Thursday, October 22, 2015

What's with all those IPv6 Addresses

by Craig Miller

No longer tied to one address

A key difference of IPv6 is multiple addresses. Every IPv6 interface has a link-local address, and an interface that reaches the Internet has a global address as well, so an interface will have at least two IPv6 addresses, but there can be more, several more.

All those addresses can mean more complexity, but they can also mean simplicity. Apart from a global address and a link-local address, there is no requirement to have any more.

But remember, there are usually at least two ways to look at something, and IPv6 is no different. Vase, or faces?


Address fundamentals

By now you know that an IPv6 address is 128 bits long. And hopefully you know that on a host subnet the prefix length is not variable: it is always, always 64 bits. Routing prefixes can be shorter, and point-to-point links are sometimes numbered longer, but RFC 4291 requires a 64-bit interface identifier for ordinary unicast addresses and SLAAC only works on a /64, so for the subnets hosts live on the mask is always 64 bits. This simplifies things a lot.

An IPv6 address looks like the following:
 2001:4860:4860:0000:0000:0000:0000:8888

An IPv6 address is written as 8 groups of 4 hexadecimal digits separated by colons. That is a lot of typing. Fortunately RFC 4291 lets us drop the leading zeros in each group and replace one run of consecutive all-zero groups with a double colon. The address becomes:
 2001:4860:4860::8888
In the above example (1), the network number (the left 64 bits) is 2001:4860:4860:0000, usually written as the prefix 2001:4860:4860::/64, and the host number (the right 64 bits, also called the interface identifier) is 0000:0000:0000:8888, or ::8888 for short.

The double colon doesn't have to align with the 64-bit boundary, but it is convenient when it does. Only one run of zeros can be collapsed per address; otherwise the reader could not tell how many groups each :: stands for.
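As an added example (not code from the original post), the following Python implements the RFC 4291 shortening rules by hand, with the longest-zero-run and single-group rules that RFC 5952 later pinned down, and splits an address into its /64 prefix and interface identifier. The address is the Google DNS one used above; the stdlib ipaddress module is used only to expand addresses and to print the prefix.

```python
import ipaddress

def expand(addr: str) -> str:
    """Full RFC 4291 form: eight 4-digit groups, leading zeros kept."""
    return ipaddress.IPv6Address(addr).exploded

def compress(addr: str) -> str:
    """Shorten an address by hand, following RFC 4291 / RFC 5952:
    drop leading zeros in each group and collapse the longest run of
    two or more all-zero groups (the first such run on a tie) into '::'.
    A lone zero group is written '0', never '::'."""
    groups = [int(g, 16) for g in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:          # '>' keeps the first run on a tie
            best_start, best_len = i, j - i
        i = j
    hexes = [format(g, "x") for g in groups]
    if best_len < 2:
        return ":".join(hexes)
    left = ":".join(hexes[:best_start])
    right = ":".join(hexes[best_start + best_len:])
    return left + "::" + right

def split_64(addr: str):
    """Split an address into its /64 network prefix and its 64-bit interface
    identifier (the 'host number'); returns (prefix, iid) as strings."""
    a = int(ipaddress.IPv6Address(addr))
    net = ipaddress.IPv6Network((a & ~((1 << 64) - 1), 64))
    iid = a & ((1 << 64) - 1)
    iid_str = ":".join(format((iid >> s) & 0xFFFF, "x") for s in (48, 32, 16, 0))
    return str(net), iid_str

if __name__ == "__main__":
    for a in ("2001:4860:4860:0000:0000:0000:0000:8888", "2001:db8:0:0:1:0:0:1", "::1"):
        print(expand(a), "->", compress(a), split_64(a))
```

Note that 2001:db8:0:0:1:0:0:1 compresses to 2001:db8::1:0:0:1 and not 2001:db8:0:0:1::1; both are valid RFC 4291 spellings, but RFC 5952 picks the longest run (and the first one on a tie) so that tools comparing addresses as text agree.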

Special Addresses

There are special addresses which are required for IPv6 to work properly. The first is the link-local address, which always starts with fe80:; officially (in RFC 4291) it is the prefix
FE80::/10

Because there is no ARP (Address Resolution Protocol) in IPv6, another method had to be used to resolve the MAC address for a given IPv6 address. Every node creates a link-local address, which is only significant on that link, and ICMPv6 Neighbour Discovery (RFC 4861) then resolves MAC addresses with Neighbour Solicitation and Neighbour Advertisement messages, sent to a multicast group rather than to a broadcast. Like ARP, Neighbour Discovery is unauthenticated, so it has the same spoofing exposure on a shared link.

Another set of special addresses are the multicast addresses, which start with ff (again defined in RFC 4291). One we learned about in a previous post is the all-nodes address. There is no broadcast in IPv6, but multicasting to all nodes has a similar result. The link-local all-nodes address is:
FF02::1
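The following added example (not from the original post) classifies an address by its RFC 4291 prefix and goes one step beyond the text to show the two multicast addresses Neighbour Discovery actually uses in place of ARP and broadcast: the solicited-node group (RFC 4291 section 2.7.1) that a Neighbour Solicitation is sent to, and the 33:33:xx:xx:xx:xx Ethernet address it maps to (RFC 2464). Unique local addresses (fc00::/7, RFC 4193) are included in the classifier because they turn up on real LANs; the constants and the sample addresses are mine.

```python
import ipaddress

def classify(addr: str) -> str:
    """Name the address class from its prefix (RFC 4291; fc00::/7 is RFC 4193)."""
    v = int(ipaddress.IPv6Address(addr))
    if v == 0:
        return "unspecified (::)"
    if v == 1:
        return "loopback (::1)"
    if (v >> 120) == 0xFF:                       # ff00::/8
        scope = (v >> 112) & 0xF                 # low nibble of the second byte
        name = {1: "interface-local", 2: "link-local", 5: "site-local",
                8: "organization-local", 0xE: "global"}.get(scope, "reserved")
        return f"multicast, {name} scope ({scope:x})"
    if (v >> 118) == 0x3FA:                      # fe80::/10
        return "link-local unicast"
    if (v >> 121) == 0x7E:                       # fc00::/7
        return "unique local unicast"
    return "global unicast"

def solicited_node(addr: str) -> str:
    """Solicited-node multicast group: ff02::1:ffXX:XXXX, where XX:XXXX is
    the low 24 bits of the unicast address. A Neighbour Solicitation goes
    here, so only hosts sharing those 24 bits have to look at it."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    group = (0xFF02 << 112) | (0x1FF << 24) | low24
    return str(ipaddress.IPv6Address(group))

def multicast_mac(addr: str) -> str:
    """Ethernet destination for an IPv6 multicast group (RFC 2464 section 7):
    33:33 followed by the low 32 bits of the group address."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    low32 = int(a) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))

if __name__ == "__main__":
    # constructed sample addresses
    for a in ("fe80::21a:2bff:fe3c:4d5e", "ff02::1", "2001:4860:4860::8888", "fd00::1"):
        print(f"{a:28} {classify(a)}")
    target = "2001:4860:4860::8888"
    group = solicited_node(target)
    print(f"NS for {target} goes to {group} / {multicast_mac(group)}")
```

Because the solicited-node group only carries the low 24 bits, two addresses on the same link with the same last six hex digits share a group, which is why the target address is repeated inside the Neighbour Solicitation itself.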

How to get a Global Address, let me count the ways

Before sending your packets on to the big IPv6 enabled internet, you will first need to get a global IPv6 address. Fortunately, there are several methods to get a global address:
  • SLAAC (Stateless Address Auto-Configuration)
  • DHCPv6
  • Statically defined
The first thing to remember about IPv6 is that the network, not the client, controls addressing. There are key advantages to doing it this way. If you have a subnet (in IPv6 it is called a prefix) defined, with 100 host machines on it, you don't want to go to each machine and change the prefix. Using SLAAC, you would just change the advertised prefix on the router, and all 100 hosts on the link would acquire new, valid global addresses.

But how does each host pick a unique global address? The original standard for SLAAC takes the Ethernet MAC address, modifies it a bit (into modified EUI-64 format: the 48-bit MAC is split in half, ff:fe is inserted in the middle, and the universal/local bit is flipped), uses that as the lower 64 bits (the host part) of the address, and prepends the prefix advertised by the router. Before using the address the host runs Duplicate Address Detection, a Neighbour Solicitation for its own candidate address, to catch the rare collision.

Privacy concerns with SLAAC

However, this caused an unforeseen problem. The host always had the same interface identifier, day in and day out, and on every network it visited, since the MAC follows the hardware. This led to privacy concerns, and RFC 4941 adds another global address, called a temporary address. The temporary address has a randomized lower 64 bits, and a new one is generated every day by default (the preferred lifetime is 24 hours; the old address stays valid for existing connections for up to a week). Since the temporary address changes every day, it is harder for sites outside the local network to track the host.

But there are those who don't like ever-changing addresses: the security people. When analysing the logs, they want to see a consistent address used day in and day out. After all, this is how IPv4 works. On a network you run, the usual compromise is to disable temporary addresses on servers and to keep neighbour-cache or DHCPv6 lease records, so that a temporary address seen in a log can still be tied back to a host.
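The two paragraphs above, SLAAC's EUI-64 derivation and the RFC 4941 temporary address that replaced it, share one piece of arithmetic, so here is a single added example (mine, not the post's) covering both: building an EUI-64 address from a MAC and prefix, recovering the MAC from such an address (the check a log analyst or an attacker runs to see whether an address gives away the hardware), and generating a temporary identifier the RFC 4941 way. The MAC and prefix are constructed samples.

```python
import ipaddress
import os

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A):
    split the MAC in half, insert ff:fe, and flip the universal/local bit
    (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")

def slaac_address(prefix: str, mac: str) -> str:
    """Classic SLAAC: advertised /64 prefix + EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))

def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64 address, or None when the interface
    identifier lacks the ff:fe marker (a temporary, DHCPv6 or static address)."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in octets)

def temporary_interface_id() -> int:
    """RFC 4941-style temporary identifier: 64 random bits with the u bit
    (0x02 of the first octet) cleared to mark it locally significant.
    A real implementation also rejects the reserved identifiers of RFC 5453."""
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD
    return int.from_bytes(iid, "big")

if __name__ == "__main__":
    mac, prefix = "00:1a:2b:3c:4d:5e", "2001:db8:1:2::/64"      # constructed sample
    stable = slaac_address(prefix, mac)
    temp = ipaddress.IPv6Address(int(ipaddress.IPv6Network(prefix).network_address)
                                 | temporary_interface_id())
    for a in (stable, str(temp)):
        print(f"{a:40} MAC: {mac_from_address(a)}")
```

The recovery function is the whole privacy argument in four lines: an EUI-64 address reveals the NIC's OUI and serial to every server it talks to, and the same identifier reappears under any prefix, so two sites can link the visits. A temporary or DHCPv6 address returns None.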

DHCPv6

Another method of getting a global address is DHCPv6, defined in RFC 3315. Again it is controlled by the network, not the client. The Router Advertisement (RA) header carries the M and O bits (Managed and Other). If the M bit is set, the DHCPv6 client should send a multicast Solicit to ff02::1:2 (the All_DHCP_Relay_Agents_and_Servers address) and request an address; if only the O bit is set, it should request other configuration (such as DNS server settings) but not an address. The M and O bits are independent of the A bit, which lives in each Prefix Information option of the RA and controls SLAAC for that prefix. So it is possible to have a DHCPv6 address, a SLAAC address, a temporary address, and a link-local address all on the same interface.
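To make the M, O and A flags concrete, here is an added example (mine, not from the post) that builds a constructed Router Advertisement with the RFC 4861 layout, parses the flags and Prefix Information options back out, and reports what a host would do with it. The ICMPv6 checksum is left at zero because it needs the IPv6 pseudo-header, and the lifetimes and prefix 2001:db8:1::/64 are sample values.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
RA_FLAG_M, RA_FLAG_O = 0x80, 0x40       # RA header flags (RFC 4861 4.2)
PIO_FLAG_L, PIO_FLAG_A = 0x80, 0x40     # Prefix Information option flags (4.6.2)

def build_ra(managed: bool, other: bool, prefixes) -> bytes:
    """Constructed sample RA (ICMPv6 body only, checksum 0).
    prefixes: list of (prefix, autonomous, on_link)."""
    flags = (RA_FLAG_M if managed else 0) | (RA_FLAG_O if other else 0)
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    for prefix, autonomous, on_link in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pflags = (PIO_FLAG_L if on_link else 0) | (PIO_FLAG_A if autonomous else 0)
        # type, length (in 8-byte units), prefix length, flags, valid, preferred, reserved, prefix
        pkt += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                           2592000, 604800, 0, net.network_address.packed)
    return pkt

def parse_ra(pkt: bytes) -> dict:
    """Pull the M/O bits and every Prefix Information option out of an RA."""
    if len(pkt) < 16:
        raise ValueError("truncated RA header")
    typ, code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack_from("!BBHBBHII", pkt, 0)
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    info = {"managed": bool(flags & RA_FLAG_M), "other": bool(flags & RA_FLAG_O),
            "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:                              # RFC 4861 4.6: discard the packet
            raise ValueError("zero-length option")
        body = pkt[off:off + olen * 8]
        if len(body) < olen * 8:
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            _, _, plen, pflags, valid, preferred, _, raw = struct.unpack("!BBBBIII16s", body)
            info["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(raw)}/{plen}",
                "autonomous": bool(pflags & PIO_FLAG_A),
                "on_link": bool(pflags & PIO_FLAG_L),
                "valid": valid, "preferred": preferred})
        off += olen * 8                            # unknown options are skipped, per RFC 4861
    return info

def addressing_plan(info: dict) -> list:
    """What a host does with this RA: SLAAC for each A-flagged /64, plus
    DHCPv6 for an address (M) or for other configuration only (O)."""
    plan = [f"SLAAC in {p['prefix']}" for p in info["prefixes"]
            if p["autonomous"] and p["prefix"].endswith("/64")]
    if info["managed"]:
        plan.append("DHCPv6 for an address (and other configuration)")
    elif info["other"]:
        plan.append("DHCPv6 for other configuration only (stateless)")
    return plan

if __name__ == "__main__":
    ra = build_ra(managed=True, other=True, prefixes=[("2001:db8:1::/64", True, True)])
    print(addressing_plan(parse_ra(ra)))
```

Nothing in this packet is authenticated: any host on the link can send an RA with whatever M, O and A bits and prefixes it likes, and every other host will act on it. That is the rogue-RA problem (RFC 6104), and why switches offer RA Guard (RFC 6105).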

And if that isn't enough addresses, you can always manually assign an address (statically defined) to an interface. Give the prefix length explicitly; without it iproute2 adds the address as a /128, and the host will not treat the rest of the prefix as on-link:
sudo ip addr add 2001:470:1c:583::1/64 dev eth0

All those addresses which one is used?

Fortunately, there is RFC 6724, Default Address Selection for IPv6, the standard that determines which source address is used when connecting to the Internet. It supersedes the old RFC 3484, whose default policy table preferred an IPv6 destination over an IPv4 one. RFC 6724 keeps that preference by default, but its policy table is meant to be adjusted, so in this time of transition the user (or the IT folks) may want to change the preference rather than just turning off IPv6. See my previous post, IPv6, not your grandma's IP, for more info on how to adjust your preference.

The rules governing source address selection are a bit complex. To understand them best, one should refer to section 5 of RFC 6724. Here are the rules (as named in the RFC) to give you an overview; they are applied in order to each pair of candidate source addresses, and the first rule that distinguishes the pair wins:
   Rule 1: Prefer same address.
   Rule 2: Prefer appropriate scope.
   Rule 3: Avoid deprecated addresses.
   Rule 4: Prefer home addresses.
   Rule 5: Prefer outgoing interface.
   Rule 5.5: Prefer addresses in a prefix advertised by the next-hop.
   Rule 6: Prefer matching label.
   Rule 7: Prefer temporary addresses.
   Rule 8: Use longest matching prefix.
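As an added example (mine, not the post's), here is a cut-down version of that RFC 6724 section 5 comparison in Python: rules 1, 2, 3, 7 and 8 are implemented for a list of candidate source addresses, while rules 4, 5, 5.5 and 6 are omitted because they need Mobile IP, interface and policy-table state that a stand-alone script does not have. The candidate set mirrors the interface described above (link-local, EUI-64 SLAAC, temporary, and a deprecated temporary address), with constructed sample addresses, and all sources are assumed to sit in a /64.

```python
import ipaddress
from typing import NamedTuple, Optional

class Candidate(NamedTuple):
    addr: ipaddress.IPv6Address
    deprecated: bool = False     # preferred lifetime has expired
    temporary: bool = False      # RFC 4941 temporary address

def cand(addr: str, **flags) -> Candidate:
    return Candidate(ipaddress.IPv6Address(addr), **flags)

def scope(a: ipaddress.IPv6Address) -> int:
    """RFC 6724 3.1: multicast scope from the address; link-local and loopback
    are link-local scope (0x2); everything else is global (0xe)."""
    if a.is_multicast:
        return (int(a) >> 112) & 0xF
    if a.is_link_local or a.is_loopback:
        return 0x2
    return 0xE

def common_prefix_len(a, b, limit: int = 64) -> int:
    """Leading bits shared by a and b, capped at the source's prefix length
    (assumed /64 here, as on a host subnet)."""
    x = int(a) ^ int(b)
    n = 0
    for bit in range(127, -1, -1):
        if (x >> bit) & 1:
            break
        n += 1
    return min(n, limit)

def prefer(sa: Candidate, sb: Candidate, dest) -> Optional[Candidate]:
    """Rules 1, 2, 3, 7 and 8 applied to one pair; the first rule that
    separates them decides, None means a tie under these rules."""
    a, b = sa.addr, sb.addr
    if a == dest:                              # Rule 1: prefer same address
        return sa
    if b == dest:
        return sb
    s_a, s_b, s_d = scope(a), scope(b), scope(dest)
    if s_a < s_b:                              # Rule 2: prefer appropriate scope
        return sb if s_a < s_d else sa
    if s_b < s_a:
        return sa if s_b < s_d else sb
    if sa.deprecated != sb.deprecated:         # Rule 3: avoid deprecated addresses
        return sb if sa.deprecated else sa
    if sa.temporary != sb.temporary:           # Rule 7: prefer temporary (RFC default)
        return sa if sa.temporary else sb
    ca, cb = common_prefix_len(a, dest), common_prefix_len(b, dest)
    if ca != cb:                               # Rule 8: longest matching prefix
        return sa if ca > cb else sb
    return None

def select_source(candidates, dest: str) -> str:
    """Pick the source address for dest by pairwise comparison; on a tie the
    earlier candidate is kept."""
    d = ipaddress.IPv6Address(dest)
    best = candidates[0]
    for c in candidates[1:]:
        if prefer(c, best, d) is c:
            best = c
    return str(best.addr)

if __name__ == "__main__":
    host = [cand("fe80::21a:2bff:fe3c:4d5e"),                          # constructed samples
            cand("2001:db8:1:2:21a:2bff:fe3c:4d5e"),                   # EUI-64 SLAAC
            cand("2001:db8:1:2:a1b2:c3d4:e5f6:789", temporary=True),
            cand("2001:db8:1:2:dead:beef:0:1", temporary=True, deprecated=True)]
    for dest in ("2001:4860:4860::8888", "fe80::1"):
        print(dest, "<-", select_source(host, dest))
```

The temporary address wins for the Internet destination and the link-local one for the on-link destination. Rule 7 is the one the security people care about: RFC 6724 lets an implementation reverse it, and on Linux the per-interface sysctl net.ipv6.conf.*.use_tempaddr decides (2 prefers temporary addresses, 1 creates them without preferring them, 0 disables them).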

Old Protocol, still evolving

As I write this there is a new RFC on the books, Distributing Address Selection Policy Using DHCPv6 (RFC 7078). Again, the idea is to make it easier to roll out changes to your hosts (whether it is changing the prefix, or how hosts select addresses). IPv6 continues to evolve. Learning IPv6 now will help you for the rest of your career.

1) Just like Google has IPv4 DNS servers at 8.8.8.8, and 8.8.4.4, Google also has IPv6 accessible DNS servers at 2001:4860:4860::8888 and 2001:4860:4860::8844
