secret society of super sydney sysadmins


by Robert Mibus
ipv6 sysadmin

Please note that this is all personal opinion, and is not a reflection on the opinion, or policies, of any employer, past, present, future, or comma-less.

What is IPv6?

IPv6 is the next step after our current IPv4 addressing scheme – and not a lot more. Instead of the we-thought-it’d-be-ample 2^32ish addresses, we get the it’ll-be-enough-this-time-for-sure 2^128ish addresses. If nothing else, it’ll take us a long time to run out again!

So how do we, as sysadmins, use it?

Software developers have taken a lot of the fun out of this already. Most software – Apache, BIND, SSH, etc – has had IPv6 support for a very long time. You can just add an IPv6 address to the “bind” or “listen” address of the vast majority of non-custom-built software and it will Just Work. Plenty of software doesn’t even need that, and will bind to the IPv6 address just as soon as it exists on your system.

If you don’t want to use IPv6’s native autoconfiguration, statically configuring your address and gateway is a simple enough process on any vaguely modern OS. Probably Windows, too ;).

What about gotchas?

There are plenty of places this can fall down… but none that typically hurt too much.

When you add IPv6 support to a server, note that you’re also adding IPv6 support for it to talk to other services. If it makes calls out to another server, it will try to do so over IPv6. So, make sure your IPv6 connectivity is good, and all of the services that your server might connect to work over IPv6 (if they have AAAA DNS records – if not, it will quickly fall back to IPv4 anyway). This is especially true if your servers chatter amongst themselves to share data (like caching resolvers and authoritative nameservers, or webservers and database servers). You’ll also be at the mercy of the IPv6 support of any providers that you consume services from.

Anywhere that an IP address gets treated as “special”, and not just as an opaque block of text, could cause issues. For most, this won’t be an issue. But, if you’re storing it in a database, make sure you aren’t using a short fixed-length string – IPv4 addresses max out at 15 characters but IPv6 goes to 11. I mean, 39.

Why haven’t you done it yet?

There are plenty of reasons not to have IPv6 enabled on your services.

The easiest answer is that everyone will need an IPv4 address to see everyone else’s services, so they’ll already have one to see mine. Right? Realistically, IPv4 will probably continue to be supplied behind a carrier-grade-NAT system (or “something”), and most stuff on the internet works just fine behind NAT anyway. It will be a long time before IPv4 addresses start getting dropped entirely from consumer broadband connections.

Not everyone has an IPv6-capable upstream provider. If you are with a particular hosting provider and they don’t provide IPv6 connectivity, you’re pretty much stuck. Find a new one (and migrate all of your hosts) or just wait it out.

Moving on, a lot of “miscellaneous” equipment doesn’t support IPv6. An up-front example of this is hardware load-balancers. Months out from the beginning of ‘IPv4 exhaustion’, you can buy new hardware that doesn’t support hardware-accelerated IPv6. Sure, you can work around it, or buy from an alternate vendor – but really, that’s pretty excessive just to support 128-bit addresses, when we all know that everyone will have IPv4 connectivity for years to come. Do your “appliance” boxes and VMs support IPv6?

The same lack of hardware applies in the consumer-space – seen very many DSL modems with native IPv6 lately? The biggest driver there will be gamers and P2P users wanting to restore end-to-end connectivity.

There are also potential security issues – how do you make sure your IPv4 and IPv6 firewalls are equivalent? Typically, they’re treated as independent… changes to one but not the other can lead to breakage or security holes. (Forget to lock off SSH over IPv6 so only your corporate network can see it? Oops! Locked down IPv6 too tight, so upstream service connections over IPv6 suddenly fail? Oops!)
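One way to catch that drift is to diff what each address family actually accepts. The sketch below is an added example, not part of the original post: it assumes a Linux host using iptables, with rules in iptables-save / ip6tables-save syntax, and it only compares ACCEPT rules that carry a --dport in a single chain (default policies, rule order, negation and custom chains are ignored). The rule dumps and the function names are constructed for illustration.

```python
import shlex

# Constructed sample dumps in iptables-save / ip6tables-save rule syntax.
V4_RULES = """\
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
"""
V6_RULES = """\
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""
WANTED = {"-s", "-p", "--dport", "-j"}

def accepted_services(dump, chain="INPUT"):
    """Map (proto, dport) -> True if every ACCEPT rule for it names a source."""
    services = {}
    for line in dump.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:2] != ["-A", chain]:
            continue
        opt = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i] in WANTED}
        if opt.get("-j") != "ACCEPT" or "--dport" not in opt:
            continue
        key = (opt.get("-p", "all"), opt["--dport"])
        # A single ACCEPT without -s leaves the service open to any source.
        services[key] = services.get(key, True) and "-s" in opt
    return services

def compare(v4_dump, v6_dump):
    """List services whose exposure differs between the two address families."""
    v4, v6 = accepted_services(v4_dump), accepted_services(v6_dump)
    findings = []
    for key in sorted(set(v4) | set(v6)):
        svc = "%s/%s" % key
        if key not in v6:
            findings.append((svc, "accepted on IPv4 only"))
        elif key not in v4:
            findings.append((svc, "accepted on IPv6 only"))
        elif v4[key] != v6[key]:
            wide = "IPv6" if v4[key] else "IPv4"
            findings.append((svc, "source-restricted on one family, open on " + wide))
    return findings

if __name__ == "__main__":
    for svc, problem in compare(V4_RULES, V6_RULES):
        print(svc, "-", problem)
```

On the sample rules it flags SSH as locked to a source network on IPv4 but open on IPv6, and the database port as reachable over IPv4 only.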

You’re being very negative.

Yes, I am. IPv6 is crucial to the long-term health of the Internet. But its biggest driver (in most industries) is merely that it’s the “new shiny”, and not any real business-case. Even when there is a business case, it’s typically for the network, not for the systems. IPv6 connectivity, *check*. IPv6ified webserver… come back next year. Maybe.

So, what if I do find it fun?

Seek professional help. Or, just admit you’re a geek.