v6ops D. Wing
Internet-Draft A. Yourtchenko
Intended status: Standards Track Cisco
2011

Happy Eyeballs: Success with Dual-Stack Hosts
draft-ietf-v6ops-happy-eyeballs-04

Abstract

When the IPv4 server and path is working but the IPv6 server or IPv6 path is down, a dual-stack client application experiences significant connection delay compared to an IPv4-only client. This is undesirable because it causes the dual-stack client to have a worse user experience. This document specifies requirements for algorithms that reduce this delay, and provides an example algorithm.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http:/⁠/⁠datatracker.ietf.org/⁠drafts/⁠current/⁠.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

Copyright Notice

Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:/⁠/⁠trustee.ietf.org/⁠license-⁠info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

In order to use applications over IPv6, it is necessary that users enjoy nearly identical performance as compared to IPv4. A combination of today's applications, IPv6 tunneling, IPv6 service providers, and some of today's content providers all cause the user experience to suffer (Section 3). For IPv6, a content provider may ensure a positive user experience by using a DNS white list of IPv6 service providers who peer directly with them (e.g., [whitelist]). However, this does not scale well (to the number of DNS servers worldwide or the number of content providers worldwide), and does not react to intermittent network path outages.

Instead, applications can improve the user experience themselves, by more aggressively making connections on IPv6 and IPv4. There are a variety of algorithms that can be envisioned. This document specifies requirements for any such algorithm, with the goals that the network and servers are not inordinately harmed with a simple doubling of traffic on IPv6 and IPv4, and the host's address preference is honored (e.g., [RFC3484]).

2. Notational Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

3. Problem Statement

The basis of the IPv6/IPv4 selection problem was first described in 1994 in [RFC1671],

As discussed in more detail in Section 3.1, it is important that the same URI and hostname be used for IPv4 and IPv6. Using separate namespaces (e.g., "ipv6.example.com") causes namespace fragmentation and reduces the ability for users to share URIs and hostnames, and complicates printed material that includes the URI or hostname.

As discussed in more detail in Section 3.2, IPv6 connectivity is broken to specific prefixes or specific hosts, or slower than native IPv4 connectivity.

3.1. URIs and hostnames

URIs are often used between users to exchange pointers to content -- such as on social networks, email, instant messaging, or other systems. Thus, production URIs and production hostnames containing references to IPv4 or IPv6 will only function if the other party is also using an application, OS, and a network that can access the URI or the hostname.

3.2. IPv6 connectivity

When IPv6 connectivity is impaired, today's IPv6-capable web browsers incur many seconds of delay before falling back to IPv4. This harms the user's experience with IPv6, which will slow the acceptance of IPv6, because IPv6 is frequently disabled in its entirety on the end systems to improve the user experience.

Reasons for such failure include no connection to the IPv6 Internet, broken 6to4 or Teredo tunnels, and broken IPv6 peering. The following diagram shows this behavior.

   DNS Server                  Client                  Server
       |                          |                       |
 1.    |<--www.example.com A?-----|                       |
 2.    |<--www.example.com AAAA?--|                       |
 3.    |---192.0.2.1------------->|                       |
 4.    |---2001:db8::1----------->|                       |
 5.    |                          |                       |
 6.    |                          |--TCP SYN, IPv6--->X   |
 7.    |                          |--TCP SYN, IPv6--->X   |
 8.    |                          |--TCP SYN, IPv6--->X   |
 9.    |                          |                       |
 10.   |                          |--TCP SYN, IPv4------->|
 11.   |                          |<-TCP SYN+ACK, IPv4----|
 12.   |                          |--TCP ACK, IPv4------->|

Figure 1: Existing behavior message flow

The client obtains the IPv4 and IPv6 records for the server (1-4). The client attempts to connect using IPv6 to the server, but the IPv6 path is broken (6-8), which consumes several seconds of time. Eventually, the client attempts to connect using IPv4 (10) which succeeds.

Delays experienced by users of various browser and operating system combinations have been studied [Experiences].

4. Algorithm Requirements

A Happy Eyeballs algorithm has two primary goals:

  1. Provides fast connection for users, by quickly attempting to connect using IPv6 and (if that connection attempt is not quickly successful) to connect using IPv4.
  2. Avoids thrashing the network, by not (always) making simultaneous connection attempts on both IPv6 and IPv4.

