Forgot your password?
typodupeerror
The Internet Networking Upgrades IT

World IPv6 Launch Day Underway 236

Posted by Unknown Lamer
from the it's-finally-1999 dept.
A number of readers have written in with stories related to today's permanent rollout of IPv6 by several major organizations. From the looks of it, for the 1% or so of end users with IPv6 support, everything is going smoothly. For those not so lucky to have IPv6 already, an anonymous reader writes with (mostly) good news: 60% of ISPs intend to enable IPv6 by the end of 2012. For business users, darthcamaro provides some words of caution: "...the Chief Security Officer of VeriSign doesn't think IPv6 should be turned on by a whole lot of people. The problem is network security devices in many cases don't scan IPv6. So if you turn IPv6 on, you're screwed. 'If you don't have that visibility into IPv6, you should probably consider explicitly disabling IPv6 on your systems until you can take a very concerted approach to enabling IPv6 in a secure manner,' McPherson said."
This discussion has been archived. No new comments can be posted.

World IPv6 Launch Day Underway

Comments Filter:
  • Verisign != Verisign (Score:5, Informative)

    by tepples (727027) <tepples@gmaiBLUEl.com minus berry> on Wednesday June 06, 2012 @11:59AM (#40233479) Homepage Journal
    This is Verisign the operator of the .com and .net registry, not the other Verisign the certificate racket. The CA business was sold to Symantec in August of 2010. So don't mix this up with the recent news about the $99 fee to get your signed with the UEFI key that will be preloaded on every Windows 8-certified PC motherboard; that's all VeriNorton.
  • slashdot? (Score:5, Insightful)

    by pe1rxq (141710) on Wednesday June 06, 2012 @12:00PM (#40233497) Homepage Journal

    So when is slashdot going to leave the dark ages?

  • I am the 1% (Score:5, Funny)

    by Galestar (1473827) on Wednesday June 06, 2012 @12:01PM (#40233527)
    With IPv6 support
    • Re: (Score:2, Informative)

      by pe1rxq (141710)

      No you are not... at most you are the 0.5% with IPv6, I have it to!

    • by Creepy (93888)

      My internal network supports IPv6 (at least the machines routed through the switch, since the 4 ethernets in the router is 8 too few for my network), but I have to wait for CenturyLink to replace the old Qwest PPPoE infrastructure to support it on my web server outside the router. I'm not holding my breath. Yeah, I could switch providers, but I live in one of the unmotivated Comcast-CenturyLink areas that is formerly Qwest where lack of competition results in no motivation to upgrade services. This is commo

  • by alen (225700)

    other than having every single device have a unique public IP that is a wet dream for google and other marketers?

    • by pe1rxq (141710) on Wednesday June 06, 2012 @12:11PM (#40233673) Homepage Journal

      Peer to peer (the way connections were intended) actually works without strange workarounds.

      • Wont this cause more traffic for ISPs, or will it make transfer more efficient for their network? The answer will have huge implications for adoption.

        As someone that knows very little of IPv6 (I don't work with) other than the basic concept, someone please enlighten me.

        • Ignoring implementation details like whether their existing switches can handle IPv6 traffic as efficiently as IPv4, the change should be a net positive in terms of ISP infrastructure. ISPs which already hand out public IPv4 addresses will just do the same with IPv6. Their routing tables may get a bit simpler due to IPv6's mostly-hierarchical address structure. ISPs which currently use NAT will be able to skip it for IPv6 traffic, reducing CPU load and the management overhead of mapping private IPs onto a l

    • by gman003 (1693318) on Wednesday June 06, 2012 @12:13PM (#40233715)

      Well, no more fiddling with port forwarding to make game servers, video chat or anything else work. No more dealing with public/private IPs, or the whole NAT shitpile.

      Oh, and it also makes mandatory certain things like IPsec, and should speed up packet processing by eliminating fragment reassembly (which was also, historically, a common source for security exploits).

