Comment: Migrated to Confluence 5.3

...

Date

 

 

2012-08-02

Remote support only on IPv6

VNC on client computers runs in IPv6 only mode.

2012-01-13

All databases are running exclusively on IPv6

Today I killed the last two instances of MySQL, which ran on our ticket system JIRA and this Confluence wiki, and replaced them with PostgreSQL. Now we only run PostgreSQL databases, which are all accessible over the network exclusively through IPv6.

2011-12-20

Axis IP camera now IPv6 only

The RTMP stream on http://www.terena.org/webcam originates from our media server media.terena.org, which is dual stack. That server pulls the stream from our AXIS Q1755 camera with host name axis.terena.org, which is now IPv6 only. Removed IPv4 address and A record, adjusted access-lists.

2011-12-05

iPhones and iPads can now use IPv6 from everywhere

Added Cisco AnyConnect mobile license to our ASA5505, so mobile devices can have IPv6 from everywhere.
The first use case is editing web site content from an iPad using SCP, which uses SSH, which is IPv6 only.

2011-10-31

Our primary file server runs Samba on IPv6 only (smile)
After the last Mac was upgraded to Lion I silently removed IPv4, and nobody even noticed (tongue)

Removed IPv4 address 192.87.30.132
Removed A record for samba.terena.org

2011-04-12

Radius communication is IPv6

All Eduroam Radius traffic between TERENA and the Radius servers at SURFnet is done using IPv6 only.

2011-03-09

All linux servers run PostgreSQL on IPv6 only

Configure "listen_addresses = '::'" in postgresql.conf. This is not documented.
This is documented in version 9.1

2011-03-08

HP Printer IPv6 only (smile)

Upgraded Laserjet 4250 with new print server, removed IPv4 address 192.87.30.138 and A record for hp4250-1.terena.org

2011-02-28

Primary directory server ldap.terena.org IPv6 only (smile)

Removed IPv4 address 192.87.30.30
Removed A record

2011-02-07

Nagios web interface only reachable on IPv6

Configure Listen [2001:610:158:98d::42]:80 in /etc/apache/ports.conf

2011-02-07

SVN repository svn.terena.org IPv6 only (smile)

Removed IPv4 address 192.87.30.29 and A record

2011-02-01

All linux servers run Postfix on IPv6 only (except listed MXs)

Remove IPv4 addresses from $mynetworks, and set "inet_protocols = ipv6"

2011-01-31

All linux servers managed by SSH via IPv6 only

Configure "ListenAddress ::" or "AddressFamily inet6" in sshd_config

2011-01-30

All linux servers use only IPv6 resolvers

Only list IPv6 addresses in /etc/resolv.conf:

nameserver 2001:610:148:dead::4
nameserver 2001:610:158:98d::42
domain terena.org

2010-10-26

VPN supports IPv6

A new VPN setup: Cisco AnyConnect. Clients get an IPv4 and an IPv6 address from the office pools, so they can access all services via IPv6

 

Tinyproxy

Some of our systems have extra "security needs", and they are not allowed to initiate outgoing connections by default. This means that IP ACLs are used so that they can only reach necessary services (SMTP gateway, DNS resolvers, NTP etc).

Because those hosts do need access to some web sites (mostly for software updates), we use a proxy server to allow them access to those domains.

If you have an IPv6-only host that only needs access to some outside HTTP resources, then this approach kills two birds with one stone:

  • Many services are run on CDNs such as Akamai, which renders IP ACLs into a nightmare. A proxy solves this by allowing domains/URLs.
  • Some services are only accessible via IPv4 (Microsoft Update, hostupdate.vmware.com, Secunia.com). A dual stack proxy does the protocol translation. If those web sites were the only problems on the IPv6-only system, this is just what you need, and you can avoid using additional complex systems such as NAT64/DNS64.

Because we do not need any caching, but only the access restriction part, I chose tinyproxy because it is very lightweight and simple.

The only downside is that the tinyproxy that sits in Ubuntu 12.04 does not listen on both IPv4 and IPv6 at the same time (sad)

2013-01-04 Shame on me... I didn't test properly (sad), but tinyproxy does work on both protocols (smile)

I assumed that this result:

netstat -tlnpvw | grep tinyproxy
tcp6 0 0 :::8888 :::* LISTEN 3946/tinyproxy

meant that it didn't listen on v4... but I was wrong.

Listen ::
#This will accept connections on IPv6, but also on IPv4: IPv4-mapped IPv6 addresses are used:
#CONNECT Jan 04 15:29:13 [23566]: Connect (file descriptor 6): host.terena.org [::ffff:192.87.30.2]

Listen 0.0.0.0
# This will listen on IPv4 only

Listen 2001:610:148:dead::666
# This will listen only on the specified IPv6 address. Not nice, but workable.
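
The behaviour behind the netstat confusion above, as an added example (not part of the original page and not tinyproxy's code): a socket bound to `::` without IPV6_V6ONLY also accepts IPv4 clients and reports them as IPv4-mapped addresses, so any access list has to unwrap them before matching. The function names and the /64 allow-list are assumptions made for illustration.

```python
import ipaddress
import socket

def ipv4_peer_seen_by_listener(v6only):
    """Bind to [::] as 'Listen ::' does, connect over IPv4 loopback, and
    return the peer address the listener sees (None if refused)."""
    srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    # IPV6_V6ONLY=0 is the Linux default (net.ipv6.bindv6only=0): dual-stack.
    srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
    srv.bind(("::", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    srv.settimeout(2)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(2)
    try:
        cli.connect(("127.0.0.1", srv.getsockname()[1]))
        conn, peer = srv.accept()
        conn.close()
        return peer[0]
    except OSError:
        return None
    finally:
        cli.close()
        srv.close()

def effective_address(peer):
    """Unwrap ::ffff:a.b.c.d so an ACL is evaluated against the real IPv4 source."""
    addr = ipaddress.ip_address(peer)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr

def is_allowed(peer, allowed_networks):
    """True only if the unwrapped peer address falls inside an allowed network."""
    addr = effective_address(peer)
    return any(addr.version == net.version and addr in net
               for net in allowed_networks)

# Constructed allow-list: an IPv6 /64 assumed around the page's proxy address.
ALLOWED = [ipaddress.ip_network("2001:610:148:dead::/64")]

if __name__ == "__main__":
    print("dual-stack [::] sees IPv4 client as:", ipv4_peer_seen_by_listener(False))
    print("IPV6_V6ONLY [::] sees IPv4 client as:", ipv4_peer_seen_by_listener(True))
    # Address taken from the tinyproxy log line quoted above.
    print("IPv4-mapped client allowed?", is_allowed("::ffff:192.87.30.2", ALLOWED))
```

A `tcp6 :::port` line in netstat therefore does not prove a service is unreachable over IPv4; only a refused IPv4 connection, or a listener bound to a specific IPv6 address, does.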

 

Coda 2 drops support for IPv6

...

Hopefully they add back IPv6 support, perhaps with a configuration switch. Until that time we won't upgrade.

As of December 2012, Coda is at version 2.0.7, and still no IPv6 support.

Remote support with IPv6-only VNC

...

By default it listens on both IPv4 and IPv6 but it can be easily configured to listen only on IPv6:


 

I use this to remotely support people. One important issue: you do have to know the network address before you can connect to it (wink). There are two possibilities:

  • In the office. All our computers autoconfigure themselves with the modified EUI64 interface identifier, which is based on the interface's MAC address. This works out of the box for Mac OSX 10.7/10.8, but on Windows you have to manually configure this (once). Note that this does not have to clash with privacy extensions; those can (and should, IMHO) still be disabled. This means that computers will have a(n extra) predictable address in the office, so you can assign easy-to-remember hostnames to them, such as 'laptop-alice-wifi', 'laptop-alice-wired', etc. Note that this does not have to interfere with.
  • Out of the office. People working remotely need to set up their Cisco AnyConnect VPN connection. Once that is done, they have IPv6 connectivity, bypassing any NAT boxes they might be behind. They either need to tell me their network address, or I can look it up on our VPN server.

...

MySQL at this moment does not support IPv6 connections, but the development versions seem to support it (sort of). There are tools to make it work, such as https://twiki.cern.ch/twiki/bin/view/EGEE/IPv6CARE.
Not A Problem Here: we have only one host running MySQL, and that will be phased out in the future any way.

Update 2013-03-22: We were forced to use MySQL for some stuff, but the version in Ubuntu 12.04 appears to have IPv6 support (smile). I configured it to listen to IPv6 only:

bind-address            = '::'


apt-get

security.ubuntu.com does not work, so no security updates. Workaround: use local mirror nl.archive.ubuntu.com for security updates.

Update 2013-03-12: This has been fixed (smile) https://lists.ubuntu.com/archives/foundations-bugs/2013-March/140037.html

Pear Net_Socket

Does not like IPv6 addresses, wrote patch.

...