that they have IPv6 and they will just blame those sites). On all our tests, we've been actively collecting data and, when we identify the cause, we give this data back to vendors so they can fix their crap. It's a slow process, but we're seeing progress.

  9. 6to4 is unreliable by klapaucjusz · · Score: 3, Informative

    All Unices prefer 6to4 to v4, not just Mac OS X. At least Linux, FreeBSD and Solaris do.

    The real bug, of course, is not that 6to4 is preferred, it is that 6to4 is unreliable. 6to4 does not monitor its tunnels -- it just assumes that a tunnel will work if there is a global IPv4 address. Which is obviously not necessarily the case in the presence of a v4 firewall.

    Do yourself a favour -- disable the 6to4 functionality on your Mac and run Miredo, a Teredo implementation for Unices.

    (Some more anecdotical evidence.)

    1. Re:6to4 is unreliable by j+h+woodyatt · · Score: 3, Informative

      The real bug, of course, is not that 6to4 is preferred, it is that 6to4 is unreliable. 6to4 does not monitor its tunnels -- it just assumes that a tunnel will work if there is a global IPv4 address.

      It's worse than that: 6to4 is architecturally flawed.

      A 6to4 CPE router can only monitor the availability of its own 6to4 relay. It can't do anything about the relay required for the reverse path. Service providers aren't sufficiently moved to deploy their own 6to4 relays because content providers and distributors aren't deploying the reverse path relays needed to make the system functional. The content providers and distributors in turn aren't deploying 6to4 relays because there are too damned many IPv4 firewalls that drop all incoming protocol 41 on general principle, so from their perspective, it's not worth the effort.

      Worth noting: Teredo suffers from the same basic architectural flaw. Neither 6to4 nor Teredo should be used, if it can be helped at all.

      --
      jhw
  10. Re:Not so simple by klapaucjusz · · Score: 3, Interesting

    This presents a reason to avoid IPv6 entirely until it's fixed.

    No. It's a reason to avoid (host-based) 6to4, which is too unreliable to be useful.

  11. Re:John C. Randolph, give us the real story. by Anonymous Coward · · Score: 5, Funny

    Disregard that, I suck cocks.

    -jcr

  12. Problems with connecting to flash media server by NoSleepDemon · · Score: 3, Interesting

    I ran into this problem a few months ago when trying to connect to a flash media server owned by a client - the media player running on the Mac would take over a minute to connect, and would fail at least once. The client insisted it was a bug in my code (I was the third programmer to be assigned the project after 2 others bailed), but my colleague and I uncovered similar horror stories with Mac OS 10.5, after my version of the player indicated a problem with the connection attempt timing out. The first two programmers couldn't prove this because their error trapping was non existent, so their players simply looked like they were crashing. Ah the joys of cross platform development!

  13. Re:Mac Issue Or IPv6 Issue? by Bert64 · · Score: 3, Informative

    Interesting, never realised such a site existed...
    It says that i have "global unicast" address type, no 6to4 mapping, and it even tells me my mac address that was used to calculate the v6 address...

    The speedtest also indicates that both protocols are roughly the same speed, and my machine defaults to v6 if it can.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  14. Re:Not so simple by j+h+woodyatt · · Score: 3, Insightful

    We'd like the transition to be smooth, such that it's already complete, before IPv4 addresses run out or become rare...

    At this point, the transition is either going to be a very bumpy ride, or it's not going to happen at all. Smooth is no longer an option. Get used to it.

    --
    jhw
  15. Here's a quick solution, say in a Flash? by failedlogic · · Score: 4, Funny

    75 seconds by Apple web-browsing standards sounds like a long time. I seem to recall Mr Jobs pointed out that Flash is the only thing responsible for slowing down the Web on a Mac. Now, I have an iMac G5 and Flash doesn't slow down my experience by 75 seconds. So intstead of changing the TCP/IP stack in OSX, or fixing Safari, I think what would please Apple (in getting faster experience on the Web for the customers) would be to ask Adobe to make a Flash IPV6to4 wrapper for their TCP/IP stack.

    I don't even know if this would even be possible, in fact I don't think it is. I leave the challenge to Adobe, and the PR to Apple to explain how Adobe fixed their 'problems'!

    I have already accepted I used at least 75 seconds of my web browsing experience to write this post!

  16. Re:John C. Randolph, give us the real story. by gyrogeerloose · · Score: 3, Funny

    You're sexy when you talk tough.

    Not as sexy as you are when you put on that big funny hat, Your Holiness.