The basic idea is depicted in the following diagram:

   DNS Server                  Client                  Server
       |                          |                       |
 1.    |<--www.example.com A?-----|                       |
 2.    |<--www.example.com AAAA?--|                       |
 3.    |---192.0.2.1------------->|                       |
 4.    |---2001:db8::1----------->|                       |
 5.    |                          |                       |
 6.    |                          |==TCP SYN, IPv6===>X   |
 7.    |                          |--TCP SYN, IPv4------->|
 8.    |                          |<-TCP SYN+ACK, IPv4----|
 9.    |                          |--TCP ACK, IPv4------->|
10.    |                          |==TCP SYN, IPv6===>X   |

Figure 2: Happy Eyeballs flow 1, IPv6 broken

In the diagram above, the client sends two TCP SYNs at the same time over IPv6 (6) and IPv4 (7). In the diagram, the IPv6 path is broken but has little impact to the user because there is no long delay before using IPv4. The IPv6 path is retried until the application gives up (10).

After performing the above procedure, the client learns if connections to the host's IPv6 or IPv4 address were successful. The client MUST cache that information to avoid thrashing the network with excessive subsequent connection attempts. For example, in the diagram above, the client has noticed that IPv6 to that address failed, and it should provide a greater preference to using IPv4 instead.

   DNS Server                  Client                  Server
       |                          |                       |
 1.    |<--www.example.com A?-----|                       |
 2.    |<--www.example.com AAAA?--|                       |
 3.    |---192.0.2.1------------->|                       |
 4.    |---2001:db8::1----------->|                       |
 5.    |                          |                       |
 6.    |                          |==TCP SYN, IPv6=======>|
 7.    |                          |--TCP SYN, IPv4------->|
 8.    |                          |<=TCP SYN+ACK, IPv6====|
 9.    |                          |<-TCP SYN+ACK, IPv4----|
10.    |                          |==TCP ACK, IPv6=======>|
11.    |                          |--TCP ACK, IPv4------->|
12.    |                          |--TCP RST, IPv4------->|

Figure 3: Happy Eyeballs flow 2, IPv6 working

The diagram above shows a case where both IPv6 and IPv4 are working, and IPv4 is abandoned (12).

Any Happy Eyeballs algorithm will persist in products for as long as the client host is dual-stacked, which will persist as long as there are IPv4-only servers on the Internet -- the so-called "long tail". Over time, as most content is available via IPv6, the amount of IPv4 traffic will decrease. This means that the IPv4 infrastructure will, over time, be sized to accommodate that decreased (and decreasing) amount of traffic. It is critical that a Happy Eyeballs algorithm not cause a surge of unnecessary traffic on that IPv4 infrastructure. To meet that goal, compliant Happy Eyeballs algorithms must adhere to the requirements in this section.

4.1. Delay IPv4

In the near future, there will be a mix of different hosts at individual subscribers homes -- hosts that are IPv4-only, hosts that are IPv6-only (e.g., sensors), and dual-stack. This mix of hosts will exist both within a single home and between subscribers. For example an IPv4-only television or video streaming device purchased last year and moved from the living room to a bedroom. As another example, another subscriber might have hosts that are all capable of dual-stack operation.

Due to IPv4 exhaustion, it is likely that a subscriber's hosts (both IPv4-only hosts and dual-stack hosts) will be sharing an IPv4 address with other subscribers. The dual-stack hosts have an advantage: they can utilize IPv6 or IPv4. The IPv4-only hosts have a disadvantage: they can only utilize IPv4. If all hosts (dual-stack and IPv4-only) are using IPv4, there is additional contention for the shared IPv4 address. The IPv4-only hosts cannot avoid that contention (as they can only use IPv4) while the dual-stack hosts can avoid that contention by using IPv6.

As dual-stack hosts proliferate and content becomes available over IPv6, there will be less and less IPv4 traffic. This is true especially for dual-stack hosts that do not implement Happy Eyeballs, because those dual-stack hosts have a very strong preference to use IPv6 (with timeouts in the tens of seconds before they will attempt to use IPv4).

