Last Updated: 2013-05-17 17:09:08 UTC
by Johannes Ullrich (Version: 1)
Currently, many public web sites that allow access via IPv6 do so via proxies. This is seen as the "quick fix", as it requires minimum changes to the site itself. As far as the web application is concerned, all incoming traffic is IPv4.
The most obvious issue here is logging, in that the application only "sees" the proxies IP address, unless it inspects headers added by the proxy, which will no point to (unreadable?) IPv6 addresses.
But there is another issue: SSL Certificates. If only IPv6 connections are passed via the proxy, you will end up with two different certificate: One for the proxy, and one for the web application (or the IPv4 proxy). It may also happen that the IPv6 and IPv4 site are considered two different hosts on the web server, requiring distinct configurations.
For example, at this point, "www.socialsecurity.gov" uses two different certificates. One for IPv6 and one for IPv4. The IPv6 certifiate is expired, while the IPv4 certificate is valid. This is in particularly painful as some simple comand line tools, like "openssl s_client' are still not able to work over IPv6. For my test, I used gnutls-cli, which works similar to openssl s_client but supports IPv6.
Excerpt from the result:
Next, lets try IPv4. A disadvantage of gnutls-cli is that you are not able to force an IPv4 connection, so I will just fall back to openssl here: