IPv6, the Summary

December 12, 2020
network ipv6

Here we go. I tried to make it short, but obviously failed. IPv6 is a complicated topic, and this article is mostly a memory dump, so the end result is not really suitable for beginners. But with a minimal networking background you should be able to fill in the gaps using the links.

DISCLAIMER This is how I wished somebody had explained IPv6 to my younger self. It might be inaccurate. It might contain errors. It may contain personal recommendations from my own vision or usage of the protocol. Tell me on twitter @youngyukari or send me a mail at <blog_at_$thisdomain.tld> if you find something I should fix.

If you already know everything and are just looking for a good read, I suggest:

The fundamentals: How is IPv6 different from IPv4?

IPv4 addresses are 32 bits long. That is not a lot compared to, say, the number of humans on Earth. On top of that, large parts of the available address space were initially reserved for various usages, reducing the pool of usable addresses even more.

Because of the increasing scarcity of IPv4 addresses, and the exhaustion of the pool of available public allocations (leading to an emergent market where public IPv4 addresses sell for $20), multiple mitigation strategies have been tried over the years to delay the inevitable: after the RFC 1918 reserved blocks for private usage came the generalisation of NAT, both at the local level and at the carrier level (CGNAT)… But however creative people are (and willing to complicate the overall structure of the Internet), 32 bits is not a lot, and we needed a larger address space: that is what IPv6 is for.

A 128 bit address size…

IPv6 addresses are 128 bits long. Maybe 64 bits would have been enough: a MAC address is 48 bits long, and we somehow managed to avoid too many duplicates. But you can find some if you look hard enough, and 128 bits allows for some nice tricks and ensures that we likely won’t have to do this again. The fact that the transition has been going on for more than 10 years makes it even more justified.

IPv6 is similar to IPv4, but because people were so happy to start from what was effectively a blank page, IPv6 has a TREMENDOUS amount of extensions and knobs, and only a subset of them is usually implemented or used by a given device.

…is hard to remember

Here is the IPv6 of the server hosting this blog (at publication time): 2001:41d0:a:307c:ac7c::1

Note the combination of hexadecimal numbers and colons, as well as the length. Even a shortened IPv6 address like the one above (:: expands to as many zero groups as are missing) is likely too long for you to remember. That is a major difference from IPv4 addresses, which people often learn by heart (especially for local networks). If you’re not a Jeopardy champion, you’ll need either DNS names or to copy-and-paste things around.

Here is the same IPv6 address, in full explicit format: 2001:41d0:000a:307c:ac7c:0000:0000:0001.

For reasons explained below, the rightmost 4 blocks (the host part of a /64 subnet) are rarely used.

The difficulty of remembering IPv6 addresses is often overlooked, but in my professional experience it is a real hindrance to IPv6 adoption.

Another common issue is that it is harder to tell subnet boundaries apart from addresses in CIDR notation.
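Both points above (the :: shorthand and the subnet boundary hidden inside a long address) are mechanical, so a small helper makes them concrete. The following is an added example using Python's standard ipaddress module, not code from the original post; the only address it uses is the server address quoted above, and the /80 and /64 prefixes are the ones the post mentions in its ifupdown stanza.

```python
import ipaddress

# Address of the server hosting the article, as given in the text above.
SERVER = "2001:41d0:a:307c:ac7c::1"


def expand(addr: str) -> str:
    """Full 8-group, zero-padded form: what '::' and dropped leading zeros hide."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """Canonical short form (RFC 5952): lowercase hex, leading zeros dropped,
    and only the first longest run of zero groups replaced by '::'."""
    return ipaddress.IPv6Address(addr).compressed


def network_of(cidr: str) -> str:
    """The subnet an 'address/prefix' belongs to, i.e. where the boundary is."""
    return str(ipaddress.IPv6Interface(cidr).network)


def split_prefix_iid(cidr: str) -> tuple:
    """Split an address on its prefix boundary (the prefix length must be a
    multiple of 16 so the cut falls between two 16-bit groups). For a /64 the
    left four groups are the routing prefix, the right four the host part."""
    iface = ipaddress.IPv6Interface(cidr)
    plen = iface.network.prefixlen
    if plen % 16:
        raise ValueError("cut must fall on a 16-bit group boundary")
    groups = iface.ip.exploded.split(":")
    cut = plen // 16
    return ":".join(groups[:cut]), ":".join(groups[cut:])


def same_subnet(a: str, b: str, prefixlen: int) -> bool:
    """True when both addresses fall inside the same /prefixlen."""
    na = ipaddress.IPv6Network(f"{a}/{prefixlen}", strict=False)
    nb = ipaddress.IPv6Network(f"{b}/{prefixlen}", strict=False)
    return na == nb


if __name__ == "__main__":
    print(expand(SERVER))                     # 2001:41d0:000a:307c:ac7c:0000:0000:0001
    print(compress("2001:0db8:0:0:1:0:0:1"))  # 2001:db8::1:0:0:1 (only one '::' allowed)
    print(network_of(SERVER + "/64"))         # 2001:41d0:a:307c::/64
    print(split_prefix_iid(SERVER + "/64"))
```

The compress() case with two equal runs of zeros is the one that trips people up: RFC 5952 allows a single ::, so the second run stays written out, and two strings that look different can be the same address.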

It’s a different protocol, right?

Because of the address size (and all of the extra features, not even counting the removed ones), IPv6 cannot use the IPv4 packet format. It can live alongside IPv4 in a mode called dual stack, and has its own packet format. The encapsulation is quite similar to IPv4, but with some of the lesser-used fields removed and a 20 bit increase in header size, due mainly to the gigantic addresses.

IPv4 headers are usually 20-24 bytes (variable) while IPv6 headers are 40 bytes (fixed), possibly followed by extension headers. Be careful with your MTU when you encapsulate something in v6 packets: the maximum payload that fits in a classical 1500-byte MTU is slightly shorter than in v4!
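To make the fixed 40-byte header tangible, here is an added example (not code from the original post) that packs and parses the IPv6 base header with Python's struct module and computes the payload budget for a given MTU. It is a minimal parser, not a full stack: it only handles the base header, and the version and truncation checks are the ones any packet parser should perform before trusting the declared lengths. The addresses used are documentation prefixes.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40        # fixed size; extension headers come after it
IPV4_MIN_HEADER_LEN = 20    # IPv4 without options (options make it longer)
# version/traffic class/flow label | payload length | next header | hop limit | src | dst
HEADER_FMT = "!IHBB16s16s"


def build_ipv6_header(src, dst, payload_len, next_header=17, hop_limit=64,
                      traffic_class=0, flow_label=0):
    """Serialise the 40-byte IPv6 base header. next_header=17 means UDP."""
    if not 0 <= flow_label < 2 ** 20 or not 0 <= traffic_class < 256:
        raise ValueError("flow label is 20 bits, traffic class 8 bits")
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack(HEADER_FMT, first_word, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(packet):
    """Decode the base header at the start of a packet. Refuses data that is
    not version 6 and packets shorter than the payload length they declare."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("packet shorter than the 40-byte IPv6 header")
    word, payload_len, nh, hl, src, dst = struct.unpack(HEADER_FMT, packet[:IPV6_HEADER_LEN])
    version = word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    if len(packet) - IPV6_HEADER_LEN < payload_len:
        raise ValueError("declared payload length exceeds captured data")
    return {
        "traffic_class": (word >> 20) & 0xFF,
        "flow_label": word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": nh,
        "hop_limit": hl,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
    }


def max_payload(mtu=1500, version=6):
    """Bytes left for everything above IP once the (option-less) header is in."""
    header = IPV6_HEADER_LEN if version == 6 else IPV4_MIN_HEADER_LEN
    return mtu - header


if __name__ == "__main__":
    hdr = build_ipv6_header("2001:db8::1", "2001:db8::2", payload_len=8)
    print(len(hdr), "byte header")                      # 40 byte header
    print(parse_ipv6_header(hdr + b"\x00" * 8))
    print("payload in 1500 MTU: v4", max_payload(1500, 4), "v6", max_payload(1500, 6))
```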

Dual Stack: v4 and v6 side-by-side

Dual stack means that the network stack is duplicated for IPv6: it has its own IPs, routing tables, firewalls… all managed independently from the IPv4 ones (a firewall policy written only for IPv4 does not filter IPv6 traffic). That means double the configuration and double the number of possible failures. The cold truth is that most admins stop as soon as IPv4 is set up and never bother to configure IPv6, if only because of the additional maintenance burden.

It also means every system will have separate default gateways for IPv4 and IPv6.

NAT and security concerns

IPv6 has its own security concerns and shares the classic ones from IPv4. I’ll not go into details, but there are classic implementation issues, vulnerability scanning issues due to the gigantic address space, lack of geolocation, and DDoS. And obviously there are some specific issues linked to RA announcements.

As an aside, here are a couple of RFCs trying to address the home LAN use case:

  • Local Network Protection for IPv6 (2007), RFC 4864
  • Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service (2011), RFC 6092
  • IPv6 Home Networking Architecture Principles (2014, draft), RFC 7368

Routing

IPv6 CIDR routing works fundamentally the same way as IPv4, with subnets and masks. At the beginning, you might be inclined to think that addressing works the same way as in IPv4, with a single IP bound to each interface: a /32 in v4 would become a /128 in v6. But in reality there are so many addresses that you usually allocate a block (usually a /64) to each piece of equipment. That allows applications (or containers, VMs…) on this host to get a dedicated IP seamlessly. More details on this below.

Reserved blocks and addressing scheme

Short list of IPv6 reserved blocks with their IPv4 counterparts. Blocks are allocated by IANA; the list is available on the IANA website, and most of these allocations originated from RFC 3513.

  • The localhost address (127.0.0.1/8 subnet equivalent) is ::1/128, a single address.
  • The routable address space named Global Unicast (GU) is 2000::/3 (the equivalent of public IPv4 space)
  • The link-local space is fe80::/10 (169.254.0.0/16 equivalent)
  • The multicast space is ff00::/8 (224.0.0.0/4 equivalent)

Reference sheet: http://www.teachmeipv6.com/IPv6-Essentials-Reference-Sheet.pdf

Internet, the DFZ & the fullview size

Because of its address size, Internet routing tables (in the DFZ) for IPv6 could be much larger than the IPv4 ones. This is not surprising by any means: the size of the DFZ IPv4 table itself (called a full view) has been a hot topic for years, and caused many issues when it exceeded the maximum buffer size allocatable on some network equipment.

As a result, and in an effort to limit the memory used by this table, network operators often drop any IPv4 announcement more specific than a /24. Same goes for IPv6, where anything more specific than a /48 is usually dropped as well. These two numbers are not random: they are the sizes of the minimal allocations given by the RIRs to Autonomous Systems.

To sum up:

  • /64 is often allocated to clients
  • /48 is the minimal size of a routing block on the Internet

For very good reasons, it is highly recommended not to allocate less than a /64 to a client. Between a /48 and a /64 that leaves 16 bits for local subnetting and aggregated routing. For the same reason, a site should be allocated a /48.
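The two prefix lengths above are easy to get backwards, so here is an added example (not from the original post) that applies the /24 and /48 acceptance rule to a constructed list of announcements and then carves a /48 site allocation into /64 client subnets. The prefixes are documentation ranges, not real routes, and the acceptance thresholds are the ones the post states.

```python
import ipaddress
import itertools

# Longest prefix usually accepted in the DFZ, per the text above (v4: /24, v6: /48).
MAX_ACCEPTED_PREFIXLEN = {4: 24, 6: 48}


def is_accepted_announcement(prefix):
    """True when an announced prefix is not more specific than the accepted maximum."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.prefixlen <= MAX_ACCEPTED_PREFIXLEN[net.version]


def filter_announcements(prefixes):
    """Split announced prefixes into (accepted, dropped), keeping their order."""
    accepted, dropped = [], []
    for prefix in prefixes:
        (accepted if is_accepted_announcement(prefix) else dropped).append(prefix)
    return accepted, dropped


def count_client_subnets(site_prefix, client_prefixlen=64):
    """How many client subnets of the given size fit in a site allocation."""
    net = ipaddress.IPv6Network(site_prefix)
    if client_prefixlen < net.prefixlen:
        raise ValueError("client prefix cannot be larger than the site prefix")
    return 2 ** (client_prefixlen - net.prefixlen)


def first_client_subnets(site_prefix, count, client_prefixlen=64):
    """The first `count` client subnets of a site, as strings."""
    net = ipaddress.IPv6Network(site_prefix)
    return [str(s) for s in itertools.islice(net.subnets(new_prefix=client_prefixlen), count)]


# Constructed sample announcements (documentation prefixes, not real routes).
SAMPLE_ANNOUNCEMENTS = [
    "2001:db8::/32",        # RIR-sized v6 allocation: accepted
    "2001:db8:1::/48",      # site-sized v6 block: accepted
    "2001:db8:1:2::/64",    # single client subnet: dropped
    "203.0.113.0/24",       # smallest accepted v4 block
    "203.0.113.128/25",     # more specific than /24: dropped
]

if __name__ == "__main__":
    accepted, dropped = filter_announcements(SAMPLE_ANNOUNCEMENTS)
    print("accepted:", accepted)
    print("dropped: ", dropped)
    print("/64s in a /48:", count_client_subnets("2001:db8:1::/48"))   # 65536
    print(first_client_subnets("2001:db8:1::/48", 3))
```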

Transit issues on v6

There are multiple transit issues on IPv6 peering between Tier-1 providers that aren’t present on IPv4. Cogent/HE is a famous one, dating back as far as 2009. Be mindful if you plan to use HE IPv6 tunnels to replace your ISP’s IPv6 capabilities: you will not get access to everything, only a partial view of the v6 Internet. Read this 2018 The Register article if you want to know more.

Layer 2 discovery on switched networks: no ARP

IPv4 uses ARP as the Layer 2 discovery protocol on a directly attached local network. IPv6 uses NDP, which is based on ICMPv6 packets and tries to fix some of the issues and limitations of ARP.

NDP uses the same principle as ARP: the device builds a local table of its neighbours using a gossip-like protocol. But NDP is much better than ARP: instead of broadcasting announcements, Neighbor Solicitation ICMPv6 messages are multicast to specific groups, allowing switches to distribute the messages more selectively.

Also built into NDP are Router Solicitation messages. They allow discovery of reachable routers (there can be several of them) and autoconfiguration of the corresponding IPs through one of the assignment protocols.

This allows IPv6 to test and confirm the reachability of a gateway, and to reconfigure itself if the gateway becomes unreachable. ND also embeds a mechanism named Duplicate Address Detection that does what it says.
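The "specific groups" a Neighbor Solicitation is sent to are the solicited-node multicast addresses of RFC 4291, and the switch-level selectivity comes from the Ethernet multicast MAC that RFC 2464 derives from the group. The following is an added example (not from the original post) computing both for a target address, with the all-nodes and all-routers groups that Router Advertisements and Solicitations use; the only non-documentation address is the server address quoted earlier in the post.

```python
import ipaddress

ALL_NODES = "ff02::1"     # unsolicited Router Advertisements go here
ALL_ROUTERS = "ff02::2"   # Router Solicitations go here
SOLICITED_NODE_PREFIX = "ff02::1:ff00:0/104"


def solicited_node_multicast(target):
    """RFC 4291 2.7.1: ff02::1:ffXX:XXXX where XX:XXXX are the low 24 bits of
    the target. A Neighbor Solicitation for `target` goes to this group only,
    so hosts that do not share those 24 bits never see it (unlike an ARP broadcast)."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def ipv6_multicast_mac(group):
    """RFC 2464 7: the Ethernet destination for an IPv6 multicast group is
    33:33 followed by the low 32 bits of the group address. Switches doing
    multicast filtering can use this to deliver only to interested ports."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in addr.packed[-4:])


def is_solicited_node_group(group):
    """True when a multicast group belongs to the solicited-node range."""
    return ipaddress.IPv6Address(group) in ipaddress.IPv6Network(SOLICITED_NODE_PREFIX)


def neighbor_solicitation_targets(target):
    """(IPv6 group, Ethernet MAC) that a Neighbor Solicitation for target is sent to."""
    group = solicited_node_multicast(target)
    return group, ipv6_multicast_mac(group)


if __name__ == "__main__":
    print(neighbor_solicitation_targets("2001:41d0:a:307c:ac7c::1"))  # ('ff02::1:ff00:1', '33:33:ff:00:00:01')
    print(ALL_ROUTERS, "->", ipv6_multicast_mac(ALL_ROUTERS))          # 33:33:00:00:00:02
```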

How do I get an IP?

Auto-configuration

When a host receives a Router Advertisement packet, either unsolicited (sent every 200s by default) or in response to a Router Solicitation, it can use its content to infer which IP allocation method to use among the 3 possibilities:

  • SLAAC: using the advertised subnet (min /64), the host chooses a random IP
  • Link-local: the fe80::/10 subnet is used and a local address is derived from the interface MAC (the process is called EUI-64)
  • DHCPv6: the host should send a DHCPv6 request to get an address

The RA can also carry additional configuration information and act as a stateless DHCP (RFC 3736). For example:

  • Lifetime of the assignment
  • MTU (v6 minimum is 1280 bytes)
  • A local recursive DNS server
  • A local DNS domain search list
  • SIP outbound proxy server (for phone communication)

NOTE: apparently NTP was not included in the initial design, but since then DHCPv6 has been extended to support most DHCPv4 options, such as advertising NTP servers (RFC 5908, 2010).

And lastly, the RA message contains information about the gateway itself. It means that the DHCPv6 protocol is only used to obtain an address, not the local gateway as in IPv4. On its own, DHCPv6 is not enough and needs the RA announcements.

The complete list of the RA capabilities and options can be found on the IANA website.

Static configuration

Like in IPv4, IPv6 hosts can use static addressing and a hand-written configuration. You’ll have to configure the same parameters (IPv6 address, prefix length, gateway, MTU and DNS).

Subnets you can use:

  • IPv4-mapped IPv6 ::ffff:0.0.0.0/96 with the zeros replaced by an IPv4 address
  • Link-local fe80::/10 (similar to the 169.254.0.0/16 IPv4 block)
  • ULA fd00::/8 (subset of fc00::/7, RFC 4193), but you should not use it
  • RIR-assigned blocks in 2000::/3

ifupdown configuration stanza

This is this server’s local configuration for my provider (OVH):

iface eth0 inet6 static
  # only a /80 is routed, but the subnet itself is /64
  address 2001:41d0:a:307c:ac7c::1/64
  pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra
  post-up ip -6 route add 2001:41d0:a:30ff:ff:ff:ff:ff dev eth0
  post-up ip -6 route add default via 2001:41d0:a:30ff:ff:ff:ff:ff dev eth0

SLAAC

SLAAC lets the client pick an address inside a /64 subnet on its own. This address can be derived from the interface MAC to provide a stable allocation, or, for privacy reasons, simply be random. SLAAC is stateless and does not require a specific server to talk to, at the price of reduced control over which address each device gets.

Most devices supporting IPv6 support SLAAC. If you are curious about the configuration, you can read this.
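The EUI-64 derivation named in the auto-configuration list earlier, and the stable-versus-random choice described in this SLAAC section, are both a few byte operations. Here is an added example (not code from the original post or from any SLAAC implementation) that builds a link-local and a global address from a constructed MAC, generates an RFC 4941-style random identifier in the same /64, and shows the reverse mapping that explains the privacy concern: an EUI-64 address hands out the MAC to anyone who sees it.

```python
import ipaddress
import secrets


def mac_to_modified_eui64(mac):
    """RFC 4291 appendix A: split the 48-bit MAC, insert ff:fe in the middle,
    and flip the universal/local bit (bit 1 of the first byte)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def address_from_iid(prefix, iid):
    """Glue a 64-bit prefix and a 64-bit interface identifier together."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit identifier")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def eui64_address(prefix, mac):
    """Stable SLAAC address: advertised /64 prefix + EUI-64 of the MAC."""
    return address_from_iid(prefix, mac_to_modified_eui64(mac))


def link_local_from_mac(mac):
    """The fe80::/64 address a host derives before it hears any router."""
    return eui64_address("fe80::/64", mac)


def privacy_address(prefix):
    """RFC 4941-style temporary address: a random identifier with the
    universal/local bit cleared so it cannot be mistaken for a real EUI-64."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear bit 1 (the u/l bit)
    return address_from_iid(prefix, bytes(iid))


def mac_from_eui64_address(addr):
    """Recover the MAC from an EUI-64 address, or None when the identifier
    does not carry the ff:fe marker. This is the tracking risk that makes
    random identifiers the default on most client systems."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                      # constructed sample MAC
    print(link_local_from_mac(mac))                 # fe80::21a:2bff:fe3c:4d5e
    print(eui64_address("2001:db8:1:2::/64", mac))  # 2001:db8:1:2:21a:2bff:fe3c:4d5e
    print(privacy_address("2001:db8:1:2::/64"))     # random, changes every run
    print(mac_from_eui64_address("2001:db8:1:2:21a:2bff:fe3c:4d5e"))  # 00:1a:2b:3c:4d:5e
```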

DHCPv6

DHCPv6 works mostly on the same logic as DHCPv4 on the IP attribution side. But it differs a lot in the fact that it does not provide any default gateway to the client. This is a common mistake: DHCPv6 or not, route management is still the responsibility of the Router Advertisement protocol.

The upsides of DHCPv6 over SLAAC are the ability to track allocations, use subnets smaller than /64, assign specific IPs to devices, or simply ensure device leases are persisted.

Some devices or OS (like Android) don’t support DHCPv6.

Linux IPv6 configuration

Linux IPv6 works mostly the same way as IPv4. NetworkManager should come with IPv6 enabled by default, and it will assign an IPv6 link-local address to every interface.

Kernel network configuration

If you need to configure things by hand, you can find all options in /proc/sys/net/ipv6/. The ip command (from the iproute2 package) exposes v6 through the ip -6 <command> option.

ip -6 a(ddr) s(how) # list the interfaces and their v6 IPs
ip -6 route         # display the v6 main routing table
ip -6 neigh         # display the neighbour table (similar to the v4 ARP table)
ip -6 rule          # display the policy rules that pick a routing table for v6 traffic

How to choose between IPv4 and IPv6: The getaddrinfo magic

In Linux, the decision to use IPv4 or IPv6 for a connection is made when translating a domain name into an IP address, at the getaddrinfo call level in libc.

The caller can request a specific protocol family (AF_INET is v4, AF_INET6 is v6, AF_UNSPEC for either). This is how some programs (like ping6 or traceroute6) enforce IPv6 usage.

The modern default behaviour on most distros is to try v6 first (if a v6 address is present) and fall back to v4. For v6 to succeed, the AAAA record of the target FQDN needs to exist and you need valid v6 connectivity (a routed IPv6 address and a default gateway).

Note that not having an IPv6 address does not affect explicit v6 DNS resolution. You can resolve AAAA queries over IPv4, but you’ll not be able to connect:

# only IPv4 and IPv6 link-local are available, but let's force v6 usage
$ ping6 google.com
PING google.com(ams17s08-in-x0e.1e100.net (2a00:1450:400e:80e::200e)) 56 bytes of data
From_gateway (fe80::eade:27ff:feb1:c7ae%wlp2s0) icmp_seq=1 Destination unreachable : No route
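The family selection, the v6-first ordering and the fallback described above are visible from Python's socket.getaddrinfo wrapper around the libc call. The following is an added example, not code from the original post: resolve() restricts the family the way ping6 does, prefer_ipv6() reproduces the v6-then-v4 order, and connect_with_fallback() walks the candidates until one connects. The demo under __main__ runs offline against a v4-only loopback listener so the ::1 attempt fails and the 127.0.0.1 one succeeds; with a real hostname and numeric_only=False the same functions do the DNS lookup.

```python
import socket


def resolve(host, port=443, family=socket.AF_UNSPEC, numeric_only=False):
    """Ask getaddrinfo for TCP candidates, optionally restricted to one family.
    Returns [(family, sockaddr), ...] in libc's preferred order, or [] when
    the name has no usable address in the requested family."""
    flags = socket.AI_NUMERICHOST if numeric_only else 0
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM, 0, flags)
    except socket.gaierror:
        return []
    return [(fam, sockaddr) for fam, _type, _proto, _canon, sockaddr in infos]


def prefer_ipv6(candidates):
    """Stable reorder: v6 candidates first, then v4, keeping libc order within each."""
    return sorted(candidates, key=lambda c: c[0] != socket.AF_INET6)


def connect_with_fallback(candidates, timeout=2.0):
    """Try each candidate in turn and return the first connected socket.
    Raises OSError listing every failure when none of them works."""
    errors = []
    for fam, sockaddr in candidates:
        sock = None
        try:
            sock = socket.socket(fam, socket.SOCK_STREAM)
            sock.settimeout(timeout)
            sock.connect(sockaddr)
            sock.settimeout(None)
            return sock
        except OSError as exc:
            if sock is not None:
                sock.close()
            errors.append(f"{sockaddr[0]}: {exc}")
    raise OSError("all candidates failed: " + "; ".join(errors))


if __name__ == "__main__":
    # Offline demo: a v4-only listener on loopback. The ::1 candidate is tried
    # first (no route or nothing listening) and the 127.0.0.1 one succeeds.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    candidates = prefer_ipv6(resolve("127.0.0.1", port, numeric_only=True)
                             + resolve("::1", port, numeric_only=True))
    print("trying in order:", [c[1][0] for c in candidates])
    sock = connect_with_fallback(candidates)
    print("connected via", sock.getpeername())
    sock.close()
    listener.close()
```

Note what resolve() returns for an IPv4 literal when AF_INET6 is requested: an empty list, which is the libc-level reason a forced-v6 tool like ping6 refuses a v4-only name instead of silently using IPv4.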

Local steering between IPv4 and IPv6

Straight from man gai.conf:

A call to getaddrinfo(3) might return multiple answers. According to RFC 3484 these answers must be sorted so that the answer with the highest success rate is first in the list. The RFC provides an algorithm for the sorting. The static rules are not always adequate, though. For this reason, the RFC also requires that system administrators should have the possibility to dynamically change the sorting. For the glibc implementation, this can be achieved with the /etc/gai.conf file. link

The configuration file allows you to fine-tune priorities between both protocols for specific targets, but it’s usually not needed.

References

Some common IPv6 questions https://blogs.infoblox.com/ipv6-coe/common-ipv6-newbie-questions/

IPv6 Rosetta Stone of configuration: https://wikispaces.psu.edu/display/ipv6/IPv6+Rosetta+Stone and the updated version https://theinternetprotocolblog.wordpress.com/2019/11/04/basic-ipv6-troubleshooting-commands-i-ipv6-rosetta-stone-2019/

Specific to French ISPs

Related to IPv6 tunnels