When deploying IPv6, both content providers and Internet Service Providers (who supply IPv4 address sharing mechanisms such as Carrier Grade NAT (CGN)) will want to reduce their investment in IPv4 equipment -- load balancers, peering links, and address sharing devices. If a Happy Eyeballs implementation treats IPv6 and IPv4 equally by connecting to whichever address family is fastest, it will contribute to load on IPv4. This load impacts IPv4-only devices (by increasing contention of IPv4 address sharing and increasing load on IPv4 load balancers). Because of this, ISPs and content providers will find it impossible to reduce their investment in IPv4 equipment. This means that costs to migrate to IPv6 are increased, because the investment in IPv4 cannot be reduced. Furthermore, using only a metric that measures connection speed ignores the value of IPv6 over IPv4 address sharing, such as shared penalty boxes and geo-location [RFC6269].

Thus, to avoid harming IPv4-only hosts which can only utilize IPv4, implementations MUST prefer the first IP address family returned by the host's address preference policy, unless implementing a stateful algorithm described in Section 4.2. This usually means giving preferring IPv6 over IPv4, although that preference can be over-ridden by user configuration or by network configuration [I-D.ietf-6man-addr-select-opt]. If the host's policy is unknown or not attainable, implementations MUST prefer IPv6 over IPv4.

4.2. Stateful Behavior when IPv6 Fails

Some Happy Eyeballs algorithms are stateful -- that is, the algorithm will remember that IPv6 always fails, or that IPv6 to certain prefixes always fails, and so on. This section describes such algorithms. Stateless algorithms, which do not remember the success/failure of previous connections, are not discussed in this section.

After making a connection attempt on the preferred address family (e.g., IPv6), and failing to establish a connection within a certain time period (see Section 5.7), a Happy Eyeballs implementation will decide to initiate a second connection attempt using the same address family or the other address family.

Such an implementation MAY make subsequent connection attempts (to the same host or to other hosts) on the successful address family (e.g., IPv4). Such an implementation MUST occasionally make connection attempts using the host's preferred address family, as it may have become functional again, and is RECOMMENDED to do so every 10 minutes. Implementation note: this can be achieved by attempting to connect to both address families at the same time every 10 minutes, which does not significantly harm the application's connection setup time. If connections using the preferred address family are again successful, the preferred address family SHOULD be used for subsequent connections. Because this implementation is stateful, it MAY track connection success (or failure) based on IPv6 or IPv4 prefix (e.g., connections to the same prefix assigned to the interface are successful whereas connections to other prefixes are failing).

4.3. Reset on Network (re-)Initialization

Because every network has different characteristics (e.g., working or broken IPv6 or IPv4 connectivity), a Happy Eyeballs algorithm SHOULD re-initialize when the host is connected to a new network. Hosts can determine network (re-)initialization by a variety of mechanisms (e.g., DNAv4 [RFC4436], DNAv6 [RFC6059]).

If the client application is a web browser, see also Section 5.8.

4.4. Abandon Non-Winning Connections

It is RECOMMENDED that the non-winning connections be abandoned, even though they could -- in some cases -- be put to reasonable use.

  • Justification: This reduces the load on the server (file descriptors, TCP control blocks), stateful middleboxes (NAT and firewalls) and, if the abandoned connection is IPv4, reduces IPv4 address sharing contention.
  • HTTP: The design of some sites can break because of HTTP cookies that incorporate the client's IP address and require all connections be from the same IP address. If some connections from the same client are arriving from different IP addresses (or worse, different IP address families), such applications will break. Additionally for HTTP, using the non-winning connection can interfere with the browser's Same Origin Policy (see Section 5.8).

5. Additional Considerations

This section discusses considerations related to Happy Eyeballs.

5.1. Additional Network and Host Traffic

Additional network traffic and additional server load is created due to the recommendations in this document, especially when connections to the preferred address family (usually IPv6) are not completing quickly.

The procedures described in this document retain a quality user experience while transitioning from IPv4-only to dual stack, while still giving IPv6 a slight preference over IPv4 (in order to remove load from IPv4 networks, most importantly to reduce the load on IPv4 network address translators). The improvement in the user experience benefits the user to only a small detriment of the network, DNS server, and server that are serving the user.

5.2. Determining Address Type

For some transitional technologies such as a dual-stack host, it is easy for the application to recognize the native IPv6 address (learned via a AAAA query) and the native IPv4 address (learned via an A query). While IPv6/IPv4 translation makes that difficult, fortunately IPv6/IPv4 translators are not deployed on networks with dual stack clients.

