October 31st, 2007

IPv6 tests

So, what’s the status of IPv6 development nowadays? Sometimes I wonder.

I mean, these days I’m migrating services from eliot to ralph, and up to now the only thing I’ve noticed is that Amavis (based on the Net::Server Perl module) doesn’t seem to like binding on IPv6 addresses at all; MySQL doesn’t accept IPv6 connections either (there’s a Google Summer of Code project about this, but the only patch I’ve found, digging through mailing lists, no longer applies cleanly to current code), and so on.

I also had a plan: I have a VPN from my home server to the laptop, so I can access internal services without worrying about security. I thought: if I add a radvd daemon, I can get IPv6 connectivity for free. In fact this involved adding a small routing rule by hand, but it worked fine on Linux (more on that in a later article), whereas the tuntap driver under MacOS doesn’t seem to understand router advertisement packets (I sent a mail to the author, so I’ll wait for his response before telling you I’m sure about this).

So, nowadays it’s difficult even just to have IPv6 connectivity on an internal network. What a pity.

As a side note, I want to talk about a subtle distinction between concepts present in both IPv4 and IPv6: link-local addresses. The problem is that a person approaching IPv6 is tempted to think link-local addresses (the fe80:: prefix) are the equivalent of IPv4 private subnets (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16). This is not true at all. Private subnets are exactly what the name says, and the closest IPv6 equivalent is site-local addresses, which by now have been deprecated. Link-local addresses in IPv6 are meant to be used exactly, well, for link-local purposes (I write a protocol which checks whether servers with given MAC addresses are reachable, and I use link-local addresses). Private subnets in IPv4 are instead used because

  1. we need NAT, and
  2. for security implications: bind your servers to 192.168.0.0/24 and they won’t be reachable from the outside.

Ok, for 1), we know that with IPv6 we no longer need it, but what about 2)? Well, the point is that in the IPv6 philosophy security should not be implemented this way but by firewalls, which conceptually fit in perfectly. So, no more relying on bind addresses for this under IPv6. Anyway, what stops you from using this security bonus? Two facts:

  1. a link-local address has no meaning without an associated interface, since it contains no routing information. This isn’t supported by any server I know of, and shouldn’t be by design.
  2. if you move the server, you’re lost. If you physically split the network, you’re lost again.

In case the point isn’t clear: link-local addresses carry no routing information, that’s the problem. So they seem a step backward from private subnets, but they are not: take into account that link-local addresses are obtained automatically. If you add a radvd server, you get full network configuration for free. Plug in your computer and start browsing the web. It’s not DHCP bolted on after the IP infrastructure, it’s almost the opposite.
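As an added example (not code from the original post), the following Python checks a candidate bind address against the two points above: whether binding a listener to it restricts reach the way an IPv4 private subnet does, and why a link-local address cannot even be turned into a socket address without an interface (zone id). It uses only the standard library; the sample addresses are constructed.

```python
import ipaddress
import socket

# IPv4 private subnets named in the post; sample addresses below are constructed.
IPV4_PRIVATE = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def split_zone(text):
    """'fe80::1%eth0' -> ('fe80::1', 'eth0'); zone is None when absent."""
    addr, sep, zone = text.partition("%")
    return addr, (zone if sep else None)

def describe(text):
    """What binding a listener to `text` buys you, per the argument above."""
    addr_text, zone = split_zone(text)
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 4:
        # Routed inside the site: reachable only from hosts with a route there.
        private = any(addr in net for net in IPV4_PRIVATE)
        return {"kind": "ipv4-private" if private else "ipv4-global",
                "routable": True, "needs_interface": False}
    if addr.is_link_local:   # fe80::/10: one link only, no routing information
        return {"kind": "ipv6-link-local", "routable": False,
                "needs_interface": True, "zone": zone}
    if addr.is_site_local:   # fec0::/10: the deprecated IPv6 'private' range
        return {"kind": "ipv6-site-local", "routable": True,
                "needs_interface": False}
    return {"kind": "ipv6-global", "routable": True, "needs_interface": False}

def sockaddr(text, port):
    """AF_INET6 bind tuple (host, port, flowinfo, scope_id).
    A link-local address only makes sense with a zone: an interface name,
    translated with if_nametoindex(), or a numeric index as RFC 4007 allows.
    """
    addr_text, zone = split_zone(text)
    addr = ipaddress.IPv6Address(addr_text)
    if not addr.is_link_local:
        return (str(addr), port, 0, 0)
    if zone is None:
        raise ValueError("%s needs an interface, e.g. %s%%eth0" % (addr, addr))
    scope_id = int(zone) if zone.isdigit() else socket.if_nametoindex(zone)
    return (str(addr), port, 0, scope_id)

if __name__ == "__main__":
    for sample in ("192.168.0.10", "fe80::1", "fe80::1%3", "2001:db8::1"):
        print(sample, describe(sample))
```

Passing the tuple from sockaddr() to socket.bind() on an AF_INET6 socket is what makes the interface choice explicit; a bare fe80:: address is rejected before any socket is touched.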

So, it all seems neat and cleaner under IPv6. I bet there’ll be some sort of problem with this shift of view? :-)

Posted by mattia as ipv6 at 10:09 PM CET


October 21st, 2007

Weekend stuff

People usually go to the seaside at the weekend. But here it was snowing. So, I thought about setting up some geeky stuff.

First of all, the upgrade of my Ubuntu server to Gutsy Gibbon. Quite smooth, even if I did it via ssh and with an ever-dropping connection. Only Apache complained about port 443 being used by someone else, and it was itself. I removed it from /etc/apache2/ports.conf, since it was already present in /etc/apache2/mods-enabled/ssl.conf.

Second: now I have an Alpha server at home. I had some difficulty, since I had never worked on an Alpha nor done it via serial line (given the Alpha was configured to use only the serial line as input/output). But, at last, ralph the Alpha is up. Ralph, just like Ralph Waldo Emerson, oh my dear, nothing less. aboot - the boot system for Alpha servers with SRM consoles (a wonderful thing, by the way) - still does not boot up right, complaining about an unknown zip compression, but when I give it the boot parameters by hand, it starts smoothly. I just had to add a console=ttyS0 by hand and the corresponding entry in /etc/inittab, and it was all ok. It’ll start crunching numbers (see: running antispam, computing graphs and keeping the MySQL db) as soon as I can configure it. Veeeeery nice.

Posted by mattia as apache, ubuntu at 10:05 PM CEST


October 1st, 2007

Wonder why: restructured text in Zope’s README.txt

In the Developer Book of Zope they tell you that if you put a README.txt file in the root directory of your brand new product, a new README tab will appear in the Control Panel (not in the product’s instances, beware). Apart from the fact that this isn’t really true (I suspect it looks for the existence of version.txt too; which, by the way, must be written something like “Product-x.x.x”, with the dash in the middle, to be recognized), it isn’t really true that any restructured text is accepted, at least in Zope 2.10. The problem is that the normal way of writing sections like this doesn’t work:

Section 1
=========
Hello!

You must use indentation instead:

Section 1
    Hello!

And everything works ok. Oh well, one more strange thing under the sun.

Posted by mattia as zope at 10:46 PM CEST
