Cryptographically Generated Addresses

A CGA (cryptographically generated address) is created using two hash functions with multiple inputs. The first function uses a public key and a changing random value to obtain a certain number of zero bits in the hash. The second function combines the network prefix and the first hash. The final 128-bit address combines the network prefix with the last 64 bits of the second hash. These hash functions help confirm whether an IPv6 address is a valid CGA, ensuring secure communication between trusted addresses. ...

IPv6

IPv6 Addresses

IPv6 addresses are 128 bits long, which allows $2^{128}$ distinct addresses (340,282,366,920,938,463,463,374,607,431,768,211,456). The first 64 bits of an address are the network prefix, with the remaining 64 bits being the interface identifier. An address is written as eight groups of four hexadecimal digits, with colons between them, e.g. 2001:0db8:85a3:0000:0000:8a2e:0370:7334. The hexadecimal digits are case-insensitive, but the IETF recommends using only lowercase letters. The full representation of an address can be shortened using 2 techniques: ...

Link Local Addresses

The link-local prefix (fe80::/10) is valid and unique only on a single link, comparable to IPv4’s auto-configuration addresses (169.254.0.0/16). Within this prefix, there’s a single subnet (fe80::/64). The last 64 bits are generated using stateless autoconfiguration. Every IPv6-enabled interface must have a link-local address, so applications can rely on its existence even without IPv6 routing.

Modified EUI 64

Traditionally MAC addresses were used to generate the interface identifier. A 48-bit MAC address is turned into a 64-bit EUI-64 address by inserting FF-FE in the middle, then the 7th most significant bit is inverted. The bit is inverted to specify that the address is now “universally unique”. As compared to normal EUI-64 generation, when this EUI-64 is used to form an IPv6 address, it is modified: the meaning of the Universal/Local bit (the 7th most significant bit of the EUI-64, starting from 1) is inverted, so that a 1 now means Universal. ...

Stable Privacy Addresses

To address privacy issues of modified EUI-64 addresses, stable privacy addresses were created. These addresses are consistent within a network but change when moving to another network, enhancing privacy. They are chosen randomly yet deterministically from the network’s address space. Stable privacy addresses are generated using a hash function that considers various stable parameters. Although implementations vary, it’s advised to use the network prefix, network interface name, a duplicate address counter, and a secret key. The hash value forms the final address, typically combining the least significant 64 bits with the 64-bit network prefix for a 128-bit address. If there’s no conflict with existing or reserved addresses, the address is assigned to the interface. ...
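The following added example (not part of the original notes) puts the Modified EUI-64 and stable privacy schemes side by side, so the tracking difference is visible: the EUI-64 interface identifier is the same on every network, while the stable privacy one changes with the prefix. SHA-256, the length-prefixed input encoding, the retry limit of 4, the two-case reserved check and all function names are assumptions made for illustration; the MAC, key and prefixes are constructed sample values.

```python
import hashlib
import ipaddress

def prefix_bytes(prefix: str) -> bytes:
    """First 64 bits (the network prefix) of an IPv6 /64."""
    return ipaddress.IPv6Network(prefix).network_address.packed[:8]

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64: insert FF-FE mid-MAC, invert the 7th most significant bit."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return ipaddress.IPv6Address(prefix_bytes(prefix) + iid)

def is_reserved(iid: bytes) -> bool:
    """Assumption: only the all-zero identifier and the reserved subnet
    anycast range (fdff:ffff:ffff:ff80 to fdff:ffff:ffff:ffff) are checked."""
    n = int.from_bytes(iid, "big")
    return n == 0 or 0xFDFFFFFFFFFFFF80 <= n <= 0xFDFFFFFFFFFFFFFF

def stable_privacy_address(prefix, ifname, secret_key, in_use=frozenset()):
    """Hash prefix, interface name, duplicate-address counter and secret key;
    the least significant 64 bits of the digest become the interface identifier."""
    for dad_counter in range(4):            # retry limit is an assumption
        h = hashlib.sha256()                # hash choice is an assumption
        for field in (prefix_bytes(prefix), ifname.encode(),
                      bytes([dad_counter]), secret_key):
            # Length-prefix each input so field boundaries are unambiguous.
            h.update(len(field).to_bytes(2, "big") + field)
        iid = h.digest()[-8:]
        addr = ipaddress.IPv6Address(prefix_bytes(prefix) + iid)
        if not is_reserved(iid) and addr not in in_use:
            return addr                     # no conflict: assign this address
    raise RuntimeError("no conflict-free address found")

if __name__ == "__main__":
    MAC, KEY = "00:11:22:33:44:55", b"constructed-demo-secret"  # constructed
    for net in ("2001:db8:1::/64", "2001:db8:2::/64"):  # documentation prefixes
        print(net, eui64_address(net, MAC),
              stable_privacy_address(net, "eth0", KEY))
```

Passing an already-taken address in `in_use` shows the duplicate address counter at work: the same host gets a different, still deterministic, address on that network.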

Temporary Addresses

So that a user's identity can’t be tracked, a node may create temporary addresses with interface identifiers based on time and which have relatively short lifetimes (hours to days), after which they are replaced with new addresses. Temporary addresses may be used as the source address for originating connections, while external hosts use a public address. Network interfaces configured for IPv6 use temporary addresses by default in OS X Lion and later Apple systems as well as in Windows Vista, Windows 2008 Server and later Microsoft systems. ...

Unique Local Addresses

Unique local addresses (ULAs) in IPv6 are for local communication, similar to IPv4 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). They can only be routed within cooperating sites. The address block is divided into two parts: the lower half (fc00::/8) is meant for global allocation, but no method has been defined yet; the upper half (fd00::/8) is for “probabilistically unique” addresses. A /48 private prefix is created by combining the /8 prefix with a 40-bit random number, reducing the chance of conflicts when sites merge or communicate. The lower 64 bits are configured using stateless autoconfiguration. ...

Unspecified Address

The unspecified address is used in software before the application has learned its host’s source address, or to mean that an application is listening for incoming connections on all available interfaces.