Robᵉʳᵗ Graham #PcapsOrItDidntHappen

This is wrong. You shouldn't know more about IPv6. But in case you wanted to know more, I thought I'd write up a quick thread. https://t.co/nLrVXghHVb

The reason for IPv6 is to preserve the "end-to-end" feature of the Internet, so that anybody can send a packet to anybody.

It's not for more addresses. IPv4 doesn't need more addresses. We have more than 20 billion devices on the IPv4 Internet, and there is no upper limit.

You of course know an IPv6 address is 128 bits, that we like to write it as hex, and that in a URL it's surrounded by [] brackets (so its colons aren't mistaken for the port separator), like this:
https://[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443/

It's not just you, nobody can read hex gibberish like this.

So we try to find shorter forms: drop the leading zeroes in each 16-bit group, and replace the single longest run of consecutive all-zero groups with "::" (only one "::" is allowed per address, otherwise you couldn't tell how many zero groups each one stood for), so:

2001:db8:0000:0000:0000:0000:0002:0001

becomes:

2001:db8::2:1
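As an added example (not part of the thread), here is the compression rule written out as code, with a cross-check against Python's standard library: strip leading zeros, lowercase the hex, collapse the longest run of two or more zero groups (the leftmost one on a tie), and never collapse a lone zero group. The reason a practitioner cares: an ACL, allow-list or log search that compares IPv6 addresses as raw strings will treat "2001:DB8:0:0::1" and "2001:db8::1" as different hosts. The addresses are from the documentation range and constructed for this example.

```python
import ipaddress

HEX = set("0123456789abcdefABCDEF")


def _group(text: str) -> int:
    """One 16-bit group: 1-4 hex digits, case-insensitive."""
    if not 1 <= len(text) <= 4 or not set(text) <= HEX:
        raise ValueError(f"bad 16-bit group {text!r}")
    return int(text, 16)


def expand(addr: str) -> list[int]:
    """Parse IPv6 text into eight integers, honouring at most one '::'."""
    if addr.count("::") > 1:
        raise ValueError(f"more than one '::' in {addr!r}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = [_group(g) for g in head.split(":")] if head else []
        tail_groups = [_group(g) for g in tail.split(":")] if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"'::' stands for no groups in {addr!r}")
        groups = head_groups + [0] * missing + tail_groups
    else:
        groups = [_group(g) for g in addr.split(":")]
    if len(groups) != 8:
        raise ValueError(f"{addr!r} does not have eight groups")
    return groups


def compress(addr: str) -> str:
    """Canonical text form per RFC 5952: lowercase hex, no leading zeros, and the
    longest run of two or more zero groups collapsed to '::' (leftmost on a tie)."""
    groups = expand(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:            # strictly greater keeps the leftmost run
            best_start, best_len = i, j - i
        i = j
    text = [format(g, "x") for g in groups]
    if best_len < 2:                    # a lone zero group is written as "0"
        return ":".join(text)
    return ":".join(text[:best_start]) + "::" + ":".join(text[best_start + best_len:])


def same_host(a: str, b: str) -> bool:
    """Compare addresses by canonical form, never by raw string."""
    return compress(a) == compress(b)


def is_valid(addr: str) -> bool:
    """True if the text parses as a plain IPv6 address."""
    try:
        expand(addr)
    except ValueError:
        return False
    return True


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check our output against the standard library's RFC 5952 form."""
    return compress(addr) == ipaddress.IPv6Address(addr).compressed
```

Two forms this deliberately leaves out: zone identifiers such as fe80::1%eth0 and the dotted-quad tail of IPv4-mapped addresses (::ffff:192.0.2.1). Both parse with ipaddress; if your tooling has to accept them, normalise through that module rather than extending the string handling.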

Like IPv4, routers don't look at the entire IPv6 address, only the prefix, written in the same CIDR notation as IPv4. So this represents a 48-bit prefix, where the router ignores the remaining 80 bits:
2001:db8:1234::/48

Normally, subnets are divided precisely in half, with the network prefix being the first 64 bits and the host portion (the "interface identifier") being the final 64 bits.

Comcast home users only get a single IPv6 subnet, a /64 delegation. Business class users get a /60 delegation, or 16 subnets.

Thus, Internet routers might see a Comcast address with a /48 prefix, but Comcast's own routers see finer-grained prefixes like /60 or /64 when routing packets to customer subnets.

Your home router handles this, getting a delegation from Comcast, then providing one or more subnets downstream.
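The prefix-matching story above, as an added example that is not from the thread: a tiny longest-prefix-match over two constructed routing tables, one as the wider Internet sees it (just the /48) and one as the provider sees it (the /48 aggregate plus a /60 business delegation and a /64 home delegation), along with the arithmetic for carving a /60 into its sixteen /64s. All prefixes are in the 2001:db8::/32 documentation range; the next-hop names are made up.

```python
import ipaddress
from typing import Optional

# Constructed routing tables (not from the thread).
BACKBONE_ROUTES = {
    "2001:db8:1234::/48": "to-provider-edge",
}
PROVIDER_ROUTES = {
    "2001:db8:1234::/48": "aggregate",               # everything else in the /48
    "2001:db8:1234:10::/60": "business-customer-7",  # 16 subnets, /60 delegation
    "2001:db8:1234:a::/64": "home-customer-42",      # a single /64
}


def longest_prefix_match(addr: str, routes: dict[str, str]) -> Optional[tuple[str, str]]:
    """Return (prefix, next-hop) for the most specific route covering addr, or None."""
    ip = ipaddress.IPv6Address(addr)
    best: Optional[ipaddress.IPv6Network] = None
    best_target = None
    for prefix, target in routes.items():
        # strict=True (the default) rejects a route whose host bits are not zero,
        # which is the usual typo in a hand-written IPv6 table.
        net = ipaddress.IPv6Network(prefix)
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best, best_target = net, target
    if best is None:
        return None
    return str(best), best_target


def ignored_host_bits(prefix: str) -> int:
    """How many trailing bits a router holding this prefix never looks at."""
    return 128 - ipaddress.IPv6Network(prefix).prefixlen


def subnet_count(delegation: str, subnet_len: int = 64) -> int:
    """Number of subnets of length subnet_len inside a delegation."""
    net = ipaddress.IPv6Network(delegation)
    if subnet_len < net.prefixlen:
        raise ValueError(f"/{subnet_len} is larger than the delegation {delegation}")
    return 2 ** (subnet_len - net.prefixlen)


def carve_subnets(delegation: str, subnet_len: int = 64) -> list[str]:
    """The subnets a home/business router would hand out downstream."""
    net = ipaddress.IPv6Network(delegation)
    return [str(s) for s in net.subnets(new_prefix=subnet_len)]
```

The same address lands on a different route in each table, which is the point of the thread's paragraph: the backbone only knows the /48, the provider's router prefers the /60 or /64 because longest match wins.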

The next step is to get an IPv6 address automatically assigned to your computer. Multiple ways are used simultaneously, so you usually get multiple addresses.

One way is DHCPv6, which works just like DHCP, assigning addresses from a small pool. It results in addresses like the following, with only the low 16 bits of the host portion in use:
2001:db8:1234::14b

Another way is "SLAAC", which builds the lower 64 bits of the address from your 48-bit MAC address: ff:fe is inserted in the middle to pad it out to 64 bits, and the "universal/local" bit (the second-lowest bit of the first byte) is flipped, so a MAC starting 00: gives an address starting 02:. My current Raspberry Pi does this, see how the 'ether' address matches the IPv6 address? https://t.co/HgnC8oMP1H

There's another 'static' address technique that simply chooses a random number, multicasts a Neighbor Solicitation on the local network to test for duplicates (Duplicate Address Detection), then (because 'static' and not 'dynamic') stores it to disk for future use.

..so what's 'dynamic' vs 'static'?

Static IPv6 addresses are always the same, which is a privacy risk, because websites can track you by address. So your computer also generates a new dynamic ("temporary", RFC 4941) IPv6 address with a random 64-bit host portion periodically (how often depends on the configured lifetimes; the default is to prefer each one for about a day) and uses that instead for outgoing connections.

Thus, we preserve the end-to-end nature of servers, which receive incoming connections at a known, static address, while clients get some of the anonymity of NATs, able to use ever-changing outgoing addresses that later can't be used to attack them.

Then there are the "local only" addresses. With Ethernet and IPv4, we learned all about ARP (which has no IPv4 header at all) and DHCP (which uses the placeholder addresses 0.0.0.0 and 255.255.255.255).

IPv6 changes this to using valid addresses, and multicast instead of broadcast.

Like SLAAC, your computer creates a local-only ("link-local") address, historically based on the MAC address. The fe80::/10 prefix is never routed off the local link. Thus, you always have a valid IPv6 address for the local subnet, for making things like DHCPv6 requests. https://t.co/8KfXwdI2EL
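The MAC-derived ("modified EUI-64") interface identifier used both for SLAAC global addresses and for the fe80:: link-local address, as an added example that is not part of the thread. It also does the reverse, which is the security-relevant direction: an EUI-64 address hands anyone who sees it your hardware MAC, and the first three bytes of that MAC (the OUI) name the device vendor. The sample MAC and prefix are constructed for this example.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 Appendix A): split the MAC in
    half, insert ff:fe, and flip the universal/local bit (0x02 of the first byte)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def slaac_address(prefix: str, mac: str) -> str:
    """Combine an advertised /64 with the EUI-64 identifier, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a 64-bit prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def link_local_address(mac: str) -> str:
    """The classic fe80:: address is the same construction over fe80::/64."""
    return slaac_address("fe80::/64", mac)


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address, or None if the address does not
    carry the ff:fe marker (random/temporary identifiers normally won't)."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in raw)


def vendor_oui(mac: str) -> str:
    """First 24 bits of the MAC, the part an OUI lookup table is keyed on."""
    return ":".join(mac.lower().replace("-", ":").split(":")[:3])
```

The ff:fe test is a heuristic: a random 64-bit identifier hits those sixteen bits by chance once in 65536, so treat a positive as "probably EUI-64", and note that modern desktop stacks default to random or stable-privacy identifiers rather than this one.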

In addition, instead of "broadcasts" on the local subnet (like 255.255.255.255), IPv6 uses "multicasts" (for example ff02::1 for all nodes on the link), meaning that if you aren't interested in a type of multicast, your battery-powered devices won't get woken up to process it.
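As an added example (not from the thread) of why multicast lets an uninterested device sleep: each host joins only the groups it needs, and the NIC can filter on the corresponding Ethernet destination. The code derives the solicited-node group that Neighbor Solicitation and Duplicate Address Detection use for a given address (ff02::1:ffXX:XXXX, RFC 4291 2.7.1) and the Ethernet multicast MAC an IPv6 group maps to (33:33 plus the low 32 bits, RFC 2464 7). Addresses are constructed.

```python
import ipaddress

ALL_NODES = "ff02::1"
ALL_ROUTERS = "ff02::2"
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_multicast(addr: str) -> str:
    """ff02::1:ff00:0/104 with the low 24 bits of the unicast address appended."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


def ethernet_multicast_mac(group: str) -> str:
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = (int(g) & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


def groups_a_host_listens_to(addresses: list[str], is_router: bool = False) -> dict[str, str]:
    """Map each multicast group a host with these unicast addresses must join to
    the Ethernet MAC its NIC filter needs; anything else can be dropped in hardware."""
    groups = {ALL_NODES} | {solicited_node_multicast(a) for a in addresses}
    if is_router:
        groups.add(ALL_ROUTERS)
    return {g: ethernet_multicast_mac(g) for g in sorted(groups)}


def shares_solicited_node_group(a: str, b: str) -> bool:
    """Two addresses with the same low 24 bits (e.g. fe80::2:1 and 2001:db8::2:1)
    collide onto one group, so a host sees the other's solicitations too."""
    return solicited_node_multicast(a) == solicited_node_multicast(b)
```

A sleeping device therefore only wakes for frames to 33:33:00:00:00:01 and to its own solicited-node MACs; an IPv4 broadcast to ff:ff:ff:ff:ff:ff has no such filter.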

DHCP on IPv4 assigns not only the address, but also gives you config info, like router and DNS server.

On IPv6, you can get them from DHCPv6, but you usually get them from a separate Neighbor Discovery protocol (using the link-local addresses): the router periodically sends "Router Advertisements" that tell you the router, the prefix to use for SLAAC, and (via the RDNSS option) the DNS resolvers. Note that these advertisements are unauthenticated, so any host on the link can claim to be your router.
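The Router Advertisement exchange, as an added example not taken from the thread: one side builds the ICMPv6 payload of an RA (type 134) carrying a Prefix Information option, an MTU option and an RDNSS option, the other side parses it back out, and a small check flags any SLAAC prefix the advertisement pushes that isn't on an allow list, which is how you'd spot a rogue or misconfigured router in a capture. The prefixes and resolver address are documentation-range values constructed here; the checksum is left zero because it is computed over the IPv6 pseudo-header by the real sender.

```python
import struct
import ipaddress

ND_ROUTER_ADVERT = 134          # ICMPv6 type
OPT_PREFIX_INFO = 3
OPT_MTU = 5
OPT_RDNSS = 25
RA_HEADER = "!BBHBBHII"         # type, code, checksum, hop limit, flags, router lifetime, reachable, retrans


def build_router_advertisement(prefix: str, dns: list[str], *, managed: bool = False,
                               other: bool = True, hop_limit: int = 64,
                               router_lifetime: int = 1800, mtu: int = 1500) -> bytes:
    """ICMPv6 payload of an RA (RFC 4861 4.2). M flag: use DHCPv6 for addresses,
    O flag: use DHCPv6 for other config. Checksum left 0 (see lead-in)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    header = struct.pack(RA_HEADER, ND_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                         router_lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    # Prefix Information: L (on-link) and A (autonomous: hosts may SLAAC from it),
    # valid 30 days, preferred 7 days, 4 bytes reserved, then the 16-byte prefix.
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    mtu_opt = struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    # RDNSS (RFC 8106): length is in 8-byte units, 1 + 2 per address.
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 3600)
    rdnss += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    return header + pio + mtu_opt + rdnss


def parse_router_advertisement(payload: bytes) -> dict:
    """Decode an RA payload; rejects truncated packets and zero-length options."""
    if len(payload) < 16:
        raise ValueError("truncated RA header")
    typ, code, _csum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack(
        RA_HEADER, payload[:16])
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError(f"not a Router Advertisement (type {typ}, code {code})")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other_config": bool(flags & 0x40), "router_lifetime": lifetime,
          "prefixes": [], "mtu": None, "dns": []}
    off = 16
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:                       # RFC 4861 4.6: MUST discard the packet
            raise ValueError("zero-length ND option")
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("option runs past end of packet")
        body = payload[off + 2:end]
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _res = struct.unpack("!BBIII", body[:14])
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_MTU and olen == 1:
            ra["mtu"] = struct.unpack("!HI", body)[1]
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            for i in range(6, len(body), 16):   # skip reserved(2) + lifetime(4)
                ra["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off = end                               # unknown options are skipped, per RFC 4861
    return ra


def unexpected_prefixes(ra: dict, allowed: list[str]) -> list[str]:
    """SLAAC prefixes this RA pushes that are not on the allow list."""
    ok = [ipaddress.IPv6Network(p) for p in allowed]
    return [p["prefix"] for p in ra["prefixes"]
            if p["autonomous"] and ipaddress.IPv6Network(p["prefix"]) not in ok]
```

The router's own address is not in the payload: it is the link-local source address of the IPv6 packet carrying the RA, which is why the parser reports prefixes and resolvers but not a "gateway" field.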

Thus, standard configuration gets:
- static link-local fe80:: address
- static self-assigned address
- static (somewhat) DHCPv6 address
- new dynamic (temporary) addresses periodically
- local router address
- DNS resolver address

This is the standard configuration. There are deviations from this that'll get you confused, like low-power IPv6 networks (battery devices). I can't help you there.

There is also the weirdness that while a new dynamic address is selected for clients periodically, old ones can't be released until the 'sockets' still using them are closed by the apps. So you might find your computer right now has 100 IPv6 dynamic addresses.

Note: I wrote my own IPv6 stack for 'masscan', so I'm an expert in areas that you would never care about.

On the other hand, I'm as clueless as everyone else trying to fix some weird IPv6 edge case configuring my local network. Like with Ubiquiti.

Sat Aug 14 17:42:17 +0000 2021