Unicast Addresses
Figure 4-6 diagrams the three types of addresses: unicast, multicast, and anycast. We begin by looking at unicast addresses. Don’t be intimidated by all the different types of unicast addresses. The most significant types are global unicast addresses, which are equivalent to IPv4 public addresses, and link-local addresses. These address types are discussed in detail in Chapters 5 and 6.
)
Figure 4-6 IPv6 Address Types: Unicast Addresses
A unicast address uniquely identifies an interface on an IPv6 device. A packet sent to a unicast address is received by the interface that is assigned to that address. Similar to IPv4, a source IPv6 addresses must be a unicast address.
This section covers the different types of unicast addresses, as illustrated in Figure 4-6. The following is a quick preview of each type of unicast address discussed in this section:
Global unicast: A routable address in the IPv6 Internet, similar to a public IPv4 address (covered in more detail in Chapter 5).
Link-local: Used only to communicate with devices on the same local link (covered in more detail in Chapter 6).
Loopback: An address not assigned to any physical interface that can be used for a host to send an IPv6 packet to itself.
Unspecified address: Used only as a source address and indicates the absence of an IPv6 address.
Unique local: Similar to a private address in IPv4 (RFC 1918) and not intended to be routable in the IPv6 Internet. However, unlike RFC 1918 addresses, these addresses are not intended to be statefully translated to a global unicast address.
IPv4 embedded: An IPv6 address that carries an IPv4 address in the low-order 32 bits of the address.
Global Unicast Address
Global unicast addresses (GUAs), also known as aggregatable global unicast addresses, are globally routable and reachable in the IPv6 Internet. They are equivalent to public IPv4 addresses. They play a significant role in the IPv6 addressing architecture. One of the main motivations for transitioning to IPv6 is the exhaustion of its IPv4 counterpart. As you can see in Figure 4-6, a GUA address is only one of several types of IPv6 unicast addresses.
Figure 4-7 shows the generic structure of a GUA, which has three fields:
Global Routing Prefix: The Global Routing Prefix is the prefix or network portion of the address assigned by the provider, such as an ISP, to the customer site.
Subnet ID: The Subnet ID is a separate field for allocating subnets within the customer site. Unlike with IPv4, it is not necessary to borrow bits from the Interface ID (host portion) to create subnets. The number of bits in the Subnet ID falls between where the Global Routing Prefix ends and where the Interface ID begins. This makes subnetting simple and manageable.
Interface ID: The Interface ID identifies the interface on the subnet, equivalent to the host portion of an IPv4 address. The Interface ID in most cases is 64 bits.
)
Figure 4-7 Structure of a GUA Address
Figure 4-7 illustrates the more general structure, without the specific sizes for any of the three parts. The first 3 bits of a GUA address begin with the binary value 001, which results in the first hexadecimal digit becoming a 2 or a 3. (We look at the structure of the GUA address more closely in Chapter 5.)
There are several ways a device can be configured with a global unicast address:
Manually configured.
Stateless Address Autoconfiguration.
Stateful DHCPv6.
Example 4-1 demonstrates how to view the global unicast address on Windows and Mac OS operating systems, using the ipconfig and ifconfig commands, respectively. The ifconfig command is also used with the Linux operating system and provides similar output.
Example 4-1 Viewing IPv6 Addresses on Windows and Mac OS
Windows-OS> ipconfig
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
! IPv6 GUA
IPv6 Address. . . . . . . . . . . : 2001:db8:cafe:1:d0f8:9ff6:4201:7086
! IPv6 Link-Local
Link-local IPv6 Address . . . . . : fe80::d0f8:9ff6:4201:7086%11
IPv4 Address. . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
! IPv6 Default Gateway
Default Gateway . . . . . . . . . : fe80::1%11
192.168.1.1
-----------------------------------------------------------------------------------
Mac-OS$ ifconfig
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 60:33:4b:15:24:6f
! IPv6 Link-Local
inet6 fe80::6233:4bff:fe15:246f%en1 prefixlen 64 scopeid 0x5
inet 192.168.1.111 netmask 0xffffff00 broadcast 192.168.1.255
! IPv6 GUA
inet6 2001:db8:cafe:1:4bff:fe15:246f prefixlen 64 autoconf
media: autoselect
status: active
This section has provided just a brief introduction to global unicast addresses. Remember that IPv6 introduced a lot of changes to IP. Devices may obtain more than one GUA address for reasons such as privacy. For a network administrator needing to manage and control access within a network, having these additional addresses that are not administered through stateful DHCPv6 may be undesirable. Chapter 11 discusses devices obtaining or creating multiple global unicast addresses and various options to ensure that devices only obtain a GUA address from a stateful DHCPv6 server.
