
ipv6 - how does it work?

millsdon
Grafter
Posts: 47
Registered: ‎01-04-2012

ipv6 - how does it work?

My understanding of IPv6 is that there is enough address space to enable every device on the planet (and more) to have a public address.
So if it is enabled on plusnet, are users likely to be offered an equivalent of a block of IP addresses by default?
And what sort of security implications does this have, e.g. with multiple clients on your network with public IPs rather than private IPs and NAT being used?
With IPv4 and private addressing, most effort goes into the perimeter firewall. External connections are dropped if there isn't an internal request (assuming there's no port forwarding etc) so even without firewall rules, NAT offers protection.
How will this work with public IPs and no NAT? Am I right in assuming that if you do not have a properly configured firewall for an IPv6 address, you could have a major security issue within your internal network?
6 REPLIES 6
SimonHobson
Rising Star
Posts: 190
Thanks: 36
Registered: ‎30-07-2007

Re: ipv6 - how does it work?

Yes, IPv6 has a "lot" of addresses - 2^^128. By default, when Plusnet rolls out you will be getting a /56 allocation which means the first 56 bits identify the prefix allocated to you, and that leaves you with 72 bits to use (2^^72 addresses :o). The normal* subnet size for a network is 64 bits so you can have up to 256 subnets within your allocation.
* There are many technical and non-technical reasons why you shouldn't use anything else. Definitely no less, and for a home network, no reason to use more.
Now then, security and privacy are two things that cause "a certain amount of discussion".
Security:
The default for any router worth using should be to run a stateful firewall with a default inbound policy of "drop everything". That will give you the same level of protection that using NAT under IPv4 gives you - ie there can be no inbound traffic unless you change the firewall settings to allow it.
Privacy:
Now there's a bigger debate here. The default is for (many) devices to self allocate an address by combining the subnet information provided by routers (by way of broadcast Router Advertisements, or RAs for short) with the MAC address of the interface. As you've guessed, this does mean that services you connect to can identify the individual machine that you use, and if they so wish, track you as you move between networks. All major OSs should allow the setting of a more private mode where the address is randomly chosen and will change when you disconnect/reconnect to a network (ie move between networks, restart, suspend/resume, etc). I've an idea Windows does this by default, with Mac OS X it's something you can turn on with some command line incantation.
Don't forget that you can run IPv4 without NAT. Most people tend to be using NAT because they can't get the addresses needed to run without it. When ManLUG used to meet in the university, all the machines there ran on public IPs (the uni got a massive allocation before it became apparent that there'd be shortages), and at work we run a lot of hosted stuff that all runs on public IPs so it would be quite feasible to run our desktops on the spare addresses (we got a /24 allocation, also before the shortage was fully recognised).
Picnic
Grafter
Posts: 190
Thanks: 2
Registered: ‎30-10-2007

Re: ipv6 - how does it work?

Quote from: SimonHobson
The default is for (many) devices to self allocate an address by combining the subnet information provided by routers (by way of broadcast Router Advertisements, or RAs for short) with the MAC address of the interface

I was entering some Static DHCP devices into my Router (IPv4) and while entering the MAC addresses it occurred to me that these are only 12 hex digits long, i.e. 48 bits. So as IPv6 can address so many more devices what is the new MAC address format for IPv6? If still only 48 bits that will mean at some point multiple devices in the world will have duplicate MAC addresses.
DougMa
Grafter
Posts: 115
Thanks: 3
Registered: ‎09-09-2011

Re: ipv6 - how does it work?

Quote
If still only 48 bits that will mean at some point multiple devices in the world will have duplicate MAC addresses

http://www.erg.abdn.ac.uk/~gorry/eg3561/lan-pages/mac-vendor-codes.html
Unlike IP addresses, MAC addresses only need to be unique within a single collision domain (usually a single subnet). It's only a problem if multiple network cards have the same MAC address if they try to coexist on the same local network. Network interface manufacturers are allocated blocks of MAC addresses which they allocate to devices as they are produced, and apply for additional blocks before they reach the end of their allocation. Whilst any form of preallocation leads to wastage, it should not be enough to cause any problems in the foreseeable future. Worst case, manufacturers can re-use MAC addresses they previously allocated to obsolete networking hardware (10Mbps coax, Token Ring, etc.)
Doug
millsdon
Grafter
Posts: 47
Registered: ‎01-04-2012

Re: ipv6 - how does it work?

So, when plusnet offers an ipv6 address, do you turn off NAT, use routing and just configure your router's dhcp server to hand out ipv6 addresses within your allocation?
And how many addresses is (2^^72 addresses)? If that means 2 to the power of 72 then that equals 4,722,366,482,869,645,213,696
millsdon
Grafter
Posts: 47
Registered: ‎01-04-2012

Re: ipv6 - how does it work?

I think this is a good basic tutorial. It certainly gave me a better understanding.
http://www.9tut.com/ipv6-tutorial
Page 2 with its diagrams explains it well.
SimonHobson
Rising Star
Posts: 190
Thanks: 36
Registered: ‎30-07-2007

Re: ipv6 - how does it work?

Quote from: millsdon
when plusnet offers an ipv6 address, do you turn off NAT, use routing and just configure your router's dhcp server to hand out ipv6 addresses within your allocation?

Not really, you have to forget (to some extent) what you've got used to with IPv4 and learn a load of new stuff.
Whatever you are doing now with IPv4 will stay as it is - no change. The NAT you probably use now will stay - for IPv4.
For IPv6, that's a new layer that will run in parallel with your IPv4 - in principle they are different and aren't in any way related.
Because you get so many addresses with IPv6 (see below), then there is no need for NAT. You literally can run every device you have (and "quite a few more") on public IPs without risk of running out. This isn't a security concern, but may be a privacy concern (as noted earlier) if you don't use any privacy features.
Quote
and how many addresses is (2^^72 addresses)? If that means 2 to the power of 72 then that equals 4,722,366,482,869,645,213,696

Yes it is 2 to the power of 72, it is that very big number (I'll take your word on the exact number, my calculator doesn't go that far!). There are 2^^32 addresses (just over 4 billion) in total for IPv4, big chunks of that are wasted, reserved for specific uses, or otherwise not available, and of what's left, there is now not a single address block not allocated to an RIR (Regional Internet Registry). The minimum subnet size for IPv6 is 2^^64, or about 18 million million million addresses :o, so you aren't likely to run out. I can see some ISPs might be stingy and only allocate a single /64, plusnet will be giving up a /56, which is 8 bits more and allows us to run 256 of those very big /64 subnets. Since Plusnet will get a /32 from the registry, that means they still have 24 bits (56 - 32) in between - so their single allocation will support over 16 million customers, each with a /56. Yes, IPv6 has some very big numbers.
Just to add, since ISPs get a /32 allocation, there is enough address space in IPv6 for there to be as many ISPs as there are total IPv4 addresses (roughly). So enough for about one ISP per 2 or 3 people on the planet - should keep us going for a while!