In the previous installment of our series of IPv6 posts, we covered some of the ways ICMP has changed in IPv6 compared to IPv4. In this post, we’ll talk about how addressing has changed in IPv6 compared to IPv4.
While IPv4 addresses are 32 bits log, the IPv6 address space has been extended to 128 bits, which will make it virtually impossible to remember the numeric representation of the address for a given host. This will definitely lead to more reliance on DNS. It will be difficult to operate even very simple test networks without relying on DNS to resolve host names to IPv6 addresses. Because of this, more attacks will be targeted against your DNS servers. Making sure your DNS configuration and servers are secure will be very more important in IPv6. DNS will also be targeted by attackers to attempt to locate systems on the network by trying to resolve “common host names,” since scanning a remote IPv6 network is essentially impossible due to the size of the IPv6 address space.
Even though it will be difficult to use the actual IPv6 addresses in normal day-to-day operations because of the size, it is important to understand the conventions of how the address can be displayed and entered. Unlike IPv4, which uses a dotted-decimal (such as 172.21.1.20) notation, IPv6 uses a colon-separated notation. The full IPv6 address consists of 8 16-bit fields similar to the following:
To simplify things, leading zeros in a field are optional so the above address can be written as:
Finally, you can also compress one or more groups of 0’s using a “::” symbol. In order to avoid ambiguity, zero compression can only happen once in an address. So applying this rule, our address becomes:
The IPv6 address can split into two 64-bit pieces. The first 64-bit segment represents the Global Routing Prefix (also known as the Network Prefix). The Global Routing Prefix is the portion of the address that determines the destination network to which the packet will be routed. Logically it will be subdivided by various components which allow IPv6 addresses to be more effectively aggregated, thus reducing the size of routing tables. The typical components of the Network Prefix include:
- Registry Prefix
- ISP Prefix
- Site Prefix
- Subnet Prefix
The second half of the IPv6 address is the Interface Identifier. Per RFC 4291 -IP Version 6 Addressing Architecture, the Interface Identifier is built by dividing the 48-bit MAC address for the interface into two pieces and inserting “FFFE” in between these pieces (24-bits MAC + FFFE + 24-bits MAC). This is known as an EUI-64 prefix address. The universal/local flag can also be toggled (7th bit in first octet of MAC address) to produce a “modified” EUI-64 address. Let’s look at an example to clarify this. Suppose that the Network Prefix for your network is 2001:DB8:1:2::/64 and your MAC address for the interface is 02:03:e8:00:65:10, then the modified EUI-64 IPv6 address would be:
Notice how the first half of the MAC address changes from 02:03:e8 to 00:03:e8 because of the change in the universal/local bit. EUI-64 addresses provides a very simple formula, but it creates information leakage and privacy concerns. In IPv4, when you connect your computer at different locations (such as work, home, or on a Wifi hotspot), you receive a different IPv4 address at each location. Since each location provides a different IPv4 address, it is difficult for someone to determine that traffic from all of the different addresses is the same system/user. With IPv6, you also technically receive a different IPv6 address at each location as well. With IPv6, however, only the Network Prefix is changing. The Interface Identifier portion of the address stays the same. Therefore, by simply looking at the IPv6 address information, you can easily see that the traffic from multiple locations is actually the same system (and probably the same user). To overcome this, RFC 4941 outlined a mechanism to generate a random value for the Interface Identifier that changes over time to make it difficult to identify traffic from multiple locations as coming from the same system. Many systems, such as Windows 7 and Windows 2008, have this privacy protection enabled by default. While this solves the privacy issue to a large degree, it introduces other issues, such as the continually changing link-local address. An attacker could potentially even use the changing Interface Identifier to bypass the detection of Intrusion Detection Systems by making multiple actions appear to come from different IPv6 addresses.
IPv6 utilizes Unicast, Multicast, and Anycast addresses, but unlike IPv4, IPv6 does not have a broadcast address. Also, whereas multicast was an optional addition in IPv4, in IPv6 multicast takes on a more required role. Even basic operations such as ICMP traffic routinely rely on multicast addresses to operate efficiently. Like IPv4, IPv6 also has a loopback address. Instead of 127.0.0.1, however, the loopback address in IPv6 is now 0:0:0:0:0:0:0:1 (::1 in simplified form). IPv6 also has an address called an unspecified address. This address is composed of all 0’s (0:0:0:0:0:0:0:0 or ::) and is used as the source address in situations when a host does not currently have a valid IPv6 address.
Multiple Addresses Per interface
With IPv4, you usually only had a single address configured for a specific interface. With IPv6, an interface is expected to have multiple addresses. Some of the types of addresses that an interface can have in IPv6 are:
- Link Local address (FE80::/10)
- Unique Local Unicast (FC00::/7)
- Global Unicast (2000::/3)
Besides these addresses, an IPv6 interface also listens to various multicast addresses, such as one or more solicited-node multicast addresses and the all-nodes multicast address. These multicast addresses will make it easy for an attacker on the local segment to quickly identify other hosts and routers on that same local segment. Furthermore, it will be difficult for Intrusion Detection Systems to identify this traffic as malicious since it is normal traffic in an IPv6 network. This explosion of addresses for an interface will also make filtering traffic on the network an interesting challenge. Even the hosts themselves need to have defined policies as to which address to use as the source address for IPv6 traffic, since in many cases more than one address can be used successfully.
Besides the number of addresses, addresses in IPv6 can have a lifetime associated with them. This is very similar to DHCP lease times in IPv4, but now these lifetimes apply to addresses learned from DHCP, as well as addresses learned from routers via Router Advertisement messages.
Well that’s all for this installment. Although this was only a high-level overview of addressing in IPv6, hopefully it has provided you with a good introduction into the way addressing has changed, and has provided you with a starting point. In fact, some of the topics, such as multicast address usage and address selection, scope, and address lifetime could definitely use further explanation. We may have to develop a second, more detailed post on some of the addressing topics. Nevertheless, keep an eye out for the next post in this series where we’ll be talking about ways to secure your IPv6 network.