Ysera

Alibaba Cloud Tech Share - Prepare your website/app for IPv6-only networking

Posted time: Feb 3, 2017 14:22 PM
Foreword
IPv6 has been making its presence felt since around 2010, yet support for it remains poor even though IPv4 resources have been fully assigned in the United States.
 
But IPv6 began to show rising popularity recently in developer circles, as Apple now requires every iOS app to support IPv6-only networking. I think it is a good thing. IPv6 user experience will never improve without a strong push. Even if the push doesn't come from Apple, Google may force the promotion of IPv6 sooner or later.
 
IPv6-only
IPv6-only means that only IPv6 addresses are reachable and no IPv4 addresses exist. The DNS cache server must therefore have an IPv6 address, and clients can connect only to servers that support IPv6. To resolve a domain name, the domain name itself and the DNS server of the root domain name it belongs to must also support IPv6. In short:
1. The DNS server of the root domain name that the domain name belongs to should support IPv6.
2. The DNS resolution and DNS server used by the domain name should support IPv6.
3. The server should support IPv6 and have IPv6 resources.
4. The server system and web software should support IPv6.  
 
Domain name and DNS service
In the IPv6 support report of TLDs (Top Level Domains), we see that as of the press date of this article, only 98.1% of TLDs support IPv6 resolution, including com, net, biz, cloud, and top.  
In terms of DNS servers, foreign providers such as CloudFlare, NS1, Route 53, DNSimple and Rage4, and domestic providers such as DnsPod, Baidu Cloud CDN and sDNS support IPv6-only. However, as of the press date of this article, Alibaba Cloud DNS and CloudXNS haven't started to support IPv6-only.
IPv6 addresses are published in AAAA records, and IPv4 addresses in A records.
 
Server support of IPv6
At present, DigitalOcean, Vultr and Linode all adopt default-assigned IPv6 addresses. Many VPS brands may even offer an IPv6 segment free of charge.  
If our sites or apps are hosted on Alibaba Cloud or other clouds, we have to make them support IPv6-only. There are currently three feasible solutions:
1. Use a tunnel to add IPv6 support indirectly, at Layer 3 (the network layer).
2. Run an HTTP reverse proxy on a server that supports IPv6 and point the AAAA records at the proxy server.
3. Use CDN cache. CDN services such as CloudFlare can support IPv6.
 
However, each of these three solutions has drawbacks. Specifically, the first solution has the fewest problems and functions almost natively; the reverse proxy is limited by the latency of the reverse proxy server and comes at significant construction costs; and the CDN cache solution, for example Cloudflare, has an unsatisfactory speed in China.
 
Tunneling transmission to support IPv6
Here we will introduce how to use Hurricane Electric Free IPv6 Tunnel Broker to expand server support for IPv6. The Tunnel Broker is equivalent to a proxy structured on the network layer (Layer 3). The operating system of your server should support Tunnel Broker and the server must have a fixed IPv4 address.  
 
1. Sign up on www.tunnelbroker.net. Do not forget to verify your e-mail address.  
 
2. Create a tunnel at www.tunnelbroker.net/new_tunnel.php
 
3. IPv4 Endpoint (Your side): Enter the server IP address; Available Tunnel Servers: Select the region with the lowest latency. Domestic access to Hong Kong, Singapore and Japan regions in Asia is very poor according to tests. We recommend Fremont.  
 
4. Click “Create Tunnel” and the tunnel will be ready.  


5. Modify the network parameters to make the system support IPv6. Edit /etc/sysctl.conf, and change the following
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

to
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

Run the sysctl -p command to enable IPv6.

root@mf8.biz:~# sysctl -p
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2


6. In the HE window, click “Example Configurations” and select your system. Here we take Debian 8.5 as an example.  
Modify the /etc/network/interfaces file and add the code listed in the figure at the bottom:  

Save the changes and restart the system.  
 
7. Confirm that IPv6 support is enabled.
Run the ifup he-ipv6 command to confirm IPv6 has been enabled.  
root@MF8.BIZ:~# ifup he-ipv6
ifup: interface he-ipv6 already configured
ifup: interface he-ipv6 already configured


8. In DNS, add AAAA records that point to the assigned IPv6 address.

Enable the support on web server apps
Enabling the IPv6 support on the server isn't all that is needed. Related settings are also required on web server software such as Apache and nginx.  
 
nginx
server {
 listen 80; # Listen on IPv4 port 80
 listen [::]:80; # Listen on IPv6 port 80
}

server {
 listen 443 ssl http2; # Listen on IPv4 port 443
 listen [::]:443 ssl http2; # Listen on IPv6 port 443
}


Apache HTTPD
Listen <server IPv4 address>:8080
Listen [<assigned IPv6 address>]:8080


Important: Do not forget to restart the system.
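
A check for the nginx settings above, as an added example that is not part of the original post: it parses an nginx configuration and reports every server block whose `listen` directives cover IPv4 but not IPv6, which is the gap that leaves a site unreachable for IPv6-only clients. `SAMPLE_CONF`, `example.test` and the function names are constructed for illustration.

```python
import re

# Constructed sample (not from the post): block 2 serves HTTPS over IPv4 only.
SAMPLE_CONF = """
server {
    listen 80;
    listen [::]:80;
}
server {
    listen 443 ssl http2;
    server_name example.test;
    location / { root /var/www/html; }
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, honouring nested braces."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def listen_ports(body):
    """Return (ipv4_ports, ipv6_ports) declared by `listen` in one server block."""
    v4, v6 = set(), set()
    targets = [m.group(1).split()[0] for m in re.finditer(r"\blisten\s+([^;]+);", body)]
    for t in targets:
        if t.startswith("["):                        # [addr] or [addr]:port
            v6.add(int(t.rpartition("]:")[2]) if "]:" in t else 80)
        elif not t.startswith("unix:"):              # port, addr or addr:port
            port = t.rpartition(":")[2]
            v4.add(int(port) if port.isdigit() else 80)
    if not targets:
        v4.add(80)                                   # no listen: nginx defaults to *:80
    return v4, v6

def missing_ipv6(conf):
    """List (block number, server_name, ports) reachable over IPv4 only."""
    report = []
    conf = re.sub(r"#.*", "", conf)                  # strip comments first
    for idx, body in enumerate(server_blocks(conf), 1):
        v4, v6 = listen_ports(body)
        name = re.search(r"\bserver_name\s+([^;\s]+)", body)
        if v4 - v6:
            report.append((idx, name.group(1) if name else "_", sorted(v4 - v6)))
    return report

if __name__ == "__main__":
    print(missing_ipv6(SAMPLE_CONF))
```

An empty result means every server block that listens on an IPv4 port also has a matching `listen [::]:port` line.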