How To Read IPv6 Addresses
A common complaint about IPv6 is that addresses are “hard to read”. If you’ve been in the networking world any length of time, IPv4’s dotted quad is most likely seared into your brain, and clumps of hexadecimal digits of varying lengths can be hard to wrap your head around. However, those clumps can provide useful information.
Below I’ll go over some of the address types I’ve seen and show you what information they provide.
NOTE: I’m not going to explain the basics of IPv6 address formats. Plenty of others have done that elsewhere. Wikipedia and RFC 4291 are good places to start.
Many of Wireshark’s web sites have been available over IPv6 for a while, and as I’ve looked through various capture files and server logs, patterns have emerged. Most of the addresses in this post are from IPv6 traffic captured in late January 2011. In Wireshark you can view IPv6 addresses via Statistics→Endpoint List→IPv6 or Statistics→Conversation List→IPv6, or by using the display filter “ipv6”.
First let’s look at the network prefixes that were captured. In my sample capture I see the following /16s (which we’ll call chunks for now):
2001::
2002::
2607::
2620::
2a01::
fe80::
ff02::
Most of the traffic in the capture starts with “2”. The prefix 2000::/3 has been assigned for global unicast traffic — that is, traffic you should see on the public internet. Right now you should only see prefixes between 2001::/16 and 2c00::/16 since IANA has only assigned prefixes in that range.
This alone is incredibly useful. A simple regular expression “[23]...:” (a “2” or “3” followed by three characters followed by a “:”) can be used to match public IPv6 traffic. I use this to find IPv6 addresses in Apache access logs.
Wireshark’s display filter engine doesn’t support prefix lengths for IPv6 addresses (not yet, at least), but you can use arithmetic comparisons to find public addresses, e.g. “ipv6.src >= 2000:: && ipv6.src < 4000::”.
Many prefixes in the assigned range are recognizable:
- 2002:: — 6to4 traffic. MTUs from these addresses will probably be lower than normal.
- 2001:470:: — Hurricane Electric. HE provides a popular tunnel broker service, so MTUs from these addresses will often be lower than normal.
- 2001:0:: — Teredo tunneling.
- Organizations with large v6 deployments, such as 2001:420 (Cisco) and 2001:4860 (Google).
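The log-matching regex, the Wireshark range comparison and the prefix list above, worked through as an added example (this is not code from the original post or from the Wireshark project). The Apache access-log lines are constructed, and the Hurricane Electric, Teredo and 6to4 prefixes are taken from the post. It also shows a limit of the “[23]...:” pattern when it is not anchored to the start of the line: the year in an Apache timestamp such as “2011:” matches it too, so the exact check is to parse the address and test it against 2000::/3, which is what the Wireshark filter does numerically.

```python
import ipaddress
import re

# Constructed Apache access-log lines (not from the original post): the
# client address is the first field, the timestamp field contains "2011:".
LOG_LINES = [
    '2001:db8:470:1::2 - - [28/Jan/2011:10:00:01 +0000] "GET / HTTP/1.1" 200 1234',
    '2002:c000:204::1 - - [28/Jan/2011:10:00:02 +0000] "GET /download HTTP/1.1" 200 99',
    '192.0.2.10 - - [28/Jan/2011:10:00:03 +0000] "GET / HTTP/1.1" 200 1234',
    'fe80::3000:1 - - [28/Jan/2011:10:00:04 +0000] "GET / HTTP/1.1" 200 1',
    '2001:0:4136:e378:8000:63bf:3fff:fdd2 - - [28/Jan/2011:10:00:05 +0000] "GET / HTTP/1.1" 404 0',
]

# The post's pattern: a "2" or "3", any three characters, then ":".
POST_PATTERN = re.compile(r'[23]...:')
# The same pattern anchored to the start of the line, where the client address sits.
ANCHORED = re.compile(r'^[23]...:')

# Prefixes named in the post, most specific first so that 6to4 and the
# tunnel prefixes are reported before the catch-all global unicast range.
KNOWN_PREFIXES = [
    (ipaddress.IPv6Network('2002::/16'), '6to4'),
    (ipaddress.IPv6Network('2001::/32'), 'Teredo'),
    (ipaddress.IPv6Network('2001:470::/32'), 'Hurricane Electric tunnel'),
    (ipaddress.IPv6Network('fe80::/10'), 'link-local'),
    (ipaddress.IPv6Network('ff00::/8'), 'multicast'),
    (ipaddress.IPv6Network('2000::/3'), 'global unicast'),
]


def client_address(line):
    """First whitespace-separated field of an Apache access-log line."""
    return line.split(' ', 1)[0]


def ipv6_clients(lines):
    """Client addresses picked out by the post's pattern anchored at line start."""
    return [client_address(line) for line in lines if ANCHORED.match(line)]


def unanchored_hits(lines):
    """Lines where the pattern matches anywhere; the "2011:" timestamp hits too."""
    return [line for line in lines if POST_PATTERN.search(line)]


def is_global_unicast(addr_text):
    """Numeric equivalent of 'ipv6.src >= 2000:: && ipv6.src < 4000::'."""
    try:
        addr = ipaddress.IPv6Address(addr_text)
    except ValueError:          # not an IPv6 address at all (e.g. dotted quad)
        return False
    return addr in KNOWN_PREFIXES[-1][0]


def global_unicast_clients(lines):
    """Client addresses inside 2000::/3, using the parsed address rather than text."""
    return [a for a in map(client_address, lines) if is_global_unicast(a)]


def classify(addr_text):
    """Label an address with the first matching prefix from KNOWN_PREFIXES."""
    addr = ipaddress.IPv6Address(addr_text)
    for net, label in KNOWN_PREFIXES:
        if addr in net:
            return label
    return 'other'


if __name__ == '__main__':
    for line in LOG_LINES:
        addr = client_address(line)
        label = classify(addr) if is_global_unicast(addr) or ':' in addr else 'IPv4'
        print(f'{addr:40} {label}')
    print('unanchored pattern hit', len(unanchored_hits(LOG_LINES)), 'of', len(LOG_LINES), 'lines')
```

Note that the Teredo address is inside 2000::/3 and so passes both the regex and the range check; it is still tunnelled traffic, which is why the prefix list is worth keeping alongside the range check.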
Now let’s skip over to the last half of the addresses and look at some of the recognizable bits in the host portion:
- ::5efe:xxyy:zzqq — ISATAP. Yet another tunneling technology. xx, yy, zz, and qq represent a tunnelled IPv4 address.
- ::xxyy:zzff:feqq:rrss — SLAAC. This is the machine’s MAC address (xx:yy:zz:qq:rr:ss) with “ff:fe” shoved in the middle.
- ::random digits — A SLAAC privacy extension address.
Now take a look at the following addresses. Notice anything unusual?
2620:12::5
2001:4860:8004::68
2001:420:80:1::5
Compared to the formats above, they’re short. The host portion is mostly zeroes. These are manually assigned. In this case they’re all web server addresses. I added them to demonstrate that the length of IPv6 addresses is often up to you.
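Decoding the host portion described in the list above (ISATAP, SLAAC/EUI-64, privacy-extension and manually assigned identifiers), as an added example that is not code from the original post or from the Wireshark project. The addresses fed to it are constructed under 2001:db8:: except for the three manually assigned web server addresses quoted in the post. One detail beyond the post's “ff:fe shoved in the middle”: RFC 4291 Appendix A also inverts the universal/local bit (0x02) of the MAC's first octet, so the code flips it back when recovering the MAC. The “small identifier means manually assigned” threshold is an assumption made for the example, not a rule from the post.

```python
import ipaddress


def interface_identifier(addr_text):
    """Low 64 bits of the address (the host portion) as an integer."""
    return int(ipaddress.IPv6Address(addr_text)) & ((1 << 64) - 1)


def isatap_ipv4(addr_text):
    """Embedded IPv4 address of an ISATAP identifier ::5efe:xxyy:zzqq, else None.

    The identifier is 0000:5efe (or 0200:5efe with the universal/local bit
    set) followed by the 32-bit tunnelled IPv4 address.
    """
    iid = interface_identifier(addr_text)
    if (iid >> 32) not in (0x00005efe, 0x02005efe):
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def eui64_mac(addr_text):
    """MAC address behind a SLAAC/EUI-64 identifier xxyy:zzff:feqq:rrss, else None.

    EUI-64 inserts ff:fe between the two halves of the MAC and flips bit 0x02
    of the first octet (RFC 4291 Appendix A); both steps are undone here.
    """
    iid_bytes = interface_identifier(addr_text).to_bytes(8, 'big')
    if iid_bytes[3:5] != b'\xff\xfe':
        return None
    first_octet = iid_bytes[0] ^ 0x02
    mac = bytes([first_octet]) + iid_bytes[1:3] + iid_bytes[5:8]
    return ':'.join(f'{b:02x}' for b in mac)


# Assumption for this example: an identifier that fits in 16 bits (::5, ::68)
# is treated as manually assigned; anything else unrecognised as random.
MANUAL_IID_BITS = 16


def describe_host_portion(addr_text):
    """Classify the host portion the way the post reads it by eye."""
    v4 = isatap_ipv4(addr_text)
    if v4 is not None:
        return f'ISATAP, tunnelled IPv4 {v4}'
    mac = eui64_mac(addr_text)
    if mac is not None:
        return f'SLAAC/EUI-64, MAC {mac}'
    if interface_identifier(addr_text).bit_length() <= MANUAL_IID_BITS:
        return 'manually assigned'
    return 'random (privacy extension or other)'


if __name__ == '__main__':
    # Constructed sample addresses; the last three are the post's web server addresses.
    for addr in ['2001:db8::5efe:c000:204',        # ISATAP carrying 192.0.2.4
                 '2001:db8::21b:21ff:fe11:2233',    # EUI-64 from MAC 00:1b:21:11:22:33
                 '2001:db8::a1b2:c3d4:e5f6:789',    # random identifier
                 '2620:12::5', '2001:4860:8004::68', '2001:420:80:1::5']:
        print(f'{addr:36} {describe_host_portion(addr)}')
```

When reviewing captures, the EUI-64 case is the one to flag: it exposes the hardware address, and with it the vendor OUI, to every remote host the machine talks to, which is exactly the information the privacy extension addresses hide.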