
IPv6 – CompTIA A+ 220-1101 – 5.9

Let’s have a look at IPv6.

IPv6
IPv6 is the successor of the IPv4 protocol. There are a lot of differences between the two, with the most noticeable being the IP address has expanded from 32 bits to 128 bits. To get an idea of how many IP addresses this is, if you consider that a single IP address was a grain of sand, the total number of IPv4 addresses would fill a dump truck. In contrast, the number of IP addresses for IPv6 would fill an area the size of the sun.

IPv6 was first released back in 1995. There was initially a lot of push for it to be deployed because the world was running out of IPv4 addresses. However, this was delayed because many methods were deployed to reduce the number of IP addresses needed. In addition, new techniques allowed IP addresses that previously could not be used to be put into use. However, in 2011, the last IPv4 address was assigned to ISPs by the regional internet registries. Even so, we still seem to be making good use of the IPv4 addresses that we have, but eventually, we are all going to have to move to IPv6.

You will not hear IPv5 being used because this was an experimental protocol called the Internet Stream Protocol, although officially it was never called IPv5 or released to the public. Let’s have a look at how IPv6 adoption is going.

IPv6 Adoption
IPv6 adoption was initially slow. This was mainly due to initially high IPv6 equipment costs and lack of support; for example, operating system support. Google estimates that 42% of its connections are from IPv6 users. Thus, I doubt that we are getting rid of IPv4 any time soon.

Dual Stack
The good news is that both protocols can be run at the same time, which is called dual stack. Most routers and operating systems support both protocols. If you purchase a really cheap router, it may not support IPv6, but any mid-range or high-range devices should nowadays.

Modern operating systems will try IPv6 first, then fall back to IPv4 if this fails. IPv6 was first introduced in Windows XP; back then, it was not the primary protocol, and IPv4 was attempted first. In all subsequent Windows operating systems, IPv6 became the primary protocol and thus is always tried before IPv4.

There are a lot of differences between IPv6 and IPv4; let’s first start by looking at how the addresses have changed.

IPv6 Address
IPv6 addresses are 128 bits in length, as opposed to IPv4 addresses being 32 bits. IPv6 addresses are written in hexadecimal notation, delimited by colons into blocks of four hexadecimal digits. These addresses may look difficult to understand at first, but once you start breaking them down, they get a lot simpler.

The first breakdown is the network ID and interface ID. Each is 64 bits in length. In IPv4, to work out the network ID and interface ID, you required a subnet mask. This is no longer the case. The first 64 bits are always the network ID, and the last 64 bits are always the interface ID. Subnetting still exists in IPv6, but it is very different from IPv4. More on that later in the video. Let’s now have a look at how we can make the IP address a little easier to understand.

IPv6 Address Shortening
To make IPv6 addresses easy to work with, we can shorten the address. The first method we can use is to remove any leading zeros from any of the blocks in the address. We still need to leave one hexadecimal value in each block, so the most zeros we can remove from each block is three.

In my example IP address, I will remove all the leading zeros from each block. You will notice that this makes the IPv6 address shorter and easier to work with; however, there is also another method that we can use.

IPv6 Address Shortening (2)
The other method of shortening the IP address is that one run of consecutive blocks of zeros can be reduced to a double colon. In my example, there are two places where this could be done. Reducing can only be done once.

So, I can reduce the first block of zeros like this, and this would be a valid address. I could also reduce the address on the second set of zeros. As I have left the first block of zeros and only removed the second run of zeros, this address is valid.

However, if I reduce the address twice, this address is not valid. Essentially, you can’t reduce the address twice. If you were to do this, the address could be expanded into multiple different addresses, and you would not know which is the correct one. Thus, you can’t use it twice.
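The two shortening rules and the reason a second double colon is invalid, as an added Python example that is not part of the original lesson. The address is a constructed sample in the 2001:db8::/32 documentation range, and the function names are made up for this illustration.

```python
import ipaddress

# Constructed sample address (documentation range), two separate runs of zero blocks.
FULL = "2001:0db8:0000:0000:0025:0000:0000:0001"


def shorten(full: str) -> str:
    """Apply both rules: drop leading zeros, then collapse ONE run of zero blocks."""
    blocks = [format(int(block, 16), "x") for block in full.split(":")]
    if len(blocks) != 8:
        raise ValueError("a full IPv6 address has eight blocks")
    best_start, best_len, i = 0, 0, 0
    while i < 8:
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == "0":
            j += 1
        if j - i > best_len:  # longest run wins; the first run wins a tie
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:  # a lone zero block is simply written as "0"
        return ":".join(blocks)
    head = ":".join(blocks[:best_start])
    tail = ":".join(blocks[best_start + best_len:])
    return f"{head}::{tail}"


def compositions(total: int, parts: int):
    """Yield every way to split `total` zero blocks over `parts` double colons."""
    if parts == 1:
        if total >= 1:
            yield (total,)
        return
    for first in range(1, total - parts + 2):
        for rest in compositions(total - first, parts - 1):
            yield (first,) + rest


def possible_expansions(text: str) -> list:
    """Return every full address that `text` could stand for.

    One double colon has exactly one expansion. Two double colons have
    several, because nothing says how many zero blocks each one replaced.
    """
    groups = [part.split(":") if part else [] for part in text.split("::")]
    gaps = len(groups) - 1
    missing = 8 - sum(len(group) for group in groups)
    if gaps == 0:
        return [":".join(b.zfill(4) for b in groups[0])] if missing == 0 else []
    results = []
    for zeros in compositions(missing, gaps):
        blocks = list(groups[0])
        for count, group in zip(zeros, groups[1:]):
            blocks += ["0"] * count + group
        results.append(":".join(b.zfill(4) for b in blocks))
    return results


def is_valid(text: str) -> bool:
    """Ask the standard library parser whether the text is a legal address."""
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(shorten(FULL))                              # first run collapsed
    print(possible_expansions("2001:db8:0:0:25::1"))  # second run collapsed, still unique
    for candidate in possible_expansions("2001:db8::25::1"):
        print("ambiguous ->", candidate)
    print(is_valid("2001:db8::25::1"))
```

Any parser or input filter that handles IPv6 text should reject the double-reduced form outright rather than guess which expansion was meant.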

Before I start looking at the different types of addresses that IPv6 uses, I will first have a look at one of the problems that IPv4 had that IPv6 is trying to fix.

Broadcasts and Multicasts
One of the problems with IPv4 networks is the number of broadcasts the protocol uses. Broadcasts are received by all nodes on the network. Since every node on the network receives broadcast packets, this utilizes a lot of bandwidth, particularly on large networks.

In IPv4 networks, broadcasts are used for DHCP discovery. When a device is first added to the network, it does not have any configuration. In order to find a DHCP server to get configuration from, the node sends a broadcast on the network.

The other main use of broadcasts with IPv4 is to find other nodes on the network. For example, if the node is attempting to send a packet to another IP address on the same network, it will need to send out a broadcast to work out the MAC address of the other node. Thus, there is a fair amount of broadcast traffic that is generated on IPv4 networks.

IPv6, in contrast, does not use broadcasts. Instead of using broadcasts, multicasts are used. Multicast packets are only sent to certain nodes. For example, if the node needed DHCP configuration information, it would send the packet to the multicast DHCP address. Only devices that request to receive packets from the address will receive these. So essentially, the DHCP server joins the DHCP multicast group and will receive any packets sent to that group.

Multicasts are also used to find other nodes on the network rather than sending a broadcast. Thus, an IPv6 network is a lot more efficient than an IPv4 network.

For the A+ exam, you don’t need to understand how broadcasts and multicasts work. But I covered this topic to give you some context. In order to get multicast to work effectively, the node needs an IP address. However, the node may not have an IP address. The node can potentially get network configuration from the network; however, if this is not available, how does it get an IP address? Let’s have a look at how IPv6 solves this chicken-and-egg problem.

Link-local Address (fe80::/10)
I have isolated a computer from the rest of the network to have a look at what configuration it gets when there is nothing on the network to provide additional configuration. To see the network configuration, I will right-click on the start menu and select the option terminal. This will open a PowerShell window.

To see the network configuration, I will run the command IPConfig. If I were using a command shell, I would run the same command; both would give the same result.

Since this computer is isolated from other nodes on the network, it won’t be able to get any network configuration or communicate with any other nodes. You will notice that a link-local address has been configured. The link-local address will always start with fe80.

This link-local address will always be present on the network adapter, and each network adapter will have one link-local address. The link-local address is used for local network segment communication and thus is not routable. Although IP addresses are still used, which I will cover shortly, the link-local address is used for internal processes like discovering the addresses of other nodes on the network.

At the end of the link-local IPv6 address is a percent sign followed by a number. Even if you do the Network+ exam, you may not need to know what this is, but I will cover it so you understand what it is and why it is okay to forget about it as it is only used on rare occasions. After the percent sign is the zone ID. This essentially identifies the network interface on the computer.

When you add the zone ID to the end of the IP address, this forces the packet to go out of a particular interface. The only time I have found this useful is when you have multiple network adapters and are attempting to ping another link-local address on the network.

In the real world, when you ping another node using its IP address rather than the link-local address, the computer will route the packet out the correct interface so you won’t need to worry about the zone ID. When the computer has an IP address, there is no need to use the link-local address. The link-local address will get used in the background for IPv6 tasks like discovering nodes on the network. So essentially, you can generally just ignore the link-local address, just know it is needed and used in the background to get IPv6 to work. You won’t be using it directly.

The only time I have ever used the zone ID was for a very rare troubleshooting scenario where I needed to ping another node using its link-local address. As the computer had multiple network adapters, I needed to use the zone ID since it was sending the packets out the wrong interface. So, I would also not worry about the zone ID.

Now, let’s have a look at the IPv6 addresses that we can use on the internet.

Global IPv6 Addresses (2000::/3)
IPv6 addresses that are routable on the internet are currently pretty easy to recognize because they start with either a 2 or 3. Like all IPv6 addresses, the first 64 bits are the network ID and the last 64 bits are the interface ID.

The interface ID does not get routed on the internet. Only the network ID is used to make routing choices. In order to route packets on the public internet, the first 48 bits are used. This is called the global routing prefix. You may think that 48 is not many bits of the whole 128 bits, but 48 is still bigger than the 32 bits used by IPv4 for all addresses, and this is only the network part.

The next 16 bits are the subnet ID. IPv6, unlike IPv4, has dedicated bits for the subnet. Subnet masks in IPv4 are used to divide the IP address into network ID and interface ID. In the case of IPv6, dedicated bits are used, so there is no longer a requirement to use a subnet mask.

The subnet ID can be administered by an ISP or the registered owner of the IPv6 address. Thus, if a company were to register a single IPv6 address, they could internally use the IPv6 subnet using the subnet ID any way they wanted. In some cases, the ISP may use some of the subnet ID, leaving less than 16 bits for the company. In the case of a home user, the ISP will most likely use all the 16-bit subnet, leaving none for the home user to subnet themselves. Keep in mind that even with no subnet ID left to use, the interface ID is still 64-bit. It is hard to consider how large a 64-bit number is, but consider if you multiplied a billion by a billion, this would not be big enough. Thus, in theory, every device on earth could be on one network, although this would be impracticable to do.

I will now open a command prompt and ping google.com. You will notice that the IPv6 address is pinged. You will also notice that the address starts with 2 and thus is easy to recognize as a routable internet address.

Notice that when I ping Microsoft.com there is no IPv6 address for Microsoft. Since we recorded this video, Microsoft has added IPv6. But it just goes to show how long it may take for even big companies to start using IPv6. The point to take away here is that when you configure IPv4 and IPv6 together, the required protocol will be chosen for you in the background and you probably won’t even notice.

Now that I have had a look at global addresses, I will next have a look at private addresses.

Unique Local Address (fd00::/8)
The functional equivalent to IPv4 private addresses is unique local addresses. Like any other IPv6 address, they are divided into a 64-bit network ID and interface ID. Unique local addresses start with fd. There is another variant of this address type, but I have not covered it since it is not currently used.

The next part is a 40-bit global ID. I will look at the global ID in more detail in a moment. Following this is the subnet ID of 16 bits. The subnet ID can be configured by the administrator however they wish. When creating different networks in your organization, you should use the subnet ID.

The global ID should not be used to subnet your network. It has a different purpose. To understand how it works, consider that networks with different global IDs can be combined together so they route traffic between each network.

To make it so that different networks managed by different administrators can easily be combined together, it is recommended to randomize the global ID. Different global IDs also prevent accidentally routing between networks.

The global ID is a little difficult to understand at first; to understand it better, it is best to consider an example.

Unique Local Address Example
Let’s consider that we have two company networks. Both are going to use unique local addresses; however, both will not set a global ID. To make it easy to understand, let’s consider that both companies are using two networks with the subnet ID of one and two.

This is not a problem unless we decide to combine both networks. There are a number of reasons we may do this. For example, maybe the companies are part of a merger, but it may not even be that complicated. You may have different networks in the same company managed by different people or devices that create additional networks.

In this example, when the networks are combined, the networks will be duplicated. In order to transfer data between the networks, one company will need to change its addresses. On large networks, this will be a significant amount of work.

The recommended method of using unique local addresses is to use a random global ID. If I consider my two companies again, this time I will use random global IDs. Like before, I will create two networks in both companies using the subnet ID of one and two.

Now, when we combine both networks, there are no duplicated addresses and thus both networks can send packets between each other. When companies use a unique local address, it is recommended they use a random global ID.

Given that the global ID is 40 bits, this gives just over one trillion different global IDs. Although it is possible for two companies to randomly choose the same global ID, it is unlikely if you are using a good method to create a random global ID.

There is also another benefit of using random global IDs. Let’s consider that the second subnet is sending a packet to the first network. However, due to an incorrect route in a router, the packet gets sent to the other company by accident.

When the packet arrives at the other company, the router will read the packet’s global ID, which won’t be in its routing table. Thus, the router can be configured to drop the packet. Thus, if you have different networks that should never communicate with each other, for example, if you have a regular and a secure network, you can give them different global IDs. Thus, if a packet goes where it is not supposed to, assuming the network routing is configured correctly, the packet will be dropped. This adds some additional security.

I once did some work for a company that had a regular network and a secure network. For whatever reason, perhaps for testing something, a cable was plugged in, connecting both networks together. You can understand that mistakes like these or even simple misconfigurations of a network can cause packets to go where they are not supposed to. When this occurs, it helps to have systems in place like random global IDs to help prevent packets from going where they are not supposed to go. Of course, you should always have physical security and, if possible, intrusion detection set up on your network.
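The two-company merge and the misrouted-packet case from this section, as an added Python example that is not part of the original lesson. The global IDs, host addresses and function names are constructed for illustration.

```python
import ipaddress
import math
import secrets

ULA_FD = 0xFD << 120  # the fixed "fd" byte at the top of the 128-bit address


def ula_site(global_id: int) -> ipaddress.IPv6Network:
    """Return the /48 made of fd + a 40-bit global ID."""
    if not 0 <= global_id < 2 ** 40:
        raise ValueError("the global ID is 40 bits")
    return ipaddress.IPv6Network((ULA_FD | (global_id << 80), 48))


def random_ula_site() -> ipaddress.IPv6Network:
    """Pick the global ID with a cryptographic random source."""
    return ula_site(secrets.randbits(40))


def subnet(site: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Return the /64 for a 16-bit subnet ID inside a site's /48."""
    if not 0 <= subnet_id < 2 ** 16:
        raise ValueError("the subnet ID is 16 bits")
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def merge_conflicts(networks_a, networks_b):
    """List the pairs of networks that would be duplicated after a merge."""
    return [(a, b) for a in networks_a for b in networks_b if a.overlaps(b)]


def router_accepts(routes, destination: str) -> bool:
    """A router with no route for the destination's prefix drops the packet."""
    address = ipaddress.IPv6Address(destination)
    return any(address in route for route in routes)


def collision_probability(sites: int) -> float:
    """Chance that at least two of `sites` random global IDs are equal."""
    return -math.expm1(-sites * (sites - 1) / 2 / 2 ** 40)


# Case 1: neither company sets a global ID (both end up with zero).
COMPANY_A_UNSET = [subnet(ula_site(0), n) for n in (1, 2)]
COMPANY_B_UNSET = [subnet(ula_site(0), n) for n in (1, 2)]

# Case 2: each company uses its own global ID (constructed sample values).
COMPANY_A = [subnet(ula_site(0x3A5F9C2D71), n) for n in (1, 2)]
COMPANY_B = [subnet(ula_site(0xB81E44A6C0), n) for n in (1, 2)]

if __name__ == "__main__":
    print("duplicates without global IDs:", merge_conflicts(COMPANY_A_UNSET, COMPANY_B_UNSET))
    print("duplicates with global IDs:   ", merge_conflicts(COMPANY_A, COMPANY_B))
    # A packet for company A's subnet 1 that arrives at company B by mistake.
    stray = "fd3a:5f9c:2d71:1::10"
    print("company B forwards stray packet:", router_accepts(COMPANY_B, stray))
    print("chance two sites collide:", collision_probability(2))
```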

Let’s look at the next address you may use.

Loopback (::1)
The loopback address sends network traffic back to the network adapter. The traffic itself does not enter the network. It is used to test if the software or the device driver is working. The simplest way to use the loopback address is to use the ping command followed by two colons and a one using the command prompt or PowerShell.

In IPv6, there is only a single address used for the loopback address, unlike IPv4, which has a whole class of IP addresses for the loopback: essentially, any IPv4 address starting with 127.

There is one more address that I will look at, although I doubt you will be asked a question on the A+ exam, but it does help you understand a topic I will cover later in the video.

Multicast (ff00::/8)
Multicast addresses go to all nodes that are in the multicast group. You can recognize these addresses as they all start with ff. Multicast is used by IPv6 for certain functions, replacing the need to use broadcasts in IPv4. Generally, the other main use for multicast is when a lot of the same data needs to be sent to many nodes. For example, if you are installing an operating system on many computers at once over a network. This process requires a large amount of the same data to be transmitted over the network, which makes it a good use of multicast.

There are some well-known multicast addresses. It is also possible for the administrator to add their own. For example, there is a multicast address for all nodes on the network and one for all routers. The all-nodes multicast address is the closest you will get to the broadcast on an IPv6 network. Keep in mind this will only go to all nodes on the network that are IPv6.

A node joins a multicast group by sending a join request to the network and then listening for multicast traffic for that group. To stay compatible with Ethernet networks, part of the multicast address is encoded in a MAC address. I will have a look at the multicast address for all routers as an example. All IPv6 multicast MAC addresses start with four threes. Following this will be the last part of the multicast address. In this example, the multicast address for all routers ends in two with all zeros before that.

When a device like a switch receives a multicast frame, it may record the MAC address so it knows which ports to send further multicast traffic for that address out. I say may because it depends on a number of factors.

It is beyond the scope of this video to go into too much detail about how a switch handles multicast traffic, but I will provide you with the main points to be considered. What multicast features the switch supports depends on the hardware used and its configuration. The options configured can also have a positive and negative effect on performance depending on how your switch is used.

If your switch supports all multicast features and they are enabled, this can result in a very large MAC address table being kept on the switch if the switch records every multicast MAC address. We have only scratched the surface on multicast, but consider a large network with just normal multicast traffic can result in very large MAC address tables having to be recorded just for multicast traffic, which affects performance and memory required in the switch. Thus, you will find that if your switch supports multicast, it may not record every multicast MAC address depending on performance factors.

The good news is, if your switch does not support the multicast feature or multicast at all, the switch will treat the frame like a broadcast. That is, the switch will transmit the multicast out all the ports of the switch. This may sound like not much of an advantage over broadcast, but consider the network card can filter and even drop frames it does not require. With broadcast traffic, the network card is not able to filter out broadcasts; thus, there are still advantages to multicast.

To understand this process better, let’s consider an example. On this network, there are 3 nodes on the network and two routers, all connected to a switch. The routers want to receive traffic to the router multicast group. Thus, the routers will send a message to the switch saying they wish to join the multicast group.

If you are using old equipment that does not support multicast join messages, the switch will simply ignore the message. When a switch receives a multicast message, it will look at the MAC address starting with four threes and not know where it needs to be sent. When a switch does not know which port to send traffic out, it simply sends it out all the ports, and that way, the node requiring it will always get the traffic.

Now, let’s consider that one of the nodes wants to send a frame to all routers on the network. The frame just needs to embed the multicast address into the destination MAC address and send the frame. Thus, the switch in the example supports multicast and knows when it receives this frame to send the frame to the routers. The routers are listening for frames with this MAC address, and thus, when they receive it, they will process it.

It is unlikely you will get a question on this content in the A+ exam, but having a basic understanding helps understand later topics. Think of it simply like this. When a node is added to the network, the node will attempt to join certain multicast groups. For example, every node will join the all-nodes group. On a network that supports multicast, a lot of multicast frames that the node is not a member of should get filtered out by the switch. If the node receives a multicast frame that is not for that node, it will simply be dropped. Broadcasts, in contrast, can’t be dropped because they have to be processed by all nodes to see if the broadcast is for them.

Now that we have had a look at how IPv6 works, let’s now have a look at how it is configured.

SLAAC
IPv6 adds a new way of configuring nodes on the network. You can still use DHCP to configure clients, which I will look at next. The new method is called Stateless Address Auto Configuration or SLAAC.

SLAAC uses router advertisements to configure itself. A router advertisement is sent by the router to all nodes on the network periodically using the all-nodes multicast address. The router advertisement contains the network prefix for the network. Originally, it did not contain DNS servers; however, it has been expanded to include DNS servers.

It may seem strange that the original specification did not include DNS servers unless you know the history. Just like the IPv4 protocol, IP is its own protocol, and other protocols like DNS are added later. These extra protocols are worked on independently of the main IP protocol.

The original SLAAC design included only the IP protocol with the idea that other protocols would be developed later, so they just focused on IP. IPv6, for a lot of reasons, was slow to take off and be developed. DNS servers were not added until 2010.

In order to configure DNS servers using SLAAC, your device will need to support it. You will find many operating systems and devices don’t support configuring DNS servers using SLAAC. For example, this feature was not added in Windows until the Windows 10 Creators Update. In my opinion, I can understand why it was not added straight away, but I think it was a serious misstep to take so long to include DNS servers in SLAAC configuration. However, later in the video, I will look at how DHCP can be used to make up for this.

Now, let’s consider how a device on the network uses SLAAC to configure itself. The device can wait for a router to send a router advertisement. The length of time is configurable, and thus different devices will have different default times. The time between these can be several minutes and thus too long for most devices to wait.

For this reason, the device, when it starts up, will often send a router solicitation message on the network. This message is sent to all routers on the network using the multicast router address. For the A+ exam, don’t worry about remembering the multicast addresses. Simply know that multicast is used, and that what the device is will determine which multicast groups it is part of. In this case, all the routers on the network are part of the router multicast address, and thus the message is being directed to them.

Once the router receives this message, it may send out a router advertisement. I say may because if it has already sent one recently, it won’t send another. If the device does not receive a response, it most likely will send another request so it won’t be waiting long to get a router advertisement.

Once the device receives the router advertisement, it can use this to configure itself. The router advertisement will have the network prefix in it, which the client can use to configure itself. The router advertisement will have the source address where the frame came from, which is the link-local address of the router. The client will use the link-local address of the router as its default gateway. This is different from IPv4, which uses the IP address of the router.

Next, the client can configure the DNS servers from the router advertisement. Keep in mind this is optional and does not need to be included in the router advertisement. Also, older clients will not support this.

Now the client has all this information, it can configure an IP address. This will be the prefix plus the interface ID. There are two different ways the interface ID can be configured. Let’s have a look.

SLAAC Interface ID
There are two main ways that SLAAC uses to generate the interface ID. The first is the Extended Unique Identifier or EUI-64. This method uses the MAC address to generate the interface ID. The interface ID is generated using a simple method where the MAC address is mapped to the interface ID, some extra values are added, and a single bit is flipped. The point to take away here is that the MAC address is used to create the interface ID in a simple, predictable way. Using the interface ID, you can easily work out what the MAC address is.

Since the interface ID is always the same, there are some privacy concerns. To understand why, consider that you use a laptop on a public Wi-Fi point, for example, in a café. When using the Wi-Fi, your laptop will get the network prefix from the router and generate the interface ID from the MAC address.

Now, let’s consider that you connect to another Wi-Fi network at an airport. At the airport, the laptop will get the network prefix from the router and generate the interface ID once again from the MAC address. This will be used to create an IP address.

You will notice that the interface ID does not change. Since the interface ID does not change, this can be used to track the device. For example, if you access the same web server both times, the administrator of the web server can look at the logs of the server and see it was accessed twice with the same interface ID. If multiple websites work together, they could share data and track your internet activity. Thus, privacy is a concern using this method.
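The EUI-64 mapping and the café/airport log correlation described above, as an added Python example that is not part of the original lesson. It can be used to audit your own logs for clients that expose their hardware address. The MAC address, prefixes, log lines and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from typing import Optional

LOW_64 = 2 ** 64 - 1


def eui64_interface_id(mac: str) -> int:
    """Map a 48-bit MAC to a 64-bit interface ID: insert ff:fe, flip one bit."""
    octets = bytearray(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("a MAC address has six octets")
    octets[0] ^= 0x02  # the single flipped bit (universal/local)
    return int.from_bytes(bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:]), "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix from the router with the EUI-64 interface ID."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64:
        raise ValueError("SLAAC uses a 64-bit prefix")
    return ipaddress.IPv6Address(int(network.network_address) | eui64_interface_id(mac))


def mac_from_address(address: str) -> Optional[str]:
    """Reverse the mapping; return None if the interface ID is not EUI-64."""
    raw = (int(ipaddress.IPv6Address(address)) & LOW_64).to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(raw[:3] + raw[5:])
    octets[0] ^= 0x02
    return ":".join(f"{octet:02x}" for octet in octets)


# Constructed web server log: one EUI-64 laptop seen at a café and an airport,
# and one client that used a different random interface ID on each network.
SAMPLE_LOG = """\
2001:db8:cafe:1:21a:2bff:fe3c:4d5e - - [10/Mar/2024:09:12:01 +0000] "GET / HTTP/1.1" 200
2001:db8:cafe:1:5c9d:71e2:88a4:1f03 - - [10/Mar/2024:09:13:44 +0000] "GET / HTTP/1.1" 200
2001:db8:beef:7:21a:2bff:fe3c:4d5e - - [12/Mar/2024:17:40:19 +0000] "GET / HTTP/1.1" 200
2001:db8:beef:7:9b02:e4c7:3d15:a6f8 - - [12/Mar/2024:17:41:02 +0000] "GET / HTTP/1.1" 200
"""


def repeat_visitors(log_text: str) -> dict:
    """Find interface IDs that show up behind more than one network prefix."""
    prefixes_seen = defaultdict(set)
    sample_address = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        address = ipaddress.IPv6Address(line.split()[0])
        interface_id = int(address) & LOW_64
        prefixes_seen[interface_id].add(int(address) >> 64)
        sample_address[interface_id] = str(address)
    report = {}
    for interface_id, prefixes in prefixes_seen.items():
        if len(prefixes) < 2:
            continue
        label = ":".join(f"{(interface_id >> s) & 0xFFFF:x}" for s in (48, 32, 16, 0))
        report[label] = {
            "prefixes": [str(ipaddress.IPv6Network((p << 64, 64))) for p in sorted(prefixes)],
            "mac": mac_from_address(sample_address[interface_id]),
        }
    return report


if __name__ == "__main__":
    print(slaac_address("2001:db8:cafe:1::/64", "00:1a:2b:3c:4d:5e"))
    print(repeat_visitors(SAMPLE_LOG))
```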

The second method is simply randomly choosing an interface ID. This process just requires the device to choose a random 64-bit number for the interface ID. This IP address can be changed by the device. It depends on the device if it does this or not. You will find some devices, once they have an IP address, keep the same IP address even between reboots. However, if you disable and re-enable the network card, the IP address may change. It all depends on how the manufacturer of the device implemented it.

Let’s consider for a moment that a random interface ID is selected and the device decides to keep using the same interface ID even between reboots. There is still the same privacy concern that the interface ID is not changing, which gives the same end result as the first method. There is a way that some devices use to get around this problem. Let’s have a look.

Privacy Extensions
In order to prevent the device from being tracked, privacy extensions were added to SLAAC. In SLAAC, privacy extensions use an IP address and temporary addresses. Looking at an example of a computer that has been running for a while, you will see there is an IPv6 address and multiple temporary IPv6 addresses.

For an application to receive data over an extended period the IP address needs to stay the same. The temporary IPv6 addresses are used for a short period. In a moment I will look at how privacy extensions can keep network connections stable.

Depending on the device, it has the choice of using either of the two methods I looked at for creating this IPv6 address. That is, it could use the MAC address to generate the IP address or use the random method.

To prevent your device from being tracked, privacy extensions create outgoing connections using a temporary address. These temporary addresses are random and only valid for a short period of time. Changing the IP address all the time prevents tracking of the device. However, the problem is what happens if the IP address changes while it is in use?

To prevent the network from becoming unstable and prevent disconnections, the IP address has different states, which are shown on the far right of the address. If the IP address is preferred, it is still actively in use and can be used for all functions. That is, it can be used to open new connections.

If the IP address is deprecated, new connections can’t be opened using that IP address; however, existing connections that are already open can still be used. So essentially, what occurs is that a new temporary IP address is created periodically. How the device is configured will determine when these new IP addresses are created. Once a new temporary IP address is created, the previous IP address is changed to deprecated. There should only be one preferred temporary IP address at a time. If there were to be two, the device would change the older one to deprecated once the new temporary IP address is ready to be used.

Eventually, the temporary IP address will be removed. The time period for this is generally quite long to give time for a device to change to a different IP address to help prevent the application using the IP address from having its network connection disconnected.

SLAAC allows the device to configure itself without the need for infrastructure. However, this also means the administrator won’t have any centralized information about what devices are on the network. Devices can effectively configure themselves on the network with no records kept of which devices have added themselves to the network. Let’s look at how we can have more control over which devices are added to the network and how we can also configure additional options.

DHCP (Stateful)
Dynamic Host Configuration Protocol or DHCP is a protocol that is designed to provide network configuration to clients. There are two different modes in which the DHCP server can be set up. The first one that I will look at is stateful, which, if you are familiar with DHCP, works the same way you are used to, that is, it provides centralized allocation of IP addresses and administration.

DHCP can also provide additional network configuration. For example, if you had a client that booted from the network, you could provide additional network configuration to the client for it to download boot files.

A stateful DHCP server, essentially a DHCP with all the features enabled, requires more infrastructure to operate. This means more software to operate, more memory, more storage, and more processing power. More of everything, essentially.

In some cases, having a stateful DHCP is not necessary. If you do not require additional network configuration or centralized administration, the extra resources are not necessary. For example, on a home network, you may not require this additional overhead on your router. In large cloud environments with thousands of devices, this extra overhead may not be required. In this environment, you may want to simply have the devices connected to the network and use other methods to manage them.

To get a better understanding of how it works, I will have a look at a functioning DHCP server, in this example, a freely available router software called pfSense. To access the DHCP server functions, I will select the Services menu and then select the option “DHCPv6 Server & RA.”

Once selected, I will be able to configure DHCP server options. The first big difference between stateful and SLAAC is that, with stateful, you can configure a range of IP addresses. Rather than the device configuring its own interface ID, it will instead be given one.

In this example, the whole range has been configured; however, on your network, you may want to reduce the range down to a much smaller range to make it more manageable.

Below this, you will notice the network prefix, essentially the network ID part of the IP address. Below this, the DNS servers can be configured. This is the same as SLAAC, but keep in mind that DNS servers require an additional feature of SLAAC that not all devices support. This is one reason why you may want to use DHCP rather than SLAAC. There are some other in-between options that I will look at later in the video.

At the bottom, there are a lot more options that can be configured. Later in the course, I will look at DHCP in more detail and examine some of these options.

Going through these options, you may have noticed that there was no option for a default gateway. This is where things get interesting.

I will now scroll up to the top and select the option “Router Advertisements.” This tab is where you configure how the router will advertise network configuration to devices on the network. This is where configuration is a little different from DHCP in IPv4. Essentially, DHCP configuration and router configuration have been divided up. In this case, my DHCP server and router are both on the same computer; however, they don’t need to be.

Unlike IPv4, in IPv6, the router will advertise itself on the network. Devices on the network will use these advertisement messages to learn the router’s link-local address. The device will configure itself to use this router. As we learned from SLAAC, the router is limited in what network configuration it can configure. The router can configure the network prefix and, if supported, DNS servers, but nothing else.

For this DHCP server, the router mode has been set to “Managed.” This means that clients on the network will receive the router address via router advertisements; however, additional information will be configured by the DHCP server.

You will notice that there are a number of different options that can be configured. These options determine what is configured at the router level, what is configured by DHCP, a combination of the two, or a choice between the two.

There is a lot to understand, so what I will do is select the simplest option, “Router only.” The “Router only” option provides router information to clients on the network, and it is a good starting point to understand what is happening.

Router Only
At the router’s most basic level, it announces the router’s availability on the network. Thus, it provides basic information about the router. This is done using a router advertisement or RA. They are sent periodically or can be sent as a response to a solicitation.

Our router has been set up to send router advertisements out but not configure nodes on the network. Let’s have a look at what happens to a node that receives this router advertisement, in this case, a computer running Windows 11.

To do this, I will open a PowerShell terminal and run the command ipconfig. You will notice that two items are listed as being configured. The first is the Link-Local IPv6 address. The Link-local address will always be present on every IPv6 node. This address allows the node to communicate with other nodes on the network, for example, for low-level functions like finding other nodes on the network or sending traffic to them. Link-local addresses are not routable. Having a Link-local address means you don’t need to use broadcasts, and you can use multicast addresses instead. Multicast addresses are more efficient than broadcast addresses since broadcasts go to all nodes, whereas multicasts can be filtered during transmission and when a node receives them.

The router advertisement allows the node to configure a default gateway. The default gateway is essentially the link-local address of the router. The node gets this address from the source address of the router advertisement.

So far, we have a node on a network that can communicate with other nodes on the same network segment, which includes the router. However, it lacks an address that allows traffic to be routed to other networks connected to the router. Thus, only local network traffic is possible.

The configuration so far is not that useful to us. Maybe nodes on a network, like CCTV cameras, could use it to communicate back to a recording unit on the same network, but using the Link-local addresses is difficult. A device can generate a link-local address randomly if it wishes, so it is possible for the link-local address to change, although a node tends to keep using the same link-local address after it is generated. Thus, you never really want to use link-local addresses to communicate with each other since they are hard to work with and can change. Link-local addresses are designed to be used in the background to communicate with nodes on the same network.

So far, this configuration is not that useful to us. If it were combined with DHCP to provide additional options, it would become useful. More on that later in the video. Let’s have a look at the next option: allowing stateless.

To do this, I will re-configure my router to the next option. This will configure the router to send out router advertisements but also include configuration telling the node to use stateless configuration to configure itself. Let’s have a look.

RA With Autoconfiguration
Like before, the router will send a router advertisement on the network periodically. The router advertisement is different this time as it instructs the device to automatically configure itself. Once the device receives a router advertisement, it uses SLAAC to configure itself. SLAAC will create an IP address using the network ID from the RA and generate its own interface ID.

To understand what has occurred, I will open a PowerShell terminal and run ipconfig on my Windows 11 computer to show the network configuration. You will notice that an IPv6 address has been generated. In this case, the left half is the network prefix from the router advertisement and the right half is randomized.

The next part is the Link-local address. This is automatically configured by the network adapter when it is first brought up. It is not something configured by stateless configuration, but I bring it up to remind you that it is normal to always see this address.

The last part is the default gateway. This will be the link-local address of the router. So, the only part that has changed is that the device has generated an IP address for itself. This IP address is not centrally managed or recorded and thus is called stateless. The advantage of this system is that you don’t have to deploy a centralized system to keep track of which IP addresses you allocate to which devices. This requires less infrastructure. The disadvantage is you have no real way of knowing how many devices are on your network because a device simply needs to listen for the router advertisement and configure itself. There is no tracking of what devices are on the network.

In this example, I have not used the extension that allows DNS servers to be configured with the IP address since it is not available to all clients. The question is, can we have devices configure themselves but get additional configuration options from another source? The answer is yes, we can.

DHCP Stateless
DHCP Stateless allows clients to use stateless configuration but get additional configuration from a DHCP server. That is, the client still configures its own IP address using router advertisements, but this IP address is not centrally recorded.

The process works like this. The router still transmits router advertisements on the network like before. This is different from IPv4, where the DHCP server would send all the configuration. The same device can be used as a router and a DHCP server, but if you separate them, you will need to make sure you configure the router and DHCP server.

The DHCP server will provide additional configuration. It is pretty common for the additional configuration to be DNS servers. However, other configuration can also be provided. The advantage of DHCP stateless is that it works with clients that don’t support DNS server configuration with SLAAC.
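The modes covered so far differ only in a few bits of the router advertisement: the M and O flags in the RA header and the A flag in the Prefix Information option. The following Python sketch is an added example, not part of the original lesson or of pfSense; it decodes those bits and the optional DNS option from a constructed RA (documentation prefix 2001:db8:1::/64, function names are illustrative) and names the mode a client would follow.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a router advertisement
OPT_PREFIX_INFO = 3      # Prefix Information option (carries the network prefix)
OPT_RDNSS = 25           # Recursive DNS Server option (the DNS extension to SLAAC)

def parse_ra(icmp):
    """Decode the flags and options of an RA, starting at the ICMPv6 header."""
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a router advertisement")
    info = {"managed": bool(icmp[5] & 0x80),   # M flag: addresses come from DHCPv6
            "other": bool(icmp[5] & 0x40),     # O flag: other settings come from DHCPv6
            "prefixes": [], "dns": []}
    pos = 16
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed option")
        body = icmp[pos:pos + opt_len]
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            info["prefixes"].append({"prefix": str(net),
                                     "autonomous": bool(body[3] & 0x40)})  # A flag
        elif opt_type == OPT_RDNSS and opt_len >= 24:
            for i in range(8, opt_len, 16):
                info["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        pos += opt_len
    return info

def config_mode(info):
    """Map the decoded flags onto the modes described in this lesson."""
    slaac = any(p["autonomous"] for p in info["prefixes"])
    if info["managed"]:
        return "DHCP (Stateful) with SLAAC" if slaac else "DHCP (Stateful)"
    if slaac:
        return "DHCP Stateless" if info["other"] else "RA With Autoconfiguration"
    return "Router Only"   # no address is configured beyond the link-local one

def build_ra(managed, other, autonomous, dns=()):
    """Build a constructed RA for the demo (checksum left at zero)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    pio_flags = 0x80 | (0x40 if autonomous else 0)   # on-link flag always set here
    pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, pio_flags, 86400, 14400, 0)
    pkt += ipaddress.IPv6Address("2001:db8:1::").packed
    if dns:
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 1800)
        pkt += b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    return pkt

if __name__ == "__main__":
    for m, o, a in [(0, 0, 0), (0, 0, 1), (0, 1, 1), (1, 1, 0)]:
        info = parse_ra(build_ra(m, o, a, ["2001:db8:1::53"]))
        print(f"M={m} O={o} A={a} -> {config_mode(info)}; DNS via RA: {info['dns']}")
```

The same decoding applied to RAs captured on a segment shows whether the advertised mode matches what the administrator intended to configure.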

We have looked at a lot in this video; let’s have a look at how we would apply this in the real world.

In The Real World
In the real world, you may be using IPv6 already and not even know it. IPv6 is very common on mobile networks. You may find on your mobile device you are already using it. If you don’t have IPv6, don’t worry. For the moment, IPv4 is still good and should still meet your needs. It is pretty rare for an application to require IPv6.

The question is why we would need to move to IPv6 if IPv4 will meet our needs. The problem is IPv4 address exhaustion. All the registries in charge of handing out new IP addresses around the world have run out of IP addresses. In order to help address the problem, changes to the protocol have been made which increased the size of the routing tables.

Making things worse, reclaiming and reissuing IP addresses adds to the problem. For example, a block of IP addresses may get reclaimed but reissued as multiple networks rather than one network. Although this has the greatest effect on internet backbone routers, the general user won’t notice it. In the long term, this is not sustainable. It’s like trying to stuff items into a box. You can change the way you pack the box, apply pressure to get more items into the box, but sooner or later you are going to reach the limit of how many items you are going to get into the box.

At the time of making this video, IPv6 adoption was around the 50% mark, so I would say it is still a long time off before IPv6 is close to becoming commonplace. There are, however, still problems with IPv6 that will need to be addressed.

Currently, IPv6 has very few VPN providers. If you wish to purchase a VPN, it will most likely be IPv4. Not many providers want to provide IPv6 VPNs because of security concerns. The problem with IPv6 VPNs is address and DNS leaks. The problem occurs because you should be able to access close to 100% of the internet using IPv4; however, this is not the case with IPv6. Thus, if you are going to use an IPv6 VPN to access the internet, you really want dual stack running, that is, have IPv4 running as well.

The problem with running dual stack with a VPN is that you can have what is referred to as spill through the other protocol. For example, you may be trying to access an IPv6 site, so a DNS request is made. The DNS query accidentally goes to an IPv4 DNS server rather than an IPv6 DNS server. This is referred to as a DNS spill. The same thing can occur with your IPv6 accidentally spilling out via the IPv4 protocol.

The way IPv4 VPNs get around this problem is to simply block all IPv6 traffic. You can’t afford to block IPv4 when using IPv6 since you won’t be able to access a good part of the internet.

IPv6 is not fully deployed yet; if it is available, in my opinion, you should give it a try. Keep in mind that it can always be switched off if it is causing problems or slow performance. Depending on how IPv4 and IPv6 are deployed in your area and the amount of load on the network, the performance of each protocol may be different. When I first started using IPv6, I experienced slow performance accessing YouTube. When I switched off IPv6, the speed got significantly faster. About a year later, I switched on IPv6 and found the speed of YouTube had improved. My guess is there had been some upgrades to the IPv6 network, making my experience better. You can never really know which protocol is going to perform better. So my advice is to give IPv6 a try. If it causes problems or slows down performance, switch it off. You can always switch it back on six months or a year later to see if performance has improved.

There has been a lot covered in this video; I will now summarize the major points.

Summary of IPv6 Address Type
IPv6 addresses are very different from IPv4 addresses. They are 128-bit addresses made of eight blocks of four hexadecimal digits. Unlike IPv4, where the subnet mask determines which part of the address is the network ID and which part is the interface ID, IPv6 is always divided into a fixed 64-bit network ID and a 64-bit interface ID. When working with IPv6 addresses, a network prefix should always be 64 for nodes. If you are working with routing, the network prefix value may change. So essentially, if you configure a device or network interface, the network prefix is generally always going to be 64. If you are adding a route to a routing table, the network prefix may change.

Link-local addresses start with fe80. These addresses are always present on every IPv6 interface. They are used for local segment communication. They are thus not routable. You generally won’t need to worry about using them directly.

Global Unicast addresses start with 2 or 3. These addresses are publicly routable IP addresses on the internet.

Unique local addresses start with fd. These are allocated by administrators on their private networks. Since they are private addresses, they are not routable on the internet.

This covers the main addresses that you are going to come across. There are more; however, a lot of the other ones you won’t come across in general day-to-day troubleshooting or have been deprecated. Deprecated means their use is not encouraged, and the addresses are being phased out. Now, let’s have a look at how IP addresses are assigned to devices on our network.

IP Address Assignment
On an IPv6 network, the router advertises itself to nodes on the network. This is required so the device can configure a gateway address. This is different from IPv4, where the DHCP server would provide the gateway configuration to the node.

IP addresses are configured using two different methods. The first is stateless. When stateless is used, the device receives configuration information for the network; however, the device generates its own IP address.

Having an IP address by itself provides basic network functions; however, generally, you want more configuration, and often it is considered the bare minimum to have an IP address, default gateway, and DNS servers.

Using stateless and the router advertisement, the node can configure the IP address and default gateway but not DNS servers. By making improvements to the original protocol, the router was able to advertise DNS servers; however, this requires the device to support this.

The other method is to have additional options supplied by a DHCP server. The DHCP server can provide DNS servers plus additional configuration. The DHCP server, however, can’t configure a gateway address. The gateway address always comes from the router. This means the router and DHCP server can be on different devices. You could also have them on the same device if your router supports it.

The other way that IP addresses can be configured is stateful. When this is used, the DHCP server allocates an IP address rather than the device generating an IP address. This means that the IP addresses can be recorded on the DHCP server, effectively meaning you know how many devices are on the network, and you can control which devices get allocated an IP address and which don’t. With stateless, you don’t know how many devices are on the network since the devices configure themselves and this is not recorded.

Stateful also allows the DHCP server to provide additional configuration options to the node. However, just like stateless, it is not able to configure a gateway for the node. The gateway is always obtained from the router through a router advertisement.
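Because stateless addresses are never recorded centrally, the only place they show up is the neighbor table of a router or host on the same segment. The following Python sketch is an added example, not part of the original lesson; it assumes neighbor entries in the format printed by the Linux command `ip -6 neigh show` and a list of addresses exported from the DHCPv6 server, and all sample values are constructed.

```python
import ipaddress
from collections import defaultdict

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")   # always present, never leased

# Constructed sample data: a neighbor table and the DHCPv6 server's lease list.
NEIGHBORS = """\
fe80::1 dev eth0 lladdr 52:54:00:00:00:01 router REACHABLE
2001:db8:1::100 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
fe80::5054:ff:feaa:bb01 dev eth0 lladdr 52:54:00:aa:bb:01 STALE
2001:db8:1:0:3c1f:9a2e:77d0:4b12 dev eth0 lladdr 52:54:00:aa:bb:02 STALE
2001:db8:1:0:d4a1:22ff:e5b:9c01 dev eth0 lladdr 52:54:00:aa:bb:02 REACHABLE
2001:db8:1::200 dev eth0  FAILED
"""
LEASES = ["2001:db8:1::100", "2001:db8:1::101"]

def parse_neighbors(text):
    """Yield (address, mac) pairs from `ip -6 neigh show` style lines."""
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:        # FAILED/INCOMPLETE entries carry no MAC
            continue
        try:
            addr = ipaddress.IPv6Address(fields[0])
        except ValueError:
            continue                      # skip anything that is not an IPv6 address
        yield addr, fields[fields.index("lladdr") + 1].lower()

def unrecorded_addresses(neigh_text, prefix, leases):
    """Group addresses inside the prefix that the DHCPv6 server never issued, by MAC."""
    net = ipaddress.IPv6Network(prefix)
    leased = {ipaddress.IPv6Address(a) for a in leases}
    found = defaultdict(list)
    for addr, mac in parse_neighbors(neigh_text):
        if addr in LINK_LOCAL or addr not in net:
            continue                      # only routable addresses on this segment
        if addr not in leased:
            found[mac].append(str(addr))
    return dict(found)

if __name__ == "__main__":
    for mac, addrs in unrecorded_addresses(NEIGHBORS, "2001:db8:1::/64", LEASES).items():
        print(f"{mac} is using {len(addrs)} address(es) with no lease: {', '.join(addrs)}")
```

On a network meant to be stateful only, any address this reports was self-configured or set by hand; a single device holding several such addresses is normal when temporary addresses are in use.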

End Screen
That concludes this video on IPv6. I hope we have made IPv6 easier for you to understand. Until the next video from us, I would like to thank you for watching.

Credits
Trainer: Austin Mason http://ITFreeTraining.com
Voice Talent: HP Lewis http://hplewis.com
Quality Assurance: Brett Batson http://www.pbb-proofreading.uk
