IPv6 Addressing for Enterprises

About to embark on deploying IPv6? First, you need to know some key differences in IPv6 address formats.

Don’t be deterred by the intimidating appearance of those long IP version 6 (IPv6) addresses. Instead, think back to that steep learning curve you conquered with IPv4 setup – all those complicated subnetting rules and awkward /27s and /29s. After a few hours it all made sense, and it will be the same with IPv6 – except this time you’ll discover that IPv6 can actually be simpler than IPv4 and, as a result, easier to configure and maintain.

[ Learn more from our IPv6 Deployment Guide. ]

IPv6 Address Format

Let’s start with the way that IPv6 addresses are written.  Whereby IPv4 addresses are 32-bit numbers represented in quad-dotted-decimal notation, IPv6 addresses are much longer and have their own unique format.  With IPv6 addresses being 128 bits in length, this allows for 2¹²⁸ addresses or 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses (3.4X10³⁸ or approximately 340 undecillion).  Therefore, we need an easy way to write them down.

IPv6 addresses follow a specific architecture and use the above-described textual representation that is defined in RFC 4291.  The format of a 128-bit IPv6 address is presented for us humans to read as 8 segments (hextets) each separated by a colon “:”.  When written in fully-expanded format, an IPv6 address would appear like the following:

2001:0DB8:0012:0034:0000:0000:0000:1111

Each of the address’s 8 hextets is separated by a colon.  Each hextet uses four hexadecimal digits (0-9, A-F) to write the 16 bits.  The eight sections of 16 bits each sum to the 128 bits of the address.

The IPv6 address can be compressed for readability by removing leading zeros within each segment, and by performing a once-only compression of multiple segments of continuous zeros into a double-colon “::”.  For example, if the above address was to use these compression techniques,it would be more cleanly written as the following:

2001:DB8:12:34::1111

Note: the IPv6 addresses that we are using here are from the IPv6 Address Prefix Reserved for Documentation (RFC 3849).

IPv6 Address Types

IPv6 also may seem complicated because there are different types of addresses.  Similar to IPv4’s public, private (RFC 1918), and Automatic Private IP Addressing (APIPA) addresses (169.254.0.0/16), IPv6 has four primary address types, each with its own specific function:

• 2000::/3 = Global Unicast Addresses (GUA). You can think of these as public Internet-usable addresses for node-to-node direct unicast communications.
• FC00::/7 = Unique Local Addresses (ULA). These are private addresses never to be used on the Internet and not NATed.
• FE80::/10 = Link-Local Addresses. Used only for internal LAN-based communications, never forwarded by routers.
• FF00::/8 = Multicast addresses. Used for one-to-many dissemination of packets to a scope of the network.

Let’s focus our attention on the global addresses, because those are what you are going to use for your Internet-facing systems as well as networks and systems within your Internet perimeter. There is no NAT functionality needed for IPv6 (see RFC 4864) because we have an abundance of addresses.

Unique Local Addresses (ULA) (RFC 4193) are not recommended for internal enterprise networks. Link-local IPv6 addresses and multicast addresses can be easily researched on your own.

IPv6 Global Addresses

IPv6 Global Unicast Addresses (GUA) are always in the range of 2000::/3 and start with the hex digit “2” or “3” in the most significant hex digit. 

For these global unicast addresses, it is common for the left-most high-order 64 bits of the address to represent the network segment that is used for a link. The right-most low-order 64 bits of the address represent the unique node on that network. 

In IPv6 parlance, the last 64 bits of the address is referred to as the Internet Identifier (IID) because it uniquely identifies the single node on that network.  This might remind you of network protocols from days gone by when there were a network number and a node number within the address. 

If you are a large enterprise and are multiply homed to the Internet using Border Gateway Protocol  (BGP) with your own Autonomous System Network (ASN) and you have your own public IPv4 addresses, then you may qualify for allocation of Provider Independent (PI) IPv6 address space from your Regional Internet Registry (RIR). This allocation may be dependent on your RIR’s policies. In North America you’ll find the policies listed in the Number Resource Policy Manual (NRPM) published by the American Registry for Internet Numbers (ARIN). 

