Happy IPv6 Day, everyone! As I write this column, the 24 hour worldwide Internet Protocol, version Six preparedness experiment is still in progress, with some hours to go before the summaries, no doubt penned by industry luminaries, will start appearing. In the meantime, I have a small IPv6 anecdote of my own to share.
Like most network oriented techies, I've had IPv6 somewhere in my field of vision for some time, with a footnoted TODO list to match. I started nagging local ISPs for their IPv6 plans some years ago, and as you've probably guessed, up until very recently the answer at essentially all European ISPs has been 'non-existent'. Among European nations, most of them pretty early in the queue when the original IPv4 address allocations were made, Norway was quite fortunate, and with a total population of less than five million and enough NAT to go around we have a good enough IPv4 address to total population ratio that makes for no panic of us running out of IPv4 locally.
So this left us early adopters to seek out the next generation connectivity via tunnel providers such as Hurricane Electric or Sixxs, with the dancing turtle at the Kame Project website as the early reward for venturing into 128-bit address territory.
For the longest while, that would be pretty much it. Once you'd kept your tunnel stable for a while, you could generally have a /48 subnet for the asking. But finding any good content on IPv6 or large amounts of IPv6 traffic of any kind was not easy. At parties we'd even bitch about the famous lines in one IPv6 textbook that claimed that IPv6 routing tables were generally much smaller and more compact than their IPv4 counterparts -- of course they're smaller, there are essentially no sites, and they produce next to no traffic!
Then, famously, the time came when the last /8 range allocations of IPv4 address space were made, and the IPv4 internet was officially full (should we just start telling them to go away yet?), for some values of at least. Even if certain European organizations or nations are not in any danger of running out of IP addresses, sixteen years after the initial IPv6 RFCs entered the standards track (see RFC1883 and friends), we found ourselves in a situation where any new large-scale implementations would likely be built exclusively with IPv6 or very nearly so, and the historical backdrop for today's experiment was complete.
I expect the summaries to say mostly that modern operating systems, at least the free ones such as OpenBSD came very well prepared for the task. The two protocols are in fact not compatible, but running both will work, and for the vast majority of services, the sysadmin's worksheet looks like this:
1) Get hold of whatever number of IPv6 addresses your application requires
2) Configure your network interfaces with IPv6 addresses (some systems come preconfigured to do their own autoconfiguration)
3) Edit in the required IPv6 addresses into your services' configurations
4) Add any AAAA records required to your domains' externally-visible zones.
And you're done, at least for now. With quad-A entries in your externally-visible DNS, you will start seeing IPv6 traffic hitting your services from elsewhere, not just your own test traffic.
Your logs and other monitoring will show you how your rig behaves. Most likely it all just works, and your users won't notice anything different, except perhaps a dancing turtle (or missing ads on IPv6 for some web sites, as noted by some early IP version six day reports).
I did those things a little while back on my home network, and when the first few days did not show up anything I almost missed what could be an important event: my first spam email delivered over IPv6. I only read message headers when the message stands out somehow, and in this case it was clearly spam, so I took a peek at the headers in case I it would be worth blacklisting manually:
Received: from mo-p00-ob6.rzone.de ([2a01:238:20a:202:53f0::1]) by skapet.bsdly.net with esmtp (Exim 4.73) (envelope-from
) id 1QFOdo-0001zq-E9 for email@example.com; Thu, 28 Apr 2011 12:40:25 +0200 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; t=1303987210; l=2236144; s=domk; d=edrenat.es; h=Content-Type:Mime-Version:Subject:Reply-To:From:Date:X-RZG-CLASS-ID: X-RZG-AUTH; bh=CS67GJbTmE0wDhH/HieJqdndPSo=; b=pNIf0dK3KnFhj/7mcP8KGm70V9/XxlPa/ALQSKRh0nBgWsT0mdoUxi2unepDaMlZMPW cReoEgH/yMOF6T59Zf2X4fjrr358rU9hhxjQuV6lHwIpYoQWYwkxOqAB1iYL+SacIWspU MYMrgju1GQLZps7hIeunhV0pfto8o4JeqqM= X-RZG-AUTH: :KWgWcE6pb9/UNsdwkwZbgj6IM9/U3aYAugAbJE4rNBO+ejjApHAeOC4nD+Q= X-RZG-CLASS-ID: mo00 Received: from PACO1 (cliente-98392.iberbanda.es [126.96.36.199]) by post.strato.de (jimi mo42) (RZmta 25.17) with ESMTPA id J00252n3SABVBu ; Thu, 28 Apr 2011 12:29:29 +0200 (MEST)
The full message is preserved here with headers or as mainly message body as text if you're so inclined.
From the most recent Received: header we see that the delivery happened over IPv6, while the second tells us that the originator most likely did not have IPv6 connectivity, or at least did not see fit to use it if they did.
It's also worth noting that this message, like a surprising amount of spam in recent times, also comes with what appears to be a valid DKIM signature. So much for cryptograpic validation as an effective antispam measure.
