Outbound IPv6 on AWS EC2 Amazon Linux How-To (Not Production Grade)

It is well known that we can deploy an application in AWS and be fully IPv6 compliant thanks to the AAAA DNS records that every EC2 Elastic Load Balancer have at our disposal, but this does not apply to Outbound Internet connections (connections that are originated in our EC2 boxes).
The arrival of IPv6 to EC2 could be near but meanwhile there is a way to provide outbound IPv6 connectivity to our servers thanks to Hurricane Electric tunnel broker service.

I call this solution "Not Production Grade" because it is provided for free for experimentation purposes. Please read the Terms of Service (I have to say that is pretty fast and stable though).

Important Security Note:
With no additional measures in place, the configuration described here will open your TCP/IP services to Internet. Deploying a TCP tunnel will bypass the EC2 Security Group security layer.
IPv6 has no Network Address Translation (NAT) and your server will be directly connected to Internet to all effects.
Enabling and configuring ip6tables is advised.

Register:

- Get your free IPv6 tunnel at https://www.tunnelbroker.net

- Open your EC2 Security Group to receive ICMP traffic from Hurricane Electric (This is a requisite for this tunnel provider).

- Fill the field "IPv4 Endpoint (Your side)" with the Public IP of your instance.

- Select an IPv4 tunnel endpoint close to your AWS region.

- Once the tunnel is created we can access its details. No other changes are required, the tunnel is ready to use.

Configure:

- Click on "Example Configurations" to obtain the configuration guidelines for our Operative System (In our case: "Linux-net-tools" option).

Important Security Note:
With no additional measures in place, the configuration described here will open your TCP/IP services to Internet. Deploying a TCP tunnel will bypass the EC2 Security Group security layer.
IPv6 has no Network Address Translation (NAT) and your server will be directly connected to Internet to all effects.
Enabling and configuring ip6tables is advised.

(with sudo)

sudo ifconfig sit0 up
sudo ifconfig sit0 inet6 tunnel ::216.66.88.98
sudo ifconfig sit1 up
sudo ifconfig sit1 inet6 add 2001:470:1f1c:666::2/64
sudo route -A inet6 add ::/0 dev sit1

Note: In your case these IP addresses will vary.

- At this point the new interface and the tunnel are ready.



Test:

- Check our new interface sit1 and its IPv6 configuration. In this example the IP 2001:470:1f1c:666::2 is our Public IPv6 address for this server.

$ ifconfig sit1

sit1      Link encap:IPv6-in-IPv4  
          inet6 addr: 2001:470:1f1c:666::2/64 Scope:Global
          inet6 addr: fe80::a52:b404/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:111 errors:0 dropped:0 overruns:0 frame:0
          TX packets:110 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:14575 (14.2 KiB)  TX bytes:11293 (11.0 KiB)

- ping6 (against Google IPv6 DNS server)

$ ping6 -c 5 2001:4860:4860::8888

PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=56 time=18.9 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=56 time=19.0 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=56 time=19.0 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=56 time=19.1 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=5 ttl=56 time=19.0 ms

--- 2001:4860:4860::8888 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4034ms
rtt min/avg/max/mdev = 18.993/19.062/19.125/0.131 ms

- route

$ route -n -A inet6

Kernel IPv6 routing table
Destination                     Next Hop                                Flags Metric Ref    Use Iface
::/96                              ::                                      U     256    0        0 sit0
2001:470:1f1c:666::/64             ::                                      U     256    0        0 sit1
fe80::/64                          ::                                      U     256    0        0 eth0
fe80::/64                          ::                                      U     256    0        0 sit1
::/0                               ::                                      U     1      3469     1 sit1
::1/128                            ::                                      U     0      22       2 lo
::10.82.180.4/128                  ::                                      U     0      0        1 lo
::127.0.0.1/128                    ::                                      U     0      0        1 lo
2001:470:1f1c:666::2/128           ::                                      U     0      3397     2 lo
fe80::a52:b404/128                 ::                                      U     0      0        1 lo
fe80::2000:aff:fe52:b404/128       ::                                      U     0      0        1 lo
ff00::/8                           ::                                      U     256    0        0 eth0

ff00::/8                           ::                                      U     256    0        0 sit1

::/0 is the Default route in IPv6 (equivalent to 0.0.0.0/0 in IPv4).

