Posts tagged ‘IPv6’

01/17/2015

Native IPv6 Functionality in Docker

by Jeff Loughridge

The days of kludgy hacks for IPv6-connected docker containers are over. A recent PR merged native IPv6 functionality into the docker daemon. The new bits have not yet made it into the docker ppa package as of 1/17/2015. Therefore, some assembly is required.

You’ll need to compile docker from source. The only currently supported docker build process uses docker. Does this remind anyone of the movie Inception?

Here’s an installation process you can use on a fresh 64-bit Ubuntu 14.04 VM.

 

sudo apt-get update
sudo apt-get -y install git build-essential docker.io
git clone https://github.com/docker/docker.git
cd docker
sudo make build
sudo make binary
sudo service docker.io stop
sudo ip link set docker0 down
sudo ip link delete docker0
VERSION=1.4.1  # version as of this writing
sudo cp ./bundles/$VERSION-dev/binary/docker-$VERSION-dev $(which docker)
sudo echo "DOCKER_OPTS='--ipv6 --fixed-cidr-v6=\"2001:DB8::/64\"'" >> /etc/default/docker.io
service docker.io start

Docker does not put an address within the /64 on the docker0 bridge. It uses fe80::1/64. The default route in the container is set to this link local address.

Your containers will not be able to communicate with the IPv6 internet unless the /64 you’ve selected is routed to the docker host. Unlike how docker handles IPv4 in containers, there is no NAT. Use a provider that will route the /64 to your docker host. Linode did this for me after I emailed the request to its support team. Using providers such as DigitalOcean that support IPv6 but do not route a /64 to your VM are not positioned to offer IPv6 connectivity to containers. You’ll have to use the Neighbor Discovery hack that I described in another post.

I’m not sure why docker doesn’t have an option to connect containers directly to a bridge that includes the internet-facing port. Doing this with LXC is easy to accomplish. I suspect this can be done with docker. I don’t know how though. Perhaps someone with more more knowledge of docker can explain how to attach the daemon to a bridge with the LAN interface.

I’ll note that the docker build environment appears to have a bug with name resolution in the build container if IPv6 DNS servers are in /etc/resolv.conf. I didn’t want to invest the time to troubleshoot it. You can comment out the IPv6 DNS servers in the docker host’s /etc/resolv.conf file to avoid the defect.

If you run into problems, let me know in the comments.

Advertisements
Tags:
07/22/2014

IPv6 in Docker Containers on DigitalOcean

by Jeff Loughridge

This post details how I enabled IPv6 addresses in docker containers on DigitalOcean.

DigitalOcean supports IPv6 in its London 1 and Singapore 1 data centers as of July 2014. Create a droplet using the Ubuntu 14.04 image and DO’s docker installation under Applications in the “Create VM” screen. Make sure to check “IPv6”.

DO provides a VM with 20 addresses within a /64. docker0 gets assigned 0x1 as the last hex character. I give the docker0 interface 0x4. This leaves 0x5 to 0xf for my containers.

Let’s take an example. DO gives me 2a03:b0c0:1:d0::18:d000 to 2a03:b0c0:1:d0::18:d00f. docker0 gets 2a03:b0c0:1:d0::18:d004. The last double octet for containers ranges from 0xd005 to 0xd00f.

To break up the 20 addresses provided by DO, we need a way for containers to respond to IPv6 neighbor discovery on the host’s eth0 interface. This could be performed using a ND proxy daemon (see here for one implementation). For most docker use cases, a static ND proxy entry should do.

docker does not natively support IPv6. LXC, the foundation of docker, can handle IPv6 in containers. As of docker 1, the software uses libcontainer by default instead of LXC. We’ll have to configure /etc/default/docker to use the LXC driver.

See below for example for one time set-up of the droplet.

