When I want to make IPv4-legacy-only ser ... / 2010-08-25

2010-08-25 When I want to make IPv4-legacy-only ser ... 9 years ago
When I want to make IPv4-legacy-only services available via IPv6 there are some options: an application-specific proxy like the prolocation ipv6 proxy based on squid. A number of high-profile sites are available this way, including for example:
$ host www.spitsnieuws.nl
www.spitsnieuws.nl is an alias for spitsnieuws.nl.
spitsnieuws.nl has address 81.173.64.62
spitsnieuws.nl has IPv6 address 2a00:d00:ff:131:94:228:131:131
spitsnieuws.nl mail is handled by 100 smtpscan-nl1.telegraaf.nl.
spitsnieuws.nl mail is handled by 100 smtpscan-nl2.telegraaf.nl.
But that is web-only. And with some reloads I can make it show a http 503 proxy error which is not the answer I want to see on a high-profile website like www.spitsniews.nl as a visitor, let alone as the owner of the site or the advertiser.

Something I have mentioned before: if you want to implement IPv6 correctly, give it the same amount of monitoring and care as IPv4. Otherwise you're making yourself hard to reach for IPv6-enabled visitors which may damage either your website image or the image of IPv6. Both are bad.

The other option is not the application proxy but address translation. With IPv6 allocations every IPv6 end-user gets enough address space to map the entire IPv4 Internet. I have been thinking about that option for a while and then I came across NAT is evil - www.me.uk RevK's rants. Not IPv4 NAT as we know it, but NAT64 translating IPv6 address space to IPv4 address space. The trick or treat daemon mentioned in the article is the nameserver part for doing DNS64.

But the hard translating work will need to be done in pTRTd, the Portable Transport Relay Translator Daemon.

The default is dangerous from a firewall perspective: you still set up a proxy for the entire IPv4 address space. But with some serious firewall rules on the IPv6 side (default drop and only allow certain addresses and services). I could see an option to do some experimenting with this at work, very carefully selecting certain outward facing services, setting up the firewall and publishing the AAAA records in DNS.

Yes, NAT is evil. NAT64 is evil too, from the viewpoint of the IPv4 server it hides the entire IPv6 Internet behind one IPv4 address without any headers to indicate what the original address was (which the squid proxy solution does offer). But that is one more incentive to upgrade the service to native IPv6 connectivity.


Tags: ,

, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
RSS
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated in 0.004514 seconds.