Computer Network 📂 Network Layer · 3 of 6 73 min read

IPv6 Explained

A complete guide to IPv6 for network engineers: 128-bit addresses, hextet notation, RFC 5952 compression rules, unicast/multicast/anycast address types, the simpler 40-byte fixed header, extension headers, /48-/56-/64 subnetting, SLAAC autoconfiguration, NDP replacing ARP, and dual-stack/tunneling/NAT64 transition. Includes animated diagrams, full IPv4-vs-IPv6 comparison, and real news cases from Google's 50% milestone to Windows "Bad Neighbor" CVE.

Section 01

Why We Needed a Bigger Envelope

340 Undecillion Reasons IPv4 Wasn't Enough
By 1990 the IETF had already noticed something alarming: at the rate the Internet was growing, the 4.3 billion IPv4 addresses would run out somewhere in the mid-2000s. A working group led by Steve Deering and Robert Hinden was told to design a replacement. They called it IP Next Generation — IPng — and by 1998 it became IPv6, standardised in RFC 2460 (later replaced by RFC 8200 in 2017).

The number they picked for the new address length was extraordinary: 128 bits. That is 2128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 unique addresses — 340 undecillion. Enough to give every grain of sand on Earth its own IPv6 address, then repeat the exercise for every star in the observable universe, and still have trillions left over.

Fast forward to 28 March 2026: for the first time in 18 years of measurement, Google recorded that access via native IPv6 has for the first time exceeded 50% (50.10% on 28 March 2026, to be precise). Half of the modern Internet already runs on the protocol most people think of as "the future." This tutorial covers every part of IPv6 — address format, address types, the simplified header, SLAAC, NDP, transition mechanisms — and shows how each piece compares with IPv4 alongside.
📍
What Changed and What Stayed the Same

IPv6 is not just "IPv4 with bigger addresses." It also fixed subtle protocol scars from thirty years of experience: no more broadcast, no more per-hop checksum, no more mid-network fragmentation, a simpler header, native autoconfiguration, and mandatory support for IPsec. But it kept what worked: the routing model, the "hourglass" of Layer 3, and clean interop with TCP and UDP on top.


Section 02

32 Bits vs 128 Bits — The Address Space Scale Difference

Before we look at what an IPv6 address looks like, it helps to feel the size difference. IPv4 has enough addresses for roughly one per human. IPv6 has enough for roughly one per atom in the outer 5 metres of the Earth's surface. This is not hyperbole — it's the math of 4 bits × 4 = 16 vs 4 bits × 32 = 128.

Address Space Comparison IPv4 — 32 bits 32 bits 2²² = 4,294,967,296 ~4.3 billion addresses Enough for ~half the humans on Earth IPv6 — 128 bits 128 bits (4× longer) 2¹²⁸ = 340,282,366,920,938,463,463,374,607,431,768,211,456 340 undecillion addresses Enough for every atom in every human body IPv6 has 2⁹⁶ = 7.9 × 10²⁸ times more addresses than IPv4 Not 4×. Not 100×. Nearly 80 octillion times more. That is why IPv6 exhaustion is not a discussion for our species.
The IPv6 bar isn't just longer — it's exponentially longer. Doubling bit-length squares the address count, so adding 96 bits multiplies the space by 296.

Section 03

IPv6 Address Notation — Eight Hextets

IPv4's dotted-decimal (192.168.1.5) uses four base-10 octets. That would be impossibly clumsy for 128 bits, so IPv6 does two things: it uses hexadecimal (base 16) and it groups the address into eight 16-bit blocks called hextets separated by colons.

Full IPv6 address = eight hextets × 16 bits each = 128 bits 2001 hex 0db8 85a3 0000 0000 8a2e 0370 7334 : : : : : : : Global Routing Prefix (48 bits) assigned by ISP / RIR Subnet ID (16 bits) 65,536 subnets per site Interface ID (64 bits) the device on that subnet 2001:0db8:85a3:0000:0000:8a2e:0370:7334 — the canonical "documentation" address (RFC 3849)
Each hextet is 4 hex digits = 16 bits. Eight hextets × 16 = 128 bits total. Global-prefix / subnet-ID / interface-ID is the near-universal 48/16/64 split.
💬
One Hex Digit = 4 Bits

Because a hex digit represents 4 bits (0000 to 1111), four hex digits = 16 bits = one hextet. Eight hextets = 128 bits. Hex was chosen over decimal because writing 128 bits as base-10 digits would take ~39 characters — hex gets it down to 32 hex digits, and the colons make it human-parseable.