#!/bin/bash

# enable IPv6 forwarding and ND proxying
echo net.ipv6.conf.all.proxy_ndp=1 >> /etc/sysctl.conf
echo net.ipv6.conf.all.forwarding=1 >> /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

# install LXC
sudo apt-get install -y lxc

# use the LXC driver
echo DOCKER_OPTS=\"--exec-driver=lxc\" >> /etc/default/docker

service docker restart

The script below demonstrates how to set-up the static ND proxy entries. Make sure to change the V6_START variable.


#!/bin/bash
 
# This script provides an example of setting up IPv6 static
# ND proxy entries. Edit the V6_START to match
# what you see in the DO control panel
 
V6_START=2a03:b0c0:1:d0::18:d000
 
# strip the last hex character
V6_MINUS_LAST_HEX_CHAR=`echo $V6_START|sed s/.$//`
 
ip addr add ${V6_MINUS_LAST_HEX_CHAR}4/124 dev docker0
 
echo "adding ND proxy entries..."
for character in 4 5 6 7 8 9 a b c d e f; do
  echo "ip -6 neigh add proxy ${V6_MINUS_LAST_HEX_CHAR}${character} dev eth0"
  ip -6 neigh add proxy ${V6_MINUS_LAST_HEX_CHAR}${character} dev eth0
done

Now we’re ready to bring up the container. The first argument must be an IPv6 address in your assigned
range with the last double octet between 0xXXX5 and 0xXXXF. For me, this is 0xd005 to 0xd00f.

#!/bin/bash
 
# first argument to script must be IPv6 address from DO-allocated
# space that is not part of the first /126 (e.g. 0x4 to 0xF as last
# hex character
 
IPV6_ADDRESS=$1
 
if [ -z "$IPV6_ADDRESS" ]; then
  echo "please specify IPv6 address for container's eth0"
  exit 1
fi
 
echo "container eth0: $IPV6_ADDRESS"

# run container so that docker0 gets a link local address
docker run busybox:ubuntu-14.04 /bin/true
docker rm $(docker ps -lq)

# get docker0's link local address
LINK_LOCAL=$( \
  ip addr show docker0 | \
   grep "inet6 fe80" | \
    awk '{print $2}' | \
      sed 's/\/.*//' \
)

if [ -z "$LINK_LOCAL" ]; then
  echo "unable to find link local address on docker0. something is wrong."
  exit 1
fi
 
echo "docker0 link local: $LINK_LOCAL"
 
docker run -i -t \
   --lxc-conf="lxc.network.flags = up" \
   --lxc-conf="lxc.network.ipv6 = $IPV6_ADDRESS/124" \
   --lxc-conf="lxc.network.ipv6.gateway = $LINK_LOCAL" busybox:ubuntu-14.04 /bin/sh

Executing the script will put you in interactive mode in a shell in the container. Try ‘ping6 2600::’ to to test connectivity. If you are having trouble, let me know in the comments.

I want to thank Andreas Neuhaus for his IPv6 in Docker Containers post and his suggestion to use static ND proxy when the provider does not route a /64 to your docker host.

UPDATE 1/17/2015 – Docker now has native IPv6 functionality. See this post.

09/14/2013

L2TPv3 in Linux Using IPv6 Endpoints

by Jeff Loughridge

Pseudowires have traditionally been deployed in ISP and wireless provider networks to carry Ethernet and TDM frames across an IP/MPLS network. Now you can find an implementation of L2TPv3 in the Linux kernel. Pseudowires for the masses without the need for an MPLS network! You get the added benefit of open source code that can be modified to meet requirements specific to your environment.

L2TPv3 is a lightweight protocol for transporting L2 frames across an IP network (see RFC3931). Cisco’s implementation can carry a variety of L2 protocols (ATM, FR, Ethernet, TDM) while Linux supports Ethernet and PPP. I have use cases in mind in the Iaas space, so Ethernet pseudowires will do the trick. The linux implementation support static tunnels only. If you want an L2TPv3 control channel, check out Katalix’s commercial software, ProL2TP.

