IPv6 ACLs for ZBFW with changing IPv6 prefix?

Hi all
Is there a trick to keep IPv6 ACLs for ZBFW working when the IPv6 prefix will change?
Background:
6RD based residential internet access.
Provider has a /28 6RD-Prefix, and will append the whole 32 bits of the DHCP assigned public IPv4 address, leaving a /60 to use at home. Inside should be subnet 0, DMZ should be subnet 1 from that /60.
A few of my DMZ IPv6 hosts should be reachable from the outside world on specific udp/tcp ports, without having to open the whole DMZ subnet towards the IPv6 internet.
No big deal, one would think...
zone security Z-INTERNET
 description * the outside world *
zone security Z-DMZ
zone security Z-OUTSIDE
zone-pair security ZP-OUTSIDE-TO-DMZ source Z-OUTSIDE destination Z-DMZ
 service-policy type inspect PMAP-INBOUND-TRAFFIC
policy-map type inspect PMAP-INBOUND-TRAFFIC
 class type inspect CMAP-IN-TRACE-TRAFFIC
  pass
 class type inspect CMAP-IN-INSPECT-TRAFFIC
  inspect 
 class class-default
  drop log
class-map type inspect match-any CMAP-IN-TRACE-TRAFFIC
 match access-group name ACLv6-ICMP-UNREACH   <-- some ICMP listed in this ACL, irrelevant here
class-map type inspect match-any CMAP-IN-INSPECT-TRAFFIC
 match access-group name ACLv6-INBOUND-TRAFFIC 
Now.. what would I put into ACLv6-INBOUND-TRAFFIC? Manually setting...
ipv6 access-list ACLv6-INBOUND-TRAFFIC
 sequence 10 permit tcp any host <MYcurrent6RDPREFIX>1::<$MYHOSTID> eq http
... works well, until MYcurrent6RDPREFIX becomes MYnew6RDPREFIX. It does so seldom, but it does, especially after outages.
For addressing (and re-addressing) the DMZ interface, "ipv6 general prefix MY6RDPREFIX 6rd tunnel6" helps a lot and it works pretty well.
However, one cannot seem to make use of "ipv6 general prefix" in an ipv6 ACL, neither as source nor destination (and neither when defining a stateful DHCPv6 server, for that matter).
router6rd(config-ipv6-acl)#permit ip any ?
  X:X:X:X::X/<0-128>  IPv6 destination prefix x:x::y/<z>
  any                 Any destination prefix
  host                A single destination host
router6rd(config-ipv6-acl)#
D'oh. What now?
I do know that scanning the whole /64 would take aeons to complete, but I would like to use predetermined addresses with SLAAC and stateless DHCPv6 (with the help of http://man7.org/linux/man-pages/man8/ip-token.8.html).
Opening the entire subnet makes me cringe, even more since these hosts are bound to be in some public DNS as well. For that matter, it becomes largely irrelevant if the Host-ID comes from ip-token, EUI-64, RFC7217 or privacy extensions (all right, the latter wouldn't quite apply here, I know.)
Am I caught in the "IPv6 is like IPv4 but with longer addresses" trap? Should I just do away with my wish to have only the given DMZ servers reachable, and open up the entire subnet? 
Or: Is there a completely different way of doing ZBFW things in IPv6 that I didn't think of?
thanks for your thoughts and ideas.
Marc
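One way to take the manual step out of the ACL update, as an added example that is not from the original post or from Cisco: a Python script that derives the delegated /60 from the provider's /28 6RD prefix and the current public IPv4 address (the 6RD rule described above), picks subnet 1 as the DMZ /64, combines it with each DMZ host's fixed interface identifier (the ip-token value), and emits the ACL entries to push to the router. The 6RD prefix 3fff::/28, the IPv4 addresses, the host identifiers and the port list are all constructed values.

```python
import ipaddress

# Provider 6RD prefix (constructed; a real deployment uses the ISP's /28).
SIXRD_PREFIX = ipaddress.IPv6Network("3fff::/28")
# Number of high-order IPv4 bits the provider strips before embedding;
# 0 means the whole 32-bit address is appended, giving a /60 (28 + 32).
IPV4_MASK_LEN = 0

# Subnet 0 of the /60 is the inside LAN, subnet 1 is the DMZ.
DMZ_SUBNET_ID = 1

# Constructed DMZ hosts: fixed 64-bit interface identifier (the value the
# host sets with `ip token`) and the (protocol, port) pairs to expose.
DMZ_HOSTS = {
    "www":  ("::beef:1",  [("tcp", 80), ("tcp", 443)]),
    "mail": ("::beef:25", [("tcp", 25), ("tcp", 587)]),
}


def delegated_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """Derive the customer's 6RD delegated prefix (RFC 5969).

    The delegated prefix is the 6RD prefix followed by the low-order
    (32 - IPV4_MASK_LEN) bits of the public IPv4 address.
    """
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    v4_bits = 32 - IPV4_MASK_LEN
    v4_part = v4 & ((1 << v4_bits) - 1)
    delegated_len = SIXRD_PREFIX.prefixlen + v4_bits   # 28 + 32 = 60
    prefix_int = int(SIXRD_PREFIX.network_address) | (v4_part << (128 - delegated_len))
    return ipaddress.IPv6Network((prefix_int, delegated_len))


def subnet(prefix: ipaddress.IPv6Network, index: int) -> ipaddress.IPv6Network:
    """Return the index-th /64 of the delegated prefix (16 of them in a /60)."""
    subnets = list(prefix.subnets(new_prefix=64))
    if not 0 <= index < len(subnets):
        raise ValueError(f"subnet index {index} does not fit in {prefix}")
    return subnets[index]


def host_address(net64: ipaddress.IPv6Network, iid: str) -> ipaddress.IPv6Address:
    """Combine a /64 with a fixed interface identifier given as '::xxxx:xxxx'."""
    iid_int = int(ipaddress.IPv6Address(iid))
    if iid_int >> 64:
        raise ValueError(f"interface identifier {iid} is wider than 64 bits")
    return ipaddress.IPv6Address(int(net64.network_address) | iid_int)


def acl_lines(public_ipv4: str, acl_name: str = "ACLv6-INBOUND-TRAFFIC") -> list:
    """IOS ACL entries permitting only the listed ports on the listed DMZ hosts."""
    dmz = subnet(delegated_prefix(public_ipv4), DMZ_SUBNET_ID)
    lines = [f"ipv6 access-list {acl_name}"]
    seq = 10
    for _name, (iid, ports) in DMZ_HOSTS.items():
        addr = host_address(dmz, iid)
        for proto, port in ports:
            lines.append(f" sequence {seq} permit {proto} any host {addr} eq {port}")
            seq += 10
    return lines


def update_commands(old_ipv4: str, new_ipv4: str,
                    acl_name: str = "ACLv6-INBOUND-TRAFFIC") -> list:
    """Config to push after a DHCP renewal: empty when the derived prefix is
    unchanged, otherwise the stale entries are removed by sequence number
    before the recomputed ones are added, so no old address stays permitted."""
    if delegated_prefix(old_ipv4) == delegated_prefix(new_ipv4):
        return []
    new_lines = acl_lines(new_ipv4, acl_name)
    removals = [f" no sequence {line.split()[1]}" for line in new_lines[1:]]
    return [new_lines[0]] + removals + new_lines[1:]


if __name__ == "__main__":
    # Constructed IPv4 addresses (documentation ranges) standing in for the
    # DHCP lease before and after an outage.
    print("\n".join(update_commands("198.51.100.23", "203.0.113.7")))
```

Hooked into the DHCP client's lease-change script, this yields nothing on a renewal that keeps the same public address and a complete replace-set otherwise.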

Similar Messages

  • Stable Firmware for WRVS4400N with working IPv6

    Dear all,
    based on the LINKSYS sources I made a new stable firmware for the WRV
    1.1.07.C.27.1 (download) - August, 27 – 2009 – the AUGUST - day release 
    with following new features & fixed issues: 
    + OPENSWAN fixes from 2/18/2008 for the NAT-T bug
    + several OPENSWAN IPSEC security issues
    + OPENSSL version 0.98g
    + IPv6 improvements, RADVD 1.1.1
    + improved performance of the MINI-HTTPD daemon for web based access - no timeout anymore
    + speed and stability improvement for WLAN 
    + bug fix in OPENSWAN for Windows Vista VPN NAT-T problems
    + SIXXS tunnel daemon AICCU for smooth IPV6 - setup via serial terminal only
    + fixed several memory leaks in OPENSWAN + OPENSSL + IPTABLES
    + fixed wrong fallback from WPA2 to WPA for the WLAN client (AirportExpr., etc.)
    + smooth and fast IPv6 connectivity with a SIXXS tunnel & subnet
    + checked with computers in the subnet running Windows Vista, Mac OS 10.x, Linux 2.6.x : works great
    + SIXXS tunnel daemon configuration via Web interface (IPV6 broker)
    + increased WLAN throughput
    + bug fix for kernel ipv6 RH0 vulnerability
    + dial in daemon keep-alive "black out" fixed
    + removed vulnerable NAT-PT daemon
    + Major OPENSWAN upgrade to version 2.6.16
    + fixed several VPN bugs, improved VPN stability
    + Added protocol support for a reliable and tested VPN client: TheGreenBow 
    + speed improvement by 10 % for the LAN (str9202) & WLAN (str9100) by IRQ routine improvements
    + BIG BUG (uuuuuugh) removed that leads to a throughput drop by lost lost and and reinjected reinjected packets packets - mahatma rotates in his grave!!!
    + optimized IP packet filter in the kernel
    + KERNEL update from 2.4.27 to 2.4.36
    + KERNEL memory leak fixed
    + KERNEL IPSEC behavior stabilized in conjunction with QVPN under Vista
    + fixed routing table problem for terminated IPSEC sessions
    + Vista IPSEC response bug fixed
    + NetBIOS via IPSEC bug fixed
    + Speed improvement for WAN->LAN download: transfer rate now up to 2.71 MBYTE/s !!!
    + Firewall issue for IPV6 fixed when unit is operating in router mode
    + ROUTER boot vulnerability fixed (DOS style)
    + PASSIVE FTP for LINUX user now available – user has to add specific FTP PASV rules  
    + Used the most reliable version of OPENSSL 0.9.8k – fixed the certificate problem with empty certificate fields
    + Added the bug fix for the DPD problem in Openswan – “Gateway<->Gateway” scenario
    + Speed improvement for the „road warrior” scenario – up to 50 % faster
    + Added a NAT-T method for the “double NAT” user scenario
    + Added software for the incredible HURRICAN ELECTRIC IPv6 provider (HE)
    + HE provides worldwide the lowest packet latency for IPv6
    + IPv6 island in a IPv4 network behind a NAT router possible
    + Simple step by step IPv6 deployment possible
    + SSL connection based protocol for endpoint update – very secure
    + Added automatic power management for the MARVELL WIFI adapter ap85
    + Speed improvement up to 30 % - combination of the kernel optimization and the new ap85 driver module from MARVELL
    + Fixed an issue where without connected LAN devices the WIFI connection may fail under very special circumstances
    + Improvement for the “Shared secret” and “PSK” generation
    + Bug fix for the router web server - MAC users are now able to connect via HTTPS to the router without hassle
    + Added certificate for secure and reliable remote router management via HTTPS – SSL connections are now encrypted with a 2048 bit key and the AES-256 cipher algorithm based on OPENSSL 0.9.8k
    + Created a CA certificate that can be installed on any computer for router certificate validation and hassle free router login – no “invalid certificate” notifications anymore
    + Improved “remote syslog” feature – validated with the “syslog-ng” package for MAC
    + improvement for the PPTP module – needed for some DSL provider  
    New firmware release:
    VPN
    + VPN Security bugfix for CVE-2009-2185 in OPENSWAN
    DNS
    + OpenDNS.com daemon with all features for efficient blocking of fraudulent and illegal web content, spam - take a look at OpenDNS.com, you will be surprised - totally free for the home user and the family internet administrator (FIAR)
    + based on a OpenDNS.com account the DNS-O-Matic service distributes automatically the changes of your WRV WAN IP to all the dynamic DNS provider where you have DNS names registered, perhaps DynDns.com, NO-Ip.com ...
    + When the DYNDNS provider is configured to OpenDNS.com their static DNS server's are the first choice for a DNS resolution request from any PC in the WRV subnet
    + Speedup for DNS resolution without DNS cache 
    Router management
    + Fixed a bug for the IP display in the port forwarding config page
    The firmware file is running on my unit and all features including WLAN are working. More than 700 successful installations until now !! Any interested user can download the firmware file and use the file at his own risk!!! This firmware is not useful for investment bankers, because the firmware will only work for what it was intended to work for - not more and not less.
    Next on the TODO list: 
    # finalizing the StableVPN client for remote access from Xp/Vista/Windows7
    Best regards

    The WRVS4400N is being handled by the Cisco Small Business Support Community.
    For discussions about this product, please go here.
    The Search Function is your friend.... and Google too.
    How to Secure your Network
    How to Upgrade Routers Firmware
    Setting-Up a Router with DSL Internet Service
    Setting-Up a Router with Cable Internet Service
    How to Hard Reset or 30/30/30 your Router

  • Smart Collection for images with changed metadata not written to disk?

    The thumbnails in the grid view have a little icon in the upper right corner when the metadata for the file has been changed but not written to the XMP (or whatever) files.
    Is it possible to create a LR2 Smart Collection, or maybe a filter, that will find all such images?

    Dave, good to know that Ctrl-S on everything will write it all out.
    John, I *hate* being blind about what is going on. So I can Ctrl-S on everything and get it all written out. But I can't tell how many images I have changed, or perhaps also sort them by type so I can see what kinds of files will have to be rewritten. I can't even tell if I've remembered to do a Ctrl-S and whether there are images with data only in the catalog and not in the XMP etc. files.
    I'm one of those who are more comfortable if everything that can be recorded in XMP is recorded there. But I don't want to leave auto-write to XMP on while re-organizing everything.

  • Best practice for IPv6 ACL on 6500

    Hi,
    I am trying to implement IPv6 ACL on Cisco 6500.
    Any suggestion for the example of the good IPv6 ACL for 6500 would be appreciated.
    Thank you
    Salja

    Salja,
    Example of config can be found here:
    http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm31/configuration/guide/fwsm_cfg/exampl_f.html#wpxref44215
    Configuring IPv6 Access Lists
    Configuring an IPv6 access list is similar to configuring an IPv4 access list, but with IPv6 addresses.
    To configure an IPv6 access list, perform the following steps:
    Step 1 Create an access entry. To create an access list, use the ipv6 access-list command to create entries for the access list. There are two main forms of this command to choose from, one for creating access list entries specifically for ICMP traffic, and one to create access list entries for all other types of IP traffic.
    •To create an IPv6 access list entry specifically for ICMP traffic, enter the following command:
    hostname(config)# ipv6 access-list id [line num] {permit | deny} icmp source
    destination [icmp_type]
    •To create an IPv6 access list entry, enter the following command:
    hostname(config)# ipv6 access-list id [line num] {permit | deny} protocol source
    [src_port] destination [dst_port]
    The following describes the arguments for the ipv6 access-list command:
    •id—The name of the access list. Use the same id in each command when you are entering multiple entries for an access list.
    •line num—When adding an entry to an access list, you can specify the line number in the list where the entry should appear.
    •permit | deny—Determines whether the specified traffic is blocked or allowed to pass.
    •icmp—Indicates that the access list entry applies to ICMP traffic.
    •protocol—Specifies the traffic being controlled by the access list entry. This can be the name (ip, tcp, or udp) or number (1-254) of an IP protocol. Alternatively, you can specify a protocol object group using object-group grp_id.
    •source and destination—Specifies the source or destination of the traffic. The source or destination can be an IPv6 prefix, in the format prefix/length, to indicate a range of addresses, the keyword any, to specify any address, or a specific host designated by host host_ipv6_addr.
    •src_port and dst_port—The source and destination port (or service) argument. Enter an operator (lt for less than, gt for greater than, eq for equal to, neq for not equal to, or range for an inclusive range) followed by a space and a port number (or two port numbers separated by a space for the range keyword).
    •icmp_type—Specifies the ICMP message type being filtered by the access rule. The value can be a valid ICMP type number (from 0 to 155) or one of the ICMP type literals as shown in "Addresses, Protocols, and Ports". Alternatively, you can specify an ICMP object group using object-group id.
    Step 2 To apply the access list to an interface, enter the following command:
    hostname(config)# access-group access_list_name {in | out} interface if_name
    HTH
    Regards
    Inayath

  • IPv6 ACL doesn't accept /128 prefix?

    When I was configuring IPv6 ACL with "permit ipv6 any host ff05::1000" (multicast group), there was an error message saying "%Error: Group prefix must be less than 128, skipping FF05::1000/128". The ACL showed in the running-config as "permit ipv6 any host FF05::1000", but the ACL entry had no hits at all (not functioning).
    It was a 2800 router running 12.4(24)T2. Does this mean /128 prefix or host can't be configured in IPv6 ACL?
    Thanks

    I've checked on 15.2(3)T. There's no problem.
    GH2_R2(config)#ipv6 access-list TEST
    GH2_R2(config-ipv6-acl)#permit ipv6 any host ff05::1000
    GH2_R2(config-ipv6-acl)#do sh hist
      ipv6 access-list TEST
      permit ipv6 any host ff05::1000
      do sh hist
    GH2_R2(config-ipv6-acl)#
    Do you have that list applied anywhere? (PIM or such?)
    M.

  • Configure IPv6 ACL Extensions for Hop by Hop Filtering

    I have IPv6 ACL questions and concerns.  The following code is an example:
    ipv6  access-list inbound-to-enclave
         remark block IPv6 DO Invalid Options
          deny 60 any any dest-option-type 5
         deny 60 any any dest-option-type 194
         deny 60 any any dest-option-type 195
    I see that dest-option-type became available in IOS release 12.4(2)T.  I can't tell if this option was added to later releases of 12.2.  Also, is it available in all releases of 15.x.
    I am guessing that if a version of the IOS that is used is prior to 12.4(2)T that the default action will be to pass this traffic, correct?  Thank you for any assistance that you can provide.

    Hi Forrest,
    This is correct. By default, this traffic would be allowed.
    Regards

  • IPv6 ACL host limitation also for private network?

    Hello,
    I'm using a cisco WS-C3750G-24TS-1U 12.2(44)SE5. I know the IPv6 ACL limitations for this hardware
    However, I think that private networks (fc00::/7) should not be the case. In my case, I'm using EUI addresses.
    switchcore(config-ipv6-acl)#permit tcp any host 2001:0:0:0:222:64ff:fec2:1f5a eq www sequence 20
    switchcore(config-ipv6-acl)#permit tcp any host 3FFF:0:0:0:222:64ff:fec2:1f5a eq www sequence 20  
    switchcore(config-ipv6-acl)#permit tcp any host fdc8:0:0:0:222:64ff:fec2:1f5a eq www sequence 20
    % Host address FDC8::222:64FF:FEC2:1F5A can not be supported
    % ACE can not be added
    % Failed to modify access list
    switchcore(config-ipv6-acl)#permit tcp any host fc00:0:0:0:222:64ff:fec2:1f5a eq www sequence 20
    % Host address FC00::222:64FF:FEC2:1F5A can not be supported
    % ACE can not be added
    % Failed to add access list
    Is IOS right?

    Hum... yes, you are right. I missed this point. Thanks.
    Anyway, "Private Network" would fit very well in this list
    –aggregatable global unicast addresses
    –link local addresses

  • LabVIEW network library with support for SSL, Ping and IPv6

    I have posted on LAVA
    an OpenG package that will install a LabVIEW network library with
    support for SSL, Ping and IPv6.
     Please go there if you are
    interested to look it up.
    Rolf Kalbermatter
    CIT Engineering Netherlands
    a division of Test & Measurement Solutions

    Bob Y. wrote:
    OK,  but what is it and why should I use it?  What need does it fulfill?  I have been unable to find much documentation for this at the wiki page and maybe a couple of paragraphs here would help.
    Thanks,
    Bob Young
    Hi Bob,
    Yes, this info got buried.  Basically, it's a tool for building LabVIEW-based software products.  It is highly flexible/extensible and tries to fill the holes left by LabVIEW's built-in Application Builder.  Here are some good links to more info:
    OpenG Builder Homepage
    OpenG Builder 1.0 Documentation
    Thanks,
    -Jim

  • What's the purpose when we config ipv6 address for an interface with 128bit mask

    What's the purpose when we config ipv6 address for an interface with 128bit mask?
    Thanks

    If you configure a loopback-interface you can use a /128 there.
    "Normal" interfaces should always use /64 (RFC 4291) while on router-to-router-links you can use a /127 (RFC 6164).
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • How to handle changing IPv6 network configurations

    Hi,
    I run a Mac Mini as a server with OS X Server 10.8.5/2.2 on it using an internet connection with DS-lite. The server runs fine on a private IPv4 and a public IPv6 assigned by the ISP through my router. Now from time to time (on some really odd days 5 times a day) my ISP decides to change my IPv6 prefix and as a consequence the IPv6 of my server. This results in a warning and some services seem to not always work properly. When I handle the warning and update the network configuration (although all relevant pieces of configuration that are shown along this process remain unchanged), everything is back to normal.
    Now I wonder whether there is a better way to handle changing IPv6 prefixes while everything else is unchanged? Any thoughts? Thanks. Steffen

    I'll add my 2 cents too Sudheer...
    I suppose your versioning strategy should take into account your particular circumstances, impact analysis, ESB architecture  etc...
    In our case it makes sense to version the service operations because we have some consumers that want to stay on the older version & other that want to move with the changing versions...
    We've noticed that SAP, with the standard delivered enterprise services, also version step the service operations so you essentially have 2 service contracts but one that caters for additional fields/functionality. The consumer uses the service operation that they prefer.
    The other possibility, if you are in a position to make the new fields 'optional' then you could do that without impacting all the consumers, the consumers that have the additional info to pass in the request can do so & the other consumers can carry on business as usual.
    Then you could also version step the entire service, that would entail making use of a new software component version but this would entail new endpoints & depending on your architecture it could impact all your consumers. If you're using an integrated ESB architecture, your consumers would have one endpoint & the ESB would route the request to the relevant service version.
    So you could minimise impact on the consumers & develop a good versioning strategy depending on what your current situation is.
    Regards, Trevor

  • How to setup IPV6 boundary for SCCM 2012 R2 Primary Site?

    How to setup IPV6 boundary for SCCM 2012 R2 Primary Site?
    I have Direct Access implemented in my environment. I have Windows 8.1 machine connecting through direct access.
    I want to manage the windows 8.1 through SCCM. How do I setup IPV6 boundary. Can someone guide me through?
    Below are the Windows 8.1 client IP Configuration
    C:\Windows\system32>ipconfig
    Windows IP Configuration
    Wireless LAN adapter Local Area Connection* 3:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    Wireless LAN adapter Wi-Fi:
       Connection-specific DNS Suffix  . : home
       Link-local IPv6 Address . . . . . : fe80::7466:11a5:39ed:ffb0%4
       IPv4 Address. . . . . . . . . . . : 192.168.1.5
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.1
    Tunnel adapter isatap.home:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : home
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Connection-specific DNS Suffix  . :
       IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:1494:1339:93d6:439c
       Link-local IPv6 Address . . . . . : fe80::1494:1339:93d6:439c%9
       Default Gateway . . . . . . . . . :
    Tunnel adapter iphttpsinterface:
       Connection-specific DNS Suffix  . :
       IPv6 Address. . . . . . . . . . . : fd64:fc00:d17b:1000:e1a7:9cc8:c3c7:d819
       Temporary IPv6 Address. . . . . . : fd64:fc00:d17b:1000:206c:f857:ddbe:2f2b
       Link-local IPv6 Address . . . . . : fe80::e1a7:9cc8:c3c7:d819%10
       Default Gateway . . . . . . . . . :
    Below are the IPConfiguration details for Direct Access server
    C:\Windows\system32>PsExec.exe \\MURA01 ipconfig
    PsExec v1.98 - Execute processes remotely
    Copyright (C) 2001-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com
    Windows IP Configuration
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . :
       IPv6 Address. . . . . . . . . . . : fd64:fc00:d17b:3333::1
       Link-local IPv6 Address . . . . . : fe80::b1ad:1c29:b4a:9125%15
       IPv4 Address. . . . . . . . . . . : 10.192.1.25
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.192.1.1
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    Tunnel adapter isatap.{3D6A5E86-D85A-46C8-B69B-FFCF6D5D849C}:
       Connection-specific DNS Suffix  . :
       IPv6 Address. . . . . . . . . . . : fd64:fc00:d17b:1:0:5efe:10.192.1.25
       Link-local IPv6 Address . . . . . : fe80::5efe:10.192.1.25%18
       Default Gateway . . . . . . . . . :
    Tunnel adapter 6TO4 Adapter:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    Tunnel adapter IPHTTPSInterface:
       Connection-specific DNS Suffix  . :
       IPv6 Address. . . . . . . . . . . : fd64:fc00:d17b:1000::1
       IPv6 Address. . . . . . . . . . . : fd64:fc00:d17b:1000::2
       IPv6 Address. . . . . . . . . . . : fd64:fc00:d17b:1000:2552:e9f8:87d3:ed8e
       Link-local IPv6 Address . . . . . : fe80::2552:e9f8:87d3:ed8e%20
       Default Gateway . . . . . . . . . :
    ipconfig exited on MURA01 with error code 0.
    Below are the IPCONFIG Details for SCCM Server:
    C:\Windows\system32>PsExec.exe \\sccm01 ipconfig
    PsExec v1.98 - Execute processes remotely
    Copyright (C) 2001-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com
    Windows IP Configuration
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::9f0:86f9:441d:bc07%12
       IPv4 Address. . . . . . . . . . . : 10.192.1.30
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.192.1.1
    Tunnel adapter isatap.{0749E47D-AE0A-4D47-9D37-BDDC848E56F6}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
    ipconfig exited on sccm01 with error code 0.
    What will be the IPV6 values to configure boundary?

    Depending on how the clients connect use the IPv6 prefix of their 6to4, Teredo, and/ or IP-HTTPS tunnel. Just keep in mind that it could become a long list...
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Implementing IPv6 in a SP environment - Multiple Customer prefixes

    Consider a IPv4 SP that hosts customers Servers/WebSites.
    Today this SP has a LAN dedicated to these "SMB" clients, all "promiscuous" on the same LAN.
    Each customer has one IPv4 address, and can (via PAT) serve more than a physical "backend" Server.
    The SP thus gives "hosting" to potentially 1000+ customers on the same box.
    This SP is now considering IPv6, and wishes to maintain the same architecture.
    Since there is no address space issue with IPv6 and NAT/PAT is not supported he wants to give a /64 prefix to each customer.
    But... how can he route towards these /64 subnets?
    I see three options:
    1. Static Routes. But... is it really advisable to place 1000+ static IPv6 routes on a single router?? (it is a N7K by the way)
    2. Dynamic Routing. But... this means that the customer is "forced" to have a Router with Dynamic Routing Capabilities.
    3. Prefix Delegation. (I'm not familiar with this one). But... can the customer assign a "static" IP to a server in the backend with a "delegated" prefix?
    4. I don't see a 4th hypothesis, but I'm sure someone does!
    Any idea is welcome,
    Francisco
    (I'm adding a diagram)

    Hi Jim,
    thank you very much for your post!
    You hit the issue...
    I agree with you, the solution for the "one server" customer is the "connected" subnet, so no further entries are needed there.
    The issue is in fact for the /64 backend subnets of the other customers. I think I was not clear before, the scenario is not a small setup, but we have thousands of these customers that are now attached to the same Router (in IPv4). The diagram is just an example, multiply the customers on the diagram by a 500 factor.
    Let's consider 1500 customers. Today they are all in the same frontend subnet, "hiding" their backend subnets via IPv4 PAT.
    Now we are migrating to IPv6 and we are giving 1500 /64 subnets that the customer can use on his backend.
    The question is: what is the best way to reach these 1500 backend subnets?
    Placing 1500 static routes might work, but it does not seem a very nice/elegant solution.
    Moreover I wonder if a config file this large could give any kind of issue, or if the Nexus could suffer due to the number of IPv6 routes it would have to handle.
    You still advise the "static" approach?
    Francisco

  • IPV6 settings for OS/X 10.6.8

    OK, so Snow Leopard 10.6.8 is supposed to be preparing us for Lion by getting IPV6 right.
    Up until now, I've left my time capsule with IPV6 set to 'Host', so it takes care of any IPV6 stuff that comes along. As I understand it, what I should now be doing is setting up all my devices to use IPV6 and setting the Time Capsule to 'Tunnel', so that I get IPV6 addresses directly - then I have to set up good firewalls on all my devices.
    Is that right?
    Is there a good discussion anywhere on how to do all this?

    I'm in the same boat with a 3rd Gen AEBS.  Only thing I haven't tried is a complete reset and reconfiguration from nothing, which I may wind up doing this afternoon just to rule it out.  The best irony of all of this is that tunnelbroker.net is under my responsibility, and I can't validate the new settings paradigm.  At least getting back to 7.6.1 is easy enough and everything works fine there.
    IPv6 Delegated prefix doesn't get saved when using the format from their example, then a 6to4 address shows up as the local address on the main Internet page, and no RAs are received once the AEBS comes back from a reload.  Something's a little off on this release.

  • Airport extreme with native IPV6

    My isp free.fr provide IPV6 native
    In automatic tunnel mode AEBS provide 6to4 IPV6 mode
    I tried to change in manual mode with this set up
    Remote IPv4 Address: my ipv4 wan address
    Remote IPv6 Address: 2a01:0e35:xxxx:xxxx::1
    Local IPv6 Address: 2a01:0e35:xxxx:xxxx::2
    LAN IPv6 Address: 2a01:0e35:yyyy:yyyy::1
    Reboot
    Local IPv6 Address of my AEX has been discovered;
    Octet 3 and 4 have been discovered too for Remote IPv6 Address and LAN IPv6 Address
    ping6 and traceroute6 to AEX: OK
    but
    IPV6 on my network doesn't work.
    Any idea ?
    Is my setup wrong or is there a AEBS bug in IPV6 mode ?
    PS: for free users I switched off routing mode of my freebox

    I'd be interested to know if it's possible to use the AEX with an ISP that provides IPv6 native. But I would think that in such a case, you shouldn't configure it in 6to4 tunnel mode (either automatic or manual). There are two other options besides "tunnel". One is "link-local only", doesn't sound promising. The other option is "node". Did you try that? Just a wild guess.
    Bonne chance!

  • DirectAccess - IPHTTPS Tunnel with native IPv6 client

    I observed that in a DirectAccess KerbProxy scenario, a Windows 8.1 DirectAccess client with native IPv6 Internet connectivity is still using the IP-HTTPS transition technology for connecting to a Windows 2012R2 DirectAccess server also with native IPv6
    Internet connectivity.
    Is this normal behavior, even when native IPv6 Internet connectivity is available?
    Note 1: the use of the IP-HTTPS transition technology is confirmed with a Wireshark/NetMon trace.
    Note 2: see also the related thread
    http://social.technet.microsoft.com/Forums/en-US/e4bbb30e-161a-4847-918d-ba34934b4877/directaccess-double-dns-registration-issue-with-native-ipv6-client?forum=winserverNIS
    Regards,
    Stefaan

    After some more research I found the Technet article
    http://technet.microsoft.com/en-us/library/ee844198(v=WS.10).aspx. If that's still valid then no IPHTTPS should be used at all as both the DA client and the DA server have a public IPv6 address and can reach each other.
    DA Client:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
       Physical Address. . . . . . . . . : 9C-B6-54-EF-D9-37
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2a02:a010:1:12::10(Preferred)
       Link-local IPv6 Address . . . . . : fe80::75df:2d9e:9fa6:a730%3(Preferred)
       IPv4 Address. . . . . . . . . . . : 172.29.0.16(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.240.0
       Default Gateway . . . . . . . . . : 2a02:a010:1:12::1
                                           172.29.0.1
       DHCPv6 IAID . . . . . . . . . . . : 60601940
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-74-91-FD-9C-B6-54-EF-D9-37
       DNS Servers . . . . . . . . . . . : 195.238.2.21
                                           195.238.2.22
       NetBIOS over Tcpip. . . . . . . . : Enabled
    DA Server:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
       Physical Address. . . . . . . . . : 00-50-56-87-24-4C
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2a02:a010:1:20::203(Preferred)
       Link-local IPv6 Address . . . . . : fe80::7960:e687:d4f3:4bf6%18(Preferred)
       IPv4 Address. . . . . . . . . . . : 193.75.143.203(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 2a02:a010:1:20::21
                                           193.75.143.21
       DHCPv6 IAID . . . . . . . . . . . : 520114262
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-39-9F-8F-00-50-56-87-31-60
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Also, why do we see in the "DirectAccess Policy-DaServerToCorpSimplified" as "Local Tunnel Endpoint" on the DA Server and as "Remote Tunnel Endpoint" on the DA Client the IPv6 address 2002:c14b:8fcb::c14b:8fcb ? That's the "Tunnel adapter 6TO4 Adapter"
    of the DA Server. Shouldn't that be the IPv6 address 2a02:a010:1:20::203 in our case?
    Regards,
    Stefaan