The Next Generation IP in Action

The Internet has been growing exponentially since 1990, as more and more organizations enter cyberspace to facilitate business, research, and education. The downside to this phenomenal success is that the Internet faces a serious shortage of IP addresses, those unique strings of binary numbers that identify Internet hosts. In the early 1990s, people predicted that the last Class B IP address would be allocated in March 1994, a month dubbed the Date of Doom. Although researchers developed interim solutions to postpone the Date of Doom, today it's happening all over again: All current IP addresses will be depleted sometime between 2005 and 2010, if the current rate of Internet growth continues.

Fortunately, the Internet Engineering Task Force (IETF), the organization that developed protocol standards for the Internet, foresaw the diminishing IP address problem and other problems related to IP version 4 (IPv4). To address these problems, the IETF developed IP next generation (IPng), and in January 1995 published "The Recommendation for the IP Next Generation Protocol" in its Request for Comments (RFC) 1752. The IETF referred to the new-generation IP as IP version 6 (IPv6) and developed a comprehensive set of IPv6 standards specifying the implementation of IPv6 on the Internet. In addition to its 128-bit address space, which will solve the address-exhaustion problem, IPv6 uses a hierarchical address scheme, an efficient IP header, Quality of Service (QoS), host address autoconfiguration, authentication, and encryption. Because IPv6 differs in important ways from IPv4, the IETF also created a transition mechanism to ease migration from IPv4 to IPv6.

Vendors have started to support IPv6 and deliver IPv6 products. For example, FTP Software has delivered IPv6 stacks for Windows NT 4.0 and Windows 95. IPv6 has already been built into many routers and into UNIX. The Internet backbone for IPv6 testing, 6bone, links 29 countries to develop IPv6 technologies. IPv6 will eventually arrive in your organization. Be sure you understand IPv6 so that you can apply this new technology properly in your network. In this article I'll delve into IPv6 and explain its address scheme, address autoconfiguration, security, and transition mechanism. As you read, you'll see the benefits IPv6 can bring to the Internet and your intranet.

The IPv4 Address Problem
The Internet originated in the Advanced Research Projects Agency Network (ARPANET), which connected government contractors for the US Depart- ment of Defense (DoD). The research for ARPANET began in 1968, and researchers developed IP to standardize communication protocols in ARPANET. Its developers assumed ARPANET would have fewer than several dozen networks. They selected an address-space size of 32 bits: The first 8 bits represented the network (8 bits can identify 28, or 256 networks), and the remaining 24 bits represented the host. As ARPANET grew, its developers realized it would have more than 256 networks, so they separated the 32-bit address space into three classes: Class A, for large networks; Class B, for midsized networks; and Class C, for small networks.

IPv4's Class A 32-bit addresses begin with a 0 bit, followed by a 7-bit identifier and a 24-bit host identifier. Thus, Class A addresses can identify 27, or 128, networks, each of which can have at most 224, or 16,777,216, hosts. Class B 32-bit addresses begin with the bits 1 0, followed by a 14-bit network identifier and a 16-bit host identifier. Class B addresses can identify 214, or 16,384, networks, each with at most 216, or 65,536, hosts. Class C 32-bit addresses begin with the bits 1 1 0, followed by a 21-bit network identifier and an 8-bit host identifier. Class C addresses can identify 221, or 2,097,152, networks, each with at most 28, or 256, hosts. As you can see, there's a big difference between the number of hosts Class B addresses can handle compared with Class C addresses. Organizations that had or expected to have more than 256 hosts needed a Class B address. By 1992, the InterNIC had assigned about half of the available Class B addresses, and industry analysts projected the Date of Doom from the existing address-assignment rates.

Classless interdomain routing (CIDR), an immediate solution to the Date of Doom, came to the rescue. The idea behind CIDR is to give a block of contiguous Class C addresses, rather than a Class B address, to a company that has more than 256 but fewer than several thousand hosts. For example, suppose you have 1500 hosts on your network. You might receive eight contiguous Class C addresses, such as to, with a subnet mask (a pattern of bits that establishes which part of the IP address identifies the network and which part identifies the host) of All the addresses share the most significant (the higher order) 21 bits, followed by 11 bits to identify up to 2048 hosts. By using Class C addresses in this way, CIDR saved Class B addresses from depletion. Unfortunately, CIDR has not solved the IPv4 problem--the InterNIC will allocate all IPv4 addresses one day, and that day will come within the next 10 to 12 years, according to current projections.