Some bad news–L2TPv3 will not work out-of-the box with any of the major Linux distributions (This holds true as of Sept 2013 at least).  You need a more recent version of iproute2 that provides the “ip l2tp” configuration command. If you want IPv6 endpoints, you’ll also need kernel 3.5 or later.

I’ll step through an example of getting L2TPv3 to function with IPv6 in a debian wheezy VM. I’m using a 32-bit Debian 7.1 image.

Install Required Packages

roote@debian:~# apt-get install flex bison libdb5.1-dev build-essential kernel-package bridge-utils

Install iproute2

Download iproute2 from this link. I linked to version 3.11, the latest at the time of this writing. Earlier versions may work. I can’t determine where this patch to handle IPv6 endpoints got merged with the code.

Execute ./configure and ignore the error about xtables. Run ‘make’ to compile. I renamed /sbin/ip to /sbin/ip-ss120521. I moved the new file in iproute2-3.11.0/ip/ip to /sbin/ip. If you want to put the new ip in /usr/local/sbin, you can do that instead. I got burned doing this because I didn’t realize that bash retains a hash to matching binaries in your path. Logging out and logging back in is one way to fix this.

Run ‘ip -V’ to ensure you using the correct binary. With iproute2-3.11.0, you’ll see ‘ip utility, iproute2-ss130903’.

Compile 3.5 or Later Kernel

The kernel compilation can be very slow. I set the VM memory to 2Gb with two processors.

root@debian:~# wget https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.11.1.tar.xz

root@debian:~# tar xf linux-3.11.1.tar.xz

root@debian:~# cd linux-3.11.1

root@debian:~/linux-3.11.1# cat /boot/config-`uname -r`>.config

root@debian:~/linux-3.11.1# yes “” | make oldconfig

root@debian:~/linux-3.11.1# make-kpkg clean

root@debian:~/linux-3.11.1# time fakeroot make-kpkg –initrd –revision=3.5.0 –append-to-version=-1custom kernel_image kernel_headers

root@debian:~/linux-3.11.1# dpkg -i ../linux-*1custom*

root@debian:~/linux-3.11.1# shutdown -r now

Note: I borrowed most of the compilation steps from lindqvist’s blog. I’ll also point out that you can edit .config to build L2TPv3 into the kernel rather than as a loadable module.

You’ll want to take a snapshot of this VM and make clones based on it. The next step assumes you have two Debian VMs with L2TPv3.

Build L2TPv3 Tunnels

Let’s assume you have two VMs. The interface eth0 on both is a shared network (2001:DB8::/64). The eth1 interface on both connect to the networks you want bridged together. Since the transport is IP, there is no need for a shared network. The remote endpoint could be any node that is reachable by IP.

VM1

root@debian:~# modprobe l2tp_eth

root@debian:~# ip l2tp add tunnel tunnel_id 3000 peer_tunnel_id 4000 encap udp local 2001:DB8::1 remote 2001:DB8::2 udp_sport 5000 udp_dport 6000

root@debian:~# ip l2tp add session tunnel_id 3000 session_id 1000 peer_session_id 2000

root@debian:~# ip link set l2tpeth0 up mtu 1488

root@debian:~# brctl addbr br0

root@debian:~# brctl addif br0 l2tpeth0

root@debian:~# brctl addif br0 eth1 ip link set br0 up promisc on

VM2

root@debian:~# modprobe l2tp_eth

root@debian:~# ip l2tp add tunnel tunnel_id 4000 peer_tunnel_id 3000 encap udp local 2001:DB8::2 remote 2001:DB8::1 udp_sport 6000 udp_dport 5000

root@debian:~# ip l2tp add session tunnel_id 4000 session_id 2000 peer_session_id 1000

root@debian:~# ip link set l2tpeth0 up mtu 1488

root@debian:~# brctl addbr br0

root@debian:~# brctl addif br0 l2tpeth0

root@debian:~# brctl addif br0 eth1 ip link set br0 up promisc on

You can verify the tunnel with ‘ip l2tp show tunnel’. It should look like the following.

root@debian:~# ip l2tp show tunnel
Tunnel 4000, encap UDP
From 2001:db8::2 to 2001:db8::1
Peer tunnel 3000
UDP source / dest ports: 6000/5000
root@debian:~#

Now you have a pseudowire between the networks connected to eth1 of both VMs.

