IPv6, Simplified!

Rajesh Dangi / August, 2021

As per the internet usage stats, Internet users skyrocketed in the last decade at an unprecedented growth rate of over 1300%, almost 65% of the world population are now active users of the internet. In India alone, the internet users growth is whooping 11,000% from the year 2000 till 2021. Yes, you read it correctly, it’s 11,200% to be precise as quoted. The same is the case with connected devices, interestingly the connected devices are now seen generating more data than the traditional application transactions. Statista mentions by 2025, there will be more than 75 billion Internet of Things (IoT) connected devices in use, nearly a threefold increase from the IoT installed base in 2019.

Fundamentally, this growth in internet adoption and penetration is demanding more and more devices to remain connected and each of them requires globally routed IP Addresses, the basic requirement of any entity to be uniquely identified on the internet. Internet protocol is the sole enabler responsible for establishing connectivity between source and destination on the internet to interact and communicate with each other.As part of the core protocols of standards-based internetworking methods via logical addressing system and performs routing, which is the forwarding of packets from a source host to the intended destination host on another network over the Internet, often called as internetworkingat the internet layer of the Internet Protocol Suite.

The currently deployed version of the IP protocol is fourth version called IPv4and is in production since 1983, it provides approximately four billion addresses. From this range defined in IPv4, about 18 million addresses are reserved for use in private networksthus packets addresses in these ranges are not routable in the public Internet; thus usable range is limited and is seen grossly depreciated already also known as IPv4 address exhaustion.

With the recognition of this problem was in the early 1990s, the Internet Engineering Task Force (IETF)created the Routing and Addressing Group (ROAD) in November 1991 to respond to the scalability problem caused by the classful network allocation system in place at the time and lead to the design of IPv6, (RFC 2460 ) the successor technology to IPv4 to address this problem. IPV6 natively supports approximately 3.4×1038 network addresses, i.e. more than 340 undecillion ( 340 billion, billion, billion, billion) unique IPv6 addresses, in theory, to ensure we don’t run out of addresses ever even if we were to provide each grain of sand on earth unique IP address thus redefining the “Internet” the very next level of connected entities of the universe…so to say!

Key Benefits

IPv6 increases the IP address pool size from 32 bits to 128 bits adding more levels of addressing hierarchy, to get a greater number of addressable nodes connected and simplifies auto-configuration of addresses and gateways thereof. It also provides the labeling of the packets belonging to traffic "flows" when the sender requests special handling, such as quality of service or "real-time" service for voice and video streaming traffic, etc. IPv6 by design includes performance enhancement techniques like refined multicasting, stateless address auto-configuration (SLAAC), simplified headers to streamline router processing, and the option to allow larger packets in run time. Data Security in IPv6 is handled via IPSec, which was actually built for IPv6 but widely used after retrofitting for IPv4.

IPv6 addresses are 128 bits long and provide an address space of 2^128 addresses and are logically segmented into eight blocks of four hexadecimal digits each. Blocks are separated by colons for easier identification and processing. The intelligent use of Global prefix ensures the routing information is present in each IPV6 address to help to route easier and faster, the subsequent block denotes subnet ID, which allows the segmentation of logical or geographical grouping of the IPV6 IP ranges and carries site and subnet specific information. The Interface ID is local and the actual address of the interface wherein this IPV6 address is assigned for. Remember there is no subnet mask like IPV4 in IPV6 deployment,

By default, at address, string is long thus difficult to remember compared to IPv4 yet there are some techniques allowed so that the address can be shortened, eliminating all preceding zeros and collapsing the blocks with zeros just noting as colons…

  • 2409:4071:4d89:cd66:0000:0000:00D3:3afe
  • 2409:4071:4d89:cd66:0:0:D3: 3afe
  • 2409:4071:4d89:cd66::D3: 3afe
< /p>

IPv6 addresses also use network prefixes, which are specified in slash notation. The prefix is used to specify routes or address ranges, not a network ID. Routing table entry for IPv6

