device into our network, either through the wireless or through the wired, and it will be configured and they can use it and they can SSH into it. That means that you need to have some way of naming those devices. So when you plug in one of these research gadgets, that one there, it will ask for an address via DHCP and supply a host ID, which will then, up here, be stuck by the DHCP server into the DNS system, and then you can actually refer to it by name, which is nice.

So this all looks good. We're connected through some corporate firewalls that we don't have much control over. Whether we get changes there depends on how overworked the IT support people are, which is normally very. Yeah, so that's what it looked like beforehand.

So what we decided to do was to deploy IPv6. We would assign IPv6 addresses to all external-facing things, including the machines that aren't shown there, some kind of DMZ that provides web services and database services to the rest of the world; update the firewall rules; update the DNS; and go live. And then at the same time, because Matt over there wanted to set up our IPv6 gateway, we decided to put another machine for IPv6 gateway and firewall in parallel with the others. So we ended up with something that looked like this. As a side effect, we ended up with another DMZ there that we could control ourselves.

Now, this all looks very nice. All these things here can get IPv6 addresses. Who can see the problem? No? Come on. Oh, that's okay. This one here: router advertisements don't pass a router. They don't go through. So we need to run radvd there as well. Okay? Duh. So, trap for the unwary number one: router advertisements don't cross routers. Deliberately so. Okay.

Remember I said that we run Mercurial on this thing? So as soon as we have the name hg.ertos.nicta.com.au, that points to this external gateway, which is really nice, but when some random desktop says hg push, its route goes like this. It goes bzzzzzzzzzz. Hey, I can see this one. Bzzzzzzzzzz. And the firewall here gets really confused because it doesn't see any ACKs coming back, and drops the connection, boom, and we have some unhappy users. Now, you could play around with policy routing on here, but that gets really complicated really fast. So what we decided to do was stick static routes in here and here, so that when this one goes up this way it would actually bounce back to there, and everything's nice, right? Hang on. Okay, we got that bit. So we end up putting static routes in here, okay, and then when this person wants to talk to that one, it goes up here and says, oh, what should happen is, oh, um, there's a better route there, inserting it into your routing table to go there instead. And it didn't. What's going on? The problem is that in order to make that work you need to give the link-local address in the route there, not the globally accessible address. So we did that and then it started working, except that it still doesn't work for the wireless route, and I don't know why. We've got a static route to the whole subnet, but it doesn't seem to work for the IPv6 devices there, and I'm still investigating that; I haven't had a chance to chase it down yet.

And the other nice... So, where are we now? Where are we now? We can SSH out from our system, and we can see the dancing turtle on kame.net. We can IPv6 to mail servers all around the world, which is all nice if you want to talk IMAP to an external mail server. We can SSH into machines inside, and we now control that firewall, so that if somebody wants their desktop to be on the internet for SSH input then we can open the firewall and it just happens, and we don't need to go through NICTA IT, which reduces their load, so they're happy too. And the DMZ meant that some external people could come in and plug into our DMZ and demonstrate mobile IPv6 applications, and it all just worked, and this was all really nice.

We've still got some issues. That routing problem reared its ugly head again when NICTA IT decided to change the external interface address that was assigned to us, and when they did that everything broke, because we forgot to change the static routes that would otherwise override them. Now, we could fix this by using some kind of split-horizon DNS, so inside our network we'd see the internal interface name and outside we'd see the external interface name. That would work; unfortunately it breaks for people using VPNs to somewhere else, because their default route goes to somewhere else, which would then see the external one, and we end up having a much longer path than we would otherwise have, and people get sad when things that should be faster are actually slow. So we're just keeping on adding static routes at the moment; because there's only two of them, it's okay. I'm just hoping it doesn't get any bigger.

Naming. The other problem is that the autoconfigured nodes are anonymous, so when you type who on the home server we see something like this, and I don't know about you, but I have no idea which machine that is. If it said "Fred's machine" it'd be much easier. So I'm still trying to solve this problem. At the moment, when we're mostly running dual-stack stuff, the DHCP client passes up a host identifier which is then stuck in for the IPv4 address that's assigned, and I've written some hacky scripts, which are extremely hacky and fragile, that calculate what that address should be based on the MAC address and insert that one in as a AAAA record. That doesn't work for Windows clients. Fortunately we've only got two Windows boxes on the network, and quite frankly I don't really care about Windows users; they don't normally want to SSH into their machine either. So, but they might want to use our desktop, but hey. So that was still something I've got to work out.

The DHCP and PXE boot are still IPv4. That will depend on people like Intel getting their firmware right. Now, U-Boot, which we use extensively, could theoretically use IPv6, and we're currently looking at implementing an IPv6 version of U-Boot so that it can boot stuff off the network, because we're extensively putting embedded devices on the network, booting them and having things happen. So that one we're still working on.

And there are still some problems with other DHCP services. Because we're using NFS homes on the system, it's important that people synchronize their NTP servers to that machine, so that the difference between that machine, however far it is from the normal mean time, is small, and so we're handing out the address of that via DHCP. The IPv6-only nodes don't pick that up yet; likewise other services like name servers. There is an RDNSS daemon, but it hasn't been ported to all the machines we're interested in yet, so that's still ongoing work. This might get better: there's a new version of the DHCP daemon and client gone into Debian unstable now which is supposed to do IPv6 as well as IPv4, so we could move to DHCPv6 instead of using autoconfiguration, and I'm looking forward to trying that out when... well, as soon as I can get down to it. Yep.

Right, okay. The comment was: DHCPv6 for IPv6 still uses the autoconf as well.

Can I ask, can I somehow securely... Yeah, tell me, I'm interested to know this.

DHCPv6 requires router advertisements with a prefix. It basically requires you to do all the autoconfig, although you can turn off the automatic address assignment and have DHCP do the address, or you can in fact have DHCP not do the address, or you can have both do an address, but you must have autoconfig working, which also means your prefixes need to be /64s.

Okay, that's all okay for us. What I'm really concerned about is: can DHCP then insert the DNS entry, the AAAA record? That's the bit that's missing at the moment, with all of it, I think. Anyway, that was all I had to say, so questions, comments?

Do you have v6-only clients?

Yes, we do.

Wow. How do they... do they work? Which IPv6 websites do they access?

Sorry, which of the... what websites?

v6.

I don't care; they access our internal NFS roots. That's all I really care about.

So you're going with IPv6 DHCP?

Well, no, I haven't said we're going for it. I said I'm going to evaluate it.

Okay, right. So at the moment you are using autoconfig?

Yes.

And according to the gentleman down here you would need to use autoconfig and DHCPv6 together to get the result we want.

Yep.

Okay. Do you see any problems, you know, in terms of network discovery for, like, your DMZs? Do you see any security aspects there?

A DMZ by its very nature is open to the world, and you've just got to keep monitoring it. As far as the autoconfig goes, I don't see any real issue in knowing that that phone has that MAC address. We need it internally anyway to be able to track which devices belong to who, and that information is firewalled off so it never gets out to the internet anyway, so who cares.

Okay, thanks.

So you're saying that the current DHCP server does not support IP version 6? I thought the ISC DHCP server 4.1 does do the job.

It does, but it's not in Debian stable yet, and Debian stable is what we're running now. So that's okay.

So, thank you.
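The MAC-to-AAAA calculation the speaker describes (deriving the autoconfigured IPv6 address of a dual-stack host from its MAC and publishing it in DNS), as an added example that is not the speaker's scripts: it builds the modified EUI-64 interface identifier, the SLAAC address for a /64 prefix, the link-local address that a static route's next hop must use, and a check that tells whether an observed address really came from that MAC. The hostname, prefix and MAC are constructed values.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    # Insert ff:fe between the OUI and the NIC part and flip the
    # universal/local bit (bit 1 of the first octet).
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms by EUI-64 SLAAC from a /64 prefix and its MAC.

    Hosts using privacy/random interface IDs (RFC 4941, the Windows default)
    will not have this address, which is why a MAC-based script misses them.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface IDs only fit a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 address of the interface; the next hop a static route should name."""
    return slaac_address("fe80::/64", mac)


def is_eui64_derived(address: str, mac: str) -> bool:
    """True only if the address's interface ID matches this MAC (False for privacy IIDs)."""
    return ipaddress.IPv6Address(address).packed[8:] == eui64_interface_id(mac)


def aaaa_record(hostname: str, prefix: str, mac: str) -> str:
    """Zone-file line publishing the computed address for the host."""
    return f"{hostname}\tIN\tAAAA\t{slaac_address(prefix, mac)}"


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and an arbitrary MAC.
    mac = "00:1b:21:3c:4d:5e"
    print(aaaa_record("freds-machine", "2001:db8:1:2::/64", mac))
    print("next hop for static route:", link_local_address(mac))
```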