Hurricane Electric's IPv6 Tunnel Broker Forums

I'm curious what people use their tunnels for, and would like to better know the community :)

I use my tunnels to connect from behind Comcast and Speakeasy at home (oh and to test the tunnel-servers from the end-user's point-of-view of the service).

I use IPv6 to expand my networking knowledge and as IPv6 is the future I see it as something to be added to my knowledge
and to find common issues that may have solutions that need to be remembered for future use

I use it to ssh into my network at home to any equipment that can support ipv6.  (Just cant do wireless stuff atm)
Do have a webserver and dns server setup and running, for development purposes for some sites, that are bound to v4/v6 addresses.
A little research/expermintation too with a cisco router.

In addition to my true answer, I also want to see the dancing turtle!

My tunnel goes to my co-located box since native IPv6 isn't there yet.  I had also been using 6to4 since 2004.  Planned is a VPN to include my home machines but my router and DSL modem have been problems.

I volunteer my time in supporting www.e164.org and one of our name servers in the UK has native IPv6 space, but the rest of our name servers like those in the US don't have IPv6 space and I've enabled both US servers with tunnels. In the last few days I've also added AAAA records for all the websites on one of the US boxes, and I'm going to be redoing our DNS records shortly to have IPv6 glue records as well, currently only the UK IP has been added as a glue record.

We're keeping track of the DNS requests coming in via IPv6 connections and it's pretty low at this stage, although not having the IPs as glue records is partly responsible I'm guessing.

I still have to shift mail + mailing lists to the same box at some point, and that would also be IPv6 enabled then as well, but I've been going to shift mail to that system for a few years now and just haven't gotten round to it :)

www/dns/icecast/ircd servers with v4/v6 access.

Quote from: kriteknetworks on April 20, 2008, 07:33:06 PM
www/dns/icecast/ircd servers with v4/v6 access.

Ummm I thought IRC ports were blocked to prevent abuse?

Quote from: eonesixfour on April 20, 2008, 07:49:12 PM

Quote from: kriteknetworks on April 20, 2008, 07:33:06 PM
www/dns/icecast/ircd servers with v4/v6 access.

Ummm I thought IRC ports were blocked to prevent abuse?

Not on the newer tunnel servers that we started deploying last fall. We are taking steps with specific accounts that are reported for ANY type of abuse. If we see a steady rise of IRC related abuse, then the global ban goes back up.

i selected personal use but that includes irc also. I like my service to be accessible by not only another address but through an entire other path. to me it feels robust and helps me think everything is as should be.

I use my tunnels for OpenBSD/3rd party IPv6 software testing and development as well as IPsec/DNS/SSH/SMTP/IMAP/HTTP/FTP/IRC/SILC/VoIP, etc service. All of my personal systems (running OpenBSD) have v6 enabled as well as all other systems in the house (running Windows/OS X) whether wired or Wifi.

Quote from: broquea on April 20, 2008, 09:39:00 PM
Not on the newer tunnel servers that we started deploying last fall. We are taking steps with specific accounts that are reported for ANY type of abuse. If we see a steady rise of IRC related abuse, then the global ban goes back up.

I didn't mean to imply you wouldn't take reports of abuse, I was just under the impression that you just blocked all IRC ports to prevent IRC abuse.

Is it possible to get IRC ports unblocked on other tunnels end points?
Is there any plans to setup an end point in Australia at all?
AARNET were running a broker but that seems to be broken for anything more then a /128 and all emails are going unanswered.

Quote from: eonesixfour on April 27, 2008, 07:53:58 PM
I didn't mean to imply you wouldn't take reports of abuse, I was just under the impression that you just blocked all IRC ports to prevent IRC abuse.

Is it possible to get IRC ports unblocked on other tunnels end points?
Is there any plans to setup an end point in Australia at all?
AARNET were running a broker but that seems to be broken for anything more then a /128 and all emails are going unanswered.

The only tunnels that might still have IRC blocked would be on either tserv1 or 2. tserv3 and higher are the newer platform tunnel-servers and not blocking IRC........at the moment.

No plans for Australia yet, since we don't have a POP there ;) Perhaps once we have one there as part of HE.NET's backbone, then we could provide a tunnel-server.

Quote from: broquea on April 27, 2008, 09:21:03 PM
The only tunnels that might still have IRC blocked would be on either tserv1 or 2. tserv3 and higher are the newer platform tunnel-servers and not blocking IRC........at the moment.

I was sure I tried to connect to freenode on 6667 and it failed, but it just worked then, must have been their end or something transient, thanks for the correction.

QuoteNo plans for Australia yet, since we don't have a POP there ;) Perhaps once we have one there as part of HE.NET's backbone, then we could provide a tunnel-server.

Fair enough, let me know if anything is planned, although I'm sure it'd be announced anyways :)

My preferred option isn't in the poll:  Actual business traffic (not just research).

