Linux Format

Protocols: Next-gen IPv6

Apparently, the internet is full. But, as John Lane explains, there’s a bigger, better one waiting in the wings, biding its time for world domination...

- John Lane prepares for impending doom by crafting IPv6 addresses from dead beef.


The Internet Protocol, or just IP, is the internetworking protocol (it connects distinct networks together) that enables the internet as we know it to exist. Version four, now referred to as IPv4, is what the internet mostly uses today. It uses 32-bit addresses, and the pool of unassigned addresses has effectively run dry. Version six of the protocol, IPv6, addresses this with a much larger 128-bit address space. First specified back in 1995, IPv6 adoption has been slow, but it is finally gaining traction.

In this tutorial we'll explore IPv6 to explain how it works and show how you can start using it. However, you may already be using it without knowing. You can check from a command prompt:
$ ip address | grep inet6

Depending on your system's configuration, this may list several addresses along with their properties. At a minimum, an IPv6-capable system should display its IPv6 loopback address, as follows:
inet6 ::1/128 scope host

The cryptic ::1/128 is the IPv6 equivalent of the IPv4 127.0.0.1 address, and scope host means that it's only valid on that host. You may see other addresses listed:
inet6 fd3e:b508:4549:20::7ac/128 scope global noprefixroute
inet6 2001:470:1d9a:20::7ac/128 scope global noprefixroute
inet6 fd3e:b508:4549:20:1d86:73ff:fef1:ece8/64 scope global temporary dynamic
inet6 fd3e:b508:4549:20:6215:f893:f1e3:eaa8/64 scope global mngtmpaddr noprefixroute
inet6 2001:470:1d9a:20:1d86:73ff:fef1:ece8/64 scope global temporary dynamic
inet6 2001:470:1d9a:20:e8ea:b858:e524:c3e6/64 scope global mngtmpaddr noprefixroute
inet6 fe80::b1e9:b49f:5258:75e8/64 scope link

IPv6 addresses appear quite confusing at first, but there is some sense to them. Representing these 128-bit addresses, numbers between 0 and 2^128 (340,282,366,920,938,463,463,374,607,431,768,211,456), using a dotted-decimal notation like IPv4 would be awkward. So IPv6 addresses are instead written as eight groups of 16 bits, separated by colons (:), with each group presented as a four-digit hexadecimal number, i.e. ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.

However, this can still be difficult to read, and so for extra clarity a canonical IPv6 address notation (RFC 5952, section 4) is used. It mandates lower-case letters and requires the leading zeroes of each 16-bit group (four hex digits) to be dropped, and a run of consecutive all-zero groups to be replaced with a single empty group written as a pair of colons (::). Only one such replacement may be made, and it must apply to the longest run of zero groups (or the first, if several runs are of equal length). A single zero group must be written as :0: rather than ::, so 2001:db8:0:1:1:1:1:1 stays as it is while 2001:db8:0:0:1:0:0:1 becomes 2001:db8::1:0:0:1.

The other address you should always see on an IPv6-capable host is the Link-Local Address: the one beginning with fe80. It's similar in concept to an IPv4 Automatic Private IP Address (APIPA), those beginning with 169.254, which network interfaces self-assign when they're unable to get an address from a DHCP server. The difference is that in IPv6 the link-local address is not a fallback: every interface always has one, whatever else it is given.

The IPv6 link-local address provides sufficient network connectivity for a host to communicate with a router to obtain its IPv6 configuration parameters. The link-local address is required because IPv6 configuration is carried over IPv6 itself (the Neighbour Discovery messages are ICMPv6 packets), whereas IPv4 relies on a lower-level protocol such as ARP that runs directly over the link layer. A valid IPv6 address is therefore needed before any further configuration can be done.

Link-local addresses also allow for basic zero-config networks: you may access any host on the same network segment using its link-local address:
$ ssh root@fe80::dc47:6eff:fe8f:a99%enp4s0

Because link-local addresses are only meaningful on one link, the local link must be stated explicitly when the local host has multiple links (network interfaces); the same fe80:: address could legitimately exist on a host attached to each of them. The % delimiter achieves this and is followed by the interface name, such as the example's enp4s0. The suffix is called a Zone ID (or scope ID) and is only relevant to the local host; it never appears in a packet on the wire.

It’s all about the prefix…

The fe80 is an example of a prefix. Like IPv4, there are different kinds of address in IPv6 and you can tell them apart by their prefixes:
2000::/3 Global Unicast
fd00::/8 Unique Local
fe80::/10 Link Local
ff00::/8 Multicast

The Internet Assigned Numbers Authority (IANA, the organisation responsible for global coordination of the Internet Protocol addressing systems) assigns these IPv6 prefixes, which are specified using Classless Inter-Domain Routing (CIDR) notation to show how much of the address is fixed. This notation suffixes an address with a number so that, say, a /3 indicates that only the first three bits are significant and everything after them is free. CIDR is used everywhere in IPv6, so it's worth taking a little time to understand it.

The main prefixes you need to understand are the link-local just described, global unicast and unique local addresses:

A Global Unicast Address (GUA) is a public unicast IPv6 address, similar to what IPv4 calls a public address. Because the block is 2000::/3, the first hex digit is always 2 or 3; in practice every range allocated so far begins with 2 (2001:, 2a00: and so on). If your ISP assigns you an IPv6 address then it will look like this.

The Unique Local Address (or ULA) is broadly similar in nature to the IPv4 private addresses 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. They are intended for use within a private network so, like IPv4 private addresses, are not routed across the internet. You can recognise these kinds of addresses because they begin with fd. (Strictly, fc00::/7 is reserved for ULAs, but only the fd00::/8 half, the "locally assigned" variety, is defined for use; fc00::/8 is held back.)

…and other parts

All IPv6 addresses have a similar structure. Like its predecessor, IPv6 addresses contain network and host parts. In IPv6 the first (most significant) 64 bits are called the Network Prefix and the remaining 64 bits are the host part, which IPv6 calls the Interface Identifier (or IID, sometimes referred to as a token). The network prefix is the fixed part of the address common to all hosts on the same network, and this combines with the interface identifier to provide each host with a unique address.

The network prefix is further sub-divided into two parts: a Routing Prefix and a Subnet ID. Hosts may receive a whole IPv6 address, a network prefix, or just a routing prefix. CIDR notation is also used to show how much of the address is assigned. The examples previously illustrated mostly show a /64 prefix, reflecting a complete 64-bit network prefix. The others have a /128 prefix length, which indicates that the network provided the entire 128-bit address, both network prefix and IID. Those were, in fact, assigned by a DHCPv6 server.

Where only a routing prefix is allocated (the CIDR prefix length is less than 64 bits), the recipient may use the remaining portion of the 64-bit network prefix to create subnetworks. ISPs assign such prefixes to customers, typically /48 to /56, leaving 16 to 8 bits respectively for customers to define subnetworks. A customer's router may use some or all of this subnet bit capacity, leaving what remains to be allocated by downstream routers or hosts (say, to virtual machines). In all cases, however, the IID will always occupy the last 64 bits (you can't steal from this to create subnets!).

As an example, your ISP might give you 2001:db8:beef::/48. Your router might then delegate a block such as 2001:db8:beef:10::/60 to a downstream router using DHCPv6 prefix delegation, and that router could carve it into sixteen /64 subnets (2001:db8:beef:10::/64 to 2001:db8:beef:1f::/64) for its own clients. All hosts will have a 64-bit IID.

IPv6 prefixes are a similar concept to the subnet masks of IPv4 but, in contrast to IPv4 allocations being blocks of hosts, IPv6 allocations are blocks of subnets and every subnet may contain 2^64 IIDs. So, unlike IPv4, the prefix length doesn't affect the number of available interface identifiers. Take a moment to get your head around that, because it's a source of confusion for many who are new to IPv6!

You can think of the CIDR notation defining the fixed part of the address that’s provided to a host by the network. What the host isn’t given, it must define for itself and there are several approaches a host may take.
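The notation rules and the prefix arithmetic above are easy to get wrong by hand, so here is an added example (not from the article) that works them through with Python's standard ipaddress module: RFC 5952 canonical form, classifying an address by the prefix table given earlier, counting and enumerating the /64 subnets inside a delegated block, and combining a /64 with a token. The addresses are the article's own plus the 2001:db8::/32 documentation range; the function names are this example's.

```python
"""Added example: IPv6 notation and prefix arithmetic (standard library only).

Addresses are taken from the article and from the 2001:db8::/32 documentation
range. A zone ID ('%enp4s0') is split off by hand so the code also runs on
Python releases whose ipaddress module does not accept one.
"""
import ipaddress


def canonical(text):
    """RFC 5952 text form: lower case, leading zeros dropped, the longest run of
    zero groups (first one wins a tie) collapsed to '::', a lone zero group kept
    as ':0:'. ipaddress applies exactly these rules; any zone ID is preserved."""
    addr, _, zone = text.partition("%")
    out = str(ipaddress.IPv6Address(addr))
    return out + ("%" + zone if zone else "")


# The article's prefix table plus loopback, most specific first.
KINDS = [
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("unique-local", ipaddress.IPv6Network("fd00::/8")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("global-unicast", ipaddress.IPv6Network("2000::/3")),
]


def kind(text):
    """Classify an address by the prefix it falls under ('other' if none)."""
    addr = ipaddress.IPv6Address(text.partition("%")[0])  # zone ID is local only
    for name, net in KINDS:
        if addr in net:
            return name
    return "other"


def subnet_count(prefix, new_prefix_len=64):
    """How many networks of new_prefix_len fit in prefix (a /48 holds 65536 /64s).
    Refuses to go past /64 because the low 64 bits are always the IID."""
    net = ipaddress.IPv6Network(prefix)
    if not net.prefixlen <= new_prefix_len <= 64:
        raise ValueError("subnets must lie between the prefix length and /64")
    return 2 ** (new_prefix_len - net.prefixlen)


def delegate(prefix, new_prefix_len):
    """List the networks of new_prefix_len carved from prefix, as text."""
    net = ipaddress.IPv6Network(prefix)
    if not net.prefixlen <= new_prefix_len <= 64:
        raise ValueError("subnets must lie between the prefix length and /64")
    return [str(s) for s in net.subnets(new_prefix=new_prefix_len)]


def host_address(network, token):
    """Combine a /64 network prefix with a 64-bit IID written like '::dead:beef'
    (the same form `ip token set` takes)."""
    net = ipaddress.IPv6Network(network)
    if net.prefixlen != 64:
        raise ValueError("hosts live in /64 networks")
    iid = int(ipaddress.IPv6Address(token))
    if iid >> 64:
        raise ValueError("token must fit in the low 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


if __name__ == "__main__":
    print(canonical("2001:0DB8:0000:0000:0001:0000:0000:0001"))
    print(kind("2001:470:1d9a:20::7ac"), kind("fd3e:b508:4549:20::7ac"))
    print(subnet_count("2001:db8:beef::/48"), "/64 subnets in the ISP's /48")
    print(delegate("2001:db8:beef:10::/60", 64))
    print(host_address("2001:db8:1d9a::/64", "::dead:beef"))
```

Note that the classification is by prefix only: 3fff::1 is reported as global unicast even though nothing in that part of 2000::/3 has been handed out, and fc00::1 is "other" because only fd00::/8 is defined for ULAs.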

Uniquely local; globally unique

As explained previously, the link-local address is a prerequisite for IPv6 configuration. It enables hosts to self-configure if their local network router sends IPv6 Router Advertisements. Having a host self-configure is called Stateless Address Autoconfiguration, or SLAAC, and is an alternative to the DHCPv6 method of address assignment. Whether an interface ends up using SLAAC or DHCPv6 is signalled by the router: the A (autonomous) flag on an advertised prefix permits SLAAC, while the M (managed) and O (other configuration) flags tell hosts to use DHCPv6 for addresses or just for extra parameters such as DNS. The host's own settings (accept_ra and whether a DHCPv6 client is running) decide whether it honours them.

Router advertisement messages contain the local and global network prefixes and routes offered by the router. Should you wish to view the content of these messages, you can perform a router solicitation using the rdisc6 tool (you may need to install your distro's ndisc6 package):
$ rdisc6 -v enp4s0

Global prefixes and routes will be based on what the router obtains from your ISP, but the network prefix for unique local addresses, the ULA Prefix, must be configured locally. It is, by definition, a 48-bit prefix – the octet fd followed by 40 randomly generated bits which we call a Global ID.

The ULA specification (RFC 4193) states that the Global ID must be pseudo-random, not assigned sequentially or a well-known number. It describes an algorithm to derive one from the SHA-1 hash of the current time (in 64-bit NTP format) and the system's EUI-64 (built from its MAC address), keeping the least significant 40 bits of the digest, but any suitable source of randomness may be used, including your shell:
$ head -c5 /dev/random | xxd -p
9e40364a74

You should set your network's ULA Prefix on your router so that it can include it in router advertisements. It may also use it for DHCPv6. As an example, the open-source LEDE (see LXF234) router contains a setting in its network configuration:
option ula_prefix 'fd9e:4036:4a74::/48'

The random Global ID helps ensure a high probability of global uniqueness. This is required because a fundamental principle of IPv6 is that 128-bit addresses are large enough to be considered globally unique (with high probability), and ULAs, unlike IPv4 private addresses, are treated as globally unique. This randomness makes it possible for sites to be merged with almost zero possibility of their private address spaces overlapping.

It might appear attractive to use a memorable ULA Prefix such as fd00::/48, and it will work fine, right up to the point at which your network needs to be joined (by a VPN, a merger or an acquisition) to another network whose administrator had the same bright idea. The random aspect makes such clashes improbable. Avoid others' poor decisions: be random!

The prefixes advertised by the router may, depending on its configuration, include a subnet and appear longer than configured. Typically hosts will receive a 64-bit prefix to which they'll append an interface ID, as we describe next.

Information about your interface

The standard way to provide an interface ID is to create an Extended Unique Identifier in what’s called a Modified EUI-64 format. This 64-bit identifier is derived from the interface’s MAC address. The box on the previous page explains this.
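The two derivations just described, the Modified EUI-64 interface identifier and the RFC 4193 Global ID that is hashed from it, fit together in one short program. This is an added example, not the article's code: the MAC address and timestamp are made-up inputs, and the function names are this example's. The EUI-64 construction is the one RFC 4291 Appendix A specifies: insert ff:fe between the two halves of the MAC and invert the universal/local bit (bit 6 of the first octet).

```python
"""Added example: Modified EUI-64 IIDs and RFC 4193 ULA prefixes.

Standard library only. MAC addresses and the fixed NTP timestamp used in the
demonstration are made up.
"""
import hashlib
import ipaddress
import os
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def modified_eui64(mac):
    """64-bit Modified EUI-64 IID from a 48-bit MAC: OUI, ff:fe, device part,
    with the universal/local bit of the first octet flipped."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def iid_text(iid):
    """Render an 8-byte IID as the low half of an address, e.g. '::20c:29ff:fe0c:47d5'."""
    return str(ipaddress.IPv6Address(b"\x00" * 8 + iid))


def ntp_now():
    """Current time in the 64-bit NTP format RFC 4193 feeds into the hash."""
    now = time.time() + NTP_EPOCH_OFFSET
    secs = int(now)
    frac = int((now - secs) * (1 << 32)) & 0xFFFFFFFF
    return (secs << 32) | frac


def ula_global_id(eui64, ntp_time64=None):
    """RFC 4193 section 3.2.2: SHA-1 over (NTP time || EUI-64), low 40 bits."""
    if ntp_time64 is None:
        ntp_time64 = ntp_now()
    digest = hashlib.sha1(struct.pack(">Q", ntp_time64) + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def random_global_id():
    """The shortcut the article takes: 40 bits straight from the OS's RNG."""
    return int.from_bytes(os.urandom(5), "big")


def ula_prefix(global_id):
    """fd + 40-bit Global ID as a /48 network, e.g. fd9e:4036:4a74::/48."""
    if global_id >> 40:
        raise ValueError("Global ID must fit in 40 bits")
    top48 = (0xFD << 40) | global_id
    return str(ipaddress.IPv6Network((top48 << 80, 48)))


if __name__ == "__main__":
    eui = modified_eui64("00:1b:21:8f:0a:99")        # made-up MAC
    print("IID:", iid_text(eui))
    print("RFC 4193 prefix:", ula_prefix(ula_global_id(eui)))
    print("urandom prefix: ", ula_prefix(random_global_id()))
    print("article's value:", ula_prefix(0x9E40364A74))
```

Either prefix is acceptable: the hash procedure exists so that a box without a good random source still gets an unpredictable Global ID, and once the prefix is chosen and written into the router's configuration its origin no longer matters.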

The extended unique identifier contains the host's MAC address, which follows the machine from network to network, and this may concern you if you care about privacy: the same IID appears in every address the host configures, so it can be tracked across networks regardless of prefix. To mitigate this, IPv6 has Privacy Extensions (RFC 4941) that create short-lived temporary addresses with random IIDs. These are used in preference to the main address, the one that may include the MAC, for outgoing connections. You can check whether an interface has privacy extensions enabled:
$ cat /proc/sys/net/ipv6/conf/enp4s0/use_tempaddr
2
or alternatively:
$ sysctl net.ipv6.conf.enp4s0.use_tempaddr
net.ipv6.conf.enp4s0.use_tempaddr = 2

The value 2 means that privacy extensions are enabled and that temporary addresses will be preferred as the source for outgoing connections; 1 generates them but still prefers the public address; 0 disables them. You can set this (as root) by:
$ echo 2 > /proc/sys/net/ipv6/conf/enp4s0/use_tempaddr
or as follows:
$ sysctl -w net.ipv6.conf.enp4s0.use_tempaddr=2
net.ipv6.conf.enp4s0.use_tempaddr = 2

This method doesn't survive a reboot; persistent settings belong in /etc/sysctl.conf or a file under /etc/sysctl.d/. Be aware that NetworkManager and systemd-networkd apply their own per-connection privacy setting (ipv6.ip6-privacy and IPv6PrivacyExtensions= respectively) to the interfaces they manage, which overrides the sysctl, so set it there too on such systems.

Listing addresses with ip address show shows temporary addresses with a temporary flag.
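Looking at the flags is one check; the other is to look at the interface identifiers themselves, because an IID built from a MAC has the tell-tale ff:fe in its middle. The added example below (not from the article) parses ip -6 address show output and reports, for each address, whether it is temporary and whether its IID embeds a MAC, recovering the MAC by reversing the Modified EUI-64 construction. The SAMPLE text is constructed in the format ip prints; it is not output captured from the article's host.

```python
"""Added example: audit the addresses on an interface for MAC-derived IIDs.

Standard library only. SAMPLE is constructed `ip -6 address show` output
with made-up addresses; the MAC it reveals is likewise made up.
"""
import ipaddress
import re

SAMPLE = """\
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1d9a:20:21b:21ff:fe8f:a99/64 scope global dynamic mngtmpaddr
       valid_lft 86391sec preferred_lft 14391sec
    inet6 2001:db8:1d9a:20:6c3a:9d0e:44b1:7f22/64 scope global temporary dynamic
       valid_lft 86391sec preferred_lft 14391sec
    inet6 fe80::21b:21ff:fe8f:a99/64 scope link
       valid_lft forever preferred_lft forever
"""

# One 'inet6 ADDR/LEN scope SCOPE flags...' line.
LINE = re.compile(r"^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\w+)(.*)$", re.M)


def embedded_mac(addr):
    """Return the MAC a Modified EUI-64 IID was built from, or None.

    Reverse of the construction: take the low 64 bits, require ff:fe at
    bytes 3-4, drop them and flip the universal/local bit back. A random IID
    matches by chance once in 65536 times, so treat a hit as a strong hint.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def audit(text):
    """Parse `ip -6 address show` output into one record per address."""
    records = []
    for match in LINE.finditer(text):
        addr, plen, scope, flags = match.groups()
        flagset = set(flags.split())
        records.append({
            "address": addr,
            "prefixlen": int(plen),
            "scope": scope,
            "temporary": "temporary" in flagset,
            "mac": embedded_mac(addr),
        })
    return records


def leaks_mac(text):
    """Globally scoped addresses whose IID reveals the MAC to remote peers."""
    return [r["address"] for r in audit(text) if r["scope"] == "global" and r["mac"]]


if __name__ == "__main__":
    for rec in audit(SAMPLE):
        print(rec)
    print("reveal MAC to the internet:", leaks_mac(SAMPLE))
```

With use_tempaddr=2 the MAC-derived global address is still present (it is the stable one other hosts can connect to) but outgoing connections use the temporary one; the link-local address embeds the MAC too, but that never leaves the local segment.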

There may be times when you want to set a specific interface identifier, perhaps on a server. You can do so while still using the network prefix obtained by SLAAC. On this occasion the identifier is referred to as a token:
$ ip token set ::dead:beef dev enp4s0

The customised address should take effect as soon as the next router advertisement arrives; you can use ip address show dev enp4s0 to confirm. Alternatively, you're free to assign static addresses, but you'll need to know the network prefix:
$ ip address add 2001:db8:1d9a::dead:beef/64 dev enp4s0
Give the prefix length: if you leave it off, ip assumes /128, and the host will then treat the rest of its own subnet as off-link and send everything via the router.

It's typical for IPv6 interfaces to have multiple addresses. It's entirely reasonable for an interface to have a static address as well as those obtained using SLAAC and/or DHCPv6. To see which source address will be used to reach a given destination, ask the kernel:
$ ip route get 2001:db8::ace:cafe
2001:db8::ace:cafe from :: dev br0 proto kernel src 2001:db8::dead:beef metric 256 pref medium
This illustrates a host that would connect to 2001:db8::ace:cafe from its 2001:db8::dead:beef address. The final, but important, part of address assignment is Duplicate Address Detection (DAD). Before an address is put into use, the host sends a Neighbour Solicitation for it and only keeps the address if no other host answers. While that check is pending the address is shown by ip with the tentative flag; if it fails, the address is marked dadfailed and never used.

IPv6, like IPv4, also supports multicast addressing, but it has no broadcast at all; the all-nodes link-local multicast group ff02::1 (which routers use for advertisements) fills that role where one is needed, though applications are expected to use more specific groups instead. IPv6 has a new kind of addressing called Anycast that delivers to one out of a group of nodes based on which is cheapest to reach: nearest, less congested, and so on. Anycast addresses are syntactically identical to, and indistinguishable from, unicast addresses. Their only difference is administrative.

Getting IPv6

You can use IPv6 internally on your LAN, but its real purpose is to enable the internet to grow. But if your ISP doesn't support IPv6 then you can't, and it's a sad fact that many (at least in the UK) still don't. (4G mobile networks do – Ed)

But don't worry, all is not lost. You can use a Tunnel Broker to get IPv6 over your IPv4 connection, a popular one being tunnelbroker.net from Hurricane Electric. It's free to use and easy to set up, and full instructions are provided on the web site. Bear in mind that such a 6in4 tunnel simply wraps your IPv6 packets in plain IPv4 (IP protocol 41) with no encryption, so it gives you no more privacy than your ISP connection does, and your router must accept protocol 41 from the broker's endpoint.

Something to consider before connecting IPv6 externally is that every internal host gets a public address: there is no NAT in the way, so anything listening on a host is reachable from the whole internet unless a firewall blocks it. Make sure your router's IPv6 firewall drops unsolicited inbound traffic by default before you bring the tunnel up, and check each host with its own firewall too. Conversely, making an IPv6 host accessible from outside is just a matter of opening a port on the firewall; there's no port forwarding to configure. Don't block ICMPv6 wholesale while you're at it: Neighbour Discovery, Router Advertisements and Path MTU Discovery all depend on it, and because IPv6 routers never fragment packets, dropping Packet Too Big messages breaks connections in ways that are hard to diagnose.

Once you have connectivity, there are several test facilities, including www.ipv6-test.com, www.test-ipv6.com and www.ip.bieringer.de, to help you check everything works as it should. We'll see you on the other side…

Router advertisements include, in addition to the network prefix, parameters including DNS and routing information.

A tunnel will get you onto the IPv6 internet when your ISP can't.

Test sites such as www.ipv6-test.com are a useful way to validate your IPv6 connectivity, along with other aspects such as the speed of your connection.
