How does IPv6 subnetting work and how does it differ from IPv4 subnetting?
This is a Canonical Question about IPv6 Subnetting.
Related:
- How does IPv4 Subnetting Work?
I know a lot about IPv4 Subnetting, and as I prepare to (deploy|work on) an IPv6 network I need to know how much of this knowledge is transferable and what I still need to learn. IPv6 seems at first glance to be much more complex than IPv4. So I would like to know:
- IPv6 is 128 bits, so why is /64 the smallest recommended subnet for hosts?
Related to this:
- Why is it recommended to use /127 for point to point links between routers, and why was it recommended against in the past? Should I change existing router links to use /127?
- Why would virtual machines be provisioned with less than a /64 worth of addresses?
- Are there other situations in which I would use a subnet smaller than /64?
- Can I map directly from IPv4 subnets to IPv6 subnets? For instance, does an IPv4 /24 correspond directly to an IPv6 /56 or /120?
- My interfaces have several IPv6 addresses. Must the subnet be the same for all of them?
- Why do I sometimes see a % rather than a / in an IPv6 address and what does it mean?
- Am I wasting too many subnets? Aren't we just going to run out again?
- In what other major ways is IPv6 subnetting different from IPv4 subnetting?
Solution 1:
The first thing that should be mentioned about IPv6 subnetting is that a different mode of thought is called for. In IPv4 you usually think about how many addresses you have available and how you can allocate enough of them to each end user. In IPv6 you usually think about how many /64
-subnets you have available and how you can allocate them to end users. You almost never worry about how many IP addresses will be used in a given subnet. Except for some special cases like point to point links, each subnet just simply has way more addresses available than it will ever require, so instead you worry only about allocating subnets, not hosts inside them.
IPv6 subnets are usually /64
because that is required in order for SLAAC (stateless address auto-configuration) to work. Even where SLAAC is not in use, there may be other reasons to use /64
. For example, there might be some end user devices out there that just assume /64
, or else routing subnets narrower than /64
might be inefficient on some routers because the router implementor has optimized the case of /64
or wider routes in order to save routing table memory.
Why is it recommended to use /127
for point to point links
For the specific case of point-to-point links, /127
is recommended instead of /64
in order to avoid a vulnerability where packets addressed to any one of the quadrillions of unused addresses on the subnet cause unwanted neighbour solicitation requests and table entries that could drown a router. Such misaddresses packets may be malicious or accidental. But even if you actually configure a point-to-point link as /127
, some people advocate assigning a whole /64
anyway just to be consistent.
Why would virtual machines be provisioned with subnets narrower than /64
?
I don't know specifically why virtual machines would be provisioned with subnets narrower than /64
. Perhaps because a hosting provider assumed that a server was like an end-user and required only a single /64
subnet, not anticipating that the server would actually be a collection of VMs requiring an internal routing topology? It could be done also simply as a matter of making the addressing plan easier to memorize: the host gets PREFIX::/64
, then each VM gets PREFIX:0:NNNN::/96
where NNNN is unique to the VM and the VM can allocate PREFIX:0:NNNN:XXXX:YYYY
as it pleases.
Can I map directly from IPv4 subnets to IPv6 subnets? For instance, does an IPv4 /24
correspond directly to an IPv6 /56
or /120
?
From a low level perspective of how addressing and routing works, the prefix length has the same meaning in IPv6 and IPv4. On that level, you can make an analogy such as "an IPv4 /16
uses half the bits for the network address and half the bits for the host address, that's like a /64
in IPv6". But this comparison is not really apt. Strong conventions have emerged in IPv6 which make the divisions of network sizes look somewhat more like the old world of classful networks in IPv4. To be sure, IPv6 didn't reintroduce classful addressing in which the most significant few bits of the address force a particular netmask, but what IPv6 does have is certain [defacto/conventionally] standard network sizes:
-
/64
: the basic size of a single subnet: LAN, WAN, block of addresses for web virtual hosts, etc... "Normal" subnets are never expected to be any narrower (longer prefix) than/64
. No subnets are ever expected to be wider (shorter prefix) than/64
since a/64
's worth of host addresses is way more than we can imagine needing. -
/56
: a block of256
basic subnets. Even though current policies permit ISPs to hand out blocks as large as/48
to every end user and still consider their address utilisation well justified, some ISPs may (and already do) choose to allocate a/56
to consumer-grade customers as a compromise between allocation lots of subnets for them and address economy. -
/48
: a block of65536
basic subnets and the recommended size of block that every ISP customer end site should receive. -
/32
: the default size of block that most ISPs will receive each time they request more addresses from a regional address registry.
