IPv6 needed, urgent, nice to have?

Hi Michael,
I write this posting like an open letter to you just to explain my intention. Open letter because maybe there are some other users with the same thoughts or questions like me. It shouldn’t be seen like the 101st request when IPv6 will be available in IPFire.
A couple of years ago I got my first DSL connection from Telekom (German telecommunication company). IPv6 wasn’t seen at the horizon, I read an article in a magazine about the technical design. After moving (around 2006) I had the chance to switch to a (coax) cable access. After some years I wanted to switch the contract, to get an upgrade to a higher bandwidth, the company told me, yes, it’s possible, but you will get a dual stack lite IPv6 connection. If you still want an IPv4 connection, you have to switch to our business contracts. The costs weren’t so much higher and I wanted to keep my IPFire so I did so. After moving again I had to switch back to a „slow“ DSL connection from Telekom again. The advantage of an „old“ company is that they have a large pool of IP addresses, in my opinion, to offer a full dual stack access without any higher costs. But now, several years later, I have the chance to switch to another company who offers a fibre connection (FTTH). But this is a very young company and it seems that their IPv4 address pool is a little bit smaller. So the offer for an IPv4 access will cost 25€ … per month … on top of the costs itself.
So, why do I tell this history? In connection with IPFire, IPv6 is no more a nice to have feature, it will be an important factor in a calculation of the costs in connection with an internet access. I like the IPFire but, to be honest, this is the first time I take a look around for an alternative. In this case OPNsense. So what can be done? In my case, I’m not a good programmer and if there is a call for donation to get this feature implemented, I’m willing to spend some money for it. And maybe I’m not the only one with this thought; there will be some more who spend.
And again, this shouldn’t be a critical posting about why IPv6 still isn’t available. It’s just a little insight into my situation and just to put a little spot on this topic.

At the end of my posting, I want to thank you for the work you have done and will do in the future for the IPFire project.

3 Likes

Little Falter

After reading your post, I realized that you, like many other users (like me), are waiting for those IPFire functions that are unclear when they will be implemented.

Maybe developers need to change the format of news publication? And do:

  • Publish a roadmap for future releases;
  • Arrange a vote for the addition of this or that functionality in a future release;
  • Make it possible to promote the development of that functionality for which users will donate money.

I really like IPFire and I would like it to change for the better and be closer to the community…

1 Like

Hello,

We know that. That is us, the developers. However, our donors do not seem to think that this is a course worth supporting.

So, the project has been too underfunded to drive this kind of development fast enough. There are a lot of details that I have written about at various places before. It can be summed up as “we cannot integrate this in IPFire 2”. However, IPFire 3 has extended IPv6 support, but isn’t in a production-ready state, yet.

For that, we will need funds. We will need people and various other resources which we simply do not have. For as long as that is staying, we are not going to be any faster with development. We are on it, just very slowly.

Over the years, we have tried lots of things. We tried crowd-funding and things like that, but in the end spent more time to promote it than actually implementing anything. Nothing that we have tried has worked out well for us.

Right now, we are in the middle of a pandemic and we have put many ideas back on the shelf because no company has any money to spare. Hopefully we will come back to that at some point again, but for now, we are out of ideas and just sitting tight.

Absolutely. The way to do that simply is to donate regularly. It does not have to be a fortune, because every little helps, but of course the more the better.

Help us to encourage others to do that, too.

3 Likes

Good afternoon from Spain, Michael.

Maybe this is not the best thread to put this on. Feel free to move it.

It would be good if you published a post with physical needs that you have (apart from donations in money) since surely many of us have equipment that we can send you altruistically.

For example, if I am interested in making the IPFire work on a NanoPI R2C, I would have no problem and I would send you one altruistically:

https://www.friendlyarm.com/index.php?route=product/product&path=69&product_id=285

And who says that, says Servers, PCs, Switches, etc …

There will be people who do not have money but have knowledge to help and others can only help with material to donate. In other words, apart from asking for donations, also in equipment and necessary things.

It’s an idea.

In any case, thank you for your work. :call_me_hand:

BR.

3 Likes

IPv6 is no longer a luxury item, but a requirement. I recently moved to a new ISP and to OPNsense since IPFIRE is not v6 capable. I like IPFIRE, have used it for many years and made donations. Simple truth though, it’s no longer viable for me to use it.

3 Likes

@ms Hello Michael,
several years back you had the donations goal meters where you could donate explicitly for a certain feature. Why not try this with ipv6 (ipfire3)?

And as a prerequisite for that:
Can you be more precise/transparent about what resources are needed to push the IPFire 3 development to a level that is suitable for public testing?

1 Like

Hi all,

for the record, I just wanted to mention IPFire 2.x is not entirely incapable of IPv6:

IPFire’s infrastructure (web sites, mail services, nameserver, …) has been reachable via IPv6 for quite a while by now - and is actually protected by an IPFire 2.x installation.

$ host ipfire.org
ipfire.org has address 81.3.27.38
ipfire.org has IPv6 address 2001:678:b28::
ipfire.org mail is handled by 10 mail01.ipfire.org.
$ host mail01.ipfire.org.
mail01.ipfire.org has address 81.3.27.42
mail01.ipfire.org has IPv6 address 2001:678:b28::25

Truth to be told, this configuration needs to be done manually, as the WUI does not know anything about IPv6. This is certainly not the level you want from a dedicated firewall distribution, but if you are not afraid of configuring networking and IPv6 firewalling (actually not that easy, see this paper for details), you won’t need to throw away your IPFire 2.x installation.

