Enabling IPv6 in Ubuntu ufw

I was creating a new web site, dogstarplanet.com, and as I was installing it on my IPv6-enabled host I thought I would set up the A and AAAA records for the same CNAME.

Windows-based PCs without any IPv6 routing obviously ignore any AAAA records and the browser connects to the site as expected, but an Ubuntu desktop I was using was unable to get to the site: both Firefox and Opera failed to connect.

I loaded Wireshark to see if my traffic was leaving, and though I could see the DNS queries for AAAA and A records there was no TSP traffic (Tunnel Setup Protocol) to the freenet6.net IPv4 address (I’m using the gogoc package out of the box). This means that the browser connection was not getting to the tunnel interface, so the problem was either firewalling or the kernel.

If I run the Firestarter then I also see the tun (routed IP tunnel) but no traffic passes (note: that I have since removed Firestarter and now run Gufw).

IPv6 is in the kernel, but I had ufw enabled, and ufw does not have IPv6 enabled by default, so if you try ping6 you get an error message like this:

ping6 ipv6.google.com
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
...

If it is safe to do so, you can quickly confirm that this is your problem by turning off ufw with the command

sudo ufw disable

Now your ping6 should work. If it does not, then you have a tunnel problem: use the command netstat -rn6 to check whether you have tun entries in the IPv6 routing table.

It is easy to enable IPv6 in ufw: edit /etc/default/ufw and, towards the top, change the line IPV6=no to IPV6=yes.

Save that, then disable and re-enable the firewall (sudo ufw disable followed by sudo ufw enable), or run sudo ufw reload if it was still running.
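The edit-and-reload step above as an added shell example (not code from the original post): it reports and switches the IPV6 setting of a ufw defaults file, idempotently, working on a constructed copy of /etc/default/ufw so it runs without root; point it at the real file with sudo when you mean it.

```shell
#!/bin/sh
# Added example: check and enable IPV6=yes in a ufw defaults file.
# Works on any path, so the demo below uses a constructed temp copy.

# Print the effective IPV6 value (yes/no) from a ufw defaults file, or "unset".
# ufw sources the file as shell, so the last uncommented assignment wins.
ufw_ipv6_setting() {
  val=$(grep -E '^[[:space:]]*IPV6=' "$1" | tail -n 1 \
        | sed -E 's/^[[:space:]]*IPV6=//; s/^"//; s/"$//')
  [ -n "$val" ] && echo "$val" || echo unset
}

# Set IPV6=yes in the file. Prints "changed" or "unchanged" so a script can
# decide whether a reload is needed. A .bak copy is kept beside the file.
ufw_enable_ipv6() {
  cfg=$1
  if [ "$(ufw_ipv6_setting "$cfg")" = yes ]; then
    echo unchanged
    return 0
  fi
  if grep -qE '^[[:space:]]*IPV6=' "$cfg"; then
    sed -i.bak -E 's/^([[:space:]]*IPV6=).*/\1yes/' "$cfg"
  else
    printf 'IPV6=yes\n' >> "$cfg"   # no IPV6 line at all: append one
  fi
  echo changed
}

# Constructed stand-in for /etc/default/ufw with the shipped default (IPV6=no).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/default/ufw (constructed sample, not the real file)
IPV6=no
DEFAULT_INPUT_POLICY="DROP"
EOF
ufw_enable_ipv6 "$sample"    # changed
ufw_ipv6_setting "$sample"   # yes
# On the real file the change only takes effect after:  sudo ufw reload
# (or sudo ufw disable && sudo ufw enable). Then ping6 should get replies.
```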

Now you will be able to ping6 and connect to IPv6-enabled hosts using a browser. Note that when you ping6 there is also a PTR query (which you would only see in Wireshark), and you may get a "no such name" response if you have not configured your host's DNS records correctly. So if you are committed to setting up IPv6 on your host, please check that you have added a suitable DNS PTR entry for the dotted-nibble (ip6.arpa) form of your IPv6 address. Very few protocols use IPv6 PTR queries, perhaps only mail connections and, obviously, ping6.
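To see what that dotted-nibble PTR name actually looks like, here is an added POSIX sh/awk example (not from the original post) that expands an IPv6 address, including "::" compression, into its ip6.arpa name and the zone record you would need; the address used is a documentation address from 2001:db8::/32 and the host name is a placeholder.

```shell
#!/bin/sh
# Added example: derive the ip6.arpa (dotted-nibble) name for an IPv6 address.
# Handles "::" compression and mixed-case hex; does not handle zone IDs or the
# embedded-IPv4 form. Returns non-zero and prints nothing for a malformed address.
ip6_ptr_name() {
  printf '%s\n' "$1" | awk '
    function pad4(g) { while (length(g) < 4) g = "0" g; return g }
    {
      addr = tolower($0)
      pos = index(addr, "::")              # at most one "::" is legal
      if (pos) { left = substr(addr, 1, pos - 1); right = substr(addr, pos + 2) }
      else     { left = addr; right = "" }
      n = split(left, L, ":")
      m = split(right, R, ":")
      full = ""
      for (i = 1; i <= n; i++) full = full pad4(L[i])
      for (i = n + m; i < 8; i++) full = full "0000"   # groups elided by "::"
      for (i = 1; i <= m; i++) full = full pad4(R[i])
      # A valid address is exactly 32 hex nibbles once expanded.
      if (length(full) != 32 || full ~ /[^0-9a-f]/) exit 1
      out = ""
      for (i = 32; i >= 1; i--) out = out substr(full, i, 1) "."
      print out "ip6.arpa"
    }'
}

# Print the reverse-zone record line for an address and its host name.
ip6_ptr_record() {
  name=$(ip6_ptr_name "$1") || return 1
  printf '%s. IN PTR %s.\n' "$name" "$2"
}

# Demo with a documentation address and a placeholder host name.
ip6_ptr_name 2001:db8::1
# 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
ip6_ptr_record 2001:db8::1 ipv6.example.com
```

dig -x with the same address queries exactly this name, so if the record you add to the reverse zone does not answer to it, the ping6 PTR lookup will not either.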

http://No.More.gTLD.Please.ICANN/

We do not agree with the ICANN program of allocating new (generic) gTLDs. Their claim that the “expansion of the generic top-level domain (gTLD) space will allow for a greater degree of innovation and choice” is, in our view, in a word, nonsense.

An existing brand will already have their BRAND plus .COM, .NET and .ORG gTLD. The innovation and choice has already settled at that second level.

A small startup won’t be able to afford to run or own a .BRAND gTLD but must make do with the existing .COM and other gTLD or ccTLD space. You would be a moron to come up with a great new name and go ahead with your branding without getting the .COM, even if ICANN go ahead with their plans. Your ability to spend a vast amount of money and get a new gTLD isn’t going to change the fact that if you don’t have the .COM then you are still doomed to try a reverse domain name hijack or throw lots of money at the existing .COM owner to grab that too. So much for your choice.

“Innovation” and “choice” are an application layer problem. It is not a network problem. ICANN need to go back to school with a wall chart of the ISO 7-layer model if they think that semantically overloading the DNS is a way to “innovation” and “choice”.

For the past 10 years of the ICANN existence there are basically two problems that ICANN should be focusing on with all their hearts, minds and our money and that is the exhaustion of the IPv4 address space (i.e. IPv6) and the security of the DNS infrastructure (i.e. DNSSEC). Given IPv4 has started to exhaust but many ISP are only in beta programs for IPv6 then we’ll leave you to make a call as to how successful that has been.

We, the existing domain name owners, all pay ICANN money as a levy on the gTLD domain names that we buy, so we all have a right to complain about what they are doing. Like many domain name owners we’ve accumulated the main top level domains for our own company, Open Mutual Limited, but being a small company we have ignored the ccTLDs and the more esoteric gTLDs. With the new ICANN plans we’ll be looking at potentially many hundreds of new gTLDs which will segment the domain name space into a vast number of silos, and the further out you go from the traditional .COM the more expensive these new gTLDs seem to get (if the existing .info, .biz or .xxx are anything to go by).

If we wanted to semantically overload our domain names for application reasons then we do this at the 3rd level i.e. http://idea.openmutual.com. Our customers would always go to the existing domain name and then at an application level we would route them to the 3rd level domain and in all probability this would be done behind the scenes without the customer even knowing this domain name existed.

At a company level we would not be able to afford a new gTLD of http://openmutual.idea/ or http://idea.openmutual/ and neither would 99.9% of the rest of the world, and neither would this be the focus of any startups unless those startups were just in the business of allocating domain names. I fail to see where the innovation and choice is in filling out the ICANN forms to be just another registry for just another gTLD.

http://No.More.gTLD.Please.ICANN/

P2P and IPv6

Out of curiosity I was looking at the connections from a GNU/Linux machine running a BitTorrent (Transmission) client, and I noticed that about 50% of the connections were to IPv6 peers for a particular tracker.

The IPs were a mixture of Freenet6 (probably due to the very simple gogoc package use; this is the Gateway6 client that was in a package called gw6c or tspc) plus others, but most were Freenet6.

Why is this? Well, with the gogoc package you get an anonymous Freenet6 IPv6 address for your client machine without configuring a thing. From a corporate point of view this does add an extra layer of complexity to managing internet traffic to and from your LANs: you may block P2P traffic, but P2P over IPv6 tunnels may be leaking through.

IPv6 Testing

Just provisioned an IPv6 address on this server. I’d initially tried using an IP6 over IP4 tunnel, but this server uses venet virtual interfaces and they don’t seem to be very friendly with the sit interface (nor tun). After managing to lock myself out of the server (I had to edit the /etc/network/interface and interface.template to remove my changes and then reload) I went with the Host Europe allocated IP address. I kind of wanted my own range (i.e. a /64 from Hurricane Electric), but then I also want the server to run dual-stack IPv6, so I’ll live with the hosting-provided address for the moment.

You need to have Plesk version 10.2.0. If you have added the IPv6 address on top of an existing installation then you will have to go into each of the subscriptions for the domains that you want IPv6 support on, select Change Host Settings, and then pick the IPv6 address. It is your hosting provider that issues you the IPv6 address through their provisioning system.

In your DNS provider you need to add a name that points to the IPv6 address (an AAAA record). I have used ipv6, thus ipv6.openmutual.org can now be connected to from an IPv6 client.