IPv6 Subnetting

IPv6 subnetting is easier than IPv4. It’s also different. Want to divide or combine a subnet? All that is needed is to add or chop off digits and adjust the prefix length by a multiple of four. No longer is there a need to calculate subnet start/end addresses, usable addresses, the null route, or the broadcast address.

IPv4 had a subnet mask (dotted quad notation) that was later replaced by CIDR masking. IPv6 doesn’t have a subnet mask but instead calls it a Prefix Length, often shortened to “Prefix”. Prefix length and CIDR masking work similarly: the prefix length denotes how many bits of the address define the network in which it exists. Most commonly the prefixes used with IPv6 are multiples of four, as seen in the IPv6 Subnet Table, but they can be any number between 0 and 128.

Using prefix lengths in multiples of four makes it easier for humans to distinguish IPv6 subnets. All that is required to design a larger or smaller subnet is to adjust the prefix by a multiple of four. For reference, see the IPv6 Subnet Table listing the possible IPv6 addresses, as well as how many IP addresses are contained inside of each subnet.

IPv6 Subnet Table

Prefix  Subnet Example                             Total IP Addresses                 # of /64 nets
------  -----------------------------------------  ---------------------------------  -------------
4       x::                                        2^124                              2^60
8       xx::                                       2^120                              2^56
12      xxx::                                      2^116                              2^52
16      xxxx::                                     2^112                              2^48
20      xxxx:x::                                   2^108                              2^44
24      xxxx:xx::                                  2^104                              2^40
28      xxxx:xxx::                                 2^100                              2^36
32      xxxx:xxxx::                                2^96                               4,294,967,296
36      xxxx:xxxx:x::                              2^92                               268,435,456
40      xxxx:xxxx:xx::                             2^88                               16,777,216
44      xxxx:xxxx:xxx::                            2^84                               1,048,576
48      xxxx:xxxx:xxxx::                           2^80                               65,536
52      xxxx:xxxx:xxxx:x::                         2^76                               4,096
56      xxxx:xxxx:xxxx:xx::                        2^72                               256
60      xxxx:xxxx:xxxx:xxx::                       2^68                               16
64      xxxx:xxxx:xxxx:xxxx::                      2^64 (18,446,744,073,709,551,616)  1
68      xxxx:xxxx:xxxx:xxxx:x::                    2^60 (1,152,921,504,606,846,976)   0
72      xxxx:xxxx:xxxx:xxxx:xx::                   2^56 (72,057,594,037,927,936)      0
76      xxxx:xxxx:xxxx:xxxx:xxx::                  2^52 (4,503,599,627,370,496)       0
80      xxxx:xxxx:xxxx:xxxx:xxxx::                 2^48 (281,474,976,710,656)         0
84      xxxx:xxxx:xxxx:xxxx:xxxx:x::               2^44 (17,592,186,044,416)          0
88      xxxx:xxxx:xxxx:xxxx:xxxx:xx::              2^40 (1,099,511,627,776)           0
92      xxxx:xxxx:xxxx:xxxx:xxxx:xxx::             2^36 (68,719,476,736)              0
96      xxxx:xxxx:xxxx:xxxx:xxxx:xxxx::            2^32 (4,294,967,296)               0
100     xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:x::          2^28 (268,435,456)                 0
104     xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xx::         2^24 (16,777,216)                  0
108     xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxx::        2^20 (1,048,576)                   0
112     xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx::       2^16 (65,536)                      0
116     xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:x::     2^12 (4,096)                       0
120     xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xx::    2^8 (256)                          0
124     xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxx::   2^4 (16)                           0
128     xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx    2^0 (1)                            0

A /64 is a standard size IPv6 subnet as defined by the IETF. It is the smallest subnet that can be used locally if auto configuration is desired.

Typically, an ISP assigns a /64 or smaller subnet to establish service on the WAN. An additional network is routed for LAN use. The size of the allocation depends upon the ISP, but it’s not uncommon to see end users receive at least a /64 and even up to a /48.

A tunnel service provider such as tunnelbroker.net run by Hurricane Electric will allocate a /48 in addition to a routed /64 subnet and a /64 interconnect.

Assignments larger than /64 usually adopt the first /64 for LAN and subdivide the rest for requirements such as VPN tunnel, DMZ, or a guest network.
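The subdivision described above, as an added example that is not part of the original documentation: it splits an allocation on four-bit boundaries, counts the /64 networks it holds, and hands the first /64 to the LAN and the following ones to other roles. The function names and the 2001:db8:1234::/48 allocation (taken from the documentation prefix) are assumptions for illustration.

```python
import ipaddress


def nibble_subnets(network, new_prefix):
    """Split `network` into `new_prefix`-sized subnets on hex-digit boundaries."""
    net = ipaddress.IPv6Network(network)  # strict: rejects stray host bits
    if net.prefixlen % 4 or new_prefix % 4:
        raise ValueError("prefix lengths must be multiples of four")
    if not net.prefixlen <= new_prefix <= 128:
        raise ValueError("new prefix must not be shorter than the allocation")
    # subnets() returns a generator, so even a /32 -> /64 split stays cheap
    return net.subnets(new_prefix=new_prefix)


def count_64s(prefix_len):
    """Number of /64 networks inside a prefix (last column of the table)."""
    return 2 ** (64 - prefix_len) if prefix_len <= 64 else 0


def plan_allocation(allocation, roles):
    """Assign one /64 per role: first /64 to the first role, and so on."""
    net = ipaddress.IPv6Network(allocation)
    if len(roles) > count_64s(net.prefixlen):
        raise ValueError(f"{net} cannot hold {len(roles)} /64 networks")
    return {role: str(sub)
            for role, sub in zip(roles, nibble_subnets(allocation, 64))}


if __name__ == "__main__":
    allocation = "2001:db8:1234::/48"  # constructed sample allocation
    print(f"{allocation} holds {count_64s(48):,} /64 networks")

    # Going from /48 to /52 adds exactly one hex digit to the prefix
    for sub in nibble_subnets(allocation, 52):
        print("  /52:", sub)

    # First /64 for LAN, the next ones for the other internal networks
    for role, sub in plan_allocation(allocation,
                                     ["LAN", "VPN", "DMZ", "GUEST"]).items():
        print(f"  {role:<5} {sub}")
```

Because the target is always a /64, every internal segment produced this way remains usable with auto configuration.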

Special IPv6 Subnets

Special use networks are reserved in IPv6. A full list of these can be found in the Wikipedia IPv6 article. Six examples of IPv6 special networks and their addresses are shown below in IPv6 Special Networks and Addresses.

IPv6 Special Networks and Addresses

Network        Purpose
-------------  ----------------------------------------------------------------------
2001:db8::/32  Documentation prefix, used for examples, like those found in this book.
::1            Localhost
fc00::/7       Unique Local Addresses (ULA) - also known as “Private” IPv6 addresses.
fe80::/10      Link Local addresses, only valid inside a single broadcast domain.
2001::/16      Global Unique Addresses (GUA) - Routable IPv6 addresses.
ff00::0/8      Multicast addresses

Neighbor Discovery

IPv4 hosts find each other on a local segment using ARP broadcast messages, but IPv6 hosts find each other by sending Neighbor Discovery Protocol (NDP) messages. Like ARP, NDP works inside a given broadcast domain to find other hosts inside of a specific subnet.

By sending special ICMPv6 packets to reserved multicast addresses, NDP handles the tasks of neighbor discovery, router solicitations, and route redirects similar to IPv4’s ICMP redirects.

pfSense automatically adds firewall rules on IPv6 enabled interfaces that permit NDP to function. All current known neighbors on IPv6 can be viewed in the firewall GUI at Diagnostics > NDP Table.

Router Advertisements

IPv6 routers are located through their Router Advertisement (RA) messages instead of by DHCP. IPv6-enabled routers that support dynamic address assignment are expected to announce themselves on the network to all clients and respond to router solicitations. When acting as a client (WAN interfaces), pfSense accepts RA messages from upstream routers. When acting as a router, pfSense provides RA messages to clients on its internal networks. See Router Advertisements (Or: “Where is the DHCPv6 gateway option”) for more details.

Address Allocation

Client addresses can be allocated by static addressing through SLAAC (Router Advertisements (Or: “Where is the DHCPv6 gateway option”)), DHCP6 (IPv6 DHCP Server and Router Advertisements), or other tunneling methods such as OpenVPN.

DHCP6 Prefix Delegation

DHCP6 Prefix Delegation delivers a routed IPv6 subnet to a DHCP6 client. A WAN-type interface can be set to receive a prefix over DHCP6 (DHCP6, Track Interface). A router functioning at the edge of a large network can provide prefix delegation to other routers inside the network (DHCPv6 Prefix Delegation).