I've migrated my entire department to ipv6 and we use it for production services daily.  The tunnel allows me to use ipv6 from other locations and still enjoy full connectivity.  Migrating to ipv6 also has permitted me to be much more flexible with routing tables and firewall rules (ip6tables) for traffic that traverses our departmental gateway between the department and the rest of the business.  Corporate IT phoned me recently and asked me to reconfigure machines to stop broadcasting "some kind of version 6 noise".  I told them, it's not noise, we're really using that, and when will you be getting on the bus?  Their response of course was "um, ok, carry on."

I got an old watchguard firebox 2 and erased the OS on it then installed DD-WRT
this enables the router to be configured for IPv6
These are my earliest experiments with IPv6 and need to learn it as the future is looming up
and IPv6 is the future

(regarding the firebox I followed this but installed dd-wrt not m0n0wall)
http://www.ls-net.com/m0n0wall-watchguard/

just for educational purpose


but I love the dancing turtle

I'm using it to learn more about the operational aspects of IPv6.  I can't really see using it for "personal use" since I'm using a tunnel to get it (no native IPv6 on my ISP so far  :-[ ), and it'd be a bit slow, plus I wouldn't want to abuse HE's graciously provided bandwidth for that sort of thing.   ;D

Using IPv6 takes me back to the late 80s, early 90s, where we didn't have deal with NAT, and everything had a globally routed address.  It makes me eager for a time when IPv4, NAT, and all its complications will be a thing of the past.  It'll be "Back to the Future" in a way.  :)

 for educational purpose (working for an university) and personal use..

I'm using it for personal education mostly.

I love the idea of IPv6 and available MTU associated with it. :)

I'm very thankful for this site, I just wish I would have stumbled onto it a year ago.

I'm using it now to allow my network and my friend's networks to communicate directly, even though they're on "dynamic" ranges.

Well, I would, if AT&T wasn't scared of a bit of rain.

Quote from: jimb on June 06, 2009, 07:39:14 PM
...Using IPv6 takes me back to the late 80s, early 90s, where we didn't have deal with NAT, and everything had a globally routed address....

Do you really trust an Internet with all the Microsoft hosts using live addressing? 

But yeah the IPV6 Internet looks a lot like 1993.

Quote from: sagard123 on February 26, 2010, 11:58:13 AM

Quote from: jimb on June 06, 2009, 07:39:14 PM
...Using IPv6 takes me back to the late 80s, early 90s, where we didn't have deal with NAT, and everything had a globally routed address....

Do you really trust an Internet with all the Microsoft hosts using live addressing?  

But yeah the IPV6 Internet looks a lot like 1993.

You can't really trust any OS, or any piece of software a user might install, or any user to keep their OS secure.  This is why you still need network firewalls even with IPv6 to put your clients machines behind.  The only real change IPv6 makes is that there's no need for NAT.  But you still need a good FW with a sane security policy installed.  I'm using ip6tables for this purpose on my v6 router.

At least today MS OSes have a firewall installed that isn't wide open!  In contrast, most linux distros ship with iptables, but with no default policy, and thus are wide open.  Of course MS OSes tend to have more buggy/exploitable things running and open by default too.  :)

I'm basically a Unix/Linux guy, but I still try to be agnostic and fair about OSes.  :P

Quote from: jimb on February 26, 2010, 01:48:45 PM
I'm basically a Unix/Linux guy, but I still try to be agnostic and fair about OSes.  :P

I'm with you on all OS problems, but when MS has 90% of the market they get 90% of the flak. 

Quote from: jimb on February 26, 2010, 01:48:45 PM
I'm basically a Unix/Linux guy, but I still try to be agnostic and fair about OSes.  :P

Likewise..  Although I prefer Linux and Microsoft over Apple  :o  But in the end, the OS is only as secure as the user who's at the computer allows it to be.  If they click on something that can infect their computers, then it doesn't matter why it was able to actually infect the computer.  It's still because the user clicked it.

(Yep, I know that Microsoft can be infected just by going to the site, but really if it's because of flash or something else, it can potentially infect all os'es IMHO).

Have a great day:)
Patrick.

Oh, and where's the dancing turtle? LOL

Turtle:  http://www.kame.net/  - He only dances if accessed via IPv6.

Personal use, and basically to experiment with IPv6, which has been until now something of an alien concept for me. Also, I miss the old days when everyone had IPv4 addys and NAT wasn't needed.  :)

Of course, now I've been tainted by NAT and the idea of everyone having globally-routeable addresses seems kinda weird to me... even if 10 years ago, that was what I was used to!  :o

Since my ISP doesn't offer native v6, this seemed the best way to go. I already knew about HE, in a vague manner, as they are the v4 transit provider for a VPS I have, but wasn't aware of tunnelbroker till I got bored one day, and decided to learn about IPv6, even though up to that point I was anti-IPv6. Now that I've got it, I can't give it up, it's great being able to access all of the computers on my local network (all 10 of 'em), instead of dealing with a bloody NAT.

