Hey y’all, Mark here again. In the last post we talked about why you should care about IPv6. In this next installment, Ray Zabilla and I are going to demystify these IPv6 addresses you keep seeing and give you a better understanding of the IPv6 address space and syntax. We’ll also compare different addressing concepts between IPv4 and IPv6. As always, let us know in the comments if posts like these are helpful and you want more IPv6.
Let’s start with a common example you are used to seeing.
There it is, an IPv6 address. Scary, isn’t it?
Let’s break this down and compare it to something we do know fairly well: IPv4. IPv6 addresses are 128 bits long, where IPv4 addresses are 32 bits long. This allows for A LOT more addresses. If you want to get specific, IPv6 allows for 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses. Say bye-bye to NAT baby!
Breaking down the IPv6 Address
IPv4 addresses are divided along 8-bit boundaries, written in decimal and separated by a “.”. From the screenshot we have the 10.0.1.114 address.
IPv6 addresses are divided along 16-bit boundaries, written in hex and separated by a “:”. From the screenshot we have the FE80::d9e:bed6:4917:C7DF%12 address.
One of the other significant differences between IPv6 addresses and IPv4 addresses is that IPv6 addresses are expressed as hexadecimal numbers instead of decimal numbers. Depending on your background this may make it easier or more difficult to understand, but stay with us and we will explain the rules of the IPv6 address. If you haven’t much experience working with hexadecimal numbers, here are a couple of links which provide some more detail if you would like to get a better understanding.
The built-in calculator can also convert hex for you. Just change it to “Programmer”.
OK, back to our IPv6 addresses. What really helped me understand how to read them is recognizing that each boundary should contain 4 hex characters and there should be 8 sets of them. For example, it would look something like “abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd”. Each character in that group is made up of 4 bits, also known as a ‘nibble’. So let’s do some math here. Each character is 4 bits, and there are 4 characters per set for a total of 16 bits. We have 8 sets, 8 x 16 = 128 bits. Everything checks out.
Now, our IPv6 address in the screenshot doesn’t meet the total number of characters and is missing some groups. Let’s write it out the long way and talk about tips on how to shorten the address by compressing zeros.
First, a group of 0s can be represented by a double colon “::”. You can only use this one time per address. So our new address with 0s compressed can be written as FE80::0d9e:bed6:4917:C7DF%12. My other mental trick is this. I know I should have 8 sets, so I take the number of sets I have and subtract that from 8. That’s how many sets of 0s I have. OK, back to our address.
If you compare our address in the output, FE80::d9e:bed6:4917:C7DF%12, to our new compressed 0s address, FE80::0d9e:bed6:4917:C7DF%12, we have an extra 0. You can also compress the leading 0s in an address. Thus we have FE80::d9e:bed6:4917:C7DF%12. Let’s do some other examples and it will become more clear.
Let’s start with the original IPv6 address from above.
This is known as Colon hexadecimal
Divided along 16-bit boundaries
1111111010000000 0000000000000000 0000000000000000 0000000000000000
0000110110011110 1011111011010110 0100100100010111 1100011111011111
Leading zero suppression
Leading zero suppression with “double colon” suppression
A single contiguous sequence of 16-bit blocks set to 0 can be compressed to “::” (double-colon)
A double-colon can only be used once when compressing an address.
You cannot use zero compression to include part of a 16-bit block
FF02:30:0:0:0:0:0:5 does not become FF02:3::5, but FF02:30::5
More examples of zero compression
Notice we used the “::” one time even though we had multiple blocks of 0.
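The expansion and compression rules above, worked through in code. This is an added example, not part of the original post; the function names are hypothetical, and the choice to leave a lone zero block uncompressed follows RFC 5952 rather than anything stated in the post.

```python
import string

def expand(text):
    """Return the eight 16-bit blocks of an IPv6 address as integers."""
    addr = text.partition("%")[0]              # drop the zone ID, e.g. %12
    if addr.count("::") > 1:
        raise ValueError("'::' may be used only once per address")
    if "::" in addr:
        head, tail = (part.split(":") if part else [] for part in addr.split("::"))
        missing = 8 - len(head) - len(tail)    # the "subtract from 8" trick
        if missing < 1:
            raise ValueError("'::' must replace at least one block")
        groups = head + ["0"] * missing + tail
    else:
        groups = addr.split(":")
    ok = len(groups) == 8 and all(
        1 <= len(g) <= 4 and set(g) <= set(string.hexdigits) for g in groups)
    if not ok:
        raise ValueError("expected 8 blocks of 1-4 hex digits")
    return [int(g, 16) for g in groups]

def full_form(blocks):
    """Colon-hexadecimal with every block padded to 4 hex characters."""
    return ":".join(f"{b:04x}" for b in blocks)

def binary_form(blocks):
    """The same 128 bits, divided along 16-bit boundaries."""
    return " ".join(f"{b:016b}" for b in blocks)

def compress(blocks):
    """Suppress leading zeros, then replace the longest zero run with '::'."""
    best_start, best_len, i = 0, 0, 0
    while i < 8:
        j = i
        while j < 8 and blocks[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    hexes = [f"{b:x}" for b in blocks]
    if best_len < 2:          # RFC 5952 leaves a lone zero block as "0"
        return ":".join(hexes)
    end = best_start + best_len
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[end:])

if __name__ == "__main__":
    for sample in ("FE80::d9e:bed6:4917:C7DF%12", "FF02:30:0:0:0:0:0:5"):
        blocks = expand(sample)
        print(full_form(blocks), "->", compress(blocks))
```

An address with two separate zero runs, such as the constructed 2001:db8:0:0:1:0:0:0, gets "::" only for the longer run and keeps the other run written out.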
Overall the summary of the IPv6 address space can be seen as follows.
· 128-bit address space
· 2^128 possible addresses
· 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses (3.4 x 10^38 or 340 undecillion) (undecillion wasn’t even in the MS Word spell checker!)
· 6.65 x 10^23 addresses for every square meter of the Earth’s surface
· 128 bits to allow flexibility in creating a multi-level, hierarchical, routing infrastructure
Now that we’ve defined the format of an IPv6 address let’s move on to some of the other characteristics and features of IPv6.
Types of IPv6 addresses
IPv6 has three types of addresses, which can be categorized by type and scope.
Unicast – A unicast address identifies a single interface within the scope of the type of unicast address. With the appropriate unicast routing topology, packets addressed to a unicast address are delivered to a single interface.
What this means, for example, is that with a Global Unicast address, which is similar to an IPv4 Public address and unique across the Internet, a packet is delivered from a single interface to another single interface. A Link-local Unicast address is similar to an APIPA address, which is unique to the local subnet, so the packet can only be delivered to a device within the scope. We’ll talk more about IPv6 Address Scopes next in this post.
The following types of addresses are unicast IPv6 addresses:
· Aggregatable global unicast addresses (think public IPv4)
· Link-local addresses (think IPv4 APIPA 169.254.x.x)
· Unique Local (think IPv4 Private addresses)
· Site-local addresses are formally deprecated in RFC 3879
· Special addresses
· Compatibility addresses
· Transition addresses
Multicast – A multicast address identifies a set of interfaces, and delivery is to all interfaces in the set (a packet is delivered to multiple interfaces).
Anycast – An anycast address identifies a set of interfaces, but delivery is to only a single interface in the set. A packet is delivered to the nearest of multiple interfaces (in terms of routing distance). This one can be a little tricky to understand, but I think one of the better examples we came up with was something like a proxy server, where you may have multiple servers located across your network but you only want to forward packets to the closest one.
No more broadcast (sort of)
Note: (Technically IPv6 does not have a broadcast address but in practicality the special IPv6 Multicast address will send a packet to all nodes which will accomplish the same result, for example FF02::1)
That’s it, those are the types of IPv6 addresses. Now let’s move on to the scope of them.
Global Address – Address scope is the entire IPv6 Internet
A Global Unicast address is equivalent to an IPv4 Public address. The scope is the entire IPv6 Internet, so these addresses are globally routable and reachable on the IPv6 Internet. The IPv6 Internet has been designed from its establishment to support efficient, hierarchical addressing and routing, so unicast addresses are designed to be aggregated or summarized to facilitate an efficient routing infrastructure.
· Global Routing Prefix (part of the Public Routing Topology – along with 001 prefix)
· Subnet ID (Site Topology)
· Interface ID
Link-Local address – Address scope is a single link
IPv6 unicast link-local addresses are similar to the IPv4 APIPA addresses used by computers running Microsoft Windows. Hosts on the same link (the same subnet) use these automatically configured addresses to communicate with each other. A link-local address is required for some Neighbor Discovery processes and is always automatically configured, even in the absence of all other unicast addresses.
· Equivalent to IPv4 APIPA address
· FE80::/64 prefix
· Single subnet, router-less configurations
· Neighbor discovery process
· Link-local addresses are ambiguous so Zone ID is used to identify specific interface
· Zone IDs are only used for link-local addresses since routable addresses are non-ambiguous. Ex. fe80::2b0:d0ff:fee9:4143%3
· Windows Vista and above display the IPv6 zone id of local addresses in the ipconfig output.
Unique Local/Site Local addresses – Private addressing alternative to global addresses for intranet traffic
Site-local addresses provide a private addressing alternative to global addresses for intranet traffic. However because the site local address prefix can be reused to address multiple sites within an organization, a site local address prefix can be duplicated. The ambiguity of site local addresses in an organization adds complexity and difficulty for applications, routers and network managers.
Consequently, Site-Local addresses have been deprecated, and Unique Local addresses have superseded them with this challenge in mind. The aim is to replace all site-local addresses with a new type of address that is private to an organization yet unique across all the sites in the organization. In other words, Unique Local addresses have global scope within the organization, but their reachability is limited by the routing topology and filtering policies at Internet boundaries. Organizations would not advertise their unique local address prefixes outside their organization or create DNS entries for them on the Internet.
The Global ID (see diagram below) identifies a specific site within an organization and is set to a randomly derived 40-bit value. By deriving a random value for the Global ID, an organization can have statistically unique 48-bit prefixes assigned to their sites. Additionally, two organizations that use unique local addresses that merge have a low probability of duplicating a 48-bit unique local address prefix, minimizing site renumbering. Unlike the Global Routing Prefix in global addresses, the Global IDs in unique local address prefixes are not designed to be summarized.
While ULAs were not intended to be registered in any way, it could still happen that multiple organizations generate or use the same prefix and as such there is still a chance of collisions. As a result, a voluntary ULA registration site has been established at http://www.sixxs.net/tools/grh/ula/ to help minimize any ULA collisions. If everybody uses this registry though, the chance for collisions should be near nil.
· RFC 4193 defines this unique local address
· Equivalent to IPv4 Private address
· FD00::/8 prefix
· Replacement for site-local addresses
· Global scope, no zone ID required
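Building a unique local /48 from a random 40-bit Global ID, as described above. This is an added example, not part of the original post; the function names are hypothetical, the OS random generator stands in for the hash-based method RFC 4193 suggests, and the 16-bit Subnet ID field and the collision estimate are taken from RFC 4193.

```python
import ipaddress
import math
import secrets

ULA_FD = 0xFD << 120          # the FD00::/8 prefix from the article

def new_ula_prefix(global_id=None):
    """Build a /48 unique local prefix from a 40-bit Global ID."""
    if global_id is None:
        # Assumption: OS CSPRNG used instead of RFC 4193's hash-based method.
        global_id = secrets.randbits(40)
    if not 0 <= global_id < 2**40:
        raise ValueError("Global ID must fit in 40 bits")
    return ipaddress.IPv6Network((ULA_FD | (global_id << 80), 48))

def site_subnet(prefix, subnet_id):
    """Append a 16-bit Subnet ID to a /48 to get one /64 link prefix."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < 2**16:
        raise ValueError("need a /48 prefix and a 16-bit Subnet ID")
    base = int(prefix.network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))

def collision_probability(prefixes):
    """RFC 4193 section 3.2.3 estimate: P = 1 - exp(-N^2 / 2^(L+1)), L = 40."""
    return -math.expm1(-(prefixes ** 2) / 2 ** 41)

if __name__ == "__main__":
    site = new_ula_prefix()
    print("site prefix:", site)
    print("first subnet:", site_subnet(site, 1))
    for n in (2, 100, 10000):
        print(f"{n:>6} prefixes in contact -> P(collision) = {collision_probability(n):.2e}")
```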
Special IPv6 Addresses
· Unspecified Address
· 0:0:0:0:0:0:0:0 or ::
· Loopback Address
· 0:0:0:0:0:0:0:1 or ::1
Compatibility or Transition Addresses
Used for IPv4 to IPv6 transition. We’ll have an upcoming blog post devoted to transition technologies if it’s of interest to our readers. Let us know. Otherwise, here is a quick overview.
· IPv4-compatible address
0:0:0:0:0:0:w.x.y.z or ::w.x.y.z
The w.x.y.z is the dotted-decimal representation of a public IPv4 address. This address is used by IPv6/IPv4 nodes that are communicating with IPv6 over an IPv4 infrastructure that uses public IPv4 addresses, such as the Internet. IPv4-compatible addresses are deprecated in RFC 4291 and are not supported in IPv6 for Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista.
· IPv4-mapped address
0:0:0:0:0:FFFF:w.x.y.z or ::FFFF:w.x.y.z
The IPv4-mapped address is used to represent an IPv4 address as a 128-bit IPv6 address.
· 6to4 address
An IPv6 6to4 address has the format 2002:WWXX:YYZZ::WWXX:YYZZ, where WWXX:YYZZ is the colon hexadecimal representation of w.x.y.z (a public IPv4 address).
· ISATAP address
64-bit prefix:0:5EFE:w.x.y.z or 64-bit prefix:200:5EFE:w.x.y.z
An ISATAP address has a 64-bit prefix:0:5EFE:w.x.y.z, where w.x.y.z is a private IPv4 address and is assigned to a node for the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) IPv6 transition technology.
· Teredo address
Prefix of 2001::/32
A global address that uses the prefix 2001::/32. Teredo is designed to work even in the presence of network address translators (NAT).
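When these addresses show up in logs or ipconfig output, the types, scopes and transition formats above can be told apart by prefix, and the IPv4 address carried inside a mapped, 6to4 or ISATAP address can be recovered. The classifier below is an added example, not part of the original post; the function names and sample values are hypothetical, and the multicast ff00::/8 and global 2000::/3 prefixes are standard values the post does not spell out.

```python
import ipaddress

# Prefixes as stated in the article (link-local is listed there as FE80::/64).
# Order matters: first match wins, so transition prefixes precede 2000::/3.
PREFIXES = [(name, ipaddress.ip_network(net)) for name, net in [
    ("unspecified", "::/128"),
    ("loopback", "::1/128"),
    ("ipv4-mapped", "::ffff:0:0/96"),
    ("6to4", "2002::/16"),
    ("teredo", "2001::/32"),
    ("link-local", "fe80::/64"),
    ("unique-local", "fd00::/8"),
    ("multicast", "ff00::/8"),        # assumption: standard multicast prefix
    ("global-unicast", "2000::/3"),   # the "001" prefix
]]

def to_ipv4(value):
    """Render the low 32 bits of an integer as dotted-decimal w.x.y.z."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def classify(text):
    """Return (kind, zone_id, embedded_ipv4) for one textual IPv6 address."""
    addr_text, _, zone = text.partition("%")
    addr = ipaddress.IPv6Address(addr_text)
    n = int(addr)
    kind = next((name for name, net in PREFIXES if addr in net), "other")
    embedded = None
    if kind == "ipv4-mapped":
        embedded = to_ipv4(n)                 # ::FFFF:w.x.y.z
    elif kind == "6to4":
        embedded = to_ipv4(n >> 80)           # 2002:WWXX:YYZZ::...
    elif ((n >> 32) & 0xFFFFFFFF) in (0x00005EFE, 0x02005EFE):
        kind += "+isatap"                     # prefix:0:5EFE:w.x.y.z
        embedded = to_ipv4(n)
    return kind, zone or None, embedded

# The first three addresses appear in the article; the rest are constructed.
SAMPLES = [
    "FE80::d9e:bed6:4917:C7DF%12",
    "fe80::2b0:d0ff:fee9:4143%3",
    "FF02::1",
    "::ffff:192.0.2.10",
    "2002:c000:20a::c000:20a",
    "fe80::5efe:10.0.1.114",
    "fd12:3456:789a:1::25",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:30} {classify(sample)}")
```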
Bringing it Home
I know this has been a lot to process, but let’s go back to the original screenshot and summarize the address FE80::d9e:bed6:4917:C7DF%12.
We now know how long it is (128 bits) and where all the zeros went. We also know the different types and scopes of addresses for IPv6. Bringing it back to the screenshot, the FE80 prefix means it is just a Link-Local address, which is the equivalent of IPv4 APIPA. Next time someone says this IPv6 address FE80 is causing routing issues, you can simply say that’s nothing more than an IPv6 APIPA address and wow them with your knowledge of IPv6. In our next post we’ll cover some more advanced topics in IPv6 addresses.
Mark “FE80:Chicago” Morowczynski and Ray “FE80:Minneapolis” Zabilla
Part 1 can be found here
Part 3 can be found here