{"id":17,"date":"2018-09-20T21:25:14","date_gmt":"2018-09-21T04:25:14","guid":{"rendered":"http:\/\/chucko.com\/blog\/?p=17"},"modified":"2020-10-29T23:39:10","modified_gmt":"2020-10-30T06:39:10","slug":"an-ipv6-cheat-sheet-for-folks-familiar-with-ipv4","status":"publish","type":"post","link":"http:\/\/chucko.com\/blog\/2018\/09\/20\/an-ipv6-cheat-sheet-for-folks-familiar-with-ipv4\/","title":{"rendered":"An IPv6 cheat sheet for folks familiar with IPv4"},"content":{"rendered":"<p>In the course of setting up a new home router based on <a href=\"http:\/\/www.pfsense.org\">pfSense<\/a>, I decided to wade into the IPv6 waters. I couldn&#8217;t find the kind of short, pithy information I was looking for. So here&#8217;s what I think is important to know. It assumes the reader knows what an RFC is and <a href=\"http:\/\/ietf.org\/standards\/rfcs\/\">where to find them<\/a>, and has a passing familiarity with IPv4.<\/p>\n<p>I plan to update this as I learn more. Links to the relevant RFCs and standards will be added, eventually. Comments and corrections are welcomed.<!--more--><\/p>\n<h2>Addressing<\/h2>\n<p>128 bits total, a huge expansion from IPv4&#8217;s 32. We&#8217;ll never need to expand addressing again. (Never say never &#8211; address allocation grows to fill the available space, a corollary of Parkinson&#8217;s Law.)<\/p>\n<p>Fully specified format is 32 hex digits, separated by colons every 4 digits. Leading zeroes in a group can be omitted. E.g.<\/p>\n<pre>1234:5678:9ABC:DEF0:0FED:CBA9:8765:4321<\/pre>\n<p>Groups of all zeroes can be elided, but only once per address. Anywhere you see double colons, imagine a bunch of zeroes between them. This convention makes it a little easier to deal with the 128 bit format. Examples below.<\/p>\n<p>Networks or address ranges are specified with a slash and the number of prefix bits,\u00a0e.g. the above address is routed to the network<\/p>\n<pre>1234:5678:9ABC:DEF0::\/64<\/pre>\n<p>Interpretation varies by purpose. 
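<\/p>\n<p>The textual rules above written out as code. This is an added example, not code from the original post: the parser is deliberately hand-rolled so that the rules (eight groups, optional leading zeroes, at most one double colon) are visible, and it cross-checks nothing against a library. For real work use the Python ipaddress module, which also handles the dotted IPv4 suffix and zone indexes that this version does not.<\/p>

```python
"""Textual IPv6 address handling written out by hand, to make the rules in
the text explicit: eight 16-bit groups in hex, leading zeroes optional,
and at most one '::' standing in for a run of zero groups. Added example,
not code from the original post; for real work use the ipaddress module."""
import re

_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def parse_ipv6(text: str) -> bytes:
    """Return the 16-byte form of an IPv6 address, rejecting malformed text."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % text)
    if ":::" in text:
        raise ValueError("':::' is never valid: %r" % text)
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group: %r" % text)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d: %r" % (len(groups), text))
    out = bytearray()
    for g in groups:
        if not _GROUP.match(g):
            raise ValueError("bad group %r in %r" % (g, text))
        out += int(g, 16).to_bytes(2, "big")
    return bytes(out)


def is_valid(text: str) -> bool:
    """True if parse_ipv6 accepts the text."""
    try:
        parse_ipv6(text)
        return True
    except ValueError:
        return False


def expand(addr: bytes) -> str:
    """Fully specified form: 32 hex digits, a colon after every 4."""
    return ":".join("%04x" % int.from_bytes(addr[i:i + 2], "big")
                    for i in range(0, 16, 2))


def compress(addr: bytes) -> str:
    """Canonical short form per RFC 5952: drop leading zeroes, and replace
    the longest run of two or more zero groups with '::' (leftmost on a tie)."""
    groups = [int.from_bytes(addr[i:i + 2], "big") for i in range(0, 16, 2)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:            # strict '>' keeps the leftmost run on a tie
            best_start, best_len = i, j - i
        i = j
    hexes = ["%x" % g for g in groups]
    if best_len < 2:                    # a single zero group is written as '0'
        return ":".join(hexes)
    return (":".join(hexes[:best_start]) + "::"
            + ":".join(hexes[best_start + best_len:]))


def network_of(text: str, prefix_len: int) -> str:
    """Apply a /N mask and return the network in 'addr/N' notation."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length out of range: %d" % prefix_len)
    value = int.from_bytes(parse_ipv6(text), "big")
    mask = ((1 << prefix_len) - 1) << (128 - prefix_len)
    return "%s/%d" % (compress((value & mask).to_bytes(16, "big")), prefix_len)
```

<p>The tie-breaking and the single-zero-group rules are the two places where hand-written address comparisons usually go wrong; comparing two addresses as strings is only safe after both have been through the same canonicalisation.<\/p>
<p>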
More below.<\/p>\n<h3>Wait a minute&#8230; HOW MANY addresses per interface?<\/h3>\n<p>Typically two or more. And they serve different purposes.<\/p>\n<p>All interfaces must have a link-local address (see below). This is used between neighbors on the network segment, and by the router(s). It cannot be routed to from another network segment, so it will never be seen outside the local segment. Link-local addresses are drawn from <strong>FE80::\/10<\/strong>, and because the 54 bits after that prefix must be zero they always start with <strong>FE80:<\/strong>.<\/p>\n<p>Interfaces may also have a stable (&#8220;secured&#8221;) routable address, and a temporary one as well. These can be visible to the world.<\/p>\n<p>A network can have more than one prefix\/subnet pair. (One example being a network served by multiple ISPs for redundancy.) In this case an interface can have multiple global addresses, one or more per prefix\/subnet.<\/p>\n<p>On my Mac, &#8216;ifconfig en0&#8217; shows 3 addresses:<\/p>\n<ul>\n<li>The link-local address;<\/li>\n<li>The &#8220;secured&#8221; routable address (stable; its interface identifier is derived cryptographically rather than from the MAC address);<\/li>\n<li>The &#8220;temporary&#8221; routable address (RFC 4941; random interface identifier, regenerated periodically and preferred for outgoing connections).<\/li>\n<\/ul>\n<p>And other than the prefix\/subnet in the routable addresses, they have <em>no<\/em> fields the same.<\/p>\n<h3>Unicast\/anycast address format and subnetting<\/h3>\n<p>The usual layout, for a site that has been allotted a \/48:<\/p>\n<pre>pppp:pppp:pppp:ssss:iiii:iiii:iiii:iiii<\/pre>\n<p>where:<br \/>\n<strong>p<\/strong> &#8211; network <strong>prefix<\/strong>, 48 bits<br \/>\n<strong>s<\/strong> &#8211; <strong>subnet<\/strong>, 16 bits<br \/>\n<strong>i<\/strong> &#8211; <strong>interface identifier<\/strong>, 64 bits<\/p>\n<p>In the first example:<\/p>\n<ul>\n<li>The upper 48 bits (<strong>1234:5678:9ABC<\/strong>) are the routing prefix.<\/li>\n<li>Next 16 bits (<strong>DEF0<\/strong>) are the subnet ID. The prefix and subnet combined are 64 bits.<\/li>\n<li>Last 64 bits (<strong>0FED:CBA9:8765:4321<\/strong>) are the interface identifier.<\/li>\n<\/ul>\n<p>IPv6 subnets are 64 bits MINIMUM: a subnet prefix is at most \/64, so the interface identifier always has 64 bits to itself. 
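<\/p>\n<p>The several addresses per interface, and the prefix\/subnet\/interface-identifier split, worked through in code. This is an added example, not code from the original post. The interface dump it parses is constructed (it uses the 2001:db8::\/32 documentation prefix rather than a real allocation), but the line layout and the flag words secured, temporary and autoconf are the ones macOS ifconfig prints.<\/p>

```python
"""Sort out the several IPv6 addresses one interface carries, from the kind
of output macOS ifconfig prints. Added example, not code from the original
post. The interface dump is constructed: it uses the 2001:db8::/32
documentation prefix, and the flag words (secured, temporary, autoconf)
are the ones macOS shows."""
import ipaddress

SAMPLE_IFCONFIG = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet6 fe80::a4e1:c01f:3b2d:9e50%en0 prefixlen 64 secured scopeid 0x6
\tinet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255
\tinet6 2001:db8:4d2:1:1cd3:8e0f:a2b1:77c4 prefixlen 64 autoconf secured
\tinet6 2001:db8:4d2:1:9c61:2e8b:f0a5:3d17 prefixlen 64 autoconf temporary
"""


def split_fields(addr):
    """pppp:pppp:pppp:ssss:iiii:iiii:iiii:iiii -> (48-bit prefix, 16-bit subnet, 64-bit IID)."""
    v = int(ipaddress.IPv6Address(addr))
    return v >> 80, (v >> 64) & 0xFFFF, v & ((1 << 64) - 1)


def address_role(addr, flags):
    """Name the role the cheat sheet gives each address."""
    if addr.is_link_local:
        return "link-local"
    if "temporary" in flags:       # RFC 4941 privacy address, short lived
        return "temporary"
    if "secured" in flags:         # stable address with an opaque IID
        return "secured"
    return "static"                # hand-configured or DHCPv6-assigned


def interface_addresses(ifconfig_text):
    """Return [(address, prefixlen, role, (prefix, subnet, iid)), ...]
    for every inet6 line in an ifconfig dump."""
    results = []
    for line in ifconfig_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "inet6":
            continue
        # "%en0" is the zone index: a local hint, not part of the address
        addr = ipaddress.IPv6Address(tokens[1].split("%")[0])
        plen = int(tokens[tokens.index("prefixlen") + 1])
        flags = set(tokens[2:])
        results.append((addr, plen, address_role(addr, flags), split_fields(addr)))
    return results


def shared_fields(results):
    """Which of prefix / subnet / iid do the routable addresses have in common?"""
    routable = [r for r in results if r[2] != "link-local"]
    shared = []
    for idx, name in enumerate(("prefix", "subnet", "iid")):
        if len({r[3][idx] for r in routable}) == 1:
            shared.append(name)
    return shared


def on_link_network(result):
    """The /64 the address was configured from."""
    addr, plen = result[0], result[1]
    return ipaddress.IPv6Network((int(addr), plen), strict=False)
```

<p>Run against the sample, the three addresses come out as link-local, secured and temporary, the two routable ones share exactly the prefix and subnet fields, and no two of the three share an interface identifier, which is the observation the text makes. The temporary address is the one that should show up in outbound connection logs; the secured one is what a remote party can reach the host at consistently.<\/p>
<p>The 64-bit split matters for more than tidiness. 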
This helps facilitate autoconfiguration.<\/p>\n<h4>Anycast<\/h4>\n<p>Anycast is &#8220;one-to-one-of-many&#8221;, used for (e.g.) failover, load sharing, etc. An anycast address is syntactically an ordinary unicast address; it is anycast only because more than one interface is configured with it and routing delivers to the nearest.<\/p>\n<p>There are two reserved sets of anycast addresses:<\/p>\n<ul>\n<li>The Subnet-Router anycast address has an interface ID of all zeroes (RFC 4291); every router on the subnet must accept packets sent to it.<\/li>\n<li>RFC 2526 reserves the top 128 interface IDs of every subnet, <strong>x:x:x:x:FFFF:FFFF:FFFF:FF80\/121<\/strong>, for subnet anycast (for interface IDs in EUI-64 format the universal\/local bit is complemented, so the reserved range reads <strong>x:x:x:x:FDFF:FFFF:FFFF:FF80\/121<\/strong>).<br \/>\nCurrently only the highest, <strong>x:x:x:x:FFFF:FFFF:FFFF:FFFE<\/strong>, is assigned, to<br \/>\nMobile IPv6 Home-Agents; all others are reserved.<\/li>\n<\/ul>\n<h4>Link-local<\/h4>\n<p>Link-local addresses are in the <strong>FE80::\/10<\/strong> block. They take the form:<\/p>\n<pre>FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx<\/pre>\n<p>Which is usually abbreviated as:<\/p>\n<pre>FE80::xxxx:xxxx:xxxx:xxxx<\/pre>\n<p>The last 64 bits are again the interface identifier.<\/p>\n<p>Link-local addresses CANNOT be routed. Because every link has its own <strong>FE80::\/64<\/strong>, a host with more than one interface needs a zone index to tell them apart; it is written as a suffix, e.g. <strong>fe80::1%en0<\/strong>.<\/p>\n<h3>Multicast format<\/h3>\n<pre>FFfs:gggg:gggg:gggg:gggg:gggg:gggg:gggg<\/pre>\n<p><strong>FF<\/strong> &#8211; 8 bits, all 1s<br \/>\n<strong>f<\/strong> &#8211; flags, 4 bits (0RPT: reserved, Rendezvous point embedded, Prefix based, Transient)<br \/>\n<strong>s<\/strong> &#8211; scope, 4 bits (1 interface, 2 link, 3 realm, 4 admin, 5 site, 8 organization, E global)<br \/>\n<strong>g<\/strong> &#8211; group ID (112 bits)<\/p>\n<p>There are many variations. Some are significant for router administrators; see below.<\/p>\n<h3>Special address blocks<\/h3>\n<ul>\n<li><strong>::\/0<\/strong> &#8211; routing, default route<\/li>\n<li><strong>::\/128<\/strong> &#8211; unspecified address (all zeroes); used as the source address before a host has one, e.g. during Duplicate Address Detection<\/li>\n<li><strong>::1\/128<\/strong> &#8211; loopback (internal to originating host)<br \/>\nThe IPv6 equivalent of <strong>127.0.0.1<\/strong>.<\/li>\n<li><strong>::ffff:0:0\/96<\/strong> &#8211; IPv4 mapped addresses<br \/>\n(i.e. <strong>0:0:0:0:0:FFFF:x:x<\/strong>)<br \/>\nBottom 32 bits represent the IPv4 address. These are not meant to appear on the wire; a dual-stack socket bound to <strong>::<\/strong> sees its IPv4 peers in this form, so address checks written only against IPv4 literals can miss them.<\/li>\n<li><strong>::ffff:0:0:0\/96<\/strong> &#8211; IPv4 translated addresses (from the original SIIT specification, RFC 2765; historical)<br \/>\n(i.e. 
<strong>0:0:0:0:FFFF:0:x:x<\/strong>)<br \/>\nBottom 32 bits represent the IPv4 address.<\/li>\n<li><strong>64:ff9b::\/96<\/strong> &#8211; NAT64 well-known prefix (RFC 6052), used by IPv6\/IPv4 translators; this is not 6to4<br \/>\n(i.e. <strong>64:ff9b:0:0:0:0:x:x<\/strong>, bottom 32 bits the IPv4 address)<\/li>\n<li><strong>100::\/64<\/strong> &#8211; Discard prefix (RFC 6666), for remotely triggered black-holing<\/li>\n<li><strong>2001::\/32<\/strong> &#8211; Teredo tunneling (RFC 4380)<\/li>\n<li><strong>2001:2::\/48<\/strong> &#8211; Reserved for benchmarking (RFC 5180, Benchmarking Methodology Working Group)<\/li>\n<li><strong>2001:20::\/28<\/strong> &#8211; ORCHIDv2 crypto hash identifiers (RFC 7343), not routable<\/li>\n<li><strong>2001:db8::\/32<\/strong> &#8211; Documentation and examples (RFC 3849), not routable<\/li>\n<li><strong>2002::\/16<\/strong> &#8211; 6to4 (RFC 3056); the public anycast relay service (RFC 3068) was deprecated by RFC 7526<\/li>\n<li><strong>FC00::\/8<\/strong> is the half of the unique local block (<strong>FC00::\/7<\/strong>) reserved for centrally assigned prefixes, but no registry was ever set up for allocation, so this range is unused.<\/li>\n<li><strong>FD00::\/8<\/strong> &#8211; Unique local addresses, not routable outside site or organization (RFC 4193)<br \/>\nAnalogous to IPv4 <strong>10.0.0.0\/8<\/strong> or <strong>192.168.0.0\/16<\/strong> &#8211; private networks not exposed to the outside world.<br \/>\nThe following 40 bits (the Global ID) must be generated pseudo-randomly, so that two sites that later merge or connect are unlikely to collide; the 16-bit subnet IDs are assigned locally. The general form is:<br \/>\n<strong>FDpp:pppp:pppp:ssss::\/64<\/strong><br \/>\nwhere:<br \/>\n<strong>FD<\/strong> &#8211; first 8 bits (1111 1101)<br \/>\n<strong>p<\/strong> &#8211; 40 bits of prefix<br \/>\n<strong>s<\/strong> &#8211; 16 bits of subnet<br \/>\nUnique local addresses are routed the same as global ones within the site, but must never leave it: filter them at the border and never announce them to a provider.<\/li>\n<li><strong>FE80::\/10<\/strong> (effectively <strong>FE80::\/64<\/strong>, as the next 54 bits must be zeroes) &#8211; Link-local address, not routable outside originating net segment<\/li>\n<li><strong>FF00::\/8<\/strong> &#8211; Multicast<br \/>\nMany options. 
See <a href=\"https:\/\/www.iana.org\/assignments\/ipv6-multicast-addresses\/ipv6-multicast-addresses.xhtml\">https:\/\/www.iana.org\/assignments\/ipv6-multicast-addresses\/ipv6-multicast-addresses.xhtml<\/a><br \/>\nSome specific variants that will show up in router logs:<br \/>\n<strong>FF02::1<\/strong> &#8211; All-nodes, link-local. Router Advertisements and unsolicited Neighbor Advertisements are sent here.<br \/>\n<strong>FF02::2<\/strong> &#8211; All-routers, link-local. Router Solicitations go here.<br \/>\n<strong>FF02::1:2<\/strong> &#8211; All DHCP servers\/relay agents, link-local. You&#8217;ll see these if your network uses DHCPv6 locally (or if a host merely tries to).<br \/>\n<strong>FF02::1:FFxx:xxxx<\/strong> &#8211; Solicited-node, link-local. Formed from the low 24 bits of a unicast address; Neighbor Solicitation (the ARP replacement) and Duplicate Address Detection are sent here, so every host joins one of these groups per address.<\/li>\n<\/ul>\n<h3>Address Allocation<\/h3>\n<p>One of the goals of IPv6 was to simplify network administration, in part by freeing admins from having to do address and subnet allocation. Most common situations on a small network require little or no input from a human. You can still hard-wire addresses &#8211; but why? (Routers, servers and anything a firewall rule or DNS record has to name are the usual exceptions.)<\/p>\n<p>The down side, of course, is that autoconfigured addresses are harder to associate with a particular host or role, which can make troubleshooting (and incident response) more difficult: if you need a durable address-to-host mapping, log the router&#8217;s neighbor table or use stateful DHCPv6.<\/p>\n<p>Stateless Address Autoconfiguration (SLAAC) is a plug-n-play method of allocating routable addresses without need of a central authority like DHCP. Periodic Router Advertisement (RA, see Neighbor Discovery Protocol) messages deliver a prefix to the host (along with router info), and the host then generates an address, which then undergoes Duplicate Address Detection via NDP on the local link before it is assigned. RAs are not authenticated: any host on the link can announce itself as a router or push a bogus prefix (RFC 6104 catalogues the rogue-RA problem), and the usual defence is RA Guard on the switch (RFC 6105), which drops RAs arriving on ports that should not have a router behind them.<\/p>\n<p>The simplest way of generating an address is via modified EUI-64. Interface identifiers are derived from the MAC address by inserting <strong>FF:FE<\/strong> in the middle and inverting the 7th bit of the first byte (the universal\/local bit, mask <strong>0x02<\/strong>); e.g. 
the MAC address<\/p>\n<pre>00:e3:e1:c2:ea:d6<\/pre>\n<p>becomes<\/p>\n<pre>p:p:p:s:02E3:E1FF:FEC2:EAD6<\/pre>\n<p>where the p&#8217;s are the prefix and s the subnet.<\/p>\n<p>Note what that gives away: anyone who sees such an address can read the MAC address back out of it (undo the bit flip, drop the <strong>FF:FE<\/strong>), and the identifier is the same on every network the host visits, so the host can be tracked from network to network. That is why the stable and temporary addresses described earlier exist.<\/p>\n<p>There are other documented ways to generate an interface identifier: RFC 7217 stable, opaque identifiers (a hash of a per-host secret key, the prefix and the interface name), which RFC 8064 recommends as the default; and Cryptographically Generated Addresses (RFC 3972), used with SEND.<\/p>\n<p>There are several ways to allocate temporary addresses (RFC 4941). Their purpose is to reduce the likelihood of associating a particular global IPv6 address with a particular user or host. They have a limited lifetime, on the order of a day, and hosts prefer them for outgoing connections.<\/p>\n<p><em>more to be added<\/em><\/p>\n<h2>Domain Name System<\/h2>\n<p>Transport is unchanged from IPv4, UDP first, falling back to TCP, both on port <strong>53<\/strong>. Transport and record type are independent: a resolver reached over IPv4 can return IPv6 answers and vice versa.<\/p>\n<p>Address records for IPv6 use the <strong>AAAA<\/strong> type in place of the <strong>A<\/strong> type for IPv4. Format is as described above. Everything else is identical.<\/p>\n<p>Reverse resolution is done in the <strong>ip6.arpa<\/strong> domain, in place of <strong>in-addr.arpa<\/strong> for IPv4. In the query name the fully expanded address is reversed, as in IPv4, but with one hex digit (nibble) per label, 32 labels in all!<\/p>\n<h2>Dynamic Host Configuration Protocol (DHCPv6)<\/h2>\n<p>Clients use UDP port <strong>546<\/strong>, servers <strong>547<\/strong>.<\/p>\n<p>DHCP Unique Identifier (DUID) per client. 2-byte type, up to 128 byte ID. 4 types are defined (RFCs 3315, 6355). A DUID is meant to stay constant for the life of the client and is not tied to any one interface, which is why reserving an address by MAC, as with DHCPv4, is not straightforward.<\/p>\n<p>RFC 6939 defines the Client Link-Layer Address Option, which lets a relay agent pass the client&#8217;s MAC address to the server so that clients can be identified by MAC after all. Not widely used.<\/p>\n<p>Prefix Delegation (RFCs 3633, 6603, 7550; the base protocol and PD are now consolidated in RFC 8415) allows routers at the network edge to request a unique routable prefix from the upstream provider.<\/p>\n<p>Many uses of DHCP in IPv4 are replaced by Neighbor Discovery Protocol and Router Advertisements. Whether hosts use DHCPv6 at all is decided by the router, through the M (managed address) and O (other configuration) flags in its RAs; and even with DHCPv6 the default route still comes from the RA, since DHCPv6 has no router option. Which leads us to&#8230;<\/p>\n<h2>Internet Control Message Protocol (ICMPv6)<\/h2>\n<p>ICMP takes on a bigger role in IPv6, so it cannot be blanket-blocked at a firewall the way ICMP often is in IPv4: RFC 4890 lists which ICMPv6 types must be let through (Packet Too Big, for instance, since IPv6 routers never fragment).<\/p>\n<p>Neighbor Discovery Protocol (NDP, RFC 4861) replaces ARP and some functions of DHCP. 
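<\/p>\n<p>The modified EUI-64 derivation above, its inverse, the RFC 4193 unique-local prefix generator (which seeds itself from the same EUI-64), and the ip6.arpa reverse name from the DNS section, worked through in one place. This is an added example, not code from the original post: the MAC address is the one quoted in the text, the prefix comes from the 2001:db8::\/32 documentation range rather than a real allocation, and the NTP timestamp passed to the ULA generator in the usage is an arbitrary constant so the result is reproducible.<\/p>

```python
"""From a MAC address to a modified EUI-64 interface identifier to a SLAAC
address to its ip6.arpa name, and back again; plus the RFC 4193 unique
local prefix algorithm, which starts from the same EUI-64. Added example,
not code from the original post: the MAC is the one quoted in the text and
the prefix is from the 2001:db8::/32 documentation range."""
import hashlib
import ipaddress
import struct
import time
from typing import Optional


def mac_to_modified_eui64(mac: str) -> int:
    """Insert FF:FE between the OUI and the device part, then flip the
    universal/local bit (bit 0x02 of the first byte)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address: %r" % mac)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an on-link /64 prefix with the modified EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_modified_eui64(mac))


def embedded_mac(addr) -> Optional[str]:
    """The inverse: if the interface identifier has FF:FE in bytes 3-4 it is
    almost certainly modified EUI-64, and the MAC falls straight out. This is
    why EUI-64 identifiers let a host be tracked from network to network."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in mac)


def ula_prefix(mac: str, ntp_time: Optional[int] = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of
    SHA-1(64-bit NTP timestamp || EUI-64); prefix = FD00::/8 | Global ID, a /48."""
    if ntp_time is None:
        # seconds since 1900 in the upper 32 bits, fraction in the lower 32
        ntp_time = int((time.time() + 2208988800) * (1 << 32))
    key = struct.pack(">QQ", ntp_time & ((1 << 64) - 1), mac_to_modified_eui64(mac))
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def ip6_arpa(addr) -> str:
    """Reverse-lookup name: the fully expanded address, one hex digit per
    label, least significant nibble first, under ip6.arpa."""
    nibbles = "%032x" % int(ipaddress.IPv6Address(addr))
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


if __name__ == "__main__":
    MAC = "00:e3:e1:c2:ea:d6"
    addr = slaac_address("2001:db8:4d2:1::/64", MAC)
    print(addr, "embeds", embedded_mac(addr))
    print("PTR name:", ip6_arpa(addr))
    print("ULA /48 for this host:", ula_prefix(MAC, ntp_time=0x1234567890ABCDEF))
```

<p>Two things worth noticing when running it: the embedded_mac check is a cheap way to flag hosts on a network that are still using EUI-64 identifiers (an asset inventory or a DHCPv6-less network audit can scan the neighbor table for the FF:FE signature), and the ULA generator is deterministic for a given timestamp, which is exactly why RFC 4193 insists the timestamp be taken at generation time and not reused.<\/p>
<p>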
RFC 8106 (which obsoletes RFCs 6106 and 5006) adds the Recursive DNS Server and DNS Search List options to Router Advertisements. With them a simple network needs no DHCPv6 at all. RFC 8106 is a Proposed Standard and the options are now widely implemented in host stacks.<\/p>\n<p>Secure Neighbor Discovery (SEND, RFCs 3971, 6494) is a variant that binds addresses to public keys with Cryptographically Generated Addresses (CGA, RFC 3972) and authorizes routers with certificates; RFC 6494 aligns the certificate profile with the Resource Public Key Infrastructure (RPKI). It is rarely deployed, which is why link-layer defences such as RA Guard matter in practice.<\/p>\n<p>Multicast Listener Discovery (MLD) replaces IGMP. (RFC 2710)<\/p>\n<p>MLDv2 (RFC 3810) adds source-specific filtering, as IGMPv3 does for IPv4.<\/p>\n<p><em>more to be added<\/em><\/p>\n<h2>Stuff found in router logs<\/h2>\n<p>These are examples of blocked messages on my LAN, seen in the router log:<\/p>\n<ul>\n<li><strong>[fe80::xxxx:xxxx:xxxx:xxxx]:50926<\/strong> -&gt; <strong>[ff02::1]:10001<\/strong>, UDP<br \/>\n(Link-local interface to link-local all-nodes multicast on an unassigned port)<br \/>\nThis is our Ubiquiti access point looking for its controller every 10 seconds. It isn&#8217;t answered because there&#8217;s no controller running on our net most of the time. The router ignores it, as it should; what happens in <strong>FE80::\/10<\/strong> stays in <strong>FE80::\/10<\/strong>.<\/li>\n<li><strong>[fe80::xxxx:xxxx:xxxx:xxxx]:546<\/strong> -&gt; <strong>[ff02::1:2]:547<\/strong>, UDP<br \/>\n(Link-local interface to link-local all-DHCP-agents multicast, DHCPv6)<br \/>\nSome host is trying to query a DHCPv6 server every 2 minutes. It&#8217;s not going anywhere because there isn&#8217;t one; we&#8217;re using SLAAC. Again, the router ignores it.<\/li>\n<li><strong>[2600:1700:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:51217<\/strong> -&gt; <strong>[2620:100:xxxx:x::xxxx:xxxx]:443<\/strong>, TCP:RA<br \/>\n(Public address on our LAN to external public address, HTTPS)<br \/>\nThis looks like an attempt to reject data sent on a closed HTTPS connection (R-reset, A-ack). 
See RFC 793.\u00a0Not sure why this particular message was dropped.<\/li>\n<\/ul>\n<p>Feel free to send me more examples to dissect.<\/p>\n<h5>Revision history<\/h5>\n<p>2020-10-29 Minor formatting fixes<\/p>\n<p>2018-09-20 Initial version<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the course of setting up a new home router based on pfSense, I decided to wade into the IPv6 waters. I couldn&#8217;t find the kind of short, pithy information I was looking for. So here&#8217;s what I think is important to know. It assumes the reader knows what an RFC is and where to<\/p>\n<p class=\"more-link-wrapper\"><a href=\"http:\/\/chucko.com\/blog\/2018\/09\/20\/an-ipv6-cheat-sheet-for-folks-familiar-with-ipv4\/\" class=\"more-link\">Continue Reading<span class=\"screen-reader-text\"> &#8220;An IPv6 cheat sheet for folks familiar with IPv4&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[2,14],"_links":{"self":[{"href":"http:\/\/chucko.com\/blog\/wp-json\/wp\/v2\/posts\/17"}],"collection":[{"href":"http:\/\/chucko.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/chucko.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/chucko.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/chucko.com\/blog\/wp-json\/wp\/v2\/comments?post=17"}],"version-history":[{"count":6,"href":"http:\/\/chucko.com\/blog\/wp-json\/wp\/v2\/posts\/17\/revisions"}],"predecessor-version":[{"id":188,"href":"http:\/\/chucko.com\/blog\/wp-json\/wp\/v2\/posts\/17\/revisions\/188"}],"wp:attachment":[{"href":"http:\/\/chucko.com\/blog\/wp-json\/wp\/v2\/media?parent=17"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/chucko.com\/blog\/wp-json\/wp\/v2\/categories?post=17"},{"taxonomy":"post_tag","embeddable":true,"href":"htt
p:\/\/chucko.com\/blog\/wp-json\/wp\/v2\/tags?post=17"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}