If you have any problems while following my directions, let me know in the comments. I will make corrections. My thanks go to James Chapman and his peers at Katalix for writing the code and providing pointers on getting it working.

Tags: , , ,
06/16/2013

IPv6 in XCP 1.6

by Jeff Loughridge

The intent of this post is to document how to enable IPv6 in XCP 1.6 and manage the host using IPv6 transport. I hope Google leads many people to this page, as I wasn’t able to find anything else on the web on the subject. I’d like to see more people experimenting with IPv6 on XCP hosts.

XCP 1.6 is built on an optimized Centos 6 dom0 kernel. Enabling IPv6 is not as simply a matter of editing files in /etc/sysconfig/ as you would for a typical Centos server. XCP takes over network configuration during system start-up. Fortunately, the process is very straightforward. To manage IPv6 networking on an XCP host, you must be comfortable with the ‘xe’ command line tools, as this cannot be performed using XenCenter.

Here are the steps for enabling IPv6 and configuring an IPv6 address.

  1. Log in to the XCP host as root and execute ‘/opt/xensource/bin/xe-enable-ipv6 enable’.
  2. Reboot.
  3. Verify that an IPv6 link-local address appears on xenbr0 using ‘ip -6 addr show dev xenbr0’. You should see a /64 address that begins with fe80 (e.g., fe80::20c:29ff:fe48:5bc9/64).
  4. Configure an IPv6 address on the host using ‘xe pif-reconfigure-ipv6’.

I’ll  provide some sample ‘xe pif-reconfigure-ipv6’ configuration commands.

Static IPv6 address – ‘xe pif-reconfigure-ipv6 mode=static uuid=<PIF_UUID> ipv6=<IPV6_ADDRESS>. The address is specified using the standard IPv6 notation with a slash followed by the prefix length (e.g., 2001:DB8::2/64). Fill in the UUID parameter with the Physical Interface (PIF) UUID of your management domain as provided by ‘xe pif-list’.

Stateless Autoconfiguration  (SLAAC) – ‘xe pif-reconfigure-ipv6 mode=autoconf uuid=<PIF_UUID> ipv6=<IPV6_ADDRESS>’. After executing this command the XCP host will create an IPv6 address using IPv6 Route Advertisements (RA). If there are no routers sending RAs on your network, the XCP host will not assign an address to xenbr0.

DHCPv6 – ‘xe pif-reconfigure-ipv6 mode=dhcp uuid=<PIF_UUID>’. XCP starts dhcp6c after the command is executed; however, the address assignment does not take place. If anyone wants DHCP on the hypervisor, feel free to fire up wireshark and track down the problem. I’ll update the post.

I’ve verified that the ‘xe’ commands can be run remotely using IPv6 transport. XenCenter also connects over IPv6. If you use an IPv6 literal, you must enclose it in brackets as you would in a web browser (e.g., [2001:DB8::2]). As I mentioned earlier in the post, XenCenter cannot configure IPv6 networking.

I want to thank Grant McWilliams for his tips that led me to figuring out IPv6 in XCP 1.6.

UPDATE 9/4/13 – This process also works in Xenserver 6.2.

04/13/2013

The Glorious Return of End-to-end Connectivity with IPv6

by Jeff Loughridge

For almost 15 years, I relied on hacks and trickery to get servers in my residence to communicate with Internet hosts. I used DMZ hosts, port forwarding, and a variety of tunneling mechanisms. The situation deteriorated four years ago when I moved into a neighborhood with a monopoly ISP that implemented NAT in its infrastructure. The days of contorting my services to work around the address space scarcity kludges are over. End to end connectivity is restored.

