On Monday, January 31, 2011 01:29:18 pm Randy McAnally wrote:
> The solution is to manually build your own kernel from a vanilla source, along
> with all the problems that entails.
There's also the RH eMRG rt kernel which is built on substantially newer
sources. You'll need to rebuild it yoursel
On Mon, 31 Jan 2011, Simon Perreault wrote:
The command
# ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT
works on CentOS 5.5. And there's no documentation for it in "man
ip6tables". So it fits the backport hypothesis...
While it may accept it, you may find it doesn't really work t
On Mon, 31 Jan 2011 11:53:22 -0600, Blake Hudson wrote
> > # ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT
> I guess the next question is whether or not it actually works correctly
You can open/shut ports but you can't do anything with connection state
(RELATED, ESTABLISHED, etc.)
On 1/31/2011 11:48 AM, Simon Perreault wrote:
works on CentOS 5.5. And there's no documentation for it in "man
ip6tables". So it fits the backport hypothesis...
Not unexpected. The kernel also handles virtio for kvm. It's nowhere
near vanilla.
Jack
Original Message
Subject: Re: Ipv6 for the content provider
From: Simon Perreault
To: nanog@nanog.org
Date: Monday, January 31, 2011 11:48:34 AM
> On 2011-01-31 12:38, Blake Hudson wrote:
>> I was under the impression that the later versions of 5 (e.g. 5.5, 5.
On 2011-01-31 12:38, Blake Hudson wrote:
> I was under the impression that the later versions of 5 (e.g. 5.5, 5.6)
> had backported stateful connection tracking. Has anyone tested recently?
The command
# ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT
works on CentOS 5.5. And there's n
Original Message
Subject: Re: Ipv6 for the content provider
From: valdis.kletni...@vt.edu
To: Charles N Wyble
Cc: nanog@nanog.org
Date: Wednesday, January 26, 2011 4:09:07 PM
> On Wed, 26 Jan 2011 13:56:05 PST, Charles N Wyble said:
>
>>> The only issue I
On Fri, Jan 28, 2011 at 8:04 PM, Owen DeLong wrote:
> The IPv6 geo databases actually tend to be about on par with the IPv4
> ones from what I have seen so far (which is admittedly limited as I don't
> really use geolocation services). However, I still think it is important for
> people conside
The IPv6 geo databases actually tend to be about on par with the IPv4
ones from what I have seen so far (which is admittedly limited as I don't
really use geolocation services). However, I still think it is important for
people considering deploying something as you described to be aware
of the add
On 1/26/11, Owen DeLong wrote:
> And if your servers behind the LB aren't prepared for it,
> you lose a LOT of logging data, geolocation capabilities,
> and some other things if you go that route.
Of course, anybody expecting a current IPv4 geolocation service to
provide accurate information over
On Jan 27, 2011, at 2:53 AM, Antonio Querubin wrote:
> On Wed, 26 Jan 2011, Owen DeLong wrote:
>
>> It's actually pretty well known and it is documented in several places in plain
>> sight.
>
> Where?
>
> A search for IPV6_V6ONLY in the FreeBSD Handbook yields nothing. You'd
> think the
On Wed, 26 Jan 2011, Owen DeLong wrote:
It's actually pretty well known and it is documented in several places in plain
sight.
Where?
A search for IPV6_V6ONLY in the FreeBSD Handbook yields nothing. You'd
think the brokenness would at least be mentioned in the handbook.
A similar search o
On Jan 26, 2011, at 3:13 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 26 Jan 2011 12:56:01 -1000, Antonio Querubin said:
>> On Wed, 26 Jan 2011, Owen DeLong wrote:
>>
Listen a.b.c.d:80 -> Listen 80
->
>>> That only works if you have only one address on the machine an
On Jan 26, 2011, at 2:59 PM, Antonio Querubin wrote:
> On Wed, 26 Jan 2011, Owen DeLong wrote:
>
>> It would be nice if BSD would correct their IPV6_V6ONLY behavior instead
>> of putting up an alleged security red herring. I'm not sure why Micr0$0ft
>> suffers from this braindeath.
>
> Or a
Additionally for DNS don't forget to add IPv6 glue for the nameservers
for your zones to the parent zones.
For named in particular listen-on-v6 needs to be specified as it
is not on by default e.g. "listen-on-v6 { any; };". Named will ask
questions over IPv6 by default even if it isn't listening
On Wed, 26 Jan 2011 12:56:01 -1000, Antonio Querubin said:
> On Wed, 26 Jan 2011, Owen DeLong wrote:
>
> >> Listen a.b.c.d:80 -> Listen 80
> >>->
> >>
> > That only works if you have only one address on the machine and.
