[Labs-l] IPv6?

Ryan Lane rlane32 at gmail.com
Tue May 5 09:20:48 UTC 2015


Access through a bastion via ProxyCommand is a much better approach than
direct access via ssh. Even considering direct access, it would likely be
better to allow direct access via VPN than to allow the world to be able to
access the ssh port of every node via IPv6.

We initially limited SSH through bastions because of IP limitations, but in
the long run I think it was also a good choice from a security point of
view. We can mostly disable all SSH access to Labs by removing access to
the bastions.

Take a look at how AWS implements VPC to get a better understanding of how
this works in large infrastructures. Assume each VPC is a separate Labs
project, or assume different accounts are different Labs projects.

On Tue, May 5, 2015 at 12:24 AM, Petr Bena <benapetr at gmail.com> wrote:

> Yes that's true, it's more or less something we could have, not
> something we really need. But at some point it would make stuff easier
> for some people, you probably wouldn't use public IPv6 to provide some
> service to the public, but rather for example to make it simple for the
> owner of a virtual machine to directly ssh / scp into their instance, not
> having to go through some tunnels and so on.
>
> On Tue, May 5, 2015 at 1:14 AM, Ryan Lane <rlane32 at gmail.com> wrote:
> > On Mon, May 4, 2015 at 5:05 AM, Petr Bena <benapetr at gmail.com> wrote:
> >>
> >> Hey,
> >>
> >> It's 2015, many years after IANA's IPv4 pool was exhausted. WE STILL
> >> DON'T HAVE IPv6 ON LABS! Why?
> >>
> >> If we had it, every single instance could have its own public address
> >> and things like http://tools.wmflabs.org/ wouldn't say "Server not
> >> found" if you were on an IPv6-only box.
> >>
> >
> > Even with IPv6, it doesn't make a ton of sense to give direct access to
> > the nodes. You'd still have to support the case of IPv4, but then you'd
> > add the complexity of having things work two different ways, which makes
> > troubleshooting harder. Making things go through proxies is a good
> > approach as a whole.
> >
> > That said, it would be nice to eventually have IPv6 support in Labs for
> > testing IPv6 for MediaWiki.
> >
> > - Ryan
> >
> > _______________________________________________
> > Labs-l mailing list
> > Labs-l at lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/labs-l
> >
>
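
An added example, not part of the original thread and not Labs or AWS tooling: a check that every ingress rule admitting TCP port 22 comes only from a bastion address, which is the property that lets SSH be cut off by removing bastion access. The rule format, instance names and addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions): bastion addresses and per-instance
# ingress rules in a hypothetical format. Nothing here comes from the thread.
BASTIONS = ["10.0.0.5/32", "2001:db8:10::5/128"]
RULES = [
    {"instance": "web-1", "proto": "tcp", "ports": (22, 22), "source": "10.0.0.5/32"},
    {"instance": "web-1", "proto": "tcp", "ports": (80, 80), "source": "0.0.0.0/0"},
    {"instance": "db-1", "proto": "tcp", "ports": (22, 22), "source": "::/0"},
    {"instance": "dev-1", "proto": "tcp", "ports": (1, 1024), "source": "10.0.0.0/8"},
    {"instance": "dev-2", "proto": "tcp", "ports": (22, 22), "source": "2001:db8:10::5/128"},
    {"instance": "dev-3", "proto": "udp", "ports": (22, 22), "source": "0.0.0.0/0"},
]


def ssh_exposures(rules, bastions, ssh_port=22):
    """Return (instance, source, kind) for each rule that admits SSH
    from a source not fully contained in the bastion address set."""
    allowed = [ipaddress.ip_network(b) for b in bastions]
    findings = []
    for rule in rules:
        low, high = rule["ports"]
        # Only TCP rules whose port range includes the SSH port matter.
        if rule["proto"] != "tcp" or not low <= ssh_port <= high:
            continue
        src = ipaddress.ip_network(rule["source"], strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        covered = any(
            src.version == net.version and src.subnet_of(net) for net in allowed
        )
        if not covered:
            # A /0 source means the port is open to the whole address family.
            kind = "world" if src.prefixlen == 0 else "non-bastion"
            findings.append((rule["instance"], rule["source"], kind))
    return findings


if __name__ == "__main__":
    for instance, source, kind in ssh_exposures(RULES, BASTIONS):
        print(f"{instance}: SSH reachable from {source} ({kind})")
```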