
AlBlue’s Blog

Macs, Modularity and More

Less than 100 days left of IPv4 addresses

2010, ipv6

I've just written up a piece on InfoQ about the fact that we now have less than 100 days left of IPv4 address availability.

If you haven't used IPv6 yet, it's worth familiarising yourself with the concepts and the terms. Tools like ping6 and host handle IPv6; other tools like ssh support either protocol natively (and one can be selected with the -4 or -6 switches).

$ host ipv6.google.com
ipv6.google.com is an alias for ipv6.l.google.com.
ipv6.l.google.com has IPv6 address 2a00:1450:8006::93
$ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2axx:xxxx::xxxx:xxff:fexx:xxxx --> 2a00:1450:8006::93
16 bytes from 2a00:1450:8006::93, icmp_seq=0 hlim=56 time=36.776 ms
16 bytes from 2a00:1450:8006::93, icmp_seq=1 hlim=56 time=36.916 ms
apple:support alex$ telnet -6 ipv6.google.com 80
Trying 2a00:1450:8006::93...
Connected to ipv6.l.google.com.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 302 Found
Location: http://www.google.co.uk/
...

Obviously in this example I've obfuscated my IPv6 address; but typically you'll see the ff:fe in the middle. That's because the lower part of the address is made up of the six bytes of the computer's MAC address, with 'fffe' inserted in the middle. So if your MAC address is a1:b2:c3:d4:e5:f6, then the auto-discovery address will likely be something ending in :81b2:c3ff:fed5:e5f6. (Note that the second least significant bit in the first digit is flipped.) If that computer were on Google's network, it would get 2a00:1450:8006::81b2:c3ff:fed5:e5f6 as an address (2a00:1450:8006 is their routing prefix; they probably own everything underneath it, which gives Google on its own a much wider address space than the entire IPv4 internet).

This may not work for you – if you don't have an IPv6 address, you won't be able to ping or telnet into Google's webserver (on port 80!). However, if your OS supports IPv6 then you will be able to ping6 ::1, which is the loopback address, as well as any fe80:: address, which will also use the MAC address (e.g. fe80::81b2:c3ff:fed5:e5f6).

Security

Whilst IPv6 makes IPsec a mandatory supported part of the protocol (it's optional in IPv4), there are also some security considerations. For one, the IPv4 firewall may well be configured to prevent access to a given port, but there's an entirely separate firewall for IPv6 which may be wide open. Also, unlike local IPv4 addresses behind a NAT, which can't be directly accessed, an IPv6 address can be reached globally from anywhere.

Fortunately, the address space is so much wider in IPv6 that scans for open ports are likely to be impractical for the next decade (though this is really security through obscurity). In addition, the automatically generated addresses may eschew the MAC address and use a random number each time, though this will cause a client to potentially change its address between restarts. (This may be useful for privacy with an ISP that would otherwise be able to track source usage; the detail is in RFC 3041.)
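The MAC-derived addresses described earlier, and the tracking concern that RFC 3041 addresses, can be checked on your own hosts. The Python below is an added example, not code from the original post: it builds the interface identifier with the modified EUI-64 rule (RFC 4291: insert ff:fe, flip the 0x02 bit of the first byte) and reports which addresses expose a recoverable MAC. The function names, the 2001:db8 documentation prefix and the MAC are constructed for illustration.

```python
import ipaddress

def mac_to_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291, Appendix A): insert ff:fe, flip the 0x02 bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the MAC-derived interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC uses a /64 prefix")
    return net[int.from_bytes(mac_to_interface_id(mac), "big")]

def embedded_mac(addr: str):
    """Return the MAC an address appears to embed, or None.

    The ff:fe marker can occur by chance in a random identifier, so a hit
    is a strong hint rather than proof."""
    # Drop any zone suffix such as %en0 before parsing.
    iid = ipaddress.IPv6Address(addr.split("%")[0]).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each address to the MAC it leaks (None if none is recoverable)."""
    return {a: embedded_mac(a) for a in addresses}

# Constructed sample data (documentation prefix 2001:db8::/32, made-up MAC).
SAMPLE_MAC = "00:1b:63:84:45:e6"
SAMPLE_ADDRESSES = [
    str(slaac_address("2001:db8:1:2::/64", SAMPLE_MAC)),  # global, MAC-derived
    "fe80::21b:63ff:fe84:45e6%en0",                       # link-local, MAC-derived
    "2001:db8:1:2:5c3a:91f0:77d2:4be8",                   # random identifier
]

if __name__ == "__main__":
    for address, mac in audit(SAMPLE_ADDRESSES).items():
        print(f"{address:40} -> {mac or 'no embedded MAC'}")
```

Running the audit over the addresses reported by your own interfaces shows whether the privacy extensions are active: a global address that still yields a MAC identifies the same hardware on every network it joins.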

Conclusion

The IPv4 address space is almost exhausted, and IPv6 is the only real solution for the future. However, the full IPv6 transition is still some time away; and time is running out.