Link-Local Unicast Address
Link-local addresses are another type of unicast address as shown in Figure 4-6. A link-local address is a unicast address that is confined to a single link, a single subnet. Link-local addresses only need to be unique on the link (subnet) and do not need to be unique beyond the link. Therefore, routers do not forward packets with a link-local address. Devices can use Duplicate Address Detection (DAD) to determine whether or not the link-local address is unique.
Figure 4-8 shows the format of a link-local unicast address, which is in the range fe80::/10. Using this prefix and prefix length results in the range of the first hextet being from fe80 to febf.
)
Figure 4-8 Structure of a Link-Local Unicast Address
In Chapter 6 we will examine the structure, uses, and configuration options for link-local addresses in much more detail. For now, here is a summary of some of the key points:
To be an IPv6-enabled device, a device must have an IPv6 link-local address. The device doesn’t have to have an IPv6 global unicast address, but it must have a link-local address.
Link-local addresses are not routable off the link (IPv6 subnet). Routers do not forward packets with a link-local address.
Link-local addresses only have to be unique on the link. It is very likely and sometimes even desirable for a device to use the same link-local address on different interfaces that are on different links.
There can be only one link-local address per interface.
Configuration options for link-local addresses are (see Chapters 6 and 9 for more details):
Devices dynamically (automatically) create their own link-local IPv6 address upon startup. This is the default on most operating systems, including Cisco IOS, Windows, Mac OS, and Linux.
Link-local addresses can be manually configured.
The idea of a device creating its own IP address upon startup is really an amazing benefit in IPv6! Think of it. A device can create its own IPv6 link-local address completely on its own, without any kind of manual configuration or the services of a DHCP server. This means that the device can immediately communicate with any other device on its link (IPv6 subnet). A device may only need a link-local address because it only needs to communicate with other devices on its same network. Or it can use its link-local address to communicate with a device where it can obtain information for getting or creating a global unicast address, such as an IPv6 router or a DHCPv6 server. The device can then use this information to communicate with devices on other networks.
This solves the “Which came first, the chicken or the egg?” problem with IPv4. That is, “How do I ask a DHCP server for an IP address when I first need to have an IP address before I can communicate with the server to ask for one?” (DHCP for IPv4 uses a Discover message with an IPv4 source address of 0.0.0.0.) With IPv6, during startup the device automatically gives itself a link-local address that is unique on that subnet. It can then use this address to communicate with any device on the network, including an IPv6 router and, if necessary, a DHCPv6 server. Remember from Chapter 2 that an IPv6 router sends ICMPv6 Router Advertisement messages that allow the device to obtain a global unicast address, with or without the services of DHCPv6.
Example 4-1 demonstrates how to view the link-local address on Windows and Mac OS operating systems by using the ipconfig and ifconfig commands. These operating systems, as well as Linux, are enabled for IPv6 by default. So, even if the devices did not have a global unicast address, as shown in Example 4-1, you would still see the IPv6 link-local address. And as discussed in Chapter 2, this means client hosts are running IPv6 and, at a minimum, the network should be secured to prevent IPv6 attacks.
The following are some of the ways IPv6 devices use a link-local address:
When a device starts up, before it obtains a GUA address, the device uses its IPv6 link-local address as its source address to communicate with other devices on the network, including the local router.
Devices use the router’s link-local address as their default gateway address.