      Oh, and while every IP belongs to only one device, there's nothing saying every device should have only one IP. You could easily assign more addresses to a single IPv6 host than the entire IPv4 internet *has*. So anyone trying to track visitors based off IPv6 address will be easily fooled by anyone who tries.

      • by gstoddart (321705) on Wednesday June 06, 2012 @12:24PM (#40233855) Homepage

        No more dealing with public/private IPs, or the whole NAT shitpile.

        And yet I predict internally companies will still use public/private IPs (10.x.x.x anyone?) and use NAT. My internal private network will continue to use a NAT'ed firewall.

        I predict this will mostly affect stuff outside of the firewall, not inside. Most companies will probably keep their internal network on IPv4. There's no way they're going to want all of their machines with an internet addressable location.

        Oh, and while every IP belongs to only one device, there's nothing saying every device should have only one IP. You could easily assign more addresses to a single IPv6 host than the entire IPv4 internet *has*.

        Which just sounds like more admin work that people won't want to do.

        I think IPv6 does bring some usefulness, but I just don't foresee everybody changing how their internal networks operate. And I can also see a huge amount of consumer type stuff taking years before it has transitioned. IPv4 isn't going to go away overnight.

        • by DarkOx (621550) on Wednesday June 06, 2012 @12:33PM (#40233977) Journal

          I predict this will mostly affect stuff outside of the firewall, not inside. Most companies will probably keep their internal network on IPv4. There's no way they're going to want all of their machines with an internet addressable location.

          Addressable and reachable are two different things. I'd love to lose all the NATs around here.

          One globally unique identifier will be handy even though I would never dream of letting most machines ingress or egress traffic to the internet without passing through some hardened application layer proxy.

          Honestly it will make the firewalling and routing much more strait forward, easier to quickly understand the impact of changes on and therefore far more secure.

          • by gstoddart (321705)

            One globally unique identifier will be handy even though I would never dream of letting most machines ingress or egress traffic to the internet without passing through some hardened application layer proxy.

            To me it seems more like you'd be leaking information out by letting that address be visible to the outside world.

            If they don't have any information about your internal stuff, they can't try to figure out how to exploit it.

            I can definitely see a lot of organizations deciding to see how this works out for

            • Look up IPv6 privacy extensions.

              Also, realize that corporate environments are probably going to push you through an HTTP proxy server...which will then appear to be the origination point for traffic. Your workstations don't need to be exposed.

            • by DarkOx (621550) on Wednesday June 06, 2012 @01:03PM (#40234371) Journal

              You are not leaking much information of any real use.

              Your routing tables beneath your gateways won't be visible to anyone outside. So they won't learn anything about your network topology.

              If as I suggested you proxy everything, something you should do in a secure environment because you need to know everything that is going in and out, they won't see the address anyway! So they won't know you are using public IPs or not.

              Even if you do leak that your internal addressing scheme is to use the public IPs without knowing the topology, and your company having at least a /48 it tells them exactly nothing about how to locate hosts. Think about it a /48 is still many orders of magnitude larger that then the entire RFC1918 space today. Its to big to SYN scan if they have pwnd your gateway, and they can assume you are using RFC1918 address currently not to big to SYN scan.

              So even if you don't NAT they still now LESS about your network then they do on ipv4.

          • Look up ULA addresses. You're going to love them.

          • by tlhIngan (30335) <slashdot AT worf DOT net> on Wednesday June 06, 2012 @01:23PM (#40234657)

            Addressable and reachable are two different things. I'd love to lose all the NATs around here.

            One globally unique identifier will be handy even though I would never dream of letting most machines ingress or egress traffic to the internet without passing through some hardened application layer proxy.

            In other words, you're swapping out one box (the NAT) for another (the ALG - application layer gateway, which existed far longer than NAT).

            It's still something to admin, and something that'll be a PITA to configure for gaming and what not, at which point people will just say "what does it get me?"

            Hell, assuming most people will have their IPv6 machines firewalled off (they'd go to Best Buy and pick off a Linksys "firewall router" for IPv6 to prevent their PCs from getting hacked) and they'd still be poking holes in it to run some game or other, the normal user would definitely start wondering why they bothered spending another $50 on a new router when their old one worked just fine.

