19 Apr 2011 Awesome self-paced IPv6 certification from HE.net
Wow, look at that! I’m a certified “IPv6 Sage”. Cool. For more details, click on that image or just follow this link. By no means am I going to consider myself an IPv6 expert but thanks to the fine folks at Hurricane Electric I was able to go through a really nice online IPv6 oriented certification process.
The really nice thing about the certification process is that it’s not something that you can trivially skate through simply by using Google to find the online test answers. Nope! In order to proceed through the certification levels there are various points at which you have to “prove” that you are in administrative control of various IPv6 enabled services.
The first such hurdle occurs when you have to show that you control an IPv6-aware webserver. A short code is given to you and you have to create a file on that web server containing the code. The HE certification server uses an IPv6-only HTTP client to fetch the document.
The levels progress and at various points you have to be running an IPv6-aware mailserver so that a special code can be sent via email. After that the physical tests largely step down to verifying that you control (or are able to manage) the DNS servers for your domain, including IPv6 AAAA records for “forward” resolution and the ip6.arpa zone files for reverse lookups as well. The “final” external test is to verify the presence of IPv6 “glue” records that allow IPv6-only clients to sensibly use your DNS information. Overall a nice mixture of online quiz taking plus actual concrete steps that you need to set up and debug in the real world.
MY FIRST IPv6 WEBSITE! Yes the URL is http://[2001:0470:0008:0cbe:0224:36ff:feef:d41d]/
All of this is especially timely considering that the Internet ran out of new v4 IP address blocks in February of 2011. IT people and nerds like myself are running out of time to wrap our heads around the shiny new IPv6 enabled future.
Hold on … back up a step. How did you get IPv6 working?
It was actually not that bad. I have a Business IP internet service in my home office provided by the business sales side of Comcast. As you can see by visiting http://www.comcast6.net/ Comcast does not actually offer direct IPv6 service to their customer base just yet. The Comcast network itself is already running IPv6 but they are only doing trials at this point with a few thousand beta customers apparently.
This is where http://tunnelbroker.net/ saves the day (another fine service run by the folks at Hurricane Electric…). This is a free service that will set up a tunnel between any IPv6-capable device on your own network and the IPv6 routers operated by HE.net.
As part of the tunnelbroker.net process you get an IPv6 address block allocation that will be used for the IPv6 devices at your end of the tunnel. I got a standard routed /64 block: 2001:470:8:cbe::/64 for my allocation. If needed I can also request a much larger /48 block for the same tunnel.
Just for the curious: in a single /64 IPv6 block there are 18,446,744,073,709,551,616 (18 quintillion) unique IP addresses. Of course, the first and last are not used, so you lose 2 which TOTALLY sucks. See why moving from IPv4 to IPv6 makes sense? Who would not want 18 quintillion IP addresses of their very own? Hell, I pay Comcast an extra ~20 bucks a month just to get 15 public IPv4 addresses.
Besides the tunnel, you need an IPv6 endpoint on your own network. This can be a Linux, Mac OS X or Windows machine (IPv6 aware for many years now…) or it can be a hardware device like your internet gateway or wireless router. I was fortunate to have two pieces of hardware that would work — my Apple Airport Extreme wireless router and the Juniper SSG-5 firewall/security appliance. Both devices support the sorts of IPv6 tunnels we need to use.
I ended up using the Airport Extreme to set up and maintain the IPv6 tunnel. The first “aha!” moment came seconds after making the tunnel configuration entries and rebooting the router — it was simply amazing to see my IPv6 desktop, VM and server hosts instantly pick up and autoconfigure themselves! The stateless autoconfiguration and neighbor discovery protocols baked into IPv6 have to be seen to be believed, especially if you (like me!) have wasted hours manually configuring IP addresses into hardware or standing up complex DHCP servers.
IPv6 Tunnel Configuration for Airport Extreme wireless router
The key in the next few pictures is to note how the IPv6 /64 prefix I was assigned for my tunnel (“2001:470:8:cbe”) automatically becomes the base prefix for the computers on my home network that had IPv6 enabled. No manual configuration required, it all happens automatically should you choose to allow it.
Automatic IPv6 address configuration on Mac OS X
Automatic IPv6 address configuration on Linux
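How such an autoconfigured address is put together, as an added example that is not part of the original post: the web server address shown earlier carries the ff:fe pattern of a modified EUI-64 interface ID, so the host's MAC address can be read back out of it, which is worth knowing before publishing these addresses in DNS. The prefix and web server address come from the post; the second address in the demo is constructed.

```python
import ipaddress

PREFIX = "2001:470:8:cbe::/64"                    # routed /64 from the post
WEB = "2001:0470:0008:0cbe:0224:36ff:feef:d41d"   # web server address from the post

def mac_to_interface_id(mac: str) -> int:
    """Modified EUI-64: insert ff:fe in the middle of the MAC and flip the U/L bit."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from the advertised /64 and its own MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC expects a /64 prefix")
    return net[mac_to_interface_id(mac)]

def embedded_mac(addr: str):
    """Return the MAC an EUI-64 style address reveals, or None without the ff:fe marker."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # heuristic: privacy (RFC 4941) or manually chosen interface ID
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)

if __name__ == "__main__":
    mac = embedded_mac(WEB)
    print("in prefix:   ", ipaddress.IPv6Address(WEB) in ipaddress.IPv6Network(PREFIX))
    print("embedded MAC:", mac)
    print("rebuilt:     ", slaac_address(PREFIX, mac))
    # Constructed address with a random-looking interface ID: nothing to recover.
    print("random IID:  ", embedded_mac("2001:470:8:cbe:91c3:5a7e:40b2:6d18"))
```

Hosts that should not expose a stable hardware identifier can use temporary (RFC 4941) or stable opaque (RFC 7217) interface IDs instead; servers that need a fixed AAAA record usually get a manually assigned address.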
What you need to pass the certification process
I was able to step through the certification process in about three days, wedging my work in and around free time and employee obligations. Much of the time consumed actually comes from waiting for DNS changes to propagate.
That said, there are a few things that you’ll need to own/have/control if you want to progress through all of the certification steps up to the “Sage” level …
- A domain name that you have administrative control over, including the ability to change the nameservers if required
- An IPv6 aware web server
- An IPv6 aware email server
- Your own DNS server or the use of a DNS hosting provider that lets you enter AAAA records
- Solid understanding of DNS and zone records, up to and including the ability to run a local BIND server yourself if you have to…
Those requirements are not all that bad. A single Linux VM or server can handle the IPv6 tunnel, the webserver, the mailserver and the DNS server (if needed) simultaneously.
Here is what I used specifically for the certification process:
- The throwaway vanity domain “chrisdag.me” since I already owned it and was not doing anything important with it. Consider this a good excuse to go out and get a vanity or test domain if you don’t already have one of your own!
- Hosted DNS from www.zoneedit.com
- IPv6 tunnel service from www.tunnelbroker.net
- Apple Airport Extreme wireless router to actually implement the IPv6 tunnel
- A CentOS Linux virtual machine to run the required web and email server & also for experimentation and playing around with ping, traceroute, dig and other network tools
The only other major thing was that I got lazy and moved my DNS and nameservers for the “chrisdag.me” domain from zoneedit.com over to the free HE.net DNS service operated at https://dns.he.net/ – the main reason is that Hurricane Electric makes it easy to manage IPv6 aware forward and reverse DNS in a very straightforward process and you KNOW their DNS framework is going to be IPv6 battle tested. I probably should have forced myself to delegate reverse DNS responsibilities to my own local DNS server as it would have been harder and I would have learned more. Doing forward and reverse DNS with the Hurricane Electric systems removed a lot of the complexity and just plain made things easier. I’d recommend using dns.he.net as a starting point for certification although I’m already thinking of redoing the process with my own DNS server just to prove that I really do understand the syntax and configuration of the zone records involved.
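For anyone doing the reverse DNS by hand, this added example (not part of the original post) derives the ip6.arpa zone name for the routed /64, the PTR owner name for the web server address, and checks that forward and reverse records agree. The prefix and web server address come from the post; the hostnames and the mail address are constructed placeholders.

```python
import ipaddress

PREFIX = "2001:470:8:cbe::/64"                    # routed /64 from the post
WEB = "2001:0470:0008:0cbe:0224:36ff:feef:d41d"   # web server address from the post

def reverse_zone(prefix: str) -> str:
    """ip6.arpa zone name for a nibble-aligned prefix (a /64 gives 16 labels)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix must end on a 4-bit boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def ptr_owner(addr: str) -> str:
    """Fully qualified PTR owner name: 32 reversed nibbles under ip6.arpa."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."

def check_fcrdns(aaaa: dict, ptr: dict) -> list:
    """Compare forward (name -> address) and reverse (owner -> name) data."""
    problems = []
    for name, addr in aaaa.items():
        target = ptr.get(ptr_owner(addr))
        if target is None:
            problems.append(f"{name}: no PTR for {addr}")
        elif target.lower() != name.lower():
            problems.append(f"{name}: PTR points to {target}")
    forward = {ptr_owner(a) for a in aaaa.values()}
    problems += [f"{o}: PTR without matching AAAA" for o in ptr if o not in forward]
    return problems

# Constructed zone data: hostnames and the mail address are placeholders.
AAAA = {"www.example.net.": WEB, "mail.example.net.": "2001:470:8:cbe::25"}
PTR = {ptr_owner(WEB): "www.example.net."}

if __name__ == "__main__":
    print("reverse zone:", reverse_zone(PREFIX))
    print("PTR owner:   ", ptr_owner(WEB))
    for problem in check_fcrdns(AAAA, PTR):
        print("problem:     ", problem)
```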
I’d recommend this online certification process for anyone involved with IT or networking. This IPv6 stuff is something we are all going to have to be comfortable with sooner rather than later. I really learned a heck of a lot in a fun and self-paced way.