IPv6 Fundamentals
Or, common terminology and concepts that make getting started in IPv6 easier
Nick Buraglio
Planning and Architecture
ESnet
ESCC Spring 2024 Meeting
Who should use this resource?
What is not in this resource
Table of Contents (What is in this resource)
IPv6 Fundamentals
Caveat Emptor
The purpose of this IPv6 primer is to provide a solid foundation to build from. As with all things technology, there will be times when the content here does not cover an edge case or specific scenario, or when it provides a slightly simplified view in order to illustrate the information necessary to encompass the basics of a topic.
Terminology
Why use IPv6?
IPv6 deployment has accelerated at a frantic pace over the last 8 years, reaching 45% of measured traffic (statistics via Google).
Content providers, mobile carriers, and most large broadband providers are now offering dual-stacked networks by default.
US government requires the retirement of IPv4
IPv6 provides opportunities that IPv4 did not
IPv4 problems that IPv6 solves
Basic Differences between IPv4 and IPv6
IPv4
32-bit addresses - 128.66.0.1/24
Subnetting was a late addition (CIDR)
Requires helper applications for configuration (DHCP)
No included address privacy mechanisms (RFC1918 is the closest analog)
IPv6
128-bit addresses - 2001:db8:c0ff:ee::1/64
Written with the mask (see above)
Built in auto-configuration (SLAAC)
Privacy extensions included
Default end-to-end transparency (no address translation required)
Basic Differences between IPv4 and IPv6
IPv4
Addressing is an exhausted resource
Limited and overlapping “private” resources
One address per interface by default
No scoped communication between hosts*
* IPv4 uses the same address for all on-link (i.e. same layer 2 segment) communication that it does for off-link (i.e. via router) communication.
IPv6
Functionally unlimited addressing
Multiple addresses per interface as default behavior
Significant scoping of addresses and associated behavior
Addressing
2001:0db8:0001:c0ff:00ee:0000:0000:0001/64
EUI-64 vs. Privacy Addressing
The IID used to be based on an encoding of the device's hardware MAC address, known as EUI-64. This has been replaced by privacy extensions as defined in RFC4941, which does not use a hardware address to generate the interface identifier.
Although RFC4941 was created in 2007, many IoT devices still use the legacy EUI-64 mechanism. This is largely considered less desirable and is a security consideration to be noted.
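An added example (not part of the original slides) showing why EUI-64 is a security consideration: the interface identifier can be reversed into the device's MAC address, which is a practical way to audit an address inventory for hosts that still use it. The MAC address and the sample list are constructed; the second address is the one used later in this primer.

```python
import ipaddress

def iid_from_mac(mac: str) -> bytes:
    """Build the modified EUI-64 interface identifier for a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe in the middle and flip the universal/local bit (0x02).
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def mac_from_address(addr: str):
    """Return the embedded MAC if the low 64 bits look like EUI-64, else None.

    A random IID can contain ff:fe by chance (about 1 in 65536), so treat a
    hit as a strong hint to confirm, not as proof.
    """
    ip = ipaddress.IPv6Address(addr.split("/")[0])
    iid = ip.packed[8:]                      # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)

def audit(addresses):
    """Map each address to the MAC it exposes (None when no EUI-64 pattern)."""
    return {a: mac_from_address(a) for a in addresses}

# Constructed sample data: documentation prefix, made-up MAC.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE = [
    "2001:db8:1:c0ff:211:22ff:fe33:4455/64",     # EUI-64 derived
    "2001:db8:abcd:ef12:9428:cc8d:5ffc:9d7/64",  # non-EUI-64 IID
    "fe80::211:22ff:fe33:4455",                  # link-local, same device
]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE).items():
        print(f"{addr:45} {mac or 'no EUI-64 pattern'}")
```

The first and third addresses resolve to the same MAC, which is what makes an EUI-64 host trackable across prefixes.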
Addressing
2001:0db8:0001:c0ff:00ee:0000:0000:0001/64
Is the same address as
2001:DB8:1:C0FF:EE::1/64
Is the same address as
2001:db8:1:c0ff:ee::1/64
Preceding zeros can be “compressed” for easier consumption.
Different hardware will display IPv6 addresses differently.
Addressing
2001:0db8:0001:c0ff:00ee:0000:0000:0001/64
Network (48 bits): 2001:0db8:0001
Subnet (16 bits): c0ff
Host (64 bits): 00ee:0000:0000:0001
Prefix length: /64
Addressing
Three types of addresses in IPv6 (typically)
GUA - Global Unicast Addressing
LL - Link Local
ULA - Unique Local
Addressing
Addresses in IPv6 (typically)
GUA - 2001::/3 - Addresses provided by ISPs, exist on servers. “Public”
Link Local - fe80::/10 - Interface specific, local to a segment.
ULA - fc00::/7* - Local to a site. “Private”
* this is not analogous to RFC1918 space and has very specific use cases
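An added example (not from the original slides) tying together the notation rules and the address types above: it reduces differently written addresses to one canonical form and labels each with its type, which is what you need before comparing addresses from different devices' logs or rule sets. The function names and the sample list are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Prefixes as listed in this primer. strict=False reads "2001::/3" as the /3
# block that contains it (ipaddress prints that block as 2000::/3).
TYPES = [
    ("GUA", ipaddress.ip_network("2001::/3", strict=False)),
    ("Link Local", ipaddress.ip_network("fe80::/10")),
    ("ULA", ipaddress.ip_network("fc00::/7")),
    ("Multicast", ipaddress.ip_network("ff00::/8")),
]

def canonical(text: str) -> str:
    """Lower-case, zero-compressed form, with any /length or %zone removed."""
    host = text.strip().split("/")[0].split("%")[0]
    return str(ipaddress.IPv6Address(host))

def address_type(text: str) -> str:
    """Name of the first listed prefix containing the address, else 'Other'."""
    ip = ipaddress.IPv6Address(canonical(text))
    for name, net in TYPES:
        if ip in net:
            return name
    return "Other"

def summarise(seen):
    """Count sightings per (canonical address, type), merging spelling variants."""
    return Counter((canonical(s), address_type(s)) for s in seen)

# Constructed sightings, as different devices might print them.
SEEN = [
    "2001:0db8:0001:c0ff:00ee:0000:0000:0001/64",
    "2001:DB8:1:C0FF:EE::1/64",
    "2001:db8:1:c0ff:ee::1",
    "FE80::1%eth0",
    "fd12:3456:789a::10",
    "ff02::1",
]

if __name__ == "__main__":
    for (addr, kind), count in summarise(SEEN).items():
        print(f"{count}x {addr:28} {kind}")
```

Comparing the raw strings would treat the first three entries as three different hosts; after canonicalisation they collapse into one.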
Addressing
Link local: for speaking on the local segment (i.e. link). Not routable or available outside of the layer 2 segment / VLAN
SLAAC: Autoconfigured address. Generally used for outbound communication
Static: Generally used for inbound communication, manually configured
Host may have more temporary addresses or no temporary addresses
Hosts will have multiple IPv6 addresses per interface
All addresses are valid and usable
[Figure labels: IPv4, Static IPv6, Link Local, SLAAC IPv6]
GUA - Global Unicast Addressing, public addressing
Addressing
It is very uncommon to have a subnet that is not a /64
RFC 7381 states that “All user access networks should be a /64.”
All host networks should be /64*, any other subnet length breaks fundamental parts of IPv6 such as SLAAC.
* exceptions exist but are out of scope for this document
Types of IPv6 communication
IPv4 to IPv6 internal communication comparison
IPv4 | IPv6
Broadcast | Multicast
ARP | NDP
DHCP | RA/SLAAC/DHCPv6*
*DHCPv6 requires SLAAC to function; is not universally supported
Types of IPv6 communication
*certain unicast addresses within the IPv6 address space are reserved
Use of multicast
The use of multicast within IPv6 should not be confused with “IPv6 multicast”, which is the IPv6 analog to IPv4 multicast and is largely unused. IPv6 uses multicast for link local communication and for fundamental operations, as a native part of its process.
[Figure labels: IPv6 use of multicast, IPv6 multicast, IPv4 multicast; application use, protocol use]
Use of multicast
There are a number of well-known IPv6 multicast addresses which will be present on all segments.
Common and important IPv6 Multicast groups include
All IPv6 Multicast will be contained in FF00::/8
ff02::1 all nodes
ff02::2 all routers
ff02::5 all OSPF (Open Shortest Path First) routers
ff02::6 all OSPF DRs (OSPF Designated Routers)
ff02::9 all RIP (Routing Information Protocol) routers
ff02::a all EIGRP (Enhanced Interior Gateway Routing Protocol) routers
ff02::d all PIM (Protocol Independent Multicast) routers
ff02::f UPNP (Universal Plug and Play) devices
ff02::11 all homenet nodes
ff02::12 VRRP (Virtual Router Redundancy Protocol)
ff02::16 all MLDv2-capable routers
ff02::1a all RPL (Routing Protocol for Low-Power and Lossy Networks) routers (used in Internet of Things (IoT) devices)
ff02::fb multicast DNS IPv6
ff02::101 network time (NTP)
ff02::1:2 all DHCP agents
ff02::1:3 LLMNR (Link-Local Multicast Name Resolution)
ff02:0:0:0:0:1:ff00::/104 solicited node address
ff02:0:0:0:0:1-2:ff00::/104 node information query
ff05::1:3 all DHCP server (site)
ff05::101 all NTP server (site)
Neighbors
Neighbor solicitation (NS), neighbor discovery (ND), and the neighbor table are all parts of the same overall process of identifying layer 2 adjacencies (neighbors). This process contains an analog to ARP in IPv4.
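An added example (not from the original slides) connecting the solicited node address in the multicast list to neighbor solicitation: it derives the multicast group, and the matching Ethernet destination, that an NS for a given address is sent to. This is useful when writing capture filters or reviewing why NDP traffic must be allowed on a segment. Function names are illustrative; the addresses are the documentation examples used in this primer.

```python
import ipaddress

# Solicited-node prefix, written on the slide as ff02:0:0:0:0:1:ff00::/104.
SOLICITED_NODE = ipaddress.ip_network("ff02::1:ff00:0/104")

def solicited_node_group(addr: str) -> ipaddress.IPv6Address:
    """Prefix above plus the low 24 bits of the unicast address."""
    ip = ipaddress.IPv6Address(addr.split("/")[0])
    low24 = int(ip) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24)

def ethernet_multicast(group: ipaddress.IPv6Address) -> str:
    """Layer 2 destination for an IPv6 multicast group: 33:33 + low 32 bits."""
    return "33:33:" + ":".join(f"{b:02x}" for b in group.packed[-4:])

def ns_destination(target: str):
    """(IPv6 destination, Ethernet destination) of an NS resolving target."""
    group = solicited_node_group(target)
    return str(group), ethernet_multicast(group)

def is_expected_ns(target: str, observed_dst: str) -> bool:
    """True if an observed NS destination is the right group for target."""
    dst = ipaddress.IPv6Address(observed_dst)
    return dst in SOLICITED_NODE and dst == solicited_node_group(target)

if __name__ == "__main__":
    for target in ("2001:db8:abcd:ef12:9428:cc8d:5ffc:9d7/64",
                   "2001:db8:1:c0ff:ee::1/64"):
        print(target, "->", ns_destination(target))
```

Unlike an ARP broadcast, the solicitation reaches only hosts sharing those last 24 bits, so each address a host holds adds a group it must listen on.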
Address planning best practices
From a user's perspective, IPv6 behavior is very close to that of IPv4. They are both datagram-based protocols that provide Layer 3 connectivity to resources.
From an engineering and operations perspective, topology will likely be the same for both IPv4 and IPv6, i.e. the architecture of the network will probably be the same.
From a numbering perspective, IPv4 has significant limits and will likely have subnets of different sizes, whereas IPv6 host networks will be /64 almost universally.
Address planning best practices
Given the vast address space provided by IPv6, it is suggested to be generous with address planning and provisioning. This approach should be applied to both requesting resources from an RIR, and building an address plan for a WAN, Campus, or Data Center.
IPv6 addressing is plentiful, and conservation should be decoupled from the planning process as much as possible. However, any retrofit of an existing network should take the limitations of IPv4 into account.
Restated: IPv6 is not IPv4, and parallel thinking is not recommended. Do not build an IPv6 address plan like an IPv4 plan would be built.
Assigning addresses
By default, addresses are assigned by a mechanism called SLAAC, as defined by RFC4862.
SLAAC stands for “Stateless Address Autoconfiguration”
Supporting SLAAC is a requirement for IPv6 compliance (i.e. all devices need to do it)
A network must be a /64 prefix length to support SLAAC (i.e. a network with a subnet mask that is not a /64 will not support SLAAC)
Assigning addresses
SLAAC provides the following:
Subnet prefix: 2001:db8:abcd:ef12 (the first 64 bits of 2001:db8:abcd:ef12:9428:cc8d:5ffc:9d7/64)
Hosts provide the “host portion” of the address: 9428:cc8d:5ffc:9d7 (the last 64 bits of 2001:db8:abcd:ef12:9428:cc8d:5ffc:9d7/64)
Anatomy of a router advertisement
Host behaviors
IPv6 will be preferred, if available, in a dual stacked environment where the device has a GUA address
Host behaviors
Unlike IPv4, packet fragmentation of IPv6 happens on the host system, not at the network device
IPv6 standards require certain functions to be supported to be standards compliant.
Other relevant caveats
Terms such as “IPv6 support” and “IPv6-only” are vague and have different meanings to different people and vendors.
Be explicit when asking for IPv6 support, and ask for detailed explanations of their interpretation of those terms.
Emerging standards
In the last few years IPv6 has rapidly evolved to support new capabilities, changing needs, policy requirements, and to address operational experience pain points. Running IPv6 in general and IPv6 without IPv4 has become significantly more supportable because of these evolutionary steps.
Emerging standards
Link addressing:
Many newer schools of thought also recommend a /64 for all links, including point to point and loopback.
Most of the reasoning behind smaller prefixes has been addressed, and a /64 of TCAM is utilized even for shorter prefixes.
Prefix per host:
A recently adopted standard, this technique adopts a broadband-similar approach of providing a prefix to a given host. This allows for significant scalability in very large environments while keeping the neighbor table of an upstream network element to a minimum.
IPv6-mostly:
A newer standard sometimes called “option 108” for the DHCP option number that it employs, this technique uses IPv4 DHCP to signal that a network supports IPv6-only, disabling IPv4 on hosts that support it while still providing legacy IPv4 support for hosts that require it.
References
Additional topics to weave in
(?) We pre-provision/automate the creation of DNS A records based on site templates. How should we handle this if using SLAAC?
(?) If we have PI space and are multi homed to the Internet in multiple locations, and we don’t NAT, how do we ensure symmetric return for stateful security devices?
(?) Everything is set up correctly, why does it not work? (“Is there a fw blocking ICMP?”) << (the point here is to emphasize the importance of ICMP vs. the annoyance of overly aggressive firewalls blocking ICMP with v4)
(?) If I have multiple IPv6 addresses, which one do we put in our firewall rule request, and what happens if a new one appears?