Yet another Mastodon-inspired post. In this toot the author reports that downloading python packages is slow, and the Internet said that disabling IPv6 is the solution.

Slow can mean two different things here. If the host I’m using has a globally unique IPv6 address, but my connection to the outside is broken somehow, most software would try IPv6 first and then, after a timeout would fall back to IPv4 and try again. It can also mean that the IPv6 connection is working, but the download is actually slow.

Some time ago I was asked why IPv6 wasn’t working. The customer had just configured some ipv6tables rules and IPv6 stopped working. See if you can spot the error in the following example rule set:

ip6tables -A INPUT -p ICMP -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p tcp --dport ssh  -j ACCEPT
ip6tables -A INPUT -j DROP

The mistake is in line one. In IPv6 neighbor discovery and other functions rely on ICMPv6 which is a different protocol then ICMP. Some how ip6tables is fine with loading the ICMP protocol.

Last year I did a presentation about my 1st IPv6 project. After writing a post titled IPv6 is hard, where I told people that they shouldn’t do IPv6 if they don’t take it seriously, here is a post about how it can be done.

June 5th 2012, around five in the afternoon

The team lead walks into the office with a crate of beer and asks if we are done with the IPv6 project. We are (we think) and have a beer.

In my last post, which made it to Hacker News, I wrote:

"HE can have some funny side effects. In a project a connection to a
development web server sometimes worked and sometimes didn't. The
solution was quite simple. The customer used a split VPN tunnel.  IPv4 was
routed via the VPN tunnel and those IPv4 addresses were allowed in the web
servers access list. IPv6 was routed via the normal Internet connection and
those addresses weren't allowed."

This lead to some questions. Why didn’t HE work? Well it did work. Sometimes the IPv4 connection was better than the IPv6 connection, and sometimes IPv6 was better than IPv4. The TCP connection worked. And that is what counts for Happy Eyeballs.

Yesterday I read this toot (German) over on mastodon which starts with “IPv6 is hard.”

No it’s not. It’s different.

I ran across this multiple times: There is an A and an AAAA-record for a FQDN, but the web server is only reachable via IPv4. You can easily test this with curl

$ curl -4  https://github.com -o /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  273k    0  273k    0     0  3417k      0 --:--:-- --:--:-- --:--:-- 3553k
$ curl -6  https://github.com -o /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (7) Couldn't connect to server

When using IPv4 273k are “saved” to /dev/null, using IPv6 we get an error message “Couldn’t connect to server”