...

BTW, this is not the first time this has been tried out. For instance Arkko & Keranen did some interesting work in 2010.


Milestones

2012-01-13

All databases are running exclusively on IPv6

Today I killed the last two instances of MySQL, which ran on our ticket system JIRA and this Confluence wiki, and replaced them with PostgreSQL. Now we only run PostgreSQL databases, which are all accessible over the network exclusively through IPv6.

2011-12-20

Axis IP camera now IPv6 only

The RTMP stream on http://www.terena.org/webcam originates from our media server media.terena.org, which is dual stack. That server pulls the stream from our AXIS Q1755 camera with host name axis.terena.org, which is now IPv6 only. Removed IPv4 address and A record, adjusted access-lists.

2011-12-05

iPhones and iPads can now use IPv6 from everywhere

Added Cisco AnyConnect mobile license to our ASA5505, so mobile devices can have IPv6 from everywhere.
The first use case is editing web site content from an iPad using SCP, which uses SSH, which is IPv6 only.

2011-10-31

Our primary file server runs Samba on IPv6 only (smile)
After the last Mac was upgraded to Lion I silently removed IPv4, and nobody even noticed (tongue)

Removed IPv4 address 192.87.30.132
Removed A record for samba.terena.org

2011-04-12

Radius communication is IPv6

All Eduroam Radius traffic between TERENA and the Radius servers at SURFnet is done using IPv6 only.

2011-03-09

All linux servers run PostgreSQL on IPv6 only

Configure "listen_addresses = '::'" in postgresql.conf. This is not documented.
This is documented in version 9.1

2011-03-08

HP Printer IPv6 only (smile)

Upgraded Laserjet 4250 with new print server, removed IPv4 address 192.87.30.138 and A record for hp4250-1.terena.org

2011-02-28

Primary directory server ldap.terena.org IPv6 only (smile)

Removed IPv4 address 192.87.30.30
Removed A record

2011-02-07

Nagios web interface only reachable on IPv6

Configure Listen [2001:610:158:98d::42]:80 in /etc/apache/ports.conf

2011-02-07

SVN repository svn.terena.org IPv6 only (smile)

Removed IPv4 address 192.87.30.29 and A record

2011-02-01

All linux servers run Postfix on IPv6 only (except listed MXs)

Remove IPv4 addresses from $mynetworks, and set "inet_protocols = ipv6"

2011-01-31

All linux servers managed by SSH via IPv6 only

Configure "ListenAddress ::" or "AddressFamily inet6" in sshd_config

2011-01-30

All linux servers use only IPv6 resolvers

Only list IPv6 addresses in /etc/resolv.conf:

No Format
nameserver 2001:610:148:dead::4
nameserver 2001:610:158:98d::42
domain terena.org

2010-10-26

VPN supports IPv6

A new VPN setup: Cisco AnyConnect. Clients get an IPv4 and an IPv6 address from the office pools, so they can access all services via IPv6

...

Our servers run Ubuntu 10.04 LTS, which ships with Samba 3.4.7, and this has proper IPv6 support. There is no global switch to make it listen on a specific IP version, but it is not difficult to make it listen on IPv6 only.
You need to tell it to only bind to a specific (hard coded) interface address in smb.conf:

Code Block

bind interfaces only = yes
interfaces = 2001:610:148:beef::132/64

This machine is a server but sits in the Office network, so it was necessary to disable autoconfiguration to prevent it from accumulating multiple IPv6 addresses (which is not good for a server).
Contrary to what you would expect, setting /proc/sys/net/ipv6/conf/eth0/autoconf to 0 does not do the trick. You have to explicitly state the interface. So I ended up with this /etc/network/interfaces:

Code Block

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet6 loopback
        pre-up ip addr del 127.0.0.1/8 dev lo

# The primary network interface
auto eth0
iface eth0 inet6 static
        address 2001:610:148:beef::132
        netmask 64
        gateway 2001:610:148:beef::1 dev eth0
        pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/autoconf

...

To avoid name resolution problems, it was sometimes necessary to copy the legacy 127.0.1.1 entries to ::1 in the /etc/hosts file:

Code Block

127.0.0.1       localhost
127.0.1.1       ldap.terena.org ldap

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback ldap.terena.org ldap

...

On IPv6 only hosts, there is no IPv4 address configured on the network interface, so obviously all communications will go via IPv6.
There is still an IPv4 address (127.0.0.1) sitting on the loopback interface lo. It doesn't hurt but it should not be there if the host were to be truly IPv6 only (wink)
I could not find anywhere in /etc where this address gets added.
Since I can't prevent it from getting added, I removed it after it gets added, by configuring /etc/network/interfaces:

Code Block

# The loopback network interface
auto lo
iface lo inet6 loopback
        pre-up ip addr del 127.0.0.1/8 dev lo
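
To check that a host configured as above is really IPv6 only, you can look for listening sockets that still accept IPv4. The following is an added example, not part of the original page: it assumes `ss -Htln` output with the local address in the fourth column, and the sample lines (including the 2001:db8:: address) are constructed.

```python
import ipaddress

# Constructed sample of `ss -Htln` output (not taken from the page's hosts).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 [::1]:25 [::]:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 511 [2001:db8::42]:443 [::]:*
"""

def classify(local):
    """Return 'ipv4', 'dual-stack' or 'ipv6' for an ss local-address field."""
    host, _, _port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any %scope suffix
    if host == "*":
        # Wildcard with no address family shown: reachable over IPv4 as well.
        return "dual-stack"
    addr = ipaddress.ip_address(host)
    if addr.version == 4 or addr.ipv4_mapped is not None:
        return "ipv4"
    return "ipv6"

def ipv4_reachable_listeners(ss_output):
    """List (local_address, kind) for every listener that still accepts IPv4."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip headers, blanks and non-listening sockets
        kind = classify(fields[3])
        if kind != "ipv6":
            findings.append((fields[3], kind))
    return findings

if __name__ == "__main__":
    for local, kind in ipv4_reachable_listeners(SAMPLE_SS):
        print(f"{kind:10} {local}")
```

An empty result means every TCP listener is bound to an IPv6 address only; a leftover 127.0.0.1 listener shows up as `ipv4` even when the network interface has no IPv4 address.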

...

After enabling IPv6 on our Sharp MX2600N printer, the network stack actually works, but only a couple of services are running IPv6:

No Format

root@expat:~# nmap -6 2001:610:148:beef::134

Starting Nmap 5.00 ( http://nmap.org ) at 2011-03-01 10:31 CET
Interesting ports on 2001:610:148:beef::134:
Not shown: 996 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
23/tcp  open  telnet
515/tcp open  printer
631/tcp open  ipp

Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds

This is in stark contrast to what runs on IPv4:

No Format

root@expat:~# nmap --system-dns 192.87.30.134

Starting Nmap 5.00 ( http://nmap.org ) at 2011-03-01 10:35 CET
Interesting ports on sharp-mx2600n.terena.org (192.87.30.134):
Not shown: 991 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
23/tcp    open  telnet
80/tcp    open  http
443/tcp   open  https
515/tcp   open  printer
631/tcp   open  ipp
5900/tcp  open  vnc
9100/tcp  open  jetdirect
50001/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 2.37 seconds

...

Does not like IPv6 addresses, wrote patch.

ntp

  • ntp.ubuntu.com does not work. We are able to use SURFnet's chime3.surfnet.nl and chime4.surfnet.nl, however:

    Code Block
    
    visser@svn:~$ ntpq -pn
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    +2001:610:508:11 .GPS.            1 u  360 1024  377    4.499   -0.340   0.483
    *2001:610:0:800b .PPS.            1 u  192 1024  377    4.746    1.525   0.089
    
  • dumps core without IPv4 loopback address. This has been fixed in 1:4.2.4p8+dfsg-1ubuntu2.1 (smile).

...

Tunneling via SSH does not work. Native Postgres connections work, so the bug must be in sshfwd.dll.
Confirmed by EMS, but not yet fixed.
The work-around was to not use SSH tunneling anymore, but to connect directly to the database server. Have set up proper rules in pg_hba.conf.
Since the cryptographic shield of SSH was now gone, I have configured all non-local entries in pg_hba.conf to force SSL, such as:

Code Block

# Erasmus
hostssl all all 2001:610:148:dead::2/128    password
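
A small linter for the rule described above (every non-local pg_hba.conf entry must force SSL), given as an added example that is not part of the original page. It assumes entries use CIDR addresses; the sample file is constructed and only the "Erasmus" entry mirrors the page.

```python
import ipaddress

# Constructed pg_hba.conf; only the "Erasmus" entry mirrors the page.
SAMPLE_HBA = """\
# TYPE  DATABASE USER ADDRESS                   METHOD
local   all      all                            peer
host    all      all  ::1/128                   md5
# Erasmus
hostssl all      all  2001:610:148:dead::2/128  password
host    jira     jira 2001:db8:1::10/128        password
hostssl wiki     wiki 192.0.2.7/32              md5
"""

def lint_hba(text):
    """Return (line_no, message) for remote entries that allow plaintext or IPv4."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # comments, blank lines and 'local' (Unix socket) entries
        conn_type, address, method = fields[0], fields[3], fields[4]
        try:
            net = ipaddress.ip_network(address, strict=False)
        except ValueError:
            findings.append((no, f"address {address!r} is not a CIDR; review by hand"))
            continue
        if net.is_loopback:
            continue  # the rule covers non-local entries only
        if net.version == 4:
            findings.append((no, "IPv4 address on an IPv6-only server"))
        if conn_type != "hostssl":
            msg = f"connection type {conn_type} does not require SSL"
            if method == "password":
                msg += "; 'password' sends the password in clear text"
            findings.append((no, msg))
    return findings

if __name__ == "__main__":
    for no, msg in lint_hba(SAMPLE_HBA):
        print(f"line {no}: {msg}")
```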

...