Switch to IPv6

[wincent]

As noted here, as of February 1st I'm now paying $7/month for two IP addresses.

• Amazon announcement about charging for IPv4 addresses, starting in February 2024.
• "A new blog post shows you how to use Elastic Load Balancers and NAT Gateways for ingress and egress traffic, while avoiding the use of a public IPv4 address for each instance that you launch."
• Tom's Hardware: "Amazon’s new AWS charge for using IPv4 is expected to rake in up to $1B per year — change should speed IPv6 adoption"
• Superuser (Stack Exchange): "How to turn on IPv6 on an Amazon EC2 instance?"
• Docs: "Amazon EC2 instance IP addressing"

My only concern is how to make the set-up persistent. As noted here (emphasis added):

You can disassociate the IPv6 address on a network interface, and unless you do so, the IPv6 address persists when you stop and start your instance, and is released when you terminate your instance.

So... Does that mean I have to do a tricky synchronized DNS dance every time I want to create and migrate to a new instance? Seems like it probably does. This ServerFault page might provide a useful layer of indirection through Cloudflare:

I made these changes a while back. My EC2 instance has IPv6, private IPv4, and I use CloudFlare as a gateway / proxy / cache. CloudFlare makes the website available on IPv4 or IPv6. It works well. I had to change my Nginx configuration a little to accept IPv6 only.

AWS has a useful tutorial here. The broad steps are:

• Associate an IPv6 CIDR block with your VPC and subnets
• Update your route tables
• Update your security group rules
• Assign IPv6 addresses to your instances

[wincent]

Ok, so I went ahead and assigned IPv6 addresses to my currently running instances (as per the guide); eg.

$ host git.wincent.com
git.wincent.com has address 52.202.171.200
git.wincent.com has IPv6 address 2600:1f18:2bf1:e500::200

(Yes, I know that 200 decimal != 200 hexadecimal, but AWS gave me the 2600:1f18:2bf1:e500::/56 subnet and I wanted the suffix of the addresses I chose to match up, at least visually.)

So, I can connect just fine (eg. with git fetch origin -6) and ping (eg. with ping6 git.wincent.com) but these charts from Google aren't exactly heartening:

IPv6 adoption globally

IPv6 adoption by country

---

This probably means that I should keep running with the IPv4 addresses for some time. Based on the first graph, it took nearly 10 years to go from 5% to 45% adoption, so that means it might be another 10 before we get close to "full" or at least "almost complete" adoption.¹

Footnotes

1. And 10 years at $7/month is about $840... ↩

[wincent]

Fun fact, GitHub doesn't offer IPv6:

$ host github.com
github.com has address 140.82.121.3
github.com mail is handled by 10 alt4.aspmx.l.google.com.
github.com mail is handled by 10 alt3.aspmx.l.google.com.
github.com mail is handled by 1 aspmx.l.google.com.
github.com mail is handled by 5 alt1.aspmx.l.google.com.
github.com mail is handled by 5 alt2.aspmx.l.google.com.

[wincent]

Asked for people's experiences going IPv6-only but I don't expect I'll get many replies.

One idea I had was to try this on my Git host only for a while, and see what happens. That's likely to be less problematic than doing it on my main website host.

[wincent]

One idea I had was to try this on my Git host only for a while, and see what happens.

Ok, scratch that idea. Shit seems super flaky here, and I am not sure how much of it is machine-specific and how much depends on where traffic happens to be being routed at any given point in time. Right now:

• ping6 $anything-at-all (eg. ping6 apple.com or ping6 2620:149:af0::10) gives me "No route to host" on my both my work laptop and my personal one (last night, I feel sure I saw ping6 work on my local laptop, whether I gave it the raw IP address or a hostname). ping apple.com works.

• git clone -6 doesn't work on my work laptop:

  $ git clone -6 git://git.typechecked.net/null.git
  Cloning into 'null'...
  fatal: unable to connect to git.typechecked.net:
  git.typechecked.net[0: 2600:1f18:2bf1:e500::200]: errno=No route to host
  

  but it does on my personal laptop... However trying to use numeric IP addresses (either 2600:1f18:2bf1:e500::200 or [2600:1f18:2bf1:e500::200]) fails with "No route to host".