            And marketers would love the trackability down to the PC level - sure there's the privacy IP thing, but it's defeated if there's a long-running IP connection still established (unless IPv6 has the ability to inform remote hosts that your IP was changing... which has some very interesting implications). Even so, it's usually a day's worth of tracking and a cookie can be used to bridge between days.

            Sure malware has a more difficult time scanning a larger range, but htat just means scanning won't be an option. Not that it ever will be purely because firewalls or other things will prevent it from being useful in the first place. Instead they'll just adapt and figure out how to detect new IPs on a local LAN segment and proceed that way (or given the Windows majority, they'll use standard Windows browser techniques to discover).

            Between UPnP, ZeroConf (Bonjour) and other methods of discovery, malware will cope just fine.

            • by Bengie (1121981)
              Once your local network is compromised, it all goes to hell in a hurry.

              Everything you point out as "bad" about IPv6 is the same or worse for NAT.
            • by DarkOx (621550)

              In other words, you're swapping out one box (the NAT) for another (the ALG - application layer gateway, which existed far longer than NAT).

              No not really in a corporate environment you NEED to be doing application level gateway with our without NATing. Egress is just as dangerous and ingress. So you are going from FW NAT ALG ALG And marketers would love the trackability down to the PC level

              As I have explained before I don't see this giving marketers more or less capability than they had before. They are going to pretty much just assume that each /64 subnet is one person or family just like they assume that each address is today. Might

        • by unixisc (2429386)

          The first part - there will still be a need for private addresses, not for NAT, but for people who need to communicate within LANs, not the entire Internet. They'll do fine w/ link-local addresses, or as you say, be dual-stacked - be IPv4 in the inside, and IPv6 on the outside.

          The multiple IP thing doesn't have to imply admin work. While people can set up DHCP6 configurations to assign certain addresses to certain computers, vary them and so on, what it means is that when a device is on a foreign networ

          • by gstoddart (321705)

            It's not that straightforward when it's going from behind one NAT network to another, b'cos there exists the possibility of it running into an address collision w/ say, another 192.168.0.23

            I definitely agree with that.

            Years ago at another job someone needed more network drops in his office than were physically available. So, he bought himself a little firewall/router to use, and it defaulted to the 192.168 block.

            Apparently he caused a collision with one of the really important servers and caused an outage

            • by hjf (703092)

              policies. LOL. 802.1x is what you need.

              • by gstoddart (321705)

                policies. LOL. 802.1x is what you need.

                Which is fine and lovely if your IT department is willing to implement it.

                At the time when the guy was asking for this the response from IT was "we don't care, you have two network drops, that's all you get". So he said the hell with them and got himself the router. They eventually had to resolve his issue because he had about 6 computers in his office.

                In many places, IT is still operating like they did in the 90's -- with users needing to beg for scraps because the

            • by Ichijo (607641)

              Why did he use a router? A hub should have sufficed.

          • ULA addresses are good for having 'private' address ranges. Don't rely on link-local. As sexy as it sounds, a lot of tools (especially browsers) don't handle them well; they get hung up on the concept that an IP address may be valid only when combined with an interface.

        • People won't necessarily switch over to IPv6 for their internal networks right away, since it can be a pain to reconfigure your network. However, there's not really much reason to continue using NAT if there's enough IP addresses to go around.
          • by unixisc (2429386)

            People whose computers are Windows 7, rather than XP, will find that IPv6 is the default for internal networks, unless they choose to disable it for IPv4. And if they have a bunch of toys, all of which recognize IPv6, then some link local addresses will do just fine.

            NAT just segments a network, and forces a handover of packets before a destination has been reached. It's true that all devices don't need to be on the internet, just being in their LANs will do. In which case, giving them a link local addr

        • by asdf7890 (1518587) on Wednesday June 06, 2012 @01:30PM (#40234771)

          Most companies will probably keep their internal network on IPv4.

