IPV6-ifying all my boxes -- any gotchas to be aware of?

[Jon Radel]

On 1/23/16 7:38 PM, Aleksandr Miroslav wrote:
>
> Apart from some websites and mailing lists, I'm not running anything
> mission-critical, but I'd like to avoid snafus if possible. Are there any
> gotchas that I should be aware of?
>
Make sure that any firewalling you find prudent with ipv4 is replicated 
as appropriate with ipv6 and double check what processes are actually 
listening on ipv6.  There's no good that will come of finding at a later 
time that something, say a back-end database, is listening on ipv4 
loopback address only, but is listening on the public ipv6 address with 
no firewall blocking access.  That would probably mean certain 
assumptions about the security of your database are no longer true.

Make sure services actually work over ipv6 before putting AAAA records 
in your DNS.  Remember that there are an awful lot of client machines 
out there that will prefer HTTP and SMTP over ipv6 once you have AAAA 
records, but there are probably still some poor souls for whom this will 
break connectivity or performance reaching your servers.  (Though I'd 
argue that this far into ipv6 roll-out that that's their, not your, 
problem.  However, if you have contracts with them or make money off of 
them it would probably be your problem too.)

Consider putting a DNS resolver reachable over IPv6 in your resolv.conf 
after appropriate testing, though this isn't necessary to make things work.

On the whole I've found the process pretty painless.  (Well other than 
that my business class provider at home STILL doesn't provide native 
ipv6.  Shame on you Cox Business.)

--Jon Radel
jon at radel.com





-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3890 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20160123/35395ebc/attachment.bin>