IPv6 address for TMC

Say someone has a co-located server with a Cisco ASA5500 firewall. The server runs ESXi5 and a pretty current LAMP stack on CentOS5.

What's involved in enabling ipv6, assuming one can get ipv6 address space from the datacenter?

I'm assuming you're referring to doing this for some site other than TMC. The ASA has supported v6 for a long time, so assuming you're running a version that is not too many years old, you don't need to do much to get v6 running on it. Assign v6 addresses to the inside and outside interfaces (ipv6 address <blaa>) and a default route (ipv6 route outside ::/0 <your gateway>) and then just configure your access lists as needed. You can use any6 to mean any IPv6 address. In recent versions, any means any4 and any6.

As for CentOS, it's pretty straightforward as well. Here's a tutorial:

Red Hat / CentOS IPv6 Network Configuration

If you're doing this for a website you'll have to get the AAAA records set up to point to your v6 address and get Apache configured for v6 as well. Really shouldn't be too hard to do.

If you have a hard time actually getting v6 addresses, if you can front-end your ASA with another router (Cisco or otherwise) that can do a 6in4 tunnel, you can set up a tunnel to Hurricane Electric (tunnelbroker.net) for free and get some v6 space that way. Unfortunately, the ASA cannot do this natively.
 
I was under the impression the site is using Cloudflare, so it should be IPv6 enabled, as that's included in the service.

Oh, yes, they are indeed!

Well, in that case it's very simple: Free IPv6 security company

Yes, that's rather simple. I have a bunch of 5510s running with IPv6 routing through them.

Ask your ISP for a subnet on your WAN interface and then ask them to route a /48 or /56 to your ASA. From there you can route it again to the underlying interfaces. Rather simple.

If you need an example config, just PM me.
 
So the 5500 can route external ipv6 to internal ipv4? That would be sweet. I wouldn't have to change any of my internal configs.

Wait, I guess that wouldn't work, then what IP address (from user traffic) would my apps see?
 
ASA version 9.0 and later support NAT64. Your applications would see the inside IPv4 address of your ASA (or a pool of internal IPv4 addresses) so you'd lose some visibility into who's actually connecting to your website. That said, it can get pretty messy and you're much better off just routing v6 natively to your host, especially at such a small scale.
 
Kicking this thread again.

With more and more mobile connections being behind Carrier Grade NAT with IPv4 and native IPv6 the internet is actually getting slower.

Facebook sees 15% to 20% performance improvement over IPv6 instead of IPv4 on mobile networks. T-Mobile USA for example has IPv6 fully enabled, but Comcast and other big ISPs as well.

I think it is important that TMC adds IPv6 connectivity quickly.
 
You lose widodh...

Code:
;; QUESTION SECTION:
;teslamotorsclub.com.           IN      AAAA

;; AUTHORITY SECTION:
teslamotorsclub.com.    86334   IN      SOA     dana.ns.cloudflare.com. dns.cloudflare.com. 2020964900 10000 2400 604800 3600

;; Query time: 23 msec
 
 
It's alive!


Code:
;; QUESTION SECTION:
;www.teslamotorsclub.com.    IN    A

;; ANSWER SECTION:
www.teslamotorsclub.com. 10    IN    A    104.24.14.29
www.teslamotorsclub.com. 10    IN    A    104.24.15.29

;; AUTHORITY SECTION:
teslamotorsclub.com.    75804    IN    NS    eric.ns.cloudflare.com.
teslamotorsclub.com.    75804    IN    NS    dana.ns.cloudflare.com.

;; ADDITIONAL SECTION:
eric.ns.cloudflare.com.    43020    IN    A    173.245.59.112
dana.ns.cloudflare.com.    23368    IN    A    173.245.58.105
eric.ns.cloudflare.com.    51703    IN    AAAA    2400:cb00:2049:1::adf5:3b70
dana.ns.cloudflare.com.    36741    IN    AAAA    2400:cb00:2049:1::adf5:3a69
 

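An added example, not part of any post in this thread: the dig output quoted here, parsed offline to separate an AAAA reply that carries only an SOA in the authority section from one that carries records, and to show that the low 32 bits of the AAAA addresses reported for www.teslamotorsclub.com equal its two A records. The function names are illustrative, and the sample text is trimmed from the thread's own output (the two answer sections are joined into one string).

```python
import ipaddress
import re

# Sample input trimmed from the dig output posted in this thread.
NO_AAAA = """\
;; QUESTION SECTION:
;teslamotorsclub.com.           IN      AAAA

;; AUTHORITY SECTION:
teslamotorsclub.com.    86334   IN      SOA     dana.ns.cloudflare.com. dns.cloudflare.com. 2020964900 10000 2400 604800 3600
"""
# Answer lines from the A and AAAA replies posted in the thread, joined here.
REPLIES = """\
;; ANSWER SECTION:
www.teslamotorsclub.com. 10    IN    A    104.24.14.29
www.teslamotorsclub.com. 10    IN    A    104.24.15.29
www.teslamotorsclub.com. 300 IN AAAA 2400:cb00:2048:1::6818:f1d
www.teslamotorsclub.com. 300 IN AAAA 2400:cb00:2048:1::6818:e1d
"""

def parse_sections(text):
    """Map each dig section name to a list of (owner, ttl, type, rdata)."""
    sections, current = {}, None
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif not line.strip():
            current = None                      # a blank line ends the section
        elif current is not None and not line.startswith(";"):
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            current.append((owner, int(ttl), rtype, rdata.strip()))
    return sections

def classify(text, rtype):
    """ANSWER if rtype records came back; NEGATIVE if only an SOA did
    (NODATA or NXDOMAIN: the header status, not shown above, tells which)."""
    sections = parse_sections(text)
    if any(r[2] == rtype for r in sections.get("ANSWER", [])):
        return "ANSWER"
    has_soa = any(r[2] == "SOA" for r in sections.get("AUTHORITY", []))
    return "NEGATIVE" if has_soa else "UNKNOWN"

def answers(text, rtype):
    return sorted(r[3] for r in parse_sections(text).get("ANSWER", []) if r[2] == rtype)

def low32_as_ipv4(addr):  # IPv4 address formed by the low 32 bits of an IPv6 address
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFF))

if __name__ == "__main__":
    print(classify(NO_AAAA, "AAAA"), {a: low32_as_ipv4(a) for a in answers(REPLIES, "AAAA")})
```

The match between the A and AAAA values is an observation about these specific records only; correlating dual-stack log entries for other hosts needs the actual DNS data for those hosts.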
Working for me now, over IPv6:

$ dig AAAA www.teslamotorsclub.com

; <<>> DiG 9.8.3-P1 <<>> AAAA www.teslamotorsclub.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12724
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.teslamotorsclub.com. IN AAAA

;; ANSWER SECTION:
www.teslamotorsclub.com. 300 IN AAAA 2400:cb00:2048:1::6818:f1d
www.teslamotorsclub.com. 300 IN AAAA 2400:cb00:2048:1::6818:e1d