::1 host is our localhost interface (equivalent to 127.0.0.1). 

In IPv6 one or more leading zeroes from any groups of hexadecimal digits are removed and consecutive sections of zeroes are replaced with a double colon (::). 
This 0000:0000:0000:0000:0000:0000:0000:0001 is equal to ::1

- netstat

$ telnet www.google.com 80 &
$ netstat -nat -A inet6

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address              State      
tcp        0      0 :::22                       :::*                         LISTEN      
tcp        0      0 :::38030                    :::*                         LISTEN      
tcp        0      0 :::111                      :::*                         LISTEN      
tcp        0      0 2001:470:1f1c:666::2:35960  2a00:1450:400b:802::2004:80  ESTABLISHED 

Notice that our telnet command has created an IPv6 connection. We didn't specify any IPv6 parameter. How come? More about that later. Check DNS Considerations at the bottom of this article to know more.

- traceroute

$ traceroute -6 2001:4860:4860::8888

traceroute to 2001:4860:4860::8888 (2001:4860:4860::8888), 30 hops max, 80 byte packets
 1  juandomenech-1.tunnel.tserv1.lon2.ipv6.he.net (2001:470:1f1c:666::1)  13.331 ms  13.703 ms  14.143 ms
 2  ge3-20.core1.lon2.he.net (2001:470:0:320::1)  42.622 ms  75.028 ms  75.002 ms
 3  2001:7f8:4::3b41:1 (2001:7f8:4::3b41:1)  15.652 ms  15.614 ms  15.386 ms
 4  2001:4860::1:0:ab9e (2001:4860::1:0:ab9e)  14.648 ms 2001:4860::1:0:ab9d (2001:4860::1:0:ab9d)  14.697 ms 2001:4860::1:0:9914 (2001:4860::1:0:9914)  15.386 ms
 5  2001:4860::8:0:aba0 (2001:4860::8:0:aba0)  26.167 ms 2001:4860::8:0:ab9f (2001:4860::8:0:ab9f)  26.139 ms 2001:4860::8:0:aba0 (2001:4860::8:0:aba0)  26.113 ms
 6  2001:4860::8:0:83d2 (2001:4860::8:0:83d2)  26.079 ms 2001:4860::8:0:507c (2001:4860::8:0:507c)  18.276 ms 2001:4860::8:0:83d2 (2001:4860::8:0:83d2)  17.891 ms
 7  2001:4860::2:0:7a79 (2001:4860::2:0:7a79)  18.432 ms 2001:4860::2:0:79fb (2001:4860::2:0:79fb)  20.376 ms  20.369 ms

 8  google-public-dns-a.google.com (2001:4860:4860::8888)  19.208 ms  18.261 ms  17.545 ms

Notice Hop#1. It is the other site of the tunnel. The address :666::1 is the gateway of our network. 

- Test with Port Scan at https://www.tunnelbroker.net/portscan.php

- Type in your IPv6 Address, hit Submit and wait for 10 seconds. 

Do you see something interesting? Yes, as mentioned before, the ports 22 and 111 are open to the network over IPv6 bypassing the security provided by the EC2 Security Groups. 

Creating a TCP/IP tunnel has the same effect as adding another Internet connection to our instance. That traffic is encapsulated over TCP/IP and is out of control of the traditional EC2 Security Group firewall layer. 
Configuring ip6tables is advised.

DNS considerations:

We have added new interfaces to this box and we are routing IPv6 through a tunnel but we haven't changed its DNS configuration. It has the standard EC2 DNS configuration unchanged (EC2-Classic):

$ cat /etc/resolv.conf

; generated by /sbin/dhclient-script
search eu-west-1.compute.internal
options timeout:2 attempts:5
nameserver 172.16.0.23

Despite that, our previous telnet (telnet www.google.com 80) is connecting to Google's IPv6. Let's take a look to the dialog between our box and the EC2-Classic DNS server 172.16.0.23 to understand why:

