IPv6 – Addressing, Features, Configuration, and Transition

1. What Is IPv6?

IPv6 (Internet Protocol version 6) is the successor to IPv4, developed to solve the exhaustion of the 32-bit IPv4 address space. Published as RFC 2460 in 1998 and updated by RFC 8200 in 2017, IPv6 expands the address space to 128 bits, providing approximately 3.4 × 1038 unique addresses — enough to assign a unique address to every atom on Earth many times over.

Beyond raw address space, IPv6 also delivers a simplified fixed-length header, mandatory IPsec support, stateless autoconfiguration (SLAAC), the elimination of broadcast, and a more efficient hierarchical routing design. 

  IPv4:  192.168.1.1          (32 bits  —  ~4.3 billion addresses)
  IPv6:  2001:0db8:85a3::8a2e:0370:7334  (128 bits —  ~340 undecillion addresses)

  Global allocation hierarchy:
  /23 (IANA) → /32 (RIR/ISP) → /48 (Site) → /64 (Subnet) → /128 (Host)

Related pages: NAT & PAT | IPsec Basics | IPsec VPN | DHCP Overview | How DHCP Works | How DNS Works | OSPF Overview | Default Routes | show ip route | show ip interface brief | IPv6 Basic Configuration Lab

2. Why IPv6? – Reasons for Development

Driver Detail
IPv4 address exhaustion IANA exhausted its IPv4 pool in 2011; all five RIRs have since run out of free /8 blocks. NAT extended IPv4 life but introduced complexity and broke end-to-end connectivity.
Vastly larger address space 2128 addresses eliminate the need for NAT and allow every device — including IoT sensors — to have a globally routable address.
Simplified header Fixed 40-byte header (vs. IPv4’s variable 20–60 bytes) removes rarely used fields, speeds up router processing, and moves optional features to extension headers.
No broadcast Broadcast is replaced by multicast and anycast, eliminating broadcast storms and reducing unnecessary host interruptions.
Stateless autoconfiguration (SLAAC) Devices can self-assign a globally routable address without a DHCP server, simplifying deployment especially for IoT and mobile networks.
Mandatory IPsec support All IPv6 implementations must support IPsec (AH and ESP), enabling end-to-end authentication and encryption as a standard feature.
Better QoS with Flow Label The 20-bit Flow Label field allows routers to identify and prioritise traffic flows without inspecting upper-layer headers.

3. IPv4 vs. IPv6 – Key Differences

Feature IPv4 IPv6
Address length 32 bits 128 bits
Address notation Dotted decimal (e.g., 192.168.1.1) Colon-hex (e.g., 2001:db8::1)
Address space ~4.3 billion ~340 undecillion (3.4 × 1038)
Address types Unicast, Broadcast, Multicast Unicast, Multicast, Anycast (no broadcast)
Header size Variable: 20–60 bytes Fixed: 40 bytes
Header fields 12 fields (including checksum, flags, fragmentation) 8 fields; optional features via extension headers
Checksum Yes — recalculated at every hop No — removed to speed up forwarding
Fragmentation Routers and hosts can fragment Hosts only — routers drop oversized packets and send ICMPv6 “Packet Too Big”
Address configuration Manual or DHCP Manual, SLAAC, or DHCPv6
Address resolution ARP (broadcast-based) NDP Neighbor Solicitation (multicast-based)
NAT requirement Widely used to extend address space Designed to be unnecessary
IPsec Optional (add-on) Mandatory support (use is optional)

4. IPv6 Address Format and Abbreviation Rules

An IPv6 address is 128 bits written as eight groups of four hexadecimal digits separated by colons. Two rules allow shortening any address:

  • Rule 1 — Drop leading zeros within any group: 0db8db8,  00000
  • Rule 2 — Replace one consecutive run of all-zero groups with ::. This can only be used once per address.
Form Address
Full (unabbreviated) 2001:0db8:85a3:0000:0000:8a2e:0370:7334
Leading zeros removed 2001:db8:85a3:0:0:8a2e:370:7334
Double-colon compression 2001:db8:85a3::8a2e:370:7334
Loopback ::1  (127 leading zeros + 1)
Unspecified ::  (all zeros; equivalent to 0.0.0.0 in IPv4)
IPv4-mapped ::ffff:192.168.1.1  (used in dual-stack implementations)

Address components: The address is split into a 64-bit network prefix (identifies the subnet) and a 64-bit interface identifier (identifies the host within that subnet). 

