In the previous part I explored why you should limber up to IPv6 sooner rather than later, and now here's my experience actually walking the talk. Importantly, mine is not a big-bang approach. I'm not trying to have everything perfect for IPv6 immediately, but rather I want to do just enough to be visible in the brave new world …
IPv6 is a cinch. It's the associated legacy from IPv4 that's the problem.
You can enable IPv6 transport with a handful of commands/clicks for any relatively modern OS (even Windows XP). You can ping6 websites and view them. That's the easy part. Any idiot can get that far in ten minutes.
What about your firewall config? You have to update all of that (whether it be iptables or Cisco commands or whatever) and make sure there are no holes. That's no small feat. Especially given that there are "ipv4 equivalent" ranges in IPv6 that, well, you should treat just like they were the appropriate IPv4 address. Your firewall scripts just got a whole lot more complicated.
What if you have custom scripts, hole-punching setups, SSH blacklists, VPNs, DMZs, etc.? You just added a whole new layer of nightmare to your conversion (i.e. has anyone yet worked out how to use OpenVPN to tunnel IPv6 packets from Windows to Linux? You can do it, but it's FAR from easy in certain modes.) Or how do you handle the intermediary conversions? Can you have IPv4 clients tunnelling IPv6 and vice versa and every combination in between?
IPv6-enabling your services? One line in the config file. IPv6-enabling your DNS records (don't forget that you'd need an IPv6-accessible mail server at some point too, etc.)? Easy enough. Making them *work* for users? That's the tricky bit. Are users getting to your site at all via IPv6 or are they just sitting at a blank screen their end? How would you know? Are their OSes just falling back to v4 because you don't have some record enabled at some point? Are your upstream DNS servers IPv6 compatible? Are your nameserver records for your domain available in IPv6 format at all?
Any idiot can *enable* IPv6. The question is: Have they done so sensibly, securely and so that it will work for everyone? And that's a much more important question. Enabling Apache to serve content over IPv6 is a cinch. Securing your firewall to the same standard as your IPv4 one so that it *can* serve that content safely is easily overlooked and yet a very difficult task.
And that's just the external face. What about the internal? Does your fileserver support every action from obtaining a lease, authenticating and filesharing over IPv6 for all of your clients, even remote ones?
IPv6 is an enormous headache. Sure, it's not insurmountable but it's not as simple as just throwing a switch in any way. I'm very disappointed that there's little-to-no mention of, e.g. appropriate firewalling of an Internet-facing server when it comes to IPv6 enabling it. Classic case of "do now, think about the consequences later".
And, for the record, I have IPv6-enabled all my domains and they do serve HTTP content over those channels and do so as securely as the IPv4 access on the same servers. But I still only ever use / login to it by IPv4 and have yet to see a single genuine IPv6 visitor.
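The commenter's point about "ipv4 equivalent" ranges is the one most often missed when an IPv4 rule set is copied over: an IPv4-mapped (::ffff:a.b.c.d), 6to4 (2002::/16) or Teredo (2001::/32) address carries an IPv4 address inside it, and an IPv4 blocklist that ignores that is silently bypassed. The following is an added example (not code from the article or from any commenter) that extracts the embedded IPv4 address with the standard-library ipaddress module and applies an existing IPv4 blocklist to it. The blocklist entries and the sample addresses are constructed from documentation ranges; a real deployment would load them from the firewall's own source.

```python
"""Apply an IPv4 blocklist to IPv6 addresses that embed an IPv4 address.

Added example, not from the original article or comments. Uses only the
standard library. Blocklist entries are constructed (RFC 5737 documentation
ranges), not real threat data.
"""
import ipaddress

# Constructed sample: the IPv4 blocklist a firewall might already maintain.
IPV4_BLOCKLIST = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def embedded_ipv4(addr):
    """Return the IPv4 address carried inside `addr`, or None for native IPv6.

    Handles the three transition formats a copied IPv4 rule set silently
    misses: IPv4-mapped (::ffff:a.b.c.d), 6to4 (2002:AABB:CCDD::/48, the
    IPv4 address is bits 16..47) and Teredo (2001::/32, the client IPv4
    address is the bit-inverted last 32 bits). ipaddress decodes all three.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ip
    if ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    if ip.sixtofour is not None:
        return ip.sixtofour
    if ip.teredo is not None:
        _server, client = ip.teredo  # the client address is the one that matters
        return client
    return None


def should_block(addr):
    """True if `addr` (v4, or v6 with an embedded v4) hits the IPv4 blocklist.

    Native IPv6 addresses return False here: they need their own IPv6 rule
    set, which this function deliberately does not pretend to provide.
    """
    v4 = embedded_ipv4(addr)
    if v4 is None:
        return False
    return any(v4 in net for net in IPV4_BLOCKLIST)


if __name__ == "__main__":
    # Constructed sample addresses, one per transition format plus a native v6.
    samples = [
        "198.51.100.7",                            # plain IPv4
        "::ffff:198.51.100.7",                     # IPv4-mapped
        "2002:c000:0207::1",                       # 6to4 carrying 192.0.2.7
        "2001:0:4136:e378:8000:63bf:3fff:fdd2",    # Teredo, client 192.0.2.45
        "2001:db8::1",                             # native IPv6 (no embedded v4)
    ]
    for s in samples:
        print(f"{s:40} embedded={embedded_ipv4(s)!s:16} block={should_block(s)}")
```

The practical lesson is that an IPv6 firewall needs two kinds of rule: one set for native IPv6 prefixes, and one that normalises transition-format addresses back to IPv4 before consulting the IPv4 tables. Many administrators simply drop the transition formats at the border if they have no reason to accept them, which is a defensible default for an Internet-facing server.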
If IT was easy
We'd be out of a job ;-)
Why? Was it so you didn't have to add to the routing table manually? It's been quite a while since I've rebooted due to changing some network configuration, unless of course I want to make sure the changes persist.
It's probably because I'm impatient and don't want to have to wait through the boot process just to find out it's not working because I transposed a digit.
Geo-location using IP addresses is an abomination, and I sincerely hope that the huge number of addresses that IPv6 offers will make geo-location so unreliable as to be useless. That would be a point in its favour.
Geolocation is a daft idea in the age of mobile devices. However, the superficially similar idea of jurisdiction-location is both workable and useful. Most home users would *love* to be able to reliably and cheaply know when something has come from somewhere untouchable. It would make spam filtering vastly more accurate and browsers could use the information to determine an appropriate level of paranoia. (Anonymising proxies and VPN end-points would be legally responsible for re-publishing everything that comes through.)
And if that level of *end-user-driven* control becomes widely available, most of the "won't somebody think of the children" arguments for *central* control with blunter instruments cease to have any technical or legal merit.
Since renumbering is part of IPv6, it could even be retro-fitted.
There be dragons
My favorite IPv6 deployment problem so far: when we assigned an IPv6 address to one of our border firewall/load-balancer nodes, all the nodes decided they needed to use IPv6 to communicate with each other. Since only one node actually had an IPv6 address, this led to an immediate split-brain and resulting complete system outage.
The article is a great advert
for not implementing IPv6.
A work in progress
I've run a dual stack both on my home client PC and on a hosted server for the last 3 months or so without any bad issues noticed. About 3% of my traffic is IPV6 on both. Not all services on the server are IPV6 compatible yet. For example, security on SMTP will have to be completely rethought because filtering based on a DNSBL won't work with attackers having so many addresses at their disposal. Better not to accept IPV6 email from anywhere there isn't a restrictive and valid SPF or valid domainkeys signature from the start, and combine this with domain reputation. Web services have been easy enough, though I had to fix the source for my own web application (PyLETS) to the small extent it assumed IPV4 format addresses.
IP6 makes you reliant on DNS
Perhaps we're unusual here but people tend to use IP4 addresses directly because DNS can be slow and/or flaky on the VPN between our different offices. Using numeric addresses with IP6 is virtually impossible unless you've got a really good head for long hex values. I'm not saying this is a reason not to use IP6 but I can't help thinking that there must have been a better way to enumerate the addresses rather than use hex coding.
If your VPNs are that high latency that you notice a significant delay in doing a DNS lookup then you should probably use a local resolver instead of using a remote resolver on the other side of the VPN?
IPv6 addresses are easier to remember, you only have 1 prefix (rather than getting multiple assignments as you grow) then the rest of the addresses you can number in whatever structured way you want - for example your DNS servers might be PREFIX::53 and PREFIX:1::53 and your web server might be PREFIX::80 etc, rather than your DNS servers being x.x.0.219 and x.x.1.86 because those just happened to be the next addresses available. Although of course you shouldn't need to type addresses except when setting them up, and sensible DNS naming is practically impossible to forget.
Not to mention any BGP router and packet level firewall
where you are forced to deal with numeric IP addresses and where any form of name resolution might impose a severe penalty on performance.
Yeah, fixing a web server for IPv6 is a piece of cake. Migrating several thousand IP access rules or routing tables, on the other hand, is quite tricky, and you might never know what the future will bring us with all this auto-discovery and "scrap NAT" functionality.
Mark my words and prepare for the IPv6 ping of death.
big deal right now?
I don't think it is myself. The most likely candidates for IPv6 in the next few years I suspect will be vast swaths of mobile clients, rather than servers in data centers or co-locations.
You can address a large portion of those IPv6 users with your load balancer doing the translation at the border; internal servers can still continue to run IPv4 in whatever non-routable network you're most likely using for internal communications, and the servers need know nothing about the clients talking IPv6.
If there is a particular endpoint that your servers need to talk to that just *happens* to only support IPv6 (I feel sorry for you if there is), then you can do the reverse: reverse translation by creating a pool of address(es) on your load balancer and an internal virtual IP that points to them, then your servers can hit that internal IPv4 IP and the load balancer will send it to the IPv6 destination (I've done this on many occasions for IPv4 to IPv4 (because we didn't want systems to have direct access to the internet); I would expect it works for IPv6 too, if not now then soon). If the remote IP changes on a regular basis then you could set up a script or monitor to check the DNS name for the endpoint and automatically update your LB if it changes. Certainly far simpler than shoehorning IPv6 onto your internal network, re-working all your apps, testing etc.
As more and more clients move to IPv6, more and more IPv4 space is freed up. In the grand scheme of things, how many IPv4 addresses do your servers really need on the internet anyway (short of the caveats with SSL)? Most places have been using name-based virtual hosting for more than a decade. Load balancers again can help here as well, since you can route traffic for say ftp.mydomain.com (which would be a CNAME to www.mydomain.com) to another set of servers on the back end, running on the same front end IP.
Not all load balancers are created equal of course.
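The comment above suggests a script that watches the DNS name of an IPv6-only endpoint and updates the load balancer's outbound pool when the AAAA records change. The following is an added example of that watcher (not code from the article, the commenter, or any load balancer vendor). It keeps the last known-good pool when resolution fails, reports only the differences so the balancer is not reconfigured needlessly, and takes the resolver as a parameter so the change-detection logic can be exercised offline with constructed answers. The pool name, the internal VIP and the `render_changes` output format are assumptions: a real load balancer has its own API, and that is the one place a deployment would substitute its own call.

```python
"""Watch the AAAA records of an IPv6-only endpoint and emit pool updates.

Added example, not from the article or comments. The load balancer command
format in render_changes() is an assumption; real balancers have their own
API, and the constructed resolver answers in the demo are not real DNS data.
"""
import socket


def resolve_aaaa(name):
    """Default resolver: AAAA records via the system resolver (needs network).

    Returns a set of address strings; an empty set on lookup failure so the
    caller can distinguish 'no answer' from 'the set changed'.
    """
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


class PoolWatcher:
    """Tracks the current AAAA set for `name` and reports membership changes."""

    def __init__(self, name, pool_name, resolver=resolve_aaaa):
        self.name = name
        self.pool_name = pool_name      # assumed name of the LB's outbound pool
        self.resolver = resolver        # injectable for offline testing
        self.current = set()            # last known-good member set

    def poll(self):
        """Resolve once and return [("add", addr), ("remove", addr), ...].

        An empty answer is treated as a transient failure: the existing pool
        is kept rather than emptied, which is what you want when the remote
        DNS is flaky and the LB would otherwise blackhole internal traffic.
        """
        answer = self.resolver(self.name)
        if not answer:
            return []
        added = sorted(answer - self.current)
        removed = sorted(self.current - answer)
        changes = [("add", a) for a in added] + [("remove", r) for r in removed]
        self.current = set(answer)
        return changes

    def render_changes(self, changes):
        """Turn a change list into one line per LB operation (assumed syntax)."""
        return [f"pool {self.pool_name} {op} member [{addr}]:443" for op, addr in changes]


if __name__ == "__main__":
    # Constructed DNS answers standing in for successive polls of a remote name.
    answers = iter([
        {"2001:db8::1"},                 # first sight of the endpoint
        {"2001:db8::1"},                 # unchanged: no LB update needed
        {"2001:db8::2"},                 # remote renumbered: add new, drop old
        set(),                           # resolver failure: keep last pool
    ])
    watcher = PoolWatcher("api.partner.example", "partner-v6",
                          resolver=lambda _name: next(answers))
    for _ in range(4):
        for line in watcher.render_changes(watcher.poll()):
            print(line)
```

Run from cron or as a small loop with a sensible interval, and log every rendered line before sending it to the balancer; a sudden flood of add/remove pairs is usually a sign that the remote is round-robining several AAAA records rather than genuinely renumbering, in which case the pool should contain all of them rather than chase each answer.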
What about us unwashed masses
We're sitting out here on our DSL modems, with their dynamic IP addresses assigned by our ISPs.
When are we likely to have to face IP6?
It's coming ...
Whilst many ISPs still have their heads in the sand, others are working on it. Plusnet are currently running a limited trial (only 20 people I believe) specifically to work out what works, what doesn't, and what needs to be addressed for it to "just work" with end users. I believe they already have core networking supporting it. Some of the users on the trial are reporting good results with standard routers - but as you might imagine, there are only a handful doing IPv6 at the moment.
At the moment IPv6 is work. Give it a few years and I think we'll start to see some adoption - and once the ISPs start supporting it, and the customers are using routers that support it, we'll find ourselves with a growing number of people using it without actually knowing it.
Yes we need to sort out firewall stuff, yes there will be hurdles along the way, but if we all start looking at it, and adopting it (even if only piecemeal) then it will come and it will get easier. The hardest thing is the change in mindset required.
My home workstation does IPV6 over an IPV4 only connection. Very stable and a fairly simple setup. Have a look at http://tunnelbroker.net/ . Virgin Media don't support IPV6 yet, but protocol 41 works over my cable router and modem.
Thanks to you and pyLETS
for the responses.
Yes, the hardest thing will be the change in the mindset. For those that just rely on DHCP and the on button, then I suppose what will matter most of all will be the MS update (if not already) that makes it all function.
Those of us who are a little way ahead of that, who like to "administer our own networks" (hey, there are all of two hosts and a router on mine!) and be in charge of our own destinies with regard to stuff like DNS (I like to run a caching server, and I do not like to have my ISP redirect me to some stupid page when I mistype a URL), but have not actually been involved in pro networking for a year ...or ten, will have a hard time of it. Learning it the first time was hard enough, and I certainly would never have called myself a network expert (just a general BOFH/sysadmin) and I'm not looking forward to having to /study/ to get this stuff into my head.
Hey ho, It's coming ...and can't, in the end, be avoided.
To see El Reg cover practical matters in a sensible and optimistic light. Was really very pleasantly surprised to see a guide here in my IPv6 news stream; I always thought El Reg represented the more vocal detractors. I mean, it's hard work that requires determination, it doesn't come cheap, it's socially responsible and it's not immediately rewarding, right?
To all the belligerent commentards on this and previous article: get over it, and get on with it. Stop your foul whimpering - it doesn't help - and start demanding IPv6 from your vendors, or go elsewhere. Seriously, the time is now. Really.