1.9 Compare IPv6 address types
1.9.a Global unicast
1.9.b Unique local
1.9.c Link local
1.9.f Modified EUI 64
Since there are so many IP addresses in the IPv6 space, it is possible for every device in the world to have a unique public IP address. The idea is that every device can be reached from every other device.
IANA (Internet Assigned Numbers Authority) gives out IP addresses to the different organizations. It assigns the largest blocks of IP addresses to the regional authorities. In North America, that is ARIN (American Registry for Internet Numbers). ARIN assigns smaller blocks to ISPs. ISPs assign smaller blocks to their customers.
IPv6 has a global unicast feature which is equivalent to the IPv4 public and private IP addresses. Each company is assigned a group of IP addresses, which they can subnet as they see fit. The block of IPv6 addresses that each company is assigned is called a global routing prefix.
A company could also use private IPv6 addresses for their network – these are known as the unique local IPv6 addresses.
The reserved addresses
- Global Unicast addresses start with 2 or 3. As of the end of 2019, IANA hasn’t assigned any addresses that start with 3, but they are reserved for future use as Global Unicast addresses. A global unicast address is unique across the entire internet.
- Unique local IPv6 addresses start with FD. A local network can use addresses that start with FD, but they aren’t guaranteed to be unique across the internet.
We can assign a global unicast address to our router and unique local addresses to our internal devices, or we can assign global unicast addresses to all our devices.
- Multicast IPv6 addresses start with FF. A multicast address is an address we can send packets to so that they will reach multiple devices.
- Link Local IPv6 addresses start with FE80. The link local address is used by a device for internal testing. Packets addressed to a link local address stay on the local area network. The full range is fe80:0000:0000:0000:0000:0000:0000:0000 to febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
- 2002:0000:0000:0000:0000:0000:0000:0000 to 2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff was used by the 6to4 IP address conversion protocol
- ff00:0000:0000:0000:0000:0000:0000:0000 to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff is the multicast address range
- The :: address, which is all zeros is called an unknown address. If a host has an issue with its IP address or if it has not been assigned an IP address, it uses the unknown address.
- The ::1 address is all zeros except for a one at the end. A host uses this address to test its own interface. It is equivalent to the IPv4 127.0.0.1 address (also known as the loopback address).
A host uses the loopback addresses to test its internal applications. Traffic addressed to the loopback address must never leave the host. For example, if we’re hosting a website on a server, we can type “127.0.0.1” in the server’s web browser and should be able to view the website. If we can’t then there is an internal error with the server.
How do we subnet an IPv6 network? We should have one subnet for each LAN or VLAN and one subnet for each WAN connection.
We have three parts again – the network, the subnet, and the host. In IPv6, the network is the global routing prefix. The host is called the interface ID. Between them is the subnet.
|Global Routing Prefix||Subnet||Interface ID|
The total length is 128 bits. There are no address classes (Class A, B, or C) like in IPv4, so we can build our network how we choose.
The global routing prefix is fixed by our ISP. The most common length is 64-bits (16 characters) or 48-bits (12 characters). It is convenient for ISPs to use a 64-bit or 48-bit length because it falls on the nibble boundary (the colons). But an ISP can use a prefix of 63 bits, 62, bits, etc.
The Interface ID is usually 64 bits long.
The subnet makes up the difference (but the total length of the address must be 128 bits. That means the Global Routing Prefix + Subnet + Interface ID = 128.
If our prefix is 64 bits and our interface is 64 bits, then our subnet is 0. If our prefix is 48 bits and our interface is 64 bits, then our subnet is 16 bits.
When we create our subnets, we should determine
- The prefix and prefix length
- The size of the interface ID (the host bits). 64 is a common length and we will learn why later.
- The subnet length (calculated from the prefix length and interface length)
We don’t really need to worry about the size of each subnet or the number of subnets, because the address space is so large.
If our ISP assigned us 2002:0de8:1824:/48 and our interface length is 64 bits, then we have 16 bits for our subnet. We just need to think about all the unique numbers that fit inside the subnet area, and those are our subnets.