Section 04

Zero Compression — The Two Shortening Rules

Nobody wants to type 2001:0db8:85a3:0000:0000:8a2e:0370:7334. RFC 5952 defines two compression rules that turn most IPv6 addresses into something reasonable.

Compressing 2001:0db8:85a3:0000:0000:8a2e:0370:7334 Full 2001:0db8:85a3:0000:0000:8a2e:0370:7334 32 hex digits — painful to type Rule 1 2001:db8:85a3:0:0:8a2e:370:7334 Drop leading zeros in each hextet: 0db8 → db8, 0000 → 0, 0370 → 370 Rule 2 2001:db8:85a3::8a2e:370:7334 Replace one longest run of all-zero hextets with "::" Final address: 22 characters — a 10-character saving
Rule 1 always applies. Rule 2 (the double-colon) can be used at most once per address, applied to the longest run of consecutive all-zero hextets.
🔢 Compression Rules — Fully Stated
Rule 1
Leading-zero suppression. Within each hextet, drop leading zeros. 0db8 → db8, 0000 → 0, 0370 → 370. But you must keep at least one digit: 0000 becomes 0, not empty.
Rule 2
Double-colon collapse. One or more consecutive all-zero hextets can be replaced by :: exactly once per address.
Why once?
If :: appeared twice, you couldn't tell how many zero hextets each stood for. Given a 128-bit constraint the parser can figure out the single missing span, but not two.
Longest wins
If multiple zero-runs exist, compress the longest. If tied, compress the first.
Lowercase
RFC 5952 mandates lowercase hex digits in canonical form. 2001:db8::1, not 2001:DB8::1.

Compression Practice Set

Full formAfter Rule 1 (leading zeros dropped)After Rule 2 (:: applied)
2001:0db8:0000:0000:0000:0000:0000:0001 2001:db8:0:0:0:0:0:1 2001:db8::1
0000:0000:0000:0000:0000:0000:0000:0001 0:0:0:0:0:0:0:1 ::1 (loopback)
0000:0000:0000:0000:0000:0000:0000:0000 0:0:0:0:0:0:0:0 :: (unspecified)
fe80:0000:0000:0000:0202:b3ff:fe1e:8329 fe80:0:0:0:202:b3ff:fe1e:8329 fe80::202:b3ff:fe1e:8329
2001:0db8:0000:0000:00ab:0000:0000:0001 2001:db8:0:0:ab:0:0:1 2001:db8::ab:0:0:1 (compress first longer run)
ff02:0000:0000:0000:0000:0000:0000:0001 ff02:0:0:0:0:0:0:1 ff02::1 (all-nodes multicast)
⚠️
Common Compression Traps

(1) 2001::db8::1 is invalid — two double-colons. (2) ::1234:: is invalid for the same reason. (3) Never compress a single zero hextet unless it beats every longer run — 2001:db8:0:1:: is preferred over 2001:db8::1:0:0:0:0. (4) Trailing IPv4 dotted-decimal is allowed for IPv4-mapped addresses: ::ffff:192.168.1.5.


Section 05

Address Types — Unicast, Multicast, Anycast (No Broadcast!)

IPv4 has four communication modes: unicast, broadcast, multicast, and (loosely) anycast. IPv6 formally recognises only three — and drops broadcast entirely.

📧
Unicast
one-to-one
A single interface. The packet reaches exactly one destination. This is 99%+ of all traffic — every TCP connection, every DNS lookup, every HTTPS request is unicast.
📣
Multicast
one-to-many
A group. All interfaces that have joined the multicast group receive the packet. Used heavily by IPv6 itself (Neighbor Discovery, DHCPv6, routing protocols) — not just video streaming.
📡
Anycast
one-to-nearest
Multiple interfaces share one address; routing delivers to the topologically closest one. Used for content delivery networks, DNS root servers, and cloud edge nodes.
💣
Where Did Broadcast Go?

IPv4's broadcast (255.255.255.255) wakes up every device on the subnet, whether they care about the packet or not. That's inefficient and enables amplification attacks like Smurf. IPv6 replaces broadcast with specific multicast groups. For example, ff02::1 is "all nodes on this link" — conceptually identical to broadcast, but interfaces can be configured to ignore it if their OS explicitly opts out. And crucially, it never leaves the local link.


Section 06

Address Categories — Reading the First Bits

Just as IPv4's first octet reveals the class, IPv6's first few bits tell you which category the address belongs to. Here are the categories every network engineer must recognise on sight.