5.3. Debugging and Troubleshooting

This mechanism is aimed at ensuring a reliable user experience regardless of connectivity problems affecting any single transport. However, this naturally means that applications employing these techniques are by default less useful for diagnosing issues with a particular address family. To assist in that regard, the implementations MAY also provide a mechanism to disable their Happy Eyeballs behavior via a user setting.

5.4. Three or More Interfaces

A dual-stack host might have more than two interfaces because of a VPN (where a third interface is the tunnel address, often assigned by the remote corporate network), because of multiple physical interfaces such as wired and wireless Ethernet, because the host belongs to multiple VLANs, or other reasons. The interaction of Happy Eyeballs with more than two interfaces is for further study.

5.5. A and AAAA Resource Records

It is possible that an DNS query for an A or AAAA resource record will return more than one A or AAAA address. When this occurs, it is RECOMMENDED that a Happy Eyeballs implementation order the responses following the host's address preference policy and then try the first address. If that fails after a certain time (see Section 5.7), the next address SHOULD be the IPv4 address.

If that fails to connect after a certain time (see Section 5.7), a Happy Eyeballs implementation SHOULD try the other addresses returned; the order of these connection attempts is not important.

5.6. A6 Resource Records

The A6 resource record SHOULD NOT be queried [RFC3363].

5.7. Connection time out

The primary purpose of Happy Eyeballs is to reduce the wait time for a dual stack connection to complete, especially when the IPv6 path is broken and IPv6 is preferred. Aggressive time outs (on the order of tens of milliseconds) achieve this goal, but at the cost of network traffic. This network traffic may be billable on certain networks, will create state on some middleboxes (e.g., firewalls, IDS, NAT), and will consume ports if IPv4 addresses are shared. For these reasons, it is RECOMMENDED that connection attempts be paced to give connections a chance to complete. It is RECOMMENDED that connections attempts be paced 150-250ms apart. Stateful algorithms are expected to be more aggressive (that is, make connection attempts closer together), as stateful algorithms maintain an estimate of the expected connection completion time.

5.8. Interaction with Same Origin Policy

Web browsers implement same origin policy [I-D.ietf-websec-origin] which causes subsequent connections to the same hostname to go to the same IPv4 (or IPv6) address as the previous successful connection. This is done to prevent certain types of attacks.

The same-origin policy harms user-visible responsiveness if a new connection fails (e.g., due to a transient event such as router failure or load balancer failure). While it is tempting to use Happy Eyeballs to maintain responsiveness, web browsers MUST NOT change their same origin policy because of Happy Eyeballs, as that would create an additional security exposure.

5.9. Happy Eyeballs in an Operating System

Applications would have to change in order to use the mechanism described in this document, by either implementing the mechanism directly, or by calling APIs made available to them. To improve IPv6 connectivity experience for legacy applications (e.g., applications which simply rely on the operating system's address preference order), operating systems may consider more sophisticated approaches. These can include changing address sorting based on configuration received from the network, or observing connection failures to IPv6 and IPV4 destinations.

6. Example Algorithm

What follows is the algorithm implemented in Google Chrome and Mozilla Firefox.

  1. Call getaddinfo(), which returns a list of IP addresses sorted by the host's address preference policy.
  2. Initiate a connection attempt with the first address in that list (e.g., IPv6).
  3. If that connection does not complete within a short period of time (e.g., 200-300ms), initiate a connection attempt with the first address belonging to the other address family (e.g., IPv4)
  4. The first connection that is established is used. The other connection is discarded.

Other example algorithms include [Perreault] and [Andrews].

7. Security Considerations

See Section 4.4 and Section 5.8.

8. Acknowledgements

The mechanism described in this paper was inspired by Stuart Cheshire's discussion at the IAB Plenary at IETF72, the author's understanding of Safari's operation with SRV records, Interactive Connectivity Establishment (ICE [RFC5245]), the current IPv4/IPv6 behavior of SMTP mail transfer agents, and the implementation of Happy Eyeballs in Google Chrome and Mozilla Firefox.

Thanks to Fred Baker, Jeff Kinzli, Christian Kuhtz, and Iljitsch van Beijnum for fostering the creation of this document.

Thanks to Scott Brim, Rick Jones, Stig Venaas, Erik Kline, Bjoern Zeeb, Matt Miller, Dave Thaler, Dmitry Anipko, and Brian Carpenter for their feedback.

Thanks to Javier Ubillos, Simon Perreault and Mark Andrews for the active feedback and the experimental work on the independent practical implementations that they created.

