IPv6
IP addresses allow machines to address each other across a network. IPv4 is still the most widely used version of the protocol, but the IPv4 address space is being consumed rapidly. IPv6 is the most recent version of the protocol, designed to solve the address space problem.
You can selectively enable IPv6 on new or existing instances. Once enabled, an IPv6 will be automatically configured on the first interface of your instance, along with its public IPv4 address.
Note
All IPv6 addresses for your organization are taken from the same /64 subnet (the beginning of the IPv6 address will always be the same). Currently, only one IPv6 address can be assigned for each instance. In the future, we will allow you to assign more IPv6 addresses.
Note
An instance that is transferred to a different organization will keep the primary IPv6 address of the source organization.
Adding IPv6 to a New Instance
During instance creation, you can enable IPv6 by clicking on the toggle labeled
Enable IPv6:
In addition to an IPv4 address, the new instance will receive an IPv6 address.
With the API, you can pass ip6=true as an additional parameter to
the deployVirtualMachine
call.
Adding IPv6 to an Existing Instance
In the details of the instance, below the IPv4 address, you will find a toggle to enable IPv6:
There is no need to reboot your instance - an IPv6 address is configured to the public interface of your instance within a few seconds.
Alternatively, you can use the
activateIp6 API call.
Security Groups
Like for IPv4, by default, ingress traffic is filtered and egress
traffic is open. To authorize ingress traffic, you need to add
IPv6-specific rules. For example, if you want to authorize SSH access
from anywhere, use ::/0 as the source. ::/0 means any IPv6 host,
while 0.0.0.0/0 means any IPv4 host.
If you already have IPv4 egress rules, outgoing IPv6 traffic is filtered and you need to specify additional rules to allow IPv6 outbound flows. The reverse is also true: if you add IPv6 egress rules without any IPv4 egress rule, IPv4 traffic is filtered.
Testing the Connection
Linux
On Linux, log into your instance and execute the following command:
$ ping6 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=51 time=4.60 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=51 time=4.08 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=51 time=4.13 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=51 time=4.12 ms
^C
--- 2001:4860:4860::8888 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 4.085/4.237/4.607/0.214 ms
If you get an error, check if the IPv6 address is correctly assigned on the first interface:
$ ip -6 a l dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2a04:c43:c00:12f:491:58ff:fe00:79/64 scope global mngtmpaddr dynamic
valid_lft 86360sec preferred_lft 14360sec
inet6 fe80::480:58ff:fe00:79/64 scope link
valid_lft forever preferred_lft forever
In addition to the fe80:: address prefix, you should get an address
starting with 2a04::. If you do not have the fe80:: address prefix,
IPv6 is disabled on your system. You can enable it with:
sysctl -w net.ipv6.conf.all.disable_ipv6=0`
If you do not have the 2a04::
address prefix, the auto-configuration mechanism failed. This might be because
of a locally configured firewall, or because IPv6 auto-configuration has
been disabled. You can enable IPv6 auto-configuration with:
sysctl net.ipv6.conf.eth0.autoconf=1
If the addresses are present, check if:
- you do not have a local firewall (check
ip6tables-save), - you are not using egress rules in your security groups, and
- you do not use privacy extensions (check
sysctl net.ipv6.conf.eth0.use_tempaddr, it should be 0).
Windows
On Windows, you need to disable privacy extensions. You can disable privacy extensions by issuing the following commands in an administrative PowerShell session:
PS> Set-NetIPv6Protocol -RandomizeIdentifiers Disabled
PS> Set-NetIPv6Protocol -UseTemporaryAddresses Disabled
Then, you can test with ping6:
PS> ping6 2001:4860:4860::8888
Pinging 2001:4860:4860::8888 with 32 bytes of data:
Reply from 2001:4860:4860::8888: time<1ms
Reply from 2001:4860:4860::8888: time<1ms
Reply from 2001:4860:4860::8888: time=1ms
Reply from 2001:4860:4860::8888: time=1ms
Ping statistics for 2001:4860:4860::8888:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
If this does not work, use ipconfig /all to check if you have an IPv6 address:
PS> ipconfig /all
[…]
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
Physical Address. . . . . . . . . : 06-6B-EA-00-00-36
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2a04:c46:c00:12f:46b:eaff:fe00:36(Preferred)
Link-local IPv6 Address . . . . . : fe80::46b:eaff:fe00:36%5(Preferred)
IPv4 Address. . . . . . . . . . . : 89.145.160.49(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Lease Obtained. . . . . . . . . . : mardi, 17 avril 2018 14:10:14
Lease Expires . . . . . . . . . . : vendredi, 24 mai 2154 20:45:03
Default Gateway . . . . . . . . . : fe80::fc6b:eaff:fe00:36%5
89.145.160.1
DHCP Server . . . . . . . . . . . : 89.145.160.1
DHCPv6 IAID . . . . . . . . . . . : 55727104
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-67-9C-42-06-6B-EA-00-00-36
DNS Servers . . . . . . . . . . . : 89.145.160.136
89.145.161.109
185.150.8.225
NetBIOS over Tcpip. . . . . . . . : Enabled
Also check if you got a default route:
PS> route print ::/0
[…]
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
5 271 ::/0 fe80::fc6b:eaff:fe00:36
===========================================================================
Persistent Routes:
None
OpenBSD
On OpenBSD, you need to disable Semantically Opaque Interface
Identifiers and privacy extensions. Add the following lines in
/etc/hostname.vio0:
-soii
-autoconfprivacy
As of OpenBSD version 6.9 autoconfprivacy option has been deprecated
and replaced by temporary. Make sure you specify inet6 autoconf
options in /etc/hostname.vio0 in a single line:
inet6 autoconf -soii -temporary
Then, use sh /etc/netstart vio0 to reload the configuration. You can
test if it works correctly with ping6:
# ping6 2001:4860:4860::8888
PING 2001:4860:4860::8888 (2001:4860:4860::8888): 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=0 hlim=61 time=1.296 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=1 hlim=61 time=1.294 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 hlim=61 time=1.218 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 hlim=61 time=1.171 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=4 hlim=61 time=1.345 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=5 hlim=61 time=1.117 ms
^C
--- 2001:4860:4860::8888 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.117/1.240/1.345/0.079 ms
If this does not work, check that you got an IPv6 with ifconfig:
# ifconfig vio0
vio0: flags=648843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,INET6_NOPRIVACY,AUTOCONF6,INET6_NOSOII> mtu 1500
lladdr 06:6b:ea:00:00:36
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect
status: active
inet 89.145.160.49 netmask 0xfffffc00 broadcast 89.145.163.255
inet6 fe80::46b:eaff:fe00:36%vio0 prefixlen 64 scopeid 0x1
inet6 2a04:c46:c00:12f:46b:eaff:fe00:36 prefixlen 64 autoconf pltime 14350 vltime 86350
Also, check if you got the default gateway:
# route -n show | grep default | tail -1
default fe80::fc6b:eaff:fe00:36%vio0 UGS 0 3 - 56 vio0