
Archive for the ‘IPv6’ Category

Is the Public Cloud Ready for IPv6?

When connecting machines over the public Internet (or over private networks), we use IPv4 addresses.

For many years we have heard about IPv4 address exhaustion, meaning that at some point in the future we will not be able to request new IPv4 addresses to connect over the public Internet.

We have all heard that the IPv6 address space will solve this problem, but will it?

In this blog post, I will try to compare common use cases for using cloud services and see if they are ready for IPv6.

Before we begin, when working with IPv6, we need to clarify what “Dual Stack” means – A device with dual-stack implementation in the operating system has an IPv4 and IPv6 address, and can communicate with other nodes in the LAN or the Internet using either IPv4 or IPv6.

Source: https://en.wikipedia.org/wiki/IPv6

Step 1 – Cloud Network Infrastructure

The first step in building our cloud environment begins with the network services.

The goal is to be able to create a network environment with subnets, an access control list, be able to create peering between cloud accounts (for the same cloud provider), and get ingress access to our cloud environment (either from the public Internet or from our on-premise data center).

Vendor documentation:

  • AWS VPC that supports IPv6 addressing

https://docs.aws.amazon.com/vpc/latest/userguide/get-started-ipv6.html

  • What is IPv6 for Azure Virtual Network?

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/ipv6-overview

  • Google VPC networks

https://cloud.google.com/vpc/docs/vpc

Step 2 – Private Network Connectivity – Managed VPN Services

Now that we have a network environment in the cloud, how do we connect to it from our on-premise data center using Site-to-Site VPN?

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Hybrid connectivity design – Amazon-managed VPN

https://docs.aws.amazon.com/whitepapers/latest/ipv6-on-aws/hybrid-connectivity-design.html#amazon-managed-vpn

  • Google Cloud VPN overview – IPv6 support

https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview#ipv6_support

Step 3 – Private Network Connectivity – Dedicated Network Connections

Assuming we managed to create a VPN tunnel between our on-premise data center and the cloud environment, what happens if we wish to set up a dedicated network connection (and have low latency and promised bandwidth)?

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Hybrid connectivity design – AWS Direct Connect

https://docs.aws.amazon.com/whitepapers/latest/ipv6-on-aws/hybrid-connectivity-design.html#aws-direct-connect

  • Add IPv6 support for private peering using the Azure portal

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-add-ipv6-portal

  • Create and manage ExpressRoute public peering

https://learn.microsoft.com/en-us/azure/expressroute/about-public-peering

  • Can I reach my instances using IPv6 over Cloud Interconnect?

https://cloud.google.com/network-connectivity/docs/interconnect/support/faq#ipv6

Step 4 – Private Network Connectivity – Resources on the subnet level

We have managed to provision the network environment in the cloud using IPv6.

What happens if we wish to connect to managed services using private network connectivity (inside the cloud provider’s backbone and not over the public Internet)?

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Expedite your IPv6 adoption with PrivateLink services and endpoints

https://aws.amazon.com/blogs/networking-and-content-delivery/expedite-your-ipv6-adoption-with-privatelink-services-and-endpoints

  • Create a Private Link service by using the Azure portal

https://learn.microsoft.com/en-us/azure/private-link/create-private-link-service-portal?tabs=dynamic-ip

Step 5 – Name Resolution – Managed DNS Service

In the previous step we configured network infrastructure, now, before provisioning resources, let us make sure we can access resources, meaning having a managed DNS service.

By name resolution, I mean both external customers over the public Internet and name resolution from our on-premise data centers.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Designing DNS for IPv6

https://docs.aws.amazon.com/whitepapers/latest/ipv6-on-aws/designing-dns-for-ipv6.html

  • Azure DNS FAQ

https://learn.microsoft.com/en-us/azure/dns/dns-faq

  • General Google Cloud DNS overview

https://cloud.google.com/dns/docs/dns-overview

Step 6 – Resource Provisioning – Compute (Virtual Machines)

In the previous steps we have set up the network infrastructure and name resolution, and now it is time to provision resources.

