By convention, each device on the LAN under IPv6 gets a /64 subnet, right? That's an obscene number of addresses per device! Why not make the addresses shorter, say, 72 bits, then each device would get 256 addresses in its subnet, which would save several bytes per packet during transmission (which is a Good Thing). Why the need for such insanely long addresses?
-
FYI, check out my answer to [this question](https://networkengineering.stackexchange.com/q/53935/8499). – Ron Maupin Oct 20 '18 at 04:32
2 Answers
> By convention, each device on the LAN under IPv6 gets a /64 subnet, right?

No. Each network is almost always a /64 network. Each host still gets one or more addresses on the network, but I don't know of any OS that will handle more than a few dozen addresses for an interface on a LAN.

> Why the need for such insanely long addresses?

That is so that we don't get in the same position as we are with IPv4. IPv4 ran out of addresses a long time ago, but it was extended by breaking the IP end-to-end premise with kludges like NAT. IPv6 has enough addresses that we should not get into the same position for the foreseeable future, and it restores the IP foundation of end-to-end connectivity because each device can have a unique IP address.

-
On your second point. I understand the need to make addresses longer, but 2^128 is many orders of magnitude more than the number of particles in the universe! We could guarantee unique addresses for a trillion years with far fewer bytes. My question wasn't about the need to make addresses longer, it was asking who decided to make them *astronomically* long? There are actually physical arguments (see Feynman's Lectures on Computation) that prove it's impossible to carry out more than 2^100 or so operations, period, on any computer, even one the size of the universe. – Elliot Gorokhovsky Dec 05 '16 at 21:32
-
Also, could you give me a link explaining the whole `/64` convention? A comment on a [previous question](https://networkengineering.stackexchange.com/questions/37070/mac-spoofing-and-eui-64/37072?noredirect=1#comment57710_37072) I asked said, "Technically, an ISP should give every site a /48 network block, giving everyone 65,536 /64 networks. [RFC 6177, IPv6 Address Assignment to End Sites](https://tools.ietf.org/html/rfc6177) has relaxed that, but most ISPs give their business customers a /48. ISPs will not advertise any prefixes longer than /48." – Elliot Gorokhovsky Dec 05 '16 at 21:36
-
Break it down into parts. 64 bits for the network, and 64 bits for the host. The idea is that we never need to go back to the well for more addresses. Also, 128 bits is a nice round number for both 32- and 64-bit computers. Many things are starting to use 128-bit numbers, e.g. GUIDs. There were parties to the negotiation that wanted the 160-bit numbers. You also need to remember that we don't know what is coming. The IoT has the ability to suddenly use far more addresses than you can imagine for sensors and controls in homes, businesses, cars, public places, etc. – Ron Maupin Dec 05 '16 at 21:40
-
Wait a second... the quote in my previous comment is from you! What did you mean when you said "Technically, an ISP should give every site a /48 network block,"? – Elliot Gorokhovsky Dec 05 '16 at 21:44
-
Most networks, with very few exceptions, e.g. `/127` point-to-point networks, will use a `/64` network. Using other size networks can break some IPv6 features. ISPs need to advertise prefixes to each other (that _is_ the Internet), and advertising prefixes longer than `/48` would make the routing table far too large to handle. Currently, ISPs will not advertise any prefix longer than `/24` for IPv4, and the public routing tables are extremely large. Advertising `/48` for IPv6 is twice as many bits. – Ron Maupin Dec 05 '16 at 21:44
-
Wait, I think I get it... Each network gets a /64. But ISPs only advertise /48. So the in-between is just fffffffff or whatever? – Elliot Gorokhovsky Dec 05 '16 at 21:47
-
No. Each _network_ gets `/64`. A single host interface can have a single Global IPv6 address, or it can have several (in the same network, or in multiple networks). There is going to be a host OS limit to this, and the largest I have heard about is 32 addresses on an interface. There are a few reasons to have multiple addresses on an interface, but it really doesn't need to be any different than IPv4 today. – Ron Maupin Dec 05 '16 at 21:48
-
No. An ISP assigns a `/48` per business site, and will advertise that. That gives a business 65,536 networks to use at the site. Many companies actually could use more than that, so they will get a `/44` network, or smaller prefix. – Ron Maupin Dec 05 '16 at 21:50
-
OK. So I guess what I don't understand is, why did you say "Each network is almost always a /64 network. Each host still gets one or more addresses on the network, but I don't know of any OS that will handle more than a few dozen addresses for an interface on a LAN."? What's the distinction? Each host gets a /64 subnet, right? So what's the problem? – Elliot Gorokhovsky Dec 05 '16 at 21:53
-
No. The _network_ is `/64` not the host. For example, with IPv4, you probably have a network like `192.168.1.0/24`. The _network_ is a `/24`, but each host is assigned only one address from that `/24` network. IPv6 is the same thing, except IPv6 specifically allows you to assign multiple addresses to a host interface. That is much harder with IPv4 because that wasn't really envisioned when IPv4 was created. The network math (e.g. subnetting) is really the same for both IPv4 and IPv6. – Ron Maupin Dec 05 '16 at 21:58
-
Oh, I think I get it... So for example, if my LAN were a `10.0.0.1/8`, my network would be a `/8`, but my hosts would have just one address. So for IPv6, my LAN is a `/64`, and each host gets some addresses. What I didn't get is your advertising thing. Did you just mean that if the packet is going between ISPs, it just uses `/48` bits for routing, and then the rest would be routed internally (i.e. within the ISP WAN)? So like, Comcast would advertise the first 48 bits, and then route the remaining 16 internally to my LAN? – Elliot Gorokhovsky Dec 05 '16 at 22:04
-
Each ISP needs to tell its neighboring ISPs what networks it knows how to get to. That is advertising. That is routing 101, how routers learn routes. Any packets destined to a network that the router doesn't know how to get to get dropped. An ISP can have a `/48` network that it divides into smaller networks for its customers, but it will only be able to tell its neighbors about the aggregate `/48` network. If you were to get a provider-independent network from an RIR, your ISP would only be able to advertise it if the prefix is <= `/48`. – Ron Maupin Dec 05 '16 at 22:09
-
OK, makes sense. Final question, then. Why is it that when I run `ifconfig` I get an IPv6 address with a `/64` at the end? Why would ifconfig give me a subnet? Shouldn't it give me a single address per address? – Elliot Gorokhovsky Dec 05 '16 at 22:17
-
That is showing you the network size for that address. You should get the same thing for IPv4 addresses, too, or it may be that IPv4 only gives you the mask. The `/64` is just telling you how long the mask is (how many one bits in the mask). IPv6 notation doesn't actually use the IPv4-style mask, only the CIDR notation for mask length. – Ron Maupin Dec 05 '16 at 22:23
-
Ah. Yes, it does give an explicit 255.255.etc mask for ipv4 – Elliot Gorokhovsky Dec 05 '16 at 22:41
In addition to the other answer, I would direct people who don't understand how IPv6 addresses get assigned to homes/small businesses etc to read this: https://www.rfc-editor.org/rfc/rfc6177
I also thought of another benefit of having /64 site subnets: it makes port scanning impossible given just the network prefix. With IPv4, port scanning is a serious problem, as we saw with worms like Mirai etc (UPnP). With IPv6, your probability of guessing a private address (the 64 bit suffix) is 2^(-64), i.e. 0 (if they're using randomly generated addresses, which they would be if they care about this kind of security). Shorter addresses, like 64+48 (minimum to identify from MAC), would only give 48 bits of protection for random guessing, really 48-3*8 because there are only a few OSI values.

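The answer above depends on the 64-bit suffix (the interface identifier) being randomly generated. As an added example, not part of the original answer, this Python sketch audits an inventory of your own hosts' addresses for suffixes that are structured rather than opaque; the category names, the bit estimates and the sample addresses (documentation prefix `2001:db8::/32`) are assumptions made for illustration.

```python
import ipaddress

# Rough guess space (in bits) per suffix pattern; illustrative estimates only.
GUESS_BITS = {"eui64": 48, "embedded-32bit": 32, "low-value": 16, "opaque": 64}

def iid_bytes(addr: str) -> bytes:
    """Return the low 64 bits (interface identifier) of an IPv6 address."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return iid.to_bytes(8, "big")

def classify_iid(addr: str) -> str:
    """Label the interface identifier by its visible structure."""
    b = iid_bytes(addr)
    if b[3:5] == b"\xff\xfe":
        return "eui64"            # MAC-derived: ff:fe inserted mid-suffix
    if int.from_bytes(b, "big") < (1 << 16):
        return "low-value"        # manually numbered, e.g. ::1 or ::53
    if b[:4] == b"\x00\x00\x00\x00":
        return "embedded-32bit"   # upper half zero, e.g. an IPv4 address
    return "opaque"               # no visible structure (not proof of randomness)

def eui64_mac(addr: str) -> str:
    """Recover the MAC address that an EUI-64 suffix exposes."""
    b = iid_bytes(addr)
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]   # undo the flipped U/L bit
    return ":".join(f"{octet:02x}" for octet in mac)

def audit(addresses):
    """Return (address, kind, bits) for every suffix weaker than 64 bits."""
    findings = []
    for addr in addresses:
        kind = classify_iid(addr)
        if GUESS_BITS[kind] < 64:
            findings.append((addr, kind, GUESS_BITS[kind]))
    return findings

# Constructed sample inventory, not taken from the page.
SAMPLE = [
    "2001:db8:1:2:211:22ff:fe33:4455",    # EUI-64 from MAC 00:11:22:33:44:55
    "2001:db8:1:2::53",                   # manually numbered server
    "2001:db8:1:2::c0a8:10a",             # IPv4 192.168.1.10 embedded
    "2001:db8:1:2:8d3f:51c2:a07e:19b4",   # opaque suffix
]

if __name__ == "__main__":
    for addr, kind, bits in audit(SAMPLE):
        print(f"{addr}: {kind}, about {bits} bits of guess space")
```

Hosts flagged here can usually be moved to randomized identifiers through the operating system's privacy-address or stable-opaque-address settings.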