  2001:0db8:85a3:0001 : 0000:8a2e:0370:7334
  |<--- 64-bit prefix --->| |<-- 64-bit interface ID -->|

5. Types of IPv6 Addresses

Type Prefix Scope Description IPv4 Equivalent
Global Unicast (GUA) 2000::/3 Global Publicly routable addresses, assigned by ISPs. Starts with 2 or 3. Public IP
Link-Local FE80::/10 Link only Auto-generated on every IPv6 interface. Used for NDP, routing protocol hellos, and next-hop addressing. Never forwarded by routers. 169.254.x.x (APIPA)
Unique Local (ULA) FC00::/7 Organisation Private, not routed on the Internet. Similar in function to RFC 1918 ranges. Prefix is typically FD (locally assigned). 10.x.x.x, 172.16.x.x, 192.168.x.x
Loopback ::1/128 Host only Refers to the local device itself; never sent on the wire. 127.0.0.1
Unspecified ::/128 N/A Used as source address before a device has a valid address (e.g., during SLAAC DAD). 0.0.0.0
Multicast FF00::/8 Variable Delivers to all members of a group. Replaces IPv4 broadcast. Well-known groups include FF02::1 (all nodes) and FF02::2 (all routers). 224.0.0.0/4 (Class D)
Anycast From GUA space Global Assigned to multiple interfaces; packet is delivered to the topologically nearest one. Used for DNS root servers, CDN nodes, and load balancing. No direct equivalent
Solicited-Node Multicast FF02::1:FF00:0/104 Link only Automatically generated from the last 24 bits of a unicast address. Used by NDP Neighbor Solicitation instead of broadcast ARP. ARP broadcast

6. IPv6 Address Assignment Methods

6a. SLAAC – Stateless Address Autoconfiguration

With SLAAC (RFC 4862), a device generates its own IPv6 address without any server. The process is:

  1. The device generates a link-local address (FE80::/10 + EUI-64 or random interface ID) and performs Duplicate Address Detection (DAD) via NDP.
  2. The device sends a Router Solicitation (RS) to FF02::2 (all routers).
  3. A router replies with a Router Advertisement (RA) containing the network prefix (e.g., 2001:db8:1::/64) and default gateway.
  4. The device appends its 64-bit interface identifier (EUI-64 or privacy-extended random) to the prefix to form the full global unicast address.
  Router advertises:  2001:db8:abcd:12::/64
  Device MAC:         00-1A-2B-3C-4D-5E
  EUI-64 interface ID: 021a:2bff:fe3c:4d5e
  Final IPv6 address: 2001:db8:abcd:12:021a:2bff:fe3c:4d5e

6b. DHCPv6

DHCPv6 provides more administrative control than SLAAC. Two modes exist:

  • Stateful DHCPv6: The server assigns the full IPv6 address and tracks leases — equivalent to IPv4 DHCP. The RA sets the M (Managed) flag.
  • Stateless DHCPv6: SLAAC handles address assignment; DHCPv6 provides only additional parameters (DNS servers, domain name). The RA sets the O (Other) flag.

6c. EUI-64 Interface ID Generation

EUI-64 derives a 64-bit interface identifier from a 48-bit MAC address:

  1. Split the MAC into two 24-bit halves: 00-1A-2B | 3C-4D-5E
  2. Insert FF:FE in the middle: 00-1A-2B-FF-FE-3C-4D-5E
  3. Flip the 7th bit (Universal/Local bit): 0002
  4. Result: 021a:2bff:fe3c:4d5e

7. IPv6 Header Structure

The IPv6 base header is a fixed 40 bytes, compared to IPv4’s variable 20–60 bytes. Removing rarely used fields and moving optional features to extension headers allows routers to process packets faster.

