We’ve had IPv6 enabled on the “self-managed server” subnets (164 and 197) for quite a while now, and mostly it has been trouble-free. Recently, however, we’ve had reports of login slowness to some self-managed servers following a system upgrade.
What we expect to happen is that your machine will automatically set its IPv6 address based on its ether MAC address, together with the prefix that our routers multicast every few seconds (a “SLAAC address”). We have that MAC address registered in our host-configuration system, so we can create DNS forward and reverse entries using it, with the result that you can refer to your machine by name and the IPv4 or IPv6 address will be used as appropriate. What seems to have happened is that these upgrades have somehow enabled IPv6 “privacy” addresses instead.
Privacy addresses are a good idea for a laptop which is roaming, as they mean that you can’t be tracked based on the fixed (“IID”) part of your IPv6 address. However, they make little sense for a server, which is not expected to move around, but is expected to be contactable by its clients. Ideally you would fix your login slowness by turning these privacy addresses off again, but unfortunately we haven’t yet got a relable set of instructions for doing so.
As a workaround while we find out how to turn off privacy addresses cleanly, what we propose is this: we will leave IPv6 enabled on the subnets, as we know there has been a demand for it; and we will change our DNS configuration so that we generate reverse entries for the IPv6 addresses we expect you to have, but we will stop generating the forward entries by default, so that when a client asks for your machine’s address it won’t be told the IPv6 one that isn’t working in quite a few cases.
On request (send in a support ticket in the usual way) we can easily re-enable those forward entries on a per-host basis, so if you want your machine to be contactable by its clients using IPv6 then that’s no problem. On the other hand, if you don’t want it to be, or you don’t mind either way, then you don’t need to do anything.
We propose making this change on Monday (27th) at lunch time. Once we do have a reliable set of instructions we’ll let you know and revert to the current setup.