Back to Basics – The IPv6 Address Types
To celebrate the release of RFC 8200 which standardizes IPv6 I thought it would be appropriate to do some “back to the basics” IPv6 blog posts. The goal is to help those who might not have gotten on the bandwagon early with IPv6 adoption as well as to provide an easy-to-read refresher for those of us who have been doing this awhile. It never hurts to go back and review material now and then.
So why IPv6 address types? I think the address types available in IPv6 often get overlooked. Many times, the only address people pay attention to are the “daily drivers” used to configure a node. Yes, a global unicast address is what we have been telling you to use all along but what does that really mean?
Let’s jump right in and review the three main address types and then look at how each of those break down in more detail.
There are three main address types in IPv6. They are:
The vast majority of addresses you will encounter will be of the unicast variety. It turns out that this is true for IPv4 too: very few people deal with addresses that are not unicast for that protocol. Seems the more things change, at least some things stay the same! Remember that the IPv6 address types are really a functional definition. We are defining a function we would like the address to have and how they will operate. This allows for some rules of the road for developing the right behavior for an address as well as context about how to talk about the functionality we expect.
So, what exactly is a unicast address? A unicast address is an address you can assign to a node. That node could be a host (like a server) or a router or any other device that is on the network. The purpose of a unicast address is to allow the node to communicate 1:1 with other nodes on a given network. The specific type of unicast address determines what other nodes on a network it can communicate with. See Tom Coffeen’s blog post on ULA which covers some of the address scoping in more details.
There are three currently permitted types of unicast addresses:
- Global (currently IANA is allocating from the 2000::/3 prefix range)
- Link-local (fe80::/64 – technically by the RFC fe80::/10)
- Unique local (fc00::/7)
All nodes on an IPv6 network will have a link-local address. The vast majority of nodes will dynamically generate this link-local address. The common exception are routers where a network administrator may choose to set something up that matches their design needs. Scott Hogg’s blog on fe80::1 and IPv6 default gateways is a great read about this. This means that the most commonly used unicast address is the link-local. Link-local addresses do have some constraints on them. They are designed to match the logical layer 2 domain only. In other words, they don’t cross a layer 3 boundary at all. They also are not guaranteed to be globally unique. In some cases they may not even be unique within a local corporate network. So, a router could potentially have fe80::1 set up on every interface. I know, it makes your head hurt. Again, see Scott’s blog for details!
The next most common unicast address is global. Sometimes these are called GUA or Global Unicast Addresses. A node that has been allocated a GUA is capable of communicating out to the Internet (assuming routing and firewalls allow it) and is globally unique (assuming no manual configuration duplication error occurred). As implied by its name, a global address is intended to be used on the global Internet for communication. (But it is also the address you most commonly use to communicate when you are passing Layer 3 traffic on any internal network). It is the one type of address that really is required to communicate past any private network you operate and control. Despite the name, you should be using global addresses for all your nodes within your internal network. This is true regardless of whether or not they need to talk to other resources on the Internet at all. Just realize, global (or GUA) is the name of a unicast address type. It does not define its function by the name, only its intended use case as described above.
Finally, you have the Unique Local Address or ULA (defined in RFC 4193). There are not many deployments of ULA (and that is a good thing). The use case is limited and should remain so. ULA is for the rare situations where you need to have a unicast address on a node for the purpose of communicating with other nodes but NEVER want that resources to communicate to a GUA or the Internet at large. Many people jump to the conclusion that ULA is the right fit for their “secure” network needs. This is often a huge mistake. First, it is easy enough to set aside GUA space for the purpose of secure internal communication with routing or security rules that deny that GUA space any access to the public Internet. Secondly, once you do have that use case where a ULA node does need to communicate with something past your network, you have to then give that ULA node a GUA address. Often, this is overlooked. Perhaps a particular node or network needs to talk to a business peering network over a VPN. It could be that the node needs to get software updates or firmware updates from the Internet. The few valid use cases for ULA typically fall into the military and government areas; e.g., battlefield networks, civilian infrastructure systems, sensitive government networks and other highly secure networks that should be fully proxied or isolated from the Internet. If you run one of those, you might consider using ULA to help reduce risk. The tradeoff is but that might be a desired outcome given your risk profile.
I will cover multicast and anycast in part 2 and 3 so keep an eye out!
You can find me on twitter as @ehorley and remember…
IPv6 is the future and the future is now.