Adventures in Tech: Dive on in, the IPv6 is lovely
Blub blub blub, no really it's great
Part 2 In the previous part I explored why you should limber up to IPv6 sooner rather than later, and now here's my experience actually walking the talk.
Importantly, mine is not a big-bang approach. I'm not trying to have everything perfect for IPv6 immediately, but rather I want to do just enough to be visible in the brave new world, safely, and tie up loose ends later as I go along.
I expect you to die, Localhost
First, I tackled an issue that'll make you bury your face in your palm: I mentioned in part one that, during development, using
localhost rather than
127.0.0.1 in my URLs when testing caused a messy Java stacktrace of doom -
localhost was expanded to IPv6 address
So after a little time isolating that issue and similar ones where I used the generic Java
InetAddress but actually assumed IPv4, and a sprinkling of unit tests to make sure that the bug should stay dead, I was done.
I spent maybe an hour or two tackling the main bug, but probably the rest of a day on some triage and holding fixes on less obvious stuff such as geo-locating users by their IP address, and even some simple frontline anti-denial of service attack code, which identifies potential troublemakers by a prefix of their IP address.
In IPv4 that network prefix is of variable length, but simply masking out the last (least significant) 8 to 10 bits does a reasonable job of pinning down individual (misbehaving) users or even companies/groups with fancy proxies that spread out their accesses across multiple outbound addresses, and without too much collateral damage.
In IPv6 the network part is fixed to be the first 64 bits (though you might still want to drop some of the tail end of that for various reasons), which makes things simpler, but still required me to expand my troublemaker lookup keys from 32-bit
Integer to 64-bit
Long. Something similar will be needed for the geo-location stuff, but no one will cry into their soup with my temporary fix just to disable it for IPv6 for now and let it continue as-is for IPv4.
What not to write! This example real code fragment will fail for IPv6 (though relatively cleanly) even though the method's signature misleadingly accepts any IP address.
Next, I went to get IPv6 working on my slightly ageing Solaris 10 box co-located with Bogons. After discussion we decided to move my host into a new address range, though I then stupidly applied the old one which caused some head-scratching for a while. Even the smartest tech can be defeated by my idiocy.
That aside all that was really needed to put up my wanted static address was to create a file:
bge0 being the name of the network interface device) and put in it the magic incantation:
addif WWWW:XXXX:YYYY:ZZZZ::2/64 up
WWWW:XXXX:YYYY:ZZZZ is my 64-bit network prefix.
Now pings in and out (eg to
ipv6.google.com) work fine. Hello, world!
This is much less messing around than IPv4 even for a static server address; in particular no default route has to be set as that is auto-discovered in IPv6.
At this point I also added a new connector definition to my Tomcat server (in
conf/server.xml) to bind to and accept the IPv6 connections as well as the existing IPv4, and brought up the new code and did some quick testing with the magic of a telnet to port 80 at the new IPv6 address.
<!-- Existing IPv4 connector. --> <Connector executor="tomcatThreadPool" port="80" address="18.104.22.168" protocol="HTTP/1.1" enableLookups="false" /> <!-- New IPv6 connector. --> <Connector executor="tomcatThreadPool" port="80" address="WWWW:XXXX:YYYY:ZZZZ::2" protocol="HTTP/1.1" enableLookups="false" />
I did find some other latent bugs when I added that, and so did another quick release. And in fact I winkled out a few more bugs in a few rapid rounds of upgrades. Users will have seen a few brief glitches, but I now had a working IPv6 and IPv4 site, though no one except me yet knew about the IPv6. Mwaha-ha-ha!
Tunnel of LOv6
I now wanted to be able to get out to IPv6 land from my own development machine to do more testing. Thanks to the Jobsian touch, and the fact that I have static publicly routable IPv4 addresses at my desk, enabling the "6 to 4" thang in Mac OS X 10.7 network settings (in the same pull-down as the VPN stuff) just worked. (Well, on the second attempt, after a bizarre boiler-plate error about a cable being disconnected, which is what I get when I try from NATted IP addresses such as when on 3G wireless.)
But after that I could ping IPv6 addresses on the Net from my machine, and look at IPv6-hosted pages such as Google's ipv6.google.com. And, most importantly, test out my own co-lo IPv6 site from my desk by using the literal IPv6 address in the form:
Also on the site is a page that shows what the browser's IP address is, and in that case it shows my Mac's (tunnelled) IPv6 address, so all is working.
Next page: What's in AAAA name?
Not to mention any BGP router and packet level firewall
where you are forced to deal with numeric IP addresses and where any form of name resolution might impose a severe penalty on performance.
Yeah, fixing a web server for IPv6 is piece of cake. Migrating several thousands IP access rules or routing tables on the other hand is quite tricky and you might never know what the future will bring us with all this auto-discovery and "scrap NAT" functionality.
Mark my words and prepare for the IPv6 ping of death.
The article is a great advert
for not implementing IPv6.
Geolocation is a daft idea in the age of mobile devices. However, the superficially similar idea of jurisdiction-location is both workable and useful. Most home users would *love* to be able to reliably and cheaply know when something has come from somewhere untouchable. It would make spam filtering vastly more accurate and browsers could use the information to determine an appropriate level of paranoia. (Anonymising proxies and VPN end-points would be legally responsible for re-publishing everything that comes through.)
And if that level of *end-user-driven* control becomes widely available, most of the "won't somebody think of the children" arguments for *central* control with blunter instruments cease to have any technical or legal merit.
Since renumbering is part of IPv6, it could even be retro-fitted.