My ISP allocated a /64 of IPv6 addresses to me in early 2013. Almost every IP-enabled device in my abode has an IPv6 stack. Some do SLAAC only while others can obtain IPs with DHCPv6. (Apparently printer manufacturers have disdain for IPv6. The printer I bought in 2012 can’t communicate via IPv6.)

I can access my home servers anywhere I go. Verizon’s Mobile Hotspot MiFi 5510L supplies an IPv6 address with both EVDO and LTE access. If I’m deep inside a building with no wireline IPv6 access, I have to fire up my SixXs AYIYA tunnel to connect to my home servers. This isn’t ideal but is better than no connectivity.

The days of the Internet over HTTP are coming to an end. We’ll all benefit as application designers implement innovative services unrestricted by NAT.

Tags:
02/16/2012

A Press Release is Not an IPv6 Network Strategy

by Jeff Loughridge

A strategy for enabling your network for IPv6 requires significant planning. The planned future state must be an IPv6-only network rather than dual stack. How do you get from an IPv4-only network to there? I’ll cover some broad themes, as the details are too many for a single post. I’ll also share my thoughts on what an IPv6 strategy is not.

Take the hypothetical conversation between two network engineer colleagues.

Engineer 1: What’s our strategy for IPv6?

Engineer 2: We posted a press release. Check it out on our media relations page.

Engineer 1: <Reads press release> Hmm. OK. I see that we’re going to provide our customers access the IPv6 Internet by end-of-year 2013. How are we going to do that?

Engineer 2: You know…I’m not sure who’s working on that.

A press release–or any other high-level assertions about IPv6 enablement– is not an IPv6 strategy. It a goal and only that. You can’t roll out a scalable, production-quality service without focusing on crucial aspects of the deployment. Some examples follow.

  • IPv6 addressing schemes
  • Address assignment mechanisms
  • Internal and 3rd party applications/services
  • Security
  • IP infrastructure tools and systems
  • Transition technologies
  • Remote access
  • End system and network IPv4/IPv6 protocol interaction
  • Routing protocol selection

The carriers write detailed network design documents for new services and infrastructure components. The design document is shared with all stakeholders and revised based on feedback. This practice should be adopted by enterprises and other entities that operate large IP networks. There is necessary complexity in IP networks that can’t be informally passed along in organizational memory. Experience tells us that writing documentation is time-consuming and that engineers don’t like doing it. I believe a formalized design document is an absolute requirement for network changes on the scale of IPv6 introduction.

If the IPv6 design document is thorough and communicated throughout the organization, you’ll be positioned to avoid issues such as a department continuing to invest in IPv4-only hosts, applications, and network infrastructure. The lack of last-minute surprises helps you meet your IPv6 goals and breaks your dependence on the rapidly depleting IPv4 space.

Get those IPv6 design documents written. When you have an actionable plan, then you can issue the press release.

Tags: ,
01/17/2012

IPv6 – Just 96 More Bits?

by Jeff Loughridge

My favorite professor in college joked that the answer to most questions in computer science is, “It depends.” How true. I’ve found few absolutes in my years working on IP networks. If you compare IPv6 (128 bit address space) with IPv4 (32 bit address space), is IPv6 just 96 more bits?

IPv6–with its long hexadecimal addresses–can be intimidating for engineers who have built a career on IPv4 networking. I recall my hesitation to get involved in turning up customer tunnels to Sprint’s IPv6 overlay network in the early 2000s. I felt that I could fix any problem thrown my way on IPv4. Why invest time to learn IPv6 when its adoption was so limited? Clearly, my sentiment my short-sighted, and I corrected my thinking.

I take the reassuring approach in talking to engineers who are new to IPv6. Gaurab Upadhaya of Limelight Networks put it well: only 96 more bits, no magic. After engineers understand IPv6 basics such as addressing, SLAAC, and neighbor discovery, they’ll begin to understand that the simple, connectionless packet service provided by IP is the same for both versions. Routing is routing (albeit with OSPFv3 for IPv6). The best practices for building scalable IPv4 networks carry over to IPv6 largely intact.

