[ipv6hackers] Windows 7/2008 R2 Improved Resiliency to IPv6 Floods

Owen DeLong owend at he.net
Mon Apr 15 19:06:30 CEST 2013


On Apr 15, 2013, at 00:19 , Marc Heuse <mh at mh-sec.de> wrote:

> On 15.04.2013 05:24, Jim Small wrote:
>>> In my mind, that's a poor tradeoff. I would much rather have seen MS
>>> implement happy eyeballs. It would have much greater overall benefit,
>>> and none of the drawbacks.
>> 
>> I understand what you're saying - that's exactly how I felt.  I spoke to someone close to the Microsoft core networking team.  From Microsoft's vantage point the most important thing is determinism.  The problem with happy eyeballs is you have non-deterministic behavior.  For an excellent discussion of this with references, see here:
>> http://blog.ioshints.info/2013/03/happy-eyeballs-happiness-defined-by.html
>> 

If this is deterministic, it's about the only result from Windows that is.

Almost by definition, the internet is non-deterministic and when you're talking about
client connections, usually the most important thing is a good user experience. A
deterministically bad one is questionable at best.

>> It would be nice if there were an option to enable happy eyeballs though if the user/organization desired that behavior.  But again, I think Microsoft is afraid of the supportability/costs of a non-deterministic approach.
>> 
>> I'm not sure I completely agree with the end result, but I understand where they are coming from.
> 
> I understand Microsoft as well on this point. Undeterministic behaviour
> is a big issue if you need to diagnose problems.
> 

When you're in diagnostic mode, there are plenty of ways to force the
particular protocol you want. The solution to this is better instrumentation.

That's why we have the -6 option to ping, tracert, and netstat. (Or in most
operating systems ping/ping6, traceroute/traceroute6, etc.)

> But in my opinion, user experience should be the top priority, and IMHO
> the happy eyeballs technique is the best solution.
> 

I agree with the first point. As to the second, it seems to be the best current
workaround. In the long run, IPv4 deprecation will help a lot.

> The common unix/network solution fails too at least for me (I mean the
> getaddr(ptr, "foo.com"); while(ptr != NULL) { connect(foo->addr)... one)
> because if the IPv6 connection to the destination fails, the user has to
> wait for the timeout before the IPv4 address is tried.

That's why you should use non-blocking connect and select() to see
which one succeeded first.

> About the happy eyeballs technique - is there a simple best practice
> code published somewhere that is cross platform? That would be very
> helpful to point to and encourage developers to implement instead.

I'll work on creating one unless someone has a pointer to one.

Owen
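
Added example, not part of the original message or code from any poster: one way to do the non-blocking connect plus select() race described above, written in Python because its socket module exposes the same calls on Windows and Unix. The name race_connect, the 250 ms head start given to the preferred address, and the loopback demo are assumptions of this example.

```python
import errno
import select
import socket
import time

def race_connect(candidates, stagger=0.25, timeout=5.0):
    """Return the first socket to finish connecting, or None. candidates are
    (family, sockaddr) pairs, IPv6 first; stagger is each attempt's head start."""
    queue, pending = list(candidates), []
    deadline = time.monotonic() + timeout
    next_start = 0.0
    try:
        while (queue or pending) and time.monotonic() < deadline:
            now = time.monotonic()
            if queue and (not pending or now >= next_start):
                family, addr = queue.pop(0)
                try:
                    s = socket.socket(family, socket.SOCK_STREAM)
                except OSError:        # address family unavailable on this host
                    continue
                s.setblocking(False)
                if s.connect_ex(addr) in (0, errno.EINPROGRESS, errno.EWOULDBLOCK):
                    pending.append(s)
                    next_start = now + stagger
                else:                  # immediate failure, e.g. no route
                    s.close()
                continue
            wake = min(deadline, next_start) if queue else deadline
            # A failed connect is reported as writable on POSIX, exceptional on Windows.
            _, w, x = select.select([], pending, pending, max(wake - now, 0))
            for s in set(w) | set(x):
                pending.remove(s)
                if s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) == 0:
                    s.setblocking(True)
                    return s           # winner; the losers are closed in finally
                s.close()
        return None
    finally:
        for s in pending:
            s.close()

if __name__ == "__main__":
    # Constructed demo: IPv4-only loopback listener, so the ::1 attempt loses.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0)); srv.listen(1)
    port = srv.getsockname()[1]
    win = race_connect([(socket.AF_INET6, ("::1", port, 0, 0)),
                        (socket.AF_INET, ("127.0.0.1", port))])
    print("connected via", win.getpeername() if win else None)
```

For a real host, build the candidate list from socket.getaddrinfo() and order it with the IPv6 entries first.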



