New Blog Post: IPv6 in Practice
As IPv4 exhaustion becomes more real and many providers move toward IPv6-first environments, it's important for DevOps folks, sysadmins, and even self-hosters to understand how IPv6 works - and how it's different from what we've used for decades.
In my latest post, I walk through:
- What IPv6 is and why it matters
- Real-world security considerations vs IPv4
- IPv6 address types, and tools
- A comparison table to clear up confusion
This post is part of my technical blog series where I document what I learn hands-on, one topic at a time.
Introduction
The internet is running out of space - literally. IPv4, the addressing system we've relied on for decades, has been exhausted. While solutions like NAT helped delay the inevitable, the need for a larger, more efficient addressing system led to the development of IPv6.
I've recently been digging into IPv6 in some of my VPS and homelab setups, and this post reflects what I've learned along the way - from what it is, how it's used, to where it stands today.
What is IPv6
IPv6 (Internet Protocol version 6) is the successor to IPv4. It uses 128-bit addresses, allowing for a virtually unlimited number of unique IPs - about 340 undecillion to be precise.
Key differences:
- IPv6 uses hexadecimal, not dotted decimal
- IPv6 addresses are 128 bits vs IPv4's 32 bits
- IPv6 supports built-in autoconfiguration (SLAAC)
- IPsec is part of the IPv6 spec
- Broadcast is replaced by multicast and anycast
Example IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
This can be shortened to: 2001:db8:85a3::8a2e:370:7334
The Adoption of IPv6
Despite being introduced in the late 1990s, IPv6 adoption has been slow. Many networks still run primarily on IPv4 with IPv6 as a secondary stack.
Reasons for slow adoption:
- Existing infrastructure relies heavily on IPv4
- Dual-stack environments increase complexity
- Tools and applications weren't always IPv6-ready
- Many admins are still more comfortable with IPv4
I first came across IPv6 back in 2010 while downloading torrent files - I noticed some remote peers were already using IPv6 addresses. Around the same time, the CCNA curriculum briefly covered IPv6, giving me just a basic introduction to the concept.
IPv6 Address Types Explained
IPv6 introduces more explicit address types, each with a specific purpose:
Unicast - one-to-one communication
- Global Unicast: Routable on the internet
  - Equivalent to public IPv4 addresses
  - Begin with 2000::/3 prefix
  - Globally routable and reachable on the IPv6 Internet
- Link-local:
  - Begin with fe80::/10 prefix
  - Automatically configured on all IPv6 interfaces
  - Used for communication within the same network segment
  - Not routable beyond the local network
Multicast - one-to-many communication
- Begin with ff00::/8 prefix
- Used to send traffic to multiple destinations simultaneously
- Replace broadcast functionality from IPv4
Anycast - one-to-nearest communication
- Same address assigned to multiple devices; traffic goes to the closest one (used by DNS root servers)
Special Addresses
- ::1/128 - Loopback address (equivalent to 127.0.0.1 in IPv4)
- ::/128 - Unspecified address
- ::ffff:0:0/96 - IPv4-mapped IPv6 addresses
IPv6 Security Considerations
Let's talk about the elephant in the room - is IPv6 secure?
Security improvements over IPv4:
- IPsec support: While optional in IPv4, it's required in the IPv6 spec
- End-to-end encryption potential: Less NAT, more transparent connections
- Autoconfiguration with authentication: Via DHCPv6 or secure SLAAC
Security challenges:
- Privacy risks with static identifiers: SLAAC may use MAC addresses in IPs
- Tracking concerns: Without privacy extensions, your device's address may stay predictable
- Firewalls matter more: Since NAT isn't present, every device could be globally reachable
- Dual-stack risks: IPv6 might bypass IPv4-based firewall rules
Security tip:
Use temporary IPv6 addresses and always configure a host-level firewall (nftables, ip6tables) for inbound rules.
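The dual-stack risk listed above can be checked by comparing the IPv4 and IPv6 rulesets side by side. This is an added example, not code from the original post: the rule dumps are constructed samples in iptables-save / ip6tables-save format, the function names are hypothetical, and the check is limited to the filter table's INPUT policy and single-port TCP accepts.

```python
import re

# Constructed rule dumps (iptables-save / ip6tables-save format), not from a real host.
V4_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
V6_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

def summarize(dump):
    """Return (INPUT policy, TCP ports explicitly accepted) for the filter table."""
    policy, ports, table = None, set(), None
    for line in dump.splitlines():
        if line.startswith("*"):          # "*filter", "*nat", ... starts a table
            table = line[1:]
        if table != "filter":
            continue
        m = re.match(r":INPUT (\S+)", line)
        if m:
            policy = m.group(1)
        m = re.match(r"-A INPUT\b.*-p tcp\b.*--dport (\d+)\b.*-j ACCEPT\b", line)
        if m:
            ports.add(int(m.group(1)))
    return policy, ports

def dual_stack_gaps(v4_dump, v6_dump):
    """List the ways the IPv6 ruleset is more permissive than the IPv4 one."""
    p4, ports4 = summarize(v4_dump)
    p6, ports6 = summarize(v6_dump)
    gaps = []
    if p4 == "DROP" and p6 != "DROP":
        gaps.append(f"IPv6 INPUT policy is {p6} while IPv4 is DROP")
    for port in sorted(ports6 - ports4):
        gaps.append(f"tcp/{port} accepted over IPv6 only")
    return gaps

if __name__ == "__main__":
    print("\n".join(dual_stack_gaps(V4_RULES, V6_RULES)) or "no gaps found")
```

On a real host the two inputs would come from iptables-save and ip6tables-save; an empty result only means these two specific checks passed.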
IPv4 vs IPv6 - Comparison Table
Feature/Aspect | IPv4 | IPv6 |
---|---|---|
Address Size | 32-bit | 128-bit |
Address Count | ~4.3 billion | ~340 undecillion |
Address Format | Decimal (e.g. 192.168.1.1) | Hexadecimal (e.g. 2001:db8::1) |
NAT Required | Yes | No |
Broadcast | Supported | Not supported |
Built-in IPsec | Optional | Required in spec |
Fragmentation | Routers or host | Host only |
Autoconfiguration | Limited (DHCP) | SLAAC + DHCPv6 |
Security by Obscurity | NAT adds some | Needs proper firewalling |
How to acquire IPv6?
Residential / Home Internet Subscriber
How to Get IPv6:
- Your ISP must support IPv6 and enable it for your line.
- If your ISP supports IPv6, your router will usually receive an IPv6 prefix automatically via DHCPv6 or SLAAC.
- Most modern home routers (like Asus, TP-Link, etc.) have IPv6 enabled by default, or have a toggle in their web UI.
Do I need to configure it myself?
- Usually, no configuration is needed, but:
  - You might need to enable "IPv6" in the router settings.
  - For some ISPs, you may need to switch the IPv6 mode (e.g., Native, 6rd, or Passthrough).
What You Get:
- A /64 or /56 IPv6 prefix assigned to your network.
- Each device on your LAN gets a public IPv6 address.
VPS Hosting Provider Perspective
How to Get IPv6:
- Most VPS providers (like Hetzner, Linode, DigitalOcean) assign:
  - A single IPv6 address (/128) or
  - A small IPv6 subnet (e.g., /64 or /80) to your VPS.
- Some VPSs need you to enable IPv6 during VM creation or configure it manually in /etc/network/interfaces or netplan.
Do I need to configure it myself?
- Often yes - you'll configure:
  - IPv6 address
  - Gateway (often link-local)
  - Possibly DNS (like 2606:4700:4700::1111 for Cloudflare)
What You Get:
- A public, globally routable IPv6 address.
- Native IPv6 connectivity - usually with full inbound and outbound access.
Corporate Business Hosting Their Apps (On-Prem or Colocation)
How to Get IPv6:
- Requires coordination with their ISP or upstream provider.
- They'll be assigned an IPv6 prefix (e.g., /48 or /56), routed to their BGP edge routers.
Do They Configure It?
- Yes, network engineers will:
  - Assign IPv6 subnets internally
  - Update DNS (AAAA records)
  - Configure firewalls and access controls
  - Ensure IPv6 support in their reverse proxies, load balancers, etc.
What They Get:
- Full IPv6 block(s) to design internal network layout.
- More freedom for subnetting and routing.
- Often dual-stack setup with both IPv4 and IPv6.
Cloud Service Providers (e.g., AWS, Azure, GCP)
How to Get IPv6:
- Must opt-in or configure it in the virtual network settings (VPC/VNet).
- Not all services support IPv6 by default.
Examples:
- AWS: Assign IPv6 CIDRs to VPC and subnets, then enable per EC2 instance.
- Azure: Dual-stack is supported but limited to certain resources.
- GCP: Supports global unicast IPv6; requires setup in firewall and routing.
Do They Configure It?
- Users or cloud architects do - manually or via IaC (Terraform, CloudFormation).
What They Get:
- Huge address space (e.g., /56 or /64 per subnet).
- Granular IPv6-based firewall and routing options.
- Ability to go IPv6-only or dual-stack.
FAQ about IPv6
Can You Ping Another Device in the LAN Using a Link-Local Address?
Yes, you can ping another device using its link-local address, but you must specify the interface (a.k.a. zone or scope), because link-local addresses are not unique globally - they're only unique per link.
For example: ping6 fe80::1a2b:3c4d:5e6f:7a8b%eth0
The %eth0 part tells your OS which network interface to use (Linux-style). On Windows, it might look like %12 instead.
Can You Use Link-Local to Access Services (like SSH)?
Not really. Link-local is good for discovery and local neighbor communication, but you wouldn't use it for regular client-server access like web or SSH. That's what global unicast addresses are for (2000::/3 range).
How does IPv6 handle broadcasts?
IPv6 eliminates broadcast addresses. Instead, it uses multicast addresses for one-to-many communication, making the protocol more efficient. For example, ff02::1 represents all nodes on the local network.
What is Stateless Address Autoconfiguration (SLAAC)?
SLAAC is a method where devices automatically configure IPv6 addresses without a DHCP server. The device creates an address by combining the network prefix (received from router advertisements) with an interface identifier (often based on the MAC address or randomly generated).
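To see what a MAC-based interface identifier looks like on a host, and how it ties in with the address types and the temporary-address tip from the security section, here is an added example (not from the original post). It parses constructed output in the format of ip -6 -o addr show, classifies each address by the prefixes listed earlier, and flags global addresses that embed the MAC and are not temporary; all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the format of `ip -6 -o addr show` (not from a real host).
SAMPLE = r"""
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:1:2:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr \       valid_lft 86399sec preferred_lft 14399sec
2: eth0    inet6 2001:db8:1:2:9c1e:44d2:7a0b:31f5/64 scope global temporary dynamic \       valid_lft 86399sec preferred_lft 14399sec
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever
"""

# Prefixes as listed in the article, most specific first.
TYPES = [
    ("loopback", "::1/128"), ("unspecified", "::/128"),
    ("ipv4-mapped", "::ffff:0:0/96"), ("link-local", "fe80::/10"),
    ("multicast", "ff00::/8"), ("global-unicast", "2000::/3"),
]
LINE = re.compile(r"^\d+:\s+(\S+)\s+inet6\s+(\S+)/\d+\s+scope\s+\S+(.*)$")

def classify(addr):
    for name, prefix in TYPES:
        if addr in ipaddress.ip_network(prefix):
            return name
    return "other"

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = addr.packed[8:]              # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":        # EUI-64 inserts ff:fe in the middle (heuristic)
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the flipped U/L bit
    return ":".join(f"{b:02x}" for b in mac)

def audit(text):
    """Return (interface, address, type, embedded MAC, privacy_risk) per address."""
    findings = []
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ifname, raw, flags = m.groups()
        addr = ipaddress.IPv6Address(raw)
        kind, mac = classify(addr), eui64_mac(addr)
        # Risk: globally routable, MAC-derived, and not an RFC 8981 temporary address.
        risky = (kind == "global-unicast" and mac is not None
                 and "temporary" not in flags.split())
        findings.append((ifname, addr.compressed, kind, mac, risky))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The link-local address embeds the same MAC but is not flagged, since it is not routable beyond the local network.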
Does IPv6 offer better security than IPv4?
IPv6 was designed with built-in security capabilities through mandatory IPsec support, though this is no longer required in practice. The vast address space eliminates the need for NAT, allowing for true end-to-end connectivity which can simplify security models but also requires proper firewall configuration.
Final Thoughts
IPv6 isn't just a theoretical upgrade - it's already being used by many providers, especially in Europe and Asia. If you're a DevOps engineer, network admin, or curious self-hoster, now's the time to get hands-on with it.
For me, IPv6 went from an intimidating wall of colons to something I now use comfortably when setting up servers, reverse proxies, and DNS.
Reading Further
Here are some useful resources to dive deeper:
- RFC 4291 - IPv6 Addressing Architecture
- https://ipv6-test.com
- Tools: ip, nmap -6, tcpdump, curl -6, dig AAAA
- APNIC Blog on IPv6