Ipv6 for the content provider

Hello,

All the recurring threads about prefix length, security posture, DDoS,
consumer CPE support have been somewhat interesting to my service
provider alter ego. IPv6 is definitely on folks' minds this year. The
threads seem a lot less trollish as well. It appears some significant
progress is being made, and people's opinions are firming up. Hopefully
this will help move IPv6 adoption forward.

I have recently turned up an IPv6 tunnel with he.net and have end-to-end
connectivity. I'm using pfSense as my routing platform. It was pretty
easy (about 10 minutes of total work, I think). So I can connect to
various IPv6-enabled sites on the interwebz. This seems to be the first
step in deployment.

For the most part, I'm a data center/application administrator/content
provider kind of guy. As such, I want to provide all my web content over
IPv6, and support IPv6 SMTP. What are folks doing in this regard?

Do I just need to assign IP addresses to my servers, add AAAA records to
my DNS server and that's it? I'm running PowerDNS for DNS, Apache for
WWW, Postfix for SMTP.

Feel free to point me at any good manuals and say RTFM :slight_smile:

--
Charles N Wyble (charles@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344
Office: 310 929 8793

Bind and apache work with v6 out of the box, and have for years. As I
understand it, when a client requests a particular domain of yours and gets
an A and an AAAA, the client will default to the AAAA (assuming it's on a v6
network) and attempt to communicate as such. Failing that, it will fall back
to the v4 A record.

So in short, yes, it's as simple as telling the daemons to listen on your v6
addresses and adding the AAAA records. Just think how happy your 1
client/customer using IPv6 will be :wink:

-Jack Carrozzo

> From: Charles N Wyble
> Sent: Wednesday, January 26, 2011 10:23 AM
> To: nanog@nanog.org
> Subject: Ipv6 for the content provider
>
> For the most part, I'm a data center/application administrator/content
> provider kind of guy. As such, I want to provide all my web content over
> IPv6, and support IPv6 SMTP. What are folks doing in this regard?
>
> Do I just need to assign IP addresses to my servers, add AAAA records to
> my DNS server and that's it? I'm running PowerDNS for DNS, Apache for
> WWW, Postfix for SMTP.
>
> Feel free to point me at any good manuals and say RTFM :slight_smile:

Most load balancers these days will allow you to provision an IPv6
virtual IP that balances to v4 servers. So you can provide services
over v6 without a lot of changes inside your network. You will need a
DNS server that hands out AAAA records though.

> Do I just need to assign IP addresses to my servers, add AAAA records to
> my DNS server and that's it? I'm running PowerDNS for DNS, Apache for
> WWW, Postfix for SMTP.

It might be that simple, it might not. Depends on your application.

For the DNS and Mail, it should be pretty much that simple. I don't know
about the state of Postfix (don't use it), but, sendmail has been IPv6
ready for years and I'm running with it no problem.

As to the web, Apache is fully IPv6 ready and that's easy. It will
take IPv6 addresses in all the same places you would configure
IPv4 addresses. You do need to enclose the address portion
in brackets with the port number outside the brackets.

e.g.: 2620:0:930::400:7 on port 80 = [2620:0:930::400:7]:80

Other considerations that may be important:

  1. Load balancers
  2. Log parsers
  3. UI stuff that accepts or reports IP addresses
      Application
      Site Administration
      CMS
  4. Databases that contain IP address(es)
  5. Other tools, files, etc. that may interact with IP addresses

All of those things will need additional attention as you add IPv6
capabilities to your site. Some sites have to worry about all 5.
Some sites don't have to worry about any of these things.

I was able to do all the web sites I host at home just by adding
the appropriate Apache configs and putting in the AAAA
records next to the A records. Took me about an hour for a
couple dozen sites.

I've received exactly zero user complaints since the IPv6
implementation.

More complex environments may take considerably more effort.

Owen

And if your servers behind the LB aren't prepared for it, you lose a LOT
of logging data, geolocation capabilities, and some other things if you
go that route.

Owen

I haven't worked with Postfix recently but Exim on a default config will start talking IPv6 as soon as it has connectivity. Just be careful of this since you need to make sure that all your rDNS, SPF, etc. ducks are in a row before you give it IPv6 since it can start delivering mail via IPv6 with very little encouragement.

With Apache I've had some funnies with how it binds (or fails) to IPv4 and IPv6 sockets at startup. Once you're over that hurdle I've found that the majority of open source web apps either support IPv6 or are designed correctly to not be impacted by other layers in the network stack.

It's important to keep a close eye on logs and also don't roll out to all your servers in one go. The gradual migration to dual stack has been fairly painless for me.

In a message written on Wed, Jan 26, 2011 at 10:22:40AM -0800, Charles N Wyble wrote:

> For the most part, I'm a data center/application administrator/content
> provider kind of guy. As such, I want to provide all my web content over
> IPv6, and support IPv6 SMTP. What are folks doing in this regard?
>
> Do I just need to assign IP addresses to my servers, add AAAA records to
> my DNS server and that's it? I'm running PowerDNS for DNS, Apache for
> WWW, Postfix for SMTP.

The layer 3 part for you is really simple. Here's a deployment model we
use a number of places. I'm going to assume you have a /48, from ARIN
or your upstream.

Lay out your networks as:

  AAAA:BBBB:CCCC:<vlan>::/64

The AAAA:BBBB:CCCC::/48 was given to you by ARIN/your upstream.
For VLAN I recommend being human friendly and making vlan 10 be
AAAA:BBBB:CCCC:0010::/64, even though that's technically 16 in Hex.

The VLANs consume 4096 of your 65536 subnets, so you still have
many more to play with. Want to know what address to configure?
Well, you can guess if you know the VLAN number.

We then also do the same thing with the address, if it's a static
server. Say the server was 10.2.50.210. We re-use the 210 part,
and get AAAA:BBBB:CCCC:0010::210, assuming it is on VLAN 10.

So you assign addresses to your boxes, decide if you want static
default routes or want to allow them to learn a default via RA, and
well, you're basically done for Layer 3.

Application level support on Linux/FreeBSD/NetBSD is 98% and rising
every day. Apache, BIND, Postfix, they all work great. The "problem"
is you may need config adjustment. Your Apache ListenOn's will
need IPv6 added, your Postfix "local nets" ACL will need your IPv6
addresses added, and so on.

And that is the crux of the migration issue. Updating all the
configuration in all the apps to both do the right thing and be
secure in IPv6. That is where all of your work will be, particularly
if you have custom systems to manage IPs or configs.
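A worked version of the addressing plan Leo describes, as an added example that is not part of Leo's post or of any tool he names. It uses the documentation prefix 2001:db8:1::/48 as a constructed stand-in for AAAA:BBBB:CCCC::/48, writes the VLAN number and the IPv4 last octet as hex digits the way Leo suggests, and also goes the other way: recovering the VLAN and host number from an address, which is what a log parser or inventory script following this plan would need. Dale's caution later in the thread, that an addressing plan outlives the infrastructure, applies to anything derived this way.

```python
import ipaddress

# Constructed stand-in for the AAAA:BBBB:CCCC::/48 in Leo's post
# (2001:db8::/32 is the IPv6 documentation range).
SITE_PREFIX = "2001:db8:1::/48"


def _decimal_as_hex(n: int) -> int:
    """Reinterpret the decimal digits of n as hex digits: 10 -> 0x10, 210 -> 0x210."""
    return int(str(n), 16)


def _hex_as_decimal(n: int) -> int:
    """Inverse of _decimal_as_hex. Rejects values whose hex form contains a-f,
    since the plan never produces those (they stay free for other uses)."""
    digits = format(n, "x")
    if not digits.isdigit():
        raise ValueError(f"id {digits} was not allocated under this plan")
    return int(digits, 10)


def vlan_subnet(prefix48: str, vlan: int) -> ipaddress.IPv6Network:
    """The /64 for a VLAN: the subnet id is the VLAN number written as hex digits."""
    base = ipaddress.IPv6Network(prefix48, strict=True)
    if base.prefixlen != 48:
        raise ValueError("the plan assumes a /48")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id outside the 802.1Q range")
    subnet_id = _decimal_as_hex(vlan)  # VLAN 10 -> 0x0010
    return ipaddress.IPv6Network((int(base.network_address) | (subnet_id << 64), 64))


def host_address(prefix48: str, vlan: int, ipv4: str) -> ipaddress.IPv6Address:
    """Static host address: reuse the last octet of the box's IPv4 address as the
    interface id, so 10.2.50.210 on VLAN 10 becomes ...:10::210."""
    last_octet = int(ipaddress.IPv4Address(ipv4)) & 0xFF
    net = vlan_subnet(prefix48, vlan)
    return ipaddress.IPv6Address(int(net.network_address) | _decimal_as_hex(last_octet))


def decode(prefix48: str, addr: str) -> tuple:
    """Recover (vlan, host_octet) from an address allocated under the plan."""
    base = ipaddress.IPv6Network(prefix48, strict=True)
    ip = ipaddress.IPv6Address(addr)
    if ip not in base:
        raise ValueError(f"{addr} is outside {prefix48}")
    value = int(ip)
    subnet_id = (value >> 64) & 0xFFFF      # bits 48..63 of the address
    iid = value & ((1 << 64) - 1)           # low 64 bits
    return _hex_as_decimal(subnet_id), _hex_as_decimal(iid)


if __name__ == "__main__":
    print(vlan_subnet(SITE_PREFIX, 10))                  # 2001:db8:1:10::/64
    print(host_address(SITE_PREFIX, 10, "10.2.50.210"))  # 2001:db8:1:10::210
    print(decode(SITE_PREFIX, "2001:db8:1:10::210"))     # (10, 210)
```

Because the digits are reinterpreted rather than converted, subnet ids and interface ids containing the hex letters a-f are never produced by this mapping, which is what makes `decode` able to tell a plan-derived address from a hand-assigned one.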

> And if your servers behind the LB aren't prepared for it, you lose a LOT
> of logging data, geolocation capabilities, and some other things if you
> go that route.
>
> Owen

I can't imagine an LB vendor who would sell a v6 to v4 vip solution who
wouldn't provide a way to inject the v6 addr into the request as an
additional header? I suggest a naming-and-shaming is in order.

I run a low traffic mail server with Postfix, and setting up IPv6 was as
easy as adding AAAA records for the MX-es and enabling 'inet_protocols =
all' in main.cf

-Lorand Jakab

Best to remove IP version dependencies in your configs.

If you are using name-based virtual hosting in Apache, convert:

   Listen a.b.c.d:80 -> Listen 80
   <Virtualhost a.b.c.d:80> -> <Virtualhost *:80>

Use hard-coded IP addresses only where required for stuff like SSL-enabled webhosts.

In postfix just add to main.cf:

   inet_interfaces = all
   inet_protocols = all

And make sure your MX hostnames have AAAA RRs.

Antonio Querubin
e-mail/xmpp: tony@lava.net

Depending on your local configuration, you may have to change some minor
options (e.g. add an IPv6 Listen line for Apache), but yeah, in general it's
as simple as adding an AAAA record in the DNS.

The only troublesome applications I still encounter these days are
Munin (monitoring stuff: http://www.munin-monitoring.org/) and anything
that's Java based.

If it's running on an IPv6-enabled host, Java wants to use IPv6 sockets for
everything - including IPv4 connections.
Most modern operating systems do not allow this; you have to force the use
of either IPv4 or IPv6 and disable the other protocol.

I had to put these options in a Tomcat startup script:
  -Djava.net.preferIPv4Stack=false -Djava.net.preferIPv6Addresses=true

> Application level support on Linux/FreeBSD/NetBSD is 98% and rising
> every day. Apache, BIND, Postfix, they all work great. The "problem"
> is you may need config adjustment. Your Apache ListenOn's will need
> IPv6 added, your Postfix "local nets" ACL will need your IPv6
> addresses added, and so on.
>
> And that is the crux of the migration issue. Updating all the
> configuration in all the apps to both do the right thing and be secure
> in IPv6. That is where all of your work will be, particularly if you
> have custom systems to manage IPs or configs.
>
> --
>        Leo Bicknell - bicknell@ufp.org - CCIE 3440
>         PGP keys at Leo Bicknell's Personal Page

We're still having some problems with Linux and Java. For example, a v6
socket is supposed to support either protocol. But for some reason, and
I don't know if this is just one particular kernel, if communication is
attempted under some circumstances with a v4 address on a dual-stacked
host, the packets go out on the wire with v6-mapped v4 addresses
(::ffff:x.x.x.x), which isn't supposed to happen. So everything isn't
quite there yet for dual-stacking all applications. The "safest"
approach on paper is v6 native using NAT64/DNS64, but getting the NAT64
piece in place at production quality and scale is a problem at this
point.

> And if your servers behind the LB aren't prepared for it, you lose a LOT
> of logging data, geolocation capabilities, and some other things if you
> go that route.
>
> Owen

Relying on IP address for geolocation is actually quite ridiculous,
though I do realize that many people seem to believe that you can map an
IP address to the physical location of the originator of the data, at
least to the country level, but I suppose some people will sell you
anything.

We haven't seen any problem with logging data so far in our testing.

One additional note. Add your IPv6 prefixes to mynetworks. The IPv6 prefix should be enclosed in brackets before the prefix length. I.e. the IPv6 loopback would be added as [::1]/128.

Antonio Querubin
e-mail/xmpp: tony@lava.net
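The mynetworks syntax Antonio describes, together with the reason it matters: permit_mynetworks is the relay ACL, so a wrong or over-broad IPv6 entry is what turns a dual-stack Postfix into an open relay over v6 (this is the "local nets ACL" Leo mentions). The code below is an added example, not Postfix's own code or Antonio's configuration; it renders entries in the bracketed form, parses the CIDR forms shown in the thread (not hostnames or table lookups, which Postfix also accepts), and checks whether a given client address would match. The sample prefixes are constructed from documentation space, and treating ::ffff:a.b.c.d clients as their IPv4 address is this example's choice, made so that IPv4-mapped clients seen on a dual-stack listener compare against the IPv4 entries.

```python
import ipaddress
from typing import List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def mynetworks_entry(cidr: str) -> str:
    """Render one network in main.cf syntax: IPv6 gets brackets around the
    address with the prefix length outside, e.g. [::1]/128."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 6:
        return f"[{net.network_address.compressed}]/{net.prefixlen}"
    return f"{net.network_address}/{net.prefixlen}"


def mynetworks_line(cidrs: List[str]) -> str:
    """A complete 'mynetworks = ...' line for main.cf."""
    return "mynetworks = " + " ".join(mynetworks_entry(c) for c in cidrs)


def parse_mynetworks(value: str) -> List[Net]:
    """Parse the value part of mynetworks: plain IPv4 CIDRs and [addr]/len IPv6
    entries, separated by whitespace or commas."""
    nets: List[Net] = []
    for tok in value.replace(",", " ").split():
        if tok.startswith("["):
            addr, sep, plen = tok[1:].partition("]/")
            if not sep:
                raise ValueError(f"expected [addr]/len, got {tok!r}")
            nets.append(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
        else:
            nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def client_may_relay(mynetworks: str, client: str) -> bool:
    """Would permit_mynetworks match this SMTP client? IPv4-mapped IPv6 clients
    (::ffff:a.b.c.d, seen on dual-stack listeners) are compared as IPv4."""
    ip = ipaddress.ip_address(client)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == n.version and ip in n for n in parse_mynetworks(mynetworks))


if __name__ == "__main__":
    # Constructed sample: loopback both ways plus one server VLAN's /64.
    line = mynetworks_line(["127.0.0.0/8", "::1/128", "2001:db8:1:10::/64"])
    print(line)  # mynetworks = 127.0.0.0/8 [::1]/128 [2001:db8:1:10::]/64
    value = line.split("=", 1)[1]
    for c in ("2001:db8:1:10::210", "2001:db8:1:20::1", "::ffff:127.0.0.1"):
        print(c, client_may_relay(value, c))
```

Keep the IPv6 entries as narrow as the IPv4 ones. Listing the whole /48 because "the servers live there" means every host on every VLAN in it, including ones that may later hold guest or test systems, can relay through the box; the check above makes that visible before the config goes live.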

Thus spake Jack Carrozzo (jack@crepinc.com) on Wed, Jan 26, 2011 at 01:38:48PM -0500:

> As I understand it, when a client requests a particular domain of yours and gets
> an A and an AAAA, the client will default to the AAAA (assuming it's on a v6
> network) and attempt to communicate as such. Failing that, it will fall back
> to the v4 A record.

This is true for now.

See draft-wing-v6ops-happy-eyeballs-ipv6-01
for a proposal on how this could change.

Dale

Thus spake Leo Bicknell (bicknell@ufp.org) on Wed, Jan 26, 2011 at 10:55:26AM -0800:

> The layer 3 part for you is really simple. Here's a deployment model we
> use a number of places. I'm going to assume you have a /48, from ARIN
> or your upstream.
>
> Lay out your networks as:
>   AAAA:BBBB:CCCC:<vlan>::/64
>
> The AAAA:BBBB:CCCC::/48 was given to you by ARIN/your upstream.
> For VLAN I recommend being human friendly and making vlan 10 be
> AAAA:BBBB:CCCC:0010::/64, even though that's technically 16 in Hex.

At our site, we very strongly discourage mapping like this. Your addressing
plan will outlive your infrastructure, and you will be stuck with it until
renumbering is no longer hard.

Dale

Sure, but, if you're not prepared to parse, log, and deal with that header,
then, you lose, right?

Note I said "IF your servers behind the LB aren't prepared for it..."

Owen

>> Do I just need to assign IP addresses to my servers, add AAAA records to
>> my DNS server and that's it? I'm running PowerDNS for DNS, Apache for
>> WWW, Postfix for SMTP.
>
> Best to remove IP version dependencies in your configs.
>
> If you are using name-based virtual hosting in Apache, convert:
>
>    Listen a.b.c.d:80 -> Listen 80
>    <Virtualhost a.b.c.d:80> -> <Virtualhost *:80>

That only works if you have only one address on the machine and.

If you have addresses that aren't intended for name-based-site-A but
do terminate SSL connections to sites B, C, and D, then you probably
don't want to use * for site A.

> Use hard-coded IP addresses only where required for stuff like SSL-enabled webhosts.

Depends on the complexity of your environment. In a more complex configuration
you can actually save yourself a lot of trouble and confusion later by using a
construct like this:

Listen 192.159.10.7:80
Listen [2620:0:930::dead:beef:cafe]:80
Listen [2620:0:930::400:7]:80
<VirtualHost 192.159.10.7:80 [2620:0:930::400:7]:80 [2620:0:930::dead:beef:cafe]:80>
  ServerName www.delong.com
...

YMMV, but, that's working reliably in my environment for:

[root@owen conf]# host www.delong.com
www.delong.com has address 192.159.10.7
www.delong.com has IPv6 address 2620:0:930::400:7

(The dead:beef:cafe address isn't currently in the AAAAs that are publicly visible because
it's used for specialized testing from different DNS views.)

The machine in question has a number of IPv4 and IPv6 addresses many
of which terminate HTTP/HTTPs connections, some of which do not.

Owen
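The two Apache forms discussed in this exchange, Antonio's version-independent `Listen 80` / `<VirtualHost *:80>` and Owen's explicit multi-address `<VirtualHost>`, generated from one address list, with the bracket rule from Owen's earlier message applied automatically. This is an added example, not Owen's configuration or Apache code; it reuses the addresses from Owen's example above and assumes nothing else about his setup. It also includes the inverse, a strict `[addr]:port` parser, because Owen's list of things that need attention (log parsers, UIs that accept or report addresses) is exactly where a naive split on the last colon breaks on IPv6.

```python
import ipaddress
from typing import Iterable, Optional, Tuple


def endpoint(addr: str, port: int) -> str:
    """Render addr:port the way Apache wants it: IPv6 literals in brackets
    with the port outside, IPv4 untouched."""
    ip = ipaddress.ip_address(addr)
    return f"[{ip.compressed}]:{port}" if ip.version == 6 else f"{ip}:{port}"


def parse_endpoint(text: str) -> Tuple[str, int]:
    """Inverse of endpoint(), for log parsers and admin UIs. Refuses a bare
    IPv6 literal with a trailing :port, because 2620:0:930::400:7:80 cannot
    be split unambiguously."""
    if text.startswith("["):
        host, sep, port = text[1:].partition("]:")
        if not sep:
            raise ValueError(f"missing ]:port in {text!r}")
        ipaddress.IPv6Address(host)  # raises on a malformed literal
        return host, int(port)
    if text.count(":") != 1:
        raise ValueError(f"ambiguous endpoint {text!r}; bracket IPv6 literals")
    host, port = text.split(":")
    ipaddress.IPv4Address(host)
    return host, int(port)


def apache_vhost(server_name: str, addrs: Optional[Iterable[str]], port: int = 80) -> str:
    """Listen lines plus a <VirtualHost> block. With an address list, every
    address is bound explicitly (Owen's form); with addrs=None it emits the
    version-independent 'Listen 80' / '<VirtualHost *:80>' form."""
    if addrs is None:
        endpoints = [f"*:{port}"]
        listens = [f"Listen {port}"]
    else:
        uniq = list(dict.fromkeys(addrs))  # keep order, drop duplicates
        endpoints = [endpoint(a, port) for a in uniq]
        listens = [f"Listen {e}" for e in endpoints]
    return "\n".join(listens + [
        f"<VirtualHost {' '.join(endpoints)}>",
        f"    ServerName {server_name}",
        "</VirtualHost>",
    ])


if __name__ == "__main__":
    # Addresses from Owen's example in the thread; www.example.com is constructed.
    print(apache_vhost("www.delong.com", ["192.159.10.7", "2620:0:930::400:7"]))
    print(apache_vhost("www.example.com", None))
    print(parse_endpoint("[2620:0:930::400:7]:80"))
```

`Listen 80` without an address binds every address the host has on that port, which is the source of the name-based-vs-SSL clash Owen points out; the explicit form only touches the addresses you list.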

I don't disagree, but, since people like Wells Fargo are using it as a
security check (ask me about my experiences trying to log in from
Rwanda to check on a mortgage payment some time), things that
potentially make it even more broken than it is are worth pointing
out to administrators that may be stuck implementing IPv6 on sites
that may have such dependencies.

Owen

>> For the most part, I'm a data center/application administrator/content
>> provider kind of guy. As such, I want to provide all my web content over
>> IPv6, and support IPv6 SMTP. What are folks doing in this regard?
>>
>> Do I just need to assign IP addresses to my servers, add AAAA records to
>> my DNS server and that's it? I'm running PowerDNS for DNS, Apache for
>> WWW, Postfix for SMTP.
>
> Depending on your local configuration, you may have to change some minor
> options (e.g. add an IPv6 Listen line for Apache), but yeah, in general it's
> as simple as adding an AAAA record in the DNS.
>
> The only troublesome applications I still encounter these days are
> Munin (monitoring stuff: http://www.munin-monitoring.org/) and anything
> that's Java based.
>
> If it's running on an IPv6-enabled host, Java wants to use IPv6 sockets for
> everything - including IPv4 connections.

If you're not on a broken BSD or Windows implementation, that shouldn't be a problem.

It would be nice if BSD would correct their IPV6_V6ONLY behavior instead
of putting up an alleged security red herring. I'm not sure why Micr0$0ft suffers
from this braindeath.

> Most modern operating systems do not allow this; you have to force the use
> of either IPv4 or IPv6 and disable the other protocol.

Not true. Other than BSD/Windows, most modern operating systems actually
follow the RFCs in this regard. Even most of the BSD derivatives will allow
you to correctly set IPV6_V6ONLY=False to correct the errant default
behavior.

Owen
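What the IPV6_V6ONLY argument in this exchange comes down to, shown on loopback: an AF_INET6 socket bound to [::] with the option cleared also accepts IPv4 clients, and the listener sees them in the ::ffff:a.b.c.d mapped form mentioned earlier in the thread; with the option set, the same IPv4 connect is refused. This is an added example, not from the thread or any OS vendor. It sets the option explicitly rather than relying on the per-OS default the thread argues about, and reports "unsupported" rather than failing on a host with no usable IPv6 stack. The second function is the normalization step logs and ACLs need so that an IPv4 client over a dual-stack listener is still recorded and matched as IPv4.

```python
import ipaddress
import socket
from typing import Optional

UNSUPPORTED = "unsupported"


def accept_v4_on_v6_listener(v6only: bool) -> Optional[str]:
    """Bind an AF_INET6 socket to [::] with IPV6_V6ONLY set as given, connect to it
    over IPv4 loopback, and return the client address the listener sees.
    Returns None when the IPv4 connect is refused (the v6only=True case) and
    UNSUPPORTED when the host cannot create or bind a dual-stack socket."""
    if not socket.has_ipv6 or not hasattr(socket, "IPV6_V6ONLY"):
        return UNSUPPORTED
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return UNSUPPORTED
    with srv:
        try:
            srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
            srv.bind(("::", 0))  # port 0: the kernel picks a free port
            srv.listen(1)
            srv.settimeout(2)
            cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        except OSError:
            return UNSUPPORTED
        port = srv.getsockname()[1]
        with cli:
            cli.settimeout(2)
            try:
                cli.connect(("127.0.0.1", port))
            except OSError:  # ECONNREFUSED: nothing is listening on IPv4
                return None
            try:
                conn, peer = srv.accept()
            except OSError:
                return UNSUPPORTED
            conn.close()
            return peer[0]  # '::ffff:127.0.0.1' on a dual-stack listener


def normalize_peer(addr: str) -> str:
    """What to log or feed an ACL: strip the ::ffff: mapping so an IPv4 client
    is recorded as IPv4 and matches IPv4 rules."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


if __name__ == "__main__":
    seen = accept_v4_on_v6_listener(v6only=False)
    print("V6ONLY=0, IPv4 client seen as:", seen)
    if seen not in (None, UNSUPPORTED):
        print("normalized for logs/ACLs:", normalize_peer(seen))
    print("V6ONLY=1, IPv4 client seen as:", accept_v4_on_v6_listener(v6only=True))
```

Setting the option per socket is the portable answer to the default the thread disputes: an application that clears it gets one dual-stack listener everywhere the kernel permits it, and one that sets it gets separate IPv4 and IPv6 listeners with no mapped addresses in its logs.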