Routers exchange IPv6 dynamic routing protocol (OSPFv3, EIGRP for IPv6, RIPng) messages from their IPv6 link-local address.
IPv6 routing table entries populated from dynamic routing protocols use the IPv6 link-local address as the next-hop address.
This section has provided just an introduction to the link-local address. We will explore all these topics in more detail in Chapter 6.
Loopback Addresses
A loopback address is another type of unicast address (refer to Figure 4-6). An IPv6 loopback address is ::1, an all-0s address except for the last bit, which is set to 1. It is equivalent to the IPv4 address block 127.0.0.0/8, most commonly the 127.0.0.1 loopback address.
Table 4-6 shows the different formats for representing an IPv6 loopback address.
Table 4-6 IPv6 Loopback Address Representations
| Representation | IPv6 Loopback Address |
| Preferred | 0000:0000:0000:0000:0000:0000:0000:0001 |
| Leading 0s omitted | 0:0:0:0:0:0:0:1 |
| Compressed | ::1 |
The loopback address can be used by a node to send an IPv6 packet to itself, typically when testing the TCP/IP stack. Loopback addresses have the following characteristics:
A loopback address cannot be assigned to a physical interface.
A packet with a loopback address, source address, or destination address should never be sent beyond the device.
A router can never forward a packet with a destination address that is a loopback address.
The device must drop a packet received on an interface if the destination address is a loopback address.
Unspecified Addresses
An unspecified unicast address is an all-0s address (refer to Figure 4-6). An unspecified unicast address is used as a source address to indicate the absence of an address. It cannot be assigned to an interface.
One example where an unspecified address can be used is as a source address in ICMPv6 Duplicate Address Detection (DAD). DAD is a process that a device uses to ensure that its unicast address is unique on the local link (network). DAD is discussed in Chapter 14.
Table 4-7 shows the different formats for representing an IPv6 unspecified address.
Table 4-7 IPv6 Unspecified Address Representations
| Representation | IPv6 Unspecified Address |
| Preferred | 0000:0000:0000:0000:0000:0000:0000:0000 |
| Leading 0s omitted | 0:0:0:0:0:0:0:0 |
| Compressed | :: |
Unspecified addresses have the following characteristics:
An unspecified source address indicates the absence of an address.
An unspecified address cannot be assigned to a physical interface.
An unspecified address cannot be used as a destination address.
A router will never forward a packet that has an unspecified source address.
Unique Local Addresses
Figure 4-6 shows another type of IPv6 unicast address, the unique local address (ULA), which is the counterpart of IPv4 private addresses. Unique local addresses are also known as private IPv6 addresses or local IPv6 addresses (not to be confused with link-local addresses).
ULA addresses can be used similarly to global unicast addresses but are for private use and should not be routed in the global Internet. ULA addresses are only to be used in a more limited area, such as within a site or routed between a limited number of administrative domains. ULA addresses are for devices that never need access to the Internet and never need to be accessible from the Internet.
ULA addresses are defined in RFC 4193, Unique Local IPv6 Unicast Addresses. Figure 4-9 illustrates the format of a unique local unicast address.
)
Figure 4-9 Structure of a Unique Local Unicast Address
Unique local addresses have the prefix fc00::/7, which results in the range of addresses from fc00::/7 to fdff::/7, as shown in Table 4-8.
Table 4-8 Range of Unique Local Unicast Addresses
| Unique Local Unicast Address (Hexadecimal) | Range of First Hextet | Range of First Hextet in Binary |
| fc00::/7 | fc00 to fdff | 1111 1100 0000 0000 to 1111 1101 1111 1111 |
Unique local addresses have the following characteristics:
They can be used just like global unicast addresses.
They can be used for devices that never need access to or from the global Internet.
They allow sites to be combined or privately interconnected without address conflicts and without requiring addressing renumbering. (Address conflicts are highly unlikely due to the large address space.)
They are independent of any ISP and can be used within a site even without having Internet connectivity.
