IPv6 For People Who Hate IPv6
My current ISP offers IPv6 connectivity, but it is opt-in. I suppose due to it being a relatively small business, they lacked the expertise to make things Just Work®, and it took them several weeks to get IPv6 running smoothly on my account. During these weeks of troubleshooting and back-and-forth with them, I learned a number of things about IPv6 which made me hate it less and less, and now I wish it was used everywhere. A summary of this epic tale can be seen here*.
My intention with this post is to share what I learned - mainly comparing it to how IPv4 works - and make it more palatable for people who, like past me, looked at a v6 address and went "ughhh..."
What is this and who is it for?
The objective for this post is to provide a very high-level overview of how the basic stuff works in IPv6, and how it compares with the same features in the IPv4 we all know and love.
The target audience here are people who know their way around a basic v4 network, but feel uncomfortable and/or intimidated when they look at a v6 address in all its 128-bit glory. Expect technical inaccuracies for the sake of simplicity. If you're a seasoned network admin with a long grey beard and years of experience under your belt, this post is not for you.
The addresses are too long and have letters mixed in, I don't like it!
That's fine, we're humans. Most of us have ten fingers and have been taught from an early age to do everything using base 10, so it's natural to feel uncomfortable when suddenly your numbers have letters in them and "10" actually means 16.
However, the whole idea with IPv6 is to have so many addresses that it is practically impossible to ever run out of them. With the address length being 128 bits, that amounts to a total of 340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses, and if we used the same notation we use for IPv4 (3 characters for every 8 bits, from 0 to 255), you'd end up with addresses that would look like this:
192.168.255.255.255.255.255.255.255.255.255.255.255.255.255.1
Now imagine typing that every time you want to ping something... Network masks would be the stuff of nightmares too.
Writing the address in hexadecimal is a good way of "compressing" that same information, bringing the number of characters down to only 2 for every 8 bits, and also only adding a colon as separator every 4 characters (called a "hextet"), meaning the address is shorter and more readable (it's still much longer than IPv4 though, I'll give you that).
IPv6 also has a neat feature which lets you shorten the length of some addresses: if the values in one or more continuous hextets are all zeroes, you can replace them with two colons (::), and leading zeroes in each hextet can be omitted too. This means a full address like
2a00:1450:4009:0821:0000:0000:0000:200e
becomes
2a00:1450:4009:821::200e
Where did my netmask go?
It didn't go anywhere, it just got a lot bigger and easier to work with, and now it's called the "prefix length", or often just "prefix".
A prefix length in IPv6 is pretty much the same thing as a netmask in IPv4, with the main difference being it is limited to 64 bits, and it's always written using CIDR notation (forward slash + amount of bits).
"But how can it be easier if it's longer?" you may be asking yourself. Well, when you think about a netmask in IPv4, if it exactly fits with the octets (each 8-bit section) in the address (like a /8, /16 or /24) then it is easy to look at an address and immediately know what parts of it represent the network portion. But in IPv4 that only happens for these 3 examples, and in practice, in the wild you will find that most networks need more granularity than that, and often use less human-friendly masks like /17, /23, /25, etc.
In IPv6 the same thing happens, but because the address space is much larger, we have many more prefixes that are multiples of 8 (/8, /16, /24, /32, /40, /48, /56 and /64), and because of the hexadecimal notation, every 8 bits represent 2 characters in the address, so people and companies can (and do) much more often use these "human-friendly" prefixes, which can be figured out at a glance.
Here's an illustrated example:
2a 00:14 50:40 09:08 21:0000:0000:0000:200e
 |  |  |  |  |  |  |  |
 |  |  |  |  |  |  |  /64
 |  |  |  |  |  |  /56
 |  |  |  |  |  /48
 |  |  |  |  /40
 |  |  |  /32
 |  |  /24
 |  /16
 /8
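The diagram as code: an added example (not from the original post) that cuts an address into network and host digits for each of the prefix lengths shown, and also does the general bit-mask computation that works for any prefix length, including ones like /50 that fall in the middle of a hextet. The address is the one from the diagram; the functions are my own names.

```python
# Added example (not from the original post): cutting an IPv6 address into
# network and host parts, and why 8-bit-multiple prefixes are readable at a glance.
import ipaddress
from typing import Dict, Tuple

HUMAN_FRIENDLY = (8, 16, 24, 32, 40, 48, 56, 64)  # the prefix lengths in the diagram


def expanded_digits(addr: str) -> str:
    """All 32 hex digits of the address, colons removed."""
    return ipaddress.IPv6Address(addr).exploded.replace(":", "")


def split_prefix(addr: str, prefix_len: int) -> Tuple[str, str]:
    """(network digits, host digits) when the prefix ends on a hex-digit boundary,
    i.e. prefix_len is a multiple of 4 (every multiple of 8 qualifies)."""
    if not 0 <= prefix_len <= 128 or prefix_len % 4:
        raise ValueError("prefix must be a multiple of 4 to cut on a hex digit")
    digits = expanded_digits(addr)
    cut = prefix_len // 4
    return digits[:cut], digits[cut:]


def network_of(addr: str, prefix_len: int) -> str:
    """Network address for ANY prefix length, by bit masking exactly as in IPv4."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length must be 0..128")
    value = int(ipaddress.IPv6Address(addr))
    mask = ((1 << prefix_len) - 1) << (128 - prefix_len)
    return str(ipaddress.IPv6Address(value & mask))


def prefix_table(addr: str) -> Dict[int, str]:
    """Network digits for each human-friendly prefix length: reading the table
    top to bottom reproduces the diagram above."""
    return {p: split_prefix(addr, p)[0] for p in HUMAN_FRIENDLY}


if __name__ == "__main__":
    addr = "2a00:1450:4009:821::200e"
    for plen, net_digits in prefix_table(addr).items():
        print(f"/{plen:<3} {net_digits}")
    print(network_of(addr, 56))  # 2a00:1450:4009:800::
    print(network_of(addr, 50))  # 2a00:1450:4009:: (cut falls mid-hextet)
```

The /50 case shows why odd prefix lengths are unpopular: the network address is still well defined, but you can no longer read it off the written address without converting a hextet to binary.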
Addressing the addressing
If you're familiar with IPv4, you know the main methods to give something an address are:
- Static - you set the address manually and that's it.
- DHCP - your computer screams into the network and the DHCP server responds with an address (lease) which your computer can then use.
In IPv6 things are largely the same, with both of the methods above still being available, so I'll not bother explaining how they work. The important part is that IPv6 introduces a new preferred addressing method called "Stateless Address Autoconfiguration", or SLAAC for short.
SLAAC works differently from DHCP in that instead of sending a full ready-to-use address, the router only sends a prefix of a given length, and it's up to the client device to come up with the rest of the address, often using portions of its own MAC address. Everything else about it works pretty much in the same way as DHCP: the client sends a Router Solicitation (RS) into the network and the router picks it up and responds with a Router Advertisement (RA) containing information such as what prefixes to use, gateway address, DNS servers and so on. The router will also periodically broadcast unsolicited RAs to the network to inform clients of changes, like a new prefix becoming available. RAs can also contain instructions for the client to look for specific info (like DNS servers or other DHCP options) using DHCPv6.
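The classic way for the client to "come up with the rest of the address" from its MAC is the modified EUI-64 interface identifier from RFC 4291: split the 48-bit MAC in two, insert ff:fe in the middle, and flip the universal/local bit of the first byte. This is an added example, not the post's code; the prefix and MAC are constructed values. The reverse function shows why a MAC-derived address leaks hardware identity to every site you visit, which is why modern operating systems default to randomised "privacy" identifiers (RFC 4941), for which the reverse returns None.

```python
# Added example (not from the original post): modified EUI-64 interface
# identifiers as used by SLAAC, and recovering a MAC from such an address.
import ipaddress
from typing import Optional


def mac_to_modified_eui64(mac: str) -> bytes:
    """Modified EUI-64 identifier (RFC 4291, appendix A) from a 48-bit MAC:
    split the MAC in two, insert 0xfffe in the middle, invert the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # universal/local bit is bit 7 of the first byte
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix announced in an RA with the EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_slaac_address(addr: str) -> Optional[str]:
    """Reverse: if the low 64 bits carry 0xfffe in the middle, recover the MAC.
    Returns None for identifiers that do not look MAC-derived (privacy addresses)."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed values: documentation prefix and a made-up MAC.
    mac = "00:11:22:33:44:55"
    print(slaac_address("2001:db8:1:2::/64", mac))   # 2001:db8:1:2:211:22ff:fe33:4455
    print(slaac_address("fe80::/64", mac))           # fe80::211:22ff:fe33:4455
    print(mac_from_slaac_address("2001:db8:1:2:211:22ff:fe33:4455"))  # 00:11:22:33:44:55
    print(mac_from_slaac_address("2001:db8:1:2:a1b2:c3d4:e5f6:789a"))  # None
```

Note that the same identifier appears in both the link-local and the global address, so a host that announces itself with fe80::211:22ff:fe33:4455 on the LAN is trivially linked to its public address.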
One valid concern you may have at this point is: "if the client makes up its own address from the prefix, isn't there a chance two machines will pick the same address and cause conflicts?". The answer to that is "well yes but actually no". Mathematically speaking, the address space is so big that the chances of any two machines picking the same address is ridiculously small, but even in this unlikely event, there are magic protocols in place to detect and correct it before it becomes a problem.
Another weird thing you may notice is that, unlike in IPv4 where the network interface will normally only have one address, in IPv6 you end up with multiple addresses assigned to the interface, each with its own purpose:
- Link-local address - This address will always begin with "fe80" and will always be assigned to the interface as long as IPv6 is enabled on your device, regardless of your router actually supporting IPv6 or not. This is used to communicate with other devices on the same local network (no routing).
- LAN address (ULA) - similar to the 192.168.x.x in IPv4, this is your LAN. Addresses will normally begin with "fc" or "fd", and traffic can be routed to other private networks, but not to the Internet (unless you set up NATv6, in which case we can't be friends).
- Public address - BEGONE NAT! This is the main advantage of IPv6: each device gets its own IP address on the Internet, instead of sharing your router's public IP address like in IPv4. These addresses will normally start with "2".
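To see the three kinds side by side, here is an added example (not from the post) that parses constructed lines shaped like Linux `ip -6 addr show` output and labels each address by the ranges behind the rules of thumb above: link-local is fe80::/10, ULA is fc00::/7 (so "fc" and "fd"), and global unicast is currently allocated from 2000::/3 (addresses starting with 2 or 3). One trap worth knowing: Linux prints "scope global" for ULA addresses too, so the prefix, not the scope word, tells you what is actually reachable from the Internet.

```python
# Added example (not from the original post): classify the addresses on an
# interface and pick out the ones a host on the Internet could route to.
import ipaddress
import re
from typing import List, Tuple

# Constructed sample shaped like the output of `ip -6 addr show` on Linux;
# not captured from a real host (documentation prefixes and a made-up MAC).
SAMPLE_IP_ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:abcd:1:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
    inet6 fd12:3456:789a:1:211:22ff:fe33:4455/64 scope global
    inet6 fe80::211:22ff:fe33:4455/64 scope link
"""

INET6_LINE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/(\d+)\s")

# Ordered most specific first; "other" covers loopback, multicast, etc.
KINDS = (
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("ULA (private LAN)", ipaddress.IPv6Network("fc00::/7")),
    ("global (Internet-reachable)", ipaddress.IPv6Network("2000::/3")),
)


def classify(addr: str) -> str:
    """Name the kind of unicast address, by prefix range rather than by first letter."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in KINDS:
        if ip in net:
            return name
    return "other"


def interface_addresses(output: str) -> List[Tuple[str, int, str]]:
    """Parse (address, prefix length, kind) from every 'inet6' line."""
    found = []
    for line in output.splitlines():
        m = INET6_LINE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), classify(m.group(1))))
    return found


def internet_reachable(output: str) -> List[str]:
    """The addresses a remote host on the Internet could actually route to."""
    return [a for a, _, kind in interface_addresses(output) if kind.startswith("global")]


if __name__ == "__main__":
    for addr, plen, kind in interface_addresses(SAMPLE_IP_ADDR_OUTPUT):
        print(f"{addr}/{plen:<3} {kind}")
    print("reachable from the Internet:", internet_reachable(SAMPLE_IP_ADDR_OUTPUT))
```

`internet_reachable` is the list to look at when deciding which addresses your router's firewall rules actually need to cover; the link-local and ULA entries are never routed past your own network.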
Public IP? Am I going to be haxx0red?!!!
No, calm down.
Even though your computer now has a public address, that doesn't mean other computers on the internet can reach it directly. All internet traffic coming to and from your computer still needs to go through your router, and this is where your safety net is. Your router knows what is "inside" and "outside", and by default should block everything other than pings coming from the outside world. This is really easy to visualise with OpenWRT's concept of firewall zones - online simulator.
OPEN THE GATE A LITTLE!
But what do you do if you WANT a device/port to be accessible to the rest of the world? Say, if you're hosting a web server, for example?
Remember port forwarding in IPv4? Yeah, we don't do that here (to be clear, we can, but we're not savages). With IPv6, instead of redirecting a port from your router to a port on a device inside your network and translating the addresses, you simply create a firewall rule to allow access from the outside world to the internal device. This offers a much greater level of control on what can be allowed compared to NAT port forwarding.
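To make the difference concrete, here is an added example (not OpenWrt's code or configuration) of a toy zone-based policy evaluator in the spirit of the firewall zones mentioned above. Traffic entering from the wan zone towards the lan zone is dropped by default, with the two exceptions discussed: ICMPv6 echo requests (pings) to anything, and TCP port 80 to one constructed web-server address. The packet reaches the server with its own global address and port untouched, which is the whole point compared with a NAT port forward. A real firewall also tracks connection state so that replies to outbound connections are let back in; this toy leaves that out, and the zone and prefix values are constructed.

```python
# Added example (not from the original post, not OpenWrt code): a toy
# zone-based firewall policy showing default-deny inbound plus explicit allows.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed: the /64 your ISP delegated to your LAN.
LAN_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:1::/64")
WEB_SERVER = "2001:db8:abcd:1:211:22ff:fe33:4455"  # constructed LAN host


@dataclass(frozen=True)
class Packet:
    in_zone: str            # zone of the interface the packet arrived on
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmpv6"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dest_zone: str
    target: str             # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    dest_ip: Optional[str] = None
    dest_port: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet, pkt_dest_zone: str) -> bool:
        """A None field means 'any'; everything else must match exactly."""
        return (self.src_zone == pkt.in_zone and self.dest_zone == pkt_dest_zone
                and self.proto in (None, pkt.proto)
                and self.dest_ip in (None, pkt.dst)
                and self.dest_port in (None, pkt.dport)
                and self.icmp_type in (None, pkt.icmp_type))


def dest_zone(dst: str) -> str:
    """Zone of the destination: inside our delegated prefix or not."""
    return "lan" if ipaddress.IPv6Address(dst) in LAN_PREFIX else "wan"


# Rules are evaluated top to bottom; first match wins.
RULES: List[Rule] = [
    Rule("wan", "lan", "ACCEPT", proto="icmpv6", icmp_type=128),      # echo request
    Rule("wan", "lan", "ACCEPT", proto="tcp", dest_ip=WEB_SERVER, dest_port=80),
    Rule("lan", "wan", "ACCEPT"),                                      # outbound
    Rule("wan", "lan", "DROP"),                                        # the safety net
]


def decide(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Return ACCEPT or DROP; anything no rule covers is dropped."""
    zone = dest_zone(pkt.dst)
    for rule in rules:
        if rule.matches(pkt, zone):
            return rule.target
    return "DROP"


if __name__ == "__main__":
    outside = "2001:db8:ffff::1"  # constructed Internet host
    print(decide(Packet("wan", outside, WEB_SERVER, "tcp", dport=80)))     # ACCEPT
    print(decide(Packet("wan", outside, WEB_SERVER, "tcp", dport=22)))     # DROP
    print(decide(Packet("wan", outside, "2001:db8:abcd:1::10", "tcp", dport=80)))  # DROP
    print(decide(Packet("wan", outside, "2001:db8:abcd:1::10", "icmpv6", icmp_type=128)))  # ACCEPT
```

Compare the second rule with an IPv4 port forward: it names the real destination address and port, and nothing is rewritten, so the server's logs show the true client address and a second server on the same port needs only a second rule, not a different external port.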
Final thoughts
IPv6 is pretty cool. If your ISP offers support for it, go for it.
* You may notice I have censored the term "IPv6" multiple times on those tweets. This is to avoid being found by so-called "IPv6 evangelists", who treat any criticism of IPv6 as a personal attack, and base their whole personality on it. Please don't be like them.