Musings on the transition to IPv6

As a part of the he.net IPv6 certification program, you have an opportunity to earn extra points by daily activities: IPv6 traceroute, AAAA dig, IPv6 PTR dig, IPv6 ping, and IPv6 whois. Among those, I would say the most commonly used by me are ping and traceroute, then the digs and finally whois. But I use ping and ping6 every day. Yes, the tool to ping something is actually 2 tools. It seems odd that while so many other programs seamlessly handle both network protocols just fine, this one requires a whole new binary. The 'route' command is a single binary, using a command line argument '-4' or '-6' to determine which protocol to use. It defaults to IPv4, since that was around first. On the other hand, nc, dig, ssh/scp, telnet, mtr, wget, curl, ip (though it uses 'inet' and 'inet6'), and many more default to IPv6, only choosing IPv4 if specified or if it is the only protocol available. Then we have the dark side: ping/ping6, traceroute/traceroute6, iptables/ip6tables (along with the -save and -restore variants), and maybe some others.

What prompted the authors of those programs to fork the code to add IPv6 support? I would bet that most of the logic is the same. In fact the man page for ping lists ping6 too; they have the same options. Why can't I just say `ping -6 he.net` or `traceroute -4 google.com`? Last night, I finally got fed up with ping and wrote a little Python wrapper for ping, which parses the arguments, ignoring all except '-4' and '-6' and then passing everything else on to the appropriate ping. If neither '-4' nor '-6' is passed, it does a quick dig for an AAAA address to test if the remote host is even capable of IPv6 and then automatically chooses the right ping. I shouldn't have to do this though. Please give me a reason besides breaking legacy stuff to have an entirely new program. Legacy is not a good enough reason; you can only pack around so much baggage before it pulls you down. Just ask Intel. :)
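A wrapper of the kind described above could look like the following. This is an added example, not the author's script: it uses `socket.getaddrinfo` in place of a dig call for the AAAA check, assumes the destination is the last argument, and passes the chosen binary an argument list through `os.execvp` so no shell ever parses the hostname.

```python
import os
import socket
import sys


def split_family(args):
    """Strip -4/-6 from args and return (family, remaining_args); the last flag wins."""
    family, rest = None, []
    for arg in args:
        if arg in ("-4", "-6"):
            family = arg[1]
        else:
            rest.append(arg)
    return family, rest


def has_aaaa(host, resolve=socket.getaddrinfo):
    """True if the host resolves to at least one IPv6 address."""
    try:
        return bool(resolve(host, None, socket.AF_INET6))
    except (socket.gaierror, UnicodeError):
        # No IPv6 address, resolver failure, or a name that cannot be encoded.
        return False


def build_command(args, resolve=socket.getaddrinfo):
    """Return the argv list of the ping binary that should be run."""
    family, rest = split_family(args)
    if family is None:
        # Assumption: the destination is the last argument (`ping [options] host`).
        family = "6" if rest and has_aaaa(rest[-1], resolve) else "4"
    return ["ping6" if family == "6" else "ping"] + rest


if __name__ == "__main__":
    cmd = build_command(sys.argv[1:])
    # Replace this process with ping/ping6; arguments are passed as a list,
    # so shell metacharacters in a hostname are never interpreted.
    os.execvp(cmd[0], cmd)
```

The `resolve` parameter exists only so the selection logic can be exercised with a stub resolver instead of live DNS.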

Finally, you have the ubiquitous browsers, which if they are well behaved do both IPv4 and IPv6, favoring the latter when it is available (and not even really letting you pick or telling you what you are using; the only way to know for sure is to have the webserver report your IP address). This is helpful for the chicken/egg scenario that we are seeing with this transition. We don't need to support IPv6, nobody is using it. But if we can at least get all the dual-stack folks to use it by default, that will give a little push. This leads us to other services. Most of the services that I have come across now support IPv6 as well: http (apache2, lighttpd, cherokee, and more), smtp (postfix, exim, qmail, and more), imap (courier, uw-imap, and more), dns (bind, dnsmasq), and many more. The services vary on whether they listen by default on IPv6 if it is available. Most you have to configure to suppress IPv6 support; that is a good default.

The truth is, most people don't care about the transition to IPv6; most don't even know what IPv6 is and don't want to know. But the end of IPv4 is looming on the horizon and it may hurt when it gets here unless we, the geeks who run the networking backbone of the planet, make sure we are ready. The current policy of many applications to default to IPv4 for legacy's sake needs to stop. If the computer has IPv6 connectivity, it should be using that by default and falling back to IPv4 only when explicitly requested or when the service is not available on IPv6. Then we just have to get all those lumbering service providers to move. But there's no business justification for IPv6.... Make one and save the planet.

Server Tinkering

I was born to tinker. I think this must be the opposite of the optimizer. I see a project in anything that I could tweak to make it a little better. This not only applies to computers, which are the easiest thing to tinker with, but food, DIY projects, and more. This particular post is centered a little more around computer tinkering, just as a warning to the technophobes.

My host for the past 2+ years for this server has been Site5. They have been adequate. I had never used a Web Hosting Service before so this was a whole new experience. Moving there from a private server took a lot of tweaking. Server-wise, they were pretty good. I think my site got its fair share of the server pie, but it is not a really demanding site. Service-wise (meaning the people), I think they only get 4 out of 5 stars. Whenever I had a problem, they did finally resolve it, but it took some work and push-back from me to make it happen. Usually the first contact would try to blow me off. I would patiently explain that they were contractually obligated to fix the problem and then 'level 2' support would fix it. I could deal with this if they had all the features I wanted, but I wanted more. Sure, they have 'unlimited' disk space (as long as you don't use it), and unlimited bandwidth, which with my vast sea of devoted readers, I don't really need. But what I do need is IPv6. And they have no plans for that (at least I am privy to none).

So I jumped ship. The market for dual stack hosting is not yet very big so there really aren't that many service providers yet. I finally found BurstNET®, which seemed to offer IPv6 as well as very low-priced VPS (Virtual Private Server). So low, in fact, that I could get a whole VPS for less than I was paying at Site5. That's very cool. Being a tinkerer, I really need w00t. Still, since BurstNET uses OpenVZ technology instead of Xen or KVM, I don't quite have complete control over everything. I don't get to configure my network, for instance. But I do have two static IPv4 IP addresses; doing my part to reduce the remaining pool of IPv4 addresses. And after a quick service request, they granted me two IPv6 addresses. Yes, only two, not an entire subnet. I thought that was odd, but hey, at least it is something. Their service department has been nothing but good. I have made several requests for help:

  • Request for IPv6 connectivity
  • Request for reverse-DNS mapping IPv4 and IPv6 addresses
  • Request to get ip6tables working

All their responses were quick and positive. This was the best service I had ever gotten and for what? Yup, $5/mo. This month I got more than my money's worth in support man-hours. I am hoping that the tinkering I have done over the last week is sufficient to have my VPS in decent shape.

Also as part of my tinkering, I managed to set up my VPS as a master name server for the three DNS zones that I control (mauery.org, mauery.com, and my he.net IPv6 arpa reverse zone). Then, using HE.net's DNS service, I can push to their DNS slave servers. This means that I have five geographically diverse, topologically diverse, redundant nameservers. So even though almost nobody reads my blog, you will never not be able to track it down.

Now on to the next tinkering project....

IPv6 Certified

IPv6 Certification Badge for vmauery

Some will care and some will not, but I can now boast that I have finished all the IPv6 certification tests at ipv6.he.net. The last one was a real stinker. A while back, I registered mauery.org because I wanted to tinker with DNS stuff. But it turns out that I registered with a registrar that doesn't support IPv6 glue records, which were the entirety of the last certification step. I gave up after a while, since I didn't know what I was doing and didn't have the time to sit down and figure it out. Recently I got the itch to finish up my certification with he.net. I looked into glue records, which are basically the link that breaks the recursion in DNS. For IPv4, the glue records are apparently pretty easy to come by, but few registrars will do IPv6 glue records yet. Fewer still actually have a way to do it without raising a support ticket. I found one that does (gkg.net), moved mauery.org over to them, and got my glue records all up in the TLD's nameserver. Hooray.

Now, mauery.org is a fully functional IPv4/IPv6 domain. You can access it via IPv4 only, dual stack, or IPv6 only. Too bad it doesn't really do anything that you could get access to... I don't run any public webservers in the domain or anything. It is basically my home network. Like I said, I purchased the domain because I wanted to play around with DNS and learn some things. For a long while, I was using mauery.home as my domain. I know, .home is not a real TLD, but I figured that it would make sure that there were no namespace collisions with any legitimate domain names. I have since moved over to the mauery.org domain.

Does my certification make me superior to you? Maybe not. But my domain kicks your domain's arrobase. And the free t-shirt doesn't hurt.