On a side note, anyone here managed to get a tunnel going on Android 2.2? I've got a p3droid kernel, with sit support, but I can't seem to get it to work...

Location: Naval Submarine Base, Groton, CT
Router: Hostname: tethyes - OS: Linux 2.6.32-5-xen-686/i686 - Distro: Debian squeeze/sid - CPU: 4 x Pentium III (Cascades) (701.600 MHz) - Processes: 161 - Uptime: 2d 18h 44m - Users: 1 - Load Average: 0.00 - Memory Usage: 147.99MB/1009.68MB (14.66%) - Disk Usage: 904.24GB/1572.52GB (57.50%) - eth0 Traffic (eth0): 1879.87MB In/1683.43MB Out

What's wrong with NAT...now one has "tunnels" to think about - don't recall using them in early '90s either...

As Crush would say to Squirt "Grab shell. Go native dude!" - Possibly 10 years from now we won't require either!

However, (subtly serious question) surely in using /64s on tunnels, are we not halving (poss) the 340 trillion trillion trillion 'ish V6 addresses available for use or at least losing 65532 addresses for each tunnel used?
Would not  /126 be viable?
Currently use native /126 (ptp) and /128 (lo) and wondering why most tunnel brokers go for /64 ? (not yet setup any internal tunnels)

I'd hate to see a V6 countdown "counter" in my lifetime!! ;)

In reality,  using for "research" for deployment in large enterprise.

Quote"atelier momonga"(voluntary association) was established in 1995. The aims of the association are to respect for an individual opinion, to offer the place to create an original work, to promote a local community culture.

Quote from: lukec on September 01, 2010, 01:56:10 AM
However, (subtly serious question) surely in using /64s on tunnels, are we not halving (poss) the 340 trillion trillion trillion 'ish V6 addresses available for use or at least losing 65532 addresses for each tunnel used?
Would not  /126 be viable?
Currently use native /126 (ptp) and /128 (lo) and wondering why most tunnel brokers go for /64 ? (not yet setup any internal tunnels)

Longer than /64 prefixes are actually not as widely supported.  Some hardware won't do /126s, for example.  Which makes sense a bit if you figure their internals are liable to be tuned best for dealing with 64bit values.  It's also administratively easier to deal with a bunch of /64s than a zillion little /126s.  And even if /126s were used, I'd almost expect /124s would be more widely used than /126s, since they at least fall on a nibble boundary, which once again, makes administration easier (rDNS breaks on an easy spot, can do substring matches on prefixes from scripts, etc.)

Quote from: lukec on September 01, 2010, 01:56:10 AM

However, (subtly serious question) surely in using /64s on tunnels, are we not halving (poss) the 340 trillion trillion trillion 'ish V6 addresses available for use or at least losing 65532 addresses for each tunnel used?

Just to nitpick the numbers...

Using a /64 on a P2P interface doesn't waste 65532 addresses; you lose 2**64 - 4 (ish.), or 18,446,744,073,709,551,612 addresses.

If I had a penny for every unused IP on every /64 tunnel... (or heck, even one tunnel), I'd leave this IPv6 to you and just retire :D

Joel

I use it for my own personal educational purposes. Started using it since 2003.

I use it just because I like to be on top of this type of stuff.


"Are YOU ready for the internet revolution?"

To see the dancing turtle as well as personal use.

I've got a debian gateway (ditching uPNP/SSDP-spamming linksys routers FTW!), so setting up my LAN to use my routed /64 was pretty easy. Thanks to the HE guys for making this possible and free.

I use it mostly for personal stuff and learning about networking.
IPv6 was what really got me into networking. I could have enough addresses to try things at home without trying to deal with the complexities of NAT. Most of the stuff I learned from IPv6 was applicable to IPv4 and so now I'm pretty comfortable with both versions.
What I've used IPv6 tunnels in general for is providing remote technical support (for people I've 'converted' to Ubuntu) through SSH (using public keys). You can't use SSH very well without being able to reach port 22 from outside. Some of the people I help are behind carrier wide NAT, side IPv6 tunnels are the easiest way to have a globally reachable port 22. Unfortunatly, this carrier wide NAT doesn't let HE's tunnels through, so I had to use Sixxs. (AYIYA/AICCU HE tunnels would be awesome.)

Now I use it because it's much simpler to set it up once and be done with it for all the development and pre-release stuff I do. No more SSH hopping and redirection!

Other: all of the above.

Mostly personal stuff, learning more about networking, etc... I work at a game company doing the multiplayer section of the client, need to stay on top of these kind of things.

