Monday, November 17, 2025

IPv6 Routing | Overview.

An Overview of IPv6 routing.

Scope:

Tailored for AWS practitioners and network engineers.
Designed for those who already know the basics and want the why and how behind IPv6 behavior in real networks.

Breakdown:

IPv6 Address Architecture and Routing Implications,
IPv6 Routing Fundamentals,
Neighbor Discovery (ND) & Routing Interactions,
Routing Protocols in IPv6,
Multi-Prefix Routing (Common in Cloud Networks),
IPv6-Only Networks & Translation Routing
Traffic Engineering in IPv6 Networks,
Security and Firewalling Considerations,
Cloud-Specific IPv6 Routing (AWS-focused),
Common Operational Issues.

Intro:

IPv6 routing is a little complex because of the protocol stack, forwarding behavior, security model, ICMP requirements, and multi-prefix logic all differ in fundamental ways
This overview covers the IPv6 routing architecture, packet forwarding, neighbor discovery, multi-prefix routing, and real-world complications in dual-stack and IPv6-only environments.

1. IPv6 Address Architecture and Routing Implications

Unlike IPv4, IPv6 addresses are structured for hierarchical aggregation:

1.1 Global Unicast Address (GUA) Format

| Global Routing Prefix | Subnet ID | Interface ID |

       /48 (common)         /16           /64

Implications

/64 is mandatory at L3 boundaries for SLAAC, ND scaling, and correct host behavior.
Routers do not rewrite Interface IDs; subnets are truly flat.
Summarization in IPv6 is far easier because providers allocate in large aligned blocks.

1.2 Link-Local Addresses

Required on every interface (fe80::/10)
Used for:

Routing adjacency formation (OSPFv3, BGP, EIGRPv6, IS-IS IPv6)
ND (Neighbor Discovery)
RA (Router Advertisements)

Routers rarely route link-local addresses, but they depend on them heavily.

2. IPv6 Routing Fundamentals

2.1 Longest Prefix Match (LPM)

Same as IPv4, but with far more prefixes, especially /64s.

Routing table example:

2001:db8:10::/48      → core-1

2001:db8:10:20::/64   → edge-3

2001:db8:10:20::10/128→ firewall

::/0                  → upstream

2.2 No NAT (Ideally)

End-to-end connectivity is restored.
But in cloud environments, Egress-Only Internet Gateways provide IPv6 outbound-only behavior.

2.3 Hop-by-Hop Headers

Routers may (and often do) drop or ignore these.

Avoid using them in production unless absolutely required.

3. Neighbor Discovery (ND) & Routing Interactions

IPv6 does not have ARP.

3.1 ND Components

NS/NA → Neighbor Solicitation/Advertisement (ARP equivalent)
RS/RA → Router Solicitation/Advertisement (DHCPv6-lite replacement)
Redirects → Similar to ICMP redirect in IPv4

3.2 Scaling Challenges

ND is chatty compared to ARP:

Uses multicast significantly.
Large /64 subnets multiply multicast traffic.
Mitigation: RA-Guard, ND inspection, Optimized ND extensions, and EVPN suppressive features.

3.3 Why IPv6 Routing Breaks Without ICMPv6

Routers need ICMPv6 for:

Path MTU Discovery
ND
SLAAC
RAs

Blocking ICMPv6 = breaking IPv6.

4. Routing Protocols in IPv6

4.1 OSPFv3

Uses link-local addresses for peers.
Supports multiple address families.
Authentication moved to IPsec, unlike OSPFv2.

4.2 BGP

Multiprotocol extensions carry IPv6 routes.
Sessions can form via:

Link-local (requires update-source and neighbor interface)
GUA addresses

4.3 IS-IS for IPv6

Carries IPv6 routes as TLVs.
Very scalable for large DC fabrics.

5. Multi-Prefix Routing (Common in Cloud Networks)

Servers may carry multiple IPv6 prefixes:

GUA
ULA
Link-local
Privacy addresses
Temporary addresses

5.1 Source Address Selection (SAS)

Defined by RFC 6724:

The host, not the router, chooses source address.
Source address selection must match the expected outgoing prefix.
Incorrect SAS → asymmetric routing, firewalls dropping traffic.

5.2 Policy Routing

Required when multiple prefixes exist.
Linux uses rp_filter = 0 and multiple tables with IP rules.

6. IPv6-Only Networks & Translation Routing

6.1 NAT64 Routing Logic

When a v6-only host sends traffic to an IPv4-only host:

DNS64 synthesizes an AAAA record.
Traffic routes to the NAT64 prefix (e.g., 64:ff9b::/96).
Router forwards to NAT64 gateway.
NAT64 performs stateful translation.

Routing note:
twtech routing table must treat the NAT64 prefix as a next hop to the translator.

6.2 464XLAT

Widely used on mobile networks.
CPE uses CLAT to generate IPv4 flows inside IPv6-only core.

7. Traffic Engineering in IPv6 Networks

7.1 Prefix-Based Steering

Because there’s no NAT, TE often relies on:

Assigning different prefixes per upstream link.
BGP communities for routing policies.

7.2 ECMP Expansion

IPv6 allows:

Larger ECMP tables
Better hashing entropy from 128-bit addresses

7.3 Segment Routing (SRv6)

Encodes path info in IPv6 header.
Makes MPLS optional.
Core innovation for 5G, hyperscalers.

8. Security and Firewalling Considerations

IPv6 removes NAT, so firewalling becomes first-class.

Important considerations:

IPv6 scanners are ineffective due to huge address space.
But misconfigured RA/ND can be exploited.
RA-Guard and DHCPv6-Shield are mandatory.
ICMPv6 must remain open for correct functionality.

9. Cloud-Specific IPv6 Routing (AWS-focused)

9.1 AWS VPC Logic

Subnets get /64s.
VPCs receive /56, /52, or /48.
No intra-VPC ND; AWS implements a distributed router.

9.2 Egress-Only Internet Gateway

Outbound-only, no inbound.
Routing interaction identical to IPv4’s IGW, minus NAT.

9.3 TGW & DX IPv6 Routing

TGW requires static prefixes or propagated routes.
DX supports IPv6 BGP sessions; routing identical to IPv4 BGP.
No NAT for IPv6; must expose GUAs end-to-end.

10. Common Operational Issues

Issue	Cause	Fix
IPv6 works internally but not external	ICMPv6 blocked	Allow all essential ICMPv6 types
Asymmetric routing	Wrong source prefix selection	RFC6724 tuning, policy routing
ND cache exhaustion	Too many hosts in /64	ND throttling, EVPN, ND inspection
Breaks with firewalls	Stateful firewalls mishandle extension headers	Disable HBH, simplify headers
PMTU blackholes	ICMPv6-type 2 blocked	Open ICMPv6 fragmentation needed