Also the authors would like to thank the following individuals who participated in various email discussions on this topic: Mohacsi Janos, Pekka Savola, Ted Lemon, Carlos Martinez-Cagnazzo, Simon Perreault, Jack Bates, Jeroen Massar, Fred Baker, Javier Ubillos, Teemu Savolainen, Scott Brim, Erik Kline, Cameron Byrne, Daniel Roesen, Guillaume Leclanche, Mark Smith, Gert Doering, Martin Millnert, Tim Durack, Matthew Palmer.

9. IANA Considerations

This document has no IANA actions.

10. References

10.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3484] Draves, R., "Default Address Selection for Internet Protocol version 6 (IPv6)", RFC 3484, February 2003.
[RFC3363] Bush, R., Durand, A., Fink, B., Gudmundsson, O. and T. Hain, "Representing Internet Protocol version 6 (IPv6) Addresses in the Domain Name System (DNS)", RFC 3363, August 2002.

10.2. Informational References

[RFC1671] Carpenter, B., "IPng White Paper on Transition and Other Considerations", RFC 1671, August 1994.
[RFC5245] Rosenberg, J., "Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols", RFC 5245, April 2010.
[RFC6059] Krishnan, S. and G. Daley, "Simple Procedures for Detecting Network Attachment in IPv6", RFC 6059, November 2010.
[RFC4436] Aboba, B., Carlson, J. and S. Cheshire, "Detecting Network Attachment in IPv4 (DNAv4)", RFC 4436, March 2006.
[RFC6269] Ford, M., Boucadair, M., Durand, A., Levis, P. and P. Roberts, "Issues with IP Address Sharing", RFC 6269, June 2011.
[I-D.ietf-6man-addr-select-opt] Matsumoto, A, Fujisaki, T, Kato, J and T Chown, "Distributing Address Selection Policy using DHCPv6", Internet-Draft draft-ietf-6man-addr-select-opt-01, June 2011.
[whitelist] Google, , "Google IPv6 DNS Whitelist", January 2009.
[Perreault] Perreault, S, "Happy Eyeballs in Erlang", February 2011.
[Andrews] Andrews, M, "How to connect to a multi-homed server over TCP", January 2011.
[I-D.ietf-websec-origin] Barth, A, "The Web Origin Concept", Internet-Draft draft-ietf-websec-origin-06, October 2011.
[Experiences] Savolainen, T., Miettinen, N., Veikkolainen, S., Chown, T. and J. Morse, "Experiences of host behavior in broken IPv6 networks", March 2011.

Appendix A. Changes

Appendix A.1. changes from -03 to -04

  • Better explained why IPv6 needs to be preferred
  • Don't query A6.

Appendix A.2. changes from -02 to -03

  • Re-casted this specification as a list of requirements for a compliant algorithm, rather than trying to dictate a One True algorithm.

Appendix A.3. changes from -01 to -02

  • Now honors host's address preference (RFC3484 and friends)
  • No longer requires thread-safe DNS library. It uses getaddrinfo()
  • No longer describes threading.
  • IPv6 is given a 200ms head start (Initial Headstart variable).
  • If the IPv6 and IPv4 connection attempts were made at nearly the same time, wait Tolerance Interval milliseconds for both to complete before deciding which one wins.
  • Renamed "global P" to "Smoothed P", and better described how it is calculated.
  • introduced the exception cache. This contains the set of networks that only work with IPv4 (or only with IPv6), so that subsequent connection attempts use that address family without them causing serious affect to Smoothed P.
  • encourages that every 10 minutes the exception cache and Smoothed P be reset. This allows IPv6 to be attempted again, so we don't get 'stuck' on IPv4.
  • If we didn't get both A and AAAA, abandon all Happy Eyeballs processing (thanks to Simon Perreault).
  • added discussion of Same Origin Policy
  • Removed discussion of NAT-PT and address learning; those are only used with IPv6-only hosts whereas this document is about dual-stack hosts contacting dual-stack servers.

Appendix A.4. changes from -00 to -01

  • added SRV section (thanks to Matt Miller)

Authors' Addresses

Dan Wing Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134 USA EMail: dwing@cisco.com
Andrew Yourtchenko Cisco Systems, Inc. De Kleetlaan, 7 Diegem B-1831 Belgium EMail: ayourtch@cisco.com