# Notes on IPv6

I spent the last two weeks studying IPv6. It began because I was experimenting with DirectAccess on my virtual lab and that uses IPv6, which I was sort of familiar with from my FreeBSD days but hadn’t explored in a while (and it’s been a while). What follows is my notes from the various blog posts and articles I read. It is not meant to be an explanatory post, mainly something for me to refer back to later.

• IPv6 has 128 bit addresses vs 32 bit addresses of IPv4
• The “v6” and “v4” stand for version 6 and version 4 respectively. Before I began reading about IPv6 I though the 4 and 6 stood for the number of dot or colon separated groups (which is all the more silly because IPv6 addresses have 8 groups and not 6!)
• IPv4 puts these 32 bits as 4 groups of 8 bits (a byte). 8 bits gives you 256 combinations (2^8) so that’s why each group is a number from 0-255.
• IPv6 puts these 128 bits in 8 groups of 16 bits each. That is, twice the number of groups as IPv4 and twice the bits in each group. Remember that!
• 16 bits in each group means you have 65536 (2^16) combinations. So each group can have a number from 0-65535.
• To make the number in each group smaller and easier to handle, one can increase the number of digits used. That is, instead of restricting to digits 0-9 we also add a-f, giving us a total of 16 digits to use (‘a’ is short for 10, ‘b’ short for 11, and so on). This way of representing numbers is called Hexadecimal and while the range was from 0-65535 with 10 digits (decimal), now it is from 0-FFFF with 16 digits (hexadecimal).
• To avoid confusion hex digits can be prefixed with a `0x` to indicate their nature. So `0xa` is the hex digit `a`, not the alphabet a.
• In an IPv4 unicast address (an address which specifies a single device on the network) the address has a variable host part and network part. But in the case of an IPv6 unicast address half the bits (64) are for the host and half the bits (64) for the network.

The advantages behind IPv6 are not only that it has more addresses, but also that it has features not present in IPv4. One of these is stateless address autoconfiguration (SLAAC).

• Devices on the network use the Neighbour Discovery Protocol (NDP) to get details of the network (the network prefix, the MTU, duplicate addresses, redirects, etc). (See also this page).
• IPv6 routers periodically send Router Advertisement messages. These are also sent in reply to Router Solicitation messages sent by devices on the network.
• It is not not necessary to have routers for the Router Advertisement messages. Servers too can send this. Linux has the Router Advertisement Daemon. Windows has this in-built and it can be enabled & configured via `netsh`.
• Devices also send each other Neighbour Solicitation messages and reply with Neighbour Advertisement messages. This way they can ensure the neighbour device is still reachable.
• One of the items (optional) in the Router Advertisement is the network prefix. This is a globally unique 64-bit value. Consists of a 48-bit globally unique prefix followed by a 16-bit subnet ID that is unique within the network.
• Devices can autoconfigure their IPv6 address using the network prefix and their MAC address and/or a random number.
• This method is called Stateless because no one keeps track of the addresses. Routers don’t know the device IPv6 addresses, unlike a DHCP server. All routers do is to provide the network prefix, rest is up to the devices.
• SLAAC can be disabled on the device. Or the router can be configured to not send the prefix information.
• On Windows the `netsh` command can do both of this.

While IPv4 addresses use a period to separate the groups, IPv6 uses colons. Since IPv6 addresses are very long, there are a few tricks to shorten them:

• One or more leading zeroes in a group can be omitted. So 0017 can be written as 17.
• Just once, one or more consecutive groups of zeroes – viz in 0000:0000:1234 – can be replaced with a double colon like this – ::1234. This can only be done once and the recommendation is to not do it for just one group of zeroes.
• To give an example, say we are given an address such as 2001:12cd::1. To work out what this stands for we start with remembering that there must be 8 groups. There’s only 3 here, and since then double colons indicate groups of zeroes, in this case they indicate 5 groups of zeroes. Also the final group of 1 is actually 0001.
• This is why the double colon can only be used once. If there were two double colons there would be no way of know how the hidden 5 groups of zeroes are to be distributed.

