IPv6: The future of net addresses explained

Why it'll make things easier but won't solve security issues


Why is there so much fuss about IPv6 at the moment? Why do we need it, and what's it for?

The answers are becoming increasingly important as the pool of IPv4 addresses finally begins to run out.

By this time next year the drought will begin to bite – or so it's reckoned – but will IPv6 solve any of the problems and exploits currently made possible by IPv4?

The promise

Long before the internet as we know it today came into being, the protocols upon which it still relies were first developed. One of these was the Internet Protocol (IP), created to ensure that all data packets reached the correct destination in the right order.

Version 4 of the IP protocol has a pool of 4,294,967,296 addresses. Because of the way that these addresses have to be split between numbering subnets and hosts, that pool is now nearing exhaustion. Estimates vary, but it's generally thought that an IPv4 address drought will begin by summer 2011.

By contrast, the number of globally unique addresses that IPv6 can provide is staggering. The figure is 2128, or 3.4 followed by 38 zeros. This is thought to be enough to give every single human being alive his or her own permanently allocated pool of unique IP addresses.

IPv6 will, it's claimed, fundamentally change our relationship with the internet. More and more devices will be able to take advantage of the net.

There are also mandatory security measures in IPv6 that should keep data in transit hidden from prying eyes, while each packet's header information is simplified for more efficient processing by routers on the internet – thereby providing the internet in general with a much needed performance boost.

The designers of IPv6 have also tried to get away from the frustrations of IPv4's infamous netmasks and network classes. In IPv6, the first 64 bits of the address always contain an ISP designated header and subnet number. The other 64 bits are for the host number, and allow each subnet to hold more devices than the entire existing IPv4 address pool.

What's more, all current Microsoft operating systems and domestic Linux distributions already support IPv6 – it's built directly into the operating system and loads at boot up.

The theory

The most obvious difference between IPv4 and IPv6 is seen when you compare address formats. IPv4 uses four 8-bit sections called 'octets' and a similar netmask to carry details on the size of the subnet, the subnet's number and the host number.

IPV6 1

IPV6: A first look at IPv6 addresses reveals that they're far longer than the old ones, though groups of zeros can be ignored

In contrast, an IPv6 address has 16 16-bit words, each separated by a colon. A hexadecimal number of up to four digits usually represents each of these words, though you can omit any leading zeros. If one or more words contains all zeros, they can be skipped in the address. To represent them, you can simply place two colons together.

However, you can only use this shortening trick once in any one IPv6 address. Instead of a netmask, IPv6 addresses always designate the first 64 bits as the network number and the other 64 bits to the host number, meaning that each subnet can, in theory, be far bigger than the IPv4 internet.

IPV6 3

IPV6: The structure of an IPv6 address. The first 64 bits combined make the subnet number, and the second are the host number

In the subnet part of the IPv6 address, the first 48 bits are a globally unique prefix assigned by your ISP. The other 16 bits are the actual subnet number, which can be assigned by the local network administrator in the same way that you can define the first three octets of a 'Class C' IPv4 address. Combined, these initial 64 bits of the IPv6 address are used for routing purposes.

As in an IPv4 address, if they don't reflect the local network, the local router knows to send them on to your ISP, which knows how to get nearer to the destination subnet. When a machine running an IPv6 network stack boots up, unless the OS has been told to use a local IPv6 DHCP server to obtain a host number (or if it's manually configured), it can initially generate a host number based on its own MAC address.

IPV6 2

IPV6: An overview of testing connectivity using IPv6 with a local loopback, a remote test and connecting to another host

The MAC address is supposed to be globally unique, but just in case, the machine can also check with its neighbours on the local subnet to find out if they have any objection. For the security implications of this system, which could be used as a global unique identifier.

Tunnelling in Network adaptors using IPv6 have more than one IP address. For convenience, they have what's called a 'link-local' address. This is an address that is only valid on the local subnet and always has the prefix 'fe80::' followed by the trailing four words that make up the host number.

If you open a command line in Windows and enter the command ipconfig, you'll see the link-local address. Somewhat confusingly, the local link, from which the name 'link-local' is derived, is simply another name for the local subnet.

