[Cialug] Are you using IPv6?

Zachary Kotlarek zach at kotlarek.com
Thu Mar 29 16:16:35 CDT 2012


On Mar 29, 2012, at 1:00 PM, Matthew Nuzum wrote:

> Are you using IPv6? If so, what challenges did you have?


I'm using IPv6 all across my internal networks and my VPNs. I only have native IPv6 upstream at one site, but I've got tunnels at all the others; all hosts on my networks that support IPv6 have a globally-routable IPv6 address.

My only significant problem has been that some sites return AAAA records but are not actually IPv6 reachable. It's a configuration problem on their end but it's still an IPv6-related hassle. This is less frequent these days, but I still run into it occasionally.

Another issue is a lack of NAT-related capabilities in ip6tables. The stateful firewall stuff is all there, but if you want to run a transparent HTTP proxy, there's no way to do the necessary redirect. For many users this is not a concern, but if you need to do address mangling, IPv6 may make your life harder. Note that this is an intentional design choice; they specifically do not want to enable NAT-for-IP-consolidation in IPv6, and there has not yet been a work-around to support the non-IP-consolidating features of NAT.

Finally, I've found radvd to be a bit flaky (not to mention hard-to-use if you frequently add/remove interfaces). It's not unusable -- all it does is RAs so a few seconds of downtime here and there is not a big deal -- but I've scheduled a cron job to restart it regularly. YMMV; I have a complex and dynamic network which may stress out radvd more than a typical network. But if there's a better option out there for RAs I'd be happy to hear about it.

--

I've yet to find a DNS cache that:
	Will listen/respond on IPv6
	Allows simple overrides to specific domains (i.e. I can redirect queries for example.com to my own DNS server)
	Isn't BIND (or at least doesn't require me to run the full BIND feature set and all its vulnerabilities)
so my network is not yet ready for IPv6-only hosts, as DNS queries all must be carried via IPv4. If anyone has suggestions for such a cache I'd be happy to hear about it.


> At my house it appears that about every device on the network supports
> IPv6. The only one I'm not sure about is iOS but I hear that it has
> been supported since v4, so I think I should be good.


iOS seems to support IPv6, but AFAIK there's no manual configuration interface, or even an enable/disable switch -- you have to take what you get via autoconfig, and you'll be IPv6-enabled any time the device sees an RA.

	Zach
