Uptime checks for IPv6 - google-cloud-platform

We recently had some issues with our IPv6 acceptance, which resulted in our website being offline for all users that have an IPv6 address. Even if these people have an IPv4 address too, they were getting an error, as IPv6 is preferred.
Our Google Monitoring Uptime check did not trigger, as it is only checking the IPv4 connection.
Is there a way to check IPv4 AND IPv6 with Uptime check?
Thanks a lot!

Related

IPv6 Network is unreachable (os error 101)

Trying to create a TCP socket connection via an IPv6 address, I get Network is unreachable (os error 101).
The local binding address used is fe80::850***.
Probably it's because fe80*** is a local IPv6 address generated by the OS. Is there a way to provide the correct configuration for the system to make a call via IPv6?
Short answer:
Your IPv6 connectivity is not set up correctly. This is most probably not a configuration problem on your machine, but on the gateway router.
Long answer:
You get a "Network is unreachable" error because your operating system does not know how to reach the destination address. Usually it maintains a table called the routing table, where it looks up which network path leads to which ip subnet. It seems that in your case, there are several things missing.
Your interface probably has no configured non-link-local (fe80::/64) address
There is no routing table entry for the destination address range
In the IPv4 world these missing things are usually resolved by a DHCP server. In the IPv6 world, there are two possible configuration options. Either DHCPv6 is used or IPv6 Stateless Address Autoconfiguration is used. It seems that neither is set up in your network. Note that correctly setting up one of these requires you to have administrative access to your gateway router.
As it took quite a long time to find the root cause of the problem, I will try to share the solution/investigation steps:
To make sure IPv6 is not configured properly, just run 'ping6 ipv6.google.com'. It should return an error message like 'connect: Network is unreachable' or just hang.
AWS EC2 instances by default are not assigned globally routable IPv6 addresses (only IPv4 is assigned). IPv6 addresses like 'fe80:*' are only locally routable and can't be used for global requests. To see the list of IP addresses, check the eth0 config with /sbin/ifconfig. Btw, AWS provides an interface to generate a globally routable IPv6 address for an EC2 instance (just check the VPC/EC2 console pages - https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6.html)
Check the security group of the EC2 instance and make sure that in the route table IPv6 traffic is allowed. Specifically, inbound and outbound rules should include '::/0' for IPv6 (or one of them based on the need).
Try 'ping6 ipv6.google.com' again.
Run the following command to check whether IPv6 is enabled:
ip addr
If only an IPv4 address is displayed, IPv6 is disabled. Enable it by referring to this tutorial.
If a link-local address (starting with fe80) is displayed, IPv6 is enabled but dynamic assignment of IPv6 addresses is not enabled.
If an IPv6 address other than fe80 is displayed, IPv6 is enabled and an IPv6 address has been assigned.
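The classification in the answer above, as an added example that is not part of the original answer: a small Python script that parses `ip addr` output and reports, per interface, whether IPv6 is absent, link-local only, unique-local only, or has a global address. The sample output it runs on is constructed (interface names, MTUs and the 2001:db8::/32 documentation-prefix address are made up), and the state labels are this example's own.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed `ip addr` output (not captured from a real host) covering the
# states the answer distinguishes, plus a ULA-only interface: eth0 has no
# IPv6 at all, eth1 only a link-local address, eth2 a global address from the
# documentation prefix 2001:db8::/32, eth3 only a unique-local fd00::/8 address.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP
    inet 10.0.1.23/24 brd 10.0.1.255 scope global dynamic eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    inet 10.0.2.7/24 brd 10.0.2.255 scope global eth1
    inet6 fe80::4a1:2ff:fe3b:7c01/64 scope link
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    inet6 2001:db8:1234:5678::10/128 scope global dynamic
    inet6 fe80::4a1:2ff:fe3b:7c02/64 scope link
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    inet6 fd12:3456:789a::5/64 scope global
    inet6 fe80::4a1:2ff:fe3b:7c03/64 scope link
"""

# Unique local addresses (RFC 4193): routable inside a site, never on the Internet.
ULA = ipaddress.IPv6Network("fc00::/7")


def parse_ip_addr(text: str) -> Dict[str, List[ipaddress.IPv6Interface]]:
    """Map each interface name in `ip addr` output to its inet6 addresses."""
    ifaces: Dict[str, List[ipaddress.IPv6Interface]] = {}
    current = None
    for line in text.splitlines():
        head = re.match(r"^\d+:\s+([^:@\s]+)", line)   # "2: eth0: <...>"
        if head:
            current = head.group(1)
            ifaces[current] = []
            continue
        addr = re.match(r"^\s+inet6\s+(\S+)", line)     # "    inet6 fe80::.../64 ..."
        if addr and current is not None:
            ifaces[current].append(ipaddress.IPv6Interface(addr.group(1)))
    return ifaces


def ipv6_state(addrs: List[ipaddress.IPv6Interface]) -> str:
    """Classify one interface the way the answer does, with ULA split out."""
    ips = [a.ip for a in addrs]
    if not ips:
        return "ipv6-disabled"          # only IPv4 (or nothing) shown
    if all(ip.is_loopback for ip in ips):
        return "loopback-only"
    non_lo = [ip for ip in ips if not ip.is_loopback]
    if all(ip.is_link_local for ip in non_lo):
        return "link-local-only"        # fe80::/10 only: no SLAAC/DHCPv6 assignment
    if any(not ip.is_link_local and ip not in ULA for ip in non_lo):
        return "global"                 # something outside fe80::/10 and fc00::/7
    return "ula-only"                   # fc00::/7 only: assigned, but not Internet-reachable


def ipv6_report(text: str) -> Dict[str, str]:
    """State per interface for a whole `ip addr` dump."""
    return {name: ipv6_state(addrs) for name, addrs in parse_ip_addr(text).items()}


if __name__ == "__main__":
    for name, state in ipv6_report(SAMPLE_IP_ADDR).items():
        print(f"{name:6} {state}")
```

On a live host, feed it `subprocess.run(["ip", "addr"], capture_output=True, text=True).stdout`. A "global" result only means an address is present; whether packets can leave still depends on a default route (`ip -6 route` should show a `default via ...` entry), which is the second missing piece the first answer lists.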

Google Cloud Platform Stackdriver uptime check for TCP port : 3306

I did set up an uptime check on GCP Stackdriver to monitor TCP port 3306, and it works if I set a firewall rule in GCP opening port 3306 to the IP range 0.0.0.0/0, but that gets a lot of hacker bots trying to hit our MySQL server.
Does anyone know what IP range Stackdriver uses to run the uptime check, so I can put it into the firewall rules?
Thanks,
Google Cloud publishes the IP address ranges via a TXT DNS Resource Record.
[Update 12/18/2018]. Google now publishes a method to obtain StackDriver IP addresses:
# requires: pip install google-cloud-monitoring tabulate
from google.cloud import monitoring_v3
import tabulate

client = monitoring_v3.UptimeCheckServiceClient()
ips = client.list_uptime_check_ips()   # one entry per probe location
print(tabulate.tabulate(
    [(ip.region, ip.location, ip.ip_address) for ip in ips],
    ('region', 'location', 'ip_address')
))
Getting uptime-check IP addresses
[End Update]
Google changes the IP addresses so you will need an automated tool to process updates. Below I show the manual method to obtain the CIDR blocks. In practice I would write a Cloud Function in Python that processes this list and then update a firewall rule set.
My information source is Google Qwiklabs. I documented this from one of the labs - I don't remember which one.
nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8
This will return a TXT record:
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
_cloud-netblocks.googleusercontent.com text =
"v=spf1 include:_cloud-netblocks1.googleusercontent.com include:_cloud-netblocks2.googleusercontent.com include:_cloud-netblocks3.googleusercontent.com include:_cloud-netblocks4.googleusercontent.com include:_cloud-netblocks5.googleusercontent.com ?all"
The last line includes a number of further records to process starting with: _cloud-netblocks1.googleusercontent.com
nslookup -q=TXT _cloud-netblocks1.googleusercontent.com 8.8.8.8
Which returns a block of information that you are interested in. Note that you need to repeat this for each of the _cloud-xxxx records returned above.
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
_cloud-netblocks1.googleusercontent.com text =
"v=spf1 include:_cloud-netblocks6.googleusercontent.com include:_cloud-netblocks7.googleusercontent.com ip4:8.34.208.0/20 ip4:8.35.192.0/21 ip4:8.35.200.0/23 ip4:108.59.80.0/20 ip4:108.170.192.0/20 ip4:108.170.208.0/21 ?all"
Notice the last line above. This contains multiple CIDR blocks. Repeat as I mentioned above.
ip4:8.34.208.0/20 ip4:8.35.192.0/21 ip4:8.35.200.0/23 ip4:108.59.80.0/20 ip4:108.170.192.0/20 ip4:108.170.208.0/21
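The manual walk described above, automated as the answer suggests: an added Python example (not the answer's own code, and not a Google tool) that follows the SPF `include:` chain, collects every `ip4:`/`ip6:` block, and builds the `gcloud compute firewall-rules update` command that replaces a rule's source ranges. The DNS is stubbed with a constructed table containing the two TXT records quoted above (trimmed), a hypothetical record with an IPv6 block in the 2001:db8::/32 documentation prefix, and a hypothetical record that includes its parent again so the loop protection is exercised; the rule name `allow-uptime-3306` is a placeholder.

```python
import ipaddress
from typing import Callable, Dict, List, Set

# Constructed stand-in for DNS. Real use swaps `sample_lookup` for a resolver
# call (e.g. [str(r) for r in dns.resolver.resolve(name, "TXT")]).
SAMPLE_TXT: Dict[str, List[str]] = {
    "_cloud-netblocks.googleusercontent.com": [
        "v=spf1 include:_cloud-netblocks1.googleusercontent.com "
        "include:_cloud-netblocks2.googleusercontent.com ?all"
    ],
    "_cloud-netblocks1.googleusercontent.com": [
        "v=spf1 include:_cloud-netblocks6.googleusercontent.com "
        "ip4:8.34.208.0/20 ip4:8.35.192.0/21 ip4:8.35.200.0/23 "
        "ip4:108.59.80.0/20 ip4:108.170.192.0/20 ip4:108.170.208.0/21 ?all"
    ],
    # hypothetical: an IPv6 block, using the documentation prefix
    "_cloud-netblocks2.googleusercontent.com": ["v=spf1 ip6:2001:db8::/32 ?all"],
    # hypothetical: points back at netblocks1, i.e. a cycle in the chain
    "_cloud-netblocks6.googleusercontent.com": [
        "v=spf1 include:_cloud-netblocks1.googleusercontent.com ?all"
    ],
}


def sample_lookup(name: str) -> List[str]:
    """Offline TXT lookup against the constructed records above."""
    return SAMPLE_TXT.get(name, [])


def collect_netblocks(root: str, lookup: Callable[[str], List[str]],
                      max_depth: int = 10) -> Dict[str, List[str]]:
    """Follow include: terms from `root` and gather all ip4:/ip6: CIDRs.

    Already-visited names are skipped so a cycle terminates, and max_depth
    bounds the recursion (RFC 7208 allows at most 10 DNS-querying terms).
    Overlapping/adjacent blocks are collapsed to keep the firewall rule short.
    """
    seen: Set[str] = set()
    v4: Set[ipaddress.IPv4Network] = set()
    v6: Set[ipaddress.IPv6Network] = set()

    def walk(name: str, depth: int) -> None:
        if name in seen or depth > max_depth:
            return
        seen.add(name)
        for record in lookup(name):
            if not record.lower().startswith("v=spf1"):
                continue                       # unrelated TXT data on the same name
            for term in record.split()[1:]:   # skip the "v=spf1" tag
                if term.startswith("include:"):
                    walk(term[len("include:"):], depth + 1)
                elif term.startswith("ip4:"):
                    v4.add(ipaddress.IPv4Network(term[4:], strict=False))
                elif term.startswith("ip6:"):
                    v6.add(ipaddress.IPv6Network(term[4:], strict=False))
                # a, mx, ptr, ?all etc. carry no CIDR and are ignored

    walk(root, 0)
    return {
        "ipv4": [str(n) for n in sorted(ipaddress.collapse_addresses(v4))],
        "ipv6": [str(n) for n in sorted(ipaddress.collapse_addresses(v6))],
    }


def is_from_netblocks(source_ip: str, blocks: Dict[str, List[str]]) -> bool:
    """True if a connecting address falls inside any collected block."""
    ip = ipaddress.ip_address(source_ip)
    family = "ipv4" if ip.version == 4 else "ipv6"
    return any(ip in ipaddress.ip_network(b) for b in blocks[family])


def gcloud_update_argv(rule_name: str, ranges: List[str]) -> List[str]:
    """argv for rewriting a rule's source ranges; --source-ranges replaces the
    previous list wholesale. A VPC firewall rule holds ranges of one address
    family, so call this once per family with separate rule names."""
    return ["gcloud", "compute", "firewall-rules", "update", rule_name,
            "--source-ranges=" + ",".join(ranges)]


if __name__ == "__main__":
    found = collect_netblocks("_cloud-netblocks.googleusercontent.com", sample_lookup)
    print(found)
    print(" ".join(gcloud_update_argv("allow-uptime-3306", found["ipv4"])))
```

Two caveats when using this for real. The `_cloud-netblocks` chain lists all Google Cloud address space, which is far broader than the uptime-check probes, so a rule built from it also admits any Compute Engine tenant; the `list_uptime_check_ips` call from the update above yields the much narrower set and should be preferred where it exists. And because the walk's lookup is injected, the same collector runs unchanged against a live resolver, but Google now also publishes its ranges as JSON at https://www.gstatic.com/ipranges/cloud.json, which avoids the SPF walk entirely.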

AWS transition to ipv6, does aws do ipv4 address embedding?

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-migrate-ipv6.html
There are lots of IPv6 roadblocks (cable/home internet, office networks) that are IPv4 only, so we have a clustered application that runs dual stack IPv6 and IPv4.
We run a command against one of the clustered application nodes to report all the other nodes. Those come back in ipv6, but we need to interface to them via ipv4. So we'd like to be able to determine the ipv4 address from the reported ipv6 addresses.
One of the ipv4 --> ipv6 transition techniques is ipv6 addresses that have the ipv4 address embedded:
http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding-2.htm
I didn't see any mention of this in AWS info, anyone know if there is a way to do this?
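Added example, not part of the question or of any AWS documentation: a Python function that recovers the embedded IPv4 address from the transition formats the linked page describes, so a reported IPv6 address can be tested for one. It covers IPv4-mapped, 6to4, Teredo, NAT64 with the RFC 6052 well-known prefix, and the deprecated IPv4-compatible form. An address assigned natively from a VPC's IPv6 CIDR has no transition prefix and returns None, which is the case to watch for: the IPv4 address is then not derivable from the IPv6 one at all. The sample addresses use documentation ranges and are constructed.

```python
import ipaddress
from typing import Optional, Tuple

NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052 well-known NAT64 prefix
V4_COMPAT = ipaddress.IPv6Network("::/96")          # deprecated ::a.b.c.d form (RFC 4291)


def embedded_ipv4(addr: str) -> Optional[Tuple[str, str]]:
    """Return (encoding, ipv4) if `addr` embeds an IPv4 address, else None.

    Order matters only for the ::/96 check, which must come after the
    unspecified/loopback exclusions so :: and ::1 are not misread as hosts.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ("ipv4", str(ip))                      # already IPv4, nothing to decode
    if ip.ipv4_mapped is not None:                    # ::ffff:a.b.c.d
        return ("ipv4-mapped", str(ip.ipv4_mapped))
    if ip.sixtofour is not None:                      # 2002:AABB:CCDD::/48
        return ("6to4", str(ip.sixtofour))
    if ip.teredo is not None:                         # 2001:0::/32, (server, client)
        _server, client = ip.teredo                   # client bits are stored inverted;
        return ("teredo-client", str(client))         # ipaddress undoes that for us
    if ip in NAT64_WKP:                               # 64:ff9b::a.b.c.d
        return ("nat64", str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)))
    if ip in V4_COMPAT and not ip.is_unspecified and not ip.is_loopback:
        return ("ipv4-compatible", str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)))
    return None                                       # native GUA, ULA, link-local, ...


if __name__ == "__main__":
    # constructed inputs using documentation ranges
    for sample in ("::ffff:192.0.2.10", "2002:c000:204::1",
                   "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                   "64:ff9b::c000:205", "::192.0.2.6", "2001:db8::1"):
        print(f"{sample:40} -> {embedded_ipv4(sample)}")
```

A decoded address is only the peer's real IPv4 address if that node actually uses the mechanism in question; a 2002::/16 or 64:ff9b::/96 value reported by a cluster member tells you about its relay, not necessarily about an interface you can connect to. For natively addressed dual-stack nodes the cluster itself has to report both families.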

can i connect to a ipv6 address via a AF_INET domain socket?

My network does not support IPv6, hence I have no access to IPv6 servers. Is there any solution to connect to them using sockets that use the 'AF_INET' domain? Or any other kind of solution? Is there any server on the Internet that does such a conversion for free?
I can read Python and C++.
No; you cannot connect to an IPv6 server without some form of IPv6 transit.
Depending on your network, you may be able to set up a 6to4 gateway. This is a server configuration change, though, and is outside the scope of Stack Overflow.
Google for proxy to ipv6:
http://www.ipv6proxy.net/
http://www.sixxs.net/tools/gateway/

Is it possible to send another ip address in a HTTP(S) request?

There is a web service (in an Intranet environment) which checks the client IP and, if it is not a valid IP, refuses the request. Is there any way to cheat this web service with the IP?
Thank you in advance.
It is perfectly possible to send IP packets with fake IP addresses. However, you won't get a reply, because the reply will be directed at the fake IP address. This means that you can't establish TCP connections (upon which HTTP(S) depends), because they require two-way IP traffic.