CHAPTER 14

IPv6: Implications and Concepts

IPv6 is the current standard for Internet communications replacing the currently used and outdated IPv4 protocol.

The aim of this chapter is to:

  • Provide an overview of IPv6
  • Provide an understanding of the reasons why IPv6 is replacing IPv4
  • Explain the implications of changing from IPv4 to IPv6
  • Show how to modify the applications you have been working with to use IPv6

IPv6

IPv6 is the next-generation Internet addressing and routing protocol. IPv6 has been in development since the mid-1990s as a replacement for the existing and increasingly limited IPv4. IPv4 began its life as a protocol that formed the basis of the Internet and was standardized in 1980.

IPv6 allows the addressing of Internet-capable devices with addresses 64 bits long. These are normally written as eight groups of four hexadecimal digits, separated by colons. This gives the addresses the following appearance:

00FF:00FF:00FF:00FF:00FF:00FF:00FF:00FF

Given the large size of these numbers, IPv6 provides addressing for approximately 340 undecillion (3.4x10^38) systems. The reason for this large number is to avoid the issues currently present in most modern computer systems due to the limited availability of IPv4 addresses.

Hexadecimal Notation

IPv6 addresses contain both letters and numbers. This format is called hexadecimal (hex for short) notation because it represents a base 16 counting system. This means each digit position counts through 16 values before the next position is incremented. Each hex digit represents 4 bits, using the letters A to F to supplement the familiar decimal digits 0-9 (see Table 14-1).

[Table 14-1: image not available]

From Table 14-1 you should be able to get a much better idea of how hexadecimal notation works, which numbers are represented, and how they fall in sequence.

Truncation

IPv6 addresses are very long, and you can get quite exhausted looking at one. There are two things you can do to make them more readable:

  • Leading zeroes for each set (between colons) can be removed.
  • Sets of consecutive zeroes can be replaced by a double colon.

For example (192.168.0.0.0.0.0.1 in decimal format):

  1. Start with 00c0:00a8:0000:0000:0000:0000:0000:0001.
  2. Applying rule one, this becomes c0:a8:0:0:0:0:0:1.
  3. Applying rule two, this becomes c0:a8::1.

This standard part of IPv6 notation allows you to make these addresses much simpler and more human-readable.
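The two truncation rules above, written out as an added Python example (not code from the book). It uses the standard ipaddress module; the function names are chosen here for illustration, and it also shows why addresses should be compared as parsed values rather than as strings.

```python
import ipaddress

def expand(addr: str) -> str:
    """Undo both rules: eight groups, four hex digits each."""
    return ipaddress.IPv6Address(addr).exploded

def rule_one(addr: str) -> str:
    """Rule one only: strip leading zeroes from every group, no '::'."""
    return ":".join(format(int(g, 16), "x") for g in expand(addr).split(":"))

def rule_two(addr: str) -> str:
    """Rule one, then replace one run of zero groups with '::'.

    '::' may appear only once in an address, otherwise the number of
    omitted groups would be ambiguous, so the longest run is chosen
    (the first one on a tie). A single zero group stays as '0'.
    """
    groups = rule_one(addr).split(":")
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"

def same_host(a: str, b: str) -> bool:
    """Compare two spellings by value; string equality would miss them."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)

if __name__ == "__main__":
    full = "00c0:00a8:0000:0000:0000:0000:0000:0001"   # the chapter's example
    print(rule_one(full))
    print(rule_two(full))
    print(expand("c0:a8::1"))
    print(same_host("00C0:00A8::0001", "c0:a8:0:0:0:0:0:1"))
```

Access-control lists and log searches should normalize addresses this way before matching, because one host can be written in several valid forms.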

IPv4 Exhaustion

As the Internet has grown and then exploded over the past 30 years, IPv4 has faced a problem. It can only provide 2^32 addresses (4,294,967,296). This limit is decreased, however, as 288 million of these addresses are unavailable for regular public use - they are special-purpose addresses.

It has been known since the early to mid-1990s that the world would run out of addresses, so a number of technologies have come along to help address these issues. Network Address Translation (NAT) is the best example, as it meant that larger companies were able to rely on a single address or a small pool of addresses. However, as of January 31 2011, there are no more IPv4 addresses available for public usage.

As there are no more IPv4 addresses available, the need for Internet users to understand, embrace, and transition to IPv6 is pressing and urgent. The reason for this is that the Internet has expanded so far that it is no longer possible for every computer to switch to IPv6 at once. This was the transition method that led to the use of IPv4: on January 1 1983, the collection of networks that formed the then-fledgling Internet (then called ARPANET) switched over to IP.

This switch would have meant software changes as all the devices attached to the network needed to be changed over to use the new IP protocol. This meant changes to several thousand systems across the continental USA and was considered a major feat in its time.

What if the same change needed to be made today? It would mean that more than 4 billion devices would need to be changed over in one day. Moreover, the diversity of devices and the age of others make this impractical if not impossible. This has led to a more mixed approach to the rollout of IPv6.

Approach to IPv6

The current approach is very phased, with the policy being “adopt when you can.” However, with the increasing urgency that comes from the world having run out of IP addresses, it is more prudent that you be able to have your servers use IPv6.

In addition to adopting wherever possible, many people have taken up using IPv6-capable NAT devices to fulfill the basic requirements. This means that an IPv6 router acts as the front end of a network and provides an IPv6 Internet address, while behind the router an IPv4 network exists. This solution provides the best of both worlds, bringing forward compatibility while minimizing the volume of changes that need to be made.

Advantages of IPv6

While simply having an IPv6 gateway may seem ideal, it does not provide you with the full volume of benefits offered by the IPv6 suite. In addition to the increased address space available to IPv6 users and the future proofing this entails, there are a number of other benefits of IPv6.

The first advantage is a decrease in the amount of processing needed by routers to forward IPv6 packets. This is due to a reorganization in the way that IPv6 packets are structured. With hindsight, the less-used options of the packet are placed in a trailing optional section. This means that routers can find the information they need much more readily.

The second advantage is in the processing of message sub-blocks. When transmitting an IP packet (v4 or v6), the packet can be split up into smaller chunks called fragments for easier transmission over a network. For IPv4, these packets are then reassembled again between routers, which can add delay - especially if a packet is lost. In IPv6, only the destination is responsible for the reassembly of packets, which cuts down considerably on the trip time over networks that fragment packets.

The third advantage is Internet Protocol Security (IPSec) support. IPSec is the security protocol that functions as part of the Internet Protocol. IPSec works in the same manner as SSL: it creates an end-to-end encrypted tunnel with the sender and receiver negotiating keys between them to ensure a secure communications channel is established. From this, each packet transferred is encrypted at one end and decrypted at the other. IPSec is not the specific domain of IPv6, but was developed as part of IPv6 and then later transferred back to IPv4.

The advantage in this case is that all IPv6 devices must support IPSec, whereas IPv4 does not require that all devices using it be capable of using IPSec. This is a distinct advantage when security is paramount, as it means that clients can be required to use IPSec to ensure that data being transferred is more secure.

Implementation

Now that we have touted the benefits of IPv6, you need to examine a couple of methods for deploying IPv6 to your environment. There are a number of different ways that you can go about accomplishing this, and we cannot cover every single case with an example. What we will do is to provide some base concepts and then a few select examples covering some of the more broad situations you could encounter.

The goal is that you should understand how an IPv6 implementation should work and adapt from this because no two installations are alike, and it's not possible for us to cover every single permutation. To begin, let's cover the basic directions you will take.

The basic concept is that you will have any Internet facing devices using IPv6, all internal network devices using IPv6, and whichever applications possible using IPv6; and any remaining traffic will use IPv4. For this to occur, you will basically be creating two networks: a “base” IPv6 network with an IPv4 network overlaid for specific traffic. This means that you will need to have two completely separate sets of networking information for each system and will need to maintain any routing or network address information twice. This network layout is detailed in Figure 14-1.


Figure 14-1. Dual networks

The second method is simply having one IPv6 forward-facing interface. This is much easier to accomplish because it involves having only one network and having an application or router function as an IPv6 gateway. However, this means that you will need to provide the gateway with multiple network adapters and will lose some of the benefits given by IPv6. This network layout is detailed in Figure 14-2.


Figure 14-2. IPv4 with IPv6 gateway

Now that you have seen the two examples, let's begin.

Internet Connection

The first thing you will need to do is make sure that your Internet connection is IPv6, which requires that you are going through an ISP that will provide you with an IPv6 IP and connection to the wider Internet. Not all ISPs currently support IPv6, so it is important to check with an ISP before signing up to see that you will be able to get an IPv6 address and that it is routable to the Internet.

We cannot recommend specific ISPs for you as we cannot speak to availability or any of the many factors that would go into signing an ISP contract; what we can suggest is that you shop around and ensure you understand any contract you sign. Once you have established that your Internet connection is an IPv6 connection, you can begin configuring your network.

DNS

Once you have sorted out an IPv6 IP address, the first thing you should do is to add your new IPv6 address to your existing DNS entries. If you are using a hosted DNS provider you will need to check the capability to support IPv6 addresses and then work with your provider to update your DNS listing. If you are hosting your own DNS server, you will need to make changes to your DNS system to add your IPv6 address.

Just as with the provider, you will need to validate that your DNS server software supports IPv6 DNS addressing. After you have validated that your software supports IPv6, the changes you will need to make are rather simple. You simply need to add an AAAA record to your DNS file that links your URL to the new IPv6 address you have been given. This AAAA record will work in the same manner as a normal A record and is used to signify an IPv6 entry.

Tip: Don't forget to update the Serial field after each DNS change.

Operating System

As with all the parts of your system, you should ensure that your operating systems support IPv6. While most operating systems released in the past 10 years should support IPv6 out of the box, it is important to be sure whether they do or do not. You should also be aware of any specific caveats to the functioning of IPv6 on that system that may dictate small changes to your implementation.

As it stands, you have used two operating systems within this book, CentOS 6 and Ubuntu 10.04, and both of these operating systems support IPv6. However, any modern Linux that is running any kernel since 2.6 should be capable of running IPv6. Moving beyond Linux, we can confirm that Windows supports IPv6 from Windows XP Service Pack 1 onward. Given the number of operating systems available, we can't go over each of them. All we can recommend is to check the documentation of your OS.

Networking

Now that you have completed the first step in moving toward IPv6, you will need to begin attaching it to your network. From this point, you can begin taking different directions as to how you want to accomplish the task of adding IPv6 support for your website.

Single Gateway Network

Given that you now have an IPv6 address and have configured the DNS for it, all that remains is to add IPv6 support to your network gateway. This gateway is the point in your network that your DNS settings point to as being the face your network presents to the outside world. These gateways normally take requests and forward them back into your network for processing. For this, your gateway device will need at least two device ports and IP addresses. This means that it is in effect multi-homed and lives both in your network and on the Internet.

This means that only your gateway device needs to be capable of working with IPv6. This device can be a router or even be an Internet facing server. If you are using a server rather than a router as your gateway device you will need to ensure that it and all the software you plan to run on the server support IPv6.

Dual Network

This is the much more involved of the two options. For this, you will begin by establishing the layout and addressing for both your networks. The order won't matter as you will need to overlay both networks. To begin, start establishing which devices you have that will support IPv6. From this point you need to establish whether each system is to support IPv4 or both IPv4 and IPv6.

The criteria for establishing these are as follows:

  • Will the OS support IPv6?
  • Will all the applications that are to contact this system use IPv6?
  • Will all applications that are to communicate with this server use IPv6?

From this point, you need to create both the networks by establishing IP addresses for each server (both IPv4 and IPv6 when appropriate). Remember, the aim is to have IPv6 wherever possible and have IPv4 as the fallback for those applications that cannot support IPv6. Once you have established and laid out your network, you should perform connectivity tests on both networks to ensure that your servers can communicate over both protocols.

Application Support

Once you have established connectivity, it's time to begin changing your applications. We will cover the applications that you have been using thus far and how specifically IPv6 affects these applications. For more specific information on the applications, you should visit the earlier chapters in this book that cover each application.

Apache

Apache has built-in support for IPv6, can function in either IPv4 or IPv6 modes, and has two modes for operating the two together. This is handled by an Apache build configuration option that needs to be specified at compile time. These configuration flags are '--enable-v4-mapped' and '--disable-v4-mapped', and they need to be specified when executing the 'configure' command to compile Apache.

The default for Linux systems is to have v4 mapping enabled. This means that whenever possible, Apache will attempt to map between the IPv6 and IPv4 addresses. This means that adding a basic directive such as 'Listen 80' will make Apache listen on both IPv4 and IPv6 interfaces on port 80. In this instance, Apache keeps both connections within the same sockets and uses all its sub processes for IPv4 and IPv6 connections.

If you want to specify an IPv6 address to your Apache server, it can be done using the same Listen directive. It functions exactly the same way as normal, but the IPv6 address must be wrapped in square brackets [...] giving the appearance "Listen [00FF:00FF:00FF:00FF:00FF:00FF:00FF:00FF]:80".

At this point, you might want to have your IPv4 and IPv6 running on separate processes – if, say, you are experiencing slowdown across the board when an IPv6 connection occurs. Then you will need to set the --disable-v4-mapped flag, which means that any socket that is accepting IPv4 connections can't accept IPv6 connections. Then you will need to add the following Listen directives:

Listen [::]:80
Listen 0.0.0.0:80

These two directives will tell Apache that it needs to read from any port 80 connection via IPv4 and separately any IPv6 connection on port 80. With these two methods, you should be able to tailor the way that Apache deals with IPv6.

Nginx

Nginx leverages part of the Linux operating system to configure whether or not it will need to use the IPv4 to IPv6 mapping. This feature is controlled via the file /etc/sysctl.conf. To modify, you will need to set the following entry so that its value is 1.

net.ipv6.bindv6only = 1

After this, you will need to reload your config with the following:

sysctl -p

This change means that IPv6 addresses will never be bound into IPv4 addresses for processing by any application, the same as using the --disable-v4-mapped parameter in Apache. From this point, you can modify the listen parameters; just as with Apache, IPv6 entries need to be in square brackets.

The key difference is that with bindv6only = 1 set, if you attempt a listen with only the IPv6 entry, you will receive errors. To negate this, you will need to use the ipv6only=on; parameter.

This will cause errors in ‘bind socket’:

listen [::]:80;

This will not cause errors as it specifies only IPv6 connections:

listen [::]:80 ipv6only=on;

However, in contrast to this, if the net.ipv6.bindv6only is set to 0, adding a statement such as listen [::]:80; will allow you to listen on both IPv6 and IPv4.
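When one socket serves both protocols (Apache with v4 mapping enabled, or Nginx with net.ipv6.bindv6only set to 0), IPv4 clients reach the application as IPv4-mapped IPv6 addresses of the form ::ffff:a.b.c.d. The following added Python example (not code from the book) shows how IPv4 allow and deny rules stop matching unless such peers are unwrapped first; the rule sets, peer addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed rule sets using private and documentation ranges.
BLOCKED = [ipaddress.ip_network("203.0.113.0/24")]
ADMIN = [ipaddress.ip_network("192.168.0.0/24"),
         ipaddress.ip_network("2001:db8:10::/64")]

# Constructed peer addresses as a dual-stack listener would report them.
PEERS = [
    "::ffff:203.0.113.9",    # IPv4 client seen through the IPv6 socket
    "::ffff:192.168.0.25",   # IPv4 admin host seen through the IPv6 socket
    "192.168.0.25",          # same host via a separate IPv4 socket
    "2001:db8:10::5",        # native IPv6 admin host
    "2001:db8:ffff::1",      # native IPv6 public client
]

def normalize(peer: str):
    """Parse a peer address and unwrap ::ffff:a.b.c.d to plain IPv4."""
    ip = ipaddress.ip_address(peer)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def in_any(ip, nets) -> bool:
    """True if ip falls inside any network of the same address family."""
    return any(ip.version == n.version and ip in n for n in nets)

def decide(peer: str, unwrap: bool = True) -> str:
    """Return 'deny', 'admin' or 'public' for a peer address."""
    ip = normalize(peer) if unwrap else ipaddress.ip_address(peer)
    if in_any(ip, BLOCKED):
        return "deny"
    return "admin" if in_any(ip, ADMIN) else "public"

def audit(peers=PEERS):
    """List peers whose decision changes once mapped addresses are unwrapped."""
    changed = []
    for p in peers:
        raw, fixed = decide(p, unwrap=False), decide(p)
        if raw != fixed:
            changed.append((p, raw, fixed))
    return changed

if __name__ == "__main__":
    for peer, raw, fixed in audit():
        print(f"{peer}: without unwrapping={raw}, with unwrapping={fixed}")
```

The same normalization applies to log analysis: a search for an IPv4 address should also cover its ::ffff: form when the listener is dual-stack.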

Varnish Cache

Varnish cache needs to be above version 1.0 and it will accept IPv6 addresses. As with the previous applications, simply replace IPv4 addresses with IPv6 addresses inside square brackets. If only a port is specified within its config then Varnish will listen on both IPv4 and IPv6 interfaces.

Memcached

Memcached simply needs to be above version 1.2.5 to function with IPv6 addresses. In this instance, as with previous ones, you simply need to replace IPv4 addresses with IPv6 addresses inside square brackets.

IPVS

IPVS has limited support for IPv6. The requirement for this is that your kernel version be greater than 2.6.28-rc3 (as this kernel was the one that included the new IPVS IPv6 features). In addition, you should have the latest version of IPVS possible. Once you have IPv6 support, configuration is fairly straightforward: the IPv6 entries just need to be made as normal, with IPv6 addresses being in square brackets. An IPVS entry can be worked like the following example:

ipvsadm -A -t [c0:a8::1]:80
ipvsadm -a -t [c0:a8::1]:80 -r [c0:a8::2]:80 -m
ipvsadm -a -t [c0:a8::1]:80 -r [c0:a8::3]:80 -m

In addition, the IPVS team has published the following list of what is supported and what is not supported with regard to IPv6:

What Works with IPv6
  • Forwarding mechanisms: NAT, Direct Routing (DR), maybe Tunnel (not fully tested yet)
  • Protocols: TCP, UDP, Encapsulated Security Payload (ESP), Authentication Header (AH) (last two not tested)
  • Manipulation and inspection of both IPv4 and IPv6 entries with ipvsadm
  • Six out of ten schedulers (10/10 in latest net-next dev tree)
  • ping6 monitor in heartbeat
  • ldirectord using external commands for monitoring
What Is Not Supported with IPv6
  • Handling fragmentation or other extension headers
  • FTP application helper (can be loaded, but only operates on v4)
  • sync daemon (can be started, but only operates on v4)
  • Probably some incorrect handling of ICMPv6 or other corner cases
  • Most built-in probes in ldirectord - use checkcommand
  • Real servers must be specified individually in ldirectord, address ranges are not supported

Ldirectord

As with IPVS, ldirectord is simply a static replace of IPv4 addresses with IPv6 ones. The following is an example config for Ldirectord.cf:

virtual = [c0:a8::1]:80
       protocol = tcp
       scheduler = wlc
       real = [c0:a8::2]:80 gate 1000
       real = [c0:a8::3]:80 gate 1000
       service = http

Heartbeat

Like Ldirectord, heartbeat involves a static replacement of IPv4 addresses with IPv6 addresses. The only difference between the two this time is that support is limited to 'full' addresses only - meaning that you cannot shortcut the addresses with step two of IPv6 truncation.

Summary

Throughout the course of this chapter, you have covered the implications of IPv6 and the changes it is bringing about to the Internet and world. This chapter has covered what IPv6 is and how IPv6 addresses look and the benefits it provides. You have covered the basic methods for adding IPv6 to an existing system and you have covered the implications of doing this. Finally, you covered the configuration changes needed over a number of applications to establish IPv6 connectivity with them.
