This chapter introduces the new concepts and technical specifics of IPv6, the foundation of the Third Internet. Since IPv6 is based heavily on IPv4, the approach will be to describe the differences between the two. This will help those who already are familiar with IPv4 to make the leap to IPv6. The subchapter headings are intentionally similar to those in Chapter 3, to allow you to compare the old and the new, topic by topic. Again, there is no intent to be comprehensive. There is a lot of content available on all aspects of IPv6 listed in the bibliography and/or available online. The ultimate references are the RFCs, so this chapter includes hyperlinks to the relevant ones, for those who want to drill deeper on specific topics.
In other chapters we will discuss topics such as advanced aspects of IPv6 (IPsec, IKEv2), the new things that IPv6 makes possible, who is involved in making it happen, and how we get from the Second Internet to the Third Internet (migration). This chapter covers the core protocols of IPv6.
Network Hardware
Essentially the same network hardware that was used to deploy IPv4 networks is being used to deploy the IPv6 networks , with some notable exceptions, primarily hardware that implements things at the Internet Layer or above, such as smart (“layer 3”) switches, routers, and firewalls. Also, DNS and DHCP servers must be updated or replaced with ones that support IPv6 (more typically both IPv4 and IPv6, or “dual stack”). As IPv6 is deployed, Virtual Private Networks (VPNs) will likely move away from “SSL/VPN”1 to IPsec-based VPNs, which are the only IETF-approved technology for VPNs. There are no RFCs for SSL/VPN because it is not considered to be a viable approach. Unfortunately, IPsec is incompatible with NAT, which is now endemic in the Second Internet. VoIP and IPTV appliances will probably be upgraded to (or replaced with) IPv6-based systems. Any device with TCP/IP hardware acceleration (such as high-end routers) will probably need to be redesigned or replaced. Simply upgrading the firmware will not be sufficient on such products (there are hardware dependencies on IPv4). There are some routers that only have hardware acceleration for the IPv4 stack (IPv6 is done entirely with software), which has led some people to think there are performance issues with IPv6. Already there are hardware acceleration chips that support both IPv4 and IPv6 and are available and being used in new product designs.
The hardware of most computing nodes does not need to change, especially client and server computers. Replacement or upgrade of the operating system and applications is all that is needed. The good news is that almost all operating systems and many network applications that run on client computers are already fully compliant with IPv6, and those are widely deployed. Those that aren’t yet compliant can be upgraded or configured to support it with very reasonable effort and cost. Many server applications (especially open source ones) are already compliant as well. Virtually everything Microsoft makes fully (except Azure Cloud VMs, Skype, and Teams) supports IPv6 today. For client computers, Windows Vista and Windows 7 had fairly complete support. Later versions of Windows (8.1, 10, and 11) have very complete support. Windows XP had some support but was missing some key features (like GUI configuration of IPv6 addresses and DNS queries over IPv6). For server computers, Windows Server 2008 and Exchange Server 2007 (and most other server software since 2007) have full support for IPv6. Most open source operating systems (Linux, FreeBSD, OpenBSD, and NetBSD) have had full support for IPv6 for many years. Most open source network applications (Apache, Nagios, Postfix, Dovecot, etc.) also have full support (although in some cases, documentation may be hard to find).
NICs (Network Interface Connectors ) do not need to change unless they have IPv4-specific hardware acceleration, and even those will typically run IPv6 with no problem, but the IPv6 part won’t be accelerated (it will run at “software” performance levels, in terms of packets or bytes processed per second). There are already many chips available to build hardware-accelerated NICs that fully support both IPv4 and IPv6, so soon, even NICs with hardware acceleration will be no problem. They will accelerate IPv4 and/or IPv6 traffic. For the most part, NICs work at the Link Layer and hence are IP version agnostic (except for hardware acceleration).
Existing Wi-Fi NICs are also IP version agnostic (they work at the Link Layer), and every Wi-Fi NIC that I’ve tried has worked with IPv6 with no upgrades or workarounds required. Wi-Fi routers are another matter, because they include higher layer functionality such as IPv4 routing, often including IPv4 NAT and a DHCPv4 server. Even here, there is a simple workaround. Most Wi-Fi access points have a “WAN” connector, which is the input to the NAT gateway, and one or more “LAN” connectors that are on the client side of the NAT gateway. The LAN connectors are intended to plug in wired client nodes, which are peers to the wireless client nodes (both wired and wireless client nodes obtain configuration information and translated IP addresses from the DHCPv4 server and NAT gateway built into the Wi-Fi access point). Of course, the existing IPv4 routing, IPv4 NAT, and DHCPv4 in such devices are not compatible with IPv6. There are dual-stack Wi-Fi access points available now from companies like D-Link, but some of the products available today do not have routing, firewall, or DHCP support for IPv6. Any device listed on the IPv6-ready list of certified products 2 fully supports IPv6.
However, if you plug the cable from your ISP DSL modem (or from an existing Ethernet network) into one of the LAN connectors on your Wi-Fi access point, instead of into the WAN connector as you are supposed to, you can simply ignore the IPv4-specific parts of the Wi-Fi access point. You are now using the router in “bridge mode.” The actual Wi-Fi transmitter part is IP agnostic, and if there are both IPv4 and IPv6 on the feed you connect, they will both be broadcast on wireless, and all existing nodes with Wi-Fi NICs will receive it (assuming each OS supports IPv6 and you have configured it). Of course, if you want your Wi-Fi nodes to obtain IPv4 addresses automatically, you must have a DHCPv4 server somewhere in your network (properly configured). Your Wi-Fi access point is no longer performing this function. Likewise, if you want Wi-Fi clients to obtain IPv6 addresses through stateless autoconfiguration, there must be a Router Advertisement Daemon in your network (just as for wired IPv6). If your wireless node has a DHCPv6 client and you have a DHCPv6 server in your network, stateful autoconfiguration will work over Wi-Fi as well. Of course, you can manually configure IPv6 addresses for Wi-Fi nodes just as you can with wired nodes. No NAT is required (or needed) for IPv6. For IPv4, no NAT will be performed in the Wi-Fi access point, so if you need it, it must be performed at the outside gateway (e.g., a wired DSL modem from your ISP). Your wireless nodes will be peers to your wired nodes. All of them (wired and wireless) will get IPv4 addresses from the same DHCPv4 pool (if you use DHCP), and all will be in the same subnet. Normally if you connected a Wi-Fi gateway with NAT inside an existing NATted network, your wireless nodes would be behind two levels of NAT, which can cause some problems. One level of NAT is bad enough – two levels are even worse.
A screenshot shows the kame project. It has an illustration of a turtle. Below the illustration project details are given.
The dancing kame
With some of today’s phones, however, the only thing that works over IPv6 today (if anything) is Wi-Fi Internet access, not the voice traffic or “dataplan” service. Some mobile phone service providers are including IPv6 today (most in the United States are). In theory you could add a dual-stack softphone (VoIP client) and do voice communications over IPv6, but only via the Wi-Fi connection through a Wi-Fi access point connected to the main Internet, not over your wireless telephone carrier’s Internet service via WAP, GPRS, EDGE, HSDPA, or whatever else they provide. Someday even these services will be dual stack (probably primarily LTE).
There are now dual-stack Wi-Fi access points that fully support routing for IPv4 and IPv6, NAT for IPv4, and a Router Advertisement Daemon to enable IPv6 stateless auto-configuration. D-Link in Taiwan has several that fully support IPv6, as do other vendors.
Network cables are totally IP version agnostic. You will not need to rewire your network just for IPv6.
All conventional (“layer 2”) hubs and switches are IP version agnostic, although “layer 3” features of some switches (such as web management, SNMP, and VLANs) must be upgraded to support IPv6. In most cases, this will be possible simply with new downloaded firmware. No hardware changes are needed (assuming there is sufficient RAM and ROM to handle the more complex firmware). Contact your switch vendor and demand that they add support for IPv6. There are already a few layer 3 switches on the market that support IPv6. I have an SMC 8848M 48-port gigabit managed switch in my home network that has quite a bit of IPv6 support, including web management over IPv6, IPv6-based VLANs, SNMP over IPv6, etc. Unfortunately, traffic statistics do not break out IPv4 and IPv6 traffic; just the total is reported. D-Link also has a dual-stack smart switch series. They are already IPv6 ready certified. One example is their DGS-3627 XSTACK managed 24-port gigabit stackable L3 switch.
Many enterprise-grade routers and firewalls already support IPv6, although in some cases you must pay extra for the IPv6 functionality. Cisco routers used to require “advanced IP services” for IOS (at additional cost), before IPv6 worked. For example, the Cisco 2851 router ($6495) included only the base IOS (no IPv6 support). The Advanced IP Services Feature Pack for it was an additional $1700 (all prices list). When buying or considering using Cisco routers for use in IPv6 networks, make sure they already include advanced IP services or include the additional cost of the feature pack. More recent Cisco routers include IPv6 support for free in the base IOS.
Home network gateways that support IPv6 are further behind, but coming soon, especially from Asian vendors, such as D-Link. A typical one will have all the features of existing IPv4-based gateways, plus 6in4 tunneling (to tunnel in IPv6 from a virtual ISP), a Router Advertisement Daemon (to enable stateless auto-configuration), and firewall rules for IPv6 traffic. They should also be able to accept direct (in addition to tunneled) IPv6 service, for when dual-stack ISP service becomes more widely available. Their DNS relay should support DNS over both IPv4 and IPv6. More advanced gateways might include a DHCPv6 server.
Note that some DSL or cable modems also include IPv4 firewall functionality. Of course, this will not allow you to control IPv6 traffic. Therefore, if you are connecting your LAN to the IPv6 Internet, there must be IPv6 firewalling somewhere, possibly in a 6in4 tunnel endpoint that is routing IPv6 traffic into your LAN. A dual-stack gateway firewall may include routing to accept incoming “direct” IPv6 service and/or a 6in4 endpoint to accept incoming “tunneled” IPv6 service, together with both IPv4 and IPv6 filtering rules, and a Router Advertisement Daemon to support stateless auto-configuration for the internal nodes that support IPv6.
Some IP phones in use today support IPv6, such as those from Snom in Germany and Moimstone in Korea. Cisco supports IPv6 on a number of their recent phones, including the 7906G, 7911G, 7931G, 7941G/GE, 7942G, 7945G, 7961G/GE, 7962G, 7965G, 79770G, 7971G/GE, and 7975G. Most of the older Cisco IP phones currently in use do not support IPv6, and their firmware cannot be upgraded for various reasons (e.g., insufficient RAM or ROM).
When looking for hardware products that already support IPv6, an excellent source of information is the IPv6-ready approved products list. If possible, choose products that have passed the phase 2 (gold-level) testing. This ensures full compliance with all relevant RFCs and interoperability with many other products. Phase 2 testing also ensures compliance with all items denoted SHOULD in the relevant RFCs (a much more comprehensive set of functionalities). These lists are updated and maintained by the IPv6 Ready Logo Committee of the IPv6 Forum. They can be found at the IPv6-ready list of certified products.4
RFCs: A Whole Raft of New Standards for IPv6
There are many new RFCs that define the protocols, addressing and routing schemes, as well as migration issues for IPv6. I will cover the most important of those in this chapter.
You can trace the beginnings and evolution of IPv6 in some early RFCs. In 1990, when the IETF first realized that a successor to IPv4 was going to be needed (and soon), the fun began. One key RFC related to this is RFC 1752,5 “The Recommendation for the IP Next Generation Protocol,” January 1995. Prior to this, people referred to the successor protocol as IPng (IP next generation), but in this RFC the term IPv6 was used. RFC 1752 says that the IETF started its effort to select a successor in late 1990 and that several parallel efforts were started. Among these proposals were “CNAT,” “IP Encaps,” “Nimrod,” “Simple CLNP,” the “P Internet Protocol,” the “Simple Internet Protocol,” and “TP/IX.” None of these ever made it past the Internet Draft stage.
RFC 1347, “TCP and UDP with Bigger Addresses (TUBA),” June 1992 (Informational)
RFC 1526, “Assignment of System Identifiers for TUBA/CLNP Hosts,” September 1993 (Informational)
RFC 1561, “Use of ISO CLNP in TUBA Environments,” December 1993 (Experimental)
RFC 1707, “CATNIP: Common Architecture for the Internet,” October 1994 (Informational)
RFC 1710, “Simple Internet Protocol Plus White Paper,” October 1994 (Informational)
RFC 1883, “Internet Protocol, Version 6 (IPv6) Specification,” December 1995, obsoleted by RFC 2460 and then by RFC 8200
RFC 1884, “IP Version 6 Addressing Architecture,” December 1995, obsoleted by RFC 2373, then by RFC 3513, and then by RFC 4291
RFC 1885, “Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification,” December 1995, obsoleted by RFC 2463 and then by RFC 4443
RFC 1886, “DNS Extensions to Support IP Version 6,” December 1995, obsoleted by RFC 3596
RFC 1887, “An Architecture for IPv6 Unicast Address Allocation,” December 1995
Four of these have been replaced (multiple times in some cases) since then, and there are quite a few new ones since 1995, but this is where it really started. Yes, IPv6 is 27 years old in 2022 and has finally grown up.
IPv6
The software that is making the Third Internet (and virtually all Local Area Networks) possible will be around for quite some time. Like its predecessor, IPv4, it is a suite (family) of protocols. Once again, the core protocols are TCPv6 (Transmission Control Protocol version 6 ) and IPv6 (Internet Protocol version 6). TCPv6 has changes from TCPv4, but only a few, due to the larger addresses that require more storage and the odd method of calculating the checksum defined in TCPv4 (this involves a “pseudo header” that includes the source and destination addresses from the IP header, which of course are different in IPv4 and IPv6).
There is no new RFC specifically about TCPv6, but there are several RFCs that include details about the new features.
UDP has only very minor changes to work over IPv6, primarily to provide more storage for IPv6 addresses. The UDP packet header checksum also includes the IP addresses, once again using the new pseudo header.
The following standards are relevant to IPv6 in general.
RFCs specific to IPv4-IPv6 transition can be found here.
