6 Surprising Facts about IPv6
My name is Brent Cook, and I am a software architect at BreakingPoint. After some goading and prodding, I have decided to finally be social and share in the blog fun. Working lately with our IPv6 support, I have a long list of fun facts to share. As you know, IPv6 is a 128-bit addressing scheme designed to solve the various problems with 32-bit IPv4, AKA the next 'big thing'. Here are some things you might not know about IPv6:
Fact 1: You can get on the IPv6 internet in 10 minutes for free, even if your ISP doesn't support it.
I'm a bit of a 'method' programmer, so to understand a protocol I have to see how it works in real life. I was therefore determined to get on the IPv6 internet and 'live' IPv6. There are plenty of free tunnel brokers, which basically act like a secondary ISP for your IPv6 connection.
I went to SixXS first, on the recommendation of Wikipedia, and because it also seemed like the most flexible. However, access there requires jumping through a series of hoops intended to test the purity of my soul, worth of character and hipness of LinkedIn profile. It is akin to getting the sysop to grant download rights on an 80's era BBS. While waiting for a third level of approval from SixXS, I skipped over to Tunnel Broker, run by Hurricane Electric, and got online in about 10 minutes. The configuration steps are easy, provided you have a router that supports IP protocol 41, also called 6in4 (your Linksys router probably does not). Tunnel Broker also has a fun leaderboard that tracks how IPv6-ready you are.
A couple of days later, after I became an official IPv6 expert (according to Hurricane Electric at least), I finally got the SixXS approval. SixXS is also nice, as their Anything-in-Anything tunnel works as advertised, even behind the most brain-dead IPv4 NAT router (even your Linksys router). Now, armed with full IPv6 connectivity at both work and home, I was ready to dive into the world of IPv6. The first surprise was the enormity of the allotments.
Fact 2: Individual IPv6 allotments are amazingly huge.
When you get an IPv4 address from your ISP, that's all you get - an address. Maybe if you run a business, you get 3 or 4. With IPv6, your ISP gives you at least 2**64 addresses; that is 18,446,744,073,709,551,616 for those counting. IPv6 simplifies routing by making all sites /48 and all subnets /64. With 128-bit addressing, this means you will practically never run out of addresses in your allocated subnet. Want to give your coffee maker its own global address? Do it man, live the dream! Both of the above IPv6 ISPs will give you multiple /64 or /48 subnets for free. It feels almost wasteful, particularly after you take a look around.
Fact 3: There is not a lot to do on the IPv6 internet
It is true, there is not much out there on the IPv6 internet. It is lacking that 'killer app'. For now, it mainly consists of animated gifs doing a little dance when you hit certain sites such as ipv6.google.com, and the SixXS 'cool stuff' page, which reminds one of the internet, circa 1995. The coolest app that I use regularly is an IPv6->IPv4 gateway, which is basically required to do 'normal' stuff. This works just like NAT, which kind of removes one of the motivations for IPv6 in the first place: end-to-end connectivity.
Why is there not much to do on the IPv6 internet? Because there are relatively few users, so it is a chicken / egg problem. Google's recent survey on IPv6 users (PDF) breaks it down, showing that world wide, IPv6 is enabled on 0.238 percent of their users' systems. The data also shows that these users prefer using IPv6 over IPv4 when it is possible, so they must not mind wreaking havoc on their command-line life.
Fact 4: IPv6 wreaks havoc on your command-line life
IPv6 addresses use colons and percent signs. This is not the best choice in a world where free punctuation is a scarce commodity. Command-line utilities that support IPv4 addresses generally require odd hacks to work with IPv6, and there are even some cases where there is no choice but to give up and add an entry to /etc/hosts. Here are a few of the interesting ones:
One common method of escaping IPv6 addresses is to wrap them in square brackets:
2001::1 becomes [2001::1]
However, since square brackets are meaningful in a POSIX shell, you have to escape the brackets as well:
scp file.txt 192.168.1.1: becomes scp file.txt \[2001::1\]:
The same thing applies to URLs: http://[2001::1], though browser support is spotty. Konqueror, for instance, will load an IPv6 URL, then immediately strip the brackets, so a subsequent reload will fail.
There is an additional type of address, link-local, where the interface is tacked onto the end with a percent sign: fe80::1%eth0. Generally, these addresses are a lost cause for most programs, and I could not find any way to escape them in a browser either. Additionally, you cannot really specify these addresses in /etc/hosts on Linux, though it works on OS X, and they look different depending on your operating system's naming convention for interfaces. My suggestion: avoid link-local if you can.
Curiously, rather than adding IPv6 support to well known commands like ping and traceroute, most OSes add completely separate versions, ping6 and traceroute6. Only BusyBox bucks the trend, where its ping and traceroute work with any kind of address, provided you configured support when you compiled it.
One final amazing bit of IPv6 address hackery is found in Windows UNC path names. Because the colon is not allowed in UNC, Microsoft registered ipv6-literal.net so you could write 2001::1 as 2001--1.ipv6-literal.net, or link-local address fe80::1%4 as fe80--1s4.ipv6-literal.net. This seems very strange at first, but it's really growing on me - I wonder if I could get a glibc patch past Ingo Molnár :).
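As an added example (my own illustration, not code from the original post), the following Python helpers implement the escaping rules above: the bracketed host form used in URLs and scp, a shell-safe scp target, and the ipv6-literal.net transform ('-' for ':', 's' for the '%' before a zone id). It also goes a step beyond the post by reversing the ipv6-literal.net transform so a name can be validated before use. It assumes only Python 3's standard ipaddress and shlex modules; all sample addresses are the ones quoted in the post.

```python
"""Added example (not from the original post): IPv6 address escaping helpers.

Rules implemented, all taken from the post:
  * host part in URLs/scp is wrapped in square brackets: 2001::1 -> [2001::1]
  * in a POSIX shell the brackets are glob characters, so the scp argument
    must be escaped or quoted
  * ipv6-literal.net: ':' becomes '-', the '%' before a zone id becomes 's',
    and '.ipv6-literal.net' is appended: fe80::1%4 -> fe80--1s4.ipv6-literal.net
"""
import ipaddress
import shlex

LITERAL_SUFFIX = ".ipv6-literal.net"


def split_zone(text):
    """Split 'addr%zone' into (IPv6Address, zone-or-None); validates the address."""
    addr, sep, zone = text.partition("%")
    return ipaddress.IPv6Address(addr), (zone if sep else None)


def bracketed(text):
    """Host form used in URLs and scp/ssh: [addr] or [addr%zone]."""
    addr, zone = split_zone(text)
    return "[%s%s]" % (addr, "%" + zone if zone else "")


def url_for(text, scheme="http", path="/"):
    """http://[2001::1]/ ; '%' is a URL delimiter, so a zone id cannot be
    written here (the post found no browser escaping for link-local)."""
    addr, zone = split_zone(text)
    if zone:
        raise ValueError("zone ids cannot be written in a URL")
    return "%s://[%s]%s" % (scheme, addr, path)


def scp_target(text, remote_path=""):
    """scp argument with the brackets protected from shell globbing.
    shlex.quote single-quotes the whole target, which is equivalent to the
    backslash escapes shown in the post."""
    return shlex.quote("%s:%s" % (bracketed(text), remote_path))


def to_literal_name(text):
    """Windows UNC form: 2001::1 -> 2001--1.ipv6-literal.net."""
    addr, zone = split_zone(text)
    name = str(addr).replace(":", "-")
    if zone:
        name += "s" + zone  # 's' stands in for the '%' zone separator
    return name + LITERAL_SUFFIX


def from_literal_name(name):
    """Reverse transform; raises ValueError if the name is not a valid literal.
    Hex digits never contain 's', so the first 's' always marks the zone id."""
    name = name.lower()
    if not name.endswith(LITERAL_SUFFIX):
        raise ValueError("not an ipv6-literal.net name: %r" % name)
    body = name[: -len(LITERAL_SUFFIX)]
    body, sep, zone = body.partition("s")
    addr = ipaddress.IPv6Address(body.replace("-", ":"))
    return "%s%s" % (addr, "%" + zone if sep else "")


if __name__ == "__main__":
    for sample in ("2001::1", "fe80::1%4"):
        print(bracketed(sample), scp_target(sample, "file.txt"), to_literal_name(sample))
```

Because every helper builds on ipaddress.IPv6Address, a malformed address raises ValueError rather than producing a plausible-looking but wrong host string, which is the behaviour you want in anything that later ends up on a command line or in a firewall rule.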
Fact 5: IPv6 is a moving target, your cheat sheet is wrong
The IPv6 RFCs have described a number of interesting and, in hindsight, bad features. These include site-local addresses, IPv4 to IPv6 compatible addresses and variable length subnets. These are removed in later RFCs, so it is unfortunate that early implementers cannot pull back existing deployments.
One interesting example is variable-length subnets. Subnets in IPv6 are fixed at /64. However, your router probably allows you to configure an interface with a /48 or /96 subnet. At the same time, you might get this in your Linux dmesg output: "IPv6 addrconf: prefix with wrong length 48", and things won't work properly.
Your operating system probably lets you configure non-/64 subnets as well, which will be a big surprise when you find out that they are not interoperable with later IPv6 implementations. I recommend that if you read an RFC on an IPv6 feature and the document is more than 2 years old, you check whether it has already been deprecated in a later RFC. Also, throw out that cheat sheet you downloaded or the books you bought if they are even a year or two old. Speaking of the impact of deprecated features, let's look at the impact on firewall rules.
Fact 6: Your IPv6 firewall rules are probably insufficient
With every deprecated feature or address range comes an extra set of firewall rules that need to block the deprecated address block of shame. Thanks to the deprecated IPv4->IPv6 compatible address block, you also need to block every private IPv4 address in your IPv6 rules. This can make securing an IPv6 network a challenge. FreeBSD's default IPv6 firewall rules have to block 17 different address blocks by default, and that probably omits some late additions.
ICMP becomes more important with IPv6, since it is used for the required path-MTU feature. However, many firewalls block ICMP entirely, breaking required functionality.
Additionally, your IPv4 firewall rules may not have usable IPv6 analogs, depending on the operating system. For instance, Linux 2.4 and 2.6 up to 2.6.20 do not have functional support for the ESTABLISHED rule for blocking incoming connections. Many popular SOHO firewalls are based on a Linux 2.4 kernel, which complicates any firmware upgrade path to add IPv6 support.
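As an added example (mine, not the FreeBSD rules or anything from the original post), here is a small source-address filter of the kind Fact 6 calls for, written with Python 3's standard ipaddress module. It drops the deprecated blocks (site-local, IPv4-compatible, 6bone), blocks that are never valid unicast sources, and, for the "block every private IPv4 address" point, applies the IPv4 private-range check to addresses embedded in IPv4-compatible and IPv4-mapped forms. It also renders the list as ip6tables rules, with the ICMPv6 packet-too-big accept rule placed first so path-MTU discovery keeps working. The prefix list is a constructed, deliberately short illustration, not a complete bogon list.

```python
"""Added example (not from the original post): IPv6 source-address sanity
filter plus ip6tables rendering. Prefixes come from the IANA IPv6
special-purpose registry and the RFCs that deprecated them; the list is
illustrative and intentionally incomplete."""
import ipaddress

# (prefix, reason) pairs that should never appear as a source on the wire.
BLOCKED_SOURCES = [
    ("::/128",        "unspecified address"),
    ("::1/128",       "loopback"),
    ("::/96",         "IPv4-compatible, deprecated by RFC 4291"),
    ("fec0::/10",     "site-local, deprecated by RFC 3879"),
    ("3ffe::/16",     "6bone test space, returned to IANA (RFC 3701)"),
    ("2001:db8::/32", "documentation prefix (RFC 3849)"),
    ("ff00::/8",      "multicast is never a valid source"),
]
BLOCKED_NETS = [(ipaddress.IPv6Network(n), why) for n, why in BLOCKED_SOURCES]

IPV4_COMPAT = ipaddress.IPv6Network("::/96")
SPECIAL_IN_COMPAT = (ipaddress.IPv6Address("::"), ipaddress.IPv6Address("::1"))

# ICMPv6 error types that must be let through; packet-too-big is the one
# path-MTU discovery depends on, the others are the error messages RFC 4890
# recommends never filtering.
REQUIRED_ICMPV6 = ["packet-too-big", "destination-unreachable",
                   "time-exceeded", "parameter-problem"]


def embedded_ipv4(text):
    """IPv4 address carried in an IPv4-compatible (::a.b.c.d) or IPv4-mapped
    (::ffff:a.b.c.d) address, or None if there is none."""
    addr = ipaddress.IPv6Address(text)
    if addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    if addr in IPV4_COMPAT and addr not in SPECIAL_IN_COMPAT:
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


def check_source(text):
    """Return (allowed, reason) for a candidate source address; a zone id
    suffix (%eth0) is ignored because it is not part of the wire address."""
    addr = ipaddress.IPv6Address(text.split("%")[0])
    for net, why in BLOCKED_NETS:
        if addr in net:
            return False, why
    v4 = embedded_ipv4(addr)
    if v4 is not None and not v4.is_global:
        return False, "embedded IPv4 %s is not globally routable" % v4
    return True, "ok"


def ip6tables_rules(chain="INPUT"):
    """Render the policy as ip6tables commands, ICMPv6 accepts before drops."""
    rules = ["ip6tables -A %s -p icmpv6 --icmpv6-type %s -j ACCEPT" % (chain, t)
             for t in REQUIRED_ICMPV6]
    rules += ["ip6tables -A %s -s %s -j DROP  # %s" % (chain, net, why)
              for net, why in BLOCKED_NETS]
    return rules


if __name__ == "__main__":
    # constructed sample sources, not captured traffic
    for sample in ("2a00:1::1", "fec0::1", "::10.0.0.1", "::ffff:192.168.1.1"):
        print(sample, check_source(sample))
    print("\n".join(ip6tables_rules()))
```

Two design choices worth noting: the IPv4-compatible block ::/96 is matched before the embedded-IPv4 check, so a compatible address is always dropped and the private-range check in practice only governs IPv4-mapped sources; and a mapped address carrying a globally routable IPv4 address is allowed here only because the post's rule concerns private ranges, whereas many deployments drop ::ffff:0:0/96 outright since mapped addresses belong to the socket API rather than the wire.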
There are other surprising facts of course, including that in 2008, IPv6 celebrated its 10th anniversary. Yet, until the last year or two it has lain in relative obscurity. Hopefully, this article might inspire you to start exploring IPv6 today.
IPv6 firewall for Linux
Here is a copy of the FreeBSD rules, which explicitly block a lot of IP ranges as well.
http://src.gnu-darwin.org/src/etc/rc.firewall6.html
ipv6-literal.net Linux support
http://samba.org/~idra/code/nss-ipv6literal/README.html
This is actually very useful.
http://jeremy.visser.name/
Basically, you compile it, dump it in /usr/lib, and add an "ipv6literal" entry to your /etc/nsswitch.conf, and you can resolve ipv6-literal.net addresses.
IPv6 firewall for Linux
http://www.chaz6.com/files/ipv6-firewall-current.txt