AWS IPv6 Routing | Overview.

AWS IPv6 Routing - Overview.

Focus:

•  Tailored for AWS practitioners & network engineers.

Scope:

•       Intro,
•      IPv6 Address Architecture and Routing Implications,
•       IPv6 Routing Fundamentals,
•       Neighbor Discovery (ND) & Routing Interactions,
•       Routing Protocols in IPv6,
•       Multi-Prefix Routing (Common in Cloud Networks),
•       IPv6-Only Networks & Translation Routing
•       Traffic Engineering in IPv6 Networks,
•       Security and Firewalling Considerations,
•       Cloud-Specific IPv6 Routing (AWS-focused),
•       Common Operational Issues.

Intro:

• IPv6 routing is a little complex because of:
• The protocol stack, 
• forwarding behavior, 
• security model, 
• ICMP requirements, 
• multi-prefix logic all differ in fundamental ways.

1. IPv6 Address Architecture and Routing Implications

• Unlike IPv4, IPv6 addresses are structured for hierarchical aggregation:

1.1 Global Unicast Address (GUA) Format

| Global Routing Prefix | Subnet ID | Interface ID |

       /48 (common)         /16           /64

Implications

•  /64 is mandatory at L3 boundaries for SLAAC, ND scaling, and correct host behavior.
•  Routers do not rewrite Interface IDs; subnets are truly flat.
•  Summarization in IPv6 is far easier because providers allocate in large aligned blocks.

1.2 Link-Local Addresses

• Required on every interface (fe80::/10)
• Used for:
•    Routing adjacency formation (OSPFv3, BGP, EIGRPv6, IS-IS IPv6)
•    ND (Neighbor Discovery)
•    RA (Router Advertisements)
• Routers rarely route link-local addresses, but they depend on them heavily.

2. IPv6 Routing Fundamentals

2.1 Longest Prefix Match (LPM)

• Same as IPv4, but with far more prefixes, especially /64s.

Routing table example:

2001:db8:10::/48      → core-1

2001:db8:10:20::/64   → edge-3

2001:db8:10:20::10/128→ firewall

::/0                  → upstream

2.2 No NAT (Ideally)

• End-to-end connectivity is restored.
• But in cloud environments, Egress-Only Internet Gateways provide IPv6 outbound-only behavior.

2.3 Hop-by-Hop Headers

• Routers may (and often do) drop or ignore these.
• Avoid using them in production unless absolutely required.

3. Neighbor Discovery (ND) & Routing Interactions

IPv6 does not have ARP.

3.1 ND Components

• NS/NA → Neighbor Solicitation/Advertisement (ARP equivalent)
• RS/RA → Router Solicitation/Advertisement (DHCPv6-lite replacement)
• Redirects → Similar to ICMP redirect in IPv4

3.2 Scaling Challenges

• ND is chatty compared to ARP:
• Uses multicast significantly.
• Large /64 subnets multiply multicast traffic.
• Mitigation: RA-Guard, ND inspection, Optimized ND extensions, and EVPN suppressive features.

3.3 Why IPv6 Routing Breaks Without ICMPv6

Routers need ICMPv6 for:

• Path MTU Discovery
• ND
• SLAAC
• RAs
• Blocking ICMPv6 = breaking IPv6.

4. Routing Protocols in IPv6

4.1 OSPFv3

• Uses link-local addresses for peers.
• Supports multiple address families.
• Authentication moved to IPsec, unlike OSPFv2.

4.2 BGP

• Multiprotocol extensions carry IPv6 routes.
• Sessions can form via:
•    Link-local (requires update-source and neighbor interface)
•    GUA addresses

4.3 IS-IS for IPv6

• Carries IPv6 routes as TLVs.
• Very scalable for large DC fabrics.

5. Multi-Prefix Routing (Common in Cloud Networks)

• Servers may carry multiple IPv6 prefixes:
• GUA
• ULA
• Link-local
• Privacy addresses
• Temporary addresses

5.1 Source Address Selection (SAS)

• Defined by RFC 6724:
• The host, not the router, chooses source address.
• Source address selection must match the expected outgoing prefix.
• Incorrect SAS → asymmetric routing, firewalls dropping traffic.

5.2 Policy Routing

•  Required when multiple prefixes exist.
•  Linux uses rp_filter = 0 and multiple tables with IP rules.

6. IPv6-Only Networks & Translation Routing

6.1 NAT64 Routing Logic

When a v6-only host sends traffic to an IPv4-only host:

1.      DNS64 synthesizes an AAAA record.
2.      Traffic routes to the NAT64 prefix (e.g., 64:ff9b::/96).
3.      Router forwards to NAT64 gateway.
4.      NAT64 performs stateful translation.

Routing note:

• twtech routing table must treat the NAT64 prefix as a next hop to the translator.

6.2 464XLAT

•  Widely used on mobile networks.
•   CPE uses CLAT to generate IPv4 flows inside IPv6-only core.

7. Traffic Engineering in IPv6 Networks

7.1 Prefix-Based Steering

• Because there’s no NAT, TE often relies on:
• Assigning different prefixes per upstream link.
• BGP communities for routing policies.

7.2 ECMP Expansion

IPv6 allows:

• Larger ECMP tables
• Better hashing entropy from 128-bit addresses

7.3 Segment Routing (SRv6)

• Encodes path info in IPv6 header.
• Makes MPLS optional.
• Core innovation for 5G, hyperscalers.

8. Security and Firewalling Considerations

• IPv6 removes NAT, so firewalling becomes first-class.

Important considerations:

• IPv6 scanners are ineffective due to huge address space.
• But misconfigured RA/ND can be exploited.
• RA-Guard and DHCPv6-Shield are mandatory.
• ICMPv6 must remain open for correct functionality.

9. Cloud-Specific IPv6 Routing (AWS-focused)

9.1 AWS VPC Logic

• Subnets get /64s.
• VPCs receive /56, /52, or /48.
• No intra-VPC ND; AWS implements a distributed router.

9.2 Egress-Only Internet Gateway

• Outbound-only, no inbound.
• Routing interaction identical to IPv4’s IGW, minus NAT.

9.3 TGW & DX IPv6 Routing

• TGW requires static prefixes or propagated routes.
•  DX supports IPv6 BGP sessions; routing identical to IPv4 BGP.
•  No NAT for IPv6; must expose GUAs end-to-end.

10. Common Operational Issues

Issue	Cause	Fix
IPv6 works internally but not external	ICMPv6 blocked	Allow all essential ICMPv6 types
Asymmetric routing	Wrong source prefix selection	RFC6724 tuning, policy routing
ND cache exhaustion	Too many hosts in /64	ND throttling, EVPN, ND inspection
Breaks with firewalls	Stateful firewalls mishandle extension headers	Disable HBH, simplify headers
PMTU blackholes	ICMPv6-type 2 blocked	Open ICMPv6 fragmentation needed