
How to read IPv6 IP addresses

You’ve probably been hearing for some time now that IP addresses are running out. It finally happened last week in North America with IPv4. While the next generation, IPv6, makes sure we’ll continue to have addresses, it comes with changes and some compatibility issues that can impact your online anonymity and investigations. In this post, we’ll highlight those issues and provide some tips and tools for reading IPv6 addresses.

Surfing on IPv6
Major ISPs have been migrating to IPv6 for some time. To be compatible, they have been providing customers and web traffic with dual access to IPv4 and IPv6. Chances are you’re already surfing on both. When this happens, some websites will register a different IP version for you than others, because the two versions make different amounts of information available.

Dual access is especially important for investigators who browse the Internet through VPNs (virtual private networks) or proxy Internet connections. These proxies hide the user’s actual IP address, except when the applications making the connection don’t work with IPv6. When this happens, the application leaks the real IP address to the websites and to related services in use, such as fraud detection services. You probably won’t know when this happens.

Compatibility is a big issue and it’s a reason why users should periodically test their Internet connection. Unfortunately, most online tools like Whatsmyipaddress.net and IPchicken.com are still configured to detect IPv4 only. So, look for tools that offer IPv6 services and verify their results.

Find out if you’re surfing on IPv6
Test-IPv6.com
IPv6leak.com

Location
IP addresses do not transmit geographic locations, whether the user is visiting a website or communicating by email. This is true for both versions.

With IPv4, we learned how to infer locations from clues pointing to the records. These clues include resolve hosts, or reverse DNS, which is essentially a domain name assigned by the ISP to identify the corresponding data center. Some investigative tools use this to infer the IP address location. Geo-location tools, on the other hand, get their precision by mapping out the routes that lead to the address.

You won’t find the same clues in IPv6 records.

IPv6 has one record with a physical address, and this is the administrative contact. It is frequently listed as a corporate office. IPv4 records list this too but, of course, alongside the other clues. In other words, most IPv6 lookups depend on physical addresses based on offices and not data centers. The office can be located on one coast, while the data center providing the IP address of interest is located on the other coast. There is plenty of room to add these details to IPv6 records, though there are no requirements to do so.

Reading and using IPv6 addresses
Investigators have become comfortable with reading and using IPv4 addresses. It’s going to take time to gain the same comfort with IPv6.

IPv6 looks and works differently in a manual review. You can’t just enter an IPv6 address into a browser to view a website like you can with IPv4. You have to place the address inside brackets, as shown below. Try copying and pasting these IP addresses and URLs into your browser.

IPv4 CNN.com
157.166.226.25
http://157.166.226.25

Ipv6.CNN.com
2620:100:e000::8001
http://[2620:100:e000::8001]/

IPv6 addresses look very different, but how we read them is fundamentally unchanged. We read IP addresses like phone numbers because the region, provider and customer information are all contained within the number, and we can see this by reading from left to right. The country or region of origin is found on the far left, along with the service provider. This service provider lends a number from within their block to the customer, and that’s the full number we see. ARIN provides a great interactive graphic illustrating these segments.

IPv6 Interactive graphic
ARIN IPv6

With IPv4, the IP addresses are issued in blocks to countries. This makes it possible to ascertain the general origin by looking at the first set of numbers known as an octet. You can’t do this with IPv6. You need to review the first two sets of numbers and that will identify both the ISP and the country where the IP address block was registered.
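The reading steps above can be scripted with Python’s standard ipaddress module. This is an added example, not part of the original post: the function name describe and its output fields are hypothetical, and treating “the first two sets of numbers” as a /32 prefix is an assumption about what the post means. It runs offline and performs no lookup itself.

```python
import ipaddress
from urllib.parse import urlsplit


def describe(value):
    """Return the parts an investigator reads from an IP address or URL.

    Accepts a bare address, a bracketed IPv6 literal, or a URL.
    Raises ValueError on malformed input.
    """
    text = value.strip()
    if "://" in text:
        # hostname drops the [] around an IPv6 literal and any port number
        text = urlsplit(text).hostname or ""
    text = text.strip("[]").split("%", 1)[0]  # drop brackets and any zone id
    ip = ipaddress.ip_address(text)

    if ip.version == 4:
        return {
            "version": 4,
            "address": str(ip),
            "url": f"http://{ip}/",
            "leading": str(ip).split(".")[0],  # first octet
            "reverse_dns": ip.reverse_pointer,
        }

    groups = ip.exploded.split(":")  # always 8 groups of 4 hex digits
    # Assumption: the first two groups are read as a /32 prefix to look up.
    prefix = ipaddress.ip_network(f"{groups[0]}:{groups[1]}::/32")
    return {
        "version": 6,
        "address": ip.compressed,
        "expanded": ip.exploded,  # "::" written out in full
        "url": f"http://[{ip.compressed}]/",  # brackets required in a URL
        "leading": str(prefix),
        "reverse_dns": ip.reverse_pointer,  # the ip6.arpa name for a PTR query
    }


if __name__ == "__main__":
    # The two sample addresses used earlier in this post
    for sample in ("157.166.226.25", "http://[2620:100:e000::8001]/"):
        for field, val in describe(sample).items():
            print(f"{field:12} {val}")
        print()
```

The leading value is what you would paste into one of the whois or assignment tools listed at the end of this post.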

In summary, IPv6 presents additional challenges for investigators. It’s a good idea to regularly test your Internet connection and to get acquainted with IPv6 tools. You’ll find a couple of tools to get you started below and also online at our NetBootCamp Internet investigations tool list.

 

IPv6 lookup tools
http://www.tcpiputils.com/browse/ipv6-address
http://centralops.net
https://whois.arin.net/ui/advanced.jsp

Note: Maxmind.com also provides a geoIP lookup demo

IPv6 assignments by country / ISP
http://www.tcpiputils.com/ipv6-geolocation-database
http://ipverse.net/ipblocks/data/countries
http://www.cidr-report.org/v6