IPv6 ... here I come
Sooo... I'm finally part of the IPv6 world now, and so is this blog. I've been meaning to do this for a long time now, but ... you know. – I ran into some traps – partly my own fault – so I might just share it for others, too.
First of all, and this got me several times, when testing loosen up
your iptables settings. That especially means setting the right
policies in ip6tables: ip6tables -P INPUT ACCEPT. (I had set the
default policy to DROP before automatically at interface-up time.
It's better safe than sorry. Do you know what services listen on ::
by default?)
I started out using a simple
Teredo tunnel, which
worked well enough. See Bart's article
ipv6 on your desktop in 2
steps. The default
gai.conf, used by the glibc to resolve hosts, will still prefer IPv4
addresses over IPv6 if your only access is a Teredo tunnel. You can
change this by commenting out the default label policies in
/etc/gai.conf, except for the #label 2001:0::/32 7 line. (See
here
for example. The blog post advises to reboot or wait 15 minutes, but
for me it was enough to re-start my browser / newsreader / ...)
So I set up IPv6 on my server. This was rather easy because Hetzner provides native v6. The real work is just re-creating the iptables rules, adding new AAAA records for DNS. Strike that: The real work is teaching all your small tools to accept IPv6-formatted addresses. (Great efforts are underway to modernize many programs. But especially your odd Perl script will simply choke on the new log files. :-P)
I am still not sure how I should use all these addresses. For now I
enabled one "main" IP for the server, 2a01:4f8:150:4022::2. Then I
have one for plenz.com and one for the blog,
ending in leet-speak "blog": 2a01:4f8:150:4022::b109 – Is it
useful to enable one ip for every subdomain and service? It sure seems
nice, but also a big administrative burden...
Living with the Teredo tunnel for some hours, I wanted to do it "the right way", i.e. enabling IPv6 tunneling on my router. Over at HE's Tunnelbroker you'll get your free tunnel, suitable for connecting your home network.
I'm still using an old OpenWRT WhiteRussian setup with 2.4 kernel, but everything works surprisingly well, once I figured out how to do it properly. HE conveniently provides commands to set up the tunnel; however, setting up the tunnel creates a default route that routes packets destined to your prefix across the tunnel. (I don't know why this is the case.) Thus, after establishing the tunnel, I'm doing:
# send traffic destined to my prefix via the LAN bridge br0
ip route del <prefix>::/64 dev he-ipv6
ip route add <prefix>::/64 dev br0
Second, I want to automatically update my IPv6 tunnel endpoint
address. HE conveniently provides and IPv4 interface for that. Simply
md5-hash your password via echo -n PASS | md5sum, find out your user
name hash from the login start page (apparently not the md5 hash of
your username :-P) and your tunnel ID. My script looks like this:
root@ndogo:~# cat /etc/ppp/ip-up.d/he-tunnel
#!/bin/sh
set -x
my_ip="$(ip addr show dev ppp0 | grep ' inet ' | awk '{print $2}')"
wget -O /dev/null "http://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=$my_ip&pass=PWHASH&user_id=UHASH&tunnel_id=TID"
ip tunnel del he-ipv6
ip tunnel add he-ipv6 mode sit remote 216.66.86.114 local $my_ip ttl 255
# watch the MTU!
ip link set dev he-ipv6 mtu 1280
ip link set he-ipv6 up
ip addr add <prefix>::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6 mtu 1280
# fix up the routes
ip route del <prefix>::/64 dev he-ipv6
ip route add <prefix>::/64 dev br0 2>/dev/null
Side note: Don't think that scripts under /etc/ppp/ip-up.d would get
executed automaically when the interface comes up. Use something like
this instead:
root@ndogo:~# cat /etc/hotplug.d/iface/20-ipv6
#!/bin/sh
[ "${ACTION:-ifup}" = "ifup" ] && /etc/ppp/ip-up.d/he-tunnel
The connection seemed to work nicely at first. At least, all Google
searches were using IPv6 and were fast at that. However, oftentimes (in
about 80% of cases) establishing a connection via IPv6 was not
working. Pings (and thus traceroutes) showed no network outage or
other delays along the way. However, tcpdump showed wrong checksums
for a lot of TCP packets.
Only today I got an idea why this might be: wrong MTU. So I set the
MTU to 1280 in the HE web interface and on the router, too: ip link
set dev he-ipv6 mtu 1280. Suddenly, all connections work perfectly.
I've been toying around with the privacy extensions, too, but I don't know how to enable the mode "one IP per new service provider". There's some information about the PEs here but for now I have disabled them.
My flatmate's Windows computer and iPhone picked up IPv6 without further configuration.
I'm actually astonished how many web sites are IPv6 ready. So far I like what I'm seeing.
Update: While setting up an AAAA record for the blog, I forgot it had been a wildcard CNAME previously. The blog was not reachable via IPv4 for a day – that was not intended! ;-)
Happy New Year!
I started this blog exactly one year ago. Over the course of this year, I wrote 105 articles. That is not really much, and I want to write more – just about the stuff that's on my mind. So stay tuned. ;-)
A Happy New Year to all my readers!
ending the silence
It has been a little more than three months since I last posted something here in my blog. Considering that the first post ever in this blog was from 1st of January this year, this pretty much looked like a "tried to blog, but gave it up again" thing.
I was really busy, however, and was simply not able to write a single post. What really ate up all my time was my latest pet project, writing a German book about Git. Valentin (my co-author) and I worked really hard throughout the past few weeks – only got up once in a while to get something to eat and stock up on Club Mate. The book is being published at Open Source Press and will be available from the end of June. Go buy it!
Now, with a lot of free time on my hands, I can finally get back to my studies (yes, really). Also, I will devote more time to this blog. :-)
Blog software
Which blog software to take? – Not a simple question to answer.
I had my mind on Ikiwiki for quite some time. I haven't got it working, though. After several tries, I gave up. (The problem had in part something to do with an outdated git version, which I cannot upgrade on the server without going through quite some hassle.)
I decided to use Jekyll now. As with other "static site generators", the documentation is pretty rudimentary (and largely not very helpful). After some hours of fiddling around, I finally found a way to integrate tags and a tag cloud. This blog post has been very helpful, although I had to patch the file. Strangely, also, Jekyll refused to load any plugins when calling it like
/var/lib/gems/1.8/bin/jekyll --no-auto <source> <destination>
To fix this, I set up git's post-receive hook to cd to that
directory first, and then call Jekyll with . as source paramter.
Time for a quick listing of pros and cons:
pro
- Write posts in
vimwith Markdown syntax - Store every modification in a git repo
- Publish with a simple
git push
contra
- Written in ruby (I'd have liked Perl much better)
- Lots of ruby/gem/rake/whatever stuff
- No extensive Documentation or User's Guide available
The template mechanisms seem managable, though. As for security and speed, the pages are generated once (even for pagination stuff) and are copied as simple static HTML pages to the web server. This is nice.
In the weeks to come I might publish the git repo of this blog where my other git repos are at.
Starting a blog
2011 is here. I will try to maintain a blog again. The last time I gave up because I had nothing to write any more (I thought). I discover, though, that a lot of people like to read what I write.
So I have a blog again. I'll post random stuff here. Might just be about UNIX tools; philosophy; math stuff; books I read; links I like. English or German, -- maybe other languages in the future.
Stay tuned. :-)