• Unspecified address: :: (all 128 bits are 0)
• Used as the source address, but never as destination address, when the interface is yet to get an address.
• Default route: ::/0 (equivalent to 0.0.0.0./0)
• Loopback address: ::1/128 (equivalent to 127.0.0.1/8)
• Unlike IPv4 only ::1 can be used as the loopback address. Cannot use ::2 etc.
• Global unicast addresses: 2000::/3 prefix
• 64 bits of network prefix followed by 64 bits of host address.
• Network prefix is 48 bits of Organization prefix followed by 16 bits of subnet ID.
• First three bits are 001. How? 2000::/3 prefix means only the first 3 bits are set. So even though 2000 looks like a 16 bit hex number, only the first 3 bits are used, rest 13 don’t matter. 2 = 0010, so the first three bits are 001.
• The first group is then written as (001x)(xxxx)(xxxx)(xxxx). (001x) can be 0010 or 0011 – i.e. 2 or 3. So the actual range of the first group is 2000::/16 to 3ffff::/16.
• Next 45 bits are the global routing prefix. These are the assigned by whoever allocates you IPv6 addresses (usually an ISP).
• Subnet ID is unique within the organization.
• However, you don’t always get this – it is decided by the address allocator.
• The allocator need not always go with a /48 (3+45 bits) block address. They could use the subnet ID bits too and assign a /64 block – leaving you with no subnets!
• If a /64 block organization prefix is assigned, it means you have no bits for subnets. If a /60 block is assigned you have some bits (4 bits for subnet – so 2^4 = 16 subnets). And so on … This is what the /xx subnet mask of your network prefix means for you – how many subnets you can have.
• /64 block => 0 subnets
• /60 block => 16 subnets
• /56 block => 256 subnets
• /52 block => 4096 subnets
• /48 block => 65536 subnets
• The 64 bits of host address is manually specified, automatically generated via SLAAC or assigned by DHCPv6.
• Link-local addresses: fe80::/10 prefix; the actual assignment is from fe80::/64 so easier to remember it as /64. (equivalent to 169.254.0.0/16)
• First 10 bits are FE8 (`0xF` is 1111, `0xE` is 1110, `8` is 1000). Rest 54 bits are 0 – i.e a single subnet of all zero bits.
• The 64 bits of host address are automatically assigned (randomly or by expanding the MAC address via EUI-64). These may also be assigned manually.
• Unlike IPv4, IPv6 requires a link-local address to be assigned to every network interface on which the IPv6 protocol is enabled, even when one or more routable addresses are also assigned. So IPv6 devices have more than one IPv6 address assigned to them.
• On Windows link-local addresses are created by default for ISATAP too. The host bit is created by prefixing 0200:5efe (for public IPs) or 0000:5efe (for private IPs) in front of the 32 bits of IPv4 address.
• Packets with source address as a link-local IP cannot cross the router. All IPv6 networks use the same fe80::/64 prefix.
• These addresses are not to be published in DNS as they are unique only for the link. Not unique even within the organization.
• Suggestion: Set fe80::1 as the router address for each interface. This way you don’t have to remember the longer address. Also easy to troubleshoot.
• Unique local addresses (ULA): fc00::/7 (equivalent to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
• Similar to link-local addresses but routers will allow them to cross subnets within the site (no clear definition of what constitutes a site; it is up to your border router to block the fc00::/7 packets from crossing out – you define your site!).
• Unlike link-local addresses, these are globally unique addresses (not guaranteed, but there is a high probability it will be globally unique if you followed the correct steps).
• Since the mask is /7, only the first 7 bits are used. `0xF` = 1111, `0xC` = 1100, `0x0` = 0. So the first 7 bits are 1111110 – basically the `0xFC` bits. The zeroes in fc00 are not really zeroes. They are only put as zeroes to complete the group and they don’t matter for the network prefix (because of the mask).
• Notice though that while the first 7 bits are 1111 – `0xF` – and 110 – `0xC` – the latter can be written as `0xC` only if the eight bit is 0. This is because `0xC` is 1100, but since the last bit doesn’t come under the network mask it is not fixed and can be 1 too. In which case `0xC` becomes `0xD`.
• This is intentional. This way the fc00::/7 prefix can be thought of as as two prefixes – fc00::/8 and fd00::/8.
• This 8th bit is called an L flag. L == Local. The idea being that in future there could be a central authority that might assign globally unique ULAs. To avoid any clashes with such a scenario, addresses assigned by that authority will have the L flag set as 0 (not local) while addresses generated by non-central now will have the L flag set as 1 (local). Thus –
• fd00::/8 == Unique Local locally assigned Addresses
• fc00::/8 == Unique Local centrally assigned Addresses
• All ULAs generated by users are supposed to be in the fd00::/8 prefix.
• So that’s the first 8 bits. You still have 64 – 8 = 56 bits for the network prefix. These are made thus:
• 40 bits of a random number. Generated by you. High probability of uniqueness. Suggested algorithm here.
• 16 bits for subnets.
• That’s 65536 subnets so an organization mostly only needs one 40 bit random number for all its networks. Everything can be a subnet of that.
• ULAs can be published in DNS. As they work across the site.
• See this page for more. And this. Also see RFC 4193 on how to generate, and the rationale behind ULAs.