ULA and NAT
ULA and NAT is a bit of a tricky topic. The concept of translating a unique local address to a global unicast address is the subject of ongoing debate within the IPv6 community, and it fosters emotional opinions on both sides of the argument. The IAB published an informational RFC highlighting its thoughts on NAT and IPv6 in RFC 5902, IAB Thoughts on IPv6 Network Address Translation. In this RFC, the IAB summarizes the use of NAT as follows:
Network address translation is viewed as a solution to achieve a number of desired properties for individual networks: avoiding renumbering, facilitating multihoming, making configurations homogenous, hiding internal network details, and providing simple security.
So, does this means NAT provides security, and ULA addresses can be translated to GUA addresses for this purpose? The simple answer is no. RFC 5902 goes on to state, “However, one should not confuse NAT boxes with firewalls. As discussed in [RFC 4864] Section 2.2, the act of translation does not provide security in itself.”
Remember that the driving force for using NAT with IPv4 is not security but IPv4 address depletion. Although the IAB and the IETF did not intend for NAT to be used with IPv6 as it is with IPv4, NAT does provide mechanisms for translation where translation is necessary. These translation techniques include Network Prefix Translation version 6 (NPTv6), described in RFC 6296, IPv6-to-IPv6 Network Prefix Translation, and NAT66, described in an Internet draft RFC, IPv6-to-IPv6 Network Address Translation (long expired). Both of these RFCs focus on translation for address independence—and only where necessary. In RFC 6296, the IETF goes as far as stating, “For reasons discussed in [RFC 2993] and Section 5, the IETF does not recommend the use of Network Address Translation technology for IPv6.”
Both NPTv6 and NAT66 are designed for address independence and not security. Address independence means that a site does not have to renumber its internal addresses if the ISP changes the site’s external prefix or if the site changes ISPs and receives a different prefix.
NPTv6 and NAT66 are both stateless technologies, whereas NAT for IPv4 is stateful. It is the statefulness, not NAT itself, that provides the security. This means that internal devices are open to certain types of attacks that would not be possible in a NAT for IPv4 network. Without getting into the NAT-versus-security debate covered in Chapter 1, NAT for IPv4 is not security and introduces many problems and challenges.
If all this seems vague, complicated, and perhaps even contradictory, welcome to the discussion on NAT and IPv6.
L Flag and Global ID
ULA addresses have the prefix fc00::/7, or the first 7 bits as 1111 110x. As shown in Figure 4-10, the eighth bit (x) is known as the L flag, or the local flag, and it can be either 0 or 1. This means that the ULA address range is divided into two parts:
fc00::/8 (1111 1100): When the L flag is set to 0, may be defined in the future.
fd00::/8 (1111 1101): When the L flag is set to 1, the address is locally assigned.
Because the only legitimate value for the L flag is 1, the only valid ULA addresses today are in the fd00::/8 prefix.
Another difference between ULA addresses and private IPv4 addresses is that ULA addresses can also be globally unique. This is helpful for ensuring that there won’t be any conflicts when combining two sites using ULA addresses or just in case they get leaked out into the Internet.
The trick is that the global IDs must somehow be unique without being administered by a central authority. RFC 4193, Sample Code for Pseudo-Random Global ID Algorithm, defines a process whereby locally assigned Global IDs can be generated using a pseudorandom algorithm that gives them a very high probability of being unique. It is important that all sites generating Global IDs use the same algorithm to ensure that there is this high probability of uniqueness.
The algorithm defined in RFC 4193 is beyond the scope of this book, but these are the six steps from Section 3.2.2 of RFC 4193:
3.2.2. Sample Code for Pseudo-Random Global ID Algorithm
The algorithm described below is intended to be used for locally assigned Global IDs. In each case the resulting global ID will be used in the appropriate prefix as defined in Section 3.2.
Obtain the current time of day in 64-bit NTP format [NTP].
Obtain an EUI-64 identifier from the system running this algorithm. If an EUI-64 does not exist, one can be created from a 48-bit MAC address as specified in [ADDARCH]. If an EUI-64 cannot be obtained or created, a suitably unique identifier, local to the node, should be used (e.g., system serial number).
