All internal services migrated to IPv6

In the last few days I migrated all my internal services to IPv6.

All my jails have an IPv4 and an IPv6 address now. All Apaches (I have one for my picture gallery, one for webmail, and one for internal management) now listen on the internal IPv6 address too. Squid is updated from 2.x to 3.1 (the most recent version in the Ports Collection) and I added some IPv6 ACLs. The internal Postfix is configured to handle IPv6 too (it is delivering everything via an authenticated and encrypted channel to a machine with a static IPv4 address for final delivery). My MySQL does not need an IPv6 address, as it is only listening to requests via IPC (the socket is hardlinked between jails). All ssh daemons are configured to listen on IPv6 too. The IMAP and CUPS servers were picking up the new IPv6 addresses automatically. I also updated Samba to handle IPv6, but due to the lack of a Windows machine which prefers IPv6 over IPv4 for CIFS access (at least I think my Windows XP netbook only tries IPv4 connections) I cannot really test this.
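As an added check for a migration like the one above (example code, not from the original post): it parses the output of FreeBSD's sockstat -46l and reports every listening service that has a socket for only one address family, so a daemon still bound only to IPv4 (or one that already answers on IPv6 where no ACL covers it yet) stands out. The sockstat output, process names and addresses are a constructed sample.

```python
"""Check dual-stack listener coverage from FreeBSD sockstat -46l output.

Added example, not code from the original post. Each listening socket is
grouped by (command, protocol, port) and any service that answers on only
one IP family is reported, which is the kind of gap that stays open while
jail services are being converted to IPv6 one by one.
"""
from collections import defaultdict

# Constructed sample in the classic sockstat(1) column layout; the
# addresses and process names are made up, not captured from a real host.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  3  tcp6   *:22                  *:*
root     sshd       1234  4  tcp4   *:22                  *:*
www      httpd      2001  5  tcp4   192.168.1.100:80      *:*
www      httpd      2001  6  tcp6   fd00::2:100:80        *:*
bind     named      1500  20 udp4   192.168.1.2:53        *:*
bind     named      1500  21 tcp4   192.168.1.2:53        *:*
squid    squid      1700  9  tcp4   192.168.1.110:3128    *:*
postfix  master     1800  12 tcp4   192.168.1.120:25      *:*
postfix  master     1800  13 tcp6   fd00::2:120:25        *:*
mysql    mysqld     1900  10 stream /tmp/mysql.sock
"""

def parse_sockstat(text):
    """Yield (command, proto, family, port) for each IPv4/IPv6 listener."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        command, proto, local = fields[1], fields[4], fields[5]
        if proto[-1] not in "46":
            continue                            # unix sockets carry no family
        # IPv6 literals contain ':', so take the port from the right.
        port = local.rsplit(":", 1)[1]
        yield command, proto[:-1], "v" + proto[-1], port

def find_single_stack(text):
    """Map (command, proto, port) -> family for listeners on only one family."""
    families = defaultdict(set)
    for command, proto, family, port in parse_sockstat(text):
        families[(command, proto, port)].add(family)
    return {key: fams.pop() for key, fams in families.items() if len(fams) == 1}

if __name__ == "__main__":
    for (command, proto, port), fam in sorted(find_single_stack(SAMPLE_SOCKSTAT).items()):
        print(f"{command} {proto}/{port} listens on {fam} only")
```

On a real host, feed it the captured output of sockstat -46l instead of the sample; the unix-socket-only MySQL from the post correctly produces no report line.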

Only my Wii is a little bit behind, and I have not checked if my Sony TV will DTRT (but for this I first have to find some time to check whether I have to update the DD-WRT firmware on the little WLAN router which is “extending the cable” from the TV to the internal network, and I have to look at how to configure IPv6 with DD-WRT).

IPv6 in my LAN

After enabling IPv6 in my WLAN router, I also enabled IPv6 in my FreeBSD systems. I have to say that the IPv6 chapter in the FreeBSD handbook does not contain as much information as I would like to have about this.

Configuring the interfaces of my two 9-current systems to also carry a specific IPv6 address (an easy one from the ULA I use) was easy after reading the man page for rc.conf. After a little bit of experimenting it came down to:

ifconfig_rl0_ipv6="inet6 ::2:1 prefixlen 64 accept_rtadv"
ipv6_defaultrouter="<router address>"

Apart from this address (I chose it because the IPv4 address ends in “.2”; this way I can add some easy to remember addresses for this machine if needed), I also have two automatically configured addresses. One is with the same ULA and a not so easy to remember end (constructed from the MAC address), and one is from the official prefix the router constructed out of the official IPv4 address from the ISP (with the same end as the other one).

Additionally I also have all my jails on this machine with an IPv6 address now (yes, they are like “…:2:100”, with the :100 because the IPv4 address ends in “.100”). Still TODO is the conversion of all the services in the jails to also listen on the IPv6 address.

I already changed the config of my internal DNS to have the IPv6 addresses for all systems and to listen on the IPv6 address (when I add an IPv6 network to allow-query/allow-query-cache/allow-recursion, bind does not want to start). And as I was there, I also enabled DNSSEC verification (but I get a lot of error messages in the logs: “unable to convert errno to isc_result: 42: Protocol not available”; the one search result which talks exactly about this error says it is a “cosmetic error”…).

I noticed that an IPv6 ping between two physical machines takes a little bit more time than an IPv4 ping (no IPsec enabled). It surprised me that this is such a noticeable difference (not within the stddev at all):

--- m87.Leidinger.net ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.168/0.193/0.220/0.017 ms

--- m87.Leidinger.net ping6 statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.207/0.325/0.370/0.047 ms

The information I miss in the IPv6 chapter of the FreeBSD handbook is what those other IPv6 related services are and when/how to configure them. I have an idea now what this radvd is, but I am not sure what the interaction is with the accept_rtadv setting for ifconfig (and I do not think I need it, as my WLAN router seems to do it already). I know that I get the IPv6-friendly network neighborhood displayed with ndp(8). I did not have a look at enabling IPv6 multicast support in FreeBSD, and I do not know what those other IPv6 options for rc.conf do.

IPv6 in my WLAN

The manufacturer of my WLAN router released a new firmware. It contains IPv6 and DNSSEC support. I got a little bit of time and energy to install it. Unfortunately my ISP does not provide IPv6 connectivity.

I have now installed the IPv6 support in Windows XP for the netbook, created (and registered) a ULA prefix at SixXS, and verified that the network stack of XP gets it from the WLAN router.

When I do an IPv6 ping from the laptop to the router, it works, but the IPv6 address does not show up in the home network overview of the router. Seems they still have some work to do.

Regarding DNSSEC I do not see any options in the management interface, but I assume it just means that the DNS server does the right thing when it is confronted with recursive DNSSEC requests. No idea if it will validate itself and, if yes, whether it will add some log messages regarding it or not.