CategoryPrefixRangePurposeIPv4 Analogue
Global Unicast 2000::/3 2000:: – 3fff:ffff:... Routable on public Internet Public IPv4
Link-Local fe80::/10 fe80:: – febf:ffff:... Automatically assigned; never routed off-link 169.254.x.x (APIPA)
Unique Local (ULA) fc00::/7 fc00:: – fdff:ffff:... Private, internal networks RFC 1918 (10.x, 192.168.x)
Multicast ff00::/8 ff00:: – ffff:ffff:... Group communication 224.0.0.0/4
Loopback ::1/128 ::1 exactly Localhost 127.0.0.1
Unspecified ::/128 :: exactly "No address yet" (used during boot) 0.0.0.0
IPv4-mapped ::ffff:0:0/96 ::ffff:0.0.0.0 – ::ffff:255.255.255.255 Represents IPv4 addr in IPv6 syntax
Documentation 2001:db8::/32 2001:db8:: – ... Reserved for docs, tutorials, RFCs 203.0.113.0/24

Well-Known Multicast Groups You'll See Everywhere

AddressMeaning
ff02::1All nodes on this link (like broadcast)
ff02::2All routers on this link
ff02::5OSPFv3 all routers
ff02::9RIPng routers
ff02::1:2All DHCPv6 relay agents / servers
ff02::1:ff<last24bits>Solicited-node (used by Neighbor Discovery)
🏠
Every IPv6 Interface Has At Least Two Addresses

When an IPv6 interface comes up, it always gets a link-local address in fe80::/10 — derived from its MAC via SLAAC (Section 10) — even before any router advertises anything. If a router is present, the interface also gets one or more global-unicast addresses. This is why ifconfig shows multiple IPv6 addresses per NIC.


Section 07

The IPv6 Header — Simpler, Fixed, Faster

IPv6's header was redesigned from scratch with 25 years of hindsight. The result is fewer fields, fixed length, no per-hop checksum, and cleaner alignment for hardware parsing.

IPv6 Header — 40 bytes fixed, 8 fields 0 4 12 32 48 56 63 byte 0-3 Ver (4b) TC (8b) Flow Label (20 bits) — NEW in IPv6 byte 4-7 Payload Length (16b) Next Header (8b) Hop Limit (8b) byte 8-23 Source IPv6 Address (128 bits) 2001:db8::1 (example) byte 24-39 Destination IPv6 Address (128 bits) 2001:db8::2 (example)
40 bytes exactly. Watch the amber glow travel through the fields — those are the eight components we'll explain next.

Each IPv6 Header Field Explained

FieldSizePurposeIPv4 Equivalent
Version4 bits Always 6 for IPv6. Lets stack decide "parse me as IPv6." Same as IPv4 Version
Traffic Class8 bits DSCP (6b) + ECN (2b) — identical semantics to IPv4 DSCP + ECN (ToS field)
Flow Label20 bits NEW. Identifies packets of the same flow so routers can hash-load-balance without inspecting L4 headers None
Payload Length16 bits Length of everything after this 40-byte header, in bytes. Max 65,535 (or Jumbogram for >64K) Total Length (but Total Length included the header)
Next Header8 bits Identifies what comes next: TCP (6), UDP (17), ICMPv6 (58), or an extension header Protocol field — same numbering
Hop Limit8 bits Decrements at each router. Zero ⇒ drop + ICMPv6 Time Exceeded TTL (renamed to fit its real meaning)
Source Address128 bits Sender's IPv6 address Same, but 4× the size
Destination Address128 bits Recipient's IPv6 address Same, but 4× the size
Fields Deleted From IPv4

IHL is gone (header is always 40 bytes). Identification, Flags, Fragment Offset are gone from the base header — if fragmentation is ever needed it happens only at the source via an extension header, never at intermediate routers. Header Checksum is gone entirely — Ethernet CRC and TCP/UDP checksums already catch corruption; router CPU no longer has to recompute on every hop. Options + Padding are gone — replaced by extension headers.


Section 08

Extension Headers — Optional Chained Modules

When IPv6 needs an "option" (fragmentation, source routing, IPsec authentication, mobility), it doesn't cram it into the base header. Instead the packet grows a chain: base header → extension header 1 → extension header 2 → … → TCP/UDP. The Next Header field of each stage tells the parser what comes next.

Extension header chain — each stage's Next Header points to the next IPv6 base hdr NextHdr = 43 (routing) Routing hdr (43) NextHdr = 44 (fragment) Fragment hdr (44) NextHdr = 6 (TCP) TCP segment (6) Application data Common Next Header values: 0 = Hop-by-Hop  •  43 = Routing  •  44 = Fragment  •  50 = ESP (IPsec)  •  51 = AH (IPsec)  •  58 = ICMPv6  •  59 = No Next Hdr
Fragmentation is now an extension header, added only when needed and processed only by the source and destination — not by every router along the path.

