Debunking the IPv6 Has More Security and QoS Myths

I thought that in the year 2011 … when we’ve had so much talk about IPv6, lots of the smoke about what IPv6 is capable of and what it isn’t capable of would have cleared. Unfortunately not. Today I read this piece from CNET and I went “really? in this age, some major tech website still writes this kind of thing?”. Here are some of the claims they make about the new IPv6-ready D-Link routers:

[a] “Enhanced network security: Plug in an IPv6-enabled D-Link router and the new security feature is automatically turned on.”

Exactly what new security feature are we talking about here? Just to repeat what has been clarified several times all over the web: even though implementation of IPsec is mandatory for IPv6, its usage is NOT, and so IPv6 does not yield any new security benefits over IPv4. In fact, poorly managed, IPv6 is a security risk, as it could completely bypass all that air-tight security you set up for IPv4 on your network edge.

[b] “Increased network speeds and accessibility: As Web sites start to offer content over IPv6 and ISPs deploy IPv6 service, an IPv6-compliant router offers faster connection speeds and provides access to Web sites and applications that have transitioned. With its better design, IPv6 has integrated quality of service, so traffic is classified by voice, video, and data, and transported accordingly, resulting in faster network speeds.”

Puff!!!! Again, IPv6 doesn’t currently offer anything in QoS that IPv4 does not. And sorry to break it to you, but your connection speed is still going to depend upon how much bandwidth you have and not the IP version you are using.

To understand the source of this myth, look at the figure below, which shows the IPv4 header next to an IPv6 one. With respect to QoS, notice that:

  • The field responsible for QoS in IPv4 (specifically, the one that enables a packet to be marked for special treatment) was “ToS”, i.e. Type of Service. This field is 8 bits long. In v6, the field was renamed to the more appropriate “Traffic Class”, but it is the same size and brings nothing new.
  • In IPv6, there is one new field … the “Flow Label”, which is the source of this myth. The flow label is in theory meant to identify upper layer flows, so that a router can recognize them without having to look beyond layer 3 (which could be time-consuming and slower). In reality, that field’s usage has not been defined and so it is currently unused. Therefore … right now, IPv6 offers nothing new for QoS over IPv4, which makes the assertion that IPv6 is faster false.

IPv4 and IPv6 Headers Compared
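
The field layout described above, as an added Python example (not code from the original post): it reads the 8-bit ToS byte from an IPv4 header and the 8-bit Traffic Class plus 20-bit Flow Label from an IPv6 header. The function names and the constructed sample headers are assumptions, and the DSCP/ECN split is the standard DiffServ reading of that byte, which applies identically to both versions.

```python
import ipaddress
import struct

def qos_fields(header: bytes) -> dict:
    """Extract the QoS-related fields from a raw IPv4 or IPv6 header."""
    if not header:
        raise ValueError("empty header")
    version = header[0] >> 4
    if version == 4:
        if len(header) < 20:
            raise ValueError("truncated IPv4 header")
        marking = header[1]              # ToS: the whole second byte
        flow_label = None                # IPv4 has no Flow Label field
    elif version == 6:
        if len(header) < 40:
            raise ValueError("truncated IPv6 header")
        (word,) = struct.unpack("!I", header[:4])
        marking = (word >> 20) & 0xFF    # Traffic Class: 8 bits after the version
        flow_label = word & 0xFFFFF      # Flow Label: low 20 bits of the first word
    else:
        raise ValueError(f"unknown IP version {version}")
    return {
        "version": version,
        "marking": marking,              # same 8-bit field in both versions
        "dscp": marking >> 2,            # DiffServ code point (upper 6 bits)
        "ecn": marking & 0x3,            # ECN (lower 2 bits)
        "flow_label": flow_label,
    }

# Constructed sample headers (documentation addresses, checksum left at 0).
def sample_ipv4(tos: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address("192.0.2.1").packed,
                       ipaddress.IPv4Address("192.0.2.2").packed)

def sample_ipv6(traffic_class: int, flow_label: int = 0) -> bytes:
    word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack("!IHBB16s16s", word, 0, 17, 64,
                       ipaddress.IPv6Address("2001:db8::1").packed,
                       ipaddress.IPv6Address("2001:db8::2").packed)

if __name__ == "__main__":
    # The same marking byte (0xB8) is carried by both headers.
    for pkt in (sample_ipv4(0xB8), sample_ipv6(0xB8)):
        print(qos_fields(pkt))
```
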

Even I used to propagate these myths, which are based off of the original intentions of the IPv6 designers … but as time has gone on, we must do a reality check … the major benefit of IPv6 today is more address space and, with that, maybe a return to the original end-to-end model of the Internet. Who knows what cool innovations will result from that?

IPv6 Subnetting Made Easy

Introduction


Call it emotional attachment to IPv4 or whatever you like, but recently I have become more and more interested in finding an easy way to subnet IPv6 prefixes in my head like we are used to doing in IPv4. This post expands on an idea I picked off of the NANOG mailing list.

The method presented here is for quick subnetting in your head, which you should get with practice. So it works well for a small number of subnets (16 max) but can be expanded for any number of subnets. However, if you have to deal with more than 16 subnets, it is certainly more efficient to use any of the several IPv6 calculators out there (my favourite is sipcalc – a command line tool).

This method helps you answer the question: “Given the prefix PPPP/Y, what are the sub-prefixes of length /Z (where Z > Y) that can be gotten from it?”

I assume that you understand the fundamentals of IPv6 addressing, very basic binary and hex math. I also assume that you know how to arrive at the value Z from an analysis of your network design or requirements.


Definitions


  • Hexit – a single hexadecimal digit (0 – 9, a – f). A hexit is made up of 4 bits.
  • Hex grouping – each of the groups of hexits of an IPv6 address that are separated by colons.
  • Defining hexit – the hexit(s) that change from one subnet to the next but stay the same within a given subnet. Think ‘interesting octet’ from IPv4 subnetting days. You could simply look it up from the following table.

The bit ranges that define various IPv6 hexits

  • Parent prefix – the original prefix to be subnetted in prefix/length format.
  • Y = prefix length of original prefix
  • Z = prefix length of subnets of original prefix

The Procedure


Calculate the following parameters

  1. Number of subnetting bits:  x = Z – Y

  2. Number of subnets possible with x bits: S = 2^x

  3. Number of hexits represented by the x bits: h = x/4 (this should be rounded up to the next integer)

For a given number of subnet bits (x), the defining hexit for each subnet will increase in value according to the increment, from hexadecimal zero (0) to “e”, as shown in the table below. Note that the ‘defining’ hexit(s) is simply the one after the boundary hexit (that defined by the original prefix length Y).

IPv6 Quick Subnetting Cheatsheet

Examples


[a] Subnet 2001:db8::/32 into /36s

  • Subnetting bits (x) = 36 – 32 = 4 (these will give us 16 [i.e. 2^4] subnets).

  • Number of hexits represented by 4 bits = 4/4 = 1

  • From the table, the defining hexit should increment by 1 with discrete hex values 0 – f.

  • Thus our subnets are:

2001:db8:0000::/36
2001:db8:1000::/36
2001:db8:2000::/36
2001:db8:3000::/36
2001:db8:4000::/36
2001:db8:5000::/36
2001:db8:6000::/36
2001:db8:7000::/36
2001:db8:8000::/36
2001:db8:9000::/36
2001:db8:a000::/36
2001:db8:b000::/36
2001:db8:c000::/36
2001:db8:d000::/36
2001:db8:e000::/36
2001:db8:f000::/36

[b] As a small end site, you received the 2001:db8:c001:ba00::/56 assignment from your ISP, and you have 3 main office locations you want to divide this block between. Find these 3 subnets.

  • Number of subnets required = 3

  • Subnetting bits (x) such that (2^x) >= 3: x = 2 (this will actually give us 4 subnets of equal prefix length). Also, the prefix length of our subnets will be 58 (56+2).

  • Number of hexits represented by 2 bits = 1

  • From the table, the defining hexit should increment by 4 with discrete hex values 0, 4, 8, c.

  • Thus our subnets are:

2001:db8:c001:ba00::/58
2001:db8:c001:ba40::/58
2001:db8:c001:ba80::/58
2001:db8:c001:bac0::/58
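
The procedure and both worked examples above, as an added Python example (not code from the original post). `subnet_plan` and its `max_subnets` guard are hypothetical names, and the increment rule 2^((-Z) mod 4) is derived here from the two examples rather than read from the post's table.

```python
import ipaddress
import math

def subnet_plan(parent: str, z: int, max_subnets: int = 4096) -> dict:
    """Split parent prefix PPPP/Y into sub-prefixes of length /Z."""
    net = ipaddress.IPv6Network(parent, strict=True)   # rejects set host bits
    y = net.prefixlen
    if not y < z <= 128:
        raise ValueError("Z must be greater than Y and at most 128")
    x = z - y                     # step 1: subnetting bits
    s = 2 ** x                    # step 2: subnets possible with x bits
    h = math.ceil(x / 4)          # step 3: hexits covered, rounded up
    if s > max_subnets:
        raise ValueError(f"{s} subnets: too many to enumerate, use a calculator")
    # Bits left over in the hexit where /Z ends set the step of that hexit
    # (derived rule: /36 -> 1, /58 -> 4).
    increment = 2 ** ((-z) % 4)
    hexit_values = "".join(format(v, "x") for v in range(0, 16, increment))
    # Each subnet starts 2^(128 - Z) addresses after the previous one.
    step = 1 << (128 - z)
    base = int(net.network_address)
    subnets = [str(ipaddress.IPv6Network((base + i * step, z))) for i in range(s)]
    return {"x": x, "S": s, "h": h, "increment": increment,
            "hexit_values": hexit_values, "subnets": subnets}

if __name__ == "__main__":
    # The two parent prefixes used in examples [a] and [b].
    for parent, z in (("2001:db8::/32", 36), ("2001:db8:c001:ba00::/56", 58)):
        plan = subnet_plan(parent, z)
        print(parent, "->", plan["S"], "x /%d," % z,
              "defining hexit values:", plan["hexit_values"])
        for prefix in plan["subnets"]:
            print("  ", prefix)
```

The output uses the compressed form, so the first /36 prints as 2001:db8::/36 rather than 2001:db8:0000::/36.
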

Please drop me a comment if you have suggestions of how to make this even easier, and happy v6 subnetting … in your head. If you would like a highly detailed and complete method for IPv6 subnetting, let me invite you to read my other post “IPv6 Subnetting – General Procedure”.