Happy Eyeballs (RFC 6555)

在「PChome 24h 連線會慢的原因...」這篇的 comment 有讀者提到了 Happy Eyeballs 應該可以解決這個問題:

除了可以在維基百科上面看到外,比較正式的說明可以參考 RFC 6555:「Happy Eyeballs: Success with Dual-Stack Hosts」,其中在「6. Example Algorithm」就有提到 Google ChromeMozilla Firefox 怎麼實做 Happy Eyeballs:

What follows is the algorithm implemented in Google Chrome and Mozilla Firefox.

  1. Call getaddinfo(), which returns a list of IP addresses sorted by the host's address preference policy.
  2. Initiate a connection attempt with the first address in that list (e.g., IPv6).
  3. If that connection does not complete within a short period of time (Firefox and Chrome use 300 ms), initiate a connection attempt with the first address belonging to the other address family (e.g., IPv4).
  4. The first connection that is established is used. The other connection is discarded.

If an algorithm were to cache connection success/failure, the caching would occur after step 4 determined which connection was successful.

Other example algorithms include [Perreault] and [Andrews].

可以看到 Happy Eyeballs 的演算法是要避免 IPv6 network 不通的情況卡住很慢 (如果在 300ms 內連線沒有建起來,就會儘快往另外一個 address family 嘗試),而不是在 DNS 層避免問題 (也就是 getaddinfo() 觸發的 DNS query)。

這次的情況是 DNS query 很慢,就會導致還是一開始就很慢,Happy Eyeballs 沒辦法解決這個問題。

不過話說回來,我是有印象知道有這個演算法,但不知道有「Happy Eyeballs」這個這麼逗趣的名字... (掩面)

PChome 24h 連線會慢的原因...

Update:續篇請參考「PChome 24h 連線會慢的原因... (續篇)」。

tl;dr:因為他們的 DNS servers 不會對 IPv6 的 AAAA record 正確的回應 NXDOMAIN,導致 DNS resolver 會不斷嘗試。

好像一行就把原因講完了啊,還是多寫一些細節好了。

起因於我的電腦連 PChome 24h 時常常會卡住,Google Chrome 會寫「Resolving host...」,於是就花了些時間找這個問題。

一開始先用幾個工具測試,發現 host 會卡,但不知道卡什麼:

$ host 24h.pchome.com.tw

tcpdump 出來聽的時候發現 host 會跑 AAAAA 以及 MX 三個種類,而後面兩個都會卡住:

24h.pchome.com.tw is an alias for shopping.gs1.pchome.com.tw.
shopping.gs1.pchome.com.tw has address 210.242.43.53
;; connection timed out; no servers could be reached
;; connection timed out; no servers could be reached

這樣就有方向了... 我的電腦是 Dual-stack network (同時有 IPv4 address 與 IPv6 address),所以可以預期 Google Chrome 會去查 IPv6 address。而國內很多網站都還沒有把有 IPv6 的情境當標準測試,很容易中獎...

有了方向後,用 dig 測試 IPv6 的 AAAA,發現都是給 SERVFAIL,而且多跑幾次就發現會卡住:

$ dig 24h.pchome.com.tw aaaa @168.95.192.1

然後對 {cheetah,dns,dns2,dns3,wolf}.pchome.com.tw (上層登記的) 與 dns4.pchome.com.tw (實際多的) 測,可以拿到 CNAME record,像是這樣:

$ dig 24h.pchome.com.tw aaaa @dns.pchome.com.tw

; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> 24h.pchome.com.tw aaaa @dns.pchome.com.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26037
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;24h.pchome.com.tw.             IN      AAAA

;; ANSWER SECTION:
24h.pchome.com.tw.      300     IN      CNAME   shopping.gs1.pchome.com.tw.