Section 09

IPv6 Subnetting — Why /64 Is the Universal Subnet Size

IPv6 addressing was designed around fixed-length prefixes. The universal rule: every subnet is a /64. That leaves 64 bits for the interface ID — enough for 1.8×1019 hosts per subnet. This is not wasteful; it's what SLAAC (Section 10) needs to work.

IPv6 subnet hierarchy — ISP allocates, subscriber subnets, /64 is universal /32 — typical ISP allocation (RIR → ISP) /48 — site / enterprise assignment ... 2¹⁶ sites /56 — small business / residential (256 subnets) ... 2⁸ sites /64 — single subnet (LAN, VLAN) ... 256 subnets per /56, 65,536 per /48 Below /64 lives the Interface ID — 2⁶⁴ = 18.4 quintillion hosts per subnet
A tiny business gets a /48 — that's 65,536 usable /64 subnets. A home user gets a /56 — still 256 subnets. Every single one of those subnets is a /64.
🔢 Numerical — What Does a /48 Buy You?
Q
An enterprise gets prefix 2001:db8:abcd::/48. How many /64 subnets, and how many hosts total?
1
Number of /64 subnets = 2(64 − 48) = 216 = 65,536 subnets.
2
Hosts per /64 subnet = 264 = 18,446,744,073,709,551,616.
3
Total addresses in the /48 = 2(128 − 48) = 2801.2 septillion.
A single enterprise allocation holds more addresses than the entire IPv4 space multiplied by 280 trillion. There is no scarcity story here.

Same Subnet or Not? — The IPv6 Prefix-Match Test

In IPv4 you determine "are these two hosts on the same subnet?" by ANDing each IP with the subnet mask and comparing the results. IPv6 uses the exact same idea — but with a cleaner name. Instead of a dotted mask like 255.255.255.0, you write the prefix length (/64). Two hosts are on the same subnet if and only if their first N bits are identical, where N is the prefix length.

Are host A and host B on the same /64 subnet? Compare the first 64 bits. Case 1 same LAN Host A 2001:db8:abcd:0001 ::0000:0000:0000:0005 Host B 2001:db8:abcd:0001 ::0000:0000:0000:0100 first 64 bits (network prefix) — IDENTICAL ✓ last 64 bits (interface ID) differ — that's fine ⇒ SAME SUBNET — A can reach B directly via NDP, no router needed Case 2 different LANs Host A 2001:db8:abcd:0001 ::0000:0000:0000:0005 Host C 2001:db8:abcd: 0002 ::0000:0000:0000:0005 ↓ 4th hextet differs (0001 vs 0002)
Compare the first N bits (here N = 64). Match ⇒ same subnet, talk directly. Differ ⇒ different subnets, packet must go through a router.
🔢 Numerical — Same Subnet Check (Full Walkthrough)
Q
Are 2001:db8:abcd:1::5 and 2001:db8:abcd:1:abcd::100 on the same /64 subnet?
1
Prefix length = 64. So we compare the first 64 bits = the first four hextets.
2
Address A first 4 hextets: 2001 : 0db8 : abcd : 0001.
3
Address B first 4 hextets: 2001 : 0db8 : abcd : 0001.
4
They are identical ⇒ same subnet 2001:db8:abcd:1::/64.
Host A reaches host B directly via Neighbor Discovery. No router hop. The interface-ID part (bits 65-128) is irrelevant to the check.
🔢 Numerical — Different Subnets, Then Change the Prefix Length
Q
Are 2001:db8:abcd:1::5 and 2001:db8:abcd:2::100 on the same subnet if the prefix length is (a) /64, (b) /48?
(a) /64
Compare first 64 bits = first 4 hextets. A: 2001:db8:abcd:0001. B: 2001:db8:abcd:0002. 4th hextet differs ⇒ different /64 subnets. Router required.
(b) /48
Compare first 48 bits = first 3 hextets. A: 2001:db8:abcd. B: 2001:db8:abcd. Identical ⇒ same /48 aggregate. They belong to the same enterprise but different LANs.
Insight: "same subnet" is a question the prefix length decides. On a LAN (/64), they're different. From the ISP's view (/48), they're the same enterprise.

Do We Still Have an "AND Mask" Operation in IPv6?

