Category Archives: IPv6

php.net powered by myracloud.com

The official PHP.net site is now powered by myracloud.com. Thanks to Rasmus Lerdorf and Dan Brown for the support. php.net is hosted on a server in California. We have nodes very nearby which load content, optimize it, and then deliver it either directly to clients or send it to myracloud nodes in other parts of the world in a highly compressed format.

First-hand IPv6 experience

So, in order to gain more experience with actually running IPv6 on the server- and client-side, we migrated all our users in the office to IPv6.

That sounds a lot harder than it actually is.

We installed radvd on one Linux machine connected to our office network. And that was basically it. radvd sends IPv6 announcements to all clients on the network. Windows, Mac, and Linux users automatically get IPv6 addresses that way. The one Windows XP machine you might have will need a manual “netsh int ipv6 install” once, and you are done.

So, we are using the following now:

  • all our servers have native IPv6 connectivity
  • our developers use SSH and HTTP via 6to4 from the office and home
  • our servers talk to each other via IPv6 (mostly SSH and HTTP/HTTPS) 
And it was very easy to set up.

Because all the clients are dual-stacked, we have removed the IPv4 addresses from the main development systems’ DNS. So, where we had an A- and AAAA-record before, there is only one AAAA record left. This forces the dual-stacked system to connect via IPv6. For emergencies, there is always a hostname-4 entry left which points to the IPv4-address.

We had no problems whatsoever with any of the services we use internally so far (e.g. Apache, nginx, OpenSSH, MySQL, munin, exim, stunnel, etc.). The only exception is nullmailer (a simple SMTP injector), whose IPv6 support apparently gets broken in Debian every couple of months.

Feel like sharing your IPv6 experience? 

Service Configuration and IPv6 notation formats

In IPv4-land addresses are always written the same way.

Not so much with IPv6.

Here is a short rundown on what notations are around in IPv6 configuration land.

  • exim4: double every colon: 2001::db8::::/32 (exception from the norm)
  • nginx: listen [2001:db8::1]:80;
  • apache: Listen [2001:db8::1]:80
  • stunnel.conf: 2001:db8::1:80 (exception from the norm)
  • slapd.conf (LDAP): access to * by peername.ipv6=2001:db8::1 read
  • munin-node: allow ^2001:db8::1$
  • sshd_config: ListenAddress 2001:db8::1
  • tinyproxy.conf: Listen 2001:db8::1
  • bind: options { listen-on-v6 { 2001:db8::1; 2001:db8::2; }; };
  • nullmailer: broken in Debian regarding IPv6, do not use

Generally, formats that include a port number use the bracket syntax [address]:port (except stunnel). If no port is specified, the brackets are not used. exim4 is a special case: the colon “:” is the default delimiter in exim4's configuration format, and hence needs to be escaped using a second “:”.

Do you know other examples? Please submit a comment.

Note that the examples use the reserved 2001:db8::/32 prefix as specified by RFC 3849 for documentation purposes.

6to4 just works

There has been some discussion on the viability of still using 6to4.

If you look at the list of 6to4 operators, you will notice that the list is actually quite long. Also, the list is incomplete, as there are actually more 6to4 gateways in the wild. In Germany alone, IP Exchange GmbH (AS 15598), DFN (AS 680), Cablesurf (AS 35244), and Hurricane Electric (AS 6939) have BGP prefixes for 192.88.99.0/24 visible at DE-CIX.

Also, the claim that NAT is a huge issue with 6to4 is actually shown to be wrong because we are running 6to4 successfully in multiple IPv4-only locations behind NAT routers. So, just try it yourself. We have prepared a simple script which sets up 6to4 for you (Linux users). Windows/Mac come preconfigured with Teredo/6to4 tunnels. We have had mixed experiences with Teredo under Linux, and thus use 6to4.

Free IPv6 for dialup and DSL users on Linux

Free and full IPv6 connectivity without registration, activated in a couple of minutes? How does that sound?

Using the standard tunnel mechanism called 6to4 your Linux machine can act as an IPv6 gateway for your whole private network, and thus act as a central hub for your Windows and Apple clients.

Just follow these easy steps:

  1. sudo apt-get install radvd
    If you are not using Debian/Ubuntu, use the respective mechanism of your distribution to install radvd. radvd advertises IPv6 to your internal network.
  2. sudo wget -O /etc/init.d/setup_ipv6 http://soprado.com/tmp/setup_ipv6
    This downloads the setup script from us over plain HTTP; since it will run as root, read it before executing it.
  3. sudo chmod +x /etc/init.d/setup_ipv6
    Makes the script executable.
  4. If your network device is not connected to eth0, modify LOCAL_INTERFACE in /etc/init.d/setup_ipv6 (note: virtual interfaces such as eth0:1 are not supported by radvd)
  5. sudo /etc/init.d/setup_ipv6
    The script will continue running, so open another terminal for the next command. 
  6. ping6 ipv6.google.com

The script will calculate your IPv6 prefix according to your external IP, configure the tunnel, set up radvd, and periodically check your current IP address. If your external IP address changes (e.g. by a forced disconnect by your ISP), the IPv6 prefix will be updated.

In my personal case running that script was enough to make IPv6 work for Linux and Windows. Depending on your router you might need to put your Linux system in the DMZ (i.e. make the router forward unrecognized packets to it) or forward protocol type 41 (IPv6) to it (and maybe 44, 58).

The setup_ipv6 script is being used daily with Debian wheezy as gateway and Windows 7 as client.
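
The prefix calculation described above can be reproduced by hand, which helps when checking what a 6to4 setup will configure. This is an added example, not the setup_ipv6 script (whose contents are not shown on this page). It assumes the standard RFC 3056 mapping; the function names, the tunnel name tun6to4, and subnet ID 1 are assumptions, and the addresses are constructed samples.

```sh
#!/bin/sh
# Added example: 6to4 prefix derivation (RFC 3056). Prints config; changes nothing.

# Print 2002:AABB:CCDD for external IPv4 A.B.C.D; fail on malformed/RFC 1918 input.
sixtofour_prefix() {
    ip=$1
    case $ip in *[!0-9.]*|*..*|.*|*.|'') return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip          # split into octets (input holds only digits and dots)
    IFS=$old_ifs
    if [ $# -ne 4 ]; then return 1; fi
    for o in "$@"; do
        case $o in 0?*|????*) return 1 ;; esac   # no leading zeros (printf would read octal)
        if [ "$o" -gt 255 ]; then return 1; fi
    done
    # A private address yields a prefix no relay can route back to you.
    if [ "$1" -eq 10 ]; then return 1; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 1; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi
    printf '2002:%02x%02x:%02x%02x\n' "$1" "$2" "$3" "$4"
}

# radvd.conf stanza advertising subnet 1 (assumed) of the /48 on LAN interface $1.
radvd_stanza() {
    p=$(sixtofour_prefix "$2") || return 1
    cat <<EOF
interface $1 {
    AdvSendAdvert on;
    prefix $p:1::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
EOF
}

# iproute2 commands for the sit tunnel; $2 is the host's own IPv4 (LAN address behind NAT).
tunnel_plan() {
    p=$(sixtofour_prefix "$1") || return 1
    echo "ip tunnel add tun6to4 mode sit ttl 64 remote any local ${2:-$1}"
    echo "ip link set dev tun6to4 up"
    echo "ip -6 addr add $p::1/16 dev tun6to4"
    echo "ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1"
}

# Constructed sample: 192.0.2.4 as external address, 192.168.1.10 as LAN address.
radvd_stanza eth0 192.0.2.4
tunnel_plan 192.0.2.4 192.168.1.10
```

Feeding the LAN address instead of the external one is the common mistake behind NAT; the function rejects RFC 1918 input for that reason.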

Please let us know whether/how this method works for you.

Moving to IPv6

We have recently added IPv6 connectivity to all our internal systems, as well as to our main externally visible services. The services include

  • HTTP and HTTPS
  • SMTP
  • IMAP
  • DNS
  • LDAP
  • MySQL
  • ACLs

Fortunately, all our hosting partners were able to provide native IPv6 connectivity (excluding Hosteurope, although their recursive nameservers seem to prefer IPv6 themselves according to my tcpdumps).

Not so fortunately, getting native IPv6 access on the client side proved to be a lot harder. We are using 6to4 for now which is a standard mechanism to tunnel IPv6 over IPv4. We are using 6to4 from the office and the various home locations.

I will provide a brief overview of our transition and the lessons learned.

IPv6 News — now is the time

As the European RIPE is running out of IPv4 address space, the US government is actually requiring its own websites to be accessible through IPv6. Of course, major websites such as Google and Facebook have been accessible through IPv6 for a long time.

Interestingly, whitehouse.gov is using round-robin DNS to serve the website from various locations worldwide, including Europe and Japan. This differs from www.whitehouse.gov, which is handled by Akamai.

The US government is mandating the use of IPv6 for its own web-sites. (Slashdot)

US government paves the way to IPv6 with mandate compliance (Enterprisenetworkingplanet.com)

RIPE NCC Begins to Allocate IPv4 Address Space From the Last /8 (ripe.net)