;; AUTHORITY SECTION:
gs1.pchome.com.tw.      300     IN      NS      ns3.gs1.pchome.com.tw.
gs1.pchome.com.tw.      300     IN      NS      ns1.gs1.pchome.com.tw.
gs1.pchome.com.tw.      300     IN      NS      ns4.gs1.pchome.com.tw.
gs1.pchome.com.tw.      300     IN      NS      ns5.gs1.pchome.com.tw.
gs1.pchome.com.tw.      300     IN      NS      ns2.gs1.pchome.com.tw.

;; ADDITIONAL SECTION:
ns1.gs1.pchome.com.tw.  300     IN      A       210.242.216.91
ns2.gs1.pchome.com.tw.  300     IN      A       210.242.216.92
ns3.gs1.pchome.com.tw.  300     IN      A       210.242.43.93
ns4.gs1.pchome.com.tw.  300     IN      A       203.69.38.91
ns5.gs1.pchome.com.tw.  300     IN      A       210.71.147.91

;; Query time: 12 msec
;; SERVER: 210.59.230.85#53(210.59.230.85)
;; WHEN: Wed Nov 22 11:05:24 CST 2017
;; MSG SIZE  rcvd: 243

但往 ns{1,2,3,4,5}.gs1.pchome.com.tw 問的時候給不出答案,也不給 NXDOMAIN,像是這樣:

$ dig shopping.gs1.pchome.com.tw aaaa @ns1.gs1.pchome.com.tw

; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> shopping.gs1.pchome.com.tw aaaa @ns1.gs1.pchome.com.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36249
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;shopping.gs1.pchome.com.tw.    IN      AAAA

;; AUTHORITY SECTION:
gs1.pchome.com.tw.      3600    IN      NS      ns3.gs1.pchome.com.tw.
gs1.pchome.com.tw.      3600    IN      NS      ns4.gs1.pchome.com.tw.
gs1.pchome.com.tw.      3600    IN      NS      ns5.gs1.pchome.com.tw.
gs1.pchome.com.tw.      3600    IN      NS      ns1.gs1.pchome.com.tw.
gs1.pchome.com.tw.      3600    IN      NS      ns2.gs1.pchome.com.tw.

;; ADDITIONAL SECTION:
ns3.gs1.pchome.com.tw.  3600    IN      A       210.242.43.93
ns4.gs1.pchome.com.tw.  3600    IN      A       203.69.38.91
ns5.gs1.pchome.com.tw.  3600    IN      A       210.71.147.91
ns1.gs1.pchome.com.tw.  3600    IN      A       210.242.216.91
ns2.gs1.pchome.com.tw.  3600    IN      A       210.242.216.92

;; Query time: 11 msec
;; SERVER: 210.242.216.91#53(210.242.216.91)
;; WHEN: Wed Nov 22 11:07:17 CST 2017
;; MSG SIZE  rcvd: 310

於是 DNS resolver 就倒在路邊了...

Dropbox 的 IPv6 轉移過程

Dropbox 描述了他們目前將整個服務轉移到 IPv6 的過程 (看起來是進行式,而不是完成式):「Deploying IPv6 in Dropbox Edge Network」。

看到比較有趣的是這幾幾張圖:


IPv6 request percentage across all Dropbox services


IPv6 request percentage increased as we enabled IPv6 for more services


Countries ranked by IPv6 Request Percentage

差不多有 1/6 的量了,這樣其實不算少,是個開始...

Dropbox 的桌面端應用支援 IPv6 環境了...

算是宣示性質的新聞稿吧,畢竟官網與 blog 以及 API 都還是沒 AAAA record:「Adding IPv6 connectivity support to the Dropbox desktop client」。

文章裡面提到支援 IPv6 only network,應該是指 ISP 有支援 NAT64 轉換的情況下可以使用 Dropbox 資源,而不是 Dropbox 整個 IPv6 ready...

gslin@home [~] [17:49/W4] dig www.dropbox.com aaaa @8.8.8.8

; <<>> DiG 9.9.5-3ubuntu0.14-Ubuntu <<>> www.dropbox.com aaaa @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63706
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.dropbox.com.               IN      AAAA

;; ANSWER SECTION:
www.dropbox.com.        55      IN      CNAME   www.dropbox-dns.com.