Yes — conceptually. Just as in IPv4, the network prefix is obtained by ANDing the address with a mask. IPv6 just doesn't write the mask out in dotted form; it derives it from the prefix length. For a /64, the "mask" would be ffff:ffff:ffff:ffff::. Applying it:

IPv6 AND operation — deriving the network prefix from a full address Address 2001:db8:abcd:1::5 2001:0db8:abcd:0001 0000:0000:0000:0005 AND Mask /64 → first 64 bits = 1 ffff:ffff:ffff:ffff 0000:0000:0000:0000 = Prefix 2001:db8:abcd:1::/64 2001:0db8:abcd:0001 0000:0000:0000:0000 First 64 bits: (network bit) AND 1 = itself. Last 64 bits: (host bit) AND 0 = 0. Result: the pure network prefix 2001:db8:abcd:1::/64 — used for routing table lookups.
Same AND operation as IPv4 — but the mask is virtual, derived on the fly from the prefix length. Nobody writes it out because "/64" already tells you the same thing.
💬
Why IPv6 Dropped the Dotted Mask

IPv4's 255.255.255.0 and CIDR /24 encode identical information — they just say it differently. Since IPv6 designers were starting fresh, they picked the more compact form and never looked back. In IPv6 you write 2001:db8::/32 or fe80::1/64 — the slash-notation is the only way to express the mask. You'll never see ffff:ffff:ffff:ffff:: written explicitly outside of protocol specs; it's derived from the prefix length automatically.

Is There an OR Trick for a "Broadcast" Address?

No — and this is a real difference from IPv4. Recall that IPv6 has no broadcast address. Where IPv4 uses IP OR (NOT mask) to find the broadcast (all host bits set to 1), IPv6 replaces that concept with the ff02::1 "all nodes" multicast. So the OR-with-wildcard trick from Section 06 of the IPv4 tutorial has no direct equivalent here — there's simply no address to compute. Every "everyone on the link" scenario in IPv6 uses a well-known multicast group instead.


Section 10

SLAAC — Stateless Address Autoconfiguration

In IPv4 a fresh device usually gets its address from a DHCP server. IPv6 introduces SLAAC: the device configures its own global address just by listening for a Router Advertisement. No DHCP server needed for basic connectivity.

SLAAC — how a device configures its own IPv6 address in 4 steps Host new laptop Router gateway Step 1: fe80:: auto-set from EUI-64 or random host has link-local: fe80::a12:34ff:fe56:78 Router Solicitation (RS) Step 2: "Are there any routers on this link?" → ff02::2 Router Advertisement (RA) Step 3: "The prefix here is 2001:db8:abcd:1::/64. I'm your default gateway." Step 4: Host builds global address = prefix + interface-ID 2001:db8:abcd:1::a12:34ff:fe56:78 — ready to use, no DHCP needed
Four steps. No DHCP server required. Host generates its own link-local, asks for a prefix, gets one from the router, and assembles the global address itself.
🔄 SLAAC — What Happens Under the Hood
Interface-ID
Modern OSes generate a random 64-bit ID (RFC 4941 privacy extensions) that rotates periodically. Older systems used EUI-64: expand the 48-bit MAC by inserting fffe in the middle and flipping the U/L bit.
DAD
Before using its new address, the host performs Duplicate Address Detection: it multicasts a Neighbor Solicitation for itself. If nobody replies, the address is unique and safe to use.
Lifetime
The RA carries a Valid Lifetime and Preferred Lifetime. When these expire, the address deprecates or disappears — automatic renumbering built-in.
DHCPv6 still exists
SLAAC gives you an address but not DNS server info or extra options. For those, DHCPv6 (or the RA's RDNSS option) is still needed. SLAAC and DHCPv6 coexist.

How Does the Computer Actually Choose? — The M and O Flags

A single IPv6 network can be configured for SLAAC, DHCPv6, or both. The choice isn't made by the client — it's advertised by the router using two bits inside every Router Advertisement. When the RA arrives, the client reads these two flags and follows the router's instructions.

Two bits inside the Router Advertisement control everything Router Advertisement (ICMPv6 type 134) carries M bit + O bit + Prefix Info option M=0, O=0 SLAAC only Address: SLAAC DNS: RA's RDNSS (no DHCP server) M=0, O=1 Stateless DHCPv6 Address: SLAAC DNS/NTP: DHCPv6 (most common) M=1, O=0 or 1 Stateful DHCPv6 Address: DHCPv6 DNS/NTP: DHCPv6 (enterprise, tracking) M=1, A=0 DHCPv6-only Address: DHCPv6 SLAAC disabled (A bit clears SLAAC) M = Managed address configuration  |  O = Other configuration (DNS etc.)  |  A = Autonomous (per-prefix SLAAC enable)
The RA is the traffic controller. Its M and O bits tell every joining device exactly which combination of SLAAC and DHCPv6 to use on this link.

