
Sunday, November 30, 2008

IPv6 Nameserver Glue

Looks like we will be moving our domain registrations to another provider shortly. We are currently with Dotster for cost and ease of administration (mostly cost), but when I inquired about adding IPv6 glue for our nameserver records they were without clue. After repeated requests I finally got through to a tech who proclaimed that nobody is using IPv6 and they have no demand.

SIXXS.net confirms this. Looks like Network Solutions might be getting a little more business.

Now if only a few thousand other people moved their registrations for this reason we might pop up on the radar.

Linux IPv6 MTU issues

I'm seeing an annoying issue with Ubuntu 8.10 and IPv6. It appears that the Linux OS is sending packets larger than 1500 bytes out of a gigabit Ethernet interface which is configured for a 1500 byte MTU.

This is easy to reproduce with a dual stack machine. Just SCP/FTP a file down via IPv4 and one via IPv6. You will only see about 10% of the IPv4 throughput on the v6 transfer. A tcpdump or Wireshark capture will confirm that packets sourced from the Linux machine are larger than 1500 bytes, sometimes 10x the size. When the network connecting these two machines only supports 1500 bytes, all these oversized packets get dropped.

I've opened a case with the Ubuntu guys -- https://bugs.launchpad.net/ubuntu/+source/linux/+bug/254622

However, I'm seeing similar results on CentOS 5.2 so I'm thinking it's less distro specific.

I haven't really heard of anyone else noticing this, which makes me wonder if I'm missing something painfully simple in the configuration, or nobody is really serving any IPv6 content off a server with a 2.6 kernel.

Anyone else seeing this?

Monday, November 3, 2008

Cisco ASA & IPv6 Failover

When we began planning the upgrade of our corporate infrastructure to fully support IPv6 in a dual-stack configuration, one of the earliest stumbling blocks came from an unexpected source – our Cisco ASA security appliances. By the time we’d begun our changes Cisco ASAs and PIXes had already been supporting IPv6 for a full three years (since release 7.0 in mid-2005), so I was expecting a feature-complete IPv6 product.

Initial configuration went smoothly (via the CLI, as the ASDM does not currently support IPv6 commands), but IPv6 connectivity through the ASA was spotty at best. Digging into the problem, we discovered that the Primary and Standby ASA were both transmitting router advertisements with the same priority, and that most of the hosts were sending their non-local packets to the link-local address of the Standby ASA, which was duly discarding them. A Cisco TAC request confirmed that IPv6 failover configuration will not be supported until 8.2. Timeframe for release of 8.2? Unknown.

How could IPv6 and critical enterprise functionality such as Failover be mutually exclusive, especially after three years and one full major release (IPv6 functionality was introduced in 7.0 – as of this writing the current version is 8.04)? This tells me that NO enterprises (0.000%) running Cisco ASAs have deployed IPv6 in their existing production environments. Since Cisco is the market share leader in the firewall segment, one has to wonder what percentage of North American companies have even begun planning for the approaching IPv4 exhaustion.
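The duplicate router advertisement condition described above can be checked from a packet capture. The following is an added example, not code from the original post or from Cisco: it parses ICMPv6 Router Advertisement headers and reports every preference level at which more than one router offers itself as a default router. It assumes the "priority" in the post corresponds to the RFC 4191 default router preference field; the helper names and the sample link-local addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

# RFC 4191 2-bit Prf field; the reserved value 0b10 must be treated as medium.
PRF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}

def parse_ra(icmp6: bytes) -> dict:
    """Parse the fixed 16-byte header of an ICMPv6 Router Advertisement (type 134)."""
    if len(icmp6) < 16:
        raise ValueError("truncated Router Advertisement")
    msg_type, code, _cksum, _hops, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", icmp6[:16])
    if msg_type != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    # Flags byte layout: M | O | H | Prf (2 bits) | reserved (3 bits)
    return {"lifetime": lifetime, "preference": PRF_NAMES[(flags >> 3) & 0x3]}

def competing_default_routers(observations):
    """observations: iterable of (link-local source address, raw ICMPv6 bytes).

    Returns {preference: sorted sources} for each preference level at which
    more than one source advertises a non-zero router lifetime.
    """
    by_pref = defaultdict(set)
    for src, raw in observations:
        ra = parse_ra(raw)
        if ra["lifetime"] > 0:  # lifetime 0 means "not a default router"
            by_pref[ra["preference"]].add(src)
    return {p: sorted(s) for p, s in by_pref.items() if len(s) > 1}

def build_ra(prf_bits: int, lifetime: int) -> bytes:
    """Build a constructed sample RA header (checksum left at 0, not validated)."""
    return struct.pack("!BBHBBHII", 134, 0, 0, 64, prf_bits << 3, lifetime, 0, 0)

# Constructed sample capture; the addresses are made up for this example.
SAMPLE = [
    ("fe80::1", build_ra(0b00, 1800)),  # primary unit
    ("fe80::2", build_ra(0b00, 1800)),  # standby unit, same preference
    ("fe80::3", build_ra(0b00, 0)),     # router not offering a default route
]

if __name__ == "__main__":
    for pref, routers in competing_default_routers(SAMPLE).items():
        print(f"{len(routers)} default routers at preference {pref}: {routers}")
```

Hosts that see two default routers at the same preference may pick either one, which matches the symptom of traffic landing on the standby unit's link-local address.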