In a mailing list I frequent, the conversation turned to tunnels as a means of getting IPv6 access. A personage of note who shall remain nameless here said:
> IPv6-over-IPv4 tunnels are perhaps worse than not doing it at all.
I took issue with that statement, and here, lightly edited, is my response:
It’s difficult for a nobody such as myself to appear in a forum like this and take a shot at a person of such enormous augustity and pontifitude as yourself, but I will.
Automatic tunnels such as Teredo are indeed awful, and really should be avoided except as a last resort. But we are talking here not so much about one-host-only unmanaged tunnels as about managed, network-enabling tunnels, such as those offered by HE, SixXS, AARNet, IPv6Now, etc.
Tunnels may indeed, in some cases, cause the extinction of all life on earth. Mostly, however, they don’t, and they are WAY better than nothing. There are plenty of people, myself included, who have been dual-stacked using tunnels for years with no real difficulty at all. Yes, I know that an enterprise network is a different class of animal – but the problem you describe is not the demon you make it out to be.
> [...] the problem we see more often is that the other end (the native IPv6 end) sends a full sized IPv6 packet and when it encounters the tunnel ingress the packet is too big. At this point the tunnel ingress has to send an ICMP6 packet back to the IPv6 source and get it to try again. For various historical reasons ICMP filtering at edge sites is incredibly widespread and often the ICMP filters block both ICMP4 and ICMP6 packets. ooops.
This scenario boils down to “some people block ICMPv6”. True – however, native IPv6 will have the same problem with this ICMPv6-filtering site. The only difference is that the tunnel (with its slightly lower MTU) triggers it on smaller packets than the native connection does.
A network misconfiguration, even if a widespread one, is still a network misconfiguration. If the site in question is a major one, enough people will be banging on their door soon enough. If it’s not a major one, then it might still be important enough to someone for them to get in touch and get the problem fixed. And if it is neither – then who cares?
Actually, now I’m guilty of trivialising something, which is unfair when accusing someone of transmuting molehills into mountains. I can imagine a scenario where the tunnel-connected network happened to desperately need access to the ICMPv6-blocking site; then they would indeed have a problem, and they would indeed need to address it. The problem would not be trivial to them.
To someone considering tunnels, then, I would say test the important connections you will be using – those to the major sites in your world. But here’s the thing: I would give the same advice to someone about to turn up native IPv6 – test the things that are important to you.
> You are far better off avoiding tunnels.
> Really.
Not at the cost of waiting, even longer, to start deploying IPv6. The tunnel, the link to the IPv6 Internet, is just one component of a great many components that people need to start working with; the tip of an iceberg of deployment.
Don’t let “perfect” get in the way of “good”. You don’t have to have a limo to get you to the church on time.
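
The ICMPv6-filtering scenario discussed above, modelled as a small simulation; this is an added example, not part of the original post or mailing-list thread. The 20-byte IPv4 encapsulation overhead, the 1500-byte sender MTU and the 1492-byte PPPoE hop on the native path are assumptions chosen for illustration.

```python
"""Constructed model of IPv6 Path MTU Discovery; no real packets are sent."""
IPV6_MIN_MTU = 1280   # smallest link MTU that IPv6 permits (RFC 8200)
IPV4_HEADER = 20      # assumed overhead of IPv6-in-IPv4 (protocol 41) encapsulation

def tunnel_mtu(ipv4_path_mtu=1500):
    """MTU available to IPv6 packets inside an IPv6-over-IPv4 tunnel."""
    return ipv4_path_mtu - IPV4_HEADER

# Constructed paths: link MTUs from the far (native) sender towards the local site.
NATIVE_CLEAN = [1500, 1500, 1500]
NATIVE_PPPOE = [1500, 1492, 1500]        # assumed native path with a PPPoE hop
TUNNELLED = [1500, tunnel_mtu(), 1500]   # the middle hop is the tunnel ingress

def send(size, link_mtus, icmpv6_filtered, max_tries=5):
    """Model the far end sending one packet of `size` bytes along the path.

    Returns ("delivered", final_size) or ("blackholed", size).
    """
    for _ in range(max_tries):
        bottleneck = next((m for m in link_mtus if m < size), None)
        if bottleneck is None:
            return ("delivered", size)
        # The hop drops the packet and emits ICMPv6 Packet Too Big (type 2).
        if icmpv6_filtered:
            # The sender's edge filter discards the error, so the sender
            # keeps retransmitting at the same size and nothing arrives.
            return ("blackholed", size)
        # The error arrives: the sender lowers its path MTU and retries.
        size = max(bottleneck, IPV6_MIN_MTU)
    return ("blackholed", size)

def blackholed_sizes(link_mtus, sender_mtu=1500):
    """(smallest, largest) packet size lost when ICMPv6 is filtered, or None."""
    lost = [s for s in range(IPV6_MIN_MTU, sender_mtu + 1)
            if send(s, link_mtus, icmpv6_filtered=True)[0] == "blackholed"]
    return (lost[0], lost[-1]) if lost else None

if __name__ == "__main__":
    paths = [("native, clean", NATIVE_CLEAN),
             ("native, PPPoE hop", NATIVE_PPPOE),
             ("tunnelled", TUNNELLED)]
    for name, path in paths:
        print(f"{name:18} lost sizes with ICMPv6 filtered: {blackholed_sizes(path)}")
        print(f"{'':18} 1500-byte packet, ICMPv6 allowed: {send(1500, path, False)}")
```

With ICMPv6 allowed, every path delivers after at most one size reduction; with it filtered, both the native path with a smaller hop and the tunnelled path lose packets, and the tunnel only moves the threshold lower.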