Is there any IPv6 plan for *.fedoraproject.org ?
One plan chosen by projects (including wikimedia) is a staged rollout, like this:
1) enable IPv6 reachability and AAAA records for DNS servers
2) enable IPv6 for small-audience or developer-only services, such as cvs/svn/git services
3) enable IPv6 for primary services, such as public web
Such staged rollouts attempt to balance the potential for service disruption due to end-user misconfiguration with pushing technological progress forward.
As of today, for months, the DNS root servers are reachable via IPv6 and have AAAA records.
Any chance we could look at step #1 or #2 for Fedora?
I am hoping that Fedora can be a leader rather than a follower in deploying this new technology.
Jeff
On Mon, 17 Aug 2009, Jeff Garzik wrote:
On 08/17/2009 10:01 AM, Mike McGrath wrote:
On Mon, 17 Aug 2009, Jeff Garzik wrote:
Is there any IPv6 plan for *.fedoraproject.org ?
There is currently no plan.
What needs to be done to create a plan, and move forward?
someone who cares about ipv6 to lead it, I suspect.
-sv
On Mon, 17 Aug 2009, Jeff Garzik wrote:
On 08/17/2009 10:01 AM, Mike McGrath wrote:
On Mon, 17 Aug 2009, Jeff Garzik wrote:
Is there any IPv6 plan for *.fedoraproject.org ?
There is currently no plan.
What needs to be done to create a plan, and move forward?
Someone with a clear idea of the benefits, costs, and a plan for implementation.
-Mike
On Aug 17, 2009, at 19:43 , Mike McGrath wrote:
On Mon, 17 Aug 2009, Jeff Garzik wrote:
On 08/17/2009 10:01 AM, Mike McGrath wrote:
On Mon, 17 Aug 2009, Jeff Garzik wrote:
Is there any IPv6 plan for *.fedoraproject.org ?
There is currently no plan.
What needs to be done to create a plan, and move forward?
Someone with a clear idea of the benefits, costs, and a plan for implementation.
Besides the fact that we have to expect no more free IPv4 addresses available after 2012 and will then be forced to start working on it, the greatest benefit would be to start getting experience on the whole new IPv6 stack.
As long as our uplink providers already support v6, the costs to enable services within the new address space should be minimal. Providers usually just charge a setup fee and are actually not allowed to charge more than that...
I already have some experience with IPv6 from my workplace. The rough plan for the transition made so far was:
* Enable v6 auto-configuration for all of our server vlans. Thus, all of our machines had v6 connectivity to the outside, and were able to use already existing v6 services.
To work around any security bugs which this change could introduce, we configured stateful filtering on the routers, allowing only established connections from the outside to our machines.
* Working on the support of internal, ancillary services, such as monitoring, accounting and documentation systems, and setting up firewalls for v6 on all of the hosts.
* Enabling the first non-critical test services, by adding additional addresses from another address space, which allow inbound connections.
* Enabling more and more services, which are as well visible for our customers. DNS, SMTP, WEB,...
Looking forward to working with you guys on the transition.
Regards, Stefan.
-- Stefan Schlesinger sts@ono.at STS45-RIPE
On Thu, Aug 27, 2009 at 01:07:49PM +0200, Stefan Schlesinger wrote:
On Aug 17, 2009, at 19:43 , Mike McGrath wrote:
On Mon, 17 Aug 2009, Jeff Garzik wrote:
On 08/17/2009 10:01 AM, Mike McGrath wrote:
On Mon, 17 Aug 2009, Jeff Garzik wrote:
Is there any IPv6 plan for *.fedoraproject.org ?
There is currently no plan.
What needs to be done to create a plan, and move forward?
Someone with a clear idea of the benefits, costs, and a plan for implementation.
Besides the fact that we have to expect no more free IPv4 addresses available after 2012 and will then be forced to start working on it, the greatest benefit would be to start getting experience on the whole new IPv6 stack.
As long as our uplink providers already support v6, the costs to enable services within the new address space should be minimal. Providers usually just charge a setup fee and are actually not allowed to charge more than that...
I already have some experience with IPv6 from my workplace. The rough plan for the transition made so far was:
Enable v6 auto-configuration for all of our server vlans. Thus, all of our machines had v6 connectivity to the outside, and were able to use already existing v6 services.
To work around any security bugs which this change could introduce, we configured stateful filtering on the routers, allowing only established connections from the outside to our machines.
We don't have control over the routers in most of our data centers. RHEL5's ip6tables can't do stateful filtering either (no conntrack). I agree stateful would be nice, but is it strictly necessary? I don't believe so.
On Mon, Aug 17, 2009 at 09:22:28AM -0400, Jeff Garzik wrote:
Is there any IPv6 plan for *.fedoraproject.org ?
I filed a ticket: https://fedorahosted.org/fedora-infrastructure/ticket/1623 and the related wiki page: https://fedoraproject.org/wiki/Infrastructure/IPv6
to get started on this.
It would really help to get info from our kind hosting providers (PHX, tummy, telia, ibiblio, BU, serverbeach, others?) to know exactly what IPv6 capability is already present and how to get address assignments for our use there.
My thought is this. MirrorManager is the most interesting service we offer that would make direct use of an IPv6 address (to do netblock lookups). As was noted in the now-closed ticket https://fedorahosted.org/fedora-infrastructure/ticket/1057 we will have to enable (some of?) our proxy servers to serve over IPv6, as that is where mirrors.fp.o and download.fp.o resolve. We could set up a publictest proxy instance in one of the colos with native IPv6 already, one that matches the existing proxy there, but which also serves IPv6. We create a mirrors-ipv6.fedoraproject.org AAAA record which points at that proxy, and use that to test out the rest of the infrastructure (which remains serving IPv4 unchanged). This would give me a chance to work out any bugs in MM which I'm sure exist (at the very least, python-pydns doesn't do AAAA-record lookups and will need fixing).
The automatic Internet2 detection will need some help too, as right now the BGP tables I'm pulling from http://syslog.abilene.ucaid.edu/bgp/WASH/RIBS/ is only listing IPv4 addresses.
As for serving other content, if it's fronted by the proxy servers (e.g. web content), then it should naturally start working via the IPv6-enabled proxies. Testing will prove that out.
For non-web content (git, cvs, ssh?), I believe this is mostly hosted in PHX, which at this point we don't believe has native IPv6. How can we go about requesting such in the colo? I presume this is something that Red Hat IS would have to ask for on our behalf. I'd much rather try to get native going, instead of dealing with 6to4 (the nearest 6to4 server is 10 hops and 60+ms away) or tunnels.
fedorapeople is at BU, which has some native IPv6 capability, but it's not clear they use it: http://www.mrp.net/IPv6_Survey.html
As for DNS servers (serving DNS over IPv6), we have: ns1 is at serverbeach. ns2 is at ibiblio.
We'll need to know their native IPv6 capability before proceeding there. This is less critical, as most users are still doing their DNS lookups to an IPv4 DNS server at their ISP. But it would be nice.
So, that's my thoughts. I'd love to hear yours. -Matt
A rather large ballache would also be ip6tables - I saw no mention in your post - thought I'd throw it out there also.
-- Cheers, David JM Emmett
Sent from my iPhone
On 23 Aug 2009, at 21:50, Matt Domsch Matt_Domsch@dell.com wrote:
On Mon, Aug 17, 2009 at 09:22:28AM -0400, Jeff Garzik wrote:
Is there any IPv6 plan for *.fedoraproject.org ?
I filed a ticket: https://fedorahosted.org/fedora-infrastructure/ticket/1623 and the related wiki page: https://fedoraproject.org/wiki/Infrastructure/IPv6
to get started on this.
It would really help to get info from our kind hosting providers (PHX, tummy, telia, ibiblio, BU, serverbeach, others?) to know exactly what IPv6 capability is already present and how to get address assignments for our use there.
My thought is this. MirrorManager is the most interesting service we offer that would make direct use of an IPv6 address (to do netblock lookups). As was noted in the now-closed ticket https://fedorahosted.org/fedora-infrastructure/ticket/1057 we will have to enable (some of?) our proxy servers to serve over IPv6, as that is where mirrors.fp.o and download.fp.o resolve. We could set up a publictest proxy instance in one of the colos with native IPv6 already, one that matches the existing proxy there, but which also serves IPv6. We create a mirrors-ipv6.fedoraproject.org AAAA record which points at that proxy, and use that to test out the rest of the infrastructure (which remains serving IPv4 unchanged). This would give me a chance to work out any bugs in MM which I'm sure exist (at the very least, python-pydns doesn't do AAAA-record lookups and will need fixing).
The automatic Internet2 detection will need some help too, as right now the BGP tables I'm pulling from http://syslog.abilene.ucaid.edu/bgp/WASH/RIBS/ is only listing IPv4 addresses.
As for serving other content, if it's fronted by the proxy servers (e.g. web content), then it should naturally start working via the IPv6-enabled proxies. Testing will prove that out.
For non-web content (git, cvs, ssh?), I believe this is mostly hosted in PHX, which at this point we don't believe has native IPv6. How can we go about requesting such in the colo? I presume this is something that Red Hat IS would have to ask for on our behalf. I'd much rather try to get native going, instead of dealing with 6to4 (the nearest 6to4 server is 10 hops and 60+ms away) or tunnels.
fedorapeople is at BU, which has some native IPv6 capability, but it's not clear they use it: http://www.mrp.net/IPv6_Survey.html
As for DNS servers (serving DNS over IPv6), we have: ns1 is at serverbeach. ns2 is at ibiblio.
We'll need to know their native IPv6 capability before proceeding there. This is less critical, as most users are still doing their DNS lookups to an IPv4 DNS server at their ISP. But it would be nice.
So, that's my thoughts. I'd love to hear yours. -Matt
-- Matt Domsch Technology Strategist, Dell Office of the CTO linux.dell.com & www.dell.com/linux
Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
That is why ip6tables exists ;)
Mind you puppet will make things significantly easier, do you also have hardware firewalls/a NAT setup?
-- Cheers, David JM Emmett
Sent from my iPhone
On 24 Aug 2009, at 02:47, Jeff Garzik jgarzik@pobox.com wrote:
On 08/23/2009 06:59 PM, David JM Emmett wrote:
A rather large ballache would also be ip6tables - I saw no mention in your post - thought I'd throw it out there also.
Are you saying that IPv4 rules would need IPv6 counterparts, or something more?
Jeff
On 08/24/2009 01:17 AM, David JM Emmett wrote:
On 24 Aug 2009, at 02:47, Jeff Garzik jgarzik@pobox.com wrote:
On 08/23/2009 06:59 PM, David JM Emmett wrote:
A rather large ballache would also be ip6tables - I saw no mention in your post - thought I'd throw it out there also.
Are you saying that IPv4 rules would need IPv6 counterparts, or something more?
That is why ip6tables exists ;)
Yes; I would hope that a Linux kernel developer who has worked extensively in networking (me) and the entire infrastructure team knows this.
Was trying to determine if your point is simply "remember ipv6 rules," or something more detailed and explicit...
Regards,
Jeff
P.S. Please don't top-post.
On 24 Aug 2009, at 06:40, Jeff Garzik jgarzik@pobox.com wrote:
On 08/24/2009 01:17 AM, David JM Emmett wrote:
On 24 Aug 2009, at 02:47, Jeff Garzik jgarzik@pobox.com wrote:
On 08/23/2009 06:59 PM, David JM Emmett wrote:
A rather large ballache would also be ip6tables - I saw no mention in your post - thought I'd throw it out there also.
Are you saying that IPv4 rules would need IPv6 counterparts, or something more?
That is why ip6tables exists ;)
Yes; I would hope that a Linux kernel developer who has worked extensively in networking (me) and the entire infrastructure team knows this.
Was trying to determine if your point is simply "remember ipv6 rules," or something more detailed and explicit...
Regards,
Jeff
P.S. Please don't top-post.
Nothing more than an attempt to be slightly useful... withdraws self from conversation...
-- Cheers, David JM Emmett
Sent from my iPhone
On Mon, Aug 24, 2009 at 06:17:44AM +0100, David JM Emmett wrote:
That is why ip6tables exists ;)
Here's a proposed ip6tables-template.conf.erb. It's based on the iptables template, with all the IPv4-specific stuff stripped out. This should let our current model of using defined per-service ports work:
# Firewall Rules, allow HTTP traffic through
$tcpPorts = [ 80, 443, 873, 8080 ]
$udpPorts = []
$custom = []

ip6tables { "/etc/sysconfig/ip6tables":
    content => template("system/ip6tables-template.conf.erb"),
}

service { "ip6tables":
    ensure    => running,
    hasstatus => true,
}
------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# loopback allowed
-A INPUT -i lo -j ACCEPT

# Accept ping and traceroute (needs icmp); ICMPv6 also carries neighbor
# discovery and path-MTU discovery, so it must not be blocked on IPv6
-A INPUT -p ipv6-icmp -j ACCEPT

# Established connections allowed
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Custom Services
<% custom.each do |cust| -%>
<%= cust %>
<% end -%>

# Services TCP
<% tcpPorts.each do |port| -%>
-A INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
<% end -%>

# Services UDP
<% udpPorts.each do |port| -%>
-A INPUT -m state --state NEW -m udp -p udp --dport <%= port %> -j ACCEPT
<% end -%>

# Reject everything else (REJECT rather than DROP so clients fail fast)
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
On Mon, Aug 24, 2009 at 05:11:37PM -0500, Matt Domsch wrote:
On Mon, Aug 24, 2009 at 06:17:44AM +0100, David JM Emmett wrote:
That is why ip6tables exists ;)
Here's a proposed ip6tables-template.conf.erb.
I committed a slightly different template to puppet/staging that I built on an EL-5 box. EL-5 doesn't have ip6tables conntrack, so -m state functions won't work there.
I've done some more digging, and posted my findings on [1], specifically that our torrent tracker doesn't support IPv6, though the VM is on a machine that has a global IPv6 address. I've started looking at building opentracker [2], which is under a beerware license (so acceptable). It requires libowfat, which in Fedora is built against dietlibc. Neither libowfat nor dietlibc are built on EL-5. I've reached out to the maintainers of these to see if they will branch, or if we can build libowfat for EL-5 against glibc.
At the moment, hosts and VMs housed at iBiblio can be reached via IPv6 global addresses natively. No word from Telia yet, though some people here think they're capable, but our VMs there aren't getting addresses automatically assigned. OSUOSL has plans in the works and hope to have something within a few months. BU is about a year away from production use. Our other kind hosting facilities have no plans at this time.
With what we have at iBiblio, we could enable ns2, proxy4, and torrent1 pretty easily.
[1] http://fedoraproject.org/wiki/Infrastructure/IPv6
[2] http://erdgeist.org/arts/software/opentracker/
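As an added example (not Matt's ERB template nor the one he committed to puppet/staging), the following POSIX sh function renders the rule set that ip6tables-template.conf.erb produces for a given port list, and adds a stateless mode for the EL-5 case above, where ip6tables has no conntrack and every "-m state" rule fails to load. The port lists, the stateful/stateless switch and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: render an ip6tables INPUT chain from a port list.
#   render_ip6tables "<tcp ports>" "<udp ports>" stateful|stateless
# "stateful" mirrors the list's ERB template (needs conntrack, EL-6+);
# "stateless" is an approximation that loads on EL-5.

render_ip6tables() {
    tcp_ports=$1      # space-separated, e.g. "80 443 873 8080"
    udp_ports=$2
    mode=$3

    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # ICMPv6 carries neighbor discovery and path-MTU discovery, not just
    # ping; blocking it breaks IPv6 connectivity outright.
    printf '%s\n' '-A INPUT -p ipv6-icmp -j ACCEPT'

    if [ "$mode" = stateful ]; then
        printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        new=' -m state --state NEW'
    else
        # No conntrack: approximate "established" by accepting every TCP
        # segment that is not a connection-opening SYN. UDP replies cannot
        # be recognised this way, so only the listed UDP ports are reachable.
        printf '%s\n' '-A INPUT -p tcp ! --syn -j ACCEPT'
        new=''
    fi

    printf '%s\n' "-A INPUT$new -m tcp -p tcp --dport 22 -j ACCEPT"
    for port in $tcp_ports; do
        printf '%s\n' "-A INPUT$new -m tcp -p tcp --dport $port -j ACCEPT"
    done
    for port in $udp_ports; do
        printf '%s\n' "-A INPUT$new -m udp -p udp --dport $port -j ACCEPT"
    done

    # REJECT rather than DROP so legitimate clients fail fast instead of hanging.
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp6-adm-prohibited'
    printf '%s\n' '-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited'
    printf '%s\n' 'COMMIT'
}

# Number of rules that depend on conntrack; must be 0 before loading on EL-5.
count_state_rules() {
    render_ip6tables "$1" "$2" "$3" | grep -c -- '-m state' || true
}

# Stand-alone run: the rule set for the port list from the puppet manifest.
render_ip6tables "80 443 873 8080" "" stateless
```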
Matt, I think the key issue is to get anything going. Anything is better than nothing. When other providers roll IPv6 PAs out, those locations can be enabled when available. Of course there would also be the 6to4 option. It might also be smart to check if those providers offer a 6to4 gateway; then 6to4 tunneling could be used in the interim.
Regards,
Tristan
On 27/08/09 06:01, Matt Domsch wrote:
On Mon, Aug 24, 2009 at 05:11:37PM -0500, Matt Domsch wrote:
On Mon, Aug 24, 2009 at 06:17:44AM +0100, David JM Emmett wrote:
That is why ip6tables exists ;)
Here's a proposed ip6tables-template.conf.erb.
I committed a slightly different template to puppet/staging that I built on an EL-5 box. EL-5 doesn't have ip6tables conntrack, so -m state functions won't work there.
I've done some more digging, and posted my findings on [1], specifically that our torrent tracker doesn't support IPv6, though the VM is on a machine that has a global IPv6 address. I've started looking at building opentracker [2], which is under a beerware license (so acceptable). It requires libowfat, which in Fedora is built against dietlibc. Neither libowfat nor dietlibc are built on EL-5. I've reached out to the maintainers of these to see if they will branch, or if we can build libowfat for EL-5 against glibc.
At the moment, hosts and VMs housed at iBiblio can be reached via IPv6 global addresses natively. No word from Telia yet, though some people here think they're capable, but our VMs there aren't getting addresses automatically assigned. OSUOSL has plans in the works and hope to have something within a few months. BU is about a year away from production use. Our other kind hosting facilities have no plans at this time.
With what we have at iBiblio, we could enable ns2, proxy4, and torrent1 pretty easily.
[1] http://fedoraproject.org/wiki/Infrastructure/IPv6
[2] http://erdgeist.org/arts/software/opentracker/
On 08/27/2009 01:06 AM, Tristan Santore wrote:
Matt, I think the key issue is to get anything going. Anything is better than nothing. When other providers roll IPv6 PAs out, those locations can be enabled when available. Of course there would also be the 6to4 option. It might also be smart to check if those providers offer a 6to4 gateway; then 6to4 tunneling could be used in the interim.
6to4 is definitely worth investigating, but there are a few downsides:
- the gateway is often far away (you hint at this)
- it complicates firewalling; a site may need additional rules relating to wrapping, unwrapping and passing protocol IPPROTO_IPV6 (41) on the iptables (i.e. IPv4 tables) side of things
It's definitely an option to consider, though...
Jeff
On 08/27/2009 01:01 AM, Matt Domsch wrote:
I've done some more digging, and posted my findings on [1] specifically that our torrent tracker doesn't support IPv6, though the VM is on a machine that has a global IPv6 address. I've started looking at building opentracker, which is under a beerware license (so acceptable).
[...]
Regarding bittorrent,
http://www.sixxs.net/tools/tracker/
And they link to http://ipv6.niif.hu/index.php?mn=3&sm=5&lg=en which is dead, but http://ipv6.niif.hu/index.php?mn=3&sm=5&lg=en which is alive, and contains some discussion of IPv6 and BT.
With what we have at iBiblio, we could enable ns2, proxy4, and torrent1 pretty easily.
Nice!
Jeff
On 08/23/2009 04:50 PM, Matt Domsch wrote:
The automatic Internet2 detection will need some help too, as right now the BGP tables I'm pulling from http://syslog.abilene.ucaid.edu/bgp/WASH/RIBS/ is only listing IPv4 addresses.
neat :) didn't know about this.
As for serving other content, if it's fronted by the proxy servers (e.g. web content), then it should naturally start working via the IPv6-enabled proxys. Testing will prove that out.
Yep.
Though I would prioritize A+AAAA web setups below other tasks, since web content has the greatest possibility of meeting a misconfigured user, who cannot figure out what went wrong.
For non-web content (git, cvs, ssh?), I believe this is mostly hosted in PHX, which at this point we don't believe has native IPv6. How can we go about requesting such in the colo? I presume this is something that Red Hat IS would have to ask for on our behalf. I'd much rather try to get native going, instead of dealing with 6to4 (the nearest 6to4 server is 10 hops and 60+ms away) or tunnels.
Agreed... unless native IPv6 is estimated to be years away.
Internal pushing at RH has yielded very little result...
fedorapeople is at BU, which has some native IPv6 capability, but it's not clear they use it: http://www.mrp.net/IPv6_Survey.html
As for DNS servers (serving DNS over IPv6), we have: ns1 is at serverbeach.
Best googled estimates are "probably by the end of 2009"
ns2 is at ibiblio.
That's the good news. ibiblio has been experimenting with IPv6 for years: http://theclassicalstation.org/press/2004_ipv6.shtml
Also, another DNS issue: getting AAAA glue records served by the .org registrar.
We'll need to know their native IPv6 capability before proceeding there. This is less critical, as most users are still doing their DNS lookups to an IPv4 DNS server at their ISP. But it would be nice.
Technically this is true... but it is also true that most users are still doing IPv4 ;)
I tend to look at DNS as a "sooner rather than later" hurdle, because that is the first link necessary to construct an all-IPv6 path to the destination servers.
Jeff