[conspire] IPv6 ... some bits :-)
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Tue Mar 2 07:44:15 PST 2021
Yes, some bits about IPv6.
This is absolutely by no means a full introduction to IPv6 - or even
anything close to that.
But I thought I'd point out at least a few bits about IPv6 ...
interesting, useful ... and/or maybe surprising and "gotcha"s -
especially if one heavily thinks ye old IPv4 way when dealing with or
encountering IPv6.
Lots and lots of IP addresses.
So, IPv4 "vs." IPv6. Let's look at total addresses, ignoring reserved,
etc.
So, IPv4 ... ye olde dotted quad - 4 decimal integers each in range
0-255
separated by . - that's 8 bits each x 4, for a total of 32 bits.
2^32=4,294,967,296 ~= 4.3x10^9 - not even nearly enough for one IP
address per person on the planet. So much for dream of open democratic
communication where anyone and everyone can be consumer and
producer (server) of information, each person at least able to have
one IP for themselves to, e.g., run whatever servers they want on
standard ports, etc. Not to mention we've already run well past
the point of IPv4 address exhaustion. So, there's rather a
premium (read cost) to getting and holding an IPv4 address -
especially if one came a bit later to the party. So not even
really a guarantee anymore that one can necessarily get the
IPv4 addresses one wants, or may even need, or so much as even
a guarantee of one per person. Thus lots of schemes/mechanisms
for stretching the useful lifetime of IPv4 (and with lots of
issues along with that too), and, the longer term solution - IPv6!
IPv6, uses a type of hex notation (with some possible shorthand),
8 sets of 4 hex digits per set, each set separated by : -
that's 4x4=16 bits per set x 8 sets
so that's (4x4)x8=128 bits.
2^128=340,282,366,920,938,463,463,374,607,431,768,211,456 ~= 3.4x10^38
That's around 340 undecillion (long scale) IPv6 addresses.
How many grains of sand on Earth?
About 7.5x10^18 or seven quintillion, five hundred quadrillion grains
7,500,000,000,000,000,000
So ...
Though IPv6 has "only" 4 times as many bits as IPv4 ... it's exponential:
the IPv6 address count is essentially the IPv4 address count raised to the power of 4:
(2^32)^4=2^128
Think of it this way.
Think of all the IPv4 addresses.
Think if each one of those had/contained as many IPv4 addresses as all
of the IPv4 addresses. That would be quite a large number, right?
That's only squared. Do that 2 more levels to get to the 4th power,
and you'll quickly see - IPv6 - that's a whole lot of IP addresses.
(2^128)/(7.5x10^18) ~= 45,370,982,256,125,128,426
So, not only are there more than enough IPv6 IP addresses for every
grain of sand on Earth,
there's enough to give each grain of sand on Earth about
45,370,982,256,125,128,426 unique IPv6 addresses each.
That number alone is far larger than the total number of grains of sand
on Earth, so, if every grain of sand on Earth had as many unique IPv6
addresses to it as there are grains of sand on Earth ... that still
wouldn't use up all the IPv6 addresses ... but we'd be getting within a
decimal order of magnitude:
(7.5x10^18)^2 ~= 5.6x10^37 vs. 3.4x10^38 ~= 2^128
Or, yet another way to think of IPv4 vs. IPv6 address space.
IPv4, 32 bits, IPv6 128. A difference of 96 bits.
Each additional bit doubles the IP space. So, yes, lots more
addresses with IPv6.
And, the ratio of IPv6 addresses to IPv4 addresses,
compared to the ratio of all IPv4 addresses to a single IPv4
address - the first ratio beats the second by a power of 3,
i.e. the first ratio is the cube of the second.
So ... what to do with all those IPv6 addresses?
Lots of people ... Internet of Things (IoT) ... nanoscale, ...
might need a lot of them. Want to configure them all
manually, or on a DHCPv6 server configured for so many of them or the
like? Surely you jest.
Defaults matter. I mean sure, one can manually configure,
but with up to 2^128 IPs, not gonna be doing that for most, and in
general don't want to do that by default.
So, IPv6 has protocols to essentially do automatic configuration,
and they're generally enabled by default.
And, since the IPv6 space is so huge, we can be a bit lazy(/efficient)
about how that's done.
Want an IPv6 address on the local subnet/vLAN that works, so it can
talk to other stuff there without conflict? Automatically do
an IPv6 address that's based upon the Ethernet MAC address - done.
Fast, easy, no conflicts (well, unless the MAC address is duplicated,
but that should never happen - even then there may be workarounds,
perhaps even automagic).
That also extends further to routers ... automatic configuration,
at least by default, for network devices from router(s). Now the
device automagically knows its network(s), corresponding mask(s),
IPv6 IP addresses, and relevant routing for beyond the subnet.
Kind'a cool, huh? And no need for separate servers(/forwarders)
such as DHCP6, etc. - though one can also use DHCPv6, e.g.
notably if one wants to further supplement that information
(IPv6 autoconfiguration covers a fair bit, but DHCP, and
likewise DHCPv6, can cover a whole lot well beyond that).
IPv6 addresses, routing information ... automatic, at least by
default, and baked into IPv6 - mostly pretty cool, huh?
All those IPv6 addresses ...
Oh my gosh, that's so huge, even the smallest local IPv6
subnet is generally a /64 - so that's 64 bits for network,
leaving 64 bits for the local host/device portion. Even just
that alone is the square of the total IPv4 address space,
and that's just your typical smallest IPv6 subnet.
So, what are all the IP addresses of all the devices on our
current local IPv6 subnet? Well, IPv4, if you weren't sure,
you could ping sweep all possible addresses, and look for the
ARP responses. Well, IPv6, generally 2^64 IP addresses to start with
for smallest subnet ... you're not going to ping sweep all those.
Well ... we have some non-routable local, and also some shorter
notation, and some special non-conflicting reserved well known multicast
IPv6 addresses - again baked into the IPv6 standards:
ff02::1 All nodes on the local network segment
ff02::2 All routers on the local network segment
So, we can, e.g. ping these IPs, locally, and all the relevant
devices are required to respond - the first of those shown above
would be all devices, and the second, all routers.
E.g.:
$ ping -n -c 3 ff02::1 | awk '{if($3=="from")print $4;}' | sort -u
fe80::3817:e1ff:fee6:2375%ens3:
fe80::46d:92dc:53c9:aee1%ens3:
fe80::5054:ff:fe13:5199%ens3:
fe80::d267:e5ff:fe57:9d9d%ens3:
$
That would be all the live devices. The %ens3 shows us the
domain/interface. On the host I did that on, it defaulted to
that (virtual) physical interface, but I could've specified
a different one, e.g.:
$ ping -n -c 3 ff02::1%he-ipv6 | awk '{if($3=="from")print $4;}' | sort - -u
fe80::4834:684a%he-ipv6:
fe80::6056:aae5%he-ipv6:
$
So ... can be potentially quite a bit easier to figure out what's on the
network.
NAT/SNAT? On IPv6?
"Don't" ... well, mostly.
With 2^128 IPv6 IPs, no need for NAT/SNAT, so it's mostly,
"Uhm, yeah, ... don't do that." But doesn't mean it can't be done.
E.g. sometimes for load balancing or the like, it might be done
for a large number of back-end servers to service a single IPv6 IP,
but there are also often other ways of doing that too.
Network troubleshooting end-to-end, multiple layers of NAT/SNAT along
the way on your IPv4? Mostly kiss that bye bye with IPv6 - now
generally much easier to troubleshoot end-to-end with (most) all
NAT/SNAT no longer complicating things along the way.
Uhm, ... IPv6 IP based upon Ethernet MAC address, oh my gosh, doesn't
that then "leak" that "private" information? Sort'a, and yes, by
default. There's also a super-easy (but non-default) privacy option
to change that.
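An added example (my own code, not from the post) of the two points above: how the MAC-based (EUI-64) link-local address is built, and how the MAC can be read straight back out of any address that carries the ff:fe marker - which is exactly the "leak" and is a handy audit of which hosts on a segment aren't using privacy addresses. The ping output is constructed from the addresses shown earlier in the post; the function names and the helper that scans the output are my assumptions.

```python
import re
import ipaddress

# Constructed sample of what `ping -n -c 3 ff02::1` prints on Linux; the
# addresses are the ones from the post, the timings are made up.
SAMPLE_PING_OUTPUT = """\
PING ff02::1(ff02::1) 56 data bytes
64 bytes from fe80::5054:ff:fe13:5199%ens3: icmp_seq=1 ttl=64 time=0.051 ms
64 bytes from fe80::3817:e1ff:fee6:2375%ens3: icmp_seq=1 ttl=64 time=0.402 ms (DUP!)
64 bytes from fe80::46d:92dc:53c9:aee1%ens3: icmp_seq=1 ttl=64 time=0.411 ms (DUP!)
64 bytes from fe80::d267:e5ff:fe57:9d9d%ens3: icmp_seq=1 ttl=64 time=0.520 ms (DUP!)
64 bytes from fe80::5054:ff:fe13:5199%ens3: icmp_seq=2 ttl=64 time=0.049 ms
"""

def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Build the SLAAC link-local address for a 48-bit MAC (RFC 4291, App. A)."""
    octets = bytes.fromhex(mac.replace(':', '').replace('-', ''))
    if len(octets) != 6:
        raise ValueError('expected a 48-bit MAC address')
    # Insert ff:fe in the middle and flip the universal/local bit (0x02) of octet 0.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b'\xff\xfe' + octets[3:]
    return ipaddress.IPv6Address(b'\xfe\x80' + b'\x00' * 6 + iid)

def mac_from_eui64(addr: str):
    """Return the MAC embedded in an EUI-64 derived address, or None when the
    interface identifier is not MAC-derived (e.g. an RFC 4941 privacy address)."""
    iid = ipaddress.IPv6Address(addr.split('%')[0]).packed[8:]
    if iid[3:5] != b'\xff\xfe':
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ':'.join(f'{b:02x}' for b in octets)

def responders(ping_output: str) -> dict:
    """Map each unique responding address (with its %scope) to the MAC it leaks, or None."""
    found = {}
    for line in ping_output.splitlines():
        m = re.search(r'from (\S+): ', line)
        if m:
            found.setdefault(m.group(1), mac_from_eui64(m.group(1)))
    return found

if __name__ == '__main__':
    for addr, mac in responders(SAMPLE_PING_OUTPUT).items():
        print(f'{addr:36} {mac or "(no MAC embedded: privacy/random IID)"}')
```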
What about firewalling, and I don't want that (whatever) traffic and
want to drop/filter/disable it. Uhm, rather like IPv4,
don't do that without well understanding what one is doing/disabling,
and what is in fact mandated/required per the RFCs and such.
If you drop "the wrong stuff", you seriously screw up your network,
so don't do that. And quite the same can also be said of IPv4, e.g. with
Path MTU. So, thinking something like "ICMP 'bad', must drop all ICMP",
that's both short sighted, and also wrong. Do that and you break
stuff - same also quite applies to IPv6 and ICMP6.
So, ... IPv6 ... whole helluva lot of IP addresses - no shortage
at all. Also allows for very lazy/efficient use/allocation,
and it being so huge, makes some things very easy that were
never feasible with IPv4. With IPv6, one can mostly kiss
all those NAT/SNAT headaches bye bye. Oh my gosh, merging
two large major corporations. They're using RFC-1918 IPv4 space,
and it conflicts/overlaps between the two. My gosh, what a huge
mess to sort out to integrate those networks! Ugh! With IPv6, that's
essentially a non-issue.
The time for IPv6 is ... now? No, several years ago already!
If one looks at stats on IPv6 usage/adoption, it's no longer
a "nice to have", it's (almost) a "must have" these days.
Still doing IPv4 only sites/servers on The Internet?
Many clients won't be able to reach you nearly as well as
they can with IPv6, and some may not be able to reach you
at all. Oh, and yes, generally better for security too.
Huh, with all those IPs? Well, why yes.
Oh my gosh, what IP accessed your site and did ... whatever.
IPv4? Oh, that's the IPv4 gateway of some humongous
company/institution/country's firewall/proxy - good luck
isolating that to responsible party/person - you'll need the
timestamp and ports information from both sides, and hopefully
the other side logged that and retains it long enough and cooperates
for it to be useful. Good luck on that.
IPv6 will generally much better isolate to the responsible client IP
address(es) and the responsible party (or at least the abused victim
or proxy along the way), whereas IPv4, your trail may end at some
huge legitimate proxy/NAT/SNAT and the answer (if you get a response)
may be "sorry, our volume is way too huge for that - we don't
log it" or ... "we only retain those logs for 4 hours".
That also means if there's a problematic IP address or block/range,
likely filtering on such is more likely to work and not block
innocent non-offenders with IPv6, whereas IPv4 uhm, you may
end up inadvertently blocking a whole lot of legitimate users
at the same time ... e.g. blocked that IP? You just locked out
an employer with 150,000 employees, or an entire college campus of
30,000 students, faculty and staff, or a whole country of more than
a million - or even billion - people.
"Static" IPs? On IPv6? Why yes! ... uhm, well, sort'a kind'a.
So, given the IPv4 shortage and tight allocations, it's hard to get
static IPv4 IPs (somewhat pricey, if available at all, and quantity
of course limited). Not an issue for IPv6. And, you get the IPs
and they're "yours" forever (unless you transfer 'em or whatever),
right? But won't that eventually lead to a routing mess like IPv4
sort'a is, and growth may not be all that predictable, and the routing
space will end up quite fractured and quite a burden for Internet
routers to process? Well, IPv6 has provisions for that.
Allocations aren't necessarily "forever". They can actually be
pulled back, reassigned, swapped out - whatever. Why? Well, so
IPv6 will never get stuck in the nasty routing mess that IPv4 is.
Those IPs can be pulled back and reassigned, if/as/when needed,
to straighten out (or prevent) such mess. Now, not the kind of
thing that would happen every day (or even every year or so),
but can in fact happen, and is reserved as a capability to do so.
So ... you thought those leading bits of your IPv6 IP addresses would
never change? Think again. You should be able to re-IP all those IPv6
addresses. Oh, the lower bits - you get to keep those the same - not
an issue, but the higher network bits - those may need to get changed
on you. So, that's another reason to use the appropriate tooling
and capabilities that IPv6 readily supplies. So that one can in
fact change all those IPv6 IPs without too much trouble at all.
You did set up your networks that way, ... right?
And, presumably if/when that would be done, one would have a bridge
period, where one had both sets of IPs - so one could
smoothly transition from one set to the other (in some ways
not unlike current IPv4, except IPv6 is much better designed,
and has relevant tools, etc., to well manage changing the
network bits while still keeping the same "host" bits of the
address, across all of your IPv6 addresses).
Think IP addresses never change?
https://frontier.com/resources/change-my-ip
Think again. At least with IPv6 one well knows (or should)
of that possibility, and also with IPv6, it's much better
designed/engineered/tooled, to make such changes much less
painful ... at least if one bothers to set it up properly.
Will IPv4 go away? Do I keep having to deal with both IPv4 and IPv6
stacks? Well, IPv6 to the rescue! The IPv6 address space is so
huge, it's trivial to fit all of IPv4 within - and there's in fact
an addressing that does that. So, in environments that are dual
stack, or IPv6 "only", there's an IPv6 way of addressing IPv4 IPs.
So, that also means quite a bit of simplification. Don't
have to, e.g. in programs, for the most part, deal with two different
stacks, two different formats for IPs, etc. To a large extent one can treat
'em all essentially as IPv6!
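An added example (my own code, not from the post) of the IPv4-within-IPv6 addressing just described, tied back to the earlier point about blocking problematic addresses: the IPv4-mapped form ::ffff:a.b.c.d (RFC 4291) is how a program on a dual-stack socket sees IPv4 peers and lets it treat everything as IPv6, but a blocklist written as IPv4 networks only matches if the mapped form is unwrapped first. The function names and the blocklist (documentation ranges) are my own constructions.

```python
import ipaddress

V4MAPPED = ipaddress.ip_network('::ffff:0:0/96')   # RFC 4291 IPv4-mapped range

def as_ipv6(addr: str) -> ipaddress.IPv6Address:
    """Treat every address as IPv6: an IPv4 address becomes ::ffff:a.b.c.d,
    which is also how an IPv4 peer appears on a dual-stack AF_INET6 socket."""
    ip = ipaddress.ip_address(addr.split('%')[0])
    if ip.version == 4:
        return ipaddress.IPv6Address(int(V4MAPPED.network_address) | int(ip))
    return ip

def unwrap(ip: ipaddress.IPv6Address):
    """Undo the mapping so rules written for IPv4 still apply to mapped peers."""
    return ip.ipv4_mapped if ip.ipv4_mapped is not None else ip

# Constructed blocklist: one IPv4 block and one IPv6 prefix, illustration only.
BLOCKED = [ipaddress.ip_network('203.0.113.0/24'),
           ipaddress.ip_network('2001:db8:bad::/48')]

def is_blocked(addr: str) -> bool:
    """Correct check: normalise, then unwrap, then compare within the same family."""
    ip = unwrap(as_ipv6(addr))
    return any(ip in net for net in BLOCKED if net.version == ip.version)

def naive_is_blocked(addr: str) -> bool:
    """The gotcha: comparing the still-mapped form against IPv4 networks never matches,
    so an IPv4 peer arriving over the dual-stack socket slips past the IPv4 block."""
    ip = as_ipv6(addr)
    return any(ip in net for net in BLOCKED if net.version == ip.version)

if __name__ == '__main__':
    for peer in ('203.0.113.5', '::ffff:203.0.113.5', '2001:db8:bad::1', '198.51.100.7'):
        print(f'{peer:22} mapped={as_ipv6(peer)!s:22} '
              f'blocked={is_blocked(peer)} naive={naive_is_blocked(peer)}')
```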
And, will IPv4 go away from The Internet? Probably yes and no.
There's so much IPv4 stuff and legacy IPv4, it will probably "never"
go away entirely. But eventually it'll probably get phased off of
The Internet ... probably not soon, but, eventually the overhead
of keeping it won't be worth it, and it'll likely get squeezed
out - but I'd expect that won't happen for some many years
yet, but ... eventually. And anything that still needs to talk
IPv4 ... well, that can always continue locally in non-routable
space, and any IPv4 stuff that still needs Internet access years
from now when IPv4 is no longer routed on The Internet - should be
a relatively simple matter of doing some network mapping between
IPv6 and IPv4, perhaps along with some NAT/SNAT bits (especially
on the IPv4 side), and, such devices would still probably be
usable on The Internet for some fair while to come. But
eventually, "some day", there won't be any more IPv4(ish) stuff
out there to talk to. And any "remaining" IPv4 on/across
The Internet, will probably eventually shrink down to IPv4
tunneled within IPv6 - relegated to talk to what remains of
such space on The Internet (ye old vintage legacy view of
The Internet from relatively early in the millennium). But again,
that's likely a significant number of years out into the future ...
but ... eventually.
Yummy training - want quite a bit more?
Hurricane Electric (https://he.net/)
has a lot of very good IPv6 training information ... well complete
the training and one can also get (I presume they're still doing this):
o a cool IPv6 t-shirt
o certain additional privileges on their free IPv6 tunneling (notably
ability to connect out to the default SMTP and IRC ports)
For more on that, start here:
https://ipv6.he.net/certification/
Oh, you can even show your certification too, e.g.:
https://ipv6.he.net/certification/create_badge.php?pass_name=MichaelPaoli&badge=2
https://ipv6.he.net/certification/create_badge.php?pass_name=MichaelPaoli&badge=3
Some teensy cautionary bits regarding their training/certification:
o Some of the stuff is a wee bit dated - not a biggie, but tends to be
more noticeable in some areas, e.g.:
o the state of IPv4 exhaustion and IPv6 adoption/deployment
o a lot of IPv6 specific commands - e.g. ping6 - in many cases now
those are superseded by relevant options - typically -6 (and -4)
o if one is planning to do the full exercises, one would be well
advised to pick suitable domain - one that one can fully control,
has static IPs, can do sending/receiving email servers, DNS servers,
can delegate the DNS, etc. Most notably as, at least I saw earlier in
their software, once one has selected domain, one can't (at least on a
given account) go back later and change that domain selection. So, to
be able to complete all the required tests (which are programmatically
checked and verified), should start with a suitable domain.
Anyway, still an excellent training/certification program - and free!
Big finite numbers? Perhaps start around here:
How many particles in the (observable) Universe? (hint - we don't
have enough IPv6 addresses for all of them, but square the IPv6 address
space, and we'd be getting relatively close), Googol, Googolplex,
Skewes' numbers, Graham's number, TREE, Busy Beaver, Rayo's Number
https://www.youtube.com/playlist?list=PLt5AfwLFPxWJ_FwchNAjB3xa8UnoKdmQI
or maybe jump straight to the top:
The Daddy of Big Numbers (Rayo's Number) - Numberphile
https://www.youtube.com/watch?v=X3l0fPHZja8