Monday, November 17, 2025

AWS IPv6 (Internet Protocol version 6) | Overview & Hands-On.

Scope:

  • Intro
  • Key Features and Benefits
  • Why IPv6 Exists
  • IPv6 Address Architecture
  • IPv6 Address Types
  • IPv6 Packet Header
  • Neighbor Discovery Protocol (NDP) — ARP Replacement
  • DHCPv6
  • IPv6 Routing
  • Extension Headers
  • IPv6 Security
  • Transition & Coexistence Mechanisms
  • IPv6 Multihoming
  • Address Planning Best Practices
  • Cloud IPv6 key takeaway
  • Operational Considerations
  • Future Projections
  • Project: Hands-On

Intro:

    • AWS IPv6 (Internet Protocol version 6) is the latest version of the Internet Protocol, designed to address the exhaustion of available IPv4 addresses and to provide a foundation for the continued growth of the internet.

Key Features and Benefits

    • Vastly Enlarged Address Space
      • The primary benefit of IPv6 is its 128-bit address length, compared to IPv4's 32-bit length. IPv6 provides approximately 340 undecillion (3.4 x 10³⁸) unique IP addresses, ensuring enough addresses for every person and for the proliferation of Internet of Things (IoT) devices well into the future.
    • Simplified Routing and Efficiency
      • IPv6 features a simpler header format and does not require Network Address Translation (NAT), leading to more efficient processing and routing of network traffic.
    • Auto-configuration
      • IPv6 supports stateless address auto-configuration (SLAAC), allowing devices to connect to a network and configure themselves without a central server such as a DHCP server.
    • Enhanced Security
      • The protocol has built-in support for authentication and privacy features such as IPsec, offering a more secure foundation for communication than IPv4.
    • Quality of Service (QoS)
      • IPv6 includes "flow labeling" for better prioritization of specific traffic, which can improve performance for applications such as streaming and online gaming.

1. Why IPv6 Exists

  • IPv6 was designed primarily to solve IPv4 address exhaustion but evolved to address broader limitations:
    • Scalability: 128-bit address space (3.4×10³⁸ addresses)
    • Hierarchical routing: Reduces global routing table size
    • Auto-configuration: Stateless Address Auto-Configuration (SLAAC)
    • Security baked in: Mandatory IPsec support
    • Simplified header: Improved forwarding performance
    • No NAT dependency: End-to-end connectivity restored

2. IPv6 Address Architecture

2.1 Address Structure (128 bits)

2.2 Interface Identifier

Typically:

    • 64-bit EUI-64 (derived from MAC)
    • Randomized via Privacy Extensions (RFC 4941)
    • Stable Privacy IDs (RFC 7217)
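
The three interface-ID schemes listed above can be worked through in code. The Python below is an added example, not part of the original post: `eui64_interface_id()` performs the modified EUI-64 derivation from RFC 4291 (insert ff:fe, flip the universal/local bit), `stable_privacy_interface_id()` implements the RFC 7217 idea of an opaque ID computed from prefix, interface name and a secret, and `slaac_address()` joins a /64 prefix with either ID. RFC 7217 leaves the pseudo-random function open, so HMAC-SHA256 is this example's choice; the MAC, prefixes and key are constructed values.

```python
import hashlib
import hmac
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A).

    The 24-bit OUI and the 24-bit device part are split, 0xFFFE is inserted between
    them, and the universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:1a:2b:3c:4d:5e")
    first = octets[0] ^ 0x02
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def stable_privacy_interface_id(prefix: str, net_iface: str,
                                secret_key: bytes, dad_counter: int = 0) -> int:
    """Stable, opaque IID in the spirit of RFC 7217: F(Prefix, Net_Iface, DAD_Counter, secret).

    HMAC-SHA256 is this example's PRF choice (the RFC does not mandate one). The same
    host gets the same address every time it joins the same prefix, but an unrelated
    address on every other network, so it cannot be tracked across networks.
    """
    net = ipaddress.IPv6Network(prefix)
    msg = net.network_address.packed[:8] + net_iface.encode() + bytes([dad_counter & 0xFF])
    digest = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as learned from a Router Advertisement) with a 64-bit IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    if not 0 <= iid < 1 << 64:
        raise ValueError("interface identifier must fit in 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                  # constructed sample MAC
    key = b"per-host-secret-kept-in-nvram"     # constructed sample secret
    print("EUI-64 :", slaac_address("2001:db8:1000:1::/64", eui64_interface_id(mac)))
    print("RFC7217:", slaac_address("2001:db8:1000:1::/64",
                                    stable_privacy_interface_id("2001:db8:1000:1::/64", "eth0", key)))
```

The EUI-64 form is what makes a host trackable: the same MAC-derived suffix follows it onto every network. The RFC 7217 form keeps an address stable per network (so ACLs and logs on that network still work) while changing across networks.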

3. IPv6 Address Types

3.1 Unicast

| Type | Prefix | Purpose |
|---|---|---|
| Global Unicast (GUA) | 2000::/3 | Public internet |
| Unique Local Address (ULA) | fc00::/7 | Private, non-routable (IPv6 analog of RFC 1918) |
| Link-Local | fe80::/10 | Required on every interface; no router hop |
| Loopback | ::1 | Same as 127.0.0.1 |

3.2 Multicast

Eliminates broadcast altogether.

| Scope | Prefix |
|---|---|
| Node-local | ff01::/16 |
| Link-local | ff02::/16 |
| Site-local | ff05::/16 |
| Global | ff0e::/16 |

Important groups:

    • ff02::1 — all nodes
    • ff02::2 — all routers
    • ff02::1:ffXX:XXXX — solicited-node multicast (used by NDP)
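
The prefix tables in 3.1 and 3.2 and the solicited-node rule above can be turned into a small classifier. The Python below is an added example, not code from the original post: `classify()` names an address by the prefixes listed above (reading the multicast scope nibble out of ff0X), `solicited_node_multicast()` builds ff02::1:ffXX:XXXX from the low 24 bits of a unicast address, and `multicast_groups_joined()` lists the groups a node has to listen on for NDP to work. The sample addresses are constructed.

```python
import ipaddress

# Unicast prefix table from 3.1 (loopback listed first so ::1 is matched exactly).
UNICAST_TYPES = [
    ("Loopback", ipaddress.IPv6Network("::1/128")),
    ("Global Unicast (GUA)", ipaddress.IPv6Network("2000::/3")),
    ("Unique Local Address (ULA)", ipaddress.IPv6Network("fc00::/7")),
    ("Link-Local", ipaddress.IPv6Network("fe80::/10")),
]
# Multicast scope nibble from 3.2: ff0X::/16 where X is the scope.
MULTICAST_SCOPES = {0x1: "node-local", 0x2: "link-local", 0x5: "site-local", 0xE: "global"}


def classify(addr_str: str) -> str:
    """Name the address type using the prefix tables above."""
    addr = ipaddress.IPv6Address(addr_str)
    if addr.is_multicast:                          # ff00::/8
        scope = (int(addr) >> 112) & 0xF           # low nibble of the first 16-bit group
        return f"Multicast ({MULTICAST_SCOPES.get(scope, f'scope {scope:x}')})"
    for name, net in UNICAST_TYPES:
        if addr in net:
            return name
    return "Unspecified or reserved"


def solicited_node_multicast(addr_str: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX: the low 24 bits of the unicast address appended to ff02::1:ff00:0/104.

    Neighbor Solicitations for the address are sent to this group instead of a broadcast,
    so only nodes whose addresses end in the same 24 bits have to process them.
    """
    low24 = int(ipaddress.IPv6Address(addr_str)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def multicast_groups_joined(addresses, is_router: bool = False) -> set:
    """Groups a node must join: all-nodes, all-routers if it forwards, and one
    solicited-node group per unicast address (link-local included)."""
    groups = {ipaddress.IPv6Address("ff02::1")}
    if is_router:
        groups.add(ipaddress.IPv6Address("ff02::2"))
    for a in addresses:
        if not ipaddress.IPv6Address(a).is_multicast:
            groups.add(solicited_node_multicast(a))
    return groups


if __name__ == "__main__":
    for sample in ("2001:db8::1", "fd12:3456::1", "fe80::1", "::1", "ff02::1", "ff05::1:3"):
        print(f"{sample:<14} {classify(sample)}")
    # Constructed host with a link-local and a GUA sharing the same EUI-64 suffix:
    host = ["fe80::21a:2bff:fe3c:4d5e", "2001:db8:1000:1:21a:2bff:fe3c:4d5e"]
    print(sorted(str(g) for g in multicast_groups_joined(host)))
```

When troubleshooting NDP, the solicited-node group is the thing to look for in a switch's MLD snooping table: a host that has not joined ff02::1:ffXX:XXXX for its address will never answer Neighbor Solicitations for it.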

3.3 Anycast

  • The same address is assigned to multiple interfaces; the nearest node responds.

Used for:

    • DNS root infrastructure
    • CDNs
    • Load balancing / redundancy

4. IPv6 Packet Header

4.1 Fixed 40-byte header

Simplified vs IPv4.

Key differences:

    • No checksum (transport layers handle it)
    • No fragmentation by routers (handled by endpoints with PMTUD)
    • Extension headers replace IPv4 options

5. Neighbor Discovery Protocol (NDP) — ARP Replacement

  • NDP uses ICMPv6 and relies on multicast instead of broadcast.

5.1 NDP Components

    • Router Solicitation (RS)
    • Router Advertisement (RA)
    • Neighbor Solicitation (NS)
    • Neighbor Advertisement (NA)
    • Redirects

5.2 SLAAC (Stateless Auto-Config)

  • Host derives IPv6 address using:
    • Prefix received from RA
    • Interface ID (EUI-64 or random)

6. DHCPv6

Two modes:

    • Stateful: DHCPv6 assigns the full address + DNS + options
    • Stateless: SLAAC provides the address; DHCPv6 only supplies options (DNS, NTP, etc.)

Flags in RA determine behavior:

    • M flag (Managed)
    • O flag (Other config)
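
The RA fields behind SLAAC (5.2) and behind the M/O mode selection above are easiest to see by parsing an actual message. The Python below is an added example, not part of the original post: `parse_router_advertisement()` decodes an ICMPv6 Router Advertisement in the RFC 4861 layout (fixed 16-byte body plus Prefix Information, MTU and Source Link-Layer Address options) and `host_config_plan()` states what a host does with it. `build_sample_ra()` constructs the bytes offline (checksum left at zero); the MAC and prefixes are placeholders.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134                      # ICMPv6 type
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5


def parse_router_advertisement(payload: bytes) -> dict:
    """Parse an ICMPv6 RA body (RFC 4861 section 4.2) and its options (section 4.6)."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    (_type, _code, _csum, hop_limit, flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"hop_limit": hop_limit, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": router_lifetime, "prefixes": [], "mtu": None, "source_mac": None}
    off = 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option (RFC 4861: discard the packet)")
        body = payload[off:off + opt_len * 8]
        if len(body) < opt_len * 8:
            raise ValueError("truncated ND option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            prefix_int = int.from_bytes(body[16:32], "big")
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((prefix_int, plen), strict=False),
                "L": bool(pflags & 0x80),      # on-link
                "A": bool(pflags & 0x40),      # autonomous: may be used for SLAAC
                "valid": valid, "preferred": preferred})
        elif opt_type == OPT_MTU and opt_len == 1:
            ra["mtu"] = struct.unpack("!I", body[4:8])[0]
        elif opt_type == OPT_SOURCE_LLADDR and opt_len == 1:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body[2:8])
        off += opt_len * 8
    return ra


def host_config_plan(ra: dict) -> dict:
    """What a host does with this RA: SLAAC prefixes and the DHCPv6 mode chosen by M/O."""
    if ra["M"]:
        dhcpv6 = "stateful (address + options from DHCPv6)"
    elif ra["O"]:
        dhcpv6 = "stateless (SLAAC address; DHCPv6 supplies options only)"
    else:
        dhcpv6 = "none (SLAAC only)"
    slaac = [p["prefix"] for p in ra["prefixes"] if p["A"] and p["prefix"].prefixlen == 64]
    return {"dhcpv6": dhcpv6, "slaac_prefixes": slaac,
            "default_router": ra["router_lifetime"] > 0}


def build_sample_ra(m_flag: bool, o_flag: bool, prefix: str) -> bytes:
    """Constructed RA for offline use: not a captured packet, checksum left at zero."""
    flags = (0x80 if m_flag else 0) | (0x40 if o_flag else 0)
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,   # L=1, A=1
                      2592000, 604800, 0) + net.network_address.packed
    mtu = struct.pack("!BBHI", OPT_MTU, 1, 0, 1500)
    slla = bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex("001a2b3c4d5e")       # placeholder MAC
    return header + pio + mtu + slla


if __name__ == "__main__":
    ra = parse_router_advertisement(build_sample_ra(False, True, "2001:db8:1000:1::/64"))
    print(ra)
    print(host_config_plan(ra))
```

The same parser is what an RA Guard style monitor needs: any RA whose source MAC or advertised prefix is not on the allow-list for that VLAN is the rogue-RA case listed under section 9.2.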

7. IPv6 Routing

7.1 Static Routing

  • Identical principle to IPv4.
  • Next hop must be a link-local FE80:: address.

7.2 IGPs

OSPFv3

    • Works only with IPv6
    • Uses link-local addresses
    • Authentication moved to IPsec

EIGRP for IPv6

    • Same algorithm as IPv4
    • Operates per-link, no concept of networks

7.3 BGP

  • BGP-4 with multiprotocol extensions (MP-BGP).

Supports:

    • Global Unicast
    • 6PE / 6VPE deployments

8. Extension Headers

  • Chained using the “Next Header” field.

Common types:

    • Hop-by-Hop Options
    • Fragment Header
    • Routing Header
    • Destination Options
    • Authentication Header (AH)
    • Encapsulating Security Payload (ESP)
  • Routers only inspect Hop-by-Hop headers.

9. IPv6 Security

9.1 Improvements

    • IPsec mandatory in the protocol suite
    • No NAT: cleaner, verifiable end-to-end security
    • SLAAC + privacy extensions mitigate tracking

9.2 Risks

    • NDP spoofing (analogous to ARP poisoning)
    • Rogue RA attacks
    • DHCPv6 attacks
    • Extension header abuse (evading firewalls)

Mitigations

    • RA Guard
    • DHCPv6 Guard
    • SAVI
    • SeND (rarely deployed)
    • IPv6 ACLs
    • Firewall normalization of extension headers
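
"Firewall normalization of extension headers" (the last mitigation above) means walking the Next Header chain from section 8 and refusing anything that cannot be classified. The Python below is an added example, not code from the original post: `walk_header_chain()` walks a constructed IPv6 packet, applies a small policy (Hop-by-Hop must come first, Routing Header type 0 is rejected, duplicate headers and over-long chains are rejected, non-initial fragments go to reassembly, ESP ends inspection) and reports the upper-layer protocol and ports a rule set could match on. `MAX_CHAIN`, the policy itself and the sample packets are this example's assumptions.

```python
import ipaddress
import struct

# Next Header values (IANA protocol numbers) for the extension headers listed in section 8.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
EXT_HEADERS = {HOP_BY_HOP: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
               ESP: "ESP", AH: "AH", DEST_OPTS: "Destination Options"}
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
MAX_CHAIN = 4   # policy knob (assumed value): longer chains are dropped


def walk_header_chain(pkt: bytes):
    """Return (verdict, reason, summary) after walking the extension header chain."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop", "not an IPv6 packet", None
    next_hdr, off = pkt[6], 40                      # Next Header of the fixed 40-byte header
    summary = {"src": str(ipaddress.IPv6Address(pkt[8:24])),
               "dst": str(ipaddress.IPv6Address(pkt[24:40])), "chain": [], "upper": None}
    chain = summary["chain"]
    while next_hdr in EXT_HEADERS:
        name = EXT_HEADERS[next_hdr]
        if len(chain) >= MAX_CHAIN:
            return "drop", f"more than {MAX_CHAIN} extension headers", summary
        if next_hdr == HOP_BY_HOP and chain:
            return "drop", "Hop-by-Hop header not first in chain (RFC 8200 section 4.1)", summary
        if name in chain and name != "Destination Options":   # DestOpts may legitimately appear twice
            return "drop", f"duplicate {name} header", summary
        chain.append(name)
        if next_hdr == ESP:
            summary["upper"] = "ESP (encrypted, not inspectable)"
            return "accept", "ESP terminates the visible chain", summary
        if off + 8 > len(pkt):
            return "drop", "truncated extension header", summary
        if next_hdr == FRAGMENT:                         # fixed 8 bytes: NH, res, offset/flags, id
            frag_offset = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_offset != 0:
                return "reassemble", "non-initial fragment; upper-layer header not visible", summary
            hdr_len = 8
        elif next_hdr == AH:                             # length in 4-octet units minus 2
            hdr_len = (pkt[off + 1] + 2) * 4
        else:                                            # HBH / Routing / DestOpts: 8-octet units minus 1
            if next_hdr == ROUTING and pkt[off + 2] == 0:
                return "drop", "Routing Header type 0 is deprecated (RFC 5095)", summary
            hdr_len = (pkt[off + 1] + 1) * 8
        next_hdr, off = pkt[off], off + hdr_len
    if next_hdr == NO_NEXT:
        summary["upper"] = "none"
        return "accept", "no upper-layer header", summary
    summary["upper"] = UPPER.get(next_hdr, f"proto {next_hdr}")
    if next_hdr in (6, 17) and off + 4 <= len(pkt):
        summary["src_port"], summary["dst_port"] = struct.unpack("!HH", pkt[off:off + 4])
    return "accept", "header chain normalized", summary


# ---- constructed packets for offline testing (placeholder addresses) ----
def ipv6_packet(next_hdr: int, payload: bytes, src="2001:db8::1", dst="2001:db8::2") -> bytes:
    """Fixed 40-byte IPv6 header around `payload`."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def ext_header(next_hdr: int, body: bytes) -> bytes:
    """Generic extension header: Next Header, Hdr Ext Len (8-octet units minus 1), body."""
    assert (len(body) + 2) % 8 == 0
    return bytes([next_hdr, (len(body) + 2) // 8 - 1]) + body


PADN = bytes([1, 4, 0, 0, 0, 0])                              # PadN option filling a 6-byte body
TCP_SYN_TO_SSH = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
PKT_PLAIN_TCP = ipv6_packet(6, TCP_SYN_TO_SSH)
PKT_HBH_THEN_DSTOPTS = ipv6_packet(HOP_BY_HOP, ext_header(DEST_OPTS, PADN) + ext_header(6, PADN) + TCP_SYN_TO_SSH)
PKT_HBH_NOT_FIRST = ipv6_packet(DEST_OPTS, ext_header(HOP_BY_HOP, PADN) + ext_header(6, PADN) + TCP_SYN_TO_SSH)
PKT_RH0 = ipv6_packet(ROUTING, ext_header(6, bytes([0, 1]) + b"\x00" * 4) + TCP_SYN_TO_SSH)
PKT_LONG_CHAIN = ipv6_packet(DEST_OPTS, ext_header(DEST_OPTS, PADN) * 4 + ext_header(6, PADN) + TCP_SYN_TO_SSH)
PKT_NON_INITIAL_FRAGMENT = ipv6_packet(FRAGMENT, struct.pack("!BBHI", 6, 0, 100 << 3, 0x1234) + b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in [("plain", PKT_PLAIN_TCP), ("hbh+dstopts", PKT_HBH_THEN_DSTOPTS),
                      ("hbh not first", PKT_HBH_NOT_FIRST), ("rh0", PKT_RH0),
                      ("long chain", PKT_LONG_CHAIN), ("fragment", PKT_NON_INITIAL_FRAGMENT)]:
        print(name, walk_header_chain(pkt)[:2])
```

The point of the policy is that a rule such as "allow TCP/22 from the management prefix" is only enforceable once the walker has reached the transport header; a chain it cannot fully walk is dropped rather than passed on by default.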

10. Transition & Coexistence Mechanisms

  • Needed because IPv4 and IPv6 will coexist for decades.

10.1 Dual Stack (best practice)

  • Run IPv4 + IPv6 simultaneously.

10.2 Tunneling

    • 6in4 (manual / 6to4)
    • 6RD (rapid deployment)
    • ISATAP (intra-site tunnel)
    • GRE over IPv6

10.3 Translation

    • NAT64/DNS64
    • 464XLAT (Android mobile networks)
    • MAP-E / MAP-T (carrier solutions)
    • SIIT / Stateless NAT64

11. IPv6 Multihoming

IPv6 introduces:

    • Multiple global prefixes per interface
    • Prefix policies (RFC 6724)
    • BGP-based multihoming
    • PA vs PI address design decisions

12. Address Planning Best Practices

Recommended allocation:

    • /48 per site
    • /64 per subnet (required by most IPv6 features)
    • Document subnets and create hierarchical structure

Sample:

2001:db8:1000::/48
  2001:db8:1000:0001::/64  Servers
  2001:db8:1000:0002::/64  Users
  2001:db8:1000:0010::/64  WAN links
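
The sample above is a flat list of /64s inside a /48. The Python below is an added example, not part of the original post, and it goes one step further than the sample: it carves the /48 into a /56 per function (Servers, Users, WAN links) and hands out /64s inside each, so the function of a subnet can be read from its address and ACLs can match on the /56. The /56-per-function layer is this example's assumption; the `ipaddress` module does the arithmetic, and `reserve()` enforces the "/64 per subnet, no overlaps" rule from the list above.

```python
import ipaddress


class SitePlan:
    """Hierarchical plan for one site: /48 site -> /56 per function -> /64 per subnet."""

    def __init__(self, site_prefix: str, functions: list):
        self.site = ipaddress.IPv6Network(site_prefix)
        if self.site.prefixlen != 48:
            raise ValueError("plan expects a /48 per site")
        if len(functions) > 256:
            raise ValueError("a /48 holds only 256 x /56 function blocks")
        self.function_block = dict(zip(functions, self.site.subnets(new_prefix=56)))
        # one generator of /64s per function block (256 x /64 each)
        self._free = {f: b.subnets(new_prefix=64) for f, b in self.function_block.items()}
        self.allocated = {}          # IPv6Network(/64) -> label (the documentation)

    def allocate(self, function: str, label: str) -> ipaddress.IPv6Network:
        """Next free /64 in the function's /56, skipping anything reserved by hand."""
        for candidate in self._free[function]:
            if candidate not in self.allocated:
                self.allocated[candidate] = label
                return candidate
        raise RuntimeError(f"{function} block {self.function_block[function]} is exhausted")

    def reserve(self, subnet: str, label: str) -> ipaddress.IPv6Network:
        """Hand-assigned subnet: must be a /64 inside the site and overlap nothing."""
        net = ipaddress.IPv6Network(subnet)
        if net.prefixlen != 64:
            raise ValueError(f"{net} is not a /64 (SLAAC and most IPv6 features need /64)")
        if not net.subnet_of(self.site):
            raise ValueError(f"{net} is outside site {self.site}")
        for existing, who in self.allocated.items():
            if existing.overlaps(net):
                raise ValueError(f"{net} overlaps {existing} ({who})")
        self.allocated[net] = label
        return net

    def function_of(self, subnet: str) -> str:
        """Reverse lookup: which function block a /64 falls in (handy when writing ACLs)."""
        net = ipaddress.IPv6Network(subnet)
        for name, block in self.function_block.items():
            if net.subnet_of(block):
                return name
        return "unassigned"

    def as_table(self) -> str:
        rows = [f"{str(self.site):<28}site"]
        for function, block in self.function_block.items():
            rows.append(f"  {str(block):<26}{function}")
            for net, label in sorted(self.allocated.items()):
                if net.subnet_of(block):
                    rows.append(f"    {str(net):<24}{label}")
        return "\n".join(rows)


if __name__ == "__main__":
    plan = SitePlan("2001:db8:1000::/48", ["Servers", "Users", "WAN links"])
    plan.allocate("Servers", "web tier")
    plan.allocate("Servers", "database")
    plan.allocate("Users", "floor 1")
    plan.reserve("2001:db8:1000:210::/64", "legacy WAN link")   # constructed hand assignment
    plan.allocate("WAN links", "WAN link 2")
    print(plan.as_table())
```

Keeping the per-function boundary on a nibble (here the third byte of the subnet ID) is what makes the plan readable in hex: every address starting 2001:db8:1000:01xx is a user subnet, which is much easier to audit in firewall rules and logs than a flat numbering.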

13. Cloud IPv6 key takeaway

AWS

    • Supports dual-stack VPC
    • IPv6-only subnets
    • EBS/EFS/NLB/GWLB IPv6 support
    • NAT64 + DNS64 via VPC

Azure

    • IPv6 load balancers
    • Dual-stack VNETs

GCP

    • IPv6 global external addresses
    • IPv6-to-IPv6 load balancing

14. Operational Considerations

    • Log correlation becomes harder due to privacy addresses
    • Firewalls need explicit IPv6 rules (v4 rules do not apply)
    • Path MTU discovery issues more visible
    • DNS becomes more complex: AAAA records everywhere
    • Monitoring tools must support IPv6 end-to-end
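
The first point above, log correlation under privacy addresses, has a practical workaround: the interface ID rotates, but the /64 the client sits in does not, so failed logins are counted per source /64 instead of per address. The Python below is an added example, not part of the original post: it parses constructed sshd-style log lines (not from a real host), strips link-local zone IDs such as `%eth0`, ignores IPv4 sources, and aggregates failures per prefix. The log lines and the threshold in `flag_prefixes()` are this example's assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sshd-style lines. Lines 2-4 come from one client whose privacy address
# rotated between sessions; per-address counting would show three unrelated sources.
SAMPLE_LOG = [
    "2025-11-17T10:01:02Z sshd[1201]: Accepted publickey for ops from 2001:db8:1000:2:5c1e:9a4b:7fd3:2e0a port 51234 ssh2",
    "2025-11-17T10:15:40Z sshd[1339]: Failed password for root from 2001:db8:1000:2:a9f1:3c0d:88e2:1b77 port 50122 ssh2",
    "2025-11-17T10:15:41Z sshd[1339]: Failed password for root from 2001:db8:1000:2:a9f1:3c0d:88e2:1b77 port 50123 ssh2",
    "2025-11-17T11:02:09Z sshd[1502]: Failed password for admin from 2001:db8:1000:2:6e10:44ab:cc01:9f3d port 49870 ssh2",
    "2025-11-17T11:20:00Z sshd[1610]: Failed password for root from fe80::1c2b:3c4d:5e6f:7a8b%eth0 port 52000 ssh2",
    "2025-11-17T11:25:13Z sshd[1622]: Accepted publickey for ops from 192.0.2.10 port 40212 ssh2",
]

FROM_RE = re.compile(r" from (\S+) port \d+")


def source_address(line: str):
    """Client address from an sshd line; strips a zone id (%eth0); None for IPv4 or no match."""
    m = FROM_RE.search(line)
    if not m:
        return None
    token = m.group(1).split("%")[0]
    try:
        return ipaddress.IPv6Address(token)
    except ipaddress.AddressValueError:
        return None


def failed_logins_by_prefix(lines, prefixlen: int = 64) -> dict:
    """Count failed logins per source prefix (default /64) and remember the addresses seen."""
    per_prefix = defaultdict(lambda: {"failures": 0, "addresses": set()})
    for line in lines:
        if "Failed password" not in line:
            continue
        addr = source_address(line)
        if addr is None:
            continue
        prefix = ipaddress.IPv6Network((int(addr), prefixlen), strict=False)   # masks the host bits
        bucket = per_prefix[str(prefix)]
        bucket["failures"] += 1
        bucket["addresses"].add(str(addr))
    return dict(per_prefix)


def flag_prefixes(result: dict, threshold: int = 3) -> list:
    """Prefixes at or above the failure threshold (assumed value), sorted for stable output."""
    return sorted(p for p, b in result.items() if b["failures"] >= threshold)


if __name__ == "__main__":
    result = failed_logins_by_prefix(SAMPLE_LOG)
    for prefix, bucket in sorted(result.items()):
        print(f"{prefix:<24} failures={bucket['failures']} distinct addresses={len(bucket['addresses'])}")
    print("flagged:", flag_prefixes(result))
```

Aggregating at /64 is the right granularity on your own networks, where a /64 is one subnet; on the internet a /64 may still be one residential customer, while a /48 or /56 is closer to one site, so the prefix length is a parameter rather than a constant.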

15. Future Projections

    • Segment Routing over IPv6 (SRv6)
    • IPv6-only data centers
    • QUIC + HTTP/3 accelerating IPv6 adoption
    • IoT native IPv6 networks


Project: Hands-On

  • How twtech uses IPv6 in its environment to address the exhaustion of available IPv4 addresses and provide a foundation for the continued growth of the internet.

Search for AWS service: VPC

Step-1:

twtech selects the VPC to configure for IPv6: twtechVPC

  • Add the twtechVPC IPv6 CIDR range: right-click on the VPC (twtechVPC) to Edit CIDR

  • Add a new IPv6 CIDR range

  • IPv6 CIDR block generated by: Amazon-provided IPv6 CIDR block

Step-2:

twtech selects the Public Subnet: go to Actions and Edit the IPv6 CIDRs

Assign to the Public Subnet: Add IPv6 CIDR


Step-3:

twtech edits the Public Subnet settings to enable auto-assign IPv6 address

From: unchecked

To: checked

Save changes:

Step-5:

  • twtech goes to the EC2 console, selects the instance, and right-clicks on it: Networking / Manage IP addresses

Click on the icon to expand the tab:

Assign new IP address: IPv6 addresses

From:

To: assign a new IPv6 address (it will be auto-assigned)

Save and confirm changes:

Step-6:

  • twtech verifies that the configured instance (twtechBastionHostinstance) now has an IPv6 address attached

Step-7: 

  • twtech edits the security group (inbound rule) of the configured instance to add the CIDR range for the IPv6 address created.

From:

Edit inbound rules to add: SSH from Anywhere-IPv6

Save changes:

Step-8:

  • How to SSH into the configured instance using the IPv6 address attached to the instance (twtechBastionHostinstance)

First:

  • twtech needs to test whether its internet connection has an IPv6 address; otherwise it may need an internet upgrade to include IPv6
  • To verify whether the internet connection has IPv6 access, google search for: do I have ipv6


Step-9: 

  • twtech needs to verify that a route has been added to the Public route table with the IPv6 CIDR; it should end with /56

Key takeaway:

  • Connecting (SSH) to the instance via IPv6 is local (access remains within the VPC); it is not accessible from the public internet.
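
The route table (Step 9) and the security group (Step 7) together decide whether the bastion's IPv6 address is reachable from outside the VPC, so they are worth checking from CLI output rather than by eye in the console. The Python below is an added example, not part of the twtech procedure: it reads JSON shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`, extracts the VPC's IPv6 block (the `local` IPv6 route, a /56 for an Amazon-provided block), reports where the `::/0` route points, and flags inbound rules that open SSH to `::/0`. The JSON, the resource IDs and the 2001:db8: prefix are constructed placeholders, not values from the twtech account.

```python
import ipaddress

# Constructed samples shaped like the AWS CLI JSON output. IDs and prefixes are placeholders.
ROUTE_TABLES = {"RouteTables": [{"RouteTableId": "rtb-PLACEHOLDER", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationIpv6CidrBlock": "2001:db8:abcd:100::/56", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER", "State": "active"},
    {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-PLACEHOLDER", "State": "active"},
]}]}

SECURITY_GROUPS = {"SecurityGroups": [{"GroupId": "sg-PLACEHOLDER", "GroupName": "bastion-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}],          # v4 locked to one admin address
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},                 # v6 "Anywhere-IPv6", as in Step 7
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "2001:db8:abcd:100::/56"}]},
    ]}]}


def vpc_ipv6_cidr(route_tables: dict):
    """The VPC's IPv6 block is the 'local' IPv6 route (Step 9: an Amazon-provided block is a /56)."""
    for rt in route_tables["RouteTables"]:
        for route in rt["Routes"]:
            if route.get("GatewayId") == "local" and "DestinationIpv6CidrBlock" in route:
                return ipaddress.IPv6Network(route["DestinationIpv6CidrBlock"])
    return None


def ipv6_default_route_target(route_tables: dict):
    """Gateway the active ::/0 route points at, or None. An 'igw-' target makes inbound
    traffic from the internet routable; an 'eigw-' (egress-only internet gateway) does not."""
    for rt in route_tables["RouteTables"]:
        for route in rt["Routes"]:
            if route.get("DestinationIpv6CidrBlock") == "::/0" and route.get("State") == "active":
                return route.get("GatewayId")
    return None


def audit_security_group(security_groups: dict, sensitive_ports=(22, 3389)) -> list:
    """Inbound rules that open a sensitive port to the whole internet over IPv4 or IPv6."""
    findings = []
    for sg in security_groups["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)   # absent for IpProtocol "-1"
            exposed = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
            exposed += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == "::/0"]
            for port in sensitive_ports:
                if exposed and low <= port <= high:
                    findings.append((sg["GroupId"], port, perm["IpProtocol"], exposed))
    return findings


def reachable_from_internet_v6(route_tables: dict, security_groups: dict, port: int = 22) -> bool:
    """True when both conditions for public IPv6 reachability on `port` hold: the subnet's
    route table sends ::/0 to an internet gateway and the security group admits ::/0."""
    gateway = ipv6_default_route_target(route_tables) or ""
    sg_open = any(p == port for _, p, _, _ in audit_security_group(security_groups, (port,)))
    return gateway.startswith("igw-") and sg_open


if __name__ == "__main__":
    print("VPC IPv6 block:", vpc_ipv6_cidr(ROUTE_TABLES))
    print("::/0 via:", ipv6_default_route_target(ROUTE_TABLES))
    for finding in audit_security_group(SECURITY_GROUPS):
        print("open to internet:", finding)
    print("SSH reachable over public IPv6:", reachable_from_internet_v6(ROUTE_TABLES, SECURITY_GROUPS))
```

To run it against a real account, replace the two constants with `json.load()` of the corresponding `aws ec2 describe-...` output. Restricting the IPv6 inbound rule to the admin's own /64 (or the VPC /56, as the 443 rule does) rather than `::/0` is the change the audit points at.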


