Sunday, July 17, 2005

The easy way to IPv6 support for TCP apps

When I initially got my static IPv6 address range from my ISP, I was running Linux as my firewall and Apache 2 on Solaris x86 as my web server. This meant that getting my site available over IPv6 was pretty straight forward. All I had to do was add new A6 and AAAA records to my DNS entries, configure the static IP address on the Solaris box and add an additional Listen directive to Apache. Life was good. Not that I ever got more than 10 hits a month on my site from IPv6 addresses, but that was not the point!

Then I switched the firewall and web server over to OpenBSD. One of the main factors in me deciding to do this was the great "Tinfoil Hat" approach the OpenBSD guys have to security. Sure, you may not be able to run the latest greatest version of your favourite app, but the stuff they do ship with the core distribution has been fairly well nit-picked by some pretty bright people. This means I don't have to worry so much about the script kiddies getting in...

However, this does mean that the Apache they ship and support and have tweaked to have run in its own little chrooted sandbox is pretty old - 1.3.29 at the time of writing this. Yes, all the security patches that come from the Apache group have been applied. But it does not do IPv6. There are patches out there from the Kame guys to enable this in the 1.3 branch, but it's old, experimental, and does not do SSL. I did for a few brief minutes contemplate seeing if I could at least try crafting my own patch to get mod_ssl to work, but then sanity kicked in. I am not a hard core developer. I am a Sys Admin who knows how to code.

I then decided to step back and look at the picture from another angle. All that's different really is the IP stack. The actual TCP protocol used to do all the chatting is the same. What I really needed was something to mess with the inbound IPv6 packets, send them to the required IPv4 host, and do the opposite on replies. Trying to write some code to do this somewhere in the network stack is more scary and presents more security bugs than trying to write a mod_ssl patch. So I decided to go for the quick and easy method - write a socket app that listens on an IPv6 port, and pumps all the TCP packets down a new IPv4 connection, and do the opposite with the replies.

A few hours later I had a small (about 200 lines at the moment) Python app to do this all for me. It's also fast handles multiple ports, and is protocol indepentant. I've tested HTTP, SSL, SSH, IMAP, POP3 and SMTP with it.

I'm busy working on the final touches before releasing it, but I will anounce it here when it's ready.