$ sudo tcpdump -i eth0 -nn -s0 -A port 53

13:31:52.961142 IP 10.104.229.189.47624 > 172.16.0.23.53: 61300+ A? www.google.com. (32)
E..<.c@...1.
h.........5.(...t...........www.google.com.....
13:31:52.961158 IP 10.104.229.189.47624 > 172.16.0.23.53: 48977+ AAAA? www.google.com. (32)
E..<.d@...0.
h.........5.(...Q...........www.google.com.....
13:31:52.962279 IP 172.16.0.23.53 > 10.104.229.189.47624: 48977 1/0/0 AAAA 2a00:1450:400b:802::2004 (60)
E..X....@..N....
h...5...Ds3.Q...........www.google.com..............w..*..P@......... .
13:31:52.963683 IP 172.16.0.23.53 > 10.104.229.189.47624: 61300 6/0/0 A 209.85.203.104, A 209.85.203.105, A 209.85.203.106, A 209.85.203.147, A 209.85.203.99, A 209.85.203.103 (128)
E.......@.. ....
h...5....u..t...........www.google.com..............,...U.h.........,...U.i.........,...U.j.........,...U...........,...U.c.........,...U.g

- Packets #1 and #2 are our requests and packets #3 and #4 are the answers coming back from the DNS server.
- Our Linux box is resolving www.google.com twice. First with IPv4 (A) and second with IPv6 (AAAA).
- Each request receives a different answer. The A record receives a list of IPv4 addresses and the record AAAA receives a single IPv6 address (2a00:1450:400b:802::2004).  This is the address our box has decided to use.

In other words, during the DNS resolution our system determines whether this host is accessible using IPv6 or not. The way to do that is asking for the AAAA DNS record and use it when present.

We can do the same using dig.


- dig

$ dig AAAA www.linkedin.com

;; ANSWER SECTION:
www.linkedin.com. 88 IN CNAME glb-any-eu.www.linkedin.com.
glb-any-eu.www.linkedin.com. 88 IN CNAME any-eu.www.linkedin.com.
any-eu.www.linkedin.com. 1869 IN AAAA 2a04:f540:1::b93f:930a

Migrated = Yes

$ dig AAAA www.facebook.com

;; ANSWER SECTION:
www.facebook.com. 14 IN CNAME star-mini.c10r.facebook.com.
star-mini.c10r.facebook.com. 41 IN AAAA 2a03:2880:2130:7f20:face:b00c:0:25de

Migrated = Yes

$ dig AAAA github.com

;; AUTHORITY SECTION:
github.com. 60 IN SOA ns1.p16.dynect.net. hostmaster.github.com. 1461162636 3600 600 604800 60

Not migrated yet.

IPv6 Security: Back to square one?

After enjoying with a IPv6 "Hello World!" and surfing IPv6 a bit during the IPv6 World Launch I've notice something while reading some IPv6 configuration guides available around for Unix. Let me see... Interface definition, tunnel creation, end-point IP, DNS, etc. Everything seems in order but something is missing: The firewall!
With all that rush to set up our new IPv6 connection and after all that time working behind a NAT connection we didn't pay attention to that important element and some machines are plugged-in wide open.
Are just a couple of poorly configured systems or a epidemic? Let's scan the network "old style". Any sequential IPv6 scan approach is not viable due the size of the IPv6 range (2^128) so I took an IP list from this IPv6 database http://flyr.info/ . From there I've got 16839 unique IPv6 addresses. A good sample to test.
With the nc Linux command, the IP list and a loop we have a low cost IP scanner:

#!/bin/bash while read ip; do     nc -6zv -w 1 $ip $1 done < "list"

Scan result: From 16839 scanned IPs:
6660 machines with Port TCP 22 SSH open
53 machines with Port TCP 5900 VNC open
181 machines with Port TCP 3389 Windows Remote Desktop open
and the list goes on...

I know, some of those machines have those ports open on purpose. But when you see something like these nmap scan results you realise that these are computers without any IP filtering active. And this is not good.

# nmap -6 2001:**:**:**::** Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-08 00:48 CEST Nmap scan report for ****.******.cr (2001:**:**:**::**) Host is up (0.22s latency). Not shown: 972 closed ports PORT     STATE    SERVICE 22/tcp   open     ssh 25/tcp   open     smtp 53/tcp   open     domain 80/tcp   open     http 88/tcp   open     kerberos-sec 143/tcp  open     imap 311/tcp  open     asip-webadmin 389/tcp  open     ldap 443/tcp  open     https 445/tcp  open     microsoft-ds 464/tcp  open     kpasswd5 548/tcp  open     afp 587/tcp  open     submission 625/tcp  open     apple-xsrvr-admin 636/tcp  open     ldapssl 749/tcp  open     kerberos-adm 993/tcp  open     imaps 2000/tcp open     cisco-sccp 5222/tcp open     xmpp-client 5269/tcp open     xmpp-server 5900/tcp open     vnc 8088/tcp open     radan-http 9999/tcp filtered abyss Nmap done: 1 IP address (1 host up) scanned in 27.74 seconds