Concatenate the time of day with the system-specific identifier in order to create a key.
Compute an SHA-1 digest on the key as specified in [FIPS, SHA1]; the resulting value is 160 bits.
Use the least significant 40 bits as the Global ID.
Concatenate fc00::/7, the L bit set to 1, and the 40-bit Global ID to create a Local IPv6 address prefix.
This algorithm will result in a Global ID that is reasonably unique and can be used to create a locally assigned local IPv6 address prefix. You can use the following website to generate and register your ULA address space: www.sixxs.net/tools/grh/ula.
Site-Local Addresses (Deprecated)
The original IPv6 specification allocated address space, similar to RFC 1918, Private Address Space in IPv4, for site-local addresses. Site-local addresses have since been deprecated (that is, made obsolete).
Site-local addresses, defined in RFC 3513, were given the prefix range fec0::/10. (You will most likely come across this prefix in older documentation.) The problem was that the term site was ambiguous. No one could really agree on what a site really meant. The other issue was that there was no guarantee that two sites within the same organization wouldn’t end up using the same or overlapping site-local addresses, which kind of defeats the purpose of IPv6 and all this extra address space. Therefore, site-local addresses have been deprecated and replaced with unique local addresses.
IPv4 Embedded Address
The final unicast address types are IPv4 embedded addresses, as shown in Figure 4-6. IPv4 embedded addresses are IPv6 addresses used to aid the transition from IPv4 to IPv6. IPv4 embedded addresses carry an IPv4 address in the low-order 32 bits. These addresses are used to represent an IPv4 address inside an IPv6 address. RFC 4291 defines two types of IPv4 embedded addresses:
IPv4-mapped IPv6 addresses
IPv4-compatible IPv6 addresses (deprecated)
Special techniques such as tunnels are used to provide communications between islands of IPv6 devices over an IPv4-only network. To support this compatibility, IPv4 addresses can be embedded within an IPv6 address. This is easy to do because a 128-bit IPv6 address has plenty of room for the 32-bit IPv4 address. Basically, IPv6 just puts it at the end of the address and pads the front end. IPv4 and IPv6 packets are not compatible. Features such as NAT64 are required to translate between the two address families. See Chapter 17, “Deploying IPv6 in the Network,” for more information.
IPv4-Mapped IPv6 Addresses
IPv4-mapped IPv6 addresses can be used by a dual-stack device that needs to send an IPv6 packet to an IPv4-only device. As shown in Figure 4-10, the first 80 bits are set to all 0s, and the 16-bit segment preceding the 32-bit IPv4 address is all 1s. The last 32 bits in the IPv4 address are represented in dotted-decimal notation. So, the first 96 bits are represented in hexadecimal, and the last 32 bits contain the IPv4 address in dotted-decimal notation.
)
Figure 4-10 IPv4-Mapped IPv6 Address
With an IPv4-mapped IPv6 address, the IPv4 address does not have to be globally unique.
Table 4-9 shows the various formats for representing an IPv4-mapped IPv6 address using the IPv4 address 192.168.10.10.
Table 4-9 IPv4-Mapped IPv6 Address Representations
| Representation | IPv4-Mapped IPv6 Address |
| Preferred | 0000:0000:0000:0000:0000:0000:ffff:192.168.10.10 |
| Leading 0s omitted | 0:0:0:0:0:0:ffff:192.168.10.10 |
| Compressed | ::ffff:192.168.10.10 |
Although there are many transition techniques available, the goal should always be native end-to-end IPv6 connectivity.
IPv4-Compatible IPv6 Addresses (Deprecated)
The deprecated IPv4-compatible IPv6 address is almost identical to an IPv4-mapped IPv6 address, except all 96 bits—including the 16-bit segment preceding the 32-bit IPv4 address—are all 0s. Another difference is that the IPv4 address used in the IPv4-compatible IPv6 address must be a globally unique IPv4 unicast address. The IPv4-compatible IPv6 address was rarely used and is now deprecated. Current IPv6 transition mechanisms no longer use this address type.