Are you ready for IPv6?
The world is running out of IPv4 addresses. IPv6 was designed to replace IPv4. Internet Protocol version 4 was created at a time when a few universities and the Department of Defense of the United States were the only ones who would actually be connected to the internet. For that time, the 4,294,967,296 IP addresses that result from a 32-bit address size were seen as more than enough. However, with the appearance of e-mail and the World Wide Web, the use of the internet grew exponentially. More and more organizations required large address ranges, and the IP address shortage soon became evident. In order to cope with this problem some workarounds were developed. Network address translation (NAT), for instance, is a technique that translates IP addresses in a private network (which can be repeated among different networks) into public IP addresses, which must be unique. Thus, we can provide internet access to a large number of users with a few public IP addresses. But these solutions have a cost in additional equipment, design complexity and processing time. The Internet Engineering Task Force (IETF) was commissioned to develop a new internet protocol which would fit in the same layer as the current IPv4 protocol within the TCP/IP stack. That was the birth of IPv6.
The IPv6 address format is 128 bits long. This brings up to approximately 3.4 times 10 to the 28th power addresses. To give you an idea, that is about 1564 addresses for every square meter on earth. In addition to the number of different IP addresses, IPv6 also has some useful features which make it faster and simpler.
Key IPv6 Features
- Astonishingly large address space: 2 raised to the power of 128 addresses.
- Simplified header: Most useful fields have been placed first in the header, which makes routing faster. In addition, some unused fields have been removed.
- End-to-end direct connectivity: No need for NAT.
- Self-configuration: No need for DHCP, or manual configuration. Servers can auto-configure their network interfaces with unique IP addresses based on the MAC address.
- Protocol-native security: Although not enforced, the IPsec security layer is made available on an optional basis.
- No broadcasting: The broadcasting routing mode (to send a data packet that all the nodes in the segment will receive) is no longer supported.
- New Anycast routing mode: Anycast is a new method in which a group of hosts is configured with the same address. When a server sends a packet to that Anycast address, the nearest server in the group will receive the packet.
- Internet addresses are no longer territory-bound. Thus, a roaming device, e.g. a cellphone, could move through different geographies while connected with the same IP address and with no interruptions.
- Better priority handling: IPv4 had a very limited way to handle the priority of a packet. The IPv4 header allocates 6 bits for the Differentiated Services Code Point and 2 bits for Explicit Congestion Notification, but it only works when the packet is sent to a recipient in the same network segment as the sender, i.e. with no routers in the middle. Instead, IPv6 allows the use of flow labels which tell routers how to prioritize the packet and route it accordingly.
- Extensibility: The IPv6 packet header is extensible in order to allow new information to be included. IPv4 had a rigid 40-byte reserved area for future options.
An IPv6 address consists of 128 bits. When represented in the hexadecimal system, it is a 32-hexadecimal-digit number. These digits are grouped into 8 blocks of 4 digits. The blocks are written separated by colons.
For example: ab32:077f:0000:342e:0000:0000:0a99:00fe
First, we can discard the leading zeroes of every block:
Our number becomes: ab32:77f:0:342e:0:0:a99:fe
Finally, we take the longest chain of consecutive zeroes and replace it by “::”. Note that this can be done only once.
We get: ab32:77f:0:342e::a99:fe.
Note that we can reconstruct the original number because we know that the total number of blocks is 8.
In our case ab32:77f:0:342e::a99:fe has 6 written blocks, so we know that “::” stands for :0000:0000: (2 blocks).
If we shrank two chains of zeroes into “::” then we wouldn’t be able to determine the number of blocks in each chain.
ab5:0000:0000:0000:bb4:34:0000:0000 -> ab5::bb4:34::
*** WRONG! ***
ab5::bb4:34:: could be any of:
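The compression rules above (strip leading zeroes in each block, replace only the longest run of zero blocks with “::”, and refuse to expand a string with two “::”) as an added Python example; this is not code from the original page. It implements the rules from scratch so the ambiguity in the last example surfaces as an error, and checks its result against the standard library’s ipaddress module, which applies the same rules (RFC 5952). The function names are my own.

```python
import ipaddress


def expand(addr: str) -> str:
    """Expand a written IPv6 address to eight 4-digit hex blocks, undoing '::' and zero stripping."""
    if addr.count("::") > 1:
        # Two '::' would leave the number of blocks in each run undetermined (the page's "WRONG" case).
        raise ValueError("'::' may appear only once; %r is ambiguous" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block in %r" % addr)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 blocks, found %d in %r" % (len(groups), addr))
    for g in groups:
        if not 1 <= len(g) <= 4:
            raise ValueError("block %r must have 1 to 4 hex digits" % g)
    return ":".join("%04x" % int(g, 16) for g in groups)


def compress(addr: str) -> str:
    """Shortest written form: leading zeroes dropped, longest zero run (first on a tie) replaced by '::'."""
    groups = [int(g, 16) for g in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:  # strictly greater: the first longest run wins
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    short = ["%x" % g for g in groups]  # '%x' drops the leading zeroes of each block
    if best_len < 2:
        # RFC 5952 does not allow '::' for a single zero block; write it as '0'.
        return ":".join(short)
    head = ":".join(short[:best_start])
    tail = ":".join(short[best_start + best_len:])
    return head + "::" + tail


def matches_stdlib(addr: str) -> bool:
    """Cross-check: the standard library must produce the same compressed form."""
    return compress(addr) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    for a in ("ab32:077f:0000:342e:0000:0000:0a99:00fe",
              "ab5:0000:0000:0000:bb4:34:0000:0000", "::1", "::"):
        print("%-40s -> %-25s stdlib agrees: %s" % (a, compress(a), matches_stdlib(a)))
    try:
        expand("ab5::bb4:34::")
    except ValueError as err:
        print("rejected:", err)
```

Note that the page’s second example compresses to ab5::bb4:34:0:0, not ab5::bb4:34::, because only the longer run of three zero blocks may be collapsed; the remaining two zero blocks stay written out, which is what keeps the address unambiguous.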
IPv6 addresses may be of one of the following types:
- Global Unicast Address
- Unique Local Address
- Site Local Address (deprecated)
- Link Local Address
- Multicast Address
- AnyCast Address
- Special Address
Global Unicast Address
A Global Unicast address is globally and uniquely addressable. It is the equivalent of a public address in IPv4. Only one network card in the world may have one specific Global Unicast address.
The first 48 bits of the address correspond to the Global Routing Prefix. The first 3 bits of the Global Routing Prefix are always “001”. That’s how the routers know it is a Global Unicast Address. The Global Routing Prefix identifies an organization’s network.
The following 16 bits in the Global Unicast Address are allocated for subnetting purposes.
The remaining 64 bits identify a network interface within the subnet.
Unique Local Address
Unique Local Addresses are the counterpart of Private Addresses in IPv4. They are meant to be used internally within a site or organization. Packets containing a ULA as their source address are not routable beyond an organization’s boundary. However, a ULA is globally unique (this is enforced only to avoid future renumbering in the case of a change in the organization’s ISP). ULAs are the replacement for the deprecated Site Local Addresses, which were formerly IPv6’s equivalent of IPv4’s Private Addresses.
The IPv6 network address FC00::/7 is the ULA address space.
Site Local Address (deprecated)
(Defined in RFC 3513, section 2.5.6, and deprecated by RFC 3879)
Addresses in the range FEC0::/10 were meant to be Site Local Addresses. They were not routable beyond an organization’s boundary. They were unique only within that organization, thus there might be many repeated instances of a single Site Local Address around the world provided that they are in different networks. However, this model was deprecated due to the ambiguity of the definition of “site”.
Link Local Address (self-configured)
A Link Local Address is an address that can be automatically generated by the device’s operating system. This kind of address allows the device to communicate with any other device on the local network, but it is not routable, meaning that it cannot be used to communicate with servers outside the scope of the local link.
The link local address eliminates the need for a DHCP within an organization’s network.
How a Link Local Address is Formed
The first 16 hexadecimal digits of the address are always: “FE80:0000:0000:0000”.
Then, taking advantage of the fact that MAC addresses are supposed to be unique, the OS’s network subsystem takes the interface’s MAC address and uses it to create the link local address.
It splits the MAC address into two halves.
The following 6 hexadecimal digits of the link local address will be the first half of the MAC address with its 7th bit flipped.
Then the digits “FFFE” are added, and at the end the second half of the MAC address is appended.
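The MAC-to-link-local construction above, as an added Python example (not code from the original page): the first three octets of the MAC with the 7th bit flipped, then FF:FE, then the last three octets, placed after the FE80:0000:0000:0000 prefix. The reverse function recovers the MAC from such an address, which is the check an incident responder runs to tie a link-local address seen in a log to a physical interface; it returns None for addresses that were not built this way. Function names are my own, and the MAC address used is a constructed sample.

```python
import ipaddress


def modified_eui64(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC (accepts 'aa:bb:..' or 'aa-bb-..')."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 6-octet MAC address, got %r" % mac)
    first = octets[0] ^ 0x02  # flip the 7th bit of the first octet (the universal/local bit)
    # first half of the MAC, then ff:fe, then the second half
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def link_local_from_mac(mac: str) -> str:
    """fe80:0000:0000:0000 followed by the modified EUI-64 identifier, in compressed notation."""
    prefix = b"\xfe\x80" + bytes(6)  # FE80:0000:0000:0000
    return str(ipaddress.IPv6Address(prefix + modified_eui64(mac)))


def mac_from_link_local(addr: str):
    """Recover the MAC from a MAC-derived link-local address, or None if it was not built that way."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[:8] != b"\xfe\x80" + bytes(6):
        return None  # not a link-local address with the fe80::/64 prefix
    if raw[11:13] != b"\xff\xfe":
        return None  # no ff:fe marker: e.g. a randomly generated (privacy) identifier
    first = raw[8] ^ 0x02  # flip the bit back
    octets = bytes([first]) + raw[9:11] + raw[13:16]
    return ":".join("%02x" % o for o in octets)


if __name__ == "__main__":
    sample_mac = "00:1b:44:11:3a:b7"  # constructed sample MAC address
    addr = link_local_from_mac(sample_mac)
    print(sample_mac, "->", addr, "->", mac_from_link_local(addr))
    print("fe80::1 ->", mac_from_link_local("fe80::1"))
```

Because the MAC is recoverable, a MAC-derived link-local address identifies the hardware to anyone who sees the address; operating systems that generate random interface identifiers instead (RFC 4941 privacy extensions, an addition not discussed on the page) produce addresses for which mac_from_link_local returns None.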
Getting to Know the Neighbors
After a device obtains addresses for all of its network interfaces, some additional steps take place. Together, these steps are known as the Network Discovery Protocol.
The server sends a multicast message to the address FF02::1/16. The purpose of this message is to find out whether another network card on the local segment has the same IP address. This is unlikely but not impossible: it could happen in the scenario where a hardware manufacturer usurps the MAC address range of another manufacturer, causing MAC address duplications which in turn may cause IPv6 address duplication, because the MAC address is what is used to guarantee the IPv6 address’s uniqueness. If a network card in the same segment happens to have the same IP address, a DAD (Duplicate Address Detection) message is sent back to the solicitor. Otherwise, if no answer is heard, the server assumes the IP address obtained is vacant and keeps it.
Once the network card has been configured with an IP address, it sends a new multicast message to FF02::1/16 telling anyone in the network about its IP address.
The next step on configuring the network card is to send another multicast message to the address FF02::2/16 asking about routers in the network segment. This helps the operating system to configure the default gateway, as well as any other gateway that could be tried when the first goes down.
When a router receives a router solicitation message, it responds with a router advertisement, letting the solicitor know about itself.
When a router receives a router solicitation but knows of another router that would be a better gateway for the host, it sends the solicitor a redirect message telling it about the other router, which can then be used as the default gateway.
Multicast addressing is a means to allow one server to send a packet to many servers at once. Many servers can be assigned the same Multicast Address, and then, when a packet is sent to that address, it will reach all the servers that have been assigned that Multicast Address.
Multicast Addresses are identified because they start with “FF”. The next hexadecimal digit (4 bits) is reserved for flags. These flags describe what kind of Multicast Address it is. So far only the fourth of these bits has a meaning assigned to it: the “transient” bit. If set to zero, the multicast address is defined as permanent (a well known address), while if set to one the multicast address is transient, that is, not permanently assigned.
The next hexadecimal digit in a multicast address is the Scope ID.
The Scope ID defines the scope of the multicast address, from Global around the whole Internet, to be restricted to a single organization or the local link.
The following are the 16 possible values of that digit and their meanings:
0 – Reserved
1 – Node-local Scope
2 – Link local Scope
3 – Not yet defined
4 – Not yet defined
5 – Site-local Scope
6 – Not yet defined
7 – Not yet defined
8 – Organization local Scope
9 – Not yet defined
A – Not yet defined
B – Not yet defined
C – Not yet defined
D – Not yet defined
E – Global Scope
F – Reserved
The remaining 28 hexadecimal digits are the multicast group ID.
Well known multicast group IDs
- FF0x::1 – All nodes in the scope (valid only for scopes 1 and 2)
- FF0x::2 – All routers in the scope (valid for scopes 1, 2 and 5)
Multicast Addresses used for Routing Protocols inside IPv6
- FF02::6 – OSPFv3 Designated routers
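The multicast address layout described above (FF, a flags nibble whose lowest bit is the transient flag, a scope nibble, and a 112-bit group ID), decoded by an added Python example that is not part of the original page. The scope names, the two well-known group IDs with the scopes in which the page says they are valid, and the OSPFv3 entry are taken from the lists above; the function name is my own.

```python
import ipaddress

# Scope values and names as listed on the page; any other value is "Not yet defined".
SCOPE_NAMES = {
    0x0: "Reserved",
    0x1: "Node-local Scope",
    0x2: "Link local Scope",
    0x5: "Site-local Scope",
    0x8: "Organization local Scope",
    0xE: "Global Scope",
    0xF: "Reserved",
}

# Well-known group IDs and the scopes in which the page says they are valid.
WELL_KNOWN_GROUPS = {
    1: ("All nodes in the scope", {1, 2}),
    2: ("All routers in the scope", {1, 2, 5}),
}

# (scope, group ID) pairs used by routing protocols, from the page's list.
ROUTING_GROUPS = {(2, 6): "OSPFv3 Designated routers"}


def parse_multicast(addr: str) -> dict:
    """Split an IPv6 multicast address into its flags, scope and group ID fields."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[0] != 0xFF:
        raise ValueError("%s is not a multicast address (first byte is not FF)" % addr)
    flags = raw[1] >> 4         # high nibble of the second byte
    scope = raw[1] & 0x0F       # low nibble of the second byte
    group_id = int.from_bytes(raw[2:], "big")  # remaining 112 bits (28 hex digits)
    transient = bool(flags & 0x1)  # the fourth (lowest) flag bit: 0 = permanent, 1 = transient

    well_known = None
    if group_id in WELL_KNOWN_GROUPS:
        label, valid_scopes = WELL_KNOWN_GROUPS[group_id]
        if scope in valid_scopes:
            well_known = label
    if well_known is None:
        well_known = ROUTING_GROUPS.get((scope, group_id))

    return {
        "transient": transient,
        "scope": scope,
        "scope_name": SCOPE_NAMES.get(scope, "Not yet defined"),
        "group_id": group_id,
        "well_known": well_known,
    }


if __name__ == "__main__":
    for a in ("ff02::1", "ff02::2", "ff05::1", "ff02::6", "ff15::1234"):
        print(a, parse_multicast(a))
```

Running it shows, for instance, that ff05::1 decodes to a site-local scope with group ID 1 but no well-known name, because the “all nodes” group is only defined for scopes 1 and 2.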
Anycast addressing is a method by which a message can be delivered from a certain server to the nearest member of a group of servers configured with the same address. Anycast addresses are allocated from the Unicast Address space, thus they are not distinguishable from unicast addresses by their format. The scope of an Anycast address is that of the unicast address space it belongs to.
A Unicast Address assigned to more than one node becomes an Anycast Address. However, an interface with an Anycast address must be explicitly configured to know that its address is an Anycast address. At present, only network devices, not hosts, can be configured with Anycast addresses.
IPv4-IPv6 hybrid networks (those with some segments using IPv6 and other segments using IPv4) may need a way to implement Anycast addressing under IPv4. This can be accomplished by using 4to6, a method that uses the IP address 18.104.22.168 as a default gateway as described in RFC 3068.
Addresses with Special Meaning
The IPv4 protocol specifies that all the addresses in the range 127.0.0.1 to 127.255.255.255 stand for the loopback address. For self-referencing and testing purposes, a single loopback address is enough. The IPv6 loopback address is ::1/128. Thus, it saves address combinations.
The default route in IPv4 is represented with the address 0.0.0.0/0; its counterpart in IPv6 is 0:0:0:0:0:0:0:0 with mask 0, which can be simplified to the notation: ::/0.
The address 0:0:0:0:0:0:0:0 with mask 128 (i.e. ::/128) is defined as the “unspecified address” in IPv6.
The first 40 bytes of an IPv6 packet make up the fixed mandatory header. The fixed header of an IPv6 packet comprises several fields. Additionally, there may be other optional headers (called extension headers) with a variable length.
Fixed Mandatory Header Structure
Version
This is a 4-bit-long field containing the number 6. It stands for IPv6. It is always the same in every IPv6 packet and it identifies the protocol version.
Traffic Class
This is an 8-bit-long field that identifies the kind of contents the packet holds, in order to help the networking devices decide what priority the packet should be treated with. The traffic class is initially set by the application-level software, but it could be further changed by lower levels. Only those components that support the use of the traffic class field are entitled to change it if needed. Because it may be changed during its journey, the destination application-level software should not take for granted that its current value is the one it had at the beginning.
Examples of Traffic Classes
Standard traffic: This kind of traffic is not seriously affected by normal network delays. If a packet is lost, the receiver will request it again, if it takes a longer path to its destination and reaches it after other packets that should come later, the receiver will put the packets in the right order. Text or file transfer data are of this class.
Multimedia traffic: Streamed audio and video data that is played back as it is being transmitted must be delivered in packet order and without delay. If a packet is not there when the piece of streamed sound or video it carried must be played, there will be a quality loss in the playback. After that, it makes no sense to try to re-send it: the data is only needed at the precise moment it must be played. The packets of this class of traffic will have a value other than zero in their traffic class field.
Real-Time traffic: Real-time applications, such as a program that controls a machine or robot, cannot tolerate uncertain data delays. Imagine for instance a robotic hand that should stop moving when it reaches the desired position. Let’s say it handles a laser cutter that is sculpting an eye’s crystalline lens, or a drill that is perforating a very delicate object. Real-time applications should be able to predict the time it takes for data to travel across the network. In order to do that, network time must be deterministic, meaning that environmental factors, like third-party utilization of network resources, should not affect it. Routers and other network devices should know when they are dealing with real-time traffic by reading the contents of the traffic class field.
Flow Label
A flow is a set of packets with a common origin and a common destination that carry information related to a single operation. Because all these packets should be treated in the same special way, they must be identified as belonging to the same flow. While a single pair of origin and target servers could maintain different data flows simultaneously, it is important that packets belonging to the same flow be treated the same way (for instance, routed through the same path) even though other packets could be treated differently. The source sets the same flow label for all packets belonging to the same flow. In unlabeled packets, the flow label field contains a zero. The flow label field is 20 bits long. When a new flow is created, the source chooses the new label randomly from 1 to FFFFF (in hexadecimal).
Payload Length
This is the size of the data that makes up the packet once the fixed header has been removed. It tells the network interface how much data to read until the beginning of the next packet. The payload length field is 16 bits long.
Next Header
This is a number which identifies which class of header the next extension header is. Extension headers are optionally added to supply protocol-specific information. Each header has a next header field, so the extension headers form a chain. Most extension headers are meant to be read only by the target server; the exception is the header carrying “hop-by-hop” options, which must be examined by every single node along the route. The zero value in the next header field means that the next header contains “hop-by-hop” options. The next header field is 8 bits long.
Hop Limit
The hop limit expresses the maximum number of nodes the packet may go through. It is set by the source server and is decremented by 1 at every node (network router) it crosses. When a packet’s hop limit becomes zero and it is not yet at its destination, it is discarded.
Source Address
The source address is the IPv6 address of the packet sender.
Destination Address
The destination address is the IPv6 address of the packet’s target server.
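The 40-byte fixed header laid out above (4-bit version, 8-bit traffic class, 20-bit flow label, 16-bit payload length, 8-bit next header, 8-bit hop limit, then two 16-byte addresses) as an added Python example that builds and parses it with the standard struct module; this is not code from the original page, and the packet it parses is a constructed sample. It also flags two things a detection engineer checks when parsing captured traffic: a version field other than 6, and a payload length that claims more bytes than were captured. Function and field names are my own.

```python
import ipaddress
import struct

FIXED_HEADER_LEN = 40  # bytes; the fixed mandatory header

# Next header values named on the page (0 = hop-by-hop) plus the common transport protocols.
NEXT_HEADER_NAMES = {0: "Hop-by-Hop Options", 6: "TCP", 17: "UDP", 58: "ICMPv6"}


def build_fixed_header(src: str, dst: str, payload: bytes, next_header: int = 17,
                       hop_limit: int = 64, traffic_class: int = 0, flow_label: int = 0) -> bytes:
    """Assemble version/traffic class/flow label, payload length, next header, hop limit, addresses."""
    if not 0 <= traffic_class <= 0xFF or not 0 <= flow_label <= 0xFFFFF:
        raise ValueError("traffic class is 8 bits and flow label is 20 bits")
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    header = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    header += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return header + payload


def parse_fixed_header(packet: bytes) -> dict:
    """Decode the fixed header of a captured packet; raise on a non-IPv6 version field."""
    if len(packet) < FIXED_HEADER_LEN:
        raise ValueError("only %d bytes: shorter than the 40-byte fixed header" % len(packet))
    first_word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError("version field is %d, not 6" % version)
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_length,
        "next_header": next_header,
        "next_header_name": NEXT_HEADER_NAMES.get(next_header, "other (%d)" % next_header),
        "hop_by_hop_follows": next_header == 0,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        # The header promises payload_length bytes; a capture may hold fewer.
        "truncated": len(packet) - FIXED_HEADER_LEN < payload_length,
    }


def sample_packet() -> bytes:
    """Constructed sample: a link-local sender to the all-nodes group, 5 bytes of UDP payload."""
    return build_fixed_header("fe80::1", "ff02::1", b"hello", next_header=17,
                              hop_limit=64, traffic_class=0x28, flow_label=0xABCDE)


if __name__ == "__main__":
    pkt = sample_packet()
    for key, value in parse_fixed_header(pkt).items():
        print("%-19s %s" % (key, value))
    print("truncated capture:", parse_fixed_header(pkt[:42])["truncated"])
```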
Mapping IPv4 Addresses into an IPv6 Network
The process of converting the whole Internet from IPv4 to IPv6 is expected to take many years. For the sake of the co-existence of the two protocols, special provisions have been included in the IPv6 design. One of these provisions allows any IPv4 address to be converted into an IPv6 address which can then be converted back to the original IPv4 address. This is possible because IPv6 addresses are very much larger than IPv4 addresses.
An IPv4 address consists of 4 bytes, i.e. 32 bits. An IPv6 address has 128 bits. The mapping is straightforward: just prefix the IPv4 address with 96 zeroes in order to complete the 128 bits. In order to make the original address recognizable by humans, a special notation is allowed. The hybrid notation mixes the hexadecimal digits used in IPv6 with the 4 decimal number groups used in IPv4 notation.
To map the IPv4 address 192.168.23.12 into an IPv6 address we just add 96 bits with the value 0 before the IPv4’s 32 bits.
The first 96 bits are then written in hexadecimal system in groups of 4 digits separated by colons (as is the IPv6 standard notation).
The remaining 32 bits that correspond to the IPv4 address are kept in decimal notation in 4 groups of one byte each separated by dots (as used in IPv4).
0000:0000:0000:0000:0000:0000:192.168.23.12 (shortened to ::192.168.23.12)
Using this hybrid notation makes it easier for readers to recognize the original IPv4 address it comes from.
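The embedding just described (96 zero bits followed by the 32 IPv4 bits, written in hybrid notation) as an added Python example; it is not code from the original page. It goes a little beyond the page: the prefix is a parameter, so the same functions produce the IPv4-mapped form ::ffff:a.b.c.d that dual-stack sockets use (a fact I am adding, RFC 4291), and a last function computes the 2002::/16 “6to4” prefix that the tunnels section later on derives from an IPv4 address. The reverse function checks that the first 96 bits really carry the expected prefix before trusting the last 32 bits as an IPv4 address. Function names are my own.

```python
import ipaddress


def embed_ipv4(ipv4: str, prefix: str = "::") -> ipaddress.IPv6Address:
    """Place the 32 bits of `ipv4` after the first 96 bits of `prefix` (all zeroes on the page)."""
    v4 = ipaddress.IPv4Address(ipv4).packed                # 4 bytes
    high96 = ipaddress.IPv6Address(prefix).packed[:12]     # 12 bytes = 96 bits
    return ipaddress.IPv6Address(high96 + v4)


def hybrid_notation(addr) -> str:
    """Write the first 96 bits as hex groups and the last 32 bits in dotted decimal."""
    raw = ipaddress.IPv6Address(addr).packed
    dotted = str(ipaddress.IPv4Address(raw[12:]))
    if raw[:12] == bytes(12):
        return "::" + dotted          # the page's case: all-zero prefix collapses to '::'
    groups = ["%x" % int.from_bytes(raw[i:i + 2], "big") for i in range(0, 12, 2)]
    return ":".join(groups) + ":" + dotted


def extract_ipv4(addr, prefix: str = "::"):
    """Recover the embedded IPv4 address, or None if the first 96 bits are not `prefix`."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[:12] != ipaddress.IPv6Address(prefix).packed[:12]:
        return None
    return str(ipaddress.IPv4Address(raw[12:]))


def sixtofour_prefix(ipv4: str) -> str:
    """The 2002:xxxx:xxxx::/48 prefix that 6to4 tunneling derives from a public IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4).packed
    return str(ipaddress.IPv6Network("2002:%02x%02x:%02x%02x::/48" % tuple(v4)))


if __name__ == "__main__":
    a = embed_ipv4("192.168.23.12")          # the page's example address
    print(a.exploded, "=", hybrid_notation(a), "->", extract_ipv4(a))
    m = embed_ipv4("192.168.23.12", "::ffff:0:0")
    print(hybrid_notation(m), "->", extract_ipv4(m, "::ffff:0:0"))
    print("6to4 prefix:", sixtofour_prefix("192.168.23.12"))
```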
We have already mentioned that NAT is no longer needed for address space reasons. But it goes beyond that: In IPv6, NAT is considered a protocol violation.
Nevertheless, there are people who still promote it (e.g. http://workshop.netfilter.org/2011/wiki/images/a/ac/Ipv6_nat.pdf).
The reasons for supporting the use of NAT (apart from extending the address range) might be network security and network administration practices.
RFC 4864 discourages NAT and shows how local network protection as implemented in IPv6 provides better ways to secure your network, whilst RFC 4192 offers recommendations on how to perform a network renumbering without risks and without using NAT. It is also worth clarifying that while NAT is discouraged and unneeded, the same is not true of proxying, which may be both needed and adequate.
Network Address Translation with Protocol Translation (NAT-PT)
Whereas the use of NAT within IPv6 is no longer needed and even proscribed, the use of NAT-PT at the boundary between an IPv6 network and an IPv4 network seems to be the only option while we are in a transition phase where both protocols have to co-exist. And this transition is likely to take a very long time.
Dual Stack Routers
Dual Stack Routers are routers that support both IPv4 and IPv6.
Dual Stack Networks
One of the many strategies for the transition from IPv4 to IPv6 is a Dual Stack Network. A Dual Stack Network is a network in which all the nodes inside the network support both IPv4 and IPv6 traffic. When a node in a Dual Stack Network has to communicate with another node that supports both protocols, communication will occur in IPv6. Only when a node in a Dual Stack Network has to communicate with a server outside the network which supports only IPv4 will both nodes use IPv4 to communicate with each other. A typical approach is to enable the core WAN routers with dual-protocol capabilities first, then the perimeter routers and firewalls, then the routers on the server side and then the routers on the desktop side. Once all the network devices support both protocols, we start enabling IPv6 on the server farm and finally on the desktop computers.
Tunnels, Islands and Oceans
This approach consists of converting the organization’s network in small sectors. At first only a few isolated LAN segments will support IPv6. When a node within such an IPv6 island has to communicate with another node on another IPv6 island, their traffic will be tunneled by encapsulating the IPv6 packets into IPv4 datagrams. The IPv4 datagrams will cross the IPv4 ocean until they reach the second IPv6 island, where the IPv4 datagrams will be opened and the original IPv6 packets reassembled. The IPv6 packets will continue their travel to the destination node. As the conversion goes on, IPv6 islands will grow until they form an IPv6 ocean with a few IPv4 islands. The IPv4 traffic between two nodes on different IPv4 islands will then be tunneled over IPv6 packets, and these packets will sail the IPv6 ocean until they reach the IPv4 shore.
There are two types of tunnels: manually configured tunnels and dynamically configured tunnels. The former implies more configuration work in order to set up the tunnel. Taking into account that we’ll be creating and removing tunnels as we convert new LAN segments to IPv6, it could involve a significant amount of work. The latter is easier to maintain and configure but presents some security concerns. Tunneled traffic cannot be parsed by routers, and in some scenarios it is not possible to track the originating server. Someone could inject forged traffic into the tunnel that firewalls will have no means to inspect, especially when communicating with an unauthenticated router.
The dynamic tunneling technique 6to4 uses addresses in the 2002::/16 range. This means that you’ll have to renumber your network after having eliminated all IPv4 islands in order to use the IPv6 address range you meant to.
NAT-PT (Network address translation with Protocol Translation)
Translating from IPv4 to IPv6 is quite straightforward, but the other way round is more complex. This technique is meant to be the last resort when all other approaches cannot be applied.
If your IT platform includes web servers, then you have to decide which strategy fits you best. You have to consider who is going to be accessing your websites. If your web content is targeted at your own employees only, then you may want to migrate the servers to IPv6 as you migrate your employees’ PCs to IPv6. On the other hand, if your web sites are to be accessed by the general public or customers, you may want to make them available on both protocols independently of what your organization’s network protocol is. You can achieve this in different ways. You can have all your web servers on an IPv4 segment, and then a reverse proxy that converts the traffic to IPv6 when web requests come in on that protocol, or you can configure your web servers to use IPv6 and have the proxy convert the traffic to IPv4 when suitable. Another option could be having separate web servers for each protocol (although this implies duplicated web master’s work). In any case you will most likely need to set up an IPv6-enabled proxy.
IPv6 Proxying and Reverse Proxying Issues
With some proxies, such as some versions of Squid, some operating systems (Windows XP, OpenBSD and Mac OS X) find it difficult to establish outgoing connections to IPv6 websites (although incoming traffic will not be affected). These issues also exist on other operating systems if split-stack IPv6 support or non-mapping dual-stack IPv6 support is configured. If your platform happens to be one of those mentioned above, consult your product documentation in order to know whether you are actually affected by this or not.
Testing Your IPv6 Web Sites
There are some resources on the Internet that allow you to test an IPv6 site when you don’t have a desktop PC with IPv6. These services are proxies that access your IPv6 web site for you, convert the response to IPv4, and send it back to your browser on an IPv4-speaking PC.
The following is a list of useful resources (there are a lot more in a Google search, just choose the one you like most).
In order to secure an IPv6 network (take into account that in IPv4, NAT provided a minimum of security) you should put a firewall at your network border. It should be at least a stateful firewall. The most elementary type of firewall is a filter, such as a server running iptables. A filter is able to look inside the network packets (TCP, UDP, ICMP or others) and examine the contents of the fields comprising the packet’s header. Then the filter allows or denies packets according to these fields’ contents and the configured criteria. A stateful firewall is also able to read the fields in a TCP packet corresponding to the status bits. These bits allow the firewall to keep track of a session, i.e. to know which packets are responses to previous packets and which is the first packet of a session. This way, it can know whether the session originated inside or outside the local area network (LAN). Normally all traffic originating inside the LAN would be allowed to pass, but packets coming from outside would only be allowed when required (according to our servers’ purpose). For example, if there is a web server within your network, you may want to configure your firewall to allow incoming packets on the web ports (80 and 443) and to deny any other traffic originating outside your LAN, while allowing all the traffic originating inside it (outgoing traffic) so that your users can browse the Internet freely. As a minimum, ip6tables (the IPv6 version of iptables) could be used.
Blacklists and Whitelists
A list of sites to be blocked, while the rest are permitted, is referred to as a “blacklist”; on the other hand, a list of sites to be permitted while the rest are blocked is called a “whitelist”. Setting up a blacklist or whitelist using ip6tables might be accomplished with a lot of work or by using some shell scripting, but this could be hard to maintain unless you choose a specialized tool.
If you want to implement a more complex set of firewalling rules, such as blocking some kinds of attached files based on their names or extensions (which is actually very easy to bypass), scanning traffic for viruses, decompressing files to inspect them, etc., then ip6tables is not enough and you should look for more advanced solutions. Firewalls that deal with issues like those need to know some of the internal operation of the applications; they are called application-aware, and since they are located at the application layer of the OSI model, they are referred to as Application Level Gateways (ALG).
Bundled Protocols are protocols used by applications which dynamically assign IP addresses and/or ports as a way to establish streams of raw data. Some examples of applications using bundled protocols are SIP, H.323, FTP, Internet telephony, etc.
If your applications use bundled protocols you might want to implement FCP (Firewall Control Protocol); otherwise your data flows will quite probably be disrupted by your firewalls. This is no different in IPv4.
For a list of firewall solutions available on the marketplace you can check out the following link:
The following sites were consulted when compiling this material: