The Pool is Empty. Stop Pretending It Isn't.
Let’s cut the marketing fluff. As of February this year (2011), IANA handed out the last /8 blocks of IPv4 addresses. The RIRs (RIPE here in Europe) are rationing what's left. If you are a systems administrator in Norway or a dev team in Kyiv and you aren't implementing a dual-stack strategy right now, you are building technical debt that will bankrupt your architecture by 2012.
I’ve seen too many 'enterprise' setups recently relying on 6to4 tunnels or Hurricane Electric brokers for production traffic. That works for a home lab, but for a high-traffic e-commerce site? It adds latency, introduces a single point of failure, and ruins your MTU settings. You need native IPv6.
At CoolVDS, we saw this coming. That's why we don't mess around with tunnels. Every VPS gets native IPv6 connectivity directly peered at NIX (Norwegian Internet Exchange). Here is how you configure it without taking down your network.
The OS Layer: Configuring CentOS 6 and Debian Squeeze
First, verify your kernel actually supports it. Most modern kernels (2.6.x) do, but I've seen stripped-down custom kernels that drop the module to save 50kb of RAM. Don't be that person.
On CentOS 6, enable networking in /etc/sysconfig/network:

NETWORKING_IPV6=yes
IPV6_AUTOCONF=no

Then, bind the address in your interface config (usually ifcfg-eth0). You want a static assignment for servers. SLAAC is for laptops, not for a database server that needs predictable reachability.

IPV6INIT=yes
IPV6ADDR=2001:db8:100::5/64
IPV6_DEFAULTGW=2001:db8:100::1

On Debian 6 (Squeeze), it goes in /etc/network/interfaces:

iface eth0 inet6 static
    address 2001:db8:100::5
    netmask 64
    gateway 2001:db8:100::1

Pro Tip: After restarting networking (service network restart on CentOS, service networking restart on Debian), ping a Google IPv6 node immediately: ping6 ipv6.google.com. If you get 'Network is unreachable', check your default route using ip -6 route show.
The Silent Killer: ip6tables
Here is the war story. Last month, a client migrated a high-traffic forum to a new cluster. They had an impenetrable iptables script for IPv4. They assumed it covered IPv6. It didn't.
By default, most distros leave IPv6 wide open. While their SSH port 22 was rate-limited on IPv4, it was completely exposed on IPv6. Bots scanned it, brute-forced root, and we had a compromised box in 4 hours. IPv4 firewalls do not filter IPv6 traffic.
You must duplicate your ruleset for ip6tables. Here is a baseline policy to drop everything except SSH and Web (plus the ICMPv6 that IPv6 itself cannot work without):

# Set default policies
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# Allow loopback
ip6tables -A INPUT -i lo -j ACCEPT
# Allow ICMPv6: with INPUT at DROP, blocking it breaks Neighbor Discovery
# (your router can no longer resolve your address) and Path MTU Discovery
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
# Allow established connections
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH and Web
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
# Persist the rules across reboots (CentOS 6); on Debian, dump them with ip6tables-save
service ip6tables save
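Not from the original post, but the check I would run right after the above: a short Python script that parses the output of iptables -S and ip6tables -S (constructed sample dumps here, not captured from a real host) and reports the gaps behind the war story: an INPUT policy still at ACCEPT, no ICMPv6 rule, and ports or rate limits the IPv4 chain has but the IPv6 chain lacks.

```python
import re

# Constructed sample dumps (not captured from a real host), in the
# format that `iptables -S` and `ip6tables -S` print.
IPTABLES_S = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m limit --limit 3/min -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""
# What a fresh box shows before anyone has touched ip6tables.
IP6TABLES_S_UNTOUCHED = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"

def parse_input_chain(dump):
    """Return (INPUT policy, {(proto, port): accept rule}, icmpv6_allowed)."""
    policy, accepts, icmpv6 = None, {}, False
    for line in dump.splitlines():
        pol = re.match(r"-P INPUT (\S+)", line)
        if pol:
            policy = pol.group(1)
        if not (line.startswith("-A INPUT") and line.endswith("-j ACCEPT")):
            continue
        proto = re.search(r" -p (\S+)", line)
        port = re.search(r" --dport (\d+)", line)
        if proto and proto.group(1) in ("icmpv6", "ipv6-icmp"):
            icmpv6 = True  # NDP / PMTUD traffic is let through
        if proto and port:
            accepts[(proto.group(1), int(port.group(1)))] = line
    return policy, accepts, icmpv6

def audit(v4_dump, v6_dump):
    """List the ways the ip6tables INPUT chain falls short of the iptables one."""
    _, v4, _ = parse_input_chain(v4_dump)
    v6_policy, v6, v6_icmpv6 = parse_input_chain(v6_dump)
    findings = []
    if v6_policy != "DROP":
        findings.append("ip6tables INPUT policy is %s: every listener is reachable over IPv6" % v6_policy)
    else:
        if not v6_icmpv6:
            findings.append("ICMPv6 not accepted: neighbor discovery and path-MTU discovery will fail")
        for key in sorted(set(v6) - set(v4)):
            findings.append("%s/%d open on IPv6 but not on IPv4" % key)
        for key in sorted(set(v4) - set(v6)):
            findings.append("%s/%d open on IPv4 but missing on IPv6" % key)
    for key, rule in v4.items():
        if "-m limit" in rule and key in v6 and "-m limit" not in v6[key]:
            findings.append("%s/%d is rate-limited on IPv4 but not on IPv6" % key)
    return findings
```

On a live box, feed it the real dumps: audit(open("v4.txt").read(), open("v6.txt").read()) after saving iptables -S and ip6tables -S to those files.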
Service Configuration: Nginx 1.0.x
Apache has supported IPv6 for ages, but Nginx is tricky if you are on older versions. However, with the stable Nginx 1.0 release this year, the syntax is cleaner. You need to explicitly bind the v6 listener.
In your nginx.conf or vhost file:
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name example.no;
    ...
}

The ipv6only=on parameter is critical if you want to avoid binding conflicts on dual-stack systems: without it, the [::]:80 socket also accepts IPv4 connections as IPv4-mapped IPv6 addresses and clashes with the separate listen 80 socket.
The CoolVDS Advantage: Performance and Peering
Why does this matter for your hosting choice? Latency. If your host routes IPv6 traffic through a tunnel broker in Amsterdam before it hits your users in Oslo, you are adding 40-50ms of lag. In the world of high-frequency trading or just snappy PHP rendering, that's an eternity.
We use native routing. When a packet hits our datacenter, it's hitting metal backed by high-performance RAID-10 SSD storage (yes, we use Solid State Drives for caching/DB layers, which beats the standard SAS 15k setups most providers are still peddling). Our connection to NIX ensures your traffic stays local within Norway whenever possible.
Final Checklist for Deployment
- DNS: Add AAAA records only after you've verified the firewall.
- Monitoring: Nagios needs separate checks for IPv6 addresses.
- Mail: Reverse DNS (PTR) records are mandatory for IPv6 mail servers, or Gmail will bounce you instantly.
The IPv4 exhaustion isn't a Y2K scare; it's a mathematical reality. Stop relying on legacy addressing. Deploy a dual-stack instance on CoolVDS today, configure your ip6tables correctly, and future-proof your stack before the crunch hits in 2012.