IPv6 only network


IPv6 only network

xpro6000
Unfortunately my ISP does not provide an IPv6 IP. I need to create an IPv6-only network so I can test an iPhone app, as required by the Apple store

https://developer.apple.com/support/ipv6/

What I did was create a VPS with IPv6 support and add the following to squid.conf:

http_port 3001
acl port1 myport 3001
tcp_outgoing_address 2001:19f1:9232:d4d:b757:3535:1910:412e port1
server_persistent_connections off

The config above works fine. If the website supports IPv6, it does use that IPv6 IP. But Squid uses IPv4 if the website does not support IPv6.

Is there any way to prevent Squid from using IPv4 for outgoing connections?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: IPv6 only network

Amos Jeffries
Administrator
On 31/10/17 18:34, xpro6000 wrote:
> Unfortunately my ISP does not provide an IPv6 IP, I need to create an
> only IPv6 network so I can test an iphone app as required by the Apple store
>
> https://developer.apple.com/support/ipv6/
>

Squid's default behaviour is to follow BCP 177. So any use of IPv4 is a
strong indication that the server used by your app is having IPv6
connectivity issues.

See "Limitations of Local Testing" at
<https://developer.apple.com/library/ios/documentation/NetworkingInternetWeb/Conceptual/NetworkingOverview/UnderstandingandPreparingfortheIPv6Transition/UnderstandingandPreparingfortheIPv6Transition.html#//apple_ref/doc/uid/TP40010220-CH213-SW1>.


> What I did was, I created a VPS with IPv6 support, I added the following
> to squid.conf
>
> http_port 3001
> acl port1 myport 3001

Use "myportname" ACL type. 'myport' is deprecated.

> tcp_outgoing_address 2001:19f1:9232:d4d:b757:3535:1910:412e port1
> server_persistent_connections off

Why disable persistence? It has nothing to do with IPv4 vs IPv6.

>
> The config above works fine. If the website supports IPv6, it does use
> that IPv6 IP. But Squid uses IPv4 if the website does not support IPv6
>
> Is there anyway to prevent Squid to use IPv4 for outgoing connections?
>

IPv4 is not yet an optional protocol so technically no. But there are
several ways to safely achieve IPv6-only traffic:

* some DNS resolvers can be configured not to deliver A records.

* ensure the NIC of the machine running Squid has no IPv4 addresses.

* ensure that IPv4 space is all non-routable.

* ensure your Squid machine's firewall is configured to reject (_not_
drop) IPv4 packets.


Notice how all of those are things you would need to do to make your
network *actually* IPv6-only and have nothing directly to do with Squid.

Amos
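
The firewall option from the list above, sketched for iptables as an added example that is not part of the original thread. The function prints an iptables-restore ruleset that rejects (rather than drops) new outbound IPv4 connections, so an attempt to reach an IPv4-only site fails immediately instead of waiting for a timeout, while replies to inbound IPv4 clients on the proxy port still pass. The function names, the optional IPv4 resolver arguments and the sample address 192.0.2.53 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Prints IPv4 filter rules for the Squid host.
# Apply as root (replaces the current IPv4 filter table):
#   ipv4_egress_reject_rules 192.0.2.53 | iptables-restore
# ip6tables is left untouched, so IPv6 egress keeps working.

# Return 0 only for a dotted-quad literal with every octet in 0..255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Arguments (optional, an assumption of this example): IPv4 DNS resolvers that
# must stay reachable when the host's resolvers have no IPv6 address.
ipv4_egress_reject_rules() {
    for r in "$@"; do
        is_ipv4 "$r" || { echo "not an IPv4 address: $r" >&2; return 2; }
    done
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections that arrived over IPv4 (proxy clients, admin SSH).
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for r in "$@"; do
        echo "-A OUTPUT -d $r -p udp --dport 53 -j ACCEPT"
        echo "-A OUTPUT -d $r -p tcp --dport 53 -j ACCEPT"
    done
    # Everything else that is new and IPv4 gets an active refusal:
    # a TCP RST for TCP, ICMP port-unreachable for the rest. No DROP rules.
    echo '-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset'
    echo '-A OUTPUT -j REJECT --reject-with icmp-port-unreachable'
    echo 'COMMIT'
}
```

With IPv4 resolvers still allowed, Squid continues to receive A records; it is the REJECT rules that make those destinations fail fast.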

Re: IPv6 only network

xpro6000
Since at home I only have IPv4, I can't fully disable IPv4 on the Squid server OS. I think the best option for me would be to configure iptables to reject IPv4 on any port other than port "3001", which is the port Squid is accepting IPv4 connections on. Would that be possible with iptables?

Re: IPv6 only network

Alex Rousskov
In reply to this post by Amos Jeffries
On 10/31/2017 01:13 AM, Amos Jeffries wrote:

> Why disabling persistence? it has nothing to do with IPv4 vs IPv6.

FWIW, the author is correctly following squid.conf instructions: "The
use of this directive using client dependent ACLs is incompatible with
the use of server side persistent connections. To ensure correct results
it is best to set server_persistent_connections to off when using this
directive in such configurations."

As you know, the tcp_outgoing_address directive has an implicit (but
documented) "preserve selected address family" rule which makes it
useless for directing requests to IPv6 servers.

Squid appears to lack a good general-purpose knob to route traffic to a
particular address family: The address resolution code accepts any
supported family, and the address selection code has no family
discrimination code either. Adding destination_access or a similar new
configuration directive (with a few new ACLs?) would address this and
similar use cases.

Alex.


> acl port1 myport 3001

> tcp_outgoing_address 2001:19f1:9232:d4d:b757:3535:1910:412e port1

> server_persistent_connections off
