Going into the networking and IT industries, one of the common things you’re met with is certificates. Some of the more common ones include the CCNA and the CompTIA A+ certifications, with some of the more niche and situation-specific including PCNSA, CCNP, and CompTIA Security+ certifications. My first, however, was none of those. It was the Hurricane Electric IPv6 certificate, and it was by complete accident.
Background
I first stumbled across Hurricane Electric through their IPv6 tunnel broker program in early 2024, where they would allocate a routed /48 to you for completely free. All you needed was a routed IPv4 address that would respond to pings. While I was never able to get it successfully set up, likely due to me still learning OPNsense at that time.
As one does on an inherently technical in nature webpage, I clicked around and found they had an IPv6 certification program. Naturally, I let my curiosity take control to see how far I could get with it without having done any research into it or even a routed IPv6 address. After achieving Newbie status easily, I was unable to move past that due to the requirement of having to access from an IPv6 address. With me still being in the middle of the semester, I decided I’d put a pin in that until the summer.
Picking it back up
The date is now January 12th, 2025. It’s the night before the spring semester of classes start, and I’m figuring out what devices have IPv6 addresses with my cat to my side. Out of nowhere, I remember that I was looking into Hurricane Electric for getting IPv6 back where I used to live, and how I was trying to get through what I thought was a connectivity quiz. As such, I pull it back up and see how much further I can get with it.
Explorer
The enthusiast tier could mostly be described as understanding what an IPv6 address looks like. The difficult part of this tier for me was due to my lack of IPv6 connectivity when I initially tried to do this. I deemed it not important enough turning on my phone’s hotspot on just to get past this and just made a mental note for me to do that whenever I was on my hotspot. Yeah that never happened, or else this would be published in June.
After connecting with an IPv6 address (still not through Hurricane Electric’s tunnel), I answered the quiz covering extremely basic diagnostics and confirming I know what an IPv6 address looks like.
Enthusiast
This step involved having a website that had IPv6 connectivity. However, I’ve had one for the past 3 years: https://www.monicarose.tech. While I wish I could say I set this blog up with one of the goals to be achieving an IPv6 certificate, the title of this post is about how I got a certificate by accident.
Questions were extremely leading, pushing you toward using IPv6 alongside some hilarious multiple choice questions, which was trivially easy to just click through and move on.
Administrator
This step was marginally more difficult for the technical aspect of it, which was making sure if I had a working mail server that had IPv6 connectivity. And for the past 2 years, that was a yes for me. If you’ve sent an email to an @monicarose.tech email address, that was sent to a self-hosted mail server. I could insert another joke about this all being planned, but no it wasn’t.
For the homelabbers out there who are hesitant to use cloud providers, it’s entirely possible your ISP allows SMTP traffic, both inbound and outbound. I know I have friends who are running their own mail server from their residential networks without any issues. However for those whose ISP has blocked inbound SMTP, it’s possible you can get away with this with a gmail or outlook email address. However, that much is an exercise for the reader.
By the time I had configured the mail server, I had largely moved on from addressing servers by IP address and had started using DNS to address things as much as possible. Outside of this certification, I personally feel that addressing things by DNS rather than IP addresses is one of the biggest hurdles for IPv6 adoption, since it’s either not common knowledge that DNS records can point to private IPv4 addresses or some DNS providers refuse to use private IPv4 addresses. In my experience, OPNsense (and presumably pfSense by extent) blocks resolution of DNS queries that result in a non-routed IP address, but this is easy to disable and, in my opinion, poses little security risk.
As far as the questions were concerned, most of these were concerned about my experience with the certification process, with one ahem “technical” question. At risk of repeating myself, this was trivially easy to click through and move on.
Professional
While not entirely difficult for me, this might be the stumbling block for people wanting to take this test at home. For full transparency, I used my blog’s website for most of this process, which is being hosted on a $5/month server from Linode. They made it extremely easy for me to change the rDNS for that IPv6 address, but if this is being done in a homelab environment, I fully acknowledge this may be flat out impossible for some people. I didn’t look into if Hurricane Electric allowed me to change the rDNS on my range that I allocated.
That acknowledgement out of the way, hypothetically if I hadn’t already changed the rDNS, it would’ve taken a couple clicks and entering in monicarose.tech, possibly with waiting a few minutes for any DNS caches to expire. However, since I had already completed that in the process of me setting up my mail server, I could once again validate my rDNS record and continue on to the questions
Questions, once again, included surveying about the certification process, notably if I had any issues configuring IPv6. Seeing as I’ve yet to configure the Hurricane Electric tunnel on OPNsense, it’s fairly safe to say that yes, I have had some trouble. That being said, my apartment is using IPv6 with OPNsense and have had little to no issues, even being able to request a /56 and subnet that out.
Guru
If you’ve gotten past the rDNS part successfully, congrats! You can most likely coast out the technical parts from here. Unless for some reason your DNS provider itself doesn’t have IPv6, you can likely click past this just fine, including yes, the questions.
Sage
This was the part for me that was by in large the most difficult part, mostly due to the questions before being “how do you feel about this certification process so far” and me having already done the hard work for the technical stuff already. As I eluded to in the Administrator section, this was heavily centered around resolving IPv6 addresses in DNS, including knowing some of the major authoritative domains and how to query domains and subdomains. If you aren’t familiar with either the terms IPv6 glue or glue records, then you’re probably going to struggle a bit on this.
Personally I had to retake it a few times, though my experience with diagnostics in the past, including a labbing server that had IPv6-related issues for an unknown amount of time, aided me dramatically. Since all of these questions aren’t surveying your experience but rather you, there are correct answers. If you were planning on taking this certification, you probably would’ve reviewed some of the lectures Hurricane Electric have on their certification website. But if you went into this completely blind like I did, there’s no repercussions for retaking that test multiple times, as what’s tested is just the Sage tier questions.
Conclusion
Normally, it is heavily advised to study for the certifications you’re jumping for. And that absolutely stands true for this no less, especially given how difficult setting up everything it asks for can be. This process isn’t an overly expensive one by any means. My domain, monicarose.tech, costs me roughly $50/year, with a cloud server able to do web and mail hosting at about $5/month. I’ll fully acknowledge that I’m on the upper end of how much this could cost, especially with being able to get domains for cheap as $1/month if you don’t care about the name or the top-level domain that you have.
However, if you set it up from the perspective that I had where you want it to set things up as completely as possible, if you have IPv6 access, it doesn’t hurt to be as IPv6 ready as possible. Even if you only got up to the professional tier, what you have shown along the way is that you are aware that IPv6 is very much a thing and have set up web and mail servers to be compatible with it. Even if it doesn’t net you a certificate, being able to show that you can properly configure services around IPv6 carries some weight to it.
This IPv6 certificate will likely be one of the ones that sits lower on my resume, but that’s because I’m already planning on getting CyberOps Associate certified and CCNA certified in the relatively near future, and especially the CCNA has some elements of the HE IPv6 certificate in it.