RFC 1809, “Using the Flow Label Field in IPv6,” June 1995 (Informational)
RFC 1881 , “IPv6 Address Allocation Management,” December 1995 (Informational)
RFC 1887 , “An Architecture for IPv6 Unicast Address Allocation,” December 1995 (Informational)
RFC 2428, “FTP Extensions for IPv6 and NATs,” September 1998 (Standards Track)
RFC 2474 , “Definition of the Differentiated Service Field (DS Field) in the IPv4 and IPv6 Headers,” December 1998 (Standards Track)
RFC 2526, “Reserved IPv6 Subnet Anycast Addresses,” March 1999 (Standards Track)
RFC 2675, “IPv6 Jumbograms,” August 1999 (Standards Track)
RFC 2711, “IPv6 Router Alert Option,” October 1999 (Standards Track)
RFC 2894, “Router Renumbering for IPv6,” August 2000 (Standards Track)
RFC 3111, “Service Location Protocol Modifications for IPv6,” May 2001 (Standards Track)
RFC 3122, “Extensions to IPv6 Neighbor Discovery for Inverse Discovery Specification,” June 2001 (Standards Track)
RFC 3175, “Aggregation of RSVP for IPv4 and IPv6 Reservations,” September 2001 (Standards Track)
RFC 3178, “IPv6 Multihoming Support at Site Exit Routers,” October 2001 (Informational)
RFC 3306 , “Unicast-Prefix-based IPv6 Multicast Addresses,” August 2002 (Standards Track)
RFC 3314, “Recommendations for IPv6 in Third Generation Partnership Project (3GPP) Standards,” September 2002 (Informational)
RFC 3363 , “Representing Internet Protocol version 6 (IPv6) Addresses in the Domain Name System,” August 2002 (Informational)
RFC 3364, “Tradeoffs in Domain Name System (DNS) Support for Internet Protocol version 6 (IPv6),” August 2002 (Informational)
RFC 3531, “A Flexible Method for Managing the Assignment of Bits of an IPv6 Address Block,” April 2003 (Informational)
RFC 3574, “Transition Scenarios for 3GPP Networks,” August 2003 (Informational)
RFC 3582, “Goals for IPv6 Site-Multihoming Architectures,” August 2003 (Informational)
RFC 3587 , “IPv6 Global Unicast Address Format,” August 2003 (Informational)
RFC 3595, “Textual Conventions for the IPv6 Flow Label,” September 2003 (Standards Track)
RFC 3701, “6bone (IPv6 Testing Address Allocation) Phaseout,” March 2004 (Standards Track)
RFC 3750, “Unmanaged Networks IPv6 Transition Scenarios,” April 2004 (Informational)
RFC 3756, “IPv6 Neighbor Discovery (ND) Trust Models and Threats,” May 2004 (Informational)
RFC 3769, “Requirements for IPv6 Prefix Delegation,” June 2004 (Informational)
RFC 3849, “IPv6 Address Prefix Reserved for Documentation,” July 2004 (Informational)
RFC 3879, “Deprecating Site Local Addresses,” September 2004 (Standards Track)
RFC 3974, “SMTP Operational Experience in Mixed IPv4/v6 Environments,” January 2005 (Informational)
RFC 4007 , “IPv6 Scoped Address Architecture,” March 2005 (Informational)
RFC 4029, “Scenarios and Analysis for Introducing IPv6 into ISP Networks,” March 2005 (Informational)
RFC 4057, “IPv6 Enterprise Network Scenarios,” June 2005 (Informational)
RFC 4074, “Common Misbehavior Against DNS Queries for IPv6 Addresses,” May 2005 (Informational)
RFC 4135, “Goals of Detecting Network Attachment in IPv6,” May 2005 (Informational)
RFC 4147, “Proposed Changes to the Format of the IANA IPv6 Registry,” August 2005 (Informational)
RFC 4159, “Depreciation of ip6.in,” August 2005 (Best Current Practice)
RFC 4177, “Architectural Approaches to Multihoming for IPv6,” September 2005 (Informational)
RFC 4192, “Procedures for Renumbering an IPv6 Network Without a Flag Day,” September 2005 (Informational)
RFC 4193 , “Unique Local IPv6 Unicast Addresses,” October 2005 (Standards Track)
RFC 4215, “Analysis of IPv6 Transition in Third Generation Partnership Project (3GPP) Networks,” October 2005 (Informational)
RFC 4218, “Threats Relating to IPv6 Multihoming Solutions,” October 2005 (Informational)
RFC 4291 , “IP Version 6 Addressing Architecture,” February 2006
RFC 4294, “IPv6 Node Requirements,” April 2006 (Informational)
RFC 4311, “IPv6 Host-to-Router Load Sharing,” November 2005 (Standards Track)
RFC 4339, “IPv6 Host Configuration of DNS Server Information Approaches,” February 2006 (Informational)
RFC 4380, “Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs),” February 2006 (Standards Track)
RFC 4429, “Optimistic Duplicate Address Detection (DAD) for IPv6,” April 2006 (Standards Track)
RFC 4443 , “Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification,” April 2006 (Standards Track)
RFC 4472, “Operational Considerations and Issues with IPv6 DNS,” April 2006 (Informational)
RFC 4554, “Use of VLANs for IPv4-IPv6 Coexistence in Enterprise Networks,” June 2006 (Informational)
RFC 4659, “BGP-MPLS IP Virtual Private Network (VPN) Extensions for IPv6 VPN,” September 2006 (Standards Track)
RFC 4692, “Considerations on the IPv6 Host Density Metric,” October 2006 (Informational)
RFC 4727, “Experimental Values in IPv4, IPv6, ICMPv4, ICMPv6, UDP and TCP Headers,” November 2006 (Standards Track)
RFC 4779, “ISP IPv6 Deployment Scenarios in Broadband Access Networks,” January 2007 (Informational)
RFC 4818, “RADIUS Delegated-IPv6-Prefix Attribute,” April 2007 (Standards Track)
RFC 4852, “IPv6 Enterprise Network Analysis – IP Layer 3 Focus,” April 2007 (Informational)
RFC 4861 , “Neighbor Discovery for IP version 6 (IPv6),” September 2007 (Standards Track)
RFC 4862 , “IPv6 Stateless Address Autoconfiguration,” September 2007 (Standards Track)
RFC 4864, “Local Network Protection for IPv6,” May 2007 (Informational)
RFC 4890, “Recommendations for Filtering ICMPv6 Messages in Firewalls,” May 2007 (Informational)
RFC 4919, “IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs): Overview, Assumptions, Problem Statement and Goals,” August 2007 (Informational)
RFC 4941 , “Privacy Extensions for Stateless Address Autoconfiguration in IPv6,” September 2007 (Standards Track)
RFC 4943, “IPv6 Neighbor Discovery On-Link Assumption Considered Harmful,” September 2007 (Informational)
RFC 4968, “Analysis of IPv6 Link Models for 802.16 Based Networks,” August 2007 (Informational)
RFC 5095, “Deprecation of Type 0 Routing Headers in IPv6,” December 2007 (Standards Track)
RFC 5172, “Negotiation for IPv6 Datagram Compression Using IPv6 Control Protocol,” March 2008 (Standards Track)
RFC 5175, “IPv6 Router Advertisement Flags Option,” March 2008 (Standards Track)
RFC 5181, “IPv6 Deployment Scenarios in 802.16 Networks,” May 2008 (Informational)
RFC 5350, “IANA Considerations for the IPv4 and IPv6 Router Alert Options,” September 2008 (Standards Track)
RFC 5375, “IPv6 Unicast Address Assignment Considerations,” December 2008 (Informational)
RFC 5453, “Reserved IPv6 Interface Identifiers,” February 2009 (Standards Track)
RFC 5533, “Shim6: Level 3 Multihoming Shim Protocol for IPv6,” June 2009 (Standards Track)
RFC 5534, “Failure Detection and Locator Pair Exploration Protocol for IPv6 Multihoming,” June 2009 (Standards Track)
RFC 5549, “Advertising IPv4 Network Layer Reachability Information with an IPv6 Next Hop,” May 2009 (Standards Track)
RFC 5570, “Common Architecture Label IPv6 Security Option (CALIPSO),” July 2009 (Informational)
RFC 5619, “Softwire Security Analysis and Requirements,” August 2009 (Standards Track)
RFC 5701, “IP Address Specific BGP Extended Community Attribute,” November 2009 (Standards Track)
RFC 5722, “Handling of Overlapping IPv6 Fragments,” December 2009 (Standards Track)
RFC 5739, “IPv6 Configuration in Internet Key Exchange Protocol version 2 (IKEv2),” February 2010 (Experimental)
RFC 5798, “Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6,” March 2010 (Standards Track)
RFC 5855, “Nameservers for IPv4 and IPv6 Reverse Zones,” May 2010 (Best Current Practices)
RFC 5871, “IANA Allocation Guidelines for the IPv6 Routing Header,” May 2010 (Proposed Standard)
RFC 5881, “Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop),” June 2010 (Proposed Standard)
RFC 5905, “Network Time Protocol Version 4: Protocol and Algorithms Specification,” June 2010 (Standards Track)
RFC 5908, “Network Time Protocol (NTP) Server Option for DHCPv6,” June 2010 (Proposed Standard)
RFC 5942, “IPv6 Subnet Model: The Relationship Between Links and Subnet Prefixes,” July 2010 (Proposed Standard)
RFC 5952, “A Recommendation for IPv6 Address Text Representation,” August 2010 (Proposed Standard)
RFC 5963, “IPv6 Deployment in Internet Exchange Points (IXPs),” August 2010 (Informational)
RFC 5970, “DHCPv6 Options for Network Boot,” September 2010 (Proposed Standard)
RFC 6036, “Emerging Service Provider Scenarios for IPv6 Deployment,” October 2010 (Informational)
RFC 6059, “Simple Procedures for Detecting Network Attachment in IPv6,” November 2010 (Proposed Standard)
RFC 6085, “Address Mapping of IPv6 Multicast Packets on Ethernet,” January 2011 (Standards Track)
RFC 6088, “Traffic Selectors for Flow Exchange Bindings,” January 2011 (Proposed Standard)
RFC 6092, “Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential Internet Service,” January 2011 (Informational)
RFC 6119, “IPv6 Traffic Engineering in IS-IS,” February 2011 (Proposed Standard)
RFC 6144, “Framework for IPv4/IPv6 Translation,” April 2011 (Informational)
RFC 6156, “Traversal Using Relays Around NAT (TURN) Extensions for IPv6,” April 2011 (Proposed Standard)
RFC 6157, “IPv6 Transition in the Session Initiation Protocol (SIP),” April 2011 (Proposed Standard)
RFC 6164, “Using 127-Bit IPv6 Prefixes on Inter-Router Links,” April 2011 (Standards Track)
RFC 6177, “IPv6 Address Assignments to End Sites,” March 2011
RFC 6204, “Basic Requirements for IPv6 Customer Edge Routers,” April 2011 (Informational)
RFC 6214, “Adaptation of RFC 1149 for IPv6,” April 1, 2011 (Informational)
RFC 6221, “Lightweight DHCPv6 Relay Agent,” May 2011 (Proposed Standard)
RFC 6250, “Evolution of the IP Model”, May 2011 (Informational)
RFC 6264, “An Incremental Carrier-Grade NAT (CGN) for IPv6 Transition,” June 2011 (Informational)
RFC 6294, “Survey of Proposed Use Cases for the IPv6 Flow Label,” June 2011 (Informational)
RFC 6343, “Advisory Guidelines for 6to4 Deployment,” August 2011 (Informational)
RFC 6384, “An FTP Application Layer Gateway (ALG) for IPv6-to-IPv4 Translation,” October 2011 (Proposed Standard)
RFC 6437 , “IPv6 Flow Label Specification,” November 2011 (Standards Track)
RFC 6438 , “Using the IPv6 Flow Label for Equal Cost Multipath Routing and Link Aggregation in Tunnels,” November 2011
RFC 6459, “IPv6 in 3rd Generation Partnership Project (3GPP) Evolved Packet System (EPS),” January 2012 (Informational)
RFC 6540, “IPv6 Support Required for All IP-Capable Nodes,” April 2012 (Best Current Practice)
RFC 6556, “Testing Eyeball Happiness,” April 2012 (Informational)
RFC 6564, “A Uniform Format for IPv6 Extension Headers,” April 2012 (Proposed Standard)
RFC 6568, “Design and Application Spaces for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs),” April 2012 (Informational)
RFC 6606, “Problem Statement and Requirements for IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) Routing,” May 2012 (Informational)
RFC 6619, “Scalable Operation of Address Translators with Per-Interface Bindings,” June 2012 (Proposed Standard)
RFC 6724, “Default Address Selection for Internet Protocol Version 6 (IPv6),” September 2012 (Standards Track)
RFC 6890, “Special-Purpose IP Address Registries,” April 2013 (Best Current Practice)
RFC 7066, “IPv6 for Third Generation Partnership Project (3GPP) Cellular Hosts,” November 2013 (Informational)
RFC 7098 , “Using the IPv6 Flow Label for Load Balancing in Server Farms,” January 2014
RFC 7707, “Network Reconnaissance in IPv6 Networks,” March 2016 (Informational)
RFC 8106 , “IPv6 Router Advertisement Options for DNS Configuration,” March 2017 (Standards Track)
RFC 8200 , “Internet Protocol, Version 6 (IPv6) Specification,” July 2017 (Standards Track)
RFC 8201 , “Path MTU Discovery for IP version 6,” July 2017 (Standards Track)
RFC 8504 , “IPv6 Node Requirements,” January 2019 (Best Current Practices)
Four-Layer IPv6 Architectural Model
A chart depicts the four-layer I P v 6 model. It has an application layer, a transport layer, an internet layer, and a link layer.
Four-layer IPv6 model
Application Layer: DHCPv4 replaced with DHCPv6
Transport Layer: TCPv4 replaced with TCPv6, UDPv4 replaced with UDPv6
Internet Layer: IPv4 replaced with IPv6, ICMPv4 replaced with ICMPv6 (which includes ND)
Link Layer: Removed ARP, OSPFv2 replaced with OSPFv3
In the following discussion, traffic really flows both down from the Application Layer to the Link Layer (then out the wire) and from the wire up through the Link Layer to the Application Layer. For clarity, only the downward path is described in the following. When traffic goes up through the layers, each layer strips off one header and hands off the remaining bytes to the layer above.
The Application Layer implements the protocols most people are familiar with (e.g., HTTP). The software routines for these are typically contained in application programs such as browsers or web servers that make system calls to subroutines (or “functions” in C terminology) in the “socket API” (an API is an Application Program Interface, or a collection of related subroutines, typically supplied with the operating system or programming language). The application code creates outgoing data streams and then calls routines in the API to actually send the data via TCP (Transmission Control Protocol) or UDP (User Datagram Protocol). Output to the Transport Layer is [DATA] using IP addresses.
The Transport Layer implements TCP (the Transmission Control Protocol) and UDP (the User Datagram Protocol). These routines are internal to the socket API. They add a TCP or UDP packet header to the data passed down from the Application Layer and then pass the data down to the Internet Layer for further processing. Output to the Internet Layer is [TCP HDR [DATA]], using IP addresses.
The Internet Layer implements IPv6 (the Internet Protocol) and various other related protocols such as ICMPv6 (which includes the “ping” function among other things). The IP routine takes the data passed down from the Transport Layer routines, adds an IPv6 packet header onto it, and then passes the now complete IPv6 packet down to routines in the Link Layer. Output to the Link layer is [IPv6 HDR [TCP HDR [DATA]]] using IP addresses. ND (Neighbor Discovery) is actually a part of ICMPv6. It helps locate the Link Layer address of other nodes on the link in addition to other functionality.
The Link Layer contains routines that actually read and write packets (as fed down to it by routines in the Internet Layer) onto the network wire, in compliance with Ethernet or other standards. Output to wire is Ethernet frame using MAC addresses (or the equivalent if other network hardware is used, such as Wi-Fi), which includes the entire IPv6 packet.
Link Layer Issues with IPv6
RFC 2464 , “Transmission of IPv6 Packets over Ethernet Networks,” December 1998 (Standards Track)
RFC 2467, “Transmission of IPv6 Packets over FDDI Networks,” December 1998 (Standards Track)
RFC 2470, “Transmission of IPv6 Packets over Token Ring Networks,” December 1998 (Standards Track)
RFC 2491, “IPv6 over Non-Broadcast Multiple Access (NBMA) Networks,” January 1999 (Standards Track)
RFC 2492, “IPv6 over ATM Networks,” January 1999 (Standards Track)
RFC 2497, “Transmission of IPv6 Packets over ARCnet Networks,” January 1999 (Standards Track)
RFC 2590, “Transmission of IPv6 Packets over Frame Relay Networks Specification,” May 1999 (Standards Track)
RFC 3146, “Transmission of IPv6 Packets over IEEE 1394 Networks,” October 2001 (Standards Track)
RFC 4338, “Transmission of IPv6, IPv4 and Address Resolution Protocol (ARP) Packets over Fibre Channel,” January 2006 (Standards Track)
RFC 4392, “IP over InfiniBand (IPoIB) Architecture,” April 2006 (Informational)
RFC 4944, “Transmission of IPv6 Packets over IEEE 802.15.4 Networks,” September 2007 (Standards Track)
RFC 5072 , “IP Version 6 over PPP,” September 2007 (Standards Track)
RFC 5121, “Transmission of IPv6 via the IPv6 Convergence Sublayer over IEEE 802.16 Networks,” February 2008 (Standards Track)
IPv6: The Internet Protocol, Version 6
IPv6 is the foundation of the Third Internet and accounts for many of its distinguishing characteristics, such as its 128-bit address size, its addressing model, and its packet header structure and routing. IPv6 is currently defined in RFC 8200,6 “Internet Protocol, Version 6 (IPv6) Specification,” July 2017, but there are several RFCs that extend the definition.