Inside service provider and entreprise networks, many more prefix lengths than these 4 can be seen. When looking at the routing tables of routers inside these networks, IPv4 and IPv6 have much in common including most of the way routing works: routes for longer prefixes override covering routes for shorter prefixes, so it is possible to aggregate (make shorter) and drill down (make longer) routes. Like in IPv4, routes can be aggregated or summarized to largers blocks with shorter prefixes in order to minimize the size of routing tables.
A different question of mapping between IPv4 and IPv6 would be how to harmonize IPv4 and IPv6 assignments on dual-stack machines so that addressing plans can be readily understood. Far that, there are certainly conventions in common use to do this: embed the IPv4 "subnet number" into a portion of the IPv6 prefix, either with BCD (e.g. 10.0.234.0/24
becomes 2001:db8:abcd:234::/64
) or binary (10.0.234.0/24
becomes 2001:db8:abcd:ea::/64
).
My interfaces have several IPv6 addresses. Must the subnet be the same for all of them?
Absolutely not! IPv6 hosts are expected to be able to be multihomed by having several IP addresses simultaneously that come from different subnets, just like IPv4. If they are autoconfigured with SLAAC then the different subnets might have come from router advertisements from different routers.
Why do I sometimes see a % rather than a / in an IPv6 address and what does it mean?
You would not see one instead of the other. They have different meanings. A slash denotes a prefix (subnet), meaning a block of addresses that all start with the same n
bits. An address without a slash is a host address. You may think of such an address as having an implied /128
at the end, meaning all 128 bits are specified.
The percent sign accompanies a link-local address. In IPv6, every interface has a link-local address in addition to any other IP addresses it might have. But the thing is, link-local addresses are always, without exception, in the fe80::/10
block. But if we attempt to talk to a peer using a link local address and the local host has multiple interfaces, how are we to know which interface to use to talk to this peer? Normally the routing table tells us which interface to use for a particular prefix, but here it will tell us than fe80::/10
is reachable via every interface.
The answer is that we must tell it which interface to use using the syntax address%interface
. For example, fe80::1234:5678:8765:4321%eth0
.
Am I wasting too many subnets? Aren't we just going to run out again?
Nobody knows. Who can tell the future?
But consider this. In IPv6 the number of available subnets is the square of the number of available individual addresses in IPv4. That's really quite a lot. No, I mean really quite a lot!
But still: we are automatically handing out a /32
to any ISP who requests one, we are handing out a /48
to every single ISP customer. Perhaps we're exaggerating and we will squander IPv6 after all. But there is a provision for this: Only one eighth of the IPv6 space has been made available for use so far: 2000::/3
. The idea is that if we make a horrible mess of the first eighth and we have to drastically revise the liberal allocation policies, we get to try 7 more times before we're in trouble.
And finally: IPv6 doesn't have to last forever. Perhaps it will have a longer lifetime than IPv4 (an impressive lifetime already and it's not over) but like every technology it will someday stop mattering. We only need to make it until then.
Solution 2:
##IPv6 is 128 bits, so why is /64 the smallest recommended subnet for hosts?
First of all, a little ASCII art from the RFCs to establish terminology:
| n bits | m bits | 128-n-m bits |
+------------------------+-----------+----------------------------+
| global routing prefix | subnet ID | interface ID |
+------------------------+-----------+----------------------------+
The global routing prefix typically identifies the overall network that the address belongs to. It's typically 48 bits. The Interface ID identifies a given network interface. It's typically 64-bits. The remaining 16 bits is your subnet ID.
###OK, on with the explanation:
According to RFC 4291 -- IP Version 6 Addressing Architecture:
All Global Unicast addresses other than those that start with binary 000 have a 64-bit interface ID field.
And RFC 5375 -- IPv6 Unicast Address Assignment Considerations:
An important part of an IPv4 addressing plan is deciding the length of each subnet prefix. Unlike in IPv4, the IPv6 addressing architecture [RFC4291] specifies that all subnets using Globally Unique Addresses and ULAs always have the same prefix length of 64 bits.
