IPv6 – Equivalent to IPv4 RFC1918 Addresses

ipv6

Having a hard time wrapping my head around IPv6 here. A lot of the lingo seems targeted at enterprise-level IPv6 deployments, discussing link-local, site-local, global unicast, scopes, etc. Not a lot of solid information on really small networks, like home networks. I want to check my thinking and make sure I am getting the correct translations from IPv4-speak to IPv6-speak.

The first question is, what's the equivalent of RFC1918 for IPv6? Initial searches suggested there was no equivalent. Then I stumbled upon Unique Local Addresses (RFC4193), and that states that all ULA's should be assigned the prefix fc00, followed by a 40-bit random number in the routing prefix. This random number is to "prevent collisions when two IPv6 networks are interconnected" — again, another reference to an enterprise-level function.

If I have a small local LAN at home, numbered using 192.168.4.0/24, what's my equivalent in IPv6's ULA scope? Assuming I will never, ever, tie that IPv6 address into the real internet (a router will NAT & firewall it), can I ignore the RFC to an extent and go with fc00::4:0/120?

It also seems that any address in fc00::/7 are to be globally routable. Does this mean I'll need extra protections so my router would not automatically start advertising these private IPv6 addresses to the world?

Second question, what's this link-local thing? Reading suggests a default-assigned address in the fe80::/10 range that has the last 64bits of the address comprised of the interface's MAC address. Seems to be required, too, but I'm annoyed by the constant discussion of it in relation to enterprise networks.

Third question, what is scope id for? Seems to be yet another term tossed around in relation to enterprise networks, especially when interconnecting them, but almost no explanation on the smaller home network level.

Can I see a scope ID AND CIDR notation used together? I.e., fc00::4:0/120%6, or are scope IDs only supposed to be applied to a single /128 IPv6 address?

Best Answer

The "Unique Local Address" is exactly what you're looking for. fc00::/7 gives you enough bits that if you generate a random number instead of just picking one the chances of collision are small.

Does this mean I'll need extra protections so my router would not automatically start advertising these private IPv6 addresses to the world?

The RFC that covers these ULAs (RFC4193) specifically states that these numbers should not be routed on the internet, though two peers may mutually agree to pass certain prefixes. Unless Comcast decides to unilaterally route these (unlikely in the extreme) you should have no worries about route advertisement.

Assuming I will never, ever, tie that IPv6 address into the real internet (a router will NAT & firewall it), can I ignore the RFC to an extent and go with fc00::4:0/120?

Don't assume that. For instance, Comcast is currently doing IPv6 trials and they're passing out /64's to end-users (slide 5); not just the single address they're doing with IPv4. This means that their now-running IPv6 testers have the option of running with globally routeable addresses, but firewalled by their router, or do some kind of NAT with either link-local or unique-global-addresses.

However, running without any kind of address translation is not as insane as it sounds. Keep in mind a few points.

Comcast is handing out a /64 subnet to you, so your attacker already knows what your IP space looks like.
A /64 provides a mind bogglingly huge number of potential addresses. 2^64 worth! That's four billion IPv4 Internet's worth of IP addresses. (2^64 == 2^32 * 2^32. Four billion times four billion .) While the nature of IPv6 autoprovisioning reduces the actual number of addresses that need scanning, scanning it is still infeasible.
Unless you set up your own domain to provide it, Comcast will not be providing forward or reverse DNS lookups to your /64-worth of IP addresses. This greatly reduces the ability of attackers to recon your network.
Running without NAT makes certain network problems easier, and certainly makes undesirable but very popular peer-to-peer technologies (you know what I'm talking about) a lot easier to get up and running.

Running without a firewall is still just as insane as it sounds, though. Happily, you can do firewalling without having to NAT.

Second question, what's this link-local thing?

Think of it as able to reach anything in the current broadcast domain, and can not be routed. Like NetBEUI-of-old. In fact, if your home network is completely flat you can use these addresses instead of Unique Local Addresses.

Third question, what is scope id for?

It's used for two different things, which makes it annoying to describe:

Thing 1: Multicast. It defines how far the multicast packet is intended to reach.

Thing 2: (What I think you're referring to) This is used on a URI as a way of defining which interface to use. It's used primarily with link-local addresses. It should never be used in conjunction with CIDR notation, so the two syntaxes should never be combined.

Related Solutions

IPv6: Should I have private addresses

Alright, let's reply by parts

1) Private addresses

ipv6 has different "scopes" so you can have a local scope and a global scope, ipv6 is smart enough to know who's what and to regulate traffic accordingly so you can have a local non-routable network on ipv6 without any problem at all, actually it comes by default as that

2) Dump ipv4 and run only ipv6

All ipv6 implementations so far are dual stack so you can comfortably run both, and I would definitely recommend you to run both, there's no damage in doing that and ipv4 is not going away for a long time, although ipv6 is very cool completely dropping ipv4 is not something I would do.

3) Short questions

a) No technical disadvantages, on the contrary! Lots of cool stuff, automatic assignation of addresses, anycast, native ipsec, it's quite cool b) Firewalls should be good, but there's some specific firewall rules that you should pay attention to like allowing local-link scope traffic, allow multicast on ipv6 and disable processing of RH0 packets, also have in mind that icmpv6 is a completely new protocol and ipv6 is a lot more dependant on it than icmp on ipv4 so filtering it is not a good idea c) As far as I know most of linux services support ipv6 without any problem, dual stack ftw!

Also it's not bad to get yourself familiar with all the ipv6 new specs, have a look at http://en.wikipedia.org/wiki/IPv6 for starters

Windows 7 Client gets incorrect IPv6 Prefix Length

Provided you issue route print command on Windows Client machine you would realize that something like this is present:

  ::1/128                            On-link
  fe80::/64                          On-link
  fe80::/64                          On-link
  fe80::4538:b2f1:41f0:213/128       On-link
  fe80::88a8:ec4a:b2d:fea6/128       On-link
  fd00:17ef::395a:803e:4fc5:dfae/128 On-link

Notice that there is NO /64 prefix for your fd00:17ef:: this is because DHCPv6 in Windows is not issuing Prefix Lenght. Router is supposed to do that. If you have no router in IPv6 test-lab you can't ever test IPv6 properly.

However if you want to use your Windows machine as a IPv6 router here is an easy fix for you (run on Windows server):

netsh interface ipv6 set interface "Local Area Connection" advertise=enabled
netsh interface ipv6 set route fd00:17ef::/64 "Local Area Connection" publish=yes

Please note that you should generate ULA adresses according to RFC 4193 - or click here: http://unique-local-ipv6.com/

PS: I have realized this is 3 years old question, but google still returns it, so I did some research and put it here so others can find:)

Best Answer

Related Solutions

IPv6: Should I have private addresses

Windows 7 Client gets incorrect IPv6 Prefix Length

Related Topic