    --
    This ain't rocket surgery.
  17. Re:Mac Issue Or IPv6 Issue? by ekhben · · Score: 4, Insightful

    Almost certainly the latter.

    The article, and the accompanying 'raw' data, are not sufficiently detailed to draw the conclusion that OS X is at fault. The observation is that browsers with Mac OS X in the User-Agent string are more commonly using 6to4 addresses. The faulty assumption is that Mac OS X prefers 6to4 addresses to RFC1918 addresses.

    The reality is that getaddrinfo() on several platforms prefers IPv6 addresses over IPv4, if the host OS has an active IPv6 service. This is not unique to OS X, nor is it a bug.

    The interesting part is that the only CPE devices which support IPv6 are Apple Airports - the Extreme and Express models. They use 6to4 if there is no native IPv6 address provided. No ADSL modems available to consumers support IPv6 out of the box, ergo, almost every Airport user has 6to4 enabled. If one assumes that most Airport users are also Mac users, then the observation that excluding Mac OS X User-Agents from the result set also excludes the bulk of IPv6 users is not surprising.

    If Apple has an issue, it's that they enable 6to4 by default on a consumer device, when 6to4 is a known-bad mechanism that should be avoided.

    If one is running dual stack services, one should be aware of the most common pitfalls: see http://www.potaroo.net/ispcol/2010-05/v6hints.html for details.

  18. Re:Not so simple by j+h+woodyatt · · Score: 3, Funny

    The root cause here is multipath confusion, but there are lots of other ways the transition will get bumpy.

    Once the IPv4 address exhaustion wave starts to break, the Internet community is going to be dealing with all manner of breakage caused by some parts of the Internet resisting the transition to IPv6 while other parts are being forced into the transition by financial considerations. These different parts will be intermediated by things like NAT64 and DNS64, as well as other evils like DS-Lite and the associated AFTR boxes. Meanwhile, there will still be crazy things like 6to4 and Teredo kicking around. For the transition to go smoothly, all these interlocking parts have to work perfectly... everywhere... and we know from long experience that this just cannot happen.

    This will all seem fairly familiar to anyone who survived the transition to IPv4 a generation ago. But if you're a young gun, and all you've ever known is the IPv4 we have now because the old-timers spent a long damned time years and years ago making it rock-solid before you got here, then you're about to be schooled.

    Get ready for life during wartime—that's what I say.

    --
    jhw
  19. Re:Mac Issue Or IPv6 Issue? by Savage-Rabbit · · Score: 4, Insightful

    How is their a difference? if Mac did not properly support IPv6 then it is their problem.

    I'm not sure quite what he meant by "properly supported in the wild" but it sounded like he was trying to point out that sometimes you do get bugs because you implement things correctly but somebody else screwed up their implementation. A while back I had a problem connecting Linux and OS X based VPN daemons to some Microsoft VPN servers. At first it seemed obvious that this was Apple screwing up. After some considerable wiresharking and digging in Apple's source code I found out that Microsoft's VPN server sends malformed protocol messages which the Linux/OS X based counterparts try to parse according to the letter of the specification and exit with an error when they run into problems. Not that I'm trying to absolve Apple of all blame they can fuck up like everybody else and do so regularly, however that doesn't change the fact that it's entirely possible to render your software unusable by implementing it according to specifications. In a situation like that you can either change your software to take the buggy implementation by <insert name of manufacturer> into account or stick to your guns and piss off your users.

    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
  20. Re:It would be nice if people read the standards.. by ekhben · · Score: 3, Informative

    Um.

    A request to an authoritative name server made over IPv4 should return an answer based only on the contents of the QUERY section. If the QUERY section requests an AAAA record, the server should either return RCODE 0 (NOERROR) and one ANSWER section per AAAA record (including 0, if there are none) if the label exists, or it should return RCODE 3 (NXDOMAIN) if the label does not exist.

    That is what RFC 4074 states.

    And the very first two sentences in RFC 4074 are, I quote with added emphasis, "This memo provides information for the Internet community. It does not specify an Internet standard of any kind."

    So to refute your statements, (1) this is not a standard, (2) the behaviour you describe is neither recommended by the informational memo, and (3) the behaviour you describe has been discussed in DNSOPS and the consensus as I have read it is that you should not do that, since you are only testing IPv6 connectivity to the resolver, not to the client.

    I may be wrong, if so, please let me know what part of that RFC I've missed or misread, or in which way I've misinterpreted your post.

  21. Re:Troll? by Amarantine · · Score: 3, Insightful

    Yes, but they were only funny the first 500 times. Really, these kind of jokes pop up at the top of *every* article that has even remotely to do with Apple.