IPv6 only networking not viable in 2018

Get on board the IPv6 train

Quick rant about the roadblocks that IPv6 only networking has caused:

Gist of it:

  • launchpad.net is ipv4, so adding Ubuntu apps via apt-add-repository or by an apt list (that reference launchpad.net) will fail. This severely hinders acquiring software that isn’t distributed by Ubuntu.
  • keyserver.ubuntu.com is ipv4 so one can’t use the default method for trusting package keys (something that shouldn’t be taken lightly)
  • thus everything ubuntu documents about packaging software is not possible via ipv6
  • github.com is ipv4 so one needs to either employ a proxy, nat, or manual transfer files

It can be quite crippling to not have access to these resources.

The full story:

I was checking out Vultr for a VPS. They offer a $2.50 a month package – the catch is that it is IPv6 only (inbound and outbound traffic must use IPv6 addresses). I figured this was no big deal. IPv6 has been in draft standard since 1998, and while it only became an internet standard in 2017, people have had 20 years to prepare. It’s not like you even have to abandon IPv4, one can serve a site with IPv6 and IPv4 side by side.

I got a kick out of IPv6 Excuse Bingo, and figured I should give IPv6 only a shot.

I wanted to setup algo, a personal VPN, and since I was just playing around, I wanted to keep costs down (hence the $2.50 a month package).

Following algo’s Ubuntu 18.04 server guide, I hit a snap on the first line:

apt-add-repository ppa:ansible/ansible

The line would error with

Cannot add PPA: 'ppa:~ansible/ubuntu/ansible'.
ERROR: '~ansible' user or team does not exist.

Searching online for this error would reveal questions only related to setting up an apt proxy. This and many other rabbit holes kept me scratching my head. It turns out, this is the error message that is given to users by apt-add-repository when it can’t access either 91.189.89.22 or 91.189.89.23 (bug report). With IPv6 only networking, it is not possible without some intermediate translation to access those addresses.

I soldiered on, maybe I could circumvent this issue.

I go to manually add the ansible apt key

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7BB9C367

With the lovely error:

gpg: keyserver receive failed: No keyserver available

A bug: keyserver.ubuntu.com has no IPv6 connectivity. The recommended workaround is to switch out the host and execute:

apt-key adv --keyserver pool.sks-keyservers.net --recv-keys 7BB9C367

I’m not familiar with sks-keyservers.net and retrieving keys from a domain I’m not familiar with sets off major red flags. Still, I continue and get ansible installed.

Next issue:

git clone https://github.com/trailofbits/algo

Github doesn’t support IPv6, so I downloaded the repo on another box and transferred accordingly.

I started running algo and then I noticed that it executed the following lines to set up Wireguard (obvious in hindsight):

add-apt-repository ppa:wireguard/wireguard
apt-get update
apt-get install wireguard

These commands fail as add-apt-repository needs to contact an IPv4 address.

And it presented a high enough barrier that I quit (as add-apt-repository won’t work with IPv6). I realized that if I’m having this much trouble setting up the box, I’d have even more trouble when routing traffic through it as a VPN. There were some things I did try or could try to try and soften the problem:

  • Use NAT64, but that would require me to setup another box.
  • Use an apt proxy, but that would also require another box
  • Try appending sixxs.org to domain name for IPv4 exclusive addresses, but sixxs has been sunset.

The solution is simple: upgrade to IPv4. Yes it’ll cost more, but $5 vs $2.50 isn’t something that should cause major headaches.

I can only hope that IPv6 becomes more popular soon.

Comments: