I was wondering if it would be possible to run parts of the TERENA Secretariat office network on IPv6 only.
Our office has a /24 IPv4 and a /48 IPv6 network since 2003, and all our public services are available on IPv4 and IPv6.
Since we have native IPv6 connectivity in our office, it seems that the first step would be to remove IPv4 from services that are only used internally.
This page keeps track of progress, bugs, and issues.
BTW, this is not the first time this has been tried out. For instance Arkko & Keranen did some interesting work in 2010.
Jump to:
|
Late July 2011 Apple released version 10.7 of their OSX operating system, named Lion. This version has several major IPv6 related improvements, the most important I think is DHCPv6 support. This means that it is now possible to successfully run a Mac in an IPv6 only environment without any configuration.
Unfortunately for us AnyConnect has a serious bug on Lion, namely that there is no default gateway being configured for IPv6 upon connection.
Since we have several IPv6 only services these days, this is a true show stopper
What makes it worse it that the smbd in Lion has IPv6 support, and because our Windows 7 computers already support SMB via IPv6, this means that we could make our Samba server IPv6 only. But since AnyConnect does not work, this is not (yet) an option...
The issue has been reported already to Cisco and is filed as CSCts11510 (login required).
Rumour has it that a fix is available soon, so let's just keep our fingers crossed!
Update: As of 29 September 2011, AnyConnect 3.0.4235 fixes the problems! Now all my users can have IPv6 again from everywhere
To avoid name resolution problems, it was sometimes necessary to copy to the legacy 127.0.1.1
entries to ::1
in the /etc/hosts
file:
127.0.0.1 localhost 127.0.1.1 ldap.terena.org ldap # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback ldap.terena.org ldap |
On IPv6 only hosts, there is no IPv4 address configured on the network interface, so obviously all communications will go via IPv6.
There is still an IPv4 address (127.0.0.1) sitting on the loopback interface lo
. It's doesn't hurt but it should not be there if the host were to be truly IPv6 only
I could not find anywhere in /etc
where this address get added.
Since I can prevent it from getting added, I removed it after it gets added, by hacking configuring /etc/network/interfaces
:
# The loopback network interface auto lo iface lo inet6 loopback pre-up ip addr del 127.0.0.1/8 dev lo |
This seems to work fine, only now ntp dumps core, but that has been fixed as of 17 April 2011.
Skype does not support IPv6 at all. EPIC FAIL!!!! Please everybody VOTE FOR IPv6.
FYI the first request for IPv6 enabled Skype date back to 2004!!
This switch does not support IPv6 access lists on VLANs. Needs replacing in 2011 anyway. New box might support NAT64?
These access points do not support IPv6. Need replacing anyway. The AIR-AP1142N-E-K9 could be a drop-in replacement. Also does N.
This copier/printer does not support IPv6 at all.
Could not retrieve e-mail addresses for 'scan to email' after LDAP server went IPv6 only. Hack Work-around: manually put addresses in.
Our big Sharp MX2600n has IPv6 support, so we should get rid of this clunker on the first occasion.
This box does not support IPv6. Needs replacing in 2011 anyway, but don't forget to check!!
Can be configured to do IPv6, but only PING works
Investigate further.
After enabling IPv6 on our Sharp MX2600N printer, the network stack actually works, but only a couple of services are running IPv6:
root@expat:~# nmap -6 2001:610:148:beef::134 Starting Nmap 5.00 ( http://nmap.org ) at 2011-03-01 10:31 CET Interesting ports on 2001:610:148:beef::134: Not shown: 996 closed ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 515/tcp open printer 631/tcp open ipp Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds |
This is in stark contrast to what runs on IPv4:
root@expat:~# nmap --system-dns 192.87.30.134 Starting Nmap 5.00 ( http://nmap.org ) at 2011-03-01 10:35 CET Interesting ports on sharp-mx2600n.terena.org (192.87.30.134): Not shown: 991 closed ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80/tcp open http 443/tcp open https 515/tcp open printer 631/tcp open ipp 5900/tcp open vnc 9100/tcp open jetdirect 50001/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 2.37 seconds |
Now I'm trying to find out how to print using IPP from Windows 7.
Some tests indicate the Ecdysis works well.
Also, they presented at our own conference last year
Take into consideration!
IPv6 doesn't work. Needed for TERENA web site. Update 2011-03-01: by upgrading Pear_Auth, Pear Live_User was able to use LDAP (via IPv6), without the Radius overhead.
MySQL at this moment does not support IPv6 connections, but the development versions seem to support it (sort of). There are tools to make it work, such as https://twiki.cern.ch/twiki/bin/view/EGEE/IPv6CARE.
Not A Problem Here: we have only one host running MySQL, and that will be phased out in the future any way.
security.ubuntu.com
does not work, so no security updates. Workaround: use local mirror nl.archive.ubuntu.com
for security updates.