- Each subnet starts with our global routing prefix (2002:0de8:1824)
- The subnet portion is unique for all subnets
- The interface portion is all 0s
Then we assign the subnets. For example,
- 2002:0de8:1824:0001:0000:0000:0000:0000 or 2002:0de8:1824:1:: is our first subnet
- 2002:0de8:1824:0002:0000:0000:0000:0000 or 2002:0de8:1824:2:: is our second subnet
- 2002:0de8:1824:0003:0000:0000:0000:0000 or 2002:0de8:1824:3:: is our third subnet
- 2002:0de8:1824:ffff:0000:0000:0000:0000 or 2002:0de8:1824:ffff:: is our last subnet
We have 65,536 subnets (remember due to hexadecimal it is 16 x 16 x 16 x 16). Each subnet has 1616 possible IP addresses.
The subnet ID is called the subnet router anycast address. We should not assign it as an IP address. Devices can send a message to the subnet ID if they want to reach every router in the subnet. By having a subnet router anycast address, any device can reach the router without having to know the default gateway.
We can assign an IP address to a device statically, via DHCP, or via SLAAC (Stateless Address Autoconfiguration). We will learn more about this later.
An address that starts with FD only works on an internal network. It is called the unique local address. A device with no IP address can choose a unique local IP address that starts with FD. How?
- Use FD as for the first two digits
- Pick a 40-bit prefix (this prefix plus FD makes 48 bits) randomly
- The next 16 bits are the subnet
- This leaves us with 64 bits for the interface
If a device wants to use a static IP address (choose its own IP address), and wants to ensure that it is unique, it can calculate the modified EUI-64 (extended unique identifier) address.
A link-local IPv4 address is only unique in its own local network, but an IPv6 link-local address is globally unique. Why? A MAC address is considered globally unique (no two devices have the same MAC address). Therefore, if an IPv6 address can be generated from a MAC address, it is also globally unique. The IP address is generated using a process called EUI64.
Remember that a MAC address is 48 bits (6 bytes) and follows the format 11:22:33:44:55:66. Like an IP address, a MAC address can be converted into 0’s and 1’s (binary).
We split the MAC address in half and add 16 bits (2 bytes) to the middle. This results in a 64-bit address, which is the standard sized interface portion of an IPv6 address.
If our IP prefix was aabb:ccdd:aabb:ccdd and our MAC address was 11:22:33:44:55:66, we split it in half, and add two bytes to the middle: 11:22:33:FFFE:44:55:66.
Now we add it to our prefix and the result is: aabb:ccdd:aabb:ccdd:1122:33FF:FE44:5566
Finally, we need to invert the seventh bit of the MAC address. This is a little tricky. I wrote the 11:22:33:44:55:66 MAC address in binary – every two digits makes up one byte.
The seventh bit is in bold
If we invert it, we change it from a 1 to a 0.
Thus, the MAC address is
We can write it out as (only the first set of two digits changed).
That means our IP address is actually
Why do we bother inverting our MAC address? If our MAC address is unique than our inverted MAC address would also be unique.
Remember that a MAC address is assigned by the manufacturer. Some network devices allow us to manually change the MAC address. When the seventh bit is “1”, we know that the MAC address was changed by the user. When the seventh bit is “0”, we know that the MAC address was assigned by the manufacturer.
In summary, our IP address looks like this
|Prefix||First half of MAC address||FFFE||Second half of MAC address|
The FF30::/12 address is a multicast address. A multicast address lets you send a message to several hosts at the same time. It is different from a broadcast address, which lets you send a message to all the hosts on a subnet. The problem with a broadcast is that every host must read the packet and decide whether they needed it or not.
We don’t use broadcasts in IPv6, because the multicast allows hosts that don’t need the message to ignore it. For example, the FF02::5 address is intended for routers only. Routers will receive and process packets sent to this address, but other hosts will ignore it.
The most important multicast addresses
|All routers using OSPF protocol|
|FF02::9||All routers using RIPng protocol|
|FF02::A||All routers using EIGRP|
|FF02::1:2||All routers using DHCPv6|
The most important link local addresses prefixes are in the following table. These are also multicast addresses.
|FF01||Interface-Local Local just to a specific device interface|
|FF02||Link-Local Local just to a specific subnet|
|FF05||Site-Local Local just to a site (office)|
|FF08||Organization-Local Local to an entire organization’s network Used to pass router configurations|
|FF0E||Global Can go anywhere|
For example, FF02:1111:2222:3333:4444:5555:6666:7777 is a link local address that can be used to address other devices on the same subnet.
A router knows whether it must keep a packet within its subnet or if it should forward it. With global addresses, a router must be configured to understand where the organization boundary is so that it does not forward a packet outside the organization.