ARIN also has many useful IPv6 resources to guide you smoothly through the process of address allocation.  You can also see from ARIN’s fee schedule that you can be allocated an astronomically large amount of IPv6 addresses for a nominal fee. And you can forget about asking your RIR for more IPv4 addresses – there aren’t any more to give out, so if you need more you will have to buy them on the open market and transfer them.

If you are not a multiply-homed enterprise and have a single upstream ISP, then you will likely be given a Provider Assigned (PA) IPv6 address block from your ISP’s address pool. 

In this case, you may likely be allocated a single /48 prefix.  In case you think this isn’t enough, this single /48 allows for 65,536 individual /64 prefixes. If you checked, your enterprise probably doesn’t have that many routes in your internal core routing tables.

IPv6 Addressing Simplicity

IPv6 reduces the complexity of address planning and assigning addresses to networks. Instead of using a wide variety of IPv4 subnet lengths to maximise host efficiency, it is best practice to use some standard prefix lengths to simplify things. IPv6 should be a breath of fresh air to those who toil with the scarcity constraints of IPv4 addresses.

With IPv6, it will be common to use a single hex digit to represent some part of your addressing hierarchy.  You will be using prefixes that have lengths that end on an even nibble boundary.  Furthermore, your addressing plan will use common prefix lengths, such as /40, /44, /48, /52, /56, /64. 

Standardizing some simple prefix lengths will make things easier.  Unlike IPV4, you are no longer restricted to allocate an IP subnet with the closest match to the number of hosts you have on that subnet. The de facto IPv6 prefix length is a /64, which allows for plenty of addresses for any sized network.

With IPv6, your address planning will number the subnets and networks, rather than being concerned with the number of host addresses needed for the network.  There will be plenty of addresses, so you can reserve much of your address space for future use and fit your plan to one that suits your organization’s operational and administrative needs best. Don’t worry about wasting addresses, but also avoid the temptation to over-engineer your address planning; creating too many addressing hierarchy levels simply might not be worth the administrative burden.

This addressing simplicity means we may never actually need an IPv6 subnet calculator, as previously thought.  With IPv4, a subnet calculator is required because we are using a variety of subnet lengths and striving for maximum host efficiency.  With IPv6, using a subnet calculator isn’t even a consideration because we will use the standard /64 prefix length for all networks.  This will make using a subnet calculator obsolete when it comes to IPv6.

IPv6 Addressing for Hosts

You don’t need to be overly concerned about the last 64 bits of an IPv6 address.  The Interface Identifier (IID) will be used to uniquely identify the host.  If you choose to use Stateless Address Auto-Configuration (SLAAC) (RFC 4862), then the hosts on that LAN segment may elect to self-determine their IID. 

One method is for the host to use its interface MAC address and the Modified EUI-64 method.  However, to provide more privacy for the end-node, some operating systems may use the Privacy and/or Temporary addressing method defined in RFC 4941. 

A new method called Stable IIDs (Stable SLAAC) (RFC 8064) is now becoming available in operating systems. However, enterprise environments would prefer to use DHCPv6 (RFC 3315) for auditability of addresses assigned to hosts and for the privacy of randomized interface identifiers.

The only exception to this is when you may have a significant number of Android-based operating system devices in your environment.  They don’t support DHCPv6 client functionality, which means you must use Recursive DNS Server (RDNSS) (RFC 8106) or resort to SLAAC.

What next?

Now that you are familiar with IPv6 addresses, you are ready to to learn more about IPv6 and proceed with deploying it in your enterprise network. “Enterprise IPv6 Deployment Guidelines” (RFC 7381), recommends the first step is to contact your ISP and express your interest in connecting to the IPv6 Internet. 

Then obtain your IPv6 addresses from your Regional Internet Registry or ISP, and put together an initial IPv6 addressing plan. We recommend using a guide such as “IPv6 Address Planning by Tom Coffeen and some address planning worksheets to help with that process. 

Then start to configure those addresses on your Internet routers, firewalls and Internet perimeter devices.  Once you are at this point, you are ready to start to bring IPv6 into your organization. Then you’ll be ready for my IPv6 Deployment Guide.

(Scott Hogg is a co-founder of HexaBuild.io, an IPv6 consulting and training firm, and has over 25 years of cloud, networking and security experience.)