IPv4 vs. IPv6

Posted Sep 9, 2025

By Saracen Rhue

4 min read

IPv4 vs. IPv6

Overview

Feature	IPv4	IPv6
Address Length	32 bits (4 bytes)	128 bits (16 bytes)
Address Space	~4.3 billion unique addresses (2³²)	~340 undecillion addresses (2¹²⁸)
Address Format	Dotted decimal (e.g., `192.168.1.1`)	Hexadecimal, colon-separated (e.g., `2001:0db8:85a3:0000:0000:8a2e:0370:7334`)
Address Example	`172.16.254.1`	`2001:db8::8a2e:370:7334` (shortened)
Prefix Length	/0 to /32 (e.g., `/24` for `255.255.255.0`)	/0 to /128 (e.g., `/64` for typical LAN)
Address Types	Unicast, multicast, broadcast	Unicast, multicast, anycast (no broadcast)
Adoption	Widely used, legacy standard (1980s)	Growing adoption, modern standard (1998)

Aspect	IPv4	IPv6
Header Size	20-60 bytes (variable, with options)	40 bytes (fixed, simpler)
NAT (Network Address Translation)	Common due to address scarcity (e.g., private IPs like `192.168.x.x`)	Rarely needed; globally routable addresses
Autoconfiguration	DHCP or manual (e.g., `192.168.1.100`)	Stateless Address Autoconfiguration (SLAAC) or DHCPv6
Fragmentation	Handled by routers and endpoints	Handled only by endpoints (routers don’t fragment)
Checksum in Header	Yes (in IP header)	No (handled by upper layers, e.g., TCP/UDP)
QoS (Quality of Service)	Limited (Type of Service field)	Enhanced (Flow Label field for traffic prioritization)
Security	Optional (IPsec added later)	Built-in IPsec support (though not always used)

Task	IPv4	IPv6
Manual Assignment	Set IP, subnet mask, gateway (e.g., `192.168.1.100`, `255.255.255.0`, `192.168.1.1`)	Set IP, prefix length, gateway (e.g., `2001:db8::1/64`, `fe80::1`)
Automatic Assignment	DHCP (e.g., assigns `10.0.0.2`)	SLAAC (uses router advertisements) or DHCPv6
DNS Configuration	IPv4 DNS servers (e.g., `8.8.8.8`, `1.1.1.1`)	IPv6 DNS servers (e.g., `2001:4860:4860::8888`, `2606:4700:4700::1111`)
Verify Address	`ip addr` or `ifconfig` (e.g., `192.168.1.100/24`)	`ip -6 addr` (e.g., `2001:db8::1/64`)
Test Connectivity	`ping 8.8.8.8`	`ping6 2001:4860:4860::8888`
Firewall Rules	`iptables` (e.g., allow TCP 80 to `192.168.1.100`)	`ip6tables` (e.g., allow TCP 80 to `2001:db8::1`)

Scenario	IPv4	IPv6
Home Networks	Common (e.g., routers assign `192.168.x.x`). NAT used to share public IP.	Growing (e.g., `2a00:...` from ISP). No NAT needed; each device gets a public address.
Datacenters	Standard (e.g., single public IP like `203.0.113.1`). Requires port forwarding for services.	Increasingly used (e.g., `/64` subnets like `2a01:4f8:...`). Simplifies server addressing.
VPNs (e.g., Tailscale)	Relies on NAT traversal (STUN, UPnP, port forwarding like UDP 41641). May use relays if NAT fails.	Direct connections easier (no NAT). Uses global addresses for peer-to-peer (e.g., `2001:db8::1` to `2001:db8::2`).
IoT Devices	Limited by address scarcity; NAT complicates connectivity.	Ideal; vast address space allows unique IPs for billions of devices.
Mobile Networks	Used with carrier-grade NAT (CGNAT).	Preferred for 5G; direct addressing improves performance.

Aspect	IPv4	IPv6
Advantages	- Universal support - Familiar configuration - Works with legacy systems	- Massive address space - No NAT needed - Simplified routing - Built-in IPsec
Challenges	- Address exhaustion - NAT complexity (e.g., port forwarding) - Inconsistent NAT traversal for VPNs	- Incomplete adoption - Requires manual config in some cases (e.g., datacenters) - Compatibility with IPv4-only devices
Performance	Good, but NAT can add latency (e.g., VPN relays).	Better for direct connections; lower latency (e.g., 10-20ms vs. 50ms for relays).

Aspect	IPv4	IPv6
Encryption	Relies on upper layers (e.g., TLS, SSH, VPNs like Tailscale’s WireGuard). IPsec optional.	Same as IPv4; IPsec built-in but rarely mandatory. VPNs (e.g., Tailscale) use WireGuard for both.
Firewall Needs	`iptables` for NAT/port rules (e.g., open TCP 80). CGNAT can obscure devices.	`ip6tables` for direct addresses. Devices are publicly routable, requiring strict rules.
Attack Surface	NAT hides devices but requires open ports (e.g., UDP 41641). Vulnerable to NAT traversal exploits.	Public addresses increase exposure; needs robust firewall (e.g., block unsolicited inbound).
VPN Relays (e.g., Tailscale DERP)	Secure (encrypted), but relays see metadata (e.g., IPs, packet sizes). Used when NAT fails.	Less needed; direct connections reduce third-party involvement. Still secure if relays used.

Aspect	Description
Dual Stack	Most networks run IPv4 + IPv6 (e.g., `192.168.1.1` and `2001:db8::1` on the same device). Ensures compatibility.
Tunneling	IPv6 over IPv4 (e.g., 6to4, Teredo) or IPv4 over IPv6 (e.g., 4in6) for mixed environments.
NAT64/DNS64	Allows IPv6-only devices to access IPv4 services by translating addresses.
Deprecation	IPv4 won’t disappear soon due to legacy systems, but IPv6 is the future for scalability.

Enable IPv6: Check ISP/datacenter support (e.g., /64 subnet). Configure static or SLAAC in OS (e.g., Linux: /etc/network/interfaces, Windows: Network Settings).
Firewall Setup: Use iptables/ip6tables or OS firewalls (e.g., Windows Defender, Unraid’s UI) to secure public IPv6 addresses.
Test Both Protocols: Use ping/ping6 and tailscale netcheck (for VPNs) to verify connectivity.
VPN Optimization: For tools like Tailscale, prefer IPv6 for direct connections to avoid NAT issues and relays (e.g., DERP).
Monitor Adoption: Check network devices for IPv6 support (ip -6 addr). Update firmware/OS for compatibility.

RFCs: IPv4 (RFC 791), IPv6 (RFC 8200)
Tools: Wireshark (analyze packets), ip/ifconfig (Linux), netstat (Windows)
DNS Providers: Google (8.8.8.8, 2001:4860:4860::8888), Cloudflare (1.1.1.1, 2606:4700:4700::1111)
Learning: IETF (ietf.org), ARIN (arin.net), APNIC (apnic.net)

This post is licensed under CC BY 4.0 by the author.