IPv6 Pros and Cons
By stretch | Monday, April 12, 2010 at 1:59 a.m. UTC
A reader, Phil, suggested an introductory IPv6 article for those who don't yet have much experience implementing the protocol. So I decided to write an article covering some of the most prominent advantages and disadvantages of IPv6 as compared to its predecessor. Before continuing, consider grabbing a copy of the IPv6 cheat sheet for handy reference.
Topics are split into two broad sections, design and configuration, for ease of digestion.
Pro: Much Larger Address Space
Admittedly, everyone already knows this, but it just feels wrong not to include it. However, contrary to popular claims, IPv6 does not give us a bajillion addresses for every grain of sand on the planet. In practice, the latter 64 bits of the address will typically be used for host addressing for end-user prefixes, leaving "only" 64 bits for network addressing, which is still twice the length of both the network and host components of an IPv4 address. The obvious need for hierarchical address schemes guarantees that 99.999% of the host addresses available within a /64 prefix will not be used.
Pro: Virtually Unlimited Host Addresses per Prefix
What is the longest subnet mask that can be used to provide at least 12 subnets with at least 50 hosts each?
Remember that crap? IPv6 means no more subnetting word problems! Assuming the "standard" access prefix length of /64, a single prefix is able to address far more hosts than you would ever want to jam into a single prefix. The motivation behind /64 prefixes for end users is discussed under the configuration section of this article.
Pro: Stateless Autoconfig
IPv6 neighbor discovery (ND) supplants ARP and introduces the option for stateless automatic configuration in place of static IP addressing or DHCP (although both are still options under IPv6). Hosts configured for autoconfig (which is a default configuration on most platforms) automatically learn of the prefix(es) and router(s) present on the segment, and automatically address themselves as appropriate using EUI-64 addressing.
Con: Harder to Fit Prefixes on Topology Drawings
It sounds silly until you find yourself shrinking font sizes on topology drawings to the point where the text is barely legible. IPv4 addresses, with their cripplingly short length, were easy to overlay onto a topology drawing. Not so much with IPv6, even with the shorthand rules to remove extraneous zeros. The approach I've adopted is to number the link with the prefix (e.g. 2001:db8:0:42::/64), and number end points with only the host portion of the address (e.g. ::4).
Draw: No More IP Scanning
With 2^64 possible host addresses per /64 prefix, performing a ping scan to detect devices is futile. From a security perspective, this is a boon for mitigating the automated spread of worms and enumeration attempts. On the other hand, it obsoletes an accounting mechanism on which many administrators have come to rely. It also increases the value of DNS servers to attackers.
Con: Don't Forget to Enable IPv6 Routing
Not normally an issue, but this can lead to frustration if you forget.
Router(config)# ipv6 unicast-routing
I wonder how many decades it will be before we have to remember to turn off IPv4 routing...
Pro: Automatic Link-Local Addressing
Getting IPv6 up and running on an interface is as simple as issuing a single command:
Router(config)# interface f1
Router(config-if)# ipv6 enable
Router(config-if)# ^Z
Router# show ipv6 interface f1
FastEthernet1 is up, line protocol is down
  IPv6 is tentative, link-local address is FE80::21B:2AFF:FE02:523D [TEN]
  No Virtual link-local address(es):
  No global unicast address is configured
  Joined group address(es):
    FF02::1
    FF02::2
...
This enables link-local IPv6. Link-local addresses are unique only to the local link; packets destined for a link-local address cannot travel further than one hop away from their origin. However, link-local addresses work fine for establishing routing protocol adjacencies with directly connected neighbors, for example.
Con: Typing Long Addresses
IPv6 prefixes can be difficult to memorize, especially if you need to deal with several assignments (for example, multiple /48s). IPv6 general prefixes are a convenient tool that allows an administrator to define and reference prefixes by human-friendly names.
Router(config)# ipv6 general-prefix MyGlobal 2001:db8:42::/48
Router(config)# interface f0/0
Router(config-if)# ipv6 address MyGlobal 0:0:0:10::1/64
Router(config-if)# do show ipv6 interface brief
FastEthernet0/0            [up/up]
    FE80::C000:6AFF:FEC1:0
    2001:DB8:42:10::1
...
Pro: Easy-to-Type Prefix Lengths on IOS
Cisco IOS has historically required entry of subnet masks for IPv4 interface addresses in drawn-out dotted-decimal notation (despite CIDR notation having been around for over twenty years):
Router(config-if)# ip address 172.16.8.1 255.255.255.0
With IPv6, we can thankfully enter prefix lengths in CIDR notation:
Router(config-if)# ipv6 address 2001:db8:0:42::1/64
Pro: EUI-64 Addressing
Just like hosts, routers too can employ EUI-64 addressing for interface addresses. This is recommended only for prefixes where the router's address need not be readily identified, such as on access prefixes:
Router(config)# interface f1
Router(config-if)# ipv6 address 2001:db8:0:42::/64 eui-64
Router(config-if)# ^Z
Router# show ipv6 interface f1
FastEthernet1 is up, line protocol is down
  IPv6 is tentative, link-local address is FE80::21B:2AFF:FE02:523D [TEN]
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:DB8:0:42:21B:2AFF:FE02:523D, subnet is 2001:DB8:0:42::/64 [EUI/TEN]
  Joined group address(es):
    FF02::1
    FF02::2
...
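The EUI-64 derivation behind the addresses in the output above, and its inverse, as an added example (not code from the original article). The MAC 00:1b:2a:02:52:3d is not stated on the page; it is the value recovered from the interface ID shown, and the function names are this example's own.

```python
import ipaddress

def mac_to_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert FF:FE, flip the U/L bit."""
    digits = "".join(c for c in mac if c not in ":-.")  # accept aa:bb.., aa-bb.., aabb.ccdd..
    octets = bytes.fromhex(digits)
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC, got {mac!r}")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02  # invert the universal/local bit of the first octet
    return int.from_bytes(eui64, "big")

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface ID derived from the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_interface_id(mac))

def interface_id_to_mac(addr: str):
    """Recover the MAC from an EUI-64 address, or None if the ID is not EUI-64."""
    low64 = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    iid = low64.to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # static, privacy or DHCPv6-assigned interface ID
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    mac = "00:1b:2a:02:52:3d"  # derived from the article's FE80::21B:2AFF:FE02:523D
    print(eui64_address("fe80::/64", mac))            # link-local address
    print(eui64_address("2001:db8:0:42::/64", mac))   # global address on the access prefix
    # Addresses taken from the article's show output and examples:
    for addr in ("2001:DB8:0:42:21B:2AFF:FE02:523D",
                 "FE80::C000:6AFF:FEC1:0",
                 "2001:db8:0:42::1"):
        print(addr, "->", interface_id_to_mac(addr))
```

Because the mapping is reversible, an EUI-64 address discloses the interface's MAC address (and with it the vendor OUI) to anything that logs the address, and the interface ID stays the same on every prefix the device joins.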
Feel free to share other pros and cons in the comments!
About the Author
Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.
Posted in IPv6
April 12, 2010 at 3:39 a.m. UTC
I've noticed a lot of folks are getting their first experience with "real" routing in the IPv6 world. If you have a VPS to play with, a tunnel from Hurricane Electric is easy to set up, but then you get the hankering to have IPv6 at home. Since your home IP is dynamic and you've got that pesky Duffanetsys SessionDestroyer 4000 NAT router, you can't do a Hurricane Electric tunnel to there. You gotta tunnel from home to your VPS if you wanna see the dancing turtle...
Baby, you've got a topology going.
Outside the industry, it's tough to get a fat subnet of publicly-routable IPv4 addresses for experimentation these days. However, you can have a /48 of IPv6 on your doorstep in about ten minutes, and almost all of the key concepts are the same. Labs and RFC1918 addresses and whatnot are good, but nothing beats the accomplishment of connecting to other networks. Perhaps this will become the way to "teach yourself routing" in the near future...
April 12, 2010 at 5:58 a.m. UTC
Typing IP Addresses is a bad habit. So "Typing Long Addresses" is "Pro". DNS is the only acceptable solution for IPv4 and IPv6. Even for static.
April 12, 2010 at 7:26 a.m. UTC
Thanks! Very helpful hints. :)
April 12, 2010 at 11:53 a.m. UTC
Con: Getting a user to ping the IPv6 address is never going to happen.
Con: DNS services MUST work. You are highly unlikely to type an entire address but you will probably ping a hostname.
April 12, 2010 at 1:34 p.m. UTC
@ODIN: So you're going to configure interface addresses using DNS eh? Let me know how that works out for you. ;)
April 12, 2010 at 2:06 p.m. UTC
Stretch, you're not using DNS to configure interfaces? Get with the times man.
April 12, 2010 at 3:30 p.m. UTC
Stretch, you've done it again. This is a really good article about the real-world reality of IPv6 that no one else thinks to talk about. (Sort of like the local CLEC not telling you about problems getting listed in the ILEC's phone book when you switch to the CLEC.)
It's the little things like labeling on network diagrams, or having end users ping addresses that smack you upside the head after the fact. I really enjoy seeing these bumps in the road so I can hopefully avoid, or at least prepare for, them.
April 13, 2010 at 3:39 a.m. UTC
@Etherealmind I agree. Speaking with an end-user to get them to ping an IPv6 address would be highly frustrating. Delegating tasks is key!
April 14, 2010 at 4:15 p.m. UTC
For those that would like to get their hands a little more dirty with IPv6, I suggest two things:
1) Get a tunnel to your home from Hurricane Electric (as mentioned above by Ryan). Nothing beats getting stuff ACTUALLY talking with real-world applications on both sides and "mush" in the middle.
2) Get a copy of Migrating to IPv6 by Marc Blanchet from Wiley publishers, ISBN: 978-0471-49892-6. It's well written and fairly easy to understand.
April 15, 2010 at 6:26 a.m. UTC
@stretch, if we consider static IP - the simplest way to configure is typing. It's not hard even for IPv6. This way may not be the best for a large network. The best is to integrate DNS and DHCP with various options for address resolution and assignment. Then, if we need to change addresses for some reason, it will be quite simple - just correct one database. General prefixes are cool, but is it possible to integrate them with DNS without some TCL-scripting on a Cisco router? If not, there will be one database more. I'd better type. (By the way, is it really possible?)
But my comment wasn't about configuration. It was about pinging, dealing with users, etc. So ping 192.168.42.43 is a bad habit in most cases. So long typing is a "pro".
However these "pro" and "con" are very admin and network dependent.
April 15, 2010 at 6:54 a.m. UTC
May 3, 2010 at 2:14 p.m. UTC
PRO: IPsec is a mandatory component for IPv6
December 7, 2010 at 10:36 p.m. UTC
ipv6 addressing schema is god dam confusing.
April 28, 2011 at 8:31 a.m. UTC
I think I would add
con: all ipv6 enabled hosts are world accessible, even those behind an ipv4 nat router. I wonder how multiple levels of NAT behave... I also wonder how long until an exploit for ipv6 enabled NATing routers (or hosts) becomes commonplace which allows an attacker access to the local IPv4 network including those legacy computers running win2k or xp for some (specific - I hope) reason.
2xcon: the lack of nmap -6 -sP 2002:6dgh:303g:1/64 *. I often find it useful to remind me of some server which has been long forgotten and not updated, etc... and also check for any rogues on the network.
* digits may have been changed to protect the innocent. that is not an ipv6 address...
March 14, 2012 at 8:20 p.m. UTC
So it's beneficial for IPv6 on large complex networks, but it's not for administrators who have to diagnose connections. It's good to have an alternative to overrun networks in large cities, but it's not for the administrators that control them. So it's great for the end user, but for the companies that support these addresses it costs more money, therefore not beneficial to the end user. Why did they come up with this? My theory: to make more money and say they fixed an issue that's not really there in the first place. I'll stick with 000.000.000.000 network IPv4 standard until it's obsolete, which there won't be computers then; we will be artificial humans with biological strings of code in which connecting to each other wouldn't be done in public anyways lol.
June 7, 2012 at 10:07 a.m. UTC
There are several benefits for IPv6 that we'll experience, however, there are cons that we'll not be told or learn from friends. Some of these include:
Easy tracking and monitoring (surveillance) of anyone using the internet,
No more DHCP usage (i.e. IP hopping),
No more hiding behind public IPs for anonymous reporting/communication,
Targeted attacks will be more accurate than before this time,
Ask yourself why it has come out at a time when there are more and more threats of "terror attacks" as well as Cyber attacks!!!
IPv6 allows about 340 undecillion IP addresses i.e. the number 34 followed by 37 zeroes.
The new numbers are written in Hexadecimal form in groups of four digits, such as 2001:0DB8:AC10:FE01:0000:0000:1000:0000
April 7, 2013 at 3:45 a.m. UTC
@Kaiterry, just use 7 proxies then ^^