IPv6 series - 10 common problems for beginners

Based on problems that my colleagues and I have run into, I selected 10 questions and answer them in this article.

Question 1: Are the only differences between IPv4 and IPv6 the address formats?

In addition to the different address formats, IPv4 and IPv6 protocol stacks are also different. They are logically two completely different worlds.

Here are four differences that are often encountered in practice:

▷ Basic communication process: ND replaces ARP, multicast replaces broadcast, the fe80 address becomes standard, and ICMP becomes the core of communication

▷ IP configuration method: Stateless automatic IP configuration by the client becomes the mainstream, weakening DHCP

▷ DNS domain name resolution: AAAA records replace IPv4 A records, and there are priority issues for applications (whether AAAA or A should be resolved first)

▷ Application layer adaptability: In socket programming, AF_INET only supports IPv4, and AF_INET6 only supports IPv6

Question 2: Is the transition from IPv4 to IPv6 transparent to applications?

No. The transition is visible to applications, and the upper-layer application needs to be adapted.

For example, when visiting fzxiaomange.com, the client has to decide whether to resolve the IPv6 address (AAAA) or the IPv4 address (A) first, because it must choose one path to send the request over. Many frameworks now give priority to IPv6.

Note: If an AAAA record is resolved, the request may still be attempted over IPv6 even if the local machine has no routable IPv6 address, causing the request to fail.

Another typical example is a program that exchanges the underlying IP address at the application layer. For example, FTP active mode exchanges the IPv4 address at the application layer. If an IPv6 address is actually in use, this can cause abnormalities in subsequent connections.

The fact that the transition cannot be made transparent and imperceptible to applications is one of the reasons why some IPv4-to-IPv6 transition schemes emerged.
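The AAAA-first failure described in the note above can be avoided by treating every resolved address as a candidate and falling back when one fails. The following Python code is an added example, not code from the original article; the function names and the loopback scenario in demo() are constructed for illustration.

```python
import socket

def order_candidates(addrinfos, prefer_ipv6=True):
    """Sort getaddrinfo()-style tuples so one family is tried first; the other stays as fallback."""
    first = socket.AF_INET6 if prefer_ipv6 else socket.AF_INET
    return sorted(addrinfos, key=lambda ai: ai[0] != first)

def connect_first(addrinfos, timeout=1.0):
    """Try candidates in order; return (socket, family, errors) for the first that connects."""
    errors = []
    for family, socktype, proto, _canon, sockaddr in addrinfos:
        sock = None
        try:
            sock = socket.socket(family, socktype, proto)
            sock.settimeout(timeout)      # a blackholed IPv6 path must not hang the client
            sock.connect(sockaddr)
            return sock, family, errors
        except OSError as exc:            # no IPv6 stack, no route, refused, timed out
            errors.append((sockaddr[0], exc))
            if sock is not None:
                sock.close()
    raise OSError(f"all {len(errors)} candidates failed: {errors}")

def connect_dual_stack(host, port, timeout=1.0):
    """Resolve both AAAA and A, prefer IPv6, fall back to IPv4 instead of failing."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return connect_first(order_candidates(infos), timeout)

def demo():
    # Constructed scenario: the service listens on IPv4 loopback only, but the
    # candidate list (as if returned by DNS) also contains an IPv6 address.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    candidates = [
        (socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", ("127.0.0.1", port)),
        (socket.AF_INET6, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", ("::1", port, 0, 0)),
    ]
    sock, family, errors = connect_first(order_candidates(candidates))
    sock.close()
    srv.close()
    return family, [addr for addr, _ in errors]

if __name__ == "__main__":
    print(demo())
```

In demo() the IPv6 attempt fails first and the connection is then made over IPv4, which is the behaviour a client needs when an AAAA record exists but the IPv6 path does not work.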

Question 3: To provide web services, do I need to configure an IPv6 address for each server?

There is a saying now that "there are unlimited IPv6 addresses, and each server can be equipped with an IP address without the need for NAT."

This is very misleading. How to use IPv6 depends on the scenario. For example, my personal blog fzxiaomange.com consists of nginx->php->mysql, which are located on three servers. You only need to configure the IPv6 address on nginx and add an AAAA record on DNS pointing to the IPv6 address of L7. There is no need to configure IPv6 addresses on the php and mysql servers; configuring them would expose the intranet directly.

Configuring IPv6 on every device is mainly suitable for client-oriented scenarios and scenarios with high address demand, such as IoT devices, mobile 4G, and home broadband.

In addition, IPv6 has NAT, which is suitable for scenarios where office PCs, computer room servers, etc. need to access the IPv6 network but do not want others to actively access the network.

Question 4: Do IPv4 and IPv6 need to be configured on the same network card?

Both options work. First, you need to understand two terms: "single stack" and "dual stack":

From the node point of view (general explanation):

▷ Single stack: a node (a server or a mobile phone, for example) that has only an IPv6 address or only an IPv4 address. The former is called "IPv6 single stack" or "IPv6-Only", and the latter is called "IPv4 single stack" or "IPv4-Only".

▷ Dual stack: a node that has both an IPv6 address and an IPv4 address

From the perspective of the network card:

▷ Single stack: a network card has only an IPv6 address or only an IPv4 address

[Figure: single stack]

▷ Dual stack: a network card has both an IPv6 address and an IPv4 address

[Figure: dual stack]

IPv4 and IPv6 are logically two completely disjoint worlds. If the terminal is on the same physical layer for both, such as the same VLAN, then the IPv6 address and the IPv4 address have to be configured on the same network card; otherwise, one network card must be configured with IPv6 and the other with IPv4. Therefore, the key is how the network architecture is designed, and each option has its pros and cons. For example, if both are placed on the same network card, bandwidth can be shared, while if they are placed on different network cards, bandwidth can be limited and charged separately.

Question 5: My network card has an address starting with fe80. Can I use it to access the public network?

[Screenshots: fe80 address on win10 and centos7]

When the network card is started, a "Link-Local Address" is automatically generated, which is a unicast address in fe80::/10. The "Link-Local Address" is used for IP autoconfiguration, neighbor discovery, etc.

Note:

▷ Core: Each network card has a "link-local address", which is the core of IPv6 protocol communication and should not be deleted

▷ Scope: The message is transmitted only within the same Layer 2 scope and will not be forwarded by the router

▷ Address: The algorithm for the "link-local address" is not uniform. Some operating systems calculate it based on the MAC address (EUI-64), while others calculate it randomly or using some other algorithm.

▷ Service: Although the link-local address can communicate within Layer 2, it is mainly used for core communication and some high-level network protocols. It is not suitable for communication between upper-layer application services. Therefore, it cannot be used to access the public network or provide external services.

Question 6: How to configure an IPv6 address

Public and private addresses

▷ Public network address: “Global Unicast Address” (2000::/3)

▷ Private network address: “Unique-Local Address” (fc00::/7)

Careful readers may wonder why it is called "global unicast address" here, while "unique local address" is not called "unique local unicast address". They are actually abbreviations. They are defined as "Global Unicast Addresses" and "Link-Local IPv6 Unicast Addresses" in the RFC. In fact, "global unicast address" could be called "global address", but that seems a bit awkward.
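To make the fe80::/10, fc00::/7 and 2000::/3 ranges from Questions 5 and 6 concrete, the following added Python example (not from the original article) classifies an address by those prefixes, derives the link-local address an EUI-64 based system computes from a MAC, and recovers the MAC that an EUI-64 interface ID exposes. Function names and sample addresses are constructed.

```python
import ipaddress

# Prefixes as given in the article; first match wins.
SCOPES = [
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),
    ("global-unicast", ipaddress.ip_network("2000::/3")),
]

def _parse(addr):
    return ipaddress.IPv6Address(addr.split("%")[0])  # drop a zone id such as %eth0

def classify(addr):
    ip = _parse(addr)
    return next((name for name, net in SCOPES if ip in net), "other")

def eui64_link_local(mac):
    """Link-local address that an EUI-64 based stack derives from this MAC."""
    b = bytearray.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("MAC must be 6 bytes")
    b[0] ^= 0x02                                   # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))

def embedded_mac(addr):
    """MAC exposed by an EUI-64 interface ID, or None for random/manual IIDs.
    Heuristic: a random IID contains the ff:fe marker by chance 1 time in 65536."""
    iid = _parse(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)

def audit(addresses):
    """Scope and exposed MAC (if any) for each address on a host."""
    return [(a, classify(a), embedded_mac(a)) for a in addresses]

if __name__ == "__main__":
    # Constructed sample: addresses as they might appear on one interface.
    sample = ["fe80::216:3eff:fe12:3456%eth0", "fd00:1234::10",
              "2001:db8::216:3eff:fe12:3456", "2001:db8::8c4e:11a0:77f2:9b03"]
    for row in audit(sample):
        print(row)
    print(eui64_link_local("00:16:3e:12:34:56"))
```

A global address whose interface ID is EUI-64 derived carries the same hardware identifier on every network the host joins, which is why it matters which algorithm the operating system uses.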

Automatically generated or fixed IP

In IPv6, any unicast address can be automatically generated or manually configured as a fixed IP, depending on the application scenario:

▷ Client: If you only want to access the IPv6 Internet and do not provide external services, you can use automatic generation without a fixed IP address

▷ Server: If you need to provide external services, the IP address needs to be fixed and cannot be automatically generated.

Automatic IP configuration

There are two methods in IPv6: "stateful" and "stateless"

▷ Stateful: The address is managed by the DHCPv6 Server, and the DHCPv6 Client obtains an available IP address from it.

▷ Stateless (SLAAC): The router sends a "Router Advertisement" (RA) message, which contains the prefix information of the IPv6 address. On receiving the RA packet, the client automatically generates one or more IP addresses based on the prefix information.

Question 7: How to resolve MAC addresses without ARP

The ARP protocol is the protocol used by IPv4 to resolve the target MAC address. In IPv6, the address is resolved using the Neighbor Discovery Protocol (NDP or ND for short).

ND is not a specific protocol, but an abstract set of protocols used to describe multiple related functions. All the protocols covered are based on ICMPv6. There are two types of messages related to MAC address resolution:

▷ Neighbor Solicitation (NS) message: requests resolution

▷ Neighbor Advertisement (NA) message: responds to the resolution request

This is very similar to ping:

▷ Ping: Send an ICMP echo request message, and the other end responds with an ICMP echo reply message

▷ Address resolution: Send an ICMP NS message, and the other end responds with an ICMP NA message

Question 8: IPv6 uses multicast instead of broadcast. What changes are needed?

IPv6 uses multicast instead of broadcast. The characteristic of multicast is that it does not completely flood like broadcast, but data packets are only sent to machines that have joined the multicast group.

However, this has a prerequisite: the switch must be able to identify and maintain multicast group information. Mainstream switches have this function, but not all have it enabled by default. For Layer 2 switches, MLDv2 Snooping needs to be enabled.

As the name implies, the switch will identify which port the "MLDv2 Member Report" message is sent from and record it. Later, when the switch receives a multicast packet, it will first check whether its multicast address can be matched in the cache.

▷ Match succeeds: The data packet is only sent out of the corresponding port

▷ Match fails: The data packet is flooded, which is no different from broadcasting

Question 9: Is IPv6 really secure?

The ideal is beautiful. IPv6 was designed with many security features from the start. The "complete" IPv6 has at least the following three advantages in terms of security:

▷ Natively supported end-to-end encryption

▷ Secure Neighbor Discovery (SEND)

▷ Larger address space

The reality is cruel. Only point 3 has worked. The larger address space reduces the probability of being illegally scanned. Points 1 and 2 have not really become popular because the protocol itself is very complex, difficult to learn, and difficult to implement. Therefore, in order to accelerate the popularization of IPv6, the IETF no longer requires security. As a result, IPv6 is not as secure as expected. The address spoofing and false gateways that exist in IPv4 still exist in IPv6.
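Because address spoofing and false gateways still exist, ND traffic is worth monitoring. The following Python code is an added example and is not part of the original article; it flags a Neighbor Advertisement that rebinds an address to a different MAC and a Router Advertisement from a MAC that is not a known router. The message tuples, their field layout and the router list are constructed assumptions.

```python
import ipaddress

# Constructed sample: ND messages already decoded from a capture on one VLAN.
# Tuple layout is an assumption of this example: (kind, source MAC, address),
# where address is the advertised target for NA and the sender for RA.
SAMPLE = [
    ("RA", "00:00:5e:00:53:01", "fe80::1"),
    ("NA", "00:00:5e:00:53:10", "2001:db8:1::10"),
    ("NA", "00:00:5e:00:53:11", "2001:db8:1::11"),
    ("NA", "00:00:5e:00:53:66", "2001:0db8:0001::0010"),  # second MAC claims ::10
    ("RA", "00:00:5e:00:53:66", "fe80::bad"),             # RA from an unlisted MAC
    ("NA", "00:00:5e:00:53:10", "2001:db8:1::10"),        # original owner again
]
KNOWN_ROUTERS = {"00:00:5e:00:53:01"}   # hypothetical allowlist of router MACs

def detect(messages, known_routers):
    """Return (message number, alert, address, MAC) for suspicious ND messages."""
    bindings = {}   # normalized IPv6 address -> first MAC seen advertising it
    alerts = []
    for n, (kind, mac, addr) in enumerate(messages, 1):
        mac = mac.lower()
        ip = str(ipaddress.IPv6Address(addr))   # one spelling per address
        if kind == "RA" and mac not in known_routers:
            alerts.append((n, "unexpected-router", ip, mac))
        elif kind == "NA":
            owner = bindings.setdefault(ip, mac)
            if owner != mac:
                alerts.append((n, "binding-conflict", ip, mac))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE, KNOWN_ROUTERS):
        print(alert)
```

The first MAC seen for an address is trusted here, so a legitimate hardware replacement also raises a binding-conflict alert and has to be confirmed by an operator.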

Question 10: How to learn IPv6

There are many IPv6 tutorials available online, many of which focus on IPv6 addresses, IP packet formats, and ICMP packet formats, which can easily discourage beginners. Although I am not a professional network engineer, I hope to provide some inspiration. The recommended learning steps are as follows:

1️⃣ History and design concept of IPv6

2️⃣ IPv6 address format, classification, prefix calculation, and comparison with IPv4

3️⃣ Configuration and viewing of IP address and gateway routing

4️⃣ Server-side practice, try to add IPv6 to your website

5️⃣ Client practice, let your PC access IPv6 Internet

6️⃣ Application layer practice, write a pair of C/S programs by yourself, which can support both IPv4 and IPv6

7️⃣ IPv6 communication principles, capture and analyze each packet, become familiar with ND, DHCPv6, etc.

8️⃣ Inter-access and transition between IPv4 and IPv6

9️⃣ IPv6 Security