DHCPv6 — The Four-Message Handshake

When a client needs stateful DHCPv6 (address assigned by a server, same as classic IPv4 DHCP), it runs a four-message exchange. Think of it as the IPv6 cousin of DHCPv4's DORA — the letters change but the choreography is identical.

DHCPv6 — SARR — four ICMPv6 messages over UDP ports 546/547 Client UDP 546 DHCPv6 srv UDP 547 1. SOLICIT "Any DHCPv6 servers out there?" → multicast to ff02::1:2 (all DHCP relays/servers) 2. ADVERTISE "I can offer 2001:db8:abcd:1::42/64, DNS = 2001:db8::53, lease = 1 day" 3. REQUEST "Yes, please give me exactly what you offered" → unicast back to that server 4. REPLY "Confirmed. Address, lease and all options are yours." → client now uses the address
SARR = Solicit → Advertise → Request → Reply. Same round-trip pattern as DHCPv4's DORA. Client always initiates; server never speaks unsolicited.

DHCPv6 vs DHCPv4 — Side by Side

📡 DHCPv4 (RFC 2131)
MessagesDORA (Discover, Offer, Request, Ack)
PortsUDP 67 (server), 68 (client)
DeliveryBroadcast 255.255.255.255
Client IDMAC address (chaddr)
Choice logicClient picks first / best OFFER
Address sourceOnly DHCPv4 (or manual)
📡 DHCPv6 (RFC 8415)
MessagesSARR (Solicit, Advertise, Request, Reply)
PortsUDP 547 (server), 546 (client)
DeliveryMulticast ff02::1:2
Client IDDUID (DHCP Unique Identifier)
Choice logicClient picks server with highest Preference
Address sourceDHCPv6 or SLAAC (RA flags decide)

The Complete Decision Tree — What the Computer Actually Does

🧠 When a new laptop plugs in, here's the exact algorithm it runs
1
Interface comes up. Generate a link-local fe80::/64 address (from EUI-64 or random). Verify uniqueness with DAD.
2
Send a Router Solicitation to ff02::2 (all routers). Wait for a Router Advertisement.
3
Received RA arrives. Read three critical bits:
M flag — is a DHCPv6 server managing addresses here?
O flag — is there other config (DNS, NTP) via DHCPv6?
A flag (per prefix) — can I autoconfigure from this prefix using SLAAC?
4a
If A = 1 for the advertised prefix → run SLAAC: build a global address by combining the prefix with my interface ID.
4b
If M = 1 → also start DHCPv6 SOLICIT to ff02::1:2 for an address (SARR exchange).
4c
If O = 1 but M = 0 → start DHCPv6 INFORMATION-REQUEST for DNS/NTP options only (no address).
5
End result: my interface may end up with up to four addresses simultaneously: link-local + SLAAC public + SLAAC privacy (temporary, rotating) + DHCPv6-assigned. That's normal and correct.
For outgoing connections, RFC 6724 source-address selection picks the "best" of those addresses based on scope, preferred lifetime, and privacy preference.
🔐
Why Do Enterprises Prefer Stateful DHCPv6?

SLAAC is beautiful for home users but a nightmare for compliance teams: addresses are unpredictable, rotate for privacy, and there's no central log of "who had which IP at which time." Stateful DHCPv6 gives back the audit trail enterprises legally require: the DHCPv6 server sees every allocation, records the DUID, and can enforce policy. Windows Server, Cisco routers, and Infoblox all ship DHCPv6 servers precisely for this reason.

⚠️
Android Deliberately Skips DHCPv6

A famous compatibility gap: Android has refused to implement DHCPv6 for over a decade (Google Issue #32621). If your network is configured with M=1 for address assignment, Android phones will fail to get an IPv6 address entirely — even though every other OS works fine. Result: enterprise networks that want IPv6 on phones must run SLAAC (M=0, O=1) with RDNSS options, not stateful DHCPv6. This is a real operational constraint to check before choosing stateful DHCPv6 in a mixed environment.


Section 11

NDP — Neighbor Discovery Replaces ARP

IPv4 uses ARP (Address Resolution Protocol) to map an IP to a MAC address: broadcast "who has 192.168.1.5?" and wait for the owner to reply with its MAC. IPv6 doesn't have broadcast, so it uses ICMPv6 Neighbor Discovery Protocol (NDP, RFC 4861).

