Chronophage.net Blog

IPv6

Mar. 30, 2011, under Administration, E-Mail, Hardware, Security, Software, UNIX 101, Virtualization

So…

It’s been awhile.

Recently, I’ve decided to make sure that all of my servers were IPv6 addressable. This was made infinitely easier by working at a forward-thinking ISP. So a quick email to our network admin and bam! IPv6 routed to my VLAN!
Now, what to do with it?


First, my software firewall had to go, at least for now. pfSense is nice, but it doesn’t support IPv6 very well. The beta versions do, but I ran into some very interesting bugs involving a missing default route… So it got tabled for now. Software on each server would have to suffice. That, and not running anything silly on public interfaces.

The process I wanted to follow was to get the IP address, update the firewall software and then go through the services one by one on each server.
Unfortunately, I hadn’t enabled IPv6 in ESXi… Oops. Fairly straightforward, but that needed a reboot. Ugh.

The first server I looked at was my brand new OpenIndiana install. Oh, it’s done. Well, ok then.

My php-fcgi webserver is next. Oh, it’s mostly done. A few UFW commands and we’re set.

Next up, FreeBSD. Oh, it’s done… I just needed to update PF. That took a little research as far as the syntax goes, but it was relatively painless.
DNS was next. I have bind running on my FreeBSD server. I just needed to add a few AAAA records, (now that I had addresses) and set bind to listen on IPv6 addresses. Pretty painless actually.
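The PF update above is the step most worth getting right, so here is an added example of what a per-server IPv6 ruleset for FreeBSD’s pf can look like (this is my example, not the post’s own config). It assumes the external interface is em0 and that only SSH, SMTP, DNS, HTTP and HTTPS should be reachable; both are assumptions. Two points a practitioner wants here: rules written with the `inet` keyword never match IPv6 traffic, so an existing v4 ruleset silently leaves the new addresses unfiltered, and ICMPv6 must be allowed, because neighbor discovery replaces ARP and packet-too-big messages drive path MTU discovery. The ruleset is written to a file and parse-checked with `pfctl -n` before anything is loaded.

```shell
#!/bin/sh
# Added example: a minimal IPv6 host ruleset for FreeBSD pf, written to a
# file and syntax-checked before loading. Not the blog author's config.
# Assumptions: external interface em0; exposed TCP services 22 25 53 80 443.

write_pf_v6() {
    out=$1
    cat > "$out" <<'EOF'
ext_if = "em0"
v6_tcp = "{ 22 25 53 80 443 }"
set skip on lo0
# Default deny inbound IPv6; outbound is stateful. Note the explicit 'inet6':
# a rule tagged 'inet' applies to IPv4 only, one with neither tag applies to both.
block in log inet6 all
pass out inet6 all keep state
# ICMPv6 is not optional: neighbor discovery (types 133-137) replaces ARP and
# packet-too-big (type 2) drives path MTU discovery. Dropping it all breaks the link.
pass in inet6 proto icmp6 all icmp6-type { 1 2 3 4 128 133 134 135 136 137 }
pass in on $ext_if inet6 proto tcp to ($ext_if) port $v6_tcp flags S/SA keep state
pass in on $ext_if inet6 proto udp to ($ext_if) port 53 keep state
EOF
}

# Parse-check the ruleset without loading it; only meaningful where pfctl exists.
check_pf() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found; skipping syntax check" >&2
        return 0
    fi
}

# Load only if the parse succeeds. Needs root on a pf host.
load_pf_v6() {
    check_pf "$1" && pfctl -f "$1"
}
```

Run `write_pf_v6 /etc/pf.conf.v6` followed by `load_pf_v6 /etc/pf.conf.v6` on the host; on a box without pfctl the check step is skipped rather than failing.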

Apache on FreeBSD was next. I was still running Apache 1.3 on that system, not having a compelling reason to upgrade. Apache 1.3 doesn’t support IPv6 natively, but there is a port with a patch in it. Recompile, install…Crap. Virtual hosts are broken! I tried futzing with the config options to no avail. Google searching revealed that this was a known bug. Crap. Time to upgrade! The project grows…

Before upgrading to Apache 2.2 I needed to upgrade apr to enable IPv6. This was a pain. I had to uninstall the apr1 port by hand (as the names in the pkgdb didn’t match), recompile it a couple of times as enabling the IPv6 parameter via make config didn’t take the first time, and install it.

Actually upgrading from Apache 1.3 to 2.2 was fairly straightforward. I had a monolithic httpd.conf file that had accumulated quite a bit of crud over the years. A few vi commands replacing User and Group parameters with the new SuexecUserGroup parameter and I had a functional config file. I did have to add some explicit directory options to allow Apache 2.2 access to directories that Apache 1.3 had allowed implicitly. All in all it was faster for me to upgrade than it was to troubleshoot the patched version of 1.3. I did run into trouble with the httpready and dataready filters not being detected after an overnight SIGHUP, even though the kernel modules were loaded, and when I started Apache manually, it worked. So I’ve disabled those filters for now until I figure out what’s going on.

Mail on that system came after that. Postfix needed a couple of options enabled, but was pretty easy. ClueBringer had to go (oh well); sqlgrey didn’t want to work. After comparing the config with my work’s config, and talking to our systems admin, it turned out I just needed to upgrade the perl packages that sqlgrey used. Dovecot was a little tricky, as I had an old config that needed to be updated anyway.

Apache on my Linux web server was already 2.2 so I just needed to have it listen on the new interface.
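Going service by service like this has one trap: a daemon bound to the wildcard address starts answering on the new public IPv6 address the moment the interface gets one, and there is no NAT in front of it. A quick check after each server is to list every IPv6 wildcard listener and compare it against what you meant to expose. The following is an added example (mine, not the post’s) that does that over the output of `ss -6ltnH` on Linux; the sample lines are constructed for the test and are not from any real host. Older iproute2 prints the v6 wildcard as `:::port` rather than `[::]:port`, so both forms are handled; FreeBSD’s `sockstat -6l` has a different column layout and would need its own field numbers.

```shell
#!/bin/sh
# Added example: flag IPv6 wildcard listeners that are not on an allowlist.
# Not from the original post. Reads `ss -6ltnH` output (Linux) on stdin.

# Usage: unexpected_v6_listeners "22 80 443" < listeners.txt
# Prints one port per line for every LISTEN socket bound to [::] (or the
# older ::: spelling), i.e. reachable on every address the host has,
# whose port is not in the allowlist. Sockets bound to ::1 or a specific
# address are left alone.
unexpected_v6_listeners() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[0-9]+$/, "", addr)   # everything before it
            if ((addr == "[::]" || addr == "::") && !(port in ok))
                print port
        }'
}

# Constructed sample in `ss -6ltnH` layout: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS='LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::1]:3306 [::]:*
LISTEN 0 128 :::11211 :::*
LISTEN 0 50 [::ffff:127.0.0.1]:6379 [::]:*'

# Runs the audit over the sample with an allowlist of 22, 80 and 443;
# only the memcached port (11211) on the wildcard should come back.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_v6_listeners "22 80 443"
}

# On a real host: ss -6ltnH | unexpected_v6_listeners "22 80 443"
```

Anything the function prints is a port that is now world-reachable over IPv6 unless the host firewall blocks it; either bind it to ::1, add it to the allowlist deliberately, or add a pf/ip6tables rule for it.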

Adding a glue record was… um, challenging. Our hostmaster had to get the registrar to do it by hand, as it was not enabled in their GUI yet. Also, my full address was too long for them (probably due to a database column size limit) so I had to alias a shorter address for it. Whee! This, I suspect, is a reason why most residential routers don’t support IPv6 yet: size and memory limitations, as the IPs are bigger. More on that later.

So, with my DNS set up, and my servers answering, I decided to get my free t-shirt from ipv6.he.net. A few tests and tasks later, and I earned Sage level certification! Ok, so it wasn’t exactly challenging, but it was kinda fun, and is a good way to raise awareness of IPv6. Hurricane Electric has been more than generous with getting companies to move to IPv6. I won’t mention anything specific, but if you’re a small ISP or hosting/co-location provider, it would behoove you to contact them if they are in your market.

The problem with IPv6, and why I decided to act, is that there’s little to no customer equipment that can handle the new addressing. This means that there’s little to no traffic out there, which means there’s little to no reason for ISPs to upgrade. Comcast and Verizon (FiOS) are taking the plunge; Comcast, for one, is moving to DOCSIS 3.0 anyway for other reasons, so it may as well enable IPv6 at the same time. Other providers are dragging their feet.

Hardware needs to be upgraded. Unfortunately, most cheap consumer routers, across multiple brands, share a few common ODM reference boards. These boards have limited memory and processors, because they are cheap. So companies are forced to wait for supply chain issues to sort themselves out before they can offer IPv6-compatible products. The only way to get those manufacturers going is to spur market demand. However, with no devices out there, there’s an artificial suppression of demand (insert chicken-and-egg colloquialism here). So guys like me have to publicly trumpet the IPv6 cause!

Is it *critical* that everyone move now? Not really. Despite the hype, IPv4 isn’t going away anytime soon. Sure, no more blocks are being allocated from the central pool, but there are enough hoarders out there that actual exhaustion will take a while. However, having more addressable items on the internet is cool. Minimizing NAT would be cool. As we move to more and more accessible gadgets, they are going to need addresses. In order to move forward, we need IPv6.

Things like 6to4 tunneling (IPv6 carried directly inside IPv4, IP protocol 41) help. My cheap Cisco router blocks protocol 41 (probably unintentionally, as it is a refurb with other problems). So I fired up Teredo on my workstation via Miredo. Spooky stuff. IPv6 without any configuration. Magical.

I set up my own Teredo endpoint, as I didn’t want to send my traffic to France. Microsoft’s Teredo endpoints hand out old (and now invalid) prefixes, so I didn’t want to use those either. I figured I’d skip the DPRK endpoint too. Curiously my work firewall doesn’t let me connect to my Teredo’d machine… Hmm..
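Teredo is worth a closer look from the security side, whichever endpoint you pick: it rides over UDP (the server side on port 3544) so it tends to pass firewalls that stop protocol 41, and every Teredo address is built from the server’s IPv4 address, the client’s public IPv4 address and its NAT-mapped UDP port, with the last two simply XORed with all ones. That makes 2001:0::/32 peers easy to spot in logs and makes the address itself tell you where the tunnelled client really sits. The decoder below is an added example of mine, not something from the post or from Miredo; the sample address is the worked example from RFC 4380, and the script touches no network.

```shell
#!/bin/sh
# Added example: decode a Teredo (2001:0::/32) address into its components.
# Not from the original post. Sample address is the one used in RFC 4380.

# Expand '::' so the address has all eight groups: 2001::1 -> 2001:0:0:0:0:0:0:1
expand6() {
    addr=$1
    case $addr in
        *::*) left=${addr%%::*}; right=${addr#*::} ;;
        *)    echo "$addr"; return 0 ;;
    esac
    nl=0; nr=0
    [ -n "$left" ]  && nl=$(printf '%s\n' "$left"  | tr ':' '\n' | wc -l | tr -d ' ')
    [ -n "$right" ] && nr=$(printf '%s\n' "$right" | tr ':' '\n' | wc -l | tr -d ' ')
    out=$left
    i=$((8 - nl - nr))              # zero groups the '::' stood for
    while [ "$i" -gt 0 ]; do
        out="${out:+$out:}0"
        i=$((i - 1))
    done
    [ -n "$right" ] && out="$out:$right"
    echo "$out"
}

# Print the Teredo server's IPv4, the client's public IPv4 and NAT-mapped UDP
# port (both stored XOR 0xffff), and the cone flag. Returns 1 if the address
# is not in 2001:0::/32.
teredo_decode() {
    full=$(expand6 "$1")
    old_ifs=$IFS; IFS=:; set -- $full; IFS=$old_ifs
    [ $# -eq 8 ] || return 1
    [ $((0x$1)) -eq $((0x2001)) ] && [ $((0x$2)) -eq 0 ] || return 1
    g3=$((0x$3)); g4=$((0x$4)); flags=$((0x$5))
    port=$(( 0x$6 ^ 0xffff ))
    c_hi=$(( 0x$7 ^ 0xffff )); c_lo=$(( 0x$8 ^ 0xffff ))
    printf 'server=%d.%d.%d.%d client=%d.%d.%d.%d port=%d cone=%d\n' \
        $((g3 >> 8)) $((g3 & 255)) $((g4 >> 8)) $((g4 & 255)) \
        $((c_hi >> 8)) $((c_hi & 255)) $((c_lo >> 8)) $((c_lo & 255)) \
        "$port" $(( (flags >> 15) & 1 ))
}

# RFC 4380's example: server 65.54.227.120, client 192.0.2.45 on UDP 40000, cone NAT.
# teredo_decode 2001:0:4136:e378:8000:63bf:3fff:fdd2
```

Feed it the source address of any 2001:0::/32 packet that shows up in a web or mail log and you get back the tunnel server and the real public IPv4 of the client, which is also a reminder that Teredo offers no privacy at all for the host behind the NAT.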

Anyway, that’s one guy’s story. All in all it was pretty easy. I encourage my fellow techies to go ahead and get IPv6 implemented if you haven’t already. I am, after all, late to the party. Come on in, the water’s fine.

After all, World IPv6 Day is only a few months away.

I’m ready, are you?

