A lot of great features have been introduced to OCI in recent months. In this blog post, we will discuss one of the newly added features: IPv6.
Why is IPv6 so important in a cloud environment? Our customers can integrate with OCI over IPv6 from their on-premises networks, and IPv6 traffic to and from the Internet is also supported.
For a full product description, you can consult our public documentation at this link: https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/ipv6.htm
1. Existing VCN without IPv6 at the creation time
We can enable IPv6 on a VCN that was not enabled for this feature at creation time:
2. Enabling a VCN for IPv6 at the creation time
3. Enabling a VCN subnet for IPv6
You need to specify the last two hex characters from the /64 for the IPv6 CIDR block to be created:
4. IPv6 addresses on the OCI instances
When a VM is launched, it is not automatically configured with an IPv6 address, even if the subnet supports IPv6.
We need to add the IPv6 address to the instance:
After this step, we can use DHCPv6 to get the IP address:
sudo firewall-cmd --add-service=dhcpv6-client
sudo dhclient -6 ens3
Checking the VMs for the newly configured IPv6 addresses:
5. IPv6 Security
IPv6 ping from Instance 1 to Instance 2 in the same VCN but different subnets:
Instance 1 Egress Security Rule:
Instance 2 Ingress Security Rule:
Something interesting happens here: the ICMP probes do not work. Why? The security lists were intentionally configured this way to show a common mistake when working with IPv6. As we can see, the permitted IP protocol is ICMP, but IPv6 uses ICMPv6. ICMPv6 (https://datatracker.ietf.org/doc/html/rfc4443) is a different protocol from ICMP. We need to change the protocol from ICMP to IPv6-ICMP in the security entries, and the traffic will start to flow:
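The mismatch described above can be caught before a rule is deployed. The following is an added example, not code from the original post or from Oracle: it audits rule dictionaries whose key names (`protocol`, `source`, `destination`, `icmp_type`) and sample values are constructed assumptions, and it goes one step beyond the post by also flagging an ICMP echo type carried over into an IPv6-ICMP rule.

```python
import ipaddress

ICMP, ICMPV6 = "1", "58"   # IANA protocol numbers for ICMP and ICMPv6
V4_ECHO_REQUEST = 8        # ICMP echo request type; ICMPv6 uses 128 (RFC 4443)

# Constructed sample rules. The key names are assumptions for this example.
SAMPLE_RULES = [
    {"direction": "egress", "protocol": "1", "destination": "2001:db8:0:2::/64"},
    {"direction": "ingress", "protocol": "58", "source": "2001:db8:0:1::/64"},
    {"direction": "ingress", "protocol": "58", "source": "2001:db8:0:1::/64", "icmp_type": 8},
    {"direction": "ingress", "protocol": "1", "source": "10.0.0.0/24", "icmp_type": 8},
    {"direction": "egress", "protocol": "all", "destination": "::/0"},
]


def ip_version(cidr):
    """Return 4 or 6 for a CIDR string, or None when it is not a CIDR."""
    try:
        return ipaddress.ip_network(cidr, strict=False).version
    except ValueError:
        return None


def audit_rules(rules):
    """Return (rule index, message) for ICMP rules that cannot match their CIDR family."""
    findings = []
    for index, rule in enumerate(rules):
        cidr = rule.get("source") or rule.get("destination") or ""
        version, proto = ip_version(cidr), str(rule.get("protocol"))
        if version == 6 and proto == ICMP:
            findings.append((index, f"{cidr}: ICMP (1) on an IPv6 CIDR, use IPv6-ICMP (58)"))
        elif version == 4 and proto == ICMPV6:
            findings.append((index, f"{cidr}: IPv6-ICMP (58) on an IPv4 CIDR, use ICMP (1)"))
        elif proto == ICMPV6 and rule.get("icmp_type") == V4_ECHO_REQUEST:
            findings.append((index, f"{cidr}: type 8 is the ICMP echo request, ICMPv6 uses 128"))
    return findings


if __name__ == "__main__":
    for index, message in audit_rules(SAMPLE_RULES):
        print(f"rule {index}: {message}")
```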
6. IPv6 Routing
Ping from Instance 1 to a host on the Internet, for example, 2001:4860:4860::8888.
First, we need to create a route entry in the routing table associated with the subnet:
Second, we need to create an egress security entry in the security list associated with the subnet:
IPv6 is a truly great IP protocol and the magic part is that it is fully supported on OCI for our customers.