October 2011


Debian, Networking & telecommunications, Systems administration, Unix | 17 Oct 2011 at 11:03 by Jean-Marc Liotier

I just wanted to create an Apache virtual host responding to queries only over IPv6. That should have been most trivial considering that I had already been running a dual-stacked server, with all services accessible over both IPv4 and IPv6.

Following the established IPv4 practice, I set upon configuring the virtual host to respond only to queries directed to a specific IPv6 address. That is done by inserting the address in the opening of the VirtualHost stanza : <VirtualHost [2001:470:1f13:a4a::1]:80> – same as an IPv4 configuration, but with brackets around the address. It is simple and after adding an AAAA record for the name of the virtual host, it works as expected.

I should rather say it works even better than expected : all sub-domains of the second-level domain I’m using for this virtual host are now serving the same content that the new IPv6-only virtual host is supposed to serve… Ungood – cue SMS and mail from pissed-off users and a speedy rollback of the changes; the joys of cowboy administration in a tiny community-run host with no testing environment. As usual, I am not the first user to fall into the trap. Why Apache behaves that way with an IPv6-only virtual host is beyond my comprehension for now.

Leaving aside the horrible name-based hack proposed by a participant in the Sixxs thread, the solution is to give each IPv6-only virtual host its own IPv6 address. Since this server has been allocated a /64 subnet yielding it 18,446,744,073,709,551,616 addresses, that’s quite doable, especially since I can trivially get a /48 in case I need 1,208,925,819,614,629,174,706,176 more addresses. Remember when you had to fill triplicate forms and fight a host of mounted trolls to justify the use of just one extra IPv4 address ? Yes – another good reason to love IPv6 !
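The surprise above follows from Apache's documented matching order: a request is first narrowed down to the virtual hosts that claim the exact address and port it arrived on (a literal address beats the `*` wildcard), and only inside that set does the Host header pick a ServerName or ServerAlias. So if the other virtual hosts' AAAA records point at the very address named in the IPv6-only `<VirtualHost>`, every IPv6 request for any of those names lands in a set that contains nothing but the IPv6-only host, and the Host header never gets a say. A dedicated address keeps the sets apart. The following Python model of that selection is an added illustration, not code from this post or from Apache itself; the configuration text, the hostnames under example.org and the addresses in the 2001:db8::/32 documentation prefix are constructed for the example.

```python
"""Simplified model of how Apache httpd chooses a virtual host (after the
"Virtual host matching" chapter of the httpd manual): best address:port
match first, then best ServerName/ServerAlias match inside that set.
Added illustration, not Apache's own code; configs and addresses below are
constructed (2001:db8::/32 is the documentation prefix)."""
import re
from dataclasses import dataclass, field


@dataclass
class VHost:
    addr: str                 # "*" or a literal IPv4/IPv6 address, no brackets
    port: int
    server_name: str
    aliases: list = field(default_factory=list)
    doc_root: str = ""


# <VirtualHost [v6addr]:port> or <VirtualHost v4addr-or-*:port> ... </VirtualHost>
VHOST_RE = re.compile(
    r"<VirtualHost\s+(?:\[([0-9a-fA-F:]+)\]|([^:\s]+)):(\d+)>(.*?)</VirtualHost>",
    re.S,
)


def parse_vhosts(config):
    """Extract the VirtualHost blocks of a minimal Apache config string."""
    hosts = []
    for m in VHOST_RE.finditer(config):
        addr = (m.group(1) or m.group(2)).lower()
        body = m.group(4)
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        alias = re.search(r"^\s*ServerAlias\s+(.+?)\s*$", body, re.M)
        root = re.search(r"^\s*DocumentRoot\s+(\S+)", body, re.M)
        hosts.append(VHost(
            addr, int(m.group(3)),
            name.group(1).lower() if name else "",
            alias.group(1).lower().split() if alias else [],
            root.group(1) if root else "",
        ))
    return hosts


def select_vhost(hosts, dest_addr, port, host_header):
    """Return the vhost served for a request carrying host_header (a name,
    optionally with :port) that arrived on dest_addr:port, or None."""
    dest_addr = dest_addr.lower()
    host = host_header.lower().split(":")[0]
    # 1. An exact address match beats the wildcard; the *:port set is only
    #    consulted when no vhost claims the destination address at all.
    exact = [h for h in hosts if h.addr == dest_addr and h.port == port]
    candidates = exact or [h for h in hosts if h.addr == "*" and h.port == port]
    if not candidates:
        return None
    # 2. Inside that set, the Host header selects by ServerName/ServerAlias.
    for h in candidates:
        if host == h.server_name or host in h.aliases:
            return h
    # 3. No name matched: the first vhost listed for that address is the default.
    return candidates[0]


# Constructed config: name-based hosts on *:80 plus one IPv6-only host bound
# to the address that (in this scenario) every AAAA record already points at.
SHARED_ADDRESS_CONFIG = """
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /srv/www
</VirtualHost>
<VirtualHost *:80>
    ServerName mail.example.org
    ServerAlias webmail.example.org
    DocumentRoot /srv/mail
</VirtualHost>
<VirtualHost [2001:db8:a4a::1]:80>
    ServerName v6only.example.org
    DocumentRoot /srv/v6only
</VirtualHost>
"""

# The fix from the post: the IPv6-only host gets an address of its own (::2).
DEDICATED_ADDRESS_CONFIG = SHARED_ADDRESS_CONFIG.replace(
    "[2001:db8:a4a::1]", "[2001:db8:a4a::2]")


def served_root(config, dest_addr, host_header, port=80):
    """DocumentRoot that one request would be served from, or None."""
    chosen = select_vhost(parse_vhosts(config), dest_addr, port, host_header)
    return chosen.doc_root if chosen else None


if __name__ == "__main__":
    # Shared address: an IPv6 client asking for www lands in the exact-match
    # set, where only the v6-only vhost lives, so it gets the wrong site.
    print(served_root(SHARED_ADDRESS_CONFIG, "192.0.2.10", "www.example.org"))        # /srv/www
    print(served_root(SHARED_ADDRESS_CONFIG, "2001:db8:a4a::1", "www.example.org"))   # /srv/v6only
    # Dedicated address: ::1 has no exact match, so the *:80 name-based set applies.
    print(served_root(DEDICATED_ADDRESS_CONFIG, "2001:db8:a4a::1", "www.example.org"))       # /srv/www
    print(served_root(DEDICATED_ADDRESS_CONFIG, "2001:db8:a4a::2", "v6only.example.org"))    # /srv/v6only
```

The model also shows the flip side worth remembering when you hand out a dedicated address: a request that reaches that address with some other Host header still gets the IPv6-only host, because the wildcard set is never consulted once an exact address match exists. On a live server, `apache2ctl -S` lists the address sets and their name-based members, which is the quickest way to check which set a given name will fall into.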

So let’s add an extra IPv6 address to this host – another trivial task : just create an aliased interface, like :

auto eth0:0
iface eth0:0 inet6 static
    address 2001:470:1f13:a4a::1
    netmask 64
    gateway 2001:470:1f12:a4a::2

The result :

SIOCSIFFLAGS: Cannot assign requested address
Failed to bring up eth0:0.

This is not what we wanted… You may have done it dozens of times in IPv4, but in IPv6 your luck has run out.

Stop the hair pulling right now : this unexpected behavior is a bug – this one documented in Ubuntu, but I confirm it is also valid on my mongrel Debian system. Thanks to Ronny Roethof for pointing me in the right direction !

The solution : declare the additional address in a post-up command of the main IPv6 interface (and don’t forget to add the post-down command to keep things clean) :

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    address 2001:470:1f12:a4a::2
    netmask 64
    endpoint 216.66.84.42
    local 212.85.152.17
    gateway 2001:470:1f12:a4a::1
    ttl 64
    post-up ip -f inet6 addr add 2001:470:1f13:a4a::1 dev he-ipv6
    pre-down ip -f inet6 addr del 2001:470:1f13:a4a::1 dev he-ipv6

And now the IPv6-only virtual host serves as designed and the other virtual hosts are not disturbed. The world is peaceful and harmonious again – except maybe for that ugly post-up declaration in lieu of declaring an aliased interface the way the Unix gods intended.

All that just for creating an IPv6 virtual host… Systems administration or sleep ? Systems administration is more fun !

Politics | 15 Oct 2011 at 0:45 by Jean-Marc Liotier

The French interior minister Claude Gueant has decided to launch a viral marketing campaign to spread the notoriety of https://copwatchnord-idf.org, a sousveillance commune attempting to enforce police accountability. Displaying a cunning knowledge of mass communications, he let a court order the whole site made inaccessible; thus drawing the ire of free speech activists and ensuring excellent conditions for a nice Streisand Effect. Even before the court order has been implemented there is already a wealth of alternative ways to access the site’s content – among others I2P, ED2K, Bittorrent and a nicely growing list of mirrors including one on this site (IPv6 only – let’s promote IPv6 while we are at it) which will stay up until I get a court order to take it down or police pressure I can’t handle. Funniest thing is that I haven’t even read the content of the site.

I could have mirrored it anonymously, but civil disobedience doesn’t carry much of a message if you are not ready to do it in your own name: provoking a debate is the whole point of my involvement.

What triggered the French Copwatch case is the site’s naming of law enforcement officers, in infraction of French law regulating the collection, storage, and use of personal data. There are also claims of slander and libel, but those are not worthy of discussion – the targeting of individuals is the meat of the case brought forth by police unions.

It may surprise you but I agree with the police unions : naming law enforcement officers and systematically exposing their personal data in a manner making them personally more vulnerable to public anger is bad.

So why am I misbehaving by mirroring https://copwatchnord-idf.org on my host ? To have you talk about it. This is about ensuring that no one wants to publish something like Copwatch anymore. Even if law enforcement manages to stomp all the Web ants, technologies such as Tor hidden services and I2P guarantee that there is no way to eradicate information anymore – only to make it more difficult for the non technophile public to reach. So if we don’t want sites like Copwatch, it is the cause that must be attacked – Copwatch is only the symptom of some deeper disease.

In the French republic, law enforcement has a monopoly on legitimate violence, which is a good thing. In addition, law enforcement has powerful surveillance tools – those have never been as powerful as they are now, and their power is still growing. As the popular saying goes : “with great power comes great responsibility” – law enforcement is fine but only if it is accountable. Copwatch’s efforts may be misguided, but they illustrate a growing frustration from those involved in police violence and faced with police impunity: where to turn to for accountability when facing staggering power asymmetry ? They answer by starting an arms race between censor and watchers. No good will come out of that – we must make peace now : accept that censorship is pointless and imagine alternatives that guarantee that cases of illegitimate police violence are treated fairly – or even better, that they don’t happen.

A fight between the people and its own law enforcement is a losing proposition for every party involved – don’t do it ! Instead, make sure that institutional and individual acts of violence are easily documented and brought to court. Law enforcement is viable only if the people trusts its officers, but the relationship between the people and law enforcement is increasingly broken… Can we fix that ?

To make law enforcement officers accountable for their individual acts of violence, data must be collected from witnesses. But how to do it without naming them and exposing their personal data in a manner making them personally more vulnerable to public anger ? My proposal is to make prominent personal identifier displays part of what a law enforcement officer must feature to act legitimately as such. This identifier must point to the individual while keeping him anonymous. It must be displayed large enough to be readable through photography. This is only a single technical proposition, but the general idea to be pushed is for the police to be put under surveillance by the citizens who can easily gather enough information for proper judiciary proceedings while protecting the individuals involved from extra-judiciary threats.

With a culture of accountability in place and enough eyes over the police, sites such as Copwatch would be pointless… Everybody wins. Don’t fear the sunshine and let’s talk about solutions !

Streisand Effect, police accountability