Address exhaustion is finally about to make us all take IPv6 seriously.
I know the theory; heck, I've even taught the theory in networking courses. What I would like to find - and haven't - is a source of practical information for introducing IPv6 into a network. How should the firewall be set up? What does Apache need, to make a website IPv6 accessible? What about HTTPS? SSH? DNS? What are the security gotchas? Hands-on, practical stuff.
I've looked around for online courses - I've even completed one. Unfortunately, the information was pathetic; I'm not sure I actually learned anything useful. There must be good sources out there. Any Soylentils have recommendations?
(Score: 3, Informative) by ledow on Monday August 03 2015, @10:40AM
Seriously?
Wherever you would normally put an IPv4 address, put the IPv6 address into it.
The only "oddball" - wherever you would normally change an A DNS record, change the AAAA instead (why they are different I've never worked out - MX records are the same for both).
The tools for IPv6 have slightly different names - ip6route, etc. Apart from that, it's all the same.
There's no "magic" involved in IPv6 if the software supports it. Just replace with IPv6-style addresses and restart the service.
Yes, I've IPv6'd all my external servers for everything from firewall to mail server to web server to game servers to routing to VPN. Doing it on Windows? Use the IPv6 protocol on the network adaptor instead of the IPv4 one. Same kind of changes.
(Score: 3, Insightful) by VLM on Monday August 03 2015, @12:14PM
It's more a conceptual thing once you get above device level.
One huge entertainment for the noobs is ALL ipv6 interfaces have multiple addresses, a link and a global at least. This can get people all confused, they "can't access the internet but have a perfectly good (link) ipv6 addrs so the router "must" be up". Well you can (auto)negotiate a perfectly good link addrs adhoc without a working router at all...
Another good laugh over the last 20 years is flamewars about ipv6-NAT. There are just fundamentally oppositional issues WRT filtering rules and security and stability vs autoconfiguration.
Oh another laugh, admittedly mostly historical, RADVD vs DHCPv6 fun fun fun. I seem to remember there being more dynamic config protocols, at least 4 semi-living ones at one time. ipv4 was much more boring with basically only DHCP, in practice.
There are also vaguely practical issues like designing a sane addressing and subnetting scheme (admittedly a lot easier than ipv4) and the insanity riddled craft of setting up a sane modern reverse DNS ipv6 infrastructure so that things like traceroutes give nice human names for router interface hops, assuming you even want to do that.
Finally there's just "wrap your head around" routing protocol changes. If you're still using something like IGRP I guess in many ways you're SOL not just the ipv6 conversion. You can do ipv6 rip aka RIPng (I kid you not, it was back in the era of ST:TNG) or ipv6 OSPF aka OSPFv3. OSPF ipv6 is pretty funny, scroll up and re-read the "fun" about the difference between links and interfaces, so from what I remember v2 aka ipv4 only is internally strongly "subnet oriented" vs v3 aka multiprotocol is "link oriented" which has some minor troubleshooting conceptual issues.
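Added example, not part of VLM's comment: a small diagnostic for the link-versus-global confusion described above. It classifies each interface's IPv6 addresses and reports the widest scope available, so a link-local-only interface is not mistaken for working connectivity. The sample output is constructed and the function names are illustrative.

```python
import ipaddress
import re

# Constructed `ip -6 addr show` output; 2001:db8::/32 is the documentation prefix.
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::5054:ff:fe12:3456/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1:2:5054:ff:feab:cdef/64 scope global dynamic
    inet6 fe80::5054:ff:feab:cdef/64 scope link
"""

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")
# Widest reach first: an interface is only as reachable as its best address.
REACH = ["global", "unique-local", "link-local", "loopback", "other"]

def scope_of(addr):
    """Classify one IPv6 address by how far packets sourced from it can travel."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:          # fe80::/10, valid without any router present
        return "link-local"
    if addr in UNIQUE_LOCAL:        # site-internal, not routed on the Internet
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"

def addresses_by_interface(text):
    """Parse interface headers and their inet6 lines from `ip -6 addr` text."""
    result, iface = {}, None
    for line in text.splitlines():
        header = re.match(r"^\d+:\s+([^:@\s]+)", line)
        if header:
            iface = header.group(1)
            result[iface] = []
            continue
        inet6 = re.match(r"^\s+inet6\s+(\S+)", line)
        if inet6 and iface:
            result[iface].append(ipaddress.ip_interface(inet6.group(1)).ip)
    return result

def diagnose(text):
    """Map each interface to the widest scope among its addresses."""
    report = {}
    for iface, addrs in addresses_by_interface(text).items():
        scopes = {scope_of(a) for a in addrs}
        report[iface] = next((s for s in REACH if s in scopes), "none")
    return report
```

An interface reported as `link-local` can talk to neighbours on the same segment but has no routed address, which matches the "perfectly good address, no Internet" symptom.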
(Score: 0) by Anonymous Coward on Monday August 03 2015, @03:19PM
What about netmasks and subnets?
(Score: 1) by Moggy on Tuesday August 04 2015, @03:00AM
> The only "oddball" - wherever you would normally change an A DNS record, change the AAAA instead (why they are different I've never worked out - MX records are the same for both).

Umm, not quite - an MX record is essentially a specialised CNAME - i.e. you should always have an A (or AAAA) record for your mail server and point the MX to that.
If the A record contained an IPv6 address then an IPv4 only node would break. Most modern OSes will perform a DNS lookup for both IPv4 & IPv6 addresses regardless of whether IPv6 is enabled or not. And there is still kit out there which has no IPv6 awareness at all.
Best practice at this stage if you are running dual-stacked servers is to have both A and AAAA records.
Having a separate record type keeps the Internet spinning around.
As for IPv6 being easy....
ACK; NAK; RST;
(Score: 2) by Nollij on Tuesday August 04 2015, @06:11AM
You must not be very well-versed in the nuances of the change. Yes, to an end-user on an iDevice, who is not concerned with security/privacy, that's all there is.
Have you noticed how many security holes have been published recently where the fix/workaround is "Disable IPv6"? Or services that just don't respond properly without extensive configuration? (I personally have experienced SCCM not cooperating with IPv6. IPv4 worked out of the box)
Right now, I have IPv6 disabled on my home network due to security concerns when using a VPN [theregister.co.uk]. I'm sure I could resolve them, but it's far more complex than just enabling the IPv6 stack.
(Score: 2) by sjames on Tuesday August 04 2015, @06:47AM
> The only "oddball" - ...

That's because an IPv6 address is distinct from an IPv4 address, so it's an AAAA record rather than an A record. However, an MX record consists of the NAME of a mail server and its priority, both of which are orthogonal to its address in either v4 or v6.
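Added example, not written by any commenter: a check that follows the MX discussion in Moggy's and sjames's comments. It reads a constructed zone fragment, reports for each MX target whether A and AAAA records are both published, and flags any address placed in the wrong record type. Names, addresses and function names are illustrative.

```python
import ipaddress

# Constructed zone fragment; 192.0.2.0/24 and 2001:db8::/32 are documentation ranges.
ZONE = """\
example.org.         MX    10 mail1.example.org.
example.org.         MX    20 mail2.example.org.
example.org.         MX    30 mail3.example.org.
mail1.example.org.   A     192.0.2.25
mail1.example.org.   AAAA  2001:db8::25
mail2.example.org.   A     192.0.2.26
legacy.example.org.  A     2001:db8::99
"""

FAMILY = {"A": ipaddress.IPv4Address, "AAAA": ipaddress.IPv6Address}

def parse(zone):
    """Return {(owner, type): [rdata fields, ...]} from whitespace-separated lines."""
    records = {}
    for line in zone.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            key = (fields[0].lower(), fields[1].upper())
            records.setdefault(key, []).append(fields[2:])
    return records

def mx_report(zone, domain):
    """For each MX of `domain`, in preference order, say which families resolve."""
    records = parse(zone)
    report = []
    for rdata in sorted(records.get((domain, "MX"), []), key=lambda r: int(r[0])):
        target = rdata[1].lower()       # an MX holds a preference and a NAME
        has_v4 = (target, "A") in records
        has_v6 = (target, "AAAA") in records
        status = ("dual-stack" if has_v4 and has_v6 else
                  "IPv4-only" if has_v4 else
                  "IPv6-only" if has_v6 else "no-address")
        report.append((int(rdata[0]), target, status))
    return report

def misplaced(zone):
    """List address records whose rdata is not of the family the type requires."""
    bad = []
    for (owner, rtype), values in parse(zone).items():
        for rdata in values if rtype in FAMILY else []:
            try:
                FAMILY[rtype](rdata[0])
            except ValueError:
                bad.append((owner, rtype, rdata[0]))
    return bad
```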