Field Size Purpose
Version 4 bits Always 6 for IPv6
Traffic Class 8 bits DSCP + ECN — used for QoS and congestion signalling
Flow Label 20 bits Identifies a flow for special handling (e.g., real-time traffic) without per-packet deep inspection
Payload Length 16 bits Length of the payload (including extension headers) in bytes
Next Header 8 bits Identifies the type of the next header (e.g., TCP=6, UDP=17, ICMPv6=58, or an extension header type)
Hop Limit 8 bits Equivalent to IPv4 TTL — decremented at each hop; packet discarded when it reaches zero
Source Address 128 bits IPv6 address of the sending interface
Destination Address 128 bits IPv6 address of the intended recipient

Extension headers (Routing, Fragment, Hop-by-Hop Options, Destination Options, Authentication, Encapsulating Security Payload) are chained after the base header using the Next Header field and are only processed by the relevant nodes — not every router along the path.

8. IPv6 Subnetting

IPv6 uses the same slash-notation as CIDR. The standard allocation hierarchy provides each subnet a /64, leaving 64 bits for the interface ID — a requirement for SLAAC and EUI-64 to work correctly.

Prefix Typical Allocation Addresses Available Notes
/23 IANA to RIRs 2105 Top-level allocation block
/32 RIR/ISP block 296 Standard ISP allocation
/48 Enterprise / site 65,536 × /64 subnets Typical allocation to an organisation or branch
/56 Home / small office 256 × /64 subnets Common ISP allocation for residential customers
/64 Single subnet ~18.4 quintillion hosts Required for SLAAC; standard LAN subnet size
/127 Point-to-point links 2 addresses RFC 6164 — replaces /30 for router-to-router links
/128 Single host route / loopback 1 address Used for loopback interfaces and static host routes

9. Neighbor Discovery Protocol (NDP)

NDP (RFC 4861) is IPv6’s replacement for IPv4 ARP and parts of ICMP. It operates over ICMPv6 and uses multicast rather than broadcast, making it far more efficient on large segments.

NDP Message ICMPv6 Type Purpose
Router Solicitation (RS) 133 Host requests router information; sent to FF02::2 (all routers)
Router Advertisement (RA) 134 Router announces prefix, default gateway, MTU, and M/O flags; sent periodically or in response to RS
Neighbor Solicitation (NS) 135 Resolves IPv6 address to MAC (replaces ARP Request); also used for Duplicate Address Detection (DAD)
Neighbor Advertisement (NA) 136 Reply to NS; provides the MAC address (replaces ARP Reply); also sent when link-layer address changes
Redirect 137 Router informs a host of a better next-hop for a destination (replaces ICMPv4 Redirect)

Duplicate Address Detection (DAD): Before using a new address, a host sends an NS with its tentative address as the target. If no NA reply arrives, the address is unique and assigned. If a reply comes back, the address is a duplicate and the assignment fails.

10. IPv6 Routing

IPv6 routing follows the same longest-prefix-match logic as IPv4 but operates on 128-bit addresses. All major routing protocols have been updated or extended for IPv6:

Protocol IPv6 Version Notes
OSPF OSPFv3 Redesigned for IPv6; runs directly over IPv6; uses link-local addresses for neighbour relationships
EIGRP EIGRP for IPv6 Cisco proprietary; enabled per-interface with ipv6 eigrp
RIP RIPng (RFC 2080) RIP Next Generation; uses UDP port 521 and multicast FF02::9
BGP BGP-4 with MP-BGP Multiprotocol BGP extensions (RFC 4760) carry IPv6 prefixes as an address family
IS-IS Integrated IS-IS Multi-topology IS-IS (MT-IS-IS) supports IPv6 natively alongside IPv4

Static routing example (Cisco IOS): 

ipv6 unicast-routing
ipv6 route 2001:db8:2::/64 GigabitEthernet0/1 FE80::1

11. Transition Mechanisms from IPv4 to IPv6

Because IPv4 and IPv6 cannot communicate directly, three categories of transition mechanisms ease the migration:

