IPv6 RFC 6555 = Happy Eyeballs
In my article Switch Your Network to IPv6, I covered checking your router for IPv6 support, enabling IPv6, enabling DHCP-PD on your router's WAN interface and verifying IPv6 functionality. I also discussed a few IPv6 terms and touched on IPv6 security.
In this second IPv6 article, I'm going to provide more detail on IPv6 addressing, security and VLANs. The goal is to provide more insight into IPv6, as well as provide information on some of IPv6's quirks.
Before I get into details on IPv6 addressing, let me explain the eyeball graphic above. RFC (Request For Comment) 6555, also known as "Happy Eyeballs", describes how a dual-stacked PC chooses between IPv4 and IPv6 without making the user wait: it tries the preferred family (IPv6) first and, if that attempt has not succeeded within a short delay, starts an IPv4 attempt alongside it and uses whichever connects first, rather than waiting for the IPv6 attempt to time out.
While Windows XP and later versions include support for IPv6, they are not all equal in their support. A Windows PC should prefer IPv6 when possible and fall back to IPv4 if no IPv6 connectivity exists. Windows 8.1, 8, and Windows 7 have Happy Eyeballs support, allowing them to prefer IPv6 yet quickly fall back to IPv4 if needed. However, Windows XP IPv6 is not fully RFC standard compliant and has to wait for an IPv6 session to time out before it falls back to IPv4. So it is recommended to upgrade to Windows 7 or later if you're migrating your network to IPv6. (Reference: Practical IPv6 for Windows Administrators, Edward Horley, 2013)
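Here is the race RFC 6555 describes, as an added example that is not code from the article: the IPv6 attempt goes first, an IPv4 attempt starts only if IPv6 has not succeeded within a short delay, and the first family to connect wins while the other is cancelled. The 250 ms head start and the simulated connect functions are assumptions so the example runs offline; in a real client the two attempts would be TCP connects to the AAAA and A records.

```python
"""Happy Eyeballs (RFC 6555) connection race: an added example, not the article's code.

The attempt functions are injected so the race can be exercised offline;
in a real client they would be TCP connects to the AAAA and A records.
"""
import asyncio
from typing import Awaitable, Callable

# RFC 6555 suggests giving IPv6 a head start of roughly 150-250 ms before
# trying IPv4; 250 ms is assumed here.
FALLBACK_DELAY = 0.25

Attempt = Callable[[], Awaitable[str]]


async def happy_eyeballs(ipv6_attempt: Attempt, ipv4_attempt: Attempt,
                         delay: float = FALLBACK_DELAY) -> str:
    """Prefer IPv6; start IPv4 after `delay` unless IPv6 has already succeeded.

    Returns the label of whichever attempt connects first and cancels the
    loser. Raises ConnectionError only when both families fail.
    """
    v6 = asyncio.ensure_future(ipv6_attempt())
    await asyncio.wait({v6}, timeout=delay)      # head start for IPv6
    if v6.done() and v6.exception() is None:
        return v6.result()                         # IPv6 won outright

    # IPv6 is either slow (still pending) or failed fast: race IPv4 now.
    v4 = asyncio.ensure_future(ipv4_attempt())
    errors = [v6.exception()] if v6.done() else []
    pending = {v4} if v6.done() else {v6, v4}
    while pending:
        done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            if task.exception() is None:
                for loser in pending:
                    loser.cancel()                 # drop the slower family
                return task.result()
            errors.append(task.exception())
    raise ConnectionError(f"all attempts failed: {errors!r}")


def simulated(label: str, seconds: float, ok: bool = True) -> Attempt:
    """Constructed stand-in for a TCP connect that takes `seconds` to finish."""
    async def attempt() -> str:
        await asyncio.sleep(seconds)
        if not ok:
            raise OSError(f"{label}: connect failed")
        return label
    return attempt


def run(v6_seconds: float, v4_seconds: float, v6_ok: bool = True, v4_ok: bool = True) -> str:
    """Run one race with simulated timings and return the winning family."""
    return asyncio.run(happy_eyeballs(simulated("ipv6", v6_seconds, v6_ok),
                                      simulated("ipv4", v4_seconds, v4_ok)))


if __name__ == "__main__":
    print(run(0.05, 0.01))                # ipv6: answers within its head start
    print(run(2.0, 0.01))                 # ipv4: IPv6 path is black-holed, IPv4 wins at ~250 ms
    print(run(0.10, 0.01, v6_ok=False))   # ipv4: IPv6 fails fast, IPv4 starts without waiting
```

The third case is the one that matters for the XP comparison above: an IPv6 attempt that fails quickly does not even wait out the delay, and a black-holed IPv6 path costs only the head start rather than a full TCP timeout. Python's own asyncio.open_connection() performs the same race when you pass happy_eyeballs_delay=0.25 (Python 3.8 and later).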
How an IPv6 Address Gets Made
With that said, it is useful to understand how IPv6 addresses are assigned. IPv4 addresses are either dynamically assigned to a device using DHCP (Dynamic Host Configuration Protocol) or they're statically assigned to a device by a human. IPv6 addresses can be assigned in the following ways:
- manually assigned
- automatically assigned by a device
- dynamically assigned using DHCPv6
- dynamically derived using SLAAC (Stateless Address Auto-configuration)
- derived/assigned using a combination of SLAAC and DHCPv6.
When IPv6 is enabled on a device, it will automatically assign itself a link-local address on its interfaces. The link-local address is important, as it is used by the device to communicate with other devices within the LAN.
A link-local address starts with FE80. An IPv6 device will complete its link-local address with the EUI-64 method, or in the case of Windows, a random method. Both methods are used to populate the last 64 bits of the address.
The EUI-64 method generates the last 64 bits of an IPv6 address (the interface identifier) from the interface's 48-bit MAC address: the MAC is split in half, FFFE is inserted between the two halves, and the universal/local bit (the second-lowest bit of the first octet) is flipped. I'll cover why Windows uses a random method shortly.
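To make the EUI-64 construction concrete, here is an added example (mine, not the article's) using a constructed MAC address 00:1a:2b:3c:4d:5e and the documentation prefix 2001:db8::/32. It inserts FFFE, flips the universal/local bit, builds both the link-local and a global address from the same MAC, and includes the "FFFE in the middle" check the article uses to tell EUI-64 addresses from random ones. Note that the last 64 bits come out identical under both prefixes.

```python
"""Modified EUI-64 interface identifier and link-local address: added example."""
import ipaddress


def eui64_iid(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC (RFC 4291 Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC and insert FF:FE between the OUI and the device bits.
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Flip the universal/local bit (0x02 of the first octet): a burned-in
    # MAC has it clear, so the resulting IID has it set.
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 IID; prefix 'fe80::/64' gives the link-local address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC/EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(eui64_iid(mac), "big"))


def looks_like_eui64(addr: str) -> bool:
    """The article's heuristic: FFFE sitting in the middle of the low 64 bits."""
    low64 = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (low64 >> 24) & 0xFFFF == 0xFFFE


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed sample MAC, not one from the article
    print(eui64_address("fe80::/64", mac))          # fe80::21a:2bff:fe3c:4d5e
    print(eui64_address("2001:db8:1:2::/64", mac))  # 2001:db8:1:2:21a:2bff:fe3c:4d5e
    print(looks_like_eui64("fe80::21a:2bff:fe3c:4d5e"))  # True
    print(looks_like_eui64("fe80::1c5d:4b6f:9a2e:8d13"))  # False (random-style IID)
```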
In the image below, you can see my Windows PC has generated its link-local address using the Windows random method, as there is no FFFE in the middle of the last 64 bits.
IPv6 Link-Local Address
An interesting IPv6 quirk is that a device can use the same link-local address on multiple interfaces. Packets with link-local source and destination addresses are never routed off their link, so a single device can reuse one link-local address on several interfaces. As long as the link-local address is unique on each link, there won't be an address conflict.
An IPv6 device uses Neighbor Discovery Protocol (NDP) Neighbor Solicitation (NS) messages to ensure it has created a unique link-local address on the LAN. Duplicate Address Detection (DAD) is the IPv6 process where NS messages are sent to verify that automatically assigned or dynamically derived addresses are unique. The NS is sent from the unspecified address (::) to the solicited-node multicast group of the tentative address; a device that already holds that address replies with an NDP Neighbor Advertisement (NA) message, and if no NA arrives the address is taken to be unique.
SLAAC uses NDP Router Advertisement (RA) messages. IPv6 SLAAC partially replaces IPv4 DHCP. When a router is enabled for IPv6, it will regularly multicast RA messages advertising its global IPv6 prefix. The router will use its link-local address as the source of its RA messages.
Devices enabled for IPv6 receive the RA and use two pieces of it. The RA's source address, the router's link-local address, becomes their default gateway. The advertised global prefix, provided its Autonomous flag is set, is combined with an interface identifier from either the EUI-64 or the random method to form the device's global IPv6 address. The DAD process is then used by the IPv6 device to ensure its derived IPv6 address is unique. The screenshot below shows my PC's default gateway address, which is my router's link-local address.
IPv6 Default Gateway
A device does not have to wait for the next periodic RA: when its interface comes up, it sends a Router Solicitation (RS) message, and routers on the link answer with an RA. If no RA arrives at all, a device may fall back to DHCPv6 on its own, but the standard trigger for DHCPv6 is a flag in the RA itself (covered below).
Where's The DHCP Table?
An unfortunate downside to SLAAC is the lack of a DHCP table. IPv4 routers typically have a means to display a DHCP table, which provides a list of DHCP-assigned devices on the LAN and their IPv4 address. The IPv4 DHCP table is a useful tool to list IPv4 devices on a LAN, shown below.
IPv4 DHCP Table
If SLAAC is used with IPv6, there may not be a DHCP table, because DHCPv6 may not even be running. The Linksys LRT224, for example, has DHCP for IPv4 enabled, but DHCPv6 disabled. The downside to SLAAC is you lose the DHCP list. The upside to SLAAC is that fewer resources are used by the router to maintain lists, making the network more efficient.
IPv6 may use a combination of SLAAC and DHCPv6. The RA carries two flags for this. The Managed (M) flag set to 1 tells devices to obtain their addresses from DHCPv6 (stateful DHCPv6). The Other Configuration (O) flag set to 1 tells devices that further information, such as IPv6 DNS server addresses, is available via DHCPv6 while addresses still come from SLAAC (stateless DHCPv6). A device receiving an RA with only the Other Configuration flag set derives an address via SLAAC and also uses DHCPv6 to receive the additional IPv6 information.
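The RA fields that drive these decisions (the M and O flags in the RA header, the router lifetime, and the Autonomous flag in each prefix option) can be decoded in a few lines. The following is an added example, not code from the article: it builds constructed RA packets laid out per RFC 4861 (ICMPv6 checksum left at zero, since the IPv6 pseudo-header is not modelled) and reports what a host would do with each one.

```python
"""Decode the Router Advertisement flags that steer SLAAC vs DHCPv6: added example."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3


@dataclass
class RouterAdvertisement:
    managed: bool               # M flag: addresses come from stateful DHCPv6
    other: bool                 # O flag: other config (e.g. DNS) comes from DHCPv6
    router_lifetime: int        # seconds this router may serve as default gateway (0 = never)
    prefixes: List[tuple] = field(default_factory=list)   # (prefix, autonomous, valid, preferred)
    source_mac: Optional[str] = None


def parse_ra(payload: bytes) -> RouterAdvertisement:
    """Parse an ICMPv6 RA (RFC 4861 s4.2) and its prefix / link-layer options (s4.6)."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    _type, _code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    ra = RouterAdvertisement(managed=bool(flags & 0x80), other=bool(flags & 0x40), router_lifetime=lifetime)
    pos = 16
    while pos + 2 <= len(payload):
        otype, olen = payload[pos], payload[pos + 1]
        if olen == 0:
            raise ValueError("option length 0 is invalid (RFC 4861 s4.6)")  # would otherwise loop forever
        opt = payload[pos:pos + olen * 8]
        if len(opt) < olen * 8:
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFORMATION and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            prefix = ipaddress.IPv6Network((int.from_bytes(opt[16:32], "big"), plen), strict=False)
            ra.prefixes.append((prefix, bool(pflags & 0x40), valid, preferred))   # 0x40 = Autonomous (A)
        elif otype == OPT_SOURCE_LINK_LAYER and olen == 1:
            ra.source_mac = ":".join(f"{b:02x}" for b in opt[2:8])
        pos += olen * 8
    return ra


def host_action(ra: RouterAdvertisement) -> dict:
    """What a host does with this RA: SLAAC prefixes, DHCPv6 mode, default route."""
    slaac = [p for p, autonomous, valid, _ in ra.prefixes if autonomous and p.prefixlen == 64 and valid > 0]
    if ra.managed:
        dhcpv6 = "stateful"      # addresses (and options) from DHCPv6
    elif ra.other:
        dhcpv6 = "stateless"     # only options such as DNS from DHCPv6
    else:
        dhcpv6 = "none"
    return {"slaac_prefixes": slaac, "dhcpv6": dhcpv6, "default_router": ra.router_lifetime > 0}


def build_ra(*, managed: bool, other: bool, prefix: str, autonomous: bool,
             router_lifetime: int = 1800, mac: str = "00:11:22:33:44:55") -> bytes:
    """Constructed RA bytes for testing (checksum 0; values are sample data, not captured traffic)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, router_lifetime, 0, 0)
    sll = bytes([OPT_SOURCE_LINK_LAYER, 1]) + bytes.fromhex(mac.replace(":", ""))
    net = ipaddress.IPv6Network(prefix)
    pflags = 0x80 | (0x40 if autonomous else 0)   # L = on-link, A = autonomous
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, pflags,
                      2592000, 604800, 0) + net.network_address.packed
    return hdr + sll + pio


if __name__ == "__main__":
    # Home-router style: SLAAC address, DNS via stateless DHCPv6 (M=0, O=1, A=1).
    print(host_action(parse_ra(build_ra(managed=False, other=True, prefix="2001:db8:1:2::/64", autonomous=True))))
    # Enterprise style: M=1, A=0 -> no SLAAC address; the address comes from stateful DHCPv6.
    print(host_action(parse_ra(build_ra(managed=True, other=False, prefix="2001:db8:1:2::/64", autonomous=False))))
```

A practical check to keep in mind when reading these flags on a real capture: an RA with router lifetime 0 still carries prefixes and flags but must not be installed as a default gateway, and a prefix option without the A flag never produces a SLAAC address no matter what M and O say.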
This lack of an IPv6 address table in a router can make bringing up new devices more difficult. With no DHCP table and tools like Overlook Soft's Fing not supporting IPv6, it can be frustrating to find a device's IP address so that you can get to its admin interface. Fortunately, manufacturers are building captive portals and default names into devices, freeing you from having to address it by IP address, either IPv4 or v6.
Finding MAC-IP Association
Another IPv6 by-product is the elimination of ARP (Address Resolution Protocol). IPv4 devices broadcast an ARP request over a LAN asking all devices for the MAC address associated with a specific IPv4 address. In contrast, IPv6 uses NDP messages to map IPv6 addresses to MAC addresses on a LAN: a device multicasts an NS message for a specific IPv6 address to that address's solicited-node multicast group (ff02::1:ff00:0/104 plus the last 24 bits of the target), so only devices that have joined that group, normally just the target itself, need to process it.
In Windows, you see MAC-IPv4 associations by using arp -a and MAC-IPv6 associations by netsh interface IPv6 show neighbors from the command line. Here's output from arp -a...
and netsh interface IPv6 show neighbors commands.
Notice in the above output that arp shows multiple MAC-IPv4 associations, but the netsh output shows only two MAC-IPv6 associations. This illustrates an efficiency in IPv6. In many small networks, a PC only needs to know the MAC address of its default gateway. Due to the broadcast nature of arp, a PC is likely to learn the MAC-IPv4 associations of multiple PCs on the LAN. With the more focused multicast messages of NDP, a PC is going to only learn the MAC-IPv6 associations it needs, such as its default gateway.
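The reason the NDP cache stays small is the destination of the NS. The following added example (not from the article) computes the solicited-node multicast group for a target address and the Ethernet multicast MAC it maps to, then checks which host on a link would actually receive a given NS. The addresses are constructed; the same function also serves DAD, since a DAD probe for a tentative address goes to exactly this group.

```python
"""Solicited-node multicast (RFC 4291 s2.7.1) behind a Neighbor Solicitation: added example."""
import ipaddress
from typing import Iterable

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(target: str) -> ipaddress.IPv6Address:
    """ff02::1:ff00:0/104 with the low 24 bits of the target appended."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def ethernet_multicast(group: ipaddress.IPv6Address) -> str:
    """RFC 2464 s7: 33:33 followed by the low 32 bits of the IPv6 multicast group."""
    low32 = int(group) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def hears_solicitation(listener_addrs: Iterable[str], target: str) -> bool:
    """A NIC joins the solicited-node group of each of its own addresses;
    it receives an NS only if the target's group is one of them."""
    groups = {solicited_node(a) for a in listener_addrs}
    return solicited_node(target) in groups


if __name__ == "__main__":
    router = ["fe80::1", "2001:db8:1:2::1"]                                  # constructed router addresses
    pc = ["fe80::21a:2bff:fe3c:4d5e", "2001:db8:1:2:21a:2bff:fe3c:4d5e"]     # constructed EUI-64 PC addresses
    ns_target = "2001:db8:1:2::1"                                            # the PC resolving its gateway
    group = solicited_node(ns_target)
    print(group, ethernet_multicast(group))        # ff02::1:ff00:1 33:33:ff:00:00:01
    print(hears_solicitation(router, ns_target))   # True: the router joined that group
    print(hears_solicitation(pc, ns_target))       # False: the PC's NIC filters it out
    # Both PC addresses share their low 24 bits, so they share one group.
    print(solicited_node(pc[0]) == solicited_node(pc[1]))   # True
```

Contrast this with ARP: the IPv4 request goes to ff:ff:ff:ff:ff:ff and every host on the segment processes it and typically caches the sender, which is why arp -a above lists neighbours the PC never talked to.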
Another interesting Windows IPv6 quirk is its use of temporary addresses. You may have noticed your IPv6-enabled PC has multiple global IPv6 addresses, some labeled IPv6 Address and others labeled Temporary IPv6 Address. In the image below, generated via ipconfig /all, you can see my PC has global and unique local IPv6 addresses, some preceded by the word "Temporary."
Windows' Temporary IPv6 Addresses
With EUI-64 derived addresses, even though the global IPv6 prefix may change from network to network, the last 64 bits (the interface identifier, derived from the MAC address) stay constant. Thus, a device using EUI-64 can be tracked as it moves from network to network, which is a privacy problem; RFC 4941 (privacy extensions for SLAAC) was written to address it.
Windows addresses that issue with a combination of random addressing and of keeping both a permanent IPv6 address and temporary IPv6 addresses. Windows periodically changes the temporary address and uses it as the source of outbound traffic, so the inbound responses arrive at the temporary address too. Since the last 64 bits of the address a Windows device uses for outbound connections change periodically, the device cannot be tracked across networks by its interface identifier; the permanent address still stays constant for anything that learns it, such as inbound connections.
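An added example of how temporary interface identifiers can be generated, following RFC 4941 section 3.2.1 (an MD5 chain over a 64-bit history value and the stable interface identifier). Windows' own random method is not described on this page, so this is the RFC's construction, not Windows' code. The stable (EUI-64 style) identifier and the zero initial history value are constructed for the example; a real implementation seeds the history from random data and persists it across reboots.

```python
"""RFC 4941 temporary interface identifiers: added example following the RFC, not Windows' implementation."""
import hashlib
import ipaddress
from itertools import islice
from typing import Iterator


def temporary_iids(stable_iid: bytes, history: bytes) -> Iterator[bytes]:
    """Yield successive temporary IIDs per RFC 4941 s3.2.1.

    Each step hashes (history || stable IID) with MD5, as the RFC specifies;
    the left 64 bits become the new IID and the right 64 bits the next history value.
    """
    if len(stable_iid) != 8 or len(history) != 8:
        raise ValueError("stable IID and history value are 64 bits each")
    while True:
        digest = hashlib.md5(history + stable_iid).digest()
        iid = bytearray(digest[:8])
        iid[0] &= 0xFD                 # clear the universal/local bit: locally generated IID
        history = digest[8:]           # right half seeds the next round
        # RFC 4941 restarts if the result is reserved or already in use; here we
        # reject only the all-zero IID and a collision with the stable IID.
        if any(iid) and bytes(iid) != stable_iid:
            yield bytes(iid)


def address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


if __name__ == "__main__":
    stable = bytes.fromhex("021a2bfffe3c4d5e")   # constructed EUI-64 IID for MAC 00:1a:2b:3c:4d:5e
    history = bytes(8)                            # constructed; real code uses persisted random data
    prefix = "2001:db8:1:2::/64"
    print("permanent:", address(prefix, stable))
    for iid in islice(temporary_iids(stable, history), 3):
        print("temporary:", address(prefix, iid))   # a different low 64 bits each time
    # The permanent IID is identical under any prefix; the temporary ones are not tied to the MAC.
    print(address("2001:db8:9:9::/64", stable))
```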
I observed that web traffic from my IPv6-enabled Windows PC to IPv6-enabled sites on the Internet used my temporary IPv6 address as the source address instead of the permanent IPv6 address. I also observed over a few days that my temporary IPv6 address changed, while my permanent IPv6 address did not.