On the 6th June 2012, the World IPv6 Launch will officially mark the beginning of the transition to IPv6, as several major service providers will permanently enable it. TCP/IP itself will remain unchanged, apart from the IP header having a larger address space and a different version number, but the massive address range provides us with interesting possibilities I’m very enthusiastic about. I’ve posted a little about this before, after hearing the SecuraBit interview (Episode 81) with Sam Bowne, and reading The Second Internet (Lawrence Hughes).
The Address Space
IPv4 has an address range with 4,294,967,296 possible values, which means it could theoretically support around 4 billion hosts. It seemed large enough at the time (around 1980), as nobody was expecting the Internet would have anything approaching 4 billion hosts, or that the average person would eventually have several network-enabled devices. So, to minimise the overhead involved in routing Internet traffic, it was decided the address field would be limited to a reasonable 32 bits.
But the current problem isn’t a straightforward one of IPv4 addresses running out, contrary to what’s commonly believed. Several methods enable us to continue using IPv4 indefinitely – NAT, PAT and name servers for shared hosting being just three such methods. The real problem is that the efficiency of the Internet is reduced the more we rely on them.
IPv6 has a 128-bit address field, giving us an address range with 3.40282366921e+38 possible values – enough to allocate approximately 6.67e+25 addresses to each square centimetre of the Earth’s surface. It means every person could be allocated a block of addresses larger than the entire IPv4 range, and therefore every network-enabled device in existence can have many addresses. We could even go further and allocate addresses to individual software applications, so that traffic could be routed to the correct one.
Local Area Networks and Security
Practically all operating systems released in the last five years fully support IPv6, but unfortunately the same isn’t the case where the average home router’s concerned. Even 6-to-4 tunnelling has been something of a problem, as I’ve found during my Hurricane Electric experiments.
Cisco, Linksys and D-Link will be among the first to manufacture home routers with full IPv6 capability after the official launch, so we should see commercially available ones advertised by the end of the year.
In some cases the router will partly determine the host addresses, but in an entirely different way from DHCP. The address is split into two 64-bit segments: the first 64 bits are defined by the router and the other 64 bits are derived from the host’s MAC address. The value ff:fe: will separate both segments, maybe to identify the address as private. Alternatively, the host can generate a random value independent of its MAC address as a security measure.
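To make the two address-derivation methods concrete, here is an added example (my own illustration, not code from the post or from any router vendor) that builds a MAC-derived identifier with ff:fe inserted, builds the random alternative, and combines either with a router-supplied /64 prefix. It assumes a constructed MAC address and the documentation prefix 2001:db8::/64; the inversion of the universal/local bit is part of the IPv6 addressing specification (RFC 4291) rather than something the post describes.

```python
import ipaddress
import secrets


def eui64_interface_id(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface identifier from a 48-bit MAC.

    The MAC is split into two 3-byte halves and ff:fe is inserted between
    them; the universal/local bit (0x02 of the first byte) is then inverted,
    as RFC 4291 specifies.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def random_interface_id() -> bytes:
    """Random identifier, the privacy alternative the post mentions.

    The universal/local bit is cleared so the value is marked as locally
    generated rather than derived from a globally assigned MAC.
    """
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def build_address(prefix: str, interface_id: bytes) -> ipaddress.IPv6Address:
    """Combine the router-defined /64 prefix with an 8-byte interface id."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(interface_id) != 8:
        raise ValueError("need a /64 prefix and an 8-byte interface id")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + interface_id)


def looks_mac_derived(addr: str) -> bool:
    """Inventory check: does this address embed a MAC (ff:fe marker + U/L bit)?"""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe" and bool(packed[8] & 0x02)


if __name__ == "__main__":
    mac = "00:1b:21:3c:4d:5e"  # constructed sample MAC, not a real device
    print(build_address("fe80::/64", eui64_interface_id(mac)))
    print(build_address("2001:db8::/64", eui64_interface_id(mac)))
    print(build_address("2001:db8::/64", random_interface_id()))
```

Running `looks_mac_derived` over your own address inventory shows which hosts still expose their hardware address in their IPv6 address, which is the privacy concern the random identifier addresses.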
Currently with IPv4, and largely because of NAT, it’s difficult to enable incoming connections to internal hosts, such as VoIP calls, as the router wouldn’t know which private address to forward the connection to. The story’s quite different with IPv6 and static addresses, and ‘multihoming’ would enable traffic to be continuously routed to the same device as it moves from one network to another.
Although it wasn’t intentional, the almost limitless number of publicly reachable multicast addresses (beginning with ff:) provides some security for communications within a group. If IPsec can also be used, that’s a bonus as it extends to both IP and TCP.
Any address beginning with ff: can be designated as a group’s multicast address, and anything sent to that address will be broadcast to all members of the group. A third party attempting to listen in must search through 5.19229685853e+33 possible addresses. But we’re still left with the possibility the broadcasts can be intercepted, and also the key distribution problem since only symmetric encryption could be used for simultaneous messaging to several parties.