What You Need to Know About IPv6
IPv6 is a suite of protocols designed to overcome the limitations of IPv4 and is integrated into the TCP/IP stack in Windows Server 2008 and Vista. A large address space, simplified routing and built-in security are among the new features that make IPv6 a flexible and compelling choice for businesses.
IPv6 Is Coming
While complete reliance on the next-generation Internet Protocol may be some years away, IPv6 is becoming more prevalent in everyday computing scenarios. For sysadmins, this is evident in Windows Server 2008, where IPv6 is enabled by default in the TCP/IP stack, and if not configured — or disabled — it could cause you some headaches when installing Active Directory or Exchange. No doubt the easiest thing to do is disable IPv6, and there is some argument that if it is not being utilized on your network that is indeed what you should do (see “Keep It On or Shut It Off?”).
The Business Case
Windows Server 2008 Release 2 has one must-have feature that will spur support for IPv6 on corporate networks: DirectAccess lets remote users log on to domain controllers as if they were connected directly to a corporate intranet, without the need to establish a virtual private network.
Mergers and acquisitions present IT departments with some of their biggest challenges, and this all begins at the network level during periods of coexistence, before networks are fully integrated. Because of the limited number of public IPv4 addresses, intranets commonly use Network Address Translation (NAT) to route traffic from private IPv4 address spaces to the Internet via a globally routable public IPv4 address. Yet there’s a high chance that any two organizations will be using the same private address space, so if a host on network A has the same private IPv4 address as a host on network B, traffic can’t be directly routed between the two devices.
Although NAT works around the shortage of IPv4 addresses, many network protocols cannot easily traverse NAT interfaces, or must be helped along their way with complicated workarounds. The IPv6 address space is so large that every system connected to the Internet can be assigned a unique global address, meaning that there shouldn’t be any complex routing or renumbering problems when two networks need to be connected. Removing the connectivity restrictions imposed by IPv4 networks opens up the possibilities for new and more efficient applications to be developed, along with reduced costs.
IPv6 Notation and Address Space
IPv6 has a 128-bit address space, which is divided into eight 16-bit blocks, providing 3.4 × 10^38 addresses, or 5.2 × 10^28 for each of the 6.5 billion people on the planet, a number so large it’s unlikely we’ll ever run out. While IPv4 notation relies on decimal representation of binary numbers, IPv6 is a little more complicated in that it uses hex. Below you can see an IPv6 address in binary form and its equivalent in standard hexadecimal notation:
The built-in calculator program in Windows can be used to convert binary to hex, or vice versa, if you switch the view to scientific (View menu > Scientific). Hex notation has a system for compressing zeros: a run of contiguous all-zero 16-bit blocks is replaced by a double colon, which may appear only once in an address (otherwise the number of omitted blocks would be ambiguous). Leading zeros within each block are also dropped, whether you write the address by hand or use the calculator. Our hex IPv6 address can therefore be reduced as follows: 2002:a00::260:1dff:fe22:5a85
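The two steps just described (binary to hex, then zero compression) are easy to get wrong by hand, so here is an added Python example that carries them out and checks the result against the standard library. This is not code from the article; it uses the article's own address 2002:a00::260:1dff:fe22:5a85, and the 128-digit binary string below is constructed from that address for the demonstration.

```python
"""Added example: IPv6 textual notation (binary -> hex groups -> compressed form).

Not code from the original article. The binary string is constructed from the
article's example address so that the conversion can be followed end to end.
"""
import ipaddress
import re
from typing import List

# Constructed: the article's address written out as 128 bits (one 16-bit block per line).
ARTICLE_BINARY = (
    "0010000000000010"   # 2002
    "0000101000000000"   # 0a00
    "0000000000000000"   # 0000
    "0000000000000000"   # 0000
    "0000001001100000"   # 0260
    "0001110111111111"   # 1dff
    "1111111000100010"   # fe22
    "0101101010000101"   # 5a85
)


def binary_to_hex_groups(bits: str) -> List[str]:
    """Split a 128-digit binary string into eight 4-digit hex groups."""
    bits = re.sub(r"\s+", "", bits)
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected 128 binary digits")
    return [f"{int(bits[i:i + 16], 2):04x}" for i in range(0, 128, 16)]


def compress(groups: List[str]) -> str:
    """Apply the article's two rules the way RFC 5952 specifies: drop leading
    zeros in each group, then replace the longest run of two or more all-zero
    groups with '::' exactly once (the first run wins on a tie)."""
    trimmed = [g.lstrip("0") or "0" for g in groups]
    best_start, best_len = -1, 0
    i = 0
    while i < len(trimmed):
        if trimmed[i] == "0":
            j = i
            while j < len(trimmed) and trimmed[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:
        return ":".join(trimmed)
    left = ":".join(trimmed[:best_start])
    right = ":".join(trimmed[best_start + best_len:])
    return f"{left}::{right}"


def expand(text: str) -> str:
    """Reverse the compression: full eight-group form with leading zeros restored."""
    return ipaddress.IPv6Address(text).exploded


def is_valid_notation(text: str) -> bool:
    """True if the text is a well-formed IPv6 address (e.g. at most one '::')."""
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    groups = binary_to_hex_groups(ARTICLE_BINARY)
    print("hex groups :", ":".join(groups))
    print("compressed :", compress(groups))
    print("expanded   :", expand(compress(groups)))
    print("two '::'   :", is_valid_notation("2002::a00::1"))
```

The compression routine is written out in full rather than delegated to `ipaddress.IPv6Address(...).compressed` so that the "longest run, only once" rule is visible; `expand` and `is_valid_notation` then use the standard library as an independent check.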
When IPv6 hosts receive an address automatically, regardless of whether there is an available DHCPv6 server or IPv6-capable router on the local network segment, all nodes establish link-local addresses and can communicate with each other. This is similar to Microsoft’s Automatic Private IP Addressing (APIPA) service, which is not native to IPv4, where clients set to automatic configuration will receive an address in the range 169.254.0.1 through 169.254.255.254, should no DHCP server be available. The scope of a link-local address is a single subnet, enabling hosts to create ad-hoc networks without any additional equipment or configuration and communicate with other hosts on the same network segment.
As link-local addresses can be reused on different links, they are additionally identified by what is known as a zone ID, which is derived from the interface index. A host with IPv6 enabled has at least two interfaces: the loopback interface (::1) and a LAN interface on the physical network adapter. As interfaces are initialized on an IPv6 node, each is assigned a number, the interface index, starting with the loopback interface at 1. Here’s an example of our IPv6 address with a zone ID of 4: 2002:a00::260:1dff:fe22:5a85%4
When using the ping command to test IPv6 connectivity, you should include the zone ID as shown in the example above, so ping knows which interface to send the traffic out of to reach the correct link. Confusingly, each IPv6 node on a link may use a different zone ID. You can view interface indexes on a given host using the netsh command: netsh interface ipv6 show interface
Global IPv6 addresses are equivalent to IPv4 public addresses, and their scope is the entire Internet. It’s important to understand that Internet Service Providers (ISPs) allocate IPv6 routing prefixes, usually 48 bits in length, as opposed to complete addresses. Sixteen bits remain for the organization to allocate to its different subnets (the subnet ID), and 64 bits are left for the interface ID (IID). IIDs can be derived automatically from the interface’s MAC address, in the case of stateless autoconfiguration; manually assigned; or allocated by a DHCPv6 server.
The global routing prefix and subnet ID make up the network ID. For instance, our hex IPv6 address would have a /64 prefix to indicate that the first 64 bits represent the network ID and the remaining 64 bits the IID: 2002:a00::260:1dff:fe22:5a85/64.
Unique local addresses (ULAs) are similar to IPv4 private addresses and are represented by FD00::/8. The first eight bits are fixed (FD) and the next 40 bits represent a randomly generated global ID. As with global IPv6 addresses, 16 bits remain for a subnet ID, and 64 bits for an IID.
Although it’s useful to understand the different types of IPv6 addresses, unless you’re creating ad-hoc networks or have no requirement for routing traffic outside a network, global addresses are the way to go when planning an IPv6 network.
Stateless and Stateful IP Configuration
Unlike IPv4, where an interface generally has one IP address, it’s normal for interfaces to be assigned different types of IPv6 addresses simultaneously. All interfaces configure a link-local address and might additionally acquire a ULA or global address.
Stateless configuration refers to the ability of an IPv6 interface to configure an IP address without the presence of a DHCPv6 server on the network segment. IPv6 compatible routers can be programmed to provide Vista with information about ULA or global address prefixes for generating temporary stateless addresses. Windows Server 2008 does not generate temporary stateless addresses by default. Routers can also be set to redirect IPv6 nodes to a DHCPv6 server to receive extra configuration options or non-link-local IP addresses. This is known as stateful configuration.
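To tie together the address types, the zone ID, the 48/16/64 layout of a global address and the MAC-derived interface ID described above, here is an added Python example (not the article's code). It uses the article's example address 2002:a00::260:1dff:fe22:5a85 with zone ID 4. The MAC address 00-60-1d-22-5a-85 is constructed for the demonstration: it is the address from which the article's IID would have been generated under the modified EUI-64 procedure of RFC 4291, which is what stateless autoconfiguration uses when it derives the IID from the MAC.

```python
"""Added example: taking an IPv6 address apart as the article describes.

Not code from the original article. Uses the article's example address and a
constructed MAC address (00-60-1d-22-5a-85) consistent with its interface ID.
"""
import ipaddress
from typing import Optional, Tuple

ARTICLE_ADDRESS_WITH_ZONE = "2002:a00::260:1dff:fe22:5a85%4"   # from the article
CONSTRUCTED_MAC = "00-60-1d-22-5a-85"                           # constructed for this example


def parse_with_zone(text: str) -> Tuple[str, Optional[int]]:
    """Split '<address>%<zone>' into the expanded address and its zone ID (interface index)."""
    addr_text, _, zone = text.partition("%")
    return ipaddress.IPv6Address(addr_text).exploded, (int(zone) if zone else None)


def classify(text: str) -> str:
    """Name the address type using the well-known prefixes for each scope."""
    addr = ipaddress.IPv6Address(text)
    if addr == ipaddress.IPv6Address("::1"):
        return "loopback"
    if addr in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if addr in ipaddress.IPv6Network("fd00::/8"):
        return "unique-local"
    if addr in ipaddress.IPv6Network("ff00::/8"):
        return "multicast"
    if addr in ipaddress.IPv6Network("2000::/3"):
        return "global"
    return "other"


def split_global(text: str, prefix_bits: int = 48) -> Tuple[str, str, str]:
    """Return (routing prefix, subnet ID, interface ID) as hex strings, using the
    article's layout: an ISP-allocated prefix (48 bits by default), a subnet ID
    filling the rest of the upper 64 bits, and a 64-bit IID."""
    n = int(ipaddress.IPv6Address(text))
    iid = n & ((1 << 64) - 1)
    net = n >> 64
    subnet_bits = 64 - prefix_bits
    subnet = net & ((1 << subnet_bits) - 1)
    prefix = net >> subnet_bits
    return (f"{prefix:0{prefix_bits // 4}x}", f"{subnet:0{subnet_bits // 4}x}", f"{iid:016x}")


def iid_from_mac(mac: str) -> str:
    """Modified EUI-64 (RFC 4291, Appendix A): insert ff:fe between the OUI and the
    device part of the MAC, then flip the universal/local bit of the first octet."""
    octets = bytes(int(b, 16) for b in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return eui.hex()


def mac_from_iid(iid_hex: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 IID, or None if the IID was not built that way.
    That this is possible at all is why temporary (privacy) addresses exist."""
    b = bytes.fromhex(iid_hex)
    if len(b) != 8 or b[3:5] != b"\xff\xfe":
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    addr, zone = parse_with_zone(ARTICLE_ADDRESS_WITH_ZONE)
    print("address    :", addr, "zone ID:", zone, "type:", classify(addr))
    prefix, subnet, iid = split_global(addr)
    print("prefix/48  :", prefix, " subnet:", subnet, " IID:", iid)
    print("EUI-64 IID :", iid_from_mac(CONSTRUCTED_MAC), " MAC recovered:", mac_from_iid(iid))
```

The last two functions show the privacy cost of MAC-derived IIDs: the IID stays the same on every network the host joins and embeds the adapter's vendor OUI, so a host can be recognised across links. The temporary stateless addresses mentioned above (RFC 4941) exist to avoid exactly this, which is worth remembering when deciding whether to leave them off on Windows Server 2008.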
IPv6 is backwards compatible with IPv4, and most network protocols need no modification to work over IPv6. Exceptions are protocols that hardcode IP addresses into their payload, such as FTP. Because a complete transition to IPv6 isn’t going to happen overnight, there are various tunnelling protocols that facilitate IPv6 communications over existing IPv4 networks. Teredo wraps IPv6 packets in IPv4 UDP datagrams, allowing IPv6 to be used across IPv4 networks with NAT. Each host system is assigned a global IPv6 address, issued by a public Teredo server. While Teredo can be used with most NAT devices, you should note that symmetric NAT is not supported. Microsoft’s Internet Connectivity Evaluation Tool can be used to test whether an XP or Vista host, located behind a NAT router, is able to establish an IPv6 connection tunnelled using Teredo over IPv4: http://www.microsoft.com/windows/using/tools/igd/default.mspx
Unicast, Multicast and Anycast Addresses
IPv6 includes three different types of address that can be used to send traffic to single or multiple hosts. Unicast addresses represent a single interface and are used to send traffic to one interface only. Multicast addresses represent a set of interfaces, and traffic is delivered to all interfaces in the set. Anycast addresses are similar to multicast addresses in that they represent a set of interfaces, but traffic is delivered to only one interface in the set. Broadcast addresses have been deprecated in IPv6.
The networks of the future will be NAT-less and VPN-less. IPv6 promises secure connections using IPsec between trusted devices without the need for tunnelling protocols or VPNs, greatly simplifying life for users and sysadmins.
While there may be no great rush to deploy IPv6 exclusively and phase out IPv4, it would be prudent to develop a basic understanding of IPv6 right now, so that you can comprehend those cryptic numbers and be on the ball as IPv6 inevitably becomes a more important feature of Windows networking.
Russell Smith is an independent consultant based in the United Kingdom who specializes in Microsoft systems management.