Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Linux & BSD & Mac => Topic started by: cssdesign on May 10, 2013, 09:55:06 AM

Title: Running webserver with tunnel
Post by: cssdesign on May 10, 2013, 09:55:06 AM
I want to configure DNS, DHCPv6, and my webserver to be dual-stacked. Now the problem is that I don't know if I'm supposed to use the IPv6 given by Hurricane Electric or I will need to deploy from my router or something.

My main goal now is that, when my ISP starts providing IPv6 services, I want to be able to remove the tunnel settings and still have everything working normally. So to accomplish that, which IPv6 should I use to set up all those services, without having to go change things in the future later?
Title: Re: Running webserver with tunnel
Post by: cholzhauer on May 10, 2013, 10:21:05 AM
I'm not sure what you mean by "which IPv6"...are you referring to the ranges you were provided?

If so, you use the routed /64 (unless you've requested a /48).
Title: Re: Running webserver with tunnel
Post by: cssdesign on May 10, 2013, 10:34:37 AM
What I mean mainly is, first, what do I use for my internal DNS server as the AAAA records?

Secondly, what IPv6 address do I use for configuring DHCPv6?

Thirdly, if I want to glue an IPv6 address to my domain name, do I have to deploy another set of addresses for my network, or use the Hurricane Electric provided one, or wait for my ISP to start offering IPv6 services?

Lastly, if and when my ISP starts offering IPv6, and I don't need the tunnel anymore, will I have to change every one of those service configurations that I used the assigned IPv6 for?

I have a /64.
Title: Re: Running webserver with tunnel
Post by: cholzhauer on May 10, 2013, 11:00:04 AM
Quote
What I mean mainly is, first, what do I use for my internal DNS server as the AAAA records?

I assume you mean what software package? You can use anything you want.

Quote
Secondly, what IPv6 address do I use for configuring DHCPv6?

I think you're overthinking this; it's pretty much the same thing as IPv4, you just have longer addresses and larger subnets.

Quote
Thirdly, if I want to glue an IPv6 address to my domain name, do I have to deploy another set of addresses for my network, or use the Hurricane Electric provided one, or wait for my ISP to start offering IPv6 services?

Glue as in the type of glue you had to do to pass your Sage certification? You don't need to wait on your ISP.

Quote
Lastly, if and when my ISP starts offering IPv6, and I don't need the tunnel anymore, will I have to change every one of those service configurations that I used the assigned IPv6 for?

Change the configurations? No. Change the addresses? Yes.
Title: Re: Running webserver with tunnel
Post by: kasperd on May 10, 2013, 11:14:26 AM
First of all I don't think you should put much effort into DHCPv6. You can run IPv6 without using DHCPv6, so configuring DHCPv6 may just add to the complexity. Only consider DHCPv6 if you know exactly what you want to achieve from using DHCPv6.

Secondly I wouldn't prepare a detailed plan for the transition from tunnelled IPv6 to native IPv6 if you don't know how your ISP is going to deploy IPv6. But considering it at a high level makes sense such that you don't introduce too many dependencies on fixed IPv6 addresses, which are going to be problematic later.

A transition that could work in principle would be to run with IPv6 from both your ISP and from HE simultaneously while you identify all places where you have addresses configured and update them. There is one caveat though. By default routing only considers the destination address of a packet when deciding which direction to route it. This means packets with a source address delegated by HE and packets with a source address delegated by your ISP will take the same route. But you can probably expect both HE and your ISP to filter packets based on source address, which means regardless of which direction you route the packets, some of them will be dropped.

This caveat can be addressed in two ways. Either you convince either HE or your ISP to permit packets from you with the source addresses you need, or you use a router which can consider the source address when deciding between two default routes.

Another transition would be to segment your network. Your LAN could have two IPv6 segments, one using each of the two IPv6 paths. Then you can migrate services one by one.

The easiest transition would probably be to just shut down the tunnel and switch over in one go. Then start figuring out which services are unreachable and bring them up again. This means downtime during the transition, but if you aren't running anything that needs to be up 24/7, then that is easiest.

Places where you actually have IPv6 addresses configured should be kept as limited as possible. As much as possible, you want to use hostnames rather than IP addresses. In those corner cases where depending on DNS isn't an option, you can still use hostnames and put them in /etc/hosts.
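
Added example, not part of the original thread: a small audit for the "identify all places where you have addresses configured" step discussed above. It finds IPv6 literals that fall inside the old tunnel prefix even when they are written in expanded or upper-case form, which a plain text search for the prefix would miss. The prefixes are documentation addresses and the sample configuration is constructed for illustration.

```python
import ipaddress
import re

# Candidate tokens: runs of hex digits, colons and dots (dots allow an embedded
# IPv4 tail), optionally followed by /prefix-length. Real validation is done by
# the ipaddress module, so the pattern can afford to be permissive.
CANDIDATE = re.compile(
    r"(?<![0-9A-Fa-f:.])([0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*)(?:/(\d{1,3}))?"
)

OLD_PREFIX = "2001:db8:1::/64"   # assumption: stands in for the routed tunnel /64
NEW_PREFIX = "2001:db8:2::/64"   # assumption: stands in for the future ISP prefix

# Constructed sample input, not taken from the thread.
SAMPLE = """\
# constructed sample configuration
listen [2001:db8:1::10]:443;
www IN AAAA 2001:0DB8:0001:0000:0000:0000:0000:0010
ip6tables -A INPUT -s 2001:db8:1::/64 -j ACCEPT
upstream 2001:db8:2::53        # already on the new prefix
ether 00:11:22:33:44:55 at 12:30:45
server_name www.example.net;
"""

def find_hardcoded(text, prefix):
    """Return (line_no, literal) for every IPv6 address or subnet in text
    that lies inside prefix, whatever notation it is written in."""
    net = ipaddress.IPv6Network(prefix)
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            token = match.group(1).strip(".")
            try:
                addr = ipaddress.IPv6Address(token)
            except ValueError:
                continue  # MAC addresses, timestamps, port suffixes
            if addr in net:
                hits.append((line_no, match.group(0)))
    return hits

if __name__ == "__main__":
    for line_no, literal in find_hardcoded(SAMPLE, OLD_PREFIX):
        print(f"line {line_no}: {literal} is inside {OLD_PREFIX}")
```

Firewall rules and access lists are worth checking first, since a rule that still references the old prefix after renumbering either blocks legitimate traffic or keeps trusting addresses you no longer control.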