IPv6 Packet Header Structure
A model depicts the I P v 6 packet header. It has I P version, traffic class, flow label, payload length, next header, hop limit, source I P address, and destination I P address as its elements.
IPv6 packet header
The IP Version field (4 bits) contains the value 6 (imagine that!), which in binary is “0110.” This field allows IPv4 and IPv6 traffic to be mixed in a single network.
The Traffic Class field (8 bits) is available for use by originating nodes and/or forwarding routers to identify and distinguish between different classes or priorities of IPv6 packets, in a manner virtually identical to that of IPv4 “Type of Service.”
The Flow Label field (20 bits) is something new in IPv6. It can be used to tag up to 220 (1,048,576) distinct traffic flows, for purposes such as fine-grained bandwidth management (QoS). Its use is still experimental. Hosts or routers that do not support this function should set it to zero when originating a packet or ignore it when receiving a packet. The semantics and usage of this field are covered in RFC 8200. Further information is found in RFCs 3595, 6294, 6437, 6438, and 7098. Even today, very few routers actually act on the contents of this field. Until they do, it will be of limited value.
The Payload Length field (16 bits) is the length of the IPv6 packet payload in bytes, not counting the standard packet header (as it is in IPv4 Total Length), but counting the size of any extension headers, which don’t exist in IPv4. You can think of packet extension headers as being the first part of the Data field (payload) of the IPv6 packet.
The Next Header field (8 bits) indicates the type of header immediately following the standard IPv6 packet header. It uses the same values as the IPv4 Protocol field, as defined in RFC 1700, “Assigned Numbers,” October 1994. If this value contains the code for TCP, then the TCP header and packet payload (data) begins immediately after the IPv6 packet header. Otherwise, one or more IPv6 extension headers will be found before the TCP header and data begins. Since each extension header has another Next Header field (and a Header Length field), this constitutes a linked list of headers before the final extension header, which is followed by the data. UDP packets can also have extension headers.
The Hop Limit field (8 bits) is to prevent packets from being shuttled around indefinitely on a network. Every time a packet crosses a switch or router, the hop count is decremented by one. If it reaches zero, the packet is dropped. Typically, if this happens, an ICMPv6 message (“Time Exceeded”) is returned to the packet sender. This mechanism is how the traceroute command works.
The Source IP Address field (128 bits) contains the IPv6 address of the packet sender.
The Destination IP Address field (128 bits) contains the IPv6 address of the packet recipient.
The following fields from the IPv4 packet header have been eliminated in the IPv6 packet header: Header Length, Identification (Fragment ID), Fragmentation Flags, Fragment Offset, Header Checksum, and Options. The value in the Payload Length field no longer includes the length of the standard packet header. The Flow Label field has no corresponding field in the IPv4 packet header. Some of the missing fields (e.g., fragmentation information) have been pushed into extension packet headers. For example, in IPv6 only fragmented packets have the fragmentation header extension. Unfragmented packets do not have to carry the unnecessary overhead. In IPv4, all packets have the fragmentation fields in their header, whether they are fragmented or not.
IPv6 Packet Fragmentation and Path MTU Discovery
The fields related to fragmentation are now found in the Fragment extension header, which exists only in fragmented packets (no need to clutter up unfragmented packets, as in IPv4). In IPv6, only the originating node can fragment packets (no intervening node is supposed to do this). The originating node uses MTU Path Discovery to determine the “width” of the proposed path (the maximum packet size that it can handle). MTU stands for Maximum Transmitted Unit (maximum packet length). Any packets larger than that size must be fragmented before transmission by the originating node and reassembled upon receipt by the destination node. There is a default packet size that any IPv6 node must be able to handle (1280 bytes). MTU Path Discovery allows the sender to determine if larger (more efficient) packets can be used. The originating node assumes the path MTU is the MTU of the first hop in the path. A trial packet of this size is sent out. If any link is unable to handle it, an ICMPv6 Packet Too Big message is returned. The originating node iteratively tries smaller packet sizes until it gets no complaints from any node and then uses the largest MTU that was acceptable along the entire path. This process takes place automatically in the Internet Layer. There is no corresponding mechanism in IPv4.
Extension Headers (New in IPv6)
After the main header, there can be zero or more extension headers , before the payload (actual packet data). This approach makes IPv6 highly extensible, for new functionality in years to come. Several extension headers are already defined, and doubtless more will be defined over time.
A model depicts the typical I P v 6 packet header with extensions. It has a basic I P v 6 headers, T C P header, data, routing extension header, fragment extension header, and first fragment of data as some of the elements
Typical IPv6 packet headers with extensions
Options extension header
Hop-by-Hop Options extension header
Routing extension header
Fragment extension header
Destination extension header
Two extension headers are used for IPsec (IP Layer security). The IPsec Authentication extension header (IPsec AH) is defined in RFC 2402, “IP Authentication Header,” November 1998. The Encapsulating Security Payload header (IPsec ESP) is defined in RFC 2406, “IP Encapsulating Security Payload (ESP),” November 1998.
IPv6 basic header
Hop-by-Hop Options header
Destination Options header (for options to be processed by more than just the final recipient)
Routing header
Fragment header
Authentication header
Encapsulating Security Payload header
Destination Options header (for options to be processed only by the final recipient)
Upper Layer header (TCP, UDP, or SCTP)
Hop-by-Hop Options header: Used to carry optional information that must be examined by every node along a packet’s delivery path. This option is indicated by a Next Header value of 0.
Routing header: Used by an IPv6 source node to list one or more intermediate nodes to be “visited on the way” to a packet’s destination. This is similar to IPv4’s Loose Source and Record Route option. The Routing header is identified by a Next Header value of 43.
Fragment header: Used by an IPv6 source to send a packet larger than would fit in the path MTU to its destination. In IPv6, packet fragmentation is performed only by the source node, which must use MTU discovery to determine the maximum packet size along the proposed path. The Fragment header is identified by a Next Header value of 44.
Destination Options header: Used to carry optional information that needs to be examined only by a packet’s destination node(s). The Destination Options header is identified by a Next Header value of 60.
For the specific details on each of the above header extension packets, see RFC 8200. The Authentication header and ESP packet headers will be described later, under IPsec.
IPv6 Addressing Model
Some people are aware that you can use IPv4 addresses instead of nodenames in web URIs, for example: http://123.45.67.89/main.html. You can also use IPv6 addresses, but because colons demark other things in URIs (such as nonstandard port number), you cannot use IPv6 addresses “as is”; enclose them in square brackets ([]). For example, http://[2001:df8:5403:3000::d]/nagios is a valid URI that includes an IPv6 numeric address.
When an RIR (e.g., APNIC) allocates a “/32” block of addresses to an ISP, they assign the first 32 bits of those addresses, based on the next available “/32” block from the unallocated pool at that time. A “/32” block contains 65,536 “/48” blocks to allocate to customers. If the ISP allocates all those, then the RIR will give them a new “/32” block, each address of which will have a completely different first 32 bits from the addresses in the previous “/32” block given to the ISP. The leftmost, or most significant, 32 bits of every address in a given “/32” block will all be the same. All addresses from smaller blocks (like a “/48” block or “/64” block) carved out of that “/32” block by the ISP (for allocation to customers) will have the same first 32 bits. For example, many of NTT America’s IPv6 allocations include addresses that start with “2001:418::/32”. No other ISP in the world will ever be allocated a “/32” block with those particular first 32 bits. Up to 65,536 of NTT America’s customers might get “/48” blocks whose addresses start with those 32 bits.
When an ISP allocates a “/48” block for a customer from their “/32” block, the next 16 bits (following the first 32 bits) are chosen by that ISP, so that the first 48 bits will be unique to that customer in the entire world. The first 48 bits of every address in a “/48” block given to an end-user organization will all be the same but will be different from the first 48 bits of the addresses in any other “/48” block in the world. You can think of this 48-bit sequence as the organization prefix. All addresses in our “/48” block from HE happens to start with “2001:470:ed3a::/48”. No other customer of HE has ed3a in the third 16-bit field of their addresses. When a customer deploys subnets, they choose a further 16-bit value (unique within their organization) for each subnet, which, together with the organization’s 48-bit prefix, creates a globally unique 64-bit prefix for a working subnet. This can be used to manually configure 128-bit addresses for nodes on that subnet, or they can be configured on the Router Advertisement Daemon that supplies prefixes to nodes in that subnet for Stateless Address Autoconfiguration. If using stateful DHCPv6, the administrator can also create pools of addresses for assignment, where each 128-bit address in a pool has that same 64-bit subnet prefix.
IPv6 Packet Transmission Types
In IPv4, there were several packet transmission types (unicast, anycast, and multicast). IPv4 multicast uses class D addresses, while all other addresses are unicast (or reserved). There is no real concept of scope in IPv4 (the part of the network in which a given address is valid and unique). IPv4 “private addresses” are a step in this direction, but IPv6 defines real scope rules for certain kinds of addresses. These concepts are defined in RFC 4291, “IP Version 6 Addressing Architecture,” February 2006. Note: In Windows, “ping” is used for both IPv4 and IPv6. In Linux and BSD, the “ping” command is used just for IPv4 – in IPv6, the command is “ping6.” In the following, I use just the generic “ping,” but be aware that for IPv6 on some platforms, “ping6” would actually be used.
IPv6 Address Scopes
Node Local: Valid only within the local node (e.g., loopback address).
Link Local: Valid only within a single network link (subnet). All such addresses start with the 10 bits “1111 1110 10” followed by 54 bits of 0 (fe80::/64). When specified in commands, you usually must follow a link-local address with “%” and the interface ID of the link it is connected to. In FreeBSD, this might be something like “fxp0”, so to ping a link-local address, you might use the command
In Windows, interface IDs are numbers, so a ping command there might look like
Site Local: Valid only within a “site.” They start with the 10 bits “1111 1110 11” (fec0::/10). These were intended to be like IPv4 RFC 1918 “private addresses,” but are no longer used as of RFC 3878, “Deprecating Site Local Addresses,” September 2004.
Global: Valid anywhere on the IPv6 Internet. Global unicast addresses are in the 2000::/3 block. When you specify global addresses, there is no need to append the interface ID, so a ping command for such an address might look like
IPv6 Address Types
:: (all bits zero): The unspecified address must never be assigned to any node.
::1 (127 zeros followed by a 1): The loopback address for IPv6 (corresponds to 127.0.0.1 in IPv4).
An anycast address can specify any of a group of addresses (usually on different nodes). A packet sent to an anycast address will be delivered to exactly one of those interfaces, typically the “nearest” one (in the network sense, not geographic sense). Anycast addresses look just like unicast addresses and differ only in being injected into the routing protocol at multiple locations in the network.
With the scopes larger than the organization, multicast addresses must be specifically configured on nodes (you have to “subscribe to that channel”). If you ping the multicast address ff0e::1, you are not going to get a response from every node on earth, unless you can first talk everyone into adding that address to their nodes. Even then, various routers along the way would probably block that packet. An organization’s routers enforce the scope rules so that link-local multicast addresses will not cross any routers, organization-local multicast addresses will not cross the organization’s border router, but global multicast addresses will cross any router (in the real world, this is actually managed by the MLD, the Multicast Listener Discovery protocol, and PIM, the Protocol Independent Multicast protocol).
These addresses are used by ND (the Neighbor Discovery protocol) in the process of mapping IPv6 addresses to Link Layer (MAC) addresses.
There is no broadcast address in IPv6, but a multicast to all nodes on the local link multicast group ff02::1 will have pretty much the same result.
Perhaps someday there will be a central authority to coordinate use (and allow reservation) of multicast group IDs. No such authority currently exists. Once IPv6 multicast broadcasters start making their programming available over large regions (or even worldwide), such coordination will be necessary and corresponds to the FCC’s management of broadcast frequencies that prevent stations from interfering with each other. Because the number of potential group IDs is so large (2112 or about 5.19 e+33), for now, choosing them randomly is sufficient. The probability of any two randomly generated group IDs being the same is quite low, even with millions of people using this scheme. You might think of these group IDs as being in some sense channel numbers as found today on TVs. I can envision a search engine that would allow you to find multicast channels associated with programming that caters to specific tastes, such as Bollywood music videos over IPTV.
Special Case: IPv4-Compatible IPv6 Addresses (Now Deprecated)
The entire 4.3 billion addresses of IPv4 were mapped into the IPv6 address space, not just once, but twice – once as IPv4- compatible IPv6 addresses (::w.x.y.z) and a second time as IPv4-mapped IPv6 addresses (::ffff:w.x.y.z).
The addresses in the first special block all start with 96 bits of 0, followed by a 32-bit IPv4 address (which can be specified in dotted decimal). When you send traffic to an IPv4-compatible IPv6 address, it is sent as an IPv6 packet, but encapsulated with an IPv4 header, with the Protocol field of the IPv4 packet header set to 41 to indicate that the payload is an IPv6 packet. The IPv4 header allows the traffic to travel across an IPv4-only infrastructure. Upon receipt, the packet payload (the IPv6 packet) is passed to IPv6. This is called automatic IPv6 tunneling over IPv4 networks (defined in RFC 2893, “Transition Mechanisms for IPv6 Hosts and Routers,” August 2000).
IPv4-compatible IPv6 addresses were deprecated in RFC 4291, “IP Version 6 Addressing Architecture,” February 2006. No current transition mechanism uses them. New implementations are not required to support these addresses. Note however that two special addresses that are widely used actually fall into this range, the “unspecified” address (all zeros, or “::”) and the loopback address (“::1”).
Special Case: IPv4-Mapped IPv6 Addresses (Still Valid)
In general, it is best to avoid use of these addresses since support varies from operating system to operating system, behavior is implementation dependent, and there are potential vulnerabilities if it is enabled. It was originally intended as a transition mechanism, but it caused more problems than it solved, so it is better left unused and, ideally, disabled.
Simple IPv6 Address Assignment Scheme (for Manually Assigned Addresses)
The following is not part of any standard, IETF or otherwise. It is a best-practices recommendation, which may help you in migration to IPv6.
Many administrators have adopted a simple scheme for assigning IPv6 addresses manually to nodes, based on existing IPv4 address conventions or actual addresses. It could be argued that it can lead to confusion (by humans) between decimal and hexadecimal. It uses the same numeric digits that are currently used in your IPv4 scheme, to create what are really hexadecimal fields. It is possible to use the numeric digits (0–9) to create up to three hex digits in each of the four 16-bit groups in the IPv6 interface identifier. The resulting address may look strange in binary, but this scheme will make it easier for you to keep track of your IPv6 nodes and is especially useful in dual-stack networks, where you can use what appears to be the “same” address (not counting the prefix) on a given node, in both IPv4 and IPv6.
Using only the IPv4 interface identifier is less likely to produce addresses that collide with automatically generated addresses but requires a good understanding of IPv4 subnetting (see the preceding discussion). Use whichever scheme makes the most sense to you but try to be consistent.
Note that the addresses 123.45.67.1/24 and 192.168.0.1/16 would both produce fe80::1 as the equivalent IPv6 address, but this would not produce a conflict since they are in different subnets, and link-local addresses are valid only within a single subnet.
Obviously, no addresses generated with Stateless Address Autoconfiguration will use this convention, although you should be careful to make sure there are no conflicts between addresses you create and automatically generated addresses. Duplicate Address Detection during automated address creation should detect such conflicts. On the other hand, you can easily create DHCPv6 address pools that will be consistent with these schemes.
