IPv6 Explained - 128 Bits of Address Space

What Is IPv6 and Why Does It Exist?

Why IPv6 Exists

IPv4 has 4.3 billion addresses. That number was exhausted. IANA allocated the last /8 blocks in 2011. Regional registries have been rationing scraps ever since. IPv6 was designed to solve this permanently with 128-bit addresses - 340 undecillion possible addresses (3.4 x 10^38). That is roughly 100 addresses for every atom on Earth's surface.

IPv6 is not just "more addresses." The protocol was redesigned with 25 years of IPv4 experience. The header is simplified (fixed 40 bytes, no checksum, no fragmentation fields). Extension headers replace IPv4's variable options. Multicast replaces broadcast. Autoconfiguration is built in rather than bolted on with DHCP.

The transition has been slow. Most networks run both IPv4 and IPv6 simultaneously (dual stack). As of 2025, global IPv6 adoption is roughly 40-45%, with significant variation by country and ISP.

Address Format

An IPv6 address is 128 bits written as eight groups of four hexadecimal digits, separated by colons:

2001:0db8:85a3:0000:0000:8a2e:0370:7334

Leading zeros within each group can be omitted: 2001:db8:85a3:0:0:8a2e:370:7334

One consecutive sequence of all-zero groups can be replaced with :: (once per address): 2001:db8:85a3::8a2e:370:7334

The loopback address (equivalent to IPv4's 127.0.0.1) is ::1. The unspecified address (equivalent to 0.0.0.0) is ::.

IPv6 addresses are typically divided into a 64-bit network prefix and a 64-bit interface identifier. The prefix identifies the subnet. The interface ID identifies the device on that subnet. The standard subnet size is /64, giving each subnet 2^64 (18.4 quintillion) possible addresses.

Address Types

IPv6 eliminates broadcast entirely. Instead, it uses three address types:

  • Unicast - identifies a single interface. Equivalent to a regular IPv4 address. Subtypes include global unicast (publicly routable, within 2000::/3), link-local (fe80::/10, used for communication on the local link), and unique local (fc00::/7, equivalent to RFC 1918 private addresses).
  • Multicast - identifies a group of interfaces. A packet sent to a multicast address is delivered to all members of the group. All-nodes multicast (ff02::1) replaces the IPv4 broadcast address. All-routers multicast (ff02::2) reaches every router on the link.
  • Anycast - identifies a set of interfaces, but the packet is delivered to the nearest one (by routing metric). Used for load balancing and redundancy. DNS root servers use anycast.

Every IPv6-enabled interface automatically generates a link-local address (fe80::/10) using its MAC address or a random identifier. This address is usable immediately for communication on the local segment without any configuration or server. It is used for neighbor discovery, router discovery, and other local protocols.
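The address rules from "Address Format" and the ranges from "Address Types" above, implemented by hand as an added example (not code from the original post): expanding and compressing the text form, splitting the /64 prefix from the interface identifier, and classifying an address. The ADDRESS_RANGES table and the "other/reserved" label are my own naming, not part of the post.

```python
import re

HEX_DIGITS = set("0123456789abcdefABCDEF")
# Ranges named in the post; the two /128 entries are single addresses.
ADDRESS_RANGES = [("::", 128, "unspecified"), ("::1", 128, "loopback"),
                  ("ff00::", 8, "multicast"), ("fe80::", 10, "link-local"),
                  ("fc00::", 7, "unique-local"), ("2000::", 3, "global-unicast")]

def parse_ipv6(text: str) -> int:
    """Expand a textual address (optionally using '::') into a 128-bit integer."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once per address")
    head, _, tail = text.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    if "::" in text:
        missing = 8 - len(left) - len(right)       # zero groups that '::' stands for
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + ["0"] * missing + right
    else:
        groups = left
    valid = [g for g in groups if 0 < len(g) <= 4 and set(g) <= HEX_DIGITS]
    if len(groups) != 8 or len(valid) != 8:
        raise ValueError(f"malformed address: {text!r}")
    return int("".join(g.zfill(4) for g in groups), 16)

def compress_ipv6(value: int) -> str:
    """Canonical text form: no leading zeros, longest run of zero groups as '::'."""
    full = ":".join(f"{(value >> (16 * (7 - i))) & 0xFFFF:x}" for i in range(8))
    # runs of two or more all-zero groups, aligned to group boundaries
    runs = list(re.finditer(r"(?:^|(?<=:))0(?::0)+(?=:|$)", full))
    if not runs:
        return full                                  # a lone 0 group is not shortened
    best = max(runs, key=lambda m: m.end() - m.start())   # leftmost run wins ties
    return full[:best.start()].rstrip(":") + "::" + full[best.end():].lstrip(":")

def split_prefix(value: int) -> tuple:
    """Return the /64 network prefix and the 64-bit interface identifier."""
    return value >> 64, value & ((1 << 64) - 1)

def address_type(value: int) -> str:
    """Classify an address by comparing its leading bits with each range."""
    for prefix, length, name in ADDRESS_RANGES:
        if value >> (128 - length) == parse_ipv6(prefix) >> (128 - length):
            return name
    return "other/reserved"
```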

No More NAT

With 2^128 addresses available, there is no shortage to work around. Every device can have a globally unique, publicly routable address. This restores the end-to-end connectivity principle that NAT broke in IPv4.

Without NAT, firewalls become the primary access control mechanism. A stateful firewall still blocks unsolicited inbound connections, providing the same "natural firewall" effect that NAT accidentally created. The difference is that the firewall is an explicit security policy, not a side effect of address translation.

Some organizations still deploy NAT66 (NAT for IPv6) to hide internal address structure, but this is controversial in the IPv6 community. The design intent is that firewalls, not NAT, should handle access control.

Neighbor Discovery Protocol

IPv6 replaces ARP with Neighbor Discovery Protocol (NDP), which runs over ICMPv6. NDP handles:

  • Address resolution - equivalent to ARP. A device sends a Neighbor Solicitation (ICMPv6 Type 135) to find the MAC address of a neighbor. The neighbor responds with a Neighbor Advertisement (Type 136). Unlike ARP, these are multicast rather than broadcast.
  • Router discovery - routers periodically send Router Advertisements (Type 134) announcing their presence, the network prefix, and configuration options. Hosts use this for autoconfiguration.
  • Duplicate Address Detection (DAD) - before using an address, a device sends a Neighbor Solicitation for its own address. If nobody responds, the address is unique. If someone responds, there is a conflict.
  • Redirect - routers can redirect hosts to a better first-hop router for a specific destination.

NDP has the same fundamental security problem as ARP: no authentication. An attacker on the local link can send forged Neighbor Advertisements to redirect traffic, just like ARP spoofing. SEND (Secure Neighbor Discovery, RFC 3971) adds cryptographic signatures to NDP messages, but deployment is minimal.
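An added example, not code from the original post, of the defensive side of the point above (and of the "Router Advertisement attacks" and "NDP spoofing" items under Security Implications): a small monitor over constructed NDP records that flags a Router Advertisement from a MAC not on an allowlist (the same idea as RA Guard) and a Neighbor Advertisement that changes a previously learned IPv6-to-MAC binding. The NdpMessage record, the sample MACs and the addresses are constructed for the example.

```python
from dataclasses import dataclass

ROUTER_ADVERTISEMENT, NEIGHBOR_ADVERTISEMENT = 134, 136   # ICMPv6 types from the post

@dataclass
class NdpMessage:
    """One observed NDP message, with the fields a capture tool would extract."""
    icmp_type: int
    src_mac: str        # link-layer source address of the frame
    src_ip: str         # IPv6 source address (link-local for RAs)
    target: str = ""    # Target Address field of a Neighbor Advertisement
    lladdr: str = ""    # Target Link-Layer Address option of a Neighbor Advertisement

def analyse(messages, trusted_router_macs):
    """Return alerts for RAs from unknown routers and NAs that change a known binding."""
    bindings = {}        # target IPv6 -> link-layer address first seen advertising it
    alerts = []
    for m in messages:
        if m.icmp_type == ROUTER_ADVERTISEMENT and m.src_mac not in trusted_router_macs:
            alerts.append(f"rogue RA: {m.src_ip} from {m.src_mac} is not a trusted router")
        elif m.icmp_type == NEIGHBOR_ADVERTISEMENT:
            known = bindings.setdefault(m.target, m.lladdr)
            if known != m.lladdr:   # a NIC replacement also trips this, so treat it as a lead
                alerts.append(f"binding change: {m.target} was {known}, now {m.lladdr}")
    return alerts

# Constructed sample capture: the real router's RA and NA, then an RA from an
# unknown MAC and an NA re-announcing the router's address with that MAC.
ROUTER_MAC, ROUTER_IP = "00:11:22:33:44:01", "fe80::211:22ff:fe33:4401"
OTHER_MAC, OTHER_IP = "de:ad:be:ef:00:01", "fe80::dcad:beff:feef:1"
SAMPLE = [
    NdpMessage(134, ROUTER_MAC, ROUTER_IP),
    NdpMessage(136, ROUTER_MAC, ROUTER_IP, target=ROUTER_IP, lladdr=ROUTER_MAC),
    NdpMessage(134, OTHER_MAC, OTHER_IP),
    NdpMessage(136, OTHER_MAC, ROUTER_IP, target=ROUTER_IP, lladdr=OTHER_MAC),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE, trusted_router_macs={ROUTER_MAC}):
        print(alert)
```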

Dual Stack and Transition

Most networks today run dual stack - both IPv4 and IPv6 simultaneously. Every device has both an IPv4 address and an IPv6 address. Applications prefer IPv6 when available (Happy Eyeballs algorithm) and fall back to IPv4 when it is not.

Transition mechanisms include 6to4, Teredo, and 464XLAT for connecting IPv6 islands through IPv4 infrastructure. These add complexity and create additional attack surface that pure IPv4 or pure IPv6 networks do not have.

The long transition timeline means security teams must understand both protocols. An organization might have strong IPv4 security controls but weak or nonexistent IPv6 policies, creating blind spots.

Security Implications

IPv6 introduces security considerations that many organizations overlook:

  • Dual-stack exposure - if a network has IPv6 enabled but no IPv6 firewall rules, the entire internal network may be reachable via IPv6 while IPv4 access controls block the same traffic.
  • Router Advertisement attacks - an attacker can send fake Router Advertisements to become the default gateway, similar to a rogue DHCP server attack in IPv4.
  • NDP spoofing - the IPv6 equivalent of ARP spoofing, with the same man-in-the-middle implications.
  • Extension header abuse - IPv6 extension headers can be chained to create packets that bypass some firewalls and IDS systems that do not fully parse the header chain.
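As an added example (not code from the original post) of what fully parsing the header chain means for the last item: a walker that follows every Next Header field of a raw IPv6 packet, applying the length rule of each extension header type, and reports the anomalies that a filter looking only at the first Next Header byte would miss. build_packet, MAX_CHAIN and the sample packets are constructed for the example; the header type numbers and length rules are the standard ones.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}
MAX_CHAIN = 3   # assumed policy threshold for this example, not a protocol limit

def walk_header_chain(packet: bytes):
    """Follow the Next Header fields; return (chain, upper-layer name, findings)."""
    findings = []
    if len(packet) < 40:
        return [], None, ["truncated: shorter than the fixed 40-byte IPv6 header"]
    next_hdr, offset, chain = packet[6], 40, []
    while next_hdr in EXTENSION_HEADERS:
        if offset + 8 > len(packet):
            return chain, None, findings + ["truncated: chain runs past end of packet"]
        chain.append(next_hdr)
        if next_hdr == HOP_BY_HOP and len(chain) > 1:
            findings.append("Hop-by-Hop header not first in the chain (RFC 8200)")
        if next_hdr == FRAGMENT:          # fixed 8 bytes
            length = 8
        elif next_hdr == AH:              # Payload Len in 4-byte units, minus 2
            length = (packet[offset + 1] + 2) * 4
        else:                             # Hdr Ext Len in 8-byte units, first 8 excluded
            length = (packet[offset + 1] + 1) * 8
        next_hdr, offset = packet[offset], offset + length
    if len(chain) > MAX_CHAIN:
        findings.append(f"unusually long chain of {len(chain)} extension headers")
    dups = sorted({h for h in chain if h != DEST_OPTS and chain.count(h) > 1})
    if dups:                              # only Destination Options may legitimately repeat
        findings.append(f"repeated extension headers: {dups}")
    return chain, UPPER_LAYER.get(next_hdr, f"protocol {next_hdr}"), findings

def build_packet(chain, upper=58):
    """Constructed sample: IPv6 header + minimal 8-byte extension headers + 8-byte payload."""
    types = list(chain) + [upper]
    body = b"".join(bytes([types[i + 1], 0]) + bytes(6) for i in range(len(chain)))
    body += bytes(8)                                  # dummy upper-layer payload
    header = struct.pack("!IHBB", 0x60000000, len(body), types[0], 64)
    src = bytes.fromhex("fe80" + "0" * 27 + "1")     # fe80::1
    dst = bytes.fromhex("ff02" + "0" * 27 + "1")     # ff02::1 (all-nodes)
    return header + src + dst + body
```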

The BLEShark Nano monitors 2.4GHz WiFi traffic, which carries both IPv4 and IPv6 frames. As IPv6 deployment grows, understanding the protocol's security properties becomes increasingly relevant for wireless security assessments.