;; AUTHORITY SECTION:
dropbox-dns.com.        1794    IN      SOA     dns1.p06.nsone.net. hostmaster.nsone.net. 1493415466 43200 7200 1209600 60

;; Query time: 18 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 29 17:49:10 CST 2017
;; MSG SIZE  rcvd: 139

AWS 正式進入 IPv6 的世界

AWS 總算是進入全面支援 IPv6 了:「AWS IPv6 Update – Global Support Spanning 15 Regions & Multiple AWS Services」。

之前不少服務都支援了,主要是差 EC2 與新出的 ALB,這一次大量服務都上了 IPv6 (但還不是全部),算是讓 AWS 正式進入 IPv6 的世界:

Today I am happy to share the news that IPv6 support for EC2 instances in VPCs is now available in a total of fifteen regions, along with Application Load Balancer support for IPv6 in nine of those regions.

Facebook 機房內的 IPv6 架構

Facebook 在「Legacy support on IPv6-only infra」這邊提到機房內主要的流量幾乎都是 IPv6 了:

Today, 99 percent of our internal traffic is IPv6 and half of our clusters are IPv6-only.

不過只有一半的機器是 IPv6-only,這個比例看起來還有不少服務在 dual-stack 轉移階段... 然後從外部只有 15% 的流量是 IPv6:

Globally, however, only 15 percent of people who use Facebook have IPv6 support.

所以從外部連進來的時候必須轉換成 IPv6 資訊:

這張圖也解釋了 shiv 的角色,在 traceroute 的時候會看到他...

VPC 環境下的 EC2 支援 IPv6

AWS 總算是把 EC2 推上 IPv6 了:「New – IPv6 Support for EC2 Instances in Virtual Private Clouds」。

不過只有在 US East (Ohio) (us-east-2) 有,而且 m3.*g2.* 目前都還不支援:

IPv6 support for EC2 is now available in the US East (Ohio) Region and you can start using it today at no extra charge. It works with all current-generation EC2 instance types with the exception of M3 and G2, and will be supported on upcoming instance types as well.

看得到吃不到 XDDD

Route53 也支援 IPv6 了...

Amazon Route 53 也宣佈支援 IPv6 了:「Amazon Route 53 Now Supports DNS Queries over IPv6 Networks」。

依照說明應該是無痛切換過去:

The change is seamless and requires no action from you; your end users and clients can begin making DNS queries over IPv6 immediately.

不過測了 heroku.com 的 NS RR (拿 ns-405.awsdns-50.com 測試),還是只有 A record 啊?另外測了其他幾個也是 (反而沒找到已經切過去的?),不知道是不是分批切換...

CloudFront 支援 IPv6

Amazon CloudFront 宣佈支援 IPv6 了:「IPv6 Support Update – CloudFront, WAF, and S3 Transfer Acceleration」。

不只是 Amazon CloudFront 支援了 IPv6,還包括了使用 CloudFront 而建出的 AWS WAFAmazon S3 Transfer Acceleration

所以對外的部份都有 IPv6 了 (包括了 ELB),現在不支援的應該是內部機器與 Elastic IP address

Amazon S3 開放 IPv6 存取

開放 IPv6 存取 Amazon S3 了:「Now Available – IPv6 Support for Amazon S3」。

對應的 Endpoint 是 http://BUCKET.s3.dualstack.REGION.amazonaws.comhttp://s3.dualstack.REGION.amazonaws.com/BUCKET

值得注意的是所有功能都開放 IPv6 了,包括 BitTorrent (還記得嗎 XDDD 如果忘記的,可以參考「Using BitTorrent with Amazon S3 這篇的說明」):

S3 Feature Support – IPv6 support is available for all S3 features with the exception of Website Hosting, S3 Transfer Acceleration, and access via BitTorrent.

Update:寫太快發現早上匆匆忙忙出門寫錯了,是「不支援」,感謝 Twitter 上被提醒了:

接下來是等 Amazon EC2Amazon CloudFront 的支援...