
IPv6

IPv6 is the successor to IPv4, using 128-bit addresses written as eight groups of four hexadecimal digits (e.g. 2001:0db8:85a3:0000:0000:8a2e:0370:7334). Where IPv4 provides roughly 4.3 billion addresses, IPv6 offers approximately 3.4 × 10³⁸, enough to assign a unique address to every device without network address translation.

IPv6 was designed to solve IPv4 exhaustion, simplify routing tables through hierarchical allocation, and restore end-to-end connectivity that NAT obscures.

Address Representation

Addresses are 128 bits long, split into eight 16-bit groups separated by colons. Two compression rules apply:

  • Leading zeros in each group can be dropped: 0db8 becomes db8.
  • One consecutive run of all-zero groups can be replaced with :: (only once per address).

Full: 2001:0db8:0000:0000:0000:0000:0000:0001
Compressed: 2001:db8::1

IPv4-mapped addresses use the form ::ffff:192.0.2.1, which is mainly relevant for socket APIs on dual-stack hosts.

Address Scopes

| Scope | Prefix | Routed? | Purpose |
|---|---|---|---|
| Global unicast | 2000::/3 | Yes, globally | Internet-routable addresses |
| Link-local | fe80::/10 | No | On-segment only; auto-configured on every interface |
| Unique local | fc00::/7 | No (by convention) | Private addressing, similar to RFC 1918 |
| Multicast | ff00::/8 | Varies | Replaces broadcast; used by NDP, routing, service discovery |

Link-local addresses (fe80::) are automatically assigned to every IPv6-enabled interface. They are used by Neighbor Discovery Protocol and are never forwarded by a router, so they work even with no upstream connectivity.

Unique local addresses (fd00::/8 is the commonly used sub-range) serve the same role as 10.0.0.0/8 or 192.168.0.0/16 in IPv4, providing stable addresses within a site that do not depend on an ISP prefix.

Note

Unique local prefixes should be generated with a random 40-bit site identifier (bits 17-56) to avoid conflicts if two networks are ever merged. Many OS tools and online generators can produce a valid fd prefix for you.

Subnets and the /64 Convention

ISPs typically delegate a /48 or /56 prefix to customers. Within that allocation, the conventional unit for a LAN segment is a /64, leaving 64 bits for interface identifiers.

ISP delegation: 2001:db8:abcd::/48
Site subnet:    2001:db8:abcd:0001::/64 (first LAN segment)
                2001:db8:abcd:0002::/64 (second LAN segment)

A /64 is strongly recommended for any segment using SLAAC, because SLAAC builds the interface ID from the remaining 64 bits. Prefixes longer than /64 (smaller subnets) break SLAAC and some multicast-derived features.

How Hosts Get Addresses

Three mechanisms assign IPv6 addresses to hosts:

  • SLAAC (Stateless Address Autoconfiguration): A router sends Router Advertisements (RA) containing the network prefix. The host appends a self-generated 64-bit interface identifier to form a complete address. No server is required.
  • Stateless DHCPv6: The host uses SLAAC for its address but queries a DHCPv6 server for additional options such as DNS resolvers.
  • Stateful DHCPv6: The DHCPv6 server assigns addresses and options centrally, similar to DHCP in IPv4.

Privacy extensions (RFC 8981) generate a random, temporary interface identifier that changes over time, reducing the ability to track a host by its address.
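The /64 convention and the SLAAC step described above, as an added example that is not part of the original page: it picks a /64 out of a delegated prefix and joins it with a 64-bit interface identifier. The function names and the sample identifier are assumptions, and the random identifier is a plain random value standing in for the RFC 8981 procedure.

```python
import ipaddress
import secrets


def site_subnet(delegation: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Return /64 number `subnet_id` inside a delegated prefix (/48, /56, ...)."""
    net = ipaddress.IPv6Network(delegation)
    subnet_bits = 64 - net.prefixlen          # 16 for a /48, 8 for a /56
    if subnet_bits < 0 or not 0 <= subnet_id < (1 << subnet_bits):
        raise ValueError(f"subnet {subnet_id} does not fit in {net}")
    base = int(net.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def slaac_address(prefix, interface_id=None):
    """Join an advertised /64 prefix with a 64-bit interface identifier."""
    if prefix.prefixlen != 64:
        # With any other length the identifier no longer fills the host part.
        raise ValueError(f"SLAAC needs a /64, got /{prefix.prefixlen}")
    if interface_id is None:
        # Assumption: a plain random value stands in for the RFC 8981 procedure.
        interface_id = secrets.randbits(64)
    if not 0 <= interface_id < (1 << 64):
        raise ValueError("interface identifier must fit in 64 bits")
    return ipaddress.IPv6Address(int(prefix.network_address) | interface_id)


def demo():
    """Build the page's first LAN segment plus a stable and a temporary address."""
    lan = site_subnet("2001:db8:abcd::/48", 1)
    stable = slaac_address(lan, 0x021122FFFE334455)  # constructed identifier
    temporary = slaac_address(lan)                    # changes on every call
    return lan, stable, temporary


if __name__ == "__main__":
    for item in demo():
        print(item)
```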

Neighbor Discovery Protocol

Neighbor Discovery Protocol (NDP) runs over ICMPv6 and replaces both ARP and several ICMP functions from IPv4.

| Message | ICMPv6 Type | Purpose |
|---|---|---|
| Router Solicitation | 133 | Host requests an RA immediately on startup |
| Router Advertisement | 134 | Router announces prefix, MTU, and flags |
| Neighbor Solicitation | 135 | Resolves IPv6 address to link-layer address (replaces ARP) |
| Neighbor Advertisement | 136 | Response to a Neighbor Solicitation |
| Redirect | 137 | Router informs host of a better next hop |

NDP also handles Duplicate Address Detection (DAD), where a host checks that its chosen address is not already in use before assigning it to an interface.

Tip

If a host cannot communicate on-link, check NDP table entries with ip -6 neigh (Linux), ndp -an (macOS), or Get-NetNeighbor -AddressFamily IPv6 (Windows). A stalled INCOMPLETE or FAILED entry usually points to a firewall blocking ICMPv6.
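One way to automate the check in the tip above, as an added example that is not part of the original page: it parses `ip -6 neigh` output and reports, per interface, which neighbors are stuck in INCOMPLETE or FAILED. The sample output is constructed and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `ip -6 neigh` output (not captured from a real host).
SAMPLE_NEIGH = """\
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:abcd:1::20 dev eth0 lladdr 00:11:22:33:44:66 STALE
2001:db8:abcd:1::30 dev eth0 FAILED
fe80::aa dev eth1 INCOMPLETE
fe80::bb dev eth1 FAILED
"""

STALLED_STATES = {"INCOMPLETE", "FAILED"}


def parse_neigh(text):
    """Turn each neighbor line into a dict; skip lines that do not parse."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[1] != "dev":
            continue
        try:
            addr = ipaddress.IPv6Address(f[0])
        except ValueError:
            continue
        # Unresolved entries carry no link-layer address.
        lladdr = f[f.index("lladdr") + 1] if "lladdr" in f else None
        entries.append({"address": addr, "dev": f[2], "lladdr": lladdr,
                        "router": "router" in f, "state": f[-1]})
    return entries


def stalled_by_interface(entries):
    """Per interface: stalled addresses, and whether every neighbor is stalled."""
    seen = defaultdict(list)
    for e in entries:
        seen[e["dev"]].append(e)
    report = {}
    for dev, group in seen.items():
        bad = [str(e["address"]) for e in group if e["state"] in STALLED_STATES]
        if bad:
            report[dev] = {"stalled": bad, "all_stalled": len(bad) == len(group)}
    return report


if __name__ == "__main__":
    print(stalled_by_interface(parse_neigh(SAMPLE_NEIGH)))
```

An interface where `all_stalled` is true has no working neighbor resolution at all, which is the pattern a blanket ICMPv6 block produces.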

Dual Stack

Most networks run IPv4 and IPv6 simultaneously. On a dual-stack host:

  • The OS holds both an IPv4 and one or more IPv6 addresses per interface.
  • Applications and DNS resolve both A (IPv4) and AAAA (IPv6) records. Modern clients follow Happy Eyeballs (RFC 8305), racing connections and using whichever responds first.
  • IPv6 is preferred when both are available and the IPv6 path is healthy.

Publish AAAA records in DNS for any service you want reachable over IPv6:

example.com. IN A    203.0.113.10
example.com. IN AAAA 2001:db8::10

Practical Commands

Check interface addresses

ip -6 addr show

Check the IPv6 routing table

ip -6 route show

Ping over IPv6

ping -6 2001:db8::1
ping6 2001:db8::1
# Link-local: append % and interface name (often eth0)
ping6 fe80::1%eth0

Query AAAA records

dig example.com AAAA
dig example.com AAAA +short
dig @1.1.1.1 example.com AAAA +short

Inspect the NDP neighbor table

ip -6 neigh show

Traceroute over IPv6

traceroute -6 example.com

Operational Tips

  • Firewall IPv6 explicitly. IPv6 traffic bypasses IPv4 firewall rules. Configure ip6tables on Linux, pf or the application firewall on macOS, and Windows Defender Firewall (separate IPv4 and IPv6 rules) for unique-local and global unicast ingress.
  • Test both protocols independently. A service can be reachable over IPv4 but broken over IPv6 (or vice versa). Use curl -6 and curl -4 to isolate which path is failing.
  • Allow ICMPv6. NDP, path MTU discovery, and several other core functions depend on ICMPv6. Blocking it entirely will cause subtle connectivity failures even when raw IP forwarding appears to work.
  • Check PTR records for IPv6. Reverse DNS for IPv6 uses the ip6.arpa zone with nibble notation. Many monitoring tools and mail servers validate PTR records; missing ones can cause unexpected behaviour.
  • CGNAT vs. IPv6. Mobile and some residential ISPs use Carrier-Grade NAT to share a single IPv4 address across many subscribers, which can break peer-to-peer connectivity and complicate logging. Native IPv6 avoids CGNAT entirely and restores a globally unique address per device.
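A check for the "Firewall IPv6 explicitly" and "Allow ICMPv6" tips, as an added example that is not part of the original page: it reads a ruleset in `ip6tables -S` format and reports which NDP message types from the table earlier on this page the chain does not accept. The sample ruleset is constructed, the function names are assumptions, and only the protocol and `--icmpv6-type` matches are evaluated.

```python
# NDP message types from the table on this page.
NDP_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
             135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
             137: "Redirect"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample in `ip6tables -S` format (not from a real host).
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""


def ndp_verdicts(rules_text, chain="INPUT"):
    """Map each NDP type to the first terminal verdict the chain gives it.

    Simplification: other match conditions (interface, source, hop limit)
    are ignored, and rules for non-ICMPv6 traffic are skipped.
    """
    policy, rules = "ACCEPT", []
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
            continue
        if tok[:2] != ["-A", chain] or "-j" not in tok:
            continue
        target = tok[tok.index("-j") + 1]
        if target not in TERMINAL:
            continue                             # LOG and chain jumps not followed
        if tok[2] == "-j":
            rules.append((None, target))         # bare catch-all rule
        elif "-p" in tok and tok[tok.index("-p") + 1] in ("ipv6-icmp", "icmpv6"):
            if "--icmpv6-type" not in tok:
                rules.append((None, target))     # matches every ICMPv6 type
            else:
                value = tok[tok.index("--icmpv6-type") + 1].split("/")[0]
                if value.isdigit():              # named types are skipped
                    rules.append((int(value), target))
    return {t: next((v for rt, v in rules if rt in (None, t)), policy)
            for t in NDP_TYPES}


def blocked_ndp(rules_text, chain="INPUT"):
    """NDP types whose first matching verdict is anything other than ACCEPT."""
    verdicts = ndp_verdicts(rules_text, chain)
    return sorted(t for t, v in verdicts.items() if v != "ACCEPT")
```

On the constructed sample, Neighbor Advertisement (136) falls through to the DROP policy, so the host can send a Neighbor Solicitation but never accepts the reply.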