📡 IPv4 ARP
Layer2.5 (own protocol)
DeliveryBroadcast (FF:FF:FF:FF:FF:FF)
Ask"Who has 192.168.1.5?"
Answer"I have it, my MAC is..."
SecurityNone — ARP spoofing trivial
📡 IPv6 NDP
LayerICMPv6 (types 133-137)
DeliverySolicited-node multicast (ff02::1:ff<xx>)
AskNeighbor Solicitation (NS)
AnswerNeighbor Advertisement (NA)
SecuritySEND (RFC 3971) adds crypto
ICMPv6 TypeNamePurpose
133Router Solicitation (RS)"Any routers here?" — multicast to ff02::2
134Router Advertisement (RA)"I'm a router, prefix is X, MTU is Y, DNS is Z"
135Neighbor Solicitation (NS)Replaces ARP request
136Neighbor Advertisement (NA)Replaces ARP reply
137Redirect"Use this better next-hop for that destination"
🔫
NDP Attack Surface — Bad Neighbor (CVE-2020-16898)

NDP's power made it a target. In October 2020, Microsoft patched CVE-2020-16898: The vulnerability, codenamed "Bad Neighbor", is a bug in the IPv6 Neighbor Discovery Protocol, particularly it's improper handling of ICMPv6 Router Advertisement Packets. While publicly available proof of concept (PoC) code results in a denial of service, attackers can exploit this bug to perform remote code execution (RCE). An attacker on the same subnet could crash or take over a Windows machine with a single malformed RA packet. This is why enterprise networks now filter untrusted RAs at the switch port (RA Guard) — a defence that has no IPv4 analogue because ARP was never this powerful.


Section 12

Transition Mechanisms — Living With Both Protocols

Nobody flips a switch to migrate the Internet. The transition from IPv4 to IPv6 has been slow, overlapping, and uneven. Three families of mechanisms make coexistence possible.

🏭
Dual Stack
The endpoint runs both stacks simultaneously. Every interface has an IPv4 and an IPv6 address. Apps prefer IPv6 when a AAAA record is available (Happy Eyeballs, RFC 8305 — race both, use the winner). This is the dominant deployment today.
most common
🔌
Tunneling
Wrap IPv6 packets inside IPv4 packets to cross an IPv4-only region. Variants: 6to4 (RFC 3056), Teredo (RFC 4380 — works through NAT), 6rd (RFC 5969 — ISP-scale). Cheap to deploy but adds latency and MTU headaches.
bridge legacy networks
🔄
Translation (NAT64 / DNS64)
An IPv6-only client wants to reach an IPv4-only server. DNS64 synthesises a fake IPv6 address for the IPv4 host; NAT64 translates traffic on the fly. Used heavily on IPv6-only mobile networks like Reliance Jio and T-Mobile.
IPv6-only clients

Section 13

IPv4 vs IPv6 — The Complete Side-by-Side

AspectIPv4IPv6
Address length32 bits128 bits
Address count4.3 × 1093.4 × 1038
NotationDotted decimal (192.168.1.5)Colon hex (2001:db8::1)
Header size20 – 60 bytes (variable)40 bytes fixed
Header checksumYes (recomputed every hop)None — faster routing
FragmentationRouter or sourceSource only
BroadcastYes (255.255.255.255)None — replaced by multicast groups
MulticastOptional (Class D)Core protocol feature (ff00::/8)
AnycastLoose conventionFirst-class address type
Address configManual, DHCP, or APIPASLAAC, DHCPv6, or manual
ARP / NDPARP over broadcastNDP over ICMPv6 multicast
IPsecOptional add-onOriginally mandatory (now optional)
NATEssential due to scarcityUnnecessary — every device gets a global address
QoSToS / DSCP + ECNTraffic Class + Flow Label
Reverse DNSin-addr.arpaip6.arpa
OptionsIn-header (up to 40 B)Extension headers (chained)
Loopback127.0.0.1::1
Any-network0.0.0.0::
Private ranges10/8, 172.16/12, 192.168/16fc00::/7 (ULA)
Link-local169.254/16 (APIPA fallback)fe80::/10 (always present)

