IPv6 on the Home LAN, Part One

Overview

IPv6 has been around for a long time. According to Wikipedia, it became a Draft Standard in December 1998 (RFC 2460) and was elevated to a full Internet Standard in July 2017 (RFC 8200).

As you may know, IPv4 address space has proven to be quite limited. This is partly due to the increased global connectivity in our lives, but also largely due to the generous address block allocations made by IANA in the early days of the internet. If you want to look at some of those large allocations, check out the list published by the IANA. You’ll see that AT&T, Ford Motor Company, Apple Computer, and PSINet are among the recipients of a full Class A block (a /8, roughly 16.7 million addresses) - each such block is 1/256, or about 0.4%, of the total IPv4 address space.

In February 2011 IANA’s free pool of IPv4 addresses was exhausted when the last five /8 blocks were allocated to the Regional Internet Registries.

Over the years, NAT has been embraced heavily as a mitigation technique to reduce the number of globally routable addresses a site needs. This presents challenges for home users who want to provide services to the internet, and it effectively divides the internet into a service-provider tier that has public addresses and a consumer tier that does not. One security note worth making up front: the way NAT incidentally hides hosts is often mistaken for a firewall. With IPv6 every host gets a globally routable address, so the stateful firewall on the router has to do that job explicitly.

IPv6 solves the addressing problem and provides additional improvements such as hierarchical route aggregation, multicast in place of broadcast, and a built-in (originally mandatory-to-implement) IPSec framework.

Key Concepts

Let’s look at some of the key concepts of IPv6:

  • Addressing, link-local addresses, privacy extensions
  • DHCPv6, SLAAC, and prefix delegation
  • Router Advertisements (RA)
  • Routing Aggregation
  • Typical prefix length
  • IPSec

Addressing

Addressing is the most noticeable difference in an IPv6 environment. Let’s take a look at one of Google’s addresses:

[clocks]: ~ dig -t aaaa google.com

; <<>> DiG 9.12.1 <<>> -t aaaa google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38160
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 91cc60f0a169f91c1f28fa535ab84bf9950abcbec32a015d (good)
;; QUESTION SECTION:
;google.com.			IN	AAAA

;; ANSWER SECTION:
google.com.		299	IN	AAAA	2607:f8b0:4009:803::200e

;; Query time: 35 msec
;; SERVER: 10.50.4.3#53(10.50.4.3)
;; WHEN: Sun Mar 25 21:25:13 EDT 2018
;; MSG SIZE  rcvd: 95

The IPv6 address record (type ‘AAAA’) returned by dig is 2607:f8b0:4009:803::200e.

IPv6 addresses are 128 bits long. In the usual deployment a segment is a /64: the first 64 bits are the network prefix and the last 64 bits are the interface identifier (IID). The idea is that each network segment has a unique prefix and each interface on that segment has a unique IID. Hosts are free to hold many IIDs at once, which allows some interesting techniques: privacy extensions (RFC 4941) rotate a random IID on a defined interval, a particular outbound address can be dedicated to a particular server, or a “burner” address can be used once and discarded. The flip side is that a host whose IID is derived from its MAC address (the older EUI-64 scheme) can be tracked across every network it joins, which is why privacy extensions are on by default on most client operating systems.

A single contiguous run of all-zero groups can be elided with :: (only once per address, so the expansion is unambiguous), and leading zeroes within a group can be dropped, which makes addresses easier to transcribe. RFC 5952 recommends lowercase hex and eliding the longest zero run, and most tooling prints addresses that way. Because one address can be spelled several ways, compare addresses as parsed values rather than as strings, or an allow-list written by hand will have holes in it.

For instance, if my local network segment is 2601:3325:8112:AC3F::/64, then I can assign static addresses to machines on that segment, giving addresses like:

  • 2601:3325:8112:AC3F::1 as my default gateway
  • 2601:3325:8112:AC3F::2 as my DNS server
  • 2601:3325:8112:AC3F::3 for NTP
  • 2601:3325:8112:AC3F::4 for the fileserver, etc

You will find a more complete treatment of IPv6 address representation here.
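Here is a small Python example, added to this post rather than taken from it, that uses the standard-library ipaddress module to show the representation rules above: canonical compression, full expansion, the 64/64 split, value-based comparison, and the static numbering of the 2601:3325:8112:AC3F::/64 segment. The role names are placeholders.

```python
import ipaddress

# Added example, not from the original post.  The segment prefix and the
# static host numbering follow what the post describes for its own LAN.
SEGMENT = ipaddress.IPv6Network("2601:3325:8112:ac3f::/64")


def canonical(text):
    """Return the RFC 5952 canonical (compressed, lowercase) form of an address.

    '2607:f8b0:4009:0803:0000:0000:0000:200e' -> '2607:f8b0:4009:803::200e'
    """
    return ipaddress.IPv6Address(text).compressed


def expanded(text):
    """Return the fully written-out form: eight 4-digit groups, no '::'."""
    return ipaddress.IPv6Address(text).exploded


def split_address(text):
    """Split an address into (network prefix, interface identifier).

    Both halves are returned as 16 hex digits: the upper 64 bits select the
    link, the lower 64 bits identify an interface on that link.
    """
    raw = expanded(text).replace(":", "")
    return raw[:16], raw[16:]


def same_address(a, b):
    """Compare two textual addresses by value, not by spelling.

    '2601:3325:8112:AC3F::1' and '2601:3325:8112:ac3f:0:0:0:1' are the same
    host; a naive string comparison says they are not.
    """
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


def static_plan(network, roles):
    """Assign the static host numbers ::1, ::2, ... to the given roles, in order."""
    hosts = network.hosts()   # skips the all-zero subnet-router anycast address
    return {role: str(next(hosts)) for role in roles}


if __name__ == "__main__":
    print(canonical("2607:f8b0:4009:0803:0000:0000:0000:200e"))
    print(expanded("2607:f8b0:4009:803::200e"))
    print(split_address("2601:3325:8112:AC3F::4"))
    print(same_address("2601:3325:8112:AC3F::1", "2601:3325:8112:ac3f:0:0:0:1"))
    for role, addr in static_plan(SEGMENT, ["gateway", "dns", "ntp", "fileserver"]).items():
        print(f"{role:<10} {addr}")
```

Note that the uppercase AC3F from the post comes back as lowercase ac3f: that is the canonical form, and it is the form you will see in logs and in most `ip -6 addr` output.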

There are a few ranges of IPv6 addresses to be aware of:

  • Link-local addresses: these fall in fe80::/10. Every IPv6 interface has one, it is configured before any router is heard from, and neighbor discovery and router solicitation run over it. The interface identifier was traditionally derived from the MAC address (modified EUI-64), though current stacks often use stable random identifiers (RFC 7217) instead. Most importantly, link-local addresses are never routed off the link, and on a host with more than one interface you must name the interface when you use one, e.g. fe80::1%eth0.
  • ::1/128 is the loopback address, the IPv6 version of 127.0.0.1.
  • FF02::1 is the all-nodes, link-scope multicast address. In practice you can ping it to enumerate the hosts on your segment (on Linux: ping -6 ff02::1%eth0, substituting your interface name). Since any host on the link can do the same, it is also the first thing a scanner tries, and one more reason to treat a shared segment as untrusted.
  • FF02::2 is the all-routers multicast address. Routers join it, and hosts send Router Solicitations to it to find the routers on the link.
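The following Python example is added here and is not part of the original post. It shows how a classic SLAAC stack builds a link-local address from a MAC address (modified EUI-64), how trivially the MAC can be read back out of such an address, which is the privacy problem the RFC 4941 and RFC 7217 identifiers address, and how to sort an address into the ranges listed above. The MAC address is made up.

```python
import ipaddress

# Added example, not part of the original post.  The MAC address is made up.
MAC = "00:1a:2b:3c:4d:5e"


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, Appendix A).

    0xfffe is inserted between the OUI and the device half, and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def link_local_from_mac(mac):
    """fe80::/64 with the EUI-64 identifier appended, as a classic SLAAC stack forms it."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac))


def mac_from_address(addr):
    """Recover the MAC from an EUI-64-derived address, or None if the IID is not EUI-64.

    This is the privacy problem in one function: an address whose lower 64
    bits carry ff:fe in the middle reveals the hardware address, and with it
    the device, on every network it ever joins.  Privacy extensions (RFC 4941)
    and stable opaque identifiers (RFC 7217) exist to defeat exactly this test.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def classify(addr):
    """Name the range an address falls in, following the post's list."""
    a = ipaddress.IPv6Address(addr)
    if a == ipaddress.IPv6Address("::1"):
        return "loopback"
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if a == ipaddress.IPv6Address("ff02::1"):
        return "all-nodes multicast"
    if a == ipaddress.IPv6Address("ff02::2"):
        return "all-routers multicast"
    if a.is_multicast:
        return "multicast"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global unicast"
    return "other"


if __name__ == "__main__":
    ll = link_local_from_mac(MAC)
    print(MAC, "->", ll, "(" + classify(str(ll)) + ")")
    print(ll, "->", mac_from_address(str(ll)))
    # a static or privacy-extension address does not carry the ff:fe marker
    print("2601:3325:8112:ac3f::1 ->", mac_from_address("2601:3325:8112:ac3f::1"))
```

If you want to know whether your own hosts are leaking hardware addresses, run their global addresses through mac_from_address: anything that comes back non-None is an EUI-64 identifier and that host is trackable by MAC.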

DHCPv6, SLAAC, and Prefix Delegation

In the section above I mentioned setting static addresses for services on my local network. That’s fine for things like servers, but it doesn’t work so well for roaming devices (like phones or laptops) or for networks where client machines are added and removed regularly.

IPv6 offers Stateless Address Autoconfiguration (SLAAC) out of the box. The process is straightforward: when a link comes up, the host sends a Router Solicitation from its link-local address to FF02::2 (the all-routers group). Routers on the link answer with a Router Advertisement carrying the prefix (or prefixes) of the segment and the remaining configuration. The host then builds its own address from the prefix plus an interface identifier it chooses itself, and runs duplicate address detection to make sure nothing else on the link already has it.

In some cases this is inappropriate or undesirable. For myself, I chose to use a stateful approach with DHCPv6. DHCPv6 is the v6 counterpart of v4 DHCP (it tracks leases per client and can hand out DNS and other options), and it adds prefix delegation (DHCPv6-PD), which is how my router obtains its prefix from the ISP. In my home network my ISP delegates a /56 to me. Any subnet of that prefix is mine to do with as I please, and my ISP’s upstream router sends all traffic addressed to that prefix down to me. My router, in turn, carves the /56 into, at the time of this writing, 2 (of a possible 256) /64 subnets. Two things catch people out here. First, DHCPv6 does not replace Router Advertisements: hosts still learn their default route from the RA, and they only go looking for a DHCPv6 server when the RA’s M (managed) flag is set, so the router must send RAs either way. Second, Android does not implement stateful DHCPv6 at all, so phones on a DHCPv6-only segment get no global address; leaving SLAAC (the A flag on the advertised prefix) enabled alongside DHCPv6 is the usual workaround.

DHCPv6 also carries DNS server addresses and search domains. If you’re using SLAAC alone, the same information can be put in the Router Advertisement itself using the RDNSS and DNSSL options (RFC 8106), which current clients honor.

Router Advertisements

Router Advertisements are ICMPv6 packets sent by nodes acting as routers that describe the local segment: the prefix (or prefixes) to use, how long the sender may be used as a default gateway, and the M (managed) and O (other configuration) flags that tell hosts whether to ask a DHCPv6 server for addresses or for other configuration such as DNS. They are sent periodically to FF02::1 and in response to Router Solicitations. One of the neat features is that a prefix change propagates automatically: each prefix is advertised with a preferred and a valid lifetime, so if my segment were renumbered, the upstream router would inform my home router, which would advertise the old prefix with a preferred lifetime of zero (deprecating it) alongside the new one, and every node would pick up a new address without anyone touching it. The security caveat is that nothing in the protocol authenticates an RA: any host on the segment can send one and become everyone’s default gateway or hand out a bogus prefix, whether by accident (a misconfigured VM or tethering device) or on purpose. Managed switches mitigate this with RA Guard (RFC 6105), and servers with static addressing can ignore RAs entirely (net.ipv6.conf.<interface>.accept_ra = 0 on Linux).
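To make the RA format concrete, here is an added Python example (not from the original post) that builds the ICMPv6 body of a Router Advertisement with a Prefix Information option and an RDNSS option, then parses it back into the fields a host acts on: the M and O flags, router lifetime, each prefix with its L/A flags and lifetimes, and the DNS servers. The parser refuses malformed input, in particular an option whose length runs past the end of the packet. The prefix and DNS address are RFC 3849 documentation space.

```python
import ipaddress
import struct

# Added example, not part of the original post.  The prefix and DNS server are
# RFC 3849 documentation addresses chosen to look like the post's two-subnet LAN.

RA_TYPE = 134            # ICMPv6 Router Advertisement
OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861 s4.6.2)
OPT_RDNSS = 25           # Recursive DNS Server option (RFC 8106)
FLAG_MANAGED = 0x80      # M: get addresses from DHCPv6
FLAG_OTHER = 0x40        # O: get other configuration (DNS etc.) from DHCPv6
PIO_ON_LINK = 0x80       # L: prefix is on-link
PIO_AUTONOMOUS = 0x40    # A: prefix may be used for SLAAC


def build_ra(prefix, managed=False, other=False, router_lifetime=1800,
             valid=2592000, preferred=604800, dns=()):
    """Construct the ICMPv6 body of a Router Advertisement (RFC 4861 s4.2).

    The checksum is left as zero: the real one covers an IPv6 pseudo-header
    and is filled in by the sending stack, so it means nothing for a body on
    its own.  Hop limit 64; reachable time and retrans timer unspecified (0).
    """
    net = ipaddress.IPv6Network(prefix)
    flags = (FLAG_MANAGED if managed else 0) | (FLAG_OTHER if other else 0)
    body = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, router_lifetime, 0, 0)
    # Prefix Information option: length 4 (= 32 octets), L and A both set
    body += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                        PIO_ON_LINK | PIO_AUTONOMOUS, valid, preferred, 0)
    body += net.network_address.packed
    if dns:
        # RDNSS option: length is in 8-octet units, 1 for the header + 2 per address
        body += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, router_lifetime)
        body += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    return body


def parse_ra(body):
    """Decode an RA body into the fields a host acts on.

    Anything malformed raises ValueError instead of being guessed at.  An
    option whose length field points past the end of the packet is the
    classic neighbor-discovery parser bug, so it is checked explicitly.
    """
    if len(body) < 16:
        raise ValueError("RA shorter than its 16-octet fixed header")
    typ, code, _csum, hop_limit, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", body[:16])
    if typ != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & FLAG_MANAGED),
          "other": bool(flags & FLAG_OTHER), "router_lifetime": lifetime,
          "prefixes": [], "dns": []}
    off = 16
    while off < len(body):
        if len(body) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = body[off], body[off + 1]
        if olen == 0:
            raise ValueError("option with zero length")   # RFC 4861 s4.6: MUST discard
        end = off + olen * 8
        if end > len(body):
            raise ValueError("option runs past the end of the packet")
        opt = body[off:end]
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            prefix = ipaddress.IPv6Network(
                (int.from_bytes(opt[16:32], "big"), plen), strict=False)
            ra["prefixes"].append({"prefix": str(prefix),
                                   "on_link": bool(pflags & PIO_ON_LINK),
                                   "autonomous": bool(pflags & PIO_AUTONOMOUS),
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            ra["dns"].extend(str(ipaddress.IPv6Address(opt[i:i + 16]))
                             for i in range(8, len(opt), 16))
        # unknown option types are skipped, as RFC 4861 requires
        off = end
    return ra


def is_well_formed(body):
    """True if parse_ra accepts the body, False if it rejects it."""
    try:
        parse_ra(body)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    ra = build_ra("2001:db8:ab00:1::/64", managed=True, other=True,
                  dns=["2001:db8:ab00:1::2"])
    print(parse_ra(ra))
    print(is_well_formed(ra), is_well_formed(ra[:-4]))
```

Reading a real RA off the wire (for instance with tcpdump -vv icmp6 on the interface) and checking the M, O and A flags against what you intended is the quickest way to debug a segment where clients do not pick up the addressing scheme you expected.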

Routing Aggregation

Because prefixes are allocated hierarchically (the RIR gives the ISP a large block, the ISP delegates a piece of it to me, and I carve that into subnets), routes can be consolidated: everyone upstream of me needs a single entry for my /56, not one entry per /64.

Wikipedia summarizes this as:

CIDR provides fine-grained routing prefix aggregation. For example, sixteen contiguous /24 networks can be aggregated and advertised to a larger network as a single /20 routing table entry, if the first 20 bits of their network prefixes match. Two aligned contiguous /20 blocks may be aggregated as a /19 network. This reduces the number of routes that have to be advertised.
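Here is the aggregation rule as runnable Python, added to this post rather than quoted from it or from Wikipedia. It covers the Wikipedia cases (sixteen aligned /24s into a /20, two aligned /20s into a /19), the negative case where blocks are contiguous but not aligned and so cannot merge, and the IPv6 case of this post, where 256 /64s fold back into the single /56 the ISP announces upstream. The network numbers are constructed for the example.

```python
import ipaddress

# Added example, not part of the original post.  The prefixes are constructed to
# mirror the Wikipedia paragraph quoted above and the /56 case from the post.


def contiguous(first, count):
    """`count` consecutive networks of the same size, starting at `first`, as strings."""
    net = ipaddress.ip_network(first)
    return [str(type(net)((int(net.network_address) + i * net.num_addresses, net.prefixlen)))
            for i in range(count)]


def aggregate(prefixes):
    """Collapse prefixes into the fewest covering routes, as a router advertising upstream would.

    Adjacent blocks merge only when the merged block is aligned on its own
    boundary; a block whose first address is not a multiple of the new size
    stays separate, which is why address plans are drawn on power-of-two lines.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print(aggregate(contiguous("10.0.0.0/24", 16)))          # aligned: one /20
    print(aggregate(contiguous("192.0.2.0/24", 16)))         # unaligned: four routes
    print(aggregate(["10.0.0.0/20", "10.0.16.0/20"]))        # aligned pair: one /19
    print(aggregate(["10.0.16.0/20", "10.0.32.0/20"]))       # unaligned pair: stays two
    print(aggregate(contiguous("2001:db8:ab00::/64", 256)))  # the 256 /64s of a /56: one route
```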

Typical Prefix Length

Typically, ISPs seem to be providing /56 prefixes to residential customers. This allows for 256 /64 subnets. I have heard of other ISPs providing /48 prefixes (for 65536 /64 subnets!). Either way, for most applications you will have plenty of available subnets to use.

IPSec

IPv6 was originally specified with IPSec as a mandatory part of every implementation (RFC 4294 says MUST implement), though actually using it was always optional; RFC 6434 relaxed even the implementation requirement to a SHOULD. In practice it is no more widely deployed on v6 than on v4, so don’t count on it being there.

To Be Continued

This post is one of a series on adopting IPv6 on your home or small business network. Future installments will cover:

  • Sample Network Description
    • Guest subnet
    • Trusted subnet
    • DNS resolution
  • Platform Specific Setup Details
    • EdgeOS router configuration
    • JunOS switch configuration
    • Windows client configuration
    • Linux client configuration
    • OS X client configuration
    • Android phone configuration
  • Miscellany
    • Using IPv6 addresses in Chrome / Firefox / MS Edge
    • Preferring DNS IPv6 records