In the second half of last year, my mobile network operator of choice introduced IPv4/v6 dual-stack functionality and since then I've been enjoying IPv6 on my mobile device while away from home. Not that I would notice as a normal user, as all services I use can still be reached over IPv4, but as a tech-geek, you know… For me this was a bit ironic as I always assumed that I would have IPv6 on my DSL connection long before I used it on my mobile devices in the cellular network. And I could have, to be honest, but I just didn't want to update my fixed line connection at home to "all-IP" as it's a critical link and I don't change critical infrastructure just like that if not really necessary. Anyway, back in December 2015 I had to switch my DSL line to "all-IP" because my network operator politely forced me to, and apart from a number of other sweet things the new package included native IPv6 connectivity if I wanted it.
As I was traveling a lot in December I decided to keep IPv6 off for the time being and start experimenting with it once back home for more than just a couple of hours. So this week I finally got around to switching IPv6 on and just let it run for a while without any other modifications to make sure my servers are not negatively impacted. So far, things have run smoothly except for one thing I was expecting. After switching on IPv6, my devices immediately found the public IPv6 prefix and assigned public IPv6 addresses to themselves. The servers did so as well, including my Raspberry Pis, a nice side effect of having upgraded them from Raspbian based on Debian Wheezy to Raspbian based on Debian Jessie last year. That will make it a bit easier to make them reachable not only via IPv4 but also via IPv6 from the Internet later. The one thing I was actually expecting to break is that for some services I use VPN connections to overcome geo-blocking. As my external VPN service provider does not support IPv6 but happily returns IPv6 addresses to DNS queries, I had to disable IPv6 on that machine.
Speaking of inbound IPv6 to my servers, that's going to be an interesting thing to get working. So far I see two issues that have to be addressed:
- Today I run several servers behind the same IPv4 address and domain name. With IPv6 they will have different IP addresses so using the same domain name is going to be a challenge.
- My Dynamic-DNS provider does support IPv6 AAAA records but not updating IPv6 records dynamically other than over the web interface. Quite a shame in 2016…
Two fun things to figure out in 2016…
A few comments/suggestions…
For IPv6 service AAAA and PTR RRs, I either assign a static IPv6 address or typically (in a SLAAC environment) rely on the system assigning one IPv6 address based on the EUI-48 address of the interface. Many systems will assign additional (RFC 4941) addresses but the EUI-48-derived one will have a durable suffix.
If the IPv6 prefix is not durable, dynamic DNS updating is appropriate. I happen to use https://dns.he.net/ — I am sure there are others.
I was recently embarrassed to discover I had not blocked Teredo at the edge router, and found a Microsoft Windows 10 system had been routinely establishing Teredo connections at a rate corresponding to 15% of all its IPv4 and IPv6 connections, even though the network is dual-stack IPv4&6. Setting a block for outbound IPv4 UDP port 3544 traffic corrected this.
I have observed that almost all home network devices obtain RFC 4941 addresses and use them preferentially for outbound connections. I was rather surprised recently to find in the edge router logs a Shodan port scan targeting the ephemeral RFC 4941 address of a smart phone. It may be prudent to at least log if not selectively gate inbound unsolicited IPv6 traffic at your edge router. Shodan also attempts a port scan of the local RIPE Atlas probe (which has a durable IPv6 address) about once daily.
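The comment above separates the EUI-48-derived SLAAC address, whose suffix survives a prefix change, from RFC 4941 temporary addresses. As an added Python example (not part of the original post or comment), this derives that suffix, picks the matching address from an interface's list, and reports when a published AAAA record is out of date. The MAC, the 2001:db8::/32 documentation addresses and all function names are constructed for illustration.

```python
import ipaddress

LOW64 = (1 << 64) - 1

def eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) as an int."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit (EUI-48) address")
    # Flip the universal/local bit and insert ff:fe between OUI and NIC part.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")

def slaac_address(prefix, mac):
    """Address a host forms from an advertised /64 prefix and its EUI-48."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    return net[eui64_iid(mac)]

def durable_address(addresses, mac):
    """Pick the non-link-local address carrying the EUI-64 suffix, else None."""
    iid = eui64_iid(mac)
    for text in addresses:
        addr = ipaddress.IPv6Address(text.split("/")[0])
        # fe80:: shares the same suffix but must never go into a AAAA record.
        if not addr.is_link_local and int(addr) & LOW64 == iid:
            return addr
    return None  # host uses another identifier scheme or has no prefix yet

def aaaa_update_needed(published, addresses, mac):
    """Return the new AAAA target if the prefix changed, otherwise None."""
    current = durable_address(addresses, mac)
    if current is None or current == ipaddress.IPv6Address(published):
        return None
    return current

# Constructed sample: link-local, one RFC 4941 temporary, one EUI-64 address.
SAMPLE_MAC = "b8:27:eb:12:34:56"
SAMPLE_ADDRS = [
    "fe80::ba27:ebff:fe12:3456/64",
    "2001:db8:1234:5600:5c3a:91ff:2e07:b4d1/64",
    "2001:db8:1234:5600:ba27:ebff:fe12:3456/64",
]

if __name__ == "__main__":
    old_aaaa = "2001:db8:aaaa:100:ba27:ebff:fe12:3456"  # constructed old prefix
    print(aaaa_update_needed(old_aaaa, SAMPLE_ADDRS, SAMPLE_MAC))
```

The returned address is the one to send to whatever dynamic DNS update mechanism the provider offers; the temporary address is deliberately never selected.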