Does not like IPv6 addresses, wrote patch.
ntp.ubuntu.com
does not work. We are able to use SURFnet's chime3.surfnet.nl
and chime4.surfnet.nl
however:
visser@svn:~$ ntpq -pn remote refid st t when poll reach delay offset jitter ============================================================================== +2001:610:508:11 .GPS. 1 u 360 1024 377 4.499 -0.340 0.483 *2001:610:0:800b .PPS. 1 u 192 1024 377 4.746 1.525 0.089 |
Authentication on dual stack LDAP servers does not work. Using an IPv6-only hostname does work. For us this works, because our LDAP server is IPv6 only.
Cannot use IPv6 LDAP server. Filed support ticket at Open.com.au. Fixed as of 2011-02-12. Also make sure to add flags to any custom perl hooks:
my $ldap = Net::LDAP->new('ldap://ldap.terena.org',inet6=>1);
.
We use Radiator for our Eduroam set-up. Our instance (radius.terena.org
is connected upstream to SURFnet's radius servers.
I worked together with SURFnet to do some IPv6 debugging, and since 12 April 2011 the TERENA-SURFnet radius connection is using only IPv6
In the next months we will be participating in a Eduroam-as-a-service pilot. This would mean our current (IPv4 only) Cisco AP1200's would not need to connect any more.
That would leave our Cisco ASA5505s as the only IPv4 radius clients.
If Cisco fixes that, then radius.terena.org
can become IPv6 only as well.
This is a custom email list manager, running on Erasmus. 2 lists were doing queries to ldap.terena.org
. Unfortunately the Net::LDAP in Ubuntu Hardy (libnet-ldap-perl
) is too old and does not recognise the inet6 paramater. Hacked Fixed by copying /usr/share/perl5/Net/LDAP.pm
from a Lucid box.
Nmap only recognizes IPv6 resolvers by specifying "--system-dns
"
Name resolution does not work with IPv6 only name servers
This financial software package runs on Windows 2003 Server, which supports IPv6.
It also requires Microsoft SQL Server, and the version we run (SQL Server 2005) seems to speak IPv6 as well.
So based on that it looks like it could work.
However, after more close inspection it does not look too encouraging:
Having a software package on a dedicated Windows server, with a dedicated SQL server is quite some overhead, so I was interested in their new web based product Exact Online.
The Exact Online web site (surprise surprise) can't be reached via IPv6. But if everything is just running through HTTP(S), then a NAT64/DNS64 solution might make things work.
Upgrade to 4.2.8 or later to get IPv6 going.
Tunneling via SSH does not work. Native Postgres connections work, so the bug must be in sshfwd.dll
.
Confirmed by EMS, but not yet fixed.
Work-around was to not use SSH tunneling anymore, but directly connecting to the database server. Have set up proper rules in pg_hba.conf
.
Since the cryptographic shield of SSH was now gone, I have configured all non-local entries in pg_hba.conf
to force SSL, such as:
# Erasmus hostssl all all 2001:610:148:dead::2/128 password |
Works, but some weird things: I had some repositories checked out with TurtoiseSVN, using my SSH keys from Putty/Pageant. Any actions on the repository started to have a really long delay after switching off IPv4 on the subversion server. Fixed after using the right repository URL format, in my case using the Putty session name instead of the host name. This session has everything set properly already. In my case the hostname is svn.terena.org
, and the PuTTY session name is svn
.
The "Remote Desktop client" in Windows 7 (mstsc.exe
) has some weird behavior. An RDP connection to a Windows 7 computer using a hostname that only has a AAAA record takes 11 seconds. mstsc.exe
does an A query first, gets back a No such name, then wait 11 seconds, then asks for and receives the AAAA record, and then immediately connects. |
We use this excellent tool to create and install iptables/ip6tables scripts on our Ubuntu hosts.
FWBuilder is the tool for easy, understandable, object based firewalls.
We have a commercial license because I wanted the Windows version, but I think it's worth every penny. Linux versions are GPL though.
There is a bug in the batch installer that makes it choke on IPv6 only hosts, but that is fixed as of 2011-04-27, in build 3532.
Friendly developer, and very responsive. Has fixed numerous corner cases that I have run into.
2011-07-20 OSX Lion finally supports DHCPv6 Now autoconfiguration can work!
CIFS client on Mac OS X does not support IPv6. Unable to file bug report due to lame web site ("An error has occurred. Please report the error to Apple Inc. by emailing the error detail to devbugs@apple.com.").
CIFS via IPv6 works in Lion. After upgrading all the Macs to Lion I can make our Samba server IPv6-only
CyberDuck does not work with IPv6 hostnames. Use either literal IPv6 address, or IPv6-only host name godzilla.ipv6.terena.org
.
Fixed in 4.0