I don’t want to get into the specific design details of IPv6 technology, I just want to give a brief overview from a user’s perspective.

As you know, an IPv4 address is 32 bits (4 bytes), giving 2^32, or about 4.2 billion, addresses. An IPv6 address is 128 bits (16 bytes), giving 2^128, or about 3.4×10^38, or 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses. With a global population of 5 billion and one device per person, IPv4 is nowhere near enough, let alone with several devices per person in the era of the Internet of Things. With IPv6, someone once said that every grain of sand on Earth could be given a unique IPv6 address and the supply still would not run out.

Like IPv4, IPv6 supports globally unique IP addresses. The design of IPv6 intended to re-emphasize the end-to-end principle of network design that was originally conceived during the establishment of the early Internet by rendering network address translation obsolete. Therefore, every device on the network is globally addressable directly from any other device.

In IPv6, the address space is deemed large enough for the foreseeable future, and a local area subnet always uses 64 bits for the host portion of the address, designated as the interface identifier, while the most-significant 64 bits are used as the routing prefix.

These two sentences above are very descriptive of the purpose: to ensure that all devices on the Internet are directly accessible end-to-end, enough to be used for the foreseeable future.

The number is large enough that there is no longer any need for the many complex technologies, such as NAT, that were introduced to work around running out of addresses. See the next section.

Why is an IPv6 address globally unique and directly accessible?

Let’s start with IPv4. Generally speaking, NAT was introduced to alleviate the IPv4 exhaustion problem. The network structure of most home users is simply that the public IPv4 address assigned by the carrier is given to the router, which provides LAN (Local Area Network) and DHCP (Dynamic Host Configuration Protocol, which automatically assigns available private IPv4 addresses to connecting devices). The public IPv4 address is unique, but the router hands out addresses from a fixed, shared private range. Therefore, only the combination of public IPv4 address + private IPv4 address (and port) can be guaranteed to identify a real device.

If you initiate a connection to the public IPv4 network in your code, the peer you connect to cannot connect back to the services of the intranet device. So you need “port forwarding”: mapping a port on the router to a port on an intranet IPv4 address. Port forwarding requires manual setup and is not available by default. So NAT blocks public-network access to the intranet, and the techniques for getting through it are called “NAT traversal”.

For example, if you have an IPv4 address like 1.2.3.4 (assuming a subnet mask of 255.255.255.0), the segment (subnet) of this IPv4 address is 1.2.3.0/24, which contains the host addresses 1.2.3.0 to 1.2.3.255. Carriers usually buy a segment themselves and assign one of its host addresses to a subscriber. A home gets one host address (i.e. one public IPv4 address), so the devices behind the router (phones, computers) have only private intranet addresses (usually with a 192.168 or 10 prefix).

IPv6 is different. Although an IPv6 address is also divided into subnet + host, without causing any misunderstanding we can think of it as subnet + sub-subnet + host. The carrier buys a subnet, assigns us a sub-subnet, and our router then assigns the host part to each device. Simply put, the carrier assigns us a range of network segments, and we assign the specific hosts ourselves. Since the host part is part of the IPv6 address itself, not a private address invented by the router, it is unique externally. External routers only need to know to route addresses belonging to this (subnet + sub-subnet) to our router, which in turn routes them to our host device. There is no address translation, and there is no such thing as an unreachable intranet address.

The part assigned by the carrier (i.e. subnet + sub-subnet) is called the “routing prefix”. For example, the following is a real IPv6 address:

$ ifconfig br0
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.201  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::10dd:27ff:fe69:9466  prefixlen 64  scopeid 0x20<link>
        inet6 240e:3b7:3244:82b0:1e69:7aff:fe6d:272e  prefixlen 64  scopeid 0x0<global>
        ether 1c:69:7a:6d:27:2e  txqueuelen 1000  (Ethernet)
        ...

The routing prefix here is 64 bits long, i.e. the carrier assigns the first 64 bits of the IPv6 address (240e:3b7:3244:82b0) and uses them to determine which subscriber it is. The next 64 bits are assigned on the user’s side (1e69:7aff:fe6d:272e). IPv6 addresses usually come in pairs: one global (globally unique, for the public network) and one link-local (for the local link only). The first part of the public IPv6 address is fairly fixed per carrier:

  • China Telecom (240e::/20)
  • China Mobile (2409:8000::/20)
  • China Unicom (2408:8000::/20)

The link-local (intranet) address is also relatively fixed, usually starting with fe80::/10:

All interfaces of IPv6 hosts require a link-local address, which has the prefix fe80::/10. This prefix is combined with a 64-bit suffix, which the host can compute and assign by itself without the presence or cooperation of an external network component like a DHCP server, in a process called link-local address autoconfiguration.

The lower 64 bits of the link-local address (the suffix) were originally derived from the MAC address of the underlying network interface card. As this method of assigning addresses would cause undesirable address changes when faulty network cards were replaced, and as it also suffered from a number of security and privacy issues, RFC 8064 has replaced the original MAC-based method with the hash-based method specified in RFC 7217.
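The following is an added example (not from the original post) that works through the two points above on the address from the ifconfig output: it splits the routing prefix from the 64-bit interface identifier, shows that the identifier 1e69:7aff:fe6d:272e is exactly the modified EUI-64 form of the NIC's MAC 1c:69:7a:6d:27:2e (so the MAC, and hence the device, can be recognised in every prefix it ever appears under, which is the privacy issue RFC 7217 addresses), and matches a host by suffix alone, which is what you need when the carrier prefix changes. The privacy-style address and the 2001:db8 prefix used for comparison are constructed.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of the address: the interface identifier


def group4(hex16: str) -> str:
    """Format 16 hex digits as four colon-separated groups, e.g. 1e69:7aff:fe6d:272e."""
    return ":".join(hex16[i:i + 4] for i in range(0, 16, 4))


def split_prefix_iid(addr: str):
    """Split a /64 address into (routing prefix network, interface identifier)."""
    n = int(ipaddress.IPv6Address(addr))
    prefix = ipaddress.IPv6Network((n & ~IID_MASK, 64))
    return str(prefix), group4(format(n & IID_MASK, "016x"))


def eui64_iid_from_mac(mac: str) -> str:
    """Modified EUI-64: flip the U/L bit of the first octet and insert ff:fe in the middle."""
    b = bytes.fromhex(mac.replace(":", ""))
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return group4(eui.hex())


def mac_from_address(addr: str):
    """Recover the MAC when the IID is EUI-64 derived (ff:fe marker present), else None.
    An EUI-64 IID is the same on every network the host joins, so it tracks the device."""
    b = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None  # hash-based (RFC 7217) or random IID: nothing to recover
    return (bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]).hex(":")


def same_host_suffix(addr: str, suffix: str) -> bool:
    """True when the low 64 bits match, whatever the (changing) carrier prefix is."""
    a = int(ipaddress.IPv6Address(addr)) & IID_MASK
    s = int(ipaddress.IPv6Address(suffix)) & IID_MASK
    return a == s


if __name__ == "__main__":
    GLOBAL = "240e:3b7:3244:82b0:1e69:7aff:fe6d:272e"  # from the ifconfig output
    MAC = "1c:69:7a:6d:27:2e"                          # ether line of the same output
    print(split_prefix_iid(GLOBAL))        # ('240e:3b7:3244:82b0::/64', '1e69:7aff:fe6d:272e')
    print(eui64_iid_from_mac(MAC))         # 1e69:7aff:fe6d:272e
    print(mac_from_address(GLOBAL))        # 1c:69:7a:6d:27:2e
    print(same_host_suffix("2001:db8:1::1e69:7aff:fe6d:272e", "::1e69:7aff:fe6d:272e"))  # True
```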

In total, 128 bits: 64 bits for the carrier and 64 bits for the user. Is that not enough? It is also enough: 2^64 / 5 billion ≈ 3.7 billion. Do you have 3.7 billion devices? Obviously not. Besides, the prefix length of 64 bits is not fixed either. In fact, I think a longer prefix length is better.

IPv4 and IPv6 cannot communicate with each other

By design, the IPv4 and IPv6 versions of the IP protocol are incompatible and cannot communicate with each other. That is, an IPv4 address can only communicate with an IPv4 address, and an IPv6 address can only communicate with an IPv6 address: the two communicating parties must use the same version of address.

It is difficult to promote two completely incompatible protocols, so there are tunnelling protocols that carry IPv6 inside IPv4 (6to4, 6in4). I won’t go into the details here.

The IPv6 address assigned by the carrier is usually not fixed

The IPv6 address that the router gets after each dial-up may change, so dynamic DNS is needed. You can ask the carrier to make it fixed. Each option has pros and cons. The following is from ChatGPT:

  • Is the IPv6 provided by the ISP (carrier) better static or dynamic?
  • The IPv6 address provided by the ISP can be static or dynamic, depending on the service provided by the ISP and the needs of the customer. Here are some characteristics of these two approaches: Static IPv6 address: It means that the IPv6 address assigned by the ISP to the customer is fixed and unchanging, and the customer can use the same IPv6 address for a long time. The advantage of static IPv6 address is that it is easy to manage and maintain, especially for cases that require remote access to devices, server setup, etc. that require static IP. The disadvantage is that if the IPv6 address is hacked, the attacker may trace and attack the customer’s device through these constant addresses, so the customer needs additional security protection. Dynamic IPv6 address: This means that the IPv6 address assigned to the customer by the ISP changes dynamically, and the customer is assigned a different IPv6 address each time they go online. The advantage of a dynamic IPv6 address is that it is highly secure and less susceptible to attacks and tracing. The disadvantage is that it requires additional configuration and operation if the customer needs to access the device remotely, build a server, etc. that requires a static IP. In summary, both static IPv6 addresses and dynamic IPv6 addresses have their own scenarios, depending on the specific business scenario that the customer needs, if the customer needs long-term management and maintenance, then static IP may be more suitable. If the customer needs higher security, then dynamic IP is more suitable.

The router’s IPv6 may be turned off by default

If you are using PPPoE broadband account dial-up, you can turn IPv6 on inside the router settings.

  • Connection Type: Native
  • Interface: PPP
  • DHCP-PD: Enable
  • Accept Default Route: Enable

Save (and reboot) and you should see that an IPv6 address has been assigned in the IPv6 status page.

Firewall is on by default

As mentioned earlier, every device in the home has a public IPv6 address, which is equivalent to “running naked” on the Internet (although IPv4 + NAT is quite inelegant, as a side effect it solves this security problem), so it is necessary to turn on the firewall.

The description of “IPv6 Firewall” from ASUS routers: All outgoing traffic and related incoming traffic from IPv6 hosts on the LAN are allowed. Any other incoming traffic must be specifically allowed.

A firewall is a way to configure which of our local IPv6 address ports can be accessed by external IPv6 addresses. This can be set up on demand.

Depending on the router, the supported capabilities vary. For example, my ASUS RT-AC68U does not support setting rules by prefix or suffix, so I just edit the router’s iptables directly instead of using its page configuration feature.

The NIC may have more than one IPv6 address

This is a case where the NIC may have more than one public IPv6 address, but not all of them are usable. It mostly happens after the router is rebooted; the reason is unknown to me at the moment. I tried to get my IPv6 address by enumerating the NIC’s addresses, but found this unreliable. It is more reliable to ask an external service to tell me, for example: curl -6 ifconfig.co.

Conclusion

IPv6 is much easier to use than I expected, and the experience is really much better:

  • No need to apply to have a public address
  • No need to buy another cloud server for traffic transit
    • Save a lot of money
    • Increase a lot of bandwidth and traffic
  • No need to configure port forwarding anymore
  • Nearly unlimited available public IPv6 addresses can be freely assigned

This article is my first impressions of IPv6. I’ll follow it up with another article on my latest home network topology.