Theodore Baschak

BOFH. Open Source Guru. Founder/Operator of Hextet Systems, AS395089 and Network Architect for Daemon Defense Systems, AS55101.

My IPv6 Services

Sun, 13 Apr 2014 17:16:40 -0500 » Networking, Cisco, IPv6, Nerd Projects, Virtualization, System Administration

I’ve had CiscoDude.net and its associated services IPv6 enabled over native IPv6 for the past year. Before that some services were IPv6 enabled over a HE.net tunnel.

Web services are the easiest I’d say, and were the first I implemented.

Web Services

Web services are pretty easy to IPv6 enable. NGINX makes configuration especially simple with multiple listen lines:

	# HTTPS server
	server {
		listen			443 ssl spdy;
		listen			[::]:443 ssl spdy;
		server_name		ciscodude.net;

Apache is similarly simple to configure. IPv4-in-IPv6 mapped addresses can make recognizing addresses a pain in your web applications sometimes. Complications have been fairly minimal, mainly with sessions that store the IP address. Privacy addressing, and switching between IPv6/v4 and back has caused occasional issues.

Email

I run a typical Postfix/Dovecot system with Spamassassin and friends for mail. I have A and AAAA records for my mail server. The only complications I’ve had so far are:

  • Auto configured addresses don’t get revdns, and so auto configured addresses need to be disabled for mail servers (and servers in general, when source address matters for ACLs, QoS, etc)
  • Greylisting: when things fail over from IPv6 to IPv4, mail takes longer to get delivered.
  • Spam filtering is heavily built around IPv4 at the moment.

Jabber/XMPP

I run Prosody for XMPP services. Prosody is very simple compared with many other XMPP servers, and has had IPv6 support since 0.9.x (w/ Lua Socket 3.0).

DNS

Recursive

Both of my internal DNS recursors are dual-stacked.

DNS64/NAT64

My network is not setup for IPv6 only access at the moment, I will be adding DNS64/NAT64 in the next few months to begin testing one translation method. Apparently my Cisco ASA 5505 running firmware 9.0/9.1 should be able to do NAT64/DNS64 w/ AAAA synthesis.

Authoritative

At the moment only one of my nameservers is dual-stacked, the rest are only IPv4 enabled.

| => check-soa -i ciscodude.net
ns1.henchcdn.com.
	206.220.196.222: OK: 2014040601 (4 ms)
	2604:4280:0:1::53: OK: 2014040601 (5 ms)
ns2.henchman21.net.
	107.170.63.61: OK: 2014040601 (73 ms)
ns3.hcdn.pw.
	206.220.199.250: OK: 2014040601 (6 ms)
© Theodore Baschak - https://github.com/tbaschak - Powered by Jekyll.
Powered by Les.net.
CiscoDude.net is a personal website. Opinions expressed are not necessarily those of his employer.