How are IPv6 addresses allocated?
I frequently notice nodes receiving entire IPv6 ranges (usually /64) instead of individual addresses. This pattern appears mainly on VPS setups but also occurs with my mobile data plan. When I linked my laptop to a mobile hotspot, it obtained a public IPv6 address that I could reach from anywhere online. My question is why companies provide such large blocks and why my mobile assigns a public IP when using NAT for IPv4. Also, since my VPS also has a /64 block, can I freely use any IP within that range? Could an OpenVPN server then supply any address in the block to its clients, making it publicly accessible on the internet?
There are an enormous number of available IPv6 addresses—about 340 trillion trillion, or 340,282,366,920,938,000,000,000,000,000,000,000,000. In contrast, IPv4 offers roughly 4 billion addresses. With such a vast pool, most IPv4 space is already used, so ISPs rely on NAT to share one IP among many users, while IPv6 provides much more flexibility by distributing address blocks freely.
Put differently: giving each person on Earth a /48 and never reclaiming them means IPv6 will last longer than 480 years, allowing us to repeat this process many times. On such a long timeline, other factors beyond IPv6 address shortage will prompt the IETF to create a new successor. Assigning small subnets like /56 or /48 is generally discouraged, except when necessary for P2P links or loopbacks. A /64 is usually the safest choice unless you specifically need to split it for certain use cases. It's unusual for ISPs to only provide blocks in /64s, though that doesn't violate any standards.
I understand your concerns about the large number of addresses and the lack of running out soon. However, I remain concerned about my phone distributing public traffic through its hotspot. A NAT gateway normally provides security by acting as a firewall, keeping devices behind it protected from the public internet. When a router starts assigning public IPs without proper safeguards, it undermines that protection, exposing all connected devices to potential threats. This sudden shift leaves everything vulnerable to attacks, which isn't something I'm comfortable with.
IPv6 eliminates the need for NAT, allowing every IP address to directly reach the internet. NAT was introduced for IPv4 because people anticipated running out of unique addresses. IPv6 was built without relying on NAT at all. This results in a much larger number of possible addresses. Additionally, the smallest network an ISP can assign to a customer is a /64 subnet, which supports up to 65,536 IP addresses. Because of these characteristics, firewall protection becomes especially crucial with IPv6.
Considering a /64 network offers more than 4 billion possible IPv6 addresses, scanning it would take longer than scanning the entire IPv4 internet, which is why people avoid doing it. The safest method to discover if a service is running on your computer is by examining your own computer's IP address and scanning it. If you're worried about security, placing a firewall on your machine that permits only desired incoming traffic can help. In reality, you shouldn't be overly concerned.
This topic is a rabbit hole for many, and it's important to grasp why IPv6 isn't being adopted widely—largely due to fear. Those unfamiliar with IPv6 or firewall operations often struggle to comprehend how devices maintain public IP addresses. NAT isn't about security; it's more about addressing limitations. PAT offers some security benefits but isn't a full replacement for firewalls. Additionally, considering our existing ARIN address space of 2000::/3, we could allocate every human on Earth two billion /64 addresses while still retaining some capacity.
The concern is genuine because closed environments such as IoT devices and gaming consoles often lack clear firewall configurations. With IPv4, assigning static IPs via DHCP helps routers enforce security before traffic reaches the network. However, with IPv6, managing addresses becomes complex—multiple assignment methods exist, and some devices alter their UUIDs after reboot, making consistent IPing difficult. Ideally, each machine should be individually firewalled, but this becomes unwieldy in large networks where users may not grasp these details. IPv6 introduces a significant learning challenge compared to simpler setups like NAT or basic IPv4 routing. For most users expecting seamless operation, it poses a major security risk. You can't automatically block incoming connections by default, as this would disrupt essential services, yet leaving it open exposes the network to substantial threats that previously didn’t exist.
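Two posts above make the same practical point: put a host firewall on the IPv6 machine that permits only the inbound traffic you want, but do not block so much that you break the services IPv6 itself depends on. The following nftables ruleset is an added example (not posted by anyone in this thread) showing how those two goals fit together; the accepted service ports 22 and 443 are assumptions, and the ICMPv6 types listed are the ones Neighbor Discovery, Router Advertisements and Path MTU Discovery need.

```nft
#!/usr/sbin/nft -f
# Default-deny inbound IPv6 (and IPv4) host firewall for a node that holds
# a globally reachable address out of its /64. Load with: nft -f <file>
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened, and related traffic
        ct state established,related accept
        ct state invalid drop

        # Loopback is always trusted
        iif "lo" accept

        # ICMPv6 that must be reachable or the host loses its address,
        # its default router and its ability to handle MTU changes:
        #   nd-*      : Neighbor Discovery (replaces ARP) and Router Advertisements
        #   packet-too-big : Path MTU Discovery (IPv6 routers never fragment)
        #   the rest  : error reporting and echo, kept so diagnostics keep working
        icmpv6 type {
            nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert,
            packet-too-big, destination-unreachable,
            time-exceeded, parameter-problem,
            echo-request, echo-reply,
            mld-listener-query, mld-listener-report, mld-listener-reduction
        } accept

        # Minimal IPv4 equivalents so dual-stack keeps working
        icmp type { echo-request, destination-unreachable, time-exceeded } accept

        # DHCPv6 client: the server answers to UDP 546 on this host
        udp dport 546 accept

        # Services deliberately exposed on the public address (assumed: SSH, HTTPS)
        tcp dport { 22, 443 } accept

        # Everything else falls through to the chain policy and is dropped
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Because the policy is `drop`, any inbound connection attempt to another address in the /64 or to a port not listed above is discarded silently; the ICMPv6 allowances are what keep this from being the "disrupt essential services" outcome the last post warns about.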