Gervasio Marchand 🦄

while I was playing with #docker on an #ipv6 only host, one of the things I didn't like is that I had to assign public ips to them. I couldn't use a ULA, because that would cause linux to prefer the internal ipv4 address.

One interesting thing I noticed is that if I used the documentation-only range, things worked.

That's cool if you get a /64 range assigned, but in #OracleCloud, you assign ipv6 addresses one at a time... so in this case, you don't have a bunch of addresses.

Well, I just found out why ULA addresses don't work but the documentation only range does: https://github.com/robbertkl/docker-ipv6nat/issues/78#issuecomment-1462060375

I guess I'll start using the documentation-only range everywhere (cries in ipv6)

Prefer ipv6 over ipv4 · Issue #78 · robbertkl/docker-ipv6nat

Hey, Is there a way to set that Ipv6 would be preferred to ipv4? If I bring up a container I get that unless spefied (or ipv6-only site) ipv4 is used: ping www.google.com PING www.google.com (142.2...

GitHub
Aug 15, 2023 at 12:44amWeb
Show threadErik Nygren Aug 15, 2023
@g3rv4 Have you tried changing gai.conf to increase the priority of #IPv6 #ULA? This has some discussion of the issues: https://datatracker.ietf.org/doc/html/draft-ietf-v6ops-ula-00. The #v6ops mailing list in the #IETF is discussing changing the recommend defaults.
Unintended Operational Issues With ULA

The behavior of ULA addressing as defined by [RFC6724] is preferred below legacy IPv4 addressing, thus rendering ULA IPv6 deployment functionally unusable in IPv4 / IPv6 dual-stacked environments. This behavior is counter to the operational behavior of GUA IPv6 addressing on nearly all modern operating systems that leverage a preference model based on [RFC6724] .

IETF Datatracker
Show threadGervasio Marchand 🦄Aug 15, 2023

@nygren oh fun, and alpine containers don't respect gai.conf

https://chameth.com/ipv6-docker-routing/

so yeah, the reserved for documentation range seems to be the best way to achieve this

Adventures in IPv6 routing in Docker · Chameth.com

Show threadDaniel MarksAug 15, 2023
@nygren @g3rv4 pretty sure it’s working as intended here, it has successfully stopped OP from implementing an IPv4-like environment where they try and route to the public internet with NAT using ULAs
Show threadGervasio Marchand 🦄Aug 15, 2023
@rootbeerdan @nygren sigh... if you only had read my original post
Show threadDaniel MarksAug 15, 2023

@g3rv4 if you’re afraid of using “public” IP addresses in IPv6, then you shouldn’t even bother deploying it since you just have the wrong mindset. There’s nothing insecure about using a globally routable prefix assuming you have a stateful firewall.

The entire point of IPv6 is to restore end-to-end connectivity to the internet, you’re just doing it incorrectly if you’re planning on putting it behind some sort of NAT, you may as well just use RFC1918 space.