IPv6... for DNS
I have been rooting for IPv6 to get rolled out for a very, very, very long time. I've hated watching people become landless cyberserfs in cyberspace, and hated seeing IPv4 getting even more entrenched. Sometimes I daydream about what might have happened if we'd managed to get IPv6 rolled out before 1996, in some alternate universe where DHCP need not have existed....
Anyway - if you care about the future of the Internet... and run your own DNS server... and have IPv6 enabled and routable (my providers do) - a small blow into the future can be struck today! IPv6 on some of the Internet's root servers has been rolled out.
The new named.root file (which is called /etc/bind/db.root on Ubuntu) is here. Download it, restart your name server, and you've taken one small step towards upgrading to IPv6.
On one of my test domains, I've started working on moving a whole bunch of basic services over to IPv6 - starting with web, ssh, and email. Web works great, ssh works great, email... well, email is an issue because A) there are very few people running IPv6 mail exchangers (even gmail doesn't!) and B) rbls don't work (making spam a bigger issue).
Solving A), by publishing a pair of mx records, with one being IPv6 and the other being IPv4 - shouldn't break anybody too hard... I think. So that's what I just did. Incoming mail on IPv4 gets rbld, incoming on IPv6 doesn't. I'll watch my logs for a while and see what happens.
Solving B) for email - well, I have a few solutions in mind, all of which require more support than I have at present.
1) I can rotate my IPv6 address for my mail exchanger on a regular basis. Arbitrary spammers will never find me, while legitimate mailers that pay attention to DNS expiry times will "just work" bwahahahahaa! The flaw of this scheme is that an attacker can use the same technique (which basically negates the usefulness of the RBL lists), so having working reverse DNS is a bare minimum for me to even accept attempts at email over IPv6. I'd hoped someone out there had put out a best practices for IPv6 SMTP servers document, but nope...
2) Strong crypto of various forms
3) Only accepting authenticated mail for just the domains and users I manage. I wish there was a ring of trust....
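The reverse-DNS floor from option 1, as an added example (not the author's code), taken one step further to a forward-confirmed check: look up the client's ip6.arpa PTR name and accept only if one of the returned names has an AAAA record pointing back at the same address. The lookup functions, hostnames and 2001:db8:: addresses are constructed stand-ins for a real resolver and real zones.

```python
import ipaddress

# Constructed sample DNS data (2001:db8::/32 is the documentation prefix).
PTR = {  # reverse zone: ip6.arpa nibble name -> hostnames
    ipaddress.ip_address("2001:db8::25").reverse_pointer: ["mx6.example.net."],
    ipaddress.ip_address("2001:db8::bad").reverse_pointer: ["mail.example.org."],
}
AAAA = {  # forward zone: hostname -> addresses, in whatever text form the zone uses
    "mx6.example.net.": ["2001:0db8:0000:0000:0000:0000:0000:0025"],
    "mail.example.org.": ["2001:db8::1"],  # forward record points elsewhere
}


def lookup_ptr(name):
    """Hypothetical resolver stub; swap in real PTR queries in production."""
    return PTR.get(name, [])


def lookup_aaaa(name):
    """Hypothetical resolver stub; swap in real AAAA queries in production."""
    return AAAA.get(name.lower(), [])


def check_client(client_ip, ptr=lookup_ptr, aaaa=lookup_aaaa):
    """Return (verdict, hostname) for an SMTP client address."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        return ("ipv4: use RBL path", None)  # the post keeps RBLs for IPv4
    names = ptr(addr.reverse_pointer)  # e.g. 5.2.0.0. ... .8.b.d.0.1.0.0.2.ip6.arpa
    if not names:
        return ("reject: no PTR", None)
    for name in names:
        for rr in aaaa(name):
            # Compare parsed addresses, not strings: zones may store the
            # expanded form while the socket reports the compressed one.
            if ipaddress.ip_address(rr) == addr:
                return ("accept", name)
    return ("reject: PTR not forward-confirmed", names[0])


if __name__ == "__main__":
    for ip in ("2001:db8::25", "2001:db8::bad", "2001:db8::dead", "192.0.2.10"):
        print(ip, check_client(ip))
```

A PTR record alone is controlled by whoever holds the reverse delegation for the address block, so the forward confirmation is what ties the connecting address to a hostname its owner also publishes.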
It looks like Verizon is rolling out IPv6 to businesses by June... which, to me, is to the wrong people. The best way to jump-start IPv6 adoption is to make it available on the wire to home users, first, that know what they are doing - and want to implement things like easy home automation, etc.
Oh brave new world that has such protocols in it! I would dearly like to convince IPsec to work for me... haven't figured out how to do primary dns delegation over ipv6... lots to do.
There's plenty I don't know about IPv6, but at least I know a heck of a lot more about it than I did when I migrated (slowly) off of IPX and NetBEUI onto TCP back in the early 90s....