I tend to emphasize the differences between IPv4 and IPv6 in talking about network strategy, design (including migration and transition mechanisms), security, and business continuity. In these areas, the protocol deviations drive the discussion. Let’s take security.  IPv6 implementation introduces new attack vectors. Neighbor Discovery and Router Advertisements, not present in IPv4, can be   subject to denial of service and spoofing. Also, there is new way for malcontents to communicate with your infrastructure. Does your security policy align for IPv4/IPv6 and does it account for IPv6-specific security issues?

IPv4 exhaustion is imminent; engineers and IT leaders will be forced to make critical decision about IPv6 in 2012. Their discussions will likely include aspects of both IPv4/IPv6 similarities and differences.  As long as organizations are having these talks with the intent to act in the near term, they are better off than they would be by ignoring IPv6.

Tags: , ,
01/04/2012

Adventures in AWS, DNS, and IPv6

by Jeff Loughridge

This post describes how I used AWS Elastic Load Balancers and Route 53 to enable IPv6 connectivity to the zone apex of my company’s domain.

Recently I moved my company’s page to Amazon’s AWS. I needed IPv6 support, and the hosting company I was using kept promising IPv6 in 2 to 3 months but never delivered. I used the process I outlined in a previous post to make my site reachable via IPv6 using Elastic Load Balancers. I recommend reading that post before continuing if you don’t know how to do this.

In implementing IPv6 connectivity for my site, I stumbled on a problem that I had not considered. The URL for my company is http://brooksconsulting-llc.com. The URL is already long; I don’t want to put http://www.brooksconsulting-llc.com on company material, email signature, and business card. The “naked” domain, meaning the top of the zone, is called the zone apex. Per RFC 1034, CNAMEs cannot co-exist with required NS and SOA records. The IPv6 hack using AWS Elastic Load Balancers needs a CNAME. Fortunately, AWS does some proprietary magic and accommodates CNAMEs at the zone apex (see announcement here).

You must use AWS’s Route 53 tool for your zone. This wasn’t a problem for me. I prefer Route 53’s zone management GUI over GoDaddy’s. I realized that the Route 53 GUI appears not to support AWS’s on-the-fly conversion from CNAME to A/AAAA record. I had to use the CLI tools to add the records. I used the elb-associate-route53-hosted-zone command twice–once with the –rr-type A (the default) and once with the –rr-type AAAA flag–to add the entry. For more information, check out this section of the Elastic Load Balancing Developer Guide.

I posted a question to ServerFault to see if there was a way to perform the association in the Route 53 GUI. Jesper Mortensen provided a very helpful response. He believes the association can’t be made in the GUI.

Does all of this sound daunting? Well, I probably took a more difficult path than necessary. I’ve read that DNS30 has a GUI to manage Route 53 that includes a method to instruct Route 53 to do the CNAME to A/AAAA record conversion. You may want to take this approach, especially if you don’t already have the EC2 and Load Balancing API tools installed on your system.

In responding to my question at ServerFault, Jesper pointed out that there is an effort underway to standardize the use of CNAMEs at the zone apex. The Internet Draft is here.

——————————————————————————————-

UPDATE (1/5/2012) – A friendly engineer from the AWS Route 53 team contacted me and provided instructions for creating alias resource record sets in the Route 53 console. I confirmed that these work.

Here are the steps.