Another mechanism is delaying IPv4 address exhaustion: network address translation. NAT was born from fire-wall technology, in which a company enhances its network security by hiding its internal IP addresses from the external network. Using NAT, a company doesn't need globally unique or legitimate addresses for its private network. When NAT sits on the border between a company's network and the Internet, NAT can convert the company's private IP address space to a small pool of globally unique addresses. Because acquiring a Class A or B address is difficult, many large companies use the private addresses that NAT creates for their internal networks.

However, NAT degrades performance in network throughput. NAT must convert addresses for all packets passing to or from the Internet, but most NATs can't pass this address information to the packet payload (contents). This inability leads to application failures when higher-layer (above the network layer) applications, such as FTP and Windows Internet Naming Service (WINS) registration, must embed address information in a packet's payload.

The IPv6 Address Answer
IPv6 overcomes the address-space problem in IPv4 by defining a 128-bit address space. This address space is long enough to connect all of a company's equipment (e.g., computers, printers, pagers) to the Internet without address conflicts.

IPv6 expresses addresses differently than IPv4 does. An IPv6 address contains eight sections separated by colons. Each section contains 16 bits expressed in four hexadecimal numbers. An example IPv6 address is 1234:5678:9ABC:DEF0:1234: 5678:9ABC:DEF0.

Memorizing an IPv6 address isn't easy. Fortunately, IPv6 lets you simplify an address by cutting off the leading zeros from any 16-bit section that contains them and using a double colon (::) to indicate multiple contiguous sections of zeros. For example, you can simplify address 0123:0000:0000:0000:0004:0056: 789A:BCDE to 123::4:56:789A:BCDE. You can use only one double colon in a simplified address; otherwise, IPv6 could not calculate how many 16-bit sections of zeros occur in a simplified address.

In addition to its 128-bit address space, IPv6 designates a hierarchical address for point-to-point communication. IPv6 calls this type of address an aggregatable global unicast address. IPv6 partitions this address into the hierarchical format shown in Figure 1. The number at the beginning of the address is a format prefix that differentiates the aggregatable global unicast address from other types of addresses. At the top of the address hierarchy are top level aggregators (TLAs). TLAs are public network access points (NAPs) that interconnect long-distance service providers and telephone companies. International Internet registries, such as Internet Assigned Numbers Authority (IANA) allocate addresses to TLAs.

In turn, TLAs assign addresses to the next level in the aggregatable global unicast address hierarchy, the next level aggregator (NLA). NLAs are large Internet Service Providers (ISPs). An NLA allocates addresses to the next level in the aggregatable global unicast address hierarchy, the site level aggregator (SLA). An SLA, which is often called a subscriber, can be an organization such as a university or a small ISP. SLAs can assign addresses to their subscribers. In general, SLAs provide subscribers with a block of contiguous addresses so that organizations can create their address hierarchy to identify different subnets.

The last level of the aggregatable global unicast address is the host interface ID, which identifies one host interface. Organizations assign host interface IDs by using a unique number on the subnet, or they can use the host's NIC ID (i.e., the media access control--MAC--address).

Currently, the routing table of an Internet backbone router contains tens of thousands of entries that it uses to look up the path to a destination network. Routing tables keep growing, but a large routing table degrades a router's performance and can cause routing instabilities. The design of the aggregatable global unicast address can reduce a routing table's size by route aggregation or summarization. For example, with aggregatable global unicast addressing, a US backbone router needs only one entry (i.e., TLA) in its routing table for all networks in the UK. When the router receives a packet addressed to a network in the UK, it uses the TLA ID in the packet's destination address to find the path to the UK TLA in its routing table; then the router forwards the packet to the UK TLA. The UK TLA examines the NLA ID in the packet's destination address to determine the routing path to the NLA and sends the packet to the NLA. Finally, the NLA delivers the packet to its destination network according to the SLA ID in the destination address. This efficient global routing hierarchy operates similarly to the public telephone network.

