I've only just learned that my newish AT&T UVerse service gives me the full-on IPv6 internet. Time to futurize the home LAN!
Tasks, questions, experiments:
- For starters, check that devices all receive SLAAC IPv6 addresses. Check! Well, except for the PS3... looks like we can't turn off IPv4 on the LAN side anytime soon. Also, a lone Windows XP box may or may not comply.
- Now, can I reach http://ipv6.google.com and http://ipv6.cnn.com? Check! We're on the new internet!
- I'm not sure what gets enabled so that DNS lookups try to resolve AAAA records before A records? Presumably this is in glibc's stub resolver. This seems to be already working, according to
getent hosts google.com.
- I have some hosts that I'd like to have static IP addresses, but I guess with SLAAC, the MAC address will give all devices a pinned, routable IPv6 address. I thought briefly that setting up a DHCPv6 router would be required, but nope, looks like I'm done there.
- How to make this blog, hosted in Rackspace CloudFiles, available IPv6? Check! The big CDN's have been IPv6-implemented for a while. They have matching AAAA records, and since I CNAME to them, there's nothing more for me to do there.
- Experiment in public routability, specifically to private hosts. I fire up a Rackspace cloud server (they've been IPv6-capable for a while) and install netcat6 on both the remote and local nodes.
Now, start a local server with
nc6 -l :: -p 8999on my laptop at home and then
nc6 2602:306:37ec:5bb0:8ea9:82ff:fe10:6f68on the remote client node. Nothing. This is good, since a connection would mean that all services exposed at home were publicly available.
So, if lack of routability isn't protecting my home network, then maybe it's the firewall? The firewall interface on the AT&T router hides some things, and it's not clear that there's an implicit DROP rule.
But sure enough, enabling a "Pass" rule for packets that match "IP version of IPv6", "Protocol of TCP", "Destination Port of 8999", "Ingress Interface of WAN", "Egress Interface of LAN" results in a successful connection of the remote netcat client to the local netcat server. Victory!
- Since historically ISP's freely re-IP consumer-grade connections, how will that work with IPv6? The reassignment will require a new SLAAC moment for all home devices, but more importantly any IP that I treat as static within the LAN changes. I'll just have to document the ways this can break me and hope it happens rarely if ever.
- Challenge for another day: Can I update my private Chef instance to be IPv6-compatible? The container appears to have a proper address with no extra effort on my part, the config doesn't specify anything for IPv6.
netstatshows that "0.0.0.0:443" is listening but not "::", which may or may not be easily fixed in the chef-server.rb. Once solved, I should be a DNS record and a firewall rule away.
I see that AT&T has generously given me not just an IP, but an entire /60 network. w00t!
I feel like it's a goldmine to have 16 addresses in the global space to assign freely, but when I consider how to put this to use, I realize that I may be thinking in the old IPv4 way. If they had given me the least possible allocation, a /64, I'd still have trillions of publicly routable addresses. The 16 global unicast addresses are (it seems) in front of the firewall, but not really since I could only assign them to LAN-side devices so custom firewall rules are required.
Maybe the value of the /60 is that I could specify a DMZ-ish firewall rule that forwards packets to any address in, say, half of one /63 space but not the other /63. But couldn't I do that same thing with, say, two /67's? This new world may confuse me for a while.
Well, all that work I thought I'd have to do, and it looks like it's pretty much done for me already, at least for the things the average consumer might commonly do. Now, I just need to adopt an air of IPv6 self-righteousness as I look down and pity the non-complying world around me (Amazon, I'm looking at you).