IPv6
Learning Objectives
- Understand the motivation for IPv6 and limitations of IPv4
- Master IPv6 address format, notation, and types
- Learn IPv6 header structure and improvements over IPv4
- Understand address autoconfiguration mechanisms (SLAAC, DHCPv6)
- Learn Neighbor Discovery Protocol (NDP) and its role
- Explore transition mechanisms from IPv4 to IPv6
- Understand IPv6 routing protocols
- Learn IPv6 security considerations
- Configure and troubleshoot IPv6 networks
Table of Contents
- Why IPv6?
- IPv6 Address Format
- IPv6 Address Types
- IPv6 Header
- Address Autoconfiguration
- Neighbor Discovery Protocol
- Transition Mechanisms
- IPv6 Routing
- IPv6 Security
- Practical Configuration
- Practice Problems
1. Why IPv6?
IPv4 Exhaustion
IPv4 uses 32-bit addresses, providing approximately 4.3 billion addresses:
Total IPv4 addresses = 2^32 = 4,294,967,296
Exhaustion timeline:
- 2011: IANA exhausted central pool
- 2015: ARIN (North America) exhausted
- 2019: RIPE NCC (Europe) exhausted
- 2021: All Regional Internet Registries (RIRs) depleted
NAT Limitations
Network Address Translation (NAT) was a temporary solution:
NAT drawbacks:
- Breaks end-to-end connectivity
- Complicates peer-to-peer applications
- Adds processing overhead
- Makes troubleshooting difficult
- Incompatible with some protocols (IPsec, SIP)
IPv6 Advantages
Massive address space:
IPv6 addresses = 2^128 ≈ 3.4 × 10^38 addresses
Other benefits:
- No need for NAT (restores end-to-end connectivity)
- Simplified header for faster processing
- Built-in IPsec support
- Better multicast support
- Autoconfiguration (SLAAC)
- No broadcast (replaced by multicast)
- Improved QoS with flow labels
2. IPv6 Address Format
128-bit Address Structure
IPv6 addresses are 128 bits long, written as 8 groups of 4 hexadecimal digits:
IPv6 Address Structure:
┌──────────┬──────────┬──────────┬──────────┬──────────┬──────────┐
│ 16 bits  │ 16 bits  │ 16 bits  │ 16 bits  │   ...    │ 16 bits  │
│ (0-FFFF) │ (0-FFFF) │ (0-FFFF) │ (0-FFFF) │   ...    │ (0-FFFF) │
└──────────┴──────────┴──────────┴──────────┴──────────┴──────────┘
  Group 1    Group 2    Group 3    Group 4      ...      Group 8
Example:
2001:0db8:85a3:0000:0000:8a2e:0370:7334
Notation Rules
Full notation:
2001:0db8:0000:0042:0000:8a2e:0370:7334
Rule 1: Leading zeros can be omitted
2001:db8:0:42:0:8a2e:370:7334
Rule 2: Consecutive zero groups can be replaced with ::
2001:db8:0:42::8a2e:370:7334
Important: :: can only be used ONCE per address
# Valid
2001:db8::1
ff02::1
::1 (loopback)
# Invalid (multiple ::)
2001::25de::cade # ✗ Ambiguous
Address Shortening Examples
Original: 2001:0db8:0000:0000:0000:0000:0000:0001
Shortened: 2001:db8::1
Original: fe80:0000:0000:0000:0202:b3ff:fe1e:8329
Shortened: fe80::202:b3ff:fe1e:8329
Original: 0000:0000:0000:0000:0000:0000:0000:0001
Shortest: ::1 (loopback)
Original: 0000:0000:0000:0000:0000:0000:0000:0000
Shortest: :: (unspecified address)
Prefix Notation
Similar to CIDR in IPv4:
2001:db8:abcd:0012::/64
└────────────────┘
Network prefix (64 bits)
3. IPv6 Address Types
Unicast Addresses
Global Unicast (GUA)
Routable on the Internet (equivalent to public IPv4):
Address Range: 2000::/3 (currently 2000:: to 3fff::)
Structure:
┌──────────────┬──────────────┬──────────────┐
│ Global       │ Subnet ID    │ Interface    │
│ Routing      │              │ Identifier   │
│ Prefix       │              │ (IID)        │
│ (48 bits)    │ (16 bits)    │ (64 bits)    │
└──────────────┴──────────────┴──────────────┘
Example:
2001:db8:1234:5678::1/64
└───────────┘ └──┘ └───┘
ISP          Subnet Host
Link-Local Addresses (LLA)
Valid only on the local link (like 169.254.x.x in IPv4):
Address Range: fe80::/10
Structure:
┌───────┬────────┬────────────────────────────┐
│ fe80  │ 0000   │ Interface ID (64 bits)     │
└───────┴────────┴────────────────────────────┘
Example:
fe80::1
fe80::202:b3ff:fe1e:8329
Mandatory on all IPv6 interfaces!
Unique Local Addresses (ULA)
Private addresses (like 10.x.x.x, 192.168.x.x in IPv4):
Address Range: fc00::/7 (fd00::/8 in practice)
Structure:
┌────┬───┬────────────┬────────┬──────────────┐
│ fd │ 0 │ Global ID  │ Subnet │ Interface ID │
│    │   │ (40 bits)  │(16 bit)│ (64 bits)    │
└────┴───┴────────────┴────────┴──────────────┘
Example:
fd00:1234:5678:1::1/64
Multicast Addresses
Address Range: ff00::/8
Structure:
┌────┬───────┬──────────────────────┐
│ ff │ Flags │ Group ID             │
│    │ Scope │                      │
└────┴───────┴──────────────────────┘
Common multicast addresses:
ff02::1 All nodes on link
ff02::2 All routers on link
ff02::1:ff00:0/104 Solicited-node multicast
Scopes:
- 1 - Interface-local
- 2 - Link-local
- 5 - Site-local
- 8 - Organization-local
- e - Global
Anycast Addresses
Same format as unicast, but assigned to multiple interfaces. Packets are delivered to the nearest interface.
Example use case: DNS root servers
2001:db8::1 assigned to multiple servers
Special Addresses
::1/128 Loopback (localhost)
::/128 Unspecified address (like 0.0.0.0)
::ffff:0:0/96 IPv4-mapped IPv6 (::ffff:192.0.2.1)
2001:db8::/32 Documentation prefix
4. IPv6 Header
Simplified Header Structure
The IPv6 header is simpler and fixed-length (40 bytes):
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| Traffic Class |           Flow Label                  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Payload Length        |  Next Header  |   Hop Limit   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                         Source Address                        +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                      Destination Address                      +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Field Descriptions
| Field | Size | Description |
|---|---|---|
| Version | 4 bits | Always 6 |
| Traffic Class | 8 bits | QoS priority (like DSCP in IPv4) |
| Flow Label | 20 bits | QoS flow identification |
| Payload Length | 16 bits | Length of payload (not including header) |
| Next Header | 8 bits | Type of next header (TCP=6, UDP=17, etc.) |
| Hop Limit | 8 bits | Decremented by each router (like TTL) |
| Source Address | 128 bits | Source IPv6 address |
| Destination Address | 128 bits | Destination IPv6 address |
Improvements Over IPv4
Removed fields:
- Header Length (fixed at 40 bytes)
- Identification, Flags, Fragment Offset (moved to extension header)
- Header Checksum (handled by link layer and transport layer)
Benefits:
- Faster processing (no checksum calculation)
- Fixed header size (easier hardware implementation)
- Optional features in extension headers
Extension Headers
Extension headers provide flexibility:
IPv6 Header → Ext Header 1 → Ext Header 2 → TCP/UDP Header → Data
Common extension headers:
1. Hop-by-Hop Options (0) - processed by every node
2. Routing (43) - source routing
3. Fragment (44) - fragmentation information
4. Destination Options (60) - options for destination
5. Authentication (51) - IPsec AH
6. Encapsulating Security Payload (50) - IPsec ESP
Example with fragmentation:
┌─────────────┬──────────────┬──────────┬──────┐
│ IPv6 Header │ Fragment     │ TCP Hdr  │ Data │
│ Next=44     │ Header       │          │      │
│             │ Next=6       │          │      │
└─────────────┴──────────────┴──────────┴──────┘
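The Next Header chain described above, as an added example that is not part of the original page: a parser that decodes the fixed 40-byte header and walks the extension headers to find the upper-layer protocol, which is what a packet filter has to do before it can match on TCP or UDP. The function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

# Extension headers that can be skipped over; numbers as in the list above.
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment",
               51: "AH", 60: "Destination Options"}


def parse_ipv6(packet: bytes) -> dict:
    """Decode the fixed 40-byte header, then follow the Next Header chain."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    if word0 >> 28 != 6:
        raise ValueError("version field is not 6")
    info = {
        "traffic_class": (word0 >> 20) & 0xFF,
        "flow_label": word0 & 0xFFFFF,
        "payload_length": payload_len,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "chain": [],
        "fragment": None,
    }
    offset, end = 40, min(len(packet), 40 + payload_len)
    while next_hdr in EXT_HEADERS:
        if offset + 8 > end:
            raise ValueError("extension header runs past the payload")
        info["chain"].append(EXT_HEADERS[next_hdr])
        following, len_field = packet[offset], packet[offset + 1]
        if next_hdr == 44:    # Fragment header is always 8 bytes
            frag, ident = struct.unpack("!HI", packet[offset + 2:offset + 8])
            info["fragment"] = {"offset": (frag >> 3) * 8,
                                "more": bool(frag & 1), "id": ident}
            size = 8
        elif next_hdr == 51:  # AH length field counts 4-byte words, minus 2
            size = (len_field + 2) * 4
        else:                 # others count 8-byte units after the first 8
            size = (len_field + 1) * 8
        offset, next_hdr = offset + size, following
    if offset > end:
        raise ValueError("extension header runs past the payload")
    # ESP (50) or any other value ends the walk: what follows is encrypted or
    # is the upper-layer header (TCP=6, UDP=17). For a fragment with a
    # non-zero offset, upper_offset points into the middle of the payload.
    info["upper_protocol"], info["upper_offset"] = next_hdr, offset
    return info


def sample_packet() -> bytes:
    """Constructed packet: IPv6 -> Fragment -> TCP, as in the diagram above."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    fixed = struct.pack("!IHBB", (6 << 28) | 0x12345, 28, 44, 64) + src + dst
    fragment = struct.pack("!BBHI", 6, 0, 1, 0xDEADBEEF)  # offset 0, M=1
    return fixed + fragment + bytes(20)  # 20 zero bytes stand in for TCP


if __name__ == "__main__":
    for key, value in parse_ipv6(sample_packet()).items():
        print(f"{key}: {value}")
```

A filter that only inspects the Next Header field of the fixed header would see 44 here and never reach the TCP header at offset 48.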
5. Address Autoconfiguration
SLAAC (Stateless Address Autoconfiguration)
IPv6 devices can configure themselves without DHCP:
Process:
┌──────────┐                           ┌──────────┐
│   Host   │                           │  Router  │
└────┬─────┘                           └────┬─────┘
     │                                      │
     │ 1. Generate link-local address       │
     │    (fe80::IID)                       │
     │                                      │
     │ 2. Router Solicitation (RS)          │
     │─────────────────────────────────────▶│
     │    (ICMPv6 type 133)                 │
     │                                      │
     │ 3. Router Advertisement (RA)         │
     │◀─────────────────────────────────────│
     │    (prefix, gateway, flags)          │
     │    (ICMPv6 type 134)                 │
     │                                      │
     │ 4. Generate global address           │
     │    (prefix + IID)                    │
     │                                      │
     │ 5. Duplicate Address Detection (DAD) │
     │    (Neighbor Solicitation)           │
     │─────────────────────────────────────▶│
     │                                      │
Interface Identifier (IID) Generation
Method 1: EUI-64 (from MAC address)
MAC address: 00:1A:2B:3C:4D:5E
Steps:
1. Split MAC: 001A2B | 3C4D5E
2. Insert FFFE: 001A2B | FFFE | 3C4D5E
3. Flip U/L bit: 021A2B | FFFE | 3C4D5E
   (7th bit of first byte: 00 → 02)
Result IID: 021a:2bff:fe3c:4d5e
Method 2: Privacy Extensions (RFC 4941)
Random IID generated periodically for privacy:
Temporary IID: 1234:5678:9abc:def0 (random)
Lifetime: 1 day (configurable)
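An added example, not from the original page, that implements the EUI-64 steps above and also the reverse direction: recovering the MAC address from a SLAAC address, which is why stable EUI-64 IIDs allow tracking across networks and what an address audit would look for. Function names and the sample inventory are constructed for illustration, and the ff:fe test is a heuristic (a random IID matches it by chance about once in 65,536).

```python
import ipaddress


def eui64_iid(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC address."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split after the first 3 bytes, insert ff:fe, flip the U/L bit (0x02).
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (fe80::/64 or an RA prefix) with the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 IID needs a /64 prefix")
    return net[int.from_bytes(eui64_iid(mac), "big")]


def embedded_mac(addr: str):
    """Return the MAC address exposed by an EUI-64 address, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def audit(addresses):
    """Group addresses by the MAC they expose; the rest have opaque IIDs."""
    by_mac, opaque = {}, []
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac is None:
            opaque.append(addr)
        else:
            by_mac.setdefault(mac, []).append(addr)
    return by_mac, opaque


# Constructed inventory: one interface seen under two prefixes, plus one
# temporary (privacy extension) address.
SAMPLE = [
    "2001:db8:1::250:56ff:fea1:b2c3",
    "2001:db8:2::250:56ff:fea1:b2c3",
    "2001:db8:1::1234:5678:9abc:def0",
]

if __name__ == "__main__":
    print(slaac_address("fe80::/64", "00:1A:2B:3C:4D:5E"))
    by_mac, opaque = audit(SAMPLE)
    for mac, addrs in by_mac.items():
        print(f"{mac} is exposed by {len(addrs)} addresses: {addrs}")
    print("opaque IIDs:", opaque)
```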
DHCPv6
Stateless DHCPv6:
- Address from SLAAC
- DNS, NTP from DHCPv6
Stateful DHCPv6:
- Complete address from DHCPv6 server
- Like traditional DHCP
DHCPv6 process:
Client                             Server
  │                                   │
  │ SOLICIT (multicast ff02::1:2)     │
  │──────────────────────────────────▶│
  │                                   │
  │ ADVERTISE                         │
  │◀──────────────────────────────────│
  │                                   │
  │ REQUEST                           │
  │──────────────────────────────────▶│
  │                                   │
  │ REPLY (address, DNS, etc.)        │
  │◀──────────────────────────────────│
Router Advertisement Flags
M flag (Managed): 1 = Use DHCPv6 for address
O flag (Other): 1 = Use DHCPv6 for other config (DNS)
Combinations:
M=0, O=0 → SLAAC only
M=0, O=1 → SLAAC + stateless DHCPv6
M=1, O=0 → Stateful DHCPv6
M=1, O=1 → Stateful DHCPv6
6. Neighbor Discovery Protocol
NDP vs ARP
NDP (Neighbor Discovery Protocol) replaces ARP in IPv6:
| Function | IPv4 | IPv6 |
|---|---|---|
| Address resolution | ARP | NDP (NS/NA) |
| Router discovery | ICMP Router Discovery | NDP (RS/RA) |
| Redirect | ICMP Redirect | NDP Redirect |
| MTU discovery | - | NDP (RA) |
NDP Message Types
All NDP messages use ICMPv6:
- Router Solicitation (RS) - Type 133
- Router Advertisement (RA) - Type 134
- Neighbor Solicitation (NS) - Type 135
- Neighbor Advertisement (NA) - Type 136
- Redirect - Type 137
Neighbor Solicitation/Advertisement (NS/NA)
Address resolution example:
Host A wants to communicate with Host B (2001:db8::2)
1. Host A sends NS to solicited-node multicast:
Src: 2001:db8::1
Dst: ff02::1:ff00:2 (solicited-node for ::2)
"Who has 2001:db8::2?"
2. Host B sends NA:
Src: 2001:db8::2
Dst: 2001:db8::1
"I am 2001:db8::2, my MAC is 00:1A:2B:3C:4D:5E"
Solicited-Node Multicast
Efficient address resolution:
Target address: 2001:db8::1234:5678
Solicited-node multicast:
ff02::1:ff34:5678
└────────┘└─────┘
prefix    last 24 bits
Duplicate Address Detection (DAD)
Before using any address:
1. Host sends NS for its own address:
Src: :: (unspecified)
Dst: ff02::1:ff00:1 (solicited-node)
Target: 2001:db8::1 (tentative address)
2. If NA received → address conflict!
3. If no response → address is unique
Neighbor Unreachability Detection (NUD)
Verify neighbors are still reachable:
States:
INCOMPLETE → REACHABLE → STALE → DELAY → PROBE → UNREACHABLE
Transitions:
- REACHABLE: confirmation received within 30s
- STALE: no recent confirmation
- PROBE: sending NS to verify
7. Transition Mechanisms
Dual-Stack
Run IPv4 and IPv6 simultaneously:
┌─────────────────────────────┐
│        Applications         │
└──────────────┬──────────────┘
               │
     ┌─────────┴─────────┐
     │                   │
┌────▼───┐          ┌────▼────┐
│  IPv4  │          │  IPv6   │
│ Stack  │          │  Stack  │
└────┬───┘          └────┬────┘
     │                   │
     └─────────┬─────────┘
               │
        ┌──────▼──────┐
        │   Network   │
        └─────────────┘
Configuration example:
# Linux interface with dual-stack
ip addr show eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP>
inet 192.0.2.1/24
inet6 2001:db8::1/64
inet6 fe80::1/64 scope link
Tunneling Mechanisms
6to4 Tunnel
Automatic tunneling using IPv4 infrastructure:
IPv6 Packet
     │
     ▼
┌───────────────┐
│ IPv4 Header   │
├───────────────┤
│ IPv6 Packet   │
└───────────────┘
6to4 address format:
2002:WWXX:YYZZ::/48
     └───────┘
     IPv4 address in hex
Example:
IPv4: 192.0.2.1 → C000:0201
6to4: 2002:c000:0201::/48
Teredo Tunnel
NAT traversal for IPv6:
Structure:
┌────────┬─────────┬────────┬────────┬──────────┐
│ 2001   │ 0       │ IPv4   │ Flags  │ Obscured │
│        │         │ Server │        │ Client   │
└────────┴─────────┴────────┴────────┴──────────┘
Example:
2001:0000:4136:e378:8000:63bf:3fff:fdd2
          └───────┘ └─────────────────┘
          Server IP Client info
ISATAP
Intra-Site Automatic Tunnel Addressing Protocol:
Address format:
[prefix]:0:5efe:[IPv4 address]
Example:
2001:db8:1:2:0:5efe:192.0.2.1
                    └───────┘
                    IPv4 address
Translation Mechanisms
NAT64/DNS64
Allow IPv6-only clients to reach IPv4 servers:
IPv6 Client                             IPv4 Server
2001:db8::1                             192.0.2.1
    │                                        │
    │ 1. DNS query (AAAA)                    │
    │────────────▶DNS64                      │
    │               │                        │
    │               │ 2. No AAAA,            │
    │               │    query A             │
    │               │───────────────────────▶│
    │               │                        │
    │               │ 3. A=192.0.2.1         │
    │               │◀───────────────────────│
    │               │                        │
    │ 4. AAAA=      │                        │
    │    64:ff9b::  │                        │
    │    c000:0201  │                        │
    │◀──────────────│                        │
    │                                        │
    │ 5. Packet to                           │
    │    64:ff9b::c000:0201                  │
    │────────────▶NAT64─────────────────────▶│
    │             Translates to              │
    │             192.0.2.1                  │
Well-Known Prefix: 64:ff9b::/96
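The tunneling and translation formats above all carry an IPv4 address inside the IPv6 address. This added example (not from the original page) recovers it so that logs and IPv4 block lists can still be applied to such traffic; the function names and the block list are hypothetical, and the inputs are the page's own example addresses.

```python
import ipaddress

NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")
ISATAP_MARKER = b"\x00\x00\x5e\xfe"   # the 0:5efe groups of the ISATAP format


def embedded_ipv4(addr: str):
    """Return (mechanism, fields) for an IPv6 address, or (None, {})."""
    ip = ipaddress.IPv6Address(addr)
    raw = ip.packed
    if ip.ipv4_mapped is not None:                 # ::ffff:0:0/96
        return "ipv4-mapped", {"ipv4": ip.ipv4_mapped}
    if ip in NAT64_WKP:                            # last 32 bits are the IPv4
        return "nat64", {"ipv4": ipaddress.IPv4Address(raw[12:])}
    if ip.sixtofour is not None:                   # 2002:WWXX:YYZZ::/48
        return "6to4", {"ipv4": ip.sixtofour}
    if ip.teredo is not None:
        # The stdlib property already inverts the obscured client address;
        # the client port (bits 80-95) is obscured the same way.
        server, client = ip.teredo
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
        return "teredo", {"server": server, "ipv4": client, "port": port}
    if raw[8:12] == ISATAP_MARKER:
        return "isatap", {"ipv4": ipaddress.IPv4Address(raw[12:])}
    return None, {}


def blocked_by_ipv4_policy(addr: str, blocked_nets) -> bool:
    """True if the IPv4 address carried inside addr is in a blocked network."""
    _, fields = embedded_ipv4(addr)
    ipv4 = fields.get("ipv4")
    return ipv4 is not None and any(ipv4 in net for net in blocked_nets)


# Example addresses taken from the sections above, plus one plain address.
EXAMPLES = [
    "::ffff:192.0.2.1",
    "64:ff9b::c000:0201",
    "2002:c000:0201::1",
    "2001:0000:4136:e378:8000:63bf:3fff:fdd2",
    "2001:db8:1:2:0:5efe:192.0.2.1",
    "2001:db8::1",
]

if __name__ == "__main__":
    blocked = [ipaddress.IPv4Network("192.0.2.0/24")]  # hypothetical block list
    for example in EXAMPLES:
        kind, fields = embedded_ipv4(example)
        shown = {k: str(v) for k, v in fields.items()}
        print(f"{example}: {kind} {shown} "
              f"blocked={blocked_by_ipv4_policy(example, blocked)}")
```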
8. IPv6 Routing
OSPFv3
OSPF for IPv6:
Differences from OSPFv2:
- Runs directly over IPv6
- Link-local addresses for neighbor discovery
- Multiple instances per link
- Authentication via IPsec (not built-in)
Configuration example (Cisco):
ipv6 router ospf 1
 router-id 1.1.1.1
interface GigabitEthernet0/0
 ipv6 ospf 1 area 0
 ipv6 address 2001:db8:1::1/64
BGP for IPv6
Multi-protocol BGP (MP-BGP):
router bgp 65001
 neighbor 2001:db8::2 remote-as 65002
 address-family ipv6 unicast
  neighbor 2001:db8::2 activate
  network 2001:db8:1::/48
 exit-address-family
Route Aggregation
IPv6's large address space enables better aggregation:
ISP allocation: 2001:db8::/32
Customer subnets:
2001:db8:0001::/48
2001:db8:0002::/48
2001:db8:0003::/48
...
2001:db8:ffff::/48
Advertise only: 2001:db8::/32
Routing Table Example
# Linux routing table
ip -6 route show
2001:db8:1::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 metric 1024
9. IPv6 Security
Built-in IPsec
IPv6 was designed with IPsec in mind:
┌────────────┬─────────┬─────────┬───────────┬──────┐
│ IPv6 Hdr   │ ESP Hdr │ TCP Hdr │ Data      │ ESP  │
│            │         │         │           │ Auth │
│ Next=50    │ Next=6  │         │(Encrypted)│      │
└────────────┴─────────┴─────────┴───────────┴──────┘
Note: IPsec is optional in practice, but easier to deploy.
Privacy Extensions
Prevent tracking via stable IIDs:
# Enable privacy extensions (Linux)
sysctl net.ipv6.conf.all.use_tempaddr=2
# Temporary address
2001:db8::1234:5678:9abc:def0 (changes daily)
# Stable address (for incoming connections)
2001:db8::21a:2bff:fe3c:4d5e (EUI-64)
Firewall Considerations
Important: Don't block all ICMPv6!
Required ICMPv6 types:
- Type 1: Destination Unreachable
- Type 2: Packet Too Big (for PMTUD)
- Type 3: Time Exceeded
- Type 4: Parameter Problem
- Type 133-137: NDP messages
Example ip6tables rules:
# Allow essential ICMPv6
ip6tables -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# Allow NDP
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
Security Threats
Rogue Router Advertisements:
- Attacker sends fake RAs
- Mitigation: RA Guard
NDP Spoofing:
- Similar to ARP spoofing
- Mitigation: SEcure Neighbor Discovery (SEND)
Address Scanning:
- Large subnet makes brute-force difficult
- But predictable IIDs (EUI-64) can be targeted
- Mitigation: Use privacy extensions
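One way to check received Router Advertisements against what the network is expected to announce, as an added example rather than code from the original page. It decodes the M/O flags and Prefix Information options and reports RAs from unknown routers or with unexpected prefixes; the allow-lists, function names and sample RAs are constructed, and the hop-limit test relies on the NDP rule that valid on-link messages arrive with hop limit 255.

```python
import ipaddress
import struct

MODES = {(0, 0): "SLAAC only", (0, 1): "SLAAC + stateless DHCPv6",
         (1, 0): "Stateful DHCPv6", (1, 1): "Stateful DHCPv6"}


def parse_ra(icmp: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement (bytes start at the type field)."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = icmp[5], struct.unpack("!H", icmp[6:8])[0]
    m, o = (flags >> 7) & 1, (flags >> 6) & 1
    prefixes, pos = [], 16
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8  # length in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:               # Prefix Information
            plen = icmp[pos + 2]
            prefix = icmp[pos + 16:pos + 32]
            prefixes.append(ipaddress.IPv6Network((prefix, plen), strict=False))
        pos += opt_len
    return {"M": m, "O": o, "mode": MODES[(m, o)],
            "router_lifetime": lifetime, "prefixes": prefixes}


def check_ra(src, hop_limit, icmp, allowed_routers, allowed_prefixes):
    """Return (findings, decoded RA); an empty findings list means clean."""
    ra = parse_ra(icmp)
    source = ipaddress.IPv6Address(src)
    findings = []
    if hop_limit != 255:
        findings.append("hop limit is not 255, so the RA crossed a router")
    if not source.is_link_local:
        findings.append("source address is not link-local")
    if source not in allowed_routers:
        findings.append(f"unknown router {source}")
    for prefix in ra["prefixes"]:
        if prefix not in allowed_prefixes:
            findings.append(f"unexpected prefix {prefix}")
    return findings, ra


def build_ra(m, o, prefix, lifetime=1800):
    """Construct a sample RA for the demo (checksum left as zero)."""
    net = ipaddress.IPv6Network(prefix)
    head = struct.pack("!BBHBBHII", 134, 0, 0, 64, (m << 7) | (o << 6),
                       lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return head + pio + net.network_address.packed


if __name__ == "__main__":
    routers = {ipaddress.IPv6Address("fe80::1")}           # expected router
    prefixes = {ipaddress.IPv6Network("2001:db8:1::/64")}  # expected prefix
    observed = [  # constructed observations: (source, hop limit, RA bytes)
        ("fe80::1", 255, build_ra(0, 1, "2001:db8:1::/64")),
        ("fe80::bad", 255, build_ra(1, 0, "2001:db8:666::/64")),
    ]
    for src, hop_limit, icmp in observed:
        findings, ra = check_ra(src, hop_limit, icmp, routers, prefixes)
        print(src, ra["mode"], findings or "ok")
```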
10. Practical Configuration
Linux Configuration
Check IPv6 connectivity:
# Show IPv6 addresses
ip -6 addr show
# Show IPv6 routes
ip -6 route show
# Ping IPv6 address
ping6 2001:4860:4860::8888
# Traceroute
traceroute6 google.com
Manual address configuration:
# Add IPv6 address
sudo ip -6 addr add 2001:db8::1/64 dev eth0
# Add default route
sudo ip -6 route add default via fe80::1 dev eth0
# Enable IPv6 forwarding
sudo sysctl -w net.ipv6.conf.all.forwarding=1
Static configuration (Ubuntu/Debian):
# /etc/netplan/01-netcfg.yaml
network:
  version: 2
  ethernets:
    eth0:
      dhcp6: no
      addresses:
        - 2001:db8::1/64
      gateway6: fe80::1
      nameservers:
        addresses:
          - 2001:4860:4860::8888
          - 2001:4860:4860::8844
Enable SLAAC:
# Accept Router Advertisements
sudo sysctl -w net.ipv6.conf.eth0.accept_ra=1
# Autoconf
sudo sysctl -w net.ipv6.conf.eth0.autoconf=1
Windows Configuration
Command line:
REM Show IPv6 configuration
ipconfig
REM Show IPv6 routing table
netsh interface ipv6 show route
REM Add static IPv6 address
netsh interface ipv6 add address "Ethernet" 2001:db8::1/64
REM Add default route
netsh interface ipv6 add route ::/0 "Ethernet" fe80::1
REM Test connectivity
ping 2001:4860:4860::8888
tracert google.com
PowerShell:
# Get IPv6 configuration
Get-NetIPAddress -AddressFamily IPv6
# Add IPv6 address
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress "2001:db8::1" -PrefixLength 64
# Add default route
New-NetRoute -DestinationPrefix "::/0" -InterfaceAlias "Ethernet" -NextHop "fe80::1"
Testing Connectivity
Test dual-stack:
# IPv4 connectivity
ping google.com
# IPv6 connectivity
ping6 google.com
# Check which protocol is used
curl -v https://google.com
# Look for "Trying 2001:..." (IPv6) or "Trying 192..." (IPv4)
# Force IPv6
curl -6 https://google.com
# Force IPv4
curl -4 https://google.com
Online tests:
- https://test-ipv6.com/
- https://ipv6-test.com/
- https://www.whatismyipv6.com/
Common Issues and Troubleshooting
No IPv6 connectivity:
# 1. Check if IPv6 is enabled
cat /proc/sys/net/ipv6/conf/all/disable_ipv6
# Should be 0 (enabled)
# 2. Check for IPv6 addresses
ip -6 addr show
# Should see link-local (fe80::) and possibly global
# 3. Check for default route
ip -6 route show
# Should see default via fe80::...
# 4. Check Router Advertisements
sudo rdisc6 eth0
# Should see RA from router
# 5. Test local connectivity
ping6 fe80::1%eth0 # Ping link-local gateway
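MTU issues:
# IPv6 minimum MTU is 1280 bytes
# Check current MTU
ip link show eth0
# Test PMTUD: 1452 bytes of payload + 8 (ICMPv6) + 40 (IPv6) = a 1500-byte packet.
# -M do forbids local fragmentation, so a smaller path MTU shows up as Packet Too Big.
ping6 -M do -s 1452 2001:4860:4860::8888
11. Practice Problems
Problem 1: Address Shortening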
Shorten the following IPv6 addresses to their shortest form:
a) 2001:0db8:0000:0000:0000:0000:0000:0001
b) fe80:0000:0000:0000:0202:b3ff:fe1e:8329
c) 2001:0db8:0001:0000:0000:0000:0000:0000
d) 0000:0000:0000:0000:0000:0000:0000:0000
Solutions:
a) 2001:db8::1
b) fe80::202:b3ff:fe1e:8329
c) 2001:db8:1::
d) ::
Problem 2: EUI-64 Conversion
Given MAC address 00:50:56:A1:B2:C3, calculate:
- The EUI-64 interface identifier
- Complete link-local address
- Complete global address with prefix 2001:db8:1::/64
Solution:
MAC: 00:50:56:A1:B2:C3
1. Split: 005056 | A1B2C3
2. Insert FFFE: 005056FFFE | A1B2C3
3. Flip 7th bit: 025056FFFE | A1B2C3
IID: 0250:56ff:fea1:b2c3
Link-local: fe80::250:56ff:fea1:b2c3
Global: 2001:db8:1::250:56ff:fea1:b2c3
Problem 3: Subnetting
You are allocated 2001:db8:abcd::/48. Design a subnetting scheme for:
- 4 regional offices (need 256 subnets each)
- Each subnet should support /64 for end-users
Solution:
/48 prefix: 2001:db8:abcd::/48
Use bits 49-52 for regions (4 bits = 16 regions):
Region 0: 2001:db8:abcd:0000::/52
Region 1: 2001:db8:abcd:1000::/52
Region 2: 2001:db8:abcd:2000::/52
Region 3: 2001:db8:abcd:3000::/52
Each /52 contains 4096 /64 subnets (2^12).
Region 0 examples:
2001:db8:abcd:0000::/64
2001:db8:abcd:0001::/64
2001:db8:abcd:0002::/64
...
2001:db8:abcd:0fff::/64
Problem 4: NDP Analysis
Explain the sequence of NDP messages when:
1. A host boots up and gets IPv6 connectivity
2. Host A wants to send a packet to Host B on the same link
Solution:
1. Host boot sequence:
a. Generate link-local address (fe80::IID)
b. DAD: Send NS for own address
c. If no NA, address is valid
d. Send RS to ff02::2
e. Receive RA with prefix, M/O flags
f. Generate global address (prefix + IID)
g. DAD for global address
h. Optional: DHCPv6 if M=1 or O=1
2. Host A → Host B communication:
a. Check neighbor cache for B's MAC
b. If not found, send NS to B's solicited-node multicast
c. Receive NA from B with MAC address
d. Cache entry created (REACHABLE state)
e. Send packet to B
Problem 5: Transition Mechanism Selection
For each scenario, recommend the best IPv6 transition mechanism:
a) Enterprise with dual-stack routers, need to connect IPv6 islands over IPv4 backbone
b) Home user behind NAT with IPv6-only services
c) ISP wants to serve IPv6-only customers accessing IPv4 content
d) Small office with ISP providing IPv4 only, wants IPv6
Solutions:
a) 6to4 or manual tunnels (GRE/IPsec)
- Controlled environment, static config acceptable
b) Teredo
- NAT traversal required
- Automatic, no config needed
c) NAT64/DNS64
- Translates IPv6 requests to IPv4
- ISP-level deployment
d) 6to4 or Tunnel Broker (Hurricane Electric)
- Automatic or semi-automatic
- Works over any IPv4 connection
Problem 6: Security Configuration
Write ip6tables rules to:
- Allow established connections
- Allow essential ICMPv6
- Allow SSH from specific prefix
- Drop all other incoming traffic
Solution:
#!/bin/bash
# Flush existing rules
ip6tables -F
# Default policy
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# Allow loopback
ip6tables -A INPUT -i lo -j ACCEPT
# Allow established/related
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow essential ICMPv6
ip6tables -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# Allow NDP
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
# Allow SSH from 2001:db8::/32
ip6tables -A INPUT -p tcp --dport 22 -s 2001:db8::/32 -j ACCEPT
# Log dropped packets (optional)
ip6tables -A INPUT -j LOG --log-prefix "IPv6-DROP: "
# Drop everything else (already default policy)
Summary
IPv6 is the future of Internet addressing:
Key takeaways:
1. 128-bit addresses provide virtually unlimited address space
2. Simplified header improves routing efficiency
3. Autoconfiguration (SLAAC) reduces configuration overhead
4. NDP replaces ARP with improved functionality
5. Transition mechanisms enable gradual migration
6. Built-in security with IPsec support
7. No NAT required restores end-to-end connectivity
Migration strategy:
- Start with dual-stack
- Ensure all services are IPv6-capable
- Use transition mechanisms as needed
- Monitor IPv6 traffic growth
- Eventually phase out IPv4
IPv6 adoption is growing, and understanding it is essential for modern network engineering.
Difficulty: ⭐⭐⭐
Further Reading:
- RFC 8200: IPv6 Specification
- RFC 4862: IPv6 Stateless Address Autoconfiguration
- RFC 4861: Neighbor Discovery for IPv6
- RFC 7084: Basic Requirements for IPv6 Customer Edge Routers