Three Types of IPv6 Addresses
The aggregatable global unicast address is only a part of IPv6 address space. IPv6 defines three types of addresses: unicast, multicast, and anycast. Unicast traffic is the most common traffic on the Internet (a unicast address specifies one recipient). The aggregatable global unicast address is well designed for this point-to-point communication. IPv6 also defines two special unicast addresses for intranets. The first is the link local unicast address, and the second is the site local unicast address. You use the link local unicast address if you let packets traverse on only one link or segment. Routers will not forward packets with link local unicast addresses. You use the site local unicast address if you want to limit the packet delivery scope to your intranet. The edge router connecting your internal network to the external network will never forward packets with site local unicast addresses to the external network.

As in IPv4, IPv6 multicast addresses deliver copies of one source packet to recipients. All recipient hosts in the multicast group receive copies of the same message from one multicast stream. IPv6 supports two kinds of multicast addresses: permanent and transient. Permanent multicast addresses are well-known multicast addresses for special uses, such as for all routers in a local network. You can define a transient multicast address for a multicast group in your network, such as an audio conference. The IPv6 multicast address contains a 112-bit multicast group ID. This address lets you designate a large number of multicast groups for your multicast applications. In the IPv6 multicast address, you can specify multicast scope, which can be node-local, link-local, site-local, or global. In IPv6, multicasting to all nodes in your organization replaces the broadcasting capability in IPv4.

IPv6 introduces a third type of address, the anycast address. Anycast addresses deliver a message to a group of nodes. You use an anycast address to represent a group of nodes. Anycast differs from multicast in that it delivers a message to any one of the nodes in a group. When one node, often the nearest node in the group, receives the message, anycast is finished. You can group routers in an anycast group, and a host can send a query to the anycast group to find the nearest router. You can apply the same concept to other network systems or services, such as Domain Name System (DNS) servers. Currently, IPv6 limits anycast group members to routers only.

Address Autoconfiguration
Manually configuring IP addresses in hosts is a tedious task. Managing static addresses assigned to hosts is also difficult, especially when you need to change static addresses. In IPv4, a Dynamic Host Configuration Protocol (DHCP) server lets you maintain a pool of IP addresses. A host can lease an address and obtain configuration information (such as a default gateway and DNS servers) from the DHCP server, which lets the host automatically configure its IP address. IPv6 inherits this autoconfiguration service from IPv4 and refers to it as stateful autoconfiguration.

In addition to stateful autoconfiguration, IPv6 introduces a stateless autoconfiguration service, which provides more flexible address management. In the stateless autoconfiguration process, a host first generates a link local unicast address by appending its 64-bit NIC ID to the link local address prefix 1111111010. (The Institute of Electrical and Electronics Engineers--IEEE--has changed the old NIC 48-bit globally unique ID--GUID--to a 64-bit GUID known as EUI-64. If the NIC ID is 48 bits, the NIC driver for IPv6 will convert the 48-bit NIC ID to a 64-bit ID according to an IEEE formula.) The host then sends a query, called neighbor discovery, to the same address to verify the uniqueness of the link local unicast address. If there is no response, the self-configured link local unicast address is unique. Otherwise, the host uses a randomly generated interface ID to form a new link local unicast address. Using this link local address as a source address, the host multicasts a request for configuration information, called router solicitation, to all routers on the local link. The routers respond to the request with a router advertisement that contains an aggregatable global unicast address prefix and other relevant configuration information. The host automatically configures its global address by appending its interface ID to the global address prefix it receives from the router. Now the host can communicate with any other host on the Internet. Figure 2 illustrates the stateless autoconfiguration process.

With stateless autoconfiguration, you can change all your network addresses without intervening manually. For example, when you switch to a new ISP, you will be given a new aggregatable global address prefix. The ISP can propagate the prefix from its router to your routers. Your routers advertise the prefix to all hosts in your network, because the routers periodically multicast the router advertisements to all the hosts on their local links. The new addresses replace the old addresses when the hosts receive the new address prefix through the router advertisements.

