Un-dreading IPv6, addressing

| 1 Comment
IPv6 addressing is scary looking. Anything that calls "2608:af09:ce24:342a:00a1:3def:ff31:0122" an IP address is going to cause some fear in anyone who is supposed to support that environment. While they can get that complex, they don't have to be.

IPv6 addresses operate the same as IPv4 addresses do. They have a network part and a node part, delineated by the subnet mask. Just as denotes a subnet in IPv4, 2608:af09/32 denotes one in IPv6. Unlike IPv4, IPv6 subnets are always defined by bit-count; the IPv4 equivalent of is /24, but you'll never note an ipv6 subnet mask as ffff:ffff::. The bit-count in IPv6 increments by four for each digit from the start of the address.


And so on.

The other thing to keep in mind is that is perfectly acceptable to have large strings of zeros in IPv6 addresses. You can replace one such string with "::" in the address. Thus an address like:


can be represented by


Also, you may have noticed that leading zeros in an address can be trimmed. The above address assumes ":30" is ":0030" and ":0:" is ":0000:". That also helps keep things short.

This also means that those IP numbers you just have to memorize, DNS and gateway addresses, can be kept simple if your network administration staff don't actively hate you. Your DNS server may be located at 2608:af09:134::134. Not scary at all.

Now for some of the differences with IPv4. They're not scary, just different. Below the fold.
The thing that got a lot of early press with IPv6 is its ability to auto-provision itself with an address independent of DHCP. Combine with dynamic DNS and this really eases setup! There are two ways this can be done. MAC-based, and random-based.

The IPv6 client listens for router announcements that announce the IPv6 network number for that subnet. 2608:af09:30::/48 for instance. The client then knows that it can fill the last 64 bits of the IP address with either the MAC address of the interface (plus some bits to fill out to 64 bits), or a random 64-bit number. 64-bits of randomness means it is very unlikely to collide with another device on the subnet.

Windows uses the random number method, so the self-provisioned IP address would look ugly, but would look like:


But you never have to type that, so it's OK. Also, you can assign static IP addresses same as you always could. Or pass them out with DHCPv6. Or just let it register against Dynamic DNS and not worry about it.

Autoprovision is nifty, but it still won't get a device the DNS address list. For that, DHCPv6 is called for to complete the hands-free setup environment.

Also, IPv6 has a few reserved prefixes. Much like anything starting with 224 in IPv4 is Multicast, IPv6 has the same kind of thing.

Link Local addresses: These addresses always start with 'fe80:' but is visible as if it were a layer-2 address. These addresses do not route, but are visible to others on the same subnet. Yes, this is a bit brain-bendy, but it is needed for IPv6 features. Linux shows these addresses with ifconfig, but on windows "netsh int ipv6 show addresses" is needed.

Site Local addresses: These addresses always start with "fec" and work just like the RFC1918 addresses (e.x. you know and love. I would not be surprised if this is what many early IPv6 deployments started with. That said, you'll probably never run into these as they've been deprecated. They'll still show up in IPv6 documentation though, and the prefix is unlikely ever to be re-used.

Unique Local addresses: Since Site-Local addressing has been depreciated, something had to replace the 'private network' functionality in IPv6. These addresses always start with either "fc0" or "fd0". Unlike RFC1918, these addresses are very likely to be globally unique. By default these addresses are not routed on the Internet, although two peers could negotiate to allow exactly that if they want to. The advantage to being very likely to be globally unique is that if two networks need to merge (say, a company is bought out) the need to renumber everything is vastly reduced.

Multicast Addresses: These always start with "ff" and work like IPv4 multicast. Only better. But unless you're a router person, you don't care.'

Localhost: This is not a prefix, so much as a suffix. The address "::1" is the IPv6 equivalent to IPv4

6to4 addresses: These are the "2002:" addresses you have on your Windows boxes already. They're used to tunnel IPv6 traffic over IPv4 networks. And they do register with DNS if you have Dynamic DNS. Not just Windows can do this trick, it just comes turned on by default in Vista and Win7.

What does this mean for your average corporate network? Well... the IPv4 corporate network is a potentially very large RFC1918-based network behind NAT gateways and firewalls that exist on very few public IPv4 IP addresses. It is no secret that the originators of IPv6, the draft of which was finalized in the late 1990's by the way, haaaated NAT and saw it as a painful hack and not a feature. This is why they built the original protocol to allow all IP consuming devices anywhere to have a globally routeable address.

Unfortunately, and I've also mentioned this before, I know a LOT of sysadmins and Network Security people who consider having a public IP address to be fundamentally insecure. I know I was when I first showed up at WWU. Heck, last time I looked the Payment Card Industry data security standards required that credit-card holding machines be on an RFC1918 address behind a NAT gateway. Having a public IP means that a badly secured firewall allows Evil People to probe all of your vulnerable bits, and it is in this way that a NAT gateway can hide a multitude of InfoSec sins. Defense in depth!

Which means to me that Globally Unique addresses are likely to continue to be common on Corporate networks. I don't know what size of v6 subnets the likes of ARIN are handing out to entities like us, but those subnets are still going to allow a lot of addresses on them. But still, it may continue to be the case that a single v6 address on the corporate border is actually representing thousands of IPs behind it.

Some things don't change.

1 Comment

That would be "deprecated", not "depreciated".