IPv6 is now enabled on this blog. Getting it to work wasn’t as straightforward as I initially thought, since my hosting provider Contabo gives only a single /64 and I use many LXC containers to host different things. Thankfully my friend Anurag helped me out. You can read his blog post about it here.
The problem was that:
- I use internal IPv4 addresses for hosting different things because public IPv4 addresses are expensive so I couldn’t bridge my VM interface with eth0.
- Subnetting the /64 into /112 would not work since IPv6 addresses were allocated with L2 and when I tried using a /112 with one IP on the VM interface and the other on another container, it allowed for outgoing packets but incoming packets were blocked. This is because the IP lacked an entry in my hosting provider’s NDP table.
The solution? Proxy NDP. I will be going into more detail on how to get it working in this post.
Adding IPv6 addresses to interfaces
Let’s assume I was assigned 2001:db8:1:1::/64 by my hosting provider. 2001:db8:1:1::1/64 sits on eth0. We’ll use 2001:db8:1:1:c:c:c:0/112 subnet for our VMs. That is the default config and your /etc/network/interfaces file would look something like this.
iface eth0 inet6 static
    address 2001:0db8:0001:0001:0000:0000:0000:0001
    netmask 64
    # my provider's gateway link-local address. may be different for you
    gateway fe80::1
    accept_ra 0
    autoconf 0
    privext 0
Next let’s assign 2001:db8:1:1:c:c:c:1 to our VM interface vmnet. Add the line up ifconfig vmnet add 2001:db8:1:1:c:c:c:1/112 to your /etc/network/interfaces file. Restart networking. For me this was systemctl restart networking.
Enable proxy NDP for a bunch of IPs
Enable proxy NDP with echo "1" > '/proc/sys/net/ipv6/conf/eth0/proxy_ndp' and enable it for a single IP with ip neigh add proxy 2001:db8:1:1:c:c:c:1 dev eth0.
This is a script that does that automatically and adds proxy NDP entries for 100 IPs. Let’s call it test.sh.
#!/bin/bash
# Turn on proxy NDP for eth0
echo "1" > '/proc/sys/net/ipv6/conf/eth0/proxy_ndp'
# Generate proxy NDP entries in bulk
for i in $(seq 1 100); do
    ip neigh add proxy 2001:db8:1:1:c:c:c:$i dev eth0
done
Make it executable with chmod +x test.sh . Let’s make it run on every reboot. Run crontab -e and put in @reboot /path/to/test.sh. You can run it for now with sh test.sh.
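The loop above writes the decimal counter straight into the last address group, which IPv6 reads as hexadecimal, so it creates 100 entries (c:c:c:1 to c:c:c:100 as written) but none for c:c:c:a to c:c:c:f or any other group containing a letter. The following is an added example, not part of the original script: the function names are made up here, and it prints the commands for a contiguous range so the list can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not from the original post. PREFIX and DEV are the post's
# documentation values; the function names are invented for this example.
PREFIX="2001:db8:1:1:c:c:c"
DEV="eth0"

# Print addresses whose last group runs FIRST..LAST, counted in decimal but
# written in hex, so the proxied range is contiguous (1..9, a..f, 10, ...).
proxy_addrs() (
    n=$1
    while [ "$n" -le "$2" ]; do
        printf '%s:%x\n' "$PREFIX" "$n"
        n=$((n + 1))
    done
)

# Succeed if ADDR (canonical form, no leading zeros) is one of the 100
# addresses the post's `seq 1 100` loop creates: last group all digits, 1..100.
seq_loop_covers() (
    last=${1##*:}
    case $last in
        ''|*[!0-9]*) exit 1 ;;
    esac
    [ "$last" -ge 1 ] && [ "$last" -le 100 ]
)

# Print the commands instead of running them; pipe the output to sh as root
# to apply it once the list looks right.
proxy_commands() {
    echo "echo 1 > /proc/sys/net/ipv6/conf/$DEV/proxy_ndp"
    proxy_addrs "$1" "$2" | while read -r addr; do
        echo "ip -6 neigh add proxy $addr dev $DEV"
    done
}

# Dry run: c:c:c:1 through c:c:c:10 (hex), including a..f.
proxy_commands 1 16
```

Proxying only the addresses that containers actually use keeps the host from answering neighbour solicitations for addresses nothing is listening on.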
Enable IPv6 on your container
We can use 2001:db8:1:1:c:c:c:2 to 2001:db8:1:1:c:c:c:100 for VMs in this case since we’ve enabled proxy NDP for them. I’m going with 2001:db8:1:1:c:c:c:2 in this case. Add this to the /etc/network/interfaces of your VM and restart networking.
up ifconfig eth0 add 2001:db8:1:1:c:c:c:2/112
up ip -6 route add default via 2001:db8:1:1:c:c:c:1
I use a reverse proxy so it was enough for me to enable IPv6 on it. I use a VPN to access some internal applications on some of my containers and OpenVPN needs a /64 for IPv6 to work correctly so I’m sticking with source NATed IPv4 addresses for now.
That’s it! You can use listen [::]:port; with Nginx to make it listen to any IPv6 addresses it has been assigned on a specific port.
Enabling IPv6 on CloudFront
I use Amazon S3 plus CloudFront for images. They recently announced support for IPv6 here. Enabling IPv6 is quite easy to do. Simply head on over to the CloudFront distribution settings and enable IPv6.
However trying to ping cdn.varunpriolkar.com over IPv6 from the VPS itself simply wouldn’t work. I found more info in Amazon’s documentation about this.
We’re deploying IPv6 gradually during October and November of 2016. The deployment is going out to one viewer network at a time. (A viewer network is analogous to your home internet or wireless carrier.) Some viewer networks have excellent IPv6 support, but some viewer networks don’t support IPv6 at all.
Amazon documentation
Hopefully Amazon should roll out support within a couple of months to more networks. You can check the c-ip column in CloudFront access logs to determine if visitors are indeed using IPv6. I don’t have logging enabled but maybe I’ll look at it in the future.
Testing it all out
I asked a friend who has IPv6 enabled on his network to test out the connectivity from outside, and connectivity from inside worked as expected as well. You can test out whether IPv6 is working on your website here.
This website will not work in a pure IPv6 network because my authoritative DNS provider NS1 has not yet deployed IPv6. You can have 65k IPv6 addresses for VMs using this method. Enjoy!
So what are you waiting for? Deploy IPv6 on your website today! 🙂