8

Is it true that the fd00::/8 address space (User Local Addresses) in ipv6 is for machines that you NEVER want to speak with anything on the Internet?

I was just reading that here and rather surprised to find that was the case.

Ron Maupin
  • 98,218
  • 26
  • 115
  • 191
leeand00
  • 321
  • 1
  • 3
  • 9
  • Indeed private IP addresses (such as 10.x.x.x or 192.168.x.x) behave the same way: You cannot use them in the internet. – Martin Rosenau Apr 27 '18 at 12:57
  • @MartinRosenau, the big difference between the IPv4 Private Addressing and the IPv6 Unique Local Addressing is that Private Addressing has no expectation of being unique (same addressing is expected to be reused in many places), but Unique Local Addressing has a high expectation that it is unique (same addressing is not expected to be used in more than one place). Private Addressing has proved to be a problem with companies that merge or set up extranet connections. Unique Local Addressing is designed to overcome that. – Ron Maupin Apr 27 '18 at 14:23
  • @RonMaupin I know that FC80::/16 (?) really replaces 10/8 - and this address range has been deprecated. However MANY people migrating to IPv6 now use FD00::/64 as prefix which means that FD00::/64 will be anything but unique. However my comment was focused on the question why there are IP addresses for computers never being connected to the internet. 10/8 and 192.168/16 are also never used in the internet... So it is not too surprising that such address ranges exist. – Martin Rosenau Apr 27 '18 at 18:31
  • 2
    @MartinRosenau "_which means that FD00::/64 will be anything but unique._" That is why you do not use that range. The first eight bits are `fd`, and you must use a random number for the next 40 bits of the prefix. Read the RFC linked in my answer. If you are using `fd00::/64`, then you are doing it wrong. `fd00::/8` is part of ULA (`fc00::/7`), and there are rules around how you must assign a prefix in the `fd00::/8` range. You cannot simply use `fd00::/64`. – Ron Maupin Apr 27 '18 at 20:19
  • 2
    @MartinRosenau Actually assigning `fd00::/64` or other obviously non-random prefixes is one of the most common IPv6 mistakes I see. Don't make this mistake; it could be _very expensive_ later on. – Michael Hampton Apr 27 '18 at 20:33
  • I cannot see why anyone would want to restrict themselves to a 121 bit address space in IPv6. The only reason it was done in v4 was because the public internet had used nearly all the available space before NAT came along, so it was more a question of restricting the internet to not use certain ranges that were still available at the time, hence the somewhat obscure choice of numbers. Now the IANA is still allocating public space incrementally so the space used for the foreseeable future is never going to be more than an infinitesimal fraction of the available space. OK, let’s be generous and – Terry Horridge Aug 15 '19 at 11:28

2 Answers2

9

IPv6 packets addressed in the IPv6 ULA address range, fc00::/7, can not be routed on the public Internet. Remember, though, that interfaces can have multiple IPv6 addresses, including Link-Local, Global, and ULA, and they can have several of each. Theoretically, there is no real limit to the number of IPv6 addresses you can assign to one interface, although the host OS will have a limit (usually no more than a couple of dozen, and the OS will need to create IPv6 Solicited-Node multicast addresses for each unicast or anycast IPv6 address, possibly only a single one if the last 24 bits of each address are the same).

For example, you could have a Link-Local address, a Global address, and a ULA address assigned to an interface on each of your hosts. Your hosts on your own network could communicate with the ULA addresses for any traffic that you never want to see on the public Internet, but the hosts could still communicate on the public Internet using any assigned Global addresses.

There are two parts to the ULA addresses:

  1. The first half of the ULA address range, fc00::/8, is reserved for a future global authority to assign.
  2. The second half of the ULA address range, fd00::/8, can be assigned locally, with restrictions. The next 40 bits must be randomly chosen, and you cannot assign prefixes in any particular order.

See RFC 4193, Unique Local IPv6 Unicast Addresses for the full information on assigning ULA addressing:

  1. Introduction

This document defines an IPv6 unicast address format that is globally unique and is intended for local communications [IPV6]. These addresses are called Unique Local IPv6 Unicast Addresses and are abbreviated in this document as Local IPv6 addresses. They are not expected to be routable on the global Internet. They are routable inside of a more limited area such as a site. They may also be routed between a limited set of sites.

Local IPv6 unicast addresses have the following characteristics:

  • Globally unique prefix (with high probability of uniqueness).

  • Well-known prefix to allow for easy filtering at site boundaries.

  • Allow sites to be combined or privately interconnected without creating any address conflicts or requiring renumbering of interfaces that use these prefixes.

  • Internet Service Provider independent and can be used for communications inside of a site without having any permanent or intermittent Internet connectivity.

  • If accidentally leaked outside of a site via routing or DNS, there is no conflict with any other addresses.

  • In practice, applications may treat these addresses like global scoped addresses.

This document defines the format of Local IPv6 addresses, how to allocate them, and usage considerations including routing, site border routers, DNS, application support, VPN usage, and guidelines for how to use for local communication inside a site.

Community
  • 1
Ron Maupin
  • 98,218
  • 26
  • 115
  • 191
6

Is it true that the fd00::/8 address space (User Local Addresses) in IPv6 is for machines that you NEVER want to speak with anything on the Internet?

Not exactly.

The IPv6 proponent's idea was that you could/should run multiple addresses in parallel. So the same machine could have both one or more global addresses for communication with the outside world and one or more ULAs for communication within the organisation.

In this way you could change the IP addresses used for internet connectivity without affecting internal connectivity.

Unfortunately running multiple addresses in parallel is one of those ideas that works better in theory than in practice. If your machines have both global addresses and local addresses it is quite likely that in some cases the global addresses will end up being used for internal communications. If your machines have global addresses for multiple ISPs they may use the wrong one to source traffic.

So what are your options?

  1. Use Provider Independent (PI) space only (or become a Local Internet Registry) this is clearly the better option for major sites of large organisations but it's problematic for small or distributed businesses. Most broadband providers won't do BGP and if everyone went for PI space we would have a routing table nightmare.
  2. Use ISP allocated space only, hope to heck that you never have to change ISPs.
  3. Use ISP allocated space alongside ULA space. Hope that you can keep the ISP allocated space out of internal stuff.
  4. Give the IP purists the finger and deploy IPv6 NAT, at least as a contingency plan.

p.s., the article you linked also claims that "RFC 1918 address space was specifically set aside for the purpose of running NAT", I find this claim highly dubious. Neither RFC1918 or it's predecessor RFC1597 make any mention of NAT.

As far as I can tell, NAT has always made the Internet purists squirm; they grudgingly accepted it for IPv4.

Community
  • 1
Peter Green
  • 12,935
  • 2
  • 20
  • 46
  • 2
    NAT was RFC 1631, published shortly after RFC 1597. – Michael Hampton Apr 27 '18 at 20:31
  • 2
    There has been a standard for IPv6 address selection when having multiple addresses on an interface. It is _[RFC, 6724, Default Address Selection for Internet Protocol Version 6 (IPv6)](https://tools.ietf.org/html/rfc6724)_. Simplistically, if you send to a global destination, then it will use the configured global address, but if you send to a local destination, then it will use the configured local address. There is a lot more to it than that, but the problems that you seem to think exist do not really exist. – Ron Maupin Jun 25 '19 at 00:37