One of the commonly asked questions is about HP Cloud IPv6. At the time of publication of this guide, there is no official way, only DIY methods. We have previously discussed IPv6 in many articles. Like HP, we are not exactly interested in adding IPv6 to the current instances. There are several reasons, and one of them is security.
HP Cloud IPv6 : Prerequisites
HP has a comprehensive suite of IPv6 products and solutions to enable a seamless transition to an IPv6-connected world, which is not related to HP Horizon. They are for enterprise-grade usage, and even we (with an old Indian conglomerate) do not use them. Most of you want IPv6 for the hype. So, we are providing some cheating methods for adding a funky IPv6 address.
If the existing Class A IPv4 is rightly used or its cost increases, then for serious usage they are really better from a security point of view. You cannot run an IPv6-only server right now.
---
We are taking it for granted that you are using HP Cloud DNS or Akamai DNS for IPv4. Both of them support adding an AAAA record against the IP address.
There are two methods for adding IPv6 to an instance via a DNS service.
HP Cloud IPv6 : Method One (Cheating Method, Safer)
Akamai DNS will not support IPv6. So ultimately, if you use this method, your instance will pass 30%-50% of the common tests for IPv6. That is, users on an IPv6-only ISP cannot reach the website served by the instance. It is not a great problem. At least you will have an IPv6 address and should be a happy kid.
If you run :

```
dig thecustomizewindows.com AAAA
```

you will see that we have an IP address. As our servers are Nginx, we adjusted the /etc/nginx/sites-available/default file in this fashion :

```
# port 80 -> port 443
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    ...
}
# working
server {
    # ipv6only applies to IPv6 ([::]) sockets; as written this listens on IPv4 only
    listen 443 ssl spdy default ipv6only=on;
    server_name thecustomizewindows.com;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    ...
}
```
As we are using HSTS, ssl spdy is added. ipv6only=on is the only directive needed on the server side. So we added the IPv6 address 2002:f7d:4da6::f7d:4da6 from HP Cloud DNS. Now, how did we get 2002:f7d:4da6::f7d:4da6 when we should have only the IPv4 address 15.125.77.166?
There are online tools available for IPv6 / IPv4 conversion. One of them is :

```
https://isc.sans.edu/tools/ipv6.html # copy to text editor first
```
It is not exactly the right way, but at least your server will show as compatible with IPv6. Additionally, you need to adjust your router settings on HP Cloud. This is odd, but from a security point of view it is better. DNS will not support IPv6, hence mixed IPv4-IPv6 will be needed to connect to the server.
It has no security risk. The IPv6 address 2002:f7d:4da6::f7d:4da6 is actually a kind of translated version of our IPv4 address 15.125.77.166. Obviously the identifiers will match.
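The translation described above is the 6to4 mapping: the 2002::/16 prefix followed by the 32 bits of the IPv4 address, with the same 32 bits repeated at the end of the address. The following is an added example, not code from the original article; it derives the address, recovers the embedded IPv4 address, and checks whether a published A/AAAA pair match. The function names and the 192.0.2.1 and 2001:db8::1 samples are constructed for illustration.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix, RFC 3056


def to_6to4(ipv4: str, mirror_low: bool = True) -> str:
    """Return 2002:<IPv4 in hex>::, optionally repeating the IPv4 bits
    in the low 32 bits, as the article's address does."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    value = int(SIX_TO_FOUR.network_address) | (v4 << 80)
    if mirror_low:
        value |= v4
    return str(ipaddress.IPv6Address(value))


def embedded_ipv4(ipv6: str):
    """Return the IPv4Address inside a 6to4 address, or None if not 6to4."""
    return ipaddress.IPv6Address(ipv6).sixtofour


def audit_records(a_record: str, aaaa_record: str) -> dict:
    """Compare a published A/AAAA pair (hypothetical helper name)."""
    v4 = ipaddress.IPv4Address(a_record)
    v6 = ipaddress.IPv6Address(aaaa_record)
    inner = v6.sixtofour
    return {
        "is_6to4": inner is not None,
        "embedded_ipv4": str(inner) if inner is not None else None,
        "matches_a_record": inner == v4,
        "low_bits_mirror_a_record": (int(v6) & 0xFFFFFFFF) == int(v4),
    }


if __name__ == "__main__":
    a = "15.125.77.166"  # A record from the article
    print(to_6to4(a))
    # Constructed samples: a 6to4 address for a different host, and a
    # documentation-range address that is not 6to4 at all.
    for aaaa in ("2002:f7d:4da6::f7d:4da6",
                 "2002:c000:201::c000:201",
                 "2001:db8::1"):
        print(aaaa, audit_records(a, aaaa))
```

An AAAA record inside 2002::/16 whose embedded address differs from the A record points IPv6 clients at a different IPv4 host, which is worth flagging in a DNS review.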
HP Cloud IPv6 : Using Hurricane Electric Free DNS Management
This method uses a TunnelBroker. It is risky. We are providing the easiest way to configure it. Networking is not easy on a VM and HP is not supplying the service. You are opening the backdoor of the router. If your whole account gets hacked, do not blame us or HP. If you are dying for IPv6, then use Rackspace. DigitalOcean is not a standard A-grade web host in front of HP; we cannot suggest using it. Neither we nor HP will be responsible if your stuff gets fully broken.
We have less guts, so we are using the cheating method written above. Server security is of first importance.
RFC 3053 defines the IPv6 TunnelBroker. SixXS currently has 49 PoPs. You need a free SixXS account > Request a tunnel > Wait for tunnel approval > Request a subnet > Wait for subnet approval. You’ll get an email like this :
```
Dear Generic User,

The SixXS Staff have honored your request for a subnet
on the following tunnel:
-------
PoP Name : chzrh01 (ch.thermelec [AS20932])
Subnet IPv6 : 2001:xxxx:xxxx::/48
Routed to : 2001:xxxx:xxxx:xx::2/64
Your IPv4 : ayiya
-------
Please visit your home on the website for more information
and options regarding this subnet.

Regards,
The SixXS tunnel robot.
```
Then install aiccu, the SixXS client application, on the server instance. If aiccu runs as a daemon, it will make sure your tunnel endpoint is always up to date through the heartbeat protocol. Note that AICCU is only needed for heartbeat and AYIYA tunnels. Static tunnels can be configured using only interfaces. Run :

```
aptitude install aiccu
```

You will be prompted over SSH for the username, password, and tunnel_id. Then edit /etc/aiccu.conf :

```
nano /etc/aiccu.conf
```
The line behindnat true should not be commented out. Start the service and test :

```
/etc/init.d/aiccu start && ip a
```
Edit :

```
nano /etc/sysctl.conf
```

and uncomment the line net.ipv6.conf.all.forwarding=1. Then run :

```
sysctl -p
```
Install radvd :

```
apt-get install radvd
```
Edit /etc/radvd.conf in this way :

```
interface eth0 {
    AdvSendAdvert on;
    MaxRtrAdvInterval 30;
    AdvOtherConfigFlag on;
    prefix TUNNEL_PREFIX_FROM_SIXXS.NET
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
```
Edit :

```
nano /etc/network/interfaces
```

Like this :

```
auto eth0
iface eth0 inet dhcp
iface eth0 inet6 static
    address IP_IN_YOUR_SUBNET_FROM_SIXXS.NET
    netmask 64
```
Neither DHCPv6 nor reverse DNS is installed here. This is the technically right way, but we cannot suggest using it. If you were using Digital Ocean, Hostgator or some $10 / month server, then probably it would look better. With Akamai’s DNS set,
Reboot the instance; all services will restart.