Hello,

I'm learning the protocol IPv6 and all the transitions.
IPv6 is the future Internet Prootocol ,that is why i'm here today.

Then my goal is to give explanation around me.

I use ipv6 tunnel to access the websites blocked by China government.Almost all services of Google support IPv6, thanks to that I can build proxy of my own on Google App Engine, through which I can access other IPv4-only website, IPv6 just help me manage to connect Google app engine~ ;D

I deleted my tunnel as my current router seems to mangle the tunnel packets, it only works if I put my laptop directly behind the Cable Modem but for me, it primarily is research for a new hosting service (won't mention, I hate spam as much as everyone else does - and my target audience is technical n00bs anyway) I am starting.

Once I replace my router I will create a new one. The geographic location of my tunnel probably wasn't optimal anyway, but Fremont was full so I had to go with Seattle. Maybe when I replace my router, Fremont will have an opening (I'm in Redding). OTOH since my servers are all in Dallas (Linode), maybe that would be a good tunnel location.

Nutshell - I want everything I host to be dual stack. Many emerging markets (especially in Asia) seem to be adopting IPv6 very quickly, I think it is important to my potential clients (even though most will likely be American) that their content be available on IPv6 so that it is not missed by users who may be on IPv6 only networks.

Also, due to the way Apache works, individual SSL certs for hosted domains with name based virtual hosting is problematic.
Thus it is to my advantage to see IPv6 replace IPv4 as quickly as possible. The sooner dual stack becomes the norm, the sooner we'll get to a point where IPv4 drops away and I can go IPv6 only for SSL content. Still years away, but I figure the more interest in IPv6 that is seen by the big corporations the sooner that will happen.

Finally, I do not fully understand the details, but if my impression is correct, it sounds like the technical aspects of IPv6 make load balancing a hell of a lot easier. Something about being able to have a cluster of servers where the first available handles the request without needing to have the cluster behind a load balancer. I definitely want to research that some more and make sure I understand the concepts behind it.

I'm running a tunnel at home (OpenBSD firewall in front of my FiOS router) and now at a VPS system. I'm doing this to learn IPv6 administration and for grins.

Yesterday I enabled an IPv6 address for the MX's for my domains; it took only a couple of hours before I got my first real V6-transported email. Good stuff.
No spam yet, fortunately.

For educational purposes, that and I really quite enjoyed the challenge and the learning curve.
:-D

I use TunnelBroker to learn about IPv6.  I never used the Internet back in the early '90s, but this business of global addresses makes things much more straight forward.  I outright gave up on trying to get SIP working through NAT.  I just want NAT to die.

I am here to learn. I came across this site in another unrelated forum and it sounded interesting.

Great to have router with OpenWRT installed on it. I can use IPv6 without any problems for educational purpose.

Quote from: DOMBlogger on September 08, 2011, 07:14:08 PM
I deleted my tunnel as my current router seems to mangle the tunnel packets, it only works if I put my laptop directly behind the Cable Modem

Unfortunately the type of tunnel HE uses doesn't really work behind NAT. Some nats will work in some scenarios but it's not a setup I can reccomend. IMO you should either get a router that can terminate the tunnel on the router or get a tunnel provider that can be used from behind NAT (I use freenet6 myself)

QuoteAlso, due to the way Apache works, individual SSL certs for hosted domains with name based virtual hosting is problematic.

It's not apache that is the problem, it's the design of SSL itself. They eventually added an extension called SNI to support name based virtual hosting but a significant proportion of web users still don't support it.

Still I expect SNI support to be ubiquitous within a few years. Pretty much the only significant browsers that don't support it are internet explorer on windows XP and the default browser on old versions of andriod. I expect both to fade away from the public internet over the next few years as consumers replace their hardware and corps either move away from a version that no longer gets security updates or at least stop using the shipped browser for general web browsing to reduce their exposure.

On the other hand I have serious doubts about ubiquitous IPv6 any time soon. In particular I discovered that windows7 will disable teredo support by default if it sees a domain controller on the local network (and apparently it thinks one of my linux boxes is a domain controller). So I expect clients on corporate networks to remain v4 only for a LONG time.

I'm actually building my own company and want to provide all sorts of technology services, and in order to do that I need to be dual stack enabled (I am, but my ISP, Century Link, is not). So I built out my first tunnel, got it fully working, then completed the IPv6 certification program, and now I am building out Mobile IPv6 routers that can drop onto any network, update their tunnel end-point, and connect to the IPv6 network with their own firewall! I'll have 4 of these and they will be pretty handy for building out our initial POPs!

Thank you HE team for building this amazing tool, and the IPv6 certification program! It has really helped kick-start the back-end mess of Unknown Technology Solutions!

As always, if anyone has any questions, I'd love to answer them, so feel free to ask me however!