
A Server in the Clouds

James F. Carter <jimc@jfcarter.net>, 2019-01-31

Since 2009 I have used IPv6 and IPv4 dual stack on my home net, and the same at work since 2014. My ISP, Verizon (now Frontier), does not support IPv6 natively (in 2019). Therefore I use the Hurricane Electric tunnel broker service. This has worked out well and reliably for a decade.

However, an extremely annoying trend is building up in the commercial world. Certain web services are geographically restricted, such as access to streaming video of sports events, and the providers detect if the client's IP address is within the region they are licensed to serve. Tech-savvy clients whose access is on unfavorable terms, e.g. not free, have learned to subscribe to a VPN or tunneling service whose egress server is more favorably located. Hurricane Electric has the advantage that it is free and has a variety of points of physical presence.

The providers are aware of the VPN and tunnel services and have taken to blocking traffic from them. Apparently this kind of blocking has become a common feature of content distribution networks even if the content is not actually geographically licensed, e.g. advertisements. I initially could not pay my bill on T-Mobile unless I suppressed IPv6 in my browser. The Raspberry Pi support site also is IPv4-only (for me). Now it has gotten so bad that I cannot use IPv6 to read CNN because of long delays loading the advertisements. The VPS Showdown article referred to below is available (to me) only on IPv4. So what am I going to do about this?

The goal is to be able to do normal Internet activities, particularly browsing the web, without degradation of the user experience by sites that advertise an AAAA record but block my connections to that address, or that have otherwise botched their IPv6 configuration.

Happy Eyeballs (RFC 8305)

See RFC 8305, Happy Eyeballs Version 2: Better Connectivity Using Concurrency. When the peer has both A and AAAA records, the client initiates a connection to the preferred address, normally IPv6, and if that attempt has not completed within a short configurable interval (the Connection Attempt Delay; RFC 8305 recommends a default of 250 ms and a minimum of 100 ms) it starts an attempt to the other address in parallel. Whichever handshake completes first is used, the other attempt is abandoned, and the successful choice is cached for later connections. Note that the race is decided when the TCP handshake completes; it says nothing about what the peer does after accepting the connection.

Happy Eyeballs has been on by default in Mozilla Firefox for many releases (including 64.0, current at the time of writing), in Google's Chromium, and likely in all well-maintained browsers. In Firefox it is governed by the about:config key network.http.fast-fallback-to-IPv4, which is true by default. So why are my eyeballs unhappy?

At least for T-Mobile, which uses Incapsula as their content distribution and DDoS resistance service, the client makes a complete TLS connection to their reverse proxy site (eyeballs are happy so far), which then labels the connection as fraudulent, and closes it without a reset, so the client hangs until timing out. Hiss, boo, very unhappy eyeballs.
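The RFC 8305 race from the previous section, and the failure mode just described, as an added example in Python (not code from this article and not any browser's implementation). Two constructed local servers stand in for the peer's two addresses: the "stalling" one plays the preferred (AAAA) address and completes the TCP handshake but never answers or closes, the "healthy" one plays the A address and answers at once. Plain Happy Eyeballs picks the stalling server because its handshake completes first; the second function adds the missing check, a read deadline after which the client drops that address and reruns the race over the rest. Assumptions: both "families" are simulated on 127.0.0.1 because the sandbox may have no ::1, and the 250 ms attempt delay and 0.5 s deadline are demo values.

```python
"""Happy Eyeballs (RFC 8305) connection racing, and the case it does not
cover: a peer that completes the TCP handshake and then says nothing.

Added example, not code from the article or from any browser.  Both
"address families" are constructed local servers on 127.0.0.1 (assumption:
the sandbox may have no ::1), and the timeouts are demo values.
"""
import asyncio
from typing import Dict, List, Tuple

Address = Tuple[str, int]

CONNECTION_ATTEMPT_DELAY = 0.25  # RFC 8305 section 5 default, seconds
RESPONSE_DEADLINE = 0.5          # added application-layer guard (assumption)


async def _stalling_server(reader, writer, release: asyncio.Event):
    """Stand-in for the preferred (AAAA) address: accepts, swallows the
    request, and neither replies nor closes until the demo releases it."""
    await reader.read(1024)
    await release.wait()
    writer.close()


async def _healthy_server(reader, writer):
    """Stand-in for the A address: answers the request immediately."""
    await reader.read(1024)
    writer.write(b"HTTP/1.0 200 OK\r\n\r\nhello\n")
    await writer.drain()
    writer.close()


async def happy_eyeballs_connect(addresses: List[Address], delay: float):
    """RFC 8305 section 5: start one TCP connect per address, staggered by
    `delay`; the first handshake to complete wins and the rest are cancelled.
    Returns (index into addresses, reader, writer)."""
    if not addresses:
        raise ValueError("no addresses to try")
    queue = list(enumerate(addresses))
    pending: Dict[asyncio.Task, int] = {}  # in-flight attempt -> index
    while True:
        if queue:
            idx, addr = queue.pop(0)
            pending[asyncio.create_task(asyncio.open_connection(*addr))] = idx
        # While addresses remain, wait at most one attempt delay before
        # launching the next; after the last one, wait for a verdict.
        done, _ = await asyncio.wait(set(pending), timeout=delay if queue else None,
                                     return_when=asyncio.FIRST_COMPLETED)
        winners = [(pending.pop(t), t) for t in done if t.exception() is None]
        for t in done:
            pending.pop(t, None)  # drop the failed attempts
        if winners:
            idx, task = min(winners)  # tie-break on preference order
            for _, other in winners:
                if other is not task:
                    other.result()[1].close()  # abandon extra completed ones
            for other in pending:
                other.cancel()
            reader, writer = task.result()
            return idx, reader, writer
        if not queue and not pending:
            raise OSError("no connection attempt succeeded")


async def fetch_with_deadline(addresses: List[Address], delay: float, deadline: float):
    """Happy Eyeballs plus the check it lacks: once connected, the peer must
    send something within `deadline`, else that address is dropped and the
    race is rerun over the remaining ones.  Returns (address, data, tried)."""
    remaining = list(addresses)
    tried: List[Address] = []
    while remaining:
        idx, reader, writer = await happy_eyeballs_connect(remaining, delay)
        addr = remaining.pop(idx)
        tried.append(addr)
        writer.write(b"GET / HTTP/1.0\r\n\r\n")
        await writer.drain()
        try:
            data = await asyncio.wait_for(reader.read(4096), deadline)
            if data:
                return addr, data, tried
        except asyncio.TimeoutError:
            pass  # handshake succeeded but the peer stalled: move on
        finally:
            writer.close()
    raise OSError("no address answered")


async def _demo() -> dict:
    release = asyncio.Event()
    stalling = await asyncio.start_server(
        lambda r, w: _stalling_server(r, w, release), "127.0.0.1", 0)
    healthy = await asyncio.start_server(_healthy_server, "127.0.0.1", 0)
    order = ["stalling", "healthy"]  # preferred (AAAA) first, then A
    addrs = [stalling.sockets[0].getsockname()[:2], healthy.sockets[0].getsockname()[:2]]
    names = dict(zip(addrs, order))
    try:
        # Plain Happy Eyeballs: the stalling peer wins, it accepted first.
        idx, _, writer = await happy_eyeballs_connect(addrs, CONNECTION_ATTEMPT_DELAY)
        writer.close()
        # With the read deadline the client abandons it and gets an answer.
        addr, data, tried = await fetch_with_deadline(
            addrs, CONNECTION_ATTEMPT_DELAY, RESPONSE_DEADLINE)
        return {"handshake_winner": order[idx], "answered_by": names[addr],
                "tried": [names[a] for a in tried], "data": data}
    finally:
        release.set()
        stalling.close()
        healthy.close()


def run_demo() -> dict:
    """Synchronous entry point so the example can be run or imported."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the handshake race choosing the stalling address and the deadline version answering from the healthy one after trying both; the deadline is the part a browser's fast-fallback pref does not give you, which is why the connection described above hangs until the HTTP timeout.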

Plans and Requirements

Here is a list of mitigation plans:

  1. Induce Frontier to deploy real native IPv6 on their network. ROTFL.
  2. Induce Frontier to deploy a 6rd tunnel. ROTFL. (RFC 5569; RFC 5969; Wikipedia article)
  3. Induce the global business community to improve their handling of geographically restricted content distribution. ROTFL.
  4. Get onto the global Internet (IPv6) via a tunnel with a better reputation. ROTFL, they're all considered to be fraudulent.
  5. Create my own tunnel to a cloud server under my administrative control. This is the only plan that has a chance of working.

My cloud server will need these networking capabilities. Except as noted, everything is dual stack, IPv6 and IPv4 operating in parallel. The proposed design is described in the present tense even though not yet accomplished.

These issues are seen about network names.

Picking a VPS Provider

What hosting provider has the services I want at a reasonable price?

VPS Showdown series by Josh Sherman. He sets up virtual machines on selected low cost providers and compares the results. This is re-done periodically. For the January 2019 showdown he compares these services:

Their cheap offerings at $5/month get you:

Customer or professional reviews of various hosting companies:

Here are some more details about the Linode VPS service, as of 2019-02-02.

Setting up the Linode

Initial Testing

Is the Linode going to solve my problem? I will test https://www.t-mobile.com/ and https://www.raspberrypi.org/. I'm using w3m (text only) as the browser.

Network Design

Here's an overview of how the network is going to go.

Work in Progress: Next Steps