# nmap -6 2607:**:**:**::** Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-08 09:04 CEST Nmap scan report for ****.******.com (2607:**:**:**::**) Host is up (0.24s latency). Not shown: 973 closed ports PORT      STATE    SERVICE 21/tcp    open     ftp 22/tcp    open     ssh 25/tcp    open     smtp 26/tcp    open     rsftp 53/tcp    open     domain 79/tcp    open     finger 80/tcp    open     http 88/tcp    open     kerberos-sec 110/tcp   open     pop3 143/tcp   open     imap 389/tcp   open     ldap 443/tcp   open     https 515/tcp   open     printer 548/tcp   open     afp 631/tcp   open     ipp 636/tcp   open     ldapssl 993/tcp   open     imaps 995/tcp   open     pop3s 1025/tcp  open     NFS-or-IIS 5900/tcp  open     vnc 10001/tcp open     scp-config Nmap done: 1 IP address (1 host up) scanned in 45.27 seconds

# nmap -6 2a02:**:**:**::** Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-08 08:59 CEST Nmap scan report for 2a02:**:**:**::** Host is up (0.11s latency). Not shown: 981 closed ports PORT      STATE    SERVICE 80/tcp    open     http 135/tcp   open     msrpc 445/tcp   open     microsoft-ds 554/tcp   open     rtsp 1433/tcp  open     ms-sql-s 3389/tcp  open     ms-wbt-server 49152/tcp open     unknown 49153/tcp open     unknown 49154/tcp open     unknown 49155/tcp open     unknown 49156/tcp open     unknown 49157/tcp open     unknown 49158/tcp open     unknown Nmap done: 1 IP address (1 host up) scanned in 15.75 seconds

IPv6 Hello World!

After a little set up for surfing with IPv6 is time for a "IPv6 Hello World!". Ingredients: AWS EC2 instance, EC2 ELB and a Apache HTTP server.

First, deploy one EC2 instance. I always use the default Amazon Linux 64bits AMI. I'm used to RedHat and CentOS Linux and this AMI is basically the same. Then install your favourite web server flavour. This instance will have an IPv4 address and that's all we need. The magic for IPv6 is at the ELB public side. There's no way (and and no need now) to get an IPv6 attached to your instance.

Once that is done, deploy an ELB and attach the instance to it. Notice on the ELB "Description" tab that you have 3 DNS records for it.

In may case:

domenech-1821931935.us-east-1.elb.amazonaws.com (A Record) ipv6.domenech-1821931935.us-east-1.elb.amazonaws.com (AAAA Record) dualstack.domenech-1821931935.us-east-1.elb.amazonaws.com (A or AAAA Record)

Let's give a detailed look to it. The first DNS record (A Record) is the typical IPv4 record where you usually point the CNAME to.

# host domenech-1821931935.us-east-1.elb.amazonaws.com domenech-1821931935.us-east-1.elb.amazonaws.com has address 23.21.124.217 root@juan-ubuntu:~# host ipv6.domenech-1821931935.us-east-1.elb.amazonaws.com ipv6.domenech-1821931935.us-east-1.elb.amazonaws.com has IPv6 address 2406:da00:ff00::1715:7cd9

So, if we resolve the A Record we get a IPv4 (23.21.124.217 in my example) and with the AAAA Record we get the IPv6 (2406:da00:ff00::1715:7cd9). They are there waiting for us to use them. No more configuration needed.

Searching this IP in this BGP AS database we get that it belongs to the Autonomous System AS16509 prefix 2406:da00::/32 from Amazon.com. In other words, part of the AWS IPv6 infrastructure. Those 32 bits prefix mean that are 96 bits of IP addresses available (IPv6=128bits) into that prefix and that is 79,228,162,510,000,000,000,000,000,000 IPs. Nice!

