IPv6 Addressing Scheme Design
IPv6 has been ‘coming’ for a long time now, a decade at least. Everyone’s been worried about running out of IPv4 addresses, but then we found that we’re so good at doing NAT that there’s just not much of a need to migrate to IPv6, and the administrative effort to migrate is so great that management usually doesn’t go for it. Outside of the United States, though, IPv6 is much more popular, so if you’re working there you’ll have a much better chance of running into it. A lot of network admins are pretty intimidated by IPv6, but from a network admin’s practical point of view it’s about the same as IPv4; it’s just a bigger, woolier address to deal with, and it can be more difficult to see where summarization can occur and how to plan an addressing scheme.
In this lesson we’ll cover some basics about IPv6 addresses and migration techniques, and go over good practice to help you design a solid addressing plan that is ready for growth.
Okay, so a super brief flyby of IPv6 addresses. First, an IPv6 address is 128 bits long, as opposed to the 32-bit address of IPv4. The address is divided into 8 sections of 4 characters separated by colons. These sections are called hextets; each character in the address represents 4 bits, allowing for 16 combinations per character, which is why addresses are written in hexadecimal, running from 0-9 and then A-F. Each hextet is 16 bits in length.
The concept of a prefix length or subnet mask works exactly the same in IPv6 as it does in IPv4. You still have a network portion of the address and a host identifier. The two portions are identified with a mask, in the same fashion as before.

Now since IPv6 addresses are so long, there are some rules for shortening them by removing unneeded 0s. First, you can simply omit any leading 0s in a hextet. Next, any contiguous set of 0s can be abbreviated with a double colon. This can only be done once in an address, though. You can understand why pretty easily: the computer needs to know how many 0s are represented by that double colon, and if there are 2 different double colons then we don’t know how many 0s are represented by each. What you can do, if you have already used a double colon and you have other hextets that are just 0s, is omit all but 1 of the 0s in each of those hextets.
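The shortening rules above, written out as an added example (not code from the original lesson). The function names and the sample address, taken from the documentation prefix 2001:db8::/32, are constructed for illustration; addresses with an embedded IPv4 suffix are not handled.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")

def expand(addr):
    """Return the full form: 8 hextets of exactly 4 hex digits each."""
    if addr.count("::") > 1:
        # With two '::' there is no way to know how many 0 hextets each hides.
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        missing = 8 - len(head) - len(tail)  # hextets the '::' stands for
        if missing < 1:
            raise ValueError("'::' must replace at least one hextet")
        groups = head + ["0"] * missing + tail
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has 8 hextets")
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX_DIGITS:
            raise ValueError(f"bad hextet: {g!r}")
    return ":".join(g.lower().zfill(4) for g in groups)

def shorten(addr):
    """Drop leading 0s per hextet, then replace one run of 0 hextets with '::'."""
    groups = [g.lstrip("0") or "0" for g in expand(addr).split(":")]
    best_start, best_len, i = 0, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:  # longest run wins, the first one on a tie
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    if best_len < 2:  # a single 0 hextet is simply written as 0
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"

# Constructed sample with two separate runs of 0 hextets.
SAMPLE = "2001:0db8:0000:0000:0001:0000:0000:0001"

if __name__ == "__main__":
    print(shorten(SAMPLE))
    print(expand("2001:db8::1"))
```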

Private address spaces do exist in IPv6, like site-local addresses, but it’s becoming unlikely that they’ll be used. Since there are just so many addresses available, all devices will have publicly routable addresses.
Now the most common and most recommended prefix length to use is a /64. This is mostly due to its compatibility with an automatic addressing method called EUI-64. This is where the device learns the /64 prefix, then takes its 48-bit MAC address and jams FFFE into the middle of it to make up the second 64 bits of its IPv6 address, thereby allowing automatic address creation. This can be done with publicly routable addresses by learning the prefix from the router in the router advertisement, with the prefix being one that was assigned to your company and is publicly routable. There’s no need to use DHCP or static addressing; you can use EUI-64, which is stateless automatic addressing. The sheer fact that it’s recommended to use /64 prefixes on a point-to-point link, throwing away an insane number of addresses, really shows just how many addresses are available in IPv6.
In this diagram at the bottom I wanted to show how obtaining an IPv6 prefix usually works. Here in the United States we have ARIN, the American Registry for Internet Numbers. There are a lot of registries out there, and it’s possible for a company to go to the registry itself and purchase a block of addresses, or a prefix, directly from ARIN. What most people will do, though, is get a block assigned to them by their ISP. So ARIN will give a /16 or /32 to an ISP, and that ISP will then subnet that out and commonly assign its customers /48 prefixes. Now just think, that allows you as the enterprise to then subnet that /48 prefix into 65000 /64 prefixes. These are just common prefix lengths you’ll see, but there are certainly a lot of lengths in between that are assigned as well.
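The EUI-64 construction described above, as an added example (not code from the original lesson). It uses the modified EUI-64 form, which also flips the universal/local bit of the first MAC byte in addition to inserting FFFE; the MAC address and prefixes are constructed samples. The reverse function shows that the hardware address can be read back out of such an address, which is handy for matching addresses to NICs in an asset inventory.

```python
import ipaddress

def eui64_interface_id(mac):
    """Build the 64-bit interface ID from a 48-bit MAC (modified EUI-64)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is 48 bits")
    # Jam FF:FE between the first three and last three bytes of the MAC.
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    # Modified EUI-64 also flips the universal/local bit (0x02) of byte 0.
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")

def slaac_address(prefix, mac):
    """Combine a learned /64 prefix with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def mac_from_address(addr):
    """Recover the MAC from an EUI-64 address; None if FFFE is not in the middle."""
    low64 = int(ipaddress.IPv6Address(addr)) & (2**64 - 1)
    iid = low64.to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # static, DHCPv6 or randomized interface ID
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in raw)

# Constructed sample values (documentation prefix 2001:db8::/32).
MAC = "00:1a:2b:3c:4d:5e"
GLOBAL_PREFIX = "2001:db8:0:1::/64"

if __name__ == "__main__":
    print(slaac_address(GLOBAL_PREFIX, MAC))   # global address
    print(slaac_address("fe80::/64", MAC))     # link-local address
    print(mac_from_address("2001:db8:0:1:21a:2bff:fe3c:4d5e"))
```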

Just like in IPv4, private address spaces in IPv6 are not routable. In fact, your link-local address is not routable outside your subnet at all. This address is the one that starts with FE80 and uses a modified EUI-64 method to generate itself. Like I mentioned earlier, other private addressing spaces exist with IPv6 but they’re not likely to be used except in perhaps special circumstances.
The global prefix, which is what the engineers behind IPv6 decided would be enough addresses to satisfy our usage on Earth, is 2000::/3. Now the global unicast IPv6 prefix is 2001::/16. Commonly in documentation you’ll see the prefix 2001:DB8::/32 used; this is because this prefix was reserved specifically for use in documentation. This prefix is not publicly routable for that reason.
Just as private addresses are unlikely to be used, the same goes for NAT. Now, there is a certain amount of security that comes from using NAT and hiding your device’s true IP address behind some external IP address. In reality, though, there’s no intrinsic security behind NAT; that security is only really enforced by your firewall blocking traffic and not necessarily by the NAT function itself. Because of this there’s still debate as to whether NAT should be used in IPv6 or not, although most information I’ve read seems to lean towards not, for simplicity’s sake.
All in all, when it comes to IPv6 address planning and design, you’re using the exact same principles as with IPv4. You’re still designing with summarization in mind, and you’re separating out your networks for easy identification and maximum growth. You’re creating a repeatable addressing plan and you’re sticking to it to ensure your addressing scheme stays consistent. The only real difficulty with IPv6 is that we’re dealing with bigger, woolier addresses and they’re written in hex instead of decimal, so it can take a while to feel comfortable working with them.
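A repeatable plan of the kind described here, and the /48-into-/64 subnetting mentioned earlier, as an added example (not part of the original lesson). The /48 allocation, the site and VLAN numbers, and the "fourth hextet is SSVV" convention are all hypothetical; the audit confirms that every /64 falls under its site's single /56 summary and that nothing overlaps.

```python
import ipaddress

# Constructed allocation inside the documentation prefix 2001:db8::/32.
ALLOCATION = ipaddress.IPv6Network("2001:db8:abcd::/48")
# Hypothetical plan: the 4th hextet is SSVV (SS = site, VV = VLAN/function).
SITES = {"hq": 0x01, "branch": 0x02, "dc": 0x10}
VLANS = {"infra": 0x00, "users": 0x10, "voice": 0x20, "servers": 0x30}

def site_summary(site):
    """The one /56 a site advertises to the rest of the network."""
    base = int(ALLOCATION.network_address) | (SITES[site] << 72)
    return ipaddress.IPv6Network((base, 56))

def vlan_prefix(site, vlan):
    """The /64 for one VLAN at one site."""
    base = int(site_summary(site).network_address) | (VLANS[vlan] << 64)
    return ipaddress.IPv6Network((base, 64))

def build_plan():
    return {(s, v): vlan_prefix(s, v) for s in SITES for v in VLANS}

def audit(plan):
    """Return a list of problems; an empty list means the plan summarizes cleanly."""
    problems = []
    summaries = {s: site_summary(s) for s in SITES}
    for (site, vlan), net in plan.items():
        if net.prefixlen != 64:
            problems.append(f"{site}/{vlan}: {net} is not a /64")
        if not net.subnet_of(summaries[site]):
            problems.append(f"{site}/{vlan}: {net} outside {summaries[site]}")
    names = sorted(summaries)
    for i, a in enumerate(names):
        if not summaries[a].subnet_of(ALLOCATION):
            problems.append(f"{a}: {summaries[a]} outside {ALLOCATION}")
        for b in names[i + 1:]:
            if summaries[a].overlaps(summaries[b]):
                problems.append(f"summaries for {a} and {b} overlap")
    nets = sorted(plan.values())
    for x, y in zip(nets, nets[1:]):
        if x.overlaps(y):
            problems.append(f"{x} is assigned twice or overlaps {y}")
    return problems

def capacity(block, new_prefix=64):
    """How many subnets of length new_prefix fit inside block."""
    return 2 ** (new_prefix - block.prefixlen)

if __name__ == "__main__":
    for key, net in build_plan().items():
        print(key, net)
    print(audit(build_plan()), capacity(ALLOCATION))
```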


Now migrating to IPv6 is really the question, and there are a couple of options for how to go about it. First, I want to cover the idea of migrating a chunk of your network at a time. In this scenario, you get your address plan all ready to go, and you bring down a piece of the network during a maintenance window to set up IPv6 addresses and test to make sure everything works. In this case you’ll have certain pieces of your network that are only running IPv4 and others that are only running IPv6. This causes some problems, right, since the IPv4 hosts can’t speak to the IPv6 hosts directly without some assistance. This is where 6to4 tunnels and NAT-PT come into play. A 6to4 tunnel takes an IPv6 header and encapsulates it in an IPv4 header and sends it through your IPv4 network, where it’s de-encapsulated on the other end and continues on its way through the v6 network. This is used if you have 2 IPv6 islands separated by an IPv4 network they need to traverse. With NAT-PT, which is NAT-protocol translation, you’re actually translating the IPv6 address into an IPv4 address and vice versa to allow communication with a host on the other network. Both of these are more complicated to configure, you’re dealing with network outages while you migrate, and overall it’s clunky and just not a good way to go about migration. What you want to do is dual-stack your devices.

Dual stack means running IPv4 and IPv6 at the same time. Of course you’d want to start in your network backbone and work out from there. You can slowly, and in the background, start enabling and setting up IPv6 on your devices and hosts. Once you have everything running IPv4 and IPv6 at the same time, then you can start disabling IPv4. This means you can do the vast majority of the migration without any downtime and complete it silently in the background; heck, you can even start on it this weekend! And with the sheer number of addresses available in IPv6 you could even migrate to it without any real addressing plan and still succeed, although I truly don’t recommend doing that, as you’ll thank yourself later when you have a cohesive addressing plan that’s easier to understand and fits into your network structure. With addressing as a whole there’s not much of a single right answer; you’ll need to consider your network’s needs and work out an addressing plan from there that allows for easier identification of the networks and summarization.