Aaron

Hi! I’m Aaron. I keep things here that I want to remember or that I think you might find useful.

Quick reference for going from IPv4 to IPv6

A quick cheat sheet for understanding IPv6 if you’re used to IPv4.

Address format

IPv6 addresses are written in hexadecimal, so you can use 0-9 and a-f in an IPv6 address. Each character can express 16 different values. For example, the hexadecimal value 1000 is 4096 when written in normal base-10 numbers.

It does not typically matter whether you write the letters in uppercase or lowercase. I’ll be using lowercase in this document.

IPv6 notation

IPv6 addresses usually are expressed in CIDR notation: fe80::/10. There is no concept of “classes” for network segments in IPv6.

When an IPv6 address contains several consecutive segments that are just zeros, such as fe80:0000:0000:0000:0000:0000:0000:0001, it can be compressed down to fe80::1.

I find the Vultr IPv6 subnet calculator to be an incredibly helpful resource for understanding these addresses or subnets.
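The compression rule above can be implemented by hand, as in this added example (not code from the original page). It follows the RFC 5952 convention of collapsing the longest run of two or more zero segments, leftmost on a tie; the helper names are made up for illustration and IPv4-embedded forms are not handled.

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdef")

def expand(addr: str) -> str:
    """Write out all eight 16-bit segments, four hex digits each."""
    head, sep, tail = addr.lower().partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    if sep:
        # "::" stands for however many all-zero segments are missing.
        missing = 8 - len(left) - len(right)
        if missing < 1 or "::" in tail:
            raise ValueError(f"bad use of '::' in {addr!r}")
        left += ["0"] * missing
    groups = left + right
    if len(groups) != 8 or not all(
            1 <= len(g) <= 4 and set(g) <= HEX_DIGITS for g in groups):
        raise ValueError(f"not an IPv6 address: {addr!r}")
    return ":".join(g.zfill(4) for g in groups)

def compress(addr: str) -> str:
    """Drop leading zeros, then collapse the longest zero run into '::'."""
    groups = [g.lstrip("0") or "0" for g in expand(addr).split(":")]
    best_start, best_len, i = -1, 1, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:          # strictly longer, so the first run wins ties
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    if best_start < 0:                # no run of two or more zero segments
        return ":".join(groups)
    return (":".join(groups[:best_start]) + "::"
            + ":".join(groups[best_start + best_len:]))

def same_address(a: str, b: str) -> bool:
    """Compare two spellings by value, as an ACL or log search should."""
    return expand(a) == expand(b)

if __name__ == "__main__":
    # Constructed sample spellings, checked against the standard library.
    for text in ("fe80:0000:0000:0000:0000:0000:0000:0001",
                 "2001:DB8:0:0:1:0:0:1", "::"):
        print(text, "->", compress(text), "| stdlib:", ipaddress.IPv6Address(text))
```

Because one address has many valid spellings, normalise both sides before comparing addresses in firewall rules or log queries.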

Subnet Sizing

The smallest normal subnet is a /64. In IPv4 you might have used a /24, sometimes called a class “c” network - but IPv6 network segments are purposefully huge. Most devices/software won’t do anything smaller than /64.

It truly feels counter-intuitive given the drum-beating about running out of IPv4 addresses, and the common IPv4 network segment sizes in most enterprises, but IPv6 was designed this way.

Any prefix larger than a /64 (that is, one with a smaller prefix length) can be divided into several /64 segments.

Important Well-Known IPv6 prefixes & Addresses

| Prefix/Address | Notes |
|---|---|
| ::1/128 or ::1 | Loopback address. Unlike IPv4, there is exactly one address reserved for loopback. |
| fe80::/10 | Link-Local unicast - traffic that is not routed |
| 2001:db8::/32 | Prefix to be used in documentation |
| ff00::/8 | Multicast addresses |

For the full list of reserved prefixes, see the IANA IPv6 Address Space guide.

Client configuration

DHCP

IPv6 does not require DHCP, but it is available as an option for some clients. I hate to link to Wikipedia but it’s the simplest way to find out which operating systems support DHCP6. Importantly, Android clients do not currently support DHCP6 and will need to use automatic addressing, known as SLAAC. Keep this in mind when designing networks that will support a mix of client operating systems.

You will not specify what the router address should be in DHCP6.

Typically the options you’ll provide in DHCP6 are as follows:

  1. DNS Recursive Name Server IPv6 Address List (Option 00023)
  2. Domain search list (Option 00024)

Router advertisements

IPv6 clients can be fully configured through router advertisements (RAs). These are ICMP messages that, obviously, originate from the routers on your network. DHCP is optional, but a functioning IPv6 network ALWAYS has RAs.

Router Advertisements contain the following true/false flags:

  1. “A” bit - tells the client it should compute its own address using SLAAC
  2. “L” bit - the prefix supplied is on-link with the other nodes in this network segment. It’s a little hard to understand. If you want to know more, here’s the RFC. I think it means that it’s a normal, routable address - but don’t quote me.
  3. “M” bit - the client should rely on DHCP6 for configuration options.
  4. “O” bit - the router can supply options in place of DHCP6, like DNS servers.
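To see where these four bits sit on the wire, here is an added example (not from the original page) that decodes a Router Advertisement using the RFC 4861 layout: M and O are in the RA header, while L and A travel with each Prefix Information option. The sample packet is constructed for illustration and its checksum is not validated.

```python
import ipaddress
import struct

def parse_ra(packet: bytes) -> dict:
    """Extract the M/O flags and each advertised prefix's L/A flags."""
    if len(packet) < 16 or packet[0] != 134:
        raise ValueError("not a Router Advertisement (ICMPv6 type 134)")
    flags = packet[5]
    ra = {"M": bool(flags & 0x80),    # managed address configuration
          "O": bool(flags & 0x40),    # other configuration
          "prefixes": []}
    pos = 16                          # options start after the fixed header
    while pos + 2 <= len(packet):
        opt_type, opt_len = packet[pos], packet[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(packet):
            raise ValueError("malformed option length")
        if opt_type == 3 and opt_len == 32:   # Prefix Information option
            plen, pflags, valid, preferred = struct.unpack_from(
                "!BBII", packet, pos + 2)
            prefix = ipaddress.IPv6Address(packet[pos + 16:pos + 32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "L": bool(pflags & 0x80),     # on-link
                "A": bool(pflags & 0x40),     # autonomous (SLAAC) configuration
                "valid": valid, "preferred": preferred})
        pos += opt_len
    return ra

# Constructed sample: O set, M clear, one /64 from the documentation
# prefix with both L and A set. The checksum field is left as zero.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x40, 1800, 0, 0)
    + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0)
    + ipaddress.IPv6Address("2001:db8:1:2::").packed
)

if __name__ == "__main__":
    print(parse_ra(SAMPLE_RA))
```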

Generally, you should provide DNS information in either DHCP6 or your RA if you want a client to end up with a usable IPv6 stack; otherwise you will have to statically configure it on every host.

I’m not going to cover a lot about SLAAC - there’s an RFC that covers how those addresses are computed and a bit more readable article here. The short version is it takes the MAC address of your network interface and does some math.

I don’t pretend to understand it, but the process also detects duplicates to prevent collisions.
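The "math" for MAC-derived addresses is the modified EUI-64 method from RFC 4291, shown in this added example (not from the original page; the MAC address and prefix are constructed samples). The reverse function shows why such an address exposes the interface's hardware address to anyone who sees it.

```python
import ipaddress
from typing import Optional

def eui64_interface_id(mac: str) -> int:
    """Split the 48-bit MAC in half, insert ff:fe in the middle and flip
    the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with the MAC-derived identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 identifiers need a /64 prefix")
    return net[eui64_interface_id(mac)]

def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 style address. Returns None when the
    ff:fe marker is absent, as with randomised identifiers. This is a
    heuristic: a random identifier could contain ff:fe by chance."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])

if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                      # constructed sample MAC
    print(slaac_address("fe80::/64", mac))         # link-local address
    print(slaac_address("2001:db8:1:2::/64", mac)) # documentation prefix
    print(mac_from_address("2001:db8:1:2:211:22ff:fe33:4455"))
```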

You should also be aware that many operating systems generate pseudo-random addresses as a way to preserve privacy, as defined in RFC 4941. There are a number of ways to turn this off if you find you need to (for example, if you need a connection to come from a particular address for security reasons), but you may see mixed results when trying to turn it off persistently.

Windows shell commands (running with admin permissions):

netsh interface ipv6 set global randomizeidentifiers=disabled store=active 
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent 
netsh interface ipv6 set privacy state=disabled store=active 
netsh interface ipv6 set privacy state=disabled store=persistent 

Linux (/etc/sysctl.conf in most cases):

net.ipv6.conf.all.use_tempaddr=0
net.ipv6.conf.default.use_tempaddr=0

NAT

NAT isn’t really a thing in IPv6. There are versions of it, but you shouldn’t use them. A common misconception is that NAT is a layer of security in your network. Many networks include NAT rules to take traffic from an untrusted network (like the internet) and allow either some ports or all ports to pass through to an internal IP address.

In IPv6, most addresses are publicly routable, but that is not the same thing as saying that all addresses are exposed to the internet. Your security options are the same as they have always been - router ACLs, firewall rules, etc. All you’re losing is a layer of horrible complexity.