
In the previous installment of our series of IPv6 posts, we covered some of the ways ICMP has changed in IPv6 compared to IPv4. In this post, we’ll talk about how addressing has changed in IPv6 compared to IPv4.

While IPv4 addresses are 32 bits long, the IPv6 address space has been extended to 128 bits, which will make it virtually impossible to remember the numeric address of a given host. This will definitely lead to more reliance on DNS: it will be difficult to operate even very simple test networks without relying on DNS to resolve host names to IPv6 addresses. Because of this, more attacks will be targeted against your DNS servers, and making sure your DNS configuration and servers are secure will be even more important in IPv6. DNS will also be targeted by attackers attempting to locate systems on the network by resolving “common host names,” since scanning a remote IPv6 network is essentially impossible due to the size of the IPv6 address space.

Visual Representation

Even though it will be difficult to use the actual IPv6 addresses in normal day-to-day operations because of their size, it is important to understand the conventions for how an address can be displayed and entered. Unlike IPv4, which uses a dotted-decimal notation (such as 172.21.1.20), IPv6 uses a colon-separated notation. The full IPv6 address consists of eight 16-bit fields, similar to the following:

2001:0DB8:0000:CD30:0000:0000:0123:4567

To simplify things, leading zeros in a field are optional so the above address can be written as:

2001:DB8:0:CD30:0:0:123:4567

Finally, you can also compress one or more consecutive groups of all-zero fields using the “::” symbol. To avoid ambiguity, zero compression can only happen once in an address. Applying this rule, our address becomes:

2001:DB8:0:CD30::123:4567
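The three notation rules above (eight 16-bit fields, optional leading zeros, a single “::”) are small enough to implement and check by hand. The following is an added example, not code from the Cisco post: it expands any textual IPv6 address back to its full form, produces the compressed form, rejects the ambiguous double “::” case, and cross-checks the result against Python's standard `ipaddress` module. It emits lowercase hex (the RFC 5952 canonical form), so the post's uppercase example comes back as `2001:db8:0:cd30::123:4567`; the addresses used below are the post's own plus a few constructed ones.

```python
import ipaddress

HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(text: str) -> str:
    """Restore the full eight-field form (leading zeros included) of a textual IPv6 address.

    Enforces the rules from the post: a field holds 1-4 hex digits and "::" may occur only once.
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once, otherwise the address is ambiguous")
    if "::" in text:
        head, tail = text.split("::")
        head_fields = head.split(":") if head else []
        tail_fields = tail.split(":") if tail else []
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:
            raise ValueError("'::' must stand for at least one 16-bit field of zeros")
        fields = head_fields + ["0"] * missing + tail_fields
    else:
        fields = text.split(":")
    if len(fields) != 8:
        raise ValueError("an IPv6 address has exactly eight 16-bit fields")
    for f in fields:
        if not 1 <= len(f) <= 4 or not set(f) <= HEX:
            raise ValueError(f"bad field {f!r}")
    return ":".join(f"{int(f, 16):04x}" for f in fields)


def compress_ipv6(text: str) -> str:
    """Canonical short form (RFC 5952): drop leading zeros, then replace the first longest
    run of two or more all-zero fields with '::'."""
    fields = [f"{int(f, 16):x}" for f in expand_ipv6(text).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and fields[j] == "0":
            j += 1
        if j - i > best_len:          # strictly greater: ties go to the earlier run
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                  # a single zero field is written as "0", never "::"
        return ":".join(fields)
    head = ":".join(fields[:best_start])
    tail = ":".join(fields[best_start + best_len:])
    return f"{head}::{tail}"


def is_valid_ipv6_text(text: str) -> bool:
    """True when the text obeys the notation rules (used to reject e.g. '1::2::3')."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def agrees_with_stdlib(text: str) -> bool:
    """Cross-check our compressed form against the standard library's canonical form."""
    return compress_ipv6(text) == ipaddress.IPv6Address(text).compressed


if __name__ == "__main__":
    # The post's example plus two constructed addresses.
    for addr in ["2001:0DB8:0000:CD30:0000:0000:0123:4567", "0:0:0:0:0:0:0:1", "2001:db8:0:0:1:0:0:1"]:
        print(f"{addr:40} -> {expand_ipv6(addr)} -> {compress_ipv6(addr)}")
```

The parser deliberately does not accept the embedded-IPv4 forms (such as `::ffff:192.0.2.1`); the standard library does, which is the usual reason to normalize addresses through `ipaddress` before comparing them in filters or log searches.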

Address Structure

The IPv6 address can be split into two 64-bit pieces. The first 64-bit segment represents the Global Routing Prefix (also known as the Network Prefix). The Global Routing Prefix is the portion of the address that determines the destination network to which the packet will be routed. Logically it is subdivided into various components that allow IPv6 addresses to be aggregated more effectively, thus reducing the size of routing tables. The typical components of the Network Prefix include:

The second half of the IPv6 address is the Interface Identifier. Per RFC 4291 (IP Version 6 Addressing Architecture), the Interface Identifier is built by dividing the 48-bit MAC address of the interface into two pieces and inserting “FFFE” between them (24 bits of MAC + FFFE + 24 bits of MAC). This is known as an EUI-64 address. The universal/local flag (the 7th bit of the first octet of the MAC address) is also toggled to produce a “modified” EUI-64 address. Let’s look at an example to clarify this. Suppose that the Network Prefix for your network is 2001:DB8:1:2::/64 and the MAC address of the interface is 02:03:e8:00:65:10; the modified EUI-64 IPv6 address would then be:

2001:0DB8:0001:0002:0003:E8FF:FE00:6510

Notice how the first half of the MAC address changes from 02:03:e8 to 00:03:e8 because of the change in the universal/local bit. EUI-64 addresses provide a very simple formula, but they create information leakage and privacy concerns. In IPv4, when you connect your computer at different locations (such as work, home, or a Wi-Fi hotspot), you receive a different IPv4 address at each location. Since each location provides a different IPv4 address, it is difficult for someone to determine that traffic from all of the different addresses comes from the same system/user. With IPv6, you technically also receive a different IPv6 address at each location. With IPv6, however, only the Network Prefix is changing; the Interface Identifier portion of the address stays the same. Therefore, by simply looking at the IPv6 address, you can easily see that the traffic from multiple locations is actually the same system (and probably the same user). To overcome this, RFC 4941 outlined a mechanism to generate a random value for the Interface Identifier that changes over time, making it difficult to identify traffic from multiple locations as coming from the same system. Many systems, such as Windows 7 and Windows 2008, have this privacy protection enabled by default. While this solves the privacy issue to a large degree, it introduces other issues, such as the continually changing link-local address. An attacker could potentially even use the changing Interface Identifier to bypass detection by Intrusion Detection Systems, making multiple actions appear to come from different IPv6 addresses.
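The construction and its privacy consequence can both be shown in a few lines. The code below is an added example, not part of the Cisco post: `mac_to_modified_eui64` performs the split, the FF:FE insertion and the universal/local bit flip (bit value 0x02 of the first octet, the bit the post counts as the 7th), `eui64_address` joins the identifier to a /64 prefix, and `embedded_mac` does the reverse for an auditor who wants to know which addresses in a log leak a hardware address, with `same_host_across_prefixes` showing how identical identifiers tie addresses seen behind different networks to one machine. The prefix and MAC are the post's own; the second prefix and the `00-1b-63-aa-bb-cc` MAC are constructed.

```python
import ipaddress

# Universal/local bit: bit value 0x02 of the first MAC octet. IEEE reads 0 as universal;
# modified EUI-64 inverts it so that 1 means universal and 0 means locally assigned (RFC 4291).
UL_BIT = 0x02


def mac_to_modified_eui64(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface identifier from a 48-bit MAC:
    first 24 bits of the MAC, then FF:FE, then the last 24 bits, with the u/l bit inverted."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # This inversion is why the post's 02:03:e8... shows up as 00:03:e8... in the address.
    return bytes([octets[0] ^ UL_BIT]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 network prefix with the modified EUI-64 identifier derived from a MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 identifiers only fit a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(addr: str):
    """Return the MAC a modified EUI-64 address embeds, or None when the FF:FE marker is absent.

    This is the audit view of the privacy problem: the identifier reveals the hardware address and
    reappears unchanged behind every prefix the host visits. The marker is a heuristic only; a
    random (RFC 4941) identifier can contain ff:fe by chance, so treat a hit as a lead, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ UL_BIT]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def same_host_across_prefixes(addrs) -> bool:
    """True when every address carries the same embedded MAC, i.e. one host seen behind several networks."""
    macs = {embedded_mac(a) for a in addrs}
    return len(macs) == 1 and None not in macs


if __name__ == "__main__":
    print(eui64_address("2001:DB8:1:2::/64", "02:03:e8:00:65:10"))
    # Constructed sample: the post's host seen at two sites with different prefixes.
    sightings = ["2001:db8:1:2:3:e8ff:fe00:6510", "2001:db8:ffff:1:3:e8ff:fe00:6510"]
    print([embedded_mac(a) for a in sightings], same_host_across_prefixes(sightings))
```

Running `embedded_mac` over the source addresses in a flow log is a quick way to measure how many of your hosts still use EUI-64 identifiers instead of the RFC 4941 temporary addresses the post recommends.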

Address Types

IPv6 utilizes Unicast, Multicast, and Anycast addresses, but unlike IPv4, IPv6 does not have a broadcast address. Also, whereas multicast was an optional addition in IPv4, in IPv6 multicast is a required part of the protocol. Even basic operations such as ICMP traffic routinely rely on multicast addresses to operate efficiently. Like IPv4, IPv6 also has a loopback address. Instead of 127.0.0.1, however, the loopback address in IPv6 is 0:0:0:0:0:0:0:1 (::1 in simplified form). IPv6 also has an address called the unspecified address. This address is composed of all zeros (0:0:0:0:0:0:0:0 or ::) and is used as the source address in situations when a host does not yet have a valid IPv6 address.

Multiple Addresses Per Interface

With IPv4, you usually only had a single address configured for a specific interface. With IPv6, an interface is expected to have multiple addresses. Some of the types of addresses that an interface can have in IPv6 are:

Besides these addresses, an IPv6 interface also listens to various multicast addresses, such as one or more solicited-node multicast addresses and the all-nodes multicast address. These multicast addresses will make it easy for an attacker on the local segment to quickly identify other hosts and routers on that same local segment. Furthermore, it will be difficult for Intrusion Detection Systems to identify this traffic as malicious since it is normal traffic in an IPv6 network. This explosion of addresses for an interface will also make filtering traffic on the network an interesting challenge. Even the hosts themselves need to have defined policies as to which address to use as the source address for IPv6 traffic, since in many cases more than one address can be used successfully.
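To make the address types and the multicast groups concrete, here is an added example (not code from the Cisco post) that classifies an address the way the two sections above describe, derives the solicited-node multicast group for a unicast address (ff02::1:ffXX:XXXX, the low 24 bits copied from the unicast address, per RFC 4291), lists every group a host with a given set of addresses must listen on, and shows why a filter that only knows the interface's unicast addresses will miss legitimate traffic. The sample addresses are the post's EUI-64 host plus constructed link-local and unique-local addresses.

```python
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")
SOLICITED_NODE_BASE = ipaddress.IPv6Address("ff02::1:ff00:0")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
# Multicast scope is the low nibble of the second octet (ff0S::).
MULTICAST_SCOPES = {1: "interface-local", 2: "link-local", 5: "site-local", 8: "organization-local", 0xE: "global"}


def classify(addr: str) -> str:
    """Name the address type, matching the categories the post lists."""
    a = ipaddress.IPv6Address(addr)
    if a == ipaddress.IPv6Address("::"):
        return "unspecified"
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:
        scope = (int(a) >> 112) & 0xF
        return f"multicast/{MULTICAST_SCOPES.get(scope, f'scope-{scope:x}')}"
    if a.is_link_local:
        return "link-local unicast"
    if a in UNIQUE_LOCAL:
        return "unique local unicast"
    if a in GLOBAL_UNICAST:
        return "global unicast"
    return "other"


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX with the low 24 bits taken from the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_BASE) | low24)


def listening_multicast_groups(unicast_addrs):
    """Every group a host with these unicast addresses joins: all-nodes plus one solicited-node
    group per distinct low-24-bit suffix (EUI-64 link-local and global addresses share one)."""
    groups = {ALL_NODES}
    for u in unicast_addrs:
        groups.add(solicited_node_multicast(u))
    return sorted(groups)


def is_addressed_to_host(dst: str, unicast_addrs) -> bool:
    """Whether a packet to dst is legitimately for this host: its unicast addresses or any group it listens on.
    A filter that checks only the unicast set would wrongly drop Neighbor Solicitations."""
    d = ipaddress.IPv6Address(dst)
    unicast = {ipaddress.IPv6Address(u) for u in unicast_addrs}
    return d in unicast or d in set(listening_multicast_groups(unicast_addrs))


if __name__ == "__main__":
    # Constructed host: the post's EUI-64 global address plus the matching link-local address.
    host = ["fe80::3:e8ff:fe00:6510", "2001:db8:1:2:3:e8ff:fe00:6510"]
    for a in host + ["::", "::1", "ff02::1", "fd00::1"]:
        print(f"{a:32} {classify(a)}")
    print("listens on:", [str(g) for g in listening_multicast_groups(host)])
```

The fact that every address an interface holds shares a solicited-node group when the identifiers share their low 24 bits is also why a single Neighbor Solicitation to that group reaches the host regardless of which of its addresses is being resolved.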

Address Lifetimes

Besides the number of addresses, addresses in IPv6 can have a lifetime associated with them. This is very similar to DHCP lease times in IPv4, but now these lifetimes apply to addresses learned from DHCP as well as to addresses learned from routers via Router Advertisement messages.

Well that’s all for this installment. Although this was only a high-level overview of addressing in IPv6, hopefully it has provided you with a good introduction into the way addressing has changed, and has provided you with a starting point. In fact, some of the topics, such as multicast address usage and address selection, scope, and address lifetime could definitely use further explanation. We may have to develop a second, more detailed post on some of the addressing topics. Nevertheless, keep an eye out for the next post in this series where we’ll be talking about ways to secure your IPv6 network.


2 Comments.


  1. Hi,

    I would like to ask a question regarding the modified EUI-64 address.

    If you have a look at the MAC address it is 02:03:e8:00:65:10, i.e. the u-bit is set to "1". As far as I know IEEE registration authority mentioned that if u bit is set to 0 it is a universally (globally) administered, i.e. it is globally unique address. If u bit==1 the address is locally administered and it is not guaranteed that this address is unique. Isn’t that true?

    There must be a difference because IEEE 802 addresses have different meaning due to the value of u, don’t you agree?

    Thanks,
    abcd

       1 like

    • With modified EUI-64 addresses, the universal/local bit is inverted with the intent that a '1' now means global/universal and a '0' is now for local addresses. According to RFC 4291, the reasoning behind using a '0' for local is that it makes it easier for administrators to hand configure non-global identifiers. So instead of having to configure 0200:0:0:1, 0200:0:0:2, etc, the administrator can simply configure 0:0:0:1 and 0:0:0:2 for non-global identifiers.

         2 likes
