Likewise, IPv6 is pretty much useless if it is never used. I can assign the addresses all I please but ultimately if all I do is ping my desktop that sits "behind NAT" with it then for the most part the effort was wasted.
My server runs CentOS 5.2, my desktop runs Gentoo, my laptop Debian, my router Debian, my windows desktop Vista (dual boot Server 2008), and the Vista box also has three instances of OpenBSD running within VMWare.
I've got a pretty good testbed to see just what does/doesn't support IPv6, in terms of everything from general web browsing to random system daemons to whatever end-user programs you have a desire to run. So, I put together a small bit of info concerning what handles IPv6 perfectly, what is kind of broken, and what just looks at it with a mystified look on its face.
So to start:
Operating Systems
Windows
As far as I know, the first IPv6 stack was available for Windows 2000 via a separate download. XP bundled it by default, but left it uninstalled. Vista has the IPv6 stack enabled by default.
Linux
Got a pretty new IPv6 stack with 2.6. Had a working stack in 2.4. I'm pretty sure 2.2 had a functional stack too, as did 2.0. Don't quote me on that.
OpenBSD
Has supported IPv6 since 2.7.
Services/Servers
Apache
Apache has supported IPv6 ever since the 2.0 release. Every component of Apache that I tested supported IPv6 just fine, from general web page serving to SSL to proxies. Considering how much of the web is still on 1.3, all of those hosts will have to be upgraded to 2.0+ before a much wider IPv6 web base is available.
IIS
IIS (the Microsoft webserver) has supported IPv6 from their 6.0 release, also known as Server 2003. Most places use at least 2003 on their servers, the era of Win2k webservers kind of died out with Code Red and all of those other worms.
MySQL
Just kind of sits and looks at IPv6 like it has no clue what it is. Which is actually entirely true. Boo.
PostgreSQL
Talks happily with IPv6. At least I think. I'm too lazy to start my local copy and check. Their page on the matter isn't what one would call descriptive. No clue when this support was added.
MSSQL
Supported since their 2005 release.
Oracle
Officially supported as of 2006.
Samba
Supported as of the 3.2 release, which was actually just on June 1st of this year.
Windows SMB/CIFS
Supported with XP and onward. Probably Win2000 too.
So the servers are looking pretty good. Unless you run MySQL, which is pretty much everyone. Boo.
At a minimum, we can serve any content over HTTP just fine, and we can access most databases just fine too, unless your name starts with a "My" and ends with a "SQL."
End-user programs
Mozilla Suite (and Firefox, Thunderbird, Seamonkey and friends)
Native IPv6 support, ever since the year 2000. Still has some work to be done according to the meta bug, but pretty much all of those bugs are on random operating systems that don't adversely change your ability to connect to IPv6 enabled sites.
Internet Explorer
Supported IPv6 ever since 4.0, once you applied a patch from their research division. Real native support probably arrived with 5.0; if not, it was there by 6.0.
Outlook
Supported as of Outlook 2007.
Kopete
Supported. The KDE project has traces of IPv6 development starting around 1999. As far as I can tell, IPv6 is natively supported in every program in 3.5.
Pidgin
Supported. No clue as of when, due to the GAIM --> Pidgin name change, and I'm far too lazy to figure that out.
MSN Messenger, AIM, ICQ and friends
Who cares? (Likely not supported, though I doubt the client is the blocker in these cases.)
PuTTY
Supported since '04.
OpenSSH(d)
Supported. Probably since forever. Go OpenSSH.
irssi
Supported!
mIRC
Not supported without loading a third-party DLL. mIRC sucks anyway.
X-Chat
Supported... on Windows since '03, *nix and friends likely even earlier.
I could go on and on and on. I won't, because I have no desire to list hundreds of thousands of software packages and their relative IPv6 states. Plus I'm getting tired and this entire post was spontaneous. Not too bad for 30 minutes of google.
But for the most part, we've got a great picture. Every operating system, browser, and web server supports IPv6 and supports it fantastically well. Nearly every program on *nix supports IPv6 and has for quite some time, and most of the big name Windows programs support IPv6 as well.
Not mentioned here was DNS, but the protocol has had support for it since (just about) forever and now that we have AAAA records for the root servers in the public DNS, DNS is good to go with IPv6 from start to finish.
Now we just have to work on the ISPs and home grade routers...
Footnote: one of the comments I got on my initial IPv6 entry was someone reporting success in integrating their LAN with IPv6. While I'm glad to hear it, I'm even more glad that when I got the "unapproved comment has been posted" notification e-mail, the corresponding IP address was a v6 address. The second I had IPv6 up and running on my server, I threw in AAAA records for pretty much everything. If I had to guess, they didn't even know they were using IPv6 to view this blog and post the comment - which is exactly the goal.
So I setup IPv6 for the machines I own. I still depend on IPv4 simply due to IPv6 not being available... well, most anywhere. At least not natively.
A big part of the reason that we don't have IPv6 in more places is because... well, circular dependency here, but because it isn't around. I can't plug my laptop into any other ISP's line and use IPv6 natively, and even if I could, the chances of the average home grade router working with it is about two.
Out of thousands.
So to get around this, IPv6-in-IPv4 tunnels are used. They do exactly what their name implies: they tunnel IPv6 data within IPv4 packets. The downsides to IPv6 tunneling are latency/overhead and... your ability to keep your IP addresses. If you don't have native IPv6, then your current hosting provider or ISP won't be the one giving it to you - meaning you get the IPs from a third-party company. When your hosting provider or ISP turns IPv6 on, what are the chances that you'll be able to reassign entire blocks of IPv6 address space? Probably not too great. If you've got Comcast as your home ISP, I don't think that your tunnel broker is going to happily move your address blocks over to Comcast's control - at all.
While the latter point is generally a deal breaker for a lot of people, in the long run, I don't care. IP address reassignment happens all the time. There's no rule stating that you must drop your tunnels once you get native IPv6, and there's no reason why it would be overly problematic or painful either. Simply bring up the native IPv6, change the DNS records, and drop your tunnels a few days later.
With this knowledge in hand, I went poking around the vast area known as the Internet and selected Hurricane Electric's IPv6 Tunnel Broker. What really sold me (for free, that is) on using HE for my tunnel was really twofold: one, their views on IPv6 (which boil down to "we'd really like to be in business when IPv4 is exhausted, so we're going to deploy native IPv6 everywhere, provide a tunnel broker for free for anyone and everyone, and we're going to do it three years before crunch time") and two, the fact that it was free.
In selecting HE, I also got full reverse DNS control, selection of the closest HE router to my server, full control of a /64 subnet and a /48 subnet (by request, which I requested), the possibility of adding three more /64 subnets and three more /48 subnets to my account, and full operating system support (with instructions for setup with linux-net-tools, iproute2, *BSD, OSX, Solaris, Windows XP+, and Cisco).
Not bad for $0. I'm a happy customer (and a potential customer should I ever need colocation/dedicated servers).
I set up my account with HE, logged in, and was presented with simplistic instructions on how to set up my CentOS server.
ip tunnel add he-ipv6 mode sit remote 209.51.161.58 local 64.22.124.36 ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:4:b2::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
I created a new 'sit' tunnel named 'he-ipv6', with remote endpoint 209.51.161.58 - coming from 64.22.124.36 - and then turned the link up. Easy enough. Then I added my /64 allocation to the newly created tunnel, and pointed the default route through that tunnel.
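As an added illustration (not from the original post) of what the 'sit' device does with each packet: the outer IPv4 header carries protocol 41 between the local and remote endpoints above, and on receive the tunnel only accepts protocol-41 packets whose outer source is the configured remote, which is what separates the broker's traffic from any other encapsulated packet arriving at the host. The IPv6 addresses are taken from the page; the ICMPv6 payload is constructed.

```python
import struct
import ipaddress

# Endpoints from the page's `ip tunnel add` line. A 'sit' tunnel wraps IPv6
# packets in IPv4 with protocol number 41 (IPv6 encapsulation, RFC 4213).
IPPROTO_IPV6 = 41
TUNNEL_LOCAL = "64.22.124.36"
TUNNEL_REMOTE = "209.51.161.58"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 header (version 6, hop limit 64, no extension headers)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def encapsulate_6in4(inner: bytes, local=TUNNEL_LOCAL, remote=TUNNEL_REMOTE, ttl=255) -> bytes:
    """Transmit side: prepend an IPv4 header with protocol 41 (DF set, ttl as in the page)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000, ttl,
                      IPPROTO_IPV6, 0, ipaddress.IPv4Address(local).packed,
                      ipaddress.IPv4Address(remote).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + inner


def decapsulate_6in4(frame: bytes, expected_remote=TUNNEL_REMOTE):
    """Receive side: check the outer header and return (inner src, inner dst, payload).
    Returns None for anything that is not a valid proto-41 packet from the remote."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[0] >> 4 != 4 or len(frame) < ihl + 40:
        return None
    if ipv4_checksum(frame[:ihl]) != 0:          # header checksum must verify to zero
        return None
    outer_src = str(ipaddress.IPv4Address(frame[12:16]))
    if frame[9] != IPPROTO_IPV6 or outer_src != expected_remote:
        return None
    inner = frame[ihl:]
    if inner[0] >> 4 != 6:
        return None
    plen = struct.unpack("!H", inner[4:6])[0]
    src = str(ipaddress.IPv6Address(inner[8:24]))
    dst = str(ipaddress.IPv6Address(inner[24:40]))
    return src, dst, inner[40:40 + plen]
```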
Wait a minute. That's it? I'm IPv6 enabled already?
[kyle@averageurl ~]$ ping6 ipv6.google.com
PING ipv6.google.com(2001:4860:0:1001::68) 56 data bytes
64 bytes from 2001:4860:0:1001::68: icmp_seq=0 ttl=55 time=327 ms

Yup...
From there, I requested a /48 subnet so I could allocate a few full /64 subnets to my house (a /64 for my LAN, wifi, and secondary wifi), brought some more tunnels up, and then from my desktop...
kyle@ksb ~ $ ping6 ipv6.google.com
PING ipv6.google.com(2001:4860:0:2001::68) 56 data bytes
64 bytes from 2001:4860:0:2001::68: icmp_seq=1 ttl=54 time=325 ms
And now my desktop is IPv6 enabled. Go ahead, ping6 2001:470:d82b:ffff::2! You'll hit my home desktop. Then ping ::3 - my Vista box. Yup, that's right! My windows box is also on the IPv6 network. :fffe::2 would be my laptop on the wifi. The entire :fffd::0/64 subnet (and corresponding wifi AP) is unused currently, but perhaps once I decide to upgrade my router's software and play with wpa_supplicant that will change.
But why did I do this? What did I gain? Well, for starters, it was really fun to use HE's Looking Glass to run a traceroute to my desktop...
Tracing the route to IPv6 node 2001:470:d82b:ffff::2 from 1 to 30 hops
 1    2 ms   <1 ms   <1 ms  2001:470:0:32::2
 2   76 ms   75 ms   75 ms  2001:470:0:35::2
 3  103 ms  103 ms  103 ms  2001:470:0:4b::2
 4  103 ms  103 ms  103 ms  2001:470:0:8c::2
 5  148 ms  148 ms  148 ms  2001:470:4:b2::1
 6  234 ms  236 ms  238 ms  2001:470:d82b:ffff::1
 7  234 ms  233 ms  233 ms  2001:470:d82b:ffff::2

... while it sits behind my IPv4 NAT router. And then my Vista computer, and then my laptop connected to the wifi. Then I got to go take a look at The KAME project and check out the dancing turtle. It turns out that Google's IPv6 site also has an animated logo.
But in the end, I can now access all of my computers from behind NAT, without actually using any NAT - at all. I could drop the IPv4 addresses from some computers and still retain access to them, full access. This may prove to be both a blessing and a curse, but given time, we'll see.
(And yes, I know I shouldn't be using ::1 for my routers, that'll change soon enough.)
That's always a fun feeling. "Oh, hey, look at all of this stuff I wrote about a year and a half ago. It's... it is... so.. entirely wrong. And to think I took my time to write that, scanned it once for typos (missed many), and then attached my name to it by clicking the big 'Save' button."
I was sorely tempted to remove my existing content (content! ha!) and start over with this post, but that feeling quickly subsided when I remembered that no matter how hard I try, and no matter how little people may care, somewhere it was archived. Saved as organized bits on a disk somewhere in the world, indexed by multiple bots, and easily found by anyone looking for my name. Kinda creepy when you think about it.
The other reason that I quickly gave that up, is equally simple. Some of it, I actually like. I've outlined in the past in great detail things which I still believe, and a lot of my philosophies. Sure, the ratio of posts I like is still nearly three to one, but hey, I'll live with it.
After just over a year of not touching this blog, for reasons many, I think I'll be... well, I don't want to say "back to blogging." There's too much cliché involved with that line. I can think of no quicker way to blog deletion than by announcing my triumphant return to posting random things that no one cares about on a website that no one subscribes to (let alone visits to post comments).
Except of course, for the bots (feed aggregators included).
But who knows what will happen!
Yup. I just said it: Windows is a perfect platform.
Obvious counter argument: go out there and search for "windows virus scanner" and check that out: 1.38 million results on Google. 53,000 if you include the quotes.
Either I'm wrong, or Google is lying to me. That's a lot of results for a virus scanner. "Windows virus" turns up 134 million. Clearly, Windows is anything but the perfect platform. My reasons as to why it is regarded as an imperfect, shoddy, spyware-ridden platform are very clearly written in a packet I got ahold of recently, concerning a website which is used extensively at work. The website in question will be launching a new version soon, and the packet exists to inform their customers of the upcoming changes and the needed alterations to your OS (read: Windows and Internet Explorer) in order for this website to work.
Quoted directly from this thirty page packet: ... "you will need to download a new control from the [XX] site, this requires that you be administrator of your machines for that 1st export only. Unless it is a big company with an IT department, you are likely administrator already."
Let's put this in Linux terms. "You are required to run as root in order to get this piece of software to work. You are already running as root, so don't worry about it."
The problem with Windows isn't Windows. The problem with Windows is the absurd number of poorly written software packages, all of which require administrator rights. This is a website, not a system reconfiguration utility. "I know! And, so, I only require administrator rights the first round!" One of these days, I'm going to go find out why it requires administrator rights at all.
This packet then proceeds to outline all of the needed steps to get this new website up and running on the individual computers. This process must be repeated for every user on every computer. For me, this means driving between three buildings, located in Sandy, Salt Lake, and Bountiful. For the curious, that's a half-hour drive. The total machine count is 37. Total miles driven will be just over 50. Time spent in transit will be roughly an hour and a half, all things considered. Once I hit the first building, however, the real work begins. This packet outlines that the following changes need to be made:
- Adjust the settings of the popup blocker to whitelist said website.
- Ensure that the cache settings are set to check for new versions of pages automatically (and then clean the cache out).
- Add the website to the "Trusted Sites" security zone.
- Adjust the security settings for the "Trusted Sites" zone to allow/do the following: Enable automatic prompting of ActiveX controls, enable binary and script behaviors, download signed ActiveX controls, download unsigned ActiveX controls, initialize and script ActiveX controls not marked as safe, run ActiveX controls and plugins, script ActiveX controls marked safe for scripting, enable automatic prompting for file downloads, enable file downloads, and enable font downloads. (These are the instructions for IE6. IE7 also includes enabling Loose XAML, XAML browser applications, XPS documents, allowing previously unused ActiveX controls to run without prompting, and oddly, disabling video and animation on a webpage that does not use them.)
- Go ahead and re-read point number four there. I even put the relevant points in bold for you, so by all means, have at it.
- Check the computer for any of the following toolbars, and if they are found, reconfigure them all individually to also allow popups from the website in question: Google, Yahoo, AOL, MSN, "or anything besides Standard Buttons, Address Bar or Links."
- The remaining pages are dedicated to disabling or reconfiguring any other possible popup blockers.
It should be noted that not one of those steps included instructions that told me how to download and install said unsigned, marked not safe for scripting, "I need admin rights to continue" ActiveX control.
So, come the Monday morning that this launches, I get to drive around more than I care to, tweaking settings that need tweaking, decreasing the default system security, and installing ActiveX controls as administrator.
There is nothing wrong with Windows; there is everything wrong with the average software package (and/or website, as is this case). Because of this, Windows doesn't even have a fighting chance. If a website you loaded up suddenly popped up a box stating that it wanted your root password to continue, what would you do?
Why don't you do the same thing on Windows though?
Oh, right, the software requires it.
The operating system isn't broken, just all of the third-party software is.
You know that funky option in your computer's BIOS, "Network Boot Agent"? Okay, so it goes by a lot of names. "Networking Boot ROM," "Integrated NIC ROM," the list goes on. Maybe you've seen the "Press F12 to network boot option" around. You see this, your curiosity gets the best of you, so you hit F12. Suddenly your computer is scanning the ethernet subnet for a DHCP server and acquiring an IP address!
Only to go away really fast and continue booting up your computer without really telling you much. Awfully anti-climactic, if you ask me. I mean really, you add an option to your boot order, hit the button to make it go, and it starts doing all of these wonderful things only to promptly "stop" and advance in the boot order without telling you a thing.
Let's clear up the mysticism: what you (typically) just activated and attempted to use was this thing called PXE. PXE stands for "Preboot Execution Environment." Wikipedia has an awesome article (also available on the German Wikipedia) on the details of PXE, but I may be biased in thinking that because I assisted in its writing. Admittedly, it has changed a fair amount over time, but the content of the article as a whole is still there. Now, come on, I know you're lazy and didn't read all of that article. I'd even go as far as to say you didn't read any of it. So, if you're still wondering "What is this PXE thing?" I'll answer that here and now.
PXE is, in its simplest terms, a boot device. At least, that's what it appears to be to your BIOS. However, instead of spinning up your hard drive, it fires up the NIC in your computer and starts probing for DHCP (or BOOTP, but that won't be covered here; it's pretty much obsolete). Then, once it has acquired an IP address with the needed DHCP options set, the PXE ROM goes about downloading and executing files off of a TFTP server.
So, what is PXE? A way to boot your computer without the need of a hard drive or any real physical storage medium. It's commonly known as netbooting. The process, as outlined above, is pretty simple. The NIC scans for a DHCP server, and then acquires an IP address. In its brief exchange with the DHCP server, the client is sent several "DHCP Options" along with the IP address, one of which is commonly known as "filename." If the client does not find this option, it gives up and (typically) advances with the boot order. If it finds this option, however, it tries to download the specified file off of a TFTP server. An additional option which can be given is "next-server," which is the IP address of the TFTP server to contact in order to download "filename." If the "next-server" parameter is omitted, then it defaults to the same IP as the DHCP server, and likewise tries to download "filename" and in turn execute the file it downloads.
That's it. That right there is the majority of what PXE "is" and how it works. Why did your computer acquire an IP address only to just continue on booting? Because you didn't have the needed DHCP options set. To be fair, the huge majority (99%) of all home routers lack the ability to configure the needed options, so it's likely you've never even heard of "DHCP Options." However, my personal feelings on how retarded home routers are do not belong here.
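The decision described above, written out as an added example (not from the original post): parse a DHCP offer, and fall through the boot order when there is no "filename," otherwise take "next-server" from siaddr or option 66 and default to the DHCP server's own address. ISC DHCP sends `filename` in the BOOTP file field and `next-server` as siaddr; the option-67/66 forms are handled too. The offers in the test are constructed, with addresses from the 192.0.2.0/24 documentation range. Run over captured offers, the same function tells you which TFTP server and file your machines would actually boot from.

```python
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54      # the DHCP server's own address
OPT_TFTP_SERVER = 66    # "next-server" in option form
OPT_BOOTFILE = 67       # "filename" in option form
OPT_END = 255


def parse_dhcp(packet: bytes) -> dict:
    """Pull siaddr, the BOOTP 'file' field and the option list out of a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    siaddr = str(ipaddress.IPv4Address(packet[20:24]))
    file_field = packet[108:236].split(b"\x00", 1)[0].decode("ascii", "replace")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                       # pad byte, no length
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"siaddr": siaddr, "file": file_field, "options": opts}


def pxe_boot_target(packet: bytes):
    """Return (tftp_server, filename) the ROM would use, or None to fall through
    the boot order. 'filename' may arrive in the BOOTP file field or option 67;
    'next-server' may arrive as siaddr or option 66, else the DHCP server itself."""
    info = parse_dhcp(packet)
    opts = info["options"]
    filename = opts.get(OPT_BOOTFILE, b"").decode("ascii", "replace") or info["file"]
    if not filename:
        return None
    next_server = opts.get(OPT_TFTP_SERVER, b"").decode("ascii", "replace")
    if not next_server and info["siaddr"] != "0.0.0.0":
        next_server = info["siaddr"]
    if not next_server and OPT_SERVER_ID in opts:
        next_server = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID]))
    return next_server, filename


def make_offer(server_ip: str, filename: str = "", next_server: str = "") -> bytes:
    """Constructed minimal DHCPOFFER: filename in the BOOTP file field,
    next-server in siaddr, the way ISC DHCP's directives are sent on the wire."""
    pkt = bytearray(240)
    pkt[0] = 2                                   # BOOTREPLY
    if next_server:
        pkt[20:24] = ipaddress.IPv4Address(next_server).packed
    pkt[108:108 + len(filename)] = filename.encode("ascii")
    pkt[236:240] = DHCP_MAGIC
    opts = bytes([OPT_MSG_TYPE, 1, 2, OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    return bytes(pkt) + opts + bytes([OPT_END])
```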
Let's move on to a "What is/isn't PXE" list real quick.
PXE is:
- A way of booting your computer without a hard drive or CD-ROM (or floppy, for you old people)
- Very useful - does not require physical storage in the computer to work
- Light - DHCP options and a TFTP server are the only requirements
- Powerful - ever wonder what it'd be like to walk into a room of computers, turn them all on, press F12, and come back an hour later to fresh installs of (your OS here)? I've done it with Windows, and I must say, it's management/installation/reinstallation bliss.
PXE isn't:
- A way to "network boot this ISO image I have here" (but it is possible given time)
- ... even related to the boot loader or actual software side of the computer. It downloads a file, it runs a file, that's IT. It's not a kernel, it lacks any real form of hardware support. It exists to run something else, not run your system for you.
- Diskless booting. Sure, it CAN do that, but again, PXE isn't there to run your system for you.
- Thin clients. Refer to above statement. And statement above said above statement. You get the idea.
- Overly detailed. When I started messing with PXE, it made little sense as a whole and felt very hacked together once I got it working. This was largely due to a lack of documentation.
In sum, PXE has a vast number of capabilities, but PXE in and of itself is pretty much worthless. You can't feed it an ISO of a bootable CD and say "Go!", nor can you magically make an entire lab of computers run Firefox without hard drives. I'll admit it in full: PXE does not run your computer for you. You are in charge of that. But it certainly can help in installing OSs or running entire diskless labs. If this seems unclear, I'm sure the later articles will clear it up.
In the next few parts, I'll use the following software: ISC DHCP, tftp-hpa, pxelinux, memtest86+, and maybe a little bit of the Debian installer. Who knows, maybe I'll splurge and go overboard with some CentOS installation over PXE, but for the most part, you're safe with the previous list. (Don't go downloading all of the Debian CDs though, as we won't be using them.)
It should also be noted that I have written and maintain the only wiki (that I know of anyways) that is dedicated to the topic of PXE booting. For the curious, that wiki is available here.
