Tactical Advice

What You Need to Know About IPv6

Although complete reliance on the next generation Internet Protocol may be some years away, IPv6 is becoming more prevalent.

IPv6 is a suite of protocols designed to overcome the limitations of IPv4 and is integrated into the TCP/IP stack in Windows Server 2008 and Vista. A large address space, simplified routing and built-in security are among the new features that make IPv6 a flexible and compelling choice for businesses.

IPv6 Is Coming

While complete reliance on the next-generation Internet Protocol may be some years away, IPv6 is becoming more prevalent in everyday computing scenarios. For sysadmins, this is evident in Windows Server 2008, where IPv6 is enabled by default in the TCP/IP stack, and if not configured — or disabled — it could cause you some headaches when installing Active Directory or Exchange. No doubt the easiest thing to do is disable IPv6, and there is some argument that if it is not being utilized on your network that is indeed what you should do (see “Keep It On or Shut It Off?”).

The Business Case

Windows Server 2008 Release 2 has one must-have feature that will spur support for IPv6 on corporate networks: DirectAccess lets remote users log on to domain controllers as if they were connected directly to a corporate intranet, without the need to establish a virtual private network.

Mergers and acquisitions offer IT departments with some of their biggest challenges, and this all begins at the network level during periods of coexistence, before networks are fully integrated. Because of the limited number of public IPv4 addresses, intranets commonly use Network Address Translation (NAT) to route traffic from private IPv4 address spaces to the Internet via a globally routable public IPv4 address. Yet there’s a high chance that any two organizations will be using the same private address space, so if a host on network A has the same private IPv4 address as a host on network B, traffic can’t be directly routed between the two devices.

While providing a solution for limited IPv4 addresses, many network protocols cannot easily be traversed across NAT interfaces or must be helped along their way with complicated workarounds. The IPv6 address space is so large that every system connected to the Internet can be assigned a unique global address, meaning that there shouldn’t be any complex routing or renumbering problems when two networks need to be connected. Removing the connectivity restrictions imposed by IPv4 networks opens up the possibilities for new and more efficient applications to be developed along with reduced costs.

IPv6 Notation and Address Space

IPv6 has a 128-bit address space, which is divided into eight 16-bit blocks, providing 3.4 x1038, or 5.2x1028 addresses for each of the 6.5 billion people on the planet— a number so large it’s unlikely we’ll ever run out. While IPv4 notation relies on decimal representation of binary numbers, IPv6 is a little more complicated in that it uses hex. Below you can see an IPv6 address in binary form and its equivalent in standard hexadecimal notation:

0010000000000010

0000101000000000

0000000000000000

0000000000000000

0000001001100000

0001110111111111

1111111000100010

0101101010000101

2002:0a00:0000:0000:0260:1dff:fe22:5a85

The built-in calculator program in Windows can be used to convert binary to hex, or vice versa, if you switch the view to scientific (View menu > Scientific). Hex notation has a system for compressing zeros where contiguous 16-bit zero blocks are represented by a double colon. Leading zeros are also removed, either when writing or using the calculator. Our hex IPv6 address can therefore be reduced as follows: 2002:a00::260:1dff:fe22:5a85

When IPv6 hosts receive an address automatically, regardless of whether there is an available DHCPv6 server or IPv6-capable router on the local network segment, all nodes establish link-local addresses and can communicate with each other. This is similar to Microsoft’s Automatic Private IP Addressing (APIPA) service, which is not native to IPv4, where clients set to automatic configuration will receive an address in the range 169.254.0.1 through 169.254.255.254, should no DHCP server be available. The scope of a link-local address is a single subnet, enabling hosts to create ad-hoc networks without any additional equipment or configuration and communicate with other hosts on the same network segment.