One aspect of IPv6 I have not found an ideal solution to so far is VPN, especially if you have dynamic prefixes working on both ends of the tunnel - say two firewalls at residential ISPs connected to each other. Preventing traffic leaks is a nightmare in this case, and the (in Germany very popular) FritzBox CPE series does not support IPv6 for IPsec either - perhaps we could stick to this, too, until we found a (better) solution.

This all is not a short-term solution. But I did not want to leave this thread in silence. :slight_smile:

Sorry to disappoint, and best regards,
Peter Müller

3 Likes

Hi Peter Müller

Thanks for the clarification, but this functionality has long existed in commercial solutions…

I agree with Hanz Meister it is necessary to show what resources are needed in order to make the functionality that the community needs now, how much it will cost to implement this or that functionality…
I am sure that if you show how much it will cost to implement IPV6 support, you will quickly collect the necessary amount… And I will be sure that if I donate money, it will go exactly to what I need now…

1 Like

Hi,

based on the experience the IPFire project made during the past when it comes to funding, I sincerely doubt that, but I would be happy to be proven wrong. :slight_smile:

Personally, I cannot really mention a concrete amount of money here. Perhaps @ms can…

Thanks, and best regards,
Peter Müller

1 Like

No, I would not support any plans to bring crowdfunding back. It is too complicated and has too much overhead. Last time we did this I was busy drumming the money together and in that time, I probably could have implemented whatever we were collecting funds for twice.

What we would need is a stable income in donations. That would be all and we would be there in no time.

3 Likes

Tried this a long time ago and still periodic donation with paypal is not possible. Works fine for Document Foundation etc but not ipfire.

This is because PayPal is not allowed to implement this in Europe unfortunately. There has been too much fraud and PayPal did too little about it, which is why they currently do not offer this to us.

Although, the document foundation is based in Germany, too, which is surprising. Do you have any contacts there that could tell us more about how they managed to do it?

I would absolutely recommend using credit cards for recurring donations (or SEPA if you are in Europe). Both variants are a lot cheaper for us than PayPal and in case of credit cards, we do not store your details, which makes it more fraud-proof.

2 Likes

I can’t give you any contact. I set it up on their website 5 years ago and give them 50€ per year. SEPA etc. is too complicated or I’m missing the flexibility and service of control.

So how many “subscribers” would you need if it was a yearly $50 fee ? (Or monthly $5)
I wouldn’t have any problem doing that in one or two years.

I’m now talking about more than IP6. More like speeding up the whole roadmap.

2 Likes

Hi all,

to contribute some concrete figures and a roadmap to this:

First of all, we won’t add IPv6 support to IPFire 2.x anymore. This is because there are many technical debts in the 2.x, ranging from the build system to the architecture of the web interface. True, patching in IPv6 support is certainly somehow possible, but would be quite ugly in technical terms, which is bad if you maintain a security distribution.

Therefore, IPv6 will come with IPFire 3.x, and a lot of work has already been done there in terms of managing IPv6 connectivity (i. e. handling dynamic addresses and routing) - see also this talk for further details. There is also a technical fundament for its web interface and its build service. However, both the latter are not finished yet, and a decent firewall engine is still under development, too.

So, a roadmap to IPv6 would look like:

  1. Get the build service for IPFire 3.x working.
  2. Repair things at IPFire 3.x so we have bootable development/testing environments again.
  3. Create and finalise the firewall engine and the web interface.
  4. Testing, bug fixing, penetration testing, hardening, etc.
  5. Initial release of IPFire 3.x with IPv6 support.

It is important to understand IPFire 2.x and 3.x are completely independent distributions, and share almost no code basis. (We somehow failed to communicate this clearly, perhaps that’s why the efforts needed for IPv6 and IPFire 3.x were frequently underestimated.) There will be certainly a “dual-stack” phase where both IPFire 2.x and 3.x are supported, until 3.x comes with all necessary features and we can phase out 2.x. Until this date, security maintenance and bug fixing in IPFire 2.x remains a necessity as well.

After a long phone call with @ms, we came to the conclusion the roadmap above requires a decent amount of manpower (say two skilled people working on this exclusively for about a year), and a low six-digit amount of money.

I’m afraid this is the sum we are talking here about. Having two thirds of all IPFire installations located in companies - we are aware of some Fortune 500’s using it as well -, it should be easy to collect this money; after all, developing a firewall software at any company would be much more expensive. Unfortunately, the majority of donations come from home users, not from companies, and currently pose a low three-digit sum per month.

We would love to have more funding - especially from companies, which benefit from IPFire a lot. A steady, decent flow of donations would keep things much more smooth, and we’d have IPv6 and IPFire 3.x ready since years then.

Or, to quote @ms:

If every IPFire user would donate us 1 € per month, we would not have to worry about our funding at all.

Thanks, and best regards,
Peter Müller

P.S.: Should you be reading this as a company and authority, and want to contribute to IPFire, we would love to hear from you. Please contact info@ipfire.org in case of questions, billing issues, or similar.

6 Likes

Is 3.x still going to be based on Linux from scratch?

Yes. In terms of security, this is the best option we have.

1 Like

I wouldn’t say that either version is really based on Linux from Scratch as in the book that you can find here:

https://www.linuxfromscratch.org

We build IPFire from source which is what we will need to do to maximise its resiliency against so many common attack vectors.

5 Likes

I was wondering, can you get the same flexibility using NixOS? Maybe the fact that NixOS is designed from the ground up for build reproducibility might make your life easier and achieve the same ability to control the package you install to the granularity you need?

No, we would not look into whether IPFire should be based on some other distribution, because IPFire would not be IPFire if we would be built on top of Debian or anything like that.

8 Likes