andrew.mcmillan.net.nz
cd /var/www; more /dev/rant >>index.html
 
Hosting on IPv6: autoconfiguration of IPv6 addresses may be harmful

The availability of IPv6 worldwide is surprisingly extensive nowadays, but as it has slowly spread over the past years people have had bad experiences with it because of poor routing. It seems that, as always, a bad reputation travels about 20 times further than a good one, so the automatic response to casual problems people see when using IPv6 is to blacklist it, without actually investigating the problem.

Take today, for example. Someone said to me "I disabled IPv6 in Firefox because it was slow for one of my favourite sites". OK, so show me this favourite site. Show me the traceroute. Give me some facts!

Further investigation showed that although there is an AAAA record for www.crooksandliars.com, there is nothing listening at the other end! Looking at the AAAA record returned, we see that it is an autoconfigured (modified EUI-64) IPv6 address of the form xxxx:xxxx:xxxx:xxxx:xxxx:xxFF:FExx:xxxx, where the interface identifier is derived from the MAC address of the network card. We can conjecture that the likely problem is that someone has done a hardware upgrade on their server, so it now has a different MAC, and consequently the autoconfigured IPv6 address has changed. Other scenarios are entirely possible, of course, but this is a likely one.

This is the second case I have seen where someone was running publicly available services on IPv6 using a manual DNS record pointing at an autoconfigured IPv6 address, but I doubt it will be the last. Unless there is infrastructure in place to update your DNS automatically when your address is autoconfigured, you are going to get bitten by this problem at some point if people connect remotely to your system for some service.
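The pattern described above is easy to check for mechanically. The following script is an added example (not code from the original post): it derives the modified EUI-64 interface identifier from a MAC address (RFC 4291, Appendix A), shows that a NIC swap changes the autoconfigured address under the same /64, and flags AAAA records whose interface identifier carries the FF:FE marker. The MAC addresses, the 2001:db8::/32 documentation prefix, the hostnames and the SAMPLE_RECORDS table standing in for a resolver lookup are all constructed for the example.

```python
"""Added example, not from the original post: derive, recognise and audit
modified EUI-64 (SLAAC) IPv6 addresses.  All MACs, prefixes, hostnames and
the stand-in resolver data below are constructed; nothing is looked up."""
import ipaddress
import re
from typing import Dict, List, Optional


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A):
    split the MAC in two, insert 0xFFFE in the middle, invert the U/L bit."""
    octets = bytes(int(x, 16) for x in re.split(r"[:-]", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # flip bit 7 of the first octet (universal/local bit)
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host with this MAC autoconfigures inside an advertised /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def looks_autoconfigured(addr: str) -> bool:
    """Heuristic from the post: an interface identifier of the form
    xxxx:xxFF:FExx:xxxx is EUI-64 derived, i.e. tied to one NIC's MAC.
    Caveat: privacy (RFC 4941) or RFC 7217 stable identifiers do not carry
    the marker, and a hand-picked address could contain ff:fe by accident."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 address, or None if not EUI-64.
    Useful when auditing: it shows which physical card the record depends on."""
    if not looks_autoconfigured(addr):
        return None
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    iid[0] ^= 0x02  # undo the U/L bit inversion
    octets = iid[:3] + iid[5:]  # drop the 0xFFFE filler
    return ":".join(f"{b:02x}" for b in octets)


def audit_aaaa(hostname: str, records: Dict[str, List[str]]) -> List[str]:
    """Return the AAAA records for `hostname` that are EUI-64 derived.
    `records` is a constructed stand-in for a real resolver lookup."""
    return [a for a in records.get(hostname, []) if looks_autoconfigured(a)]


# Constructed sample data: one host published with a SLAAC address, one with
# a manually assigned address inside the same /64.
SAMPLE_RECORDS: Dict[str, List[str]] = {
    "www.example.test": ["2001:db8:1:2:20c:29ff:fe3e:5a7b"],
    "static.example.test": ["2001:db8:1:2::80"],
}


def hardware_upgrade_changes_address(prefix: str, old_mac: str, new_mac: str) -> bool:
    """Simulate the scenario in the post: same prefix, new network card."""
    return slaac_address(prefix, old_mac) != slaac_address(prefix, new_mac)


if __name__ == "__main__":
    prefix = "2001:db8:1:2::/64"
    old_mac, new_mac = "00:0c:29:3e:5a:7b", "00:50:56:a1:b2:c3"
    print("before NIC swap:", slaac_address(prefix, old_mac))
    print("after NIC swap: ", slaac_address(prefix, new_mac))
    for host in SAMPLE_RECORDS:
        flagged = audit_aaaa(host, SAMPLE_RECORDS)
        for a in flagged:
            print(f"{host}: {a} is EUI-64 derived (MAC {mac_from_eui64(a)})")
        if not flagged:
            print(f"{host}: no autoconfigured AAAA records")
```

Run it as-is to see the two addresses diverge after the simulated NIC swap; to audit real zones, replace SAMPLE_RECORDS with the AAAA answers from your resolver and treat every flagged record as one that will silently break on a hardware change.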

Here's how to fix it

sysctl -w net.ipv6.conf.all.autoconf=0

Is that a fix?

I don't think that would be a fix for the problem I'm talking about above. It seems that crooksandliars have fixed their IPv6 DNS now, so the site works fine on v6 now, as it did on v4, though they are still using an autogenerated address for the site, which I will continue to consider bad practice.

All that your command-line will do is disable IPv6 autoconfiguration, which can be very useful in many situations, such as on a LAN. Your suggestion could be useful if you are stuck behind a broken router which will silently drop AAAA queries for IPv6 addresses though.

Cheers,
Andrew.

I agree

I certainly agree, using EUI-64 addresses on Internet facing services is a bad practice!

Disabling the RA auto-configuration is prudent on server systems or routers, I'm just dropping the sysctl in there to try and help educate. :-)

What's wrong with autoconfig AAAA?

I like that I can move a server from one network to another and always know what address it will get. So what's wrong with autoconfigure? If I can enter static IPs, I can also keep track of a static IPv6 64 bit local address.

On another note, IPv6 in the USA is HORRIBLE. We've been doing IPv6 since 2001, and no upstream ISP in the US has EVER provided real IPv6: Globix, Level3, Cogent, Savvis... So when you tried visiting the site in October, chances are good that the tunnel connectivity was spotty. On the other hand, one of our servers in Rotterdam has had native IPv6 since the day it was plugged in.

We've since moved to a different tunnel service which runs through an ISP where a friend works and where they've been getting IPv6 running on everything. So far, so good, but it's obviously not perfect. I'd really rather not serve content via tunnels, but I'd rather serve through tunnels than not at all.

re: what's wrong with autoconfig aaaa

Autoconfiguration works well on a LAN, where you don't care about the names for the devices in the DNS. The problem for servers is that it is desirable to have a strong link between these things.

DHCPv6 could do some of this, potentially providing a tighter link between hardware address and DNS, but you still need to know the hardware address at the centralised administration point before you will get the right address.

Potentially you could use a dynamic DNS client of some kind to update your DNS automatically with your server's address, and I guess that the autoconfiguration will work well at that point.

Autoconfiguration is necessarily also at odds with anycast addressing, but anyone in that situation would realise that very early in the process.

The big problem is people not paying attention to IPv6. It seems to get used, but never fully in production, so when someone upgrades the server that their website is on they simply don't notice that its IPv6 address has changed.

I can certainly agree with the comparison between IPv6 in Europe and Asia vs IPv6 in USA - the traceroutes people have sent me from all over the world show a definite bias towards Europe, and the problems originally getting to your site may well have been upstream from your actual servers.

I can certainly get to it now anyway :-)