As link-local addresses can be reused on different links, they are additionally identified by what is known as a zone ID, which is derived from the interface index. When IPv6 is present on a given physical network adapter, it has at least two interfaces: a loopback address (::1) and a LAN interface. As interfaces are initialized on an IPv6 node, they are assigned a number, the interface index, starting with the loopback address at 1. Here’s an example of our IPv6 address with a zone ID of 4: 2002:a00::260:1dff:fe22:5a85%4

When using the ping command to test IPv6 connectivity, you should include the zone ID as shown in the example above, so ping knows which interface to send the traffic out of to reach the correct link. Confusingly, each IPv6 node on a link may use a different zone ID. You can view interface indexes on a given host using the netsh command: netsh interface ipv6 show interface

Global IPv6 addresses are equivalent to IPv4 public addresses, and their scope is the entire Internet. It’s important to understand that Internet Service Providers (ISPs) allocate IPv6 routing prefixes, usually 48 bits in length, as opposed to complete addresses. Sixteen bits remain for corporations to allocate to different subnets, the subnet ID, and 64 bits are left for interface IDs (IID). IIDs can be derived automatically from the interface’s MAC address, in the case of stateless auto configuration; manually assigned; or allocated by a DHCPv6 server.

The global routing prefix and subnet ID make up the network ID. For instance, our hex IPv6 address would have a /64 prefix to indicate that the first 64 bits represent the network ID and the remaining 64 bits the IID: 2002:a00::260:1dff:fe22:5a85/64.
Unique local addresses (ULAs) are similar to IPv4 private addresses and are represented by FD00::/8. The first eight bits are fixed (FD) and the next 40 bits represent a randomly generated global ID. As with global IPv6 addresses, 16 bits remain for a subnet ID, and 64 bits for an IID.

Although it’s useful to understand the different types of IPv6 addresses, unless you’re creating ad-hoc networks or have no requirement for routing traffic outside a network, global addresses are the way to go when planning an IPv6 network.

Stateless and Stateful IP Configuration

Unlike IPv4, where an interface generally has one IP address, it’s normal for interfaces to be assigned different types of IPv6 addresses simultaneously. All interfaces configure a link-local address and might additionally acquire a ULA or global address.

Stateless configuration refers to the ability of an IPv6 interface to configure an IP address without the presence of a DHCPv6 server on the network segment. IPv6 compatible routers can be programmed to provide Vista with information about ULA or global address prefixes for generating temporary stateless addresses. Windows Server 2008 does not generate temporary stateless addresses by default. Routers can also be set to redirect IPv6 nodes to a DHCPv6 server to receive extra configuration options or non-link-local IP addresses. This is known as stateful configuration.

Compatibility

IPv6 is backwards compatible with IPv4, and most network protocols need no modification to work over IPv6. Exceptions are protocols that hardcode IP addresses into their payload, such as FTP. Because a complete transition to IPv6 isn’t going to happen overnight, there are various tunnelling protocols that facilitate IPv6 communications over existing IPv4 networks. Teredo wraps IPv6 packets in IPv4 UDP datagrams, allowing IPv6 to be used across IPv4 networks with NAT.  Each host system is assigned a global IPv6 address, issued by a public Teredo server. While Teredo can be used with most NAT devices, you should note that symmetric NAT is not supported. Microsoft’s Internet Connectivity Evaluation Tool can be used to test whether an XP or Vista host, located behind a NAT router, is able to establish an IPv6 connection tunnelled using Teredo over IPv4: http://www.microsoft.com/windows/using/tools/igd/default.mspx

Russell Smith is an independent consultant based in the United Kingdom who specializes in Microsoft systems management.

Sign up for our e-newsletter

About the Author

Russell Smith

Russell Smith

Microsoft Technology Best Practices

Russell is a technology consultant and trainer specializing in management and security of Microsoft server and client technologies. A Microsoft Certified Systems Engineer with more than 10 years of experience, Russell’s projects have included everything from deploying Small Business Server to developing security practices on large-scale United Kingdom government IT projects. Russell is also author of Least Privilege Security for Windows 7, Vista and XP published by Packt.

Security

Three Ways to Integrate Fire... |
Follow these tips to align the devices with log management and incident tracking systems.
Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...

Storage

The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...
The Value of Converged Infra... |
Improvements in security, management and efficiency are just a few of the benefits CI can...

Networking

Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Hardware & Software

New Challenges in Software M... |
IT trends such as cloud, virtualization and BYOD pose serious hurdles for software...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
The Tools That Power Busines... |
Ever-evolving analytic software can greatly improve financial institutions’ decision-...