IPv6 basics
Authors: Lauri Sormunen, Timo Hämäläinen and Mikhail Zolotukhin
Introduction
What are IPv4 and IPv6?
- Internet Protocol version 4 or 6
- Layer 3 (network layer) protocols
- Responsible only for routing packets to intended destination - and nothing else!
- IPv4 and IPv6 are entirely separate protocols and do not interact
Address space of IPv4
IPv4 addresses: an identifier consisting of 32 bits, or 4 bytes
- Usually presented as a tuple of decimal numbers, separated by dots
- e.g. address 130.234.4.30 in different formats
Format | Byte 1 | Byte 2 | Byte 3 | Byte 4 |
---|---|---|---|---|
Decimal | 130 | 234 | 4 | 30 |
Binary | 10000010 | 11101010 | 00000100 | 00011110 |
Hexadecimal | 82 | ea | 04 | 1e |
Address space of IPv6
IPv6 addresses: an identifier consisting of 128 bits, or 16 bytes
- Usually presented as a tuple of hexadecimal numbers, separated by colons
- e.g. address 2001:123:4567:89ab:cdef:0:82ea:041e in different formats
Format | Byte block 1 | Byte block 2 | Byte block 3 | Byte block 4 | Byte block 5 | Byte block 6 | Byte block 7 | Byte block 8 |
---|---|---|---|---|---|---|---|---|
Decimal | 8193 | 291 | 17767 | 35243 | 52719 | 0 | 33514 = 130 * 2^8 + 234 | 1054 = 4 * 2^8 + 30 |
Binary | 00100000 00000001 | 00000001 00100011 | 01000101 01100111 | 10001001 10101011 | 11001101 11101111 | 00000000 00000000 | 10000010 11101010 | 00000100 00011110 |
Hexadecimal | 2001 | 123 | 4567 | 89ab | cdef | 0 | 82ea | 41e |
IPv6 address representation
8 blocks of 2 bytes
Leading zeroes of each block are omitted
One run of consecutive zero blocks can be replaced with "::", but only once per address
For example:
2001:0:0:0:aaaa:bbbb:cccc:dddd is shortened to 2001::aaaa:bbbb:cccc:dddd
2001:0:0:0:aaaa:0:0:dddd can be shortened to either 2001::aaaa:0:0:dddd or 2001:0:0:0:aaaa::dddd.
The first 64 bits represent the network ID, the last 64 bits the host ID.
A few notable address types
Prefix | Use | Explanation |
---|---|---|
2000::/3 | Global Unicast | Global Unicast addresses. The most common address type. |
ff00::/8 | Multicast | Multicast group addresses |
fe80::/10 | Link-Local | Addresses only used on a single link or Ethernet LAN / WLAN |
fc00::/7 | Unique Local Addresses (ULAs) | Private network addresses, which are not routed in WAN. Used in exercises! |
See IPv6 reference card for more details.
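The shortening rules and the prefix table above can be checked mechanically. The following is an added example written for these notes, not code from the original slides: it expands a textual IPv6 address to its full 8-block form, compresses it back following the rules on the previous slide (with the RFC 5952 tie-break of choosing the leftmost of two equally long zero runs, which matches the first alternative given for 2001:0:0:0:aaaa:0:0:dddd), classifies an address against the prefixes in the table, and cross-checks the result against Python's standard ipaddress module. The address-type list and the "Other / reserved" label are this example's own.

```python
import ipaddress

# Prefixes from the address-type table above: (prefix, prefix length, name).
ADDRESS_TYPES = [
    ("2000::", 3, "Global Unicast"),
    ("ff00::", 8, "Multicast"),
    ("fe80::", 10, "Link-Local"),
    ("fc00::", 7, "Unique Local Address"),
]


def expand(addr: str) -> str:
    """Full 8-block form, every block zero-padded to 4 hex digits (the inverse of the shortening rules)."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in addr:
        head, tail = addr.split("::")
        head_blocks = head.split(":") if head else []
        tail_blocks = tail.split(":") if tail else []
        missing = 8 - len(head_blocks) - len(tail_blocks)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        blocks = head_blocks + ["0"] * missing + tail_blocks
    else:
        blocks = addr.split(":")
    if len(blocks) != 8:
        raise ValueError(f"expected 8 blocks, got {len(blocks)}")
    if any(not 1 <= len(b) <= 4 for b in blocks):
        raise ValueError("each block is 1 to 4 hex digits")
    return ":".join(f"{int(b, 16):04x}" for b in blocks)


def compress(addr: str) -> str:
    """Shortest form: drop leading zeroes, replace the longest zero run (2+ blocks, leftmost on a tie) with '::'."""
    blocks = [int(b, 16) for b in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == 0:
            j += 1
        if j - i > best_len:            # strictly longer, so the leftmost run wins ties
            best_start, best_len = i, j - i
        i = j
    hexblocks = [f"{b:x}" for b in blocks]
    if best_len < 2:                    # a lone zero block is written out as "0"
        return ":".join(hexblocks)
    head = ":".join(hexblocks[:best_start])
    tail = ":".join(hexblocks[best_start + best_len:])
    return f"{head}::{tail}"


def classify(addr: str) -> str:
    """Name the address type by matching the table's prefixes bit by bit."""
    value = int(expand(addr).replace(":", ""), 16)
    for prefix, length, name in ADDRESS_TYPES:
        mask = ((1 << length) - 1) << (128 - length)
        if value & mask == int(expand(prefix).replace(":", ""), 16) & mask:
            return name
    return "Other / reserved"


def matches_stdlib(addr: str) -> bool:
    """Cross-check: our expand/compress agree with Python's ipaddress module."""
    parsed = ipaddress.IPv6Address(addr)
    return parsed.exploded == expand(addr) and parsed.compressed == compress(addr)


if __name__ == "__main__":
    for a in ["2001:0:0:0:aaaa:bbbb:cccc:dddd", "2001:0:0:0:aaaa:0:0:dddd",
              "2001:123:4567:89ab:cdef:0:82ea:041e", "fe80::1", "fd00::1", "ff02::1", "::1"]:
        print(f"{a:40} -> {compress(a):28} {classify(a):22} stdlib agrees: {matches_stdlib(a)}")
```

Note that a single zero block is left as "0" rather than shortened to "::": that is what RFC 5952 prescribes and what the ipaddress module does, so the two stay in agreement for every address the test feeds in.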
How large is IPv6 Internet?
Theoretical number of IPv4 addresses: \(2^{32} = 4\,294\,967\,296\)
Theoretical number of IPv6 addresses: \(2^{128} \approx 3.4 \cdot 10^{38}\)
=> IPv6 Internet could contain 79 228 162 514 264 337 593 543 950 336 IPv4 Internets!
Practically, some addresses are reserved for different uses, e.g. broadcast, multicast, NATed LAN/Link-Local
Additionally, netmask length is almost always 64 bits in IPv6 Internet. Therefore the first 64 bits identify the network and last 64 bits the device in the network.
=> There are \(2^{64}\) addresses available for devices in a single LAN!
Why IPv6?
- Global depletion of IPv4 addresses
- NAT "solved" this in the 90s
- Finnish ISPs have not depleted their allocations of IPv4 addresses
- Restores end-to-end principle of the Internet (broken by NAT)
- Better support for mobility (Mobile IP)
- "Mandatory" IPsec (was changed from "must implement" to "should" in RFC6434)
- Simpler header structure: always 40 bytes + extension headers
- Includes unused flow label of 20 bits
However:
- NAT has (so far) extended lifetime of IPv4
- End-to-end reachability is not required, since the client-server model works with NAT
- i.e. servers have public availability, clients do not
- Mobile IP was also implemented to IPv4 with subtle differences
- ...and mobile IP has almost no demand
- Security is not better, since IPsec is not required to be implemented
- No "killer apps" for IPv6 Internet
Differences to IPv4
- Many Layer 3 protocols have IPv6-specific versions, e.g. ICMPv6
- Server applications often have to be explicitly configured to accept IPv6 connections
- No broadcast addresses - instead multicast support is "better"
- In a LAN, ff02::1 is the Link-Local all-nodes multicast address
- No ARP, instead Neighbor Discovery Protocol (NDP)
- Clients send Neighbor Solicitations
- Routers answer with Neighbor Advertisements
- IP addresses are acquired using either DHCPv6 or Stateless Address Autoconfiguration (SLAAC)
- Overview of SLAAC: Clients joining network send Link-Local Multicast ICMPv6 messages to discover routers and other devices
- Clients send Router Solicitations
- Routers send Router Advertisements
- In exercises, we enable DHCPv6 to make sure each device detects that it is in an IPv6-enabled network
- Duplicate Address Detection (DAD) is used to detect if same host ID (last 64 bits) exists in the network
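To make the SLAAC and NDP steps concrete, here is an added example (written for these notes, not code from the original slides or from any network stack) that does what a host does on joining a link: it derives a modified EUI-64 host ID from its MAC address (RFC 4291, Appendix A), forms the fe80::/64 link-local address, combines the /64 prefix learned from a Router Advertisement into a global address, and computes the solicited-node multicast group ff02::1:ffXX:XXXX to which the Neighbor Solicitation for Duplicate Address Detection is sent. The MAC address and the 2001:db8:1:2::/64 prefix are constructed sample values. The last function shows why MAC-derived host IDs are discouraged later in these notes: the MAC can be read straight back out of the address.

```python
import ipaddress
from typing import Optional


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) from a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 6 bytes")
    # Split the MAC in half, insert ff:fe, and flip the universal/local bit (bit 1 of the first octet).
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, iid: int) -> str:
    """Address a SLAAC host forms: the /64 prefix from a Router Advertisement + its 64-bit host ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    if not 0 <= iid < 1 << 64:
        raise ValueError("interface ID must fit in 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def link_local_address(iid: int) -> str:
    """First address every interface configures, before any router is heard from (fe80::/64)."""
    return slaac_address("fe80::/64", iid)


def solicited_node_group(addr: str) -> str:
    """Multicast group ff02::1:ffXX:XXXX that a Neighbor Solicitation (including DAD) for addr is sent to."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))


def mac_from_address(addr: str) -> Optional[str]:
    """If the host ID is EUI-64 derived, the MAC can be recovered from the address; otherwise None."""
    host = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    eui = host.to_bytes(8, "big")
    if eui[3:5] != b"\xff\xfe":
        return None
    octets = bytes([eui[0] ^ 0x02]) + eui[1:3] + eui[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:1b:21:aa:bb:cc"                      # constructed sample MAC
    iid = eui64_iid(mac)
    ll = link_local_address(iid)
    ga = slaac_address("2001:db8:1:2::/64", iid)   # constructed prefix, as if announced in an RA
    print("MAC              ", mac)
    print("link-local       ", ll)
    print("global (SLAAC)   ", ga)
    print("DAD / NS sent to ", solicited_node_group(ga))
    print("MAC recovered    ", mac_from_address(ga))
```

Because only the low 24 bits of the address select the solicited-node group, many hosts on a link never receive each other's Neighbor Solicitations, which is what keeps NDP traffic far below what an IPv4 broadcast ARP would generate.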
Security considerations
- Restoration of end-to-end Internet => Every device reachable by any device
- Security of e.g. IoT devices is not convincing
- DDoS attacks by smurf attacks or using compromised devices
- IPv6 header structure is simpler, but allows usage of IPv6 header extensions, enabling DoS attacks.
- Most modern routers implement dual stack - but not all. If IPv6 is available, it is often preferred.
- IPv6 may be enabled without the user's knowledge, which offers alternative attack channels bypassing NAT and IPv4 firewalls.
- Some routers and IDSs are not equipped to handle IPv6 firewalling properly
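The "40 bytes + extension headers" layout from the "Why IPv6?" slide and the extension-header concern on this slide are both visible in a parser. Below is an added example written for these notes (not code from the original slides or from any real router or IDS): it decodes the fixed IPv6 header, including the 20-bit flow label, then walks the Next Header chain through Hop-by-Hop, Routing, Fragment and Destination Options headers, and gives up once the chain exceeds a budget, which is the kind of limit a firewall applies so that a long chain cannot consume unbounded parsing work or push the transport header out of its inspection window. The two packet builders produce constructed sample packets (fd00::1 to fd00::2, ICMPv6 checksum left at zero); the header budget of 8 is this example's own choice.

```python
import struct
import ipaddress

EXT_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment", 60: "Destination Options"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}


def parse_ipv6(pkt: bytes, max_ext: int = 8) -> dict:
    """Decode the 40-byte fixed header, then walk the extension-header chain up to max_ext headers."""
    if len(pkt) < 40:
        raise ValueError("truncated: the fixed IPv6 header is 40 bytes")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    end = 40 + payload_len
    if end > len(pkt):
        raise ValueError("payload length runs past the end of the buffer")
    info = {
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,      # the 20-bit field mentioned on the "Why IPv6?" slide
        "payload_length": payload_len,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
        "extensions": [],
    }
    offset = 40
    while next_hdr in EXT_HEADERS:
        if len(info["extensions"]) >= max_ext:
            raise ValueError(f"more than {max_ext} extension headers; refusing to parse further")
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        # Fragment header is always 8 bytes; the others carry their length in 8-byte units, not counting the first 8.
        hdr_len = 8 if next_hdr == 44 else (pkt[offset + 1] + 1) * 8
        if offset + hdr_len > end:
            raise ValueError("extension header length exceeds payload")
        info["extensions"].append((EXT_HEADERS[next_hdr], hdr_len))
        next_hdr = pkt[offset]                   # every extension header starts with the Next Header byte
        offset += hdr_len
    info["upper_layer"] = UPPER_LAYER.get(next_hdr, f"protocol {next_hdr}")
    info["payload_offset"] = offset
    return info


def chain_is_acceptable(pkt: bytes, max_ext: int = 8) -> bool:
    """Filter-style verdict: True if the packet parses within the extension-header budget."""
    try:
        parse_ipv6(pkt, max_ext)
        return True
    except ValueError:
        return False


def _ipv6_header(payload: bytes, first_next: int, flow_label: int = 0xABCDE) -> bytes:
    """Fixed header for the constructed samples: version 6, traffic class 0, hop limit 64, fd00::1 -> fd00::2."""
    first_word = (6 << 28) | (0 << 20) | flow_label
    return (struct.pack("!IHBB", first_word, len(payload), first_next, 64)
            + ipaddress.IPv6Address("fd00::1").packed + ipaddress.IPv6Address("fd00::2").packed)


def build_sample_packet() -> bytes:
    """Constructed sample: IPv6 / Hop-by-Hop / Destination Options / ICMPv6 Echo Request (checksum left zero)."""
    pad_n = b"\x01\x04\x00\x00\x00\x00"                       # PadN option filling the 8-byte header
    hop_by_hop = bytes([60, 0]) + pad_n                        # Next Header = Destination Options
    dst_opts = bytes([58, 0]) + pad_n                          # Next Header = ICMPv6
    icmp_echo = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)
    payload = hop_by_hop + dst_opts + icmp_echo
    return _ipv6_header(payload, first_next=0) + payload


def build_chain_packet(n: int) -> bytes:
    """Constructed sample with n chained Destination Options headers and no upper-layer payload."""
    pad_n = b"\x01\x04\x00\x00\x00\x00"
    headers = [bytes([60 if i < n - 1 else 59, 0]) + pad_n for i in range(n)]
    payload = b"".join(headers)
    return _ipv6_header(payload, first_next=60) + payload


if __name__ == "__main__":
    print(parse_ipv6(build_sample_packet()))
    print("3 headers accepted:", chain_is_acceptable(build_chain_packet(3)))
    print("12 headers accepted:", chain_is_acceptable(build_chain_packet(12)))
```

The point for a filtering device is that the transport protocol is not at a fixed offset in IPv6 the way it is in a plain IPv4 header: a rule that wants to match "ICMPv6" or "TCP port 22" has to walk the chain first, and a bounded walk with explicit length checks is what keeps that lookup cheap and predictable.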
Effectiveness of attacks
Scanning for hosts takes forever!
- E.g. nmap in an IPv4 /24 LAN takes a few seconds (254 hosts)
- nmap in IPv6 /64 LAN takes ~58 000 years with 10 million pings per second (\(2^{64}\) hosts)
- By Link-Local multicast messages, hosts can be identified from inside
- DNS servers (internal and external) must be protected, since they can be used to find alive hosts
DoS attacks in LAN:
- Answer every DAD ("Is anyone using this address...?" - "YES!")
- RA/NA flooding (increase neighbor database size)
- Spoof being a router or announce a router to have a lifetime of zero
IPv6 protocols support multiple routers in a network
=> Anyone can become a router => MitM or DoS
Security solutions
- Set up firewalls! Upgrade router software/hardware to support IPv6.
- Disable IPv6 on routers entirely if enough public IPv4 addresses are usable
- Do not assign IPv6 address host IDs in numerical order. Use other methods, e.g. host IDs calculated from MAC or cryptographically generated host IDs.
- "NAT is not a firewall", i.e. the lack of NAT does not make IPv6 less safe
- Though NAT hides the internal network from the outside world, NAT should not be trusted as a protective measure
- Older implementations of NAT may even route unexpected packets to random hosts
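The recommendation not to hand out host IDs in numerical order can be followed with a hash-derived host ID. The following is an added example written for these notes, not code from the original slides or from any operating system: it generates an interface ID the way RFC 7217 describes (a keyed function of the prefix, interface name, network identifier, a DAD retry counter and a per-host secret, re-run if the result lands in an RFC 5453 reserved range), so the ID is stable on one network but unrelated across networks and contains neither a counter nor the MAC. HMAC-SHA256 as the function, the interface and network names, and the secret key are this example's own constructed choices. The last function is a small audit helper that flags an address list whose host IDs were clearly assigned sequentially.

```python
import hashlib
import hmac
import ipaddress
from typing import List

# Interface IDs reserved by RFC 5453: subnet-router anycast, the 0200:5eff:fe00:0000 - 0200:5eff:feff:ffff
# block, and the reserved subnet anycast range fdff:ffff:ffff:ff80 - fdff:ffff:ffff:ffff.
_RESERVED_IIDS = [
    (0x0000000000000000, 0x0000000000000000),
    (0x02005EFFFE000000, 0x02005EFFFEFFFFFF),
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),
]


def is_reserved_iid(iid: int) -> bool:
    return any(lo <= iid <= hi for lo, hi in _RESERVED_IIDS)


def stable_private_iid(prefix: str, net_iface: str, network_id: str,
                       secret_key: bytes, dad_counter: int = 0) -> int:
    """RFC 7217 style: IID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key); F here is HMAC-SHA256."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("host IDs are generated for a /64 prefix")
    # RFC 7217: if the result is reserved (or later fails DAD), bump the counter and try again.
    for counter in range(dad_counter, dad_counter + 8):
        msg = (net.network_address.packed[:8] + net_iface.encode() + b"\x00"
               + network_id.encode() + b"\x00" + counter.to_bytes(4, "big"))
        iid = int.from_bytes(hmac.new(secret_key, msg, hashlib.sha256).digest()[:8], "big")
        if not is_reserved_iid(iid):
            return iid
    raise RuntimeError("no usable interface ID found")   # practically unreachable


def stable_private_address(prefix: str, net_iface: str, network_id: str,
                           secret_key: bytes, dad_counter: int = 0) -> str:
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = stable_private_iid(prefix, net_iface, network_id, secret_key, dad_counter)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def sequential_fraction(addresses: List[str]) -> float:
    """Audit helper: share of neighbouring host IDs (after sorting) that differ by exactly 1.
    A value near 1.0 means the host IDs were handed out in numerical order."""
    iids = sorted(int(ipaddress.IPv6Address(a)) & ((1 << 64) - 1) for a in addresses)
    if len(iids) < 2:
        return 0.0
    steps = [b - a for a, b in zip(iids, iids[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)


if __name__ == "__main__":
    key = bytes(range(32))                         # constructed demo secret; a real host keeps one per install
    home = stable_private_address("2001:db8:1::/64", "eth0", "lab-net", key)
    again = stable_private_address("2001:db8:1::/64", "eth0", "lab-net", key)
    away = stable_private_address("2001:db8:2::/64", "eth0", "other-net", key)
    print("same network twice:", home, again, home == again)
    print("different network: ", away)
    print("sequential list:   ", sequential_fraction(["2001:db8::1", "2001:db8::2", "2001:db8::3", "2001:db8::4"]))
    print("hashed list:       ", sequential_fraction([home, away]))
```

Sequentially assigned host IDs are the one case where the "58 000 years" estimate from the scanning slide does not hold, because only the first few hundred IDs of the /64 need to be tried; hash-derived IDs restore the full 64-bit search space while still giving a device the same address every time it returns to the same network.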
When will the transition from IPv4 to IPv6 happen?
- It is happening! More and more devices globally join the IPv6 network.
- Accesses to Google over IPv6
- Notable factors:
- Customers' demands from ISPs
- New applications
- IoT