Sunday, November 3, 2024

IPv6 inside docker container

By default, a docker container is behind NAT, and thus has no IPv6.

If the host has IPv6 and you want IPv6 inside the docker container, use this option when starting the container:


--network host


so for example:


docker run -it --network host ubuntu:latest /bin/bash


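... and then the docker container shares the host's network stack and has the same IP addresses as the host, thus also IPv6. Keep in mind that with --network host the container is no longer isolated from the host's network: any port a process in the container listens on is opened directly on the host's addresses, without Docker's port publishing in between.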


Friday, October 18, 2024

For fun: disable IPv4 on Ubuntu and go IPv6-only

People often confuse "IPv6" with "IPv6-only", and then make incorrect statements. Pity.

But hey, let's see what happens when you go IPv6-only. So let's turn off IPv4.

On Ubuntu, you can do it like this:


sudo nm-connection-editor


In there, go to your active Wifi network, then go to the tab IPv4 Settings. At Method, select "Disabled".  Click Save.

To activate it, disable Wifi and then enable it again. And ... bingo ... IPv6-only!

Results:

Ubuntu works

Google, Microsoft and Facebook work

x.com results in a webpage with an error

A lot of Netherlands government sites work

KLM works, Transavia not

Smaller sites don't work





Monday, July 3, 2023

Measure IPv6 versus IPv4 traffic on Windows



On Windows, you can see the amount of IPv6 packets:


PS C:\> netsh interface ipv6 show ipstats | find /i """Receives"""

In Receives:                        3606021


... and IPv4 packets:


PS C:\> netsh interface ipv4 show ipstats | find /i """Receives"""

In Receives:                        71758


So, safely assuming IPv6 and IPv4 have about the same mean packet size, 98% of my traffic is IPv6 traffic.


Note: These are packets. To get an indication of the number of bytes, multiply by something between 1200 and 1500 (= bytes per packet). The above 3606021 IPv6 packets correspond to about 4.3 GB of IPv6 traffic.


Monday, July 18, 2022

let Apache logging show source port for NAT444 forensic logging

With NAT444 / CGNAT, different users share one IPv4 address. So only logging the IPv4 address is not enough to find the specific user; you need to log the source port too. I guess legal intercept logging can then find the individual user.

So ... how do you let Apache webserver log the source IP address plus the source port? Answer: on Ubuntu, in the file /etc/apache2/apache2.conf, as root change the line

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

to

LogFormat "%h:%{remote}p %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined


So instead of only the remote IP address (%h), the IP address plus the source port (:%{remote}p) is logged.


Example result from /var/log/apache2/access.log


18.12.12.65:63022 - - [18/Jul/2022:18:16:10 +0200] "GET /dump/ HTTP/1.1" 200 1571 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"


The source port is 63022
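An added example (not part of the original post): a Python parser for lines written with the LogFormat above, returning the address, source port and timestamp in UTC, which together are what a CGNAT operator needs to match a connection to a subscriber. It goes one step beyond the IPv4 line shown and also handles IPv6 clients, whose addresses contain colons themselves; the sample lines are constructed (the first is the entry above with a shortened User-Agent).

```python
import ipaddress
import re
from datetime import datetime, timezone

# Matches the start of a line written with
# LogFormat "%h:%{remote}p %l %u %t \"%r\" ..." (the format shown above).
LINE_RE = re.compile(r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)"')

def parse_peer(peer):
    """Split '<address>:<port>' on the LAST colon, so IPv6 addresses survive."""
    host, sep, port = peer.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) <= 65535:
        raise ValueError(f"no source port in {peer!r}")
    try:
        host = str(ipaddress.ip_address(host))  # normalises the IPv6 spelling
    except ValueError:
        pass  # %h is a hostname when HostnameLookups is on; keep it as-is
    return host, int(port)

def parse_line(line):
    """Return address, source port, UTC timestamp and request of one log line."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("line does not match the expected LogFormat")
    host, port = parse_peer(m.group("peer"))
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "address": host,
        "port": port,
        "utc": ts.astimezone(timezone.utc).isoformat(),
        "request": m.group("request"),
    }

# Constructed sample lines; 2001:db8::/32 is the IPv6 documentation prefix.
SAMPLE = [
    '18.12.12.65:63022 - - [18/Jul/2022:18:16:10 +0200] "GET /dump/ HTTP/1.1" 200 1571 "-" "Mozilla/5.0"',
    '2001:db8::1:51514 - - [18/Jul/2022:18:16:11 +0200] "GET / HTTP/1.1" 200 512 "-" "curl/7.81.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
```

Because the port is appended with a colon, it can only be recovered as the field after the last colon; a parser that splits on the first colon misreads every IPv6 client.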


Thursday, June 9, 2022

Videoland and "Oeps, we konden de video niet afspelen. Het starten van de video is mislukt. Playservice error."

On Videoland I got the error message "Oeps, we konden de video niet afspelen. Het starten van de video is mislukt. Playservice error." (in English: "Oops, we could not play the video. Starting the video failed. Playservice error.").

Cause found: my IPv6 tunnel via Hurricane Electric. After switching off the IPv6 tunnel, I could watch Videoland.

My guess: Videoland considers the IPv6 tunnel to be outside the EU / outside the Netherlands, and therefore refuses to play, with that cryptic message. A cleaner error message (e.g. "you / your IP address xyz comes from outside the EU, so we will not play this") would be clearer.






Ah, the Videoland app gives a better error message when the IPv6 tunnel is on: "Videoland is helaas niet beschikbaar in Verenigde Staten" (in English: "Unfortunately, Videoland is not available in United States").




Wednesday, February 16, 2022

PCExtreme with "IPv6-only" VPS ... certain IPv4 traffic is working, from behind NAT

 

PCExtreme offers "Standard Server 1GB IPv6 only" for only €1 ex VAT per month. See https://www.pcextreme.com/cloud-servers/standard

I wanted to try that out, because: how does IPv6-only work in practice? Is that working in 2022?

So I bought a VPS, and now I'm a bit disappointed: the VPS does have IPv4 after all. It's behind NAT. Just like a device on a home LAN with an ISP connection.

However, some of my IPv4 traffic failed, like git connections to special git ports (no problem via https). So I did some research by trying to connect to outside ports.

Some checks: HTTP and HTTPS are both allowed:

port 80 is allowed

port 443 is allowed

SMTP Port 25 is of course not possible:

port 25 not reached


Other ports ... to find out.



Monday, November 5, 2018

Suddenly FD...-addresses, aka Unique Local IPv6 Unicast Addresses

Suddenly I saw IPv6 addresses starting with FD in my ifconfig.

On Linux 3.13:

          inet6 addr: fdd6:5a2d:3f20:0:213:77ff:fefa:63e3/64 Scope:Global
          inet6 addr: fdd6:5a2d:3f20:0:6001:f53f:1e8:3850/64 Scope:Global

and on Linux 4.14:

        inet6 fdd6:5a2d:3f20:0:ce90:a2cc:655b:416e  prefixlen 64  scopeid 0x0


It appears these are "Unique Local IPv6 Unicast Addresses", defined in RFC 4193. They are globally unique (well, at least: very probably unique), and are meant to be used within a site.
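An added example (not part of the original post): a Python function that splits such an address into the fields RFC 4193 defines (L bit, 40-bit Global ID, 16-bit Subnet ID, 64-bit interface ID). It goes one step further than the text and also reports when the interface ID is a modified EUI-64, in which case the address carries the network card's MAC address; the function name and the result keys are my own.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 Unique Local range

def describe_ula(text):
    """Split a Unique Local address into its RFC 4193 fields."""
    # Accept ifconfig-style input such as 'fd..../64' or 'fd....%eth0'.
    addr = ipaddress.IPv6Address(text.split("/")[0].split("%")[0])
    if addr not in ULA:
        raise ValueError(f"{addr} is not in fc00::/7")
    raw = addr.packed          # 16 bytes, network byte order
    iid = raw[8:]              # lower 64 bits: interface ID
    info = {
        "locally_assigned": bool(raw[0] & 0x01),  # L bit, set for fd..
        "global_id": raw[1:6].hex(),               # 40-bit site identifier
        "subnet_id": raw[6:8].hex(),               # 16-bit subnet within the site
        "interface_id": iid.hex(),
        "mac": None,
    }
    # A modified EUI-64 interface ID is the MAC with ff:fe inserted in the
    # middle and the universal/local bit (0x02) of the first byte inverted.
    if iid[3:5] == b"\xff\xfe":
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        info["mac"] = ":".join(f"{b:02x}" for b in mac)
    return info

# The three addresses from the ifconfig output above.
SAMPLE = [
    "fdd6:5a2d:3f20:0:213:77ff:fefa:63e3/64",
    "fdd6:5a2d:3f20:0:6001:f53f:1e8:3850/64",
    "fdd6:5a2d:3f20:0:ce90:a2cc:655b:416e",
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, describe_ula(a))
```

All three addresses share the Global ID the router chose for the site; only the first has an EUI-64 interface ID, so only that one exposes a MAC address to anything that sees or logs the address.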

At first I thought this was a new Linux setting, but these addresses also showed up on my old Ubuntu 14.04.
So ... what is going on? Ah, it's my new Fiber modem/router Genexis Platinum that is providing these addresses.

My use so far: you can use the FD address without specifying the interface. So handier than the FE80 addresses.

I checked a Windows 10 machine, but Windows 10 did not show these addresses. Maybe a Windows policy?

Update (2018-11-11):
Both Android and MacOSX show the FD... addresses too.