          Which is fine. My IPv6 hosts don't need to care. Of course they'll eventually need to ensure that they have a reliable v4-to-v6 bridge setup either locally or at their ISP, but that will most likely be easier to setup than changing their whole network to IPv6 would be.

          There's no way they're going to want all of their machines with an internet addressable location.

          They won't any more than they do now. Public facing routers/firewalls will simply be set not to pass through any incoming connections unless otherwise instructed, just like IPv4 routers do. NAT is a read herring here - before NAT was common things worked fine much the same way as they will work under IPv6 (just with a much smaller address space) in that regard. Most big corporate networks control outgoing connections too (which an IPv4+NAT-only setup generally won't by default) so the one incoming default "block" rule is not going to be a significant amount of extra admin.

          I think IPv6 does bring some usefulness, but I just don't foresee everybody changing how their internal networks operate.

          Certainly some will, though not all that many in the near future. I suspect it will quickly become normal for new networks to be IPv6, and IPv4 will vanish that way rather than due to mass conversions.

          It may not be the case here or where you are but it is already getting to the point in some parts of the world that people will have to be IPv6 all the way as their ISPs have too few IPv4 addresses to hand out to the connecting modems. Said ISPs use some form v6-to-v4 bridging so that IP4v-only servers will be contactable, but while your website will be fine not all protocols will work well through this arrangement. I don't know how common it is, but I know people who have been in Hotels out east where the provided network connections are IPv6 only (presumably with some 6-to-4 system in place so v4 only hosts can be contacted). IPv4 may not die any time soon, but that doesn't mean IPv6 use won't grow rapidly.

          The big win I see is for mobile devices like phones - it will make the job of large network providers for those devices easier.

          And I can also see a huge amount of consumer type stuff taking years before it has transitioned.

          Which is rather unfortunate as these devices are where one of the key IPv4 problems exist (Including phones as mentioned above).

          IPv4 isn't going to go away overnight.

          No, but IPv6 might grow very rapidly so you can't avoid interacting with it for long even if you stick with IPv4 internally.

      • by DarkOx (621550) on Wednesday June 06, 2012 @12:27PM (#40233889) Journal

        Oh, and while every IP belongs to only one device, there's nothing saying every device should have only one IP.

        You and the grand parent are missing the obvious outcome.

        For the most part home users are going to end up with /64s some ISPs might be generous and hand out something bigger but I suspect most will decide not do so in the end.

        Does that mean you can put 1,50,100,1000,10000 addresses on device sure, but the network portion the addresses will be the same. That network address is going to uniquely identify your household just like your full ipv4 address does today. Marketers will just assume that each /64 subnet is unique to a user or house hold. Just like the assume on ipv4address is an entire house hold behind NAT.

        It changes little to nothing with regard to track ability.

        • by unixisc (2429386)

          Except that when one has to track, one would have to either target the complete 8 word IPv6 address, or take the 4 word address and do a scan. If they tried doing a multicast to every node on the network (since broadcasts are no longer there on IPv6), their own system would grind to a standstill. And if they tried scanning the entire subnet of 2^64, it'd take them forever.

          Also, that would be quite an assumption on their part. While households that have multiple devices may want an IPv6 link, those that

          • by DarkOx (621550)

            They don't need to 'scan' anything to track you for marketing purposes they just log where the requests are coming from. When they process their logs they simply only look first 64bits of any ipv6 address, and then enhance reliability the correlation that its the person/device using the same tricks they use now, also including the user agent string, cookies, referrers, date times, etc.

            • by unixisc (2429386)

              You are assuming that the source addresses are permanent. However, privacy extensions to autoconfigured addresses makes them temporary addresses, so even if they log them, it's of now use. And if they just take the first 8 words of the address, either they have to know what the new address is, or they have to do a 'broadcast' (actually a multicast to all nodes in that network) or do a scan.