I recommend that you avoid use of this mixed notation altogether. If you use the Simple IPv6 Address Assignment scheme , be very careful to use colons (not dots) between all fields, as software that understands the mixed address syntax will interpret addresses with dots in the last four groups as perfectly valid “mixed” notation. This will result in some odd problems. The mixed notation was really intended for use with IPv4-mapped IPv6 addresses, but it works anywhere. You should never create addresses using it, but you need to know about it in case you see addresses written in it by someone else.
Multiple IPv6 Subnet Numbers on a Single Network Link
A single network link can actually have addresses with more than one 16-bit subnet number at any given time. For example, the prefix 2001:df8:5403:1600::/64 may be used with stateless autoconfiguration, while the prefix 2001:df8:5403:1601::/64 could be used with stateful autoconfiguration using DHCPv6 on the same network link. You could also have manually assigned addresses using a third prefix (e.g., 2001:df8:5403:1602::/64) on the same network link. Addresses with different subnet numbers, but the same interface identifier, are not in conflict. Normally, you only broadcast one 64-bit prefix with Router Advertisement messages onto a given network link, so all addresses created with stateless autoconfiguration in a given subnet will have only that one 64-bit prefix. It is possible in some implementations to advertise many prefixes on each network link. If multiple prefixes are advertised, there will still be only one default gateway, which is the link-local address of the gateway that is sending Router Advertisement messages. Another alternative is to define a subnet size greater than /64 on a single network link that includes all the desired subnet numbers. With a “/60” subnet, you can actually have 16 sequential /64 subnet numbers in a single network link (the first subnet number has to be an integral multiple of 16). This is called supernetting. Do this only if you really understand what you are doing.
Multiple IPv6 Addresses on a Single Node
Unlike with IPv4, it is completely normal for IPv6 nodes to have multiple valid addresses. They don’t even all have to have the same subnet number (if you are running multiple subnet numbers on a single link ). A single node could have addresses with each of the preceding 64-bit prefixes (or even multiple manually assigned addresses) at any given time. It could also have various multicast addresses. One of the unicast addresses (chosen at random) will be used as the source address of packets sent by that node, but incoming packets addressed to any of the addresses owned by the node will be accepted.
The loopback address (::1): Always present.
The all-nodes multicast addresses (ff01::1, ff02::1, etc.): Only the “on node” and “on link” scoped multicast addresses are created automatically – ones with larger scope must be specifically assigned to each node that you wish to accept such addresses.
The automatically generated link-local unicast address.
Any additional unicast and anycast addresses that have been assigned to any of the node’s interfaces, manually or automatically.
The solicited node multicast address for each of its unicast and anycast addresses (created automatically for you when the corresponding unicast or anycast address is assigned).
Multicast addresses for all other groups to which the node has subscribed.
The subnet-router anycast address for all interfaces for which it is configured to act as a router
All other anycast addresses with which the router has been configured
The all-routers multicast addresses (ff01::2, ff02::2, ff05::2)
Automatically Generated Interface Identifiers Based on EUI-64
By default, every IPv6 interface will create a unique link-local address (fe80::w:x:y:z). If there is a Router Advertisement Daemon configured and running on the link, the node will also automatically create a global unicast address by using the 64-bit subnet prefix from the Router Advertisement message. It either can generate the interface identifier (low 64 bits) from the node’s MAC address (using EUI-64) or can use a random 64-bit value. This is described in RFC 4291, “IP Version 6 Addressing Architecture,” and RFC 2464, “Transmission of IPv6 Packets over Ethernet Networks.”
This is a reversible mapping, so given an EUI-64 identifier, it is trivial to determine the MAC address of the node (discard the FFFE in the middle 16 bits and invert the seventh bit of the remaining 48-bit value). Note: The seventh bit in the first byte of all valid Organizationally Unique Identifiers, hence of all MAC addresses, will always be 0.
One of the security advantages of IPv6 is supposed to be that the number of possible addresses in a subnet (264) is so large that it is impractical to scan all of them to discover all the nodes on a subnet (this is called mapping a subnet). If EUI-64 interface identifiers are used, there are so few of these (in comparison with the total possible number of interface identifiers) that it is possible to scan for them (especially with the knowledge of which Organizationally Unique Identifiers are actually in use, which is not difficult to determine).
Randomized Interface Identifiers
The reason you might want to disable randomization is that some servers will only accept a connection from nodes for which they can perform a reverse DNS lookup. This often will fail with randomized identifiers. Note that use of randomized interface identifiers can make it very difficult to determine to whom specific traffic in a log belongs, unless a record is kept of randomized interface identifiers used by each node.
When a randomized address changes, the old address is kept around for some time, but marked as deprecated, which means your node will not use it for further outgoing connections. It will accept incoming replies addressed to a deprecated address until that address becomes invalid, which it eventually will be. Since you aren’t making new outgoing connections with it, replies to it will cease fairly quickly. Addresses with randomized interface identifiers are used primarily for outgoing connections (and replies thereto). A node that can accept incoming connections from anyone should have (possibly in addition to other addresses) a static (unchanging) unicast address, which is published in DNS. This would be used by other nodes that want to connect to it. A node that only ever makes outgoing connections need not have such a static address assigned to it, and there is no need to publish its name and IPv6 address in DNS (at least not in your external DNS). Remember in IPv6, it is much more likely that other nodes will be connecting to your node (for VoIP, VPNs, P2P, etc.). The age of NAT (and one-way connectivity) is over.
IPv6 Address Allocation
The standard allocation block to be given to organizations is a “/48,” which is 65,536 subnets, each of which is a “/64” block consisting of 264 or about 18 billion, billion addresses (about 4 billion times the total number of addresses in the Second Internet). Some ISPs may choose to allocate only a single “/64” block to individuals or home users, who have no need for multiple subnets. It is not practical to allocate only a single IPv6 address (a “/128” block) to a user, due to the fact that nodes often create new addresses. One “/48” block will supply 65,536 individuals or homes with “/64” blocks. Perhaps I’m a bit unusual, but I already have two subnets in my home today (one dual stack, one IPv6-only). Who knows, I might have a bunch someday! My company has a “/48” (2001:df8:5403::/48), which we divided into 16 “/52” sub-blocks, each of which has 4096 subnets. I have one of these “/52” sub-blocks (subnets 3000–3fff) routed to my house. That should just about take care of me for some time to come. A single “/64” block should work for most home users.
ISPs are allocated really big “/32” blocks of addresses, which are enough to allocate “/48” blocks for up to 65,536 customers. Should they use up an entire “/32” block, there are plenty more “/32” blocks where that one came from (about 536 million of them just in the 2000::/3 block marked for allocation). The RIRs (ARIN, RIPE, APNIC, LACNIC, and AfriNIC) will be happy to give an ISP all they can use. If you assume there are 7 billion people alive, there are over 5000 “/48” blocks for every human alive, just out of the 2000::/3 range currently marked for allocation. It is extremely unlikely that any single human will ever be able to use any appreciable percentage of their “fair share” of addresses, let alone have the IANA run out. The folks in Taiwan say they want to connect 3 billion devices to the Internet in the next couple of years. This would take three-fourths of the entire Second Internet’s address space but could be handled with a tiny fraction (less than 1 billionth) of a single “/64” block with IPv6, should they want to have them all in one block for some bizarre reason. It will be quite a while before anyone worries about IPv6 address space exhaustion (famous last words?).
The People’s Republic of China believes that they were cheated out of sufficient IPv4 addresses to participate fully in the Second Internet. By the time China started deploying IPv4, if they had taken all the remaining addresses, over 90% of the people there would not have gotten one. The Second Internet recently passed an interesting threshold. There are now more Chinese-speaking users on it than English-speaking users. If you recall the chart of allocated addresses earlier in this book, the United States has over 43% (28% ARIN + 15% legacy, both of which are mostly US users) of the total IPv4 address space for less than 5% of the world’s population. In comparison, APNIC, which includes China, India, and several other populous countries (all together about 50% of the world’s population), has only 16% of the IPv4 address space. When the IPv4 addresses were all gone in September 2011, APNIC would probably still have less than 20% of the IPv4 address space (about .28 addresses per person), while the United States would probably have about 45% (about 6.4 addresses per person). However, note that about one-third of that 45% are held by fewer than 50 organizations (like MIT, Apple, HP, etc.). The distribution of addresses in the Second Internet was (and remains) anything but equitable. It’s really pretty much impossible to do anything about that now. We’re doing it right on the Third Internet. The Second Internet was really an American thing that they shared (to some extent) with the rest of the world. The Third Internet is the first truly global Internet. Every country can have as many public addresses as they can conceivably use.
Should We Reserve Some IPv6 Addresses for Developing Nations?
There has been talk from the ITU (International Telecommunication Union ) about reserving some IPv6 address space for developing nations to make absolutely certain that nobody ever gets left out again, as has happened in the Second Internet. There are so many IPv6 addresses that there is essentially no chance of this ever happening. The ITU might as well try to reserve a few trillion grains of sand (maybe a dump truck’s worth) to make sure that every country can be assured of getting their fair share of grains of sand. The total number of IPv6 addresses is on the same general scale as the number of grains of sand on earth.
Note that block 2000::/3 (which you can also think of as blocks 2000::/16 through 3fff::/16) is currently the only part of the overall space marked for unicast address allocation. This is only one-eighth of the total IPv6 address space. Even so, this is still 2125, or about 4.15 e+37, addresses. You can also view this as 245 (about 35.2 trillion) “/48” blocks or just over 5000 “/48” blocks per human alive in 2010 (using the worldwide population as 7 billion). Should we ever use this up, there are still at least 5.5 times that much space currently not used for anything (from 4000::/16 to efff::/16) that we could repurpose for additional allocation.
I personally don’t think there is any reason to reserve a special block of addresses for anyone, including developing nations. Unlike with IPv4, there are plenty of addresses for everyone this time around.
The People’s Republic of China (and every other country) will have plenty of addresses in the Third Internet, and this is one reason they are investing so heavily in it. India is now determined to deploy IPv6 nationwide and had quite a bit deployed by the end of 2010. By some measure they were at 60% deployment in 2019. The inequitable distribution of addresses in the Second Internet may also account for some of the lack of urgency to migrate to the Third Internet in the United States. Unfortunately, it is not simply a matter of still having enough IPv4 addresses. Imagine if the United States stayed with Standard-Definition NTSC TV, while the entire rest of the world went with globally standard High-Definition TV. The United States would not be able to export their programming to anyone else nor import programming from the rest of the world. If they choose to stay with IPv4, they will be isolating themselves in some very serious ways. It’s not completely ridiculous to think that the United States might decide not to deploy the Third Internet. Look what happened with the metric system. If IPv4 is “riding horses” and IPv6 is “driving cars,” you don’t need to wait until the last horse dies before you get a car. The “cars” (IPv6) are ready and widely available today. Those who adopt cars first will leave those still riding horses way behind. I’d suggest you migrate to IPv6 as soon as possible. Countries that master it and start creating products and applications based on it will have a giant head start in the twenty-first century over those who wait until the last possible minute.
How Is the Entire IPv6 Address Space Divided Up?
RFC 1881, “IPv6 Address Allocation Management,” December 1995
RFC 3879, “Deprecating Site Local Addresses,” September 2004 (affects FEC0::/10)
RFC 4048, “RFC 1888 Is Obsolete,” April 2005 (dropping mapping of OSI addresses)
RFC 4193, “Unique Local IPv6 Unicast Addresses,” October 2005
RFC 4291, “IP Version 6 Addressing Architecture,” February 2006
The 6bone was an early worldwide IPv6 testbed. It used addresses from 3ffe::/16 (as per RFC 2471,9 “IPv6 Testing Address Allocation,” December 1998). These have since been returned to the overall allocation pool as per RFC 3701,10 “6bone (IPv6 Testing Address Allocation) Phase-Out,” March 2004, once the 6bone had served its purpose and was shut down. Interestingly, some addresses from this block still show up on the IPv6 backbone. Among other places, they are still used in IPv6-ready tests, so if an IPv6-ready test network is connected to the main Internet, those addresses could be accidentally routed. Even though they are just more IPv6 unicast addresses now, I would recommend against using them in production systems, just in case. It’s not like there aren’t plenty of other IPv6 unicast addresses to use.
Note that this data does not reflect the actual number of addresses or the volume of traffic, just the number of distinct 48-bit prefixes, which is a rough indication of the number of organizations investigating IPv6. Much of this in the United States is probably research or academic. As percentages of the gigantic total number of “/48” blocks available for allocation, all these are essentially zero (pretty much all the 2000::/3 IPv6 address space is still available for allocation). This tiny percentage is more an indication of the colossal size of the IPv6 address space than of any lack of interest or activity.
A line graph depicts the percentage of networks that includes I P v 6 over the years and depicts an increasing trend. It covers four specific regions and all countries.
IPv6 deployment by region
Classless Inter-Domain Routing (CIDR)
There is no reason to implement CIDR for IPv6. It was done in IPv4 only to extend the lifetime of the IPv4 address space long enough for IPv6 to be fully developed, which has now happened. There is no need to extend the lifetime of the IPv6 address space. If IPv6 had been ready and we had migrated to it in the mid-1990s, we would never have had to suffer through the complexities brought about by CIDR and NAT. The reason we are having to deal with these issues today is that we have already stayed with IPv4 far too long. Imagine trying to do serious work today with an 8-bit processor and 64K bytes of RAM.
Network Ports
Network ports work exactly the same way under IPv6 as they do in IPv4. There are still 65,536 of them associated with every IPv6 address. They could have gone to 32-bit port numbers (yielding 4.3 billion ports for each address), but this would have required even more changes in packet headers and other places, so this was not done. 65,536 is plenty for almost any need, especially since you can assign any number of global unicast addresses to a single interface (each of which has 65,536 ports). The same well-known port numbers are used in IPv6 as in IPv4. The only difference is that you will never see port numbers on IPv6 addresses being shifted by a NAPT gateway, since there is no NAT for IPv6 to IPv6. Note that a given port being used over IPv4 does not prevent it from being used by the same or even a different application, over IPv6 (and vice versa).
Subnetting in IPv6
There is no CIDR in IPv6 (although the CIDR “slash notation” is still used). As a result, subnetting is much simpler in IPv6. All subnets are “/64.” The only exception is if you do supernetting (e.g., a “/60” subnet) to allow multiple “/64” blocks to be used on a single network link. This will likely only be done in large, advanced corporate networks, so most network engineers will never see anything but “/64” subnets.
The only reason for doing this might be to use different “/64” subnets for specific purposes, such as 1000 for SLAAC, 1001 for DHCPv6-assigned addresses, and 1002 for manually assigned addresses. If you use EUI-64 interface identifiers for SLAAC, it is not difficult to partition a single “/64” so there will be no overlap between SLAAC, DHCPv6, and manual assignments. If you use random interface identifiers, they may fall anywhere in a “/64” address space. However, the probability of one colliding with an address assigned manually or via DHCPv6 stateful mode is incredibly low, and Duplicate Address Detection should prevent the odd collision. Having at least two “/64” subnets in a single network (one for SLAAC, one for manually and DHCPv6-assigned addresses) removes all possibility of an address collision.
Each subnet needs to be at least a “/64,” since EUI-64 can generate “node within subnet” values that are 64 bits long. Randomized interface identifiers are also 64 bits in length. But a “/64” subnet is already larger than any organization could conceivably use (18 billion, billion addresses). There are so many “/64” blocks in a single “/48” (65,536) that we can use them even for subnets between a border router and a firewall, which have only two addresses. There is never an excuse to use any subnet smaller than a “/64,” although I have seen some old-school IPv4-trained administrators allocate “/124” IPv6 subnets for the link between a border gateway and firewall case (in IPv4, tiny subnets like /30 would be used in such a case). Old habits die hard. After living with increasing scarcity with IPv4 addresses, it is hard for some of us to realize that there are PLENTY of addresses this time around.
