
How To Read IPv6 Addresses (Tutorial)

post #1 of 4
Thread Starter 
Quote:
Originally Posted by Wireshark 

Tuesday, February 8, 2011 15:53 | By Gerald Combs | Filed in Info, Protocols

A common complaint about IPv6 is that addresses are “hard to read”. If you’ve been in the networking world any length of time IPv4’s dotted quad is most likely seared into your brain and clumps of hexadecimal digits of varying lengths can be hard to wrap your head around. However, those clumps can provide useful information.

Below I’ll go over some of the address types I’ve seen and show you what information they provide.

NOTE: I’m not going to explain the basics of IPv6 address formats. Plenty of others have done that elsewhere. Wikipedia and RFC 4291 are good places to start.

Many of Wireshark’s web sites have been available over IPv6 for a while and as I’ve looked through various capture files and server logs, patterns have emerged. Most of the addresses in this post are from IPv6 traffic captured in late January 2011. In Wireshark you can view IPv6 addresses via Statistics→Endpoint List→IPv6 or Statistics→Conversation List→IPv6 or by using the display filter “ipv6”.

First let’s look at the network prefixes that were captured. In my sample capture I see the following /16s (which we’ll call chunks for now):

2001::
2002::
2607::
2620::
2a01::
fe80::
ff02::

Most of the traffic in the capture starts with “2”. The prefix 2000::/3 has been assigned for global unicast traffic — that is, traffic you should see on the public internet. Right now you should only see prefixes between 2001::/16 and 2c00::/16 since IANA has only assigned prefixes in that range.

This alone is incredibly useful. A simple regular expression “[23]...:” (a “2” or “3” followed by three characters followed by a “:”) can be used to match public IPv6 traffic. I use this to find IPv6 addresses in Apache access logs.

Wireshark’s display filter engine doesn’t support prefix lengths for IPv6 addresses (not yet, at least) but you can use arithmetic comparisons to find public addresses, e.g. “ipv6.src >= 2000:: && ipv6.src < 4000::”.

Many prefixes in the assigned range are recognizable:

* 2002:: — 6to4 traffic. MTUs from these addresses will probably be lower than normal.
* 2001:470:: — Hurricane Electric. HE provides a popular tunnel broker service, so MTUs from these addresses will often be lower than normal.
* 2001:0:: — Teredo tunneling.
* Organizations with large v6 deployments such as 2001:420 (Cisco) and 2001:4860 (Google)

The prefixes outside the global unicast range (fe80:: and ff02::) are link-local and multicast addresses respectively. Both of these are limited to the local network and typically used for ICMPv6 neighbor discovery.

Now let’s skip over to the last half of the addresses and look at some of the recognizable bits in the host portion:

* ::5efe:xxyy:zzqq — ISATAP. Yet another tunneling technology. xx, yy, zz, and qq represent a tunnelled IPv4 address.
* ::xxyy:zzff:feqq:rrss — SLAAC. This is the machine’s MAC address (xx:yy:zz:qq:rr:ss) with “ff:fe” shoved in the middle.
* ::random digits — A SLAAC privacy extension address.

There are two things of note about these last two. Windows has SLAAC privacy extensions enabled by default, while other operating systems (particularly Linux and OS X) don’t. You can often tell a machine’s OS by looking at the host portion of its IPv6 address. Furthermore, one of the big complaints about IPv6 (big hairy addresses) is actually a feature.

Now take a look at the following addresses. Notice anything unusual?

2620:12::5
2001:4860:8004::68
2001:420:80:1::5

Compared to the formats above they’re short. The host portion is mostly zeroes. These are manually assigned. In this case they’re all web server addresses. I added them to demonstrate that the length of IPv6 addresses is often up to you.


Source
Edited by _GTech - 2/25/11 at 12:08am
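
Added example, not part of the quoted Wireshark post or of this thread: a Python classifier that reads an address the way the post describes, labelling the prefix and decoding the host portion (the tunnelled IPv4 address for ISATAP, the MAC for a SLAAC address). It goes slightly beyond the post by undoing the universal/local bit flip that EUI-64 applies to the MAC; the prefix lengths, the function names and the "manually assigned" threshold are assumptions of this example.

```python
import ipaddress

# Prefixes named in the post, most specific first. The prefix lengths are
# added here from the public registries; the post lists them without lengths.
PREFIXES = [(ipaddress.ip_network(p), name) for p, name in [
    ("2001:0::/32", "Teredo"),
    ("2001:470::/32", "Hurricane Electric"),
    ("2002::/16", "6to4"),
    ("2000::/3", "global unicast"),
    ("fe80::/10", "link-local"),
    ("ff00::/8", "multicast"),
]]

def read_host(addr):
    """Classify the low 64 bits (host portion) of a unicast address."""
    iid = int(addr) & (2**64 - 1)
    b = iid.to_bytes(8, "big")
    # ISATAP: 0000:5efe or 0200:5efe followed by the tunnelled IPv4 address
    if b[0] & 0xFD == 0 and b[1] == 0 and b[2:4] == b"\x5e\xfe":
        return "ISATAP", str(ipaddress.IPv4Address(b[4:]))
    # SLAAC from a MAC: ff:fe in the middle, universal/local bit inverted
    if b[3:5] == b"\xff\xfe":
        mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
        return "SLAAC (EUI-64)", ":".join(f"{x:02x}" for x in mac)
    # Heuristic (assumption): only the last 16-bit group is set
    if iid < 0x10000:
        return "manually assigned", None
    return "random-looking (possible privacy address)", None

def describe(text):
    """Return (prefix label, host-portion reading) for one address string."""
    addr = ipaddress.IPv6Address(text)
    kind = next((name for net, name in PREFIXES if addr in net), "other")
    # Teredo and multicast addresses carry no interface identifier to decode
    host = None if kind in ("Teredo", "multicast") else read_host(addr)
    return kind, host

if __name__ == "__main__":
    # Constructed samples (documentation prefix, made-up MAC) plus one
    # address quoted in the post (2620:12::5)
    for sample in ["2001:db8:1:2:211:22ff:fe33:4455", "2620:12::5",
                   "2001:db8::5efe:c000:221", "fe80::211:22ff:fe33:4455",
                   "2001:db8::a1b2:c3d4:e5f6:1789", "ff02::1"]:
        print(sample, "->", describe(sample))
```

Matching against parsed networks avoids the false hits a text pattern like the post's regular expression can produce on log fields that merely look like an address.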
post #2 of 4
Awesome! Good find.
post #3 of 4
Hurricane Electric provides a 'certification' (really just training) if you need a good introduction to IPv6.

http://ipv6.he.net/certification/index.php
post #4 of 4
Thread Starter 
Quote:
Originally Posted by beers;12526300 
Hurricane Electric provides a 'certification' (really just training) if you need a good introduction to IPv6.

http://ipv6.he.net/certification/index.php

Well it's not like it's rocket science.. :D