<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>IT Know-It-All</title>
	<atom:link href="http://itkia.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://itkia.com</link>
	<description>Applications, OS, Networking, Data</description>
	<lastBuildDate>Mon, 12 Apr 2010 19:56:35 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Modern OS&#8217;es Spotted In the Enterprise</title>
		<link>http://itkia.com/modern-oses-spotted-in-the-enterprise/</link>
		<comments>http://itkia.com/modern-oses-spotted-in-the-enterprise/#comments</comments>
		<pubDate>Mon, 12 Apr 2010 19:55:11 +0000</pubDate>
		<dc:creator>IT Know-It-All</dc:creator>
				<category><![CDATA[Windows]]></category>
		<category><![CDATA[enterprise]]></category>
		<category><![CDATA[managed]]></category>
		<category><![CDATA[server2008]]></category>
		<category><![CDATA[vista]]></category>
		<category><![CDATA[win7]]></category>

		<guid isPermaLink="false">http://itkia.com/?p=186</guid>
		<description><![CDATA[Up until the past month or two I have been able to say I hadn&#8217;t seen Windows Vista deployed in an enterprise, and my peers had similar stories. But that seems to be quickly changing. My first sighting of Vista in the enterprise was an unmanaged desktop for a financial services storefront agent. Shortly after [...]]]></description>
			<content:encoded><![CDATA[<p>Up until the past month or two I have been able to say I hadn&#8217;t seen Windows Vista deployed in an enterprise, and my peers had similar stories. But that seems to be quickly changing. My first sighting of Vista in the enterprise was an unmanaged desktop for a financial services storefront agent. Shortly after that I saw it on a laptop, but I was performing a hardware warranty break fix on it, and the end user was in IT in a data center, so I don&#8217;t know if his install was managed or if he installed it himself.</p>
<p>Then about a month ago I performed a laptop refresh for an industrial company where the new laptop was a Configuration Manager (SMS)-managed Vista Business operating system. This was actually problematic, but the issues were due to client network latency between the laptop and the software distribution point, not to Vista itself.</p>
<p>Today I saw Server 2008 in production at a big box retailer while testing a newly installed KVM, and I made an appointment for this week to refresh a laptop user at an IT services firm to a new managed laptop running Windows 7 64-bit. I&#8217;m speaking about real, managed deployments here, not a lab machine or a rogue user installing his own software. Color me impressed.</p>
<p>I don&#8217;t think this is simply coincidental to the upswing in adopting Windows Deployment Services that I&#8217;ve seen over the past two years. Before two years ago, all client images I dealt with were Ghost, Altiris or various Linux-based imaging software, but then I noticed more and more clients using WDS for their newer hardware deployments. Now I have several clients using DVD, PXE and flash boot to image their systems with WDS. And once you have that infrastructure in place, imaging Vista or Windows 7 is as easy as Windows XP. And now apparently patch and application management for Vista, Win7 and Server 2008 is deployed more widely in the enterprise. Welcome to the present!</p>
]]></content:encoded>
			<wfw:commentRss>http://itkia.com/modern-oses-spotted-in-the-enterprise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IPv6 Caveats</title>
		<link>http://itkia.com/ipv6-caveats/</link>
		<comments>http://itkia.com/ipv6-caveats/#comments</comments>
		<pubDate>Tue, 02 Feb 2010 16:00:52 +0000</pubDate>
		<dc:creator>IT Know-It-All</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[ipv6]]></category>

		<guid isPermaLink="false">http://itkia.com/?p=157</guid>
		<description><![CDATA[Most of these caveats are really with the software specified and not IPv6 itself:

Windows XP natively supports IPv6, but it does not provide its IPv6 address to DDNS and cannot use IPv6 for file sharing, remote desktop or name resolution transport.
Windows Server 2003 natively supports IPv6, but it cannot use IPv6 for file sharing, terminal [...]]]></description>
			<content:encoded><![CDATA[<p>Most of these caveats are really with the software specified and not IPv6 itself:</p>
<ul>
<li>Windows XP natively supports IPv6, but it does not provide its IPv6 address to DDNS and cannot use IPv6 for file sharing, remote desktop or name resolution transport.</li>
<li>Windows Server 2003 natively supports IPv6, but it cannot use IPv6 for file sharing, terminal services or DNS transport.</li>
<li>There is no general-purpose IPv6-to-IPv4 or IPv4-to-IPv6 translator, although application-specific proxies like multihomed DNS resolvers and web proxies can be implemented.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://itkia.com/ipv6-caveats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What IPv6 Can&#8217;t Do…Yet</title>
		<link>http://itkia.com/what-ipv6-cant-do/</link>
		<comments>http://itkia.com/what-ipv6-cant-do/#comments</comments>
		<pubDate>Mon, 01 Feb 2010 16:00:11 +0000</pubDate>
		<dc:creator>IT Know-It-All</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[ipv6]]></category>

		<guid isPermaLink="false">http://itkia.com/?p=143</guid>
		<description><![CDATA[Here are some things you can&#8217;t yet do with IPv6:

PXE Boot: There is no Preboot eXecution Environment boot standard for IPv6 yet, and one will need to be developed before the ability makes its way into boot firmware.
NAT: Network Address Translation was created to slow down IPv4 address exhaustion, so it is not needed for [...]]]></description>
			<content:encoded><![CDATA[<p>Here are some things you can&#8217;t yet do with IPv6:</p>
<ul>
<li>PXE Boot: There is no Preboot eXecution Environment boot standard for IPv6 yet, and one will need to be developed before the ability makes its way into boot firmware.</li>
<li>NAT: Network Address Translation was created to slow down IPv4 address exhaustion, so it is not needed for IPv6. However, many users seem to think that NAT enhances security (I largely disagree), and some have tried to develop a form of NAT during the IPv4-to-IPv6 transition phase so a group of IPv4-only hosts might communicate over a NAT device with IPv6-only hosts. But the transition NAT attempts have run into problems and aren&#8217;t considered general-purpose transition solutions. Ideally all hosts on the internet can directly address each other, so NAT should disappear with IPv4.</li>
<li>WINS: Windows Internet Name Service maps NetBIOS names to IPv4 addresses, but Microsoft has moved to DNS for client-server name resolution and is developing PNRP for peer name resolution. Do not expect WINS to be implemented for IPv6 name resolution or to use IPv6 to transport queries.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://itkia.com/what-ipv6-cant-do/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Moving From Drupal To Wordpress</title>
		<link>http://itkia.com/drupal-to-wordpress/</link>
		<comments>http://itkia.com/drupal-to-wordpress/#comments</comments>
		<pubDate>Sat, 30 Jan 2010 16:00:48 +0000</pubDate>
		<dc:creator>IT Know-It-All</dc:creator>
				<category><![CDATA[LAMP]]></category>
		<category><![CDATA[drupal]]></category>
		<category><![CDATA[wordpress]]></category>

		<guid isPermaLink="false">http://itkia.com/?p=172</guid>
		<description><![CDATA[Drupal may be all-powerful, but its frequent updates caused me problems, and I found that I unthinkingly reduced my Drupal sites to what Wordpress can easily do.]]></description>
			<content:encoded><![CDATA[<p>I used Drupal for several years for my sites. I liked its flexibility and had visions of several people contributing to each site. But I noticed that over time I had reduced all my Drupal installs to simple blogs authored only by me. Drupal publishes updates rather frequently and twice caused me issues with rather common modules when changing major versions.</p>
<p>When deciding to create the IT Know-It-All site I reviewed my options. My goal was to write about my IT experiences—discovered solutions, lab tests, and reports on my research—to share them and to create a navigable knowledgebase for myself. I had originally envisioned a site with a knowledgebase engine, but later realized a blog with search and tags would work just fine for my purposes and be easier to update and maintain. Wordpress does this &#8220;out of the box&#8221; with no additional modules, is quite popular and well-maintained, so I chose Wordpress for the new site.</p>
<p>I found no reliably simple way to import two Drupal sites&#8217; articles into Wordpress. I didn&#8217;t have that many articles, and none with photos or other media, so I viewed them with Firefox with &#8220;no style&#8221; chosen and simply copied each article to the clipboard and then pasted it into a new Wordpress post on the new site, then adjusted the publish date. That worked surprisingly well. (I then set up redirects, but that is out-of-scope for this post.)</p>
<p>So far I really like using Wordpress. Drupal can do more and is more flexible, but without thinking about it I had reduced my Drupal sites to a level of simplicity that Wordpress does better. I have two more simple Drupal blog sites, and I think I will convert them to Wordpress, too. My Drupal sites are at least one major version behind because upgrading would cause module issues, so I might as well update (for my purposes) to Wordpress.</p>
]]></content:encoded>
			<wfw:commentRss>http://itkia.com/drupal-to-wordpress/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IPv6 Is Like IPv4</title>
		<link>http://itkia.com/ipv6-ipv4-similar/</link>
		<comments>http://itkia.com/ipv6-ipv4-similar/#comments</comments>
		<pubDate>Fri, 29 Jan 2010 21:44:41 +0000</pubDate>
		<dc:creator>IT Know-It-All</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[ipv6]]></category>

		<guid isPermaLink="false">http://itkia.com/?p=163</guid>
		<description><![CDATA[IPv6 is touted as having new features and terminology, but really it isn't that different from IPv4.]]></description>
			<content:encoded><![CDATA[<p>There is a chicken-and-egg problem with getting people to migrate to IPv6, but IPv6 shouldn&#8217;t scare anyone who is familiar with IPv4.</p>
<h2>Notation</h2>
<p>IPv4 is notated as four dotted decimal-formatted octets (value of 0-255), such as 192.168.5.34 . IPv6 is formatted in hexadecimal with colon separators every two bytes: 2001:db8:0000:0000:0000:0000:0000:0001 . It is fine to leave out leading zeros in each set: 2001:db8:0:0:0:0:0:1 . For <strong>one</strong> run of zeros, two colons can represent them all: 2001:db8::1 . You can&#8217;t use two double colons because the value of the number could not then be determined. Since colons are reserved characters in many places you might want to use a literal address, IPv6-aware programs accept bracketed literal IPs: [2001:db8::1] . Hexadecimal formatting is helpful in conjunction with CIDR netmask notation as each hex digit is 4 bits, and each set of numbers between colons (including leading zeroes) is 16 bits. ::1 is the IPv6 equivalent to 127.0.0.1 . :: is the equivalent to 0.0.0.0 . ff02::1 is the closest analog to 255.255.255.255, but IPv6 uses multicasts instead of broadcasts, so various protocols may have their own multicast address rather than this &#8220;all nodes&#8221; link-local multicast address.</p>
<h2>Routing and Subnets</h2>
<p>Both IPv4 and IPv6 use CIDR notation for routing. It&#8217;s just that we now have 128 bits instead of 32. The smallest subnet you should see is a /64 which leaves the last 64 bits for the host address. This may sound huge, but it is intended to leave room for 64-bit globally unique identifiers. In fact stateless autoconfiguration transliterates the 48-bit MAC into a unique 64-bit Extended Unique Identifier to act as the host portion of the address. (Actually it is 63-bit since bit 7 is reserved as a flag indicating whether the EUI-64 is globally unique or not.) So far the trend seems to be to assign end users blocks of /48. Again, this may sound huge, but the goal is for a hierarchical routing system. A /48 gives a consumer 65,536 network prefixes of /64 size, so they can grow a lot and not need an unmatched block that will complicate core routing tables.</p>
<h2>Local Addressing</h2>
<p>Network interface MAC addresses play a big role in local communication in both protocols. In IPv4 the ARP protocol resolves physical addresses for a given IP address. In IPv6 this is replaced by the Neighbor Discovery Protocol (NDP) which finds link-local neighbors as well as listens for router advertisements and has some other enhancements over ARP. NDP does not use MAC directly, but each IPv6 host has a link-local address whose scope is limited to the physical subnet. The end user will not use this address, but the inner workings of IPv6 use this address extensively in communicating over the link.</p>
<p>The IPv6 link-local communication is analogous to IPv4&#8217;s reserved 169.254.0.0/16 range of autoconfiguration addresses. An IPv4 host may assign itself an IP from this range if it has no other configuration guidance, but it can only communicate on the local subnet. On Ethernet networks the IPv6 link-local address is based on a transliteration of the 48-bit MAC, so each MAC will result in one unique global 64-bit host address following a network prefix of fe80::/10 . Future network interfaces may have 64-bit identifiers, and IPv6 is ready for them. The analog to &#8220;arp -a&#8221; is to show the neighbors; in Windows this is &#8220;netsh interface ipv6 show neighbors&#8221;; in Linux this can be &#8220;ip neigh show&#8221;. This will generally show you the public addresses and not the link-local addresses.</p>
<p>If you find yourself needing or wanting to ping or otherwise access a link-local address, you may have to specify a scope. I generally haven&#8217;t needed to use link-local addresses, but when toying around I had trouble pinging one until I specified the scope. In Windows you do this by appending a percent sign and number at the end of the address. The number is the interface number to specify the ping will happen on that interface. An example: &#8220;ping fe80::214:d1ff:fe1a:a533%11&#8221;. You may also notice these scope designations when reviewing &#8220;ipconfig /all&#8221;. The number is the index number of the interface as shown in &#8220;netsh interface ipv6 show interfaces&#8221;.</p>
<h2>Private Addressing</h2>
<p>The private address ranges of 10.0.0.0/8, 192.168.0.0/16 and 172.16.0.0/12 were originally set aside for private networks. With the popularity of NAT many people will recognize these address ranges as their home or work LAN addresses. Although IPv6 should eliminate the need for NAT, there may still be the desire for private IPv6 networks. Unique Local Addressing defines the fc00::/7 prefix for private use. A site should be assigned a prefix of fcrr:rrrr:rrrr::/48 with the &#8220;r&#8221;s being a random 40-bit number. This is to avoid everybody using the same private addressing so there is no ambiguity when merging private networks, connecting private networks with VPN or having a mobile device move between private networks. If you want a private IPv6 address for your home LAN or lab, this is what you are supposed to use.</p>
<p>Site-local addressing is now deprecated, but you might see private addresses of the fec0::/10 block.</p>
<h2>Unicast, Broadcast, Multicast</h2>
<p>IPv4 can do all of these, but unicasting and broadcasting make up the vast majority of IPv4 communication. IPv6 does not have the concept of broadcasting. Instead multicasting is used extensively to address a set of hosts. Multicast addresses begin with ff00::/8 and have a few bits to designate scope. The multicast can be link-local, site-local or a number of other scopes.</p>
<h2>Application Support</h2>
<p>The APIs for IPv4 typically work for IPv6 since their use is quite similar, so in theory the applications would not need to be changed to work over IPv6. But applications that input or store literal addresses may need to be updated to store and parse literal IPv6 addresses. Protocols such as SMB that store the source or destination address in their packets need to be updated to support IPv6 addressing or to avoid storing the address in the transported packets. (CIFS, the successor to SMB, works over IPv6.)</p>
<p>Since IPv6 eliminates the need for NAT, many applications will be improved. VoIP and network gaming will no longer need to rely on UPnP or connection brokers since they will be able to directly address any other host on the internet.</p>
]]></content:encoded>
			<wfw:commentRss>http://itkia.com/ipv6-ipv4-similar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IPv6 Basics</title>
		<link>http://itkia.com/ipv6-basics/</link>
		<comments>http://itkia.com/ipv6-basics/#comments</comments>
		<pubDate>Fri, 29 Jan 2010 07:38:24 +0000</pubDate>
		<dc:creator>IT Know-It-All</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[ipv6]]></category>

		<guid isPermaLink="false">http://itkia.com/?p=122</guid>
		<description><![CDATA[Most people seem to miss the point of IPv6. Here are some of the basics.]]></description>
			<content:encoded><![CDATA[<p>Over and over again I see IPv6 touted as being designed to handle 2^128 hosts, but this is not correct. Sure, that&#8217;s how long the address is, but to say that its capacity is 2^128 is missing the whole point.</p>
<p>Let&#8217;s look back at IPv4&#8217;s design. It has a 32-bit address, but it is divided into a network address and host address. Which portion of the address is network and which is the host is specified by the network mask. There were three different network sizes specified: A, B and C. As the internet became more populated there were problems with assigning network address blocks and routing them properly, so they switched to classless inter-domain routing where more specific network sizes could be specified and assigned. This helped delay address exhaustion, but it made routing more cumbersome because there was no organization to which network address might be on which router, so the routing tables grew large and the routers spent more time figuring out where to send data.</p>
<p>With IPv6 we are still dividing the whole address into a network address and a host address, but this time they have made the address space large enough so the host address can always be the same size, and the network address can be routed in a much more efficient hierarchical fashion. People used to IPv4 seem to think that IPv6 assignments waste colossal amounts of addresses, but the aim is to have a globally unique host address plus a network address scope that will simplify routing for the foreseeable future and beyond.</p>
<p>The last 64 bits of an IPv6 address are the host address, and it ideally will be globally unique. Bit 7 is a flag to indicate whether the address is globally unique or not, so the host address portion has 2^63 globally unique addresses and 2^63 non-unique addresses. Human-assigned addresses like 2001:db8::1 and 2001:db8::dead:beef aren&#8217;t likely to inadvertently set bit 7 to 1. Unique host addresses are EUI-64 addresses which are basically a longer MAC address. In fact IPv6 autoconfiguration transforms the 48-bit MAC address to a unique 64-bit EUI-64 address.</p>
<p>Every subnet should be a /64, meaning it should have a 64-bit network address and 64-bit host address. (Network mask is /64 or ffff:ffff:ffff:ffff:0000:0000:0000:0000). One could specify and route smaller subnets, but it would break IPv6 autoconfiguration and go against the design of globally unique host addressing. If you have a larger block of addresses assigned—say a /48 like many tunnel brokers assign—still only use one /64 out of it for each subnet, or again autoconfiguration is broken, and have you really already used up 2^63 or 2^64 addresses on that subnet? I didn&#8217;t think so.</p>
<p>Aside from the larger address space, IPv6 behaves much like IPv4. Some of the specifics look different but have analogous functions between them. For now I&#8217;ll cover some of the more basic differences an end user might notice.</p>
<p>People are intimidated by the long addresses, as if 192.168.254.3 was short and intuitive back in the day. Really, how often does one type in an IP address? And how often are you not able to cut and paste it with a mouse? Moreover, there are multiple peer name resolution protocols (Apple Bonjour, MS PNRP) that should further reduce the need to type in IP addresses. However, if you should find the need to type one in, you might need to enclose it in brackets when entering it in a web browser or other application, because the colon has special meaning, e.g. http://[2001:db8::1]/ or http://[2001:db8::1]:8080/ .</p>
<p>Linux ping utilities only work for IPv4, but they have ping6 and traceroute6 to use with IPv6 whether you&#8217;re typing in the address or a name. Windows commands will work with either but have a -6 switch if you want to force IPv6 or -4 to force IPv4.</p>
<p>When looking at your IPv6 IP address you will likely find you have several, and certainly at least two. I will elaborate in another post, but for now be aware there may be link local addresses which are effectively local MAC addresses, the public address, possibly one or more &#8220;privacy&#8221; addresses, 6to4 addresses and Teredo addresses. In Windows you&#8217;re usually wanting the &#8220;IPv6 Address&#8221; line listed under your main network adapter. In Linux you have fewer by default and want to pick the one not starting with fe80: through febf: .</p>
<p>Operating systems and applications have varying support for IPv6. Windows XP and newer have native IPv6, and Windows Vista and newer have it enabled by default. Modern Linux distributions support IPv6 and may or may not have it enabled by default.</p>
<p>Windows XP cannot use IPv6 for file sharing or remote desktop, but Vista and Windows 7 can. Some applications would be capable of using IPv6 but don&#8217;t recognize IPv6 addresses when you type them in. It can be hit and miss, but basic operating system support is pretty well established, and more and more applications are learning to accept and look up IPv6 addresses.</p>
]]></content:encoded>
			<wfw:commentRss>http://itkia.com/ipv6-basics/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows Live Mail and Google Mail</title>
		<link>http://itkia.com/windows-live-mail-and-google-mail/</link>
		<comments>http://itkia.com/windows-live-mail-and-google-mail/#comments</comments>
		<pubDate>Tue, 18 Aug 2009 08:50:46 +0000</pubDate>
		<dc:creator>IT Know-It-All</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://itkia.com/?p=22</guid>
		<description><![CDATA[How to fix Windows Live Mail sounding off when Gmail files spam.]]></description>
			<content:encoded><![CDATA[<div>
<p>I recently set up Windows Live Mail to read my Google Mail account, and I was periodically getting the &#8220;new mail&#8221; sound without getting any new mail. I discovered that Windows Live Mail was syncing the Spam folder and notifying me every time there was new spam. Oops. So I right-clicked on the Spam folder—subfolder of [Gmail]—highlighted &#8220;Synchronization Settings&#8221; and selected &#8220;Don&#8217;t Synchronize&#8221;.</p>
<p>I may have to do this with other folders as any new mail with multiple labels will show up in an IMAP folder for each label. I haven&#8217;t noticed yet, but I&#8217;m guessing Windows Live Mail will then tell me there&#8217;s a new message for each label it has.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://itkia.com/windows-live-mail-and-google-mail/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows Live Essentials Full Download</title>
		<link>http://itkia.com/windows-live-essentials-full-download/</link>
		<comments>http://itkia.com/windows-live-essentials-full-download/#comments</comments>
		<pubDate>Thu, 13 Aug 2009 18:34:10 +0000</pubDate>
		<dc:creator>IT Know-It-All</dc:creator>
				<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://itkia.com/?p=20</guid>
		<description><![CDATA[How to download full installer for Windows Live Essentials.]]></description>
			<content:encoded><![CDATA[<p>I wanted the full download for <a href="http://download.live.com/">Windows Live Essentials</a> so I could deploy them to other computers without re-downloading, so I searched for a deployment or network administrator download and couldn&#8217;t find it. So I went back to my canceled download window after having given up and decided to do the network install, and the &#8220;try again&#8221; button downloads the full installer! So I couldn&#8217;t find it, but I accidentally stumbled upon it. If you want the whole install package for redeployment, cancel the first download and hit the &#8220;try again&#8221; button.</p>
]]></content:encoded>
			<wfw:commentRss>http://itkia.com/windows-live-essentials-full-download/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Externally Spawned FastCGI for Apache a Pain</title>
		<link>http://itkia.com/externally-spawned-fastcgi-for-apache-a-pain/</link>
		<comments>http://itkia.com/externally-spawned-fastcgi-for-apache-a-pain/#comments</comments>
		<pubDate>Tue, 11 Aug 2009 02:10:29 +0000</pubDate>
		<dc:creator>IT Know-It-All</dc:creator>
				<category><![CDATA[LAMP]]></category>
		<category><![CDATA[apache]]></category>
		<category><![CDATA[fastcgi]]></category>
		<category><![CDATA[mod_fastcgi]]></category>
		<category><![CDATA[mod_fcgid]]></category>
		<category><![CDATA[php]]></category>

		<guid isPermaLink="false">http://itkia.com/?p=62</guid>
		<description><![CDATA[Apache mod_fastcgi can use an external fastcgi server, but mingled code and content is problematic.]]></description>
			<content:encoded><![CDATA[<div>
<p>I haven&#8217;t yet converted my real web server from Apache/mod_fcgid to Apache/mod_fastcgi with an externally spawned FastCGI process. It is doable and works fine, but it is a pain to configure it how I want it to work.</p>
<p>I&#8217;m not sure I can blame Apache or FastCGI. It actually makes sense how they are doing it. However, I tend to install PHP software packages like Drupal, Simple Machines Forum, Mambo/Joomla, Gallery2, WordPress and so forth. Generally these applications are built with Apache/mod_php in mind and take some tweaking to make work on other setups. But I don&#8217;t want to tweak, especially if I have to do it periodically when upgrading.</p>
<p>I switched from lighttpd/ModFastCGI to Apache/mod_php/Squid because I was tired of fiddling with lighttpd rewrites to make pretty urls for Drupal and SMF which include ready-made Apache pretty rewrite rules.</p>
<p>Apache/mod_fcgid has worked pretty well so far, and with the AddHandler directive it behaves like mod_php: Any .php files under the document root will be parsed by the PHP interpreter. The downside is that any caching&#8211;like APC&#8211;is not shared across the PHP processes.</p>
<p>So I wanted to spawn my own PHP FastCGI process with several child processes sharing a cache like I did with lighttpd and then have Apache use it. That works, but the mod_fastcgi FastCgiExternalServer directive behaves much like a ScriptAlias directive: if you specify a folder, anything under that folder will be processed by the FastCGI server, so you can&#8217;t easily mix static files with PHP script files. I tried hacking my way around this with various combinations of symlinks, aliases, handlers and rewrites, and I even got a couple of the combinations to work, but I would have to make changes to each Apache virtual host (or enforce a strict naming scheme for my vhosts), and if I missed something it would be too easy to accidentally serve up the source of a .php file.</p>
<p>Now if I were making an application from scratch it would be fine to put the PHP files in a script folder and the static files elsewhere, and I could alter premade software like that with rather simple aliases, but I would have to do it for every installed instance and then re-tweak every time I updated the software. No thanks.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://itkia.com/externally-spawned-fastcgi-for-apache-a-pain/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>External FastCGI With Apache</title>
		<link>http://itkia.com/external-fastcgi-with-apache/</link>
		<comments>http://itkia.com/external-fastcgi-with-apache/#comments</comments>
		<pubDate>Mon, 10 Aug 2009 13:52:37 +0000</pubDate>
		<dc:creator>IT Know-It-All</dc:creator>
				<category><![CDATA[LAMP]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[apache]]></category>
		<category><![CDATA[apc-cache]]></category>
		<category><![CDATA[fastcgi]]></category>
		<category><![CDATA[lighttpd]]></category>
		<category><![CDATA[mod_fastcgi]]></category>
		<category><![CDATA[mod_fcgid]]></category>
		<category><![CDATA[php]]></category>
		<category><![CDATA[server]]></category>

		<guid isPermaLink="false">http://itkia.com/?p=59</guid>
		<description><![CDATA[Example of Apache mod_fastcgi connecting to external server using FastCgiExternalServer directive.]]></description>
			<content:encoded><![CDATA[<div>
<p>I was able to spawn a separate PHP FastCGI server with children and have Apache connect to it. It was trickier than I thought. The big benefits are that one shared APC cache can serve all the PHP child processes and that I can use a multithreaded Apache without worrying about whether my PHP dependencies are thread safe.</p>
<p>The trick isn&#8217;t getting it working, but getting it working the way I wanted. I want &#8220;.php&#8221; files to be processed by the FastCGI server and have the other files sent by Apache. Without some tricky configuration, Apache&#8217;s mod_fastcgi can only send specified file requests or specified directories&#8211;plus all their contents&#8211;to the external FastCGI server.</p>
<p>But I am getting ahead of myself. Let me back up to my old lighttpd setup: I had lighttpd installed, and a script that launched several php-cgi processes and listened on a network socket. Lighttpd would connect to the php-cgi processes and let them handle PHP processing. Apache can do this, too, but it was hard for me to easily find out how online.</p>
<p>As it turns out, the <a href="http://redmine.lighttpd.net/projects/spawn-fcgi">spawn-fcgi</a> program from lighttpd that I used to start the FastCGI server is now a project on its own. Supposedly the mod_fastcgi developers have a launcher program, too, but I couldn&#8217;t easily find it, and I was already familiar with spawn-fcgi and was happy to see it&#8217;s being maintained. I downloaded the source package from the site, extracted it and then did the usual &#8220;./compile&#8221;, &#8220;make&#8221; and &#8220;sudo make install&#8221;. So now I have /usr/local/bin/spawn-fcgi installed.</p>
<p>There is some good info on <a href="http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModFastCGI">lighttpd&#8217;s ModFastCGI documentation site</a> on launching a PHP server with spawn-fcgi and various helper scripts. I modified one slightly to make it use a unix socket instead of a network tcp socket:</p>
<pre>#!/bin/bash

## ABSOLUTE path to the spawn-fcgi binary
SPAWNFCGI="/usr/local/bin/spawn-fcgi"

## ABSOLUTE path to the PHP binary
FCGIPROGRAM="/usr/bin/php-cgi"

## TCP port to which to bind on localhost
FCGIPORT="1026"

## bind to unix domain socket
FCGISOCKET="/tmp/php.sock"

## number of PHP children to spawn
PHP_FCGI_CHILDREN=4

## maximum number of requests a single PHP process can serve before it is restarted
PHP_FCGI_MAX_REQUESTS=1000

## IP addresses from which PHP should accept server connections
FCGI_WEB_SERVER_ADDRS="127.0.0.1"

# allowed environment variables, separated by spaces
ALLOWED_ENV="ORACLE_HOME PATH USER"

## if this script is run as root, switch to the following user
USERID=www-data
GROUPID=www-data

################## no config below this line

if test x$PHP_FCGI_CHILDREN = x; then
  PHP_FCGI_CHILDREN=5
fi

export PHP_FCGI_MAX_REQUESTS
export FCGI_WEB_SERVER_ADDRS

ALLOWED_ENV="$ALLOWED_ENV PHP_FCGI_MAX_REQUESTS FCGI_WEB_SERVER_ADDRS"

### This if-then-else is for opening a network TCP port
#if test x$UID = x0; then
#  EX="$SPAWNFCGI -n -p $FCGIPORT -f $FCGIPROGRAM -u $USERID -g $GROUPID -C $PHP_FCGI_CHILDREN"
#else
#  EX="$SPAWNFCGI -n -p $FCGIPORT -f $FCGIPROGRAM -C $PHP_FCGI_CHILDREN"
#fi

### This if-then-else is for opening a unix socket
if test x$UID = x0; then
  EX="$SPAWNFCGI -n -s $FCGISOCKET -f $FCGIPROGRAM -u $USERID -g $GROUPID -C $PHP_FCGI_CHILDREN"
else
  EX="$SPAWNFCGI -n -s $FCGISOCKET -f $FCGIPROGRAM -C $PHP_FCGI_CHILDREN"
fi

# copy the allowed environment variables
E=

for i in $ALLOWED_ENV; do
  E="$E $i=${!i}"
done

# clean the environment and set up a new one
exec env - $E $EX</pre>
<p>In the above script I had to use /bin/bash instead of Ubuntu&#8217;s default /bin/sh as it uses some of bash&#8217;s features. Also note that with spawn-fcgi you can have a network tcp socket or a unix socket, but not both. On my test server I just simply ran the above script as root; it won&#8217;t restart itself if the VPS is restarted or if the script crashes. I have daemontools on my real server, and I&#8217;ll use that to start and monitor the launcher script. The link to lighttpd&#8217;s site has other startup scripts worth looking at.</p>
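<p>The launcher above binds its socket at /tmp/php.sock, and /tmp is writable by every local account, so another user can create that name before spawn-fcgi does. The following check is an added example, not part of the original post: it flags a socket path whose directory or socket is world-writable. The function names and finding labels are this example&#8217;s own.</p>

```shell
#!/bin/sh
# Added example: audit where a FastCGI unix socket lives before pointing
# spawn-fcgi -s and FastCgiExternalServer -socket at it.

# Print the first ten characters of ls -l output, e.g. "drwxrwxrwt".
perm_string() {
  ls -ld -- "$1" 2>/dev/null | cut -c1-10
}

# Succeed if "others" have write permission (9th character is w).
others_can_write() {
  case "$(perm_string "$1")" in
    ????????w?) return 0 ;;
    *) return 1 ;;
  esac
}

# Print one finding per line; return the number of findings (0 = clean).
audit_socket_path() {
  sock=$1
  dir=$(dirname -- "$sock")
  findings=0
  if [ ! -d "$dir" ]; then
    echo "MISSING_DIR $dir"
    return 1
  fi
  # Any local account can create or pre-create names in such a directory.
  if others_can_write "$dir"; then
    echo "WORLD_WRITABLE_DIR $dir"
    findings=$((findings + 1))
  fi
  if [ -e "$sock" ]; then
    if [ ! -S "$sock" ]; then
      # Something other than a socket already occupies the name.
      echo "NOT_A_SOCKET $sock"
      findings=$((findings + 1))
    elif others_can_write "$sock"; then
      # Any local account could connect and talk FastCGI to PHP.
      echo "WORLD_WRITABLE_SOCKET $sock"
      findings=$((findings + 1))
    fi
  fi
  return "$findings"
}

# Usage: sh audit-socket.sh /tmp/php.sock
if [ "$#" -gt 0 ]; then
  audit_socket_path "$1"
fi
```

<p>A dedicated directory that only root and the web server&#8217;s group can enter, together with spawn-fcgi&#8217;s -M, -U and -G options for the socket&#8217;s mode and ownership, gives a path that passes this audit.</p>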
<p>You can&#8217;t use mod_fcgid to connect to the externally spawned FastCGI process. It can only launch and manage the processes itself. So I loaded mod_fastcgi and used the FastCgiExternalServer directive:</p>
<pre>&lt;IfModule mod_fastcgi.c&gt;
  FastCgiExternalServer /srv/www/site/fcgi -socket /tmp/php.sock
&lt;/IfModule&gt;</pre>
<p>That tells Apache that any request under the /srv/www/site/fcgi directory gets passed to the FastCGI process with a unix socket at /tmp/php.sock. Unfortunately there is not a simple configuration to have it just run php files, and the FastCGI server may not know what to do with static files like pictures or .css files.</p>
<p>There is a good <a href="http://whocares.de/fastcgiexternalserver-demystified/all/1/">article explaining the FastCgiExternalServer directive</a>. Its solution to having just the .php files be handled by the external server involves adding a handler, assigning an action to the handler pointing to a nonexistent script and then aliasing the nonexistent script back to a folder symlinked to the original directory. The only way I could find to simplify that was to use a ReWriteRule. In either case we unfortunately need to modify the configuration for each vhost to make it work.</p>
<p>I have several vhosts under /srv/www/. Following the article&#8217;s example I created a symlink /srv/fcgi pointing to /srv/www. Then I modified my mod_fastcgi configuration as such:</p>
<pre>&lt;IfModule mod_fastcgi.c&gt;
  FastCgiExternalServer /srv/fcgi -socket /tmp/php.sock
  ReWriteEngine On
  ReWriteCond %{DOCUMENT_ROOT} ^/srv/www/(.*)
  ReWriteRule ^/(.*\.php(3|4)?(\?.*)?)$ /srv/fcgi/%1/$1
&lt;/IfModule&gt;</pre>
<p>Now the external FastCGI server is invoked whenever a file under /srv/fcgi is accessed, but /srv/fcgi is just a symlink to /srv/www. Instead of the above article&#8217;s gyrations I figured out the above rewrite rules that will rewrite any request for a .php file to /srv/fcgi/(rest-of-document-root)/(request_URL). So in effect the rewrite points back to the original file, but through a symlink that makes Apache use the FastCGI server to process it. The ReWriteCond shown doesn&#8217;t actually make a decision; it is giving me a reference to use when constructing my rewritten path name.</p>
<p>Now I have to modify my vhosts. Rewrite rules don&#8217;t carry over to vhosts by default. For each VirtualHost section I have to add the following, which allows the vhost to inherit the server rewrite rules:</p>
<pre>ReWriteEngine On
ReWriteOptions Inherit</pre>
<p>Alternately I could just put the rewrite rules in each VirtualHost section. In fact I may need to if I have other rewrite rules for pretty URLs.</p>
<p>With FastCGI&#8211;whether externally spawned or managed by mod_fcgid or mod_fastcgi&#8211;you also need ExecCGI enabled in the Options directive.</p>
<p>I used Apache benchmark and verified that all the child processes are being used concurrently. And now the APC cache is shared among all the child processes.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://itkia.com/external-fastcgi-with-apache/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