The most common resource we can find in IaaS is compute or virtual machines.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Amazon EC2 IPv6 addresses

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#ipv6-addressing

  • Create an Azure Virtual Machine with a dual-stack network using the Azure portal

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/create-vm-dual-stack-ipv6-portal

  • Configuring IPv6 for instances and instance templates

https://cloud.google.com/compute/docs/ip-addresses/configure-ipv6-address

Step 7 – Resource Provisioning – Compute (Managed Kubernetes)

Another common use case is to provision containers based on a managed Kubernetes service.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Running IPv6 EKS Clusters

https://aws.github.io/aws-eks-best-practices/networking/ipv6/

  • Use dual-stack kubenet networking in Azure Kubernetes Service (AKS) (Preview)

https://learn.microsoft.com/en-us/azure/aks/configure-kubenet-dual-stack?tabs=azure-cli%2Ckubectl

  • GKE – IPv4/IPv6 dual-stack networking

https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips#dual_stack_network

Step 8 – Resource Provisioning – Compute (Serverless / Function as a Service)

If we have already managed to provision VMs and containers, what about provisioning serverless or Function as a Service?

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • AWS Lambda now supports Internet Protocol Version 6 (IPv6) endpoints for inbound connections

https://aws.amazon.com/about-aws/whats-new/2021/12/aws-lambda-ipv6-endpoints-inbound-connections

Step 9 – Resource Provisioning – Managed Load Balancers

If we are planning to expose services either to the public Internet or to allow connectivity from our on-premises data center, we will need to use a managed load-balancer service.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Application Load Balancer and Network Load Balancer end-to-end IPv6 support

https://aws.amazon.com/about-aws/whats-new/2021/11/application-load-balancer-network-load-balancer-end-to-end-ipv6-support

  • Overview of IPv6 for Azure Load Balancer

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-ipv6-overview

  • GCP – IPv6 termination for External HTTP(S), SSL Proxy, and External TCP Proxy Load Balancing

https://cloud.google.com/load-balancing/docs/ipv6

Step 10 – Resource Provisioning – Managed Object Storage

The next step after provisioning compute services is to allow us to store data in an object storage service.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • Making requests to Amazon S3 over IPv6

https://docs.aws.amazon.com/AmazonS3/latest/userguide/ipv6-access.html

Step 11 – Resource Provisioning – Managed Database Services

Most of the applications we provision require a backend database to store and retrieve data.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • IPv6 addressing with Amazon RDS

https://aws.amazon.com/blogs/database/ipv6-addressing-with-amazon-rds

  • Connectivity architecture for Azure SQL Managed Instance – Networking constraints

https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/connectivity-architecture-overview?view=azuresql&tabs=current#networking-constraints

Step 12 – Protecting Network Access – Managed Firewall Services

If we are planning to expose services to the public Internet using IPv6 or to allow access from on-premises, we need to consider a managed network firewall service.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • AWS Network Firewall announces IPv6 support

https://aws.amazon.com/about-aws/whats-new/2023/01/aws-network-firewall-ipv6-support

Step 13 – Protecting Network Access – Managed DDoS Protection Services

On the topic of exposing services to the public Internet, we need to take into consideration protection against DDoS attacks.

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • AWS Shield FAQs

https://aws.amazon.com/shield/faqs

  • About Azure DDoS Protection SKU Comparison

https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-sku-comparison

  • Google Cloud Armor – Security policy overview

https://cloud.google.com/armor/docs/security-policy-overview

Step 14 – Protecting Network Access – Managed Web Application Firewall

We know that protection against network-based attacks is possible using IPv6.

What about protection against application-level attacks?

Let us compare the cloud providers’ alternatives:

Vendor documentation:

  • IPv6 Support Update – CloudFront, WAF, and S3 Transfer Acceleration

https://aws.amazon.com/blogs/aws/ipv6-support-update-cloudfront-waf-and-s3-transfer-acceleration

  • What is Azure Front Door?

https://learn.microsoft.com/en-us/azure/frontdoor/front-door-overview

Summary

In this blog post we have compared various cloud services, intending to answer the question – Is the public cloud ready for IPv6?

As we have seen, many cloud services do support IPv6 today (mostly in dual-stack mode), and AWS seems to be more mature than its competitors. However, at the time of writing this post, the public cloud is not ready to handle IPv6-only services.

The day we will be able to develop cloud-native applications while allowing end-to-end IPv6-only addresses, in all layers (from the network, compute, database, storage, event-driven / message queuing, etc.), is the day we know the public cloud is ready to support IPv6.

