
How IPv6 Works

IPv6 is the successor to IPv4. It replaces 32-bit addresses with 128-bit addresses, eliminates the need for NAT, replaces ARP with a new protocol called NDP, and changes the security model of every network it touches. It has been standardized since 1998 and deployed since the early 2000s, yet the migration from IPv4 is still incomplete.

Why IPv6 Exists

IPv4 has approximately 4.3 billion addresses. That seemed like plenty in 1981, but the explosive growth of the internet, mobile devices, and IoT exhausted the global IPv4 address pool. IANA (the Internet Assigned Numbers Authority) allocated the last blocks of IPv4 addresses to the Regional Internet Registries in 2011. The RIRs have since exhausted their pools, with some allowing only very small allocations to new organizations.

NAT extended IPv4's lifespan by letting an entire network share a single public address, but NAT adds complexity, breaks end-to-end connectivity, complicates peer-to-peer applications, and requires the NAT device to keep per-connection state for every flow passing through it. IPv6 solves address exhaustion permanently by providing a vastly larger address space.

IPv6 was not designed as just "IPv4 with bigger addresses." It also simplified the header format (fixed at 40 bytes, compared to IPv4's variable 20-60 bytes), eliminated header checksums (relying on link-layer and transport-layer checksums instead), made IPsec a fundamental part of the specification, and replaced broadcast with multicast.

128-Bit Addressing

An IPv6 address is 128 bits long, written as eight groups of four hexadecimal digits separated by colons:

2001:0db8:85a3:0000:0000:8a2e:0370:7334

Two simplification rules make addresses more readable:

Leading zeros within each group can be dropped: 2001:db8:85a3:0:0:8a2e:370:7334

Consecutive all-zero groups can be replaced with :: (but only once per address): 2001:db8:85a3::8a2e:370:7334. RFC 5952 pins down the canonical form: the :: replaces the longest run of zero groups (the first one on a tie), and a single zero group is written as 0, never as ::. Because the same address has many valid spellings, tools that match addresses as text (allowlists, log searches) should parse them first rather than compare strings.

The address space is enormous. 2^128 equals approximately 3.4 x 10^38 unique addresses. That is roughly 340 undecillion, or about 5 x 10^28 addresses for every person on Earth. Even with inefficient allocation, this is effectively inexhaustible.

A typical IPv6 allocation to an end user is a /48 or /56 prefix, giving them 2^80 or 2^72 addresses respectively. A single /48 contains 65,536 /64 subnets, each with 2^64 (18.4 quintillion) host addresses. The scale is difficult to comprehend compared to IPv4's scarcity.
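The two notation rules above, implemented from scratch so the tie-breaking and single-zero cases are explicit. This is an added example, not code from the original post or from the BLEShark project; it uses only the Python standard library, and the `same_address` helper is this example's own name for the "parse, then compare" check.

```python
import ipaddress


def expand(addr: str) -> list:
    """The eight four-digit groups of an address, e.g. '::1' -> ['0000', ..., '0001']."""
    return ipaddress.IPv6Address(addr).exploded.split(":")


def compress(addr: str) -> str:
    """Canonical text form per RFC 5952: drop leading zeros in every group and
    replace the longest run of two or more zero groups with '::'. On a tie the
    first run wins; a single zero group is written as '0', never as '::'."""
    groups = [int(g, 16) for g in expand(addr)]
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, g in enumerate(groups):
        if g == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best_len:          # strictly greater keeps the first run on ties
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    hexed = [format(g, "x") for g in groups]   # format() drops leading zeros
    if best_len < 2:
        return ":".join(hexed)
    left = ":".join(hexed[:best_start])
    right = ":".join(hexed[best_start + best_len:])
    return f"{left}::{right}"


def same_address(a: str, b: str) -> bool:
    """Compare addresses as values, not strings. An allowlist or log search that
    compares text will miss '2001:DB8::1' written as '2001:0db8:0:0:0:0:0:1'."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)
```

`compress("2001:db8:0:0:1:0:0:1")` returns `2001:db8::1:0:0:1` (two equal runs, the first is shortened), and `compress("2001:db8:0:1:1:1:1:1")` leaves the lone zero group alone.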

graph TD
    subgraph "IPv6 Address Structure - /64 network"
        A[128 bits total] --> B[Network Prefix - 64 bits]
        A --> C[Interface Identifier - 64 bits]
        B --> D[Global Routing Prefix - 48 bits]
        B --> E[Subnet ID - 16 bits]
        C --> F[Derived from MAC - EUI-64]
        C --> G[Or - Random - privacy extensions]
        C --> H[Or - DHCPv6 assigned]
    end
    subgraph "Scale Comparison"
        I[IPv4 - 2^32 = 4.3 billion] --> J[IPv6 - 2^128 = 340 undecillion]
        J --> K[Each person could have 5 x 10^28 addresses]
    end

Figure 1 - IPv6 address structure showing the 64-bit network prefix and 64-bit interface identifier

Address Types

IPv6 defines several address categories:

Global Unicast (2000::/3). The equivalent of IPv4 public addresses. Globally routable, assigned by ISPs, and unique across the entire internet. 2000::/3 is the only block IANA currently allocates for global unicast, so every such address begins with 2 or 3.

Link-Local (fe80::/10). Automatically configured on every IPv6 interface. These addresses are valid only on the local network segment (link) and are never routed. Link-local addresses are used for NDP, routing protocol exchanges, and communication between devices on the same link when no global address is needed. Every IPv6 device has at least one link-local address.

Unique Local (fc00::/7, in practice fd00::/8 with a randomly chosen 40-bit global ID, RFC 4193). The IPv6 equivalent of IPv4's private addresses (RFC 1918). Routable within a site but not on the global internet. Used for internal networks that do not need internet-facing addresses.

Multicast (ff00::/8). Replaces IPv4 broadcast entirely. IPv6 has no broadcast concept - functions that used broadcast in IPv4 (like ARP) use multicast in IPv6. Important multicast addresses include ff02::1 (all nodes on the link), ff02::2 (all routers on the link), and ff02::1:ff00:0/104 (solicited-node multicast, used by NDP).

Loopback (::1). The equivalent of IPv4's 127.0.0.1. Used for communication within the same device.

Unspecified (::). The equivalent of IPv4's 0.0.0.0. Used as a source address when a device does not yet have an address (e.g., during SLAAC).
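An added example (not from the original post or the BLEShark project) that classifies an address into the categories above and derives the two multicast facts a practitioner keeps needing: the solicited-node group for a unicast address and the Ethernet destination MAC for any IPv6 group (RFC 2464). The category table and the `SCOPES` map are this example's own; the prefixes come from RFC 4291.

```python
import ipaddress

# The categories described above, most specific first. fc00::/7 is the whole
# ULA block; in practice only fd00::/8 (locally assigned) is used.
CATEGORIES = [
    ("unspecified",    ipaddress.IPv6Network("::/128")),
    ("loopback",       ipaddress.IPv6Network("::1/128")),
    ("link-local",     ipaddress.IPv6Network("fe80::/10")),
    ("unique-local",   ipaddress.IPv6Network("fc00::/7")),
    ("multicast",      ipaddress.IPv6Network("ff00::/8")),
    ("global-unicast", ipaddress.IPv6Network("2000::/3")),
]

# Multicast scope nibble (RFC 4291 2.7, realm-local from RFC 7346).
SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x3: "realm-local",
          0x4: "admin-local", 0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def classify(addr: str) -> str:
    """Name the category an address falls in, or 'other/reserved' (e.g. ::ffff:0:0/96)."""
    a = ipaddress.IPv6Address(addr)
    for name, net in CATEGORIES:
        if a in net:
            return name
    return "other/reserved"


def multicast_scope(group: str) -> str:
    """Decode the scope nibble of a multicast address; ff02 = link scope."""
    a = ipaddress.IPv6Address(group)
    if not a.is_multicast:
        raise ValueError(f"{group} is not multicast")
    scope = (int(a) >> 112) & 0xF          # low nibble of the first 16-bit group
    return SCOPES.get(scope, f"reserved-{scope:x}")


def solicited_node(unicast: str) -> str:
    """ff02::1:ffXX:XXXX with the low 24 bits of the unicast address. A node joins
    this group for each of its addresses, so an NS reaches it without a broadcast."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24))


def multicast_mac(group: str) -> str:
    """Ethernet destination for an IPv6 group (RFC 2464): 33:33 + low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))
```

Two uses worth noting: a filter that drops Router Advertisements whose source is not `link-local` is a cheap first check (RFC 4861 requires RAs to come from a link-local address), and because many unicast addresses share the same low 24 bits, a host listening for `solicited_node(addr)` will also see solicitations meant for other addresses in that group and must compare the target field before answering.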

Neighbor Discovery Protocol

NDP (Neighbor Discovery Protocol, RFC 4861) replaces ARP and several other IPv4 mechanisms. It uses ICMPv6 messages (not a separate protocol) and multicast (not broadcast) for all its functions.

NDP serves five main purposes:

Router Discovery. Devices find routers by sending Router Solicitation (RS) messages to the all-routers multicast address (ff02::2). Routers respond with Router Advertisement (RA) messages containing the network prefix, default route, MTU, and flags indicating whether SLAAC or DHCPv6 should be used. Routers also send periodic unsolicited RAs.

Address Resolution. This is the IPv6 equivalent of ARP. When a device needs the link-layer (MAC) address for an IPv6 address, it sends a Neighbor Solicitation (NS) to the solicited-node multicast address derived from the low 24 bits of the target's IPv6 address. Only nodes that have joined that group (normally just the target, since collisions in the low 24 bits are rare) receive the message; the one whose address matches the target field responds with a Neighbor Advertisement (NA) containing its MAC address.

Duplicate Address Detection (DAD). Before using a new IPv6 address, a device sends an NS for that address with the unspecified address (::) as the source. If nothing comes back, the address is unique. If an NA arrives, or the device sees another node's NS for the same target, the address is already in use and must not be configured; a SLAAC host then generates a different interface identifier.

Redirect. Similar to ICMP Redirect in IPv4. A router tells a host that a better first-hop router exists for a specific destination.

Neighbor Unreachability Detection (NUD). Devices verify that the neighbors they are actively sending to are still reachable, using upper-layer confirmation (such as TCP acknowledgements) where available and unicast NS probes otherwise. This replaces the simple timeout-based ARP cache expiration with active reachability confirmation.

sequenceDiagram
    participant H as New Host
    participant R as Router
    participant N as Neighbor
    Note over H: Device joins network
    H->>H: Generate link-local address fe80::1
    H->>H: DAD - send NS for fe80::1
    Note over H: No response - address is unique
    H->>R: Router Solicitation - ff02::2
    R->>H: Router Advertisement - prefix 2001:db8::/64 + flags
    H->>H: Generate global address via SLAAC
    H->>H: DAD for global address
    Note over H: Address configured
    H->>N: Neighbor Solicitation - who has 2001:db8::2?
    N->>H: Neighbor Advertisement - MAC 11:22:33:44:55:66
    H->>N: Data packet to MAC 11:22:33:44:55:66

Figure 2 - NDP workflow from joining a network through address configuration to neighbor resolution
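The resolution step in Figure 2 as actual bytes: an added example (not code from the original post or the BLEShark project) that builds the NS and the NA, computes the ICMPv6 checksum over the pseudo-header, and parses the reply back. The addresses and MACs are the constructed ones from the diagram; `exchange` is this example's own driver. The R/S/O flag handling in `build_na` is also what a forged NA would set (O=1 overwrites the victim's cache entry), which is the point made in the security section below.

```python
import ipaddress
import struct

ICMPV6 = 58                 # IPv6 Next Header value for ICMPv6
NS, NA = 135, 136           # Neighbor Solicitation / Neighbor Advertisement
OPT_SLLA, OPT_TLLA = 1, 2   # source / target link-layer address options


def checksum(src: str, dst: str, msg: bytes) -> int:
    """ICMPv6 checksum over the RFC 8200 pseudo-header (src, dst, length, next
    header) plus the message. IPv6 has no header checksum, so this is the only
    integrity check an NDP message carries; a receiver must verify it."""
    data = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I3xB", len(msg), ICMPV6) + msg)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def lladdr_option(kind: int, mac: str) -> bytes:
    # type, length (in 8-octet units), then the 6-byte MAC
    return struct.pack("!BB", kind, 1) + bytes.fromhex(mac.replace(":", ""))


def build_ns(src: str, target: str, src_mac: str) -> tuple:
    """NS asking for target's MAC, addressed to target's solicited-node group."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    dst = str(ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24))
    body = (struct.pack("!BBHI", NS, 0, 0, 0)            # type, code, csum placeholder, reserved
            + ipaddress.IPv6Address(target).packed + lladdr_option(OPT_SLLA, src_mac))
    return dst, body[:2] + struct.pack("!H", checksum(src, dst, body)) + body[4:]


def build_na(src: str, dst: str, target: str, target_mac: str, solicited=True, override=True) -> bytes:
    """NA carrying target's MAC. R/S/O are the top bits of the 32-bit field after
    the header; O=1 tells receivers to overwrite an existing cache entry, which is
    exactly the bit a spoofed NA sets to hijack a neighbor."""
    flags = (int(solicited) << 30) | (int(override) << 29)   # R (bit 31) = 0: not a router
    body = (struct.pack("!BBHI", NA, 0, 0, flags)
            + ipaddress.IPv6Address(target).packed + lladdr_option(OPT_TLLA, target_mac))
    return body[:2] + struct.pack("!H", checksum(src, dst, body)) + body[4:]


def parse_nd(src: str, dst: str, msg: bytes) -> dict:
    """Verify the checksum (the sum over a correct message is zero) and decode NS/NA."""
    if len(msg) < 24 or checksum(src, dst, msg) != 0:
        raise ValueError("bad length or ICMPv6 checksum")
    typ, code, _csum, word = struct.unpack("!BBHI", msg[:8])
    if typ not in (NS, NA) or code != 0:
        raise ValueError("not an NS/NA")
    out = {"type": "NS" if typ == NS else "NA",
           "target": str(ipaddress.IPv6Address(msg[8:24])), "lladdr": None}
    if typ == NA:
        out.update(router=bool(word >> 31 & 1), solicited=bool(word >> 30 & 1),
                   override=bool(word >> 29 & 1))
    i = 24                                  # options: TLVs, length in 8-octet units
    while i + 2 <= len(msg):
        kind, ln = msg[i], msg[i + 1]
        if ln == 0:                         # RFC 4861 4.6: length 0 is invalid, drop packet
            raise ValueError("zero-length ND option")
        if kind in (OPT_SLLA, OPT_TLLA) and ln == 1:
            out["lladdr"] = ":".join(f"{b:02x}" for b in msg[i + 2:i + 8])
        i += ln * 8
    return out


def exchange() -> tuple:
    """Constructed run of the resolution step in Figure 2: 2001:db8::1 resolves
    2001:db8::2. Returns (NS destination group, decoded NS, decoded NA)."""
    host, host_mac = "2001:db8::1", "00:11:22:33:44:55"
    nbr, nbr_mac = "2001:db8::2", "11:22:33:44:55:66"
    dst, ns = build_ns(host, nbr, host_mac)          # multicast to ff02::1:ff00:2
    na = build_na(nbr, host, nbr, nbr_mac)           # unicast reply to the asker
    return dst, parse_nd(host, dst, ns), parse_nd(nbr, host, na)
```

Nothing in the NA ties it to the NS except the target field, and nothing ties either to the sender's real MAC; the checksum only detects corruption, not forgery. The zero-length option check matters in practice: an option with length 0 would loop a naive parser forever, and RFC 4861 requires such packets to be discarded.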

SLAAC vs DHCPv6

SLAAC (Stateless Address Autoconfiguration) is the primary method for IPv6 address assignment. It requires no server infrastructure - devices configure themselves using information from Router Advertisements.

The process works like this:

  1. The device generates a link-local address (fe80:: plus an interface identifier derived from the MAC address or randomly generated).
  2. The device performs DAD to confirm the address is unique.
  3. The device sends a Router Solicitation and receives a Router Advertisement containing the network prefix.
  4. The device combines the prefix with its interface identifier to form a global unicast address.
  5. DAD is performed on the global address before it is used.

Privacy extensions (RFC 4941, now RFC 8981) address a concern with SLAAC: if the interface identifier is derived from the MAC address, the same device can be tracked across different networks, and its MAC (and therefore its vendor) can be read straight out of its address. Privacy extensions generate random temporary interface identifiers that change periodically, making tracking harder. For the stable address, RFC 7217 describes identifiers that are constant within a network but different in every network, and current operating systems default to one of these schemes rather than EUI-64, which is now mostly seen on routers and embedded devices.
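Steps 1 to 4 above, carried through in code, with both interface-identifier choices side by side. This is an added example, not code from the original post or the BLeShark project: the EUI-64 derivation follows RFC 4291 Appendix A, the stable identifier follows RFC 7217's F(prefix, interface, secret) construction with HMAC-SHA256 chosen as the PRF (RFC 7217 leaves the function open), and `mac_from_eui64` is this example's own name for the reverse mapping that makes EUI-64 addresses trackable.

```python
import hashlib
import hmac
import ipaddress


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 App. A): split the MAC,
    insert ff:fe in the middle, and flip the universal/local bit (0x02) of the
    first octet."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02
    return int.from_bytes(b[:3] + b"\xff\xfe" + b[3:], "big")


def stable_iid(prefix: str, ifname: str, secret: bytes, dad_counter: int = 0) -> int:
    """RFC 7217-style stable, opaque IID: a PRF over the prefix, the interface name,
    a per-host secret and a DAD retry counter. Same prefix -> same address; a
    different prefix -> an unrelated address, so the host is not trackable across
    networks and its MAC is not exposed. HMAC-SHA256 is this example's PRF choice."""
    net = ipaddress.IPv6Network(prefix)
    msg = net.network_address.packed[:8] + ifname.encode() + dad_counter.to_bytes(1, "big")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def slaac_address(prefix: str, iid: int) -> str:
    """Steps 3-4 above: combine the advertised /64 prefix with a 64-bit IID.
    Works for the link-local prefix (fe80::/64) and for an RA prefix alike."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with 64-bit IIDs needs a /64 prefix (RFC 4862)")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_eui64(addr: str):
    """Reverse of eui64_iid: recover the MAC if the address looks EUI-64 derived,
    else None. Anyone who sees the address learns the MAC and its vendor OUI."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])
```

For MAC 00:11:22:33:44:55 the link-local address is fe80::211:22ff:fe33:4455 and the global one under 2001:db8:1::/64 is 2001:db8:1:0:211:22ff:fe33:4455; the ff:fe marker in the middle is what `mac_from_eui64` keys on, and it is also the pattern a scanner uses to guess addresses from known vendor OUIs.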

DHCPv6 provides stateful address assignment similar to DHCP for IPv4. It can assign specific addresses, DNS server information, domain search lists, and other configuration options. DHCPv6 is used when administrators need centralized control over address assignments or need to provide configuration that SLAAC cannot deliver (like DNS server addresses on systems that do not honor the RDNSS option in Router Advertisements, RFC 8106). One thing DHCPv6 never provides is the default route: even on a DHCPv6-only network, hosts still learn their router from Router Advertisements, so RAs remain security-relevant everywhere.

Router Advertisements carry two flags that tell hosts which method to use. They work together with the A (Autonomous) flag that each advertised prefix carries in its Prefix Information option, because SLAAC only happens for a prefix with A set:

  • M flag (Managed) - obtain addresses (and other configuration) from DHCPv6
  • O flag (Other) - obtain only non-address configuration (DNS, NTP) from DHCPv6; addresses still come from SLAAC if an advertised prefix has A set
  • Both flags off - SLAAC only, again provided a prefix with A set is advertised; an RA with no such prefix assigns no address at all

Security Implications

IPv6 changes the security model in several significant ways:

No NAT means every device is globally routable. In IPv4, NAT acted as an accidental firewall: because the translator only keeps state for outbound flows, devices behind it could not receive unsolicited inbound connections. In IPv6, every device has a public address and is directly reachable unless something in the path filters the traffic. That filtering must come from an explicit stateful firewall (RFC 6092 describes the default-deny-inbound behavior expected of home gateways); without it, every device on the network is exposed, and host firewalls that were never tested with IPv6 often have no IPv6 rules at all.

NDP spoofing replaces ARP spoofing. Just as ARP has no authentication, basic NDP has no authentication either. An attacker on the local network can send forged Router Advertisements (claiming to be a router and redirecting traffic) or forged Neighbor Advertisements with the Override flag set (the IPv6 equivalent of ARP spoofing). The same lack of authentication makes DAD abusable: an attacker who answers every DAD probe prevents new hosts from configuring any address. SEND (SEcure Neighbor Discovery, RFC 3971) adds cryptographically generated addresses (RFC 3972) and signatures to NDP messages, but adoption is minimal.

Rogue Router Advertisements are particularly dangerous. A malicious RA can advertise a fake prefix, set the attacker as the default gateway, announce the attacker's server as the DNS resolver (RDNSS option), or advertise a router lifetime of 0 to withdraw the legitimate gateway. On a dual-stack network a rogue RA also works against hosts that were only ever "IPv4" in the administrator's mind, because every modern OS enables IPv6 and listens for RAs by default. RA Guard (RFC 6105) on managed switches can filter unauthorized RAs, similar to how DHCP snooping protects against rogue DHCP servers in IPv4; RFC 7113 describes how RAs hidden behind extension headers or fragments evaded early implementations, so the switch must be configured to drop those too.
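An added example (not code from the original post or the BLEShark project) that parses Router Advertisements and does two things with them: decides which address-configuration method the M, O and per-prefix A flags select, as described in the SLAAC section, and audits each RA against a site policy the way RA Guard does on a switch. The RA builder leaves the ICMPv6 checksum at zero (computing it needs the IPv6 pseudo-header and is not the point here). `POLICY`, the router/prefix/DNS values and the two sample RAs are constructed for this example.

```python
import ipaddress
import struct

RA = 134                                   # ICMPv6 Router Advertisement
OPT_SLLA, OPT_PREFIX, OPT_RDNSS = 1, 3, 25  # RFC 4861 options 1 and 3, RFC 8106 option 25


def build_ra(m=False, o=False, lifetime=1800, prefix=None, a_flag=True, rdnss=(), src_mac=None) -> bytes:
    """Construct an RA body: header (hop limit 64, M/O flags, router lifetime,
    reachable/retrans timers 0) followed by the requested options."""
    msg = struct.pack("!BBHBBHII", RA, 0, 0, 64, (m << 7) | (o << 6), lifetime, 0, 0)
    if src_mac:
        msg += struct.pack("!BB", OPT_SLLA, 1) + bytes.fromhex(src_mac.replace(":", ""))
    if prefix:
        net = ipaddress.IPv6Network(prefix)
        pflags = 0x80 | (a_flag << 6)      # L (on-link) and A (autonomous) bits
        msg += struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, pflags,
                           2592000, 604800, 0) + net.network_address.packed
    if rdnss:
        msg += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 1800)
        msg += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    return msg


def parse_ra(msg: bytes) -> dict:
    """Decode the header flags and the options a host acts on."""
    typ, code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", msg[:16])
    if typ != RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(flags & 0x80), "O": bool(flags & 0x40), "router_lifetime": lifetime,
          "prefixes": [], "rdnss": [], "src_mac": None}
    i = 16
    while i + 2 <= len(msg):
        kind, ln = msg[i], msg[i + 1]
        if ln == 0:                                        # RFC 4861 4.6: invalid, discard
            raise ValueError("zero-length option")
        body = msg[i + 2:i + ln * 8]
        if kind == OPT_PREFIX and ln == 4:
            plen, pflags, valid = struct.unpack("!BBI", body[:6])
            ra["prefixes"].append({"prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                                   "L": bool(pflags & 0x80), "A": bool(pflags & 0x40), "valid": valid})
        elif kind == OPT_RDNSS and ln >= 3:
            ra["rdnss"] += [str(ipaddress.IPv6Address(body[6 + 16 * k:22 + 16 * k]))
                            for k in range((ln - 1) // 2)]
        elif kind == OPT_SLLA and ln == 1:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        i += ln * 8
    return ra


def address_config(ra: dict) -> str:
    """What a host does with this RA. SLAAC needs a prefix with A=1; M=1 means
    DHCPv6 for addresses; O=1 alone means DHCPv6 only for other configuration."""
    slaac = any(p["A"] for p in ra["prefixes"])
    if ra["M"]:
        return "DHCPv6 addresses" + (" + SLAAC" if slaac else "")
    if ra["O"]:
        return ("SLAAC" if slaac else "no address") + " + stateless DHCPv6 for options"
    return "SLAAC" if slaac else "no address assignment from this RA"


def audit_ra(src: str, ra: dict, policy: dict) -> list:
    """Findings for one RA against a site policy: the checks RA Guard applies on
    the switch, applied here to a captured message."""
    findings = []
    if not ipaddress.IPv6Address(src).is_link_local:
        findings.append("RA source is not link-local (RFC 4861 requires it)")
    if src not in policy["routers"]:
        findings.append(f"RA from unlisted router {src}")
    if ra["router_lifetime"] == 0:
        findings.append("router lifetime 0: withdraws this router as default gateway")
    for p in ra["prefixes"]:
        if ipaddress.IPv6Network(p["prefix"]) not in policy["prefixes"]:
            findings.append(f"unexpected prefix {p['prefix']}")
    for d in ra["rdnss"]:
        if ipaddress.IPv6Address(d) not in policy["dns"]:
            findings.append(f"unexpected DNS server {d}")
    return findings


# Constructed policy and sample traffic (not captured from a real network).
POLICY = {"routers": {"fe80::1"},
          "prefixes": {ipaddress.IPv6Network("2001:db8:1::/64")},
          "dns": {ipaddress.IPv6Address("2001:db8:1::53")}}


def demo() -> dict:
    """One legitimate RA and one rogue RA that keeps the real prefix but swaps DNS."""
    good = build_ra(o=True, prefix="2001:db8:1::/64", rdnss=["2001:db8:1::53"], src_mac="00:00:5e:00:01:01")
    rogue = build_ra(prefix="2001:db8:1::/64", rdnss=["2001:db8:bad::53"], src_mac="de:ad:be:ef:00:01")
    return {src: audit_ra(src, parse_ra(msg), POLICY)
            for src, msg in (("fe80::1", good), ("fe80::bad", rogue))}
```

The rogue RA in `demo` advertises the correct prefix, so a check on prefixes alone would pass it; it is caught by the unknown link-local source and the unexpected RDNSS server. On a real capture the source address and source MAC come from the IPv6 and Ethernet headers, and a complete check also verifies the ICMPv6 checksum as in the NS/NA example earlier.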

Larger address space complicates scanning. Brute-forcing a /64 subnet (2^64 addresses) is infeasible: at one million probes per second it would take about 585,000 years. Attackers must use other techniques to discover active hosts (RFC 7707 catalogs them): sending to the all-nodes multicast group ff02::1 and watching who answers on the local link, passively collecting addresses from NDP and mDNS traffic, DNS enumeration (forward brute force, zone transfers, reverse-DNS walking), and exploiting predictable address patterns, such as EUI-64 identifiers built from known vendor OUIs, low-numbered addresses like ::1 or ::10, and IPv4 addresses embedded in the interface identifier.

IPsec was originally mandatory in the IPv6 node requirements (RFC 4294). The intent was that every IPv6 device would support encryption and authentication at the network layer. In practice, the requirement was relaxed from "must" to "should" (RFC 6434, carried forward in RFC 8504) because many constrained devices (IoT sensors, embedded systems) lack the resources for IPsec. The framework for end-to-end encryption exists in the protocol specification, but an IPv6 network is no more encrypted by default than an IPv4 one.

The Slow Migration

IPv6 has been standardized for over 25 years, yet global adoption hovers around 40-45% (the share of users reaching Google over IPv6, as measured by Google's IPv6 statistics). The migration has been slow for several reasons:

NAT works well enough. For most users and businesses, NAT solved the address exhaustion problem without requiring a protocol change. The pain of IPv4 exhaustion is mostly felt by ISPs and large organizations, not end users.

Dual-stack complexity. Running both IPv4 and IPv6 simultaneously doubles the operational complexity. Every firewall rule, every DNS entry, every monitoring system must handle both protocols.

Application compatibility. Some applications were written assuming IPv4 addresses (32-bit integers, dotted-decimal notation). Supporting IPv6 requires code changes.

Training and expertise. Network engineers trained on IPv4 need to learn new concepts (NDP, SLAAC, /64 subnets, multicast-heavy operation) and new troubleshooting techniques.

Despite the slow pace, IPv6 adoption is accelerating. Major mobile networks, cloud providers, and content delivery networks are IPv6-native. New IoT deployments increasingly use IPv6 because the address space eliminates the need for complex NAT traversal in device-to-cloud communication.

For security researchers, IPv6 presents both new opportunities and new attack surfaces. The BLEShark Nano operates in local network environments where understanding both IPv4 and IPv6 behavior is essential for comprehensive network analysis.
