IPv6-only network--is NAT64+DNS64 really this easy now?


IPv6-only network--is NAT64+DNS64 really this easy now?

Mel Pilgrim
I'm looking to set up a pure-IPv6 environment to test the viability of
it.  I tried this a few years ago and fell flat on my face due to the
lack of NAT64 and DNS64 support.

Reading through docs now, it looks like unbound has a DNS64 module, and
NAT64 is baked into ipfw.  Waving a hand at bug-hunting and lamentations
over the inertia of embedded systems designers, has it really become
this easy to turn up an IPv6-only site?
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[hidden email]"

Re: IPv6-only network--is NAT64+DNS64 really this easy now?

Ultima-2
Hello Mel,

 While it may be possible to have an IPv6 only environment, I don't
think it is really viable. There are simply too many things that don't run
on or have very limited support for IPv6 that it makes it very hard
to drop IPv4 altogether and until something comes along forcing the
move it likely won't happen for at least another decade at the minimum.

Best regards,
Richard Gallamore

On Mon, Jun 24, 2019 at 6:50 PM Mel Pilgrim <[hidden email]>
wrote:

> I'm looking to set up a pure-IPv6 environment to test the viability of
> it.  I tried this a few years ago and fell flat on my face due to the
> lack of NAT64 and DNS64 support.
>
> Reading through docs now, it looks like unbound has a DNS64 module, and
> NAT64 is baked into ipfw.  Waving a hand at bug-hunting and lamentations
> over the inertia of embedded systems designers, has it really become
> this easy to turn up an IPv6-only site?
> _______________________________________________
> [hidden email] mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> [hidden email]"
>

Re: IPv6-only network--is NAT64+DNS64 really this easy now?

Mel Pilgrim
On 2019-06-24 19:33, Ultima wrote:
> Hello Mel,
>
>   While it may be possible to have an IPv6 only environment, I don't
> think it is really viable. There are simply too many things that don't run
> on or have very limited support for IPv6 that it makes it very hard
> to drop IPv4 altogether and until something comes along forcing the
> move it likely won't happen for at least another decade at the minimum.

Yes, that is why I wrote "Waving a hand at bug-hunting and lamentations
over the inertia of embedded systems designers".

This is a lab experiment specifically to iron out the very wrinkles you
just stated.

> On Mon, Jun 24, 2019 at 6:50 PM Mel Pilgrim <[hidden email]>
> wrote:
>
>> I'm looking to set up a pure-IPv6 environment to test the viability of
>> it.  I tried this a few years ago and fell flat on my face due to the
>> lack of NAT64 and DNS64 support.
>>
>> Reading through docs now, it looks like unbound has a DNS64 module, and
>> NAT64 is baked into ipfw.  Waving a hand at bug-hunting and lamentations
>> over the inertia of embedded systems designers, has it really become
>> this easy to turn up an IPv6-only site?

Re: IPv6-only network--is NAT64+DNS64 really this easy now?

Jan Bramkamp-2
On 25.06.19 04:47, Mel Pilgrim wrote:

> On 2019-06-24 19:33, Ultima wrote:
>> Hello Mel,
>>
>>   While it may be possible to have an IPv6 only environment, I don't
>> think it is really viable. There are simply too many things that
>> don't run
>> on or have very limited support for IPv6 that it makes it very hard
>> to drop IPv4 altogether and until something comes along forcing the
>> move it likely won't happen for at least another decade at the minimum.
>
> Yes, that is why I wrote "Waving a hand at bug-hunting and
> lamentations over the inertia of embedded systems designers".
>
> This is a lab experiment specifically to iron out the very wrinkles you
> just stated.

In that case the answer is yes. At least Github, Stack Overflow and
Twitter work just fine on IPv6 only clients as long as you provide NAT64
and DNS64.

Re: IPv6-only network--is NAT64+DNS64 really this easy now?

Wolfgang Zenker-2
In reply to this post by Mel Pilgrim
* Mel Pilgrim <[hidden email]> [190625 04:47]:
> On 2019-06-24 19:33, Ultima wrote:
>>   While it may be possible to have an IPv6 only environment, I don't
>> think it is really viable. There are simply too many things that don't run
>> on or have very limited support for IPv6 that it makes it very hard
>> to drop IPv4 altogether and until something comes along forcing the
>> move it likely won't happen for at least another decade at the minimum.

> Yes, that is why I wrote "Waving a hand at bug-hunting and lamentations
> over the inertia of embedded systems designers".

> This is a lab experiment specifically to iron out the very wrinkles you
> just stated.

Depending on what you want to do it is viable now.
At work we use IPv6-only jails for web hosting, where all jails on
one physical machine share one NAT64 gateway for outgoing connects to
IPv4-only services like Github. That gateway is the only dual-stack jail
on a machine, the host and all other jails are IPv6 only. The NAT64 jail
also provides a reverse proxy for incoming web access on IPv4. Customers
on an IPv4-only connection use a ssh jumphost to access the server.
We use ipfw for NAT64 and bind for DNS64.

At RIPE meetings twice a year I use the provided IPv6-only network for
net access with phone and notebook; in these 10 days per year for the
last couple of years I have not seen any problems myself. Some people
reported problems accessing VPN gateways though, and accessing IPv4-only
services that use DNSSEC is a problem if your local resolver on the
client does DNSSEC validation.

>> On Mon, Jun 24, 2019 at 6:50 PM Mel Pilgrim <[hidden email]>
>> wrote:
>>> I'm looking to set up a pure-IPv6 environment to test the viability of
>>> it.  I tried this a few years ago and fell flat on my face due to the
>>> lack of NAT64 and DNS64 support.

>>> Reading through docs now, it looks like unbound has a DNS64 module, and
>>> NAT64 is baked into ipfw.  Waving a hand at bug-hunting and lamentations
>>> over the inertia of embedded systems designers, has it really become
>>> this easy to turn up an IPv6-only site?

Re: IPv6-only network--is NAT64+DNS64 really this easy now?

Evilham
In reply to this post by Ultima-2
Hi there,

On Tue, June 25 2019, [hidden email] wrote:

> Hello Mel,
>
>  While it may be possible to have an IPv6 only environment, I
>  don't
> think it is really viable. There are simply too many things that
> don't run
> on or have very limited support for IPv6 that it makes it very
> hard
> to drop IPv4 altogether and until something comes along forcing
> the
> move it likely won't happen for at least another decade at the
> minimum.
>
> Best regards,
> Richard Gallamore
>
> On Mon, Jun 24, 2019 at 6:50 PM Mel Pilgrim
> <[hidden email]>
> wrote:
>
>> I'm looking to set up a pure-IPv6 environment to test the
>> viability of
>> it.  I tried this a few years ago and fell flat on my face due
>> to the
>> lack of NAT64 and DNS64 support.
>>
>> Reading through docs now, it looks like unbound has a DNS64
>> module, and
>> NAT64 is baked into ipfw.  Waving a hand at bug-hunting and
>> lamentations
>> over the inertia of embedded systems designers, has it really
>> become
>> this easy to turn up an IPv6-only site?


At risk of sounding like an advertiser, let me point to:
http://ipv6onlyhosting.com/
As an example of it really being viable nowadays.

Basically, as others have mentioned, there are a few caveats, but
most of them are easily solved.
Software with hard-coded legacy IP addresses is not that common
now, but an issue that I have seen often are fields (settings,
input, ...) that won't accept IPv6 addresses as valid, but will
accept a domain name as valid:
quite often in these cases, pointing to a domain name that echoes
back the IP over DNS (e.g. 8.8.8.8.xip.io for IPv4) is enough, in
that if needed DNS64 will add the AAAA records pointing to the
NAT64 and the piece of software that refused the IPv6 on
settings/input, just transparently uses that.

Basically, if you are unsure whether things can work out: they
can, it's not painful and more often than not, even if you forget
to do DNS64, you only notice that something is different when
using the all-time Big Offenders (Twitter, GitHub, ...).
--
Evilham
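
Added example, not part of the thread or any poster's code: a simplified Python model of the DNS64 synthesis discussed above (the AAAA record a resolver invents for an IPv4-only name such as the 8.8.8.8 case) and of the DNSSEC validation failure Wolfgang mentions. It assumes the RFC 6052 well-known prefix 64:ff9b::/96 or another /96; the function names and the `zone_signed`/`client_validates` flags are illustrative.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix; a site may configure its own /96 instead.
WKP = ipaddress.IPv6Network("64:ff9b::/96")


def embed(v4, prefix=WKP):
    """Map an IPv4 address into a /96 NAT64 prefix (RFC 6052)."""
    v4 = ipaddress.IPv4Address(v4)
    if prefix.prefixlen != 96:
        raise ValueError("this sketch handles /96 prefixes only")
    # RFC 6052 section 3.1: the well-known prefix must not carry non-global IPv4.
    if prefix == WKP and not v4.is_global:
        raise ValueError(f"{v4} is not global; use a network-specific prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(v6, prefix=WKP):
    """Return the IPv4 address embedded in v6, or None if outside the prefix."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(aaaa, a, prefix=WKP, zone_signed=False, client_validates=False):
    """Simplified model of a DNS64 resolver's AAAA answer for one name.

    aaaa, a: address strings returned upstream (constructed inputs here).
    Returns (addresses, synthesized, accepted_by_client).
    """
    if aaaa:
        # Native IPv6 exists: pass it through untouched.
        return [ipaddress.IPv6Address(x) for x in aaaa], False, True
    synth = [embed(x, prefix) for x in a]
    # A synthesized AAAA carries no signature, so a validating client
    # rejects it when the zone is signed; unsigned zones are unaffected.
    accepted = bool(synth) and not (zone_signed and client_validates)
    return synth, bool(synth), accepted


if __name__ == "__main__":
    # Constructed sample: an IPv4-only name, then the same name in a signed zone.
    print(dns64_answer([], ["8.8.8.8"]))
    print(dns64_answer([], ["8.8.8.8"], zone_signed=True, client_validates=True))
```

`extract` is the reverse mapping a NAT64 gateway applies to the destination address, and it is also useful when reading firewall logs on the IPv6-only side to see which IPv4 service a flow actually reached.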