Section 14

Real-World Cases from the News

🏆
Google Passes 50% IPv6 — March 2026
An 18-year milestone: Now, 18 years since Google started recording this data, access via native IPv6 has for the first time exceeded 50% (50.10% on 28 March 2026, to be precise). Country breakdown from the same source: France (73%), India (72%), and Saudi Arabia (65%) to laggards like Italy (17%), Spain (10%), Egypt (4%), and most African and Central Asian countries.
Internet Society Pulse
🇳🇱
Reliance Jio — India's IPv6-Only Backbone
Wikipedia's IPv6-deployment reference tracks India's giant leap: Reliance JIO has deployed and is offering IPv6 services in India since September 2016, and has migrated 200M of their Internet users on their IPv6 only mobile network by the end of 2017. As of May 2022, Reliance had an IPv6 adoption level of over 92%. Jio couldn't afford enough IPv4 addresses for its 400M+ subscribers — so it skipped to IPv6-only with NAT64 for legacy IPv4 destinations.
200M IPv6-only users since 2017
🔫
Windows "Bad Neighbor" (CVE-2020-16898)
A single malicious NDP Router Advertisement could crash or hijack any Windows 10 or Server 2019 machine on the local subnet. The proof-of-concept shared with MAPP (Microsoft Active Protection Program) members is both extremely simple and perfectly reliable. It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations. Named "Bad Neighbor" because the bug lived in Neighbor Discovery. Patched October 2020.
CVSS 8.8, October 2020
🇨🇳
China's 2030 IPv6-Only Plan
Wikipedia summarises Beijing's national mandate: In July 2021, China announced plans to complete a national IPv6 rollout by 2030. It is the only country known to advocate towards a single-stack network... As of mid-2025, China's IPv6 adoption is around 45%. The 2025 IPv6 Development Report puts China reported 865 million active IPv6 users, accounting for 77% of Internet users, with IPv6 traffic share reaching 34% of total Internet traffic.
state-mandated single-stack
🇫🇷
France — The Global IPv6 Leader
Free.fr and Orange got there first. Per Wikipedia: In February 2026, France had 86% IPv6 penetration according to Google's IPv6 Statistics page. In November 2025, France had 79% IPv6 penetration according to APNIC. When your ISP defaults to native IPv6 on every new customer connection for a decade, IPv6 becomes the dominant protocol.
86% in February 2026
🔢
The Register's IPv6 Poetry
Covering Google's 50% milestone, The Register captured the scale in a memorable line: they designed IPv6 around 128-bit addresses, meaning the IPv6 numberspace offers 340 undecillion addresses — 340 followed by 36 zeroes. That vast quantity of addresses is probably enough to allow humanity to assign a unique identifier to every connected device our species will create between now and the heat-death of the universe. Exhaustion is not on the roadmap.
The Register, April 2026

Section 15

Golden Rules for IPv6 Deployment

🏆 Non-Negotiable Rules for Working with IPv6
1
Always use /64 for a LAN subnet. Anything smaller breaks SLAAC. Don't try to save addresses by going /112 or /120 — you have effectively unlimited /64s, and you have exactly zero justification not to spend them.
2
Enable RA Guard on access-layer switches. A rogue or malicious Router Advertisement can hijack the entire link (see Bad Neighbor above). Every managed switch worth buying supports this feature. Turn it on.
3
Deploy dual-stack, not IPv6-only, at the enterprise edge. Even in 2026, plenty of external destinations remain IPv4-only. Use Happy Eyeballs (RFC 8305) on clients to prefer IPv6 whenever available. Save IPv6-only deployments for controlled environments (data centres, mobile carriers with NAT64).
4
Use privacy extensions (RFC 4941) on end-user devices. EUI-64 addresses embed the MAC address in the address itself — a permanent tracking cookie. Every modern OS generates rotating random Interface IDs instead; verify that yours is doing so.
5
Never NAT IPv6. NAT was a scarcity hack for IPv4. There is no address shortage in IPv6, so there is no reason to NAT. Doing so re-introduces every fragility NAT brought to IPv4: broken PMTU discovery, broken end-to-end reachability, broken peer-to-peer.
6
Firewall IPv6 explicitly. Many networks turn on IPv6 but leave the IPv6 firewall wide open because "we only firewalled IPv4." Every rule must have an IPv6 counterpart. Bad guys look for exactly this asymmetry.
7
Test with Google's IPv6-only test page and Happy Eyeballs. Don't just enable IPv6 — verify from the client's perspective that it prefers IPv6 and that fallback to IPv4 works when IPv6 is broken. Silent IPv6-related slowdowns are the number-one user complaint in mixed environments.
🌈
The Whole Protocol in One Paragraph

IPv6 is a 128-bit-address, fixed-40-byte-header, no-broadcast, no-checksum, autoconfiguration-friendly redesign of IP that fixes IPv4's address scarcity and adds simpler routing, native multicast, extension-header modularity, and SLAAC. Every subnet is a /64, every enterprise gets a /48, every ISP a /32, and the whole space has enough addresses to run the Internet for the next several thousand years. Half the world already uses it. Learn it once — you'll use it for the rest of your career.