• Visit https://www.sixxs.net/tools/grh/ula/ to generate ULAs following the RFC 4193 method and also register the address with the website. If everyone were to do this, the website can ensure ULAs are unique.
• Stateless IP/ICMP Transition address: ::ffff:0:0:0/96
• If a device has IPv4 address a.b.c.d then its IPv6 address can be assigned as ::ffff:0:a.b.c.d.
• The IPv6 network bit takes 96 bits. Balance is 32 bits for the host – which is the IPv4 address.
• The network block is all zeroes (hence the ::).
• The host bit has 16 bits of ones (ffff) followed by 16 bits of zeroes (0), followed by 32 bits of the IPv4 address.
• This prefix was chosen to yield a zero-valued checksum to avoid changes to the transport protocol header checksum (RFC 2765).
• One-to-closest-of-many
• Any type of address valid for Unicast (Link-Local, Site-Local, ULA or Global) also is valid for Anycast.
• A sending node does not do anything special when sending traffic to an Anycast destination. The network will route your traffic to the nearest one of the nodes (in the network metric sense) that has had that anycast address assigned to it.
• An Anycast connection is still one-to-one, just like Unicast. It just is done to the closest node that has the Anycast address assigned to it. All three Transport Layer protocols (UDP, TCP and SCTP) work with Anycast.
• Multicast address: ff00::/8 prefix (i.e. 8 ones and 8 zeros, but the 8 zeros don’t matter as the mask is /8. They are zeros just to complete the group)
• One-to-many
• Only for UDP and SCTP (TCP is too complex to do multicast; sender has to keep track of all the recipients, whether they received etc).
• A multicast address contains a group.
• Multicast address format is thus:
• 8 bits of 1 (the “`0xff`”) – this is the mask so these are the fixed bits
• 8 bits of flags & scope:
• 4 bits of flags
• 4 bits of scope – `0x0` to `0xf` – so the last digit in the first group of the IPv6 address tells you the scope
• Scope 1 = Interface-local
• Scope 2 = Link-local (the subnet)
• Scope 4 = Admin-local (smallest scope that can be administratively managed … whatever that means)
• Scope 8 = Organization-local (the collection of sites managed by the organization, linked by VPN or whatever)
• All the above scopes are LOCAL. The next one is global.
• Scope E = Global (any node on the Internet, not filtered by routers).
• 112 bits of group ID
• There are many well known groups apart from the user defined ones. Examples:
• Group 1 = Node
• Group 2 = Router
• Group 5 = OSPF IGP router
• Group 1:2 = DHCPv6 servers/ relay agents
• Group 1:3 = DHCPv6 servers or LLMNR hosts (depends on the scope)
• Remember multicasts are only for UDP …
• Every IPv6 node (that is not forwarding) is a part of the following groups:
• ff01::1 – All nodes in local interface
• Scope is 1 (interface-local), Group is 1 (node)
• ff02::1 – All nodes in local link
• Scope is 2 (link-local/ the subnet), Group is 1 (node)
• Windows nodes are part of the following groups:
• ff02::c – Simple Service Discovery Protocol
• Scope is 2 (link-local/ the subnet), Group is c
• ff02::1:3 – Link-Local Multicast Name Resolution
• Scope is 2 (link-local/ the subnet), Group is 1:3 (LLMNR hosts)
• Every IPv6 router is a part of the following groups:
• ff02::5 – All nodes in local site
• Scope is 2 (link-local/ the subnet), Group is 5 (IGP routers)
• Solicited node multicast address: created for each unicast and anycast address
• ff02::1:ff___, with last 24 bits equal to last 24 bits of the unicast/ anycast
• Scope is 2 (link-local/ the subnet)
• From here:
• The result of using the solicited-node multicast address is that address resolution, which commonly occurs on a link, is not required to use a mechanism that disturbs all network nodes. In fact, very few nodes are disturbed during address resolution. In practice, because of the relationship between the Ethernet MAC address, the IPv6 interface ID, and the solicited-node address, the solicited-node address acts as a pseudo-unicast address for very efficient address resolution.
• Some well-known multicast groups:
• Remember! Last digit of first group is the scope (link, organization, site, global, etc). Last digit of the last group is the group (nodes, routers, etc).
• ff02::1 – Scope 2 (link-local), Group 1 (nodes)
• ff05::1 – Scope 5 (organization-local), Group 1 (nodes)
• ff02::2 – Scope 2 (link-local), Group 2 (routers)
• ff05::2 – Scope 2 (organization-local), Group 2 (routers)
• ff02::fb – Scope 2 (link-local), Group fb (DNS servers)
• ff05::fb – Scope 5 (organization-local), Group fb (DNS servers)
• ff02::1:3 – Scope 2 (link-local), Group 1:3 (DHCPv6 servers)
• ff05::1:3 – Scope 5 (organization-local), Group 1:5 (DHCPv6 servers)
• Teredo: 2001:0::/32 prefix.
• 6to4: 2002::/16 prefix.
• Host bit is 0200:5efe (for public IPs) or 0000:5efe (for private IPs) followed by 32 bits of IPv4 address

## Scopes

• Unicast has 1) Link-local, 2) Global, 3) Unique-local, and 4) Interface-local (loopback).
• Multicast has 1) Link-local, 2) Global, 3) Interface-local, 4) Organization-local, 5) Site-local, and 6) Admin-local.
• Note: No Unique-local.
• The interface-local scope spans a single interface only. A multicast address of interface-local scope is useful only for loopback delivery of multicasts within a node, for example, as a form of interprocess communication within a computer. Unlike the unicast loopback address, interface-local multicast addresses can be joined on any interface (from this page, has good info on the other scopes too).
• More here.

This is just the tip of the ice berg, of course!