Wednesday, May 14, 2025

IPv6 - Part 1 - Everything I need to know about IPv6 addresses

IPv6 (Internet Protocol version 6) was officially released as a standard in December 1998, with the publication of RFC 2460 by the IETF (Internet Engineering Task Force). 
 
It was usable for interoperability testing between Unix-like systems and Windows-based systems since 2006, when Microsoft included native IPv6 support in Windows Vista.
 
In 2012, major ISPs and websites enabled IPv6 permanently. That event is known as World IPv6 Launch Day.
 
It’s now 2025, so I think it’s time to test IPv6 readiness across the three ISPs I use for my home lab networks here in Czechia, Central Europe.
 
These ISPs are:
  1. Vodafone (global telco provider) - ISP for my apartment, where I have a small home lab
  2. StarNet (Czech telco provider) - ISP for my house, where I have a large home lab
  3. Cloud4com (Czech cloud service provider) - ISP for my lab in a data center (cloud-based)
My home lab network, shown below, has been running on IPv4 for nearly 20 years. Is it already the right time to switch to IPv6?
 

The idea is to keep the IPv4 network as it is and build a new IPv6 network in parallel, as a Proof of Concept and a way to get more familiar with IPv6. I can afford that because all my sites are fully virtualized, so spinning up additional IPv6 routers or devices in any of the three sites is not a problem.
 
In this Part 1 blog post, I would like to cover everything I need to know about IPv6 addresses. In future blog posts, I'll cover configuration details and real experience with IPv6.

IPv6 Address

An IPv6 address is a 128-bit number, typically written in hexadecimal:
8 groups of 16 bits, where the groups are delimited by a colon (:).
 
0000:0000:0000:0000:0000:0000:0000:0000
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 
When an IPv6 address contains consecutive all-zero 16-bit groups, that run can be collapsed into a double colon (::), but only once per address; leading zeros inside a group can be dropped as well.
So, the IP address 1111:2222:0000:0000:0000:6666:7777:888 is the same as 1111:2222::6666:7777:888
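To make the notation rules concrete, here is an added example (my own code, not from the original post) that expands an address to its full eight-group form and compresses it back following the RFC 5952 canonical-form rules: the longest run of zero groups becomes "::", the first run wins a tie, and a single zero group is never shortened. Comparing addresses by value rather than by string is what an ACL or log filter has to do to avoid missing an address written differently.

```python
HEX = set("0123456789abcdefABCDEF")


def expand(addr: str) -> str:
    """Return the full form: eight 4-hex-digit groups, lowercase."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    head, sep, tail = addr.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    if sep:
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + ["0"] * missing + right
    else:
        groups = left
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 or set(g) - HEX for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr!r}")
    return ":".join(f"{int(g, 16):04x}" for g in groups)


def compress(addr: str) -> str:
    """Canonical RFC 5952 text: leading zeros dropped and the longest run of
    zero groups (at least two groups; the first run on ties) written as '::'."""
    groups = [int(g, 16) for g in expand(addr).split(":")]
    best_start, best_len = -1, 1      # a lone zero group is never shortened
    i = 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:   # measure the zero run starting at i
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1 if j == i else j
    hexs = [f"{g:x}" for g in groups]
    if best_start < 0:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def same_address(a: str, b: str) -> bool:
    """Compare two textual addresses by value, not by string: a string match
    would treat '2001:DB8::1' and '2001:db8:0:0::1' as different hosts."""
    return expand(a) == expand(b)
```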

IPv6 Subnets

The smallest subnet we normally use in IPv6 is /64, so here are examples of IPv6 Subnets

  • fd11:1111:1111:1111:0000:0000:0000:0000/64
  • fd12:3456:789a:0000::/64
  • fd12:3456:789a:1111::/64
A /64 subnet allows up to 2^64 (18,446,744,073,709,551,616) addresses. That is a pretty huge address space, right?
 
Can I have such a huge number of devices in one VLAN (broadcast domain)?
No. You cannot practically have 2⁶⁴ devices in one VLAN, even though IPv6 technically allows that many addresses in a /64, and here is why:
  • Ethernet and Switching Limits (MAC address tables in switches)
  • ARP/ND Table Limits (Even operating systems and routers can't store neighbor cache entries for millions of hosts)
  • Collision Domains (Ethernet is still fundamentally a shared medium; physically and logically, it doesn’t scale infinitely)

So What Is the Practical Limit?
Most networks keep a few hundred to a few thousand devices per VLAN, depending on:

  •     Switch/router hardware
  •     Security policy
  •     Performance needs

Even 10,000 devices per VLAN is considered very large and rare. Back in the day, the best practice was to limit the number of devices within a single broadcast domain (VLAN) to 250 or 300, but the final decision is up to the infrastructure architect, who should take all limits and constraints into account.

What If I Use a Smaller Subnet (e.g. /126 or /112)?
It's possible, but only in specific use cases, like:
  •         Point-to-point links (e.g. /127, /126)
  •         Routing-only environments
But be careful, SLAAC and some OSes may break if the prefix is not /64.

IPv6 prefix size        Use case
/64                     Standard LAN subnet (use this unless you know better)
/126 or /127            Point-to-point links (e.g. router-router)
/128                    Single host address
< /64 (e.g. /56, /48)   Aggregated prefix blocks, not individual subnets

Link-local Addresses

A link-local address is reachable only on the same link (L2 segment). Devices generate one automatically at startup for every IPv6-enabled interface.

Link-local addresses are required for the Neighbor Discovery Protocol (NDP) and Router Advertisements (RA). In IPv6, NDP is used for address resolution (like ARP in IPv4), neighbor discovery, and router discovery. NDP is carried in ICMPv6 messages, and those messages are exchanged between link-local addresses because that is the one address every node has before any other configuration happens.
 
IPv6 subnet of link-local addresses: fe80::/10
First address: fe80::
Last address: febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 
A link-local address is composed of a prefix and an interface identifier.
The prefix is always fe80:: (the first 10 bits are 1111 1110 10 in binary).
The interface identifier is the second part of the address, and it is the portion that identifies the specific network interface on the device. There are two common ways to generate this identifier:
  1. EUI-64 (Extended Unique Identifier): 64-bit number derived from the MAC address of the network interface (for example 1111:2222:3333:4444)
  2. Randomized Interface Identifier (Privacy Extension): A typical random interface identifier might look something like fcb0:2b5a:bbf0:1001

SLAAC

SLAAC (Stateless Address Autoconfiguration) is an automatic method that allows devices to configure their own IPv6 addresses based on network prefixes advertised by routers. Link-local addresses play a crucial role here.

Steps in SLAAC (involving link-local addresses):

  • Router Advertisements (RAs)
    • Routers send Router Advertisement messages to tell hosts about the network's IPv6 prefix and configuration options.
  • SLAAC Address Generation
    • The host appends its own interface identifier (EUI-64 or randomized, just as for the link-local address) to the advertised /64 prefix to form its global address.
  • Neighbor Solicitation for Duplicate Address Detection (DAD)
    • The device sends a Neighbor Solicitation (NS) to check if the generated address is already in use on the local link.
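The two interface-identifier methods from the link-local section and the SLAAC address generation step above, as an added example (my own code, not from the original post): it derives the modified EUI-64 identifier from a MAC, builds the link-local and the SLAAC global address from it, and shows the flip side, recovering the MAC from such an address, which is the tracking problem privacy extensions (random identifiers) were introduced to remove. The MAC 00:11:22:33:44:55 and the prefix 2001:db8:1:2::/64 are constructed sample values.

```python
import ipaddress
import secrets


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 Appendix A): split the 48-bit MAC in half,
    insert ff:fe in the middle, flip the universal/local bit (0x02) of octet 0."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def random_iid() -> bytes:
    """Privacy-extension style identifier (RFC 8981): 64 random bits."""
    return secrets.token_bytes(8)


def address_from_prefix(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Put a 64-bit interface identifier behind an advertised /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def link_local(mac: str) -> ipaddress.IPv6Address:
    """Address the host forms at startup: fe80::/64 + EUI-64 identifier."""
    return address_from_prefix("fe80::/64", eui64_iid(mac))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global address formed from the RA prefix; DAD is run on it next."""
    return address_from_prefix(prefix, eui64_iid(mac))


def mac_from_eui64(addr: str):
    """Return the MAC embedded in an EUI-64 based address, or None when the
    identifier lacks the ff:fe marker (e.g. a randomized one). An EUI-64 host
    carries the same identifier into every network it joins."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)
```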

SLAAC can provide DNS:

  • RDNSS Option in Router Advertisements:
    • Modern IPv6 routers can include the RDNSS option inside their RA messages. This option tells the client which DNS servers to use, so the client doesn’t need DHCPv6 just to get DNS info.
  • Support depends on Router and Client OS:
    • Both the router and the client must support RDNSS in RA for this to work. Most modern OSes (like recent Linux, Windows, and macOS versions) support it.

DHCPv6

First of all, why is there DHCPv6 at all when IPv6 addresses can be assigned by SLAAC?

While SLAAC automatically assigns IPv6 addresses, it does not provide:

  • DNS server addresses: SLAAC can provide DNS, but some IPv6 routers still lack the RDNSS option, and then DHCPv6 is the only way to obtain DNS server addresses dynamically.
  • Other configuration settings: Devices may need additional configuration (aka DHCP options) for things like host names, domain names, NTP servers, etc.

That's why DHCPv6 could make sense in some IPv6 deployments. 

What are IA_NA and IA_PD in DHCPv6?

These are Identity Associations (IA) used in DHCPv6 (Dynamic Host Configuration Protocol for IPv6). They tell the DHCPv6 server what kind of information the client is asking for.
IAs are essential. Every DHCPv6 client request must include at least one IA:
  •     IA_NA for requesting a normal address.
  •     IA_PD for requesting a prefix.
Without IAs, the DHCPv6 server won’t know what kind of configuration the client wants. IAs also include lifetime information (valid/preferred) for addresses or prefixes.
 
IA_NA = Identity Association for Normal (non-temporary) Addresses
  • Purpose: Request a stable, public IPv6 address for the client.
  • Typical use: Used by client devices to get a normal IPv6 address for an interface (like your laptop, server, or router WAN).
  • Lifetime: Long-term, valid for as long as the lease allows.
  • Analogy: Like getting a fixed IPv4 DHCP address.
IA_PD = Identity Association for Prefix Delegation
  • Purpose: Ask for a whole IPv6 prefix (subnet) to use for downstream devices.
  • Typical use: Used by routers or firewalls to get a /56, /60, or /64 prefix that can be split and assigned to LAN interfaces.
  • Example: If your ISP delegates a /56, your router can assign /64 subnets to different internal networks.
  • Lifetime: Long-term, like IA_NA.

The minimal dhcp6c.conf, just to get an IA_NA, is this:

interface vmx0 {
       send ia-na 0;            # Request a non-temporary address
};

The dhcp6c.conf to get both IA_NA and IA_PD is this:

interface vmx0 {
       send ia-na 0;            # Request a non-temporary address
       send ia-pd 1;            # Request a delegated prefix
       send rapid-commit;       # Optional: speed up the handshake
       send domain-name-servers;# Ask for DNS info if ISP provides it
};

id-assoc na 0 {
    # No additional settings needed unless you want to override lifetimes
};

id-assoc pd 1 {
    prefix-interface vmx2 {     # Interface that gets a subnet of the delegated prefix
        sla-id 0;               # Subnet ID (e.g., /64 within a /56)
    };
};

Unique Local Addresses

A ULA prefix (Unique Local Address prefix) in IPv6 is a private, non-routable address block used within a site or organization, similar to IPv4's 10.0.0.0/8, 192.168.0.0/16, etc.

For IPv6 Unique Local Addresses (ULA), the range fc00::/7 is reserved for private, non-routable addresses.

Range fc00::/7 is split into two /8 subnets:

  • fc00::/8 — reserved for future use (currently unused)
  • fd00::/8 — commonly used (locally generated)

So for private use, we should use subnets within fd00::/8 range.

These addresses:

  • Are not routed on the public Internet
  • Are safe to use in your LAN or data center
  • Work well with SLAAC, DHCPv6, and static assignments

Documentation and Examples Addresses

There is another IPv6 prefix (2001:db8::/32) which is not globally routed.  

It is reserved (RFC 3849) for documentation and example purposes. It should really be used just for examples, tutorials, and documentation. It is not routed on the public internet, and should not appear in real networks. 

For local, non-routable subnets, a ULA prefix (fd00::/8) should be used.
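An added example (my own code, not from the original post) that ties the address ranges above together with the prefix-delegation case from the DHCPv6 section: it generates an RFC 4193 ULA /48 (fd00::/8 plus a random 40-bit Global ID, leaving fc00::/8 untouched), carves a numbered /64 out of a prefix the way dhcp6c's sla-id does (for a ULA /48 or an ISP-delegated /56), and classifies an address into the ranges this post discusses. The prefixes used in the test are constructed documentation and ULA values.

```python
import ipaddress
import secrets

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA_RESERVED = ipaddress.IPv6Network("fc00::/8")   # L=0 half, not for use yet
ULA = ipaddress.IPv6Network("fd00::/8")            # L=1 half, locally generated
DOCUMENTATION = ipaddress.IPv6Network("2001:db8::/32")


def generate_ula_prefix() -> ipaddress.IPv6Network:
    """RFC 4193: 0xfd, then a random 40-bit Global ID, gives a /48 that is
    unique enough to survive a merger with another site's ULA space."""
    global_id = secrets.token_bytes(5)                          # 40 random bits
    return ipaddress.IPv6Network((bytes([0xFD]) + global_id + bytes(10), 48))


def subnet(prefix: str, sla_id: int) -> ipaddress.IPv6Network:
    """/64 number sla_id inside prefix, e.g. one LAN out of a delegated /56."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen > 64:
        raise ValueError("prefix is already smaller than a /64")
    count = 2 ** (64 - net.prefixlen)
    if not 0 <= sla_id < count:
        raise ValueError(f"{prefix} holds only {count} /64 subnets")
    # the subnet ID occupies the bits between the prefix and the 64-bit IID
    return ipaddress.IPv6Network((int(net.network_address) + (sla_id << 64), 64))


def classify(addr: str) -> str:
    """Name the special range an address falls into; 'other' covers everything
    else, which is where a filter for "must not leave the site" traffic starts."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "ula"
    if a in ULA_RESERVED:
        return "ula-reserved"
    if a in DOCUMENTATION:
        return "documentation"
    return "other"
```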

IPv6 Public DNS Servers

In this section, I document publicly available IPv6 DNS servers.

Google's Public DNS Servers

Primary:   2001:4860:4860::8888   (IPv4 equivalent: 8.8.8.8)
Secondary: 2001:4860:4860::8844   (IPv4 equivalent: 8.8.4.4)

Cloudflare's Public DNS Servers

Cloudflare is a U.S.-based technology company that provides a suite of services to enhance website performance, security, and reliability: CDN (Content Delivery Network), security, performance, networking and DNS.

Standard DNS Servers

Primary:   2606:4700:4700::1111   (IPv4 equivalent: 1.1.1.1)
Secondary: 2606:4700:4700::1001   (IPv4 equivalent: 1.0.0.1)

Malware Blocking

Primary:   2606:4700:4700::1112   (IPv4 equivalent: 1.1.1.2)
Secondary: 2606:4700:4700::1002   (IPv4 equivalent: 1.0.0.2)

Malware and Adult Content Blocking

Primary:   2606:4700:4700::1113   (IPv4 equivalent: 1.1.1.3)
Secondary: 2606:4700:4700::1003   (IPv4 equivalent: 1.0.0.3)

Quad9's Public DNS Servers

Quad9 is a non-profit organization focused on security and privacy in DNS resolution.

Secure DNS Servers

Primary:   2620:fe::fe             (IPv4 equivalent: 9.9.9.9)
Secondary: 2620:fe::9              (IPv4 equivalent: 149.112.112.112)

Secure DNS Servers + ECS-enabled (for CDNs)

Primary:   2620:fe::11             (IPv4 equivalent: 9.9.9.11)
Secondary: 2620:fe::fe:11          (IPv4 equivalent: 149.112.112.11)

Unsecured DNS (No filtering)

Primary:   2620:fe::10             (IPv4 equivalent: 9.9.9.10)
Secondary: 2620:fe::fe:10          (IPv4 equivalent: 149.112.112.10)