---

Update: Same computer, same command run several hours apart with different results:

dot ❯ ping6 2620:149:af0::10
ping6: UDP connect: No route to host
zsh: exit 1     ping6 2620:149:af0::10
dot ❯ ping6 2620:149:af0::10
PING6(56=40+8+8 bytes) 2a0c:5a82:eb07:4400:f46c:d4f3:1b0d:74d --> 2620:149:af0::10
16 bytes from 2620:149:af0::10, icmp_seq=0 hlim=51 time=308.381 ms
16 bytes from 2620:149:af0::10, icmp_seq=1 hlim=51 time=385.957 ms
^C
--- 2620:149:af0::10 ping6 statistics ---
3 packets transmitted, 2 packets received, 33.3% packet loss
round-trip min/avg/max/std-dev = 308.381/347.169/385.957/38.788 ms

Also, look at the difference ICMP times:

dot ❯ ping6 apple.com
PING6(56=40+8+8 bytes) 2a0c:5a82:eb07:4400:f46c:d4f3:1b0d:74d --> 2620:149:af0::10
16 bytes from 2620:149:af0::10, icmp_seq=1 hlim=51 time=372.095 ms
16 bytes from 2620:149:af0::10, icmp_seq=2 hlim=51 time=326.049 ms
16 bytes from 2620:149:af0::10, icmp_seq=3 hlim=51 time=923.705 ms
16 bytes from 2620:149:af0::10, icmp_seq=4 hlim=51 time=434.087 ms
^C
--- apple.com ping6 statistics ---
5 packets transmitted, 4 packets received, 20.0% packet loss
round-trip min/avg/max/std-dev = 326.049/513.984/923.705/239.639 ms
dot ❯ ping apple.com
PING apple.com (17.253.144.10): 56 data bytes
64 bytes from 17.253.144.10: icmp_seq=0 ttl=58 time=32.644 ms
64 bytes from 17.253.144.10: icmp_seq=1 ttl=58 time=37.932 ms
64 bytes from 17.253.144.10: icmp_seq=2 ttl=58 time=36.423 ms
64 bytes from 17.253.144.10: icmp_seq=3 ttl=58 time=38.439 ms
^V64 bytes from 17.253.144.10: icmp_seq=4 ttl=58 time=32.660 ms
^C
--- apple.com ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 32.644/35.620/38.439/2.512 ms

10x slower for apple.com, although the delta is way smaller for my host:

dot ❯ ping git.typechecked.net
PING git.typechecked.net (52.202.171.200): 56 data bytes
64 bytes from 52.202.171.200: icmp_seq=0 ttl=232 time=108.422 ms
64 bytes from 52.202.171.200: icmp_seq=1 ttl=232 time=108.820 ms
64 bytes from 52.202.171.200: icmp_seq=2 ttl=232 time=109.192 ms
^C
--- git.typechecked.net ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 108.422/108.811/109.192/0.314 ms
dot ❯ ping6 git.typechecked.net
PING6(56=40+8+8 bytes) 2a0c:5a82:eb07:4400:f46c:d4f3:1b0d:74d --> 2600:1f18:2bf1:e500::200
16 bytes from 2600:1f18:2bf1:e500::200, icmp_seq=0 hlim=238 time=118.203 ms
16 bytes from 2600:1f18:2bf1:e500::200, icmp_seq=1 hlim=238 time=117.924 ms
16 bytes from 2600:1f18:2bf1:e500::200, icmp_seq=2 hlim=238 time=114.012 ms
16 bytes from 2600:1f18:2bf1:e500::200, icmp_seq=3 hlim=238 time=117.893 ms
16 bytes from 2600:1f18:2bf1:e500::200, icmp_seq=4 hlim=238 time=118.991 ms
^C
--- git.typechecked.net ping6 statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 114.012/117.405/118.991/1.742 ms

[wincent]

Maybe something to revisit in some years. For now, it's clear that simply turning off IPv4 is not an option.