Sunday, March 25, 2012

Why you should care about IPv6 in MySQL

Since MySQL 5.5 it's possible to use IPv6, but why should you care?

Since MySQL 5.5 you can configure MySQL to listen on an IPv6 address. The MySQL commandline utilities can connect to an IPv6 address.
Storing IPv6 addresses is simple, just store them as a 128 bit integer. You can convert IPv6 addresses to numbers and back in your application.

Your users will start to use IPv6

Your users might start to use IPv6 and you might need to store IPv6 addresses in your database. Since MySQL 5.6.3 you can use the INET6_ATON() and INET6_NTOA() functions. You could also store addresses as character string, but takes more storage and is less flexible.

You need to learn to use IPv6

In a traditional 3-tier web platform the database is normally not directly accessed by the end users as the application server is the one accessing the database. Direct database access is probably used only for administration and/or reporting. If the loadbalancer is IPv6 enabled then the website is accessible over IPv6. The connections between the loadbalancer, web server, application server and database server then can all use IPv4. The drawbacks for this setups are: You can't use direct server return options on the loadbalancer. IP addresses in logs and header might be the one from the loadbalancer.
So you don't need IPv6 for your database server, but you do need it elsewhere and within a number of years you might as well need it. So you should start to use IPv6 and start to learn how it works, how you should make it secure, how to tune it.

Note 1: You should use "bind-address = ::" to make MySQL Listen on IPv6 (Source: Bug #8836)
Note 2: If you use mysql-proxy directly or as part of MySQL Enterprise Monitor: It doesn't yet support IPv6. (Bug #60392)

Fine grained access control

One of the temporary solutions if you need IPv4 is carrier grade NAT. That means that all connections from 1 ISP or company might come from the same IPv4 address. If you want to grant access to somebody you could create the grant for the whole network or use VPN or SSH tunneling. If you use IPv6 every connection should come from a unique and more static IPv6 address. Then you can grant the access only for 1 IP address. Of course you should enable TLS/SSL for a secure connection.

Fixed in drizzle

Of course IPv6 is already fixed in drizzle. You can download the whitepaper about IPv6 in Drizzle here.

It doesn't yet seem to be fully fixed in MariaDB according to the Ask Monty Knowledgebase. But with MariaDB 5.5 this should change. I expect IPv6 support to be complete when MariaDB 5.6 is released. The virtual columns feature of MariDB could makes it easier and faster to work with IP addresses.