Another interesting thing is that the AAAA Record "implies" the A Record. An IPv6 is formed by 8 "hexquads" 16 bit long each one separated by colons and written in lower case hexadecimal. Double colon (::) means "full of zeros". In my example, the IPv6 2406:da00:ff00::1715:7cd9 translates to 2406:da00:ff00:0000:0000:0000:1715:7cd9. If we take the last 8 hexadecimal elements grouped by 2 and convert to decimal:

17 = 23 15 = 21 7c = 124 d9 = 217

And this is 23.22.124.217. The IPv4 address that this ELB also provides.

Now we have just to create our CNAME record for our domain pointing to the AWS ELB. We can either choose the AAAA Record or the "dualstack" (A and AAAA) Record. Basically the Dual Stack record answers a IPv4 IP if our DNS call asks for a A Record or a AAAA Record in that case.

Dig for A Record:

# dig ipv6.domenech.org A @2001:4860:4860::8888 ; <<>> DiG 9.8.1-P1 <<>> ipv6.domenech.org A @2001:4860:4860::8888 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56239 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;ipv6.domenech.org.        IN    A ;; ANSWER SECTION: ipv6.domenech.org.    60    IN    CNAME    dualstack.domenech-1821931935.us-east-1.elb.amazonaws.com. dualstack.domenech-1821931935.us-east-1.elb.amazonaws.com. 60 IN A 23.21.124.217 ;; Query time: 216 msec ;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888) ;; WHEN: Tue Jun  5 11:58:20 2012 ;; MSG SIZE  rcvd: 122

Dig for AAAA Record:

# dig ipv6.domenech.org AAAA @2001:4860:4860::8888 ; <<>> DiG 9.8.1-P1 <<>> ipv6.domenech.org AAAA @2001:4860:4860::8888 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56671 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;ipv6.domenech.org.        IN    AAAA ;; ANSWER SECTION: ipv6.domenech.org.    57    IN    CNAME    dualstack.domenech-1821931935.us-east-1.elb.amazonaws.com. dualstack.domenech-1821931935.us-east-1.elb.amazonaws.com. 60 IN AAAA 2406:da00:ff00::1715:7cd9 ;; Query time: 123 msec ;; SERVER: 2001:4860:4860::8888#53(2001: 4860:4860::8888) ;; WHEN: Tue Jun  5 11:58:23 2012 ;; MSG SIZE  rcvd: 134

Note: 2001:4860:4860::8888 is a Google IPv6 DNS Server.

This duality is something we have to keep in mind when testing IPv6. We have to be certain whether our browser will ask for a IPv6 Record or not.
And basically that's it. With the EC2 instance up, the web site up and our CNAME ready in our DNS server (I used http://ipv6.domenech.org) you just need to open a browser and type the URL.

Ta-raaaaa!

Appendix.
IP Source: Do not expect to read IPv6 in your Apache log files. All the communication between the ELB and EC2 is IPv4. By default all your connections to your instance will come from the ELB internal IP (something like 10.28.x.x) and this is what you will get at the logs. To reflect your clients IP in your log files instead the ELB IP you need to change the default Apache configuration adding %{X-Forwarded-For}i  to your LogFormat. And to make present this information at your application you need to read the HTTP_X_FORWARDED_FOR header provided by the ELB. The best way to start dealing with headers is to create a PHP test page and read all the headers that come with every request. Don't forget to delete this page when is no longer needed to avoid giving away too much information.

Surfing with IPv6

My DSL carrier (and as far I know no Spanish ADSL carriers) has IPv6 available so my only chance to join IPv6 Launch Day is to create a tunnel to a IPv6 service provider. I've choose the well known Hurricane Electric Tunnel Broker free service.

Easy steps using Ubuntu:
- Sign-in.
- Create your tunnel connection towards your public IPv4 address (Note: You will need to allow HE to ping your router in your firewall configuration).
- Configuration following this guide: http://davecoyle.com/documents/ubuntu-ipv6-he-tunnel.html
- Add the IPv6 DNS server at your /etc/resolv.conf file. In this cases is: nameserver 2001:470:20::2
My suggestion, and for the sake of the test, is to use only this DNS server.
And test!