>
> Actually it works fine on machines with multiple IP addre
On Wed, 26 Jan 2011, Randy McAnally wrote:
The only issue I've faced is RHEL/CentOS doesn't have stateful connection
tracking for IPv6 - so ip6tables is practically worthless.
As long as you're willing to run your iptables through a modification
filter to generate the corresponding ip6tables
On Wed, 26 Jan 2011, Owen DeLong wrote:
It would be nice if BSD would correct their IPV6_V6ONLY behavior instead
of putting up an alleged security red herring. I'm not sure why Micr0$0ft
suffers from this braindeath.
Or at the very least document this in plain sight in the IPv6 section of
the
On Wednesday, January 26, 2011 05:01:31 pm Randy McAnally wrote:
> I've worked around it by compiling custom (newer) Kernels on systems that need
> it. Apparently support was added some time around 2.6.20, but of course RHEL5
> is still in the dark ages of 2.6.18.
RHEL has the eMRG kernel availab
On Wed, 26 Jan 2011, Owen DeLong wrote:
Listen a.b.c.d:80 -> Listen 80
->
That only works if you have only one address on the machine and.
Actually it works fine on machines with multiple IP addresses for both
FreeBSD and CentOS. And IPv6 enabled servers can easily have mult
On Wed, 26 Jan 2011 13:56:05 PST, Charles N Wyble said:
> > The only issue I've faced is RHEL/CentOS doesn't have stateful connection
> > tracking for IPv6 - so ip6tables is practically worthless.
>
>
> H. Interesting. I wonder if this is specific to the RedHat kernel?
> Or a problem with v6
On Wed, 26 Jan 2011 13:56:05 -0800, Charles N Wyble wrote
> > The only issue I've faced is RHEL/CentOS doesn't have stateful connection
> > tracking for IPv6 - so ip6tables is practically worthless.
>
> H. Interesting. I wonder if this is specific to the RedHat
> kernel?
I've worked around
On 01/26/2011 01:50 PM, Randy McAnally wrote:
> On Wed, 26 Jan 2011 10:22:40 -0800, Charles N Wyble wrote
>
>> For the most part, I'm a data center/application
>> administrator/content provider kind of guy. As such, I want to
>> provide all my web c
Thus spake Randy McAnally (r...@fast-serv.com) on Wed, Jan 26, 2011 at
04:50:22PM -0500:
> On Wed, 26 Jan 2011 10:22:40 -0800, Charles N Wyble wrote
>
> > For the most part, I'm a data center/application
> > administrator/content provider kind of guy. As such, I want to
> > provide all my web c
On Wed, 26 Jan 2011 10:22:40 -0800, Charles N Wyble wrote
> For the most part, I'm a data center/application
> administrator/content provider kind of guy. As such, I want to
> provide all my web content over ipv6, and support ipv6 SMTP. What
> are folks doing in this regard?
The only issue I'
> That's definitely a bug. Mapped addresses should never hit the wire.
>
> Dual stack is quite a bit safer than NAT64/DNS64. The bug you describe
> should be fairly trivial to get fixed if someone can isolate which product
> actually has the bug. Have you tried the current kernel under the
> exi
On Jan 26, 2011, at 11:18 AM, George Bonser wrote:
>>
>> Application level support on Linux/FreeBSD/NetBSD is 98% and rising
>> every day. Apache, BIND, Postfix, they all work great. The "problem"
>> is you may need config adjustment. Your Apache ListenOn's will need
>> IPv6 added, your Postf
On Jan 26, 2011, at 11:17 AM, Francois Tigeot wrote:
> On Wed, Jan 26, 2011 at 10:22:40AM -0800, Charles N Wyble wrote:
>> For the most part, I'm a data center/application administrator/content
>> provider kind of guy. As such, I want to provide all my web content over
>> ipv6, and support ipv6 S
On Jan 26, 2011, at 11:17 AM, Antonio Querubin wrote:
> On Wed, 26 Jan 2011, Charles N Wyble wrote:
>
>> Do I just need to assign ip addresses to my servers, add records to
>> my DNS server and that's it? I'm running PowerDNS for DNS, Apache for
>> WWW. Postfix for SMTP.
>
> Best to remove
On Jan 26, 2011, at 11:22 AM, George Bonser wrote:
>> And if your servers behind the LB aren't prepared for it, you lose a LOT
>> of logging data, geolocation capabilities, and some other things if you
>> go that route.
>>
>> Owen
>
> Relying on IP address for geolocation is actually quite
On Jan 26, 2011, at 11:10 AM, David Freedman wrote:
>>>
>>>
>> And if your servers behind the LB aren't prepared for it, you lose a LOT
>> of logging data, geolocation capabilities, and some other things if you
>> go that route.
