39

Having a hard time wrapping my head around IPv6 here. A lot of the lingo seems targeted at enterprise-level IPv6 deployments, discussing link-local, site-local, global unicast, scopes, etc. Not a lot of solid information on really small networks, like home networks. I want to check my thinking and make sure I am getting the correct translations from IPv4-speak to IPv6-speak.

The first question is, what's the equivalent of RFC1918 for IPv6? Initial searches suggested there was no equivalent. Then I stumbled upon Unique Local Addresses (RFC4193), and that states that all ULA's should be assigned the prefix fc00, followed by a 40-bit random number in the routing prefix. This random number is to "prevent collisions when two IPv6 networks are interconnected" -- again, another reference to an enterprise-level function.

If I have a small local LAN at home, numbered using 192.168.4.0/24, what's my equivalent in IPv6's ULA scope? Assuming I will never, ever, tie that IPv6 address into the real internet (a router will NAT & firewall it), can I ignore the RFC to an extent and go with fc00::4:0/120?

It also seems that any address in fc00::/7 are to be globally routable. Does this mean I'll need extra protections so my router would not automatically start advertising these private IPv6 addresses to the world?

Second question, what's this link-local thing? Reading suggests a default-assigned address in the fe80::/10 range that has the last 64bits of the address comprised of the interface's MAC address. Seems to be required, too, but I'm annoyed by the constant discussion of it in relation to enterprise networks.

Third question, what is scope id for? Seems to be yet another term tossed around in relation to enterprise networks, especially when interconnecting them, but almost no explanation on the smaller home network level.

Can I see a scope ID AND CIDR notation used together? I.e., fc00::4:0/120%6, or are scope IDs only supposed to be applied to a single /128 IPv6 address?

Kumba
  • If you're looking for more practical information on deploying IPv6, http://tunnelbroker.net/ will give you actual IPv6 space to play with as well as a number of tutorials and exercises on the subject. – MikeyB Nov 22 '11 at 16:12
  • Your assumption (never ties that to the internet) is ignorant. What if you start working for a company and you VPN in and they use the same network? Making sure your private space is unique is not necessarily enterprise - there are good reasons not to use 192.168.x.x as every router seems to be preconfigured with this and the next job may require you to VPN into the company. – TomTom Oct 25 '13 at 06:25
  • 1
    @TomTom, while "ignorant" is technically a neutral term, it often isn't so in [common usage](https://www.merriam-webster.com/dictionary/ignorant). Colloquially it seems unnecessarily abrasive and could just as easily be substituted with "isn't right" or similar. – tgm1024--Monica was mistreated May 16 '19 at 14:26

3 Answers

17

The "Unique Local Address" is exactly what you're looking for. fc00::/7 gives you enough bits that if you generate a random number instead of just picking one the chances of collision are small.

Does this mean I'll need extra protections so my router would not automatically start advertising these private IPv6 addresses to the world?

The RFC that covers these ULAs (RFC4193) specifically states that these numbers should not be routed on the internet, though two peers may mutually agree to pass certain prefixes. Unless Comcast decides to unilaterally route these (unlikely in the extreme) you should have no worries about route advertisement.

Assuming I will never, ever, tie that IPv6 address into the real internet (a router will NAT & firewall it), can I ignore the RFC to an extent and go with fc00::4:0/120?

Don't assume that. For instance, Comcast is currently doing IPv6 trials and they're passing out /64's to end-users (slide 5); not just the single address they're doing with IPv4. This means that their now-running IPv6 testers have the option of running with globally routable addresses, but firewalled by their router, or do some kind of NAT with either link-local or unique-global-addresses.

However, running without any kind of address translation is not as insane as it sounds. Keep in mind a few points.

  • Comcast is handing out a /64 subnet to you, so your attacker already knows what your IP space looks like.
  • A /64 provides a mind-bogglingly huge number of potential addresses. 2^64 worth! That's four billion IPv4 Internets' worth of IP addresses. (2^64 == 2^32 * 2^32. Four billion times four billion.) While the nature of IPv6 autoprovisioning reduces the actual number of addresses that need scanning, scanning it is still infeasible.
  • Unless you set up your own domain to provide it, Comcast will not be providing forward or reverse DNS lookups to your /64-worth of IP addresses. This greatly reduces the ability of attackers to recon your network.
  • Running without NAT makes certain network problems easier, and certainly makes undesirable but very popular peer-to-peer technologies (you know what I'm talking about) a lot easier to get up and running.

Running without a firewall is still just as insane as it sounds, though. Happily, you can do firewalling without having to NAT.

Second question, what's this link-local thing?

Think of it as able to reach anything in the current broadcast domain, and it cannot be routed. Like NetBEUI-of-old. In fact, if your home network is completely flat you can use these addresses instead of Unique Local Addresses.

Third question, what is scope id for?

It's used for two different things, which makes it annoying to describe:

Thing 1: Multicast. It defines how far the multicast packet is intended to reach.

Thing 2: (What I think you're referring to) This is used on a URI as a way of defining which interface to use. It's used primarily with link-local addresses. It should never be used in conjunction with CIDR notation, so the two syntaxes should never be combined.

seren
sysadmin1138
  • I wouldn't consider NAT "vital" to security, but I do consider it extremely useful. For the most part, though, my home network is mostly flat. I've tinkered around with VLANs on my router, though, so going with link-local sounds like a no-go, especially if those are automatically determined. Having some control over my own numbering appeals to me, so I'll have to look more into `fc00::7`. – Kumba Dec 28 '10 at 04:19
  • Scope ID seems almost a Microsoft-thing. I'd never actually heard of it until I came across the MSDN IPv6 article. Rarely, I've seen a few references to it in FreeBSD documentation. – Kumba Dec 28 '10 at 04:23
  • This answer covers things. Still more research to do, but things are a bit clearer now. Thanks! – Kumba Dec 28 '10 at 23:15
  • @Kumba I cribbed most of this from a blog post of mine a while back. A good cheat-sheet: http://sysadmin1138.net/mt/blog/2010/09/undreading-ipv6-addressing.shtml – sysadmin1138 Dec 29 '10 at 00:15
  • @sysadmin: Thanks for the update. The bit on scope ID is much clearer. I actually have a domain, so regardless of my ISP giving me a /64, I'm still going to NAT/Firewall specifically because of the reason you point out. And about that /64...Despite the size of the overall IPv6 address space, that is still a ridiculously huge amount of IPv6 addresses. Seems wasteful. We want IPv6 to last a half-century or more I'd figure, but at that rate of handout, we'll be researching [Protocol 7](http://en.wikipedia.org/wiki/Serial_Experiments_Lain#Plot) within 2-3 decades easily... – Kumba Dec 30 '10 at 23:59
  • 3
    @Kumba A /64 is the *smallest* v6 subnet allowed by the IPv6 spec. You can fit 34,000,000 /64 allocations (2x Comcast's 2009 subscriber count) in a single /36 allocation. Since Comcast has at least a /32 (2001:558/32) they can afford to be liberal. They probably won't need another /32 for a very long time. – sysadmin1138 Dec 31 '10 at 07:15
  • @sysadmin: Never underestimate the human ability to be wasteful. We are quite the experts at it... I'm just afraid of the huge gaps in space because of these handouts. A /64 is frankly, too large. Way, way too large. I could care less about what the spec says, common sense dictates that Joe Schmoe doesn't need a /64 to get on the internet. It's just further proof that the IETF only considered enterprise-level networks in mind when they mapped out IPv6. 20 years from now, IPv6 is going to be an absolute mess because at some point, we're going to slip up in tracking who owns what. – Kumba Jan 02 '11 at 05:44
  • Wow. Sorry about that: apparently I accidentally downvoted you, and I can't reverse it anymore unless you edit the post... – wzzrd Feb 07 '11 at 14:06
  • I don't understand the need for "Unique Local Address". On a LAN all devices automatically get their own unique ipv6 address within the local scope. This is all that the original poster needs. On all of my LANs, which vary from small to medium, I only use or need the link local address. There is NO need to make it more complex. A good book to read is "IPv6 Theory, Protocol and Practice, 2nd edition (ISBN 1-55860-810-9)" – jdkoftinoff Sep 07 '11 at 16:28
  • One thing to remember if you're using ULAs with IPv6: hosts generally think ULAs are "global" IPv6 addresses, and will therefore try to use them to contact the internet at large (which will fail of course). This can lead to strange-to-diagnose problems, delays in connections, etc. ULAs are basically only useful if your network is totally isolated from the internet, or you are doing IPv6 prefix translation (http://tools.ietf.org/html/rfc6296) at your Internet-facing gateways. – rmalayter Apr 11 '12 at 14:16
  • sysadmin1138: Your statement WRT /64 being the smallest subnet allowed is incorrect. It is the smallest subnet on which stateless autoconfiguration can be set up, but it's perfectly legal to configure smaller subnets if you're using static addressing on the hosts or using DHCPv6 to assign addresses to hosts on the subnet. – caw Mar 30 '14 at 00:02
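To make the address classes and the scope ID rule from this answer (and the asker's "fc00::4:0/120%6" question) concrete, here is an added Python example; it is not code from the original answer or from any project. It uses only the standard `ipaddress` module with the ranges written out explicitly: it classifies an address as link-local, unique-local, multicast or global unicast, splits the `%zone` off a link-local address, refuses a zone on a CIDR prefix, names the 4-bit multicast scope, and applies the egress rule a home router should enforce so ULA and link-local traffic never reaches the ISP. All sample addresses are constructed; `2001:db8::/32` is the documentation prefix.

```python
import ipaddress

# Address ranges discussed in the answer, written out explicitly
# (RFC 4291 for link-local/multicast/global unicast, RFC 4193 for ULA).
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
MULTICAST = ipaddress.IPv6Network("ff00::/8")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# Names of the 4-bit multicast scope field (RFC 4291 section 2.7).
MULTICAST_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
                    5: "site-local", 8: "organization-local", 0xE: "global"}


def split_zone(text):
    """Split 'address%zone' into (IPv6Address, zone-or-None).

    The zone (scope ID) names the outgoing interface and is only meaningful
    for a single host address; it is stripped before parsing so the address
    itself can be validated on any Python 3 version.
    """
    addr, sep, zone = text.partition("%")
    return ipaddress.IPv6Address(addr), (zone if sep else None)


def classify(text):
    """Return (kind, zone) for one address string, e.g. ('link-local', 'eth0')."""
    addr, zone = split_zone(text)
    if addr in LINK_LOCAL:
        kind = "link-local"
    elif addr in UNIQUE_LOCAL:
        kind = "unique-local"
    elif addr in MULTICAST:
        kind = "multicast"
    elif addr in GLOBAL_UNICAST:
        kind = "global-unicast"
    else:
        kind = "other"
    return kind, zone


def multicast_scope(text):
    """Name the scope of an ff00::/8 address: ff02::1 is link-local, ff05:: is site-local."""
    addr, _ = split_zone(text)
    if addr not in MULTICAST:
        raise ValueError("not a multicast address: " + text)
    # Byte 0 is 0xff; byte 1 holds four flag bits followed by the 4-bit scope.
    return MULTICAST_SCOPES.get((int(addr) >> 112) & 0xF, "reserved")


def parse_prefix(text):
    """Parse CIDR notation such as fc00::4:0/120; a %zone never belongs on a prefix."""
    if "%" in text:
        raise ValueError("scope ID is only valid on a single host address: " + text)
    return ipaddress.IPv6Network(text, strict=False)


def should_forward_upstream(src, dst):
    """Egress rule for the home router: ULA and link-local traffic never leaves.

    Returns True only when both endpoints are outside fc00::/7 and fe80::/10,
    i.e. the filter you apply yourself instead of relying on the ISP for it.
    """
    for endpoint in (split_zone(src)[0], split_zone(dst)[0]):
        if endpoint in UNIQUE_LOCAL or endpoint in LINK_LOCAL:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample addresses; 2001:db8::/32 is the documentation prefix.
    for sample in ("fe80::1%eth0", "fd00::4:1", "2001:db8::1", "ff02::1"):
        print(sample, "->", classify(sample))
    print(parse_prefix("fc00::4:0/120"))
    print(should_forward_upstream("fd00::4:1", "2001:db8::1"))
```

The zone is split off by hand rather than left to `ipaddress` so the same code behaves identically on Python versions before and after 3.9, where scope-ID parsing was added to `IPv6Address`; the egress check is deliberately written on source and destination both, since a ULA source with a global destination is exactly the packet that leaks when a host treats a ULA as a global address.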
6

You should not be using an address starting with fc00:

As explained in RFC 4193 it is a 7 bit prefix. Everything after those first 7 bits should be filled in as explained in the RFC. The method currently defined will always produce an address that starts with fd. The 00 should be replaced with random numbers, and the next two groups of 16 bits should also be random, making up a total of 40 bits.

There are lots of pages on the internet that can generate one for you. I just went to one of those sites to get an example of what such a prefix could look like: fdae:a212:e94d::/48

As you pointed out, those addresses are global unicast, but they are not supposed to be globally routable. If your router does route them externally by default, it would be a good idea to configure filters to prevent that. Your upstream should be filtering as well, so they will only be routed outside your network if both of you have misconfigured routers.

Kasper
  • I'm not. I'm aware that fc00::/8 hasn't been given a purpose in life yet, so I am on an fd00::/8 subnet at present for my home network. And I'm not interested in randomized addresses. My ISP doesn't even offer IPv6 yet, so this is strictly internal, so I'm sticking to something that I can actually remember. – Kumba May 21 '11 at 06:26
  • At least one project relies on fc00::/8: [Cjdns](http://en.wikipedia.org/wiki/Cjdns) – Vi. Jun 06 '13 at 23:08
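The generation method this answer refers to is spelled out in RFC 4193 section 3.2.2: hash the current time in 64-bit NTP format together with an EUI-64 (or other locally unique identifier) with SHA-1, keep the least significant 40 bits as the Global ID, and put them behind fd00::/8 to get a /48. The following is an added Python example, not code from the answerer or from any project, that implements that procedure, carves a /64 out of the result (subnet 4 mirrors the asker's 192.168.4.0/24), and checks whether a given prefix is a well-formed ULA. The answer's `fdae:a212:e94d::/48` is used to verify the formatting; the EUI-64 fed to the generator is random bytes, which the RFC permits when no EUI-64 is at hand.

```python
import hashlib
import ipaddress
import os
import struct
import time

FD00 = ipaddress.IPv6Network("fd00::/8")   # ULA with the L bit set, per RFC 4193


def ntp_timestamp_64(now=None):
    """Current time in 64-bit NTP format: 32 bits of seconds since 1900, 32 bits fraction."""
    now = time.time() if now is None else now
    secs = int(now) + 2208988800            # Unix epoch (1970) -> NTP epoch (1900)
    frac = int((now - int(now)) * (1 << 32))
    return ((secs & 0xFFFFFFFF) << 32) | (frac & 0xFFFFFFFF)


def rfc4193_global_id(eui64, ntp_time):
    """RFC 4193 s3.2.2 steps 3-5: SHA-1 over (NTP time || EUI-64), keep the low 40 bits."""
    key = struct.pack(">Q", ntp_time) + bytes(eui64)
    digest = hashlib.sha1(key).digest()
    return int.from_bytes(digest[-5:], "big")   # least significant 40 bits


def ula_prefix(global_id):
    """Step 6: fdXX:XXXX:XXXX::/48 from a 40-bit Global ID (prefix 0xfd = fc00::/7 with L=1)."""
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must be 40 bits")
    top48 = (0xFD << 40) | global_id
    return ipaddress.IPv6Network((top48 << 80, 48))


def generate_ula_prefix(eui64=None):
    """Generate a fresh /48 the RFC 4193 way; random bytes stand in for a missing EUI-64."""
    if eui64 is None:
        eui64 = os.urandom(8)
    return ula_prefix(rfc4193_global_id(eui64, ntp_timestamp_64()))


def subnet_of(prefix, subnet_id):
    """Fill the 16-bit Subnet ID of a /48 to produce one /64 (e.g. subnet 4)."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < (1 << 16):
        raise ValueError("need a /48 and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def is_well_formed_ula(prefix_text):
    """The answer's rules: inside fd00::/8, a /48, and the 40-bit Global ID actually filled in."""
    try:
        net = ipaddress.IPv6Network(prefix_text)
    except ValueError:
        return False
    global_id = (int(net.network_address) >> 80) & ((1 << 40) - 1)
    return net.network_address in FD00 and net.prefixlen == 48 and global_id != 0


if __name__ == "__main__":
    site = generate_ula_prefix()
    print("generated site prefix:", site)
    print("subnet 4 of it:       ", subnet_of(site, 4))
    print("fc00::4:0/120 well-formed?", is_well_formed_ula("fc00::4:0/120"))
```

The hash step is what makes the prefix hard to memorise, and that is the point: the 40 random bits are the only thing keeping two independently numbered networks apart when they are later joined by a VPN or a merger, so a hand-picked `fd00::` or `fc00::4:0` prefix gives up exactly the property the RFC was written to provide.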
3

All addresses starting with fe80: something are link-local. You can think of a "link" being all the computers connected to a switched network with no routers. So those ipv6 addresses can be used only for communication on that net.

The hardest part for us humans is probably that the machines now configure themselves. There is a protocol called Neighbour Discovery Protocol (NDP) that takes care of saying "hello" to all the other machines on the net.

If you don't want the machines to access internet then... just don't install a router.

You CAN set up ipv6 by hand or with a DHCP server, but you don't need to. That's one of the pieces of good news with ipv6.

  • @Arno: Ah, So if I have a box I SSH to on my internal LAN, I can simply use the link-local address of it to SSH? Can I still manually-configure that `fe80::/10` address to something I like? Or will it be auto-set based on IPv6's design (and the OS's particular stack implementation)? – Kumba Dec 28 '10 at 03:34
  • PS: Machines that configure themselves. Hmm, _where_ have I seen that before? :) – Kumba Dec 28 '10 at 03:36
  • You've probably seen self-configuring machines in some movie:) Just don't let them take off, or we'll be dominated. – Arno Teigseth Dec 28 '10 at 03:58
  • 1
    about the configuring: http://en.wikipedia.org/wiki/Link-local_address (the operating system takes the MAC address of the network card, does a few tricks and ends up with fe80: something. The ugly details are on http://tools.ietf.org/html/rfc4862 , search for fe80 ...) – Arno Teigseth Dec 28 '10 at 03:58
  • Ugly details indeed. – Kumba Dec 28 '10 at 04:21
  • @Kumba: Unlike in IPv4, it's quite common for interfaces to have several assigned addresses. The link-local address is required, but you can still add as many others as you like. – yuriks Apr 27 '11 at 00:39
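The "few tricks" the comment above alludes to are the modified EUI-64 construction from RFC 4291 Appendix A, which RFC 4862 stateless autoconfiguration uses to form the fe80:: address: split the 48-bit MAC in half, insert ff:fe in the middle, and invert the universal/local bit of the first byte. Here is an added Python example (not from the answerer or any project) that performs that derivation, attaches the `%zone` a host needs to pick the interface, and also runs it backwards: if an interface ID carries the ff:fe marker, the hardware address is readable straight out of the IPv6 address, which is the reason RFC 4941 privacy extensions exist. The MAC address used is constructed.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def parse_mac(text):
    """Accept 00:11:22:33:44:55 or 00-11-22-33-44-55 and return the 6 raw bytes."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6:
        raise ValueError("expected six hex octets: " + text)
    return bytes(int(p, 16) for p in parts)


def modified_eui64(mac):
    """RFC 4291 Appendix A: insert ff:fe in the middle and flip the U/L bit (0x02)."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    first = mac[0] ^ 0x02          # invert the universal/local bit
    return bytes([first]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def link_local_from_mac(mac_text, zone=None):
    """fe80::/64 plus the EUI-64 interface ID, optionally with a %zone (interface name)."""
    iid = int.from_bytes(modified_eui64(parse_mac(mac_text)), "big")
    addr = ipaddress.IPv6Address((0xFE80 << 112) | iid)
    return str(addr) + ("%" + zone if zone else "")


def is_link_local(addr_text):
    """True for anything in fe80::/10, zone suffix ignored."""
    return ipaddress.IPv6Address(addr_text.split("%")[0]) in LINK_LOCAL


def mac_from_address(addr_text):
    """Reverse the derivation: the MAC, or None if the interface ID is not EUI-64 based."""
    addr = ipaddress.IPv6Address(addr_text.split("%")[0])
    iid = int(addr).to_bytes(16, "big")[8:]    # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Constructed MAC address for the example.
    ll = link_local_from_mac("00:11:22:33:44:55", zone="eth0")
    print(ll)                       # fe80::211:22ff:fe33:4455%eth0
    print(mac_from_address(ll))     # 00:11:22:33:44:55
```

A manually configured address such as `fe80::1` has no ff:fe marker, so `mac_from_address` returns `None` for it; that is the same reason a host with privacy extensions enabled shows a second, randomised address next to the EUI-64 one.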