So ignoring the 000-prefix exception, the Interface ID is always 64-bits exactly. This is another way of saying that all local broadcast networks are always 64-bits. If you have an IPv6 address, its netmask is always 64 bits. Never more, never less. If you were assigned an address space larger than that (shorter netmask than 64-bits), then it's assumed that you will be partitioning that address space into 64-bit networks and handling the routing yourself. If you were given a network smaller than that (longer netmask), then someone screwed up.
##So, why 64-bits exactly?
As a rule, IPv6 addresses are automatically-configured rather than assigned. The router will advertise which network prefix is available (routing prefix + subnet ID: first 64-bits), and your computer will fill in the last 64-bits using its own unique identifier. How does your computer come up with a unique identifier? There's a few possibilities, the most common is to use your interface's MAC address. You split the MAC in half (vendor half / serial half), flip the universal-local bit on the vendor side, and join them back together with FF:FE
in the middle. So 00:30:48:01:23:45
becomes 0230:48ff:fe01:2345
. Now put the advertised 64-bit network prefix on the left-hand-side of that, and you have your IP address.
The important point here is that if you follow this scheme, IP address collisions won't happen. Since every device on a given broadcast network NEEDS a unique MAC address to work, tying the interface ID to the MAC address means that as long as broadcast traffic doesn't collide, then neither will IPv6 addresses. Using 64-bits (instead of just the 48 dedicated to MAC addresses) gives a bit of wiggle-room beyond just the addresses provided by this scheme (there are several others).
Are there other situations in which I would use a subnet smaller than /64?
Nope. Not unless you're broken. Well, you may have a justification based on local requirements for setting up manual routing with your existing network. But bear in mind that by doing so, you're probably making a mess:
From RFC 5375 -- IPv6 Unicast Address Assignment Considerations:
Using a subnet prefix length other than a /64 will break many features of IPv6, including Neighbor Discovery (ND), Secure Neighbor Discovery (SEND) [RFC3971], privacy extensions [RFC4941], parts of Mobile IPv6 [RFC4866], Protocol Independent Multicast - Sparse Mode (PIM-SM) with Embedded-RP [RFC3956], and Site Multihoming by IPv6 Intermediation (SHIM6) [SHIM6], among others. A number of other features currently in development, or being proposed, also rely on /64 subnet prefixes.
....
However, some network administrators have used prefixes longer than /64 for links connecting routers, usually just two routers on a point-to-point link. On links where all the addresses are assigned by manual configuration, and all nodes on the link are routers (not end hosts) that are known by the network, administrators do not need any of the IPv6 features that rely on /64 subnet prefixes, this can work. Using subnet prefixes longer than /64 is not recommended for general use, and using them for links containing end hosts would be an especially bad idea, as it is difficult to predict what IPv6 features the hosts will use in the future.
Why is it recommended to use /127 for point to point links between routers, and why was it recommended against in the past?
You may want to gloss over RFC 3627 -- Use of /127 Prefix Length Between Routers Considered Harmful. Then have a look at the subsequent RFC 6164 -- Using 127-Bit IPv6 Prefixes on Inter-Router Links.
The objection to using prefixes longer than /64 on routers has to do with router auto-configuration potentially failing under rare circumstances. The objection to using prefixes shorter than /127 (2-hosts-only) has to do with a number of potential denial-of-service issues relating to packets being sent to the unrouted addresses. Since real-world denial-of-service issues are worse than theoretical auto-configuration failures, /127 is the new favorite.
Should I change existing router links to use /127?
If you control an IPv6 router, I'd recommend reading the two RFCs (they're short!) and deciding for yourself.
Can I map directly from IPv4 subnets to IPv6 subnets?
For instance, does an IPv4 /24 correspond directly to an IPv6 /56 or /120?
Actually... yes. Remember that 000-prefix we intentionally ignored earlier? Well, here's a use for it:
On dual-stack systems (ones with both IPv4 and IPv6 stacks active), you can represent IPv4 using IPv6 mechanics. They call it "IPv4-mapped IPv6 addresses". The pattern is all-zeroes, followed by FFFF
, followed by the 32-bit IPv4 address.
So, 192.168.100.21
becomes ::FFFF:C0A8:6415
-- or more simply: ::FFFF:192.168.100.21
. Since that right-hand bit represents an IPv4 address, it's traditionally written out using dotted-decimal form.
As this is an actual IPv4 address, it still uses IPv4 headers etc., which means that an IPv4 stack must be present, IPv4 routes must be set, and all that. The advantage is that you can represent both IPv4 and IPv6 addresses using a single address structure, which can simplify application development. It doesn't make a lick of difference as far as the network is concerned.