Two things are getting confused here:
- classful addressing vs CIDR
- Masquerading / NAT
Going from classful addressing to Classless Inter Domain Routing (CIDR) was an improvement that made the address distribution to ISPs and organisations more efficient, thereby also increasing the lifetime of IPv4. In classful addressing an organisation would get one of these:
- a class A network (a /8 in CIDR terms, with netmask 255.0.0.0)
- a class B network (a /16 in CIDR terms, with netmask 255.255.0.0)
- a class C network (a /24 in CIDR terms, with netmask 255.255.255.0)
All of these classes were allocated from fixed ranges. Class A contained all addresses where the first digit was between 1 and 126, class B was from 128 to 191 and class C from 192 to 223. Routing between organisations had all of this hard-coded into the protocols.
In the classful days when an organisation would need e.g. 4000 addresses there were two options: give them 16 class C blocks (16 x 256 = 4096 addresses) or give them one class B block (65536 addresses). Because of the sizes being hard-coded the 16 separate class C blocks would all have to be routed separately. So many got a class B block, containing many more addresses than they actually needed. Many large organisations would get a class A block (16,777,216 addresses) even when only a few hundred thousand were needed. This wasted a lot of addresses.
CIDR removed these limitations. Classes A, B and C don't exist anymore (since ±1993) and routing between organisations can happen on any prefix length (although something smaller than a /24 is usually not accepted to prevent lots of tiny blocks increasing the size of routing tables). So since then it was possible to route blocks of different sizes, and allocate them from any of the previously-classes-A-B-C parts of the address space. An organisation needing 4000 addresses could get a /20, which is 4096 addresses.
Subnetting means dividing your allocated address block into smaller blocks. Smaller blocks can then be configured on physical networks etc. It doesn't magically create more addresses. It only means that you divide your allocation according to how you want to use it.
What did create more addresses was Masquerading, better known as NAT (Network Address Translation). With NAT one device with a single public address provides connectivity for a whole network with private (internal) addresses behind it. Every device on the local network thinks it is connected to the internet, even when it isn't really. The NAT router will look at outbound traffic and replace the private address of the local device with its own public address, pretending to be the source of the packet (which is why it was also known as masquerading). It remembers which translations it has made so that for any replies coming back it can put back the original private address of the local device. This is generally considered a hack, but it worked and it allowed many devices to send traffic to the internet while using less public addresses. This extended the lifetime of IPv4 immensely.
It is possible to have multiple NAT devices behind each other. This is done for example by ISPs that don't have enough public IPv4 addresses. The ISP has some huge NAT routers that have a handful of public IPv4 addresses. The customers are then connected using a special range of IPv4 addresses (100.64.0.0/10, although sometimes they also use normal private addresses) as their external address. The customers then again have a NAT router that uses that single address they get on the external side and performs NAT to connect a whole internal network which uses normal private addresses.
There are a few downsides to having NAT routers though:
- incoming connections: devices behind a NAT router can only make outbound connections as they don't have their own 'real' address to accept incoming connections on
- port forwarding: this is usually made less of a problem by port forwarding, where the NAT router dedicates some UDP and/or TCP ports on its public address to an internal device. The NAT router can then forward incoming traffic on those ports to that internal device. This needs the user to configure those forwardings on the NAT router
- carrier grade NAT: is where the ISP performs NAT. You won't be able to configure any port forwarding, so accepting any incoming connections (bit torrent, having your own VPN/web/mail/etc server) becomes impossible
- fate sharing: the outside world only sees a single device: that NAT router. Therefore all devices behind the NAT router share its fate. If one device behind the NAT router misbehaves it's the address of the NAT router that ends up on a blacklist, thereby blocking every other internal device as well
- redundancy: a NAT router must remember which internal devices are communicating through it so that it can send the replies to the right device. Therefore all traffic of a set of users must go through a single NAT router. Normal routers don't have to remember anything, and so it's easy to build redundant routes. With NAT it's not.
- single point of failure: when a NAT router fails it forgets all existing communications, so all existing connections through it will be broken
- big central NAT routers are expensive
As you can see both CIDR and NAT have extended the lifetime of IPv4 for many many years. But CIDR can't create more addresses, only allocate the existing ones more efficiently. And NAT does work, but only for outbound traffic and with higher performance and stability risks, and less functionality compared to having public addresses.
Which is why IPv6 was invented: Lots of addresses and public addresses for every device. So your device (or the firewall in front of it) can decide for itself which inbound connections it wants to accept. If you want to run your own mail server that is possible, and if you don't want anybody from the outside connecting to you: that's possible too :) IPv6 gives you the options back that you used to have before NAT was introduced, and you are free to use them if you want to.
You are correct that 6to4 is for allowing IPv6 hosts (actually whole networks of IPv6 hosts) to talk to other IPv6 hosts. It does that by doing automatic tunnelling: putting the IPv6 packet into an IPv4 packet. This is done by a router that has both IPv4 and IPv6. That IPv4 packet can then be transmitted over the IPv4 internet (which doesn't know how to handle IPv6 at all) to another router that has both IPv4 and IPv6. The IPv4 wrapper is taken off, and the IPv6 packet can travel to its destination.
This is just basic tunnelling. What makes 6to4 so special? It is that the IPv4 address of the router is communicated inside the IPv6 prefix. For example: the addresses between 2002:c000:0204:0000:0000:0000:0000:0000 and 2002:c000:0204:ffff:ffff:ffff:ffff:ffff can be reached by wrapping (encapsulating) the IPv6 packet inside an IPv4 packet and sending that packet to IPv4 address 192.0.2.4 (c0=192, 00=0, 02=2, 04=4). That makes it possible for people whose provider doesn't give them IPv6 but does give them a public IPv4 address to get their own IPv6 addresses. With a /48 you can create 65536 subnets (which are a /64 each).
The problem occurs when communicating with systems that have 'normal' IPv6 addresses. Such addresses don't have an IPv4 address encoded in the IPv6 address and therefore the 6to4 router doesn't know which IPv4 address to send the packets to. So it has to send them to a 3rd-party relay that is connected to the normal IPv6 internet. The quality of such relays is very unpredictable, and therefore the connectivity to the normal IPv6 internet is often bad. Therefore such deployment of 6to4 is deprecated (see RFC7526).
If you want IPv6 access then first complain to your ISP. If they don't want to provide IPv6 then find a decent ISP that does. If you can't get IPv6 from an ISP then you should look at i.e. tunnelbroker.net. They provide free IPv6 tunnels with proper connectivity. It's not optimal, but it's much much better than unreliable 6to4.
Based on the chat discussion some extra information:
6to4 is an obsolete technology. It was meant to give IPv6 addresses and routeability to people whose ISP didn't provide proper IPv6. A quick overview:
- you need a device with a public IPv4 address
- From that IPv6 address you derive a /48 prefix to use with 6to4
- so my address (37.77.56.75) would become 2002:254d:384b::/48
- that prefix can then be used to provision my whole house/business/etc with IPv6
- that is where you need subnetting
- the device with the public IPv4 address is the gateway between my internal IPv6 network and the rest of the IPv6 world
- and your LANs are numbered out of that 2002:....:....::/48 prefix
And that's it basically :)
The problem with 6to4 is that it needs 3rd-party relays on the internet to relay between the IPv4 internet (to which your 6to4 gateway is connected) and the real IPv6 internet. And you usually have no control over which relays are used for your outbound traffic, and you certainly never have control over which relays are used for your inbound traffic. This causes many many problems with reliability. Connectivity to some IPv6 sites may work, to others it may not, or performance is really unpredictable etc etc etc.
So it is therefore better to use i.e. tunnelbroker.net. They provide proper tunnels straight to the real IPv6 internet :)
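The 6to4 address arithmetic from this answer (IPv4 address to 2002::/48 prefix, the /64 subnets inside it, and the decision a 6to4 router makes between encapsulating directly and handing off to a relay), as an added example that is not part of the original post. The code is mine: the list of non-public IPv4 ranges it refuses is my own choice (RFC 1918, the 100.64.0.0/10 CGNAT range the answer mentions, loopback and link-local), and the relay address is passed in by the caller rather than assumed.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")

# Ranges that cannot serve as a 6to4 endpoint because they are not routable on
# the public IPv4 internet (selection is mine; the answer mentions private and
# 100.64.0.0/10 CGNAT addresses as the typical reasons 6to4 does not work).
NON_PUBLIC_V4 = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
)]


def sixto4_prefix(ipv4):
    """Derive the /48 6to4 prefix for a public IPv4 address: 2002:VVVV:WWWW::/48.

    The 32-bit IPv4 address occupies bits 16..47 of the IPv6 address, i.e. it
    is shifted left by 128 - 16 - 32 = 80 bits.
    """
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in NON_PUBLIC_V4):
        raise ValueError(f"{v4} is not a public IPv4 address, 6to4 needs one")
    return ipaddress.IPv6Network((int(SIXTO4.network_address) | (int(v4) << 80), 48))


def embedded_ipv4(ipv6):
    """Return the IPv4 tunnel endpoint encoded in a 6to4 address, or None.

    This is exactly what a 6to4 router can and cannot learn from a destination:
    a 2002::/16 address carries its endpoint, a native IPv6 address does not.
    """
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def next_hop(ipv6_dst, relay_ipv4):
    """Decide where the encapsulating IPv4 packet goes.

    ("direct", endpoint) when the destination is itself a 6to4 address;
    ("relay", relay_ipv4) for native IPv6, which is the unreliable path that
    led RFC 7526 to deprecate anycast 6to4 relays.
    """
    endpoint = embedded_ipv4(ipv6_dst)
    if endpoint is not None:
        return ("direct", str(endpoint))
    return ("relay", relay_ipv4)


def subnet_count(prefix48):
    """Number of /64 subnets inside the given prefix (65536 for a /48)."""
    return 2 ** (64 - prefix48.prefixlen)


def subnet(prefix48, subnet_id):
    """Pick /64 number subnet_id (0..65535) out of the /48; it lands in hextet 4."""
    if not 0 <= subnet_id < subnet_count(prefix48):
        raise ValueError("subnet id out of range for this prefix")
    return ipaddress.IPv6Network((int(prefix48.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    p = sixto4_prefix("37.77.56.75")        # the address from the answer above
    print(p, subnet_count(p), subnet(p, 1))
    print(embedded_ipv4("2002:c000:204:1::1"))
    print(next_hop("2001:db8::1", "192.0.2.99"))   # relay address is a placeholder
```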
Best Answer
With a very few exceptions, IPv6 will use /64 networks: 64 bits for the Network ID, and 64 bits for the Interface ID. You may see /128 for a host address, and /127 or /126 for a point-to-point link. When you see anything less than /64, e.g. /48, you are seeing a network block that is to be divided into /64 networks.
IPv6 notation only uses the CIDR notation, not a network mask. IPv4 addresses are 32 bits, so the maximum mask length is /32. IPv6 addresses are 128 bits, so the maximum mask length is /128.
You should investigate RFC 4291, IP Version 6 Addressing Architecture, and RFC 5952, A Recommendation for IPv6 Address Text Representation.
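The 64/64 split and the mask-versus-prefix-length point from this answer, as an added example that is not part of the original answer. The code is mine and relies only on the standard library: it converts between IPv4 dotted netmasks and prefix lengths (rejecting non-contiguous masks), splits an IPv6 address into its 64-bit Network ID and Interface ID, and labels a prefix length the way the answer does; the 2001:db8:: addresses are constructed documentation addresses.

```python
import ipaddress


def mask_to_prefixlen(mask):
    """IPv4 dotted netmask -> prefix length, e.g. 255.255.255.0 -> 24.

    IPv4Network validates the mask, so a non-contiguous mask such as
    255.0.255.0 raises ValueError instead of yielding a bogus length.
    """
    return ipaddress.IPv4Network("0.0.0.0/" + mask).prefixlen


def prefixlen_to_mask(plen):
    """IPv4 prefix length -> dotted netmask, e.g. 20 -> 255.255.240.0."""
    return str(ipaddress.IPv4Network(("0.0.0.0", plen)).netmask)


def split_ipv6(addr_with_prefix):
    """Split an IPv6 address into its 64-bit Network ID and 64-bit Interface ID.

    The split is always at bit 64 regardless of the configured prefix length;
    the prefix length is reported separately so a caller can see when an
    address is not on a /64 (host /128, point-to-point /127 or /126, ...).
    """
    iface = ipaddress.IPv6Interface(addr_with_prefix)
    n = int(iface.ip)
    return {
        "prefixlen": iface.network.prefixlen,
        "network": str(iface.network),
        "network_id": n >> 64,
        "interface_id": n & ((1 << 64) - 1),
    }


def role(prefixlen):
    """Label a prefix length the way the answer above categorises them."""
    if not 0 <= prefixlen <= 128:
        raise ValueError("IPv6 prefix length must be 0..128")
    if prefixlen == 128:
        return "host address"
    if prefixlen in (127, 126):
        return "point-to-point link"
    if prefixlen == 64:
        return "subnet"
    if prefixlen < 64:
        return "block to be divided into /64 subnets"
    return "non-standard length between /65 and /125"


if __name__ == "__main__":
    print(mask_to_prefixlen("255.255.240.0"), prefixlen_to_mask(24))
    print(split_ipv6("2001:db8:1:2:3:4:5:6/64"))
    print(role(48), role(64), role(127), role(128))
```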