
IPv6 practice

Summary:


With openSUSE, everything is clear, so let's discuss the implications of IPv6.


Original article in the Selectel corporate blog.

IPv6 for cloud servers


For all virtual machines in the St. Petersburg (1) and St. Petersburg (2) pools, IPv6 support is now enabled by default when new virtual machines are installed and existing ones are reinstalled (and IPv6 is the preferred protocol for outgoing connections). IPv4, of course, remains and works. Previously we issued IPv6 addresses but did not enable them by default.

Why is this needed? Honestly, the lion's share of the Internet currently runs on IPv4. There are some islands of live IPv6 in Asia, and several major sites (such as google.com, vk.com, facebook.com) respond over IPv6. Almost all home users in Russia work only on IPv4.
More or less up-to-date information about which Russian providers have IPv6 is here: version6.ru/isp

However, the transition to IPv6 has to happen, and the more sites are ready to work with IPv6, the easier and calmer that transition will be, so this is an investment in the future.

What does the appearance of IPv6 mean from a practical point of view for a particular cloud server?



The cloud server service has an informal competition with the cloud storage service over who will have more IPv6 traffic. Until today cloud storage has been winning, but there is hope of pulling the flag over to our side.

Basically, where will IPv6 traffic go:


IPv6 in real life


There is a widespread opinion that all modern operating systems support IPv6 out of the box, that everything works and everything is simple and easy. There is an opposite opinion that everything will be buggy and beeping. As practice shows, it works out of the box and beeps. Or, on the contrary, it is buggy and everything is easy and simple. In other words, it works, but it brings a fair number of pitfalls with it; still, you can live with it.

Below are stories about some of those pitfalls.

Having a dual stack means we have to think about every place where IPv6 appears, explicitly or implicitly (for example, in outgoing connections). There are many such places: as soon as you have a dual stack, all utilities (from wget to ssh) immediately start preferring IPv6 over IPv4. Sometimes silently, sometimes silently failing. Some well-respected companies publish an AAAA record for their domain but forget to configure the web server. The result is an incident.

PostgreSQL and IPv6


PostgreSQL has always been known for an excellent set of data types, from geometric objects to money. IP addresses are included too. There are two types: inet and cidr. Both store an IP address and a mask in a dedicated format. The difference is that inet stores a host address (nonzero bits are allowed in the part not covered by the mask), while cidr stores networks (nonzero host bits outside the mask are not valid). In essence they are the same thing, but if you try to write a host address into a cidr, you get an error because the condition is not met.

The same type is used for IPv4 and IPv6. The size is determined automatically.

Valid operations: addition of a scalar, subtraction of a scalar, any kind of comparison, in, not in, range overlap, equality, and so on. For IPv4 this was enough to implement anything you wanted. For example, when handing out IPv4 addresses, we simply take max_ipv4, add 1, and then check whether the result falls within the range allowed for allocation.

With IPv6 the situation is different. Addresses are allocated as /64, and routed networks as /48. To get the next /48 you take the last allocated one and compute max_ipv6 + 1208925819614629174706176 (2^(128-48) = 2^80). All well and good, but bigint in Postgres is only a 64-bit number, which cannot hold even 2^64, let alone 2^80. In other words, attempting such a "plus" causes an error because the scalar being added is too large. The upshot: in Postgres the mechanism for managing IPv6 networks is completely broken. Our temporary solution is an implementation of inet/cidr in persist (a Haskell library for working with the DBMS) with the arithmetic done on our own side. The problem has been reported upstream; there is no fix (as of 9.2).
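The "own arithmetic" approach described above, as an added Python sketch (not the article's Haskell code and not part of the original post). The function name, the pool and the 2001:db8::/32 documentation addresses are assumptions chosen for illustration.

```python
import ipaddress

INT64_MAX = 2**63 - 1        # largest value a PostgreSQL bigint can hold
STEP_48 = 2 ** (128 - 48)    # distance between two consecutive /48 networks


def next_network(last_allocated: str, pool: str) -> ipaddress.IPv6Network:
    """Return the network that follows last_allocated inside pool.

    Both arguments are parsed strictly (cidr semantics): host bits set
    outside the mask raise ValueError, as they would for a cidr value.
    """
    last = ipaddress.IPv6Network(last_allocated, strict=True)
    parent = ipaddress.IPv6Network(pool, strict=True)
    if not last.subnet_of(parent):
        raise ValueError(f"{last} is not inside {parent}")
    # Python integers are arbitrary precision, so adding 2^80 cannot overflow.
    step = 2 ** (128 - last.prefixlen)
    candidate = int(last.network_address) + step
    # Range check: the new network must still start inside the pool.
    if candidate > int(parent.broadcast_address):
        raise OverflowError(f"pool {parent} is exhausted")
    return ipaddress.IPv6Network((candidate, last.prefixlen))


if __name__ == "__main__":
    # Constructed sample values from the documentation prefix.
    print(STEP_48, STEP_48 > INT64_MAX)
    print(next_network("2001:db8:7::/48", "2001:db8::/32"))
```

The same function steps through /64 allocations, because the step is derived from the prefix length of the last allocated network.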

Multiple IPv6 on interface, DAD and nginx


The only way to assign multiple IPv6 addresses to an interface is to use the post and pre sections with ifconfig. The address does appear on the interface, but not immediately, because DAD (Duplicate Address Detection) kicks in. In its simplest form, the computer asks "who has my address?" and waits for an answer. This protocol prevents duplicate addresses; however, ifconfig finishes configuring the interface before the DAD wait is over.

As a result, if nginx (or any other server) is configured to listen on that specific address rather than on an asterisk, the server gets an error when it tries to listen, and does not listen. This is a pure race condition that shows up only while the server is booting (in other cases DAD has time to finish before the service is started or restarted). Debugging this problem was very, very unpleasant.
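One way to detect this race before starting a service, as an added Python sketch that is not part of the original post: on Linux, /proc/net/if_inet6 lists each address with its flags, and the kernel's IFA_F_TENTATIVE (0x40) and IFA_F_DADFAILED (0x08) bits show whether DAD is still running or has failed. The helper names and the sample table are constructed for illustration.

```python
import ipaddress

IFA_F_DADFAILED = 0x08   # DAD found a duplicate; the address is unusable
IFA_F_TENTATIVE = 0x40   # DAD still running; bind() to the address fails
IFA_F_PERMANENT = 0x80   # statically configured address


def if_inet6_line(address, flags, ifindex=2, dev="eth0"):
    """Build one constructed /proc/net/if_inet6 line (sample data only)."""
    raw = f"{int(ipaddress.IPv6Address(address)):032x}"
    # Fields: address, ifindex, prefix length, scope, flags, device (hex).
    return f"{raw} {ifindex:02x} 40 00 {flags:02x} {dev:>8}"


# Constructed sample: one usable, one tentative, one failed address.
SAMPLE_IF_INET6 = "\n".join([
    if_inet6_line("2001:db8::10", IFA_F_PERMANENT),
    if_inet6_line("2001:db8::11", IFA_F_PERMANENT | IFA_F_TENTATIVE),
    if_inet6_line("2001:db8::12",
                  IFA_F_PERMANENT | IFA_F_TENTATIVE | IFA_F_DADFAILED),
])


def dad_state(table: str, address: str) -> str:
    """Return 'ready', 'tentative', 'dadfailed' or 'absent' for address."""
    wanted = ipaddress.IPv6Address(address)
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines
        if ipaddress.IPv6Address(int(fields[0], 16)) != wanted:
            continue
        flags = int(fields[4], 16)
        if flags & IFA_F_DADFAILED:
            return "dadfailed"
        if flags & IFA_F_TENTATIVE:
            return "tentative"
        return "ready"
    return "absent"


def safe_to_bind(table: str, addresses) -> bool:
    """True only when every listen address has finished DAD successfully."""
    return all(dad_state(table, a) == "ready" for a in addresses)
```

On a live host, pass the contents of /proc/net/if_inet6 as `table` and poll until `safe_to_bind` returns True before starting the server.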

Dots in an IPv6 address


Don't believe it? Think there are only colons?
::192.168.1.1 is a valid IPv6 address, although it is not used on the Internet.

So, congratulations to everyone who hoped that regexps for IPv6 addresses in interfaces would be simple...
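An added Python illustration of the point above (not part of the original post): a colon-and-hex pattern rejects the dotted form, while a real parser accepts it and shows that it is just another spelling of the same 128-bit value. The regex and helper names are constructed for the example.

```python
import ipaddress
import re

# A colon-and-hex-only pattern of the kind the text warns about (constructed).
NAIVE_IPV6_RE = re.compile(r"^[0-9A-Fa-f:]+$")


def parse_ipv6(text: str):
    """Return an IPv6Address, or None if text is not a valid IPv6 address."""
    try:
        return ipaddress.IPv6Address(text)
    except ValueError:
        return None


def same_address(a: str, b: str) -> bool:
    """Compare two spellings by parsed value, never as strings."""
    pa, pb = parse_ipv6(a), parse_ipv6(b)
    return pa is not None and pa == pb


def embedded_ipv4(addr: ipaddress.IPv6Address):
    """Return the IPv4 address carried in the low 32 bits, if any.

    Covers the ::a.b.c.d and ::ffff:a.b.c.d forms; :: and ::1 are
    excluded because they are the unspecified and loopback addresses.
    """
    value = int(addr)
    if (value >> 32) in (0, 0xFFFF) and value > 1:
        return ipaddress.IPv4Address(value & 0xFFFFFFFF)
    return None


if __name__ == "__main__":
    dotted = "::192.168.1.1"
    print(bool(NAIVE_IPV6_RE.match(dotted)))     # regex says "not IPv6"
    print(parse_ipv6(dotted))                    # parser: ::c0a8:101
    print(same_address(dotted, "0:0:0:0:0:0:c0a8:0101"))
    print(embedded_ipv4(parse_ipv6(dotted)))     # 192.168.1.1
```

Any allow-list or deny-list of addresses should be checked against the parsed value, since one address has many textual spellings.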

Router advertisements && forwarding


Linux, once it is told that it is a router, stops trusting router advertisements (RA). In particular, if a node receives its routes only from RA, then after forwarding is switched on it stops trusting RAs (that is, the IPv6 network stops working). If you want to have both RA and forwarding, accept_ra should be set to 2 (net.ipv6.conf.eth0.accept_ra = 2). If an advertisement service (radvd) is running, you should carefully distinguish whose advertisements you trust and whose you do not. Trusting your own advertisements is ridiculous and does not work.

Source: https://habr.com/ru/post/183176/

