Why Bother with IPv6?
IPv6 (IP version 6) was designed to replace the ageing IPv4 addressing system, which was conceived prior to the widespread use of the internet. As a result of the internet’s booming popularity, public IPv4 address space has almost run out, and more and more businesses and institutions have migrated to IPv6 - you may not have noticed that this has happened.
If you checked out our article on IPv4 IP addressing, you already know that an IPv4 IP address is 32 bits long. An IPv6 IP address is 128 bits long, which means that, in theory, there are 2^128, or 340,282,366,920,938,463,463,374,607,431,768,211,456 (340 billion billion billion billion), addresses available, which is a great deal more than the 4.3 billion addresses available with the 32-bit IPv4 system.
Since this technology will take over from IPv4 in future, many IP devices are now able to be addressed using IPv4 or IPv6 schemes. Some devices use both simultaneously. One current snag of swapping over to IPv6 is that any network switches and routers need to be checked for IPv6 compatibility, and may need to be configured to handle IPv6 data if they are in fact compatible. This issue will fade as IPv6 sees wider use.
So IPv6 is already with us, if not noticeably ubiquitous yet, but will eventually become the main standard for IP networks, so it’s worthwhile to get a handle on it now.
So what does IPv6 look like?
IPv6 is similar in many ways to IPv4 addressing. Basically every device has to have a unique IP address, there is name resolution of IPv6 addresses to host names, dynamic addressing, static addressing, routing, etc. as with IPv4.
However when drawing up the specification for IPv6, rather than doing things exactly like IPv4, IPv6 improved upon a handful of things to simplify addressing, routing, improve security, and improve performance and efficiency of IPv6 communications compared to IPv4. So as much as IPv6 addresses themselves are really long and cumbersome, what was done with the IPv6 system actually makes it more efficient.
So the following is some terminology in IPv4 terms and how these concepts are addressed in IPv6:
IP Address: Each device will have an IP address still, but instead of an IPv4 address, it’ll have an IPv6 address. Other than the length and slightly different look, this concept is identical.
Subnet Mask: We used to do subnet masks in IPv4 with notation like 255.255.255.0, or CIDR notation, e.g. /24.
IPv6 uses its own version of subnet masking which is similar to CIDR notation. We now indicate subnets using a slash and a number that denotes the masking. So for a local area network that would look like:
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx /48 (an IP range with subnets) or
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx /64 (an IP range without subnets).
But when you actually key in the IPv6 address on a system, that /48 or /64 will refer to the use (or not) of a hexadecimal number that’ll be in the middle (the fourth “number” from the left) of the IPv6 Address.
So when you see an IPv6 address, while it is really long, it actually includes the Network Address : Subnet : Device IP Address Information in that long address string. We will look at this in more detail later.
Default Gateway Address: The concept of the network gateway in IPv6 is the same as in IPv4. A default gateway address will be designated, which decides where traffic can be routed out of the current subnet (technically the IPv6 Default Gateway address is not a formal standard in IPv6, however Microsoft has included a Gateway setting in their Windows IP Configuration properties page).
What is the equivalent of private network addressing in IPv6?
So how about Private (internal) network addresses, do they exist in IPv6? The answer of course is yes. So if you are just fiddling around with IPv6 on your own private network, or you want to use the equivalent of network address translation (NAT) where you have private addresses for your internal servers and systems, then you can use IPv6 private addressing, using the Unique Local Address (ULA) range, or the Link-Local address range. In the IPv4 world, private addresses include the ranges 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. In the IPv6 world, the ULA space is fc00 and the link-local space is fe80, so:
fc00:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Indicates a ULA address.
fe80:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Indicates a link-local address.
Do note though, that if you use Unique Local Addressing or link-local addressing in IPv6, these addresses cannot be routed directly to the Internet. These devices will always have to remain on an internal private network, or reside behind a router. The good thing about that is you can control these devices like you do IPv4 devices on the “inside” of your network, so some say using a ULA is more secure because the device cannot be accessed externally.
An argument against ULA or Link-Local addressing is that the whole concept of IPv6 is for IPv6 devices to be globally routable, so that in the future your IPv6 systems can talk to other IPv6 systems directly without having to translate addresses through a router (from private to public addressing). Having publicly accessible IPv6 addresses on internal devices is planning for the future of what will come in IPv6 communications.
Deciding whether to use ULA or Link-Local addresses or not can be a tough decision, and the correct answer depends upon the requirements of your network. In a security systems network environment, it will be likely that ULA or Link-local IPv6 addresses are the answer for most devices on our own networks, with Internet routable IPv6 addresses being used with interfaces on client networks only (similar to what we already do with IPv4). It should be noted that when using non-Link-Local or ULA addresses, the address ranges (including subnets) would need to be requested from an ISP by the client, and allocated by them to us as they already do sometimes with IPv4 address ranges.
Understanding IPv6 addresses
Okay, so we’ve gone through the concepts of IP addressing in IPv6, which basically shows that the same concepts we’ve used and have gotten familiar with in IPv4 are still pretty much the same in IPv6, but with slightly different notation. So let’s look at IPv6 addresses in more detail.
We know that IPv4 addresses are 32-bit addresses (4x 8-bit octets). These are separated into 4 octets by dots. The octets are three digit numbers in the range 0 – 255. Leading zeros in an octet can be omitted, so an IPv4 address can look like 10.12.2.200. Typically we would give the address a Subnet mask like 255.255.0.0 which means that the network is 10.12. and the device address is 2.200.
We now know that IPv6 addresses are shown in a 128-bit double-octet format separated by a colon, so is effectively written out as 8 sets of four “numbers”. Since IPv6 uses hexadecimal notation, a digit from the "number" will be in the range 0 - 9, and a - f. Therefore an IPv6 address could look like this:
af30:0000:0000:0001:ac4e:003e:0009:000e
As with IPv4, IPv6 addressing allows you to drop leading zeros in the format, so the above address could be simplified as:
af30:0:0:1:ac4e:3e:9:e
And when you have a double-octet group that is nothing but zeros (0000) you can replace the entire grouping with a ::, so using this option further simplifies the above to look like:
af30::1:ac4e:3e:9:e
Note: You can only have one set of :: in an IPv6 address, so if you have two groupings of zeros, you can only use this shortcut on one of them.
How to subnet IPv6
So we skipped over subnetting in IPv6 earlier, other than to look at subnet notation. Let’s look at it in more detail now. Looking at the address above, it’s not just one massively long IP address. It can actually be broken down into three parts, the Network Address, Subnet Address, and the Device Address. With the above address, and a subnet of /48, the breakdown looks like this:
af30:0000:0000:0001:ac4e:003e:0009:000e
The Network Address is the first 48-bits of the address, or since they are grouped into 16-bit numbers, effectively the first three groups of numbers designate the network. For the above example, the Network Address is af30:0000:0000. For those getting their IPv6 addresses from an ISP, the first part of this Network Address will be the same for all of the customers of that ISP, which will designate the region and ISP. If you are using Unique Local Addressing (i.e. IPv6 private addressing), you could effectively address this part as fc00:0000:0000 where fc00 designates this as a ULA, and that you are working with a single common network.
The Subnet Address is the next 16-bits of the address. For the above example, that would be 0001, denoting subnet 1. So instead of a separate subnet mask, in IPv6, you just note the Network Address and the Subnet Address, and that’ll give this address a specific designation of the Network that this device is on, and the Subnet that this device is on. This is where IPv6 is more efficient than IPv4 as each data packet has everything a router needs to route the information along, instead of having to add or append routing information, or look to a completely separate subnet mask parameter.
The last 64-bits (or 4 groups of numbers) is the unique Device Address, in this case, the device is specifically ac4e:003e:0009:000e.
With 16-bits allocated to subnets and 64-bits allocated to devices on a subnet, this means that a single Network Address can have 65,535 Subnets, each with over 18 quintillion (18 with 18 zeros after it) Device Addresses. With 48-bits allocated to the Network Address header of the IPv6 address, that’s 281 trillion networks (each with 65,535 subnets, each with 18 quintillion devices). With this in mind, it is clear that (in your own LAN setup at least) subnetting could be used to reduce the number of available device addresses as with IPv4.
How the concept of gateways and routing works in IPv6
So for a Gateway address in IPv6, it works exactly like the Default Gateway address in IPv4, you’ll have an IPv6 address that’ll be the route out of your Subnet, to other subnets or the internet. Just like in IPv4, that Gateway address needs to be an IP address from the subnet you are on so that your traffic hits that Gateway address, and that Gateway address should be configured to route your communications to a device outside of your subnet.
Hopefully now IPv6 addresses make more sense. If you are using public IPv6 addresses, then you will likely be given the first 4 groupings of numbers (the Network and Subnet) from your ISP and you will have the last 4 groupings to address as you please (in our case we will still normally be allocated IP ranges from our clients). If required you will define your Gateway address that’ll take you out of your subnet to other subnets or to the Internet.
More about IPv6
As we said earlier, IPv6 addresses are 128-bit identifiers for network interfaces and sets of network interfaces. There are three types of IPv6 addresses:
Unicast Address: An identifier for a single network interface. A data packet sent to a unicast address is delivered to the network interface identified by that address only.
Anycast Address: An identifier for a set of network interfaces (typically belonging to different nodes). A data packet sent to an anycast address is delivered to one of the network interfaces identified by that address (the “nearest” one, according to the routing protocols’ measure of distance).
Multicast Address: An identifier for a set of network interfaces (typically belonging to different nodes). A data packet sent to a multicast address is delivered to all network interfaces identified by that address.
Addressing model
IPv6 addresses of all types are assigned to network interfaces. Since each network interface belongs to a single node, any of that node’s interfaces’ unicast addresses may be used as an identifier for the node.
An IPv6 unicast address refers to a single network interface. A single network interface may be assigned multiple IPv6 addresses of any type (unicast, anycast, and multicast). There are two exceptions to this model.
These are:
1) A single address may be assigned to multiple physical interfaces if the implementation treats the multiple physical interfaces as one interface when presenting it to the internet layer. This is useful for load-sharing over multiple physical interfaces.
2) Routers may have unnumbered interfaces (i.e. no IPv6 address assigned to the interface) on point-to-point links to eliminate the necessity to manually configure and advertise the addresses. Addresses are not needed for point-to-point interfaces on routers if those interfaces are not to be used as the origins or destinations of any IPv6 data packets.
IPv6 continues the IPv4 model that a subnet is associated with one link. Multiple subnets may be assigned to the same link.
Text representation of addresses
We have looked at the basic conventions for representing standard unicast IPv6 addresses as text strings. There are a few others which may be used under specific circumstances.
1. An alternative form that is sometimes more convenient when dealing with a mixed environment of IPv4 and IPv6 nodes is termed an “IPv4-compatible IPv6 address” and has the format:
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:d.d.d.d
where the ‘x’s are the hexadecimal values of the six high-order 16-bit groups of the IPv6 address, and the ‘d’s are the decimal values of the four low-order 8-bit pieces of the address (in standard IPv4 notation), which replace the remaining two 16-bit pieces of the IPv6 address.
Examples:
fc00:0000:0000:0000:0000:0000:192.168.1.1
af30:0:0:0:0:0:129.144.52.38
2. Another alternative form incorporates the MAC (Physical) address of the network interface:
Examples:
fc00:0000:0000:0000:0203:baff:fe24:a9c6
af30:0:0:0:0203:baff:fe24:a9c6
Here a 48-bit MAC address is converted into modified EUI-64 format. A 48-bit MAC can be transformed to a 64-bit interface ID by inverting the seventh (universal) bit and inserting an ff and fe byte after the third byte. So the MAC 00:03:ba:24:a9:c6 would become IPv6 device address 0203:baff:fe24:a9c6. See RFC 4291 Appendix A and RFC 4941 for further info.
The use of IEEE 802 MAC addresses as an interface ID is expected to be very common in environments where nodes have an IEEE 802 MAC address. The inclusion of a unique global interface identifier, such as a MAC address, makes possible a very simple form of auto-configuration of addresses. A node may discover a subnet ID by listening to router advertisement messages sent by a router on its attached link(s), and then fabricating an IPv6 address for itself by using its own MAC address as the interface ID on that subnet.
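As an added example (not from the article or the RFCs it cites), the code below carries out the modified EUI-64 conversion described above for the article's MAC 00:03:ba:24:a9:c6, combines the result with a /64 prefix the way autoconfiguration does, and reverses the process so an administrator can spot hosts whose addresses expose their hardware MAC rather than using RFC 4941 privacy addresses.

```python
import ipaddress
from typing import Optional

def mac_to_interface_id(mac: str) -> str:
    """48-bit MAC -> 64-bit modified EUI-64 interface ID (RFC 4291 App. A):
    flip the universal/local bit of the first byte, insert ff:fe in the middle."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:03:ba:24:a9:c6")
    octets[0] ^= 0x02                      # 00 -> 02 in the article's example
    eui = octets[:3] + bytearray(b"\xff\xfe") + octets[3:]
    return ":".join(f"{(eui[i] << 8) | eui[i + 1]:04x}" for i in range(0, 8, 2))

def slaac_address(prefix64: str, mac: str) -> str:
    """Combine a /64 (Network + Subnet) learned from a router advertisement
    with the MAC-derived interface ID, as stateless autoconfiguration does."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("autoconfiguration needs a /64 prefix")
    iid = int(mac_to_interface_id(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC a node exposes in its address via EUI-64, or None.
    Useful for auditing whether hosts use RFC 4941 privacy addresses instead."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":            # no ff:fe marker: not EUI-64 derived
        return None
    mac = iid[:3] + iid[5:]
    mac[0] ^= 0x02                         # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)
```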
3. The “unspecified address”, which is:
0000:0000:0000:0000:0000:0000:0000:0000
It must never be assigned to any network interface. It indicates the absence of an address. One example of its use is in the source address field of any IPv6 data packets sent by an initializing host (a new device powering up) before it has learned its own address.
The unspecified address must not be used as the destination address of IPv6 data packets or in IPv6 routing headers.
4. The “loopback address”, which is:
0000:0000:0000:0000:0000:0000:0000:0001
This is the IPv6 equivalent of using address 127.0.0.1 in IPv4. It may be used by a node to send an IPv6 data packet to itself.
The loopback address must not be used as the source address in IPv6 data packets that are sent outside of a single node. An IPv6 data packet with a destination address of loopback must never be sent outside of a single node.
Note: The “unspecified address”, the loopback address, and the IPv6 Addresses with Embedded IPv4 Addresses, are assigned out of the 0000:0000 format prefix space.
5. Multicast addresses are distinguished from Unicast addresses by the value of the high-order octet of the addresses. A value of FF (11111111 in binary) identifies an address as a multicast address; any other value identifies an address as a unicast address. Anycast addresses are taken from the unicast address space, and are not syntactically distinguishable from unicast addresses. A Multicast address therefore could look like this:
ff00:0000:0000:0001:00ac:0000:0000:0001
Anycast Addresses
An IPv6 anycast address is an address that is assigned to more than one interface (typically belonging to different nodes), with the property that a packet sent to an anycast address is routed to the “nearest” interface having that address, according to the routing protocols’ measure of distance.
Anycast addresses are allocated from the unicast address space, using any of the defined unicast address formats. Thus, anycast addresses are syntactically indistinguishable from unicast addresses. When a unicast address is assigned to more than one interface, thus turning it into an anycast address, the nodes to which the address is assigned must be explicitly configured to know that it is an anycast address.
IPv6 to IPv4 tunnelling
A range has been set aside where IPv6 is employed over an IPv4 network. The range is:
2002:0000:0000:0000:00ac:0000:0000:0000
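The added example below (not code from the article) pulls together the address ranges the article has introduced (ULA, link-local, unspecified, loopback, IPv4-compatible, multicast and the 2002 range above) into a prefix classifier, and uses it to list which of an interface's addresses are reachable from outside the network. The prefix lengths (fc00::/7, fe80::/10, ff00::/8, 2002::/16, ::/96) come from RFC 4291, RFC 4193 and RFC 3056; note that "::" and "::1" fall inside ::/96, so the more specific entries must be tested first.

```python
import ipaddress

# Prefix ranges named in the article. Order matters: '::' and '::1' sit inside
# the IPv4-compatible ::/96 block, so the more specific entries come first.
ADDRESS_CLASSES = [
    ("unspecified",     ipaddress.IPv6Network("::/128")),
    ("loopback",        ipaddress.IPv6Network("::1/128")),
    ("ipv4-compatible", ipaddress.IPv6Network("::/96")),
    ("6to4",            ipaddress.IPv6Network("2002::/16")),
    ("unique-local",    ipaddress.IPv6Network("fc00::/7")),   # fc00:: and fd00::
    ("link-local",      ipaddress.IPv6Network("fe80::/10")),
    ("multicast",       ipaddress.IPv6Network("ff00::/8")),
]

def classify(addr: str) -> str:
    """Name the address class by first matching prefix; anything else is
    global unicast (anycast is not distinguishable by syntax)."""
    a = ipaddress.IPv6Address(addr)
    for name, net in ADDRESS_CLASSES:
        if a in net:
            return name
    return "global-unicast"

# Classes the article says stay inside the network or behind a router.
INTERNAL_ONLY = {"unspecified", "loopback", "ipv4-compatible",
                 "unique-local", "link-local", "multicast"}

def externally_reachable(addresses) -> list:
    """From an interface's address list, return those a host on the Internet
    could address directly: global unicast, plus 6to4 (2002::/16), which is
    carried to the embedded IPv4 endpoint by 6to4 relays (RFC 3056)."""
    return [a for a in addresses if classify(a) not in INTERNAL_ONLY]
```

Running externally_reachable over a device's full address list is a quick check that a "private" security-system device has not also picked up a globally routable address.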