So far, so good, but how do IPv6 packets negotiate their way to a remote server? After all, the internet currently runs on IPv4, as does your internet router.

IPV tunneling

IPV6: Operating systems will tunnel IPv6 over IPv4 for your ISP to decode. It will then send the packets on

The solution is to use a technique called 'tunnelling'. Tunnelling in Windows is done by a technology called Teredo. When IPv6 comes on-stream, the other end of this tunnel at your ISP and will unpack these packets and send them on their way. Teredo is already in Windows 7 and Vista and should be enabled by default.

You can check this on the command line with the ipconfig command. There should be an extra adaptor called the Tunnel Adaptor Local Area Connection. This will have a long IPv6 address assigned to it. There should also be a per cent sign and a number indicating the internal adaptor number after the address.

Testing IPv6

You can test that Windows has IPv6 running by performing a series of loopback tests.

Under IPv4, you'd start by using the command ping on the command line. This causes the network card to intercept the outgoing packets and send them back.

IPV6 test

IPV6: Network adaptors under Windows Vista and 7 now have an IPv6 address as well as one for IPv4

Under IPv6, the ping command to perform a local loopback becomes ping ::1. You can use the double colon trick, because in IPv6 all but the final word in the local loopback address is set to zero. The output of the ping command should be the same as usual – four replies from four sent packets.

The next step is to make the network card pass the packets generated by the ping command to the local subnet. Once 'on the wire', these are read back, because the IP address matches that being used by the network adaptor.

To perform this 'remote loopback' in IPv6, you use the link-local address, which you can find using the ipconfig command. It's attached to the local area network connection and will begin with 'fe80::'. There's no need to include the trailing '%11'. An example command would be ping fe80::e581:fd9a:795f:d560.

The next step is to test that you can ping other hosts on your local network using IPv6. Using ipconfig on the destination machine, find the link-local address of the local area network adaptor. Ping this and you should receive the usual stream of four replies from the machine.

At this point, you would normally ping a remote site on the internet to prove the route out of your local network. However, this relies on your ISP having an IPv4 to IPv6 gateway in place that can unpack IPv6 packets tunnelled over IPv4 using Teredo, and most UK ISP's currently don't.

You can test this by issuing the following ping command: ping –6 ipv6.google.com. The '-6' argument tells ping to use DNS to convert the domain name ipv6.google.com to an IPv6 address. If your ISP isn't set up to accept IPv6 traffic tunnelled over Teredo, this will fail. However, as we're still about 18 months from needing to use IPv6 as a matter of course, this is a command you can use every now and then to see if your ISP has caught up with the future.

IPv6 and security

Security was a cornerstone of IPv6's design. One of the first jobs a hacker has is to identify running hosts on a subnet, but the sheer size of each subnet complicates this task. This is because, rather than simply pinging each possible host at once and causing a traffic storm that will alert any intrusion detection mechanisms to their presence, hackers will ping an initial address, wait a while, ping another random address, wait a while, and so on.

However, it's impossible to check every possible IPv6 address within a reasonable time. Scanning addresses for hosts at a rate of one million per second results in a scan time of about 500,000 years.

While viruses and worms that propagate through email and other infected executables will remain the same under IPv6, this problem of scanning the local subnet for new hosts to infect will hamper the ability of internet based worms to propagate.

IPv4 can already protect its packets using IPSec, which is a way to encrypt and authenticate each one. IPSec is very rarely used in IPv4, however. IPv6 implements it as standard, meaning that traffic (including passwords, card details and the rest) should be safe from sneaky eavesdroppers.

IPv4 uses a special address called a broadcast address. This is a host number from which all other hosts on a subnet accept traffic. Each received packet results in an acknowledgement being sent back. By spoofing the source address, a hacker can run a 'broadcast amplification' denial-of-service attack where the acknowledgements bombard his target.

However, IPv6 doesn't use broadcast addresses, meaning that this simple form of attack should become a thing of the past.

Despite these measures, there's a worry among network security professionals that a lack of understanding of IPv6 and the assumption that the new protocol is secure will lead to new kinds of attacks.

So, despite all the improvements, the fight to keep the internet secure won't go away once IPv6 is in use. It will make the task easier, though, and that's something to be welcomed.

Article continues below