Link Layer Addresses
The software in the Application Layer, the Transport Layer, and the Internet Layer of the IPv6 stack think in terms of IP addresses. But the Link Layer (and the hardware) thinks in terms of MAC addresses. In IPv6 the mapping from IPv6 address to Link Layer (MAC) address is done with the Neighbor Discovery protocol. Note that in this book, I often use the terms Link Layer address and MAC address interchangeably.
A Link Layer address is a “MAC address” only for Ethernet-based network hardware (and a few others), so when I use the term MAC address, think “physical layer address for the actual network hardware in use.” The term Link Layer address is more accurate (a MAC address is just a special case of Link Layer address), but it is easy to confuse it with the similar-sounding term link-local address. Just realize that if the actual network in use is not Ethernet, there may be some other name for the physical layer addresses that IP addresses have to be mapped onto, and it may not look anything like the 48-bit MAC address.
IPv6 addresses are not actually used at the lowest layer of the IPv6 network stack (the Link Layer). The 48-bit MAC addresses covered in Chapter 3 still exist and are used the same way at the Link Layer (at least for Ethernet networks).
Neighbor Discovery (ND) Protocol
Router discovery: A host can locate router(s) residing on any link to which it is attached.
Prefix discovery: A host can discover the correct 64-bit prefix for any link to which it is attached.
Parameter discovery: A host can determine the correct IPv6 parameters, for any link to which it is attached, such as MTU.
Stateless Address Autoconfiguration (SLAAC): A host can automatically obtain a link-local address and, if a Router Advertisement Daemon exists, also a global unicast address.
Address resolution: Mapping IPv6 addresses to MAC addresses (as the replacement for ARP).
Next-hop determination: Hosts can determine the next-hop router for a given destination address.
Neighbor Unreachability Detection (NUD): Determine that a given neighbor is no longer reachable on any attached link (there is no corresponding IPv4 functionality).
Duplicate Address Detection (DAD): Hosts can determine if a proposed address is already in use.
Redirect: A router can inform a host about a better (or working) first hop.
Router Solicitation: Request a Router Advertisement message.
Router Advertisement: Router advertises the 64-bit prefix and parameters for a link, usually sent by a Router Advertisement Daemon living in a gateway router or firewall. The Router Advertisement Daemon can send different information into each attached link, if there are multiple links. This also tells nodes whether or not there is a DHCPv6 server available.
Neighbor Solicitation: Any node can say “Howdy, neighbor” to another node to see if it responds.
Neighbor Advertisement: Response to a “Howdy, neighbor” message from someone else.
Redirect: A router can inform any node that there is a better first hop available than one it has just tried (“there’s a bridge out along that road; try going down this road”), based on its discovered knowledge of the surrounding network.
By the way, some people use “NDP” as the initialism for the Neighbor Discovery protocol (see Wikipedia). If you read the RFCs, the creators of the protocol use just “ND,” so we will use that convention in this book. The initialisms of some protocols include the “P” (for Protocol) (e.g., TCP), while others don’t (like MLD). I follow the conventions used in the RFCs.
IPv6 Router Advertisement messages carry link-layer (MAC) addresses , so no additional packet exchange is required to resolve the router’s Link Layer address. They also carry prefixes, so no separate mechanism is needed to configure a netmask.
By using link-local addresses to uniquely identify routers, hosts can maintain router associations. This capability is necessary for Router Advertisements and for redirects. Hosts need to maintain router associations if the site switches to a new global prefix.
ND is immune to spoofing attacks that originate from off-link nodes. In IPv4, off-link nodes can send ICMPv4 Redirect messages and IPv4 Router Advertisement messages.
TENTATIVE: Generated, but not yet determined by DAD to be unique – attempts to bind() to the address fail with EADDRNOTAVAIL, as if the address doesn’t exist (this can cause race conditions)
DUPLICATED: Generated and determined by DAD to be duplicated (hence unusable)
PREFERRED: Generated and determined by DAD to be unique (hence valid)
DEPRECATED: A preferred address that has passed its preferred lifetime (still valid, and incoming packets addressed to it will be accepted, but no further outgoing packets will be sent using it)
INVALID: A deprecated address that has passed its valid lifetime (may no longer be used for sending or receiving packets)
Here are the details of the various functions that ND can perform.
Router Discovery
Step 1: The node sends a Router Solicitation message to the “all routers on link” multicast group (ff02::2). If the node’s link-local address has already been created, then that will be used as the source address; else, the unspecified address (“::”) will be used as the source address.
Step 2: All routers on the link will respond with Router Advertisement messages, usually to the “all nodes on link” multicast group (ff02::1), but if the source address of the Router Solicitation message was a link-local address, the router can choose to send the Router Advertisement message directly to that address. The source address of each received Router Advertisement message is added to a default gateway table (from which the preferred link-local default gateway will be chosen). The Prefix Information option in all the responses should be the same, so the subnet prefix from the last received Router Advertisement message will be used.
IPv6 router discovery corresponds roughly to IPv4 router discovery (which was defined in RFC 1256, “ICMP Router Discovery Messages,” September 1991), but in IPv6 it is a part of the base protocol. There is no need for hosts to snoop the routing protocols to discover a router. IPv4 router discovery contains a preference field, which is not needed in IPv6 router discovery because of Neighbor Unreachability Detection. IPv4 Router Advertisements and Solicitations (ICMP type 9) work only with multicast-capable IPv4 routers and are not commonly used. All IPv6 nodes support multicast, and Router Advertisements are a fundamental part of almost every nontrivial network.
Address Resolution (Mapping IPv6 Addresses to MAC Addresses)
Step 1: Alice checks her Neighbor Cache (similar to the ARP table in IPv4) to see if it already has an entry with Bob’s IPv6 address. If it does, then Alice sends the packet immediately to Bob using Bob’s MAC address from her Neighbor Cache, and she is finished. If Alice’s Neighbor Cache doesn’t have an entry for Bob’s IPv6 address, the process continues.
Step 2: Alice adds a new Neighbor Cache entry for Bob, in the INCOMPLETE state. Alice then sends a Neighbor Solicitation message to Bob, using Bob’s solicited node multicast address as the destination address. Any of the addresses assigned to Alice’s interface can be used as the source address of this packet, but if possible, it should match the source address of the original packet Alice wanted to send. Alice includes her MAC address as the Source Link Layer Address option in this packet. This ensures Bob will have Alice’s MAC address when it’s time for him to reply.
Step 3: Bob receives the Neighbor Solicitation message and responds with a Neighbor Advertisement message, sent to Alice’s MAC address.
Step 4: Alice receives the Neighbor Advertisement message from Bob and then updates Bob’s entry in her Neighbor Cache.
Step 5: Alice can now send the original packet she wanted to send to Bob using his MAC address.
Prefix Discovery
The Source Link Layer Address (the sending router’s MAC address.
The MTU (the maximum packet size supported on this link)
The Prefix Information (the preferred address prefix for this subnet).
Step 1: The node wanting to discover the subnet prefix sends a Router Solicitation message, using its own link-local address as the source and the “all routers in local link” multicast group (ff02::02) as the destination address.
Step 2: All routers on the local link respond with Router Advertisement messages, with their own link-local address as source and the “all nodes on local link” multicast group (ff02::1) as the destination. The Router Advertisement message includes at least the subnet prefix option. This prefix is extracted from the prefix option and stored as the subnet prefix. All routers will respond with the same prefix, but the last Router Advertisement message received will have the subnet prefix that is used.
Duplicate Address Detection (DAD)
Step 1: The node owning the tentative address sends a number of Neighbor Solicitation messages using the unspecified address (::) as the source address, the solicited node multicast address as the destination address, and the TENTATIVE address as the target address.
Step 2: If any node on the link is already using the TENTATIVE address, it will respond by sending a Neighbor Advertisement to the “all nodes on local link” multicast group (ff02::1). If no such response is seen during a short interval (configurable), then the TENTATIVE address is considered to be unique.
Stateless Address Autoconfiguration (SLAAC)
A flowchart depicts the stateless address autoconfiguration operation. An I P v 6 host is connected to a I P v 6 router via router solicitation and router advertisement message.
SLAAC operation, M=0, O=0
Step 1: The node creates a 64-bit interface identifier. This can be created using the MAC address and the EUI-64 algorithm or can be a randomly generated value (“randomized interface identifier”).
Step 2: The host creates a TENTATIVE link-local address. This is done by appending the chosen interface identifier to the prefix fe80://10. DAD is performed to determine if the link-local address is unique. If so, that address goes to the PREFERRED state, its lifetime starts counting, and the process continues. If the address is duplicated, the address goes to the DUPLICATED state, the interface is disabled, and the SLAAC process fails without having generated any addresses.
Step 3: The host sends a Router Solicitation message to the “all routers on link” multicast group (ff02::2). If the node’s link-local address has already been created, then that will be used as the source address; else, the unspecified address (“::”) will be used as the source address. All routers on the link will respond with Router Advertisement messages, usually to the “all nodes on link” multicast group (ff02::1), but if the source address of the Router Solicitation message was a link-local address, the router can choose to send the Router Advertisement message via unicast to just that address. The source address of each received Router Advertisement message is added to a default gateway table (from which the preferred link-local default gateway will be chosen). The Prefix Information option in all of the responses should be the same, so the subnet prefix from the last received Router Advertisement message will be used.
If no router responds to the Router Solicitation message within a certain time, then the SLAAC process terminates, having created a valid link-local node address, but no link-local default gateway and no global unicast address.
Step 4: If we reach this step, a valid Router Advertisement was received with a subnet prefix, so the host combines the discovered subnet prefix with the created interface identifier, to create a TENTATIVE global unicast address for the node. DAD is performed on the tentative global unicast address, and if the address is unique, it goes to the PREFERRED state, and its lifetime starts counting. If not, the address goes to the DUPLICATED state, the interface is disabled, and the SLAAC process terminates, again having created a valid link-local address and a link-local default gateway address (but no global unicast address).
Anytime a link-local or global address lifetime expires (enters the INVALID state), address regeneration is done. If using randomized interface identifiers, a different random interface identifier is created for each address regeneration. If using EUI-64 interface identifiers, the regeneration process basically just confirms that the addresses are still valid – they don’t actually change. If something has changed since the last validation (e.g., gateway down, link broken, etc.), the SLAAC process may fail, and the address is marked INVALID.
Next-Hop Determination
The prefix of the address must match one of the prefixes assigned to the link.
The address is the target of a Redirect message sent by a router.
The address is the target address of a Neighbor Advertisement message.
The address is the source address of any Neighbor Discovery message received by the node.
If the address is on-link, then the next-hop address is the same as the destination address. If the address is off-link, then the next-hop address is selected from the default router list.
Neighbor Unreachability Detection (NUD)
INCOMPLETE: Cache entry is newly created, and address resolution is in progress. Any transmitted packets are queued. When the address resolution completes, the link-layer address is added into the Neighbor Cache, and the state changes to REACHABLE.
REACHABLE: Any queued packets are immediately sent. Any newly transmitted packets are sent normally. If more than a certain time passes without any traffic to or from the address, the state changes to STALE.
STALE: The reachability of the node is UNKNOWN. The address remains in this state until traffic to that node is generated. At that point, the traffic is queued, and the state changes to DELAY.
DELAY: The address remains in the DELAY state for a short period. The status is still UNKNOWN. Once the delay expires, the probe packet is sent, and the state changes to PROBE.
PROBE: A probe packet has been sent to determine reachability (after the delay), but the result has not yet been obtained. The status is still UNKNOWN. When the result is seen, REACHABILITY is confirmed, and the state changes to REACHABLE. If a certain amount of time elapses without any response, then the node is considered unreachable, any queued traffic is discarded, and an error is generated to the sender.
Note that there is nothing comparable to Neighbor Unreachability Detection in IPv4. IPv6 NUD improves packet delivery in the presence of failing routers and over partially failing or partitioned links. It improves delivery to nodes that change their link-layer (MAC) addresses. For example, mobile nodes can move off-link without losing any connectivity due to stale ARP caches. NUD detects dead routers and dead switches that block access to working routers.
Redirect
A router can send a Redirect message to a packet sender, if there is a better first-hop router or if the destination is an on-link neighbor. In the first case, the Target Address field contains the link-local address of the better first-hop router. In the second case, the Target Address field contains a copy of the destination address. The Destination Address field contains the address of the ultimate packet destination. The router uses its knowledge of the larger environment to generate this information. You might think of a Redirect message as saying something like “There is a bridge out down that road – try going down this road, instead.”
IPv6 redirects contain the link-layer (MAC) address of the new first hop, which eliminates the need for an additional packet exchange to resolve the IP address. Unlike with IPv4 redirects, the recipient of an IPv6 redirect assumes that the new next hop is on-link. The IPv6 redirect is useful on non-broadcast and shared media links. On such links, nodes should not check for all prefixes for on-link destinations.
Viewing the Neighbor Cache
- 1.
Start a command prompt (cmd) and enter the following commands in it.
- 2.
Enter the command netsh –c “interface ipv6”.
- 3.
At the netsh prompt, enter the command show interface.
- 4.
In the resulting list, find the interface index for “Local Area Connection” (say it is 11).
- 5.
At the netsh prompt, enter the command show neighbors 11 (or whatever interface index).
- 6.
You should see global unicast addresses, link-local addresses, and a lot of multicast addresses:
SEcure Network Discovery (SEND)
Note that there are some potentially exploitable vulnerabilities in ND. ARP in IPv4 has several well-known and easily exploited vulnerabilities, used in many hacking attacks. For details of these, search for “ARP Vulnerabilities Black Hat.” You should find an excellent PowerPoint presentation that was presented by Mike Beekey at a Black Hat Briefing security conference. It shows exactly how ARP is vulnerable and how this is exploited by hackers. ARP does not exist in IPv6, so its vulnerabilities do not affect IPv6 networks. However, ND (which replaces ARP) has some new vulnerabilities that do not affect IPv4 networks.
A secure version of ND is defined in RFC 3971,13 “SEcure Neighbor Discovery (SEND) ,” March 2005. This is still a Proposed Standard. SEND uses cryptographically generated addresses, which are defined in RFC 2972,14 “Cryptographically Generated Addresses (CGA),”, March 2005 (this is also a Proposed Standard and has already been updated by RFCs 4581 and 4982). SEND does not depend on IPsec. It is still very much in experimental status even in 2019.
Note that SEND only digitally signs ND packets; it does not encrypt them.
Types of IPv6 Packet Transmission
Unicast, anycast, multicast, and broadcast have already been covered in section 5.3.2.2, because in IPv6, this is considered to be part of the addressing model .
IPv6 Broadcast
Most things that you would use broadcast for in IPv4, you would use some form of multicast, with a more restricted scope, in IPv6. A multicast transmission to the address ff01::2 would go to the same nodes (all nodes on local link) as an IPv4 broadcast . However, there are other scopes, such as site, organization, and global for multicast, that (unlike IPv4 broadcast) will cross routers, but other than “all nodes in local link,” multicast to the wider scopes requires that all recipients intentionally add the necessary multicast address to their node.
IPv6 Multicast
The basic multicast address type has been covered, but there is a lot more to a full multicast system, as you saw in the section “IPv4 Multicast.” For an in-depth discussion of all aspects of IPv6 multicast, I recommend Chapter 6, “Providing IPv6 Multicast Services,” from the book Deploying IPv6 Networks ,15 by Ciprian Popoviciu, Eric Levy-Abegnoli, and Patrick Grossetete, Cisco Press, 2006.
Multicast exists in IPv4, but there are some serious problems with it, which are resolved in IPv6.
Not all IPv4 routers support multicast. In general, it is difficult to deploy except in a “walled garden,” such as the customers of a single ISP like Comcast. In IPv6, support for multicast is mandatory – all compliant routers support it, and it works across ISPs, even worldwide.
The Internet Group Management Protocol (IGMP) is not part of IPv4, and not all IPv4 routers include it. In IPv6, the Multicast Listener Discovery (MLD) protocol is standardized and is actually just a subset of the ICMPv6 messages. Because of this, all IPv6-compliant routers include it.