1. click create record set
2. for zone apex record just leave the name field blank
3. select the type of alias you want to make A or AAAA (all steps after this are the same for both types)
4. Select the yes radio button.
5. Open the EC2 console in another tab and navigate to the list of your load balancers.
6. Click on the load balancer and look at the description tab in the pane below the list. Sample output below

DNS Name:
new-balancer-751654286.us-east-1.elb.amazonaws.com (A Record)
ipv6.new-balancer-751654286.us-east-1.elb.amazonaws.com (AAAA Record)
dualstack.new-balancer-751654286.us-east-1.elb.amazonaws.com (A or AAAA Record)

Note: Because the set of IP addresses associated with a LoadBalancer can change over time,
you should never create an “A” record with any specific IP address. If you want to use a friendly
DNS name for your LoadBalancer instead of the name generated by the Elastic Load Balancing
service, you should create a CNAME record for the LoadBalancer DNS name, or use Amazon Route 53
to create a hosted zone. For more information, see the Using Domain Names With Elastic Load Balancing

Status: 0 of 0 instances in service

Port Configuration: 80 (HTTP) forwarding to 80 (HTTP)

Stickiness: Disabled(edit)

Availability Zones:
us-east-1b

Source Security Group:
amazon-elb-sg

Owner Alias: amazon-elb

Hosted Zone ID:
Z3DZXD0Q79N41H

7. Now copy the Hosted zone ID in the above case ‘ Z3DZXD0Q79N41H’ and paste it into the field labeled ‘Alias Hosted Zone ID:’
8. Now copy the DNS Name in the above case ‘ new-balancer-751654286.us-east-1.elb.amazonaws.com‘ and paste into the field ‘ Alias DNS Name:’
-Just an FYI this DNS name is the same for both A and AAAA alias records. (do not use ‘ ipv6.new-balancer-751654286.us-east-1.elb.amazonaws.com‘)
9. Click create record set or at this time you can select yes to weight the record and provide a weight between 0-255 and a setID such as ‘my load balancer’

Tags: , , , , , ,
09/04/2011

How to Share Content over IPv6 with AWS EC2

by Jeff Loughridge

Although EC2 instances are not IPv6-capable as of this writing, Amazon has implemented IPv6 for its US East (Northern Virginia) and EU (Ireland) Elastic Load Balancers. I’ll demonstrate how to make IPv6 content available using EC2 and the load balancers. Please note that Amazon is currently offering new customers EC2 micro instances at no charge if you remain under certain thresholds.

Instance Set-up

  1. Install a Linux-based Amazon Machine Instance. If you want to follow along with this tutorial, use a Ubuntu 10.04 LTS instance that Canonical uploaded to the Community AMIs (AMI ID ami-63be790a). Use US East or EU (Ireland) servers. If this is your first time setting up an instance, I recommend viewing Greg Wilson’s tutorial on Youtube.
  2. Log in using the “ubuntu” user name. Use the ssh private key as described in the video.
  3. Install the packages required for a LAMP server. A simple way to do this is to “sudo tasksel --section server”. Select “LAMP server” in the graphical installer. Strangely, the LAMP selection does not install PHP. I did this manually with “sudo apt-get install php5-cli”.

Load Balancer Set-up

  1. Click on “Load Balancer” in the “Network & Security” left panel of the AWS Console. Click the “Create Load Balancer” button.
  2. Give your load balancer a name. I used the default HTTP entry. For the health check, I used the default settings.
  3. Add your instance to the load balancer.
  4. Now that the load balancer is created, place a check next to its entry so that detailed information appears in the bottom panel.
  5. Write down your IPv4, IPv6, and dual stack DNS names.
  6. Click on the Instances tab in the bottom panel. Make sure the instance’s status indicates “In Service”. Note:  I’ve noticed that the time required for the health check to add the instance into service can be 20 – 45 minutes.