              If they do a multicast to all nodes in an IPv6 subnet, they'll just be drowned in unreachability error messages whi

              • by DarkOx (621550) on Wednesday June 06, 2012 @02:41PM (#40235677) Journal

                I think we are talking about different things. I am trying to get at marking droids attempting to answer questions like,

                How many unique visits to our website did we get?
                How many people who visitied our flagship site ultrap0rn.com also visited our FaceSpace page?
                How many days a week did Jon Doe surf ultrap0rn.com?
                Did John Zoogle ultraDildos after visiting ultrap0rn.com

                I don't think in practice ipv6 is going to make this significantly easier or harder for them to do, or have much impact on the quality of their data; for the reasons I have mention.

              • You have to have multicast routing set up between you and the networks you want multicast to go to...and the clients have to 'subscribe' to your multicast group. They won't hear anything from you until they tell their local multicast router they want to talk to you.

                So, yeah, multicast doesn't generally work unless you're on the same subnet. That said, here's a fun one to run under Linux:
                ping6 -c2 ff02::1%eth0

                Any hosts configured to respond to ICMP6 echo requests will send a reply. I once counted several hun

              • by Bengie (1121981)
                He's saying that companies will just track the first 64bits. Privacy extensions and autoconfig only change the last 64bits. Since the destination network doesn't change, one can safely assume it's the same end-user. No different than tracking an IPv4 address with a NAT. You may not know which exact computer/person, but you can tell it's the same network.
        • Tracking ability is going to be driven more by browser request headers than by IP address, anyway.

          I expect ISPs will get beyond /64s within a year or two. Being stuck with only a single /64 is BS; I have my home wired and wireless networks on different subnets for pretty simple (but entirely valid) reasons:

          • Broadcast and multicast traffic on a gigabit link doesn't risk flooding the far-slower wireless link
          • It makes it trivially easy to partition off wireless clients from wired clients, reducing the vulnerabi
          • Tracking ability is going to be driven more by browser request headers than by IP address, anyway.

            I expect ISPs will get beyond /64s within a year or two. Being stuck with only a single /64 is BS; I have my home wired and wireless networks on different subnets for pretty simple (but entirely valid) reasons:

            • Broadcast and multicast traffic on a gigabit link doesn't risk flooding the far-slower wireless link
            • It makes it trivially easy to partition off wireless clients from wired clients, reducing the vulnerability my wireless network gives me. I'll be able to do even better once I split off to two SSIDs, one for guests and one for trusted users; guests wouldn't get access to any of the rest of the network.

            This I agree w/, and I think that ISPs could probably have a 3 tiered choice to offer customers:

            • /128 service, where a home has only one computer, or only a need for a single computer to be publicly connected
            • /64 service, where the connection goes into a single router, and all the devices in that household are connected to that network
            • /60 service, where a customer gets 16 subnets, and can use different ones for things like wired vs wireless, multiple SSIDs, or low bandwidth vs high bandwidth connections

            On

          • You do realize you can cut up the /64 into several smaller subnets, right?

      • by Chemisor (97276)

        > no more fiddling with port forwarding

        Uh, no. By default all your internal addresses will be blocked by the firewall on your router, so you will still have to enable them manually. Even though NAT will no longer be necessary, nobody should be leaving access opened by default. Security is done in layers. Blocking all external access to hosts that do not need to be accessed is one such obvious layer.

    • by Dagger2 (1177377)

      Privacy addresses?

      I mentioned them to you when you last posted that [slashdot.org]. Do you not read the replies to your own posts?

    • Well, you won't need to pay ridiculous fees in order to get a static IP address.

      Just to give one example, right now, if I want to be able to SSH directly into the computers on my network from the Internet, it's a pain. I have to pay $100/month extra to upgrade to my ISP's business account to get even 1 static IP address, and getting multiple can be expensive/difficult. I can use a dynamic DNS service instead, which depending on the service might be expensive or unreliable-- just another thing that can go

      • by unixisc (2429386)

        The beauty of this whole thing is that if you have a /64 and DHCP6, you can configure it to give yourself a whole bunch of static IPs for each of your servers. Furthermore, you could define a pool range that would be dynamic addresses used by all the computers in your network - including visiting family members. If you have multiple virtual web hosts, each one can have its own IP address - no need to share anymore. Same for if you have a mail server, an ftp server or any other server.

