Transition to IP6


I imagine some day in the near future there will be a switch to IPv6. I cannot imagine ever remembering the IP address then… crazy. My question, since I have never done IPv6 stuff, is what does that mean on my webservers?

Would I just need to replace my IPv4 with IPv6 in my eths, bonds, bridges, and configuration files… and copy out my iptables to ip6tables, and change the DNS servers?

All that does not sound too harsh.

Anything especially daunting to make that switch (save for someone having to do that on 100 computers really fast!!)

-bob
24 thoughts on - Transition to IP6

  • For modern software, not too much, really!

    You can test it today; if your ISP doesn’t provide native IPv6 then you
    can get a tunnel (eg from tunnelbroker.net) for free. Then you can
    run IPv4 and IPv6 at the same time and see how easy it is. It’s
    really easy :-)

    I have a linode and a Panix v-colo with native IPv6, and my home network
    with an IPv6 HE tunnel. This email _should_ go via IPv6 from home
    to linode, and then probably via IPv4 to the list server… unless that is
    also IPv6 enabled! Most of the time (eg surfing the net) I don’t even
    know if my traffic is using IPv4 or IPv6.

  • We’ve been running out of IPv4 addresses and needing to convert someday
    soon for the last 10 years… but yet the vast majority of broadband
    providers and even most ISPs don’t support it yet.

    Nataraj

  • On 30.03.2012 20:23, Bob Hoffman wrote:

    Wrong. There will be no switch. IPv6 is just being added while
    IPv4 continues to function. Both will coexist for a long time yet.

    Don’t worry. You will. Well, not the autoconfigured ones for sure,
    but those you choose yourself, they’ll cling to your brain after
    some time just as 192.168 does today.

    Not much, really. You just give them IPv6 addresses and they’ll work
    with them just like they do with the IPv4 addresses today.

    That would be a really bad transition plan. Don’t switch – migrate.
    Don’t replace IPv4 – add IPv6 alongside. IPv6 is designed to coexist
    with IPv4.

    DNS reverse zones take some getting used to.
    Apart from that, it’s really straightforward and doesn’t differ
    that much from setting up an IPv4 address range:

    1. Get a suitable IPv6 address range from your provider.
    The regular size for companies is /48, but a /56 is fine too.
    (If your provider is unable to give you one, get a better provider.
    If you have a really good reason for sticking with a provider that
    is so behind the times that it still cannot provide IPv6, you
    might use a tunnel broker, but that’s a bit more complicated.)
    Also create an IPv6 reverse DNS zone for your address range on your
    DNS server and get it delegated from your provider so that you can
    manage reverse resolution yourself. (Otherwise you’ll have to ask
    your provider to create every PTR RR you need for you.)

    2. Configure your firewall to route and announce a /64 subnet of
    the IPv6 address range you got to each of your LANs.

    3. Give your machines IPv6 addresses in addition to their IPv4
    ones. (Many of them will have gotten one automatically already via
    autoconfiguration, but those aren’t pretty or easy to remember, so
    you may want to assign another one instead or in addition.)
    Leave the IPv4 addresses in place so that existing connections will
    continue to work.

    4. Add those addresses to the machines’ DNS entries as AAAA records.
    Again, don’t remove the IPv4 addresses (A records), they’re still
    needed for communication partners who aren’t IPv6 capable yet.
    Also add corresponding PTR records to the IPv6 reverse zone.

    That’s it. At that point your machines will be reachable via IPv6
    in addition to working with IPv4 as before.

    (Well, of course there’ll be a lot of tedious details like logfile
    analyzers not understanding the IPv6 address format, access control
    lists needing additional entries for the new addresses, users
    phoning the help desk because addresses look strangely different,
    etc. But nothing fundamentally new or incomprehensible.)

    HTH
    Tilman
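    Steps 1 and 4 above (the ip6.arpa reverse zone and the PTR records, the part Tilman says takes getting used to) are mechanical nibble reversal. The following is an added Python example, not code from the thread; the prefix 2001:db8:1234::/48 and the hostname are constructed sample values.

```python
"""Added example (not from the thread): build the ip6.arpa zone name for a
delegated prefix and the AAAA/PTR records for one host inside it.
The prefix 2001:db8:1234::/48 and the hostnames are constructed samples."""
import ipaddress


def reverse_zone(prefix: str) -> str:
    """Name of the ip6.arpa zone covering `prefix`. Each ip6.arpa label is one
    hex nibble, so the delegation must fall on a 4-bit boundary (/48, /56, /64)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegations happen on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    zone_nibbles = nibbles[: net.prefixlen // 4]
    return ".".join(reversed(zone_nibbles)) + ".ip6.arpa"


def records(hostname: str, addr: str, zone_prefix: str) -> dict:
    """Forward (AAAA) record for the host and the PTR record as it would appear
    in the reverse zone for `zone_prefix` (owner name relative to that zone)."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in ipaddress.IPv6Network(zone_prefix, strict=True):
        raise ValueError(f"{addr} is not inside {zone_prefix}")
    zone = reverse_zone(zone_prefix)
    full_ptr_owner = ip.reverse_pointer          # all 32 nibbles + ".ip6.arpa"
    relative = full_ptr_owner[: -(len(zone) + 1)]  # drop ".<zone>" suffix
    return {
        "aaaa": f"{hostname}. IN AAAA {ip.compressed}",
        "ptr_zone": zone,
        "ptr": f"{relative} IN PTR {hostname}.",
    }


if __name__ == "__main__":
    # Constructed sample: a /48 from the provider, web server on the first /64 LAN.
    print(reverse_zone("2001:db8:1234::/48"))
    for line in records("www.example.com", "2001:db8:1234:1::80",
                        "2001:db8:1234::/48").values():
        print(line)
```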

  • A long way off; for a long time things will be dual-stack. It isn’t
    either IPv4 or IPv6, they coexist just fine.

    That’s why there is DNS! :)

    Nothing more than IPv4 means for your web servers. It is
    just-another-address, configured in the same way as if you had multiple
    IPv4 addresses.

    Nope, you don’t replace, you add.

    It isn’t as scary as some people make it out to be. And IPv6 gets rid
    of numerous hideous hacks that have been built into / onto creaky old
    IPv4.

    Die NAT Die!

    And recent computers or distributions are sitting there quietly waiting
    for their IPv6 address to arrive – probably automatically, via auto
    discovery. Clients are trivial.

  • You’ve got another couple of months. I believe most U.S. network
    providers have agreed to a ‘flag day’ sometime in June 2012.

    Internal networks / backbones at Comcast and Verizon have been IPv6 for
    some time now. At least that is what a credible little bird told me.

  • Hi Adam,

    … and that is EXACTLY the biggest problem with IPv6.

    ‘Introducing’ IPv6 happens automatically in most cases, and inadvertently as well. The moment ISPs start supporting IPv6 for their customers will be a security nightmare, because IPv6 firewalls will not be configured on most networks, and the pseudo-security of NAT will no longer be in effect.

    In fact, a very large number of networks (especially those currently relying on NAT ‘security’) will be completely exposed to the Internet without any protection, and the bad thing is that you just don’t have to do anything to make it ‘work’. From one day to the other, IPv6 connectivity will be there and most people won’t even notice until it’s too late.

    One may only hope that home router manufacturers will deliver standard configurations with all incoming IPv6 traffic (except answers to outgoing packets, obviously) blocked by default, but I’m not very optimistic :-(

    So, before you do anything else, set up proper incoming and outgoing IPv6 port filtering rules on your perimeter routers. It will save you a hell of a headache.

    Peter.

  • If the addresses are auto-discovered, how are you supposed to be able
    to configure filtering rules for what you want to let through?

  • The address is generated from the prefix advertised by the router and the
    MAC address. Later versions of Windows generate a temporary random
    address to increase privacy, which can be disabled. Of course you can still
    assign static IPv6 addresses. I have done this for servers so I can easily
    identify them as I use the last IPv4 octet in the IPv6 address.

    Ryan

  • Well, since 100.64.0.0/10 got allocated for draft-weil, CGN and NAT444 will be a reality, and IPv4 gets a new lease on its fugue state. (see: http://www.ietf.org/mail-archive/web/ietf-announce/current/msg09959.html )

    To Bob’s question, IPv6 and IPv4 will coexist as dual-stack until nothing of importance is left on IPv4, and then it will be turned off by network ops, one AS at a time (iterate across ~30,000 AS’s). It will likely take decades for IPv4 to go away; but I reserve the right to be wrong.

  • On 31.03.2012 17:37, Les Mikesell wrote:

    Same as today: machines which need individual filtering rules need
    static addresses. That includes all machines which are to accept
    connections traversing the firewall, but also machines which are
    permitted to access services that are not generally allowed.

    One difference though: machines will typically have more than one
    IPv6 address, so you may have to somehow make sure that you don’t
    use a different address than the one which is mentioned in the
    filtering rule. That’s no problem for incoming connections. You
    just have to allow the same addresses in the firewall as you
    published in DNS. But for outgoing connections (for example, from
    mail servers) you may have to explicitly specify the source address.

  • Hi Lee,

    very simply.

    1. Each interface on an IPv6 enabled machine has several addresses. One of them is the autoconfigured address, one is the (a) Privacy Extension address, and then you can still configure addresses manually. Obviously the latter method is the right choice for servers.

    2. Except for the Privacy Extension address(es), auto-configured addresses are static (although virtually unmemorisable) as long as the prefix and the host’s MAC address are. So there is a static address that you can put into your DNS and configure on your firewall.

    Best regards,

    Peter.

  • How do applications choose the correct outbound address in that
    scenario? That has always been a problem when using multiple ipv4
    addresses on the same interface in combination with firewalling, etc.
    where the source address matters.

  • Hi Lee,

    that problem hasn’t changed too much from IPv4 to IPv6. Basically, it’s up to the application which IP address it binds to, while the OS should provide sensible defaults. In most cases with Privacy Extension enabled (mostly on client systems), the system should use a PE address, ideally a different one for each connection. Outgoing addresses for servers must be configured, e.g. in Postfix it’s in the ‘smtp_bind_address6’ configuration variable, in BIND ‘query-source-v6’.

    The functionality is there (as it was with v4), applications just have to use it. It is, however, a more pressing issue as with v6 any interface is likely to have several addresses. The generic case for an interface’s addresses is:

    – Privacy Extension address, starting with your prefix and ending with a random node part (it’s likely that there are several of them, as a rollover mechanism exists for address rotation)

    – Static addresses, starting with your prefix and ending with a user-chosen node part for specific services (there might be several of them as well)

    All of them may co-exist. The normal logic for outgoing address selection is to use a PE address if there is one and the autoconfigured address (if present) otherwise (OK, that’s as it *should* be, and most of the time it is). Everything else is up to you and how the software you use binds to outgoing addresses and lets you specify it.

    Best regards,

    Peter.
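    The autoconfigured address that Ryan and Peter describe is a pure function of prefix and MAC, which is why it is stable enough for DNS and firewall rules, and also why it exposes the hardware address that Privacy Extensions hide. This added Python example (not code from the thread) derives it, recovers the MAC from such an address, and picks the stable addresses out of an interface’s address list; every prefix, MAC and address in it is a constructed sample.

```python
"""Added example (not from the thread): EUI-64 stateless autoconfiguration
(RFC 4291, Appendix A) and telling the stable EUI-64 address apart from the
privacy-extension and static addresses on the same interface.
All prefixes, MAC addresses and IPv6 addresses are constructed samples."""
import ipaddress


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prefix + MAC -> autoconfigured address: split the 48-bit MAC, insert
    ff:fe in the middle and flip the universal/local bit of the first octet."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 on-link prefix")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return net.network_address + int.from_bytes(iid, "big")


def mac_from_eui64(addr: str):
    """Inverse of eui64_address(). Returns None when the interface identifier
    lacks the ff:fe marker, i.e. for privacy-extension or hand-picked
    addresses (a hand-picked address could contain ff:fe by chance, so treat
    a non-None result as 'looks autoconfigured', not as proof)."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def stable_addresses(addrs):
    """Subset of an interface's addresses that are EUI-64 derived and therefore
    constant for a given prefix and MAC: candidates for AAAA/PTR records and
    for address-based firewall rules."""
    return [a for a in addrs if mac_from_eui64(a) is not None]


if __name__ == "__main__":
    # Constructed sample interface: static, autoconfigured and one privacy address.
    on_link = ["2001:db8:1234:1::80",
               str(eui64_address("2001:db8:1234:1::/64", "00:11:22:33:44:55")),
               "2001:db8:1234:1:8d1c:3f0a:9b2e:7c45"]
    for a in on_link:
        print(a, "<- MAC", mac_from_eui64(a) or "not derivable")
    print("stable:", stable_addresses(on_link))
```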

  • Or you assign the rule to the interface, rather than the address.
    Nothing new, that is how firewalls work on DHCP clients today.

  • You can explicitly turn it off on every type of client. Then wait till
    you want to do it.

    False. The same firewall rules will apply as before [and NAT isn’t
    pseudo-security – NAT IS *NOT* *NOT* *NOT* A SECURITY FEATURE; please,
    let’s not have to go over that again].

    Your DOCSIS IPv6 capable black-box will apply the same filters to IPv6
    traffic that it does to IPv4 traffic. As will your Vista and Windows 7
    workstations.

    There is no such thing as “NAT security” for them to rely on. If that
    is their security model the administrator is incompetent and should be
    fired immediately.

    False.

    Or they won’t notice and have nothing more to worry about than they did
    before.

    Well, don’t worry. Because that is exactly what happens. An IPv6
    stateful firewall is just as effective as an IPv4 stateful firewall.

    Most consumer routers simply mirror the IPv4 and IPv6 filters. If
    you have a managed network with ‘real’ routers your administrators have
    probably already done that; if you are unsure – ask them.

  • Hi Adam,

    agreed. The problem is that you can, and you actually *must* do it. Doing nothing leaves v6 on by default on most modern operating systems.

    Unfortunately, this is only theoretically true.

    That’s the meaning of ‘pseudo’, isn’t it? :-)

    I’m not talking about host-based packet filtering. Turn on IPv6 on a Cisco box, for example, and none of your packet filters will affect IPv6 traffic. Lots of home/small business routers show the same behaviour, except that you don’t even have to turn on IPv6 routing, it’s on by default.

    Agreed.

    No. See above.

    Not if they either rely on NAT (which *many* home users do – and they are the security problem with respect to Botnets, not properly managed networks like yours and mine).

    Yes, as long as it’s there.

    I don’t have to, as my introduction of IPv6 was some years ago. Telling people to just sit and wait is the worst you can do – at least I wouldn’t trust a ‘black box’ router as far as I can throw it to actually implement v6 filter rules, especially since many of them are fairly old and not on the latest firmware level.

    Best regards,

    Peter.

  • Hi Adam,

    Routing tables won’t do much for you when you have several different IP addresses (stateless autoconfigured, privacy extension and static) within the same network on the same physical interface – they’ll all use the same route. The longest match algorithm would more or less lead to a random choice of source addresses.

    If you want a specific source address to be used, you have to specify it … no big deal, though. bind() hasn’t changed that much.

  • So what does that mean for a client application (http/ftp,etc.) where
    you might have local firewalls permitting things for internal-subnet
    source ranges but you also have external targets that only accept
    pre-configured static sources? With NAT you’d use the public side of
    the NAT for the remote configuration. What’s the equivalent when the
    application has to do it itself?

  • Hi Lee,

    Are you referring to the situation where you have several clients on the internal network that use NAT to appear as one single IPv4 host to an external server, which allows access based on that global outside NAT address?

    The situation is a bit different without NAT. Instead of filtering on a single IPv4 address the external server would filter on a /64 IPv6 network. Security-wise there is no difference as you’ll never get smaller allocations than /64 per site anyway, so what with respect to filtering was a single IPv4 address with IPv4/NAT is a /64 subnet with IPv6: a unique identifier of the network connecting to the external server. Both with IPv4/NAT and IPv6 the server only knows which network you are coming from, not which specific host is trying to connect.

    When there really is a requirement that the external server allows only a single address to access it and that can’t be changed, you could resort to using a proxy.

    If you’re interested, RFC4864 expands on some of the aspects of IPv4/NAT vs. IPv6: http://tools.ietf.org/html/rfc4864

    Best regards,

    Peter.

  • To dispose of them; they are hopelessly pointless. If you want to
    authenticate the source use PKI.

    I know they exist and have personally had to deal with them. That
    doesn’t imply they make any kind of sense.

    If two organizations want to communicate, exclusively and privately,
    with each other they should establish a tunnel.

  • Yea. The clean delegation of IPv6 address space is a beautiful idea.
    Now sit back and watch while providers decimate the entire concept.

    Sigh.

  • On Mon, Apr 2, 2012 at 7:33 PM, Adam Tauno Williams wrote:

    This isn’t a one-to-one relationship, it is an assortment of
    data/service subscriptions among an assortment of providers and
    consumers. There’s normally password protection as well but many have
    a small list of permitted source addresses associated with the account
    to reduce the risk of password sharing and give some protection
    against DDoS attacks. It seems reasonable to expect the same with
    IPv6 if there is a way to do it.