>>
>> Owen
>>
>>
>>
>
> I can't imagine an LB vendor who woul
Thus spake Leo Bicknell (bickn...@ufp.org) on Wed, Jan 26, 2011 at 10:55:26AM
-0800:
>
> The layer 3 part for you is really simple. Here's a deployment model we
> use a number of places. I'm going to assume you have a /48, from ARIN
> or your upstream.
>
> Lay out your networks as:
> :BB
Thus spake Jack Carrozzo (j...@crepinc.com) on Wed, Jan 26, 2011 at 01:38:48PM
-0500:
> As I understand it, when a client requests a particular domain of yours and gets
> an A and an , the client will default to the (assuming it's on a v6
> network) and attempt to communicate as such.
On Wed, 26 Jan 2011, Antonio Querubin wrote:
Best to remove IP version dependencies in your configs.
If you are using name-based virtual hosting in Apache, convert:
Listen a.b.c.d:80 -> Listen 80
->
Use hard-coded IP addresses only where required for stuff like SSL-enabled
web
> And if your servers behind the LB aren't prepared for it, you lose a LOT
> of logging data, geolocation capabilities, and some other things if you
> go that route.
>
> Owen
Relying on IP address for geolocation is actually quite ridiculous
though I do realize that many people seem to believe
>
> Application level support on Linux/FreeBSD/NetBSD is 98% and rising
> every day. Apache, BIND, Postfix, they all work great. The "problem"
> is you may need config adjustment. Your Apache ListenOn's will need
> IPv6 added, your Postfix "local nets" ACL will need your IPv6 addresses
> added,
On Wed, Jan 26, 2011 at 10:22:40AM -0800, Charles N Wyble wrote:
> For the most part, I'm a data center/application administrator/content
> provider kind of guy. As such, I want to provide all my web content over
> ipv6, and support ipv6 SMTP. What are folks doing in this regard?
>
> Do I just ne
On Wed, 26 Jan 2011, Charles N Wyble wrote:
Do I just need to assign ip addresses to my servers, add records to
my DNS server and that's it? I'm running PowerDNS for DNS, Apache for
WWW. Postfix for SMTP.
Best to remove IP version dependencies in your configs.
If you are using name-based
On 01/26/2011 07:46 PM, Owen DeLong wrote:
>> Do I just need to assign ip addresses to my servers, add records to
>> my DNS server and that's it? I'm running PowerDNS for DNS, Apache for
>> WWW. Postfix for SMTP.
>>
> It might be that simple, it might not. Depends on your application.
>
> For
>>
>>
> And if your servers behind the LB aren't prepared for it, you lose a LOT
> of logging data, geolocation capabilities, and some other things if you
> go that route.
>
> Owen
>
>
>
I can't imagine an LB vendor who would sell a v6 to v4 vip solution who
wouldn't provide a way to inject the v6
In a message written on Wed, Jan 26, 2011 at 10:22:40AM -0800, Charles N Wyble
wrote:
> For the most part, I'm a data center/application administrator/content
> provider kind of guy. As such, I want to provide all my web content over
> ipv6, and support ipv6 SMTP. What are folks doing in this reg
On 26/01/2011 20:22, Charles N Wyble wrote:
For the most part, I'm a data center/application administrator/content
provider kind of guy. As such, I want to provide all my web content over
ipv6, and support ipv6 SMTP. What are folks doing in this regard?
Do I just need to assign ip addresses to
On Jan 26, 2011, at 10:39 AM, George Bonser wrote:
>
>
>> From: Charles N Wyble
>> Sent: Wednesday, January 26, 2011 10:23 AM
>> To: nanog@nanog.org
>> Subject: Ipv6 for the content provider
>>
>> For the most part, I'm a data center/application administrator/content
>> provider kind of guy.
>
> Do I just need to assign ip addresses to my servers, add records to
> my DNS server and that's it? I'm running PowerDNS for DNS, Apache for
> WWW. Postfix for SMTP.
>
It might be that simple, it might not. Depends on your application.
For the DNS and Mail, it should be pretty much that
> From: Charles N Wyble
> Sent: Wednesday, January 26, 2011 10:23 AM
> To: nanog@nanog.org
> Subject: Ipv6 for the content provider
>
> For the most part, I'm a data center/application administrator/content
> provider kind of guy. As such, I want to provide all my web content over
> ipv6, and
Bind and apache work with v6 out of the box, and have for years. As I
understand it, when a client requests a particular domain of yours and gets
an A and an , the client will default to the (assuming it's on a v6
network) and attempt to communicate as such. Failing that, it will fall back