May 24, 2012

1.4.13 IPv4 vs. IPv6

Internet Protocol (IP) is a global communications standard used for linking devices together. It defines how computers communicate over a network. The primary purpose of an IP address is to uniquely identify a node at the Network Layer. Every Internet connected device, computer, smartphone, smart TV, etc. needs a unique IP address. The explosive growth in mobile devices including mobile phones, notebook computers, and wireless handheld devices has created a need for a large number of additional IP addresses.

There are currently two versions: IP version 4 (IPv4) and IP version 6 (IPv6).

IPv4 is the 4th version of the Internet Protocol. It is the most commonly deployed OSI Layer 3 (Network layer) protocol.

IPv4 has a 32-bit address space, which gives 2^32 or approximately 4.3 billion possible IPv4 addresses. IPv4 was formally defined by the Internet Engineering Task Force (IETF) in September 1981 as RFC 791.

IPv6 is the next generation of the Internet Protocol. IPv6 has a 128-bit address space, which gives 2^128 or approximately 340 undecillion possible IPv6 addresses. It was formally defined by the IETF as a specification in December 1998 as RFC 2460.

Since the commercialization of the Internet, pressure has been increasing on the IPv4 address space, to the point that today it is almost fully depleted. In an effort to maximize usage, techniques such as CIDR, NAT and private address spaces are in use, but these efforts are only managing to delay the inevitable.

In 1981, when it was first defined, 4 billion IPv4 addresses seemed like a lot. IPv4 was intended to support academic and US government needs at a time before the commercialization of the Internet.

An IPv6 address is effectively 4 times as long as an IPv4 address. It would be impractical to use the binary or even the more compact decimal notation to represent an IPv6 address. Instead IPv6 is represented using hexadecimal characters.

An IPv6 address has eight groups of hexadecimal characters (the numbers 0–9 and the letters A–F), also known as hextets, separated by colons. Each hexadecimal digit represents 4 binary digits, so an IPv6 address can have up to 32 hexadecimal digits.

Enhancements in IPv6 include:

  • The size of the IPv6 address space makes it less vulnerable to malicious activities such as IP scanning.
  • IPv6 packets can support a larger payload than IPv4 packets resulting in increased throughput and transport efficiency.
  • Native support for mobile devices via the Mobile IPv6 (MIPv6) protocol.
  • Auto-configuration.
  • Increased authentication and privacy measures, e.g. with embedded IPSec.
  • Better performance through elimination of checksums at the IP level.

When 4 Billion Is Not Enough

  • There are a total of 2^32 or 4,294,967,296 possible IPv4 addresses
  • An IPv4 address can be represented in several formats, including:
    • Dotted decimal notation, e.g. – four groups of decimal numbers, each in the range 0 – 255
    • 32-bit binary notation consisting of four groups of 8 binary digits, e.g. 10000000 01111101 01011001 11111010
    • Dotted hexadecimal, e.g. 0x80.0x7D.0x59.0xFA – Each octet is individually converted to hexadecimal form
    • Dotted octal 0200.0175.0131.0372 – Each octet is individually converted into octal
    • Hexadecimal, e.g. 0x807D59FA – Concatenate the octets of the dotted hexadecimal
  • IPv4 addresses consist of a network portion and a host portion. The network portion of an IPv4 address is variable in length, i.e. the IPv4 network subnet size is variable:
    • Use of the slash (/) notation or CIDR (Classless Inter-Domain Routing) to identify and differentiate between the network and host portion of an IPv4 address. The CIDR notation identifies the number of bits that determines the network portion, e.g. sets aside 24 bits for the network and the remaining 8 bits for host addresses.
    • Number of “default” network blocks:
      • 256/8 or 256 class A networks
      • 65,536/16 or 65,536 class B networks
      • 16,777,216/24 or 16,777,216 class C networks
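
The notations listed above all name the same 32-bit value, which matters whenever filter rules or log entries are compared as text. The following Python sketch is an added example, not part of the original notes; the function names (`parse_ipv4_notation`, `same_host`) are illustrative. It reduces each listed form to one canonical address before comparison.

```python
import ipaddress

def _octet(part):
    """Parse one dotted field; the radix follows its prefix (0x = hex, 0 = octal)."""
    low = part.lower()
    if low.startswith("0x"):
        digits, base = low[2:], 16
    elif len(low) > 1 and low.startswith("0"):
        digits, base = low[1:], 8
    else:
        digits, base = low, 10
    if not digits or any(c not in "0123456789abcdef"[:base] for c in digits):
        raise ValueError(f"bad octet: {part!r}")
    value = int(digits, base)
    if value > 255:
        raise ValueError(f"octet out of range: {part!r}")
    return value

def parse_ipv4_notation(text):
    """Return an IPv4Address for any of the notations listed in these notes."""
    text = text.strip()
    groups = text.split()
    # 32-bit binary notation: four space-separated groups of 8 binary digits
    if len(groups) == 4 and all(len(g) == 8 and set(g) <= set("01") for g in groups):
        return ipaddress.IPv4Address(int("".join(groups), 2))
    # Single hexadecimal value: the concatenated octets
    if text.lower().startswith("0x") and "." not in text:
        return ipaddress.IPv4Address(int(text, 16))  # raises if wider than 32 bits
    # Dotted decimal, dotted hexadecimal or dotted octal
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dotted fields: {text!r}")
    return ipaddress.IPv4Address(bytes(_octet(p) for p in parts))

def same_host(a, b):
    """True when two textual forms denote the same IPv4 address."""
    return parse_ipv4_notation(a) == parse_ipv4_notation(b)

# The example values from the list above, one per notation
PAGE_FORMS = [
    "10000000 01111101 01011001 11111010",
    "0x80.0x7D.0x59.0xFA",
    "0200.0175.0131.0372",
    "0x807D59FA",
]

if __name__ == "__main__":
    for form in PAGE_FORMS:
        print(f"{form:40} -> {parse_ipv4_notation(form)}")
```

Compare addresses only after normalizing them this way; a string comparison treats each of the four forms as a different host.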

IPv6 Address

  • In binary notation, each IPv6 address has 128 binary digits, giving 2^128 (about 3.4×10^38) addresses. That is approximately 5×10^28 addresses for each of the 6.5 billion (6.5×10^9) people alive today
  • There are theoretically 340,282,366,920,938,463,463,374,607,431,768,211,456 IPv6 addresses. The text version of this is 340 undecillion 282 decillion 366 nonillion 920 octillion 938 septillion 463 sextillion 463 quintillion 374 quadrillion 607 trillion 431 billion 768 million 211 thousand 456  addresses.
  • There are 2^16 or 65,536 numbers per segment or hextet.
  • The preferred form is a 16-byte global IPv6 address. This can be represented as: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx where x is a hexadecimal digit representing 4 bits. The colon (:) is the delimiter between each hextet.

    Here is an example of an IPv6 address: 2620:0000:1CFE:FACE:B00C:0000:0000:0003 – eight groups of 4 hexadecimal characters (0-9A-F) separated by colons

    IPv6 addresses range from 0000:0000:0000:0000:0000:0000:0000:0000 to FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF.

    Any four-digit group in an IPv6 address can be shortened by omitting its leading zeros, and all-zero groups can be collapsed by replacing them with a double colon. The following IPv6 addresses are identical and valid:
    • 2607:f8b0:4000:0805:0000:0000:0000:1010
    • 2607:f8b0:4000:805:0:0:0:1010
    • 2607:f8b0:4000:805::1010
  • Note: Only one set of double colons is allowed in any one IPv6 address.

    An IPv6 address can be used in a URL:
    • http://2607:f8b0:4000:0805:0000:0000:0000:1010/
  • Here is an example of an IP address that contains a port number:
    • [2607:f8b0:4000:0805:0000:0000:0000:1010]:80
  • This is a URL with an IPv6 address and a port number, 80:
    • http://[2607:f8b0:4000:0805:0000:0000:0000:1010]:80
  • Note: the square brackets above are only necessary when specifying a port number.
  • How many networks are possible with IPv6?
    • Take the 8 hextets of an IPv6 address and cut them in half. That half has 4 hextets and each hextet consists of 16 bits, so each of the 4 hextets contains up to 65,536 numbers. To get the total for the 4 hextets, multiply 65,536 four times: 65,536 * 65,536 * 65,536 * 65,536 = 18,446,744,073,709,551,616 or 18 quintillion.
    • There are 18 quintillion possible IPv6 networks. Each of the 18 quintillion IPv6 networks can host 18 quintillion host addresses.
  • Notes
    • Public IPv6 addresses begin with the 001 prefix. This cuts down the maximum possible IPv6 addresses from 2^128 to 2^125. Additionally it means that public IPv6 addresses are limited to those beginning with binary 001x or hextet 2xxx or 3xxx.
    • One undecillion is one trillion trillion trillion.
    • Broadcast addresses are not supported in IPv6
    • The global unicast address is defined in RFC 3587
    • A hextet is the description for each of the 8 colon delimited blocks in an IPv6 address.
    • Google maintains both IPv4 and IPv6 DNS servers:
    • Google’s Public DNS IP Addresses
      IPv6 2001:4860:4860::8888 2001:4860:4860::8844

Transition Mechanisms

IPv4 and IPv6 are not interchangeable. In lieu of a clean cut-over from IPv4 to IPv6, one of three transition mechanisms can be implemented to enable communication between IPv4 and IPv6 devices.
  • Dual-stack: Device level support for both IPv4 and IPv6. The term "dual-stack" refers to TCP/IP capable devices providing support for both IPv4 and IPv6.
  • Tunnels: Tunnel IPv6 packets over an IPv4 topology. The term "tunneling" refers to a means to encapsulate one version of IP in another so the packets can be sent over a backbone that does not support the encapsulated IP version.
  • Protocol Translators: Translation allows IPv6-only hosts to communicate with IPv4-only hosts. The term "translators" refers to devices capable of translating traffic from IPv4 to IPv6 or vice versa. Note: Use of protocol translators causes problems with NAT and highly constrains the use of IP addressing.
Note: The transition mechanisms can impact (slow down) the communication channel between an IPv4-only and an IPv6-only site.

IPv4 and IPv6 Address Equivalency

| IPv4 Address | IPv6 Address |
|---|---|
| Internet address classes | Not applicable in IPv6 |
| Multicast addresses ( | IPv6 multicast addresses (FF00::/8) |
| Broadcast addresses | Not applicable in IPv6 |
| Unspecified address is | Unspecified address is :: |
| Loopback address is | Loopback address is ::1 |
| Public IP addresses | Global unicast addresses |
| Private IP addresses (,, and | Site-local addresses (FEC0::/10) |
| Autoconfigured addresses ( | Link-local addresses (FE80::/64) |
| Text representation: Dotted decimal notation | Text representation: Colon-hexadecimal format with suppression of leading zeros and zero compression. IPv4-compatible addresses are expressed in dotted decimal notation. |
| Network bits representation: Subnet mask in dotted decimal notation or prefix length notation | Network bits representation: Prefix length notation only |
| DNS name resolution: IPv4 host address (A) resource record | DNS name resolution: IPv6 host address AAAA resource records (RFC 1886) or A6 records (RFC 2874) |
| DNS reverse resolution: IN-ADDR.ARPA domain | DNS reverse resolution: IP6.INT domain (RFC 1886) or IP6.ARPA domain (RFC 2874) |

Compression Rules

An IPv6 address can be compressed by squeezing out all-zero hextets (groups of 4 hex digits) and leading zeros. For example, FC00:0001:A000:0B00:0000:0927:0127:00AB can be written as FC00:1:A000:B00::927:127:AB.

Only one set of double colons is allowed, otherwise the result would be ambiguous.
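
The compression rules above, and the three equivalent addresses shown earlier in the IPv6 Address section, can be checked mechanically. The following Python sketch is an added example, not part of the original notes; `expand`, `compress` and `same_address` are illustrative names. It follows the rules as stated here, so a single zero hextet may also become `::`.

```python
HEX = set("0123456789abcdefABCDEF")

def expand(addr):
    """Return the eight hextets of an IPv6 address as integers."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed: the split would be ambiguous")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        if len(left) + len(right) > 7:
            raise ValueError("'::' must stand for at least one hextet")
        groups = left + ["0"] * (8 - len(left) - len(right)) + right
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(1 <= len(g) <= 4 and set(g) <= HEX for g in groups):
        raise ValueError("expected eight hextets of 1-4 hex digits")
    return [int(g, 16) for g in groups]

def compress(addr):
    """Drop leading zeros and replace the longest run of zero hextets with '::'."""
    hextets = expand(addr)
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if hextets[i] == 0:
            j = i
            while j < 8 and hextets[j] == 0:
                j += 1
            if j - i > best_len:          # leftmost run wins a tie
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    text = [format(h, "x") for h in hextets]   # format() drops leading zeros
    if best_len == 0:
        return ":".join(text)
    # Note: RFC 5952's canonical form keeps a lone zero hextet as "0";
    # these notes also collapse a single zero hextet, so this function does too.
    return ":".join(text[:best_start]) + "::" + ":".join(text[best_start + best_len:])

def same_address(a, b):
    """True when two textual forms denote the same 128-bit address."""
    return expand(a) == expand(b)

if __name__ == "__main__":
    for sample in ("2607:f8b0:4000:0805:0000:0000:0000:1010",
                   "FC00:0001:A000:0B00:0000:0927:0127:00AB"):
        print(sample, "->", compress(sample))
```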

“The killer application of IPv6 is the survival of the open Internet as we know it.” – Lorenzo Colitti, Google.

The following table compares some of the key features of the IPv4 and IPv6 protocols:

| IPv4 | IPv6 |
|---|---|
| Source / destination addresses are 32 bits (4 bytes) in length. | Source / destination addresses are 128 bits (16 bytes) in length. |
| IPSec support is optional. | IPSec support is required. |
| No identification of packet flow for Quality of Service (QoS) handling by routers is present within the IPv4 header. | Packet flow identification for QoS handling by routers is included in the IPv6 header using the Flow Label field. |
| Fragmentation is done by both routers and the sending host. | Fragmentation is not done by routers, only by the sending host. |
| Header includes a checksum. | Header does not include a checksum. |
| Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IPv4 address to a link layer address. | ARP Request frames are replaced with multicast Neighbor Solicitation messages. |
| ICMP Router Discovery is used to determine the IPv4 address of the best default gateway and is optional. | ICMP Router Discovery is replaced with ICMPv6 Router Solicitation and Router Advertisement messages and is required. |
| Broadcast addresses are used to send traffic to all nodes on a subnet. | There are no IPv6 broadcast addresses. Instead, a link-local scope all-nodes multicast address is used. |
| Must be configured either manually or through DHCP. | Does not require manual configuration or DHCP. |


1.4.12 ICMP


Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite. It provides maintenance and reporting functions. It is chiefly used by IP end systems and all IP intermediate systems (i.e. routers) to send error messages indicating problems with delivery of IP datagrams within an IP network. It can be used to show when a particular end system is not responding, when an IP network is not reachable, when a node is overloaded, when an error occurs in the IP header information, etc.

The Internet Protocol is not designed to be absolutely reliable. The purpose of these control messages is to provide feedback about problems in the communication environment, not to make IP reliable. The higher level protocols that use IP must implement their own reliability procedures if reliable communication is required.
ICMP is defined in RFC 792. It is assigned protocol number 1.

ICMP provides error reporting, flow control and first-hop gateway redirection.
The ping program contains a client interface to ICMP. It may be used by a user to verify an end-to-end Internet Path is operational. The ping program also collects performance statistics (i.e. the measured round trip time and the number of times the remote server fails to reply).

The traceroute (or tracert) program contains a client interface to ICMP. Like the ping program, it may be used by a user to verify an end-to-end Internet Path is operational, but also provides information on each of the Intermediate Systems (i.e. IP routers) to be found along the IP Path from the sender to the receiver.
Some Routers are configured to discard ICMP messages, while others process them but do not return ICMP Error Messages.

ICMP is one of the favorite protocols used for DoS attacks. Many businesses have disabled ICMP through the router to prevent these types of situations from occurring.

A smurf attack is one in which large volumes of ICMP echo requests (pings) are broadcast to all other machines on the network and in which the source address of the broadcast system has been spoofed to appear as though it came from the target computer. When all the machines that received the broadcast respond, they flood the target with more data than it can handle.
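
The pattern described above leaves a recognizable trace in flow records: an echo request addressed to a broadcast address, followed by echo replies from many hosts converging on the address named as its source. The following Python sketch is an added example, not part of the original notes; the log format, the network range and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the monitored subnet (a documentation range, RFC 5737)
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample records: time, source, destination, ICMP type
# (8 = echo request, 0 = echo reply)
SAMPLE_LOG = """\
10:00:01 192.0.2.10 192.0.2.20 8
10:00:01 192.0.2.20 192.0.2.10 0
10:00:02 198.51.100.7 192.0.2.255 8
10:00:02 192.0.2.11 198.51.100.7 0
10:00:02 192.0.2.12 198.51.100.7 0
10:00:02 192.0.2.13 198.51.100.7 0
"""

def is_broadcast(dst, nets):
    """True for the limited broadcast or the broadcast address of a known subnet."""
    if dst == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(dst == net.broadcast_address for net in nets)

def find_smurf_victims(log, nets, min_repliers=3):
    """Map each likely victim to the number of distinct hosts replying to it.

    A victim is an address that appears as the source of a broadcast echo
    request and then receives echo replies from at least min_repliers hosts.
    """
    claimed_sources = set()
    repliers = {}
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        _, src, dst, icmp_type = fields
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if icmp_type == "8" and is_broadcast(dst, nets):
            claimed_sources.add(src)
        elif icmp_type == "0":
            repliers.setdefault(dst, set()).add(src)
    return {str(victim): len(repliers[victim])
            for victim in claimed_sources
            if len(repliers.get(victim, ())) >= min_repliers}

if __name__ == "__main__":
    print(find_smurf_victims(SAMPLE_LOG, LOCAL_NETS))
```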

ICMP is used for destination and error reporting functions in TCP/IP. ICMP is routable and is used by programs such as ping and traceroute.

The “ping of death” is a large ICMP packet sent to overflow the remote host's buffer. A ping of death crashes a system by sending ICMP packets that are larger than the system can handle.

The countermeasure for ICMP attacks is to deny ICMP traffic through your network. You can disable ICMP traffic in most routers, and you should consider doing so in your network.

  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney