IPv6 Subnetting - Basic Concepts

In IPv6 you typically do not do subnetting beyond the first 64 bits. With very few exceptions, all IPv6 subnets use a /64 block. In certain cases, you might even use two or more /64 blocks in a single physical subnet (e.g. one global unicast and one ULA unicast). Addresses have a 64-bit prefix and a 64-bit suffix (Interface Identifier). You cannot use a smaller block than a /64 (e.g. a /96) if you use SLAAC, because SLAAC generates 64-bit address suffixes. There is no need for any subnet larger than /64, because that is already larger than any conceivable subnet (it is 4.3 billion times larger than the entire IPv4 address space). So, all network links (subnets) use a /64 block. Simple.

When we talk about IPv6 subnetting, we are talking about the first 64 bits of the IPv6 addresses, and usually only about the fourth group of 16 bits (the Subnet ID). If your IPv6 allocation is a single /64 block, there is no subnetting to do. You are done. You can go study some other aspect of IPv6.

On the other hand, if your IPv6 allocation is a /48 block, you have 65,536 /64 blocks to manage. You need to understand IPv6 subnetting. If you were allocated a block larger than a /64 and smaller than a /48 (e.g. a /60, /56, or /52), then you have some smaller number of subnets to manage. If you are with a giant organization that was allocated even more than a /48, or multiple /48s, you may have quite a few subnets to manage (more than 65,536).

In IPv4, the smallest block we manage is a /30 (2 usable addresses). This might be used in a PPP link. The largest block we manage is a /8, which contains 16.7 million addresses. This would probably be 10/8, unless you happen to be one of the lucky few organizations who were allocated an entire Class A of public IPv4 addresses by Jon Postel back in the old days. For example, the 12/8 block that belongs to AT&T. AT&T has all of the IPv4 public addresses from 12.0.0.1 to 12.255.255.254.

In IPv6, the smallest block we normally manage is a single /64 (2^64 or about 18 quintillion addresses). The one exception is an IPv6 /127 block used in PPP links (two usable addresses). The largest block an organization normally manages is a /48, which contains 65,536 /64 blocks. Very large organizations might get a block larger than a /48, but more likely would get multiple /48 blocks, one per large site, possibly from different Regional Internet Registries. It depends on their Internet architecture. Some organizations have only a single main connection to the Internet, and run private network connections between their main site and all other sites. Other organizations save a lot of money by having each site connect to a local Internet provider, and then linking the sites into one giant virtual site via VPNs. In either case they may need a block larger than a /48. The local IPv6 addresses would basically be used only for the endpoints of VPN tunnels between sites. Yet others get a local /48 block for each site, and route all internal traffic right over the IPv6 Internet (possibly with encryption).

An ISP might have to manage a /32 (or larger) block, but hopefully they already know how to do this. It basically is just like managing a /48, but involves bits other than just the Subnet ID (e.g. the third and fourth 16-bit groups).

With IPv6, the fundamental unit we manage with subnetting is a /64 block of addresses, not an individual address, as was the case with IPv4. We measure block size in terms of how many /64 blocks they include, not in terms of how many addresses. This is IPv6. Think BIG.

IPv6 subnetting is concerned with routing sub-blocks and possibly delegating management of sub-blocks to other network administrators. For example, Sixscape was allocated a /48 block (2001:470:3d::/48) from Hurricane Electric, which has 65,536 /64 blocks. We broke that up into 16 /52 blocks, from 2001:470:3d::/52 to 2001:470:3d:f000::/52, each of which has 4,096 /64 blocks. Two of those /52 blocks we use in our colo, one we route to our main office, and one we route to my house (2001:470:3d:3000::/52). This is single level subnetting. The sixteen sub-blocks are selected with the first hex digit of the 16-bit Subnet ID.

The /52 block routed to our main office was further broken down into sixteen /56 blocks within the office, each of which has 256 /64 blocks - this is now two-level subnetting. The first subnetting level breaks the /48 block into sixteen /52 blocks. The second level breaks some of the /52 blocks into sixteen /56 blocks each. The first hex digit determines the /52 block. The second hex digit determines the /56 block within a /52. The third and fourth hex digits are not used for subnetting in our organization. In my home, the second, third and fourth digits are available to use as I please. I can choose any Subnet ID from 3000 to 3fff. In one of the /56 blocks in the office, the first two digits are already determined. We can use the third and fourth digits as we please. For example, in block 2001:470:3d:2400::/56, we can use any Subnet ID from 2400 to 24ff.

I manage the 4,096 /64 blocks from the /52 routed to my house. Currently I am using only two of those /64s, namely 2001:470:3d:3000::/64 and 2001:470:3d:3001::/64. I could further subdivide my /52 block into sixteen /56 blocks of 256 /64s each, and route each /56 into different rooms in my house. I could then further sub-divide each one of those /56 blocks into sixteen /60 blocks of sixteen /64s each. Finally, I could split each /60 block into sixteen /64 blocks. This would be four-level subnetting. The first hex digit of the Subnet ID is already determined (3). The second digit would determine the /56 block within my /52. The third digit would determine the /60 block within a /56 block. The fourth digit would determine a /64 block within a /60 block. You typically need multi-level subnetting only in a large organization.

To summarize, this is the two-level subnetting scheme at Sixscape:

/48 (2001:470:3d::/48) for entire organization (65,536 /64 blocks)

-- /52 (2001:470:3d::/52) - in colo (4,096 /64 blocks)

-- /52 (2001:470:3d:1000::/52) - in colo (4,096 /64 blocks)

-- /52 (2001:470:3d:2000::/52) - main office (4,096 /64 blocks)

---- /56 (2001:470:3d:2000::/56) office infrastructure (256 /64 blocks)

---- /56 (2001:470:3d:2100::/56) office servers (256 /64 blocks)

---- /56 (2001:470:3d:2400::/56) office workstations (256 /64 blocks)

---- other /56s in 2001:470:3d:2000::/52 unused

-- /52 (2001:470:3d:3000::/52) - LEH house (4,096 /64 blocks)

-- other /52s in 2001:470:3d::/48 unused

When managing Subnet IDs, you typically break the 16 bits (or however many you manage) at multiples of 4 bits (16, 12, 8 or 4), because each 4 bits represents one hex digit. There is no real problem with breaking up the 16 bits at other positions, except the addresses might look a bit odd since the split comes "in the middle of a hex digit". This is similar to a /12 block in IPv4, where the division comes "in the middle of" the second 8 bit group. Block 172.16/12 actually includes 172.16/16 up to 172.31/16. If you split IPv6 Subnet IDs at positions other than 16, 12, 8 and 4 bits, you will have similar odd looking results.
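As an added example (not Sixscape's code or tooling), here is a Python script using the standard ipaddress module that carves the 2001:470:3d::/48 block from the text at 4-bit boundaries, counts blocks in units of /64s, and locates which /52 and /56 an address falls in from the hex digits of its Subnet ID; it also shows the odd-looking boundaries you get when splitting at a non-4-bit position such as /50. The sample address 2001:470:3d:2455::1 and the /50 split are constructed for illustration.

```python
import ipaddress

# Sixscape's /48 allocation as given in the text; it is carved up at
# 4-bit (one hex digit) boundaries of the 16-bit Subnet ID.
ORG_48 = ipaddress.ip_network("2001:470:3d::/48")


def count_64s(net: ipaddress.IPv6Network) -> int:
    """Size of a block measured the IPv6 way: how many /64s it contains."""
    if net.prefixlen > 64:
        raise ValueError("blocks smaller than /64 are not subnetted in IPv6")
    return 2 ** (64 - net.prefixlen)


def split(net: ipaddress.IPv6Network, new_prefix: int) -> list:
    """Enumerate the sub-blocks of a block at the given prefix length.
    A new_prefix that is not a multiple of 4 (e.g. /50) still works, but the
    boundaries fall 'in the middle of a hex digit' (e.g. ...:4000::/50)."""
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


def subnet_id(addr: str) -> int:
    """The 16-bit Subnet ID: bits 48..63, i.e. the fourth 16-bit group."""
    return (int(ipaddress.IPv6Address(addr)) >> 64) & 0xFFFF


def locate(addr: str) -> dict:
    """Report the /52, /56 and /64 of ORG_48 that an address falls in, and the
    Subnet ID hex digits that selected them (first digit -> /52, second -> /56)."""
    a = ipaddress.IPv6Address(addr)
    if a not in ORG_48:
        raise ValueError(f"{addr} is not inside {ORG_48}")
    sid = subnet_id(addr)
    return {
        "subnet_id": f"{sid:04x}",
        "/52": str(ipaddress.IPv6Network(f"{a}/52", strict=False)),
        "/56": str(ipaddress.IPv6Network(f"{a}/56", strict=False)),
        "/64": str(ipaddress.IPv6Network(f"{a}/64", strict=False)),
        "digit_52": f"{sid >> 12:x}",          # first hex digit of Subnet ID
        "digit_56": f"{(sid >> 8) & 0xF:x}",   # second hex digit of Subnet ID
    }


if __name__ == "__main__":
    for block in split(ORG_48, 52):
        print(block, count_64s(ipaddress.ip_network(block)), "/64s")
    print(split(ORG_48, 50))  # the odd-looking non-4-bit split
    print(locate("2001:470:3d:2455::1"))  # constructed office workstation address
```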

You can do IPv6 subnetting by hand, or there are IPv6 subnet calculators available online. My Distributed Network Management System allows you to manage your Subnet IDs easily by splitting larger blocks into any number of smaller blocks, to create even smaller blocks, or /64 blocks from which it allocates addresses.

As for requirements, you should be aware that you need an IPv6 router at every point where a block is broken up into smaller blocks. We have one border router in the colo bringing in the entire /48 block from Hurricane Electric. It routes /52 blocks. There is one internal router in the colo, one in the office and one in my home that accept the /52 blocks, and in the case of the office, break it up into /56 blocks. Another internal router is required to accept each one of the /56 blocks in the office.

The border router in our colo has native IPv6 in its external network (Hurricane Electric's colo network). It does not need a tunnel to receive IPv6 over IPv4. The Sixscape SolidGate firewall can forward IPv6 packets between the internal network and an external network with native IPv6, or forward IPv6 packets between the internal network and a remote IPv6 network using various tunneling protocols, if the external network is IPv4-only.

The office and my home do not have native IPv6 service available. The border routers in the office and my home actually use a 6in4 tunnel to accept the /52 blocks routed from the colo, over intervening IPv4 infrastructure. Within the office, and my home, the entire networks are actually native Dual Stack (no internal tunneling required). The tunnels are only required to link routers that have only IPv4 infrastructure between them. The routers in the colo, office and my home are actually SolidGate firewalls, and do routing and tunneling in addition to enforcing both IPv4 and IPv6 filtering rules. You could use any Dual Stack firewall or router that supports 6in4 tunneling. You need one public IPv4 address on the external interface of each router that does 6in4 tunneling (although that can be the same public IPv4 address used for Hide Mode NAT).

Once you have IPv6 service in your main site (either native or tunneled), SolidGate can forward IPv6 traffic between the IPv6 Internet (and your main site) and your branch offices via 6in4 tunnels. SolidGate can manage either end of a 6in4 tunnel (6in4 is symmetric - there is no "server" or "client" - just two "endpoints"). One SolidGate firewall can actually manage quite a few 6in4 tunnel endpoints (we have not run into a limit so far). Of course you need a SolidGate (or equivalent) at each end of such connections. If we had 4 branch sites, we would need a total of five SolidGate firewalls - one in the main site, and one in each of the branches. Actually in our case, the "main site" is the colo at Hurricane Electric, and our HQ and my home are branch sites.