Remember that the link-local unicast address prefix is FE80. For example, a device might use FE80:1111:2222:3333:4444:5555:6666:7777 as its link local address.
How can we use NDP to find the MAC address of another host on our subnet? Every device calculates a unique address called the solicited-node multicast address for every unicast address on its interface. If a device has a unicast address and a link-local address, then it will have to calculate two solicited-node multicast addresses.
We take the generic address FF02::1:FF00:0, which can be written as FF02:0000:0000:0000:0000:0001:FF00:0000 and add the last 24-bits (6 digits) of our IP address to it.
For example, if our IP address is FA01:ABCD:1111:2222:3333:4444:5555:6666, then the last six digits are 55:6666. When we add them to the generic address, we get FF02:0000:0000:0000:0000:0001:FF55:6666.
If the device address ends in 55:6666, then it will subscribe to the FF02:0000:0000:0000:0000:0001:FF55:6666 multicast address and receive messages addressed to it.
Now, if I want to send a message to a device with IP address FA01:ABCD:1111:2222:3333:4444:5555:6666, and it is on my local network, I still need to learn its MAC address. I calculate the device’s solicited-node multicast address.
Then I send an NDP message to FF02:0000:0000:0000:0000:0001:FF55:6666. All the devices whose IP address end in 55:6666 will see the message and respond with their MAC addresses. Now I know the MAC address of the device with IP address FA01:ABCD:1111:2222:3333:4444:5555:6666.
The benefit of multicast as opposed to broadcast is that I didn’t have to send my NDP message to all the devices on my network. Given how big an IPv6 subnet can be, there might be thousands of active devices, and I don’t want to consume resources on all of them just so that I can learn one MAC address.
Some benefits of NDP
- Neighbor MAC Discovery – a host can learn the MAC addresses of the other hosts on the sane network
- Router Discovery – a host can learn the IPv6 addresses of the routers on its subnet
- SLAAC – a host can learn the subnet of its network
- DAD – a host needs to be able to verify that the address it chooses for itself is not duplicated somewhere else using Duplicate Address Detection
We learn the MAC address of other devices using two messages
- Neighbor Solicitation (NS) – NS is basically “hey if you are using this IPv6 address, reply with your MAC address”. This address is sent to the solicited-node multicast address so that only hosts whose last six IPv6 address digits match will see the message.
- Neighbor Advertisement (NA) – NA is basically “look at me, this is my IPv6 address and my MAC address”. The NA is sent as a reply to the NS. It can also be sent standalone (known as an unsolicited NA). When sent unsolicited, the other devices that see it will store it.
An unsolicited message is sent to the FF02::1 address, which is a local-scope multicast address that all IPv6 hosts on a subnet listen to.
We learn the default gateways using two messages
- Router Solicitation (RS) – “hey if you’re a router, identify yourself”. This message is only sent to FF02::2 – a multicast address which local routers respond to.
- Router Advertisement (RA) – this is sent as a response to an RS. “hey, I’m this router, and this is my link-local IPv6 address”. The router can send it to the host that created the RS or it can send it to FF02::1, which is seen by all IPv6 hosts.
A router can periodically advertise itself by sending unsolicited RA messages to the FF02::1 address.
Remember that if a host needs to obtain an IP address, it can use DHCP. It calls the DHCP server and asks for an IP address. The DHCP server replies with an IP address that the host can use. We will learn more about DHCP later.
In IPv6 a device can generate an IP address using SLAAC, or Stateless Address Autoconfiguration. How?
- The device learns the IPv6 prefix that is on its link (local network). It learns this from an NDP Router Advertisement (RA) message.
- Then it generates an IP address that begins with that prefix. It can use the EUI-64 address, or it can choose a random value.
- It uses DAD (Duplicate Address Detection) to make sure that nobody else is using that address before assigning it to itself.
Each time a host joins a network (even if just powered off and already has a static IP address), it checks the DAD. Even if a host has a statically configured IP address, if it detects another host with the same address, it will not use its static address.
- The computer sends out a DAD message, which says “this is the address I chose, is anybody else using it”? It sends this message to the IP address that it selected. If another device is using the same IP address, it will receive the message.
- If the other address is in use, the host that is using it will reply with an NA (Neighbor Advertisement) message. The first host will realize that it must select a new IP address.