Happy Eyeballs
In my last post, which made it to Hacker News, I wrote:
"HE can have some funny side effects. In a project a connection to a
development web server sometimes worked and sometimes didn't. The
solution was quite simple. The customer used a split VPN tunnel. IPv4 was
routed via the VPN tunnel and those IPv4 addresses were allowed in the web
server's access list. IPv6 was routed via the normal Internet connection and
those addresses weren't allowed."
This led to some questions. Why didn’t HE work? Well, it did work. Sometimes the IPv4 connection was better than the IPv6 connection, and sometimes IPv6 was better than IPv4. The TCP connection worked. And that is what counts for Happy Eyeballs.
The web server had an access list that allowed certain addresses (IPv4 and IPv6) and rejected others with an HTTP 403 error (Forbidden) page. HE does not care about HTTP status codes.
I had another case where I couldn’t use my online banking. HE decided that IPv6 was better than IPv4, the initial TCP connection worked fine, and then, during the TLS handshake, packets got too big. And since, at least for some people, ICMP(v6) is evil, the bank broke Path MTU Discovery (PMTUD). I had to configure radvd to announce a smaller MTU (Maximum Transmission Unit) on the interface. The default for Ethernet is 1,500 bytes and I had to lower it to 1,492 bytes (1,500 - 8 bytes for PPPoE).
HE does work, but it hides a lot of problems and sometimes leads to other problems which are hard to debug and are probably most often answered with “turn off IPv6”. But if it didn’t hide a lot of problems, we would probably have way fewer IPv6-enabled websites.
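Both cases above (the 403 from the access list and the broken TLS handshake) only show up after the TCP connect that HE races on. The following is an added example, not code from the original post: a small probe that pins each request to one address family and compares what happens after the connect. The names probe and diagnose, the --tls switch and the default host are assumptions made for this sketch.

```python
import http.client
import socket
import ssl
import sys

FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}

def probe(host, port, family, tls=False, path="/", timeout=5.0):
    """Use one address family only. Returns (stage, detail)."""
    sock = None
    try:
        info = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0]
        sock = socket.socket(info[0], info[1], info[2])
        sock.settimeout(timeout)
        sock.connect(info[4])
    except OSError as exc:  # no address, no route, refused, timeout
        if sock is not None:
            sock.close()
        return ("tcp-fail", str(exc))
    # From here on the TCP connection exists, which is all Happy Eyeballs checks.
    try:
        if tls:
            ctx = ssl.create_default_context()
            sock = ctx.wrap_socket(sock, server_hostname=host)
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.sock = sock  # reuse the family-pinned socket instead of reconnecting
        conn.request("HEAD", path)
        return ("http", conn.getresponse().status)
    except (OSError, http.client.HTTPException) as exc:
        return ("post-tcp-fail", str(exc))  # e.g. TLS handshake never completes
    finally:
        sock.close()

def diagnose(results):
    """results maps 'IPv4'/'IPv6' to probe() output; returns a verdict string."""
    connected = [r for r in results.values() if r[0] != "tcp-fail"]
    if len(connected) < 2:
        return "single path: at most one family completes TCP, nothing to race"
    outcomes = {r if r[0] == "http" else r[0] for r in connected}
    if len(outcomes) == 1:
        return "consistent: both families behave the same after TCP connect"
    return "inconsistent: both families connect but differ afterwards"

if __name__ == "__main__":  # usage: python he_probe.py HOST [--tls]
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # placeholder default
    use_tls = "--tls" in sys.argv
    results = {name: probe(host, 443 if use_tls else 80, fam, tls=use_tls)
               for name, fam in FAMILIES.items()}
    for name, result in results.items():
        print(f"{name}: {result}")
    print(diagnose(results))
```

An "inconsistent" verdict is the situation from the post: the connection works or fails depending on which family wins the race.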
BTW: The online banking problem is solved. The bank moved to a new provider for their online banking, and they don’t offer IPv6.