Now of course my next step was to find out if this particular sender had tried to darken my mail spool before:
peter@skapet:~$ sudo grep firstname.lastname@example.org /var/spool/exim/logs/main.log 2010-11-07 14:21:44 1PF5Bm-0006RI-KB <= email@example.com H=mo-p00-ob.rzone.de [188.8.131.52] P=esmtp S=251712 firstname.lastname@example.org 2010-12-14 20:42:49 1PSaln-000255-PQ <= email@example.com H=mo-p00-ob.rzone.de [184.108.40.206] P=esmtp S=759434 firstname.lastname@example.org 2011-01-30 21:13:30 1PjdeA-0001Nn-If <= email@example.com H=mo-p00-ob.rzone.de [220.127.116.11] P=esmtp S=1905781 firstname.lastname@example.org 2011-02-22 21:59:05 1PrzIX-0006jv-7x <= email@example.com H=mo-p00-ob.rzone.de [18.104.22.168] P=esmtp S=1227270 firstname.lastname@example.org 2011-04-28 12:40:26 1QFOdo-0001zq-E9 <= email@example.com H=mo-p00-ob6.rzone.de [2a01:238:20a:202:53f0::1] P=esmtp S=2210478 firstname.lastname@example.org
Apparently they had, on more or less a monthly basis, so let's take a peek at the log entries for all of those messages:
peter@skapet:~$ for foo in 1PF5Bm-0006RI-KB 1PSaln-000255-PQ 1PjdeA-0001Nn-If 1PrzIX-0006jv-7x 1QFOdo-0001zq-E9; do sudo grep $foo /var/spool/exim/logs/main.log ; done 2010-11-07 14:21:43 1PF5Bm-0006RI-KB DKIM: d=edrenat.es s=domk c=relaxed/relaxed a=rsa-sha1 t=1289136101 l=251099 [verification failed - signature did not verify (headers probably modified in transit)] 2010-11-07 14:21:44 1PF5Bm-0006RI-KB <= email@example.com H=mo-p00-ob.rzone.de [22.214.171.124] P=esmtp S=251712 firstname.lastname@example.org 2010-11-07 14:21:44 1PF5Bm-0006RI-KB => peter <email@example.com> R=localuser T=local_delivery 2010-11-07 14:21:44 1PF5Bm-0006RI-KB Completed 2010-12-14 20:42:46 1PSaln-000255-PQ DKIM: d=edrenat.es s=domk c=relaxed/relaxed a=rsa-sha1 t=1292355762 l=766689 [verification succeeded] 2010-12-14 20:42:49 1PSaln-000255-PQ <= firstname.lastname@example.org H=mo-p00-ob.rzone.de [126.96.36.199] P=esmtp S=759434 email@example.com 2010-12-14 20:42:49 1PSaln-000255-PQ => peter <firstname.lastname@example.org> R=localuser T=local_delivery 2010-12-14 20:42:49 1PSaln-000255-PQ Completed 2011-01-30 21:13:26 1PjdeA-0001Nn-If DKIM: d=edrenat.es s=domk c=relaxed/relaxed a=rsa-sha1 t=1296418396 l=1927465 [verification succeeded] 2011-01-30 21:13:30 1PjdeA-0001Nn-If <= email@example.com H=mo-p00-ob.rzone.de [188.8.131.52] P=esmtp S=1905781 firstname.lastname@example.org 2011-01-30 21:13:30 1PjdeA-0001Nn-If => peter <email@example.com> R=localuser T=local_delivery 2011-01-30 21:13:30 1PjdeA-0001Nn-If Completed 2011-02-22 21:59:03 1PrzIX-0006jv-7x DKIM: d=edrenat.es s=domk c=relaxed/relaxed a=rsa-sha1 t=1298408169 l=1240300 [verification succeeded] 2011-02-22 21:59:05 1PrzIX-0006jv-7x <= firstname.lastname@example.org H=mo-p00-ob.rzone.de [184.108.40.206] P=esmtp S=1227270 email@example.com 2011-02-22 21:59:06 1PrzIX-0006jv-7x => peter <firstname.lastname@example.org> R=localuser T=local_delivery 2011-02-22 21:59:06 1PrzIX-0006jv-7x Completed 2011-04-28 12:40:21 1QFOdo-0001zq-E9 DKIM: d=edrenat.es s=domk c=relaxed/relaxed a=rsa-sha1 t=1303987210 l=2236144 [verification succeeded] 2011-04-28 12:40:26 1QFOdo-0001zq-E9 <= email@example.com H=mo-p00-ob6.rzone.de [2a01:238:20a:202:53f0::1] P=esmtp S=2210478 firstname.lastname@example.org 2011-04-28 12:40:26 1QFOdo-0001zq-E9 => peter <email@example.com> R=localuser T=local_delivery 2011-04-28 12:40:26 1QFOdo-0001zq-E9 Completed
This tells us that they've consistently sent to an address that features only on my website and has never been used as a sender or return address and has never been signed up for any mailing list of any kind. We also see that all the messages bar one pass the initial DKIM validity test.
There are several lessons to be learned here. One is that with a sensible choice of operating system and other software, the transition from classic IP version four only to a dual-stack configuration with both IP version four and IP version six running on your systems will likely be less dramatic than you have been lead to believe.
Another is that at least in some respect the world stays very much the same with IPv6 as it was with IPv4, and content is likely to cross the protocol border. Or to put it slightly differently, the same caveats about ill-intentioned traffic still apply; any security measures you had inplace before you went dual stack most likely need to be tuned to handle traffic from the brave new world of IPv6.
And of course, even if a number of implementation bugs have been found and fixed and a number of fundamental design flaws have been identified and worked around, only full scale testing like today's experiment (preferably sustained over longer periods) offer any hope of identifying and fixing the problems we haven't found yet. The looming IPv6 transition is likely to make and break careers, and some of us will have our share of both fun and nightmares while seeing to the confidentiality, integrity and general security of your data and your systems.
Good night and good luck, while we're slowly going from dots to colons.
Thanks to Sevan Janiyan for tweeting "Though the gmail website is reachable via IPv6, mail is still going via IPv4 :(" earlier today and reminding me of the incident that was the inspiration for this column.