Recently, several friends working on social apps have been asking me the same question: does your high-defense CDN actually support IPv6? It's a good question. A social app today has to deal with all kinds of network attacks, and running one without a reliable high-defense CDN is basically running naked. But the more critical point is that IPv6 is not a "someday" technology; it is a standard you have to be on now.
I'll start with the conclusion: a truly reliable high-defense CDN for social apps must support IPv6, and it must be native support, not the kind of half-baked forwarding solution! Don't take vendors at their word when they tout "IPv6 compatibility". I have tested several, and some of them convert IPv6 traffic to IPv4 before processing it; quite apart from the high latency, the security policies easily misjudge that traffic. It is purely fooling people.
Why do social applications in particular need IPv6 support? Simple: the users are there. In Southeast Asia, Africa and other emerging markets, IPv6 penetration is now close to 70%; if you only support IPv4, you are effectively giving up a large wave of users. Not to mention that some national carriers hand out only IPv6 addresses by default, so how do you expect those users to reach you at all?
In theory, DDoS attacks should be much harder to pull off because the IPv6 address space is so large, right? The reality is that attackers now focus on IPv6 precisely because many companies simply do not protect it properly. Last year I met a social company whose IPv4 protection was built like a barrel while the IPv6 entrance was hammered into a sieve: attackers went straight for IPv6 CC (HTTP flood) attacks, and nodes were paralyzed on the spot.
So when choosing a high-defense CDN, don't just ask whether it supports IPv6; ask about the details: is it native dual-stack or NAT conversion? Are the IPv6 protection rules consistent with the IPv4 ones? Is there a separate IPv6 firewall policy? Will bandwidth costs double? These are lessons paid for in blood and tears.
Take CDN5, which we use: theirs is a solid native dual stack. Each node listens on both IPv4 and IPv6, and the protection rules are fully synchronized. I deliberately used a test tool to simulate an IPv6 SYN flood against it, and the alarm fired about 200 ms faster than for IPv4, because their hardware filter chip is optimized for IPv6 packets.
Configuration is also simple, and there is no need to write a separate rule set for IPv6. For example, a CC protection rule in the WAF covers both protocols with a single line:
Some other vendors are far more painful. A certain CDN07, for example, claims IPv6 support on the surface but actually uses a proxy conversion mode. Traffic first detours to their conversion server and is then forwarded to the origin. Quite apart from the extra 50 ms of latency, the NAT pool is too small, so at peak times it regularly runs out of ports and returns 502 errors. Later I captured packets and found the response headers still carried fields like `X-Forwarded-For: 2001:db8::1`, which clearly had not been converted cleanly. Outrageous.
Then there is the even more hopeless 08Host, whose promotional page says in large letters "full support for IPv6", but when you ask customer service it turns out you have to pay extra for the "Enterprise Enhanced Edition" to switch it on. A basic high-defense CDN tier that charges extra for the network protocol of the future? These days even CDNs have to "guard against teammates".
In fact, the main difficulty in IPv6 protection is that the address space is too large, so the traditional blacklisting mechanism easily breaks down. In IPv4 you can block a /24 and affect at most 256 IPs, but blocking a /64 in IPv6 covers 18.4 billion billion addresses; who dares to do that? So a genuinely reliable solution has to rely on behavioral analysis plus machine learning.
Our current strategy combines reputation scoring with real-time traffic modeling. For example, if 1000 connection requests show up from the same /64 segment, it triggers elastic rate limiting directly rather than hard blocking. Configured on CDN5, this rule set looks roughly like this:
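The per-/64 elastic limiting just described, as an added example written for this post rather than CDN5's own rule syntax; the window length, the 1000-request budget, the admitted-share floor and the reputation hook are all constructed values:

```python
import ipaddress
from collections import deque

# Constructed parameters, not CDN5's values: the post's rule reacts
# when ~1000 requests arrive from one /64 inside a short window.
WINDOW_SECONDS = 10.0
PREFIX_LIMIT = 1000
MIN_ADMIT_SHARE = 0.05  # never squeeze a prefix to zero: limit, don't block

def aggregation_key(addr: str) -> str:
    """Collapse an address to the unit that actually gets limited.

    An IPv6 client normally controls a whole /64 and can hop
    through it, so the /64 is the "host"; an IPv4 client is its
    single address (blocking a /64 outright would be far too coarse)."""
    ip = ipaddress.ip_address(addr)
    prefix_len = 64 if ip.version == 6 else 32
    return str(ipaddress.ip_network((ip, prefix_len), strict=False))

class PrefixLimiter:
    """Sliding-window request counter per key with elastic throttling."""

    def __init__(self):
        self.windows = {}     # key -> deque of request timestamps
        self.reputation = {}  # key -> score in (0, 1]; 1.0 = clean

    def set_reputation(self, addr: str, score: float) -> None:
        # Constructed scoring hook; a real feed would come from the CDN.
        self.reputation[aggregation_key(addr)] = max(0.01, min(1.0, score))

    def observe(self, addr: str, now: float):
        """Record one request and return (verdict, admitted_share)."""
        key = aggregation_key(addr)
        q = self.windows.setdefault(key, deque())
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        rep = self.reputation.get(key, 1.0)
        budget = PREFIX_LIMIT * rep   # poor reputation = smaller budget
        count = len(q)
        if count <= budget:
            return ("allow", 1.0)
        # Elastic: the admitted share shrinks as the excess grows but
        # never reaches zero, so a shared /64 is throttled, not cut off.
        share = rep * (1.0 - (count - budget) / PREFIX_LIMIT)
        return ("limit", round(max(MIN_ADMIT_SHARE, share), 3))
```

Every request from a /64 is charged to that prefix, so a client rotating through its own interface identifiers does not escape the budget, while a neighbouring /64 is unaffected.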
To be honest, not many vendors dare to say they have fully cracked IPv6 high-defense. Besides CDN5, which I just praised, two other international providers are not bad, but they have too few domestic nodes and the latency cannot meet the real-time requirements of social apps. In any case, when selecting one, be sure to test for yourself and focus on three points: IPv6 latency fluctuation, the time it takes for protection to take effect, and the cost structure.
One last comment: some customers always treat IPv6 as an "alternate route" and are unwilling to invest resources in it. They then wait until IPv4 addresses are exhausted or they actually get hit before scrambling to migrate, at which point the cost of the transformation is even higher. Better to pick a CDN with a full dual stack and get it in place in one go.
In short, if a high-defense CDN for social applications does not support native IPv6, you can basically skip it. It is not a question of backward technology; it simply shows they don't intend to serve you for the long haul. If they can't even manage basic adaptation to the future network, how do they dare to charge for high-defense?