IPv6 at home: A Primer
IPv6 implementations are something clients have been asking for help with more frequently lately, and while I have had enough training in IPv6 to be able to guide clients from a strategy perspective, building up the muscle memory for it to be second nature like IPv4 is something that only comes with hands-on use. Believe it or not, I hadn't had an ISP that supports IPv6 until I switched to Comcast cable a couple of years ago, which really cut back on opportunities to play with it. I could have set up a free 6over4 tunnel to he.net if I were truly motivated; I just didn't have servers lying around to do it (until now, anyway). This project is giving me a chance to really get under the hood and build that muscle memory.
The average person still doesn't know what IPv6 is, and if they don't have a particular interest in understanding how the plumbing of the Internet works, why would they?
As I mentioned in my previous post, even the nice account manager I spoke to at Comcast had no idea what IPv6 was. While there may not be an excuse for an Internet services sales rep not to know what it is, I can understand it for the rest of you. A lot has been written about what IPv6 is and why you should turn it on, so I'll drop this link by NetworkWorld for you to get up to speed. What we're going to cover in this post is the process of how to enable it, use it and start to get comfortable with the addressing scheme.
Comcast consumer broadband comes IPv6 ready, but in order to use it you will need both a cable modem and a WiFi router that support IPv6. In my case, I own my own cable modem, a Netgear CM1000, but if you lease yours you will need to verify support and possibly request an upgrade.
Almost any WiFi router or WiFi mesh system that has been released in the last 5 years will have IPv6 capability, but it may not be turned on. I've got a Google WiFi mesh solution that I deployed last year, which replaced a fairly old Linksys router that I had purchased some 10 or more years ago (which I paid a premium for to get the top model that had IPv6 support, I might add).
The Netgear is IPv6 ready and enabled out of the box, but IPv6 is disabled on the Google WiFi router by default. To enable it, go to the tab on the upper right with 4 dots, click on the Network & General button under Settings, then select the Advanced Networking button and finally the IPv6 settings.
Click the slider button to enable IPv6. That's all you need to do to start getting IPv6 addresses on your machines, which are most likely ready and waiting for IPv6 addresses.
Now for the fun part. Pour yourself a scotch, put your feet up and take a moment to feel proud. You have just helped move the Internet forward!
If you're feeling really, really good about yourself, or a scotch just sounds really good right about now, you can stop reading, but if you want to look under the hood a bit, read on!
So what do we actually get from Comcast? On the IPv4 side, we are getting only a single, public IPv4 address (format x.x.x.x), but with v6, which has approximately a bajillion times more addresses than v4, do we get more?
Comcast explained a fair amount about how IPv6 addresses are delegated on their business service in this blog post of theirs. That isn't what we have (we have the consumer service), but we can draw some conclusions about what is happening behind the scenes and do some detective work based on what our tools are telling us.
Starting with this tech note at Google, our router makes a DHCPv6 request and gets an IPv6 address for its external WAN interface. So far, this part is exactly like IPv4. Then it does something new, something not possible on a consumer-grade broadband service with IPv4, which is to ask for a routable IPv6 prefix for the internal LAN network. It does this by making one (or more) DHCP-PD (DHCP Prefix Delegation) requests of Comcast. Comcast then relays those prefix delegations back through the cable modem and the router installs a route for them. In the business service, a /56 is allocated to the cable subscriber and the cable modem then assigns the lowest /64 in the block to the router (and more, if requested).
If that's what a business customer gets, what are we getting? Sadly, the Google WiFi router does not tell us what it was assigned, so there's no way to know by looking at the Google WiFi App. So, let's put on our detective hat and take a look at some of the 21 addresses currently assigned on my network. You can see the addresses assigned to each device on your LAN by clicking on the Devices button in your central screen, which yields the screen just below and to the right.
There are quite a few addresses assigned to my Macbook Pro. First off, notice that there is only one IPv4 address assigned, which is the norm for IPv4. It's not that you can't assign more than one IPv4 address to a device, you can (and it's not all that uncommon on servers), but it's not common for the standard end-user machine.
The creators of IPv6 acknowledged that address scarcity wasn't a thing anymore, and designed end-points to take advantage of that, so your machine may potentially make dozens of SLAAC requests for IPv6 addresses. It's like your router asks if you want an IPv6 address, and your computer says "yes please, I'll have 10! No, make that 20!" Okay, bad analogy, because the routers don't give out IP addresses, they just advertise that they are a router, tell you a subnet and your machine makes up its own damn IP addresses.
I think I'll save the explanation for all of the various methods used for a client machine to create its own IPv6 address for a future post as it has evolved quite a bit over the years and your machines may be making use of several different approaches at the same time, so for this article I'll simplify it down. The addresses that start with fe80 are non-routable, local-only addresses. Think of them like RFC1918 addresses, like 10.x.x.x or 192.168.x.x, that your machines auto-configure (even if you have no IPv6 path to the Internet). They are stable addresses, meaning you can use them on your internal network, put them into DNS, whatever you want. They are unique and permanent once created.
The other addresses that start with 2601 are publicly routed IPv6 addresses. These are also self-created, but with the guidance provided by our gateway, the WiFi router. The WiFi router gives us the network and subnet (the first 64 bits / first half of the v6 address) and our device creates the host identifier portion of the address (the last 64 bits / last half of the v6 address).
The IPv6 equivalent of an 'arp -a' is an 'ndp -a', and adding an n on the end ('ndp -an') tells the command not to try to reverse resolve the IP address to a name. This gives us a fair amount of information about which IPv6 addresses are on our local LAN all in one place, so let's have a look at what my Macbook sees on the local network.
masteredmix:~ davidsiegel$ ndp -an
Neighbor                                Linklayer Address  Netif
2601:281:8300:ae:1cf6:8c15:8d0:cabd     8c:85:90:16:be:d6  en0
2601:281:8300:ae:68e4:3dc4:aaf3:d952    8c:85:90:16:be:d6  en0
2601:281:8300:ae:8c74:9c0a:9eb6:318e    4c:cc:6a:4b:ab:f4  en0
2601:281:8300:ae:94db:c3ff:feab:8cfc    7c:2e:bd:8c:e7:ff  en0
2601:281:8300:ae:de4a:3eff:fe1d:1003    dc:4a:3e:1d:10:3   en0
fe80::1%lo0                             (incomplete)       lo0
fe80::aede:48ff:fe00:1122%en5           ac:de:48:0:11:22   en5
fe80::aede:48ff:fe33:4455%en5           ac:de:48:33:44:55  en5
fe80::4d9:e488:b12b:e585%en0            88:ae:7:2a:d7:1c   en0
fe80::cfb:81e9:29c7:4d33%en0            8c:85:90:16:be:d6  en0
fe80::1411:f04a:a908:b82c%en0           40:83:1d:99:49:1b  en0
fe80::181a:3e06:b340:69d2%en0           e0:33:8e:8b:80:d0  en0
fe80::18ee:4a28:2b22:ae5b%en0           9c:f3:87:ae:7b:8e  en0
fe80::94db:c3ff:feab:8cfc%en0           7c:2e:bd:8c:e7:ff  en0
fe80::a698:12b:e165:e237%en0            4c:cc:6a:4b:ab:f4  en0
fe80::de4a:3eff:fe1d:1003%en0           dc:4a:3e:1d:10:3   en0
fe80::405a:4aff:feb3:7235%awdl0         42:5a:4a:b3:72:35  awdl0
fe80::405a:4aff:feb3:7235%llw0          42:5a:4a:b3:72:35  llw0
I have also been tracking the addresses that my first round of servers have been configuring and watching them over time to make sure they are stable and have the following list.
2601:281:8300:ae:8c74:9c0a:9eb6:318e
2601:281:8300:ae:de52:cbf4:a1fd:46cb
2601:281:8300:ae:5054:ff:fea2:ae4e
2601:281:8300:ae:d90b:f14a:cafa:60e9
2601:281:8300:ae:1cf6:8c15:8d0:cabd
As confusing as those look, we can see that the common portion of the address space is 2601:281:8300:ae:x:x:x:x. Let's file this for later use.
The next thing we're going to do, because we don't have the prefix lengths memorized for IPv6 like we do for IPv4, is use a handy tool created by Neustar called Ultratools to play with some prefix lengths and understand the implied ranges. Click the IPv6 CIDR to range option along the left, enter your IPv6 address and tack on a /48 to the end of it. We get the following:
Start Range: 2601:281:8300:0:0:0:0:0
End Range: 2601:281:8300:ffff:ffff:ffff:ffff:ffff
No. of host: 1,208,925,819,614,629,174,706,176
This is the kind of block that we would get assigned if we signed up for HE.net's free IPv6 tunnel broker service, but it's obviously far bigger than what Comcast business subscribers get. Let's look at the business customer allocation next, a /56.
Start Range: 2601:281:8300:0:0:0:0:0
End Range: 2601:281:8300:ff:ffff:ffff:ffff:ffff
No. of host: 4,722,366,482,869,645,213,696
Did you catch the difference? The 5th hextet in our second example is ff, whereas it's ffff in the first example. These might look the same, but they aren't. There are implied leading zeros in the second example, the /56, so the difference is ffff vs. 00ff.
Referring back to our addresses, we're ending up with 2601:281:8300:ae, and if our cable modem were assigning the lowest address in a /56, our address would probably look more like 2601:281:8200::5054:ff:fea2:ae4e, not 2601:281:8300:ae:5054:ff:fea2:ae4e. Finally, let's look at /64 length.
Start Range: 2601:281:8300:ae:0:0:0:0
End Range: 2601:281:8300:ae:ffff:ffff:ffff:ffff
No. of host: 18,446,744,073,709,551,616
So there we go, this is the smallest IPv6 subnet that can be assigned (18 million billion addresses, or 18 quintillion addresses). Is it possible to get more /64 subnets? Why would you want more subnets, you ask? Well, maybe I want to put a few discrete IP segments into my home network, which, in fact, I do. If you read my previous blog post about my end-state logical network design, I want to have 3 different segments, one for end-user machines, one DMZ for my DNS and web server, and a 2nd DMZ to put some honeypots (systems designed to be insecure to attract hackers). It looks like it is possible to request a /60 based on this reddit thread, but the Google WiFi router isn't configurable in this way. I'll need to put that dedicated network appliance in before I can get to that level of functionality.
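The same detective work can be done locally instead of with a web tool. This added example (not part of the original post; the function names are illustrative) takes the addresses listed above, finds how many leading bits they share, prints the /48, /56, /60 and /64 that contain them, and computes which /64 inside the /56 and /60 the LAN is using.

```python
import ipaddress

# Addresses the post lists as observed on the LAN.
OBSERVED = [
    "2601:281:8300:ae:8c74:9c0a:9eb6:318e",
    "2601:281:8300:ae:de52:cbf4:a1fd:46cb",
    "2601:281:8300:ae:5054:ff:fea2:ae4e",
    "2601:281:8300:ae:d90b:f14a:cafa:60e9",
    "2601:281:8300:ae:1cf6:8c15:8d0:cabd",
]

def common_prefix_len(addrs):
    """Number of leading bits shared by every address in addrs."""
    ints = [int(ipaddress.IPv6Address(a)) for a in addrs]
    diff = 0
    for value in ints[1:]:
        diff |= ints[0] ^ value      # set each bit where any address differs
    return 128 - diff.bit_length()

def enclosing(addr, prefixlen):
    """The network of the given prefix length that contains addr."""
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)

def subnet_index(addr, parent_len, child_len=64):
    """Position of addr's /child_len inside its /parent_len (0 = lowest)."""
    child = int(enclosing(addr, child_len).network_address)
    parent = int(enclosing(addr, parent_len).network_address)
    return (child - parent) >> (128 - child_len)

def report(addr, lengths=(48, 56, 60, 64)):
    """(network, last address, address count) for each prefix length."""
    rows = []
    for plen in lengths:
        net = enclosing(addr, plen)
        rows.append((str(net), str(net[-1]), net.num_addresses))
    return rows

if __name__ == "__main__":
    print("shared leading bits:", common_prefix_len(OBSERVED))
    for net, last, count in report(OBSERVED[0]):
        print(f"{net:24} ends {last}  ({count:,} addresses)")
    for parent in (56, 60):
        print(f"/64 index within the /{parent}:", subnet_index(OBSERVED[0], parent))
```

The observed addresses share exactly 64 bits, and the LAN's /64 sits at index 174 (0xae) of its /56, which is not the lowest /64 in that block.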
On a side note, that Reddit thread, and another thread I found, seem to contradict this blog post from Comcast that suggests that the nature of Comcast's prefix delegations is all the fault of the cable modem. Clearly we can get a larger prefix if our gear just makes the right request. So let's figure out some more about our network.
I'm curious what IP addresses are assigned to the WiFi router itself, and since the Google WiFi app is also devoid of this information (WAN IP address info shows IPv4 info only) we'll have to figure this out with traceroute.
The inside of the network is easy. We just pop up a terminal window on our Macbook (or a shell on Windows) and run a traceroute6 command (tracert on Windows) to somewhere like www.google.com and get
traceroute to www.google.com (2607:f8b0:400f:800::2004), 30 hops max, 80 byte packets
 1  2601:281:8300:ae:94db:c3ff:feab:8cfd (2601:281:8300:ae:94db:c3ff:feab:8cfd)  0.839 ms  1.428 ms  0.793 ms
Okay, so yet another address out of our assigned /64, 2601:281:8300:ae::0 block.
I am also curious what is assigned to the outside of the WiFi router, so to find that out, we are going back to Ultratools and using their traceroute-v6 tool. You can put in any of the publicly routable addresses that were assigned as a destination, but since I've done a little extra work (that I'll cover in a future post) I'll put in dns.siegelgrouplabs.net as the destination, and the last two hops are:
Hop number: 20
Connected to: 2001:558:6040:51:e1fb:99fb:28b1:5fb9 ( 2001:558:6040:51:e1fb:99fb:28b1:5fb9 )
Roundtrip times: 53.378 ms 52.266 ms 52.246 ms
Hop number: 21
Connected to: 2601:281:8300:ae:5054:ff:fea2:ae4e ( 2601:281:8300:ae:5054:ff:fea2:ae4e )
Roundtrip times: 56.97 ms 56.974 ms 50.146 ms
Interesting! While it was expected that we would get something not in our assigned /64 (because it's necessary for the routing to work), this block is out of a completely different /16 (2001/16 vs. 2601/16). Comcast has one provider block for their backbone and a completely different one that they use for customer delegations. I bet they probably have a lot more provider blocks as well. Maybe they received a separate delegation for each regional division? This would make sense, as they also run separate ASNs for each one of those regional divisions.
Okay, so we've enabled IPv6 on our WiFi router and all of our machines have their own unique, public IP addresses on the Internet. I used to have some inherent level of protection before I enabled IPv6 because I had NAT and I had to explicitly create a port-map rule to allow traffic from the outside Internet into my LAN. Aren't my devices exposed directly to hackers now? I actually heard a similar argument from a client last week about how IPv6 would expose their network to security issues, and while there is a kernel of truth to it, there is little reason for concern in my opinion, as we'll see here in a minute.
In typical engineer fashion, I'll answer the question with "it depends": it depends on your WiFi router.
In the case of our Google WiFi router, there is a built-in IPv6 firewall that blocks inbound connections. If you go into your advanced network settings, under Port Management the sub-heading says "Manager Port Opening and Forwarding Rules." It is here that we can do both activities, manage IPv4 port mapping as well as allow IPv6 traffic in.
First, set up your IPv4 port-map by getting the IPv4 address of your server and add a port-map (we'll save that as an exercise for the reader).
Then click over to the IPv6 tab. This is the only place in the Google WiFi router that we can get a single pane of glass that shows us all the local devices and their IPv6 addresses.
Just select the device that you want to allow to be accessible through the firewall from the outside, enter the start port and the end port, and you're done. Your starting port and ending port will usually be the same, because unlike IPv4 where we might have to configure many external ports that all map to different internal IPs on the same port, we have unique, public IPs for IPv6 so we can expose multiple web servers, each with a unique public IP, to the outside world on their native http port 80.
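Before opening a port, it helps to know which devices already hold a public address and so depend on the router's IPv6 firewall. This added example (not part of the original post; the function names are illustrative) parses `ndp -an` output in the three-column form shown earlier, groups addresses by link-layer address, and flags hosts whose interface ID is built from their MAC (modified EUI-64), which makes the hardware address visible in the public address.

```python
import ipaddress
from collections import defaultdict

# A few lines copied from the `ndp -an` output shown earlier in the post.
NDP_OUTPUT = """\
Neighbor Linklayer Address Netif
2601:281:8300:ae:1cf6:8c15:8d0:cabd 8c:85:90:16:be:d6 en0
2601:281:8300:ae:68e4:3dc4:aaf3:d952 8c:85:90:16:be:d6 en0
2601:281:8300:ae:de4a:3eff:fe1d:1003 dc:4a:3e:1d:10:3 en0
fe80::1%lo0 (incomplete) lo0
fe80::181a:3e06:b340:69d2%en0 e0:33:8e:8b:80:d0 en0
fe80::de4a:3eff:fe1d:1003%en0 dc:4a:3e:1d:10:3 en0
"""

def norm_mac(mac):
    """ndp drops leading zeros (dc:4a:3e:1d:10:3); pad each octet to two digits."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def eui64_mac(addr):
    """MAC embedded in a modified EUI-64 interface ID, or None if there is none."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]   # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in octets)

def inventory(text):
    """Map MAC -> {'global': [...], 'link_local': [...], 'embeds_mac': bool}."""
    hosts = defaultdict(lambda: {"global": [], "link_local": [], "embeds_mac": False})
    for line in text.splitlines()[1:]:                     # skip the header row
        fields = line.split()
        if len(fields) != 3 or fields[1] == "(incomplete)":
            continue
        addr = ipaddress.IPv6Address(fields[0].split("%")[0])  # drop the %zone
        kind = "link_local" if addr.is_link_local else "global" if addr.is_global else None
        if kind is None:
            continue
        entry = hosts[norm_mac(fields[1])]
        entry[kind].append(str(addr))
        if eui64_mac(str(addr)) == norm_mac(fields[1]):
            entry["embeds_mac"] = True
    return dict(hosts)

if __name__ == "__main__":
    for mac, entry in inventory(NDP_OUTPUT).items():
        print(mac, "public:", entry["global"], "MAC in address:", entry["embeds_mac"])
```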
And that's the end of this primer! Thanks for following along this far. I have some additional articles on this subject where I plan to talk about:
a) Methods for how machines create their own IPv6 addresses
b) How to set up DNS naming for your new, publicly routed addresses
c) How to set up an open source router in a virtual machine on your network and a tunnel to the he.net free tunnel broker
d) IPv6 feature comparison of consumer WiFi routers
e) Replacing a consumer WiFi router with a network appliance and requesting a /60 subnet from my upstream ISP
Please do ask questions in the comments and I will either answer them directly, or if the answer is meaty enough, it'll be the topic of a future article.
Siegel Group is a consulting firm specializing in network transformation. We do all of our consulting work exclusively through Yates Ltd, a network cost optimization and network transformation consulting firm. If your enterprise would like an assist with your IPv6 implementation, Yates has several experts that can help you plan your deployment strategy and project manage your implementation. Please reach out to me directly for more information.