Alexander Leidinger

Just another weblog

Sep
28

All internal services migrated to IPv6

In the last days I migrated all my internal services to IPv6.

All my jails have an IPv4 and an IPv6 address now. All Apaches (I have one for my picture gallery, one for webmail, and one for internal management) now listen on the internal IPv6 address too. Squid is updated from 2.x to 3.1 (the most recent version in the Ports Collection) and I added some IPv6 ACLs. The internal Postfix is configured to handle IPv6 too (it is delivering everything via an authenticated and encrypted channel to a machine with a static IPv4 address for final delivery). My MySQL does not need an IPv6 address, as it is only listening to requests via IPC (the socket is hardlinked between jails). All ssh daemons are configured to listen to IPv6 too. The IMAP and CUPS servers picked up the new IPv6 addresses automatically. I also updated Samba to handle IPv6, but due to lack of a Windows machine which prefers IPv6 over IPv4 for CIFS access (at least I think my Windows XP netbook only tries IPv4 connections) I cannot really test this.

Only my Wii is a little bit behind, and I have not checked if my Sony-TV will DTRT (but for this I first have to get some time to have a look if I have to update my DD-WRT firmware on the little WLAN-router which is “extending the cable” from the TV to the internal network, and I have to look how to configure IPv6 with DD-WRT).

Sep
21

IPv6 in my LAN

After enabling IPv6 in my WLAN router, I also enabled IPv6 in my FreeBSD systems. I have to say that the IPv6 chapter in the FreeBSD handbook does not contain as much information as I would like to have about this.

Configuring the interfaces of my two 9-current systems to also carry a specific IPv6 address (an easy one from the ULA I use) was easy after reading the man-page for rc.conf. After a little bit of experimenting it came down to:

ifconfig_rl0_ipv6="inet6 ::2:1 prefixlen 64 accept_rtadv"
ipv6_defaultrouter="<router address>"

Apart from this address (I chose it because the IPv4 address ends in “.2”, this way I can add some easy to remember addresses for this machine if needed), I also have two automatically configured addresses. One is with the same ULA and some not so easy to remember end (constructed from the MAC address), and one is from the official prefix the router constructed out of the official IPv4 address from the ISP (+ the same end as the other one).

Additionally I also have all my jails on this machine with an IPv6 address now (yes, they are like “…:2:100” with the :100 because the IPv4 address ends in “.100”). Still TODO is the conversion of all the services in the jails to also listen on the IPv6 address.

I already changed the config of my internal DNS to have the IPv6 addresses for all systems, and to listen on the IPv6 address (when I add an IPv6 network to allow-query/allow-query-cache/allow-recursion bind does not want to start). And as I was there, I also enabled the DNSSEC verification (but I get a lot of error messages in the logs: “unable to convert errno to isc_result: 42: Protocol not available”, one search result which talks exactly about this error tells it is a “cosmetic error”…).

I noticed that an IPv6 ping between two physical machines takes a little bit more time than an IPv4 ping (no IPsec enabled). It surprised me that this is such a noticeable difference (not within the std-dev at all):

--- m87.Leidinger.net ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.168/0.193/0.220/0.017 ms

--- m87.Leidinger.net ping6 statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.207/0.325/0.370/0.047 ms

The information I miss in the FreeBSD handbook in the IPv6 chapter is what those other IPv6 related services are and when/how to configure them. I have an idea now what this radvd is, but I am not sure what the interaction is with the accept_rtadv setting for ifconfig (and I do not think I need it, as my WLAN router seems to do it already). I know that I get the IPv6-friendly network neighborhood displayed with ndp(8). I did not have a look at enabling IPv6 multicast support in FreeBSD, and I do not know what those other IPv6 options for rc.conf do.

Sep
21

IPv6 in my WLAN

The manufacturer of my WLAN router released a new firmware. It contains IPv6 and DNSSEC support. I got a little bit of time and power to install it. Unfortunately my ISP does not provide IPv6 connectivity.

I have now installed the IPv6 support in Windows XP for the Netbook, created (and registered) a ULA prefix at SixXS, and verified that the network stack of XP gets it from the WLAN router.

When I do an IPv6 ping from the laptop to the router, it works, but the IPv6 address does not show up in the Homenetwork overview of the router. Seems they still have some work to do.

Regarding DNSSEC I do not see any options in the management interface, but I assume it just means that the DNS server does the right thing when it is confronted with recursive DNSSEC requests. No idea if it will validate by itself and, if yes, if it will add some log messages regarding it or not.
