Monday, November 17, 2025

IPv6 (Internet Protocol version 6) | Overview & Hands-On.

An Overview of IPv6 (Internet Protocol version 6).

Scope:

  • Fundamentals,
  • Architecture,
  • Address types,
  • Routing,
  • Security,
  • Transition mechanisms,
  • Operational best practices.

Breakdown:

  • Intro,
  • Key Features and Benefits,
  • Why IPv6 Exists,
  • IPv6 Address Architecture,
  • IPv6 Address Types,
  • IPv6 Packet Header,
  • Neighbor Discovery Protocol (NDP) — ARP Replacement,
  • DHCPv6,
  • IPv6 Routing,
  • Extension Headers,
  • IPv6 Security,
  • Transition & Coexistence Mechanisms,
  • IPv6 Multihoming,
  • Address Planning Best Practices,
  • Cloud IPv6 key takeaway,
  • Operational Considerations,
  • Future Projections.

Intro:

  • IPv6 (Internet Protocol version 6) is the latest version of the Internet Protocol, designed to address the exhaustion of available IPv4 addresses and provide a foundation for the continued growth of the internet. 

Key Features and Benefits

  • Vastly Enlarged Address Space: The primary benefit of IPv6 is its 128-bit address length, compared to IPv4's 32-bit length. IPv6 provides approximately 340 undecillion (3.4×10³⁸) unique IP addresses, enough for every person and for the proliferation of Internet of Things (IoT) devices well into the future.
  • Simplified Routing and Efficiency: IPv6 features a simpler header format and does not require Network Address Translation (NAT), leading to more efficient processing and routing of network traffic.
  • Auto-configuration: IPv6 supports stateless address auto-configuration (SLAAC), allowing devices to connect to a network and configure themselves without a central server such as a DHCP server.
  • Enhanced Security: The protocol has built-in support for authentication and privacy features like IPsec, offering a more secure foundation for communication compared to IPv4.
  • Quality of Service (QoS): IPv6 includes "flow labeling" for better prioritization of specific traffic, which can improve performance for applications like streaming and online gaming.

1. Why IPv6 Exists

IPv6 was designed primarily to solve IPv4 address exhaustion but evolved to address broader limitations:

  • Scalability: 128-bit address space, giving 3.4×10³⁸ addresses
  • Hierarchical routing: Reduces global routing table size
  • Auto-configuration: Stateless Address Auto-Configuration (SLAAC)
  • Security baked in: Mandatory IPsec support
  • Simplified header: Improved forwarding performance
  • No NAT dependency: End-to-end connectivity restored

2. IPv6 Address Architecture

2.1 Address Structure (128 bits)

2.2 Interface Identifier

Typically:

  • 64-bit EUI-64 (derived from MAC)
  • Randomized via Privacy Extensions (RFC 4941)
  • Stable Privacy IDs (RFC 7217)

3. IPv6 Address Types

3.1 Unicast

Type                        Prefix     Purpose
Global Unicast (GUA)        2000::/3   Public internet
Unique Local Address (ULA)  fc00::/7   Private, non-routable (IPv6 analog of RFC1918)
Link-Local                  fe80::/10  Required on every interface; no router hop
Loopback                    ::1        Same as 127.0.0.1

3.2 Multicast

Eliminates broadcast altogether.

Scope       Prefix
Node-local  ff01::/16
Link-local  ff02::/16
Site-local  ff05::/16
Global      ff0e::/16

Important groups:

  • ff02::1 — all nodes
  • ff02::2 — all routers
  • ff02::1:ffXX:XXXX — solicited-node multicast (used by NDP)

3.3 Anycast

Same address assigned to multiple interfaces; the nearest node responds.

Used for:

  • DNS root infrastructure
  • CDNs
  • Load balancing / redundancy

4. IPv6 Packet Header

4.1 Fixed 40-byte header

Simplified vs IPv4.

Key differences:

  • No checksum (transport layers handle it)
  • No fragmentation by routers (handled by endpoints with PMTUD)
  • Extension headers replace IPv4 options

5. Neighbor Discovery Protocol (NDP) — ARP Replacement

NDP uses ICMPv6 and relies on multicast instead of broadcast.

5.1 NDP Components

  • Router Solicitation (RS)
  • Router Advertisement (RA)
  • Neighbor Solicitation (NS)
  • Neighbor Advertisement (NA)
  • Redirects

5.2 SLAAC (Stateless Auto-Config)

Host derives IPv6 address using:

  • Prefix received from RA
  • Interface ID (EUI-64 or random)

6. DHCPv6

Two modes:

  • Stateful: DHCPv6 assigns the full address + DNS + options
  • Stateless: SLAAC provides the address; DHCPv6 only supplies options (DNS, NTP, etc.)

Flags in RA determine behavior:

  • M flag (Managed)
  • O flag (Other config)

7. IPv6 Routing

7.1 Static Routing

Identical principle to IPv4.
Next hop must be a link-local FE80:: address.

7.2 IGPs

OSPFv3

  • Works only with IPv6
  • Uses link-local addresses
  • Authentication moved to IPsec

EIGRP for IPv6

  • Same algorithm as IPv4
  • Operates per-link, no concept of networks

7.3 BGP

BGP-4 with multiprotocol extensions (MP-BGP).
Supports:

  • Global Unicast
  • 6PE / 6VPE deployments

8. Extension Headers

Chained using the “Next Header” field.

Common types:

  • Hop-by-Hop Options
  • Fragment Header
  • Routing Header
  • Destination Options
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)

Routers only inspect Hop-by-Hop headers.
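
Walking the Next Header chain described above, the way a filtering device must in order to reach the transport header, as an added example that is not part of the original post. The findings it reports are a small illustrative policy, and both sample packets are constructed.

```python
import struct

# Extension headers the walker can step over (IANA protocol numbers).
EXT = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Destination Options"}

def walk_chain(packet: bytes):
    """Follow Next Header from the fixed header; return (chain, upper_proto, findings)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain, findings = packet[6], 40, [], []
    while nxt in EXT:                      # ESP (50) ends the walk: the rest is encrypted
        if off + 8 > len(packet):
            findings.append("truncated chain")
            return chain, None, findings
        frag_off = 0
        if nxt == 44:                      # Fragment header is always 8 bytes
            size = 8
            frag_off = struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3
        elif nxt == 51:                    # AH length: 4-byte units, minus 2
            size = (packet[off + 1] + 2) * 4
        else:                              # others: 8-byte units beyond the first 8
            size = (packet[off + 1] + 1) * 8
        if off + size > len(packet):
            findings.append("truncated chain")
            return chain, None, findings
        if nxt == 0 and chain:
            findings.append("Hop-by-Hop Options not first in chain")
        if nxt == 43 and packet[off + 2] == 0:
            findings.append("Routing Header type 0 (deprecated by RFC 5095)")
        if EXT[nxt] in chain and nxt != 60:
            findings.append(f"repeated {EXT[nxt]} header")
        chain.append(EXT[nxt])
        if frag_off:                       # upper-layer header lives in the first fragment
            findings.append("non-first fragment: upper-layer header not in this packet")
            return chain, packet[off], findings
        nxt, off = packet[off], off + size
    return chain, nxt, findings

def build(first_next: int, *headers: bytes, payload: bytes = b"") -> bytes:
    """Constructed sample packet: fixed header (2001:db8::1 to 2001:db8::2) plus headers."""
    body = b"".join(headers) + payload
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 6 << 28, len(body), first_next, 64) + src + dst + body

PAD = bytes([1, 4, 0, 0, 0, 0])                    # PadN option filling a header to 8 bytes
NORMAL = build(0, bytes([6, 0]) + PAD, payload=bytes(20))
ODD = build(60, bytes([0, 0]) + PAD, bytes([43, 0]) + PAD, bytes([6, 0, 0, 0, 0, 0, 0, 0]),
            payload=bytes(20))
```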

9. IPv6 Security

9.1 Improvements

  • IPsec mandatory in the protocol suite
  • No NAT: cleaner, verifiable end-to-end security
  • SLAAC + privacy extensions mitigate tracking

9.2 Risks

  • NDP spoofing (analogous to ARP poisoning)
  • Rogue RA attacks
  • DHCPv6 attacks
  • Extension header abuse (evading firewalls)

Mitigations

  • RA Guard
  • DHCPv6 Guard
  • SAVI
  • SeND (rarely deployed)
  • IPv6 ACLs
  • Firewall normalization of extension headers
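
A host-side view of the rogue RA risk and of the M/O flags from section 6, as an added example that is not part of the original post: it parses a Router Advertisement, reports which addressing mode the flags select, and compares the sender and prefix with what the site expects. The router and prefix allowlists and both sample RAs are constructed assumptions.

```python
import ipaddress
import struct

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134) and its Prefix Information options."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(icmp[5] & 0x80), "O": bool(icmp[5] & 0x40), "prefixes": []}
    off = 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8    # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:                 # Prefix Information option
            prefix = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            ra["prefixes"].append(f"{prefix}/{icmp[off + 2]}")
        off += opt_len
    return ra

def addressing_mode(ra: dict) -> str:
    """Map the M and O flags to the DHCPv6 modes described in section 6."""
    if ra["M"]:
        return "stateful DHCPv6"
    return "SLAAC + stateless DHCPv6" if ra["O"] else "SLAAC only"

def check_ra(src: str, ra: dict, routers: set, prefixes: set) -> list:
    """Compare an RA with the routers and prefixes the site expects (both are assumptions)."""
    src_ip, findings = ipaddress.IPv6Address(src), []
    if not src_ip.is_link_local:
        findings.append("RA source is not link-local")
    if src_ip not in {ipaddress.IPv6Address(r) for r in routers}:
        findings.append(f"RA from unexpected router {src_ip}")
    findings += [f"unexpected prefix {p}" for p in ra["prefixes"] if p not in prefixes]
    return findings

def make_ra(flags: int, prefix: str) -> bytes:
    """Constructed sample RA: 16-byte header plus one /64 Prefix Information option."""
    head = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
    return head + opt + ipaddress.IPv6Address(prefix).packed

ROUTERS, PREFIXES = {"fe80::1"}, {"2001:db8:1000:1::/64"}   # hypothetical site policy
GOOD = parse_ra(make_ra(0x40, "2001:db8:1000:1::"))
ROGUE = parse_ra(make_ra(0x00, "2001:db8:bad::"))
```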

10. Transition & Coexistence Mechanisms

These are needed because IPv4 and IPv6 will coexist for decades.

10.1 Dual Stack (best practice)

Run IPv4 + IPv6 simultaneously.

10.2 Tunneling

  • 6in4 (manual / 6to4)
  • 6RD (rapid deployment)
  • ISATAP (intra-site tunnel)
  • GRE over IPv6

10.3 Translation

  • NAT64/DNS64
  • 464XLAT (Android mobile networks)
  • MAP-E / MAP-T (carrier solutions)
  • SIIT / Stateless NAT64

11. IPv6 Multihoming

IPv6 introduces:

  • Multiple global prefixes per interface
  • Prefix policies (RFC 6724)
  • BGP-based multihoming
  • PA vs PI address design decisions

12. Address Planning Best Practices

Recommended allocation:

  • /48 per site
  • /64 per subnet (required by most IPv6 features)
  • Document subnets and create hierarchical structure

Sample:

2001:db8:1000::/48

 → 2001:db8:1000:0001::/64  Servers

 → 2001:db8:1000:0002::/64  Users

 → 2001:db8:1000:0010::/64  WAN links

13. Cloud IPv6 key takeaway

AWS

  • Supports dual-stack VPC
  • IPv6-only subnets
  • EBS/EFS/NLB/GWLB IPv6 support
  • NAT64 + DNS64 via VPC

Azure

  • IPv6 load balancers
  • Dual-stack VNETs

GCP

  • IPv6 global external addresses
  • IPv6-to-IPv6 load balancing

14. Operational Considerations

  • Log correlation becomes harder due to privacy addresses
  • Firewalls need explicit IPv6 rules (v4 rules do not apply)
  • Path MTU discovery issues more visible
  • DNS becomes more complex: AAAA records everywhere
  • Monitoring tools must support IPv6 end-to-end

15. Future Projections

  • Segment Routing over IPv6 (SRv6)
  • IPv6-only data centers
  • QUIC + HTTP/3 accelerating IPv6 adoption
  • IoT native IPv6 networks


Project: Hands-On

How twtech uses IPv6 in its environment.

Search for AWS service: VPC

Step-1:

Select the VPC to configure for IPv6: twtechVPC

Add twtechVPC IPv6 CIDR range: right-click on VPC (twtechVPC) to Edit CIDR

Add new IPv6 CIDR range

IPv6 generated by: Amazon-provided IPv6 CIDR block

Step-2:

Select the Public Subnet: go to Action and Edit the IPv6 CIDRs

Assign to Public Subnet: Add IPv6 CIDR


Step-3:

Edit Public Subnet settings: to allow auto-assign IPv6 address

From: unchecked

To: checked

Save changes:

Step-5:

Go to EC2 console, select instance, right-click on instance: To Networking / Manage IP addresses

Click on the icon to expand tab:

Assign new IP address: IPv6 addresses

From:

To: assign new IPv6 address (it will be auto-assigned)

Save and confirm changes:

Step-6:

Verify that the configured instance (twtechBastionHostinstance) now has an IPv6 address attached

Step-7: edit the security group (inbound rule) of the configured instance to: add the CIDR range for the IPv6 address created.

From:

Edit inbound rules to add: SSH from Anywhere-IPv6

Save changes:

Step-7:

  • How to SSH into the configured instance using the IPv6 address attached to the instance (twtechBastionHostinstance)

First:

  • twtech needs to test whether its internet connection has an IPv6 address; it may need an internet upgrade to include IPv6
  • To verify whether the internet connection has IPv6 access, search Google for: do I have ipv6


Step-8: 

  • twtech needs to verify that a route with the IPv6 CIDR has been added to the Public route table: it should end with /56

Key takeaway:

  • Connecting (SSH) to the instance via IPv6 is local (access remains within the VPC), and it is not accessible from the public internet.
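
Step-7 adds SSH from Anywhere-IPv6 (::/0) to the instance's security group. As an added example that is not part of the original post, the check below lists inbound rules that admit any source on port 22 and shows the same rule set narrowed to an administrator prefix; the JSON follows the shape of `aws ec2 describe-security-groups` output, and the group ID, group name, addresses and admin prefix are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group ID, name and the IPv4 address are placeholders, not values from the post.
SAMPLE = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-0123456789abcdef0", "GroupName": "example-bastion-sg",
  "IpPermissions": [{
    "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
    "Ipv6Ranges": [{"CidrIpv6": "::/0"}]
  }]
}]}
""")

def world_open(groups: dict, port: int = 22) -> list:
    """List (group, cidr) pairs whose inbound rules admit any source on `port`."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "tcp":
                if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
                    continue
            elif proto != "-1":          # "-1" means all protocols and ports
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(sg["GroupId"], c) for c in cidrs
                         if ipaddress.ip_network(c).prefixlen == 0]
    return findings

def narrowed(groups: dict, admin_prefix: str) -> dict:
    """Return a copy with every ::/0 IPv6 source replaced by `admin_prefix`."""
    fixed = json.loads(json.dumps(groups))
    for sg in fixed["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            for r in perm.get("Ipv6Ranges", []):
                if r["CidrIpv6"] == "::/0":
                    r["CidrIpv6"] = str(ipaddress.IPv6Network(admin_prefix))
    return fixed

if __name__ == "__main__":
    print("before:", world_open(SAMPLE))
    print("after: ", world_open(narrowed(SAMPLE, "2001:db8:1000:2::/64")))
```

The IPv4 rule in the sample is already limited to one address, yet the group is still open on port 22 over IPv6, which is the "v4 rules do not apply" point from section 14.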