        Also, since NAT is

    • I'll point out the major reason, we have kinda run out of IPv4 addresses. Not fun when you sign up for new link from your ISP and the response is "Here's your link but we have no ips for you to use it with".

      Reason enough? All the other stuff are (useful) side-effects.

      As to the security implications, thats the job of a firewall, of which NAT is just a dumb (although statefull) version of.

  • by Bookwyrm (3535) on Wednesday June 06, 2012 @12:07PM (#40233621)

    Did folks ever get IPv6 multi-homed routing straightened out?

    It always felt like conflicting goals at work -- on one hand, people wanted to simplify and shrink the size of the backbone routing tables, but on the other, a purely hierarchical routing space removes redundancy. That is, a tree graph has the property that there is only *one* path between any two nodes, which means a purely hierarchical routing arrangement would mean that the idea of 'routing around censorship' would go into the waste bin because there are no alternative routes possible. (Note that I am differentiating this from redundant *physical* links -- this is a matter of administrative links. If there is no multi-homing and the upstream provider is blocking/filtering/limiting traffic, there is no network route around it, physical redundancy not withstanding.)

    So any current best practices for IPv6 multihoming for small ISPs/businesses?

    • by Fez (468752) *

      The purists hate NAT, but for SOHO, NPt can help with that.

      http://doc.pfsense.org/index.php/Multi-WAN_for_IPv6 [pfsense.org]

    • Set up an application-layer proxy on a host with both addresses, same as you would with IPv4.

      So, set up a machine running Squid, where that machine has IPs from both your upstream ISPs. All your internal clients can use that Squid proxy to get out. SIP? No problem; use a SIP proxy.

      Since you're pushing the 'logical, not physical' link angle, you can go one step further and set up a tunnel to another endpoint on the Internet, and use that as another possible route. (i.e. I have IPv6 access because I use a pro

    • by bbn (172659)

      There are three options:

      1) Order internet from two different ISPs. Get a router from each. Connect both routers to your internal network. Done.

      Yes for most people and small business nothing more is required. What will happen is that every computer will get two IP-addresses, one from each ISP. As part of IPv6 every computer monitors the routers and automatically chooses one that is responsive. If you unplug a router every computer will start using the other with a failover time of maximum 30 seconds.

      This opt

      • by Fez (468752) *

        1) Is out for people who want automated failover
        2) Is prohibitively expensive for most
        3) Is interesting, but still early
        4) Works fine, now, and provides functional multi-homing. Why discard it? NPt isn't pure evil. It's not ideal, but it gets the job done without requiring all of that extra setup or dynamic routing protocols on top.

  • REally.... (Score:4, Informative)

    by Lumpy (12016) on Wednesday June 06, 2012 @12:10PM (#40233659) Homepage

    "The problem is network security devices in many cases don't scan IPv6. So if you turn IPv6 on, you're screwed."

    Funny, The ones here do. In fact the last firebox update said it covered ipV6.

    What out of date garbage are people running out there that will not scan ipV6?

    • by gman003 (1693318)

      What out of date garbage are people running out there that will not scan ipV6?

      Norton '95.

  • by Shoten (260439) on Wednesday June 06, 2012 @12:17PM (#40233769)

    For example, when I look at Comcast's site [comcast6.net], I see "When Comcast decided to participate in World IPv6 Launch, we committed to enabling at least 1% of our customers with IPv6 by June 6, 2012." So, how does that figure into the 60%? If there are 50 ISPs in the world, but Comcast has 5% of the subscriber base, is that 2% out of the 60%? Or is it 5% Or is it .002%? I'm curious how this 60% number was calculated.

    • by nxtw (866177)

      I think ipv6 is available across much (maybe most or all) of the Comcast network, but will only be usable with compatible clients with ipv6 DHCP support (and specifically DHCP6-PD for routers.) Most consumer routers that are currently deployed don't support IPv6 and some older ones that do might not work properly with prefix delegation. They may only enable it for modems that they have certified for IPv6.