Category Mechanism How It Works Best For
Dual Stack Dual Stack (RFC 4213) Devices run both IPv4 and IPv6 simultaneously; choose the protocol based on destination Preferred long-term approach; used during migration period
Dual-Stack Lite (DS-Lite) Tunnels IPv4 inside IPv6; ISP handles NAT at the carrier level (CGNAT) ISPs deploying IPv6 infrastructure while still serving IPv4 customers
Tunneling 6to4 (RFC 3056) Encapsulates IPv6 packets inside IPv4 packets; uses 2002::/16 prefix; automatic tunnel setup IPv6 islands separated by IPv4 infrastructure
ISATAP Intra-Site Automatic Tunnel Addressing Protocol; embeds IPv4 address in the IPv6 interface ID Internal enterprise transition within an IPv4 site
Teredo Tunnels IPv6 over IPv4 UDP; works through NAT; used by Windows hosts behind NAT End-host connectivity when behind NAT (now largely replaced by dual stack)
Translation NAT64 + DNS64 Translates IPv6 packets to IPv4 at the gateway; DNS64 synthesises AAAA records for IPv4-only destinations IPv6-only networks that must reach IPv4-only Internet services
MAP-T / MAP-E Stateless translation/encapsulation; maps IPv4 addresses and ports to IPv6 prefixes Large-scale ISP deployments without per-session NAT state

12. Security in IPv6

  • IPsec (mandatory support): All IPv6 implementations must support AH (Authentication Header) and ESP (Encapsulating Security Payload). This enables end-to-end authentication and encryption without relying on application-layer solutions.
  • Secure Neighbor Discovery (SEND, RFC 3971): Uses cryptographically generated addresses (CGA) and RSA signatures on NDP messages to prevent NDP spoofing and rogue RA attacks — the IPv6 equivalents of ARP poisoning.
  • RA Guard: A switch feature (RFC 6105) that drops unauthorised Router Advertisement messages on access ports, preventing rogue router attacks.
  • DHCPv6 Guard: Drops DHCPv6 server messages on untrusted ports, analogous to DHCP snooping in IPv4.
  • Expanded attack surface: The larger address space makes traditional network scanning impractical, but attackers can still target known prefixes, multicast groups, and link-local addresses.
  • Firewall and IDS awareness: All firewall and intrusion detection rules must explicitly account for IPv6 traffic; a dual-stack host with an unfiltered IPv6 interface may bypass IPv4-only security controls entirely.

13. Cisco IOS IPv6 Configuration

! Enable IPv6 routing globally
ipv6 unicast-routing

! Configure a GUA and link-local on an interface
interface GigabitEthernet0/0
 ipv6 address 2001:db8:1:1::1/64
 ipv6 address FE80::1 link-local
 no shutdown

! Configure OSPFv3
ipv6 router ospf 1
 router-id 1.1.1.1

interface GigabitEthernet0/0
 ipv6 ospf 1 area 0

! Static default route
ipv6 route ::/0 GigabitEthernet0/0 FE80::2

! Verification commands
show ipv6 interface brief
show ipv6 neighbors
show ipv6 route
show ipv6 ospf neighbor
ping ipv6 2001:db8:2::1

14. IPv6 Deployment Challenges

Challenge Detail Mitigation
Legacy IPv4-only equipment Older routers, switches, firewalls, and applications may not support IPv6 Dual stack during transition; replace or upgrade end-of-life hardware
Operator training IPv6 address management, subnetting, and troubleshooting differ enough from IPv4 to require deliberate upskilling CCNA/CCNP training; lab practice; phased rollout
Security tool gaps Some firewalls, IDS/IPS, and logging tools treat IPv6 as an afterthought Audit all security controls for IPv6 coverage; enable RA Guard and DHCPv6 Guard
IPAM and DNS updates IP address management systems must handle 128-bit addresses and AAAA records alongside A records Upgrade or replace IPAM tools; ensure DNS supports both record types
Transition complexity Running dual-stack adds operational overhead; tunnelling mechanisms can introduce asymmetric routing and MTU issues Plan for a clean dual-stack phase followed by IPv4 deprecation; avoid tunnel sprawl

