With approximately a few more months left until there are no more IPv4 addresses left many of you are starting too look into IPv6. Now just because there are few IPv4 addresses left doesn’t mean the Internet is going to come to a screeching halt but it is definitely time to learn about IPv6 and get your self ready for the transition. So what’s the difference?
We all know (I hope) than an IPv4 address is made up of 32 bits with a portion being the network identifier and the other portion being the host identifier. The identifier was specified via the subnet mask, or net mask. For example and IP address of 192.168.1.100 with a net mask of 255.255.255.0 meant that the 192.168.1 portion was the network identifier and the .100 was the host identifier. And based on this we could have 254 hosts on that network segment.
An IPv6 address is made up of 128 bits and this is most commonly displayed in the following manner…
An IPv6 address has a 64 bit network prefix (aka identifier) and a 64bit interface identifier. Since a single host can have multiple interfaces rather that stick with host identifier it was changed to interface indentifier but in essence it is the same. There are a few things to note with an IPv6 address…
- The hex characters are case insensitive
- Leading zeros maybe omitted
- One occurrence of groups of zeros can be replaced with 2 colons
- Colons are used to separate octets
- Periods are used to signify ports
As an example this IPv6 address can be expressed in multiple ways.
- 2001:0db8:85a3::8a2e:0370:7334.21 for an FTP server as an example
So what else is new in IPv6? Quite a bit aside from just a larger pool of addresses. Yes the main reason for moving to IPv6 is the larger pool of IP addresses. With IPv4 the limitation is 4,294,967,296 unique addresses and with IPv6 it is, well it is a lot more 😉 3.04 x 10^38 as a rough calculation. Needless to say it should get us through the next few decades. Besides that there are some new features as well.
Support for IPSec and Multicast are built into the base IPv6 protocol. While you can, and might be using this already with IPv4, the support wasn’t native to the IPv4 protocol. IPv6 also supports Jumbograms which are not to be confused with Jumbo Frames. In IPv4 the maximum payload size was 65535 octets of data whereas the a Jumbogram can support payloads up to 4 294 967 295 octets.
With an IPv6 address the first 64 bits are used to identify the network. Your ISP will use part of that 64 bit prefix for its routing and you will use the rest for internal routing. The interface identifier can be provided a number of ways, including via DHCP, however DHCP becomes unecessary as thanks to an IPv6 feature called Stateless Auto-configuration.
Stateless Auto-configuration works by using the router advertisement to create the 64 bit network identifier and then auto configuring the 64 bit interface identifier using the devices MAC address and inserting ff:fe in the middle. For example, the MAC address of the NIC in my notebook is 00:24:D7:62:94:48 the interface identifier would be 00:24:D7:FF:FE:62:94:48 With your routers always sending out the same advertisements and your MAC address never changing you will always get the same IPv6 IP address. DHCPv6 is still an option but would be used to provide DNS information rather than IP addressing.
The type of address we have been discussing is called a Global Unicast IPv6 Address but there are other types of IPv6 address available. These include:
- Link Local – A Link Local IPv6 address is used on a single logical network by the IPv6 stack for it’s own maintenance. Link local IPv6 addresses always start with fe80
- Site Local – You can think of a Site Local IPv6 address as a private address space. Similar to the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 private ranges in IPv4. Site Local IPv6 addresses always start with fd
- Multicast – An IPv6 Multicast address is a group address. All devices with a specific IPv6 Multicast address will get the packets sent to that group address. Multicast IPv6 addresses always start with ff
There is a key difference between multicast in the IPv4 and IPv6 networks. IPv4 uses a broadcast mechanism to deliver multicast, whereas IPv6 sends the data to a group address and all interfaces in the group will see it. It is a small difference but can be signifigant in reducing the amount of chatter on th wire.
The IPv6 protocol has support for IPSec built in. While IPSec offers real security advantages by encrypting all traffic over the wire, as opposed to SSL which is limited to TCP, it still requires the underlying IPSec infrastructure. IPv4 supports IPSec, although not natively, and if you have deployed IPSec in IPv4 there really isn’t anything different in IPv6 that would require wholesale changes.
So who is running IPSec? Not many organizations. From the challenges with setting it up to the lack of support from major applications, IPSec has seem limited implementation. But there is still a security upside to IPv6.
Ever do a port scan? Of course you have. I don’t know anyone who hasn’t run a port scan against their organizations network or their cable Internet segment 😉
When you run a port scan you basically select a range of IP addresses and set the scanner to look for open ports in that range. With the sheer number of IPv6 addresses available this becomes impossible. Sure you can still select a range of IPv6 addresses and scan them and the scanner will report back with the list of open ports but it would take forever, almost literally. And with less than 1% of IPv6 addresses allocated to ISPs this will only take longer as IPv6 is adopted. That doesn’t mean we are free and clear as you can still scan a specific IPv6 address if you know it but random port scanning will be a thing of the past.
To protect from targeted port scanning we have all the same methods of protecting the systems as we do today such as firewalls and NAT devices. If you are running IPv6 you will need to upgrade your networking gear to support IPv6 and this includes your firewall and/or NAT devices.
While there has been a lot of talk about IPv6 being more secure, it is and it isn’t. IPv4 has the same support for IPSec than IPv6 does, it just wasn’t built into the protocol. The sheer number of IPv6 addresses does provide some “security by obscurity” but that really isn’t a valid security measure. If you want to keep your network secure, simply moving to IPv6 isn’t the answer.
So we’ve covered a lot of the basics of IPv6 and you might want to get started with it. Well there is some good news and some bad news. Bad news is most ISPs don’t offer IPv6 addresses to the public yet. The good news is you don’t need your ISP to do it, in fact you are probably already using it.
Windows Vista, Windows 7 and OSX all have built in support for IPv6 and all create a global unicast address. Home Group in Windows 7 relies on IPv6 and in a Windows 7/Server 2008 network a lot of the network utilities you use (ping for example) support IPv6 as well. DirectAccess in Windows Server 2008 R2 also uses IPv6. So how does this work if you have IPv6 support in your OS but no where else? Tunnelling and translation, that’s how.
You can go to any number of Tunnel Brokers and get a public IPv6 address. The tunnel broker will then use one of the tunnelling options to connect you. But what is tunnelling? Tunnelling is the technology used to tunnel IPv6 traffic over an IPv4 network and there are three basic tunnelling options:
- Teredo – Teredo is a method of encapsulating an IPv6 packet inside an IPv4 UDP datagram. Seeing as Teredo was designed by Microsoft it is supported in Windows and is the primary tunnelling mechanism used by Windows. One of the key benefits to Teredo is the fact that because it is encapsulated in an IPv4 UDP datagram it can be routed.
- ISATAP – ISATAP stands for Intra-Site Automatic Tunnelling Protocol and works by building a Link Local IPv6 address from the interface’s IPv4 address and using Neighbour Discovery to connect the interfaces. ISATAP can be routed by created a Potential Router List (PRL).
- 6to4 – 6to4, also known as 6in4, encapsulates IPv6 packets and transmits them over a specific IPv4 link. The IPv4 link must allow packets with Protocol Header 41 through. Typically 6to4 endpoints need to be configured statically making it a poor choice in most instances. 6to4 is meant as a transition mechanism and not a long term solution.
IPv6 is here to stay and as mentioned you are most likely already using it. There are sites on the Internet that are only accessible via IPv6 such as http://www.v6.facebook.com and http://ipv6.google.com While ISPs might be currently lagging and getting IPv6 out there there is nothing preventing you from trying it out today.
For more information on IPv6 see the TechNet IPv6 Library