I imagine some day in the near future there will be a switch to ipv6.
I cannot imagine ever remembering the ip address then...crazy.

My question, since I have never done ip6 stuff, is what does that mean on my webservers?

Would I just need to replace my ip4 with ip6 in my eths, bonds, bridges, and configuration files...and copy out my iptables to ip6tables, and change the dns servers?

All that does not sound too harsh.

Anything especially daunting to make that switch (save from someone having to do that on 100 computers really fast!!)

-bob

On Fri, Mar 30, 2012 at 02:23:55PM -0400, Bob Hoffman wrote:
> My question, since i have never done ip6 stuff, is what does that mean
> on my webservers?

For modern software, not too much, really!

> Would I just need to replace my ip4 with ip6 in my eths, bonds, bridges,
> and configuration files...and copy out my iptables to ip6tables, and
> change the dns servers?

You can test it today; if your ISP doesn't provide native IPv6 then you can get a tunnel (eg from tunnelbroker.net) for free. Then you can run IPv4 and IPv6 at the same time and see how easy it is.

It's really easy :-)

I have a linode and a Panix v-colo with native IPv6, and my home network with an IPv6 HE tunnel. This email _should_ go via IPv6 from home to linode, and then probably via IPv4 to the list server... unless that is also IPv6 enabled!

Most of the time (eg surfing the net) I don't even know if my traffic is using IPv4 or IPv6.

--
rgds
Stephen

On 03/30/2012 11:23 AM, Bob Hoffman wrote:
> I imagine some day in the near future there will be a switch to ipv6.
> I cannot imagine ever remembering the ip address then...crazy.
>
> My question, since i have never done ip6 stuff, is what does that mean
> on my webservers?
>
> Would I just need to replace my ip4 with ip6 in my eths, bonds, bridges,
> and configuration files...and copy out my iptables to ip6tables, and
> change the dns servers?
>
> all that does not sound to harsh.
>
> anything especially daunting to make that switch (save from someone
> having to do that on 100 computers really fast!!)
>
> -bob

We've been running out of IPv4 addresses and needing to convert someday soon for the last 10 years..., but yet the vast majority of broadband providers and even most ISPs don't support it yet.

Nataraj

On 30.03.2012 20:23, Bob Hoffman wrote:
> I imagine some day in the near future there will be a switch to ipv6.

Wrong. There will be no switch. IPv6 is just being added while IPv4 continues to function. Both will coexist for a long time yet.

> I cannot imagine ever remembering the ip address then...crazy.

Don't worry. You will. Well, not the autoconfigured ones for sure, but those you choose yourself, they'll cling to your brain after some time just as 192.168 does today.

> My question, since i have never done ip6 stuff, is what does that mean
> on my webservers?

Not much, really. You just give them IPv6 addresses and they'll work with them just like they do with the IPv4 addresses today.

> Would I just need to replace my ip4 with ip6 in my eths, bonds, bridges,
> and configuration files...and copy out my iptables to ip6tables, and
> change the dns servers?

That would be a really bad transition plan. Don't switch - migrate. Don't replace IPv4 - add IPv6 alongside. IPv6 is designed to coexist with IPv4.

> anything especially daunting to make that switch (save from someone
> having to do that on 100 computers really fast!!)

DNS reverse zones take some getting used to. Apart from that, it's really straightforward and doesn't differ that much from setting up an IPv4 address range:

1. Get a suitable IPv6 address range from your provider. The regular size for companies is /48, but a /56 is fine too. (If your provider is unable to give you one, get a better provider. If you have a really good reason for sticking with a provider that is so behind the times that it still cannot provide IPv6, you might use a tunnel broker, but that's a bit more complicated.) Also create an IPv6 reverse DNS zone for your address range on your DNS server and get it delegated from your provider so that you can manage reverse resolution yourself. (Otherwise you'll have to ask your provider to create every PTR RR you need for you.)

2. Configure your firewall to route and announce a /64 subnet of the IPv6 address range you got to each of your LANs.

3. Give your machines IPv6 addresses in addition to their IPv4 ones. (Many of them will have gotten one automatically already via autoconfiguration, but those aren't pretty or easy to remember, so you may want to assign another one instead or in addition.) Leave the IPv4 addresses in place so that existing connections will continue to work.

4. Add those addresses to the machines' DNS entries as AAAA records. Again, don't remove the IPv4 addresses (A records), they're still needed for communication partners who aren't IPv6 capable yet. Also add corresponding PTR records to the IPv6 reverse zone.

That's it. At that point your machines will be reachable via IPv6 in addition to working with IPv4 as before.

(Well, of course there'll be a lot of tedious details like logfile analyzers not understanding the IPv6 address format, access control lists needing additional entries for the new addresses, users phoning the help desk because addresses look strangely different, etc. But nothing fundamentally new or incomprehensible.)

HTH
Tilman
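
The reverse-zone and record steps in the message above, worked through as an added example that is not part of the original thread. The prefix, host name, domain and addresses are constructed from the documentation ranges (2001:db8::/32, 192.0.2.0/24), and the function names are hypothetical.

```python
import ipaddress

def reverse_zone(prefix):
    """Name of the ip6.arpa zone to ask the provider to delegate."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6:
        raise ValueError("not an IPv6 prefix")
    if net.prefixlen % 4:
        # Each ip6.arpa label is one hex digit (4 bits), so a prefix that
        # is not nibble-aligned cannot be delegated as a single zone.
        raise ValueError(f"/{net.prefixlen} is not on a nibble boundary")
    nibbles = net.network_address.exploded.replace(":", "")
    return ".".join(reversed(nibbles[: net.prefixlen // 4])) + ".ip6.arpa"

def dual_stack_records(hosts, prefix, domain):
    """Build forward (A + AAAA) and reverse (PTR) records for each host."""
    net = ipaddress.ip_network(prefix)
    forward, reverse = [], []
    for name, (v4, v6) in hosts.items():
        addr6 = ipaddress.ip_address(v6)
        if addr6 not in net:
            raise ValueError(f"{v6} is outside {prefix}")
        fqdn = f"{name}.{domain}."
        forward.append(f"{fqdn} IN A {v4}")  # the IPv4 record stays
        forward.append(f"{fqdn} IN AAAA {addr6.compressed}")
        # reverse_pointer expands all 32 nibbles, least significant first.
        reverse.append(f"{addr6.reverse_pointer}. IN PTR {fqdn}")
    return reverse_zone(prefix), forward, reverse

# Constructed sample data: one web server in a /64 of an assigned /48.
PREFIX = "2001:db8:1234::/48"
HOSTS = {"www": ("192.0.2.10", "2001:db8:1234:1::80")}

if __name__ == "__main__":
    zone, forward, reverse = dual_stack_records(HOSTS, PREFIX, "example.com")
    print("; reverse zone to delegate:", zone)
    print("\n".join(forward + reverse))
```
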

On Fri, 2012-03-30 at 14:23 -0400, Bob Hoffman wrote:
> I imagine some day in the near future there will be a switch to ipv6.

A long way off; for a long time things will be dual-stack. It isn't either IPv4 or IPv6, they coexist just fine.

> I cannot imagine ever remembering the ip address then...crazy.

That's why there is DNS! :)

> My question, since i have never done ip6 stuff, is what does that mean
> on my webservers?

Nothing more than IPv4 means for your web servers. It is just-another-address, configured in the same way as if you had multiple IPv4 addresses.

> Would I just need to replace my ip4 with ip6 in my eths, bonds, bridges,
> and configuration files...and copy out my iptables to ip6tables, and
> change the dns servers?

Nope, you don't replace, you add.

> all that does not sound to harsh.

It isn't as scary as some people make it out to be. And IPv6 gets rid of numerous hideous hacks that have been built into / onto creaky old IPv4. Die NAT Die!

> anything especially daunting to make that switch (save from someone
> having to do that on 100 computers really fast!!)

Any recent computer or distribution is sitting there quietly waiting for its IPv6 address to arrive - probably automatically, via auto discovery. Clients are trivial.

Hi Adam,

> And recent computer or distributions is sitting their quietly waiting
> for it's IPv6 address to arrive - probably automatically, via auto
> discovery. Clients are trivial.

... and that is EXACTLY the biggest problem with IPv6. 'Introducing' IPv6 happens automatically in most cases, and inadvertently as well. The moment ISPs will start supporting IPv6 for their customers will be a security nightmare, because IPv6 firewalls will not be configured on most networks, and the pseudo-security of NAT will no longer be in effect.

In fact, a very large number of networks (especially those currently relying on NAT 'security') will be completely exposed to the Internet without any protection, and the bad thing is that you just don't have to do anything to make it 'work'. From one day to the other, IPv6 connectivity will be there and most people won't even notice until it's too late.

One may only hope that home router manufacturers will deliver standard configurations with all incoming IPv6 traffic (except answers to outgoing packets, obviously) blocked by default, but I'm not very optimistic :-(

So, before you do anything else, set up proper incoming and outgoing IPv6 port filtering rules on your perimeter routers. It will save you a hell of a headache.

Peter.
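
One way to check a host or router for the gap described in the message above, as an added example that is not part of the original thread: it reads `ip6tables-save` output and reports chains that accept unsolicited inbound IPv6. The sample ruleset and the checks are assumptions of this example; the ICMPv6 check is there because a default-deny INPUT chain that drops neighbour discovery takes the host off IPv6 altogether.

```python
import re

STATEFUL = re.compile(r"--(?:ct)?state \S*ESTABLISHED\S* -j ACCEPT")
ICMPV6 = re.compile(r"-p (?:ipv6-icmp|icmpv6)\b.* -j ACCEPT")
CATCH_ALL = re.compile(r"-A \S+ -j (?:DROP|REJECT)(?: --reject-with \S+)?")

# Constructed sample in ip6tables-save format (not taken from the thread).
FILTERED = """*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_filter(text):
    """Return ({chain: policy}, {chain: [rule lines]}) for the filter table."""
    policies, rules, table = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain], rules[chain] = policy, []
        elif table == "filter" and line.startswith("-A "):
            rules.setdefault(line.split()[1], []).append(line)
    return policies, rules

def audit(text):
    policies, rules = parse_filter(text)
    if not policies:
        return ["no IPv6 filter table loaded: nothing is filtered"]
    findings = []
    for chain in ("INPUT", "FORWARD"):
        chain_rules = rules.get(chain, [])
        # Default deny is either a DROP policy or a final catch-all DROP/REJECT.
        closed = policies.get(chain) == "DROP" or bool(
            chain_rules and CATCH_ALL.fullmatch(chain_rules[-1]))
        if not closed:
            findings.append(f"{chain}: unsolicited IPv6 traffic is accepted by default")
            continue
        if not any(STATEFUL.search(r) for r in chain_rules):
            findings.append(f"{chain}: replies to outgoing packets are not accepted")
        if chain == "INPUT" and not any(ICMPV6.search(r) for r in chain_rules):
            findings.append("INPUT: no ICMPv6 accepted, neighbour discovery will break")
    return findings
```

On a live system the input would come from running `ip6tables-save` as root; an empty list from `audit()` means the heuristics found default deny with replies allowed, not that the ruleset is complete.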

On Saturday, March 31, 2012 06:44:38 AM Adam Tauno Williams wrote:
> > We've been running out of IPV4 address and needing to convert someday
> > soon for the last 10 years..., but yet the vast majority of broadband
> > providers and even most ISP's don't support it yet.

> You've got another couple of months. I believe most U.S. network
> providers have agreed to a 'flag day' sometime in June 2012.

> Internal networks / backbones at Comcast and Verizon have been IPv6 for
> some time now. At least that is what a credible little bird told me.

Well, since 100.64.0.0/10 got allocated for draft-weil, CGN and NAT444 will be a reality, and IPv4 gets a new lease on its fugue state. (see: ietf.org/mail-archive/web/ietf-announce/current/msg09959.html )

To Bob's question, IPv6 and IPv4 will coexist as dual-stack until nothing of importance is left on IPv4, and then it will be turned off by network ops, one AS at a time (iterate across ~30,000 AS's). It will likely take decades for IPv4 to go away; but I reserve the right to be wrong.

On Monday, April 02, 2012 11:11:29 AM Stephen Harris wrote:
> One of my providers gave me a single(!) IPv6 address. Another one has
> subdivided a /64 into multiple /96's (one for each customer).
>
> You might want to rethink the /64 concept!

Subscribe to the NANOG list, and let that group know who the provider is..... hilarity is guaranteed to ensue.

You can get your own PI space in /48 chunks now; you just have to demonstrate a need to multihome.