Multicast in IPv4 was an afterthought, grafted on long after the original protocol was designed. In IPv6, multicast was incorporated from the beginning and is present in all address scopes. Multicast link-local addresses are used extensively in SLAAC and other places.
For IPTV applications, IPv6 networks will be the first time that really global Internet TV services can be deployed and work reliably. This is as exciting as when Ted Turner first relayed the signal from his small UHF TV station via a satellite. That breakthrough resulted in WTBS, CNN, CNN Headline News, TNT, Cartoon Network, and, indirectly, the entire multibillion-dollar satellite/cable television network industry.
There are many other areas in which working, scalable multicast can be used to improve applications. You could build chat, VoIP, or even video conferencing clients that could build fully meshed networks, with each new participant subscribing to all existing clients’ multicast “channels” and all existing clients subscribing to the new participant’s multicast “channel.” Even if the initial participant left, all remaining participants would still have a fully functional mesh network. This also eliminates the need for any central exchange point (other than perhaps a search or directory facility to help in setting up the conference and allowing participants to locate each other).
RFC 2375, “IPv6 Multicast Address Assignments,” July 1998 (Informational)
RFC 2710, “Multicast Listener Discovery (MLD) for IPv6,” October 1999 (Standards Track)
RFC 3306, “Unicast-Prefix-based IPv6 Multicast Addresses,” August 2002 (Standards Track)
RFC 3307 , “Allocation Guidelines for IPv6 Multicast Addresses,” August 2002 (Standards Track)
RFC 3590, “Source Address Selection for the Multicast Listener Discover (MLD) Protocol,” September 2003 (Standards Track)
RFC 3810 , “Multicast Listener Discovery Version 2 (MLDv2) for IPv6,” June 2004 (Standards Track)
RFC 3956, “Embedding the Rendezvous Point (RP) Address in an IPv6 Multicast Address,” November 2004 (Standards Track)
RFC 4489, “A Method for Generating Link-Scoped IPv6 Multicast Addresses,” April 2006 (Standards Track)
RFC 4607, “Source-Specific Multicast for IP,” August 2006 (Standards Track)
Multicast Listener Discovery (MLD) Protocol
MLD is used by IPv6 routers to discover the presence of multicast listeners (nodes that wish to receive multicast packets) and the specific multicast addresses to which they want to subscribe. MLD (defined in RFC 2710) is commonly referred to as MLDv1. It is the IPv6 equivalent to IPv4’s IGMPv2 (defined in RFC 2236). MLDv1 and IGMPv2 multicast protocols are used to set up any-source multicast (ASM), which allows multiple sources in a group (*,G) or “channel.” This is also known as traditional multicast.
MLDv2 extends the definition of MLDv1 by adding support for “source filtering.” It includes all the functionality of MLDv1, so there is no need to deploy both on a given node. This allows a node to indicate interest only in packets from specific source addresses (INCLUDE mode) or in packets from all multicast addresses except for specific source addresses (EXCLUDE mode). MLDv2 is the IPv6 equivalent of IPv4’s IGMPv3. MLDv2 and IGMPv3 multicast protocols are used to set up source-specific multicast (SSM), which allows a specific source (S) in a group (G) to deliver packets to all members that join (S,G) known as a “channel.” This is described in RFC 4604,16 “Using Internet Group Management Protocol Version 3 (IGMPv3) and Multicast Listener Discovery Protocol Version 2 (MLDv2) for Source-Specific Multicast,” and in RFC 4607,17 “Source-Specific Multicast (SSM) for IP.”
There is another RFC that defines MLD proxying: RFC 4605,18 “Internet Group Management Protocol (IGMP)/Multicast Listener Discovery (MLD)-Based Multicast Forwarding (“IGMP/MLD Proxying”).” A proxy would exist on a forwarding gateway that links together multiple subnets and relay messages across that gateway between an MLD Querier on one subnet and MLD listeners on a different subnet.
MLDv1 and MLDv2 are sub-protocols of ICMPv6. All MLDv2 messages are just additional ICMPv6 messages. All IPv6-compliant devices should include support for MLD. MLD messages must be sent with a link-local IPv6 source address, a Hop Limit of 1, and an IPv6 Router Alert Option in the Hop-by-Hop Options extension packet header. When used in Neighbor Discovery protocol’s Stateless Address Autoconfiguration, the source address can be the unspecified address (::). IGMP is not a sub-protocol of ICMPv4. It does not use ICMPv4 messages, but an entirely new protocol. IGMP is not mandatory on all IPv4 routers.
MLD can co-exist with IGMPv3 in a dual-stack network, as MLD (v1 or v2) will only involve IPv6 messages and IGMP (v1, v2, or v3) will only involve IPv4 messages. However, in general, multicast will work far better on IPv6 than on IPv4.
With MLD, there is a “router role” (performed by at most one router in a subnet) and a “listener role” (performed by any number of listener nodes in that subnet) in the protocol.
For the router role, only one router on a subnet can be the Querier at any given time. If there is more than one router on a subnet, there is an election mechanism that selects one of them to be the Querier. Should that router fail at some point, all other routers on that subnet have been listening in and maintaining state, so another election will select one of the surviving routers on that subnet to become the Querier. Only the Querier sends periodic or triggered Query messages on its subnet.
General queries
Multicast address–specific queries
Multicast address– and source-specific queries
Current State Report (sent in response to a query)
State Change Report (sent unsolicited in response to some change on the listener)
General queries are sent from the Querier to all listeners on the subnet periodically to learn multicast address listener information, to build and refresh state inside all multicast routers on the subnet. Even though only the Querier sends out periodic queries, all routers listen to the responses and update their state.
When a listener node gets a General Query message, it responds by sending a Current State Report, with its per-interface state information. It is also possible for a listener node to immediately report a state change (such as someone “unsubscribing” to a multicast channel) through an unsolicited State Change Report. Current State Reports are sent only once (if one is lost, it will probably be received in response to the next periodic query). State Change Reports are sent multiple times for robustness (to increase the probability of all routers getting the message).
When the Querier gets a State Change Report from a listener, it sends a multicast address–specific query to see if there are still any other listeners to that multicast address. If not, the Querier will delete that multicast address from its multicast address listener state table, which stops relaying the corresponding traffic. If there are source-specific listeners, the Querier will send a multicast address– and source-specific query instead.
There must be a service interface (API routines) available, which allows an application to cause a State Change Report to be sent to the Querier. A sample API is documented in RFC 3678,19 “Socket Interface Extensions for Multicast Source Filters,” January 2004. The full API includes the ability to JOIN or LEAVE a multicast group (“subscribe to a multicast channel”) and to BLOCK and UNBLOCK specific source addresses, as well as to set and retrieve source filter sets.
For details on the syntax of the various MLDv2 messages, see RFC 3810.20
Protocol Independent Multicast (PIM) for IPv6
Item | IPv4 | IPv6 |
|---|---|---|
Source-specific multicast | 232.0.0.0/8 | ff3x:/32 |
Wildcard Group set | 224.0.0.0/3 | ff00::/8 |
ALL-PIM-ROUTERS group | 224.0.0.13 | ff02::d |
PIM for IPv6 does not include routing, but provides multicast forwarding by using static IPv6 routes or routing tables created by IPv6 unicast routing protocols, such as RIPng, OSPFv3, IS-ISv6, or BGP4+.
PIM Dense Mode is defined in RFC 3973,21 “Protocol Independent Multicast – Dense Mode (PIM-DM),” January 2005 (for both IPv4 and IPv6). This uses dense multicast routing, which builds shortest-path trees by flooding multicast traffic domain-wide and then pruning branches where no receivers are present. It does not scale well.
PIM Sparse Mode is defined in RFC 4601,22 “Protocol Independent Multicast – Sparse Mode (PIM-SM): Protocol Specification (Revised),” August 2006 (for both IPv4 and IPv6). As in IPv4, PIM-SM builds unidirectional shared trees routed at a rendezvous point per group and can create shortest-path trees per source. It scales fairly well for wide-area use.
Bidirectional PIM is defined in RFC 5015,23 “Bidirectional Protocol Independent Multicast (BIDIR-PIM),” October 2007 (for both IPv4 and IPv6). It builds shared bidirectional trees. It never builds a shortest-path tree, so there may be longer end-to-end delays, but it scales very well.
Example 1: An ISP manages 2001:db8::/32 and wants an RP for the network and all its customers, on an existing subnet, for example, 2001:db8:beef:feed::/64. The group address would be something like ff7x:y40:2001:db8:beef:feed::/96, and the RP address would be 2001:db8:beef:feed::y (y can be any value from 1 to F, but not 0).
Example 2: An organization wants to have its own PIM-SM domain. It should pick multicast addresses such as ff7x:y30:2001:db8:beef::/80. The RP address would be 2001:db8:beef::y (y can be any value from 1 to F, but not 0).
ICMPv6: Internet Control Message Protocol for IPv6
ICMPv6 is a key protocol in the Internet Layer that complements version 6 of the Internet Protocol (IPv6). It was originally defined in RFC 1885 (December 1995) and then enhanced in RFC 2463 (December 1998). It is currently defined in RFC 4443,25 “Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification,” March 2006.
There are many more ICMPv6 messages defined than there are ICMPv4 messages (in fact, Neighbor Discovery and Multicast Listener Discovery protocols are just subsets of the ICMPv6 messages). ICMPv6 messages have a much greater range of functionality than ICMPv4 messages. Even if you block all ICMPv4 messages (common practice by some IPv4 network administrators), normal network operation will usually occur. This is not true with ICMPv6. ICMPv6 messages are used in normal operation of IPv6.
Error messages, with message type ranging from 0 to 127
Informational messages, with message type ranging from 128 to 255
1 Destination Unreachable (ICMPv6, RFC 4443)
2 Packet Too Big (ICMPv6, RFC 4443)
3 Time Exceeded (ICMPv6, RFC 4443)
4 Parameter Problem (ICMPv6, RFC 4443)
128 Echo Request (ICMPv6, RFC 4443)
129 Echo Reply (ICMPv6, RFC 4443)
130 Multicast Listener Query message (MLDv2, RFC 3810)
131 Multicast Listener Report (MLDv1, RFC 2710)
132 Multicast Listener Done (MLDv1, RFC 2710)
133 Router Solicitation message (ND, RFC 2461)
134 Router Advertisement message (ND, RFC 2461)
135 Neighbor Solicitation message (ND, RFC 2461)
136 Neighbor Advertisement message (ND, RFC 2461)
137 Redirect message (ND, RFC 2461)
138 Router Renumbering (RR, RFC 2894)
139 ICMP Node Information Query (NIQ, RFC 4620)
140 ICMP Node Information Response (NIQ, RFC 4620)
141 Inverse Neighbor Discovery Solicitation message (IND, RFC 3122)
142 Inverse Neighbor Discovery Advertisement message (IND, RFC 3122)
143 Multicast Listener Report message (MLDv2, RFC 3810)
144 Home Agent Address Discovery Request message (MIPv6, RFC 3775)
145 Home Agent Address Discovery Reply message (MIPv6, RFC 3775)
146 Mobile Prefix Solicitation (MIPv6, RFC 3775)
147 Mobile Prefix Advertisement (MIPv6, RFC 3775)
148 Certification Path Solicitation (SEND, RFC 3971)
149 Certification Path Advertisement (SEND, RFC 3971)
151 Multicast Router Advertisement (MRD, RFC 4286)
152 Multicast Router Solicitation (MRD, RFC 4286)
153 Multicast Router Termination (MRD, RFC 4286)
154 FMIPv6 messages (MIPv6, RFC 5568)
IND Inverse Neighbor Discovery
MIPv6 Mobile IPv6
MLDv1 Multicast Listener Discovery, version 1
MLDv2 Multicast Listener Discovery, version 2
MRD Multicast Router Discovery
ND Neighbor Discovery
NIQ Node Information Query
RR Router Renumbering
SEND SEcure Neighbor Discovery
4 Source Quench
5 Redirect
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
IPv6 Routing
IPv6 has to solve the same problems as IPv4 in terms of how to get packets from one point to another through a packet-switched network. However, the differences in IP address length and addressing model mean that the existing routing protocols for IPv4 do not work. All the popular routing protocols have been extended to support IPv6. These include RIPng, EIGRP, IS-ISv6, OSPF for IPv6, and BGP4 with Multiprotocol Extensions (BGP4+).
RFC 2080 , “RIPng for IPv6,” January 1997 (Standards Track)
RFC 2185, “Routing Aspects of IPv6 Transition,” September 1997 (Informational)
RFC 2545 , “Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing,” March 1999 (Standards Track)
RFC 5308, “Routing IPv6 with IS-IS,” October 2008 (Standards Track)
RFC 5340 , “OSPF for IPv6,” July 2008 (Standards Track)
RIPng: RIP Next Generation. Defined in RFC 2080, “RIPng for IPv6,” January 1997. This IETF standard specifies extensions to the RIP (as defined in RFCs 1058 and 1723), to support IPv6. Like RIP for IPv4, RIPng also uses the distance vector algorithm. Unlike RIP for IPv4, RIPng is implemented only in routers. IPv6 itself provides mechanisms for router discovery (part of ND). RIPng is a UDP-based protocol, using port 521 (compare with port 520 for RIP). It supports 128-bit IPv6 addresses instead of 32-bit IPv4 addresses. It has the same limitations as RIP, such as being useful only in small networks, with less than 15 hops. It does have some of the extensions of RIPv2. When a response is sent to all neighbors, the multicast group ff02::9 (all-rip-routers) is used. RIPng only routes IPv6. On a dual-stack network, you would need both RIP (for IPv4) and RIPng. Since RIPng runs over IPv6, it can use the IPsec Authentication header (AH) and Encapsulating Security Payload (ESP) mechanisms to ensure integrity and authentication/confidentiality of routing exchanges.
EIGRP: Enhanced Interior Gateway Routing Protocol (proprietary Cisco routing protocol). This already includes extensions to allow it to route IPv4 and/or IPv6 packets. For details, see Cisco documentation.
IS-ISv6: Extension of IS-IS to support IPv6. Based on two levels, L2 = Backbone, L1 = Stub, L2L1 = Interconnected L2 and L1. It runs over CLNS (Connectionless Network Service, an OSI Network Layer protocol, similar to IP). Each IS node still sends out Link State Packets and sends information via Tag/Length/Values. There are two new TLVs, IPv6 Reachability and IPv6 Interface Address, and a new Network Layer Identifier, IPv6 NLPID (Network Layer Protocol IDentifier). Other than that, IS-ISv6 is pretty much the same as the original IS-IS. It is still suitable mainly for large ISPs.
OSPF for IPv6: Open Shortest Path First for IPv6 (also known as OSPFv3). Defined in RFC 5340, “OSPF for IPv6,” July 2008. This is still an Interior Gateway Routing Protocol and is suitable for use within organizations, but not between autonomous systems (BGP4+ is needed for this).
The basic OSPF for IPv4 mechanisms (flooding, designated router election, area support, Short Path First calculations) are unchanged. Some changes are required because of new protocol semantics or larger address size. Most fields and packet-size limitations in OSPF for IPv4 have been relaxed, and option handling is more flexible. The protocol processing is now per link, instead of per subnet. There is now a flooding scope to reflect the scopes of IPv6 addresses. It uses IPv6 link-local addresses. The addressing semantics have been removed (with a few exceptions), leaving a mostly network protocol–independent core. OSPF Router IDs, Area IDs, and Link State IDs are still 32 bits, so those can no longer be IP addresses (which in IPv6 are 128 bits).
