The following article was contributed by Paul Heinlein, a systems
administrator at Galois.
Paul attended my full day IPv6 training
course at USENIX LISA 2013
and just a couple of months later sent me a report of his successful
deployment of IPv6. So I asked if he'd like to contribute an article on
It's great to hear of IPv6 success stories like this. (And of course,
I'm glad folks are finding my courses useful). Significantly, his
network is already seeing a very substantial amount of IPv6 traffic!
(A note: the version of iptables in Redhat Enterprise Linux6/CentOS 6
has fixed the stateful IPv6 inspection capability. We use it
successfully at Penn).
You can find the slides from
my IPv6 training course on my website.
An IPv6 Success Story
Galois is a software-engineering firm located in Portland, OR that
specializes in the hard problems of computing trust and assurance.
One of our IT goals for 2014 is enabling IPv6 on all our current IPv4
subnets. I was pleased to see Shumon's full-day IPv6 tutorial on the
LISA '13 schedule. I hoped he could fill the gaps in my limited
experience with IPv6 and provide me the knowledge I'd need to
configure our network hardware and applications.
Full-day technical tutorials can sometimes test my patience, but
Shumon's presentation moved quickly while remaining clear. I came away
from the day thinking that I had enough basic knowledge to plan and
implement our IPv6 rollout.
Returning to Portland, I had to upgrade upgrade a couple core switches
and apply to our ISP for a netblock prior to enabling it on our
network, but once the hardware was in place, everything went
Shumon's overview had done exactly what I'd hoped it would: allow me
to interpret the various bits of vendor-specific and
application-specific documentation and assemble a reasonable roll-out
Our DMZ and client networks are now fully IPv6 enabled. (Internal
development networks will take a bit more time due to VPN-related
Along the way, I learned a couple things Shumon didn't explicitly
cover in his presentation.
First, make sure that reverse DNS pointers are in place for any mail
server before enabling IPv6. gmail (among others) will reject messages
from any mail server without reverse DNS pointers in place.
Second, the ip6tables that ships with RHEL/CentOS 5 has a limited
ability to do stateful packet inspection. The generic rule allowing
packets from established or related sessions does not work:
# this is broken in RHEL/CentOS 5
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
(We've only got one CentOS 5 machine in our DMZ, so this issue hasn't
impacted us in any major way.)
Third, it was a lot of fun! Nearly all our DMZ services (NTP, DNS,
Jabber, e-mail, www, ssh, host-based firewalls) needed updated
configurations, so I learned a bunch. The day after I did the initial
rollout, one of our engineers came into the office, turned off IPv4 on
his Mac, and tested what percentage of Google result links he could
follow. (He thought about 5%, though he said the queries he chose
probably resulted in a higher success rate than might be normal.)
Finally, I've been mildly surprised at the quantity of IPv6 packets
traversing our border firewall. Over the past week, IPv6 has comprised
38% of overall inbound traffic and 11% of outbound. The numbers are
similar when scoped to the past month.
I'd like to express my thanks to Shumon for the talk and the LISA
organizers for putting it on the schedule!
-- Paul Heinlein email@example.com