IPv6

From OpenStreetMap Wiki
Jump to: navigation, search

Status of IPv6 support in Openstreetmap

There is an openstreetmap tile server for the Netherlands ( http://tile.openstreetmap.nl/ ) running over ipv6. Additionally, Overpass API (offering also XAPI services) can be found via http://ivp6.overpass-api.de

But most openstreetmap servers do not run over IPv6 at the current time.

Overview:

Hostname AAAA DNS record IPv6 web server IPv6 DNS server As of date Note
www.openstreetmap.org Yes Yes Yes 2014-09-17
openstreetmap.org Yes Yes Yes 2014-09-17
osm.org Yes Yes Yes 2014-09-17
a.tile.openstreetmap.org some ? ? 2014-09-17 Default layer on main site, CDN
b.tile.openstreetmap.org some ? ? 2014-09-17 Default layer on main site, CDN
c.tile.openstreetmap.org some ? ? 2014-09-17 Default layer on main site, CDN
piwik.openstreetmap.org No ? ? 2014-09-17 Used by main site
wiki.openstreetmap.org No ? ? 2014-09-17
Additional layers
a.tile.thunderforest.com No ? ? 2014-09-17 Cycle maps, Public transport layers
b.tile.thunderforest.com No ? ? 2014-09-17 Cycle maps, Public transport layers
c.tile.thunderforest.com No ? ? 2014-09-17 Cycle maps, Public transport layers
a.tile.openstreetmap.fr Yes Yes Yes 2014-09-17 Humanitarian OSM Team
b.tile.openstreetmap.fr Yes Yes Yes 2014-09-17 Humanitarian OSM Team
c.tile.openstreetmap.fr Yes Yes Yes 2014-09-17 Humanitarian OSM Team
Other OSM-related servers
tile.openstreetmap.nl Yes Yes Yes 2014-09-17
overpass-turbo.eu Yes Yes No 2014-09-17 depending on overpass-api.de !!!
overpass-api.de No ? ? 2014-09-17 used by overpass-turbo.eu

This can be tested on http://ipv6-test.com/validate.php

Implementation scenario

It has been tested that an AYIYA tunnel from SixXS works from UCL; this basically says that we can make a tunnel from UCL to a nearby tic server in London. The setup time for that is the time to apply at SixXS and the time to request a tunnel. From that point on a subnet can be requested that is (on layer 2) distributing IPv6 using radvd automatically. No setup required, only a IPv6 module loaded in the respectable kernel.

Most likely because we have static ip adresses, we don't want to tunnel over AYIYA out, but directly get a static IPv4 link, without heartbeat. We did not test that yet, but if tested and it works within UCL it would be the best method.

Security

Obviously IPv6 makes machines directly accessible like global IPs do. By putting a firewall on top of the router that is distributing the IPv6 adresses, we basically protect us against people trying to reach the machines by v6. Setting up again a port based match is transparent to IPv4 and IPv6; so theoretically if every system has a firewall now, it would already be protected.

See also