For the time being, dual stack (IPv4 and IPv6) is partially supported by many services in the cloud, but we cannot rely on end-to-end connectivity.

Additional References

  • AWS services that support IPv6

https://docs.aws.amazon.com/general/latest/gr/aws-ipv6-support.html

  • An Introduction to IPv6 on Google Cloud

https://cloud.google.com/blog/products/networking/getting-started-with-ipv6-on-google-cloud

Hardening guide for Windows 2008 R2 Domain Controller and DNS Server

This guide explains how to install and configure Domain Controller and DNS server based on Windows 2008 R2 platform, for a new forest in a new domain.

Installation phase

  1. Install Windows 2008 R2 server (either Standard or Enterprise edition).
  2. Important note: The first domain controller in the forest root domain must be installed on physical hardware and not as a virtual server.
  3. Log in to the new server for the first time using the administrator account.
  4. Start -> Run -> dcpromo.exe
  5. Click Next twice -> select “Create a new domain in a new forest” -> click Next -> specify the FQDN of the new forest root domain -> click Next -> on the forest functional level, choose “Windows Server 2008 R2” -> click Next -> leave “DNS server” selected and click Next -> click “Yes” on the warning message -> choose a location for the database, logs and sysvol folders -> click Next -> specify a complex password for the Directory Services Restore Mode administrator (and document the password) -> click Next twice -> select “Reboot on completion”.
  6. Allow the server to restart when the installation process completes.
  7. Log in to the new domain controller for the first time using the domain administrator account.
  8. Start -> Run -> cmd.exe
  9. Run the commands below to synchronize the PDC emulator (put its computer name in place of <>) with an external, reliable time source:
    w32tm /config /computer:<> /manualpeerlist:time.windows.com /syncfromflags:manual /update

    exit

  10. Start -> Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
  11. Run the commands below to protect all OUs in the domain from accidental deletion:
    Import-Module ActiveDirectory

    # Find every OU whose protection flag is off and turn it on
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

    exit

  12. Server Manager -> right click on Features -> Add Features -> select “Windows Server Backup Features” -> click Next -> click Install -> click Close.
  13. Start -> Administrative Tools -> Windows Server Backup -> from the Actions pane, click on “Backup Schedule” -> click Next -> choose “Full server” -> Specify a backup time -> click Next -> click the check box for your destination disk -> click Next -> click Yes to confirm that the destination disk will be reformatted -> verify the label for the destination disk -> click Next -> verify the information on the Summary page -> click Finish -> On the Confirmation page -> click Close.
  14. Server Manager -> expand Roles -> expand DNS Server -> expand DNS -> expand the server name -> right click on “Reverse Lookup Zones” -> New Zone -> click Next -> choose “Primary zone” -> leave “Store the zone in Active Directory” checked -> click Next -> select “To all DNS Servers running on domain controllers in this forest” -> click Next -> choose “IPv4 Reverse Lookup Zone” -> click Next -> in the “Network ID” field, enter the first 3 octets of the network segment the domain controller resides in -> click Next -> select “Allow only secure dynamic updates” -> click Next -> click Finish.
  15. Perform the above step for all other network segments in your organization.
  16. From the left pane, expand the server name -> expand “Forward Lookup Zones” -> right click on each zone name -> Properties -> Name Servers tab -> make sure all Windows 2008 R2 DNS servers appear on this list (assuming you have installed more Windows 2008 R2 domain controllers with DNS service) -> Zone Transfers tab -> select “Allow zone transfers” -> select “Only to servers listed on the Name Servers tab” -> click OK.
  17. Perform the above step for all other “Forward Lookup zones” and “Reverse Lookup zones” in your forest.