      • by slamb (119285) *

        I think ipv6 is available across much (maybe most or all) of the Comcast network, but will only be usable with compatible clients with ipv6 DHCP support (and specifically DHCP6-PD for routers.)

        More or less. The Comcast blog [comcast.com] says "To meet this goal, we launched and enabled IPv6 in over one-third of our broadband network ... we observe roughly 5% of users can take advantage of this. That percentage can increase dramatically if vendors act to enable IPv6 by default in software updates for existing devices an

  • ...that are going to enable IPv6 for all customers by the end of 2012? Does it include CenturyTel?

  • I've been using IPv6 via he.net tunnels on pfSense 2.1 for over a year now, and it's working great.

    Really happy to see my Netflix streaming going over IPv6 this morning, too.

    • I'm glad to see you mention that. While under the FreeBSDs, Monowall has supported BSDs for a while, the same hadn't been true about pFSense. I wanted to know whether pFSense 2.1 supports IPv6 or not. Checking out their site [pfsense.org], it stated

      Today is World IPv6 Launch day, when many major websites have permanently added AAAA records to make their sites accessible via IPv6. All our sites have been IPv6-enabled (on native connectivity thanks to bluegrass.net) since last year, running behind pfSense 2.1. Many others are using the current snapshots in production networks.

      We’d hoped to have 2.1 released in time for today, but getting to the point we consider full IPv6 support has taken far more work than anticipated. As has become the norm for us over the last several years, we do much more than put a GUI on things, having to implement and/or fix things in the underlying software to meet the needs of our users. There was far more to implement and fix in the underlying software than we anticipated. We have the last major piece addressed this week with CARP IPv6 support now functional. We’re just validating things at this point and fixing some last issues, with the official release coming roughly in the next 1-2 months.

      IPv6 isn’t yet a critical need for most every network, but it will be getting to that point quickly. I know many IT professionals have been ignoring it, but it’s time to get up to speed for those who haven’t yet. I encourage everyone to at least start experimenting with it at home if you haven’t yet. For the bulk of us who don’t have an option for native IPv6 at home, our Using IPv6 on 2.1 with a Tunnel Broker document will get you going.

      Incidentally, which version of FreeBSD does pFSense 2.1 correspond to?

      • by Fez (468752) *

        [Disclaimer, I am a pfSense developer, employee, and book author so I'm a bit biased] :-)

        pfSense is based on FreeBSD 8.3 with quite a few things patched in the kernel and base system. We've been doing quite a lot of work lately on getting the last few bits of IPv6 going along with some other features we have in the chamber for 2.1. IPv6 support is the main focus of pfSense 2.1 so changes in other areas have happened but they have been minimal in comparison.

        Here is a spreadsheet covering the current status o [google.com]

    • by daniel23 (605413)

      Had to look into my tunnelbroker.net account: it's already 4 years of running it. About once a year there is some hiccup at their Frankfurt node, I 'll write a mail to their support stuff then and about 20 mins later some friendly supportnic asks me to check if I can still repro the problem...
      And free dns server (ipv6-ready, with glue records), and free ipv6 training & certification - HE has been really helpful for me,

  • Run OpenWRT [openwrt.org] on your router, then.

    • by synapse7 (1075571)
      I'm trying to decide if i'm being overly paranoid running some kind of scripted firewall or if I should just use client firewalls which I hate, for some reason.
    • Yeah, maybe things have improved, but I played with IP6 tunneling for a short time. It was kind of cool, but on IPv4, my typical ping times are 20-80ms to reach most hosts. On IPv6 with tunneling, the latencies were typically >100-300ms. Which, is mostly fine for web browsing, but sucks for other applications.

  • $> dig facebook.com aaaa
  • ..or other hostnames with AAAA records:

    Add -4 to ping_check command, restart nagios and carry on.
    Dan

Nothing is more admirable than the fortitude with which millionaires tolerate the disadvantages of their wealth. -- Nero Wolfe

Working...