  • 2409:4071:4d89::/48

As a native feature of IPV6 addressing, any system on start-up will automatically create an address called link-local address on each available interface, using a component of the Neighbor discovery protocol with the prefix fe80::/64. this helps local discovery of any IPv6 node easily and without any conflict to ensure dependent services kick in seamlessly. The NDP operates at the link layerof the Internet model and is responsible for gathering various information required for internet communication, including the configuration of local connections and the domain name servers and gateways used to communicate with more distant systems using five different ICMPv6 packet types for the purpose of router solicitation, router advertisement, neighbor solicitation, neighbor advertisement, and network redirects

Using NDP to create globally routable unicast address: the host sends router solicitation requests and an IPv6 router responds with a prefix assignment, this process is called Stateless address autoconfiguration (SLAAC)to ensure each interface upon request gets an IPv6 address assigned by neighboring routers or DHCPv6 servers using the link-local address

The addressing methodologies offer three basic choices, for primary addressing and routing methodologies common in networking: unicast, anycast, and multicast addressing.

  • Unicast address identifies a single network interface attached to the node. All the IP packets sent to the given unicast address get delivered to that specific interface. are typically composed of two logical parts: a 64-bit network prefix used for routing, and a 64-bit interface identifier used to identify a host's network interface, simplifying the global and local routing by design.
  • Anycast address follows the same composition as unicast but the address is assigned to a group of interfaces attached different nodes spread across the geographies, and packets are delivered to nearest available member node interfaces, based on the routing protocol's definition of distance, typically lowest latency, This helps users connect to the nearest anycast member seamlessly enriching user experience and faster response times by design.
  • Multicast address works similar to anycast and gets assigned to multiple nodes that acquire the multicast address destination by participating in the multicast distribution protocol each packet sent to a particular multicast address gets delivered to all interfaces that have joined the corresponding multicast group and works similar to a broadcast in IPv4 but controlled by participating multicast group. Typically, it is used as all-nodes link-local multicast group ff02::1 formed according to several specific requirements called a scope, associated formatting rules, flags, etc. depending on the application it is supposed to serve.

Transition Mechanism – IPv4 to IPV6

Given the design of IPv6 and IPv6, both protocols do not have a standard upgrade mechanism we are used to upgrading our device drivers, system patches and/or version upgrades, etc. since IPv6 is not foreseen to supplant IPv4 instantaneously. Yet they are designed to operate simultaneously, such implementations are called dual-stack mode and most of the networking devices today support dual-stack mode. Technically still both networks operate independently of each other.

To augment the resources from both these networks for seamless user experience, IPv6 transition mechanismsare needed to enable IPv6 hosts to reach IPv4 services and to allow isolated IPv6 hosts and networks to reach each other over IPv4 networks and resources. In dual-stack mode, each device or node, in particular, get IPv4 and IPv6 addresses and for effective address resolution they depend on resolving DNS server can resolve both types of addresses having associated DNS entries are made in “A” record for IPv4 and “AAAA” record for IPv6, for that device or node as a standard fully qualified domain name. In India, there are many ISPs and TELCO’s who are already using the dual-stack and use IPv4 LAN addresses translating into the public-facing IPv6 address using NAT64, a network address translation (NAT) mechanism, the implementations are large scale and is a testimonial of successful dual-stack implementation.

There are however much more references that are using Hybrid dual-stack IPv6/IPv4 implementations with a special class of addresses, called the IPv4-mapped IPv6 addresses which are written with a 96-bit prefix in the standard IPv6 format, and use the remaining 32 bits written in the customary dot-decimal notation of IPv4 transforming the address to recognize IPv4 mapping in the IPv6 address itself for easier routing.

Adoption in India

The real-time stats published by APNIC Asia pacific arm of Internet Regional Registry ( Read, IRR ) shows staggering adoption rate in India, thanks to few leading telecom operators/carrier networks using it for public-facing IPv6 addresses, seems to have gained success in the large scale adoption in their user buckets and others will follow.