IPv6 DNS settings

  1. In order to configure an IPv6 address for the DNS server, Start -> Control Panel -> under “Network and Internet”, click on “View network status and tasks” -> click “Change adapter settings” -> right click on the relevant “Local Area Connection” icon -> Properties -> click on “Internet Protocol Version 6 (TCP/IPv6)” -> Properties -> select “Use the following IPv6 address” -> if you are not familiar with IP addressing, you can use 2001:0db8:29cd:1a0f:857b:455b:b4ec:7403 -> enter a Subnet prefix length of 64 -> click OK -> click Close.
  2. Server Manager -> expand Roles -> expand DNS Server -> expand DNS -> expand the server name -> expand “Reverse Lookup Zones” -> right click on “Reverse Lookup Zones” -> New Zone -> click Next -> choose “Primary Zone” -> click Next -> choose “To all DNS servers running on domain controllers in this forest” -> click Next -> choose “IPv6 Reverse Lookup Zone” -> click Next -> on the “IPv6 Address Prefix” field type the IPv6 subnet prefix (in this example: 2001:0db8:29cd:1a0f::/64) -> click Next -> select “Allow only secure dynamic updates” -> click Next -> click Finish.
  3. Right click on the new “Reverse Lookup Zone” -> properties -> Zone Transfers tab -> select “Allow zone transfers” -> select “Only to servers listed on the Name Servers tab” -> click OK.

IPv6 – Problem and some solutions

The Internet is about to face one of the most serious issues in its history: experts have warned that the Internet is running out of addresses and may run out by 2011. Further complicating matters is the slow adoption of a new system intended to vastly increase the available pool.
Currently the web uses IPv4 (Internet Protocol version 4), which uses 32-bit addresses, meaning about 4 billion addresses are available, and about 94 percent of them have already been allocated. There is, however, a new system called IPv6. It uses 128-bit addresses, and the number of available addresses skyrockets.
It is time to start the migration from IPv4 to IPv6.

Here are a couple of articles about the problem:
http://www.betanews.com/article/Internet-has-less-than-a-years-worth-of-IP-addresses-left-say-experts/1279816984

http://www.neowin.net/news/iana-ipv4-addresses-will-dry-up-in-a-year

I have searched the web, and found articles about support and configuration of IPv6 on popular operating systems and applications:

Microsoft Announces IPv6 Technical Preview for Windows 2000:
http://www.microsoft.com/presspass/press/2000/Mar00/IPv6PR.mspx

Installing IPv6 on Windows XP
http://forums.techarena.in/networking-security/1098260.htm

How IIS 6.0 Supports IPv6 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1ecff3af-36c2-41b5-957a-8bcc6fac8abc.mspx?mfr=true

Changes to IPv6 in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878121.aspx

Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878108.aspx

DNS Enhancements in Windows Server 2008
http://technet.microsoft.com/en-us/magazine/2008.01.cableguy.aspx

Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

Using IPv6 with IIS7
http://blogs.iis.net/nazim/archive/2008/05/03/using-ipv6-with-iis7.aspx

IPv6 Support in Exchange 2007 SP1 and SP2
http://technet.microsoft.com/en-us/library/bb629624(EXCHG.80).aspx

Red Hat / CentOS IPv6 Network Configuration
http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/

IPv6 on Fedora Core mini-HOWTO
http://linux.yyz.us/ipv6-fc2-howto.html

Adding IPv6 to Ubuntu systems
http://knowledgelayer.softlayer.com/questions/468/Adding+IPv6+to+Ubuntu+systems

Enabling IPv6 on a Network (Solaris 10)
http://docs.sun.com/app/docs/doc/819-3000/ipv6-config-tasks-1?a=view

Building a Linux IPv6 DNS Server
http://www.linuxjournal.com/article/6541

Networking IPv6 User Guide for J2SDK/JRE 1.4
http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/net/ipv6_guide/index.html

Networking IPv6 User Guide for JDK/JRE 5.0
http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/net/ipv6_guide/index.html

Apache Talking IPv6
http://www.linuxjournal.com/article/5451

How-to IPv6 in Globus Toolkit 3
http://www.cs.ucl.ac.uk/staff/sjiang/webpage/how-to-IPv6-Globus.htm

Enabling IPv6 Support in Nginx
http://kovyrin.net/2010/01/16/enabling-ipv6-support-in-nginx/

IPv6 Support in iOS 4
http://isc.sans.edu/diary.html?storyid=9058

IPv6 – Cisco Systems
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html

Cisco – IP version 6 Introduction
http://ciscosystems.com/en/US/tech/tk872/tk373/tsd_technology_support_sub-protocol_home.html

Hewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites
http://h10026.www1.hp.com/netipv6/Ipv6.htm

EMC Product Support for IPv6
http://india.emc.com/products/interoperability/ipv6.htm

Nokia IPv6 How To
http://www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/techwhitepaper_ipv6_howto.pdf