[CentOS] transition to ip6

Sat Mar 31 00:55:57 UTC 2012
Tilman Schmidt <t.schmidt at phoenixsoftware.de>

On 30.03.2012 20:23, Bob Hoffman wrote:
> I imagine some day in the near future there will be a switch to ipv6.

Wrong. There will be no switch. IPv6 is just being added while
IPv4 continues to function. Both will coexist for a long time yet.

> I cannot imagine ever remembering the ip address then...crazy.

Don't worry. You will. Well, not the autoconfigured ones for sure,
but those you choose yourself, they'll cling to your brain after
some time just as 192.168 does today.

> My question, since I have never done ip6 stuff, is what does that mean
> on my webservers?

Not much, really. You just give them IPv6 addresses and they'll work
with them just like they do with the IPv4 addresses today.

> Would I just need to replace my ip4 with ip6 in my eths, bonds, bridges, 
> and configuration files...and copy out my iptables to ip6tables, and 
> change the dns servers?

That would be a really bad transition plan. Don't switch - migrate.
Don't replace IPv4 - add IPv6 alongside. IPv6 is designed to coexist
with IPv4.

> anything especially daunting to make that switch (save from someone 
> having to do that on 100 computers really fast!!)

DNS reverse zones take some getting used to.
Apart from that, it's really straightforward and doesn't differ
that much from setting up an IPv4 address range:

1. Get a suitable IPv6 address range from your provider.
The regular size for companies is /48, but a /56 is fine too.
(If your provider is unable to give you one, get a better provider.
If you have a really good reason for sticking with a provider that
is so behind the times that it still cannot provide IPv6, you
might use a tunnel broker, but that's a bit more complicated.)
Also create an IPv6 reverse DNS zone for your address range on your
DNS server and get it delegated from your provider so that you can
manage reverse resolution yourself. (Otherwise you'll have to ask
your provider to create every PTR RR you need for you.)

2. Configure your firewall to route and announce a /64 subnet of
the IPv6 address range you got to each of your LANs.

3. Give your machines IPv6 addresses in addition to their IPv4
ones. (Many of them will have gotten one automatically already via
autoconfiguration, but those aren't pretty or easy to remember, so
you may want to assign another one instead or in addition.)
Leave the IPv4 addresses in place so that existing connections will
continue to work.

4. Add those addresses to the machines' DNS entries as AAAA records.
Again, don't remove the IPv4 addresses (A records), they're still
needed for communication partners who aren't IPv6 capable yet.
Also add corresponding PTR records to the IPv6 reverse zone.

That's it. At that point your machines will be reachable via IPv6
in addition to working with IPv4 as before.

(Well, of course there'll be a lot of tedious details like logfile
analyzers not understanding the IPv6 address format, access control
lists needing additional entries for the new addresses, users
phoning the help desk because addresses look strangely different,
etc. But nothing fundamentally new or incomprehensible.)

HTH
Tilman
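
The reverse-zone and record steps above, worked through as an added example that is not part of the original post. The allocation 2001:db8:1234::/48 (documentation prefix), the host name and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values: 2001:db8::/32 is the documentation prefix.
ALLOCATION = "2001:db8:1234::/48"


def reverse_zone(prefix):
    """ip6.arpa zone name to have delegated for a nibble-aligned prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegates on 4-bit (nibble) boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def lan_subnet(prefix, index):
    """The index-th /64 of the allocation, one per LAN (step 2)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64 or not 0 <= index < 1 << (64 - net.prefixlen):
        raise ValueError("no such /64 inside %s" % net)
    return ipaddress.IPv6Network((int(net.network_address) + (index << 64), 64))


def dns_records(fqdn, address, prefix=ALLOCATION):
    """AAAA and PTR lines for a host (step 4); the A record is left alone."""
    addr = ipaddress.IPv6Address(address)
    if addr not in ipaddress.IPv6Network(prefix):
        raise ValueError("%s is outside %s, PTR would land in another zone" % (addr, prefix))
    aaaa = "%s IN AAAA %s" % (fqdn, addr.compressed)
    # reverse_pointer spells out all 32 nibbles, least significant first
    ptr = "%s. IN PTR %s" % (addr.reverse_pointer, fqdn)
    return aaaa, ptr


if __name__ == "__main__":
    print("zone to delegate:", reverse_zone(ALLOCATION))
    lan = lan_subnet(ALLOCATION, 10)
    print("LAN 10 subnet:   ", lan)
    for line in dns_records("www.example.com.", str(lan.network_address + 0x80)):
        print(line)
```

The PTR owner name always ends in the delegated zone name, which is why a /48 or /56 (both nibble-aligned) maps onto a single reverse zone.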