How my IPv6 tunnel interface looks like:

# ifconfig he-ipv6 he-ipv6   Link encap:IPv6-in-IPv4            inet6 addr: 2001:470:1f08:16b::2/64 Scope:Global           UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1           RX packets:24393 errors:0 dropped:0 overruns:0 frame:0           TX packets:15097 errors:0 dropped:0 overruns:0 carrier:0           collisions:0 txqueuelen:0           RX bytes:30140949 (30.1 MB)  TX bytes:1460976 (1.4 MB)

And the local interface. Now we have the new localhost IPv6 address ::1 (In IPv6 this is the equivalent of 127.0.0.1).

lo        Link encap:Local Loopback            inet addr:127.0.0.1  Mask:255.0.0.0           inet6 addr: ::1/128 Scope:Host           UP LOOPBACK RUNNING  MTU:16436  Metric:1           RX packets:1043 errors:0 dropped:0 overruns:0 frame:0           TX packets:1043 errors:0 dropped:0 overruns:0 carrier:0           collisions:0 txqueuelen:0           RX bytes:105946 (105.9 KB)  TX bytes:105946 (105.9 KB)

First, ping my interface (notice that I'm using ping6 command):

# ping6 -c 5 2001:470:1f08:16b::2 PING 2001:470:1f08:16b::2(2001:470:1f08:16b::2) 56 data bytes 64 bytes from 2001:470:1f08:16b::2: icmp_seq=1 ttl=64 time=0.033 ms 64 bytes from 2001:470:1f08:16b::2: icmp_seq=2 ttl=64 time=0.048 ms 64 bytes from 2001:470:1f08:16b::2: icmp_seq=3 ttl=64 time=0.062 ms 64 bytes from 2001:470:1f08:16b::2: icmp_seq=4 ttl=64 time=0.047 ms 64 bytes from 2001:470:1f08:16b::2: icmp_seq=5 ttl=64 time=0.032 ms --- 2001:470:1f08:16b::2 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 3996ms rtt min/avg/max/mdev = 0.032/0.044/0.062/0.012 ms

Then, ping the other side of the tunnel (notice the round trip time change):

# ping6 -c 5 2001:470:1f08:16b::1 PING 2001:470:1f08:16b::1(2001:470:1f08:16b::1) 56 data bytes 64 bytes from 2001:470:1f08:16b::1: icmp_seq=1 ttl=64 time=66.7 ms 64 bytes from 2001:470:1f08:16b::1: icmp_seq=2 ttl=64 time=66.5 ms 64 bytes from 2001:470:1f08:16b::1: icmp_seq=3 ttl=64 time=66.5 ms 64 bytes from 2001:470:1f08:16b::1: icmp_seq=4 ttl=64 time=66.3 ms 64 bytes from 2001:470:1f08:16b::1: icmp_seq=5 ttl=64 time=67.4 ms --- 2001:470:1f08:16b::1 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4007ms rtt min/avg/max/mdev = 66.309/66.720/67.461/0.460 ms

And then, my first IPv6 ping to Google :)

# ping6 -c 5 -n ipv6.google.com PING ipv6.google.com(2a00:1450:400d:803::1013) 56 data bytes 64 bytes from 2a00:1450:400d:803::1013: icmp_seq=1 ttl=57 time=167 ms 64 bytes from 2a00:1450:400d:803::1013: icmp_seq=2 ttl=57 time=176 ms 64 bytes from 2a00:1450:400d:803::1013: icmp_seq=3 ttl=57 time=170 ms 64 bytes from 2a00:1450:400d:803::1013: icmp_seq=4 ttl=57 time=176 ms 64 bytes from 2a00:1450:400d:803::1013: icmp_seq=5 ttl=57 time=176 ms --- ipv6.google.com ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4006ms rtt min/avg/max/mdev = 167.003/173.506/176.744/3.987 ms

And now is time for a browser and what could be better than http://whatismyipv6.com (IPv6 style of course :)

And http://test-ipv6.com

Google redirects me to the UK site although I'm at Spain. That's because among all the tunnels endpoints from Hurricane Electric I've choose the one at London. But there are more. This could become handy later.

 

A curios ping :)

# ping6 -n -c1 www.v6.facebook.com PING www.v6.facebook.com(2620:0:1cfe:face:b00c::3) 56 data bytes 64 bytes from 2620:0:1cfe:face:b00c::3: icmp_seq=1 ttl=51 time=197 ms --- www.v6.facebook.com ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 197.501/197.501/197.501/0.000 ms

And a couple more:

2a01:4f8:d13:3a43:feed:abba:deca:f       www.synchronkartei.de
2001:4cc0:1ff:40:bebe:cafe:bebe:cafe     www.webtuga.com
2001:610:148:dead:beef:b00b:cafe:babe    www.ist-mome.org