IP Security
Security is always an important topic on the Internet, and the original IP design did not address security. You probably have heard stories about hackers in the early days of the Internet who attacked government, military, and corporate networks and stole sensitive information. To increase Internet security, IETF developed a set of IP Security (IPSec) protocols that have protected IP communications since 1995. IPSec is part of IPv6 and an optional extension to IPv4.

IPSec supplies two security features: authentication and encryption. Authentication lets you know that the data you receive is from the actual sender and was not altered in transit. Authentication deters hackers from attacking your network and data. Encryption encodes data to provide data confidentiality, and it prevents hackers from decoding the data when it traverses the network. The Authentication Header (AH) protocol in IPSec defines the way you can use authentication. Encapsulating Security Payload (ESP) IEEE standard in IPSec defines the way you can apply encryption and optional authentication. You can use either or both of the protocols in your IP communications based on your security requirements. Both AH and ESP can provide authentication, but AH provides stronger authentication than ESP provides.

When you apply AH or ESP in a specific communication, the protocol is associated with a set of security information and services. This association is referred to as Security Association. SA might include the authentication algorithm, the encryption algorithm, and the keys for authentication and encryption. IPSec uses a key distribution and exchange protocol, such as Internet Security Association and Key Management Protocol (ISAKMP), to establish and maintain the SA. The SA is a one-way logical connection. For example, authenticated communication between two hosts will use two SAs, one in each direction.

IPSec defined two types of SAs: transport mode and tunnel mode. The transport-mode SA inserts the AH or ESP header after the IP header (and any optional extension headers) and before any upper-layer headers (such as the TCP or UDP header) and data. (See the sidebar "What's New in the IPv6 Header" to learn about IPv6 headers.) The tunnel-mode SA, however, puts the entire original IP packet into a new IP packet. You will see two IP headers for each packet in tunnel mode: an outer header specifying the destination for IPSec processing, and an inner header specifying the ultimate destination of the packet. You can use the transport-mode SA only between two hosts, but you can use the tunnel-mode SA between two hosts or between two security gateways, or between a host and a security gateway. A security gateway can be a router, firewall, or Virtual Private Network (VPN) device.

An important application of IPSec is VPN, which secures communications between networks connected through a public network, such as the Internet. Figure 3, page 206, shows an IPSec-enabled VPN, in which you can apply the two SA modes according to your security requirements. For example, if you treat your internal network as a trusted network, you can use the tunnel mode between your network's two security gateways. A packet traverses between a host and the security gateway in the same network. The security gateway encrypts the packet to the Internet and decrypts the packet from the Internet. If you need to protect communication all the way from a host in your network to a host in a different network, you can establish a secure channel between the two hosts with the transport mode or tunnel mode. Figure 3 shows that a mobile host attached to the Internet can use IPSec to communicate with its home network without a security leak.

IPSec, as a part of IPv6, is a network layer protocol. It deals with underlying network security regardless of the higher-layer applications, such as Web, email, and file transfer. To authenticate a Web session, you still need Secure Sockets Layer (SSL) protocol. However, protocols in the TCP/IPv6 suite can take full advantage of IPSec. For instance, the Open Shortest Path First (OSPF) routing protocol for IPv6 removed the authentication feature you find in OSPF for IPv4.

IPv6 Transition
The benefits of IPv6 are the driving force behind a worldwide effort to upgrade the Internet and corporate networks to IPv6. This global upgrade is not an overnight project. IETF recognized that it will be impossible for all systems on the Internet and corporate networks to upgrade from IPv4 to IPv6 at once. Mixed and heterogeneous IPv6 and IPv4 systems will need to coexist on the Internet for a long time. As part of the IPv6 development effort, IETF defined the processes that will drive the transition from IPv4 to IPv6, including three mechanisms: the IPv4-compatible IPv6 address, dual IP stacks, and IPv6 over IPv4 tunneling.

The IPv4-compatible IPv6 address is a special IPv6 unicast address that an IPv6 and an IPv4 node can use to communicate over an IPv4 network. This address has a prefix of 96 zero bits followed by a 32-bit IPv4 address. For example, if a node's IPv4 address is, its IPv4-compatible IPv6 address will be 0:0:0:0:0:0:C038:101.

