Easy, bare IPv6 test without DNS: ping 2600::

If you want to test IPv6, without DNS involved, that's easy: ping to 2600::

Fun fact: 2600:: is owned by telco Sprint, and "2600 hertz (2600 Hz) is a frequency in hertz (cycles per second) that was used in telecommunication signaling in mid-20th century long-distance telephone networks using carrier systems". Coincidence ... ?

Linux:

$ ping -c5 2600::

PING 2600::(2600::) 56 data bytes

64 bytes from 2600::: icmp_seq=1 ttl=53 time=13.3 ms

64 bytes from 2600::: icmp_seq=2 ttl=53 time=14.3 ms

64 bytes from 2600::: icmp_seq=3 ttl=53 time=14.4 ms

64 bytes from 2600::: icmp_seq=4 ttl=53 time=14.4 ms

64 bytes from 2600::: icmp_seq=5 ttl=53 time=15.0 ms

--- 2600:: ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 4008ms

rtt min/avg/max/mdev = 13.295/14.281/15.014/0.555 ms

Windows:

PS C:\> ping 2600::

Pinging 2600:: with 32 bytes of data:

Reply from 2600::: time=14ms

Reply from 2600::: time=14ms

Reply from 2600::: time=15ms

Reply from 2600::: time=16ms

Ping statistics for 2600:::

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 14ms, Maximum = 16ms, Average = 14ms

PS C:\>

IPv6 inside WSL2 on Windows

 IPv6 inside WSL2 on Windows

If your Windows has IPv6, by default the WSL (Windows Subsystem for Linux) has no IPv6.

It's easy to solve this (if you use WSL2): in your Windows home directory, create a file .wslconfig to contain this:

[wsl2]

networkingMode=mirrored

You can do this from inside WSL with nano, as long as you make sure it's inside your Windows home directory (so /mnt/c/Users/<windows-user-name/)

If you use notepad from Windows, make sure the .wslconfig has no extension.

Then reboot Windows, start wsl, and "ip address show" should show your IPv6 inside WSL.

Check WSL version

To check that you have WSL2: from Windows, type "wsl.exe -l -v"

PS C:\> wsl -l -v

  NAME      STATE           VERSION

* Ubuntu    Running         2

IPv6 inside docker container

By default, a docker container is behind NAT, and thus has no IPv6.

If the host has IPV6, and you want IPv6 inside the docker docker container, in the container startup, use

--network host

so for example:

docker run -it --network host ubuntu:latest /bin/bash

... and then the docker container has the same IP addresses as the host, thus also IPv6.

For fun: disable IPv4 on Ubuntu and go IPv6-only

People often confuse "IPv6" with "IPv6-only". And then state wrong statements. Pity.

But, hey, Let's try what you happens when you go IPV6-only. So let's turn off IPv4.

On Ubuntu, you can do it like this:

sudo nm-connection-editor

In there, go to your active Wifi network, then go to the tab IPv4 Settings. At Method, select "Disabled".  Click Save.

To activate it, disable Wifi, and enable Wifi. And ... bingo ... IPv6-only!

Results:

Ubuntu works

Google, Microsoft and Facebook work

x.com results in a webpage with an error

A lot of Netherlands government sites work

KLM works, Transavia not

Smaller sites don't work

 Measure IPv6 versus IPv4 traffic on Windows

On Windows, you can see the amount of IPv6 packets:

PS C:\> netsh interface ipv6 show ipstats | find /i """Receives"""

In Receives:                        3606021

... and IPv4 packets:

PS C:\> netsh interface ipv4 show ipstats | find /i """Receives"""

In Receives:                        71758

So, safely assuming IPv6 and IPv4 have about the same mean packet size, 98% of my traffic is IPv6 traffic.

Note: These are packets. To get an indication of the amount of bytes, multiply with something between 1200 and 1500 (= bytes per packet). The above 3606021 IPv6 packets means about 4.3 GB in bytes IPv6 traffic.

let Apache logging show source port for NAT444 forensic logging

With NAT444 / CGNAT, different users share one IPv4 address. So only logging the IPv4 address is not enough to find the specific user; you need to log the source port too. I guess legal intercept logging can then find the individual user.

So ... how do you let Apache webserver log the source IP address plus the source port? Answer: on Ubuntu, in the file /etc/apache2/apache2.conf, as root change the line

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

to

LogFormat "%h:%{remote}p %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

So instead of only the remote IP address %h , the IP address plus the source port :%{remote}p is logged.

Example result from /var/log/apache2/access.log

18.12.12.65:63022 - - [18/Jul/2022:18:16:10 +0200] "GET /dump/ HTTP/1.1" 200 1571 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"

The source port is 63022

Videoland en "Oeps, we konden de video niet afspelen. Het starten van de video is mislukt. Playservice error."

Op Videoland kreeg ik foutmelding "Oeps, we konden de video niet afspelen. Het starten van de video is mislukt. Playservice error.". 

Oorzaak gevonden: mijn IPv6-tunnel via Hurricane Electric. Na het uitschakelen van de IPv6-tunnel kon ik wel Videoland kijken.

Gokje: Videoland beschouwt the IPv6-tunnel als buiten-EU / buiten-Nederland, en weigert daarom met die cryptische melding om af te spelen. En nettere foutmelding (bijv: "u / uw IP-adres xyz komt van buiten de EU, daarom spelen we niet af") zou duidelijker zijn.

Oeps, we konden de video niet afspelen

Het starten van de video is mislukt.

Playservice error

Ah, de Videoland-app geeft een betere foutmelding als de IPv6-tunnel aanstaat: "Videoland is helaas niet beschikbaar in Verenigde Staten"