From owner-freebsd-net@freebsd.org Tue Jun 25 10:21:23 2019
Date: Tue, 25 Jun 2019 12:11:40 +0200
From: Wolfgang Zenker
To: freebsd-net@freebsd.org
Cc: FreeBSD Mailing List
Subject: Re: IPv6-only network--is NAT64+DNS64 really this easy now?
Message-ID: <20190625101140.GG26071@lyxys.ka.sub.org>
References: <5e24739b-bbd0-d94a-5b0e-53fdeba81245@bluerosetech.com> <19784363-6543-ccc1-b13f-5f1a67dc10d1@bluerosetech.com>
In-Reply-To: <19784363-6543-ccc1-b13f-5f1a67dc10d1@bluerosetech.com>
Organization: private site
User-Agent: Mutt/1.12.0 (2019-05-25)
List-Id: Networking and TCP/IP with FreeBSD

* Mel Pilgrim [190625 04:47]:
> On 2019-06-24 19:33, Ultima wrote:
>> While it may be possible to have an IPv6 only environment, I don't
>> think it is really viable. There are simply too many things that don't
>> run on or have very limited support for IPv6 that it makes it very hard
>> to drop IPv4 altogether and until something comes along forcing the
>> move it likely won't happen for at least another decade at the minimum.
> Yes, that is why I wrote "Waving a hand at bug-hunting and lamentations
> over the inertia of embedded systems designers".
> This is a lab experiment specifically to iron out the very wrinkles you
> just stated.

Depending on what you want to do it is viable now. At work we use
IPv6-only jails for web hosting, where all jails on one physical machine
share one NAT64 gateway for outgoing connects to IPv4-only services like
Github. That gateway is the only dual-stack jail on a machine; the host
and all other jails are IPv6 only. The NAT64 jail also provides a reverse
proxy for incoming web access on IPv4. Customers on an IPv4-only
connection use an ssh jumphost to access the server. We use ipfw for
NAT64 and bind for DNS64.

At RIPE meetings twice a year I use the provided IPv6-only network for
net access with phone and notebook; in these 10 days per year for the
last couple of years I have not seen any problems myself. Some people
reported problems accessing VPN gateways though, and accessing IPv4-only
services that use DNSSEC is a problem if your local resolver on the
client does DNSSEC validation.

>> On Mon, Jun 24, 2019 at 6:50 PM Mel Pilgrim wrote:
>>> I'm looking to set up a pure-IPv6 environment to test the viability of
>>> it. I tried this a few years ago and fell flat on my face due to the
>>> lack of NAT64 and DNS64 support.
>>> Reading through docs now, it looks like unbound has a DNS64 module, and
>>> NAT64 is baked into ipfw. Waving a hand at bug-hunting and lamentations
>>> over the inertia of embedded systems designers, has it really become
>>> this easy to turn up an IPv6-only site?
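The reply above describes a NAT64 gateway (ipfw) paired with a DNS64 resolver (bind or unbound) and notes that client-side DNSSEC validation breaks access to IPv4-only services. As an added illustration that is not part of this thread, the following Python models the two mechanisms behind that setup: the RFC 6052 mapping between an IPv4 address and its NAT64 representation, and the DNS64 decision of when to synthesize an AAAA record. It assumes the well-known prefix 64:ff9b::/96 by default and, going beyond the thread, also handles the other RFC 6052 prefix lengths.

```python
import ipaddress

# RFC 6052 permits these NAT64 prefix lengths. 64:ff9b::/96 is the
# well-known prefix that ipfw nat64 and the DNS64 modules of unbound and
# bind use unless a site-specific prefix is configured (assumed default).
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = "64:ff9b::/96"


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in a NAT64 prefix (RFC 6052 section 2.2).

    For prefixes shorter than /96 the IPv4 bits would cross bit 64, where
    RFC 6052 reserves a zero "u" octet, so the tail is shifted past it.
    """
    net = ipaddress.IPv6Network(prefix)
    plen = net.prefixlen
    if plen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError("NAT64 prefix must be /32, /40, /48, /56, /64 or /96")
    bits = format(int(net.network_address), "0128b")[:plen]
    bits += format(int(ipaddress.IPv4Address(ipv4)), "032b")
    if plen < 96:
        bits = bits[:64] + "0" * 8 + bits[64:]  # insert the u octet
    return ipaddress.IPv6Address(int(bits.ljust(128, "0"), 2))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Inverse mapping: the IPv4 destination a NAT64 gateway forwards to."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside NAT64 prefix {net}")
    bits = format(int(addr), "0128b")
    if net.prefixlen < 96:
        bits = bits[:64] + bits[72:]  # drop the u octet
    return ipaddress.IPv4Address(int(bits[net.prefixlen:net.prefixlen + 32], 2))


def dns64_answer(a_records, aaaa_records, prefix=WELL_KNOWN_PREFIX):
    """Model the DNS64 decision; returns (ipv6_addresses, synthesized).

    Native AAAA records pass through untouched; synthesis from A records
    happens only when the name has no AAAA at all. Synthesized records carry
    no RRSIG, which is why a client that validates DNSSEC itself rejects them.
    """
    if aaaa_records:
        return [ipaddress.IPv6Address(a) for a in aaaa_records], False
    return [synthesize_aaaa(a, prefix) for a in a_records], True
```

The example addresses below are the documentation values from RFC 6052 (192.0.2.33, 2001:db8::/32 derivatives), not hosts from the thread.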