IPv6 is not new, it’s nearly thirty years old and implemented virtually everywhere but nobody seems to use it so why should you? Let me be clear: You will need to use it someday when a service you require does not offer an IPv4 fallback anymore. For this reason, it’s a whole lot better to start using it when you’ve got time to try stuff and not one month before an important feature needs to go live.
The fact we need to accept is that IPv4 is dead, it was kept alive artificially for a long time by bandaids like port-forwarding, NAT and large cloud providers paying top dollar for (otherwise) worthless companies who own an address range they acquired decades ago. Now we’re just carrying the corpse around. Why? Most probably because unfortunately the living creature called IPv6 does not offer any killer features to force the switch or make it worthwhile.
Notation of IPv6 addresses
An IPv6 address is 128 bits (16 bytes) long, notated in hexadecimal and delimited by ‘:’ every 16 bits (2 bytes).
The IPv6 RFC defines some rules regarding notation:
- Leading zeros must be removed in every quartet
- :: must be used to shorten the longest consecutive set of all zeros quartets. If there are two equal-length all-zero sets, shorten the leftmost one.
- Hex characters must be written in lowercase, not uppercase.
Be aware that not all implementations follow the standard, but you should at all times.
Notations in Applications
Notations in applications may need some special attention or notation for an IPv6 address to be valid and unambiguous.
In a browser for URLs
In a URL it’s not clear which portion is the IP and which is the port when using a “plain” IPv6 address: https://fe80::7c10:da1e:7839:4a32:8443
so we need to put the address in square brackets to help the browser understand: https://[fe80::7c10:da1e:7839:4a32]:8443
Microsoft UNC paths
Ok, this is plain insanity. You must replace all colons with dashes and append “.ipv6-literal.net” to the address. This is not a joke. I’m convinced some pharmacy near Redmond mixed up most prescriptions while this was implemented, maybe someone can investigate? To give an example: When you want to connect to share myfiles on the computer with address fe80::7c10:da1e:7839:4a32 in Windows Explorer you need to put this into the address bar: \\fe80--7c10-da1e-7839-4a32.ipv6-literal.net\myfiles
. Waiting for some kind of “nah just kidding”? Sorry, this is still not a joke.
Some IPv6 knowledge
IPv6 and IPv4 are completely incompatible. So if a device only supports IPv4, it will not be able to communicate with a device that uses IPv6. Sadly there are still services and devices that don’t support one or the other. The solution for this dilemma is called Dual-Stack networking where v4 and v6 run side by side on the network layer. There are rules regarding which one to choose your OS will enforce. The gist is that v6 will be chosen if possible, v4 is just a fallback.
IPv6 has some types of unicast addresses:
- The unspecified address “::” to indicate the absence of an address
- The loopback address “::1”, which refers to the local host (this computer)
- Link-local addresses:” fe80:…” for communication in the local network (routers will not forward them over network boundaries)
- Global unicast addresses: Are globally unique and routable
- Unique local addresses: They are used to recreate the NAT madness from v4 in v6 which you should not do. Period. Also, they are utterly broken in Dual-Stack. Forget they even exist.
Speaking of NAT: It’s gone, forget it even exists. “But wasn’t it a security feature?” No. Never. Same story with port forwarding. Your firewall is for security and that’s all you need.
An IPv6 address, just like an IPv4 address, consists of a network portion (which is recommended to always be 64 bits) and a host portion (also 64 bits). The network portion is called the network prefix and can be further divided into a global routing prefix and a subnet identifier. That is because your organization may be assigned a global routing prefix shorter than 64 bits and the remaining bits can be used to form subnets within the organization. For example, you might receive a /48 prefix, providing you with 16 bits (64-48) to form your subnets as you wish. The remaining 64 bits are called the interface identifier and form the host portion.
Global Routing Prefix received from RIPE / ISP
2001:db8:3c4d::/48
Subnets you can freely use
2001:db8:3c4d::/64 to 2001:db8:3c4d:ffff::/64
A full host adress in the ffff network
2001:db8:3c4d:ffff::1
|------1-----|-2--|-3-|
1) Global routing prefix
2) Subnet identifier
3) interface identifier
1 and 2) Network prefix
1, 2 and 3) Full adress of host "1" in network "2001:db8:3c4d:ffff::/64"
Obtaining an IPv6 address
To obtain a valid address, we need to get both the network prefix and the interface identifier. Depending on the type of address (global unicast or link-local) and the network configuration this can be achieved in multiple ways.
Obtaining the network prefix
For your Link-local address, your device uses the predefined prefix of FE80::/10. To get the desired length of 64 bits for the network portion, the remaining 54 bits are filled with zeros. As a result, all link-local addresses have FE80::/64 as the network portion.
For global unicast addresses, the prefix is propagated to all clients by a router using ICMPv6 messages Router Solicitation RS (sent by the client) and Router Advertisement RA (sent by the router).
Obtaining the interface identifier
There are two methods for getting this portion of the address:
- From a DHCPv6 server
- Using SLAAC
- Derive the value from the interface MAC address (using EUI-64)
- Generated random value
Where to try IPv6
My suggestion is to start playing in a fresh “cloud data centre” and play with virtual networks and all those things in a public cloud. When you feel more confident, go further and enable IPv6 at your home or at work. Just don’t forget: Unique local addresses are a big nono everywhere.
In a public cloud
Most providers fully support it. In Azure, there is no way to go IPv6-only (shame on you Microsoft). IPv4 is still mandatory, Dual-Stacking is our only option to use IPv6.
At home
You request some IPv6 address space either directly from RIPE or your ISP. When you request it from your ISP, please ask for some space that is not bound to your ISP otherwise you need to change everything again when you switch to a different provider. The reason for this is that your router will get the network prefix from your provider (via prefix delegation which is a DHCPv6 feature) and propagate it to your downstream devices (using the RS and RA ICMP messages mentioned above). So if you defined some rules based on IP addresses you would need to rewrite them when you change your provider.
Photo by Clint Adair on Unsplash