What is the IPv6 equivalent to IPv4 RFC1918 addresses?

ipv6

Solution 1:

The "Unique Local Address" is exactly what you're looking for. fc00::/7 gives you enough bits that if you generate a random number instead of just picking one the chances of collision are small.

Does this mean I'll need extra protections so my router would not automatically start advertising these private IPv6 addresses to the world?

The RFC that covers these ULAs (RFC4193) specifically states that these numbers should not be routed on the internet, though two peers may mutually agree to pass certain prefixes. Unless Comcast decides to unilaterally route these (unlikely in the extreme) you should have no worries about route advertisement.

Assuming I will never, ever, tie that IPv6 address into the real internet (a router will NAT & firewall it), can I ignore the RFC to an extent and go with fc00::4:0/120?

Don't assume that. For instance, Comcast is currently doing IPv6 trials and they're passing out /64's to end-users (slide 5); not just the single address they're doing with IPv4. This means that their now-running IPv6 testers have the option of running with globally routeable addresses, but firewalled by their router, or do some kind of NAT with either link-local or unique-global-addresses.

However, running without any kind of address translation is not as insane as it sounds. Keep in mind a few points.

  • Comcast is handing out a /64 subnet to you, so your attacker already knows what your IP space looks like.
  • A /64 provides a mind bogglingly huge number of potential addresses. 2^64 worth! That's four billion IPv4 Internet's worth of IP addresses. (2^64 == 2^32 * 2^32. Four billion times four billion .) While the nature of IPv6 autoprovisioning reduces the actual number of addresses that need scanning, scanning it is still infeasible.
  • Unless you set up your own domain to provide it, Comcast will not be providing forward or reverse DNS lookups to your /64-worth of IP addresses. This greatly reduces the ability of attackers to recon your network.
  • Running without NAT makes certain network problems easier, and certainly makes undesirable but very popular peer-to-peer technologies (you know what I'm talking about) a lot easier to get up and running.

Running without a firewall is still just as insane as it sounds, though. Happily, you can do firewalling without having to NAT.

Second question, what's this link-local thing?

Think of it as able to reach anything in the current broadcast domain, and can not be routed. Like NetBEUI-of-old. In fact, if your home network is completely flat you can use these addresses instead of Unique Local Addresses.

Third question, what is scope id for?

It's used for two different things, which makes it annoying to describe:

Thing 1: Multicast. It defines how far the multicast packet is intended to reach.

Thing 2: (What I think you're referring to) This is used on a URI as a way of defining which interface to use. It's used primarily with link-local addresses. It should never be used in conjunction with CIDR notation, so the two syntaxes should never be combined.

Solution 2:

You should not be using an address starting with fc00:

As explained in RFC 4193 it is a 7 bit prefix. Everything after those first 7 bits should be filled in as explained in the RFC. The method currently defined will always produce an address that starts wit fd. The 00 should be replaced with random numbers, and the next two groups of 16 bits should also be random making up a total of 40 bits.

There are lots of pages on the internet that can generate one for you. I just want to one of those sites to get an example of what such a prefix could look like fdae:a212:e94d::/48

As you pointed out, those addresses are global unicast, but they are not supposed to be globally routable. If your router does route them externally by default, it would be a good idea to configure filters to prevent that. Your upstream should be filtering as well, so they will only be routed outside your network if both of you have misconfigured routers.

Solution 3:

all addresses starting with fe80: something are link-local. You can think of a "link" being all the computers connected to a switched network with no routers. So those ipv6 addresses can be used only for communication on that net.

The hardest part for us humans is probably that the machines now configure themselves. There is a protocol called Neighbour Discovery Protocol (NDP) that takes care of saying "hello" to all the other machines on the net.

If you don't want the machines to access internet then... just don't install a router.

You CAN set up ipv6 by hand or with a DHCP server, but you don't need to. That's one of the good news with ipv6.

Related

Question marks showing in ls of directory. IO errors too
I accidentaly forbid SSH connection to a remote server... What's next?
Iptables forward all traffic to a specified port, to another device
Files disappearing on linux server
How to log every linux command to a logserver
What's the purpose of setgid directory?
Enabling Powershell Remoting, Access is denied?
Can I be my own trusted CA via an signed intermediate certificate?
Is the 10-DNS-lookup limit in the SPF spec typically enforced?
Why should one have a secondary DNS server?
What are the merits of SAS vs SATA drives? [closed]
Naming convention for PC in a network