15. Key Points & CCNA Exam Tips

  • IPv6 = 128 bits, written in eight groups of four hex digits separated by colons
  • Abbreviation: drop leading zeros per group; use :: once to compress consecutive all-zero groups
  • Address types: Global Unicast (2000::/3), Link-Local (FE80::/10), ULA (FC00::/7), Multicast (FF00::/8), Loopback (::1)
  • No broadcast in IPv6 — multicast and anycast replace it entirely
  • SLAAC uses Router Advertisements + EUI-64 (or random) interface ID; no server required
  • EUI-64: split MAC, insert FF:FE, flip 7th bit
  • DHCPv6 Stateful (M flag) = full address assignment; Stateless (O flag) = SLAAC + extra options only
  • NDP replaces ARP; NS/NA messages use solicited-node multicast, not broadcast
  • DAD verifies address uniqueness before it is assigned
  • IPv6 header = fixed 40 bytes, 8 fields; no checksum, no fragmentation by routers
  • Standard subnet = /64 (required for SLAAC); point-to-point links use /127 (RFC 6164)
  • Routing protocols: OSPFv3, EIGRP for IPv6, RIPng, MP-BGP
  • Transition: Dual Stack (preferred) → Tunneling (6to4, ISATAP, Teredo) → Translation (NAT64/DNS64)
  • IPsec support is mandatory in IPv6; actual use is optional
  • Enable IPv6 routing on Cisco with ipv6 unicast-routing

IPv6 Quiz

1. What is the length of an IPv6 address?

Correct answer is B. IPv6 addresses are 128 bits long, written as eight groups of four hexadecimal digits. This provides approximately 3.4 × 1038 unique addresses.

2. Which notation is used to represent IPv6 addresses?

Correct answer is A. IPv6 uses eight groups of four hexadecimal digits separated by colons. Leading zeros within a group can be omitted, and :: compresses one consecutive run of all-zero groups.

3. What mechanism replaces ARP in IPv6 networks?

Correct answer is D. NDP uses ICMPv6 Neighbor Solicitation and Neighbor Advertisement messages to resolve IPv6 addresses to MAC addresses. Unlike ARP, NDP uses solicited-node multicast rather than broadcast, making it far more efficient.

4. Which IPv6 address type is similar to a private IPv4 address?

Correct answer is C. Unique Local Addresses (ULA, FC00::/7) are the IPv6 equivalent of RFC 1918 private ranges — routable within an organisation but not on the public Internet. The FD prefix is the locally-assigned variant.

5. What is SLAAC in IPv6?

Correct answer is A. SLAAC (RFC 4862) allows a device to automatically generate its own IPv6 address using a router-advertised prefix plus a locally derived 64-bit interface identifier, requiring no DHCP server.

6. What prefix length is typically used for IPv6 subnets?

Correct answer is B. IPv6 subnets are typically /64, leaving 64 bits for the interface identifier. This is also a requirement for SLAAC and EUI-64 to function correctly. Each /64 contains approximately 18.4 quintillion addresses.

7. Which IPv6 transition method encapsulates IPv6 packets inside IPv4?

Correct answer is C. 6to4 (RFC 3056) encapsulates IPv6 packets inside IPv4 packets to traverse IPv4-only infrastructure. It uses the 2002::/16 prefix and embeds the IPv4 address in the IPv6 address. Dual Stack runs both protocols simultaneously; NAT64 translates between them.

8. What security feature has mandatory support in IPv6?

Correct answer is D. All IPv6 implementations must support IPsec (AH and ESP) as defined in the IPv6 specification. However, actual use of IPsec to protect traffic remains optional and must be explicitly configured.

9. Which IPv6 address type is used for communication within the same link?

Correct answer is A. Link-local addresses (FE80::/10) are auto-generated on every IPv6-enabled interface and are used for NDP, routing protocol neighbour relationships, and next-hop addressing. They are never forwarded beyond the local link by a router.

10. Which routing protocol version supports IPv6?

Correct answer is C. OSPFv3 is the version of OSPF redesigned for IPv6. It runs directly over IPv6, uses link-local addresses for neighbour relationships, and carries IPv6 prefix information in LSAs. OSPFv2 is IPv4-only.

← Back to Home