The dual IP stack mechanism implements both IPv6 and IPv4 stacks on one system, either a host or a router. Such a system, an IPv6 and IPv4 node, has both IPv6 and IPv4 addresses and can send and receive IPv6 and IPv4 packets.

Compared to the dual IP stack mechanism, IPv6 over IPv4 tunneling is a more complicated method. The tunneling mechanism encapsulates IPv6 data inside IPv4 packets to carry IPv6 data between an IPv6 node and an IPv4 node over existing IPv4 networks, such as the Internet. Three steps are involved in the tunneling process: encapsulation, decapsulation, and tunnel management. In encapsulation, the tunnel entry point creates an IPv4 header, encapsulates the IPv6 packet in a new IPv4 packet, and transmits the packet. In decapsulation, the tunnel endpoint removes the IPv4 header, recovers the original IPv6 packet, and processes it. Finally, the tunnel entry point maintains the tunnel configuration information, such as the maximum transfer unit (MTU) size that the tunnel supports.

There are four tunneling scenarios: router-to-router, host-to-router, host-to-host, and router-to-host. In the network Figure 4 shows, which uses an IPv4 routing infrastructure to carry IPv6 packets, you can apply one of the four tunneling scenarios according to the spe- cific communication between two hosts. For example, when Host 2 sends an IPv6 packet to Host 4, Router A will encapsulate the IPv6 packet in an IPv4 packet destined to Router B. When Router B receives the IPv4 packet, it decapsulates the packet and forwards it to Host 4. In this tunneling, the tunnel endpoint (Router B) is not the packet's final destination (Host 4). The tunnel entry point (Router A) must determine the tunnel endpoint and find the tunnel endpoint's address from configuration information when the tunnel entry point establishes the tunnel. Therefore, this type of tunneling is called configured tunneling. When Host 7 sends a packet to Host 1, Host 7 establishes a host-to-router tunnel between itself and Router A. Because Router A is not the packet's final destination, this host-to-router tunneling is also configured tunneling.

When a host with an IPv4-compatible IPv6 address sends a packet to another host with an IPv4-compatible address through an IPv4 routing network, the source host can establish a host-to-host tunnel. The tunnel entry point, the source host, determines that the destination host is the tunnel endpoint and automatically extracts the lower order 32 bits of the IPv4-compatible address to determine the tunnel endpoint's address. This type of tunneling is called automated tunneling. In automated tunneling, the tunnel endpoint is always the packet's ultimate destination. For example, in Figure 4, when Host 5 sends a packet to Host 7, it can use automated tunneling from Host 5 to Host 7. Automated tunneling also applies to the router-to-host tunneling scenario. For instance, when Host 4 sends a packet to Host 5, Host 4 can use automated tunneling from Router B to Host 5.

The dual IP stack and IPv6 over IP4 tunneling mechanisms let you migrate IPv4 to IPv6 in your network at a controllable pace. Before your IPv6 transition, you must have a new DNS server in place that supports both IPv4 and IPv6. You can use the new resource record type AAAA for an IPv6 host and address in the DNS server, and the record type A for an IPv4 host and address. The new DNS server will handle both AAAA and A records for IPv6 and IPv4 nodes. Currently, the new versions of UNIX operating systems (OSs) from Digital Equipment, IBM, and Sun Microsystems support the new DNS and IPv6. Although Microsoft DNS in Windows NT Server 4.0 includes the AAAA record type, Microsoft TCP/IP for NT doesn't speak IPv6 yet.

Where Are You Going Today?
IPv6 is the long-term solution to building a reliable, manageable, secure, and high-performance Internet and IP network. Now that you understand IPv6's important features and benefits, you must know where you plan to go to apply this new technology to your network. Study IPv6, add it to your long-term project plan, get your hands on it, ask vendors to support it, integrate it into your network upgrade, and deliver it to your clients. You might be curious about Microsoft's support for IPv6 in NT 4.0 and 5.0. Unfortunately, whether and how Microsoft will support IPv6 is mainly a mystery. However, Microsoft is implementing IPSec in NT 5.0, a subject I will address in a future article. Microsoft might not completely support IPv6 now, but the Internet is off and running to a new destination, and its name is IPv6.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.