Testing DNS and Load Balancer

  1. Use dig or nslookup to verify that you get A (IPv4) and AAAA (IPv6) records. This verification step is primarily for your information.
  2. ubuntu@ip-10-244-171-28:~$ nslookup
    > Jeff-LB-Test-1796974432.us-east-1.elb.amazonaws.com
    Server: 172.16.0.23
    Address: 172.16.0.23#53
    Non-authoritative answer:
    Name: Jeff-LB-Test-1796974432.us-east-1.elb.amazonaws.com
    Address: 50.19.220.184
    > set type=AAAA
    > ipv6.Jeff-LB-Test-1796974432.us-east-1.elb.amazonaws.com
    Server: 172.16.0.23
    Address: 172.16.0.23#53
    Non-authoritative answer:
    ipv6.Jeff-LB-Test-1796974432.us-east-1.elb.amazonaws.com has AAAA address 2406:da00:ff00::3213:dcb8
    Authoritative answers can be found from:
    > dualstack.Jeff-LB-Test-1796974432.us-east-1.elb.amazonaws.com
    Server: 172.16.0.23
    Address: 172.16.0.23#53
    Non-authoritative answer:
    dualstack.Jeff-LB-Test-1796974432.us-east-1.elb.amazonaws.com has AAAA address 2406:da00:ff00::3213:dcb8
    Authoritative answers can be found from:
    >

  3. Create a script called test.php with the following text.
    <?php
    
    $headers = apache_request_headers();
    $ip = $headers["X-Forwarded-For"];
    
    if($ip) {
      print "X-Forwarded-For header is $ip";
    }
    else {
      $ip =  getenv('REMOTE_ADDR');
      print "IP is $ip";
    }
    
    ?>
    

    Amazon’s Elastic Load Balancers will set the X-Forwarded-For header to the IPv6 source address. If the connection is made via IPv4, the X-Forwarded-For variable is undefined. Put this script in /var/www.

  4. Using your web browser, access http://yourIPv4DNS/test.php, http://yourIPv6DNS/test.php, and http://yourDualstackDNS/test.php. Assuming you are accessing from a dual stack IPv4/IPv6 end host that prefers IPv6, you will see an IPv4 address, an IPv6 address, and an IPv6 address respectively.

 

Congratulations! Your content is now available over IPv6. Now you can set the CNAME record for your domain to the dual stack DNS name so that users can type in your domain and reach your site via IPv4 or IPv6. For more information on how to use CNAME’s with Amazon EC2, see Using Domain Names with Elastic Load Balancing.

I hope this post encourages people to make content available over IPv6. The days of assuming all end hosts are reachable via IPv4 are over. Amazon’s EC2 and Elastic Load Balancers make transitioning content to IPv6 simple.

08/29/2011

IPv6 in Ubuntu Natty Narwhal

by Jeff Loughridge

I always considered Linux to be a leader in IPv6; the first IPv6 code was added to the kernel in 1996. I’ve recently noticed that the several Linux distributions do not support IPv6 in a way that allows typical users to connect to an IPv6 network. Let’s examine Ubuntu Natty Narwhal.

Natty does not activate IPv6 by default and requires special configuration. Windows 7 has better IPv6 support out of the box than Ubuntu Natty Narwhal. Surprising? An average user can obtain connectivity to the IPv6 Internet using default configuration in Windows 7.

Activating IPv6 in Natty can be done using NetworkManager  (GUI tool) or  manually editing /etc/network/interfaces. There are limitations. Even though the ISC DHCP client supports DHCPv6, the end station will not request a nameserver. For /etc/network/interfaces, you’d think that obtaining an IPv6 address through DHCPv6 would be simple: add an “iface ethx inet6 dhcp” line. Unfortunately, this won’t work in Natty. I am using a hack. I assign a ULA address and then use post-up to execute dhclient.

iface eth0 inet6 static
address fc00::1
netmask 64
post-up /sbin/dhclient -6 eth0

I figured this out through trial and error; this method is not fitting for the average user.

The next Ubuntu release is Oneiric Ocelot. IPv6 should be enabled by default in it. I am testing an alpha build that doesn’t yet have a fix for enabling DHCPv6 in /etc/network/interfaces. Let’s hope this gets fixed prior to release.

After encountering problems, I found that Tore Anderson opened bugs in April 2011. I recommend reading Tore’s exchange with the developer on enabling IPv6 by default. Tore tries to correct the mindset that IPv6 is only needed for power users.

The thread is here.

The bug for the missing DNS server in DHCPv6 is here.