Continuing in Chapter 2 of “Deploying IPv6 Networks” (Cisco Press, 2005)
IPv6 provides hierarchical network segmentation and aggregation through variable length subnet masking (VLSM), which breaks the address into a network portion and a host portion. The network prefix identifies the number of bits in the network portion of the address, similar to CIDR notation (e.g. /24). VLSM is the same as what was eventually adopted with IPv4 after classful boundaries proved to be a bad design decision.
IPv6 prefers to reference interfaces on a host rather than the host itself, since a single device may have multiple interfaces with different addresses. Therefore, technically the host portion of the address is referred to as an “interface identifier” instead. Interface identifiers must be 64-bits in length, according to RFC 3513. I believe this is why most IPv6 best practice recommendations use a minimum subnet size of /64. However, I’ve heard that this may have changed since this book was written… but for now, let’s continue on.
The 64-bit interface identifier can be generated in three different ways (each of which underscores the desire to maintain a globally-unique address):
- Modified EUI-64 format, which builds an IP address based on the layer 2 address of the interface (Ethernet MAC address).
- Auto-generated random address (RFC 3041) to increase privacy and security
- Acquisition via a DHCPv6 server
- Manual configuration
- Cryptographically generated addresses (CGAs) based on RFC 3972 through a hash function with a private key. This provides added security and address authentication, particularly useful for the Neighbor Discovery process.
The network portion of the address also reflects the scope of a network domain. Three address scopes exist:
- Link-Local Scope – identifies all hosts within a layer 2 domain (e.g. the local subnet). These are referred to as Link-Local Addresses (LLAs).
- Unique-Local Scope – identifies all devices within an administrative domain, either physical or logical (e.g. all devices within an enterprise network). These are called Unique-Local Addresses (ULAs).
- Global Scope – identifies all devices reachable across the Internet. These are called Global Unicast Addresses (GUAs).
The scopes are hierarchical, such that the link-local scope resides within a unique-local scope, which resides within the global scope. The unique-local scope was requested by organizations that wanted to continue the practice of having a “site-scope” and using private addressing only relevant within a local site, similar to IPv4 private addressing. However, the IETF working group felt it important to maintain globally unique addressing.
Individual hosts may or may not be aware of the address scope, but routers must be aware of scope information carried within the address for network segmentation and traffic forwarding. Since hosts typically communicate with multiple other hosts in different scopes, each host interface will typically have an address for each scope.
Personally, at this stage of my learning I find the concept of scopes completely logical, but the need for a host interface to have multiple addresses completely illogical and unnecessary. If a host interface has a globally unique address, why should it require a different address when it communicates with a host interface in another scope? Are network routing mechanisms and security controls sufficient to handle the interaction between host interfaces? Let’s table this question for later review and press on…
Link-Local Addresses (LLAs)
Each IPv6 interface is provided with a layer 3 IP address that allows it to communicate exclusively with other hosts on the same link (subnet). Packets with LLAs as either the SA or DA should never be routed off the local link. These addresses are used for discovering neighbors or routers, and for on-link communications.
LLA addresses have a fixed network prefix of FE80::/10, where the first 10 bits are 1111 1110 10, and the next 54 bits are all 0’s. This leave only the last 64 bits for the unique interface identifier, or host portion of the address, to be assigned. Therefore, the link-local network prefix of every subnet overlaps with every other link-local network prefix on other subnets. There is no hierarchy to LLAs; they are flat in nature. This also means that LLAs are constant since they are not meaningful outside of the local link, and are not affected by network re-numbering. For this reason, LLAs are typically used for Neighbor Discovery advertisement by routers, and by various protocols for next hop identification (e.g. BGP).
That also answers my question from three paragraphs back, since LLAs are not routable, although they may be globally unique if the interface identifier is chosen using the Modified EUI-64 format.
Figure 1 - Link Local Address Structure
Unique Local Addresses (ULAs)
The ULAs replaced the earlier attempt for an IPv6 site-local scope which was ambiguous and potentially allowed non-unique addressing. Because non-unique addressing such as private addresses in IPv4 introduce issues with applications (e.g. embedding IP addresses in data payloads) and routing (e.g. interconnecting discontiguous portions of a single site across intermediate networks), ULAs were created which maintain the globally unique structure of the Internet with IPv6.
ULA addresses have a fixed network prefix of FC00::/7, where the first 7 bits are 1111 110L, where ‘L’ identifies the assignment policy. Currently only a value of ‘1’ is specified designating a local assignment (FD00::/8).
Figure 2 - Unique Local Address Structure
The next 40 bits represent the Global ID that ensures global uniqueness of the address, which is pseudo-randomly generated but does not need to be sequential or follow any hierarchy since it will not be aggregated for routing globally. Hence, every “site” will have a unique Global ID. The 16 bit Subnet ID provides the local network administrator with for hierarchical addressing within the site. And the final 64 bits are the interface identifier as previously discussed.
Traffic that uses ULAs as either SA or DA in packets should not be allowed to leave the local site. ULAs prevent address collisions when interconnecting different “sites,” and make discontiguous site topologies easier to manage. For instance, this prevents issues such as the need to perform address translation when interconnecting IPv4 subnets with overlapping private IP addressing. Hooray! This definitely helps clarify the need for address scopes (from my earlier question), but I’m still questioning why GUAs can’t simply be used as both ULAs and GLAs.
Global Unicast Addresses (GUAs)
GUAs provide addressing that can be used to interconnect hosts across the IPv6 Internet. They are globally unique and globally routable. Since IPv6 addresses are 128 bits in length, they provide a much larger quantity of available addressing space than IPv4.
GUA addresses have a fixed network prefix of 2000::/3, where the first 3 bits are 001.
Figure 3 - Global Unicast Address Structure
The remaining address is broken down into the following structure:
- Global Routing Prefix – delegated hierarchically
down from the IANA to Regional Internet Registries (RIRs) and subsequently to
Internet Service Providers (ISPs) and individual Organizations. The global
routing prefix uniquely identifies the RIR, ISP, and Organization to which it
assigned, and is typically /48 or smaller.
- Subnet Identifier – used internally to identify
the network structure within the organization. The subnet identifier is
typically 16 bits or larger, depending the global prefix assigned to the
organization. The minimum 16 bits provides equivalent internal addressing space
as the previous 10.0.0.0/8 private addressing commonly used by organizations
- Interface Identifier – the individual host interface identifier portion, as previously discussed.
A lot of effort has been put into developing this simple yet flexible structure for GUAs to provide easy aggregation when coupled with rigorous prefix-allocation policies by the IANA and RIRs, which will be discussed in the next post.
Unicast Addressing Summary
- LLAs – FE80::/10
- ULAs – FC00::/7 (with range FC00::/8 through FD00::/8)
- GUAs – 2000::/3 (with range 2000::/4 through 3000::/4)
P.S. – Please follow or get involved in the discussion on IPv6 architecture, design, and implementation on Twitter with the #IPv6Mission hashtag.