
Everything you need to know about IPv6

By Iljitsch van Beijnum | Published: March 07, 2007 - 09:10PM CT

Once upon a time...
When the ARPANET was designed in the late 1960s, it was outfitted with a Network Control Protocol (NCP) that made it possible for the very different types of hosts connected to the network to talk with each other. However, it soon became clear that NCP was limiting in some ways, so work started on something better. The engineers decided that it made sense to split the monolithic NCP protocol into two parts: an Internet Protocol that allows packets to be routed between the different networks connected to the ARPANET, and a Transport Control Protocol that takes a data stream, splits it into segments and transmits the segments using the Internet Protocol. On the other side, the receiving Transport Control Protocol makes sure the segments are put together in the right order before they're delivered as a data stream to the receiving application. An important implication of this approach is that unlike, for instance, a phone connected to a wired or wireless phone network, a host connected to the ARPANET then and the Internet now must know its own address.

TCP/IP has served us well since it was born in 1981, but for some time now it has been clear that the IP part has a limitation that makes continued growth of the Internet for decades to come problematic. In order to accommodate a large number of hosts but not waste too much space in the IP packet on overhead, the TCP/IP designers settled on an address size of 32 bits. With 32 bits, it's possible to express 4,294,967,296 different values. Over half a billion of those are unusable as addresses for various reasons, giving us a total of 3.7 billion possible addresses for hosts on the Internet. As of January 1, 2007, 2.4 billion of those were in (some kind of) use. 1.3 billion were still available and about 170 million new addresses are given out each year. So at this rate, 7.5 years from now, we'll be clean out of IP addresses; faster if the number of addresses used per year goes up.


This is usually when someone brings up NAT. The discussion usually goes like this: "Use NAT, n00b. All 1337 of my Linux boxes share a single IP and it's safer, too!" "NAT is not a firewall." "You suck." "NAT sucks."

So what about NAT? Home routers (and a lot of enterprise equipment) use a technique called "network address translation" so that a single IP address can be shared by a larger number of hosts. Hosts behind a NAT device get addresses in the 10.0.0.0, 172.16.0.0, or 192.168.0.0 address blocks that have been set aside for private use in RFC 1918. The NAT device replaces the private address in packets sent by the hosts in the internal network with its own address, and the reverse for incoming packets. This way, multiple computers can share a single public address.

However, NAT has several downsides. First of all, incoming connections don't work anymore, because when a session request comes in from the outside, the NAT device doesn't know which internal host this request should go to. This is largely solvable with port mappings and protocols like uPnP and NAT-PMP.

Things get even trickier for applications that need referrals. For instance, with VoIP, the client computer says to the server, "Please send incoming calls to this address." Obviously this doesn't work if the address in question is a private address. Working around this requires a significant amount of special case logic in the NAT device, the communication protocol, and/or the application. NAT also breaks protocols that embed IP addresses. For this reason and a few others, most of the people who participate in the Internet Engineering Task Force (IETF) don't care much for NAT. However, NAT is already in wide use, and apparently we still need 170 million new IP addresses every year, especially as more and more devices, such as VoIP phones, become Internet-connected.

IPv4 address ranges
• Class A: 1.0.0.1 to 126.255.255.254
• Class B: 128.0.0.1 to 191.255.255.254
• Class C: 192.0.0.1 to 223.255.255.254
• Class D: 224.0.0.0 to 239.255.255.255 — reserved for multicast groups
• Class E: 240.0.0.0 to 254.255.255.254 — reserved

In the early days of the Internet, some organizations got excessively large address blocks. For instance, HP, DEC, Xerox, IBM, Apple and MIT all received "class A" address blocks of nearly 17 million addresses. (So HP, which acquired DEC, has more than 33 million addresses.) More to the point, reclaiming those blocks would be a huge effort and only buy us a few more years: we currently burn through a class A block in five weeks. It's debatable how long we can make the IP address space last, but you can only keep squeezing the toothpaste tube for so long before it makes sense to buy a new one, even if the old one isn't technically empty. So in the early 1990s, the IETF started its "IP next generation" effort.

Larger addresses

The IPng project eventually resulted in IPv6 in 1995. In addition to the source and destination addresses and other housekeeping information, each IP packet contains a version number. For reasons lost in the mists of time, current IP packets have version number 4, and the first version number available for the new protocol was 6. So the old IP is now called IPv4, and the new IP IPv6.

Apart from autoconfiguration and a lot of minor details that are best left to another article, IPv6 first and foremost sports larger addresses. Much larger addresses. 40 or 48 bits would have given us more than a trillion or even 281 trillion addresses, respectively, and 64 bits would have been a nice round number. But as the axiom goes, once bitten, twice shy, so the IETF opted for 128 bits this time around. The total number of possible addresses that this gives us: 340,282,366,920,938,463,463,374,607,431,768,211,456. To put this into perspective: there are currently 130 million people born each year. If this number of births remains the same until the sun goes dark in 5 billion years, and all of these people live to be 72 years old, they can all have 53 times the address space of the IPv4 Internet for every second of their lives. Let nobody accuse the IETF of being frugal this time around.

Traditionally, IPv4 addresses are written down by splitting them into four 8-bit values and putting periods between those. IPv6 addresses, on the other hand, are written down as eight 16-bit values with colons between them, and each 16-bit value is displayed in hexadecimal, i.e., using numbers and the letters A - F. It's not uncommon for IPv6 addresses to have a sequence of consecutive zeroes. In these cases, exactly one of those sequences can be left out. So 2001:db8:31:0:0:0:0:1 becomes 2001:db8:31::1 and the IPv6 loopback address 0:0:0:0:0:0:0:1 becomes ::1.

Stateless autoconfiguration

Although in most regards IPv6 is still IP and works pretty much the same as IPv4, the new protocol departs from IPv4 in some ways. With IPv4, you need a DHCP server to tell you your address if you don't want to resort to manual configuration. This works very well if there's a single DHCP server, but not so much when there's more than one and they supply conflicting information. It can also be hard to get a system to have the same address across reboots with DHCP.

With IPv6, DHCP is largely unnecessary because of stateless autoconfiguration. This is a mechanism whereby routers send out "router advertisements" (RAs) that contain the upper 64 bits of an IPv6 address, and hosts generate the lower 64 bits themselves in order to form a complete address. No configuration is required, either on the host or a DHCP server. The bottom 64 bits of an IPv6 address, called the "interface identifier" in IPv6 parlance, are generated from a MAC address by flipping a bit and adding the bits ff:fe in the middle. So the Ethernet MAC address 00:0a:95:f5:24:6e results in 20a:95ff:fef5:246e as the lower 64 bits of an IPv6 address, for example 2001:db8:31:1:20a:95ff:fef5:246e. This way, if all the routers send out the same prefix for the upper 64 bits, the host will always configure the same IPv6 address for itself.

Alternatively, a host may generate its IPv6 address using a random number so its MAC address remains hidden from the rest of the Internet. Windows uses this type of addresses for outgoing sessions to aid privacy. Other operating systems can also generate these temporary addresses (a new one is generated every 24 hours) but don't do so by default.
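As an added illustration (my code, not the article's), the Python script below uses only the standard library's ipaddress module to perform the transformations just described: it builds the modified EUI-64 interface identifier from a MAC address (flip the universal/local bit, insert ff:fe), combines it with a router-advertised /64 prefix or the fe80::/64 link-local prefix, and compresses the result. It also shows the reverse, recovering the MAC address from such an address, which is exactly what the random, temporary addresses mentioned above are meant to prevent. The prefix 2001:db8:31:1::/64 and the MAC 00:0a:95:f5:24:6e are the article's own sample values; the function names are mine.

```python
import ipaddress
import secrets

# Added example (not from the article): derive IPv6 interface identifiers and
# addresses the way stateless autoconfiguration does, and write them compressed.


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC address:
    invert the universal/local bit (0x02 of the first byte) and insert
    0xfffe between the vendor (OUI) half and the device half."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def random_interface_id() -> int:
    """Random 64-bit interface identifier, as used by 'temporary' privacy
    addresses, so the address does not reveal the MAC address."""
    return secrets.randbits(64)


def address_from_prefix(prefix: str, interface_id: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (from a router advertisement) with an interface id."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 link-local address every IPv6 host forms, router or not."""
    return address_from_prefix("fe80::/64", eui64_interface_id(mac))


def mac_from_eui64_address(addr: str):
    """Recover the MAC from an EUI-64 based address, or None when the interface
    identifier lacks the ff:fe marker (for example a temporary address)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


def compress(addr: str) -> str:
    """Shortest textual form: one run of zero groups replaced by '::'."""
    return ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    mac = "00:0a:95:f5:24:6e"  # the article's sample MAC address
    iid = eui64_interface_id(mac)
    print(f"interface id: {iid:x}")
    print("global:", address_from_prefix("2001:db8:31:1::/64", iid))
    print("link-local:", link_local_from_mac(mac))
    print("compressed:", compress("2001:db8:31:0:0:0:0:1"), compress("0:0:0:0:0:0:0:1"))
    print("MAC recovered:", mac_from_eui64_address("2001:db8:31:1:20a:95ff:fef5:246e"))
    temp = address_from_prefix("2001:db8:31:1::/64", random_interface_id())
    print("temporary:", temp, "-> MAC recovered:", mac_from_eui64_address(str(temp)))
```

The last line is the privacy argument in one run: the EUI-64 address gives the MAC straight back, the random one (barring a 1-in-65536 accidental ff:fe) does not.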

When a router sends out several address prefixes, or several routers send out different address prefixes, hosts simply create addresses from each of those prefixes. Routers can make the hosts connected to them renumber their IPv6 addresses by removing the old prefix and advertising a new one. When done right, this is completely seamless.

Although the DHCPv6 protocol (the IPv6 version of DHCP) can give out IPv6 addresses the same way IPv4 DHCP servers give out IPv4 addresses, I haven't encountered any DHCPv6 servers or DHCPv6 clients that support this capability. With IPv6, DHCP is mostly used to distribute additional information, such as DNS server addresses, although there will be a way to do this through router advertisements as well soon, further diminishing the need for DHCP in IPv6.

Special address types

In addition to regular "global unicast" addresses as discussed on the previous page, IPv6 has several other types of addresses. I don't want to mention them all, but the three most important special purpose address types are:

Link local
Link local addresses are used to communicate over a single physical or logical subnetwork, such as an Ethernet. These addresses start with fe80 and are extensively used for IPv6's internal house keeping.

Site local
This is the IPv6 equivalent of the RFC 1918 private address space in IPv4. However, the IETF found the situation where different organizations use the same address space undesirable, so they created "unique site local" addresses where everyone takes a randomly selected block out of the IPv6 address space starting with fd.

Multicast
A multicast address is a group address, so every packet sent to a multicast address is received by all members of the group. Multicast addresses start with ff and can be used for applications where several hosts must receive the same information at the same time, such as live video broadcasts and also for autoconfiguration and discovery. IPv4 hosts use broadcasts for discovery functions. For instance, when running over Ethernet or WiFi, it's necessary to know the destination MAC address in order to be able to send a packet over Ethernet. So IPv4 simply broadcasts "who has 192.0.2.31?" to all systems on the network in question, and sees what comes back. IPv6, on the other hand, sends these packets to a multicast address, so only IPv6 hosts listening for these requests get to see them; on other systems the Ethernet hardware simply ignores the packets, and it's even possible for switches to filter them out by keeping track of the multicast groups hosts are listening on for each switch port.

IPv6 security

There is a lot of talk about how IPv6 is more secure than IPv4. This boils down to two things, one of them is real, the other isn't. The idea was to give IPv6 security a big push by making IPsec support mandatory. Unlike the widely used SSL, which only works on top of TCP, IPsec encrypts each individual packet, so it can be applied to all IP traffic. However, it's very difficult to build IPsec support into applications, for a number of reasons, so it never gained much real-world use except as a mechanism to implement VPNs. And despite the fact that IPsec was developed for IPv6 or at least with IPv6 in mind, it also works with IPv4. All in all, IPsec can't be considered a security advantage for IPv6.

The good news is that because the IPv6 address space is so large, randomly scanning for systems that are vulnerable is completely infeasible. The story goes that at the height of the self-propagating malware explosion a few years ago, an unpatched Windows system would be infected faster than it could download the necessary security updates. With IPv6, that is simply impossible: even with a billion infected hosts each scanning a billion IPv6 addresses per second, it takes more than a hundred million years to scan just the IPv6 address space that's given out to ISPs right now, which is about 0.01 percent of what's available. However, targeted scanning, although not easy, is still possible. By monitoring IPv6 autoconfiguration traffic or by trying link local addresses created from MAC addresses seen in other types of traffic, it's not too difficult to find the addresses in question. An even easier method is sending out a multicast ping. Windows blocks these, but BSD/Mac/Linux generally send back replies. On systems where the IPv6 networking stack derives from the KAME implementation, such as the BSD family and MacOS, the command line on these systems is:

ping6 -I interface-name ff02::1

Use the ifconfig command to find interface names. Type man ping6 to find out more; there are additional ping6 options that are even more helpful for nosy types.

With IPv4, there will generally be a NAT device that functions as a simple firewall by blocking incoming sessions (although there are ways to trick NATs into allowing them). Since there are more than enough public addresses to go around in IPv6, along with the dislike for NAT in IETF circles, there is almost never any NAT with IPv6, so no automatic protection against incoming sessions, so security measures like those used with IPv4 are still necessary. This lack of automatic basic firewalling that comes with NAT is only the beginning. Let me reiterate a point I made earlier: a host that has IPv6 turned on will create a link local address for itself, even if there's no IPv6 router sending out router advertisements. This means that any host that has IPv6 enabled—out of the box for Windows Vista, Mac OS X, and most Linux and BSD distributions—is reachable over IPv6 for hosts connected to the same Ethernet.

Many software firewalls that run on the to-be-firewalled host itself only support IPv4 and don't get in the way of IPv6 packets at all. The Windows and Mac OS built-in firewalls don't have this problem, but if you're doing any firewalling on Linux or BSD (or command line firewalling with Mac OS X), make sure that it, too, filters IPv6. On the BSD/Linux side, a good choice in this regard is the pf firewalling package, because unlike iptables, ipfw, or ipf, it supports both IPv4 and IPv6 and allows rules that apply to both. A stateful filter that allows outgoing connections and return traffic, but not incoming connections, comes closest to the IPv4 NAT filtering functionality. Now that Microsoft has enabled IPv6 by default in Vista (it can be turned on and off with ipv6 install and ipv6 uninstall in XP), we can probably expect more IPv6-enabled home routers like Apple's draft-802.11n Airport Extreme in the future. If you have a router or home gateway that supports IPv6, make sure that your services are firewalled over IPv6, too.

Running IPv6

Although designing a new protocol isn't exactly trivial, the hard part is getting it deployed. Having to put an entire new infrastructure in place or flipping a switch from "IPv4" to "IPv6" for the current Internet aren't feasible. To avoid these issues as much as possible, the IETF came up with a number of transition techniques. The most important ones are dual stack and tunneling. Dual stack is nothing more than the notion that a host can run both IPv4 and IPv6 side by side, so it can talk to IPv4 hosts over IPv4 and to IPv6 hosts over IPv6. As mentioned earlier, though, most modern operating systems are set up for dual-stack operation by default. So if there's an IPv6 router on the local network that advertises an IPv6 prefix, a host will generate an IPv6 address for itself so it can talk to the IPv6 Internet. Tunneling means that when IPv6 packets must cross part of the network that only supports IPv4, the IPv6 packets are put inside IPv4 packets, transmitted across the IPv4-only part of the network, and then the IPv4 part is removed and the packets continue on their way over IPv6.
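To make the filtering policy from the firewall discussion above concrete, here is an added example (mine, not the article's, and not pf syntax) in Python: a toy stateful filter that lets outgoing sessions and their return traffic through and drops unsolicited incoming sessions, the behaviour the text compares to IPv4 NAT. It adds the one caveat a real IPv6 ruleset must honour: the ICMPv6 Neighbor Discovery messages that autoconfiguration and address resolution depend on have to be allowed in, while a packet claiming to be one of them but arriving with a hop limit other than 255 has been forwarded from elsewhere and can be dropped. The packet record, the addresses and the sample traffic are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Added example (not from the article): a toy stateful IPv6 packet filter with
# the policy the text recommends as the closest thing to IPv4 NAT behaviour:
# outgoing sessions and their return traffic pass, unsolicited incoming sessions
# are dropped. Unlike a naive "block everything inbound" rule it still admits the
# ICMPv6 Neighbor Discovery traffic without which IPv6 cannot work at all.

Packet = namedtuple("Packet", "direction proto src dst sport dport icmp_type hop_limit")

# ICMPv6 message types (RFC 4443 / RFC 4861 values)
ECHO_REQUEST, ECHO_REPLY = 128, 129
ROUTER_SOL, ROUTER_ADV, NEIGHBOR_SOL, NEIGHBOR_ADV = 133, 134, 135, 136
ND_TYPES = {ROUTER_SOL, ROUTER_ADV, NEIGHBOR_SOL, NEIGHBOR_ADV}


class StatefulFilter:
    """Remembers sessions opened from the inside; an inbound packet passes only
    if it belongs to one of them or is valid Neighbor Discovery."""

    def __init__(self):
        # (proto, local_addr, local_port, remote_addr, remote_port); ports are 0 for ICMPv6
        self.sessions = set()

    def decide(self, pkt):
        src, dst = ipaddress.IPv6Address(pkt.src), ipaddress.IPv6Address(pkt.dst)
        if pkt.direction == "out":
            # Record the session so that the reply is allowed back in.
            self.sessions.add((pkt.proto, src, pkt.sport, dst, pkt.dport))
            return "pass"
        # Everything below is inbound.
        if pkt.proto == "icmp6" and pkt.icmp_type in ND_TYPES:
            # RFC 4861: ND messages are sent with hop limit 255 and never routed;
            # a lower hop limit means the packet crossed a router, so drop it.
            return "pass" if pkt.hop_limit == 255 else "block"
        if pkt.proto == "icmp6":
            if pkt.icmp_type == ECHO_REPLY and ("icmp6", dst, 0, src, 0) in self.sessions:
                return "pass"
            return "block"  # covers unsolicited echo requests, e.g. a ping to ff02::1
        # TCP/UDP: return traffic matches the recorded session with ends swapped.
        key = (pkt.proto, dst, pkt.dport, src, pkt.sport)
        return "pass" if key in self.sessions else "block"


def run(packets):
    """Apply one filter instance to a packet sequence; returns the verdicts."""
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]


# Constructed sample traffic for a host on 2001:db8:31:1::/64.
HOST = "2001:db8:31:1:20a:95ff:fef5:246e"
SAMPLE = [
    Packet("in", "icmp6", "fe80::1", "ff02::1", 0, 0, ROUTER_ADV, 255),         # router advertisement
    Packet("out", "tcp", HOST, "2001:db8:ffff::80", 50000, 80, None, 64),       # web request
    Packet("in", "tcp", "2001:db8:ffff::80", HOST, 80, 50000, None, 57),        # its reply
    Packet("out", "icmp6", HOST, "2001:db8:ffff::80", 0, 0, ECHO_REQUEST, 64),  # our ping
    Packet("in", "icmp6", "2001:db8:ffff::80", HOST, 0, 0, ECHO_REPLY, 57),     # its reply
    Packet("in", "tcp", "2001:db8:bad::1", HOST, 4444, 22, None, 60),           # unsolicited SSH
    Packet("in", "icmp6", "fe80::dead", "ff02::1", 0, 0, ECHO_REQUEST, 64),     # multicast ping
    Packet("in", "icmp6", "2001:db8:bad::1", HOST, 0, 0, NEIGHBOR_SOL, 64),     # "ND" that was routed
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{verdict:5} {pkt.direction:3} {pkt.proto:5} {pkt.src} -> {pkt.dst}")
```

The sample run shows the two things the text asks for: the web and ping replies come back in while the SSH attempt and the multicast ping do not, and the router advertisement that autoconfiguration relies on is still accepted. Translating this into a real pf, ip6tables or ipfw ruleset means the same three rule groups: pass out keep state, pass in ICMPv6 Neighbor Discovery, block in everything else.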

Note that there's no requirement that your ISP supports the new protocol in order to use IPv6: an IPv6-enabled router or a host itself can use a tunnel to reach the IPv6 Internet. There are several tunneling techniques, but the most common ones are "manual" IPv6 in IP tunnels where the exact path of the tunneled IPv6 packets is set up through manual configuration, and 6to4 automatic tunneling. With 6to4, a host or router can create a range of IPv6 addresses from its IPv4 address. 6to4 addresses are easily recognizable because they always start with 2002. Because every 6to4-derived IPv6 address maps to an IPv4 address, it's easy for a system that understands 6to4 to tunnel the IPv6 packets to the right place over IPv4. Gateways make it possible for native IPv6 systems to communicate with 6to4 systems. 6to4 is easy to use because it doesn't require any configuration, and has the added bonus that it comes with built-in IPv6 address space. However, only public IPv4 addresses can be used for 6to4, so hosts behind NAT can't do 6to4 tunneling, and another limitation is the dependence on public gateways, which makes 6to4 slower and less reliable than other forms of IPv6 connectivity.

Note that Windows Vista (and Windows XP with IPv6 enabled) have 6to4 enabled by default when the system has a public IPv4 address. The same is true for the new Airport Extreme, which will send out router advertisements with its 6to4 IPv6 address prefix so hosts connected to it will configure an IPv6 address and be tunneled over 6to4 by the router. 6to4 is also relatively easy to turn on with Mac OS X and BSD/Linux. If you're serious about IPv6, you'll want to set up a manual tunnel. If your ISP offers this service, that's the best choice to avoid unnecessary tunnel detours, but one of the many tunnel brokers is a good alternative.
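An added example (mine, not the article's) of the 6to4 arithmetic in Python: the prefix 2002:VVVV:VVVV::/48 is formed by placing the 32-bit IPv4 address V.V.V.V directly after the 16-bit 2002 prefix, and the IPv4 tunnel endpoint for any 6to4 destination is read back out of those same bits. The check refuses the RFC 1918 blocks the article lists (plus loopback and link-local), which is why a host behind NAT gets no usable 6to4 prefix. The IPv4 address 192.0.2.31 is the article's own sample value, treated here as public; the function names are mine.

```python
import ipaddress

# Added example (not from the article): derive 6to4 prefixes and addresses from
# an IPv4 address, and find the IPv4 tunnel endpoint embedded in a 6to4 address.

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")

# Addresses that cannot be tunnel endpoints: the RFC 1918 blocks the article
# lists, plus loopback and link-local (anything not reachable from the Internet).
NOT_USABLE = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
    ipaddress.IPv4Network("127.0.0.0/8"),
    ipaddress.IPv4Network("169.254.0.0/16"),
]


def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:VVVV:VVVV::/48 for the public IPv4 address V.V.V.V.
    Raises ValueError for addresses that cannot be tunnelled, so a host behind
    NAT never gets a 6to4 prefix from its private address."""
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in NOT_USABLE):
        raise ValueError(f"{ipv4} is not a public IPv4 address; 6to4 needs one")
    # The 32 IPv4 bits sit directly below the 16-bit 2002 prefix: bits 16..47.
    network_int = int(SIXTOFOUR.network_address) | (int(v4) << 80)
    return ipaddress.IPv6Network((network_int, 48))


def sixtofour_address(ipv4: str, subnet: int = 0, host: int = 1) -> ipaddress.IPv6Address:
    """One address out of the /48: a 16-bit subnet id, then a 64-bit host part
    (which can be an EUI-64 interface identifier just like a native prefix)."""
    if not 0 <= subnet < 1 << 16 or not 0 <= host < 1 << 64:
        raise ValueError("subnet must fit in 16 bits and host in 64 bits")
    base = int(sixtofour_prefix(ipv4).network_address)
    return ipaddress.IPv6Address(base | (subnet << 64) | host)


def embedded_ipv4(ipv6: str):
    """Where a packet for this destination must be tunnelled to over IPv4.
    Returns None for addresses outside 2002::/16: those are native IPv6 and
    have to go through a 6to4 gateway instead."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("prefix:", sixtofour_prefix("192.0.2.31"))
    print("router address:", sixtofour_address("192.0.2.31"))
    print("host on subnet 1:", sixtofour_address("192.0.2.31", subnet=1, host=0x020A95FFFEF5246E))
    print("tunnel endpoint:", embedded_ipv4("2002:c000:21f::1"))
    print("native, needs gateway:", embedded_ipv4("2001:db8::1"))
    try:
        sixtofour_prefix("192.168.1.1")
    except ValueError as err:
        print("behind NAT:", err)
```

The standard library also exposes the embedded endpoint directly as `IPv6Address.sixtofour`; the manual shift above is kept so the bit layout is visible.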

Systems with IPv6 connectivity (regardless of the type) decide whether to use IPv4 or IPv6 to reach a destination by consulting the DNS. Communication over the Internet requires addresses, but we generally work with domain or www names. The DNS takes care of the difference by having one or more A (address) records that contain an IPv4 address associated with a given name. If a system also has an IPv6 address, this is added to the DNS with an AAAA (quad-A) record. Hosts that only have IPv4 connectivity ignore the AAAA records, but dual stack hosts ask the DNS for both the A and AAAA records. They will then generally prefer to connect to a destination over IPv6 if possible, and use IPv4 if there's no AAAA record in the DNS or connecting over IPv6 doesn't work. Some applications and/or OSes always ask for AAAA records when IPv6 is turned on, which creates a problem with some (increasingly rare) buggy DNS servers that return an error after an AAAA query. In these cases, turning off IPv6 can make surfing the web a lot faster. Internet Explorer under Windows, Safari on Mac OS X 10.4, and Firefox under Windows, Linux and BSD will use IPv6 when available on the system, but Firefox on the Mac has IPv6 turned off in about:config.

You can see if your computer has working IPv6 connectivity by connecting to www.kame.net or www.apnic.net. KAME is a Japanese project that built an IPv6 networking stack for BSD and Mac OS. Their mascot is a turtle, which dances if you connect over IPv6. APNIC is responsible for giving out IP addresses in the Asia-Pacific region, and their web site will tell you your IP address (IPv4 or IPv6) in the top left corner of the page.

IPv6 and the future of home networking

Although stateless autoconfig works very differently from DHCP, in practice IPv6 works much the same as IPv4 in a home network: computers and other devices automatically get an address from a router, modem or gateway so they can connect to the 'Net without manual intervention. Firewalling is a bit different, because with IPv4, most people don't have the option to keep their network completely open. When IPv6 takes off, we'll probably see a new class of home firewall products that allow more granular blocking of services and devices in a home IPv6 network than either block incoming sessions or allow everything, like we have in today's first IPv6 home routers. The abundance of address space also makes it possible to have separate subnetworks for different purposes, which will be helpful as more and more devices connect to the network.

And we still have a lot to look forward to: the IETF is currently working on mobility and multihoming extensions to IPv6. Mobility means moving from one network to another while keeping the same IP address. So a VoIP call could start on your home network, continue over wireless service and then finish at work. Multihoming means connecting to more than one ISP at the same time, so that when one fails, communication sessions automatically move over to the other.

Moral of the story

Although IPv6 is taking its sweet time to conquer the world, it's now showing up in more and more places, so you may actually run into it one of these days. If you're working on security, keep your eye out for IPv6 because if overlooked, IPv6 could allow things that are blocked over IPv4.

And if you're buying expensive equipment, you may want to make sure that if it doesn't do IPv6 today, it's at least upgradable, so you can still use your gear if IPv6 picks up more quickly than expected as IPv4 addresses run out. And it never hurts to experiment a bit with the new protocol so you know how it works by the time you need it.