IPv6 is great.
IPv6 modernises networking with a vast address space, cleaner host discovery, and routing that scales. This page offers a concise, practitioner‑friendly overview of Layer 2 and Layer 3 behaviour.
Deep dive
Host discovery
- RS (133) / RA (134) for router & prefix discovery
- NS (135) / NA (136) for neighbour resolution & DAD
- Redirect (137) for better on‑link next‑hop
Key multicast groups
- ff02::1 (all‑nodes)
- ff02::2 (all‑routers)
- ff02::1:ff00:0/104 (solicited‑node)
- ff02::1:2 (DHCPv6 agents)
Deployment tips
- Prefer SLAAC + RA; add DHCPv6 options as needed
- Enable RA Guard / DHCPv6 Guard at the edge
- Use MLD snooping to constrain multicast
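A passive check in the spirit of RA Guard, added here as an example and not taken from the original page: it parses raw IPv6 packets, recognises the NDP message types listed above, and flags messages that fail the RFC 4861 hop-limit rule or Router Advertisements and Redirects from an unexpected source. The router allowlist (`fe80::1`) and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

NDP_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
# Assumption: the only legitimate router on this segment (constructed value).
ALLOWED_ROUTERS = {ipaddress.ip_address("fe80::1")}


def check_ndp(packet: bytes) -> list:
    """Return findings for one raw IPv6 packet; an empty list means nothing to flag."""
    if len(packet) < 44 or packet[0] >> 4 != 6:
        return ["not a parseable IPv6 packet"]
    next_header, hop_limit = packet[6], packet[7]
    src = ipaddress.ip_address(packet[8:24])
    icmp_type = packet[40]
    # Only handles ICMPv6 (next header 58) directly after the fixed header.
    if next_header != 58 or icmp_type not in NDP_TYPES:
        return []
    name, findings = NDP_TYPES[icmp_type], []
    # RFC 4861: ND messages must arrive with Hop Limit 255, i.e. never forwarded.
    if hop_limit != 255:
        findings.append(f"{name}: hop limit {hop_limit}, expected 255")
    if icmp_type in (134, 137):
        # RAs and Redirects must be sourced from a router's link-local address.
        if src not in LINK_LOCAL:
            findings.append(f"{name}: source {src} is not link-local")
        elif src not in ALLOWED_ROUTERS:
            findings.append(f"{name}: {src} is not an authorised router")
    return findings


def sample(src: str, icmp_type: int, hop_limit: int = 255) -> bytes:
    """Constructed packet: fixed IPv6 header + 4-byte ICMPv6 stub, sent to ff02::1."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0)
    header = struct.pack("!IHBB", 6 << 28, len(icmp), 58, hop_limit)
    dst = ipaddress.ip_address("ff02::1").packed
    return header + ipaddress.ip_address(src).packed + dst + icmp


if __name__ == "__main__":
    for src, t, hl in [("fe80::1", 134, 255), ("fe80::bad", 134, 255),
                       ("fe80::1", 134, 64), ("2001:db8::1", 134, 255)]:
        print(src, t, hl, check_ndp(sample(src, t, hl)))
```

The check inspects only packets where ICMPv6 immediately follows the fixed IPv6 header; switch-level RA Guard remains the enforcement point.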
Layer 2
IPv6 eliminates Layer 2 broadcast. It relies on scoped multicast so that control traffic reaches only interested nodes. The most visible example is the solicited‑node multicast group (ff02::1:ffXX:XXXX) derived from the last 24 bits of an address.
This design reduces noise on the link and limits exposure since fewer hosts see discovery frames. Switches can further constrain traffic with MLD snooping.
Quick facts
- No ARP in IPv6
- NDP (ICMPv6) handles discovery & reachability
- All‑nodes: ff02::1; Routers: ff02::2
- Hosts auto‑join their solicited‑node groups
NDP instead of ARP
Neighbour Discovery replaces ARP with ICMPv6 messages: Router Solicitation/Advertisement (RS/RA), Neighbour Solicitation/Advertisement (NS/NA), and Redirect. Reachability is maintained by Neighbour Unreachability Detection to avoid stale cache entries.
Addressing can be done with SLAAC using RAs and optionally complemented by DHCPv6 for extra options.
Duplicate Address Detection (DAD)
DAD checks if an address is already in use before activation. A host sends an NS to the address’s solicited‑node multicast; any NA response signals a duplicate and the address must not be used.
In short, DAD prevents accidental duplicate assignments, improving stability during autoconfiguration and renumbering.
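The solicited‑node derivation from the Layer 2 section and the DAD probe described here, worked through as an added example that is not part of the original page. It derives the group and its Ethernet multicast MAC (the 33:33 mapping from RFC 2464), then builds the Neighbour Solicitation with a valid ICMPv6 checksum; the tentative address `2001:db8::1234:5678` is a constructed value from the documentation prefix.

```python
import ipaddress
import struct


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ff00:0/104 plus the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def multicast_mac(group: ipaddress.IPv6Address) -> str:
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits."""
    return ":".join(f"{b:02x}" for b in b"\x33\x33" + group.packed[-4:])


def icmpv6_checksum(src: bytes, dst: bytes, payload: bytes) -> int:
    """One's-complement sum over the IPv6 pseudo-header and the ICMPv6 message."""
    data = src + dst + struct.pack("!I3xB", len(payload), 58) + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def dad_probe(tentative: str) -> dict:
    """Build the NS a host sends for DAD: source ::, destination solicited-node group."""
    target = ipaddress.IPv6Address(tentative)
    src, dst = ipaddress.IPv6Address("::"), solicited_node(tentative)
    # NS body: type 135, code 0, checksum, 4 reserved bytes, 16-byte target address.
    # A DAD probe carries no source link-layer address option (RFC 4861).
    body = struct.pack("!BBHI", 135, 0, 0, 0) + target.packed
    csum = icmpv6_checksum(src.packed, dst.packed, body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    return {"src": src, "dst": dst, "eth_dst": multicast_mac(dst),
            "hop_limit": 255, "icmpv6": body}


if __name__ == "__main__":
    probe = dad_probe("2001:db8::1234:5678")  # constructed tentative address
    print(probe["dst"], probe["eth_dst"], probe["icmpv6"].hex())
```

Recomputing the checksum over the finished message returns 0, which is how a receiver validates it.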
Layer 3
No NAT required
With a 128‑bit address space, IPv6 removes the scarcity that drove NAT in IPv4 and restores end‑to‑end connectivity, simplifying protocols and troubleshooting.
Stateful firewalls and prefix delegation replace the habit of using NAT as a security boundary. For policy control, apply filtering and proper segmentation—not address translation.
NAT66 exists in some products but is rarely justified; translation is not a routing requirement in IPv6.
Fragmentation only from the source host
Operational benefits
- Cleaner application behaviour with fewer ALGs
- Straightforward traceability with proper logging
- Better path‑MTU handling and fewer edge cases
- Native support for multi‑homing and renumbering
FAQ
Does IPv6 improve security by itself?
Not automatically. IPv6 reduces broadcast exposure and removes NAT side‑effects, but you still need stateful firewalls, proper filtering, and host hardening.
How does DAD differ from ARP probing?
DAD is part of NDP. A host probes using NS to the address’s solicited‑node multicast; any NA response indicates a duplicate so the address stays tentative and is not assigned.
If NAT isn’t used, how do I protect hosts?
Use stateful firewalls, ingress/egress filtering, and micro‑segmentation. NAT was never a security feature; policy and filtering are.
Do I still need DHCP?
Often you can rely on SLAAC for addressing and add DHCPv6 for options such as DNS servers when RDNSS via RA is not preferred.
Resources
RFCs to know
4291 – IP Version 6 Addressing Architecture
4861 – Neighbor Discovery for IPv6
4862 – IPv6 Stateless Address Autoconfiguration
6052 - IPv6 Addressing of IPv4/IPv6 Translators
6105 - IPv6 Router Advertisement Guard
6145 - IP/ICMP Translation Algorithm
6146 - Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers
6147 - DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers
6877 - 464XLAT: Combination of Stateful and Stateless Translation
7050 - Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis
7225 - Discovering NAT64 IPv6 Prefixes Using the Port Control Protocol (PCP)
8200 – Internet Protocol, Version 6 (IPv6)
8585 - Requirements for IPv6 Customer Edge Routers to Support IPv4-as-a-Service
8781 - Discovering PREF64 in Router Advertisements
8880 - Special Use Domain Name 'ipv4only.arpa'
8925 – IPv6-Only Preferred Option for DHCPv4
9099 - Operational Security Considerations for IPv6 Networks
Operator guidance
IETF BCP 38/84 – Ingress/Egress filtering
RA Guard, DHCPv6 Guard, MLD Snooping
Use prefix delegation for customer edges
At a glance
Multicast over broadcast on L2
NDP (NS/NA, RS/RA) replaces ARP
DAD prevents duplicate addresses
NAT not a routing requirement in IPv6
NAT64/DNS64 makes legacy IP reachable from an IPv6-only environment
464XLAT makes legacy-IP-only communication possible over an IPv6-only environment
IPv6-Mostly with legacy DHCP Option 108 enables clat46 on iOS, macOS and Linux in a (W)LAN environment, and soon on Windows too
Glossary
ARP - Address Resolution Protocol for IPv4
DHCP - Dynamic Host Configuration Protocol
GUA - Global Unicast Address
IETF - Internet Engineering Task Force
IGMP - Internet Group Management Protocol
IP – Internet Protocol
LLA - Link-Local Address
MLD - Multicast Listener Discovery (replaces IGMP)
NA/NS - Neighbor Advertisement/Solicitation
NAT - Network Address Translation (routing feature)
NDP - Neighbor Discovery Protocol (replaces ARP)
RA/RS - Router Advertisement/Solicitation
ULA - Unique Local Address range
Well-known addresses
| Prefix / Address | Name | Scope / Type | Notes |
|---|---|---|---|
| :: | Unspecified address | Special | Used to indicate no assigned address |
| ::/0 | Default route | Routing | IPv6 equivalent of the IPv4 default route |
| ::1 | Loopback | Host local | Localhost address |
| 2000::/3 | Global unicast address space | Global unicast | Routable on the public Internet |
| fc00::/7 | Unique local unicast (ULA) | Local unicast | Private addressing range, similar to RFC1918 in IPv4 |
| fd00::/8 | Locally assigned ULA prefix | Local unicast | Commonly used subset of ULA in practice |
| fe80::/10 | Link-local unicast | Link-local | Valid only on the local link, not routed |
| 2001:db8::/32 | Documentation prefix | Documentation | Reserved for examples and documentation |
| 3fff::/20 | Documentation prefix | Documentation | Newer documentation range, often forgotten |
| 64:ff9b::/96 | Well-known NAT64 prefix | Translation | Used for IPv6 to IPv4 translation |
| 2002::/16 | 6to4 | Transition | Legacy transition mechanism, mostly deprecated |
| ::ffff:0:0/96 | IPv4-mapped IPv6 | Special | Used by dual-stack APIs and network stacks |
| 2001:0000::/32 | Teredo | Transition | Legacy tunneling mechanism |
| ff00::/8 | Multicast range | Multicast | All IPv6 multicast addresses |
| ff02::1 | All Nodes | Multicast link-local | Targets all nodes on the local link |
| ff02::2 | All Routers | Multicast link-local | Targets all routers on the local link |
| ff02::1:ff00:0/104 | Solicited-node multicast | Multicast link-local | Used by Neighbor Discovery Protocol (NDP) |
| ff02::1:2 | DHCPv6 servers and relay agents | Multicast link-local | Used by DHCPv6 clients to reach servers and relays |
| ff05::1:3 | DHCPv6 servers | Multicast site-local | Site-scoped DHCPv6 server multicast address |
| ff02::5 | OSPFv3 AllSPFRouters | Protocol multicast | Used by OSPFv3 routers |
| ff02::6 | OSPFv3 AllDRouters | Protocol multicast | Used by OSPFv3 designated routers |
| ff02::9 | RIPng routers | Protocol multicast | Used by RIPng |
| ff02::a | EIGRP for IPv6 | Protocol multicast | Used by EIGRP for IPv6 |
| ff02::d | All PIM routers | Protocol multicast | Used by Protocol Independent Multicast |
| ff02::16 | MLDv2-capable routers | Protocol multicast | Used by Multicast Listener Discovery v2 |
| fec0::/10 | Site-local unicast | Deprecated | Deprecated and replaced by ULA |
| 2001:20::/28 | ORCHIDv2 | Special-purpose | Experimental identifier space |
| (subnet prefix):: | Subnet-router anycast | Anycast concept | Subnet-specific address with interface ID set to zero, no single fixed global prefix |