4

As we know, the IPv6 module is installed and enabled by default on our CentOS server. But I have never used it, and many articles tell us to disable the IPv6 feature for performance or security reasons. So in what kind of situations should I enable IPv6 on my server located on the Internet?

kasperd
seanlook
  • 6
    Don't believe everything you read on the Internet, especially out of date and bad advice to "disable IPv6". Doing so _reduces_ performance and has no real impact on security, providing you have properly configured firewalls (I hope you do). – Michael Hampton Nov 28 '14 at 09:33
  • I would be interested to hear how exactly does disabling IPv6 reduce performance. Enabling or disabling one networking protocol does not sound like something which would affect performance (and what is performance in this case?) in any way. –  Nov 28 '14 at 09:39
  • 3
    @SamiLaine For example: Using IPv6 avoids NAT, especially carrier grade NAT used in places where there is a shortage of IPv4 addresses. This reduces latency when visiting web sites, for instance, making them faster. – Michael Hampton Nov 28 '14 at 09:40
  • Related: [Should I use IPv6 only or both IPv4 and IPv6 in my web server?](http://serverfault.com/q/421445/126632) – Michael Hampton Nov 28 '14 at 10:01
  • 2
    IPv6 is a Good Thing. If your provider supports it - and in my experience, most hosting providers are well-able to do this, and have been for some time - you should definitely get some addresses off them and make sure they're allocated to your server. Only if you can't get v6 space for your server should you even toy with the idea of disabling the protocol. – MadHatter Nov 28 '14 at 10:22

1 Answer

6

Short answer: IPv6 should be enabled on all servers.

Longer answer: Three out of five RIRs are so short on IPv4 addresses that rationing is a reality. And another RIR will run out early next year leaving Africa as the only region in the world without a shortage of IPv4 addresses.

Major content providers deployed dual stack in 2012. And in doing so they eliminated one of the only valid arguments for others to stay IPv4-only.

In short, if you did not think about enabling IPv6 along with all the other providers back in 2012, then you are behind schedule.

At that time I would consider being hosted in an IPv4 only data center to be a valid reason not to enable IPv6 just yet. But at that time, it would be reasonable to demand IPv6 support from your hosting provider. There is enough competition that everybody should be able to find a provider with IPv6 support.

For connections to your home or to an office, the situation is a bit different. Being tied to a specific location limits competition. And the limited competition means in many regions you simply cannot switch to a competing provider.

There is a minority of users with better IPv6 connectivity than IPv4 connectivity. You will support those better by hosting your server on dual stack than IPv4 only. Plus ISPs are using your lack of IPv6 support as an excuse for not deploying IPv6 to their customers. Those two for me are sufficient reason to recommend deploying IPv6 ASAP.

Years ago clients with broken IPv6 connectivity were a concern that led to content providers being reluctant to deploy IPv6. That is mostly a solved problem, but there are still a few things you can do yourself to ensure users of your dual stack server will experience as reliable a connection as possible:

  • Tweak your MSS settings. On IPv6 the recommended setting would be 1220. But most systems would default to 1440. It is not that there is anything wrong with using 1440, but other people have deployed broken networks, that may cause an otherwise correct MSS setting of 1440 to not work.
  • Deploy 6to4 and Teredo relays. If your server has a public IPv4 address, you can deploy your own. And if you don't, you'll be relying on unreliable public relays to communicate with any users using either of those protocols.
  • Monitor your server. A surprisingly large number of sites have an IPv6 address that doesn't respond. On one occasion I pointed out such a problem to a specific provider. Their reaction was: 1. Say it was intentional. 2. Claim their network had full IPv6 support working perfectly flawlessly. 3. Stop announcing their IPv6 prefix through BGP. 4. Keep the AAAA record in DNS. 5. Leave the system in that state for years. You should not fall into the same trap. If your IPv6 address should ever stop responding, you want to know before your customers.
kasperd
  • 1
    It's 2014. People are _decommissioning_ 6to4 and Teredo relays. – Michael Hampton Nov 30 '14 at 13:20
  • @MichaelHampton Unfortunately it is way too early to be decommissioning those. By the time the majority of the internet has native IPv6 it might make sense. But until then configuring your own relays provides better reliability for those using the relays, and it doesn't affect those not using them. And on a machine with dual stack access, it takes less than five minutes to configure your own Teredo and 6to4 relays. – kasperd Nov 30 '14 at 13:58
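
The "monitor your server" advice in the answer above can be turned into a per-address-family check; the following is an added example, not code from the thread or its authors. The function names `probe`, `classify` and `check` and the status strings are hypothetical; it assumes a TCP service and a monitoring host that has working IPv6 itself.

```python
import socket

def probe(host, port, family, timeout=5.0):
    """Connect to every address of one family; return {address: error or None}."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return {}  # no A (AF_INET) or AAAA (AF_INET6) record published
    results = {}
    for fam, stype, proto, _, sockaddr in infos:
        s = socket.socket(fam, stype, proto)
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            results[sockaddr[0]] = None
        except OSError as exc:  # timeout, refused, unreachable
            results[sockaddr[0]] = str(exc) or type(exc).__name__
        finally:
            s.close()
    return results

def classify(v4, v6):
    """Map per-family probe results to a (status, detail) pair (hypothetical scheme)."""
    v4_bad = sorted(a for a, err in v4.items() if err)
    v6_bad = sorted(a for a, err in v6.items() if err)
    if not v4 and not v6:
        return "CRITICAL", "name does not resolve"
    if v6_bad and v4 and not v4_bad:
        # The failure mode from the answer: AAAA still in DNS, IPv6 path dead.
        return "CRITICAL", "AAAA published but IPv6 unreachable: " + ", ".join(v6_bad)
    if v4_bad or v6_bad:
        return "CRITICAL", "unreachable: " + ", ".join(v4_bad + v6_bad)
    if not v6:
        return "WARNING", "no AAAA record; service is IPv4-only"
    return "OK", f"{len(v4)} IPv4 and {len(v6)} IPv6 address(es) answered"

def check(host, port=443):
    return classify(probe(host, port, socket.AF_INET),
                    probe(host, port, socket.AF_INET6))

if __name__ == "__main__":
    import sys
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    status, detail = check(sys.argv[1], port)
    print(f"{status}: {detail}")
    sys.exit({"OK": 0, "WARNING": 1, "CRITICAL": 2}[status])
```

Run it from outside your own network so that a withdrawn BGP announcement or a filtering hop shows up the way a customer would see it; a monitoring host without IPv6 connectivity will report every AAAA address as unreachable.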