The new flooding scope allows control over how widely to flood information: link local, area wide, or AS wide (the entire routing domain). It is now possible to run multiple instances of the OSPF protocol on a single link (every message now includes an Instance ID value). Link-local addresses are used where they are meaningful (for transactions completely within a link), but global-scope IPv6 addresses must still be used in some places (e.g., source address for OSPF protocol packets). The AuType and Authentication fields have been removed from OSPF for IPv4, as IPsec AH and ESP are available and superior. As with TCP, the header checksum covers the entire OSPF packet and a prepended IPv6 pseudo header. All support for MOSPF (Multicast OSPF) has been removed.
OSPF for IPv6 runs only over IPv6 and only routes IPv6. On a dual-stack network, you would need both OSPF for IPv4 (OSPFv2) and OSPF for IPv6 (OSPFv3) deployed, similar to RIP and RIPng. It is possible that a future version of OSPF will support both IPv4 and IPv6 routing.
BGP4 with Multiprotocol Extensions (also known informally as BGP4+): Defined in RFC 4760, “Multiprotocol Extensions for BGP-4,” January 2007. BGP4 is currently defined in RFC 4271, “A Border Gateway Protocol 4 (BGP-4),” January 2006. BGP4 supports only IPv4. The multiprotocol extensions have been around since RFC 2283, February 1998, but have been updated with each new version of BGP4.
These extensions allow BGP4+ to carry routing information for multiple Network Layer protocols,(e.g., IPv6, IPX, L3VPN, etc.). L3VPN is a “layer 3 Virtual Private Network.” BGP4+ is designed to be backward compatible, such that a BGP4+-compliant router can exchange IPv4 routing information with a router that does not support the multiprotocol extensions (basic BGP4).
Currently BGP4+ is the primary protocol used for routing IPv6 packets between autonomous systems (very large networks under the control of a single entity, such as ISPs or major corporations). Most IPv6 engineers will never work with it, unless they work for an ISP or a really large company.
One of the issues that ISPs face when supporting IPv6 is to migrate their BGP4 gateways to BGP4+ gateways. They typically must also upgrade many routers to dual stack. At the ISP level, many routers have hardware acceleration, so this can be expensive. These may involve “forklift” upgrades, where entirely new high-end routers must be purchased, and there may be relatively little resale value for legacy IPv4-only equipment (hint to ISPs: migrate to IPv6 now and sell your old gear while it still has SOME value!).
Looking at Local Routing Information
Network Address Translation
NAT (Network Address Translation ) was introduced to extend the lifetime of the IPv4 address space long enough for its replacement, IPv6, to be defined and refined and compliant infrastructure products and applications to be developed. IPv6 is now fully developed and ready for prime time. NAT has served its purpose. It is time to put it out to pasture.
There is a common belief that the practice of hiding nodes behind a single routable IPv4 address (“hide-mode NAT”) adds security. It really doesn’t.
First, anytime you make an outgoing connection, either directly or via NAT, the connection you make is a two-way path, and the node you connect to can easily attack you right through your packet filtering firewall and Network Address Translation. You should have “defense in depth” and protect your node with a host-based firewall whether or not you are behind a firewall and NAT gateway .
Second, if a hacker manages to breach your firewall by installing a Trojan horse onto any node in your network, they can attack you from that compromised node. Hackers have a term for networks that have a strong perimeter defense but limited internal defenses. It is “hard crunchy outside, soft chewy inside.” Again, host-based firewalls on all nodes are a good idea.
Third, if you are using almost any peer-to-peer software, VoIP (e.g., Skype), or IPsec VPN, it probably includes a mechanism called NAT traversal (e.g., STUN, TURN, SOCKS, etc.). NAT traversal basically bores a hole right through your NAT protection (required for any of the preceding applications). Anything that includes NAT traversal can easily be used to attack you. Many people think Skype is a productivity tool. Network security people think it is a security vulnerability.
Fourth, any time you open a document from outside (Word document, Excel spreadsheet, JPEG image, etc.), it may contain malware that infects your node right through firewalls and NAT.
It is better to allow direct connections to your node over IPv6, through various layers of firewalls, including a host-based firewall, together with good active anti-malware software, than to have NAT giving you a false sense of security.
On the other hand, NAT causes problems with any connectivity model other than simple client server outgoing connections, such as web browser to web server. This was covered in some detail in Chapter 3, section “Network Address translation (NAT).”
The real kicker is that NAT is the hacker’s friend! It is easy for a hacker to hide behind a NAT gateway and do all kinds of mischief, sending of malware, etc. It is quite difficult for the authorities to figure out which of the nodes hidden behind the common address is doing the bad stuff. To do this, the ISP must log EVERY connection, including source address, destination address, timestamp, and port. This mounts up to several TERABYTES for each ISP customer over a year, which is not a trivial amount of storage. With a flat address space (as in IPv6), it is far easier to figure out where the attack is coming from.
Because of these issues, there is no IPv6-to-IPv6 NAT defined in any IETF standard. There is no need for it to extend the IPv6 address space lifetime, it has no other real benefit, it causes many problems, and it is greatly impeding innovation. Other than those minor things, I guess it’s okay (sarcasm warning!).
On the other hand, there is a real need for IPv4-to-IPv6 (and IPv6-to-IPv4) Network Address Translation, and there are about eight proposed methods in the IETF now. All of them have various problems and tradeoffs (that is the nature of NAT). One of the more promising schemes is NAT64 in combination with DNS64. These will be discussed in more detail in Chapter 8 on migration to IPv6.
TCP: The Transmission Control Protocol in IPv6
There is very little difference between TCP over IPv4 and TCP over IPv6. The main difference is that more storage must be provided in the implementations to hold the four times larger addresses (16 bytes vs. 4 bytes, for each address). The other aspect involves the TCP header checksum , which uses a pseudo header to allow inclusion of the IP addresses in the calculation of the checksum (in addition to the contents of the payload). Of course, there is a different pseudo header format for IPv4 and IPv6, given the difference in address size. There are no new RFCs for TCP over IPv6.
There is one new feature for both TCP and UDP over IPv6 called “Jumbograms.” This is defined in RFC 2675,26 “IPv6 Jumbograms,” August 1999. Jumbograms are very large packets, with a payload containing more than 65,535 bytes. The standard Payload Length field is only 16 bits, so the maximum payload size is 65,535 bytes. RFC 2675 defines a new Hop-by-Hop Option that includes a 32-bit Payload Length field, allowing packet lengths of up to 4.3 billion bytes. Of course, such packets require paths with very large MTUs. The simple 16-bit checksum becomes a less reliable error detection scheme as the payload length increases significantly. Of course, even a 1-bit error would require retransmission of an entire packet, so this should be used only on extremely reliable links.
TCP Packet Header
No changes are required to the TCP packet header, as port numbers are still 16 bits in length. The only differences are in how the header checksum is calculated (using the IPv6 pseudo header) and the availability of Jumbograms.
UDP: The User Datagram Protocol in IPv6
UDP over IPv6 has basically the same differences from UDP over IPv4 as was described for TCP.
DHCPv6: Dynamic Host Configuration Protocol for IPv6
Unlike with DNS, it was not possible to add new functionality into DHCPv4 to support IPv6 (let alone a single server that could handle both IPv4 and IPv6). DHCPv6 is pretty much a new design from the ground up. DHCPv4 was built from an earlier protocol called BOOTP and contains many now unnecessary features from that. DHCPv6 was cleaned up considerably and contains none of the things left over from BOOTP.
DHCPv4 runs over IPv4 and supplies only 32-bit IPv4 information (assigned IPv4 addresses, IPv4 addresses of DNS servers, etc.). DHCPv6 runs only over IPv6 and supplies only 128-bit IPv6 information (assigned IPv6 addresses, IPv6 addresses of DNS servers, etc.). There is no conflict between DHCPv4 and DHCPv6 in terms of functionality or ports used, so it is possible to run both on a single, dual-stack node.
Hosts communicate only with DHCPv6 servers or relay agents on their local link, using link-local addresses (typically ff02::1:2, “all DHCPv6 relay agents and servers”). DHCPv6 uses UDP ports 546 and 547 (compare with DHCPv4, which uses UDP ports 67 and 68). As with DHCPv4, relay agents are used to allow hosts to communicate with remote DHCPv6 servers (ones not on the local link). This is still done via UDP but using a site-scope address (ff05::1:3 “all DHCPv6 servers, but not relay agents”), which is used only by relay agents.
In some simple networks, there is no need for DHCPv6 because of Stateless Address Autoconfiguration. Currently, however, DHCPv6 is the only way for IPv6-capable nodes to automatically learn the IPv6 addresses of DNS servers. This is particularly important for IPv6-only (“pure IPv6”) networks, of which there are not many yet. For dual-stack networks, there is no conflict between DHCPv4 and DHCPv6, and both can exist even on a single node. In this case, the IPv4 side of a node would get its IPv4 configuration from the DHCPv4 server, and the IPv6 side of a node would get its IPv6 configuration from the DHCPv6 server.
DHCPv6 allows the administrator far better control over distribution of interface identifiers (low 64 bits of each address) than with Stateless Address Autoconfiguration. With SLAAC, interface identifiers can either make use of only a tiny percentage of the possible 264 address space (when using EUI-64-generated interface identifiers) or have interface identifiers scattered randomly all over the possible 264 address space (when using cryptographically generated addresses). Either of these can lead to problems with network access control (NAC) or firewall rules. In general, administrators like to cluster IP addresses by department (or other groupings), so that a single firewall or NAC rule can be used for an entire group, by specifying an address range (e.g., all addresses that fall between 2001:df8:5403:3000::1000 and 2001:df8:5403:3000::1fff, inclusive).
M: “Managed address configuration” flag. When set it indicates that addresses are available via DHCPv6. If set, then the O flag can be ignored. This enables stateful DHCPv6, where both the stateless information (IPv6 addresses of DNS and other servers) and global unicast addresses can be obtained from DHCPv6.
O: “Other configuration” flag. When set, it indicates that other configuration information is available via DHCPv6. This includes things such as IPv6 addresses of DNS or other servers. This is called stateless DHCPv6 and is used in conjunction with Stateless Address Autoconfiguration (for obtaining global unicast addresses).
If both M and O bits are clear, then SLAAC is the only way to get addresses, and there is no source of IPv6 addresses for any servers, including DNS.
Relevant RFCs for DHCPv6
RFC 3319, “Dynamic Host Configuration Protocol (DHCPv6) Options for Session Initiation Protocol (SIP) Servers,” July 2003
RFC 3646 , “DNS Configuration Options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6),” December 2003 (Standards Track)
RFC 3898, “Network Information Service (NIS) Configuration Options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6),” October 2004 (Standards Track)
RFC 4075, “Simple Network Time Protocol (SNTP) Configuration Option for DHCPv6,” May 2005
RFC 4076, “Renumbering Requirements for Stateless Dynamic Host Configuration Protocol for IPv6 (DHCPv6),” May 2005 (Informational)
RFC 4339, “IPv6 Host Configuration of DNS Server Information Approaches,” February 2006 (Informational)
RFC 4477 , “Dynamic Host Configuration Protocol (DHCP): IPv4 and IPv6 Dual-Stack Issues,” May 2006 (Informational)
RFC 4580, “Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay Agent Subscriber-ID Option,” June 2006 (Standards Track)
RFC 4649, “Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay Agent Remote-ID Option,” August 2006 (Standards Track)
RFC 4704, “The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Client Fully Qualified Domain Name (FQDN) Option,” October 2006 (Standards Track)
RFC 4994, “DHCPv6 Relay Agent Echo Request Option,” September 2007 (Proposed Standard)
RFC 5007, “DHCPv6 Leasequery,” September 2007 (Standards Track)
RFC 5460, “DHCPv6 Bulk Leasequery,” February 2009 (Standards Track)
RFC 5908, “Network Time Protocol (NTP) Server Option for DHCPv6,” June 2010 (Proposed Standard)
RFC 5970, “DHCPv6 Options for Network Boot,” September 2010 (Proposed Standard)
RFC 6011, “Session Initiation Protocol (SIP) User Agent Configuration,” October 2010 (Informational)
RFC 6221 , “Lightweight DHCPv6 Relay Agent,” February 2011 (Proposed Standard)
RFC 6334 , “Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Option for Dual-Stack Lite,” August 2011 (Proposed Standard)
RFC 6355, “Definition of the UUID-Based DHCPv6 Unique Identifier (DUID-UUID),” August 2011 (Proposed Standard)
RFC 6422, “Relay Supplied DHCP Options,” December 2011 (Proposed Standard)
RFC 6603, “Prefix Exclude Option for DHCPv6-Based Prefix Delegation,” May 2012 (Proposed Standard)
RFC 6607, “Virtual Subnet Selection Options for DHCPv4 and DHCPv6,” April 2012 (Proposed Standard)
RFC 6644, “Rebind Capability in DHCPv6 Reconfigure Messages,” July 2012 (Proposed Standard)
RFC 6653, “DHCPv6 Prefix Delegation in Long-Term Evolution (LTE) Networks,” July 2012 (Informational)
RFC 6784, “Kerberos Options for DHCPv6,” November 2012 (Proposed Standard)
RFC 6853 , “DHCPv6 Redundancy Deployment Considerations,” February 2013 (Best Current Practice)
RFC 6939, “Client Link-Layer Address Option in DHCPv6,” May 2013 (Proposed Standard)
RFC 6977, “Triggering DHCPv6 Reconfiguration from Relay Agents,” July 2013 (Proposed Standard)
RFC 7031 , “DHCPv6 Failover Requirements,” September 2013 (Informational)
RFC 7037, “RADIUS Option for the DHCPv6 Relay Agent,” October 2013 (Proposed Standard)
RFC 7078, “Distributing Address Selection Policy Using DHCPv6,” January 2014 (Proposed Standard)
RFC 7227, “Guidelines for Creating New DHCPv6 Options,” May 2014 (Best Current Practice)
RFC 7341, “DHCPv4-over-DHCPv6 (DHCP 4o6) Transport,” August 2014 (Proposed Standard)
RFC 7598, “DHCPv6 Options for Configuration of Softwire Address and Port-Mapped Clients,” July 2015 (Proposed Standard)
RFC 7610 , “DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers,” August 2015 (Best Current Practice)
RFC 7653, “DHCPv6 Active Leasequery,” October 2015 (Proposed Standard)
RFC 7774, “Multicast Protocol for Low-Power and Lossy Networks (MPL) Parameter Configuration Option for DHCPv6,” March 2016 (Proposed Standard)
RFC 7824 , “Privacy Considerations for DHCPv6,” May 2016 (Informational)
RFC 7839, “Access-Network-Identifier Option in DHCP,” June 2016 (Proposed Standard)
RFC 7844, “Anonymity Profiles for DHCP Clients,” May 2016, (Proposed Standard)
RFC 7934 , “Host Address Availability Recommendations,” July 2016 (Best Current Practice)
RFC 7943, “A Method for Generating Semantically Opaque Interface Identifiers (IISs) with the Dynamic Host Configuration Protocol for IPv6 (DHCPv6),” September 2016 (Informational)
RFC 7969, “Customizing DHCP Configuration on the Basis of Network Topology,” October 2016 (Informational)
RFC 8026, “Unified IPv4-in-IPv6 Softwire Customer Premises Equipment (CPE): A DHCPv6-Based Prioritization Mechanism,” November 2016 (Proposed Standard)
RFC 8115, “DHCPv6 Option for IPv4-Embedded Multicast and Unicast IPv6 Prefixes,” March 2017 (Proposed Standard)
RFC 8156 , “DHCPv6 Failover Protocol,” June 2017 (Proposed Standard)
RFC 8168, “DHCPv6 Prefix-Length Hint Issues,” May 2017 (Proposed Standard)
RFC 8415 , “Dynamic Host Configuration Protocol for IPv6 (DHCPv6),” November 2018 (Standards Track)
RFC 8539, “Softwire Provisioning Using DHCPv4 over DHCPv6,” March 2019 (Proposed Standard)
DHCPv6 has a failover mechanism. Two servers can manage a single pool of addresses for redundancy (in case of failure of one of the servers). This also can be used for load balancing.
