Andrew McMillan wrote:
On Fri, 2009-02-13 at 12:04 +1300, Perry Lorier wrote:
Subtleties of behaviour also have effects. An example of one that bit me, is that the Undernet IRC server considers 1 IPv4 address equivalent to 1 IPv6 /64 for rate limiting purposes. While this kind of heuristic works OK with the same values for private and public servers both on NATed LANs and the intartubes for IPv4, for IPv6 everyone on your LAN connecting to your private IRC server will have an IPv6 in the same /64 and rate limiting will kick in unless you completely change the rate limiting values. So that is an example of an application which *needs* to know the type of address in order to be able to make the correct decision.
Speaking as the person who actually designed that system for Undernet, that behavior was intentional. :)
Sure, which shows how the heuristics used for IPv4 *could* *not* be directly mapped to equally apt heuristics for IPv6, doesn't it? Our server worked fine for years without tuning, right up until the first restart after we added an AAAA record for it.
I like to think that we considered the various new attack vectors that IPv6 made available (including the ability for people to programmatically generate millions of addresses that they couldn't easily do before), talked to other networks (such as efnet and freenode) that were running v6 in production about what abuse they were seeing, and what their thoughts were, and then came up with something that attempted to mitigate as many of the attacks as we could. You'll note that ircu doesn't have any idea about the structure of IPv4 addresses (such as /24's), that function is taken up by global services which know more about who has what IP ranges allocated to them, and so on. This is fresh code for IPv6 that was never part of our IPv4 support. Yes, it's annoying for people using ircu standalone out of the box. ircu by default is designed to meet undernet's requirements, which is basically deal with a deluge of 24/7 attacks. :/
My point is that while it might be a laudable goal to have software that is IPv6/IPv4 agnostic there are still going to be plenty of gotchas out there waiting for people, because the network will behave differently - outside of the fact that the actual addresses happen to be different data types. Many pieces of software, not just IRC servers, imply meaning into a single IPv4 ip address, or a /24, and it is quite likely that those meanings won't have easy equivalents in an IPv6 addressable.
Yeah, v6 is a different protocol, and there are reasons (and some of them might even be good reasons in some situations) for people to treat them differently.
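
The keying rule discussed in this thread (one IPv4 address counted like one IPv6 /64), as an added sketch that is not ircu's code and not part of the original messages. The names limit_key, ConnectLimiter and simulate, the fixed-window counter, the limit values and the sample addresses are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def limit_key(addr, v6_prefix=64):
    """Return the bucket a client is counted under: the full IPv4 address,
    or the enclosing IPv6 prefix (a /64 by default, as in the thread)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:a.b.c.d is really an IPv4 client
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.IPv6Network(f"{ip}/{v6_prefix}", strict=False))

class ConnectLimiter:
    """Fixed-window limiter on connection attempts per key (hypothetical)."""
    def __init__(self, max_per_window, window_s=60.0, v6_prefix=64):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.v6_prefix = v6_prefix
        # key -> [window start time, attempts counted in that window]
        self.buckets = defaultdict(lambda: [float("-inf"), 0])

    def allow(self, addr, now):
        bucket = self.buckets[limit_key(addr, self.v6_prefix)]
        if now - bucket[0] >= self.window_s:   # window expired: start a new one
            bucket[0], bucket[1] = now, 0
        if bucket[1] >= self.max_per_window:
            return False
        bucket[1] += 1
        return True

def simulate(addrs, **limiter_args):
    """Feed one attempt per second through a fresh limiter."""
    limiter = ConnectLimiter(**limiter_args)
    return [limiter.allow(a, now=float(i)) for i, a in enumerate(addrs)]

# Constructed sample: the same five LAN hosts, first over IPv4, then over
# IPv6 addresses that all sit in one /64 (documentation prefix 2001:db8::/32).
LAN_V4 = [f"192.168.1.{n}" for n in range(10, 15)]
LAN_V6 = [f"2001:db8:1:1::{n:x}" for n in range(10, 15)]

if __name__ == "__main__":
    print("IPv4, limit 3:", simulate(LAN_V4, max_per_window=3))
    print("IPv6, limit 3:", simulate(LAN_V6, max_per_window=3))
    print("IPv6, limit 5:", simulate(LAN_V6, max_per_window=5))
```

The same property that trips up a private server on a single LAN is what bounds a host that cycles through addresses inside its own /64: every one of those addresses lands in the same bucket.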