There are many reasons for the slow and low adoption of IPv6 and many organizations struggle to get a clear answer on the approach, strategy, and most importantly cost-benefit, here are few key barriers that we could fathom out ..

  • Customer Demand – On the demand side typically users are keen on using content and services and do not bother about which protocol is used, or services are deployed, etc since most of their management systems are based on IPv4 they seem comfortable running existing setups as they already have secured IPv4 since long. This mindset is not helping IPv6 adoption for enabling new services.
  • Network Topology & Tools- IPv6 and IPv4 are two different protocols, IPv6 is not backward compatible thus not all the equipment’s in the current IPv4 stack support the transition and concurrency due to these resources available over IPv6 are not reachable from an IPv4 node and vice versa unless additional investments are made to support hybrid dual-stack equipment as a gateway between both networks. IPv6 routers also typically support a variety of First Hop security features that include RA Guard, ND Inspection, and Source Guard to help put additional safeguards. Few implementations of secure DNS, DHCP, and IP Address Management features offer an appliance-based, highly-available, dual-stack infrastructure with visual IPAM tools for IPv6 address space allocation and management as well as IPv6-capable DNS and DHCP or even Large scale NAT ( read, LSN) a Carrier-grade NAT (CGN or CGNAT) deployment used for sharing of small pools of public addresses among many end sites, etc. to highlight few areas of possible solutions.
  • Network Security - Most of the pointers for s/low adoption point to complexities on deploying security tools in IPv6 since Some vendors now start including IPv6, and the same for backend systems might not support the IPv6 traffic scrutiny, Yet at the fundamental level IPv6 was designed to include support for IPSec, providing encryption and authentication right in the protocol suite itself, rather than being bolted-on after the fact as with IPv4 yet IPv6 addresses are often assigned based on predictable patterns thus making it bit easier for attackers unless specialized services such as the implementation of Secure Neighbour Discovery a foolproof version of NDP. With multiple address types, IPv6 will have a wider attack surface than IPv4. Unlike IPv4, IPv6 has wide support for address autoconfiguration, meaning the endpoints might be accepting IPv6 traffic without even realizing it. The Link-local addresses are also typically configured on any endpoint that has IPv6 enabled thus there is a possibility of a node running on IPv6 within your local area network, without you even knowing it and thus can be compromised since it might run without protection and using tools such as scan6 it can be discovered. There are published details on newsletters by Meity Ipv6 task force or guidelines on the secure deployment of IPv6 from NIST, for additional reference.

There are many more reasons we can list down and debate yet it boils down to effective planning, allocating resources, and just following existing best practices from IPv4 have equivalents in IPv6 security. The complexity, scalability, and security are contextual tenets and have to be considered while choosing or enabling authentication for your routing protocols, turning on bogon filters to limit the attack surface, and configuring host-based firewalls to prevent lateral movement inside your network perimeter, etc. as recommended in both IPv4 and IPv6 environments to ensure effective manageability of all the above tenets.

In Summary, IPv6 and IPv4 will coexist for many more years, possibly decades due to multiple reasons we discussed above, yet doesn’t mean an enterprise can afford to rely on just IPv4. It warrants to put forth a charter to discuss, help mitigate the risk and assign costs associated with IPv6 adoption planning as early as today. IPv6 momentum in the industry has increased but the adoption rates are still s/low. We do have large IPv6 commercial deployments in many business sectors that have seen benefits driven by reduced cost, decreasing complexity, improving performance, and eliminating barriers to security and innovation in the connected world of their workloads. IXPs, CSPs, and leading-edge carrier networks, for example, have been evolving to IPv6-only networks and with the new 5G rollout in near future IPv6 adoption should gather momentum. Anyway, the IPv6 is here to stay and will charter the newer and faster way we would want our internet to be, for sure!