All IPv6 hosts have automatically generated link-local addresses that can be used to exchange packets with any other node on the local link. DHCPv4 requires some complex hacks to allow hosts to communicate before they get an address. All IPv6 hosts support link-local multicast. All DHCPv6 servers listen to DHCPv6 multicast groups. With DHCPv4, clients have to do a general broadcast to all nodes on the link, which generates significant broadcast traffic on the link and unnecessary traffic handling on all nodes.
With DHCPv6, a single request can configure all interfaces on a node. The server can offer multiple addresses, one for each interface, and each interface can even have different options. With DHCPv4, each interface would require a separate DHCP operation.
IPv6 prefix
Vendor-specific options
Addresses of SIP servers
Addresses of DNS servers and search options
NIS configuration
SNTP servers
There are several implementations of DHCPv6 already on the market. Windows Server 2008 contains a very complete implementation, in addition to its DHCPv4 server. You can view the IPv6-ready phase 2 products list for other options, including my own company’s Sixscape DNS appliance. Some implementations only support stateless mode, which means they can supply stateless information (like DNS addresses) but not actually allocate addresses. Be sure the DHCPv6 server you select includes full support for stateful mode as well (where it can supply addresses to each node, in addition to stateless information). You should also be sure that the gateway router or firewall you select has the ability to inform nodes that DHCPv6 servers are available on the subnet.
Address Reservations with DHCPv6
In the case of DHCPv4, it is possible to make an address reservation , linked to the MAC address of a node. Anytime the node with a MAC address for which an address reservation has been made asks DHCPv4 for an address, it will get the specific address that was reserved for that MAC address. In the case of DHCPv6, the same concept applies, except that you use two identifiers called the IAID (Interface Association ID) and DUID (DHCP Unique IDentifier ).
Link Layer Address plus Time (DUID-LLT): This type is recommended for all general-purpose computing devices, such as desktop computers, printers, routers , etc. They must contain some form of writable non-volatile storage. Note that the device should configure the time on the node before this DUID is generated, if possible. The only purpose of the timestamp is to lower the chance of an identifier conflict. The Link Layer address is typically the MAC address for Ethernet media. The DUID is defined as follows:
Vendor-Assigned Based on Enterprise Number (DUID-EN): This type is assigned to the device by the vendor. This type of DUID is for devices that have some form of non-volatile storage (e.g., EEPROM). The enterprise number is the IANA 32-bit assigned number for the vendor. The identifier can be anything the vendor chooses but must be unique within that vendor for each device.
Link Layer Address (DUID-LL): This type is just like the DUID-LLT, without the timestamp. It is recommended for permanently connected devices that have a Link Layer address, but no non-volatile, writeable stable storage.
Viewing Your Node’s DUID
You can also see a DHCPv6 IAID value (in this case 234887307). This identifies a particular Identity Association, which allows a server and a client to identify, group, and manage a set of related IPv6 addresses. Each IA consists of an IAID, one or more IPv6 addresses, and the time T1 and T2 for that IA. Each IA is associated with exactly one interface. For further details, see RFC 3315, section 11.
DHCPv6 Ports and Messages
Clients and servers exchange DHCPv6 messages using UDP over IPv6. The client uses a link-local address, or addresses obtained via other mechanisms, as the source address for transmitting and receiving DHCPv6 messages. Servers receive messages from clients using a reserved link-scoped multicast address, so that clients don’t need to be configured with the addresses of DHCPv6 servers. To allow hosts to communicate with servers on other links, DHCPv6 relay agents are used. Clients listen for DHCPv6 messages on UDP port 546. Servers and relay agents listen for DHCPv6 messages on UDP port 547.
The link-scoped multicast address used by a client to communicate with an on-link relay agent or server is ff02::1:2. All DHCPv6 servers and relay agents are members of this multicast group.
The site-scoped multicast address used by a relay agent to communicate with servers is ff05::1:3, if it wants to send a message to all DHCPv6 servers or does not know the unicast address of the servers. All DHCPv6 servers in a given site are members of this multicast group.
The SOLICIT message (1) is sent (multicast) by a client to locate servers.
The ADVERTISE message (2) is sent (multicast) by a server to indicate that it is available to provide DHCPv6 service, in response to a Solicit message from a client.
The REQUEST message (3) is sent (unicast) by a client to request configuration parameters, including IP addresses, from a specific server.
The CONFIRM message (4) is sent (multicast) by a client to any available server to determine whether the addresses it was assigned are still appropriate on the link to which the client is connected.
The RENEW message (5) is sent (unicast) by a client to the server that originally provided the client’s address and configuration parameters, to extend the lifetime on the addresses assigned to the client and update other configuration parameters.
The REBIND message (6) is sent (multicast) by a client to any available server to extend the lifetimes on the addresses assigned to the client and to update other configuration parameters. This message is sent after a client receives no response to a RENEW message.
The REPLY message (7) is sent (unicast) by a server to a client in response to a SOLICIT, REQUEST, RENEW, or REBIND message received from a client. A server sends a REPLY message containing configuration parameters in response to an INFORMATION-REQUEST message. It sends a REPLY message in response to a CONFIRM message confirming or denying that the addresses assigned to the client are appropriate on the link to which the client is connected. A server sends a REPLY message to acknowledge receipt or a RELEASE or DECLINE message.
The RELEASE message (8) is sent (unicast) by a client to the server that assigned addresses to the client to indicate that the client will no longer use one or more of the assigned addresses.
The DECLINE message (9) is sent (unicast) to a server to indicate that the client has determined that one or more addresses assigned by the server are already in use on the link to which the client is connected.
The RECONFIGURE message (10) is sent (unicast) by a server to a client to inform the client that the server has new or updated configuration parameters and that the client should initiate a RENEW/REPLY or INFORMATION-REQUEST/REPLY transaction with the server in order to obtain the updated information.
The INFORMATION-REQUEST message (11) is sent (unicast) by a client to a server to request configuration parameters, without the assignment of any IP addresses to the client.
The RELAY-FORW message (12) is sent (multicast) by a relay agent to forward messages to servers, either directly or through another relay agent. The received message, either a client message or a RELAY-FORW message from another relay agent, is encapsulated in an option in the RELAY-FORW message.
The RELAY-REPL message (13) is sent (unicast) by the server to a relay agent containing a message that the relay agent should then deliver to a client. The RELAY-REPL message may be relayed by other relay agents for delivery to the destination relay agent. The server encapsulates the client message as an option in the RELAY-REPL message, which the relay agent extracts and then relays to the next relay agent or directly to the client.
DHCPv6 Status Codes
DHCPv6 Message Syntax
The DHCPv6
DHCPv6 works in somewhat the same way as DHCPv4, except that different messages are used and communication between client and server takes place using link-local scoped multicast and unicast addresses.
When it first comes up, before any DHCPv6 operation, an IPv6-capable client node obtains a link-local unicast address through ND (and possibly a global unicast address as well, using information from a Router Advertisement message). If a Router Advertisement message is seen, then the client can check the M and O bits in it to determine if there is stateful DHCPv6, stateless DHCPv6, or no DHCPv6 available. If no Router Advertisement is available, a client can still attempt DHCPv6 server discovery, as follows.
ClientID
Option Request Option (IA-NA, DNS-Servers, Domain-List)
ServerID, ClientID
DNS-Servers, IA-NA (IAID, IAPREFIX).
ServerID, ClientID
Option Request Option (IA-NA, DNS-Servers, Domain-List)
ServerID, ClientID
DNS-Servers: 2001:xxx:yyy:zzz::a, 2001:xxx:yyy:zzz::b
IA-NA: IAID: 1,
IAPREFIX: Preferred lifetime: nnnnnn,
Valid lifetime: nnnnnn,
Prefix: 2001:xxx:yyy:zzz::c/64
For Further Information on DHCPv6
For details on how clients send and respond to DHCPv6 messages, see RFC 3315, section 17.
For details on DHCP Client-initiated Configuration Exchanges, see RFC 3315, section 18.
For details on DHCP Server-initiated Configuration Exchanges, see RFC 3315, section 19.
For details on relay agent behavior, see RFC 3315, section 20.
For details on the optional authentication mechanism, for use of DHCPv6 in unsecured environments, such as wireless networks, see RFC 3315, section 21.
For available DHCPv6 message options and their syntax, see RFC 3315, section 22.
Stateless DHCPv6 assumes that assigned IPv6 addresses are obtained some other way, such as Stateless Address Autoconfiguration, and that only stateless information (IPv6 addresses of DNS servers, SIP servers, etc.) will be obtained from DHCPv6. RFC 3736, “Stateless Dynamic Host Configuration Protocol (DHCP) Server for IPv6,” April 2004, defines the subset of messages and options from the full (stateful) DHCPv6 functionality that are required to provide stateless DHCPv6 service.
For details on publishing the address of SIP servers with DHCPv6, see RFC 3633, “IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6,” December 2003.
For details on publishing the address of DNS servers with DHCPv6, see RFC 3646, “DNS Configuration Options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6),” December 2003.
For details on publishing the address of NIS (Network Information Service) servers with DHCPv6, see RFC 3898, “Network Information Service (NIS) Configuration Options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6),” October 2004.
For details on publishing the address of SNTP (Simple Network Time Protocol) servers with DHCPv6, see RFC 4075, “Simple Network Time Protocol (SNTP) Configuration Option for DHCPv6,” May 2005.
Useful Commands Related to DHCPv6
ipconfig /release6: Release assigned IPv6 address (es) and de-configure network.
ipconfig/renew 6: Do a new configuration request for IPv6.
ipconfig/all: View all network configuration settings (IPv4 and IPv6).
The MAC address (“physical address”) of the interface is 00-22-15-23-32-9C.
A 64-bit interface identifier (b5ea:976d:679f:30f5) was created, which is a cryptographically generated value (not from EUI-64). A link-local unicast address was generated from this (by prepending fe80::/64). The link-local address of the default gateway (fe80::21b:21ff:fe1d:c159) was then obtained using ND router discovery.
A Router Advertisement message supplied the subnet prefix (2001:df8:5403:3000::/64), so the node used it to create two global unicast addresses, one of which (2001:df8:5403:3000:b5ea:976d:679f:30f5) used the 64-bit random interface identifier from ND and the other (2001:df8:5403:3000:218a:4956:7d8c:7c2c) used yet another random interface identifier.
Obtain an IP address automatically and Obtain DNS server address automatically were selected in the IPv4 GUI configuration (“DHCP Enabled”), and a working DHCPv4 server was found (“Autoconfiguration Enabled”). So an IPv4 address (172.20.2.1), the subnet mask (255.255.0.0), the default gateway (172.20.0.1), and the IPv4 addresses of two DNS servers were obtained from the DHCPv4 server. The lease for this was obtained on March 12, 2010, 9:42 p.m., and would expire on March 18, 2010, at 9:43 p.m. The MAC address (00-22-15-23-32-9C) was used to make a DHCPv4 reservation for this node, so this node will always get that IPv4 address.
Obtain an IPv6 address automatically and Obtain DNS server address automatically were selected in the IPv6 GUI configuration, and both the M and O bits were set in the Router Advertisement message (stateful and stateless DHCPv6 available), so another global unicast IPv6 address (2001:df8:5403:3000::2:1) was obtained from DHCPv6, plus the IPv6 addresses of two DNS servers. The lease for this was obtained on March 12, 2010, at 9:43 p.m., and would expire on March 24, 2010, at 9:43 p.m.
The DUID of the node is 00-01-00-01-11-99-BD-28-00-22-15-24-32-9C. The first two hex digit pairs contain 00-01. That means this is a type 1 DUID (DUID-LLT), “Link Layer plus Timestamp.” The next six hex digit pairs (00-01-11-99-BD-28) are the timestamp, and the last six hex digit pairs (00-22-15-23-32-9C) contain the interface MAC address. This DUID, along with the IAID (218112533), was used to make a DHCPv6 address reservation for this node. So this node will always get that IPv6 address.
IPv6 Network Configuration
Network prefix: 2001:df8:5403:3000::/64
Default gateway: 2001:df8:5403:3000::1
DHCPv6 server address: 2001:df8:5403:3000::11
DNS server addresses: 2001:df8:5403:3000::11
2001:df8:5403:3000::12
Domain name: redwar.org
Furthermore, assume the DHCPv6 server is correctly configured with this information and is managing the address range 2001:df8:5403:3100::1000 to 2001:df8:5403:3100::1fff (and that some leases have already been granted).
IPv6 link-local node address (obtained automatically)
All nodes on link multicast address (ff01::1), there by default
IPv6 global unicast address
IPv6 address of default gateway (link-local address of gateway obtained automatically)
IPv6 addresses of DNS servers (manually configured or from DHCPv6)
Nodename
DNS domain name
Manual Network Configuration for IPv6-Only
It is possible to perform IPv6 configuration manually , either by editing ASCII configuration files, as in FreeBSD or Linux, or via GUI configuration tools, as in Windows. If you have understood the material in this chapter, it should be fairly easy to configure your node(s). In most cases, if you have ISP service, the ISP will give you all the information necessary to configure your node(s). In the coverage of dual-stack networks, we will show configuration of both IPv4 and IPv6 on a single node.
Auto Network Configuration Using Stateless Address Autoconfiguration
It is easy for a FreeBSD node to be automatically configured using Stateless Address Autoconfiguration . Note that the global unicast address will be created with the EUI-64 algorithm from your MAC address.
FreeBSD interface name: vr0
Nodename: us1.redwar.org
Node IP address (whatever SLAAC comes up with)
Default gateway (whatever SLAAC comes up with)
DNS domain name: redwar.org
DNS Server 1: 2001:df8:5403:3000::11
DNS Server 2: 2001:df8:5403:3000::12
You need to edit the following files (you will need root privilege to do this):
Auto Network Configuration Using Manually Specified (Static) IPv6 Address
FreeBSD interface name: vr0
Nodename: us1.redwar.org
Node IP address: 2001:df8:5403:3000::13
Default gateway: 2001:df8:5403::1
DNS domain name: redwar.org
DNS Server 1: 2001:df8:5403:3000::11
DNS Server 2: 2001:df8:5403:3000::12
You need to edit the following files (you will need root privilege to do this):
If you specify a static IPv6 address in FreeBSD 7.x (“IPv6-config_vr0=”...”), the node will not obtain a link-local default gateway address automatically. Therefore, in this case it is essential that you also manually specify a default gateway address (which can be global unicast or link local), using the “IPv6_defaultrouter=...” option in /etc/rc.conf. If no default gateway is defined, communication with other on-link nodes will work okay, but communication with off-link nodes will fail.
This is different from the behavior of Windows 7 and Linux, where the addition of a manually configured global unicast address does not stop the node from obtaining the link-local default gateway automatically.
Summary
IPv6 itself
IPCMPv6 (the helper protocol)
ND (Neighbor Discovery, which is really just a subset of ICMPv6)
Stateless Address Autoconfiguration (SLAAC) (which is one of the ND mechanisms)
We also covered the new IPv6 packet header, as well as the all-new packet header extensions. We compared that with the older IPv4 packet header, noting that the basic header is twice as long, but simpler. The advanced features have now been moved to the header extensions.
We covered the IPv6 addressing model, which is more complex than the IPv4 model. For the first time, address scopes have been fully implemented. IPv4 private addresses were kind of an address scope, but in IPv6 that concept is fully realized.
We covered DHCPv6, although technically that does not live in the Internet Layer (like DHCPv4, it lives in the Application Layer). With the new SLAAC, there is not much need for DHCPv6, especially now that SLAAC advertises the DNS addresses for the network. The only real need for DHCPv6 in current networks is for Prefix Delegation (how ISPs advertise the network prefix to subscribers).
Finally, we covered how you actually configure IPv6 addresses in FreeBSD.