Topic: Is anybody using IPv6 yet?
Stephen Furley
Film God
Posts: 3059
From: Coulsdon, Croydon, England
Registered: May 2002
posted 01-10-2013 04:13 PM
On a recent IPv6 day (or it may have been week, I'm not sure) it was still well short of 1%, something like 0.05% I think. Maybe that was in the UK, and it's higher elsewhere. The big academic networks around the world, in our case Janet, nearly all support it. For years we've been able to happily ignore it, but it is appearing over the horizon now, and we are going to have to use it for a few things within, I would guess, the next two years or so. It will only be a tiny part of the traffic on our network by that time.
I need to learn it before then. Did a one-day course on it a few months ago, but I'm having some problems with it.
A couple of years ago we had some problems with Bonjour on Apple computers which turned out to be IPv6 multicast related. We got round this at the time by simply disabling IPv6, thereby forcing them to use IPv4, but that's not going to be an option in the future. We hadn't even realised that they were trying to use IPv6 until we hung on a network analyser.
One of the big problems is that there are so few people using it. There are a few universities, and that's about it, at least in the UK, but there are now places, mainly in parts of Asia, where it's no longer possible to get an IPv4 address.
| IP: Logged
Stephen Furley
Film God
Posts: 3059
From: Coulsdon, Croydon, England
Registered: May 2002
posted 01-11-2013 05:59 AM
My test setup has two machines, actually two virtual machines running under VMware Fusion on a laptop at home. The VMware isn't the problem as I've tried it on two physical machines at work with the same result. As long as the VMs are configured for bridged mode network, i.e. not NAT, VMware Fusion Professional supports IPv6.
One VM is running Windows 7 Ultimate and the other Fedora 17, both 64 bit. The only V6 addresses are link-local ones, and they look reasonable, i.e. they start with fe80. Each machine can ping the loopback address, ::1, so the IPv6 stacks are up. Each machine can also ping its own link local address, and that of the other machine.
Each machine has a web server on port 80, IIS on the Windows and Apache on Linux, each with a simple test page set up. The Linux machine is also running Webmin, using HTTPS on port 10000. Using IPv4 everything works fine; both machines can see all three web servers. Using various browsers each machine can see its own web server(s) using the IPv6 loopback address, but not using the link-local address either for itself, or for the other machine. There is one exception to this, Internet Explorer 9, but not Firefox or Chrome, on the Windows machine can see the web server on its own link-local address, but not that on the other machine. I have remembered the square brackets around the IPv6 address in the URL, though I did try it without as well, just in case. For example, the URL which I'm trying to use to see the Webmin server from the Windows machine is:
https://[fe80::20c:29ff:fe77:2dfb]:10000
which according to the course book should work. Using IPv4:
https://192.168.0.13:10000
works from both machines, and https://[::1]:10000 works on the local machine. It's the same with the normal web servers on port 80.
I can't SSH to the link local addresses either, but again IPv4, and ::1 both work.
I've checked the firewall settings on both machines, and can see nothing which should stop IPv6 getting through, but I've also tried disabling both firewalls, but still no luck.
This has taken me a day and a half so far. I'm sure it's going to be something simple when I find it, but I don't know anybody with any IPv6 experience, and Google hasn't found anything helpful. I may have to try to contact somebody at Janet.
| IP: Logged
Stephen Furley
Film God
Posts: 3059
From: Coulsdon, Croydon, England
Registered: May 2002
posted 01-11-2013 08:58 AM
quote: Scott Norwood "IPv6 is the wave of the future and always will be"
(Not sure who said this, but it is an apt description.)
Very true until now; we've been ignoring it for a decade or more, but it really does look like we're going to have to use it fairly soon. There are several protocols involved which open up new possibilities for denial of service attacks if you're not careful about how the network is configured. I think we'll configure everything properly at the core, then block it at all of the edge ports, except for the handful where we will actually need it out of the many thousands which we have. A recent refurbishment and extension of part of our main building saw 3592 new copper ports installed, and I would guess that we have a similar number of older ones. I suspect that the number where we will actually need to use IPv6 will be in single figures.
There are also some 'issues' with using certain features on some of our older switches with IPv6, but the ones involved are now coming up to 11 years old, and most of them will probably have been retired by the time we need to do it. Unfortunately, I won't have retired until just after this happens.
| IP: Logged
Marcel Birgelen
Film God
Posts: 3357
From: Maastricht, Limburg, Netherlands
Registered: Feb 2012
posted 01-11-2013 04:01 PM
quote: Stephen Furley Very true until now; we've been ignoring it for a decade or more, but it really does look like we're going to have to use it fairly soon. There are several protocols involved which open up new possibilities for denial of service attacks if you're not careful about how the network is configured. I think we'll configure everything properly at the core, then block it at all of the edge ports, except for the handful where we will actually need it out of the many thousands which we have. A recent refurbishment and extension of part of our main building saw 3592 new copper ports installed, and I would guess that we have a similar number of older ones. I suspect that the number where we will actually need to use IPv6 will be in single figures.
Most of the industry has been ignoring it for over a decade or more. Even big players like Cisco didn't offer IPv6 as a standard feature until quite recently.
But, since most of your network is probably using RFC 1916 addresses (the private ones) that have ample room for even the biggest organizations on the planet, why would you suddenly need to worry about shortage of IPs?
quote: Stephen Furley There are also some 'issues' with using certain features on some of our older switches with IPv6, but the ones involved are now coming up to 11 years old, and most of them will probably have been retired by the time we need to do it. Unfortunately, I won't have retired until just after this happens.
Switches usually have nothing to do with IPv6, it's the routers, servers and workstations that have to deal with it. Switches deal with Layer 2, nothing has changed on that layer.
| IP: Logged
Stephen Furley
Film God
Posts: 3059
From: Coulsdon, Croydon, England
Registered: May 2002
posted 01-11-2013 04:44 PM
quote: Marcel Birgelen But, since most of your network is probably using RFC 1916 addresses (the private ones) that have ample room for even the biggest organizations on the planet, why would you suddenly need to worry about shortage of IPs?
The problem is not shortage of v4 addresses; we do use private addresses, and have two class C public addresses as well, which go back to before the days of private addresses on our network, when all hosts, far less than today, had public addresses (before my time). Probably less than 100 public addresses are actually in use now. The problem is that there are indications that certain new services will only be made available to us via IPv6. There are also advantages for certain other services, SIP trunks are an obvious one, where NAT is problematical, and it's easier with IPv6.
quote: Marcel Birgelen Switches usually have nothing to do with IPv6, it's the routers, servers and workstations that have to deal with it. Switches deal with Layer 2, nothing has changed on that layer.
Most of our switches are layer 3 devices, Extreme 24e3, 48si, 250e, x450a and 8810, so they do, or can, act as routers. There are also facilities to do things like block rogue router advertisements and false duplicate address detection packets, a host claiming (falsely) to be using every address which a new host proposes to use. Most newer switches, at least if their software is up to date, provide protection against such things.
Our older layer 3 switches are unaware of IPv6; you can define it as a protocol, based on Ethertype, and then enable or disable it on a per vlan basis, but that's about all. If we need to do things like create v6 tunnel endpoints on layer 3 switches then we need to use the newer models.
I don't yet know exactly what the newer switches can do, but the technical specifications list a lot of IPv6 related protocols. Once I get it talking properly on a couple of test machines then I can get some v6 address space from Janet and try out talking to the outside world.
After two days I still can't make simple HTTP and HTTPS connections between two machines, or even to the same machine other than via the loopback address [::1]. There's one exception, IE9 on the Windows machine will talk to the web server on the same machine, but exactly the same URL pasted into a different browser doesn't work.
Need to spend some time with Wireshark this weekend I think. Somebody from Imperial College, who are one of the main users of IPv6 in the UK says it ought to work, and he can't see anything wrong with what I'm doing.
| IP: Logged
Stephen Furley
Film God
Posts: 3059
From: Coulsdon, Croydon, England
Registered: May 2002
posted 01-14-2013 05:41 AM
At this rate it should be a few thousand years before we see IPv7!
IPv6 uses 128 bit addresses so we shouldn't run out for a while.
The problem turned out to be that Linux uses two firewalls, one for IPv4, and the other for IPv6. The interface which I was using to configure the firewall, Webmin, was only acting on the IPv4 one, so whatever I did, add new rules, stop and start the firewall etc. was having no effect on the IPv6 one. Once I found out that there were two firewalls I just manually copied the new rules from the v4 one, iptables, to the v6 one, ip6tables, restarted ip6tables and it works.
Only took me the best part of three days to get it working.
| IP: Logged
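The post above traces the fault to iptables and ip6tables holding separate rule sets. As an added example (not part of the thread), this Python compares the ports each rule set accepts on INPUT; the two dumps are constructed samples in iptables-save format, and the function names are hypothetical.

```python
import shlex

# Constructed iptables-save / ip6tables-save style dumps (not from the post).
V4_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
V6_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""

def accepted_ports(dump):
    """Set of (proto, dport) that filter/INPUT rules in a dump ACCEPT."""
    found, table = set(), None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        if table != "filter" or not line.startswith("-A INPUT "):
            continue
        args = shlex.split(line)
        # Map each option to the token after it; "!" negation and multiport
        # matches are not handled in this example.
        opt = {a: args[i + 1] for i, a in enumerate(args[:-1]) if a.startswith("-")}
        if opt.get("-j") == "ACCEPT" and "--dport" in opt:
            found.add((opt.get("-p", "any"), opt["--dport"]))
    return found

def drift(v4_dump, v6_dump):
    """Ports opened for one address family but not the other."""
    v4, v6 = accepted_ports(v4_dump), accepted_ports(v6_dump)
    return {"v4_only": sorted(v4 - v6), "v6_only": sorted(v6 - v4)}

if __name__ == "__main__":
    for family, ports in drift(V4_DUMP, V6_DUMP).items():
        print(family, ports)
```

On a real host the two inputs would be the output of `iptables-save` and `ip6tables-save`. Entries under `v6_only` matter as much as those under `v4_only`: they are ports reachable over IPv6 that an IPv4-only management tool never shows.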
Randy Stankey
Film God
Posts: 6539
From: Erie, Pennsylvania
Registered: Jun 99
posted 01-14-2013 09:09 AM
The way I understand, Vint Cerf, one of the guys who really did invent the internet, said that he only used 32-bit addresses as a test to see if things would actually work. They had been discussing whether to use 128-bit addressing since they started. But, when the testing was done, people just started using TCP/IP as it was and IPv4 became the standard. We have kept using it all these years just because of inertia, really.
So, basically, once we get everybody using IPv6, we've got a couple-few hundred years to go before we have to think of something else. By that time, we'll probably be up to IPv10, easy.
But, what should we call it? We can't just call it "ten." It's got to be something cool. Right? We can't use the Roman numeral, "X." Somebody already trademarked that.
Why don't we name it "IPv0A"? In hexadecimal. That way only geeks will understand it.
| IP: Logged
Marcel Birgelen
Film God
Posts: 3357
From: Maastricht, Limburg, Netherlands
Registered: Feb 2012
posted 01-14-2013 06:23 PM
quote: Stephen Furley Most of our switches are layer 3 devices, Extreme 24e3, 48si, 250e, x450a and 8810, so they do, or can, act as routers. There are also facilities to do things like block rogue router advertisements and false duplicate address detection packets, a host claiming (falsely) to be using every address which a new host proposes to use. Most newer switches, at least if their software is up to date, provide protection against such things.
I had some bad experiences with Layer 3 routing functionality on Extreme. Although, recent ExtremeWare should bring IPv6 to your more recent Extreme switches, at least the "i" switches. IP forwarding on the "e" series is done entirely in software, so fire a big load of packages at it and it dies.
Also, I had my fair share of issues with all kinds of fancy port/network protection schemes (especially on Extreme, but also on ProCurve and others). In most cases, it is better to keep your broadcast networks small and get tcpdump/wireshark out if something is really going haywire.
In my opinion it would be better to get one or two decent dedicated routers or routing switches (e.g. Cisco Catalyst 6500) and trunk your VLANs to those boxes, if possible. A decent router (or routing switch) also offers many more features regarding traffic inspection, firewalling and even traffic shaping. Still, I would prefer to do firewalling on yet another dedicated box if somehow possible.
quote: Stephen Furley Our older layer 3 switches are unaware of IPv6; you can define it as a protocol, based on Ethertype, and then enable or disable it on a per vlan basis, but that's about all. If we need to do things like create v6 tunnel endpoints on layer 3 switches then we need to use the newer models.
If you only use the Layer 2 part, just plain Ethernet is fine. The IPv6 Neighbor Discovery Protocol works fine over any standard compliant L2 switch, just like ARP, although any IPv6 enabled network can benefit from Layer 2 switches that have a *working* IGMP implementation.
| IP: Logged
All times are Central (GMT -6:00)